This documentation supports the 18.08 version of Remedy Action Request System.

Using external DVM communication

The BMC Remedy AR System server and BMC Remedy Mid Tier protect the user password that is sent over external DVM communication by encrypting it. The following two forms store and display the key material used for the secure key exchange:

  • AR System Key Store
  • AR System Server to Key Map

The ARSYS.ARF.RSAKEYPAIRGENERATOR plugin in the server generates an RSA 2048-bit public and private key pair. During installation, the server writes the key pair to the AR System Key Store form and the public key data to the AR System Server to Key Map form (both forms are shown in the following figures). The stored key material is protected with 128-bit Advanced Encryption Standard (AES) encryption.

AR System Key Store form

AR System Key Store form fields

  • Public Key: The public part of the public-private key pair, used to encrypt the user password with RSA 2048-bit asymmetric encryption.
  • Private Key: The private part of the public-private key pair, used to decrypt the user password with RSA 2048-bit asymmetric encryption.

Only authorized administrators have access to the AR System Key Store form, which displays the key pair. The public key data for a particular server is distributed to consumers through the AR System Server to Key Map form. The public key is presented in clear text, as shown in the following figure; the private key is stored as an AES-encrypted hexadecimal string. The mid tier checks each request for the custom header X-Encyrpted-Pwd. If the header is present, the mid tier:

  • Takes the password from the header field rather than from a password sent through other means, such as a URL parameter.
  • Reads the server name that was sent with the request and uses it to select the matching private key entry in the AR System Key Store form. The name sent must match the Server Name field of the AR System Server to Key Map form exactly: if that field holds the fully qualified name, such as myserver.company.com, the fully qualified name must be sent; if it holds an IP address, the IP address must be sent. Without an exact match the mid tier cannot locate the private key.
  • Decrypts the stored private key string with the AES symmetric key.
  • Constructs the RSA private key from the decrypted bytes.
  • Decrypts the password with RSA 2048-bit decryption.
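The end-to-end exchange that the key generation paragraph and the mid tier procedure above describe, written out as an added example in Go. This is not BMC's code and does not show how the AR System plugin or the mid tier are implemented. The page fixes only RSA 2048-bit for the password and 128-bit AES for protecting the stored key; everything else here is an assumption: AES-GCM as the mode, OAEP with SHA-256 as the RSA padding, PKCS#1 DER as the private key encoding, a hypothetical X-Server-Name header carrying the server name, and a constructed 16-byte wrapping key supplied by the caller. The header name X-Encyrpted-Pwd is used as the page spells it.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
	"net/http"
)

// One Key Store record as the page describes it: public key in the clear, private key as an
// AES-encrypted hex string (here nonce || AES-128-GCM ciphertext of the PKCS#1 DER key).
type keyStoreEntry struct {
	Public     *rsa.PublicKey
	PrivateHex string
}

// KeyStore indexes records by exact Server Name; GCM and the caller-supplied wrapping key are assumptions (page: "128-bit AES").
type KeyStore struct {
	aead    cipher.AEAD
	entries map[string]keyStoreEntry
}

func NewKeyStore(aesKey []byte) (*KeyStore, error) {
	block, err := aes.NewCipher(aesKey) // a 16-byte key selects AES-128
	if err != nil {
		return nil, err
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for AES's 128-bit block size
	return &KeyStore{aead: gcm, entries: map[string]keyStoreEntry{}}, nil
}

// Register stands in for the install-time key-pair generator: RSA-2048 pair, private key wrapped
// with AES (server name bound in as associated data), public key returned for the Server to Key Map.
func (ks *KeyStore) Register(serverName string) (*rsa.PublicKey, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, ks.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped := ks.aead.Seal(nonce, nonce, x509.MarshalPKCS1PrivateKey(priv), []byte(serverName))
	ks.entries[serverName] = keyStoreEntry{Public: &priv.PublicKey, PrivateHex: hex.EncodeToString(wrapped)}
	return &priv.PublicKey, nil
}

// EncryptPassword is the consumer side: RSA-OAEP/SHA-256 (assumed padding) under the server's public key, hex for the header.
func EncryptPassword(pub *rsa.PublicKey, password string) (string, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(password), nil)
	if err != nil {
		return "", err
	}
	return hex.EncodeToString(ct), nil
}

// unwrapPrivateKey covers the mid tier's lookup, AES decryption and key reconstruction:
// exact-match lookup by the server name sent, then decrypt the stored string and parse the RSA key.
func (ks *KeyStore) unwrapPrivateKey(serverName string) (*rsa.PrivateKey, error) {
	e, ok := ks.entries[serverName]
	if !ok {
		return nil, fmt.Errorf("no key for server name %q; it must match the Server to Key Map entry exactly", serverName)
	}
	wrapped, err := hex.DecodeString(e.PrivateHex)
	if err != nil {
		return nil, err
	}
	der, err := ks.aead.Open(nil, wrapped[:ks.aead.NonceSize()], wrapped[ks.aead.NonceSize():], []byte(serverName))
	if err != nil {
		return nil, err
	}
	return x509.ParsePKCS1PrivateKey(der)
}

// RecoverPassword is the mid tier's entry point: the header wins over a URL parameter, then the unwrapped key decrypts.
func (ks *KeyStore) RecoverPassword(h http.Header, urlPassword string) (string, error) {
	enc := h.Get("X-Encyrpted-Pwd") // header name as spelled on the page
	if enc == "" {
		return urlPassword, nil // header absent: password from other means, e.g. a URL parameter
	}
	priv, err := ks.unwrapPrivateKey(h.Get("X-Server-Name")) // hypothetical header carrying the server name
	if err != nil {
		return "", err
	}
	ct, err := hex.DecodeString(enc)
	if err != nil {
		return "", err
	}
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}
```

Two behaviours from the procedure are visible when this runs: a request that sends the short name myserver against an entry stored as myserver.company.com fails at the lookup before any decryption is attempted, and a request without the custom header falls back to whatever password arrived by other means. Because the mid tier has to hold the AES key to unwrap the private key, the whole scheme rests on how that key is protected; the page does not say where the mid tier keeps it, so the example simply takes it as a constructor argument.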

AR System Server to Key Map form

AR System Server to Key Map form fields

  • Server Name: The name of the server that requires a secure password.
  • Public Key: The hexadecimal string of the encrypted key bytes. The modulus and exponent are stored on separate lines, and the entire key is encrypted with AES symmetric encryption.
  • Web Path: The URL that points to a remote mid tier.
