Integration Bridge security
Note: This topic is relevant for NextGen Synchronizer only. For details about the ALM Synchronizer, see ALM Synchronizer for Agile Manager or search using the ALM Synchronizer filter.
The Integration Bridge does not expose any internal information. Additionally, Micro Focus application JAR files are signed by Micro Focus, helping to validate the code's origin.
The Integration Bridge can use OAuth authentication when connecting to Agile Manager, instead of using the credentials of an Agile Manager user.
All new Integration Bridge installations use OAuth authentication.
Existing bridges upgraded to version 1.03 or later continue to use Agile Manager user credentials until the password expires or until you manually update the bridge to use OAuth.
For details, see Synchronizer Integration Bridge: New way to connect to Agile Manager.
Communication between the Integration Bridge and Agile Manager is secured by SSL.
The bridge logs in to Agile Manager using the Agile Manager user credentials or client ID and secret provided during installation, or later as described in Set Agile Manager credentials.
Connections using a certificate that is not signed by a well-known Certificate Authority
If you connect to a secured Agile Manager or ALM server using a certificate that is not signed by a well-known Certificate Authority, you must establish trust for the certificate.
To establish this trust, import the issuer's certificate to the JRE's truststore in the following directory:
<Integration Bridge installation directory>\product\util\3rd-party\jre1.7.0_51\jre\lib\security\ (On Linux, reverse the slashes in this path and the ones below)
Do the following:
1. With Agile Manager or ALM open in your browser window, export the certificate from the browser, and save it to a file named server.cer.
2. On the Integration Bridge machine, place the server.cer file in the <Integration Bridge installation>\product\util\3rd-party\jre1.7.0_51\jre\bin directory.
3. Use the keytool command from the <Integration Bridge installation>\product\util\3rd-party\jre1.7.0_51\jre\bin directory to import the server.cer file to the <Integration Bridge installation>\product\util\3rd-party\jre1.7.0_51\jre\lib\security\cacerts truststore:
   keytool.exe -import -v -trustcacerts -alias <alias> -file server.cer -storepass <password> -keystore <Integration Bridge installation>\product\util\3rd-party\jre1.7.0_51\jre\lib\security\cacerts
   Note: You may need to repeat this command for the rest of the certificate chain, using a different alias each time.
4. Restart the Integration Bridge.
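Importing a certificate into cacerts makes the bridge's JRE trust everything that issuer signs, so it is worth confirming that the exported server.cer is the certificate you expect before running keytool. The following is an added example, not part of the original documentation or the product: it fingerprints every certificate in an exported file (Base64 or binary export, single certificate or chain) and compares each against fingerprints obtained out of band from the server administrator. The function names and the alias prefix "agm" are hypothetical.

```python
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def load_certs(data: bytes) -> list:
    """Return the DER bytes of every certificate in an exported file.

    Browsers export Base64 (PEM, one block per chain certificate) or
    binary DER; a file without PEM armor is treated as a single DER cert.
    """
    blocks = PEM_BLOCK.findall(data)
    if not blocks:
        return [data]
    return [base64.b64decode(b"".join(block.split())) for block in blocks]


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint as colon-separated uppercase hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalise(fp: str) -> str:
    """Drop separators and case so pasted fingerprints compare equal."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


def check_export(data: bytes, expected: list, alias_prefix: str = "agm"):
    """Give each certificate its own alias and say whether it was expected."""
    wanted = {normalise(fp) for fp in expected}
    return [(f"{alias_prefix}-{n}", fingerprint(der),
             normalise(fingerprint(der)) in wanted)
            for n, der in enumerate(load_certs(data))]


# Constructed stand-in bytes, not a real certificate (any bytes can be hashed).
SAMPLE_DER = bytes(range(48)) * 4
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    trusted = [fingerprint(SAMPLE_DER)]  # stands in for the out-of-band value
    for alias, fp, ok in check_export(SAMPLE_PEM, trusted):
        print(alias, fp, "import" if ok else "DO NOT IMPORT")
```

After the import, running keytool with -list -v -alias <alias> against the same cacerts file prints the stored certificate's fingerprints, which can be compared with the value checked here.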
Passwords for connecting to endpoints are encrypted and saved on the customer's machine, preventing credentials from being transferred to another machine.
The encryption method uses keys that are randomly generated during installation. The bridge uses AES 128 as the main encryption method.
|Download sources||Do not download the Integration Bridge installation file or updates from unknown sources.|
|Integration Bridge machine||Install the Integration Bridge on a dedicated, hardened machine.|
|Integration Bridge network||Deploy the Integration Bridge in an isolated network, with a firewall between the bridge and the target on-premises application.|
Integration Bridge permissions
By default, the Integration Bridge service runs using the Windows Local System service user.
To increase system security, assign a simple Windows user to run the Integration Bridge.
Tip: You can protect the Integration Bridge installation folder by granting permissions to that folder only to administrators, the Local System service user, and the dedicated user you created.
Integration Bridge permissions
The Integration Bridge runs using the permissions of the Linux user that installed it, and this user will have full read, write, and execute permissions on all of the folders and files installed with the bridge.
Therefore, you may want to consider installing the Integration Bridge as a non-root user. If you do:
|Installing multiple Integration Bridges||If you install multiple bridges, we recommend that you use a separate set of Agile Manager credentials (client ID and secret) for each bridge.|
|Integration Bridge user||The Agile Manager user with the Integration Bridge role should not have any other additional roles.|
|On-premises application users||When defining permissions for users of on-premises applications that communicate with Agile Manager, such as ALM users, limit permissions to specifically required operations only.|
When a new version of the Integration Bridge is available, it is automatically downloaded from Agile Manager. The signature on the downloaded file is verified before the new version is installed.