This documentation supports the 9.0 version of Remedy Action Request System.


WhiteHat Sentinel PE security penetration testing

BMC Remedy ITSM 9.0 and BMC Remedy AR System 9.0 use the WhiteHat Sentinel Premium Edition (WhiteHat Sentinel PE) service, a dynamic application security testing (DAST) service, for security penetration testing. Penetration testing lets BMC identify whether the applications are vulnerable to web attacks and implement the countermeasures needed to remove or mitigate the findings.

As of April 6, 2015, BMC Remedy ITSM 9.0 and BMC Remedy AR System 9.0 do not have any security penetration vulnerabilities.


Note

For BMC Remedy ITSM 9.0 and BMC Remedy AR System 9.0, BMC schedules automated security scans with WhiteHat Security that are run on the SaaS-based WhiteHat Sentinel platform. Automated scans are augmented by manual penetration tests performed by WhiteHat security experts. After the tests are completed, BMC receives vulnerability assessment reports. For more information about WhiteHat Sentinel, see https://www.whitehatsec.com/sentinel_services/benefits.html.

For BMC Remedy ITSM 9.0 and BMC Remedy AR System 9.0, security penetration tests were performed against a BMC Remedy OnDemand instance deployed in the environment described under Test environment below.

WhiteHat security vulnerability tests

As of April 6, 2015, WhiteHat Security has run 242 automated security scans of BMC Remedy AR System 9.0 and BMC Remedy ITSM 9.0. WhiteHat Security then performs manual testing that explores further the areas flagged during the automated scans.

WhiteHat Security employs the following types of tests during the security testing:

  • Authentication tests (brute force, insufficient authentication, weak password recovery, cross-site request forgery, credential/session prediction, insufficient authorization, insufficient session expiration, session fixation)
  • Client-side attack tests (content spoofing, cross-site scripting, HTTP response splitting)
  • Command execution tests (buffer overflow, format string attack, LDAP injection, OS commanding, SQL injection, server-side include injection, XPath injection)
  • Information disclosure tests (directory indexing, information leakage, path traversal, predictable resource location)
  • Logical attack tests (abuse of functionality, denial of service, insufficient anti-automation, insufficient process validation)

For more information about WhiteHat Security, see the website security statement for WhiteHat Security.

WhiteHat PCI compliance testing

WhiteHat also tests for compliance with the Payment Card Industry Data Security Standard (PCI DSS version 3.0), which requires that web applications be built to secure coding guidelines and be subject to routine vulnerability checks. The following categories of PCI tests are employed:

  • Injection flaws
  • Buffer overflow
  • Insecure Cryptographic Storage
  • Insecure Communications
  • Improper Error Handling
  • Cross Site Scripting
  • Improper Access Control
  • Cross Site Request Forgery
  • Broken Authentication and Session Management

WhiteHat reports

For more information about the WhiteHat Sentinel PE tests that were used and their results (zero technical and zero business logic vulnerabilities were found), see the following reports:

BMC and WhiteHat Security continue to run tests as BMC augments the environment or adds new security tests.

Test environment

Component: BMC Remedy Mid Tier 9.0
Server specifications:
  • 2 CPUs (Intel® Xeon® CPU E7-4870 @ 2.40 GHz)
  • 8 GB RAM
  • 25 GB drive for BMC Remedy applications
  • 15 GB drive for paging
VM used? Yes
Operating system: CentOS release 6.5 (Final)

Component: BMC Atrium Single Sign-On 8.8.00.01.05
Server specifications:
  • 2 CPUs (Intel® Xeon® CPU E7-4870 @ 2.40 GHz)
  • 8 GB RAM
VM used? Yes
Operating system: CentOS

Component: BMC Remedy AR System 9.0 and BMC Remedy ITSM 9.0
Server specifications:
  • 2 CPUs (Intel® Xeon® CPU E7-4870 @ 2.40 GHz)
  • 8 GB RAM
  • 39.9 GB drive for BMC Remedy applications
  • 15 GB drive for paging
VM used? Yes
Operating system: Microsoft Windows Server 2008 R2 (64-bit)

Component: BMC Remedy Smart Reporting
Server specifications:
  • 2 CPUs (Intel® Xeon® CPU E7-4870 @ 2.40 GHz)
  • 16 GB RAM
  • 25 GB drive for BMC Remedy applications
  • 15 GB drive for paging
VM used? Yes
Operating system: CentOS release 6.2 (Final)

Note

Refer to BMC Atrium Single Sign-On security settings for a complete list of the security settings used in this environment.

Changes required for on-premises and BMC Remedy OnDemand environments

The following changes are required in on-premises and BMC Remedy OnDemand environments to achieve zero technical and business logic vulnerabilities in BMC Remedy ITSM 9.0 and BMC Remedy AR System 9.0. They are part of the configuration that was scanned, so a deployment that omits them is not covered by the results reported above:

Configuring Apache Tomcat settings to disable directory listings

To prevent information disclosure through directory listings (one of the Information disclosure tests listed above), BMC used the following procedure to disable directory listings on the Tomcat web server hosting BMC Remedy Mid Tier:

  1. Stop the Tomcat server.
  2. Use a text editor to edit the <CATALINA_HOME>\conf\web.xml file.
  3. In the definition of the default servlet (org.apache.catalina.servlets.DefaultServlet), change the param-value of the listings init-param to false.
  4. Save the change.
  5. Restart the Tomcat server.
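As an added example (not BMC's or Tomcat's code), the following Python script checks whether a Tomcat conf/web.xml enables listings on the default servlet and rewrites the flag to false. It assumes the standard layout of that file, and the web.xml excerpt embedded in it is constructed for the demonstration.

```python
"""Check and fix the Tomcat DefaultServlet "listings" flag in conf/web.xml.

Added example (not BMC's or Tomcat's code). It assumes the standard layout of
Tomcat's conf/web.xml: a <servlet> named "default" whose <init-param> entries
include "listings". SAMPLE_WEB_XML is a constructed excerpt, not a real file.
"""
import re
import xml.etree.ElementTree as ET

SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <init-param>
      <param-name>listings</param-name>
      <param-value>true</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""


def _text(elem) -> str:
    return (elem.text or "").strip() if elem is not None else ""


def _listings_value(root):
    """Return the <param-value> element of the default servlet's "listings" init-param.

    The {*} wildcard matches whatever namespace the web.xml declares (Tomcat 7
    and Tomcat 8 use different ones), so the search does not depend on it.
    """
    for servlet in root.findall(".//{*}servlet"):
        if _text(servlet.find("{*}servlet-name")) != "default":
            continue
        for param in servlet.findall("{*}init-param"):
            if _text(param.find("{*}param-name")) == "listings":
                return param.find("{*}param-value")
    return None


def listings_enabled(web_xml: str) -> bool:
    """True if the default servlet will render directory indexes."""
    value = _listings_value(ET.fromstring(web_xml))
    return _text(value).lower() == "true"


def disable_listings(web_xml: str) -> str:
    """Return web.xml with listings set to false (idempotent if already off)."""
    root = ET.fromstring(web_xml)
    ns = re.match(r"\{(.*)\}", root.tag)
    if ns:
        # Keep the default namespace unprefixed so Tomcat still reads the file.
        ET.register_namespace("", ns.group(1))
    value = _listings_value(root)
    if value is None:
        raise ValueError("no listings init-param on the default servlet")
    value.text = "false"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("listings enabled before:", listings_enabled(SAMPLE_WEB_XML))
    fixed = disable_listings(SAMPLE_WEB_XML)
    print("listings enabled after: ", listings_enabled(fixed))
```

To audit a real server, read <CATALINA_HOME>/conf/web.xml into listings_enabled(); after the restart, confirm the change by requesting a directory URL under the Mid Tier that has no welcome file: Tomcat should answer 404 instead of a "Directory Listing For" page.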

Disabling directory listings also disables the online help, which depends on them. To restore online help:

  1. Install a separate Tomcat instance on a different port on the BMC Remedy Mid Tier computer.
  2. Install the online help in the ROOT web application of that Tomcat instance.
  3. Log on to BMC Remedy Mid Tier as an administrator and open the SHARE:Application_Properties form.
  4. Search for Property Name = Help File Path.
  5. Update the Property Value of every matching entry to point to the new online help URL with the correct port number.

    If you are using a reverse proxy (load balancer), further changes may be required to allow access to the new online help URL.

Creating an SSL profile on the reverse proxy to disable RC4 ciphers

RC4 cipher suites have known keystream biases that allow plaintext recovery, and SSL 3.0 is vulnerable to padding-oracle attacks (POODLE), so both must be disabled. The following procedure is an example of how BMC modified the default cipher support of the reverse proxy (load balancer) to disable Secure Sockets Layer (SSL) version 3 and RC4 ciphers.

This procedure is specific to how BMC Remedy OnDemand terminates SSL on an F5 reverse proxy. An on-premises installation instead requires changes to the Apache Tomcat configuration: for a JSSE connector, the sslEnabledProtocols and ciphers attributes of the HTTPS Connector in server.xml control which protocol versions and cipher suites Tomcat offers.

  1. Log on to the Configuration utility for the reverse proxy (load balancer).
  2. Click Local Traffic.
  3. Click Profiles.
  4. From the SSL menu, select Client.
  5. Click Create.
  6. Type a name for the SSL profile.
  7. From the Parent Profile menu, select clientssl.
  8. From the Configuration menu, select Advanced.
  9. Click the Custom box for Ciphers.
  10. In the Ciphers box, enter the following string:
    DEFAULT:!SSLV3:!RC4
  11. Click Finished.
  12. Associate the SSL profile with the virtual server.
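In the F5 syntax used above, the SSLV3 keyword disables the SSL 3.0 protocol. Added example, not BMC's or F5's configuration: the following Python script, using only the standard library's ssl module, applies the same policy in OpenSSL cipher-string syntax, which is what Tomcat and most other on-premises TLS stacks accept, and shows the caveat that makes a copied string behave differently there. In OpenSSL, SSLv3 in a cipher string names the group of cipher suites first defined in SSL 3.0, not the protocol version, so "!SSLv3" strips suites such as AES128-SHA that TLS 1.0 and 1.1 clients depend on while leaving the protocol floor untouched. The suite names printed depend on the OpenSSL build Python is linked against.

```python
"""Express the 'no SSL 3.0, no RC4' policy in OpenSSL cipher-string terms.

Added example, not BMC's or F5's configuration. Uses only the standard library;
the suite names come from the OpenSSL build Python is linked against.
"""
import ssl


def offered_ciphers(cipher_string: str) -> dict:
    """Map suite name -> protocol label OpenSSL reports for a cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return {c["name"]: c["protocol"] for c in ctx.get_ciphers()}


def hardened_context() -> ssl.SSLContext:
    """Context with RC4 removed and SSL 3.0 (and TLS 1.0/1.1) refused.

    In OpenSSL syntax the cipher string only selects cipher suites; the
    protocol floor is a separate setting (minimum_version here, the protocol
    attribute of the connector on a server). Writing "!SSLv3" in the cipher
    string instead removes every suite first defined in SSL 3.0, which is a
    different, and usually unintended, change.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("DEFAULT:!RC4")
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def removed_by_sslv3_keyword() -> dict:
    """Suites that the OpenSSL keyword '!SSLv3' strips from DEFAULT.

    Every one of them is an SSL 3.0-era *suite* (OpenSSL labels them 'SSLv3'),
    e.g. AES128-SHA or ECDHE-RSA-AES256-SHA, which TLS 1.0/1.1 clients need.
    """
    base = offered_ciphers("DEFAULT:!RC4")
    trimmed = offered_ciphers("DEFAULT:!SSLv3:!RC4")
    return {name: proto for name, proto in base.items() if name not in trimmed}


if __name__ == "__main__":
    ctx = hardened_context()
    print("RC4 offered:", [c["name"] for c in ctx.get_ciphers() if "RC4" in c["name"]])
    print("minimum protocol:", ctx.minimum_version.name)
    dropped = removed_by_sslv3_keyword()
    print(f"'!SSLv3' drops {len(dropped)} suites, e.g. {sorted(dropped)[:3]}")
```

The practical consequence for an on-premises Tomcat: put "!RC4" in the connector's ciphers list, and disable SSL 3.0 through the protocol attribute rather than by copying "!SSLV3" into the cipher string.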

Restricting attachments by using Attachment Security

BMC used the Attachment Security feature, available since BMC Remedy AR System 8.1 SP1. By restricting the permitted file extensions, this feature helps prevent users from uploading malicious attachments and from viewing them in BMC Remedy Mid Tier. BMC defined the following extensions as the only ones allowed for attachment uploads:

  • .txt
  • .png
  • .jpg

To restrict attachments, BMC used the following procedure to make the changes to the Attachment Security tab of the AR System Administration: Server Information form:

  1. Select the following options:
    • Allow attachments with following extensions option in the Attachment criteria field
    • Allow display of attachments with the following extensions option in the Display criteria field
  2. Define the list of attachment extensions (.txt, .png, .jpg) in the Comma separated list of limit extensions and Comma separated list of display extensions fields.
  3. Click Apply.

For additional information about how to restrict attachments, see Setting security restrictions on file uploads.

The following image shows the changes made to the Attachment Security tab.

AR System Administration: Server Information form — Attachment Security tab
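The following Python allowlist check is an added example, not the AR System Attachment Security implementation. It uses the three extensions from the list above and adds the content check a practitioner would pair with an extension filter, since an extension filter alone accepts an HTML document renamed to .png. The signature table and the sample uploads are constructed for the demonstration.

```python
"""Attachment screening with the allowlist from this page (.txt, .png, .jpg)
plus a content check. Added example, not the AR System Attachment Security
implementation; the signature table and the sample uploads are constructed.
"""
import os

ALLOWED_EXTENSIONS = {".txt", ".png", ".jpg"}

# Leading bytes the binary types must carry (assumed table for the example).
SIGNATURES = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
}


def extension_allowed(filename: str) -> bool:
    """Extension check alone: last suffix, case-folded, directory parts ignored."""
    base = os.path.basename(filename.replace("\\", "/"))
    return os.path.splitext(base)[1].lower() in ALLOWED_EXTENSIONS


def content_matches_extension(filename: str, data: bytes) -> bool:
    """Content check: binary types must start with their signature; .txt must
    decode as UTF-8 and contain no markup, so a script renamed to .txt is
    refused even though .txt is on the allowlist."""
    ext = os.path.splitext(filename)[1].lower()
    if ext in SIGNATURES:
        return any(data.startswith(sig) for sig in SIGNATURES[ext])
    if ext == ".txt":
        try:
            text = data.decode("utf-8")
        except UnicodeDecodeError:
            return False
        return "\x00" not in text and "<" not in text
    return False


def screen_attachment(filename: str, data: bytes) -> tuple[bool, str]:
    """Apply both checks; returns (accepted, reason)."""
    if "\x00" in filename:
        return False, "null byte in filename"
    if not extension_allowed(filename):
        return False, "extension not in allowlist"
    if not content_matches_extension(filename, data):
        return False, "content does not match extension"
    return True, "ok"


# Constructed uploads: three legitimate files and four that must be refused.
SAMPLES = {
    "report.txt": b"Ticket INC000001 closed.\n",
    "logo.PNG": b"\x89PNG\r\n\x1a\n" + bytes(16),
    "photo.jpg": b"\xff\xd8\xff\xe0" + bytes(16),
    "evil.png": b"<html><script>alert(1)</script></html>",
    "notes.txt": b"<script>document.location='http://attacker.invalid'</script>",
    "payload.html": b"<html></html>",
    "shell.jsp.txt": b"<% out.println(1); %>",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:14s} -> {screen_attachment(name, body)}")
```

The form keeps separate upload and display lists; the example folds both into one decision at upload time. Keeping the display list as tight as the upload list still matters, because it governs what the Mid Tier will hand to a browser inline.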

Enabling Login Failure Lockout in BMC Atrium SSO

With the Atrium SSO Login Failure Lockout procedure, an account can be locked after a number of failed login attempts. The number of failed attempts that triggers the lockout and the duration of the lockout are both configurable. For the BMC WhiteHat security testing, Login Failure Lockout was configured to lock the account for 15 minutes after three unsuccessful login attempts.

Use the Atrium SSO Realm Editor to configure Login Failure Lockout. For instructions on configuring the Realm Editor including Login Failure Lockout, refer to the BMC Atrium SSO Realm Editor topic.
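An added illustration of the lockout policy described above (three failures lock the account for 15 minutes), not BMC Atrium SSO code. The clock is injectable so the expiry can be exercised without waiting.

```python
"""Login-failure lockout with the parameters from the page: 3 failures lock the
account for 15 minutes. Added illustration, not BMC Atrium SSO code; the clock
is injectable so expiry can be exercised without waiting 15 minutes.
"""
import time
from typing import Callable

LOCKOUT_THRESHOLD = 3
LOCKOUT_SECONDS = 15 * 60


class LockoutPolicy:
    def __init__(self, threshold: int = LOCKOUT_THRESHOLD,
                 lock_seconds: int = LOCKOUT_SECONDS,
                 clock: Callable[[], float] = time.time) -> None:
        self.threshold = threshold
        self.lock_seconds = lock_seconds
        self.clock = clock
        self._failures: dict[str, int] = {}
        self._locked_until: dict[str, float] = {}

    def is_locked(self, user: str) -> bool:
        return self.clock() < self._locked_until.get(user, 0.0)

    def lock_remaining(self, user: str) -> float:
        return max(0.0, self._locked_until.get(user, 0.0) - self.clock())

    def attempt(self, user: str, password_ok: bool) -> str:
        """Outcome of one login attempt: 'locked', 'ok' or 'failed'.

        The lock is enforced before the password is checked, so a correct
        guess made during the lockout window is not confirmed to the caller.
        """
        if self.is_locked(user):
            return "locked"
        if password_ok:
            self._failures.pop(user, None)      # success resets the counter
            return "ok"
        count = self._failures.get(user, 0) + 1
        if count >= self.threshold:
            self._locked_until[user] = self.clock() + self.lock_seconds
            self._failures.pop(user, None)       # counter restarts after the lock
        else:
            self._failures[user] = count
        return "failed"


if __name__ == "__main__":
    now = [0.0]
    policy = LockoutPolicy(clock=lambda: now[0])
    for _ in range(3):
        print(policy.attempt("alice", False))
    print(policy.attempt("alice", True), policy.lock_remaining("alice"), "s remaining")
    now[0] += LOCKOUT_SECONDS
    print(policy.attempt("alice", True))
```

Two points the parameters do not convey on their own: the lock has to apply even when the submitted password is correct, otherwise it does not slow a guessing attack; and a per-account lock is also a denial-of-service lever, since anyone who knows a login name can keep it locked, which is why the threshold and duration are a trade-off rather than "as strict as possible".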

Enabling Valid Forwarding Domains in BMC Atrium SSO

The Valid Forwarding Domains feature limits the domains to which the BMC Atrium Single Sign-On server will redirect the browser after authentication, which closes the open-redirect route through the login flow. To enable this feature, add at least one URL to the list of Valid Forwarding Domains; an empty list means the feature is disabled.

To add a URL to the list of valid forwarding domains

  1. Insert the URL in the Trusted Domain field.
  2. Click Add.
  3. For the changes to take effect, restart the BMC Atrium Single Sign-on server.

Note

Enter the full absolute URL, including scheme, host, port and path, in the list of Valid Forwarding Domains, for example:

https://sample.bmc.com:8080/test

If you try to access a URL that is not present in Valid Forwarding Domains, you are redirected to a page that has an error message and a link to log out of the BMC Atrium Single Sign-On server.
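The following Python check is an added example of validating a post-login redirect against an allowlist of absolute URLs, in the way Valid Forwarding Domains constrains the server; it is not BMC code. The single allowlist entry is the one from the note above, and the probe URLs are constructed to show why the comparison has to be on parsed components rather than string prefixes.

```python
"""Validate a post-login redirect against an allowlist of absolute URLs, the
way Valid Forwarding Domains constrains the Atrium SSO server. Added example,
not BMC code; the single allowlist entry is the one from the note above and
the probes are constructed.
"""
from urllib.parse import urlsplit

VALID_FORWARDING_DOMAINS = ["https://sample.bmc.com:8080/test"]


def _parts(url: str):
    """(scheme, host, port, path) for an absolute http(s) URL, else None."""
    try:
        p = urlsplit(url)
        host, port = p.hostname, p.port   # .port raises ValueError on junk like :abc
    except ValueError:
        return None
    if p.scheme not in ("http", "https") or not host:
        return None
    if port is None:
        port = 443 if p.scheme == "https" else 80
    return p.scheme, host.lower(), port, p.path or "/"


def is_valid_forward(target: str, allowlist=VALID_FORWARDING_DOMAINS) -> bool:
    """True only when scheme, host and port all match an entry and the target's
    path is that entry's path or lies beneath it. Comparing parsed components,
    not string prefixes, is what defeats the lookalike URLs in PROBES."""
    t = _parts(target)
    if t is None:
        return False
    scheme, host, port, path = t
    for entry in allowlist:
        e = _parts(entry)
        if e is None or (scheme, host, port) != e[:3]:
            continue
        e_path = e[3]
        if path == e_path or path.startswith(e_path.rstrip("/") + "/"):
            return True
    return False


# Constructed probes with the expected verdict; the eight False ones are open-redirect attempts.
PROBES = {
    "https://sample.bmc.com:8080/test": True,
    "https://SAMPLE.bmc.com:8080/test/home?ticket=1": True,
    "https://sample.bmc.com.attacker.invalid:8080/test": False,  # host-suffix lookalike
    "https://sample.bmc.com:8080@attacker.invalid/test": False,  # userinfo trick
    "https://sample.bmc.com:8080/testing": False,                # prefix, not a sub-path
    "http://sample.bmc.com:8080/test": False,                    # scheme downgrade
    "https://sample.bmc.com/test": False,                        # port 443, not 8080
    "//attacker.invalid/test": False,                            # scheme-relative
    "/test": False,                                              # relative path
    "javascript:alert(1)": False,
}

if __name__ == "__main__":
    for url, expected in PROBES.items():
        verdict = is_valid_forward(url)
        print(("PASS" if verdict == expected else "FAIL"), verdict, url)
```

The userinfo and host-suffix probes are the ones that defeat a naive startswith() check on the raw string, which is the reason the note insists on full absolute URLs in the list.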

The following Valid Forwarding Domains settings were used in the Whitehat security testing:


Enforcing the default password policy in BMC Remedy AR System

BMC Remedy AR System stores an MD5 hash of each password in the database rather than the password itself, so passwords cannot be read back from the database. MD5 is a fast hash, however, and gives little resistance to offline guessing if the hashes are stolen, which makes an enforced password policy the important control. To enable and configure a password policy, refer to the topic Enforcing a password policy introduction. For the BMC WhiteHat security testing, the default password policy was enabled.

Securing BMC Atrium Single Sign-On as a stand-alone server

A recommended procedure is to secure BMC Atrium Single Sign-On as a stand-alone server by using the Server Configuration Editor to set the HTTP Only and HTTPS Only options. HTTP Only marks the BMC Atrium Single Sign-On cookie with the HttpOnly attribute, so client-side script such as JavaScript (document.cookie) cannot read it, which limits what a cross-site scripting flaw can steal. HTTPS Only marks the cookie with the Secure attribute, so the browser sends it only over HTTPS connections and never in clear text.

  1. Open the Edit Server Configuration tab on the BMC Atrium SSO Admin Console.
  2. Select the HTTP Only and HTTPS Only check boxes, and click Save.
  3. Restart the BMC Atrium Single Sign-On server.
  4. Clear all cookies from the browser history.


For more information, refer to Server Configuration Editor.

F5 Load Balancer hotfix

In certain F5 Load Balancers, an active attacker may be able to recover plaintext, such as authentication cookies, from a TLS 1.x connection. The fix is to upgrade the F5 Local Traffic Manager (LTM) to the version 11.6 hotfix. Refer to the F5 support document https://support.f5.com/kb/en-us/solutions/public/15000/800/sol15882.html for additional information.

BMC Remedy Mid Tier security settings

The following table lists the BMC Remedy Mid Tier settings used for WhiteHat security testing. After uncommenting a filter, check that the tags are well formed; Tomcat refuses to deploy the Mid Tier if web.xml does not parse.

Parameter: Use Post for Backchannel calls
Setting: Added the following parameter in midtier/WEB-INF/classes/config.properties:

arsystem.xmlhttp.get=false

Parameter: Plugin XSS Security Check
Setting: Added the following parameter in midtier/WEB-INF/classes/config.properties:

arsystem.plugin_securitycheck=true

Parameter: Turn on SecureCookieFilter
Setting: Uncommented the following in midtier/WEB-INF/web.xml:

<filter>
    <filter-name>SecureCookieFilter</filter-name>
    <filter-class>com.remedy.arsys.stubs.SecureCookieFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>SecureCookieFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

Parameter: Turn on XSSFilter
Setting: Uncommented the following in midtier/WEB-INF/web.xml. Note that XSSFILTER is mapped only to the /plugins/* and /pluginsignal/* paths, not to every Mid Tier URL:

<filter>
    <filter-name>XSSFILTER</filter-name>
    <filter-class>com.remedy.arsys.stubs.XSSFilter</filter-class>
</filter>

<filter-mapping>
    <filter-name>XSSFILTER</filter-name>
    <url-pattern>/plugins/*</url-pattern>
</filter-mapping>
<filter-mapping>
    <filter-name>XSSFILTER</filter-name>
    <url-pattern>/pluginsignal/*</url-pattern>
</filter-mapping>

Parameter: Turn on CLICKJACKFILTER
Setting: Uncommented the following in midtier/WEB-INF/web.xml:

<filter>
    <filter-name>CLICKJACKFILTER</filter-name>
    <filter-class>com.remedy.arsys.support.ClickJackFilter</filter-class>
    <init-param>
        <param-name>mode</param-name>
        <param-value>SAMEORIGIN</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CLICKJACKFILTER</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
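The settings above, together with the HTTP Only and HTTPS Only options in the BMC Atrium Single Sign-On section, are all observable in the HTTP responses the servers return. The following Python audit is an added example, not BMC code, that checks a captured response for the flags those settings produce: Secure and HttpOnly on cookies (SecureCookieFilter, and the SSO cookie options), X-Frame-Options: SAMEORIGIN (CLICKJACKFILTER) and Strict-Transport-Security (the HSTSFilter that the comments below mention). The two responses in it are constructed, not captured from a real Mid Tier.

```python
"""Audit the response headers these settings are meant to produce: Secure and
HttpOnly on cookies (SecureCookieFilter; the HTTP Only / HTTPS Only options in
the Atrium SSO section), X-Frame-Options: SAMEORIGIN (CLICKJACKFILTER) and
Strict-Transport-Security (the HSTSFilter mentioned in the comments).
Added example, not BMC code; the two responses are constructed, not captured.
"""
from email.parser import Parser
from http.client import HTTPMessage


def parse_response(raw: str) -> tuple[str, HTTPMessage]:
    """Split a raw HTTP/1.1 response into status line and headers (body ignored)."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, _, header_text = head.partition("\r\n")
    return status, Parser(_class=HTTPMessage).parsestr(header_text)


def cookie_flags(set_cookie: str) -> tuple[str, set]:
    """(cookie name, lower-cased attribute names) for one Set-Cookie value;
    attribute names are case-insensitive per RFC 6265."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return name, attrs


def audit(raw_response: str, https: bool = True) -> list[str]:
    """Findings a DAST scan would raise for this response; [] means clean."""
    findings = []
    _, headers = parse_response(raw_response)
    for value in headers.get_all("Set-Cookie", []):
        name, attrs = cookie_flags(value)
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly")
        if https and "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure")
    xfo = (headers.get("X-Frame-Options") or "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or permissive")
    if https and headers.get("Strict-Transport-Security") is None:
        findings.append("Strict-Transport-Security missing")
    return findings


# Constructed responses: a Mid Tier page before and after the filters are enabled.
BEFORE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Set-Cookie: JSESSIONID=7F2A9C0B; Path=/arsys\r\n"
    "\r\n"
    "<html></html>"
)
AFTER = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "Set-Cookie: JSESSIONID=7F2A9C0B; Path=/arsys; Secure; HttpOnly\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    print("before:", audit(BEFORE))
    print("after: ", audit(AFTER))
```

Run it against the raw response of a login page and of an authenticated form page, since the session cookie is set on one and the frame-busting header matters on the other; a reverse proxy in front of the Mid Tier can strip or add any of these headers, so check the response as the browser sees it, not what Tomcat emits locally.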

Comments

  1. Mohammad nayeem Shaik

    Dear Team,

    I have enabled both XSSFILTER (X-XSS-Protection) & CLICKJACKFILTER (X-Frame-Options) using the steps provided here, but I see only CLICKJACKFILTER got enabled when I scanned a Remedy page (People form URL).

    Can you please let me know how to apply XSSFILTER (X-XSS-Protection) for all Remedy pages? Also please let me know how to implement the following filters in Remedy?

    • Strict-Transport-Security
    • X-Content-Type-Options
    • Content-Security-Policy
    • Public-Key-Pins
    • Referrer-Policy

    Regards,

    Mohammad Nayeem

    Aug 21, 2017 06:59
    1. Anagha Deshpande

      Hello Mohammad Nayeem,

      I will check this with the SME and will write back to you.

      Regards,

      Anagha 

      Aug 21, 2017 11:30
  2. Giriprasad Gunalan


    I have a similar requirement as Mohammad nayeem Shaik. Please suggest.

    Jun 26, 2018 09:10
    1. Onkar Telkikar

      Hello Giriprasad,

      We will discuss your requirement with the SME and will get back to you shortly.

      Regards,

      Onkar

      Jun 27, 2018 04:29
      1. Anagha Deshpande

        Hello Giriprasad,

        Following are the updates for the similar requirement:

        1. I have enabled both XSSFILTER (X-XSS-Protection) & CLICKJACKFILTER (X-Frame-Options) using the steps provided here, but I see only CLICKJACKFILTER got enabled when I scanned a Remedy page (People form URL).
          Answer — XSS Filter is used to set compatibility between mid tier and CA SiteMinder rules for bad URL characters such as ', <, >.
          You also need to set the arsystem.xmlhttp.get parameter in the config.properties file to false.
        2. Strict-Transport-Security (HSTS): Enable the HSTSFilter filter in the web.xml file to protect against MITM attacks.
        3. The following filters are not implemented out-of-the-box:
          X-Content-Type-Options
          Content-Security-Policy
          Public-Key-Pins
          Referrer-Policy

        Please let us know if you need any more information.

        Regards,

        Anagha

        Jul 04, 2018 12:37