Installation security

This section provides information on aspects of installation security.

Supported operating systems

For the list of supported system environments, see Support Matrix.

About system file permissions in Windows: Server files and folders by default inherit the permissions of the root folder in which they are stored. This lets all regular users read and execute these files. We recommend that you either remove the read and execute permissions for all regular users or stop those permissions from being inherited. For details, see the Microsoft documentation.


Web server security recommendations

It is important to configure your front-end web server for strong encryption (ciphers and protocols) to ensure a secure channel between the client and the server. For information on how to restrict the use of certain cryptographic algorithms and protocols at the web server level (IIS and Apache), see this KB article.

IIS Web Server

For information on enabling SSL/TLS for all interactions with the web server, see the Microsoft documentation.

Note: SSL/TLS should be enabled for the entire IIS web server under which you installed the OpenText Application Quality Management applications.

To disable weak ciphers on IIS, see the Microsoft documentation.

Apache web server

For information on enabling SSL/TLS for all interactions with the web server and on enforcing strong security, see the Apache documentation.


Application server security recommendations

  • For information on how to configure Jetty to support HTTP Strict Transport Security (HSTS), see this KB article.

    Note: This is irrelevant if you are using 15.0.1 Patch 3, 15.5.1 Patch 1, or their later versions, because the HSTS header is configured by default when TLS or SSL is enabled.

  • When configuring SSL/TLS on the ALM application server (Jetty), keep your keystore in a private directory with restricted access. Although the Java keystore is password protected, it remains vulnerable as long as the password has not been changed from its default value, changeit.

  • Always change default passwords.

  • Always obfuscate passwords entered into the jetty.xml file. For details, see the Jetty documentation.

  • Since the default td user password is documented, it is strongly recommended to change the td user’s password. This is done during the installation in the Create new SA schema step, if the td user does not yet exist in this database server. Each subsequent installation that uses the same database server uses the existing td user credentials. To change the password for the previously created td user, follow the steps in this KB article.

  • Configure Jetty to use secure cookies.

  • Always change the default password when creating a database schema.

  • Limit the access to directories to relevant users (such as system administrators, the user who runs the OpenText Application Quality Management service, and users who have a site administrator role in the application).

  • Always use the minimum permissions possible when installing and running.

    Note: It is recommended to limit access to directories to relevant users, such as the site administrator, system administrator, and the user who runs the OpenText Application Quality Management service.
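The keystore recommendations above (private keystore directory, no default changeit password) can be checked before the Jetty service starts. The following script is an added example, not part of the OpenText documentation; the directory layout, the service user and the password source are assumptions.

```shell
#!/bin/sh
# Added example, not part of the OpenText documentation: pre-start checks for
# the Jetty TLS keystore on a Linux ALM application server. The directory
# layout, the service user and the password source are assumptions.

# Pass: directory exists and grants no permissions to group or other.
# Columns 5-10 of `ls -ld` hold the group and other permission bits, which
# keeps this portable across GNU and BSD userlands.
keystore_dir_is_private() {
    dir="$1"
    [ -d "$dir" ] || return 1
    perms=$(ls -ld "$dir" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Pass: password is set and is not the JDK keystore default "changeit".
keystore_password_ok() {
    pw="$1"
    [ -n "$pw" ] || return 1
    [ "$pw" != "changeit" ]
}

# Returns 0 only when both checks pass, so it can gate the service start.
preflight() {
    keystore_dir_is_private "$1" && keystore_password_ok "$2"
}

# Once a password is chosen, Jetty's own utility produces the obfuscated
# form for jetty.xml (version in the jar name is a placeholder):
#   java -cp "$JETTY_HOME/lib/jetty-util-<version>.jar" \
#       org.eclipse.jetty.util.security.Password "$pw"

# Demonstration on a constructed temporary directory so it runs anywhere.
demo() {
    tmp=$(mktemp -d)
    ks="$tmp/jetty-keystore"
    mkdir "$ks"
    chmod 0755 "$ks"            # common default: readable by every user
    preflight "$ks" "changeit" || echo "FAIL: world-readable dir, default password"
    chmod 0700 "$ks"            # private to the service user
    preflight "$ks" "Pr1vate-ks-passw0rd" && echo "OK: private dir, non-default password"
    rm -rf "$tmp"
}

demo
```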

Action: Installing
Permissions needed for user:
  • Windows: Administrator permissions
  • Linux: The user who installs must have read/write/execute permissions on all the relevant folders (installation, deployment, repository, and temp folders). All related installation operations for the same version, such as patch installations or uninstalling, must be performed by the same user.

Action: Running
Permissions needed for user:
  • Windows: The Windows service runs as the system user or a specific user (the user must have access to the file repository).
  • Linux: The service runs as a daemon that does not require superuser privileges. It can be registered to run as a specific user with certain minimal permissions.

Action: Database connection
Permissions needed for user: The td user permissions must be set properly according to the recommendations in Prerequisites: Microsoft SQL Database Servers or Prerequisites: Oracle Database Servers. Do not use a higher level of permissions than required. Do not use the default password when creating the schema.


FAQ

Question

Does OpenText Application Quality Management ensure that configuration files are not stored in the same directory as user data?

Answer

The user can change the location of the repository and log files according to best practices to avoid mixing user data with configuration files.

Question

Does OpenText Application Quality Management install with unnecessary functionality disabled by default?

Answer

Yes, functionality is license driven.

Question

Are application resources protected with permission sets that allow only an application administrator to modify application resource configuration files?

Answer

Yes, only the user with permission to access specific directories on the OpenText Application Quality Management server machine can modify OpenText Application Quality Management configuration files.

Question

Does OpenText Application Quality Management execute with no more privileges than necessary for proper operation?

Answer

Yes, the permissions model is constantly reviewed and only necessary permissions are required.
