
 

We have a TM server with Two Factor Authentication ON for /manager.

We want to use TM 5.0.x's SDK to deploy services via Ant builds. What's the best practice to leverage Ant based deployments on this TM server?

Our test server doesn't have 2FA on, so we use a system account on that TM to deploy. This allows us to use that TM account as part of our automated builds. But the stage TM instance has 2FA switched ON, and we are looking for an Avoka-suggested best practice for Ant-based deployments.

Cheers,

parth

  1. Ben Warner

    Hey Parth, did you resolve this? If so, please share.

  2. Unknown User (ppandya)

    Hi Ben, no, we haven't resolved this yet. I'm hoping that the Transact team can guide us. Options I can think of: 1. There is a way to have a system account that can do this deployment via API only. No /manager access is required for this account; or 2. We'll have to force the TM to go into a less secure mode by turning off 2FA for deployments. Cheers, Parth


2 answers

  1.  

    I tested this and can confirm that the 2FA is bypassed when deploying through the API. We found that proper processes and a separate role with deployment permission need to be created to make sure that this doesn't get misused.

    Here is the suggested best practice -

    1. Create a 'system' user in TM. Don't tick 2FA on this user and assign Transact Manager portal access to it.
    2. Create a new role in TM with permission to deploy services. Assign this role to the newly created user.
    3. Make sure all other roles don't have service deployment permission, so a random named user can't deploy and override.
    4. Assign role expiry to that system user so only during the change window that user has the access to deploy to server.
    5. Have some other internal process to enable this user with correct role as part of release planning and change window sign-off procedures.

     

    Good luck.

    1.  

      Hey Parth, I believe that the 2FA is bypassed when calling the API layer. Give it a try and let us know how you go.

      1. Ben Warner

        Have you tried this yet Parth? I'm interested to hear the outcome.
