Installing encryption on BMC Remedy applications


This topic describes how to install Performance and Premium encryption on Remedy AR System servers and clients. Use the same procedure for both Microsoft Windows and UNIX platforms.

To install encryption on third-party or user applications that use the AR System API to communicate with AR System servers, see Installing-encryption-on-non-BMC-Remedy-applications.

Warning

If you update the Oracle Java runtime environment (JRE) or Java development kit (JDK) on a computer after installing Performance Security or Premium Security, you must reinstall encryption after upgrading Java. See Enabling or disabling Remedy Encryption Security on AR System server in Remedy AR System documentation.

Ensure that all the Remedy components where you install a Remedy Encryption Security product are of the same version as the Remedy AR System server. An older version of an encrypted component might not be able to connect to the latest version of the encrypted AR System server.

Before you begin

Best practice
Install Remedy Encryption Security on all your Remedy clients (Mid-Tier, SmartIT, DWP, RSSO, Developer Studio, etc.) before installing Remedy Encryption Security on the AR System server.

Verify the following items:

  • All servers and clients on which you plan to install a Remedy Encryption Security product are using the latest version of Remedy AR System.
  • The Remedy Encryption Security products are compatible with your system. See FIPS 140-2 certification in Activating FIPS encryption and connecting to LDAP.

  • The appropriate AR Encryption license is added to each server on which you plan to install encryption. (For information about adding licenses to servers, see Working with BMC Remedy AR System licenses in Remedy AR System documentation.)

To install encryption on Remedy AR System servers and clients

  1. Unzip the installer into a common location on the server. 
  2. Navigate to the <Download_directory>\Premium Security 20.02.00\Disk1 directory, then run the setup.exe file on Windows or setup.bin file on Linux. 
  3. The installer starts. On the Welcome page, click Next. 
  4. Read and agree to the license agreement, then click Next. 
  5. On the AR System Component page, the installer will detect the components already installed on your system and display them in a table. 
    The installer currently supports the following components: 

    • AR System Server 
    • MidTier 
    • Email Engine 
    • Flashboards 
    • Developer Studio 
    • Data Import Tool 
    • Atrium Core 
    • Smart IT 
    • Migrator 
    • Smart Reporting 
  6. If a product you have installed isn’t detected, you can add it to the list by clicking the Add to List button. A new row is added, where you can select the component from a drop-down list. To specify the installation path, click Browse and select the path. 

    It is extremely uncommon for customers to need to select their component or path. If a component that you have installed is missing from the list, verify that the component was installed successfully.

  7. If you do not want to install encryption on a component, you can remove it from the list. Select the item from the table and click Remove.  
  8. Once the table has been populated, click Next.  
  9. The Validation Results page is a warning that the AR System Server will be restarted. Make time for an outage on this server while doing the installation. Click Next.
    This page will only appear if you’re installing on an AR System Server.    
  10. In the Java Platform Selection Panel, click Add to add the location of your Java installation.  
    This page will only appear if at least one of the components you selected is a Java-based component. 
    Navigate to the installation path of your Java Installation and click “Open”. You should then see the Java instance included in the list.  Once you’re ready to continue, click Next.

    Best practice
    We recommend that you have only one instance of Java installed on your system. Remove any additional Java installations before continuing. 


  11. On the Security Mode information page, you can select the type of encryption you need. After selecting, click Next.
    This page will only appear if you’re installing on an AR System Server. Whatever selection you make here will be applied after the installation is complete. If you only want to install encryption but do not want to enable it, do not select these policies.
  12. The Installation Preview page will give you an overview of the installation. Click Install to start the installation. 
    Once the installation is complete, either view the log or click Done to exit the installer.  

If you want to enable, disable, or change any of the encryption configurations, see Enabling or disabling Remedy Encryption Security on AR System server.

Important

Restart all the clients to connect them to an encrypted AR System Server. 

Some Remedy applications (Digital Workplace, Digital Workplace Catalog, and Remedy Single Sign On) are not available using this installer. To install encryption on them, see Installing-encryption-on-non-BMC-Remedy-applications. They’re all considered Java-based applications. 

Post installation validation checks for Remedy Encryption Security

Remedy Encryption Security contains two basic encryption methods - encryption for Java-based products and encryption for C-based products.

Check the files in your system after installing Remedy Encryption Security.

The files added to your system by Java-based products (AR System Server, Java Plugin Servers, Mid-Tier, and other Tomcat-based processes) and C-based processes (Reconciliation Engine, AR System Dispatcher, AR System C Plugin Server) are described as follows:

Java-based encryption

When you install encryption on Java-based components, the installer modifies your Java installation. The installer changes some security settings for the Java Virtual Machine (JVM) and adds new JAR files as extensions for the JVM that runs from that instance. If you face issues with this, make sure that you have only one instance of Java installed on a single machine. Multiple instances of Java on the same system cause conflicts and are not advised.

After the installation, check for the following files in your system:

Changes made to Java-based products

Files added to Java 11+:

  • %JAVA_HOME%\lib\bmcext\cryptojce.jar
  • %JAVA_HOME%\lib\bmcext\cryptojcommon.jar
  • %JAVA_HOME%\lib\bmcext\jcmFIPS.jar
  • %JAVA_HOME%\conf\security\local_policy.jar
  • %JAVA_HOME%\conf\security\US_export_policy.jar

Files modified in Java 11+:

  1. %JAVA_HOME%\conf\security\java.security

Adds the following security providers:

  • com.rsa.jsafe.provider.JsafeJCE

Adds the FIPS Mode:

  • fips140initialmode

Files added to Java 8:

  • %JAVA_HOME%\lib\ext\cryptojce.jar
  • %JAVA_HOME%\lib\ext\cryptojcommon.jar
  • %JAVA_HOME%\lib\ext\jcmFIPS.jar
  • %JAVA_HOME%\lib\ext\bcprov-jdk15on-1.60.jar
  • %JAVA_HOME%\lib\security\local_policy.jar
  • %JAVA_HOME%\lib\security\US_export_policy.jar

Files modified in Java 8:

  1. %JAVA_HOME%\lib\security\java.security

Adds the following security providers:

  • com.rsa.jsafe.provider.JsafeJCE
  • org.bouncycastle.jce.provider.BouncyCastleProvider

Adds the FIPS Mode:

  • fips140initialmode

If these files are missing, please run the Remedy Encryption Security installation again, and choose the correct Java path. If you are installing Encryption Security on a custom Java client (not provided by BMC), add these files manually to the JVM used by that client. BMC does not support adding these files manually even though it is possible. 
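The Java-side checks listed above, automated as an added example (not BMC code). It reads JAVA_HOME, assumes that a conf/security directory identifies the Java 11+ layout, and reports every listed file, provider entry or fips140initialmode setting that is missing; the function name and layout table are illustrative.

```python
import os
import re
from pathlib import Path

# Expected artifacts per Java layout, copied from the lists on this page
# (paths are relative to JAVA_HOME).
LAYOUTS = {
    "java11+": {
        "security": "conf/security/java.security",
        "files": ["lib/bmcext/cryptojce.jar", "lib/bmcext/cryptojcommon.jar",
                  "lib/bmcext/jcmFIPS.jar", "conf/security/local_policy.jar",
                  "conf/security/US_export_policy.jar"],
        "providers": ["com.rsa.jsafe.provider.JsafeJCE"],
    },
    "java8": {
        "security": "lib/security/java.security",
        "files": ["lib/ext/cryptojce.jar", "lib/ext/cryptojcommon.jar",
                  "lib/ext/jcmFIPS.jar", "lib/ext/bcprov-jdk15on-1.60.jar",
                  "lib/security/local_policy.jar",
                  "lib/security/US_export_policy.jar"],
        "providers": ["com.rsa.jsafe.provider.JsafeJCE",
                      "org.bouncycastle.jce.provider.BouncyCastleProvider"],
    },
}

def check_java_home(java_home):
    """Return (layout name, problems); an empty list means every check passed."""
    home = Path(java_home)
    # Assumption: a conf/security directory identifies the Java 11+ layout.
    name = "java11+" if (home / "conf" / "security").is_dir() else "java8"
    layout = LAYOUTS[name]
    problems = [f"missing file: {rel}" for rel in layout["files"]
                if not (home / rel).is_file()]
    sec = home / layout["security"]
    if not sec.is_file():
        return name, problems + [f"missing file: {layout['security']}"]
    # Only active property lines count; commented-out entries are ignored.
    active = [ln.strip() for ln in sec.read_text(errors="replace").splitlines()
              if ln.strip() and not ln.strip().startswith(("#", "!"))]
    registered = {m.group(1) for ln in active
                  if (m := re.match(r"security\.provider\.\d+\s*[=:]\s*(\S+)", ln))}
    problems += [f"provider not registered: {p}" for p in layout["providers"]
                 if p not in registered]
    if not any("fips140initialmode" in ln for ln in active):
        problems.append("fips140initialmode not set")
    return name, problems

if __name__ == "__main__":
    layout_name, issues = check_java_home(os.environ.get("JAVA_HOME", "."))
    print(layout_name, issues or "OK")
```

Run it against the same Java installation that you selected in the Java Platform Selection Panel; a provider line that exists only as a comment is reported as not registered.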

Changes made to C-based products

When you install Encryption Security on C-based components, the installer only adds two files to the directory of the executable. For example, if the reconciliation engine is located at "\AtriumCore\cmdb\server64\bin\arrecond.exe", the installer copies the files to that same directory.

After the installation, check for the following files in your system:

Windows:

  • arencrypt91_build007.dll
  • arencrypt91_build007_win64.dll

Linux (non-FIPS):

Linux (FIPS):

Important

Before installing Remedy Encryption Security, determine whether the C program is 32-bit or 64-bit. For the preceding example of the reconciliation engine, the installer will only need the 64-bit library because it is a 64-bit application. For other applications like the AR System Dispatcher, the installer will require the 32-bit library.

If these files are missing, please run the Remedy Encryption Security installation again, and choose the correct components. If you are installing Encryption Security on a custom C client (not provided by BMC), add these files manually to the same directory as the executable used by that client. BMC does not support adding these files manually even though it is possible.

Where to go from here

To modify a server's encryption settings after installation, see Enabling or disabling Remedy Encryption Security on AR System server in the Remedy AR System documentation.
