This documentation supports the 19.02 version of Remedy Deployment.

FIPS encryption options

U.S. Federal government agencies use software that complies with Federal Information Processing Standard (FIPS) 200. According to FIPS 200, information that needs cryptographic protection must be handled by software that complies with FIPS 140-2.

The built-in BMC Remedy Encryption Standard Security product does not include a FIPS option. If you need stronger levels of encryption, deploy and activate BMC Remedy Encryption Performance Security or BMC Remedy Encryption Premium Security.

  • BMC Remedy Encryption Performance Security—When you activate this option, AR System encrypts network traffic by using AES CBC with a 128-bit key for data encryption and a 1024-bit modulus for the RSA key exchange, and SHA-1 for message authentication.
  • BMC Remedy Encryption Premium Security—When you activate this option, AR System encrypts network traffic by using AES CBC with a 256-bit key for data encryption and a 2048-bit modulus for the RSA key exchange, and SHA-1 for message authentication.

Both options support the minimum FIPS 140-2 encryption requirements.

If required, after you install BMC Remedy Encryption Performance Security or BMC Remedy Encryption Premium Security, configure FIPS encryption.

To activate FIPS encryption

To activate FIPS encryption, see Activating FIPS compliance in the BMC Remedy AR System documentation.

Note

BMC Remedy AR System, Remedy Single Sign-On integration is FIPS compliant. For more information, see Configuring an external Tomcat instance for FIPS-140 and Configuring FIPS-140 mode in the BMC Remedy Single Sign-On documentation.

FIPS-compliant AREA and ARDBC LDAP plug-ins

When you install the AR System server, the FIPS-certified Network Security Services (NSS) 3.11.4 libraries from Mozilla are added to the following LDAP plug-ins:

  • AR System External Authentication (AREA)
  • AR System Database Connectivity (ARDBC)

To connect to the LDAP server

To comply with FIPS 140-2, the plug-ins must use Secure Sockets Layer (SSL) to connect to the LDAP server. The FIPS-certified Network Security Services (NSS) 3.11.4 libraries provide the capability to comply with FIPS 140-2. To make your LDAP environment actually compliant with FIPS 140-2, you must further configure your LDAP server. For more information, see the Federal government FIPS 200 and 140-2 guidelines and your LDAP server documentation.

FIPS 140-2 certification

BMC Remedy Encryption Performance Security and BMC Remedy Encryption Premium Security use the latest versions of the FIPS-certified libraries. The following FIPS-certified libraries provide the cryptography used by the Performance and Premium FIPS encryption options:

  • Network Security Services (NSS) 3.11.4
  • OpenSSL FIPS 1.2
  • RSA BSAFE Crypto-J 6.2.4 FIPS-140

The latest JAR files are used in these applications, which are compatible with the Federal Information Processing Standards Publication 140-2: Security Requirements for Cryptographic Modules (FIPS 140-2).

For more information about the FIPS-certified modules, see:

To configure Crypto-J

To operate Crypto-J in compliance with FIPS 140-2 requirements, edit the java.security file and set the following security properties:

  • Set com.rsa.cryptoj.fips140initialmode to one of the following values:
    • FIPS140_MODE (default)
    • FIPS140_SSL_MODE
    • FIPS140_ECC_MODE
    • FIPS140_SSL_ECC_MODE
  • Set com.rsa.cryptoj.fips140auth to the required FIPS-140 Security Level.
    The recognized values are as follows:
    • LEVEL1—Security Level 1 (default)
    • LEVEL2—Security Level 2
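
One way to check a java.security file against the two properties above, as an added example that is not BMC or RSA code. It assumes that an unset property takes the value this page marks as default and that values are matched exactly; the sample file content is constructed.

```python
import re

# Property names and values are the ones listed on the page.
# Assumptions: an unset property takes the value the page marks "(default)",
# and values are matched exactly (case-sensitive).
ALLOWED = {
    "com.rsa.cryptoj.fips140initialmode": (
        {"FIPS140_MODE", "FIPS140_SSL_MODE", "FIPS140_ECC_MODE", "FIPS140_SSL_ECC_MODE"},
        "FIPS140_MODE",
    ),
    "com.rsa.cryptoj.fips140auth": ({"LEVEL1", "LEVEL2"}, "LEVEL1"),
}

def parse_properties(text):
    """Simplified Java .properties parser: comments, '=' or ':' separators,
    backslash line continuation, last assignment wins."""
    props, pending = {}, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#!":
            continue  # blank line or comment (a commented-out setting is not set)
        if line.endswith("\\"):
            pending = line[:-1]  # join with the next physical line
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props

def audit(text):
    """Return {property: (effective_value, status)}; status is ok, default or invalid."""
    props, report = parse_properties(text), {}
    for name, (allowed, default) in ALLOWED.items():
        if name not in props:
            report[name] = (default, "default")
        else:
            status = "ok" if props[name] in allowed else "invalid"
            report[name] = (props[name], status)
    return report

# Constructed java.security excerpt (not from a real installation).
SAMPLE = """\
jdk.tls.disabledAlgorithms=SSLv3, RC4, \\
    DES, MD5withRSA
com.rsa.cryptoj.fips140initialmode=FIPS140_SSL_MODE
#com.rsa.cryptoj.fips140auth=LEVEL2
"""

if __name__ == "__main__":
    for name, (value, status) in audit(SAMPLE).items():
        print(f"{status:8} {name}={value}")
```

A status of "default" is worth reviewing when Security Level 2 is required, because a commented-out or missing line leaves the property at the default the page lists.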

Notes

  • For encryption to work properly, you must encrypt both the Remedy clients and servers, so that the client can connect to the server.
  • If encryption is applied by installing either Performance Security or Premium Security on an AR server of version 19.02, only APIs of version 19.02 or later can communicate with that AR server. APIs of versions earlier than 19.02 cannot communicate with the AR server of version 19.02.

Related topics

Installing BMC Remedy Encryption Security

Installing an application that communicates with encrypted servers

Installing encryption on BMC Remedy applications

Installing encryption on non-BMC Remedy applications
