Installing encryption on BMC Remedy applications

This topic describes how to install Performance and Premium encryption on Remedy AR System servers and clients. Use the same procedure for both Microsoft Windows and UNIX platforms.

To install encryption on third-party or user applications that use the AR System API to communicate with AR System servers, see Installing-encryption-on-non-BMC-Remedy-applications.

Before you begin

Verify the following items:

• All servers and clients on which you plan to install a Remedy Encryption Security product are using the latest version of Remedy AR System.

• The Remedy Encryption Security products are compatible with your system. See FIPS 140-2 certification in Activating FIPS encryption and connecting to LDAP.

• The appropriate AR Encryption license is added to each server on which you plan to install encryption. (For information about adding licenses to servers, Working with BMC Remedy AR System licenses in Remedy AR System documentation)

To install encryption on Remedy AR System servers and clients

1. Unzip the installer into a common location on the server. 
2. Navigate to the <Download_directory>\Premium Security 20.02.00\Disk1 directory, then run the setup.exe file on Windows or setup.bin file on Linux. 
3. The installer will start, on the Welcome page click Next. 
4. Read and Agree to the license agreement, then click Next. 

5. On the AR System Component page, the installer will detect the components already installed on your system and display them in a table. 
   The installer currently supports the following components: 

   • AR System Server 

   • MidTier 

   • Email Engine 

   • Flashboards 

   • Developer Studio 

   • Data Import Tool 

   • Atrium Core 

   • Smart IT 

   • Migrator 

   • Smart Reporting 

6. If there is a product you have installed that isn’t detected, you can add it to the list by clicking the Add to List button. A new row gets added, where you can select the component from a drop down list.  When you’re ready to indicate the installation path, click Browse to select the path. 
   

   It is extremely uncommon for customers to need to select their component or path.  If you see something missing that you have installed, please verify if the installation of that component is successful.

7. If you do not want to install encryption on a component, you can remove it from the list. Select the item from the table and click Remove.  
8. Once the table has been populated, click Next.  
9. The Validation Results page is a warning that the AR System Server will be restarted. Make time for an outage on this server while doing the installation. Click Next.
   This page will only appear if you’re installing on an AR System Server.    

10. In the Java Platform Selection Panel, click Add to add the location of your Java installation.  
    This page will only appear if at least one of the components you selected is a Java-based component. 
    Navigate to the installation path of your Java Installation and click “Open”. You should then see the Java instance included in the list.  Once you’re ready to continue, click Next.

    Best practice
    We recommend you to have only one instance of Java installed on your system. Please remove any excess Java installs before continuing. 
    

    

    
    

11. On the Security Mode information page, you can select the type of encryption you need. After selecting, click Next.
    This page will only appear if you’re installing on an AR System Server. Whatever selection you make here will be applied after the installation is complete. If you only want to install encryption but do not want to enable it, do not select these policies.
    
12. The Installation Preview page will give you an overview of the installation. Click Install to start the installation. 
    Once the installation is complete, either view the log or click Done to exit the installer.  

If you want to enable, disable, or change any of the encryption configurations, see Enabling or disabling Remedy Encryption Security on AR System server

Post installation validation checks for Remedy Encryption Security

Remedy Encryption Security contains two basic encryption methods - encryption for Java-based products and encryption for C-based products.

Check the files in your system after installing Remedy Encryption Security.

The files added to your system by Java-based products (AR System Server, Java Plugin Servers, Mid-Tier, and other Tomcat-based processes) and C-based processes (Reconciliation Engine, AR System Dispatcher, AR System C Plugin Server) are described as follows:

Java-based encryption

When you install encryption on Java-based components, the installer will modify your Java installation. The installer changes some security settings for the Java Virtual Machine (JVM) and adds new JAR files as extensions for the JVM that runs from that instance. If you face issues with this, make sure that you have only one instance of Java installed on a single machine. Multiple instances of Java on the same system cause conflicts and is not advised.

After the installation, check for the following files in your system:

Changes made to Java-based products

Files added to Java 11+:

• %JAVA_HOME%\lib\bmcext\cryptojce.jar
• %JAVA_HOME%\lib\bmcext\cryptojcommon.jar
• %JAVA_HOME%\lib\bmcext\jcmFIPS.jar
• %JAVA_HOME%\conf\security\local_policy.jar
• %JAVA_HOME%\conf\security\US_export_policy.jar

Files modified in Java 11+:

1. %JAVA_HOME%\conf\security\java.security

Adds the following security providers:

• com.rsa.jsafe.provider.JsafeJCE

Adds the FIPS Mode:

• fips140initialmode

Files added to Java 8:

• %JAVA_HOME%\lib\ext\cryptojce.jar
• %JAVA_HOME%\lib\ext\cryptojcommon.jar
• %JAVA_HOME%\lib\ext\jcmFIPS.jar
• %JAVA_HOME%\lib\ext\bcprov-jdk15on-1.60.jar
• %JAVA_HOME%\lib\security\local_policy.jar
• %JAVA_HOME%\lib\security\US_export_policy.jar

Files modified in Java 8:

1. %JAVA_HOME%\lib\security\java.security

Adds the following security providers:

• com.rsa.jsafe.provider.JsafeJCE
• org.bouncycastle.jce.provider.BouncyCastleProvider

Adds the FIPS Mode:

• fips140initialmode

If these files are missing, please run the Remedy Encryption Security installation again, and choose the correct Java path. If you are installing Encryption Security on a custom Java client (not provided by BMC), add these files manually to the JVM used by that client. BMC does not support adding these files manually even though it is possible. 

Changes made to C-based products

When you install Encryption Security on C-based components, the installer will only add two files to the directory of the executable. For example, if the reconciliation engine is located in the location: "\AtriumCore\cmdb\server64\bin\arrecond.exe", then the installer will copy the files in the same location.

After the installation, check for the following files in your system:

Windows:

• arencrypt91_build007.dll
• arencrypt91_build007_win64.dll

Linux (non-FIPS):

• libarencrypt.so
• libarencrypt_lx64.so

Linux (FIPS):

• libcrypto_BMC_FIPS.so
• libcrypto_BMC_FIPS_lx64.so
  
  

If these files are missing, please run the Remedy Encryption Security installation again, and choose the correct components. If you are installing Encryption Security on a custom C client (not provided by BMC), add these files manually to the same directory as the executable used by that client. BMC does not support adding these files manually even though it is possible.

Where to go from here

To modify a server's encryption settings after installation, see Enabling or disabling Remedy Encryption Security on AR System serverin the Remedy AR System documentation.