Installing encryption on BMC Remedy applications
This topic describes how to install Performance and Premium encryption on Remedy AR System servers and clients. Use the same procedure for both Microsoft Windows and UNIX platforms.
To install encryption on third-party or user applications that use the AR System API to communicate with AR System servers, see Installing encryption on non-BMC Remedy applications.
Warning
If you update the Oracle Java runtime environment (JRE) or Java development kit (JDK) on a computer after installing Performance Security or Premium Security, you must reinstall encryption after upgrading Java. See Configuring the data key in Remedy AR System documentation.
Ensure that all the Remedy components where you install a Remedy Encryption Security product are of the same version as the Remedy AR System server. An older version of an encrypted component might not be able to connect to the latest version of the encrypted AR System server.
Before you begin
Best practice
- All servers and clients on which you plan to install a Remedy Encryption Security product are using the latest version of Remedy AR System.
- The Remedy Encryption Security products are compatible with your system. See FIPS 140-2 certification in FIPS encryption options.
- The appropriate AR Encryption license is added to each server on which you plan to install encryption. (For information about adding licenses to servers, see Working with BMC Remedy AR System licenses in Remedy AR System documentation.)
To install encryption on Remedy AR System servers and clients
- Go to the directory that contains the encryption installer.
- Run the appropriate installer:

| Operating system | Encryption level | Installer |
| --- | --- | --- |
| Windows | Performance | setup.exe |
| Windows | Premium | setup.exe |
| UNIX | Performance | setup.bin |
| UNIX | Premium | setup.bin |

- If the Notification screen appears, follow the instructions on the screen.
If you restart your computer to comply with the instructions, you must also restart the installer.
- In the Welcome screen, click Next.
Note
At any time during setup, you can click Cancel to exit the installer.
- Select I agree to the terms of the license agreement, and click Next.
- (Optional) In the Directory Selection screen, click Browse to change the temporary installation directory.
- Click Next.
- In the Select AR Component screen, select the components to install encryption on.
If you do not want to install encryption on a preselected component, clear the component's check box.
To add a component to the list:
- In the Add Component area, select the component in the Component list.
- Click Browse.
Navigate to a folder in which to install the component's encryption library.
Note
The encryption library must be stored in the folder that contains the component's arapi75.dll file.
- Select the folder, and click Open.
- Click Add to List.
- Click Next.
- (Installing on a server only) When the AR Components Detection Validation Result screen notifies you that the installer will restart the server, click Next, and proceed to step 13.
(Installing on Java only) From the Java Platform Selection panel, select the JRE directories used by the Java components.
Select both the JDK JRE directory and the public JRE directory.
Note
Java-based components include Remedy Mid Tier, Remedy Developer Studio, the Remedy Flashboards server, Remedy Email Engine, the Java plug-in server, and user-developed clients that use the Remedy AR System Java API.
Add a JRE directory to the table:
- Click Add.
- Navigate to the folder that contains the definition.
- Select the folder, and click Open.
- (Installing on Java only) Click Next.
- (Installing on a server only) From the Security Mode Information window, select one of the following options and click Next.
FIPS Compliant — If you select this option, your encryption configuration will comply with Federal Information Processing Standard (FIPS) 140-2. See FIPS encryption options.
Encryption Algorithm — Select an encryption algorithm:
- AES — Advanced Encryption Standard (AES) is a block cipher. It is the U.S. Federal government-approved encryption algorithm and provides a higher level of security than RC4.
- RC4 — Rivest Cipher 4 (RC4) is a stream cipher. It is less secure than AES but faster. This option is not available for FIPS-compliant servers.
Security Policy — Select a security policy:
- Optional — Clients with and without encryption installed can communicate with the server. This option is not available for FIPS-compliant servers.
- Required — Only clients with encryption installed can communicate with the server.
- Disabled — Whether encryption is installed on a client or not, communication with the server is not encrypted.
See Configuring the data key in Remedy AR System documentation.
- In the Installation Preview window, perform one of the following tasks:
- To change the installation setup, click the Previous button and return to the windows that need editing.
- To start the installation, click Install.
The installer copies the encryption libraries into the specified folder for each component you selected in step 8 and updates product log files and registry entries. If you are installing encryption on a server, it also restarts the server.
- When the installation is finished, do one or both:
- (Optional) To review the install log file, click View Log.
- To exit the wizard, click Done.
Note
If you install Performance Security or Premium Security on a Remedy AR System server before adding the appropriate Remedy AR System Encryption Performance or Premium license to the server, the installation program automatically disables encryption. To activate encryption, you must add the license to your server (see Configuring) and then activate encryption (see Configuring the data key) in Remedy AR System documentation.
Post installation validation checks for Remedy Encryption Security
Remedy Encryption Security contains two basic encryption methods: encryption for Java-based products and encryption for C-based products.
Check the files in your system after installing Remedy Encryption Security.
The files added to your system for Java-based products (AR System Server, Java Plugin Servers, Mid-Tier and other Tomcat-based processes) and C-based processes (Reconciliation Engine, AR System Dispatcher, AR System C Plugin Server) are described as follows:
Java-based encryption
When you install encryption on Java-based components, the installer modifies your Java installation. The installer changes some security settings for the Java Virtual Machine (JVM) and adds new JAR files as extensions for the JVM that runs from that instance. If you face issues with this, make sure that you have only one instance of Java installed on a single machine. Multiple instances of Java on the same system cause conflicts and are not advised.
After the installation, check for the following files in your system:
Changes made to Java-based products
Files added to Java 11+:
- %JAVA_HOME%\lib\bmcext\cryptojce.jar
- %JAVA_HOME%\lib\bmcext\cryptojcommon.jar
- %JAVA_HOME%\lib\bmcext\jcmFIPS.jar
- %JAVA_HOME%\lib\bmcext\bcprov-jdk15on-1.60.jar
- %JAVA_HOME%\conf\security\local_policy.jar
- %JAVA_HOME%\conf\security\US_export_policy.jar
Files modified in Java 11+:
- %JAVA_HOME%\conf\security\java.security
Adds the following security providers:
- com.rsa.jsafe.provider.JsafeJCE
- org.bouncycastle.jce.provider.BouncyCastleProvider
Adds the FIPS Mode:
- fips140initialmode
Files added to Java 8:
- %JAVA_HOME%\lib\ext\cryptojce.jar
- %JAVA_HOME%\lib\ext\cryptojcommon.jar
- %JAVA_HOME%\lib\ext\jcmFIPS.jar
- %JAVA_HOME%\lib\ext\bcprov-jdk15on-1.60.jar
- %JAVA_HOME%\lib\security\local_policy.jar
- %JAVA_HOME%\lib\security\US_export_policy.jar
Files modified in Java 8:
- %JAVA_HOME%\lib\security\java.security
Adds the following security providers:
- com.rsa.jsafe.provider.JsafeJCE
- org.bouncycastle.jce.provider.BouncyCastleProvider
Adds the FIPS Mode:
- fips140initialmode
If these files are missing, please run the Remedy Encryption Security installation again, and choose the correct Java path. If you are installing Encryption Security on a custom Java client (not provided by BMC), add these files manually to the JVM used by that client. BMC does not support adding these files manually even though it is possible.
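The Java-side checks above can be scripted for UNIX hosts. The following is an added example, not BMC-supplied code: the function name `check_remedy_java_encryption` and the script name are hypothetical, and it assumes the argument is the same Java directory that was selected in the installer.

```shell
#!/bin/sh
# Added example: verify the Java-side changes listed above for one JVM.
# Usage: sh check_remedy_jvm.sh /path/to/java/home   (script name is hypothetical)
check_remedy_java_encryption() {
    jh=$1
    missing=0
    # Java 11+ keeps security settings in conf/security and the added JARs in
    # lib/bmcext; Java 8 uses lib/security and lib/ext.
    if [ -d "$jh/conf/security" ]; then
        jar_dir="$jh/lib/bmcext"; sec_dir="$jh/conf/security"
    else
        jar_dir="$jh/lib/ext"; sec_dir="$jh/lib/security"
    fi
    for f in "$jar_dir/cryptojce.jar" "$jar_dir/cryptojcommon.jar" \
             "$jar_dir/jcmFIPS.jar" "$jar_dir/bcprov-jdk15on-1.60.jar" \
             "$sec_dir/local_policy.jar" "$sec_dir/US_export_policy.jar" \
             "$sec_dir/java.security"; do
        if [ ! -f "$f" ]; then
            echo "MISSING file: $f"
            missing=$((missing + 1))
        fi
    done
    # Entries the installer adds to java.security. Commented-out lines are
    # ignored, because a provider left in a comment is not loaded by the JVM.
    if [ -f "$sec_dir/java.security" ]; then
        for entry in com.rsa.jsafe.provider.JsafeJCE \
                     org.bouncycastle.jce.provider.BouncyCastleProvider \
                     fips140initialmode; do
            if ! grep -v '^[[:space:]]*#' "$sec_dir/java.security" | grep -qF "$entry"; then
                echo "MISSING java.security entry: $entry"
                missing=$((missing + 1))
            fi
        done
    fi
    [ "$missing" -eq 0 ]
}

# When called with a Java directory, report the result for that JVM.
if [ "$#" -gt 0 ]; then
    check_remedy_java_encryption "$1" && echo "OK: all listed files and entries present"
fi
```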
Changes made to C-based products
When you install Encryption Security on C-based components, the installer adds only two files to the directory of the executable. For example, if the reconciliation engine is located at "\AtriumCore\cmdb\server64\bin\arrecond.exe", the installer copies the files to that same directory.
After the installation, check for the following files in your system:
Windows:
- arencrypt91_build007.dll
- arencrypt91_build007_win64.dll
Linux (non-FIPS):
Linux (FIPS):
Note
Before installing Remedy Encryption Security, determine whether the C program is 32-bit or 64-bit. For the preceding example of the reconciliation engine, the installer needs only the 64-bit library because it is a 64-bit application. For other applications, like the AR System Dispatcher, the installer requires the 32-bit library.
If these files are missing, please run the Remedy Encryption Security installation again, and choose the correct components. If you are installing Encryption Security on a custom C client (not provided by BMC), add these files manually to the same directory as the executable used by that client. BMC does not support adding these files manually even though it is possible.
Where to go from here
To modify a server's encryption settings after installation, see Configuring BMC Remedy Encryption Security in the Remedy AR System documentation.