Administering security

After HCL OneTest™ Server is installed, you might want to administer its security to configure additional user-authentication controls such as password policies and email verification.

HCL OneTest Server uses a default security model that is provided by Keycloak. You can perform certain tasks with this default security model.

HCL OneTest Server also supports a Lightweight Directory Access Protocol and Active Directory (LDAP/AD) security model that is provided by Keycloak. If you already have access to an LDAP/AD provider, you can configure Keycloak to use that provider. For more information, see User Storage Federation in the Keycloak documentation.

The following sections describe some of the tasks that you can perform by using the default security model.

User sign up

By default, anyone who can reach the Login page can sign up for an account. The only check applied is the minimum password length; no email verification is performed, so a new user can register with any email address and the server has not confirmed that they own it. Treat self-registered identities as unverified until you make the configuration changes described below to authenticate users appropriately.

Users can visit the Login page at the following URL: https://<fully-qualified-dns-name>:443 and click Sign up.

Keycloak Admin Console login

An administrator must log in to the Keycloak Admin Console to administer default security.

The authentication and authorization implementation is provided by Keycloak (https://www.keycloak.org/). Day-to-day operations do not require access to the Keycloak Admin Console, but where necessary an administrator can log in to that console.

Log in at the following URL: https://<fully-qualified-dns-name>:443/auth/admin/

Note: The default user name for the Keycloak administrator is admin. The password is randomly generated when the software is installed. To see the password, find KEYCLOAK_ADMIN_SECRET in the .env file located in the installation directory. Because that value controls every account on the server, restrict read access to the .env file to the operating-system users who administer the installation.

Email settings

By default, the testserver realm has the Forgot Password switch turned on, but the reset link is useless until Keycloak can send email: the reset instructions are delivered to the user by email, and as an administrator you must enable that. If you also want users to verify their email addresses, Keycloak must likewise be able to email them a verification link.

You must provide SMTP server settings for Keycloak to send an email. After you log in to the Keycloak Admin Console as admin, see Email Settings in the Keycloak documentation.

Then, to set up the email verification, see Forgot Password in the Keycloak documentation.

Password policy

By default, the testserver realm has a password policy whose only rule is a minimum password length of 8. Combined with open sign-up, that is a weak baseline for a login page reachable over the network, so as an administrator you should review and tighten the password policies in Keycloak (for example by raising the minimum length and adding character-class or blacklist rules).

After you log in to the Keycloak Admin Console as admin, see Password Policies in the Keycloak documentation.
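Keycloak stores a realm's password policy as one string of provider terms joined by "and" (for example, length(8) and digits(1) and notUsername), which is the same form you see when you edit the policy in the Admin Console. The checker below is added here as an example; it is not HCL OneTest Server or Keycloak code. It parses that syntax for the common built-in providers and reports which terms a candidate password fails, so you can compare the default length(8) with a stronger policy before applying it. HARDENED_POLICY is a suggested value, not one the product ships with, and the checks approximate Keycloak's providers rather than reproduce them (the notUsername and notEmail comparisons here are case-insensitive).

```python
import re

# Added example: a local checker that mirrors the Keycloak password-policy
# string syntax for the providers listed in check_password(). It is not
# Keycloak's own implementation; Keycloak enforces the real policy server-side.
DEFAULT_POLICY = "length(8)"  # the testserver realm default described on this page
HARDENED_POLICY = (           # suggested stronger policy (an assumption, not a product default)
    "length(12) and digits(1) and lowerCase(1) and upperCase(1) "
    "and specialChars(1) and notUsername and notEmail"
)

# One term: a provider name with an optional parenthesised argument, e.g. length(8).
_TERM = re.compile(r"^\s*(\w+)\s*(?:\((.*)\))?\s*$")


def parse_policy(policy):
    """Turn 'length(8) and notUsername' into [('length', '8'), ('notUsername', None)].

    Terms are separated by ' and ', as in the realm's passwordPolicy string.
    A regexPattern argument that itself contains ' and ' is not supported here.
    """
    terms = []
    for part in policy.split(" and "):
        match = _TERM.match(part)
        if not match:
            raise ValueError(f"malformed policy term: {part!r}")
        terms.append((match.group(1), match.group(2)))
    return terms


def _count(pred, text):
    return sum(1 for ch in text if pred(ch))


def check_password(password, policy, username="", email=""):
    """Return the list of failed policy terms; an empty list means the password passes."""
    failures = []
    for name, arg in parse_policy(policy):
        if name == "length":
            ok = len(password) >= int(arg)
        elif name == "maxLength":
            ok = len(password) <= int(arg)
        elif name == "digits":
            ok = _count(str.isdigit, password) >= int(arg)
        elif name == "lowerCase":
            ok = _count(str.islower, password) >= int(arg)
        elif name == "upperCase":
            ok = _count(str.isupper, password) >= int(arg)
        elif name == "specialChars":
            # Anything that is not a letter or digit counts as a special character.
            ok = _count(lambda ch: not ch.isalnum(), password) >= int(arg)
        elif name == "notUsername":
            ok = password.lower() != username.lower()
        elif name == "notEmail":
            ok = password.lower() != email.lower()
        elif name == "regexPattern":
            ok = re.fullmatch(arg, password) is not None
        else:
            raise ValueError(f"unsupported policy provider: {name}")
        if not ok:
            failures.append(name if arg is None else f"{name}({arg})")
    return failures


if __name__ == "__main__":
    # Constructed sample inputs: the same candidate against both policies.
    for candidate in ("password", "Passw0rd", "Correct-Horse-42!"):
        print(candidate,
              "default ->", check_password(candidate, DEFAULT_POLICY) or "ok",
              "| hardened ->", check_password(candidate, HARDENED_POLICY, username="alice") or "ok")
```

Run the script to see that "password" and "Passw0rd" satisfy the default policy while only the longer passphrase with digits and punctuation satisfies the hardened one; the failed terms are printed in the order they appear in the policy string, which is the order Keycloak evaluates them in the Admin Console list.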

Server administrator

By default, there is no administrator for the server. Such an administrator is required for additional functions, which include claiming ownership of server projects and unarchiving them. However, you can promote any user to administrator.

Note: When you promote a user as an administrator, do not use that admin user to perform non-administration tasks. Instead, sign up another user. For more information, see User sign up.

After you log in to the Keycloak Admin Console as admin, see Groups in the Keycloak documentation.

User password

If you did not enable Keycloak to send instructions to a user about how to reset a password, you must use the Keycloak Admin Console to change their password for them. When you do, set the new password as temporary so that the user must replace it at their next login and the value you communicated to them does not remain in use.

After you log in to the Keycloak Admin Console as admin, see User Credentials in the Keycloak documentation.

User deletion

An administrator might need to log in to Keycloak to delete a user when that user is inactive or no longer needs to access the server. If you are not sure whether the account will be needed again, disable it instead: a disabled user cannot log in but can be re-enabled later, whereas deletion is permanent.

After you log in to the Keycloak Admin Console as admin, see Deleting Users in the Keycloak documentation.
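The Email settings, Server administrator, User password and User deletion tasks above are all realm operations that the Keycloak Admin Console performs through the Keycloak Admin REST API, so they can be scripted for repeatable administration. The client below is an added example, not HCL OneTest Server or Keycloak code. It assumes the /auth context path used by the URLs on this page, Keycloak's built-in admin-cli public client, the standard Admin REST endpoints for users, groups, credentials and realm settings, and the testserver realm. The host, the SMTP values and the name of the server-administrator group are placeholders or assumptions; the page does not name the group, so check it in the Groups view of the Admin Console.

```python
"""Scripted administration of the testserver realm over the Keycloak Admin REST API.

Added example; not HCL OneTest Server or Keycloak code. Assumes the /auth context
path shown on this page, the built-in admin-cli client and standard Admin REST endpoints.
"""
import json
import urllib.error
import urllib.parse
import urllib.request

BASE_URL = "https://<fully-qualified-dns-name>:443"  # host placeholder from this page
REALM = "testserver"                                  # realm name used on this page


def read_admin_secret(env_text):
    """Extract KEYCLOAK_ADMIN_SECRET from the contents of the installation-directory .env file."""
    for line in env_text.splitlines():
        line = line.strip()
        if line.startswith("KEYCLOAK_ADMIN_SECRET="):
            return line.split("=", 1)[1].strip().strip("\"'")
    raise KeyError("KEYCLOAK_ADMIN_SECRET not found in .env")


def urllib_transport(method, url, headers, data):
    """Real HTTP transport returning (status, body_bytes); replaced by a fake in tests."""
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


class KeycloakAdmin:
    def __init__(self, base_url=BASE_URL, realm=REALM, transport=urllib_transport):
        self.base_url, self.realm, self.transport, self.token = base_url.rstrip("/"), realm, transport, None

    def login(self, admin_password, admin_user="admin"):
        """Obtain an admin token from the master realm, where the Keycloak admin account lives."""
        form = urllib.parse.urlencode({"grant_type": "password", "client_id": "admin-cli",
                                       "username": admin_user, "password": admin_password}).encode()
        status, body = self.transport("POST", f"{self.base_url}/auth/realms/master/protocol/openid-connect/token",
                                      {"Content-Type": "application/x-www-form-urlencoded"}, form)
        if status != 200:
            raise RuntimeError(f"admin login failed: HTTP {status}")
        self.token = json.loads(body)["access_token"]
        return self.token

    def _call(self, method, path, payload=None, expect=(200, 204)):
        headers = {"Authorization": f"Bearer {self.token}", "Content-Type": "application/json"}
        data = None if payload is None else json.dumps(payload).encode()
        status, body = self.transport(method, f"{self.base_url}/auth/admin/realms/{self.realm}{path}", headers, data)
        if status not in expect:
            raise RuntimeError(f"{method} {path} failed: HTTP {status} {body[:200]!r}")
        return json.loads(body) if body else None

    def enable_email(self, smtp):
        """Partial realm update: SMTP settings plus the Forgot Password and Verify Email switches."""
        self._call("PUT", "", {"realm": self.realm, "smtpServer": smtp,
                               "resetPasswordAllowed": True, "verifyEmail": True}, expect=(204,))

    def user_id(self, username):
        users = self._call("GET", "/users?" + urllib.parse.urlencode({"username": username, "exact": "true"}))
        match = [u["id"] for u in users if u.get("username") == username]  # never act on a prefix match
        if not match:
            raise LookupError(f"no user {username!r} in realm {self.realm}")
        return match[0]

    def group_id(self, name):
        groups = self._call("GET", "/groups?" + urllib.parse.urlencode({"search": name}))
        match = [g["id"] for g in groups if g.get("name") == name]
        if not match:
            raise LookupError(f"no group {name!r} in realm {self.realm}")
        return match[0]

    def promote(self, username, admin_group):
        """Promote a user to server administrator by adding them to the administrator group."""
        uid, gid = self.user_id(username), self.group_id(admin_group)
        self._call("PUT", f"/users/{uid}/groups/{gid}", expect=(204,))
        return uid

    def set_temporary_password(self, username, new_password):
        """Set a password the user must change at next login (Keycloak's temporary credential)."""
        uid = self.user_id(username)
        self._call("PUT", f"/users/{uid}/reset-password",
                   {"type": "password", "value": new_password, "temporary": True}, expect=(204,))
        return uid

    def delete_user(self, username):
        uid = self.user_id(username)
        self._call("DELETE", f"/users/{uid}", expect=(204,))
        return uid
```

Typical use: read the secret with read_admin_secret(open(".env").read()) from the installation directory, call KeycloakAdmin().login(secret), then enable_email({"host": ..., "port": "587", "from": ..., "starttls": "true", "auth": "true", "user": ..., "password": ...}) with your SMTP details (Keycloak stores these smtpServer values as strings), promote("ops.admin", "<admin-group>"), set_temporary_password("alice", "<one-time value>") or delete_user("bob"). The user lookups filter on an exact username even though the endpoint is asked for an exact match, so a typo never promotes or deletes a different user whose name shares a prefix; the admin token is short-lived, so log in again if a long script starts receiving HTTP 401.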
