Account Creation


Creating Projects or non-admin users requires an additional license


The following users can create user accounts:

  1. A Cloud Administrator can create a user account and assign it to any project.
  2. A Project Administrator can create a user account only in his own project.

To create an account, log in to the cloud web portal:

Step 1: Go to More -> Users and click the "Create" button.

Step 2: A pop-up window opens. Enter the user details and click the "Add User" button.

Note

All fields are mandatory.

High-Security Mode

If the cloud runs in high-security mode (the must-send-passwords-by-email parameter is set to true in the cloud server configuration), the user receives the initial password by email.

The email sender is defined in the Email configuration (More -> Email Server).

In high-security mode, if no email server is configured, account creation cannot be completed.

After that, the user list is displayed again.

Standard Security Mode

If the cloud runs in standard security mode (the must-send-passwords-by-email parameter is set to false in the cloud server configuration), then:

  1. If an email sender is configured in the email configuration, the user receives the initial password by email.
  2. If no email sender is configured, the initial password is displayed on screen and the administrator has to hand it to the user over a channel suitable for a credential.

After clicking the 'OK' button, the user list is displayed again.

Account Activation

  1. The user receives an email with a link to the Cloud Web Portal, the username and the initial password.
  2. The user clicks the link in the email and the login screen is displayed.

When the user enters the correct initial password and clicks "Sign In", the set-password page is displayed.

The user enters a new password, confirms it, and clicks Login.

Password complexity rules are enforced on the new password: 7-25 characters, at least one uppercase letter and at least one lowercase letter.

The user account is activated and the user is redirected to the default page for the role:

  1. A Cloud Administrator or Project Administrator sees the dashboard page.
  2. A User sees the devices list page.

Account Removal

The following users can remove user accounts:

  1. A Cloud Administrator can remove user accounts with the following restrictions:
    1. Allowed to remove accounts with any role.
    2. Not allowed to remove his own account.
    3. Not allowed to remove the "admin" account.
  2. A Project Administrator can remove user accounts with the following restrictions:
    1. Allowed to remove accounts only in his own project.
    2. Allowed to remove accounts only with the Project Administrator or User role.
    3. Not allowed to remove his own account.
    4. Not allowed to remove the "admin" account.

Reset Password

The following users can reset a user's password:

  1. A Cloud Administrator can reset the password of any user account.
  2. A Project Administrator can reset the password of user accounts in his own project.

Step 1: Go to More -> Users and choose a user.

Step 2: Press the 'Reset Password' button.

Step 3: A pop-up window opens. Press the 'Reset' button.

Resetting a user's password terminates all of the user's active sessions and releases the devices those sessions were holding.

After the reset, a new temporary password is provided to the user in the same way as at account creation:

  1. The temporary password is sent by email (if an email sender is configured).
  2. The temporary password is displayed on screen (standard security mode with no email sender configured).
  3. The reset password action is not available in high-security mode when no email sender is configured.

    Read more about Temporary Password email configuration here.

Admin Account

The admin account exists in the initial system configuration.

The initial password of the "admin" account is "admin". This value is public, so change it at the first login after installation, before the server is reachable by anyone else. Note that the "Reset admin password" procedure below restores exactly this value.

Password Aging Policy

A password aging policy can be enforced by setting the following parameters in the server configuration file.

user-password-expiration-time-in-days

The password of an active user with the User role expires after the given number of days. Once expired, the user must change the password at the next successful login.

admin-password-expiration-time-in-days

The password of an active user with the Cloud Administrator or Project Administrator role expires after the given number of days. Once expired, the user must change the password at the next successful login.

initial-password-expiration-time-in-hours

A new user must activate the account (log in and change the password) within the given number of hours. If the account is not activated in time, it is locked. Only a cloud administrator or project administrator can unlock the account, by resetting its password (see "Reset Password").

The default value of each of these parameters is 36500, which for the day-based parameters is 100 years, i.e. passwords effectively never expire.

When enabling high-security mode in the server configuration file, set these parameters to meet the company password aging policy.

Password History Policy

A password history policy can be enforced by setting the following parameter in the server configuration file:

password-history-amount-of-passwords

The default value is 0 (no history check).

When a user changes or sets a password, the new password is checked against the previous passwords used by this user. The number of previous passwords to check is the value of this parameter.

If the new password matches one of those previous passwords, an error message is displayed and the user has to choose a different password.
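The complexity rule from "Account Activation" and the history check above, as an added example that is not the cloud server's own code. The hashing scheme (salted PBKDF2-HMAC-SHA256 with 100,000 iterations), the UserCredential class and the deque-based history store are assumptions for the demo; the server keeps its hashes with whatever password-schema-method is configured. The history_amount argument plays the role of password-history-amount-of-passwords, and a value of 0 disables the check exactly as the default does.

```python
"""Added example, not the cloud server's own code: apply the password complexity
rule (7-25 characters, at least one uppercase and one lowercase letter) and a
password-history check covering the last N passwords, where N stands in for
password-history-amount-of-passwords. The storage scheme (salted PBKDF2-HMAC-SHA256)
is an assumption for the demo; the server stores passwords with whatever
password-schema-method is configured."""
import hashlib
import hmac
import os
from collections import deque
from typing import List, Optional, Tuple

PBKDF2_ITERATIONS = 100_000  # assumption: slow enough to blunt offline guessing


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate password against a stored hash."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def complexity_errors(password: str) -> List[str]:
    """Violations of the page's complexity rule; an empty list means the password passes."""
    errors = []
    if not 7 <= len(password) <= 25:
        errors.append("length must be 7-25 characters")
    if not any(c.isupper() for c in password):
        errors.append("at least one uppercase letter required")
    if not any(c.islower() for c in password):
        errors.append("at least one lowercase letter required")
    return errors


class UserCredential:
    """One user's current credential plus the hashes of the last N passwords."""

    def __init__(self, initial_password: str, history_amount: int):
        self.history_amount = history_amount
        # deque(maxlen=0) keeps nothing, which is exactly the "0 = no history check" default
        self.history = deque(maxlen=history_amount)
        self.salt, self.digest = hash_password(initial_password)
        self.history.append((self.salt, self.digest))

    def verify(self, password: str) -> bool:
        """Login check against the current password only."""
        return matches(password, self.salt, self.digest)

    def change_password(self, new_password: str) -> List[str]:
        """Apply the change if it passes complexity and history; return the violations otherwise."""
        errors = complexity_errors(new_password)
        # Every stored hash has its own salt, so each history entry is re-derived separately.
        if any(matches(new_password, salt, digest) for salt, digest in self.history):
            errors.append(f"password was used within the last {self.history_amount} passwords")
        if errors:
            return errors
        self.salt, self.digest = hash_password(new_password)
        self.history.append((self.salt, self.digest))
        return []


if __name__ == "__main__":
    cred = UserCredential("Initial1", history_amount=3)
    print(cred.change_password("Initial1"))   # rejected: still inside the history window
    print(cred.change_password("SecondPw"))   # accepted: []
```

Because the history is a bounded deque, a password drops out of the check after history_amount further changes, which is the behaviour a user gets when cycling through N+1 passwords to return to a favourite one; raising password-history-amount-of-passwords is the only counter to that.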

User Account Lock after X failed login attempts

The number of allowed failed attempts can be defined in the server configuration file:

max-number-attempts-before-lock

Default value: 1000

When a user reaches the defined number of failed login attempts, the account is locked and the message "Your account is locked, please contact your cloud administrator." is displayed.

A cloud administrator can unlock the account with the "Reset Password" action; see the "Reset Password" section.

When enabling high-security mode in the server configuration file, set max-number-attempts-before-lock to meet the company account lock policy. The default of 1000 gives an online password-guessing attacker a very large budget per account, so a value in the single or low double digits is the usual choice.

Session Expiration Time

The session expiration time can be defined in the server configuration file:

session-expiration-time-in-minutes

Default value: 180 (3 hours).

After the defined period of inactivity the user session expires and the user has to log in again.

When enabling high-security mode in the server configuration file, set this parameter to meet the company session timeout policy.

If the configured value is longer than 1 day (1440 minutes), the server resets it to the default of 180 minutes.

Import APK from cloud devices with SeeTest

Importing APKs from cloud devices with SeeTest can be enabled in the server configuration file:

import-apk-from-cloud-device

Default value: false.

When the administrator sets the value to true, users can import APKs from cloud devices with SeeTest.

Support data configuration


Downloading support data can be prevented with the following parameter in the server configuration file:

allow-support-data-download

Default value: true

If downloading support data is not allowed (the parameter is set to false), the downloaded ZIP file contains a single empty file named "download-support-data-not-allowed".

By default, both configuration files and log files are included in the support data.

The following parameter can be added to exclude the server configuration files from the support data. Configuration files can contain settings you would not want to leave the organization, so set it before handing support data to a third party:

<exclude-conf-files-from-support-data>true</exclude-conf-files-from-support-data>



Password encryption method and strength

Stored passwords are hashed; the hashing method and its strength are configurable.

Add the tags below with your values to the cloud server configuration file and restart the cloud service for the change to take effect.

<password-schema-method> - controls the hashing method.

<password-encoder-strength> - controls the strength of the method (the bcrypt cost factor, or the SHA digest size).

Supported methods are:

  1. bcrypt

    1. May be configured with a strength value in the range 4 to 15.

    2. If not configured, the default strength is 10.

  2. sha (default)

    1. May be configured with one of the strengths 1, 256, 384 or 512 (SHA-1, SHA-256, SHA-384 or SHA-512).

    2. If not configured, the default strength is 256.

bcrypt is a deliberately slow, salted password hash whose cost doubles with each strength step; the SHA family is a fast general-purpose digest. For stored passwords, bcrypt with a strength of 10 or higher is the stronger choice, and a sha strength of 1 (SHA-1) should not be used.

Example:

  <password-schema-method>sha</password-schema-method>

  <password-encoder-strength>512</password-encoder-strength>

If the <password-schema-method> tag is not specified, the default method (sha) is used.


Logging


Cloud Server logs are stored under the installation location in the /Server/log/ directory.

Device Host Machine logs are stored under the installation location in the /Agent/log/ directory.

Every log message contains the following information:

  1. Time/Date Stamp of the event.

  2. Thread that executes the action.

  3. Success / Failure indicator and log level (FATAL / ERROR / WARN / INFO / DEBUG / TRACE).

  4. Class from which execution was performed.

  5. Client IP of the machine from which action was executed.

  6. User name that performed the action.

  7. Event details.


Log Examples

Example messages are logged for the following events:

  1. User login.
  2. User logout.
  3. User creation.
  4. User modification.
  5. Change of a user's role (user permissions).
  6. User deletion.
  7. Failed login attempt.
  8. Unauthorized access (for example a user tries to edit another user via URL manipulation).
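Detection logic over the events listed above, as an added example that is not the cloud server's own tooling. The page shows the real log messages only as screenshots, so the line layout used here (the seven fields the page lists: timestamp, thread, level, class, client IP, user, details) and the sample lines themselves are constructed for the demo; adjust LINE_RE to the real layout. The per-IP spraying check is a generalization beyond what the page describes: one client address failing against many distinct accounts never trips a per-account lock, so it is worth reporting separately.

```python
"""Added example, not the cloud server's own tooling: scan server log lines for
failed logins and unauthorized access and relate failed-login counts to
max-number-attempts-before-lock. The line layout (seven fields: timestamp, thread,
level, class, client IP, user, details) and the sample lines are constructed for
the demo; the real messages are only shown as screenshots on the page."""
import re
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed sample log, not real server output.
SAMPLE_LOG = """\
2024-05-02 10:15:01,120 [exec-3] INFO  AuthService 10.0.0.7 alice Login succeeded
2024-05-02 10:16:05,310 [exec-4] WARN  AuthService 10.0.0.9 bob Failed login attempt
2024-05-02 10:16:09,002 [exec-4] WARN  AuthService 10.0.0.9 bob Failed login attempt
2024-05-02 10:16:12,450 [exec-5] WARN  AuthService 10.0.0.9 bob Failed login attempt
2024-05-02 10:16:20,001 [exec-5] WARN  AuthService 10.0.0.9 carol Failed login attempt
2024-05-02 10:16:25,777 [exec-6] WARN  AuthService 10.0.0.9 dave Failed login attempt
2024-05-02 10:17:00,100 [exec-7] ERROR UserController 10.0.0.7 alice Unauthorized access: attempt to edit user id=42
2024-05-02 10:18:00,100 [exec-8] INFO  AuthService 10.0.0.11 bob Logout
"""

# Assumed layout: "<date> <time> [<thread>] <LEVEL> <class> <client ip> <user> <details>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[(?P<thread>[^\]]+)\] (?P<level>[A-Z]+)\s+(?P<cls>\S+) "
    r"(?P<ip>\d+\.\d+\.\d+\.\d+) (?P<user>\S+) (?P<details>.*)$"
)


def parse_log(text: str) -> List[Dict[str, str]]:
    """Split each line into the seven fields; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def analyze(text: str, lock_threshold: int, spray_threshold: int = 3) -> dict:
    """Count failed logins per user and per source IP and collect unauthorized-access events.

    lock_threshold stands in for max-number-attempts-before-lock; spray_threshold is
    the number of distinct accounts one IP must fail against to be reported."""
    failed_by_user = Counter()
    users_per_ip = defaultdict(set)
    unauthorized = []
    for e in parse_log(text):
        details = e["details"].lower()
        if "failed login" in details:
            failed_by_user[e["user"]] += 1
            users_per_ip[e["ip"]].add(e["user"])
        elif details.startswith("unauthorized access"):
            unauthorized.append((e["user"], e["ip"], e["details"]))
    return {
        "failed_by_user": dict(failed_by_user),
        # accounts the server should have locked at this threshold
        "at_lock_threshold": sorted(u for u, n in failed_by_user.items() if n >= lock_threshold),
        # one client IP failing against many distinct accounts: password spraying
        "spraying_ips": sorted(ip for ip, users in users_per_ip.items() if len(users) >= spray_threshold),
        "unauthorized": unauthorized,
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG, lock_threshold=3).items():
        print(f"{key}: {value}")
```

Running the same sample with lock_threshold=1000 (the shipped default) reports no account at the threshold, which is the practical reason to lower max-number-attempts-before-lock before relying on the server-side lock.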


Reset admin password 

Adding the following tag to the cloud server configuration file (located in the Cloud installation folder, …\Server\conf\cloudserver.conf.xml) and restarting the cloud server service resets the admin account to its initial password ("admin").

<reset-admin-password/>

Treat this as a break-glass procedure: log in and set a new admin password immediately after the restart, and remove the tag from the configuration file once that is done.


 

Password expiration warning message

When the validity period of the user's password is about to expire, a warning message appears at the top of the Cloud Web Portal.

The message starts appearing 5 days before the expiration date.

A similar message appears at SeeTest startup and at the top of the cloud devices table.


Disable HTTP(s) response caching

Cloud server responses carry the headers that disable browser and proxy caching:

Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache

This ensures that sensitive information in responses is not stored in a browser or proxy cache, where it could be retrieved by other users of the same computer, or of the same network if a caching proxy sits in between.
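A check for the header set above, as an added example that is not part of the cloud server. Given the response headers as a dictionary (header names matched case-insensitively), it reports missing anti-caching directives, a non-zero max-age, a "public" directive, a missing Pragma, and directive names that are not Cache-Control directives at all, which catches the kind of typo that leaves a cache free to ignore the header. The sample header values in the usage below are constructed.

```python
"""Added example, not the cloud server's code: verify that an HTTP response carries
the anti-caching headers described on the page. Sample header values are constructed."""
from typing import Dict, List, Optional

REQUIRED_DIRECTIVES = {"no-cache", "no-store", "must-revalidate"}

# Response directives from RFC 9111 plus the widely deployed extensions.
KNOWN_DIRECTIVES = {
    "max-age", "must-revalidate", "must-understand", "no-cache", "no-store",
    "no-transform", "private", "proxy-revalidate", "public", "s-maxage",
    "immutable", "stale-while-revalidate", "stale-if-error",
}


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """'no-cache, max-age=0' -> {'no-cache': None, 'max-age': '0'} (names lower-cased)."""
    directives: Dict[str, Optional[str]] = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, sep, arg = part.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') if sep else None
    return directives


def check_response_caching(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response; an empty list means caching is properly disabled."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    findings = []
    for d in sorted(REQUIRED_DIRECTIVES - cc.keys()):
        findings.append(f"Cache-Control missing '{d}'")
    for d in sorted(cc.keys() - KNOWN_DIRECTIVES):
        # An unknown directive is silently ignored by every cache, so a typo here
        # weakens the header without any visible error.
        findings.append(f"Cache-Control has unknown directive '{d}' (typo?)")
    if cc.get("max-age") not in (None, "0"):
        findings.append(f"Cache-Control max-age={cc['max-age']} allows reuse")
    if "public" in cc:
        findings.append("Cache-Control 'public' permits shared caches")
    if h.get("pragma", "").strip().lower() != "no-cache":
        findings.append("Pragma: no-cache missing (HTTP/1.0 caches)")
    return findings


if __name__ == "__main__":
    # Constructed headers, e.g. taken from `curl -si https://cloud.example/api/...`
    good = {"Cache-Control": "no-cache, no-store, max-age=0, must-revalidate", "Pragma": "no-cache"}
    typo = {"Cache-Control": "no-cache, no-store, min-age=0, must-revalidate", "Pragma": "no-cache"}
    print(check_response_caching(good))
    print(check_response_caching(typo))
```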


Use a whitelist of trusted domains (CORS - Enabled)

Adding the following tag to the cloud server configuration file (located in the Cloud installation folder, …\Server\conf\cloudserver.conf.xml) and restarting the cloud server service adds the whitelisted domains you specify.

<domains-allowed-for-cors>http://domain1.com,https://domain2.com</domains-allowed-for-cors>

Only the origins listed in this tag are then allowed to make cross-origin requests to the server (CORS, Cross-Origin Resource Sharing). List each origin with its scheme, as in the example, and include only sites that genuinely need to call the cloud server from a browser.

To know more about CORS, check this guide.


Disable Http Method 'Options'

Adding the following tag to the cloud server configuration file (located in the Cloud installation folder, …\Server\conf\cloudserver.conf.xml) and restarting the cloud server service denies the HTTP OPTIONS method.

<http-options-enabled>false</http-options-enabled>

To enable it:

<http-options-enabled>true</http-options-enabled>

The HTTP OPTIONS method is enabled by default.

NOTE: if you disable the HTTP OPTIONS method you will not be able to download a heap dump from the Spring Boot Admin board. Browsers also send OPTIONS as the CORS preflight request, so disabling it can break cross-origin calls from the domains whitelisted above.
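The configuration parameters from the sections above (password aging and history, account lock, session expiration, password hashing method and strength, support data, the admin reset tag, the CORS whitelist and the OPTIONS switch) brought together in one audit script, as an added example that is not the product's own tooling. Parameter names and the defaults applied when a tag is absent are the page's; the root element name <cloudserver>, the two sample configuration files and the policy thresholds (MAX_FAILED_ATTEMPTS and the rest) are assumptions for the demo and should be replaced by the company policy.

```python
"""Added example, not the cloud server's own tooling: audit a cloudserver.conf.xml
against the settings this page discusses. Parameter names and defaults are the
page's; the <cloudserver> root element, the sample files and the policy
thresholds are assumptions for the demo."""
import xml.etree.ElementTree as ET
from typing import List, Optional

# Defaults stated on the page, applied when a tag is absent from the file.
DEFAULTS = {
    "max-number-attempts-before-lock": "1000",
    "session-expiration-time-in-minutes": "180",
    "user-password-expiration-time-in-days": "36500",
    "admin-password-expiration-time-in-days": "36500",
    "initial-password-expiration-time-in-hours": "36500",
    "password-history-amount-of-passwords": "0",
    "password-schema-method": "sha",
    "http-options-enabled": "true",
    "allow-support-data-download": "true",
    "exclude-conf-files-from-support-data": "false",
}

# Policy thresholds: assumptions for this demo, not values prescribed by the page.
MAX_FAILED_ATTEMPTS = 10
MAX_SESSION_MINUTES = 60
MAX_PASSWORD_AGE_DAYS = 90
MAX_INITIAL_PASSWORD_HOURS = 72
MIN_PASSWORD_HISTORY = 5
MIN_BCRYPT_STRENGTH = 12


def audit(xml_text: str) -> List[str]:
    """Return one finding per weak or missing setting; an empty list means the file passes."""
    root = ET.fromstring(xml_text)

    def get(name: str) -> Optional[str]:
        el = root.find(name)
        if el is not None and el.text and el.text.strip():
            return el.text.strip()
        return DEFAULTS.get(name)

    def num(name: str) -> int:
        return int(get(name))

    f: List[str] = []
    if num("max-number-attempts-before-lock") > MAX_FAILED_ATTEMPTS:
        f.append(f"max-number-attempts-before-lock: {get('max-number-attempts-before-lock')} exceeds {MAX_FAILED_ATTEMPTS}")
    minutes = num("session-expiration-time-in-minutes")
    if minutes > 1440:  # the page: values above 1 day are reset to the default 180
        f.append("session-expiration-time-in-minutes: above 1 day, the server resets it to 180")
    elif minutes > MAX_SESSION_MINUTES:
        f.append(f"session-expiration-time-in-minutes: {minutes} exceeds {MAX_SESSION_MINUTES}")
    for name in ("user-password-expiration-time-in-days", "admin-password-expiration-time-in-days"):
        if num(name) > MAX_PASSWORD_AGE_DAYS:
            f.append(f"{name}: {get(name)} exceeds {MAX_PASSWORD_AGE_DAYS}")
    if num("initial-password-expiration-time-in-hours") > MAX_INITIAL_PASSWORD_HOURS:
        f.append(f"initial-password-expiration-time-in-hours: exceeds {MAX_INITIAL_PASSWORD_HOURS}")
    if num("password-history-amount-of-passwords") < MIN_PASSWORD_HISTORY:
        f.append(f"password-history-amount-of-passwords: below {MIN_PASSWORD_HISTORY}")
    method = (get("password-schema-method") or "sha").lower()
    strength = get("password-encoder-strength")
    if method == "bcrypt":
        if int(strength or 10) < MIN_BCRYPT_STRENGTH:  # the page: bcrypt default strength is 10
            f.append(f"password-encoder-strength: bcrypt cost {strength or 10} below {MIN_BCRYPT_STRENGTH}")
    else:
        f.append("password-schema-method: sha is a fast digest, use bcrypt for stored passwords")
        if strength == "1":
            f.append("password-encoder-strength: 1 selects SHA-1, which is deprecated")
    if get("http-options-enabled") != "false":
        f.append("http-options-enabled: OPTIONS is enabled (the default)")
    if get("must-send-passwords-by-email") != "true":
        f.append("must-send-passwords-by-email: not true, initial passwords may be shown on screen")
    if get("exclude-conf-files-from-support-data") != "true":
        f.append("exclude-conf-files-from-support-data: configuration files are included in support data")
    if root.find("reset-admin-password") is not None:
        # assumption: the tag is only needed until the admin password has been changed
        f.append("reset-admin-password: remove this tag once the admin password has been reset")
    cors = get("domains-allowed-for-cors") or ""
    for origin in filter(None, (o.strip() for o in cors.split(","))):
        if origin == "*" or not origin.startswith(("http://", "https://")):
            f.append(f"domains-allowed-for-cors: '{origin}' is not a specific http(s) origin")
    return f


# Constructed sample files (assumed <cloudserver> root element).
WEAK_CONF = """<cloudserver>
  <password-schema-method>sha</password-schema-method>
  <password-encoder-strength>1</password-encoder-strength>
  <session-expiration-time-in-minutes>2880</session-expiration-time-in-minutes>
  <domains-allowed-for-cors>*</domains-allowed-for-cors>
  <reset-admin-password/>
</cloudserver>"""

HARDENED_CONF = """<cloudserver>
  <must-send-passwords-by-email>true</must-send-passwords-by-email>
  <user-password-expiration-time-in-days>90</user-password-expiration-time-in-days>
  <admin-password-expiration-time-in-days>60</admin-password-expiration-time-in-days>
  <initial-password-expiration-time-in-hours>48</initial-password-expiration-time-in-hours>
  <password-history-amount-of-passwords>10</password-history-amount-of-passwords>
  <max-number-attempts-before-lock>5</max-number-attempts-before-lock>
  <session-expiration-time-in-minutes>30</session-expiration-time-in-minutes>
  <password-schema-method>bcrypt</password-schema-method>
  <password-encoder-strength>12</password-encoder-strength>
  <exclude-conf-files-from-support-data>true</exclude-conf-files-from-support-data>
  <http-options-enabled>false</http-options-enabled>
  <domains-allowed-for-cors>https://ci.example.com</domains-allowed-for-cors>
</cloudserver>"""

if __name__ == "__main__":
    for finding in audit(WEAK_CONF):
        print("WEAK:", finding)
    print("HARDENED findings:", audit(HARDENED_CONF))
```

The weak file is essentially the shipped defaults plus a few explicitly bad choices, and the audit flags every one of them; the hardened file produces no findings under the demo thresholds. The script reads the tags from the document root, so if the real file nests them under another element the `root.find` calls need the matching path.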


