This documentation supports the 20.02 version of Remedy Action Request (AR) System.

To view an earlier version, select the version from the Product version menu.


Enabling or disabling Remedy Encryption Security on AR System server

This section explains how to enable or disable Remedy Encryption Performance Security and Remedy Encryption Premium Security on Remedy AR System server. 

Clients (Mid-Tier, Developer Studio, Smart Reporting) do not need to enabled or disable encryption, as this is negotiated on the initial connection to AR System Server. Clients however, will need to have the encryption bits installed (if using Premium or Performance encryption) and will need to be restarted if any changes are made to server.

You can configure Remedy Encryption Security in two ways:

Best Practice

We recommend you to enable or disable Remedy Encryption Security using the Centralized Configuration.

Important

Enabling and Disabling all modes of encryption requires a restart of AR Server.  If you enable or disable Encryption on AR Server, all clients including but not limited to Mid-Tier, Smart IT, RSSO, and others must be restarted after you restart AR System Server.

To enable or disable Remedy Encryption Security using Centralized Configuration

To enable or disable the Remedy Encryption Security using Centralized Configuration, identify the five parameters used to configure encryption, their values and description.

  1. Log in to Remedy AR System using Mid Tier.
  2. On the Home Page, navigate to Applications > AR System Administration > AR System Administration Console.
  3. On the AR System Administration Console, navigate to System > General > Centralized Configuration.
  4. On the Centralized Configuration form, choose a component name of "com.bmc.arsys.server > %ServerName%”.


  5. After you select the component, it will display all the AR Server configurations for this individual server:


    Use the following table to select the values of Encryption:

    ParameterValueDescription
    Encrypt-Security-Policy 

    0 – Allows clients to communicate with encryption or without encryption.  It will prefer encrypted traffic based on the data and public key selected. 

    1 – Requires clients to communicate with encryption defined by the data and public keys. 

    2 – Disables the ability for clients to communicate with any encryption.  (Default) 

    Integer value that defines if encryption is required, optional, or not allowed when a client communicates with AR Server.   
    Encrypt-Data-Encryption-Algorithm 

    1 – DES-56 (Default) 

    2 – RC4-128 

    3 – RC4-2048 

    6 – AES-128 (Cipher Blocker Chaining) 

    7 – AES-256 (Cipher Blocker Chaining) 

    8 – AES-128 (Cipher Blocker Chaining) (FIPS Compliant) 

    9 – AES-256 (Cipher Blocker Chaining) (FIPS Compliant) 

    Integer value that defines the algorithm used to encrypt data between AR System Server and its clients. 
    Encrypt-Data-Key-Expire 

    <integer> 

    2700 (Default) 

    Integer value that defines the lifespan (in seconds) of the data algorithm key that is generated. 

    Note: Generating the keys more frequently provides higher security, while marginally impacting performance. 

    Encrypt-Public-Key-Algorithm 

    4 – RSA-672 

    5 – RSA-2048 

    6 – RSA-4096 

    Integer value that defines the key size shared at the beginning of the API session and when the data key expires.  All encryption levels use RSA’s algorithm. 
    Encrypt-Public-Key-Expire 

    <integer> 

    86400 (Default) 

    Integer value that defines the lifespan (in seconds) of the public algorithm key that is generated. 

    Note: Generating the keys more frequently provides higher security, while marginally impacting performance. 


  6. This page will display the value of current configuration in the Setting Value column. To update this setting, change the current value to the value you want it to be. Once you’re ready to apply the settings, click Apply.
  7. Restart the Remedy AR Server to apply these changes.



Best Practice

You can make these settings effectively GLOBAL by choosing the “*” instead of the individual server name in the “com.bmc.arsys.server” section. This will now follow the same rules as other configurations for global-level configurations.  For more information, see Managing AR Server Group components by setting global-level and local-level configurations. 


Important

Using this method, you can change the configuration for AR System Server. If you are using Remedy versions prior to version 19.08, it will not update these settings for the Java-Based plugin servers. This includes the Default Java Plugin Server, the FTS Searcher Plugin Server, Shared CMDB Plugin Server, Normalization Plugin Server, or others. To set the Java Plugin Servers Encryption values, please see Setting plugin server configuration options.



To enable or disable Remedy Encryption Security using the Server Information form


  1. Log in to Remedy AR System using Mid Tier.
  2. On the Home Page, navigate to Applications > AR System Administration > AR System Administration Console.
  3. On the AR System Administration Console, navigate to System > General > Server Information. 
  4. On the Server Information form, click on the Encryption tab.
    This form is broken down into 3 different sections: 

    FieldInformation
    Encryption Level AvailableThis is a read-only field that tells you what type of encryption you have installed.  In the following example, this section is highlighted in GREEN, and this server has had Premium encryption installed. And AR System Server will now support that level of encryption. This will only change when you reboot the AR System Server and it automatically detects the type of encryption available to it.

    Active Encryption Settings

    This is a read only section that shows what type of encryption you are CURRENTLY running. This is pulled from memory and indicates how AR System is accepting connections.  In the following example this section is highlighted in BLUE, and this server has encryption Disabled.
    New Encryption SettingsIn this section you can set your new parameters for enabling encryption. This section will write the new changes to the ar.cfg file for THIS SERVER ONLY (check the Platform tab to know which server you’re connected to), this will not change this configuration for other servers in the group.  In the following example, this section is outlined in RED, and you can see the Security Policy is set to Optional, where FIPS compliance is not enabled, with AES 128 set as the data key details, and RSA 2048 set as the public key details.  Notice that both Key Expire Interval fields are left null. In this scenario, they will NOT update the already set values of 2700 (45 minutes) and 86400 (1 day). 




    If you do not plan on changing these values for your next reboot, click Close.

  5. Set new values as per the following table and click Apply. The new values will take effect on your next reboot of the AR System server.

    Use the following table to select the values of Encryption:

    ParameterValueDescription
    Encryption Level Available 

    Standard (Default) 

    Performance 

    Premium

    This is a read only field that tells you what type of encryption you have installed. 

    This will only change on reboot of AR System Server and it automatically detects the type of encryption available to it. 

    Security Policy

    Disabled (Default) 

    Required 

    Optional 

    This setting defines if encryption is required, optional, or not allowed when a client communicates with AR Server.  If this setting is set, and you don’t define Data or Public key details, it will choose either Standard encryption or the last used algorithm. 
    FIPS Enabled 

    Cleared (Default) 

    Selected 

    This setting defines if FIPS Compliance is enforced.  This setting does not directly change the encryption algorithm, but it does ensure that you can not select options that will fall outside of the FIPS scope.  For more information, see FIPS encryption options.
    Data Key Algorithm 

    DES (Default) 

    RC4-128 

    RC4-2048 

    AES-128 

    AES-256 

    This defines the algorithm used to encrypt data between AR System Server and its clients. 

    Note: In some versions this might add (FIPS) at the end when the FIPS Enabled box is checked.  This does not change the algorithm used. 

    Data Key Expire Interval 

    Number displayed in seconds. 

    2700 (Default) 

    Integer value that defines the lifespan (in seconds) of the data algorithm key that is generated. 

    Note: Generating the keys more frequently provides higher security, while marginally impacting performance. 

    Public Key Algorithm 

    RSA 512 (Default) 

    RSA 2048 

    RSA 4096 

    This setting defines the key size shared at the beginning of the API session and when the data key expires.  All encryption levels use RSA’s algorithm. 

    Note: Even though it says RSA 512, it is actually using RSA 672.  This is a visual only defect. 

    Public Key Expire Interval 

    Number displayed in seconds. 

    86400 (Default) 

    Integer value that defines the lifespan (in seconds) of the public algorithm key that is generated. 

    Note: Generating the keys more frequently provides higher security, while marginally impacting performance. 


    This method of updating the AR Server Encryption configuration is no longer recognized as the best method and is 
    used for the graphical representation of the values. We recommend system administrators to use the Centralized Configuration form to manage these settings. The Server Information form only changes the settings for this singular server. In server group environments, this can cause confusion and it is difficult to manage especially when there are multiple mid-tiers, load balancers, and back-end servers. Centralized Configuration solves these issues. 

    Important

    This update must be done individually for EACH server in the server group.  This is NOT a shared setting.  (If you have 5 servers in your group, you’ll need to make this change 5 times, once for each server) 

Related topics

Secure AR System data by using Remedy Encryption Security

Installing BMC Remedy Encryption Security

Was this page helpful? Yes No Submitting... Thank you

Comments