This documentation supports the 18.05 version of Remedy Action Request System.

To view the latest version, select the version from the Product version menu.

General security guidelines

This topic presents security guidelines to consider when using BMC Remedy Action Request System (BMC Remedy AR System).

BMC Remedy AR System provides BMC Remedy Encryption Performance Security and BMC Remedy Encryption Premium Security components that you can install to provide well-protected communication among BMC Remedy AR System components.

  • BMC Remedy Performance Security includes a Federal Information Processing Standard (FIPS) encryption option. When this option is enabled, network traffic is encrypted using Advanced Encryption Standard (AES) cipher-block chaining (CBC) with a 128-bit key for data encryption and a 1,024-bit modulus for the RSA key exchange. It uses a secure hash algorithm (SHA-1) for message authentication. This option supports the minimum FIPS 140-2 encryption requirements.
  • BMC Remedy Premium Security includes a premium FIPS encryption option. When this option is enabled, network traffic is encrypted using AES CBC with a 256-bit key for data encryption and a 2,048-bit modulus for the RSA key exchange. It uses SHA-1 for message authentication. This option supports premium FIPS 140-2 encryption requirements.

BMC Remedy AR System uses Transport Layer Security (TLS) and digital signatures to perform end-to-end validation after a connection is made.

Use Secure Sockets Layer (SSL) to encrypt the traffic between the HTTP web server and the browser client. Configuring the environment for SSL support is beyond the scope of the guidance that BMC provides.

Note

Enabling SSL can impact performance due to the extra overhead required to encrypt and decrypt traffic.

In a cross-site request forgery (CSRF) attack, attackers make victims perform actions that they did not intend to, such as logging out, purchasing items, or using other functions provided by the vulnerable website. The user's browser is tricked into issuing a command to a vulnerable web application.
The vulnerability is caused by browsers automatically including user authentication data, such as a session ID, IP address, or Microsoft Windows domain credentials, with each request.

The AR System disables web server scripting in the mid tier. The processes that run on the AR System server are restricted by the AR System permissions model and are confined to specific directories on the server.

Because the Tomcat JSP engine is bundled with the mid tier, the BMC Remedy AR System installation script performs the following clean-up tasks to ensure that security issues in Tomcat are resolved:

  • Removes the contents of the root directory from the <TomcatInstallationDirectory>/webapps directory
  • Adds an index.html file to the root directory, which appears if the administrator enters http://<localhost>:8080 in a browser and Tomcat is running properly
  • Removes the tomcat-docs directory from the <TomcatInstallationDirectory>/webapps directory
  • Removes the host-manager and manager default web applications from the <TomcatInstallationDirectory>/webapps/server/webapps directory
  • Removes the deployment descriptors for the host-manager and manager applications, host-manager.xml and manager.xml, from the <TomcatInstallationDirectory>/conf/Catalina/<localhost> directory
  • Removes all unused ports from service (in particular, port 8080), stripping the default server.xml configuration file from the Tomcat installation directory so that the installation supports only the mid tier

These tasks make the Tomcat installation more secure; however, because all extraneous services are removed, it can be difficult to determine whether the mid tier or the Tomcat engine was installed incorrectly. To ease this problem, an index.html page is also installed that is displayed when Tomcat is running.

If the mid tier fails to run after installation, complete the following steps to determine whether the problem is the Tomcat installation or the mid tier installation:

  1. Stop Tomcat.
  2. Open the <TomcatInstallationDirectory>/conf/server.xml file and uncomment the Connector entry at port 8080.
  3. Restart Tomcat.
  4. In a browser on the same computer as the Tomcat installation, go to http://<localhost>:8080.
    If the Tomcat engine is running correctly, the following message is displayed in the browser: Tomcat is running

HTTP TRACE is a default function in many web servers, primarily used for debugging. The client sends an HTTP TRACE request with all header information, including cookies, and the server simply responds with that same data.

To prevent cross-site tracing (XST) attacks that use XSS and the HTTP TRACE function, the HTTP TRACE function in the mid tier is disabled by default. To disable the HTTP TRACE function completely, you must also disable HTTP TRACE on the application server hosting the mid tier. For information about how to enable the TRACE function, see HTTP tracing in the mid tier.

To protect against man-in-the-middle (MITM) attacks, enable the HSTS filter (Strict-Transport-Security) in web.xml.

To mark all cookies as secure, you must uncomment the secure cookie filter.

Note

Enable this filter only when BMC Remedy Mid Tier is configured to work with HTTPS or a reverse proxy configured to work with HTTPS. When using a reverse proxy, you can access the mid tier either through a proxy or by connecting to the computer that hosts the mid tier.

If the reverse proxy is configured with HTTP, do not enable the secure cookie filter and access the mid tier either by connecting through the URL that is configured as the proxy (for example, http://xyz:8080/arsys) or by accessing the mid tier from the same computer on which it is installed (for example, http://<localhost>:8080/arsys).

If the reverse proxy is configured with HTTPS, you must enable the secure cookie filter and access the mid tier only by connecting through the URL that is configured as the proxy (for example, https://xyz:8080/arsys). You cannot, however, access the mid tier from the same computer on which it is installed.

To mark cookies as secure:

  1. Edit the web.xml file in the <midTierInstallDirectory>/WEB-INF directory.
  2. Locate the following secure cookie filter entry:

    <!-- Secure Cookie Filter
        <filter>
            <filter-name>SecureCookieFilter</filter-name>
            <filter-class>com.remedy.arsys.stubs.SecureCookieFilter</filter-class>
        </filter>
        <filter-mapping>
            <filter-name>SecureCookieFilter</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>
     -->
  3. Remove <!-- and --> from before and after the entry to uncomment the entry.
  4. Save the web.xml file.
  5. Restart the mid tier.

By default, security is disabled for data passed through the mid tier by the data visualization model plug-ins. To enable mid tier security for the plug-ins, you must add the following option to the config.properties file:

arsystem.plugin_securitycheck=true

The Return Back parameter in a URL allows a user to alter a base return URL when the URL is sent back to the browser from the web server. This behavior could make the system vulnerable to a phishing attack. For example, http://hostname/arsys/shared/login.jsp?http://www.google.com returns to www.google.com.

The default value of the Return Back parameter is true. You must change the value to false to prevent the mid tier from allowing the use of a URL containing a Return Back parameter (http://www.google.com in the example). With the parameter set to false the mid tier redirects users to their default Home page form.

To prevent the use of URLs with a Return Back value:

  1. Add the following setting to the config.properties file:

    arsystem.allow.returnback.url=false
  2. Restart the mid tier.

To prevent frame phishing vulnerabilities in the mid tier, the mid tier verifies that it is not placed inside a portlet container or displayed in third-party frames or iFrames. If a portlet container, third-party frame, or iFrame is detected, the mid tier automatically disconnects from the object and displays the content in a single window.

When encryption is employed, unsafe key generation, non-rotating keys, and weak algorithm usage are common. The use of weak or unsalted hashes to protect passwords is also common.

All sensitive data is encrypted within AR System. All communication between the web browser and the web server can be encrypted using HTTPS. All communication between the web server and the AR System server can be encrypted using API encryption.

Mid tier access might be prevented if your security software blocks URLs with special characters such as < (left angle bracket), > (right angle bracket), and ' (apostrophe). To resolve this issue, change the arsystem.xmlhttp.get setting in the config.properties file from true to false, which enables the use of HTTP POST for backchannel calls.

Note

Enabling the XSS filter impacts the BMC Remedy AR System server performance.

To change the arsystem.xmlhttp.get setting

  1. Shut down the mid tier.
  2. Open the config.properties file, located in the <MidtierInstallDirectory>/WEB-INF/classes/ directory.
  3. Change arsystem.xmlhttp.get=true to arsystem.xmlhttp.get=false.

To enable the XSS filter

  1. Change the arsystem.xmlhttp.get setting in the config.properties file from true to false.
  2. Edit the web.xml file in the <MidtierInstallDirectory>/WEB-INF/ directory.
  3. Enable the cross-site scripting (XSS) filter by deleting the comment delimiters (the <!-- XSS Filter line and the --> line) that comment out the filter in the XSS Filter code block, as shown in the following example:

    Example

    <!-- XSS Filter
        <filter>
            <filter-name>XSSFILTER</filter-name>
            <filter-class>com.remedy.arsys.stubs.XSSFilter</filter-class>
        </filter>
        <filter-mapping>
            <filter-name>XSSFILTER</filter-name>
            <url-pattern>/plugins/*</url-pattern>
        </filter-mapping>
        <filter-mapping>
            <filter-name>XSSFILTER</filter-name>
            <url-pattern>/pluginsignal/*</url-pattern>
        </filter-mapping>
    -->
  4. Save the web.xml file.
  5. Restart the mid tier.

You can add an inclusion list of URLs that the mid tier is allowed to redirect to when you log on to or log out of the mid tier. URLs on the inclusion list are accepted in the goto request parameter of LoginServlet and LogoutServlet, so that the user is automatically redirected to the specified URL.

To add an inclusion list, add the following property in the <midTierInstallDirectory>/WEB-INF/classes/config.properties file:

arsystem.inclusion_goto_urls=http://www.google.com,http://www.microsoft.com,http://<midTierServer>/

Note

The inclusion list must also contain the mid tier's own URL to allow the mid tier to redirect to itself.
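The following added example (not the mid tier's own code) shows how an inclusion list such as arsystem.inclusion_goto_urls works as an exact-origin allow-list for the goto and Return Back targets described above: the phishing-style URL from the text (a foreign http://www.google.com tacked onto login.jsp) is accepted only because that origin is listed, while look-alike hosts, userinfo tricks and scheme-relative targets fall back to the Home page. The inclusion list and Home page path are constructed sample values, and the precedence between arsystem.allow.returnback.url and the inclusion list is an assumption made for the example, not documented behaviour.

```python
"""Allow-list decision for the post-login/logout redirect target.
Added example, not BMC's code. It applies an inclusion list of the
documented format as an exact (scheme, host, port) allow-list."""
from urllib.parse import urlsplit

# Constructed sample values, mirroring the documented property format.
SAMPLE_INCLUSION_LIST = "http://www.google.com,http://www.microsoft.com,http://midtier.example.com/"
HOME_PAGE = "/arsys/home"   # hypothetical fallback; the real Home page form URL is deployment-specific


def _origin(url):
    """(scheme, lowercase host, effective port) for an absolute http(s) URL, else None.

    urlsplit resolves tricks such as http://www.google.com@evil.example to
    hostname 'evil.example', so the comparison is on the host a browser would
    actually connect to."""
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port
    except ValueError:              # malformed port or bracketed IPv6 host
        return None
    if parts.scheme not in ("http", "https") or not host:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, host.lower(), port)


def parse_inclusion_list(value):
    """Comma-separated URLs -> set of origins; entries that are not absolute http(s) URLs are ignored."""
    origins = set()
    for entry in value.split(","):
        origin = _origin(entry.strip())
        if origin:
            origins.add(origin)
    return origins


def choose_redirect(goto, inclusion_list, allow_returnback=True):
    """Return where to send the browser after login or logout.

    Policy used here (the precedence between arsystem.allow.returnback.url and
    the inclusion list is an assumption for this example):
      - no target, or Return Back disabled            -> Home page
      - path-only target (single leading '/', no '\\') -> kept, it stays on this origin
      - absolute target whose origin is on the list   -> kept
      - anything else (other hosts, look-alike domains, //host, user@host) -> Home page
    """
    if not goto or not allow_returnback:
        return HOME_PAGE
    goto = goto.strip()
    if goto.startswith("/") and not goto.startswith("//") and "\\" not in goto:
        return goto
    origin = _origin(goto)
    if origin and origin in parse_inclusion_list(inclusion_list):
        return goto
    return HOME_PAGE


if __name__ == "__main__":
    for target in ("http://www.google.com/search", "http://www.google.com.evil.example/",
                   "http://www.google.com@evil.example/", "//evil.example/", "/arsys/forms/x"):
        print(f"{target!r:45} -> {choose_redirect(target, SAMPLE_INCLUSION_LIST)}")
```

The port is normalised before comparison so that a listed http://www.google.com also matches http://www.google.com:80/, while an https:// target for the same host is rejected because the list entry names a different origin; if you want both schemes allowed, list both.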

To prevent XSS attacks that use certain attachment types, the mid tier lets you add an inclusion list of supported file extensions for attachments.

To add an inclusion list, add the following property in the <midTierInstallDirectory>/WEB-INF/classes/config.properties file:

arsystem.inclusion_attachment_extension=<Comma separated list of file extensions>

  • HIPAA compliance is about the business itself and the processes within that organization. A software product itself cannot be HIPAA compliant, but it can support the HIPAA compliance goal of an organization. BMC Remedy AR System provides a number of features that support customers in building HIPAA compliant processes, for example, forced (re-)authentication for approval and electronic signature.
  • When used correctly, BMC Remedy AR System and applications built on BMC Remedy AR System, such as BMC Remedy IT Service Management (ITSM), provide the necessary capabilities for a business to meet HIPAA guidelines.
  • There is no standardization around using an authenticated RSS feed with an RSS feed client.
  • Subscribing to an RSS feed in BMC Remedy AR System requires an additional factor of security: it asks for authentication credentials and encrypts them using RSA asymmetric cryptography as part of the RSS feed URL. For more information, see Subscribing to RSS feeds.
  • When the user accesses an RSS feed using an RSS feed client, the BMC Remedy AR System server uses the encrypted credentials from the RSS feed URL to authenticate the user and to query the requested data based on the user's permissions.

Note

The end user must ensure that no unauthorized person can gain access to his or her RSS feed URL.

Cookies carrying sensitive information can be marked as HttpOnly. Browsers that support this attribute prevent client-side script (JavaScript) from accessing such cookies.

The session ID cookie (JSessionID) is the only cookie used by BMC Remedy Mid Tier that carries the user's session ID. By default, all session ID cookies are marked as HttpOnly to prevent unauthorized access to them.
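As an added check (not BMC's code) that ties the secure cookie filter and the HttpOnly default together, the following Python reads captured Set-Cookie response headers and reports whether the session cookie carries both attributes. It also flags the failure mode the note on the secure cookie filter warns about: a cookie marked Secure on a mid tier that is reached over plain HTTP, which the browser will never send back. The response headers are constructed samples; the session cookie name defaults to JSESSIONID, the name the Tomcat servlet container uses.

```python
"""Audit the Secure and HttpOnly attributes of the session cookie.
Added example, not the mid tier's code; the headers below are constructed."""


def parse_set_cookie(header_value):
    """Split 'name=value; Attr; Attr=val' into (name, value, {attr_lower: val})."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def session_cookie_findings(set_cookie_headers, served_over_https, session_cookie="JSESSIONID"):
    """Return a list of problems with the session cookie; an empty list means it is set correctly.

    served_over_https is whether the browser reaches the mid tier (or its
    reverse proxy) over HTTPS; it decides whether Secure is required or harmful."""
    findings = []
    seen = False
    for header in set_cookie_headers:
        name, _, attrs = parse_set_cookie(header)
        if name.upper() != session_cookie.upper():
            continue
        seen = True
        if "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly, readable by page script")
        if "secure" in attrs and not served_over_https:
            findings.append(f"{name}: marked Secure but served over HTTP; browsers will not return it")
        if "secure" not in attrs and served_over_https:
            findings.append(f"{name}: missing Secure on an HTTPS deployment")
    if not seen:
        findings.append(f"no {session_cookie} cookie was issued")
    return findings


# Constructed sample responses (cookie values are placeholders)
HARDENED_HTTPS = ["JSESSIONID=0123ABCD; Path=/arsys; Secure; HttpOnly"]
SECURE_BUT_HTTP = ["JSESSIONID=0123ABCD; Path=/arsys; Secure; HttpOnly"]   # filter enabled without TLS
LEGACY = ["JSESSIONID=0123ABCD; Path=/arsys", "pref=x; Path=/"]

if __name__ == "__main__":
    for label, headers, https in (("hardened/https", HARDENED_HTTPS, True),
                                  ("secure/http", SECURE_BUT_HTTP, False),
                                  ("legacy/https", LEGACY, True)):
        print(label, session_cookie_findings(headers, https) or "OK")
```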

A TLS variant of the POODLE vulnerability has been reported. For more information, see https://community.qualys.com/blogs/securitylabs/2014/12/08/poodle-bites-tls. A critical vulnerability for this issue has also been reported for F5 load balancers, which appear to be affected by TLS POODLE. For more information, see https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8730.

If you are using an F5 load balancer, it is important to apply the F5 hot fix. If you are using any other load balancer, confirm with your load balancer vendor whether it is affected by the TLS POODLE vulnerability and obtain a hot fix for the issue. For more information, see https://www.imperialviolet.org/2014/12/08/poodleagain.html, which lists other load balancer vendors affected by this vulnerability.

Use the SSL Labs SSL Server Test tool (https://www.ssllabs.com/ssltest/) to check your server for SSL-related vulnerabilities.

When you configure the list of trusted host headers, the server checks whether the Host header of each request matches an entry in its trusted host header list, and rejects the request if it does not. This prevents redirections based on a tampered Host header.

There is no default configuration for trusted host headers. Perform the following steps to configure trusted host headers:

The following procedure is applicable only when you apply BMC Remedy AR System 9.1 patch 1 (9.1.00.001).

  1. Edit the config.properties file in the <midTierInstallDirectory>/WEB-INF/classes directory.
  2. Add the comma-separated host header list as the value of the arsystem.host.header_list property.

    Example

    arsystem.host.header_list=host1.bmc.com,host2.customer.com

  3. Edit the web.xml file in the <midTierInstallDirectory>/WEB-INF directory.
  4. Add the HEADERVALIDFILTER filter and filter mapping, or uncomment them if they are already present, as shown below.

    <filter>
        <filter-name>HEADERVALIDFILTER</filter-name>
        <filter-class>com.remedy.arsys.stubs.HeaderValidFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>HEADERVALIDFILTER</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>


  5. Restart the mid tier.

When an internal server error occurs, the error message displays the Apache Tomcat version and the names of internal Remedy classes.

To hide the Apache Tomcat version and internal Remedy classes from the error description, set the showServerInfo and showReport attributes to false in the server.xml file, located in the <Install directory>\Apache Software Foundation\<Apache Tomcat installation directory>\conf folder. Ensure that you set the attributes on the ErrorReportValve inside the <Host> tag.

Refer to the following example:

<Valve className="org.apache.catalina.valves.ErrorReportValve" showServerInfo="false" showReport="false"/>
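Because most of the hardening on this page lives in three files (the mid tier's web.xml and config.properties, and Tomcat's server.xml), a practitioner usually wants a repeatable way to confirm that the filters are really uncommented and the properties really set. The following added Python script (not BMC tooling) does that offline against constructed copies of the three files. It reports a filter as active only when both its <filter> and <filter-mapping> survive XML parsing, which is what distinguishes an uncommented filter from one still sitting inside <!-- -->; it checks the documented config.properties keys, the ErrorReportValve attributes under <Host>, and it includes an illustrative trusted-host comparison against arsystem.host.header_list (exact, case-insensitive match with the port removed is an assumption for the example, not a description of HeaderValidFilter). The mid tier URL and sample file contents are constructed.

```python
"""Offline audit of the mid tier hardening settings described on this page.
Added example, not BMC's own tooling. Commented-out filters are correctly
reported as off because ElementTree's parser discards XML comments."""
import xml.etree.ElementTree as ET

# --- constructed sample inputs, not real deployment files ---
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <!-- Secure Cookie Filter
  <filter>
    <filter-name>SecureCookieFilter</filter-name>
    <filter-class>com.remedy.arsys.stubs.SecureCookieFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>SecureCookieFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
  -->
  <filter>
    <filter-name>HEADERVALIDFILTER</filter-name>
    <filter-class>com.remedy.arsys.stubs.HeaderValidFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>HEADERVALIDFILTER</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>
"""
SAMPLE_CONFIG_PROPERTIES = """# constructed sample config.properties
arsystem.xmlhttp.get=false
arsystem.allow.returnback.url=true
arsystem.host.header_list=host1.bmc.com, host2.customer.com
arsystem.inclusion_goto_urls=http://www.google.com,http://midtier.example.com/
"""
SAMPLE_SERVER_XML = """<Server><Service><Engine name="Catalina" defaultHost="localhost">
  <Host name="localhost" appBase="webapps">
    <Valve className="org.apache.catalina.valves.ErrorReportValve" showServerInfo="false" showReport="false"/>
  </Host>
</Engine></Service></Server>"""


def _local(tag):
    """Strip a namespace prefix such as {http://java.sun.com/xml/ns/javaee} from a tag."""
    return tag.rsplit("}", 1)[-1]


def active_filters(web_xml_text):
    """Filter names that are both declared and mapped; commented-out ones never reach the tree."""
    declared, mapped = set(), set()
    for el in ET.fromstring(web_xml_text).iter():
        if _local(el.tag) in ("filter", "filter-mapping"):
            for child in el:
                if _local(child.tag) == "filter-name" and child.text:
                    (declared if _local(el.tag) == "filter" else mapped).add(child.text.strip())
    return declared & mapped


def parse_properties(text):
    """Minimal Java .properties reader: key=value or key:value, '#'/'!' comment lines."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, sep, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def error_valve_hardened(server_xml_text):
    """True if an ErrorReportValve under <Host> has showServerInfo and showReport both set to false."""
    for host in ET.fromstring(server_xml_text).iter("Host"):
        for valve in host.iter("Valve"):
            if valve.get("className", "").endswith(".ErrorReportValve"):
                return (valve.get("showServerInfo", "true").lower() == "false"
                        and valve.get("showReport", "true").lower() == "false")
    return False


def host_header_trusted(host_header, props):
    """Illustrative trusted-host check (assumed semantics): Host with the port removed must
    equal a listed entry, case-insensitively. Returns False when no list is configured."""
    trusted = {h.strip().lower() for h in props.get("arsystem.host.header_list", "").split(",") if h.strip()}
    host = host_header.strip().lower()
    if host.startswith("[") and "]" in host:       # IPv6 literal such as [::1]:8080
        host = host[: host.index("]") + 1]
    else:
        host = host.split(":", 1)[0]
    return host in trusted


def audit(web_xml_text, properties_text, server_xml_text, mid_tier_url="http://midtier.example.com/"):
    """Map each control described on this page to True (on) or False (off or missing)."""
    filters = active_filters(web_xml_text)
    props = parse_properties(properties_text)
    goto = {u.strip().rstrip("/") for u in props.get("arsystem.inclusion_goto_urls", "").split(",") if u.strip()}
    return {
        "secure_cookie_filter": "SecureCookieFilter" in filters,
        "xss_filter": "XSSFILTER" in filters,
        "header_valid_filter": "HEADERVALIDFILTER" in filters,
        "host_header_list_set": bool(props.get("arsystem.host.header_list", "")),
        "xmlhttp_get_disabled": props.get("arsystem.xmlhttp.get", "true").lower() == "false",
        "returnback_disabled": props.get("arsystem.allow.returnback.url", "true").lower() == "false",
        "plugin_securitycheck": props.get("arsystem.plugin_securitycheck", "false").lower() == "true",
        "goto_list_includes_self": mid_tier_url.rstrip("/") in goto,
        "error_valve_hardened": error_valve_hardened(server_xml_text),
    }


if __name__ == "__main__":
    for name, ok in audit(SAMPLE_WEB_XML, SAMPLE_CONFIG_PROPERTIES, SAMPLE_SERVER_XML).items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}")
```

To run it against a real deployment, read the three files from <midTierInstallDirectory>/WEB-INF/web.xml, <midTierInstallDirectory>/WEB-INF/classes/config.properties and the Tomcat conf/server.xml and pass their text to audit(); the defaults assumed for absent keys (xmlhttp.get true, plugin_securitycheck false) follow the defaults this page states.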

For information about Apache Tomcat security considerations, see Security considerations in the Apache Tomcat 7.0 documentation.

For information about Apache Tomcat attributes, see The Valve Component in the Apache Tomcat 7.0 documentation.

Related topic

Cookies used by BMC Remedy Mid Tier
