This documentation applies to the 8.1 version of Remedy Action Request System, which is in "End of Version Support."


Security considerations for BMC Remedy AR System

When planning an enterprise setup, consult the following topics for security guidelines on the BMC Remedy Action Request System (AR System) components:

BMC Remedy AR System security

Security is an important consideration for AR System. The AR System server addresses security through:

  • Access control — Protects AR System data.
  • BMC Remedy Encryption Security — Protection for data that is passed over the wire. AR System client libraries contain built-in encryption capabilities that you can enable to secure the connection to the AR System server. Higher levels of encryption (BMC Remedy Encryption Performance Security or BMC Remedy Encryption Premium Security) are available if you need stronger encryption. AR System is also tested with database encryption products from your database vendor to ensure that this connection can be encrypted.
  • Protection of the server and network resources to which AR System has access — AR System can be configured to help secure the network resources used by the product. The system can be configured so it runs with limited access privileges, and has access only to certain resources on the host machine. This prevents a user from running malicious scripts or programs on the installed machine. For data and resource protection configuration options, see Configuring clients for AR System servers and BMC Remedy AR System configuration files.
  • Password security — AR System ensures that passwords are always encrypted. An MD5 hash of passwords is stored in the database, ensuring that the system (and therefore a reader of the database) cannot retrieve passwords. In addition, the AR System server allows you to use policies to enforce password changes. For password policy information, see Enforcing a password policy introduction.
  • FIPS Compliance — In version 7.5.00, AR System was enhanced so that data transmitted between AR System servers and clients can comply with FIPS 140-2 encryption requirements. BMC Remedy Encryption Performance Security now includes a FIPS encryption option. For more information, see FIPS encryption options.

Mid tier security

The mid tier provides a secure environment by encrypting sensitive data. All passwords are stored in configuration files as encrypted strings. For the web server, you must add any additional security if required.

Important

BMC recommends using a secure sockets layer (SSL) or HTTPS connection to encrypt the data between the web server and the browser client.

Enabling SSL can impact performance due to the extra overhead required to encrypt and decrypt on both ends.

Note

You can now log on to BMC Remedy Mid Tier using only HTTP POST requests. Available only in Service Pack 1 for version 8.1.00 and later versions.

Use BMC Remedy Encryption Performance Security or BMC Remedy Encryption Premium Security to encrypt communication between AR System components, including the mid tier.

When securing the mid tier, consider these tips about:

SSL

  • The mid tier works with SSL. SSL encryption is a few layers below the web application (between the HTTP web server and the browser client sending the HTTP requests). All web server vendors provide a method to create and store certificates to enable SSL encryption over HTTP.
  • Configuring the environment for SSL support is beyond the scope of any guidance BMC provides.
  • Apache HTTP server has an SSL mode and, when that mode is enabled, the server can cache the encryption information to speed up performance.

XSS

Cross-site scripting (XSS) is a type of computer security vulnerability (typically found in web applications) that allows malicious web users to inject code into the web pages viewed by other users. Examples of such code include HTML and client-side scripts.

Cross-site scripting is addressed in every release of the mid tier by running the code through a tool to identify potential problems to ensure no vulnerability is introduced. All user-supplied HTML special characters are encoded into character entities, thereby preventing them from being interpreted as HTML.
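The encoding step described above is easy to see in isolation. The following Python snippet is an added example (not mid tier code) that places a constructed user value into a hypothetical page template once without encoding and once with HTML special characters converted to character entities, then checks whether the value was able to add markup to the page.

```python
import html

# The five characters that can change HTML structure or break out of an attribute value.
HTML_SPECIAL_CHARS = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
}


def encode_html_special_chars(user_input: str) -> str:
    """Encode HTML special characters into character entities.

    Equivalent to html.escape(user_input, quote=True); spelled out here so the
    substitution table is visible.
    """
    return "".join(HTML_SPECIAL_CHARS.get(ch, ch) for ch in user_input)


# Hypothetical page template (an assumption); the placeholder stands for a user-supplied value.
TEMPLATE = '<p>Welcome, <span class="user">{{value}}</span></p>'


def render_unencoded(value: str) -> str:
    """Vulnerable rendering: the value is placed into the page as-is."""
    return TEMPLATE.replace("{{value}}", value)


def render_encoded(value: str) -> str:
    """Hardened rendering: every HTML special character is entity-encoded first."""
    return TEMPLATE.replace("{{value}}", encode_html_special_chars(value))


def introduces_markup(rendered: str) -> bool:
    """True if the rendered page contains more tag openers than the template alone.

    A deliberately crude check, used only to contrast the two renderers.
    """
    return rendered.count("<") > TEMPLATE.count("<")


# Constructed input: a harmless script tag, the classic XSS test string.
CONSTRUCTED_INPUT = '<script>alert("xss")</script>'

if __name__ == "__main__":
    for render in (render_unencoded, render_encoded):
        page = render(CONSTRUCTED_INPUT)
        print(f"{render.__name__}: injects markup={introduces_markup(page)}")
        print("   ", page)
    # Sanity check against the standard library's encoder.
    assert encode_html_special_chars(CONSTRUCTED_INPUT) == html.escape(CONSTRUCTED_INPUT, quote=True)
```

Encoding at output time is what keeps user data from being parsed as HTML; the quote characters are included because a value may land inside an attribute, where a stray `"` is enough to leave the attribute.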

WebDAV

Web Distributed Authoring and Versioning (WebDAV) extensions on web servers allow users to collaboratively edit and manage files on remote web servers. If your web server has the WebDAV extensions enabled by default, they should be disabled.

HTTP transport

To ensure that the HTTP transport method POST is used for XML/HTTP requests in the browser, you must set the arsystem_xmlhttp.get flag in the Config.properties file to false.

For more information, see:

Warning

If you use the pwd parameter in a URL, passwords are exposed by the browser in the locator and in bookmarks or favorites. For URLs that include the pwd parameter, use https://.
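The warning above concerns the browser side; a defender can also check on the server side whether any client is still sending the pwd parameter in a URL by scanning the web server access log, where request lines (including query strings) are recorded. The following Python script is an added example, not BMC code: the log lines, the form path under /arsys/ and the additional "password" parameter name are constructed assumptions. It reports each offending line with the secret value redacted so the report does not re-leak it.

```python
import re
from typing import Dict, List
from urllib.parse import urlsplit

# Constructed sample in Common Log Format; not real traffic, paths or credentials.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [24/Sep/2012:02:25:10 +0000] "GET /arsys/forms/arserver/HPD:Help+Desk?username=demo&pwd=S3cret HTTP/1.1" 200 5120
10.0.0.7 - - [24/Sep/2012:02:26:01 +0000] "POST /arsys/servlet/LoginServlet HTTP/1.1" 302 0
10.0.0.9 - - [24/Sep/2012:02:27:44 +0000] "GET /arsys/forms/arserver/HPD:Help+Desk?username=demo HTTP/1.1" 200 5120
"""

# Common Log Format: client, ident, user, [time], "method target protocol", status, ...
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# "pwd" is the AR System URL parameter named in the warning; "password" is an
# added assumption to catch the same mistake under a more generic name.
SENSITIVE_PARAMS = ("pwd", "password")
_NAMES = "|".join(map(re.escape, SENSITIVE_PARAMS))
# Matches a sensitive parameter name at the start of the query or after '&', case-insensitively.
PARAM_RE = re.compile(r"(?i)(?:^|&)(" + _NAMES + r")=")
# Matches the "?pwd=" / "&pwd=" prefix plus its value, so the value can be blanked.
REDACT_RE = re.compile(r"(?i)([?&](?:" + _NAMES + r")=)[^&#]*")


def query_credentials(target: str) -> List[str]:
    """Return the sensitive parameter names (lower-cased, sorted) in a request target."""
    query = urlsplit(target).query
    return sorted({m.group(1).lower() for m in PARAM_RE.finditer(query)})


def redact_target(target: str) -> str:
    """Replace the value of every sensitive parameter with the word REDACTED."""
    return REDACT_RE.sub(r"\1REDACTED", target)


def find_credentials_in_urls(log_text: str) -> List[Dict[str, object]]:
    """Scan access-log text and describe every request whose URL carried a credential."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_LINE.match(line)
        if not m:
            continue  # not Common Log Format; skip rather than guess
        names = query_credentials(m.group("target"))
        if names:
            findings.append({
                "line": lineno,
                "client": m.group("client"),
                "method": m.group("method"),
                "params": names,
                "target": redact_target(m.group("target")),
            })
    return findings


if __name__ == "__main__":
    for f in find_credentials_in_urls(SAMPLE_ACCESS_LOG):
        print(f"line {f['line']}: {f['client']} {f['method']} {f['target']} "
              f"exposes {', '.join(f['params'])}")
```

Only the GET request shows up, because a POST carries its parameters in the body rather than the request line; that is the difference the page's HTTP transport setting is about. A clean scan of the log is one way to confirm that no integration is still building URLs with the pwd parameter.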

Approval server security

The approval server provides a secure environment by encrypting sensitive data. For example, the password is always encoded and never saved in any file as readable text. You can add any additional security if required.

Use BMC Remedy Encryption Performance Security or BMC Remedy Encryption Premium Security to encrypt communication between AR System components, including the Approval server. Approval server uses the encrypted password for the Remedy Application Service user, which is available in the ar.cfg (ar.conf) file for making any backend calls to AR System.

BMC Atrium CMDB security

The CMDB Class Manager controls permission to access CMDB classes and attributes. This is done by using Role IDs associated with Role definitions from the BMC:Atrium CMDB deployable application. Two roles (-1090 and -1091) are defined to allow unlimited read or read/write access to CMDB data. Two other roles (-1098 and -1099) allow read or read/write access subject to row-level permission. The CMDB administrator should assign these roles to the appropriate groups in production and test environments.

Email Engine and Assignment Engine security

For information on Email Engine security, see Securing incoming and outgoing email.

For information on Assignment Engine security, see Configuring the Assignment Engine.

Additional Information

For more information on security guidelines, see the blog Choose your request methods carefully shared on BMC Communities.


Comments

  1. Axton Grams

    On the following comment, it leaves users with the wrong impression:

    If you use the pwd parameter in a URL, passwords are exposed by the browser in the locator and in bookmarks or favorites. For URLs that include the pwd parameter, use https://.

    Using https over http will not make much of a difference. The credentials are still passed over the wire in plain text, and they will be stored in the HTTP access logs. If you want to safely use the pwd parameter, it should be done over https using a POST and not a GET. This precludes the safe use of the pwd parameter in a URL.

    Sep 24, 2012 02:25
    1. Gregg Kitagawa

      Axton, thank you for your feedback on the documentation. The writer responsible for this content is reviewing your comment. If you want to contact Customer Support to log a formal ticket on this issue, click here.

      Sep 24, 2012 03:49
      1. Abhijit Rajwade
        1. Please use https in the above scenario so that GET request parameters are encrypted.
        2. User credentials get exposed in the browser URL bar and can be stored as bookmarks. This is a vulnerability, and so use of direct URLs should be avoided.
        Jul 01, 2013 07:04