You are not logged in. Click here to log in.

Codebeamer Application Lifecycle Management (ALM)
Log in Projects Wiki
Last ModifiedRecently Visited Items
Search In Project
Search inClear
anonymous
[WIKIPAGE-4413338] General Security Awareness
Tags:  not added yet

Table of Contents
 

1.1General Security Awareness

Codebeamer is a tool and every tool needs maintenance administration regular bases. Security administration is also an important key factor which needs to be take care and check against malicious hack attempts.

Here are we sort some key factors how to treat with your databases and passwords securely.

1.1.1Use HTTPS Instead of HTTP

Codebeamer communicates with client browsers by default with HTTP protocol which is a not secure protocol. If you log into Codebeamer your username and password will be sent over this protocol as plain text. It is strongly recommended using only Strong SSL Trusted Certificate (see below) to avoid password stealing. Using HTTPS protocol, all data including usernames and passwords will be encrypted by a trusted provider.

It is strongly recommended disabling all HTTP connectors thus only HTTPS based connectors are available.

1.1.2Trusted Certificate

There are several SSL Certificate providers but some of their Certificate are not strong enough and hackers may break their encryption. We strongly suggest to select Trusted and Strong Certificate providers to mitigate the impact of hack attempts. (Some examples: Geo Trust, Rapid SSL, Symantec, DigiCert, Comodo)

1.1.3VPN

If working via Internet is it strongly recommended using VPN connection to make communication more secure.

1.1.4Attachment and Document Storage

As default, all attachments and documents (under Documents tab) are stored to the file system without any encryption. With Oracle, it can be configured in general.xml file to store such data into the database as below: 

<document store-into-db="true" ...


This configuration is recommended only with Oracle!

Additionally file system with encryption is also recommended.

1.1.5Rest API Uses Basic Authentication Protocol

Basic Authentication is a simplest way to provide your username and password to the given server, as described before here the passwords are posted to the server as Plain text message and can cause security problems without HTTPS protocol usage.

1.1.6Secure Your Database Password

Starting from Codebeamer 9.2.0

Database passwords stored as plain text by default in general.xml file but starting from Codebeamer 9.2.0 administrators can select encryption methods to make sure passwords can not be accessed by non authorised members. Encrypted passwords may not part of the general.xml as well we store it into Codebeamer home directory and will only be accessible for Codebeamer user.

It is possible to set the storage type of the database connection password in the 'database' tag in the general.xml as an attribute: 'JDBC_Password_Storage'.

Possible values:

  • plain - the password will be stored in the general.xml as a plain text
  • encrypted - the password will be stored in the general.xml in encrypted format
  • external - the password will be stored in an external file in the config folder in encrypted format

When Codebeamer is starting then it will check the JDBC_Password attribute in the general.xml. If there is a not encrypted password and the storage type is encrypted or external then the password will be encrypted automatically. If the storage type is external then the JDBC_Password attribute will be removed from the general.xml.

For example: 

<database
	JDBC_Driver="oracle.jdbc.driver.OracleDriver"
	JDBC_ConnectionURL="jdbc:oracle:thin:@localhost:1521/orcl12"
	JDBC_Username="user"
	JDBC_Password_Storage="external"
	/>

1.1.7Secure Your Repository Passwords

Starting from Codebeamer 9.2.0

Repository passwords stored as plain text in database for Repositories but starting from Codebeamer 9.2.0 all SCM repository passwords are also encrypted automatically after the creation or modification process of Repository metadata.

1.1.7.1Authentication Handling with Subversion, Git and Mercurial

Accessing Subversion Using Apache


Subversion is accessible across Apache using HTTP and HTTPS protocols. But Archiving that to access managed Codebeamer Subversion repositories using Client Applications, the Codebeamer user md5 password hashes are stored in Apache .htaccess file. This solution is now not secure. Instead of, alternative Apache authentication is recommend. Storing passwords in md5 format into .htaccess can be disabled in general.xml with using the scc / htaccess="false" attribute. More information is available about these settings here.


Accessing Subversion Using SVN Protocol


It is strongly not recommend to use Subversion using svn:// protocol. SVN stores passwords as plain text in passdb file. By default SVN passwords are not stored in file system but it is configurable in the general.xml with using the svn / export_passwords="false" attribute. For more information, see page The general.xml configuration file.


Git and Mercurial Authentication


Git and Mercurial authentication over HTTP(S) is performed by Codebeamer directly thus .htaccess is not required.
Fast Links

codebeamer Overview
What is new?
How-to videos

codebeamer Knowledge Base
User's Guide (user manual)
Administrator's Guide
Installation Guide
Developer's Guide
Localization Guide

Services by Intland Software
Product Support
Consulting
Training

Integrations