General security guidelines
This topic presents security guidelines to consider when using BMC Remedy Action Request System (BMC Remedy AR System).
BMC Remedy AR System provides BMC Remedy Encryption Performance Security and BMC Remedy Encryption Premium Security components that you can install to provide well-protected communication among BMC Remedy AR System components.
- BMC Remedy Performance Security includes a Federal Information Processing Standard (FIPS) encryption option. When this option is enabled, network traffic is encrypted using Advanced Encryption Standard (AES) cipher-block chaining (CBC) with a 128-bit key for data encryption and a 1,024-bit modulus for the RSA key exchange. It uses a secure hash algorithm (SHA-1) for message authentication. This option supports the minimum FIPS 140-2 encryption requirements.
- BMC Remedy Premium Security includes a premium FIPS encryption option. When this option is enabled, network traffic is encrypted using AES CBC with a 256-bit key for data encryption and a 2,048-bit modulus for the RSA key exchange. It uses SHA-1 for message authentication. This option supports premium FIPS 140-2 encryption requirements.
Secure socket layer
Use secure socket layer (SSL) to encrypt the traffic between the HTTP web server and the browser client. Configuring the environment for SSL support is beyond the scope of guidance that BMC provides.
Enabling SSL can impact performance due to the extra overhead required to encrypt and decrypt traffic.
Secure Tomcat installation
Because the Tomcat JSP engine is bundled with the mid tier, the BMC Remedy AR System installation script performs the following clean-up tasks to ensure that security issues in Tomcat are resolved:
- Removes the contents of the root directory from the <TomcatInstallationDirectory>/webapps directory
- Adds an index.html file to the root directory, which appears if the administrator enters http://<localhost>:8080 in a browser and Tomcat is running properly
- Removes the tomcat-docs directory from the <TomcatInstallationDirectory>/webapps directory
- Removes the host-manager and manager default web applications from the <TomcatInstallationDirectory>/webapps/server/webapps directory
- Removes the deployment descriptors for the host-manager and manager applications, host-manager.xml and manager.xml, from the <TomcatInstallationDirectory>/conf/Catalina/<localhost> directory
- Removes all unused ports from service (in particular, port 8080), stripping the default server.xml configuration file from the Tomcat installation directory so that the installation supports only the mid tier
These tasks make the Tomcat installation more secure; however, determining whether the mid tier or the Tomcat engine suffered an incorrect installation can be difficult, because all extraneous services are removed. To ease this problem, an index.html page is also installed that is displayed when Tomcat is running.
If the mid tier fails to run after installation, complete the following steps to determine whether the problem is the Tomcat installation or the mid tier installation:
- Stop Tomcat.
- Open the <TomcatInstallationDirectory>/conf/server.xml file and uncomment the Connector entry at port 8080.
- Restart Tomcat.
- In a browser on the same computer as the Tomcat installation, go to http://<localhost>:8080.
If the Tomcat engine is running correctly, the following message is displayed in the browser:
Tomcat is running
If a session between the web browser and the mid tier is idle for 90 minutes (the default setting) or if you close a browser, the BMC Remedy AR System license is released. To change the default settings, you can configure idle time parameters in the Mid Tier Configuration tool.
By default, all SessionID cookies are marked as HTTPOnly to prevent unauthorized access to the SessionID cookies.
HTTP TRACE disabled
HTTP TRACE is a default function in many web servers, primarily used for debugging. The client sends an HTTP TRACE request with all header information, including cookies, and the server simply responds with that same data.
To prevent cross-site tracing (XST) attacks that use XSS and the HTTP TRACE function, the HTTP TRACE function in the mid tier is disabled by default. To disable the HTTP TRACE function completely, you must also disable HTTP TRACE on the application server hosting the mid tier. For information about how to enable the TRACE function, see HTTP tracing in the mid tier.
Secure cookie filter
To mark all cookies as secure, you must uncomment the secure cookie filter.
Enable this filter only when BMC Remedy Mid Tier is configured to work with HTTPS or a reverse proxy configured to work with HTTPS. When using a reverse proxy, you can access the mid tier either through a proxy or by connecting to the computer that hosts the mid tier.
If the reverse proxy is configured with HTTP, do not enable the secure cookie filter and access the mid tier either by connecting through the URL that is configured as the proxy (for example, http://xyz:8080/arsys) or by accessing the mid tier from the same computer on which it is installed (for example, http://<localhost>:8080/arsys).
If the reverse proxy is configured with HTTPS, you must enable the secure cookie filter and access the mid tier only by connecting through the URL that is configured as the proxy (for example, https://xyz:8080/arsys). You cannot, however, access the mid tier from the same computer on which it is installed.
To mark cookies as secure
- Edit the web.xml file in the <midTierInstallDirectory>/WEB-INF directory.
Locate the following secure cookie filter entry:
    <!-- Secure Cookie Filter
    <filter>
        <filter-name>SecureCookieFilter</filter-name>
        <filter-class>com.remedy.arsys.stubs.SecureCookieFilter</filter-class>
    </filter>
    <filter-mapping>
        <filter-name>SecureCookieFilter</filter-name>
        <url-pattern>/*</url-pattern>
    </filter-mapping>
    -->
Remove the comment markers <!-- and --> from before and after the entry to uncomment the entry.
- Save the web.xml file.
- Restart the mid tier.
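To verify the HttpOnly default described above and the effect of the secure cookie filter from a captured response, here is an added check (not BMC's code) that reads Set-Cookie header values; the header values and the JSESSIONID cookie name are constructed sample data, and served_over_https is an assumption you supply based on whether the browser reaches the mid tier or its reverse proxy over HTTPS.

```python
# Added example, not BMC's code: inspect Set-Cookie header values for the
# HttpOnly attribute the mid tier sets by default and the Secure attribute the
# secure cookie filter adds, so a web.xml change can be verified from a captured
# response. Sample header values below are constructed.
from typing import List, Set, Tuple

def parse_set_cookie(header_value: str) -> Tuple[str, Set[str]]:
    """Split one Set-Cookie value into the cookie name and its lowercase attribute names."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs

def cookie_findings(set_cookie_headers: List[str], served_over_https: bool) -> List[str]:
    """Return one finding per cookie attribute that is missing or misapplied.

    HttpOnly is expected on every session cookie. Secure is expected only when
    the browser reaches the mid tier (directly or via a reverse proxy) over
    HTTPS; on an HTTP site a Secure cookie is never sent back, which is why the
    filter must stay disabled behind an HTTP proxy.
    """
    findings: List[str] = []
    for raw in set_cookie_headers:
        name, attrs = parse_set_cookie(raw)
        if "httponly" not in attrs:
            findings.append(f"{name}: missing HttpOnly")
        if served_over_https and "secure" not in attrs:
            findings.append(f"{name}: missing Secure")
        if not served_over_https and "secure" in attrs:
            findings.append(f"{name}: Secure set on an HTTP site; browser will not send it back")
    return findings

# Constructed sample values; JSESSIONID stands in for the mid tier's session cookie.
SAMPLE_HTTPS_OK = ["JSESSIONID=ABC123; Path=/arsys; Secure; HttpOnly"]
SAMPLE_HTTPS_MISSING_SECURE = ["JSESSIONID=ABC123; Path=/arsys; HttpOnly"]

if __name__ == "__main__":
    for finding in cookie_findings(SAMPLE_HTTPS_MISSING_SECURE, served_over_https=True):
        print(finding)
```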
XSS filter enhanced
By default, the mid tier contains an XSS filter that is frequently updated with additional characters.
To protect against MITM attacks, enable the HSTS filter in web.xml.
Data visualization module plug-ins
By default, security is disabled for data passed through the mid tier by using the data visualization module plug-ins. To enable mid-tier security for the plug-ins, you must add the following option to the config.properties file:
Mid-tier Return Back parameter
The Return Back parameter in a URL allows a user to alter a base return URL when the URL is sent back to the browser from the web server. This behavior could make the system vulnerable to a phishing attack. For example,
The default value of the Return Back parameter is true. You must change the value to false to prevent the mid tier from allowing the use of a URL containing a Return Back parameter (in the example). With the parameter set to false, the mid tier redirects users to their default Home page form.
To prevent the use of URLs with a Return Back value:
- Add the following setting to the config.properties file:
- Restart the mid tier.
Mid tier and portlet containers
To prevent frame phishing vulnerabilities in the mid tier, the mid tier verifies that it is not placed inside a portlet container or displayed in third-party frames or iFrames. If a portlet container, third-party frame, or iFrame is detected, the mid tier automatically disconnects from the object and displays the content in a single window.
Mid tier access prevented by some security software
Mid tier access might be prevented if your security software blocks URLs with special characters such as < (left angle bracket), > (right angle bracket) and ' (apostrophe). To resolve this issue, change the arsystem.xmlhttp.get setting in the config.properties file from true to false and enable the use of HTTP POST for backchannel calls.
Enabling the XSS filter impacts the BMC Remedy AR System server performance.
To change the arsystem.xmlhttp.get setting
- Shut down the mid tier.
- Open the config.properties file, located in the <MidtierInstallDirectory>/WEB-INF/classes/ directory.
To enable the XSS filter
- Change the arsystem.xmlhttp.get setting in the config.properties file from true to false.
- Edit the web.xml file in the <MidtierInstallDirectory>/WEB-INF/ directory.
Enable the cross-site scripting (XSS) filter by deleting the lines (in boldface font) that comment out the filter in the XSS Filter code block as shown in the following example:
- Save the web.xml file.
- Restart the mid tier.
Adding inclusion list for Mid Tier
You can add an inclusion list of URLs to be redirected to when you log on to the mid tier and when you log out of the mid tier. An inclusion list of URLs is allowed in the goto request parameter of LoginServlet and LogoutServlet so that the user is automatically redirected to the specified URL.
To add an inclusion list, add the following property in the <midTierInstallDirectory>/WEB-INF/classes/config.properties file:
Available only in Service Pack 1 for version 8.1.00 and later versions.
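The Return Back section and the inclusion-list section above both concern the same risk: a user-supplied redirect target being sent back to the browser unchecked. The following added example (not BMC's code; the mid tier's own logic and the config.properties key are not shown on this page) is a generic validator for that problem: it accepts only same-site paths or http(s) URLs whose host is on an inclusion list and otherwise falls back to a Home page. DEFAULT_HOME and ALLOWED_HOSTS are constructed placeholders.

```python
# Added example, not BMC's code: an allowlist check for user-supplied redirect
# targets of the kind the page describes for the Return Back parameter and for
# the goto parameter of LoginServlet/LogoutServlet. The mid tier's own logic is
# not shown on this page; this is a generic validator for the same problem.
# A target is accepted only if it is a path on this site or an http(s) URL whose
# host is in the inclusion list; anything else falls back to the Home page.
from typing import Optional, Set
from urllib.parse import urlsplit

DEFAULT_HOME = "/arsys/home"  # constructed placeholder for the default Home page form

def resolve_redirect(target: Optional[str], allowed_hosts: Set[str]) -> str:
    """Return a redirect URL that is safe to send back to the browser."""
    if not target:
        return DEFAULT_HOME
    # Browsers strip tab and newline characters before parsing, so "/\t/host"
    # would become "//host"; reject any control character outright.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in target):
        return DEFAULT_HOME
    try:
        parts = urlsplit(target)
    except ValueError:  # e.g. malformed IPv6 bracket syntax
        return DEFAULT_HOME
    if not parts.scheme and not parts.netloc:
        # Same-site path. Browsers read "//host" and "/\host" as a different
        # host, so only a single leading slash is accepted.
        if target.startswith("/") and (len(target) == 1 or target[1] not in "/\\"):
            return target
        return DEFAULT_HOME
    # Absolute URL: scheme must be http or https and the host (not the whole
    # netloc, which may carry a user@ prefix) must be on the inclusion list.
    host = (parts.hostname or "").lower()
    if parts.scheme.lower() in ("http", "https") and host in allowed_hosts:
        return target
    return DEFAULT_HOME

# Constructed sample inclusion list, standing in for the configured URL list.
ALLOWED_HOSTS = {"portal.example.com"}

if __name__ == "__main__":
    for candidate in ("/arsys/forms/home", "//evil.example/", "https://portal.example.com/x"):
        print(candidate, "->", resolve_redirect(candidate, ALLOWED_HOSTS))
```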