Security requirements

This chapter only applies if you use the Tricentis Authentication Service.

To make Tosca Server secure, ensure that you take the security measures described in this chapter.

Your certificate has to meet the following requirements to ensure validity and avoid warnings in your browser:

  • It must be placed in your machine's certificate store.

  • It must use an RSA key pair and the SHA256 signature hash algorithm.

  • The private key must be included in your certificate.

  • The key size must be at least 2048 bits.

  • The subject must be the DNS name of the machine.

    Note: you can't use wildcards. The certificate must contain the real DNS name.

  • The subject alternative name must be set to your DNS names to avoid warnings in your browser.

    For example: localhost, machineName,

  • It must have a valid from and to date that define a time span that includes the current date.

  • It must have a valid issuer, which is installed as a root certificate on the machine.

  • The certificate must be stored in exactly one store location within the local machine certificate store. This is the certificate store that is local to the machine and shared by all of its users.
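The following PowerShell function is an added example, not Tricentis code, that checks a certificate in the local machine store against the requirements listed above. The thumbprint and the expected DNS name are placeholders you supply for your own machine.

```powershell
# Added example (not Tricentis code): validate a LocalMachine certificate
# against the Tosca Server certificate requirements listed above.
function Test-ToscaCertificate {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,      # placeholder, supply your own
        [Parameter(Mandatory)] [string] $ExpectedDnsName  # the machine's real DNS name
    )
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    $now = Get-Date
    $checks = [ordered]@{}

    # RSA key with at least 2048 bits
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
    $checks['RSA key']          = ($null -ne $rsa)
    $checks['Key size >= 2048'] = ($null -ne $rsa -and $rsa.KeySize -ge 2048)

    # Signature hash algorithm must be SHA256 (FriendlyName is e.g. "sha256RSA")
    $checks['SHA256 signature'] = ($cert.SignatureAlgorithm.FriendlyName -match 'sha256')

    # The store entry must carry the private key
    $checks['Has private key'] = $cert.HasPrivateKey

    # Subject CN must be the real DNS name, no wildcard
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $checks['Subject is DNS name'] = ($cn -eq $ExpectedDnsName -and -not $cn.Contains('*'))

    # Subject Alternative Name (OID 2.5.29.17) must list the DNS name
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '' }
    $checks['SAN contains DNS name'] = ($sanText -match [regex]::Escape($ExpectedDnsName))

    # Validity window must include today
    $checks['Valid now'] = ($cert.NotBefore -le $now -and $cert.NotAfter -ge $now)

    # Chain must build to a root certificate trusted on this machine
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $checks['Trusted issuer'] = $chain.Build($cert)

    # The certificate must exist in exactly one LocalMachine store location
    $copies = Get-ChildItem -Path Cert:\LocalMachine -Recurse |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
    $checks['Single store location'] = (@($copies).Count -eq 1)

    [pscustomobject]$checks
}

# Usage: replace both placeholder values with your certificate's thumbprint and DNS name
Test-ToscaCertificate -Thumbprint 'PLACEHOLDER_THUMBPRINT' -ExpectedDnsName 'tosca-server.example.internal'
```

Every property in the returned object should be True before you configure the certificate for Tosca Server; a False value points at the requirement that is not met.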

Tricentis uses the Identity Server as the Identity and Access Control solution.

HTTPS certificate

Tricentis doesn't enforce the use of secure HTTPS, but recommends using HTTPS for interactions with the Tosca Server.

Token sign certificate

The Authentication Service additionally requires a token sign certificate. It needs an asymmetric key pair to sign and validate JSON Web Tokens (JWT).

Tricentis recommends that you use a different certificate for token signing than for HTTPS. For better security, the private key of the token sign certificate should only be known to the Authentication Service.

To start the Tricentis Authentication Service, ensure that the certificate includes the private key.

If no certificate is defined or it cannot be found in the store, a temporary Token Sign Certificate is created.

However, in this case only requests to localhost are allowed. All requests from a different origin are blocked. When this happens, the log file contains a message such as "Using temporary signing credentials...".