Security

The OpenTAP Runner is connected to KS8500 through a secure websocket connection. All traffic is encrypted with TLS between KS8500 and the Runner.

A registered Runner is identified and validated using an ed25519 asymmetric key pair, which is generated uniquely to the specific instance of the Runner. The private key never leaves the local machine, and should never be shared with anyone.

When registering a new runner, the user has to paste in a registrationToken, that can be retrieved by logging into KS8500 with valid credentials into a specific Keycloak realm.

Key revocation

When a Runner is removed from KS8500, the key is being revoked immediately. This ensures that no traffic between KS8500 and the Runner occurs after removal. The private key is added to a revocation list kept on the server. The Runner needs to be re-registered again in order to communicate with KS8500.

User privileges

When the Runner is installed as a Windows service through the installer, it is running as a separate user with limited privileges.

Runner permissions

Per default the Runner is initially registered to a single user, which becomes the owner of the Runner and granted read/write/owner permissions. The owner of a Runner can, however, be share the instance by granting read/write/owner permissions to other users and/or group of users. The fewer users that have access to the runner, the better. Follow the least privilege principle.

Firewall configuration

As all communication to KS8500 is done through a single secure websocket connection, the Runner expects to be able to reach KS8500 on port 443/tcp. Thus only a single ingress firewall rule is required.

Software updates

Ensure to have installed the latest version of the Runner to be on the latest security level. The latest version of the Runner is available here.

Disk encryption

Consider using disk encryption on the system where you plan to use the Runner. This prevents unattended direct access to the content on the disk.

All data concerning the Runner (Test plans, artifacts, results, logs, etc.) will be stored on the device in an amount of time, until it have been transferred to KS8500.