Integration Bridge security

The Integration Bridge does not expose any internal information. Additionally, HPE application JAR files are signed by HPE, helping to validate the code's origin.

Communication with ALM Octane using OAuth authentication

The Integration Bridge uses OAuth authentication when connecting to ALM Octane, instead of using the credentials of an ALM Octane user.

Communication via SSL

Communication between the Integration Bridge and ALM Octane is secured by SSL.

The bridge logs in to ALM Octane using the ALM Octane user credentials or client ID and secret provided during installation, or later as described in Set ALM Octane credentials.

Connections using a certificate that is not signed by a well-known Certificate Authority

If you connect to a secured ALM Octane or ALM server using a certificate that is not signed by a well-known Certificate Authority, you must establish trust for the certificate.

To establish this trust, import the issuer's certificate to the JRE's truststore in the following directory:

<Integration Bridge installation directory>\product\util\3rd-party\jre1.7.0_51\jre\lib\security\ (On Linux, reverse the slashes in this path and the ones below)

Do the following:

  1. With ALM Octane or ALM open in your browser window, export the certificate from the browser, and save it to a file named server.cer.

  2. On the Integration Bridge machine, place the server.cer file in the <Integration Bridge installation>\product\util\3rd-party\jre1.7.0_51\jre\bin directory.

  3. Use the keytool command from the <Integration Bridge installation>\product\util\3rd-party\jre1.7.0_51\jre\bin directory to import the server.cer file to the <Integration Bridge installation>\product\util\3rd-party\jre1.7.0_51\jre\lib\security\cacerts truststore file.

    For example:

    (Windows) keytool.exe -import -v -trustcacerts -alias <alias> -file server.cer -storepass <password> -keystore <Integration Bridge installation>\product\util\3rd-party\jre1.7.0_51\jre\lib\security\cacerts

    Note: You may need to repeat this command for the rest of the certificate chain, using a different alias each time.

  4. Restart the Integration Bridge.
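
The Linux form of the import in step 3, as an added example that is not HPE's own script: it compares the SHA-256 fingerprint of the exported certificate with one obtained separately from the server's administrator, and imports only on a match. BRIDGE_HOME, the function names and the expected fingerprint are placeholders, and the parsing assumes keytool -printcert prints a line beginning "SHA256:".

```shell
#!/bin/sh
# Added example, not HPE code. BRIDGE_HOME is a placeholder for the
# installation directory; the JRE path below it is the one on this page.
BRIDGE_HOME="${BRIDGE_HOME:-/opt/integration-bridge}"
JRE="$BRIDGE_HOME/product/util/3rd-party/jre1.7.0_51/jre"

# Reduce a fingerprint to bare uppercase hex, so "ab:cd" and "ABCD" compare equal.
normalize_fp() {
    printf '%s' "$1" | tr -d ': \t\r\n' | tr 'abcdef' 'ABCDEF'
}

# Succeed only if both values are the same 64-hex-digit SHA-256 fingerprint.
fp_matches() {
    a=$(normalize_fp "$1"); b=$(normalize_fp "$2")
    case "$a" in ''|*[!0-9A-F]*) return 1 ;; esac
    [ "${#a}" -eq 64 ] && [ "$a" = "$b" ]
}

# Print the SHA-256 fingerprint that keytool reports for a certificate file.
# Assumes the "SHA256:" line format of keytool -printcert output.
cert_fp() {
    "$JRE/bin/keytool" -printcert -file "$1" |
        sed -n 's/^[[:space:]]*SHA256:[[:space:]]*//p'
}

# Usage: import_cert <alias> server.cer "<fingerprint from the administrator>"
import_cert() {
    actual=$(cert_fp "$2")
    if ! fp_matches "$actual" "$3"; then
        echo "fingerprint mismatch for $2, not importing" >&2
        return 1
    fi
    # -storepass is left out on purpose: keytool then prompts for the
    # password, which keeps it out of the process list and shell history.
    "$JRE/bin/keytool" -import -v -trustcacerts -alias "$1" -file "$2" \
        -keystore "$JRE/lib/security/cacerts" &&
    # Confirm the entry is now present under the chosen alias.
    "$JRE/bin/keytool" -list -alias "$1" -keystore "$JRE/lib/security/cacerts"
}
```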

Password encryption

Passwords for connecting to endpoints are encrypted and saved on the customer's machine, preventing credentials from being transferred to another machine.

The encryption method uses keys that are randomly generated during installation. The bridge uses AES 128 as the main encryption method.

Security recommendations

Download sources

Do not download the Integration Bridge installation file or updates from unknown sources.

Integration Bridge machine

Install the Integration Bridge on a dedicated, hardened machine.

Integration Bridge network

Deploy the Integration Bridge in an isolated network, with a firewall between the bridge and the target on-premise application.

  • Port 443 must be open for communication with ALM Octane.

  • You may need to open additional ports for internal communication with other on-premise applications.

Integration Bridge permissions

Windows only

By default, the Integration Bridge service runs using the Windows Local System service user.

To increase system security, assign a simple Windows user to run the Integration Bridge.

  • Install the Integration Bridge in a folder other than the Program Files folder. This will enable you to grant the simple user permissions on the Integration Bridge installation folder.
  • Grant the user full permissions (Read/Write/Execute) on the installation folder.
  • Grant the user permissions to manage the Integration Bridge Windows service.
  • Open the Windows Service Manager, modify the HPE Integration Bridge service to run using the simple user's account and then restart the service.

Tip: You can protect the Integration Bridge installation folder by granting permissions to that folder only to administrators, the Local System service user, and the dedicated user you created.

Integration Bridge permissions

Linux only

The Integration Bridge runs using the permissions of the Linux user that installed it, and this user will have full read, write, and execute permissions on all of the folders and files installed with the bridge.

Therefore, you may want to consider installing the Integration Bridge as a non-root user. If you do:

  1. We recommend creating a dedicated user for managing the Integration Bridge. Use this user to install the bridge, and to manage the bridge activation manually when necessary.
  2. Protect the following files by changing their owner to root:

    • <Integration Bridge installation>/product/bin/HPEIntegrationBridge.sh
    • <Integration Bridge installation>/product/conf/wrapper.properties
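
A check that the two files in step 2 are protected as described, written as an added example rather than anything shipped with the bridge. The function names are hypothetical and the script relies on GNU stat, as found on Linux.

```shell
#!/bin/sh
# Added example, not HPE code. Uses GNU stat (-c), as found on Linux.

# check_protected FILE [OWNER]
# Succeeds only if FILE is a regular file (not a symlink), is owned by
# OWNER (default: root), and is not writable by group or others.
check_protected() {
    file=$1; want=${2:-root}
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        echo "FAIL $file: missing, or not a regular file" >&2
        return 1
    fi
    owner=$(stat -c '%U' "$file") || return 1
    mode=$(stat -c '%a' "$file") || return 1
    if [ "$owner" != "$want" ]; then
        echo "FAIL $file: owner is $owner, expected $want" >&2
        return 1
    fi
    # The mode is octal; 022 masks the group and other write bits.
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "FAIL $file: mode $mode is group- or world-writable" >&2
        return 1
    fi
    echo "OK   $file ($owner, $mode)"
}

# audit_bridge INSTALL_DIR
# Checks the two files named on this page; returns non-zero if either fails.
audit_bridge() {
    rc=0
    for f in product/bin/HPEIntegrationBridge.sh \
             product/conf/wrapper.properties; do
        check_protected "$1/$f" root || rc=1
    done
    return $rc
}
```

Ownership of a file does not stop a user who can write to its containing directory from replacing it, so review the permissions on product/bin and product/conf as well.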

Installing multiple Integration Bridges

If you install multiple bridges, we recommend that you use a separate set of ALM Octane credentials (client ID and secret) for each bridge.

Integration Bridge user

The ALM Octane user with the Integration Bridge role should not have any additional roles.

On-premise application users

When defining permissions for users of on-premise applications that communicate with ALM Octane, such as ALM users, limit permissions to specifically required operations only.

Integration Bridge automatic upgrades

When a new version of the Integration Bridge is available, it is automatically downloaded from ALM Octane. The HPE signature on the downloaded file is verified before the new version is installed.
