This documentation supports the 20.02 version of Remedy Action Request (AR) System.


Enabling or disabling Remedy Encryption Security on AR System server

This section explains how to enable or disable Remedy Encryption Performance Security and Remedy Encryption Premium Security on Remedy AR System server. 

Clients (Mid-Tier, Developer Studio, Smart Reporting) do not need to enable or disable encryption, because this is negotiated on the initial connection to AR System Server. However, clients need to have the encryption bits installed (if using Premium or Performance encryption) and must be restarted if any changes are made to the server.

You can configure Remedy Encryption Security in two ways: by using Centralized Configuration, or by using the Server Information form.

Best practice

We recommend that you enable or disable Remedy Encryption Security by using Centralized Configuration.

Important

Enabling or disabling any mode of encryption requires a restart of AR Server. If you enable or disable encryption on AR Server, all clients, including but not limited to Mid-Tier, Smart IT, and RSSO, must be restarted after you restart AR System Server.

To enable or disable Remedy Encryption Security using Centralized Configuration

To enable or disable Remedy Encryption Security using Centralized Configuration, identify the five parameters used to configure encryption, their values, and their descriptions.

  1. Log in to Remedy AR System using Mid Tier.
  2. On the Home Page, navigate to Applications > AR System Administration > AR System Administration Console.
  3. On the AR System Administration Console, navigate to System > General > Centralized Configuration.
  4. On the Centralized Configuration form, choose the component name "com.bmc.arsys.server > %ServerName%".


  5. After you select the component, the form displays all the AR Server configuration settings for this individual server.


    Use the following table to select the values of Encryption:

    | Parameter | Value | Description |
    | --- | --- | --- |
    | Encrypt-Security-Policy | 0 – Allows clients to communicate with encryption or without encryption. It will prefer encrypted traffic based on the data and public key selected. | Integer value that defines if encryption is required, optional, or not allowed when a client communicates with AR Server. |
    | | 1 – Requires clients to communicate with encryption defined by the data and public keys. | |
    | | 2 – Disables the ability for clients to communicate with any encryption. (Default) | |
    | Encrypt-Data-Encryption-Algorithm | 1 – DES-56 (Default) | Integer value that defines the algorithm used to encrypt data between AR System Server and its clients. |
    | | 2 – RC4-128 | |
    | | 3 – RC4-2048 | |
    | | 6 – AES-128 (Cipher Block Chaining) | |
    | | 7 – AES-256 (Cipher Block Chaining) | |
    | | 8 – AES-128 (Cipher Block Chaining) (FIPS Compliant) | |
    | | 9 – AES-256 (Cipher Block Chaining) (FIPS Compliant) | |
    | Encrypt-Data-Key-Expire | <integer> | Integer value that defines the lifespan (in seconds) of the data algorithm key that is generated. |
    | | 2700 (Default) | Note: Generating the keys more frequently provides higher security, while marginally impacting performance. |
    | Encrypt-Public-Key-Algorithm | 4 – RSA-672 | Integer value that defines the key size shared at the beginning of the API session and when the data key expires. All encryption levels use RSA’s algorithm. |
    | | 5 – RSA-2048 | |
    | | 6 – RSA-4096 | |
    | Encrypt-Public-Key-Expire | <integer> | Integer value that defines the lifespan (in seconds) of the public algorithm key that is generated. |
    | | 86400 (Default) | Note: Generating the keys more frequently provides higher security, while marginally impacting performance. |


  6. The form displays the current value of each setting in the Setting Value column. To update a setting, change the current value to the value you want. When you are ready to apply the settings, click Apply.
  7. Restart the Remedy AR Server to apply these changes.


Best practice

You can make these settings effectively global by choosing “*” instead of the individual server name in the “com.bmc.arsys.server” section. The settings then follow the same rules as other global-level configurations. For more information, see Managing AR Server Group components by setting global-level and local-level configurations.

Important

Using this method, you can change the configuration for AR System Server. If you are using Remedy versions prior to version 19.08, it will not update these settings for the Java-Based plugin servers. This includes the Default Java Plugin Server, the FTS Searcher Plugin Server, Shared CMDB Plugin Server, Normalization Plugin Server, or others. To set the Java Plugin Servers Encryption values, please see Setting plugin server configuration options.

To enable or disable Remedy Encryption Security using the Server Information form

  1. Log in to Remedy AR System using Mid Tier.
  2. On the Home Page, navigate to Applications > AR System Administration > AR System Administration Console.
  3. On the AR System Administration Console, navigate to System > General > Server Information. 
  4. On the Server Information form, click on the Encryption tab.
    This form is broken down into 3 different sections: 

    | Field | Information |
    | --- | --- |
    | Encryption Level Available | This is a read-only field that tells you what type of encryption you have installed. In the following example, this section is highlighted in GREEN, and this server has had Premium encryption installed, so AR System Server will now support that level of encryption. This will only change when you reboot the AR System Server and it automatically detects the type of encryption available to it. |
    | Active Encryption Settings | This is a read-only section that shows what type of encryption you are CURRENTLY running. This is pulled from memory and indicates how AR System is accepting connections. In the following example, this section is highlighted in BLUE, and this server has encryption Disabled. |
    | New Encryption Settings | In this section you can set your new parameters for enabling encryption. This section will write the new changes to the ar.cfg file for THIS SERVER ONLY (check the Platform tab to know which server you’re connected to). It will not change this configuration for other servers in the group. In the following example, this section is outlined in RED, and you can see the Security Policy is set to Optional, where FIPS compliance is not enabled, with AES 128 set as the data key details, and RSA 2048 set as the public key details. Notice that both Key Expire Interval fields are left null. In this scenario, they will NOT update the already set values of 2700 (45 minutes) and 86400 (1 day). |




    If you do not plan on changing these values for your next reboot, click Close.

  5. Set new values as per the following table and click Apply. The new values will take effect on your next reboot of the AR System server.

    Use the following table to select the values of Encryption:

    | Parameter | Value | Description |
    | --- | --- | --- |
    | Encryption Level Available | Standard (Default) | This is a read-only field that tells you what type of encryption you have installed. |
    | | Performance | This changes only when AR System Server is rebooted and automatically detects the type of encryption available to it. |
    | | Premium | |
    | Security Policy | Disabled (Default) | This setting defines if encryption is required, optional, or not allowed when a client communicates with AR Server. If this setting is set, and you don’t define Data or Public key details, it will choose either Standard encryption or the last used algorithm. |
    | | Required | |
    | | Optional | |
    | FIPS Enabled | Cleared (Default) | This setting defines if FIPS Compliance is enforced. This setting does not directly change the encryption algorithm, but it does ensure that you cannot select options that will fall outside of the FIPS scope. For more information, see FIPS encryption options. |
    | | Selected | |
    | Data Key Algorithm | DES (Default) | This defines the algorithm used to encrypt data between AR System Server and its clients. |
    | | RC4-128 | Note: In some versions this might add (FIPS) at the end when the FIPS Enabled box is checked. This does not change the algorithm used. |
    | | RC4-2048 | |
    | | AES-128 | |
    | | AES-256 | |
    | Data Key Expire Interval | Number displayed in seconds. | Integer value that defines the lifespan (in seconds) of the data algorithm key that is generated. |
    | | 2700 (Default) | Note: Generating the keys more frequently provides higher security, while marginally impacting performance. |
    | Public Key Algorithm | RSA 512 (Default) | This setting defines the key size shared at the beginning of the API session and when the data key expires. All encryption levels use RSA’s algorithm. |
    | | RSA 2048 | Note: Even though it says RSA 512, it is actually using RSA 672. This is a visual only defect. |
    | | RSA 4096 | |
    | Public Key Expire Interval | Number displayed in seconds. | Integer value that defines the lifespan (in seconds) of the public algorithm key that is generated. |
    | | 86400 (Default) | Note: Generating the keys more frequently provides higher security, while marginally impacting performance. |


    This method of updating the AR Server Encryption configuration is no longer recognized as the best method and is used for the graphical representation of the values. We recommend that system administrators use the Centralized Configuration form to manage these settings. The Server Information form changes the settings only for this single server. In server group environments, this can cause confusion and is difficult to manage, especially when there are multiple mid-tiers, load balancers, and back-end servers. Centralized Configuration solves these issues.

    Important

    This update must be done individually for EACH server in the server group.  This is NOT a shared setting.  (If you have 5 servers in your group, you’ll need to make this change 5 times, once for each server) 
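
The following added example (not BMC code) audits the five encryption parameters described above for each server in a group and reports settings that differ between servers, which is the failure mode of per-server changes made through the Server Information form. It assumes ar.cfg stores each parameter as a `Name: value` line; the server names and configuration fragments are constructed.

```python
# Added example: value codes and defaults come from the tables on this page.
# Assumed: ar.cfg uses "Name: value" lines; the sample fragments are constructed.
DATA_ALGS = {1: "DES-56", 2: "RC4-128", 3: "RC4-2048", 6: "AES-128 CBC",
             7: "AES-256 CBC", 8: "AES-128 CBC (FIPS)", 9: "AES-256 CBC (FIPS)"}
PUBKEY_ALGS = {4: "RSA-672", 5: "RSA-2048", 6: "RSA-4096"}
# Public-key default 4 is inferred: the form's "RSA 512 (Default)" is RSA-672.
DEFAULTS = {"Encrypt-Security-Policy": 2, "Encrypt-Data-Encryption-Algorithm": 1,
            "Encrypt-Data-Key-Expire": 2700, "Encrypt-Public-Key-Algorithm": 4,
            "Encrypt-Public-Key-Expire": 86400}

def parse_cfg(text):
    """Return the five encryption settings, using defaults for absent ones."""
    settings = dict(DEFAULTS)
    for line in text.splitlines():
        name, sep, value = line.strip().partition(":")
        if sep and name.strip() in DEFAULTS:
            settings[name.strip()] = int(value.strip())
    return settings

def audit(settings):
    """Return findings for one server's effective settings."""
    findings = []
    policy = settings["Encrypt-Security-Policy"]
    if policy == 2:
        findings.append("policy 2: encryption disabled")
    elif policy == 0:
        findings.append("policy 0: unencrypted clients still accepted")
    data = settings["Encrypt-Data-Encryption-Algorithm"]
    if data not in (6, 7, 8, 9):  # DES and RC4 are deprecated ciphers
        findings.append(f"data algorithm is not AES: {DATA_ALGS.get(data, data)}")
    pub = settings["Encrypt-Public-Key-Algorithm"]
    if pub not in (5, 6):  # 672-bit RSA is far below the common 2048-bit minimum
        findings.append(f"public key is not RSA-2048 or RSA-4096: {PUBKEY_ALGS.get(pub, pub)}")
    return findings

def drift(servers):
    """Map each parameter that differs across servers to its per-server values."""
    parsed = {name: parse_cfg(text) for name, text in servers.items()}
    return {p: {n: s[p] for n, s in parsed.items()}
            for p in DEFAULTS if len({s[p] for s in parsed.values()}) > 1}

SAMPLE = {  # constructed ar.cfg fragments for a two-server group
    "ars-01": "Encrypt-Security-Policy: 1\nEncrypt-Data-Encryption-Algorithm: 7\n"
              "Encrypt-Public-Key-Algorithm: 5\n",
    "ars-02": "Encrypt-Security-Policy: 0\nEncrypt-Data-Encryption-Algorithm: 2\n"}
if __name__ == "__main__":
    for name, text in SAMPLE.items():
        print(name, audit(parse_cfg(text)) or "no findings")
    print("drift:", sorted(drift(SAMPLE)))
```

A server with none of the parameters set is reported with all three findings, because the documented defaults are policy 2, DES-56, and RSA-672.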

Related topics

Installing BMC Remedy Encryption Security

Comments

  1. Anesh Kurian

    The URL for Secure AR System data by using Remedy Encryption Security under Related Topic is broken.

    Jan 18, 2022 08:07
    1. Maithili Deshpande

      Hi Anesh,

      Thank you for pointing out this issue with the content. We have corrected the topic with your feedback.

      Regards,
      Maithili

      Feb 08, 2022 12:37