Security requirements

This chapter only applies if you use the Tricentis Authentication Service.

To make Tosca Server secure, ensure that you take the security measures described in this chapter.

Tricentis uses the Identity Server as the Identity and Access Control solution.

HTTPS certificate

We recommend using an HTTPS binding to further secure Tosca Server. If you do so, your certificate must meet certain security requirements so that it is valid and does not trigger warnings in your browser.

For more information, see chapter "Certificate requirements".

Token sign certificate

The Authentication Service additionally requires a token sign certificate. It needs an asymmetric key pair: the private key signs JSON Web Tokens (JWT) and the public key validates them.

Tricentis recommends that you use a different certificate for token signing than for securing via HTTPS. For better security, the private key should be known only to the Authentication Service.
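The following Go program is an added illustration of the two points above and is not code from Tosca Server or the Tricentis Authentication Service. It signs a JWT with an RSA private key (standing in for the key the Authentication Service keeps to itself) and validates it with nothing but the public key, then shows that a token signed with a different key, such as the HTTPS key, and a token whose payload was altered are both rejected. The key sizes, claim values and issuer URL are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// JWT uses base64url without padding (RFC 7519).
var b64 = base64.RawURLEncoding

// SignJWT builds a token with header {"alg":"RS256","typ":"JWT"} and the given
// claims and signs it with the private key. Only the token issuer holds this key.
func SignJWT(priv *rsa.PrivateKey, claims map[string]interface{}) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyJWT checks the RS256 signature using the public key only and returns the
// claims. A relying service never needs the private key for this step.
func VerifyJWT(pub *rsa.PublicKey, token string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	headerJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var header struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(headerJSON, &header); err != nil {
		return nil, err
	}
	// Accept only the algorithm we expect; never trust the header to pick one.
	if header.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("invalid signature")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// Demo returns (validAccepted, otherKeyRejected, tamperedRejected): a token from
// the signing key validates, one signed with an unrelated key does not, and one
// whose payload was changed after signing does not.
func Demo() (bool, bool, bool) {
	signingKey, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed: token sign key
	otherKey, _ := rsa.GenerateKey(rand.Reader, 2048)   // constructed: e.g. the HTTPS key

	claims := map[string]interface{}{"sub": "tosca-user", "iss": "https://auth.example.local"}
	token, _ := SignJWT(signingKey, claims)

	got, err := VerifyJWT(&signingKey.PublicKey, token)
	validAccepted := err == nil && got["sub"] == "tosca-user"

	otherToken, _ := SignJWT(otherKey, claims)
	_, err = VerifyJWT(&signingKey.PublicKey, otherToken)
	otherKeyRejected := err != nil

	parts := strings.Split(token, ".")
	changed, _ := json.Marshal(map[string]interface{}{"sub": "someone-else", "iss": "https://auth.example.local"})
	_, err = VerifyJWT(&signingKey.PublicKey, parts[0]+"."+b64.EncodeToString(changed)+"."+parts[2])
	tamperedRejected := err != nil

	return validAccepted, otherKeyRejected, tamperedRejected
}

func main() {
	fmt.Println(Demo()) // true true true
}
```

Because validation needs only the public key, every service that checks tokens can be given the certificate without the private key, which is what makes keeping the private key inside the Authentication Service practical rather than a burden.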

To start the Tricentis Authentication Service, ensure that the certificate includes the private key.

If no certificate is defined, or the defined certificate cannot be found in the store, a temporary token sign certificate is created.

However, in this case only requests to localhost are allowed; requests from any other origin are blocked. When this happens, the log file contains a message such as "Using temporary signing credentials...".