Securing communication between the license server and other applications

Keeping your Helix ALM License Server and other Helix ALM product data secure is critical. To prevent hackers from compromising your data, encrypt communication between license server and other applications, specifically Helix ALM product servers, license server admin clients, and the license server API.

The following information explains how the license server encrypts data, how authentication works, and how key exchange is used for different authentication methods. See Setting server options for information about configuring secure communication.

Encryption

Encryption scrambles data to prevent interception, or eavesdropping, as it passes between the license server and other applications. The license server uses the OpenSSL implementation of the Advanced Encryption Standard with 256-bit keys (AES-256) to encrypt communication in Helix ALM License Server 2014.1 and later.

Communication between the license server and other license servers, Helix ALM product servers, license server admin clients, and the license server API is encrypted when you select Encrypt communication between the license server and other applications in the Server category in the server options. See Setting server options.

Note: Always use encryption unless you are evaluating Helix ALM products or troubleshooting a performance issue. Passwords are always encrypted even if communication is not.

Login credentials sent from the Helix ALM License Server Web Admin Utility and the CGI are not encrypted, even if encryption is enabled on the server. We strongly recommend configuring HTTPS to encrypt communication from the browser to the CGIs on the web server. See your web server documentation for information about configuring and using HTTPS.

Authentication

Authentication is the process of logging in a user to the license server. The following authentication methods are used by the license server.

Authentication method: Helix ALM License Server
How it works: The username and a mathematical proof that the user knows the password (not the actual password) are sent to the license server. The server sends a different mathematical proof that it knows the password back to the other application.

Authentication method: Active Directory or LDAP
How it works: Using single sign-on—Credentials proving the user's identity are sent from the LDAP server to the license server and verified. Not using single sign-on—The username and password are sent to the license server.

Authentication method: OpenID Connect or SAML identity provider
How it works: The Helix ALM product username is sent to the license server. The server sends a login URL back to the client, which navigates to the configured identity provider in a browser. After the user authenticates with the identity provider, the user's identity is verified by the license server.

Authentication method: External authentication
How it works: Data from the organization's authentication system is sent to the license server.

Key exchange

Key exchange is a method of exchanging secret keys over an insecure network connection without exposing them to eavesdroppers. The key exchange method used depends on the authentication method.

The following key exchange methods are used in the license server.

Key exchange method: Secure Remote Password (SRP)
When it is used: The user is authenticated by the Helix ALM License Server and RSA key exchange is not enabled.
How it works: A shared secret key is generated during authentication. To compromise the secret key or impersonate the server, a hacker must know the user's password.
To use it: Select Encrypt communication between the license server and other applications in the server options.

Key exchange method: Diffie-Hellman
When it is used: The user is authenticated using LDAP or external authentication, and RSA key exchange is not enabled.
How it works: A mathematical process is used to generate a secret key. To compromise the secret key, a hacker must have control over an intermediate network node or impersonate the real server. Does not protect against man-in-the-middle attacks.
To use it: Select Encrypt communication between the license server and other applications in the server options.

Key exchange method: RSA
When it is used: RSA key exchange is enabled in the server options. Only used in communication between the license server and license server admin utility clients.
How it works: The client generates a random, 256-bit secret key and encrypts it with the server's public key. The server hashes the secret key and signs the hash with its private key. The private key is only stored on the server hard drive and never leaves the server. To compromise the secret key or impersonate the server, a hacker must know the server's private key or substitute their own public key in client applications.
To use it: Select Encrypt communication between the license server and other applications and Use RSA key exchange in the server options.
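The SRP row above (and the Helix ALM License Server row in the authentication table) describes the two properties that matter: the password never crosses the wire, and a shared secret key falls out of the login itself. The following added example, which is not Helix ALM code and does not describe its wire format, walks through one SRP-6a login in standard-library Python so those properties can be seen concretely. The group is the 1024-bit parameter set from RFC 5054 Appendix A (transcribed here, verify against the RFC before relying on it); SHA-256 is used for every hash, which is an assumption of this example rather than the RFC 5054 test vectors (they use SHA-1). The client sends proof M1 = H(A | B | K), the server answers with the different proof M2 = H(A | M1 | K), and both sides end up holding the same 32-byte key K, the size AES-256 needs.

```python
import hashlib
import hmac
import secrets

# RFC 5054 Appendix A, 1024-bit group (transcribed; verify against the RFC).
N_HEX = (
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E860726187"
    "75FF3C0B9EA2314C9C256576D674DF7496EA81D3"
    "383B4813D692C6E0E0D5D8E250B98BE48E495C1D"
    "6089DAD15DC7D7B46154D6B6CE8EF4AD69B15D49"
    "82559B297BCF1885C529F566660E57EC68EDBC3C"
    "05726CC02FD4CBF4976EAA9AFD5138FE8376435B"
    "9FC61D2FC0EB06E3"
)
N = int(N_HEX, 16)
g = 2
N_LEN = (N.bit_length() + 7) // 8  # 128 bytes


def sha(*parts: bytes) -> bytes:
    return hashlib.sha256(b"".join(parts)).digest()


def H(*parts: bytes) -> int:
    return int.from_bytes(sha(*parts), "big")


def pad(x: int) -> bytes:
    """Fixed-width big-endian encoding so hashes are unambiguous."""
    return x.to_bytes(N_LEN, "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier parameter


def private_key(username: str, password: str, salt: bytes) -> int:
    # x is derived from the password; only the client ever computes it.
    return H(salt, sha(f"{username}:{password}".encode()))


def make_verifier(username: str, password: str, salt: bytes) -> int:
    """Run once at enrolment. The server stores (salt, v), never the password."""
    return pow(g, private_key(username, password, salt), N)


def client_start():
    a = secrets.randbelow(N - 2) + 1
    return a, pow(g, a, N)  # (a, A)


def server_respond(v: int, A: int):
    if A % N == 0:
        raise ValueError("illegal client public value")  # RFC 5054 §2.5.4 check
    b = secrets.randbelow(N - 2) + 1
    B = (k * v + pow(g, b, N)) % N
    return b, B


def client_finish(username, password, salt, a, A, B):
    if B % N == 0:
        raise ValueError("illegal server public value")
    u = H(pad(A), pad(B))
    x = private_key(username, password, salt)
    # (B - k*g^x) == g^b mod N, so S == g^(b(a + u*x)) on both sides.
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)
    K = sha(pad(S))                     # 32-byte session key
    M1 = sha(pad(A), pad(B), K)         # proof the client knows the password
    return K, M1


def server_finish(v, b, A, B, M1):
    u = H(pad(A), pad(B))
    S = pow((A * pow(v, u, N)) % N, b, N)
    K = sha(pad(S))
    if not hmac.compare_digest(sha(pad(A), pad(B), K), M1):
        raise ValueError("client proof failed: wrong password or tampering")
    M2 = sha(pad(A), M1, K)             # a different proof, from the server
    return K, M2


def client_verify_server(A, M1, K, M2) -> None:
    if not hmac.compare_digest(sha(pad(A), M1, K), M2):
        raise ValueError("server proof failed: server does not know verifier")


def run_login(username, password, salt, v):
    """One complete exchange; returns (client_key, server_key) or raises."""
    a, A = client_start()
    b, B = server_respond(v, A)
    client_key, M1 = client_finish(username, password, salt, a, A, B)
    server_key, M2 = server_finish(v, b, A, B, M1)
    client_verify_server(A, M1, client_key, M2)
    return client_key, server_key


if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    v = make_verifier("alice", "correct horse battery staple", salt)
    ck, sk = run_login("alice", "correct horse battery staple", salt, v)
    print("keys match:", ck == sk, "key bytes:", len(ck))
```

Two things in the code map directly onto the table text. `server_finish` raises on a wrong password before it ever emits M2, which is why an eavesdropper who captures A, B, M1 and M2 learns nothing usable without the password; and `client_verify_server` is the client-side check that the server knows the verifier, which is the "impersonate the server" property the table mentions.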

When to use RSA key exchange

SRP and Diffie-Hellman are low-risk key exchange methods if your organization's network is secure and no applications outside of the network can communicate with the license server.

We recommend using RSA key exchange to prevent hackers from eavesdropping on communication if:

  • Your organization stores sensitive information in Helix ALM products.
  • Your network is potentially insecure.
  • Users log in to client applications from outside your network.
  • Users are authenticated to the license server using LDAP, single sign-on, or external authentication.

Using RSA requires additional setup for users. See Configuring RSA key exchange.