Securing communication between clients and the Helix ALM Server

Keeping your Helix ALM data secure is critical. To prevent hackers from compromising your data, encrypt communication between clients and the Helix ALM Server.

The following information explains how Helix ALM encrypts data, how authentication works, and how key exchange is used for different authentication methods. See Setting security options for information about configuring secure client/server communication.

Encryption

Encryption scrambles data to prevent interception, or eavesdropping, as it passes between clients (Helix ALM Client, Helix ALM Web, server admin utilities, and add-ins) and the Helix ALM Server. Helix ALM uses the OpenSSL implementation of Advanced Encryption Standard-256 (AES-256) to encrypt communication between clients and servers in Helix ALM (and TestTrack 2014.1 and later).

Client/server communication is encrypted when you select Encrypt communication between clients and the server in the Security server options. See Setting security options.

Note: Always use encryption unless you are evaluating Helix ALM or troubleshooting a performance issue. Passwords are always encrypted even if client/server communication is not.

Login credentials sent from web clients to the CGIs are not encrypted, even if encryption is enabled on the server. We strongly recommend configuring HTTPS to encrypt communication from the browser to the CGIs on the web server. See your web server documentation for information about configuring and using HTTPS.

Authentication

Authentication is the process of logging in a user. The following authentication methods are used in Helix ALM.

Authentication method: Helix ALM License Server
  How it works: The username and a mathematical proof that the user knows the password (not the actual password) are sent to the Helix ALM Server. The server sends back a different mathematical proof that it also knows the password, so the client can verify the server.

Authentication method: LDAP
  How it works:
    Using single sign-on: Credentials proving the user's identity are sent from the LDAP server to the Helix ALM Server and verified.
    Not using single sign-on: The username and password are sent to the Helix ALM Server.

Authentication method: External authentication
  How it works: Data from the organization's authentication system is sent to the Helix ALM Server.

Key exchange

Key exchange is a method of exchanging secret keys over an insecure network connection without exposing them to eavesdroppers. The key exchange method used depends on the authentication method.

The following key exchange methods are used in Helix ALM.

Key exchange method: Secure Remote Password (SRP)
  When it is used: User is authenticated from the Helix ALM License Server and RSA key exchange is not enabled.
  How it works: A shared secret key is generated during authentication. To compromise the secret key or impersonate the server, a hacker must know the user's password.
  To use it: Select Encrypt communication between clients and the server in the Security server options.

Key exchange method: Diffie-Hellman
  When it is used: User is authenticated using LDAP or external authentication, and RSA key exchange is not enabled.
  How it works: A mathematical process is used to generate a secret key. To compromise the secret key, a hacker must have control over an intermediate network node or impersonate the real server. Does not protect against man-in-the-middle attacks.
  To use it: Select Encrypt communication between clients and the server in the Security server options.

Key exchange method: RSA
  When it is used: RSA key exchange is enabled in the Security server options.
  How it works: The client generates a random, 256-bit secret key and encrypts it with the server's public key. The server hashes the secret key and signs the hash with its private key. The private key is only stored on the server hard drive and never leaves the server. To compromise the secret key or impersonate the server, a hacker must know the server's private key or substitute their own public key in client applications.
  To use it: Select Encrypt communication between clients and the server and Use RSA key exchange in the Security server options.
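The RSA exchange described above, as an added example (not Helix ALM's own code): the client encrypts a fresh 256-bit secret to the server's pinned public key, the server hashes and signs the secret, and the client checks the signature before trusting the session. The padding and hash choices (OAEP, PKCS#1 v1.5, SHA-256) are assumptions, since the page does not state them.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// ClientStart models the client: generate a random 256-bit session secret and
// encrypt it with the server's pinned public key (OAEP/SHA-256 is an assumption).
func ClientStart(serverPub *rsa.PublicKey) (secret, ciphertext []byte, err error) {
	secret = make([]byte, 32)
	if _, err = rand.Read(secret); err != nil {
		return nil, nil, err
	}
	ciphertext, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, secret, nil)
	return secret, ciphertext, err
}

// ServerRespond models the server: recover the secret with the private key, hash
// it, and sign the hash so the client can confirm the secret reached the real server.
func ServerRespond(serverPriv *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	secret, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, serverPriv, ciphertext, nil)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(secret)
	return rsa.SignPKCS1v15(rand.Reader, serverPriv, crypto.SHA256, digest[:])
}

// ClientVerify checks the signature against the pinned public key. A server that
// does not hold the matching private key cannot produce a signature that passes.
func ClientVerify(serverPub *rsa.PublicKey, secret, signature []byte) bool {
	digest := sha256.Sum256(secret)
	return rsa.VerifyPKCS1v15(serverPub, crypto.SHA256, digest[:], signature) == nil
}

func main() {
	serverKey, _ := rsa.GenerateKey(rand.Reader, 2048) // deployed: kept only on the server's disk
	secret, ct, _ := ClientStart(&serverKey.PublicKey)
	sig, _ := ServerRespond(serverKey, ct)
	fmt.Println("genuine server verified:", ClientVerify(&serverKey.PublicKey, secret, sig))

	rogue, _ := rsa.GenerateKey(rand.Reader, 2048) // impostor without the real private key
	_, err := ServerRespond(rogue, ct)
	fmt.Println("impostor cannot recover the secret:", err != nil)
}
```

The second half of main shows why the table says an attacker needs the server's private key: without it the encrypted secret cannot be opened, and any signature from another key fails ClientVerify.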

When to use RSA key exchange

SRP and Diffie-Hellman are low-risk key exchange methods if your organization's network is secure and no client applications outside of the network can communicate with the Helix ALM Server.

We recommend using RSA key exchange to prevent hackers from eavesdropping on communication if:

  • Your organization stores sensitive information in Helix ALM.
  • Your network is potentially insecure.
  • Users log in to client applications from outside your network.
  • Users are authenticated to Helix ALM using LDAP, single sign-on, or external authentication.

Using RSA requires additional setup for users. See Configuring RSA key exchange.