In Exalate 4.x, there is no need to share access credentials anymore, even if your instance requires authentication.
Starting from 4.0.0 version in the Exalate app for JIRA Server, 4.1.0 in the Exalate app for JIRA Cloud and 2.0.0 in the Exalate app for HP QC/ALM, Exalate is using a new security approach.
Below you can find answers to the most common security questions.
No, the invitation could be applied only to the invited side. It includes an Invitation code that helps to secure Connection data.
Once the Connection set-up is finished, Exalate generates the shared secret. The secret is used to define a secure connection between both Instances.
It is shared only once to generate a JWT token. The token is temporary and is generated for every communication request between Exalate on both Instances.
The following information is exchanged between Instances:
- shared secret;
- information about the type of the connection with the Destination instance;
- Connection name;
- information about the Connection initiator
- Exalate app version, including supported features
- Instance type and version ( JIRA Server, JIRA Cloud or HP QC/ALM)
- Instance URL and Exalate URL
- Instance UID, which is a unique instance identifier
The JWT token generates on every communication request between Instances. It authenticated the request so the destination side can be sure they are getting data from the expected Instance.
Instance URL, Instance version, Exalate URL, a unique instance identifier.
For more details check Atlassian security overview.
On the configuration stage of the Exalate app for HP QC/ALM you need to specify HP QC /ALM Instance(issue tracker) user and password. The credentials are used to communicate with the HP QC/ALM Instance.