This documentation applies to the 8.1 version of Remedy Action Request System, which is in "End of Version Support."


General security guidelines

This topic presents security guidelines to consider when using BMC Remedy Action Request System (BMC Remedy AR System).

Encryption

BMC Remedy AR System provides BMC Remedy Encryption Performance Security and BMC Remedy Encryption Premium Security components that you can install to provide well-protected communication among BMC Remedy AR System components.

  • BMC Remedy Performance Security includes a Federal Information Processing Standard (FIPS) encryption option. When this option is enabled, network traffic is encrypted using Advanced Encryption Standard (AES) cipher-block chaining (CBC) with a 128-bit key for data encryption and a 1,024-bit modulus for the RSA key exchange. It uses a secure hash algorithm (SHA-1) for message authentication. This option supports the minimum FIPS 140-2 encryption requirements.
  • BMC Remedy Premium Security includes a premium FIPS encryption option. When this option is enabled, network traffic is encrypted using AES CBC with a 256-bit key for data encryption and a 2,048-bit modulus for the RSA key exchange. It uses SHA-1 for message authentication. This option supports premium FIPS 140-2 encryption requirements.

Secure Sockets Layer

Use Secure Sockets Layer (SSL) to encrypt the traffic between the HTTP web server and the browser client. Configuring the environment for SSL support is beyond the scope of the guidance that BMC provides.

Note

Enabling SSL can impact performance due to the extra overhead required to encrypt and decrypt traffic.

Secure Tomcat installation

Because the Tomcat JSP engine is bundled with the mid tier, the BMC Remedy AR System installation script performs the following clean-up tasks to ensure that security issues in Tomcat are resolved:

  • Removes the contents of the root directory from the <TomcatInstallationDirectory>/webapps directory
  • Adds an index.html file to the root directory, which appears if the administrator enters http://<localhost>:8080 in a browser and Tomcat is running properly
  • Removes the tomcat-docs directory from the <TomcatInstallationDirectory>/webapps directory
  • Removes the default host-manager and manager web applications from the <TomcatInstallationDirectory>/webapps/server/webapps directory
  • Removes the deployment descriptors for the host-manager and manager applications, host-manager.xml and manager.xml, from the <TomcatInstallationDirectory>/conf/Catalina/<localhost> directory
  • Removes all unused ports from service (in particular, port 8080), stripping the default server.xml configuration file from the Tomcat installation directory so that the installation supports only the mid tier

These tasks make the Tomcat installation more secure; however, because all extraneous services are removed, it can be difficult to determine whether a failed installation is a problem with the mid tier or with the Tomcat engine. To ease this problem, an index.html page is also installed that is displayed when Tomcat is running.

If the mid tier fails to run after installation, complete the following steps to determine whether the problem is the Tomcat installation or the mid tier installation:

  1. Stop Tomcat.
  2. Open the <TomcatInstallationDirectory>/conf/server.xml file and uncomment the Connector entry at port 8080.
  3. Restart Tomcat.
  4. In a browser on the same computer as the Tomcat installation, go to http://<localhost>:8080.
    If the Tomcat engine is running correctly, the following message is displayed in the browser: Tomcat is running

Session management

If a session between the web browser and the mid tier is idle for 90 minutes (the default setting) or if you close a browser, the BMC Remedy AR System license is released. To change the default settings, you can configure idle time parameters in the Mid Tier Configuration tool.

By default, all SessionID cookies are marked as HTTPOnly to prevent unauthorized access to the SessionID cookies.

HTTP TRACE disabled

HTTP TRACE is a default function in many web servers, primarily used for debugging. The client sends an HTTP TRACE request with all header information, including cookies, and the server simply responds with that same data.

To prevent cross-site tracing (XST) attacks that use XSS and the HTTP TRACE function, the HTTP TRACE function in the mid tier is disabled by default. To disable the HTTP TRACE function completely, you must also disable HTTP TRACE on the application server hosting the mid tier. For information about how to enable the TRACE function, see HTTP tracing in the mid tier.

Secure cookie filter

To mark all cookies as secure, you must uncomment the secure cookie filter.

Note

Enable this filter only when BMC Remedy Mid Tier is configured to work with HTTPS or a reverse proxy configured to work with HTTPS. When using a reverse proxy, you can access the mid tier either through a proxy or by connecting to the computer that hosts the mid tier.

If the reverse proxy is configured with HTTP, do not enable the secure cookie filter and access the mid tier either by connecting through the URL that is configured as the proxy (for example, http://xyz:8080/arsys) or by accessing the mid tier from the same computer on which it is installed (for example, http://<localhost>:8080/arsys).

If the reverse proxy is configured with HTTPS, you must enable the secure cookie filter and access the mid tier only by connecting through the URL that is configured as the proxy (for example, https://xyz:8080/arsys). You cannot, however, access the mid tier from the same computer on which it is installed.

To mark cookies as secure

  1. Edit the web.xml file in the <midTierInstallDirectory>/WEB-INF directory.
  2. Locate the following secure cookie filter entry:

    <!-- Secure Cookie Filter
        <filter>
            <filter-name>SecureCookieFilter</filter-name>
            <filter-class>com.remedy.arsys.stubs.SecureCookieFilter</filter-class>
        </filter>
        <filter-mapping>
            <filter-name>SecureCookieFilter</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>
     -->
  3. Remove the <!-- and --> markers from before and after the entry to uncomment the entry.
  4. Save the web.xml file.
  5. Restart the mid tier.

XSS filter enhanced

By default, the mid tier contains an XSS filter that is frequently updated with additional characters.

Strict-Transport-Security (HSTS)

To protect against MITM attacks, enable the HSTS filter in web.xml.
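The settings described in the Session management, Secure cookie filter and Strict-Transport-Security sections all show up in the HTTP response headers, so they can be verified from a captured response. The following Python script is an added example, not part of the BMC documentation or of the mid tier; the response it parses is constructed inline (JSESSIONID is the standard Tomcat session cookie name; the examplepref cookie and every value are invented), and it applies the checks a reviewer would want: each cookie carries HttpOnly and, behind HTTPS, Secure, and the HSTS header is present with a non-zero max-age.

```python
"""Audit a raw HTTP response for the cookie and HSTS properties discussed above.
Added example; the response text is constructed, not captured from a real mid tier."""

# Constructed response: JSESSIONID is Tomcat's standard session cookie; the
# examplepref cookie and all values are invented for illustration only.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Set-Cookie: JSESSIONID=CONSTRUCTED0123; Path=/arsys; HttpOnly\r\n"
    "Set-Cookie: examplepref=en_US; Path=/arsys\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# The same response once every cookie is marked HttpOnly and Secure
# (constructed, for comparison with the default above).
HARDENED_RESPONSE = SAMPLE_RESPONSE.replace(
    "Path=/arsys; HttpOnly", "Path=/arsys; HttpOnly; Secure"
).replace("examplepref=en_US; Path=/arsys", "examplepref=en_US; Path=/arsys; HttpOnly; Secure")


def parse_headers(raw):
    """Return the header block as a list of (lowercased name, value) pairs,
    keeping repeated headers such as Set-Cookie in order."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = []
    for line in head.splitlines()[1:]:          # skip the status line
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def cookie_attributes(set_cookie_value):
    """Split 'name=value; Attr; Attr=val' into (cookie name, {attr_lower: value})."""
    parts = [p.strip() for p in set_cookie_value.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if value else True
    return name, attrs


def hsts_max_age(value):
    """Extract max-age from a Strict-Transport-Security value; 0 if absent or malformed."""
    for directive in value.split(";"):
        key, _, num = directive.strip().partition("=")
        if key.strip().lower() == "max-age":
            try:
                return int(num.strip().strip('"'))
            except ValueError:
                return 0
    return 0


def audit_response(raw, over_https=True):
    """Return a list of findings; an empty list means every check passed.
    Secure and HSTS are only required when the site is served over HTTPS,
    matching the note that the secure cookie filter must not be enabled
    on a plain-HTTP deployment."""
    findings = []
    hsts_values = []
    for name, value in parse_headers(raw):
        if name == "set-cookie":
            cookie, attrs = cookie_attributes(value)
            if "httponly" not in attrs:
                findings.append(f"cookie {cookie} lacks HttpOnly")
            if over_https and "secure" not in attrs:
                findings.append(f"cookie {cookie} lacks Secure")
        elif name == "strict-transport-security":
            hsts_values.append(value)
    if over_https:
        if not hsts_values:
            findings.append("Strict-Transport-Security header missing")
        elif hsts_max_age(hsts_values[0]) <= 0:
            findings.append("Strict-Transport-Security max-age is zero or invalid")
    return findings


if __name__ == "__main__":
    for label, response in (("default", SAMPLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(response) or ["no findings"])
```

Run against the constructed default response the script reports the session cookie missing Secure and the preference cookie missing both flags; the hardened variant produces no findings. Pass over_https=False for a plain-HTTP deployment so that only the HttpOnly check applies.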

Data visualization module plug-ins

By default, security is disabled for data passed through the mid tier by using the data visualization module plug-ins. To enable mid-tier security for the plug-ins, you must add the following option to the config.properties file:

arsystem.plugin_securitycheck=true

Mid-tier Return Back parameter

The Return Back parameter in a URL allows a user to alter a base return URL when the URL is sent back to the browser from the web server. This behavior could make the system vulnerable to a phishing attack. For example, http://hostname/arsys/shared/login.jsp?http://www.google.com returns to www.google.com.

The default value of the Return Back parameter is true. You must change the value to false to prevent the mid tier from allowing the use of a URL containing a Return Back parameter (http://www.google.com/ in the example). With the parameter set to false the mid tier redirects users to their default Home page form.

To prevent the use of URLs with a Return Back value:

  1. Add the following setting to the config.properties file:

    arsystem.allow.returnback.url=false
  2. Restart the mid tier.

Mid tier and portlet containers

To prevent frame phishing vulnerabilities in the mid tier, the mid tier verifies that it is not placed inside a portlet container or displayed in third-party frames or iFrames. If a portlet container, third-party frame, or iFrame is detected, the mid tier automatically disconnects from the object and displays the content in a single window.

Mid tier access prevented by some security software

Mid tier access might be prevented if your security software blocks URLs with special characters such as < (left angle bracket), > (right angle bracket), and ' (apostrophe). To resolve this issue, change the arsystem.xmlhttp.get setting in the config.properties file from true to false and enable the use of HTTP POST for backchannel calls.

Note

Enabling the XSS filter impacts the BMC Remedy AR System server performance.

To change the arsystem.xmlhttp.get setting

  1. Shut down the mid tier.
  2. Open the config.properties file, located in the <MidtierInstallDirectory>/WEB-INF/classes/ directory.
  3. Change arsystem.xmlhttp.get=true to arsystem.xmlhttp.get=false.

To enable the XSS filter

  1. Change the arsystem.xmlhttp.get setting in the config.properties file from true to false.
  2. Edit the web.xml file in the <MidtierInstallDirectory>/WEB-INF/ directory.
  3. Enable the cross-site scripting (XSS) filter by deleting the <!-- XSS Filter and --> lines that comment out the filter in the XSS Filter code block, as shown in the following example:

    Example

    <!-- XSS Filter
    <filter>
    <filter-name>XSSFILTER</filter-name>
    <filter-class>com.remedy.arsys.stubs.XSSFilter</filter-class>
    </filter>
    <filter-mapping>
    <filter-name>XSSFILTER</filter-name>
    <url-pattern>/plugins/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
    <filter-name>XSSFILTER</filter-name>
    <url-pattern>/pluginsignal/*</url-pattern>
    </filter-mapping>
    -->

  4. Save the web.xml file.
  5. Restart the mid tier.
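The secure cookie filter and XSS filter procedures above are the same edit applied to two blocks of web.xml (strip the comment markers around a filter), with the XSS procedure adding one config.properties change. The following Python script is an added example that performs both edits on constructed input; it is not BMC's code or a supported tool, the enclosing <web-app> element in the sample is assumed, and the filter names and classes are copied from the documentation above. After uncommenting it re-parses the document so that a slip that leaves web.xml malformed is caught before the file is written back, and it reports which filters are actually mapped, since a <filter> without a <filter-mapping> never runs.

```python
"""Enable a commented-out servlet filter in a mid-tier web.xml and set the matching
config.properties key. Added example; the inputs are constructed, not real files."""
import re
import xml.etree.ElementTree as ET

# Constructed fragment modelled on the two filter blocks shown in the documentation;
# the enclosing <web-app> element is assumed for illustration.
SAMPLE_WEB_XML = """<web-app>
    <!-- Secure Cookie Filter
        <filter>
            <filter-name>SecureCookieFilter</filter-name>
            <filter-class>com.remedy.arsys.stubs.SecureCookieFilter</filter-class>
        </filter>
        <filter-mapping>
            <filter-name>SecureCookieFilter</filter-name>
            <url-pattern>/*</url-pattern>
        </filter-mapping>
     -->
    <!-- XSS Filter
    <filter>
    <filter-name>XSSFILTER</filter-name>
    <filter-class>com.remedy.arsys.stubs.XSSFilter</filter-class>
    </filter>
    <filter-mapping>
    <filter-name>XSSFILTER</filter-name>
    <url-pattern>/plugins/*</url-pattern>
    </filter-mapping>
    <filter-mapping>
    <filter-name>XSSFILTER</filter-name>
    <url-pattern>/pluginsignal/*</url-pattern>
    </filter-mapping>
    -->
</web-app>
"""

# Constructed config.properties content with the setting still at its default.
SAMPLE_CONFIG = "arsystem.xmlhttp.get=true\narsystem.plugin_securitycheck=true\n"


def enable_filter(web_xml, comment_label):
    """Remove the '<!-- <label>' opener and its closing '-->' around one filter block,
    leaving the <filter>/<filter-mapping> elements active. Raises ValueError if no
    such block exists and ParseError if the edit left the document malformed."""
    pattern = re.compile(
        r"<!--[ \t]*" + re.escape(comment_label) + r"[ \t]*\n(.*?)\n[ \t]*-->", re.DOTALL
    )
    new_xml, count = pattern.subn(r"\1", web_xml, count=1)
    if count == 0:
        raise ValueError(f"no commented-out block labelled {comment_label!r}")
    ET.fromstring(new_xml)   # well-formedness check before anything is written back
    return new_xml


def active_filters(web_xml):
    """Map each uncommented filter-name to the url-patterns it is mapped to."""
    root = ET.fromstring(web_xml)
    mapped = {}
    for mapping in root.findall("filter-mapping"):
        mapped.setdefault(mapping.findtext("filter-name"), []).append(mapping.findtext("url-pattern"))
    # a <filter> without a <filter-mapping> is declared but never runs
    for flt in root.findall("filter"):
        mapped.setdefault(flt.findtext("filter-name"), [])
    return mapped


def set_property(properties_text, key, value):
    """Set key=value in Java .properties text: replace the active line or append one."""
    lines = properties_text.splitlines()
    for i, line in enumerate(lines):
        stripped = line.strip()
        if stripped.startswith(("#", "!")):
            continue
        if stripped.split("=", 1)[0].strip() == key:
            lines[i] = f"{key}={value}"
            break
    else:
        lines.append(f"{key}={value}")
    return "\n".join(lines) + "\n"


def enable_xss_filter(web_xml, properties_text):
    """Both halves of the XSS filter procedure above: uncomment the filter block in
    web.xml and switch backchannel calls from GET to POST in config.properties."""
    return (enable_filter(web_xml, "XSS Filter"),
            set_property(properties_text, "arsystem.xmlhttp.get", "false"))


if __name__ == "__main__":
    new_xml, new_props = enable_xss_filter(SAMPLE_WEB_XML, SAMPLE_CONFIG)
    print(active_filters(new_xml))
    print(new_props)
```

On real files, read <midTierInstallDirectory>/WEB-INF/web.xml and WEB-INF/classes/config.properties into the two functions, write the results back, and restart the mid tier as the procedure states; enable_filter(web_xml, "Secure Cookie Filter") performs the secure cookie step in the same way.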

Adding inclusion list for Mid Tier

You can add an inclusion list of URLs to be redirected to when you log on to the mid tier and when you log out of the mid tier. An inclusion list of URLs is allowed in the goto request parameter of LoginServlet and LogoutServlet so that the user is automatically redirected to the specified URL.

To add an inclusion list, add the following property in the <midTierInstallDirectory>/WEB-INF/classes/config.properties file:

arsystem.inclusion_goto_urls=http://www.google.com,http://www.microsoft.com,http://<midTierServer>/

Note

The inclusion list must also contain the mid tier's own URL to allow the mid tier to redirect to itself.

Available only in Service Pack 1 for version 8.1.00 and later versions.
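The Return Back setting and the inclusion list above both decide the same question: which URL the mid tier may send the browser to after login or logout. The following Python function is an added example of that decision, not the mid tier's own logic, and it assumes the inclusion list is consulted once Return Back is disabled; the config.properties content is constructed and midtier.example.com is a placeholder host. It compares the scheme, host and port of the requested URL against the inclusion list and falls back to the home page for everything else, which goes a little beyond the page by showing the inputs that an origin comparison rejects but a naive string-prefix check would accept.

```python
"""Decide where the mid tier may redirect after login or logout. Added example,
not the product's own logic; config content and hostnames are constructed."""
from urllib.parse import urlsplit

# Constructed config.properties: Return Back disabled and an inclusion list that
# contains the mid tier's own URL (midtier.example.com is a placeholder host).
SAMPLE_CONFIG = """
# constructed sample, not a real mid tier configuration
arsystem.allow.returnback.url=false
arsystem.inclusion_goto_urls=http://www.google.com,http://www.microsoft.com,http://midtier.example.com/
"""

HOME_PAGE = "/arsys/home"   # stands in for the user's default Home page form


def parse_properties(text):
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def origin(url):
    """Reduce a URL to (scheme, host, port), or None if it is not a plain http(s) URL.
    Comparing origins rather than string prefixes rejects 'http://www.google.com.evil.example',
    'http://www.google.com@evil.example', scheme-relative '//evil.example' and 'javascript:' URLs."""
    try:
        parts = urlsplit(url)
        port = parts.port
    except ValueError:            # malformed port such as http://host:abc/
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return parts.scheme, parts.hostname, port   # hostname is already lowercased


def allowed_origins(props):
    """Origins from arsystem.inclusion_goto_urls; unparsable entries are dropped."""
    raw = props.get("arsystem.inclusion_goto_urls", "")
    return {o for o in (origin(u.strip()) for u in raw.split(",") if u.strip()) if o is not None}


def choose_redirect(requested, props, home=HOME_PAGE):
    """Return the URL to redirect to. With Return Back enabled (the documented default)
    any requested URL is honoured, which is the exposure the page describes; with it
    disabled, only an exact origin match against the inclusion list is followed."""
    if not requested:
        return home
    if props.get("arsystem.allow.returnback.url", "true").strip().lower() == "true":
        return requested
    target = origin(requested)
    if target is not None and target in allowed_origins(props):
        return requested
    return home


if __name__ == "__main__":
    props = parse_properties(SAMPLE_CONFIG)
    for url in ("http://www.google.com/", "http://www.google.com.evil.example/",
                "//www.google.com/", "http://midtier.example.com/arsys/"):
        print(url, "->", choose_redirect(url, props))
```

Note that the inclusion list entries are matched as origins, so an entry of http://www.google.com does not admit https://www.google.com or a different port; add each scheme and port that clients actually use, including the mid tier's own URL as the note above requires.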

Related topic

Cookies used by BMC Remedy Mid Tier


Comments

  1. Mohammad nayeem Shaik

    Dear Team,

    I have enabled both XSSFILTER (X-XSS-Protection) & CLICKJACKFILTER (X-Frame-Options) using the steps provided here, but I see only CLICKJACKFILTER got enabled when I scanned a Remedy page (people form url). 

    Can you please let me know how to apply XSSFILTER (X-XSS-Protection) for all remedy pages? Also please let me know how to implement the following filters in Remedy?

    • Strict-Transport-Security
    • X-Content-Type-Options
    • Content-Security-Policy
    • Public-Key-Pins
    • Referrer-Policy

    Regards,

    Mohammad Nayeem


    Aug 21, 2017 07:03
    1. Anagha Deshpande

      Hello Mohammad Nayeem,

      I will check this with the SME and will write back to you.

      Regards,

      Anagha 

      Aug 21, 2017 11:26
    1. Kamalakannan Srinivasan

      Hi Mohammad Nayeem,

      To enable XSS Filter, in addition to editing the web.xml file, you also need to change the arsystem.xmlhttp.get setting in the config.properties file from true to false.

      For Strict-Transport-Security, enable the HSTS filter in web.xml.

      BMC does not support the rest of the filters mentioned in your comment.

      Regards,
      Kamal

      Sep 19, 2017 07:56
  2. Suresh Mayampully

    How do we go about protecting against "Reflected File Download" vulnerability in Midtier?

    For instance, going to a URL like

    https://server:8443/arsys/forms/server/formname/Default Administrator View/udd.js/rfd.bat 

    prompts me to download rfd.bat (server = your servername and formname = a form)

    Thanks in advance,

    Suresh.


    Mar 29, 2018 11:25
    1. Anagha Deshpande

      Hello Suresh,

      I will check your query with the SME and will respond back.

      Regards,

      Anagha


      Mar 29, 2018 10:23
      1. Anagha Deshpande

        Hello Suresh,

        Apologies for the delayed response.

        We do fix security vulnerability issues in every release on priority.

        Please try using the latest version of Mid Tier and let us know if the issue is still reproducible.

        You can raise this issue with the support and we will do the needful. Click here to contact customer support.

        Regards,

        Anagha


        Sep 18, 2018 04:00