Installing encryption on BMC Remedy applications

This topic describes how to install Performance and Premium encryption on Remedy AR System servers and clients. Use the same procedure for both Microsoft Windows and UNIX platforms.

To install encryption on third-party or user applications that use the AR System API to communicate with AR System servers, see Installing encryption on non-BMC Remedy applications.

Before you begin

• All servers and clients on which you plan to install a Remedy Encryption Security product are using the latest version of Remedy AR System.
• The Remedy Encryption Security products are compatible with your system. See FIPS 140-2 certification in  Activating FIPS encryption and connecting to LDAP .

• The appropriate AR Encryption license is added to each server on which you plan to install encryption. (For information about adding licenses to servers, Working with BMC Remedy AR System licenses  in Remedy AR System documentation)

To install encryption on Remedy AR System servers and clients

1. Unzip the installer into a common location on the server. 

2. Navigate to the <Download_directory>\Premium Security 20.02.00\Disk1 directory, then run the setup.exe file on Windows or setup.bin file on Linux. 

3. The installer will start, on the Welcome page click Next. 

4. Read and Agree to the license agreement, then click Next. 

5. On the AR System Component page, the installer will detect the components already installed on your system and display them in a table.  
   The installer currently supports the following components: 

   • AR System Server 

   • MidTier 

   • Email Engine 

   • Flashboards 

   • Developer Studio 

   • Data Import Tool 

   • Atrium Core 

   • Smart IT 

   • Migrator 

   • Smart Reporting 

6. If there is a product you have installed that isn’t detected, you can add it to the list by clicking the Add to List button. A new row gets added, where you can select the component from a drop down list.  When you’re ready to indicate the installation path, click Browse to select the path. 
   
   

   It is extremely uncommon for customers to need to select their own component or path.  If you see something missing that you have installed, please verify if the installation of that component is successful.

7. If you do not want to install encryption on a component, you can remove it from the list. Select the item from the table and click Remove.  

8. Once the table has been populated, click Next.  

9. The Validation Results page is a warning that AR System Server will be restarted. Make time for a outage on this server while doing the installation. Click Next.
   This page will only appear if you’re installing on AR System Server.    

10. In the Java Platform Selection Panel, click Add to add the location of your Java installation.   
    This page will only appear if at least one of the components you selected is a Java based component. 
    Navigate to the installation path of your Java Installation and click “Open”. You should then see the Java instance included in the list.  Once you’re ready to continue, click Next.
    

    Best Practice

    We recommend you to have only one instance of Java installed on your system. Please remove any excess Java installs before continuing. 
    
    

    

    
    

11. On the Security Mode information page, you can select the the type of encryption you need. After selecting, click Next.
    This page will only appear if you’re installing on AR System Server. Whatever selection you make here will be applied after the installation is complete. If you only want to install encryption but do not want to enable it, do not select these policies.
     

12. The Installation Preview page will give you a overview of the installation. Click Install to start the installation. 
    Once the installation is complete, either view the log, or click Done to exit the installer.  

If you want to enable, disable, or change any of the encryption configurations, see  Enabling or disabling Remedy Encryption Security on AR System server

Post installation validation checks for Remedy Encryption Security

Remedy Encryption Security contains two basic encryption methods - encryption for Java based products and encryption for C based products.

Check the files in your system after installing Remedy Encryption Security.

The files added in your system by Java based products (AR System Server, Java Plugin Servers, Mid-Tier and other Tomcat based processes) and C based processes (Reconciliation Engine, AR System Dispatcher, AR System C Plugin Server) are described as follows:

Java-based encryption

When you install encryption on Java-based components, the installer will modify your Java installation. The installer changes some security settings for the Java Virtual Machine (JVM) and adds new JAR files as extensions for the JVM that runs from that instance. If you face issues with this, make sure that you have only one instance of Java installed on a single machine. Multiple instances of Java on the same system cause conflicts and is not advised.

After the installation, check for the following files in your system:

Changes made to Java-based products

Files added to Java 11+:

• %JAVA_HOME%\lib\bmcext\cryptojce.jar
• %JAVA_HOME%\lib\bmcext\cryptojcommon.jar
• %JAVA_HOME%\lib\bmcext\jcmFIPS.jar
• %JAVA_HOME%\lib\bmcext\bcprov-jdk15on-1.60.jar
• %JAVA_HOME%\conf\security\local_policy.jar
• %JAVA_HOME%\conf\security\US_export_policy.jar

Files modified in Java 11+:

1. %JAVA_HOME%\conf\security\java.security

Adds the following security providers:

• com.rsa.jsafe.provider.JsafeJCE
• org.bouncycastle.jce.provider.BouncyCastleProvider

Adds the FIPS Mode:

• fips140initialmode

Files added to Java 8:

• %JAVA_HOME%\lib\ext\cryptojce.jar
• %JAVA_HOME%\lib\ext\cryptojcommon.jar
• %JAVA_HOME%\lib\ext\jcmFIPS.jar
• %JAVA_HOME%\lib\ext\bcprov-jdk15on-1.60.jar
• %JAVA_HOME%\lib\security\local_policy.jar
• %JAVA_HOME%\lib\security\US_export_policy.jar

Files modified in Java 8:

1. %JAVA_HOME%\lib\security\java.security

Adds the following security providers:

• com.rsa.jsafe.provider.JsafeJCE
• org.bouncycastle.jce.provider.BouncyCastleProvider

Adds the FIPS Mode:

• fips140initialmode

If these files are missing, please run the Remedy Encryption Security installation again, and choose the correct Java path. If you are installing Encryption Security on a custom Java client (not provided by BMC), add these files manually to the JVM used by that client. BMC does not support adding these files manually even though it is possible. 

Changes made to C-based products

When you install Encryption Security on C-based components, the installer will only add two files to the directory of the executable. For example, if the reconciliation engine is located in the location: "\AtriumCore\cmdb\server64\bin\arrecond.exe", then the installer will copy the files in the same location.

After the installation, check for the following files in your system:

Windows:

• arencrypt91_build007.dll
• arencrypt91_build007_win64.dll

Linux (non-FIPS):

• libarencrypt.so
• libarencrypt_lx64.so

Linux (FIPS):

• libcrypto_BMC_FIPS.so
• libcrypto_BMC_FIPS_lx64.so
  
  

If these files are missing, please run the Remedy Encryption Security installation again, and choose the correct components. If you are installing Encryption Security on a custom C client (not provided by BMC), add these files manually to the same directory as the executable used by that client. BMC does not support adding these files manually even though it is possible.

Where to go from here

To modify a server's encryption settings after installation, see  Enabling or disabling Remedy Encryption Security on AR System server in the Remedy AR System documentation.