Security requirements

Tricentis uses the Identity Server as the Identity and Access Control solution.

To make the services you use secure, ensure that you take the security measures described in this chapter.

Your certificate has to meet the following requirements to ensure validity and avoid warnings in your browser:

  • It must be placed in your machine's certificate store.

  • It must use an RSA key pair and the SHA256 signature hash algorithm.

  • The private key must be included in your certificate.

  • The key size must be at least 2048 bits.

  • The subject must be the DNS name of the machine.

  • The subject alternative name must be set to your DNS names to avoid warnings in your browser.

    For example: localhost, machineName, machineName.domain.com

  • Its valid-from and valid-to dates must define a time span that includes the current date.

  • It must have a valid issuer whose certificate is installed as a trusted root certificate on the machine.
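As an added example (not Tricentis documentation or product code), the following PowerShell script checks one certificate in the local machine store against the requirements listed above. The thumbprint and the list of expected DNS names are assumptions supplied by the reader; the default names are only a placeholder.

```powershell
# Added example: verify a certificate in Cert:\LocalMachine\My against the listed requirements.
# $Thumbprint and $ExpectedDnsNames are assumptions supplied by the caller (not from the Tosca product).
param(
    [Parameter(Mandatory)][string]$Thumbprint,                      # certificate to check
    [string[]]$ExpectedDnsNames = @('localhost', $env:COMPUTERNAME)  # names the SAN must cover (assumption)
)

$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
$problems = @()

# RSA key pair with at least 2048 bits (GetRSAPublicKey returns $null for non-RSA keys)
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
if (-not $rsa) { $problems += 'Public key is not RSA' }
elseif ($rsa.KeySize -lt 2048) { $problems += "Key size $($rsa.KeySize) is below 2048 bits" }

# Signature hash algorithm must be SHA256 (sha256RSA OID 1.2.840.113549.1.1.11)
if ($cert.SignatureAlgorithm.Value -ne '1.2.840.113549.1.1.11') {
    $problems += "Signature algorithm is $($cert.SignatureAlgorithm.FriendlyName), not sha256RSA"
}

# The store entry must carry the private key
if (-not $cert.HasPrivateKey) { $problems += 'Private key is not included in the certificate' }

# Subject CN must be the machine's DNS name
$subjectCn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
if ($subjectCn -notin $ExpectedDnsNames) { $problems += "Subject '$subjectCn' is not an expected DNS name" }

# Subject Alternative Name (OID 2.5.29.17) must list every expected DNS name
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }   # e.g. "DNS Name=localhost, DNS Name=host"
foreach ($name in $ExpectedDnsNames) {
    $pattern = 'DNS Name=' + [regex]::Escape($name) + '(,|$)'
    if ($sanText -notmatch $pattern) { $problems += "SAN does not contain '$name'" }
}

# Validity period must include the current date
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    $problems += "Not valid now (valid from $($cert.NotBefore) to $($cert.NotAfter))"
}

# Issuer must chain to a root certificate trusted by this machine
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    $problems += "Chain does not build to a trusted root: $status"
}

if ($problems.Count -eq 0) { Write-Output 'Certificate meets all listed requirements' }
else { $problems | ForEach-Object { Write-Output "FAIL: $_" } }
```

Run it from an elevated PowerShell session so the private-key check can read the machine store; each failed requirement is reported as its own FAIL line.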

HTTPS Certificate

Tricentis does not enforce the use of secure HTTPS, but for production it is mandatory for every interaction with the Tosca Server.

Every component should be secured by HTTPS to ensure the integrity of the whole system. All components on the same machine can share the same HTTPS certificate.

Token Sign Certificate

The Authentication Service additionally requires a token sign certificate. It needs an asymmetric key pair to sign and validate JSON Web Tokens (JWT).

Tricentis recommends that you use a different certificate for token signing than for securing via HTTPS. For increased security, the private key should be known only to the Authentication Service.

To start the Tricentis Authentication Service, ensure that the certificate includes the private key.

If no certificate is defined or it cannot be found in the store, a temporary Token Sign Certificate is created.

However, in this case only requests to localhost are allowed; all requests from a different origin are blocked. When this happens, the log file contains a message such as "Using temporary signing credentials...".