This documentation supports the 1.6 version of Remedy with Smart IT.


Configuring security options for Smart IT


This topic describes the security options that you can set for Smart IT.

To limit access to Openfire chat data

If you have implemented chat, you can also configure Openfire to limit the domains that have access to Smart IT chat data.

Warning

The default setting in Openfire chat allows access to data from all domains. BMC recommends that you change the value to allow access only from a specific domain (or domains). 

To limit access to Openfire chat data, perform the following steps:

  1. In the openfire/conf/cross-domain-policy.xml file, change the value of the allow-access-from domain property to allow access from a specific domain (or whitelisted domains) as shown in the following example. (The allow-access-from element allows a requesting domain to read data from the target domain.)
  2. (Optional) Add more domains on separate lines; for example:

    <allow-access-from domain="domain1.com" to-ports="5222,5223,7070,7443" secure="true"/>
    <allow-access-from domain="domain2.com" to-ports="5222,5223,7070,7443" secure="true"/>
  3. Restart the Openfire service.
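The following script is an added example, not code from BMC or the Openfire project. It audits a cross-domain-policy.xml for the permissive default described in the warning above (a wildcard domain) and for entries that are not on your allow list or lack secure="true", then renders a restricted policy with one allow-access-from element per permitted domain. The policy text embedded in SAMPLE_POLICY is constructed for the demonstration; the allow list and port list are assumptions you replace with your own values.

```python
"""Audit and regenerate an Openfire cross-domain-policy.xml (added example, not BMC/Openfire code)."""
import xml.etree.ElementTree as ET

# Constructed sample: the first element is the permissive wildcard default, the
# second is correctly restricted, the third names a domain but is not marked secure.
SAMPLE_POLICY = """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*" to-ports="5222,5223,7070,7443"/>
  <allow-access-from domain="domain1.com" to-ports="5222,5223,7070,7443" secure="true"/>
  <allow-access-from domain="domain2.com" to-ports="5222,5223,7070,7443" secure="false"/>
</cross-domain-policy>
"""

DEFAULT_PORTS = "5222,5223,7070,7443"  # the ports used in the page's example


def audit_policy(xml_text, allowed_domains):
    """Return (domain, reason) findings for every risky allow-access-from element.

    allowed_domains is the set of domains you intend to grant access to; anything
    else, any wildcard, and any element without secure="true" is reported."""
    root = ET.fromstring(xml_text)
    findings = []
    for element in root.iter("allow-access-from"):
        domain = element.get("domain", "")
        if domain == "*" or domain.startswith("*."):
            findings.append((domain, "wildcard domain grants access to every origin"))
        elif domain not in allowed_domains:
            findings.append((domain, "domain is not on the allow list"))
        if element.get("secure", "").lower() != "true":
            findings.append((domain, 'secure="true" is not set on this element'))
    return findings


def render_policy(allowed_domains, ports=DEFAULT_PORTS):
    """Build a restricted policy: one allow-access-from element per allowed domain,
    each limited to the given ports and marked secure, as in the page's example."""
    root = ET.Element("cross-domain-policy")
    for domain in sorted(allowed_domains):
        ET.SubElement(root, "allow-access-from",
                      {"domain": domain, "to-ports": ports, "secure": "true"})
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for domain, reason in audit_policy(SAMPLE_POLICY, {"domain1.com", "domain2.com"}):
        print(f"finding: domain={domain!r}: {reason}")
    print(render_policy(["domain1.com", "domain2.com"]))
```

Run it against a copy of your own cross-domain-policy.xml by passing the file contents to audit_policy; an empty result means every element names a listed domain and carries secure="true".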

To restrict attachment file types in Smart IT (BMC Remedy 8.1.02 and later)

In BMC Remedy version 8.1.02 and later, you can prevent users from attaching certain file types to Smart IT records by setting options in the BMC Remedy AR System Server (AR System server). For example, you might want to prohibit users from attaching executable files or scripts to the Activity feed to prevent malicious code from executing when the attachment is opened. When you restrict attachment file types, an error message is displayed if users try to attach those file types in the following contexts:

  • Ticket details (for example, when adding an attachment to the Description field on incidents, work orders, problem investigations, and known errors)
  • Asset profiles (for example, profile images)
  • People profiles (for example, profile images)
  • Activity feed
  • Email
  • Broadcasts
  • Change request documents
  • Knowledge articles

You restrict attachments by updating Attachment Security settings in the AR System server, as explained in the following procedure. For more information about these settings, see "Setting security restrictions on file uploads" in Related topics.

Notes

  • Attachments can only be restricted when Smart IT is running on BMC Remedy 8.1.02 and later versions. In earlier versions, all attachment types are allowed.
  • By default, the Attachment Security settings are blank, which allows all attachment types.

To restrict attachment file types in Smart IT, perform the following steps:

  1. Log in to BMC Remedy ITSM as an administrator.
  2. Open the AR System Administration Console, and select System > General > Server Information.
    The AR System Administration: Server Information form appears.
  3. On the Server Information form, click the Attachment Security tab. 
  4. From the Attachment Criteria list, select an option to allow or disallow attachments with specific file extensions.
  5. In the Comma separated list of limit extensions field, enter a comma-separated list of file extensions such as exe,com.
  6. Click Apply.
  7. Clear the Smart IT cache.
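To make the two Attachment Criteria modes concrete, here is an added example (not BMC code and not the AR System server's implementation) that models an allow list or a deny list driven by a comma-separated extension value such as exe,com. It shows the edge cases worth testing before relying on the setting: mixed case, stray spaces or leading dots in the list, files with no extension, and files with several extensions. That matching is case-insensitive and uses only the final extension is an assumption made here, not a statement about how the AR System server evaluates the list; the file names are constructed.

```python
"""Model of an allow/disallow attachment-extension rule (added example, not AR System code)."""
import os


def parse_extension_list(csv_extensions):
    """Normalise a 'Comma separated list of limit extensions' value such as
    'exe, COM,.bat' into {'exe', 'com', 'bat'}: entries are trimmed,
    lowercased and stripped of a leading dot so that user input variations
    do not silently weaken the rule."""
    result = set()
    for item in csv_extensions.split(","):
        item = item.strip().lstrip(".").lower()
        if item:
            result.add(item)
    return result


def file_extension(filename):
    """Return the final extension of a file name in lower case, or '' if it has none."""
    base = os.path.basename(filename)
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[1].lower()


def attachment_allowed(filename, criteria, csv_extensions):
    """Decide whether filename may be attached.

    criteria is 'allow' (only the listed extensions pass) or 'disallow'
    (the listed extensions are rejected, everything else passes).
    A blank extension list permits every file, mirroring the page's note
    that blank Attachment Security settings allow all attachment types."""
    listed = parse_extension_list(csv_extensions)
    if not listed:
        return True
    ext = file_extension(filename)
    if criteria == "allow":
        return ext in listed
    if criteria == "disallow":
        return ext not in listed
    raise ValueError(f"unknown Attachment Criteria: {criteria!r}")


if __name__ == "__main__":
    for name in ("report.pdf", "setup.EXE", "archive.tar.gz", "README"):
        print(name, "disallow exe,com ->", attachment_allowed(name, "disallow", "exe,com"))
        print(name, "allow pdf,png   ->", attachment_allowed(name, "allow", "pdf, png"))
```

The archive.tar.gz case illustrates why a deny list of extensions is the weaker of the two options: only the last extension is compared, so an allow list of the few types your users genuinely need is the safer configuration where your process permits it.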

To update the content security policy

Smart IT uses a content security policy (CSP) to determine which resources are allowed to load in the application UI. Use of a CSP reduces the risk of cross-site scripting (XSS) attacks. The CSP is defined as a set of properties stored in the SHARE:Application_Properties form. For example, the CSP defines the source domains that are valid for loading scripts and objects. Smart IT supports the connect-src, object-src, script-src, img-src, and media-src directives, which are described in the Content Security Policy (CSP) Quick Reference Guide at http://content-security-policy.com/.

Smart IT includes out-of-the-box directives that are defined in the following properties: smartItCsp_connect-src_0, smartItCsp_object-src_0, and smartItCsp_script-src_0. You must not remove or update these properties.

Warning

Do not remove or modify any of the following default properties, or Smart IT will not function properly:

smartItCsp_connect-src_0

smartItCsp_object-src_0

smartItCsp_script-src_0

Note

CSP properties ending in _0 and _n00 are reserved by BMC, such as smartItCsp_script-src_0, smartItCsp_script-src_100, smartItCsp_script-src_200, and so on.

You can add your own directives to the CSP, according to the requirements of your organization. For example, you might want to allow users to add images from external sources to knowledge articles. To do so, you must add a new property to the SHARE:Application_Properties form in the following format:

Property Name: smartItCsp_directive-name_number
Property Value: http://company.domain.com http://company.domain2.net

Where directive-name is the name of a supported CSP directive (such as object-src), and number is a whole number identifier for your customer property, such as 1. For example:

smartItCsp_object-src_1

For the property value, include a space-separated list of allowed sources, up to 255 characters total. For example:

http://company.domain.com http://company.domain2.net http://company.domain3.org

If the list of allowed sources exceeds 255 characters, you can create additional properties for the same directive as needed. For example:

smartItCsp_object-src_1

smartItCsp_object-src_2

smartItCsp_object-src_3

Warning

If you add a new img-src property (smartItCsp_img-src_1), you must include 'self' as the first allowed source in the property value. If 'self' is not included in this manner, images added from internal Smart IT sources (such as profile images) do not appear in the Smart IT UI.

Example: 'self' http://company.domain.com http://company.domain2.net


Note

If you are installing or upgrading to Smart IT 1.6, ensure that your users are running the minimum supported browsers and mobile OS versions required for the content security policy (CSP) functionality. See the Remedy with Smart IT 1.6 Compatibility (PDF).

To update the content security policy, perform the following steps:

  1. Log in to BMC Remedy Mid Tier as an administrator.
  2. Open the SHARE:Application_Properties form.
  3. Search for properties prefixed with smartItCsp_.
  4. Copy the Application ID value from an existing smartItCsp_ property to a text editor.
  5. Click New Request.
  6. On the SHARE:Application_Properties form, enter values as shown:

    Application ID: The value you copied from an existing smartItCsp_ property in step 4.
    Property Name: The name of the new CSP property, such as smartItCsp_img-src_1.
    Property Value: A space-separated list of allowed sources, up to 255 characters, such as http://company.domain.com http://company.domain2.net.

    Examples:

    CSP directive   Property name             Property value
    media-src       smartItCsp_media-src_1    bmctube.bmc.com
    img-src         smartItCsp_img-src_1      'self' http://company.domain.com

    Warning: For the img-src directive, you must include 'self' as the first allowed source in the list, or images added from internal Smart IT sources (such as profile images) will not appear in the Smart IT UI.

  7. Save the new property record.
  8. Clear the Smart IT cache.
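The rules spread across the explanation and the procedure above (the smartItCsp_directive-name_number naming format, the supported directives, the 255-character limit per value, the BMC-reserved _0 and _n00 numbers, and 'self' first for img-src) can be checked before you save a record. The script below is an added example, not BMC code: it validates a customer property against those rules and assembles all properties into a Content-Security-Policy header value with each directive's sources in property-number order. That Smart IT concatenates the properties in exactly this way is an assumption; the real values of the three out-of-the-box _0 properties are not on the page, so 'self' stands in as a placeholder in the constructed SAMPLE_ROWS.

```python
"""Validate Smart IT CSP properties and assemble the header (added example, not BMC code)."""
import re
from collections import defaultdict

SUPPORTED_DIRECTIVES = {"connect-src", "object-src", "script-src", "img-src", "media-src"}
MAX_VALUE_LENGTH = 255
NAME_RE = re.compile(r"^smartItCsp_(?P<directive>[a-z-]+)_(?P<num>\d+)$")

# Constructed rows: the three BMC-owned _0 properties (placeholder values, since the
# page does not list the real ones) plus the customer additions the page uses as examples.
SAMPLE_ROWS = [
    ("smartItCsp_connect-src_0", "'self'"),
    ("smartItCsp_object-src_0", "'self'"),
    ("smartItCsp_script-src_0", "'self'"),
    ("smartItCsp_media-src_1", "bmctube.bmc.com"),
    ("smartItCsp_img-src_1", "'self' http://company.domain.com"),
    ("smartItCsp_object-src_1", "http://company.domain.com http://company.domain2.net"),
]


def parse_name(name):
    """Split 'smartItCsp_object-src_1' into ('object-src', 1); None if the name does not fit."""
    match = NAME_RE.match(name)
    if not match:
        return None
    return match.group("directive"), int(match.group("num"))


def is_reserved(num):
    """Numbers _0 and _n00 (100, 200, ...) belong to BMC and must not be created or edited."""
    return num == 0 or num % 100 == 0


def validate_customer_property(name, value):
    """Return the rule violations for one property a customer wants to add (empty list = OK)."""
    parsed = parse_name(name)
    if parsed is None:
        return [f"{name}: name must match smartItCsp_<directive-name>_<number>"]
    directive, num = parsed
    problems = []
    if directive not in SUPPORTED_DIRECTIVES:
        problems.append(f"{name}: {directive} is not a directive Smart IT supports")
    if is_reserved(num):
        problems.append(f"{name}: numbers ending in _0 and _n00 are reserved by BMC")
    if len(value) > MAX_VALUE_LENGTH:
        problems.append(f"{name}: value is {len(value)} characters; split it over further "
                        f"smartItCsp_{directive}_<number> properties")
    # The page states this for the new img-src property; applying it to every
    # customer img-src property is a conservative choice made in this example.
    if directive == "img-src" and value.split()[:1] != ["'self'"]:
        problems.append(f"{name}: 'self' must be the first allowed source for img-src")
    return problems


def review_rows(rows):
    """Validate every customer row, leaving BMC-owned (reserved-number) rows untouched."""
    problems = []
    for name, value in rows:
        parsed = parse_name(name)
        if parsed and is_reserved(parsed[1]):
            continue
        problems.extend(validate_customer_property(name, value))
    return problems


def build_header(rows):
    """Join all rows into one Content-Security-Policy header value, each directive's
    sources ordered by property number (assumed, not documented, concatenation)."""
    by_directive = defaultdict(list)
    for name, value in rows:
        parsed = parse_name(name)
        if parsed is None:
            raise ValueError(f"unexpected property name: {name}")
        directive, num = parsed
        by_directive[directive].append((num, value.strip()))
    parts = []
    for directive in sorted(by_directive):
        sources = [value for _, value in sorted(by_directive[directive])]
        parts.append(f"{directive} {' '.join(sources)}")
    return "; ".join(parts)


if __name__ == "__main__":
    for problem in review_rows(SAMPLE_ROWS):
        print("problem:", problem)
    print(build_header(SAMPLE_ROWS))
```

Feed validate_customer_property the Property Name and Property Value you are about to enter in step 6; an empty list means the record satisfies every rule the page states, and build_header lets you eyeball the policy that results from the combined properties.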

To configure source editing for knowledge articles

By default, the Source button is disabled when users create or update knowledge articles, so they cannot edit the source code. If you want to enable source editing (not recommended), open the isCKEditorSourceEditable property in the SHARE:Application_Properties form and change its value from false to true.

To allow the preview of PDF documents when CSP is applied

To allow the preview of PDF documents when CSP is applied, set the smartItCsp_object-src_ property value to blob by using the SHARE:Application_Properties form, and then restart the Smart IT server or wait for 30 minutes.

Related topics

Setting security restrictions on file uploads

Installing Chat on a remote server

Clearing the Smart IT cache
