Installing encryption on BMC Remedy applications

This topic describes how to install Performance and Premium encryption on Remedy AR System servers and clients. Use the same procedure for both Microsoft Windows and UNIX platforms.

To install encryption on third-party or user applications that use the AR System API to communicate with AR System servers, see Installing encryption on non-BMC Remedy applications.

Warning

If you update the Oracle Java runtime environment (JRE) or Java development kit (JDK) on a computer after installing Performance Security or Premium Security, you must reinstall encryption after upgrading Java. See Configuring the data key Open link in Remedy AR System documentation.

Ensure that all the Remedy components where you install a Remedy Encryption Security product are of the same version as the Remedy AR System server. An older version of an encrypted component might not be able to connect to the latest version of the encrypted AR System server.

Before you begin

Best practice

Install Remedy Encryption Security on all your Remedy clients (Mid-Tier, SmartIT, DWP, RSSO, Developer Studio, etc.), before installing Remedy Encryption Security on the AR System server.

Verify the following items:

All servers and clients on which you plan to install a Remedy Encryption Security product are using the latest version of Remedy AR System.
The Remedy Encryption Security products are compatible with your system. See FIPS 140-2 certification in FIPS encryption options.
The appropriate AR Encryption license is added to each server on which you plan to install encryption. (For information about adding licenses to servers, Working with BMC Remedy AR System licenses in Remedy AR System documentation)

To install encryption on Remedy AR System servers and clients

Go to the directory that contains the encryption installer.
Run the appropriate installer:
Operating system
Encryption level
Installer
Windows
Performance
setup.exe
Windows
Premium
setup.exe
UNIX
Performance
setup.bin
UNIX
Premium
setup.bin
If the Notification screen appears, follow the instructions on the screen.
If you restart your computer to comply with the instructions, you must also restart the installer.
In the Welcome screen, click Next.
Note

At any time during setup, you can click Cancel to exit the installer.
Select I agree to the terms of the license agreement , and click Next.
(Optional) In the Directory Selection screen, click Browse to change the temporary installation directory.
Click Next.
In the Select AR Component screen, select the components to install encryption on.
If you do not want to install encryption on a preselected component, clear the component's check box.
To add a component to the list:
1. In the Add Component area, select the component in the Component list.
2. Click Browse.
3. Navigate to a folder in which to install the component's encryption library.
  Note
  
  The encryption library must be stored in the folder that contains the component's arapi75.dll file.
4. Select the folder, and click Open.
5. Click Add to List.
Click Next.
(Installing on a server only) When the AR Components Detection Validation Result screen notifies you that the installer will restart the server, click Next, and proceed to step 13.
(Installing on Java only) From the Java Platform Selection panel, select the JRE directories used by the Java components.
Select both the JDK JRE directory and the public JRE directory.
Note

Java-based components include Remedy Mid Tier, Remedy Developer Studio, the Remedy Flashboards server, Remedy Email Engine, the Java plug-in server, and user-developed clients that use the Remedy AR System Java API.

Add a JRE directory to the table:
1. Click Add.
2. Navigate to the folder that contains the definition.
3. Select the folder, and click Open.
(Installing on Java only) Click Next.
(Installing on a server only)From the Security Mode Information window, select one of the following options and click Next.
- FIPS Compliant — If you select this option, your encryption configuration will comply with Federal Information Processing Standard (FIPS) 140-2. See FIPS encryption options
- Encryption Algorithm — Select an encryption algorithm:
- AES — Advanced Encryption Standard (AES) is a block cipher. It is the U.S. Federal government-approved encryption algorithm and provides a higher level of security than RC4.
- RC4 — Rivest Cipher 4 (RC4) is a stream cipher. It is less secure than AES but faster. This option is not available for FIPS-compliant servers.
- Security Policy— Select a security policy:
  - Optional — Clients with and without encryption installed can communicate with the server. This option is not available for FIPS-compliant servers.
  - Required — Only clients with encryption installed can communicate with the server.
  - Disabled — Whether encryption is installed on a client or not, communication with the server is not encrypted.
    See Configuring the data key in Remedy AR System documentation.
In the Installation Preview window, perform one of the following tasks:
- To change the installation setup, click the Previous button and return to the windows that need editing.
- To start the installation, click Install.
  The installer copies the encryption libraries into the specified folder for each component you selected in step 8 and updates product log files and registry entries. If you are installing encryption on a server, it also restarts the server.
When the installation is finished, do one or both:
1. (Optional) To review the install log file, click View Log.
2. To exit the wizard, click Done.

Note

If you install Performance Security or Premium Security on a Remedy AR System server before adding the appropriate Remedy AR System Encryption Performance or Premium license to the server, the installation program automatically disables encryption. To activate encryption, you must add the license to your server (see Configuring) and then activate encryption (see Configuring the data key Open link ) in Remedy AR System documentation.

Post installation validation checks for Remedy Encryption Security

Remedy Encryption Security contains two basic encryption methods - encryption for Java based products and encryption for C based products.

Check the files in your system after installing Remedy Encryption Security.

The files added in your system by Java based products (AR System Server, Java Plugin Servers, Mid-Tier and other Tomcat based processes) and C based processes (Reconciliation Engine, AR System Dispatcher, AR System C Plugin Server) are described as follows:

Java-based encryption

When you install encryption on Java-based components, the installer will modify your Java installation. The installer changes some security settings for the Java Virtual Machine (JVM) and adds new JAR files as extensions for the JVM that runs from that instance. If you face issues with this, make sure that you have only one instance of Java installed on a single machine. Multiple instances of Java on the same system cause conflicts and is not advised.

After the installation, check for the following files in your system:

Changes made to Java-based products

Files added to Java 11+:

%JAVA_HOME%\lib\bmcext\cryptojce.jar
%JAVA_HOME%\lib\bmcext\cryptojcommon.jar
%JAVA_HOME%\lib\bmcext\jcmFIPS.jar
%JAVA_HOME%\lib\bmcext\bcprov-jdk15on-1.60.jar
%JAVA_HOME%\conf\security\local_policy.jar
%JAVA_HOME%\conf\security\US_export_policy.jar

Files modified in Java 11+:

%JAVA_HOME%\conf\security\java.security

Adds the following security providers:

com.rsa.jsafe.provider.JsafeJCE
org.bouncycastle.jce.provider.BouncyCastleProvider

Adds the FIPS Mode:

fips140initialmode

Files added to Java 8:

%JAVA_HOME%\lib\ext\cryptojce.jar
%JAVA_HOME%\lib\ext\cryptojcommon.jar
%JAVA_HOME%\lib\ext\jcmFIPS.jar
%JAVA_HOME%\lib\ext\bcprov-jdk15on-1.60.jar
%JAVA_HOME%\lib\security\local_policy.jar
%JAVA_HOME%\lib\security\US_export_policy.jar

Files modified in Java 8:

%JAVA_HOME%\lib\security\java.security

Adds the following security providers:

com.rsa.jsafe.provider.JsafeJCE
org.bouncycastle.jce.provider.BouncyCastleProvider

Adds the FIPS Mode:

fips140initialmode

If these files are missing, please run the Remedy Encryption Security installation again, and choose the correct Java path. If you are installing Encryption Security on a custom Java client (not provided by BMC), add these files manually to the JVM used by that client. BMC does not support adding these files manually even though it is possible.

Changes made to C-based products

When you install Encryption Security on C-based components, the installer will only add two files to the directory of the executable. For example, if the reconciliation engine is located in the location: "\AtriumCore\cmdb\server64\bin\arrecond.exe", then the installer will copy the files in the same location.

After the installation, check for the following files in your system:

Windows:

arencrypt91_build007.dll
arencrypt91_build007_win64.dll

Linux (non-FIPS):

Linux (FIPS):

Note

Before installing Remedy Encryption Security, please know the type of the C program - 32 bit or 64 bit. For the preceding example of the reconciliation engine, the installer will only need the 64 bit library because it is a 64 bit application. For other applications like the AR System Dispatcher, the installer will require the 32 bit library.

If these files are missing, please run the Remedy Encryption Security installation again, and choose the correct components. If you are installing Encryption Security on a custom C client (not provided by BMC), add these files manually to the same directory as the executable used by that client. BMC does not support adding these files manually even though it is possible.

Where to go from here

To modify a server's encryption settings after installation, see Configuring BMC Remedy Encryption Security Open link in the Remedy AR System documentation.

Operating system	Encryption level	Installer
Windows	Performance	setup.exe
Windows	Premium	setup.exe
UNIX	Performance	setup.bin
UNIX	Premium	setup.bin