Security site settings

This section lists the site parameters and related settings that are relevant to security, grouped by the risk they address.

Secure storage

Users can upload files to the application server: attachments, saved automation scripts, test run results, and so on. Every file uploaded to the server must be treated as untrusted and validated, since it can carry viruses, malicious code, or Trojan horses that could infect the entire system. An attacker or a malicious user can upload malicious files from one account and have them downloaded to any number of other client machines.

The site administrator can limit the types of files that can be uploaded by using the FILE_EXTENSION_BLACK_LIST_UPLOAD site parameter, which filters unwanted file types by extension. However, an extension filter inspects only the file name, not the content, so a file of an allowed type can still contain dangerous content. As a result, a downloaded file must still be opened with caution.

It is strongly recommended to implement proper antivirus protection for the file storage allocated for the repository.

The site administrator can also restrict the download of specific file types, as described under Secure client installation below.

In addition, the size of the file uploaded as an attachment can be limited by setting the UPLOAD_ATTACH_MAX_SIZE site parameter.

Because OpenText Application Quality Management also exposes file storage through the OTA API, that path must be secured as well: set the DISABLE_EXTENDED_STORAGE and RESTRICT_SERVER_FOLDERS site parameters so that API clients cannot reach server folders outside the repository.

Secure client installation

As mentioned above, attachment files can contain dangerous content. As a result, a downloaded file must be opened with caution. The site administrator can help protect the client machine by using the FILE_EXTENSION_BLACK_LIST_DOWNLOAD and DOWNLOAD_REST_ATTACHMENTS site parameters to restrict certain file types from being downloaded.
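The following Python example is added here to illustrate both the upload blacklist described under Secure storage and the download blacklist described in this section; it is not code from OpenText Application Quality Management. The blacklist contents, the size limit, the treatment of UPLOAD_ATTACH_MAX_SIZE as a byte count, and all helper names are assumptions made for the example. It normalizes file names the way a client file system would (case, trailing dots and spaces, double extensions, path separators) before matching them against the extension list, and then sniffs the content to show why a file that passes the blacklist still needs antivirus scanning on the server and caution on the client.

```python
import os
from typing import FrozenSet, List, Optional

# Constructed example values for the site parameters named above; the real
# values are whatever Site Administration holds for your site.
FILE_EXTENSION_BLACK_LIST_UPLOAD = "exe, bat, cmd, com, js, vbs, ps1, scr, msi, dll, hta"
FILE_EXTENSION_BLACK_LIST_DOWNLOAD = FILE_EXTENSION_BLACK_LIST_UPLOAD
UPLOAD_ATTACH_MAX_SIZE = 10 * 1024 * 1024  # assumed to be a byte count here

# Leading bytes used to identify content independently of the claimed extension.
MAGIC = (
    (b"MZ", "windows-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"PK\x03\x04", "zip-container"),  # also .docx, .xlsx, .jar, .apk
)


def parse_blacklist(value: str) -> FrozenSet[str]:
    """Parse the comma-separated parameter value into a normalized set."""
    return frozenset(
        item.strip().lstrip(".").lower()
        for item in value.split(",")
        if item.strip()
    )


def effective_extensions(filename: str) -> List[str]:
    """Return every extension in the name, last one first.

    'report.pdf.exe' -> ['exe', 'pdf']. Trailing dots and spaces are stripped
    because Windows drops them when the file is written, so 'evil.exe. ' lands
    on disk as 'evil.exe'. Directory components are removed so a name such as
    '..\\evil.exe' cannot hide its extension behind path syntax.
    """
    base = os.path.basename(filename.replace("\\", "/")).rstrip(". ")
    parts = base.split(".")[1:]
    return [p.lower() for p in reversed(parts) if p]


def is_blocked_by_extension(filename: str, blacklist: FrozenSet[str]) -> bool:
    """Any extension in the chain counts, so 'tool.exe.txt' is blocked too.

    This is deliberately stricter than a last-extension check: nothing on the
    download side stops a user renaming 'tool.exe.txt' back to 'tool.exe'.
    """
    return any(ext in blacklist for ext in effective_extensions(filename))


def sniff(content: bytes) -> Optional[str]:
    """Identify well-known binary formats from their leading bytes."""
    for magic, kind in MAGIC:
        if content.startswith(magic):
            return kind
    return None


def check_upload(
    filename: str,
    content: bytes,
    blacklist: FrozenSet[str] = parse_blacklist(FILE_EXTENSION_BLACK_LIST_UPLOAD),
    max_size: int = UPLOAD_ATTACH_MAX_SIZE,
) -> List[str]:
    """Return the reasons an upload would be rejected; an empty list means accepted.

    The extension and size checks model what the two site parameters do. The
    content check is the extra control the page asks for: an executable
    uploaded as 'notes.txt' passes the blacklist and is caught only here or by
    the antivirus scan of the repository storage.
    """
    reasons = []
    if is_blocked_by_extension(filename, blacklist):
        reasons.append("extension is in FILE_EXTENSION_BLACK_LIST_UPLOAD")
    if len(content) > max_size:
        reasons.append("size exceeds UPLOAD_ATTACH_MAX_SIZE")
    kind = sniff(content)
    if kind is not None and kind.endswith("executable"):
        reasons.append("content is a " + kind + " regardless of its extension")
    return reasons


def download_allowed(
    filename: str,
    blacklist: FrozenSet[str] = parse_blacklist(FILE_EXTENSION_BLACK_LIST_DOWNLOAD),
) -> bool:
    """Model FILE_EXTENSION_BLACK_LIST_DOWNLOAD with the same normalization."""
    return not is_blocked_by_extension(filename, blacklist)


if __name__ == "__main__":
    for name, data in [("setup.exe", b"MZ\x90\x00"), ("notes.txt", b"MZ\x90\x00"),
                       ("Setup.EXE. ", b"x"), ("results.xml", b"<r/>")]:
        print(name, check_upload(name, data) or "accepted")
```

The case that matters most is the second one in the usage loop: `notes.txt` carrying a Windows executable is accepted by the blacklist and rejected only by the content check, which is exactly why the page insists on antivirus protection for the repository storage and on opening downloaded files with caution.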

Secure access to Excel report query execution

Business View Microsoft Excel reports use DQL queries to retrieve data from the database. The SQL that runs against the database is generated from the DQL by the server; the user cannot edit that generated SQL manually, so forbidden commands cannot be inserted into it.

For supported DQL functions, see Work with DQL. You can customize the maximum number of records that can be retrieved from the database by setting Row Limit in Excel. For details, see Business Views Microsoft Excel reports.

Secure debug features

A set of tools is provided for troubleshooting and to improve supportability. These features can expose sensitive internal information about the system and about activities performed on it, so they are disabled by default and are switched on only by changing the following site parameters. Note the naming: an ENABLE_* parameter turns its feature on when set, whereas a DISABLE_* parameter turns its feature off, so moving a DISABLE_* parameter away from its default is what exposes the feature. Validate that every one of these parameters is back at its default value immediately after you have finished using the debug feature, and treat any of them left in a non-default state as a finding.

The debug-related site parameters are:

  • ENABLE_JMX_CONSOLE
  • ENABLE_PERFORMANCE_MONITOR_BIRT_REPORTS
  • DISABLE_CONSOLE_DEBUG_INFO
  • DISABLE_COMMAND_INTERFACE
  • DISABLE_VERBOSE_ERROR_MESSAGES
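The following Python example is added here as the post-troubleshooting check the paragraph above recommends; it is not code from OpenText Application Quality Management. It assumes you have extracted the current site parameters into a name-to-value mapping (the sample mapping below is constructed) and that flag values are written as Y/N or true/false, which is an assumption to adjust if your site stores them differently. The on/off mapping is derived purely from the ENABLE_/DISABLE_ prefix of each parameter name.

```python
from typing import Dict, List, Optional

# The debug-related site parameters listed above, in the order the page gives them.
DEBUG_PARAMETERS = (
    "ENABLE_JMX_CONSOLE",
    "ENABLE_PERFORMANCE_MONITOR_BIRT_REPORTS",
    "DISABLE_CONSOLE_DEBUG_INFO",
    "DISABLE_COMMAND_INTERFACE",
    "DISABLE_VERBOSE_ERROR_MESSAGES",
)

# Assumed value vocabulary; adjust if your site stores flags differently.
TRUE_VALUES = {"y", "yes", "true", "1"}
FALSE_VALUES = {"n", "no", "false", "0"}


def parse_flag(value: str) -> Optional[bool]:
    """Read a Y/N or true/false style value; None if it is not recognizable."""
    v = value.strip().lower()
    if v in TRUE_VALUES:
        return True
    if v in FALSE_VALUES:
        return False
    return None


def feature_on(name: str, value: str) -> Optional[bool]:
    """Answer 'is the debug feature controlled by this parameter currently on?'

    ENABLE_* parameters turn the feature on when true. DISABLE_* parameters are
    named for the restriction, so their feature is on when they are false.
    """
    flag = parse_flag(value)
    if flag is None:
        return None
    if name.startswith("ENABLE_"):
        return flag
    if name.startswith("DISABLE_"):
        return not flag
    raise ValueError("not an ENABLE_/DISABLE_ parameter: " + name)


def audit_debug_parameters(site_params: Dict[str, str]) -> List[str]:
    """Return one finding per debug feature that is on or whose value is unreadable.

    A parameter absent from the mapping is taken to be at its default, which
    the documentation states leaves the feature off, so it yields no finding.
    """
    findings = []
    for name in DEBUG_PARAMETERS:
        if name not in site_params:
            continue
        state = feature_on(name, site_params[name])
        if state is None:
            findings.append(f"{name}={site_params[name]!r}: unrecognized value, check manually")
        elif state:
            findings.append(f"{name}={site_params[name]!r}: debug feature is ON, reset to default")
    return findings


# Constructed sample: JMX console left on, command interface re-enabled,
# one value that cannot be interpreted.
SAMPLE_SITE_PARAMS = {
    "ENABLE_JMX_CONSOLE": "Y",
    "ENABLE_PERFORMANCE_MONITOR_BIRT_REPORTS": "n",
    "DISABLE_CONSOLE_DEBUG_INFO": "maybe",
    "DISABLE_COMMAND_INTERFACE": "N",
    "DISABLE_VERBOSE_ERROR_MESSAGES": "Y",
}

if __name__ == "__main__":
    for line in audit_debug_parameters(SAMPLE_SITE_PARAMS):
        print(line)
```

Run it after every troubleshooting session; an empty result is the state the page asks you to confirm. The inversion in `feature_on` is the point of the check: `DISABLE_COMMAND_INTERFACE=N` looks harmless in a parameter listing but means the command interface is reachable.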

Secure access

  • Display of the last user login name is controlled by the DISPLAY_LAST_USER_INFO site parameter.
  • Display of the last login attempt is controlled by the DISPLAY_LAST_LOGIN_ATTEMPT site parameter.
  • Whether a project administrator can change user details is controlled by the ALLOW_UPDATE_USER_PROPERTIES_FROM_CUSTOMIZATION site parameter.
  • Whether users can reset their passwords using the Forgot Password link is controlled by the PASSWORD_RESET_DISABLE, PASSWORD_RESET_VALID_PERIOD, and PASSWORD_RESET_SERVER site parameters.
  • The following site parameters control the user session:
    • WAIT_BEFORE_DISCONNECT
    • FAST_RECONNECT_MODE
    • AUTO_LOGOUT_ON_SERVER_DISCONNECT
  • The number of failed login attempts a user can make before the account is deactivated is controlled by the MAX_INVALID_LOGINS_ATTEMPT_TO_LOCKOUT site parameter. In addition, the INTERVAL_BETWEEN_INVALID_LOGINS_TO_LOCKOUT site parameter resets the count of failed logins when the specified amount of time has passed since the last attempt, so only failures that occur within that interval of each other accumulate toward the lockout.
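The following Python example is added to show how the two lockout parameters interact; it is not code from OpenText Application Quality Management, and the exact counting rules of the product may differ in detail. The parameter values and the authentication log are constructed, the interval is treated as seconds (check the parameter description for its real unit), and the class and function names are hypothetical. It replays a log of login attempts through the rule "reset the failure count if the previous failure is older than the interval, otherwise accumulate, and deactivate at the maximum".

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed values for the two site parameters named above. The interval is
# treated as seconds here; check the parameter's description for its real unit.
MAX_INVALID_LOGINS_ATTEMPT_TO_LOCKOUT = 3
INTERVAL_BETWEEN_INVALID_LOGINS_TO_LOCKOUT = 600


@dataclass
class AccountState:
    failures: int = 0                        # failures counted toward lockout
    last_failure_at: Optional[float] = None  # timestamp of the latest failure
    locked_at: Optional[float] = None        # set once the account is deactivated


class LockoutPolicy:
    def __init__(self, max_attempts: int, reset_interval: float) -> None:
        self.max_attempts = max_attempts
        self.reset_interval = reset_interval

    def attempt(self, state: AccountState, now: float, credentials_ok: bool) -> str:
        """Apply one login attempt; returns 'ok', 'failed' or 'locked'."""
        if state.locked_at is not None:
            # A deactivated account rejects even a correct password until an
            # administrator reactivates it.
            return "locked"
        if credentials_ok:
            state.failures = 0
            state.last_failure_at = None
            return "ok"
        # The interval rule: if the previous failure is older than the
        # interval, the counter starts over instead of accumulating.
        if (state.last_failure_at is not None
                and now - state.last_failure_at > self.reset_interval):
            state.failures = 0
        state.failures += 1
        state.last_failure_at = now
        if state.failures >= self.max_attempts:
            state.locked_at = now
            return "locked"
        return "failed"


def replay(events: List[Tuple[float, str, bool]],
           policy: LockoutPolicy) -> Dict[str, AccountState]:
    """Run a (timestamp, user, credentials_ok) event list through the policy."""
    states: Dict[str, AccountState] = {}
    for ts, user, ok in events:
        policy.attempt(states.setdefault(user, AccountState()), ts, ok)
    return states


# Constructed authentication log; each user's events are in time order.
SAMPLE_EVENTS = [
    (0.0,    "alice", False),
    (100.0,  "alice", False),
    (800.0,  "alice", False),  # 700 s since the last failure: counter restarts at 1
    (900.0,  "alice", False),
    (950.0,  "alice", False),  # third failure inside the interval: deactivated
    (1000.0, "alice", True),   # correct password, still rejected
    (0.0,    "bob",   False),
    (10.0,   "bob",   False),
    (20.0,   "bob",   True),   # success clears the counter
]

DEFAULT_POLICY = LockoutPolicy(MAX_INVALID_LOGINS_ATTEMPT_TO_LOCKOUT,
                               INTERVAL_BETWEEN_INVALID_LOGINS_TO_LOCKOUT)

if __name__ == "__main__":
    for user, state in replay(SAMPLE_EVENTS, DEFAULT_POLICY).items():
        print(user, state)
```

In the constructed log, alice's third failure at 800 s does not lock her because it is more than the interval after the previous one, while the same three failures with a very long interval would. The two parameters therefore have to be set together: a low maximum with a long interval deactivates accounts sooner, which also makes it easier for anyone who knows a user name to lock that user out deliberately.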

Secure data hiding

Data hiding involves hiding rows and columns from users. The DATA_HIDING_MODE site parameter controls whether hidden data is transferred from the application server to a client at all. The default value, which is highly recommended, blocks the transfer, so hidden data never reaches a client where it could be recovered from the server's response.

Restrict mail distribution

You can restrict which users receive emails from OpenText Application Quality Management. For details, see Configure parameters and mail settings.

Restrict external attachments

Whether external attachments can be saved to the database is controlled by the DENY_EXTERNAL_IMAGES site parameter.

Best practice

  • Set the UPLOAD_ATTACH_MAX_SIZE site parameter to limit the size of the file uploaded as an attachment.

  • Update user passwords regularly.

    1. Enable the Users must reset their passwords once in every <number> days password policy for all users. Set the <number> parameter to smaller values for admin users. For details, see Password policy management.

    2. Reset the password when the old password expires.