Configuring security options for Smart IT
This topic describes the security options that you can set for Smart IT.
Limiting access to Openfire chat data
If you have implemented chat, you can also configure Openfire to limit the domains that have access to Smart IT chat data.
The default setting in Openfire chat allows access to data from all domains. BMC recommends that you change the value to allow access only from a specific domain (or domains).
To limit access to Openfire chat data, perform the following steps:
- In the openfire/conf/cross-domain-policy.xml file, change the value of the allow-access-from domain property to allow access from a specific domain (or whitelisted domains) as shown in the following figure. (The allow-access-from element allows a requesting domain to read data from the target domain.)
(Optional) Add more domains on separate lines; for example:
<allow-access-from domain="domain1.com" to ports="5222,5223,7070,7443" secure="true"/> <allow-access-from domain="domain2.com" to ports="5222,5223,7070,7443" secure="true"/>
- Restart the Openfire service.
For more information about Openfire setup, see "Installing Chat on a remote server" in Related topics.
Restricting attachment file types in Smart IT (BMC Remedy 8.1.02 and later)
In BMC Remedy version 8.1.02 and later, you can prevent users from attaching certain file types to Smart IT records by setting options in the BMC Remedy AR System Server (AR System server). For example, you might want to prohibit users from attaching executable files or scripts to the Activity feed to prevent malicious code from executing when the attachment is opened. When you restrict attachment file types, an error message is displayed if users try to attach those file types in the following contexts:
- Ticket details (for example, when adding an attachment to the Description field on incidents, work orders, problem investigations, and known errors)
- Asset profiles (for example, profile images)
- People profiles (for example, profile images)
- Activity feed
- Change request documents
- Knowledge articles
You restrict attachments by updating Attachment Security settings in the AR System server, as explained in the following procedure. For more information about these settings, see "Setting security restrictions on file uploads" in Related topics.
- Attachments can only be restricted when Smart IT is running on BMC Remedy 8.1.02 and later versions. In earlier versions, all attachment types are allowed.
- By default, the Attachment Security settings are blank, which allows all attachment types.
To restrict attachment file types in Smart IT, perform the following steps:
- Log in to BMC Remedy ITSM as an administrator.
- Open the AR System Administration Console, and select System > General > Server Information.
The AR System Administration: Server Information form appears.
- On the Server Information form, click the Attachment Security tab.
- From the Attachment Criteria list, select an option to allow or disallow attachments with specific file extensions.
- In the Comma separated list of limit extensions field, enter a comma-separated list of file extensions such as exe,com.
- Click Apply.
- Clear the Smart IT cache.
Updating the content security policy
Smart IT uses a content security policy (CSP) to determine which resources are allowed to load in the application UI. Use of a CSP reduces the risk of cross-site scripting (XSS) attacks. The CSP is defined as a set of properties stored in the SHARE:Application_Properties form. For example, the CSP defines the source domains that are valid for loading scripts and objects. Smart IT supports the connect-src, object-src, script-src, img-src, and media-src directives, which are described in the Content Security Policy (CSP) Quick Reference Guide at http://content-security-policy.com/.
Smart IT includes out-of-the-box directives that are defined in the following properties: smartItCsp_connect-src_0, smartItCsp_object-src_0, and smartItCsp_script-src_0. You must not remove or update these properties.
Do not remove or modify any of the following default properties, or Smart IT will not function properly:
CSP properties ending in _0 and _n00 are reserved by BMC, such as smartItCsp_script-src_0, smartItCsp_script-src_100, smartItCsp_script-src_200, and so on.
You can add your own directives to the CSP, according to the requirements of your organization. For example, you might want to allow users to add images from external sources to knowledge articles. To do so, you must add a new property to the SHARE:Application_Properties form in the following format:
|Property Name||Property Value|
Where directive-name is the name of a supported CSP directive (such as object-src), and number is a whole number identifier for your customer property, such as 1. For example:
For the property value, include a space-separated list of allowed sources, up to 255 characters total. For example:
If the list of allowed sources exceeds 255 characters, you can create additional properties for the same directive as needed. For example:
If you add a new img-src property (smartItCsp_img-src_1), you must include 'self' as the first allowed source in the property value. If 'self' is not included in this manner, images added from internal Smart IT sources (such as profile images) do not appear in the Smart IT UI.
If you are installing or upgrading to Smart IT 1.5, ensure that your users are running minimum supported browsers and mobile OS versions to support the content security policy (CSP) functionality. See the BMC Remedy with Smart IT 1.5.00 Compatibility Matrix (PDF), available in BMC Remedy ITSM Suite compatibility matrix (log in required).
To update the content security policy, perform the following steps:
- Log in to BMC Remedy Mid Tier as an administrator.
- Open the SHARE:Application_Properties form.
- Search for properties prefixed with smartItCsp_.
- Copy the Application ID value from an existing smartItCsp_ property to a text editor.
- Click New Request.
On the SHARE:Application_Properties form, enter values as shown:
Field Value Application ID The value you copied from an existing smartItCsp_ property in step 4. Property Name The name of the new CSP property, such as smartItCsp_img-src_1. For more information, see Updating the content security policy. Property Value A space-separated list of allowed sources, up to 255 characters, such as
CSP directive Property name Property value media-src smartItCsp_media-src_1 bmctube.bmc.com img-src smartItCsp_img-src_1 'self' http://company.domain.com
- Save the new property record.
- Clear the Smart IT cache.
Configuring source editing for knowledge articles
By default, the Source button is disabled when users create or update knowledge articles, so they cannot edit the source code. If you want to enable source editing (not recommended), you must open the isCKEditorSourceEditable property in the SHARE:Application_Properties form and change its value from false to true. For information about updating properties in the SHARE:Application_Properties form, see Updating the content security policy.