Secure your PulseUno installation

Use recommendations and solutions described in this topic to make your PulseUno installation more secure.

Security recommendations

Follow these recommendations to improve the security of your PulseUno installation:

  • Give write permissions to the PulseUno data directories only to authorized users. For details, see Restrict access to data directories.

  • Give read permissions for the Tomcat configuration file only to the Common Tomcat owner. For details, see Restrict access to Tomcat configuration file.

  • Install agents on a separate machine from the PulseUno server.

  • Do not run PulseUno servers and agents as the root user.

  • Protect the master.key file that is used to encrypt private data in the database. For details, see Safeguard the master.key file.

  • Secure communication between PulseUno servers and agents by setting up SSL mutual authentication. For details, see Set secure agent connections.

  • Define a list of trusted networks from which PulseUno accepts Application Lifecycle Framework (ALF) events. For details, see Set system properties.

  • Configure PulseUno to use SSO authentication. For details, see Use external authentication.

Back to top

Restrict access to data directories

To mitigate the risks of corrupting or losing important data, control who has access to sensitive files and directories in your PulseUno installation.

We recommend that you give write permissions to the following data directories only to those users who are authorized to run the corresponding components:

Directory Description
<pulse_data> The PulseUno server configuration, logs, and application caches.
<git_data> The Git server configuration, logs, caches, and Git repository contents.
<vault_data> The Vault server configuration, logs, caches, and vault artifacts.
<pulseAgentDataDir> The agent configuration, logs, caches, and workspace contents.

For details about data directories, see Installation directories.

The following files in the PulseUno server's configuration directory <pulse_data>\conf are particularly sensitive and should be read-only for most users:

  • startup.properties

  • api-tokens.properties

  • pulse-instance.uuid

  • master.key and all other files in the keys subdirectory.

We recommend that only the Common Tomcat owner account is authorized to write to the <pulse_data>\conf directory. It must not be the root user account.

For details about configuration directories, see Configuration settings.

Back to top

Restrict access to Tomcat configuration file

To mitigate the risk of revealing your keystore and truststore passwords, control who has access to the Tomcat configuration file.

We recommend that you give read permissions for the configuration file <tomcatDir>\conf\server.xml only to the Common Tomcat owner.

For details about the Tomcat directory, see Installation directories.

Back to top

Safeguard the master.key file

PulseUno encrypts all local private data using the master.key file in the <pulse_data>\conf\keys directory. To minimize the risk of losing access to the encrypted data, secure this file:

  • Allow only the Common Tomcat owner account to have write permissions for the master.key.

  • Create a backup copy of the master.key and keep it in a secure place outside the PulseUno server.

Note: If you are running multiple PulseUno web applications (pulse.war) on the same database, ensure that they use the same master.key file.

In a situation when you lose the master.key file, for example, after moving your PulseUno server to another machine or restoring PulseUno from a backup, you need to re-set the following sensitive data:

  • Secrets added in PulseUno.

  • Connection details for secrets providers.

  • Credentials for external connections, such as GitHub, ALM Octane, or Dimensions CM.

If PulseUno cannot find a master.key file upon startup, it automatically generates a new master.key and writes an entry in the server log to indicate that the new master.key was generated. You can check the log file in the following location:

<pulse_data>\_logs\pulse.<date>.<number>.log

Because the new master.key cannot decrypt data from the lost master.key, you need to remove the old data and re-set the lost credentials and connection details.

To clean up and re-set locally encrypted data:

  1. In the <pulse_data>\conf directory, create the following empty files with no extension: resetgitpasswords and resetcredentials.

    Default locations:

    Windows C:\ProgramData\OpenText\PulseUno\pulse_data\conf
    Linux /opt/opentext/pulseuno/data/pulse_data/conf
  2. Launch the PulseUno web application.

    During startup, PulseUno uses the empty files to reset the internal Git connection security and clean up the data encrypted with the old master.key. After that, PulseUno deletes the empty files.

  3. In PulseUno, re-enter any secrets, usernames and passwords, private keys, and connection details for tools and applications with which you are integrating.

Back to top

See also: