How is the security improved in Exalate?

No, the invitation could be applied only to the invited side. It includes an Invitation code that helps to secure Connection data.  

Once the Connection set-up is finished, Exalate generates the shared secret. The secret is used to define a secure connection between both Instances.

It is shared only once to generate a JWT token. The token is temporary and is generated for every communication request between Exalate on both Instances.

The following information is exchanged between Instances:

• shared secret;
• information about the type of the connection with the Destination instance;
• Connection name;
• information about the Connection initiator
  • Exalate app version, including supported features
  • Instance type and version ( JIRA Server, JIRA Cloud or HP QC/ALM)
  • Instance URL and Exalate URL
  • Instance UID, which is a unique instance identifier

The JWT token generates on every communication request between Instances. It authenticated the request so the destination side can be sure they are getting data from the expected Instance.

Instance URL, Instance version, Exalate URL, a unique instance identifier.

For more details check Atlassian security overview.

On the configuration stage of the Exalate app for HP QC/ALM you need to specify HP QC /ALM Instance(issue tracker) user and password. The credentials are used to communicate with the HP QC/ALM Instance.