General Security Awareness
Codebeamer is a tool, and like every tool it needs regular maintenance and administration. Security administration is a key part of that: it has to be carried out and checked continuously against malicious attempts to compromise the instance.
This page collects the key points for handling your databases and passwords securely.
Use HTTPS Instead of HTTP
By default Codebeamer communicates with client browsers over HTTP, which is not a secure protocol: when you log in to Codebeamer, your username and password are sent over the network in plain text. It is strongly recommended to use HTTPS with a strong certificate from a trusted issuer (see below) to prevent password theft. Over HTTPS all traffic, including usernames and passwords, is encrypted between the browser and the server, and the certificate lets the browser verify that it is talking to your server and not to an impostor.
It is strongly recommended to disable all HTTP connectors so that only HTTPS-based connectors remain available.
Trusted Certificate
There are many SSL certificate providers, but not every certificate is strong enough: certificates with short keys or weak signature algorithms can be broken by attackers. We strongly suggest choosing a trusted Certificate Authority and a strong certificate, and configuring the server with current TLS versions and cipher suites, since even a good certificate does not protect a weak TLS configuration. (Some examples of established providers: Geo Trust, Rapid SSL, Symantec, DigiCert, Comodo)
VPN
If users work over the Internet, it is strongly recommended to use a VPN connection to make the communication more secure.
Attachment and Document Storage
By default all attachments and documents (under the Documents tab) are stored on the file system without any encryption. With Oracle, Codebeamer can be configured in the general.xml file to store such data in the database instead, as below:
<document store-into-db="true" ...
This configuration is recommended only with Oracle!
Additionally, storing the attachment directory on an encrypted file system is also recommended.
Rest API Uses Basic Authentication Protocol
Basic Authentication is the simplest way to present your username and password to a server. As described above, the credentials travel with every request in a Base64-encoded header, which is plain text for anyone who can observe the traffic, so using the REST API without HTTPS exposes the password.
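The following added example (not Codebeamer code, written here to illustrate the point above) builds the Authorization header a REST client sends, shows that anyone who captures it can recover the password by simply decoding it, and refuses to send it to a non-HTTPS URL. The username, password and URL are constructed sample values.

```python
import base64
from urllib.parse import urlsplit


def basic_auth_header(username, password):
    """Build the Authorization header value a REST client sends with Basic auth."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def recover_credentials(header_value):
    """What anyone who sees the header on the wire can do: decode it.
    Base64 is an encoding, not encryption, so the password comes back verbatim."""
    scheme, _, token = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    username, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return username, password


def enforce_https(url):
    """Refuse to send Basic credentials to anything but an https:// URL.
    Returns the URL unchanged when it is acceptable."""
    scheme = urlsplit(url).scheme.lower()
    if scheme != "https":
        raise ValueError(f"refusing to send Basic credentials over {scheme!r}")
    return url


if __name__ == "__main__":
    # Constructed sample credentials and endpoint, not real ones.
    header = basic_auth_header("bond", "secret")
    print(header)                              # Basic Ym9uZDpzZWNyZXQ=
    print(recover_credentials(header))         # ('bond', 'secret')
    print(enforce_https("https://codebeamer.example/rest/user"))
    try:
        enforce_https("http://codebeamer.example/rest/user")
    except ValueError as err:
        print(err)
```

A client wrapper should call enforce_https before attaching the header; the decode step is there to make it obvious why the header is worth protecting.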
Secure Your Database Password
Starting from Codebeamer 9.2.0
Database passwords are stored as plain text by default in the general.xml file, but starting from Codebeamer 9.2.0 administrators can select an encryption method so that the password cannot be read by unauthorised users. An encrypted password can also be kept out of general.xml entirely: it is then stored in the Codebeamer home directory in a file that is accessible only to the Codebeamer user.
The storage type of the database connection password is set in the 'database' tag of general.xml with the attribute 'JDBC_Password_Storage'.
Possible values:
- plain - the password will be stored in the general.xml as a plain text
- encrypted - the password will be stored in the general.xml in encrypted format
- external - the password will be stored in an external file in the config folder in encrypted format
When Codebeamer starts, it checks the JDBC_Password attribute in general.xml. If the password is not encrypted and the storage type is encrypted or external, the password is encrypted automatically. If the storage type is external, the JDBC_Password attribute is then removed from general.xml.
For example:
<database
JDBC_Driver="oracle.jdbc.driver.OracleDriver"
JDBC_ConnectionURL="jdbc:oracle:thin:@localhost:1521/orcl12"
JDBC_Username="user"
JDBC_Password_Storage="external"
/>
Secure Your Repository Passwords
Starting from Codebeamer 9.2.0
Repository passwords used to be stored as plain text in the database, but starting from Codebeamer 9.2.0 all SCM repository passwords are encrypted automatically whenever repository metadata is created or modified.
Authentication Handling with Subversion, Git and Mercurial
Accessing Subversion Using Apache
Subversion can be accessed through Apache using the HTTP and HTTPS protocols. To let client applications reach Subversion repositories managed by Codebeamer, the MD5 hashes of the Codebeamer user passwords were written to an Apache .htaccess file. This is no longer considered secure; an alternative Apache authentication method is recommended instead. Writing MD5 password hashes to .htaccess can be disabled in general.xml with the scc / htaccess="false" attribute. More information about these settings is available here.
Accessing Subversion Using SVN Protocol
Using Subversion over the svn:// protocol is strongly discouraged: SVN stores passwords as plain text in the passdb file. By default SVN passwords are not written to the file system; this is controlled in general.xml by the svn / export_passwords="false" attribute. For more information, see the page The general.xml configuration file.
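The settings described in the sections Secure Your Database Password, Attachment and Document Storage, Accessing Subversion Using Apache and Accessing Subversion Using SVN Protocol can be audited in one pass. The following added example (written for this page, not part of Codebeamer) parses a general.xml and reports each setting left in a weak state. The two embedded files are constructed samples; the element and attribute names ('database' with JDBC_Password_Storage and JDBC_Password, 'document' with store-into-db, scc / htaccess, svn / export_passwords) are those named on this page, while the 'config' root element and the assumption that htaccess writing is on unless explicitly disabled are this example's own.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a weakly configured general.xml (not a real file).
WEAK_GENERAL_XML = """<config>
  <database
    JDBC_Driver="com.mysql.jdbc.Driver"
    JDBC_ConnectionURL="jdbc:mysql://localhost:3306/codebeamer"
    JDBC_Username="user"
    JDBC_Password="changeit"
    JDBC_Password_Storage="plain"/>
  <document store-into-db="true"/>
  <scc htaccess="true"/>
  <svn export_passwords="true"/>
</config>
"""

# Constructed hardened counterpart: Oracle, external password storage
# (JDBC_Password already removed by Codebeamer on start), no .htaccess
# hashes, no exported SVN passwords.
HARDENED_GENERAL_XML = """<config>
  <database
    JDBC_Driver="oracle.jdbc.driver.OracleDriver"
    JDBC_ConnectionURL="jdbc:oracle:thin:@localhost:1521/orcl12"
    JDBC_Username="user"
    JDBC_Password_Storage="external"/>
  <document store-into-db="true"/>
  <scc htaccess="false"/>
  <svn export_passwords="false"/>
</config>
"""


def audit_general_xml(xml_text):
    """Return a list of findings (strings) for the settings this page covers.
    An empty list means none of the checked settings is in a weak state."""
    root = ET.fromstring(xml_text)
    findings = []

    db = root.find("database")
    driver = db.get("JDBC_Driver", "") if db is not None else ""
    if db is not None:
        # Page: the attribute is optional and plain text is the default.
        storage = db.get("JDBC_Password_Storage", "plain")
        if storage == "plain":
            findings.append("database: JDBC_Password_Storage is 'plain'; "
                            "set it to 'encrypted' or 'external'")
        elif storage == "external" and db.get("JDBC_Password") is not None:
            # Codebeamer removes the attribute on its next start; until then a
            # possibly unencrypted password still sits in general.xml.
            findings.append("database: storage is 'external' but JDBC_Password "
                            "is still present in general.xml")

    doc = root.find("document")
    # Page: storing attachments in the database is recommended only with Oracle.
    if doc is not None and doc.get("store-into-db") == "true" \
            and "oracle" not in driver.lower():
        findings.append('document: store-into-db="true" is recommended only with Oracle')

    scc = root.find("scc")
    # Assumption: MD5 hashes go to .htaccess unless htaccess="false" is set.
    if scc is None or scc.get("htaccess", "true") != "false":
        findings.append('scc: MD5 password hashes are written to .htaccess; set htaccess="false"')

    svn = root.find("svn")
    # Page: export to passdb is off by default, so only an explicit "true" is weak.
    if svn is not None and svn.get("export_passwords", "false") == "true":
        findings.append('svn: passwords are exported to passdb in plain text; '
                        'set export_passwords="false"')

    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_GENERAL_XML), ("hardened", HARDENED_GENERAL_XML)):
        print(f"{name}:")
        for finding in audit_general_xml(text) or ["no findings"]:
            print("  -", finding)
```

To run it against a real instance, replace the embedded text with the contents of the deployed general.xml; the "external but JDBC_Password still present" finding is expected once, between editing the file and the next Codebeamer restart.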
Git and Mercurial Authentication
Git and Mercurial authentication over HTTP(S) is performed by Codebeamer directly, so no .htaccess file is required.