How Is Security Improved with Exalate?


    In Exalate 4.x, there is no need to share access credentials anymore, even if your instance requires authentication.
    Starting from version 4.0.0 of the Exalate app for JIRA Server, 4.1.0 of the Exalate app for JIRA Cloud, and 2.0.0 of the Exalate app for HP ALM/QC, Exalate uses a new security approach.

    Learn more about Exalate security and architecture by downloading this whitepaper.

    Below you can find answers to the most common security questions.

    What if the invitation was sent to the wrong person - could it be applied?

    No, the invitation can be applied only on the invited side. It includes an invitation code that helps to secure the Connection data.

    What information is exchanged with the other side?

    Once the Connection setup is finished, Exalate generates the shared secret. The secret is used to define a secure connection between both Instances.

    It is shared only once to generate a JWT token. The token is temporary and is generated for every communication request between Exalate in both Instances.

    The following information is exchanged between Instances:

    • shared secret;
    • information about the type of connection with the Destination instance;
    • Connection name;
    • information about the Connection initiator
      • Exalate app version, including supported features
      • Instance type and version (JIRA Server, JIRA Cloud or HP ALM/QC)
      • Instance URL and Exalate URL
      • Instance UID, which is a unique instance identifier

    How is the data transfer secured?

    A JWT token is generated for every communication request between Instances. It authenticates the request so the destination side can be sure it is receiving data from the expected Instance.
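
The per-request token check described above, sketched as an added example (not Exalate's own code). The page does not specify the token format, so the HS256 algorithm, the `iss`/`iat`/`exp` claims, the 60-second lifetime and all function names here are assumptions.

```python
import base64, hashlib, hmac, json, time

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(secret: bytes, instance_uid: str, ttl: int = 60, now=None) -> str:
    """Sending side: mint a fresh, short-lived token for one request."""
    now = int(time.time() if now is None else now)
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = b64url_encode(json.dumps(
        {"iss": instance_uid, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(secret, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{b64url_encode(sig)}"

def verify_token(token: str, secret: bytes, expected_uid: str, now=None) -> dict:
    """Destination side: accept only a fresh token from the expected Instance."""
    now = int(time.time() if now is None else now)
    try:
        header, claims, sig = token.split(".")
        alg = json.loads(b64url_decode(header)).get("alg")
        payload = json.loads(b64url_decode(claims))
        issuer, expiry = payload.get("iss"), payload.get("exp")
        given = b64url_decode(sig)
    except (ValueError, AttributeError) as exc:
        raise ValueError("malformed token") from exc
    if alg != "HS256":  # pin the algorithm; never let the header choose it
        raise ValueError("unexpected algorithm")
    want = hmac.new(secret, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, given):  # constant-time comparison
        raise ValueError("bad signature")
    if issuer != expected_uid:
        raise ValueError("unexpected issuer")
    if not isinstance(expiry, int) or expiry <= now:
        raise ValueError("token expired")
    return payload

if __name__ == "__main__":
    shared = b"constructed-shared-secret"  # constructed sample value
    tok = issue_token(shared, "constructed-instance-uid")
    print(verify_token(tok, shared, "constructed-instance-uid"))
```

Because the secret itself never travels with the request, a captured token is only useful until its expiry and only against the Instance that holds the same secret.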

    What information is stored locally?

    Instance URL, Instance version, Exalate URL, a unique instance identifier.

    How is the connection secured and authenticated between the Exalate app for Jira Cloud and the Jira Cloud Instance?

    For more details check the Atlassian security overview.

    How is the connection secured and authenticated between the Exalate app for HP QC/ALM and the HP QC/ALM Instance?

    In the configuration stage of the Exalate app for HP ALM/QC, you need to specify the HP QC/ALM Instance (issue tracker) user and password. The credentials are used to communicate with the HP ALM/QC Instance.