Configuring security options for Smart IT
This topic describes the security options that you can set for Smart IT.
To limit access to Openfire chat data
The default setting in Openfire chat allows access to data from all domains. BMC recommends that you change the value to allow access only from a specific domain (or domains).
- In the openfire/conf/cross-domain-policy.xml file, change the value of the allow-access-from domain property to allow access from a specific domain (or whitelisted domains) as shown in the following figure. (The allow-access-from element allows a requesting domain to read data from the target domain.)
(Optional) Add more domains on separate lines; for example:
<allow-access-from domain="domain1.com" to ports="5222,5223,7070,7443" secure="true"/> <allow-access-from domain="domain2.com" to ports="5222,5223,7070,7443" secure="true"/>
- Restart the Openfire service.
For more information about Openfire setup, see "Installing Chat on a remote server" in Related topics.
To restrict attachment file types in Smart IT
You can prevent users from attaching certain file types to Smart IT records by setting options in the BMC Remedy AR System Server (AR System server). For example, you might want to prohibit users from attaching executable files or scripts to the Activity feed to prevent malicious code from executing when the attachment is opened. When you restrict attachment file types, an error message is displayed if users try to attach those file types in the following contexts:
- Ticket details (for example, when adding an attachment to the Description field on incidents, work orders, problem investigations, and known errors)
- Asset profiles (for example, profile images)
- People profiles (for example, profile images)
- Activity feed
- Change request documents
- Knowledge articles
By default, the Attachment Security settings are blank, which allows all attachment types.
You restrict attachments by updating Attachment Security settings in the AR System server, as explained in the following procedure.
To restrict attachment file types in Smart IT, perform the following steps:
- Log in to BMC Remedy ITSM as an administrator.
- Open the AR System Administration Console, and select System > General > Server Information.
The AR System Administration: Server Information form appears.
- On the Server Information form, click the Attachment Security tab.
- From the Attachment Criteria list, select an option to allow or disallow attachments with specific file extensions.
- In the Comma separated list of limit extensions field, enter a comma-separated list of file extensions such as exe,com.
- Click Apply.
- Clear the Smart IT cache.
To update the content security policy
Smart IT uses a content security policy (CSP) to determine which resources are allowed to load in the application UI. Use of a CSP reduces the risk of cross-site scripting (XSS) attacks. The CSP is defined as a set of properties stored in the Centralized configuration for Smart IT 2.0 and onward versions. For Smart IT 2.0 and onward version, you can use AR System Configuration Component Setting to set or modify the CSP properties. For example, the CSP defines the source domains that are valid for loading scripts and objects. Smart IT supports the connect-src, object-src, script-src, img-src, and media-src directives, which are described in the Content Security Policy (CSP) Quick Reference Guide at http://content-security-policy.com/.
Smart IT includes out-of-the-box directives that are defined in the following properties: smartItCsp_connect-src_0, smartItCsp_object-src_0, and smartItCsp_script-src_0. You must not remove or update these properties.
CSP properties ending in _0 and _n00 are reserved by BMC, such as smartItCsp_script-src_0 , smartItCsp_script-src_100 , smartItCsp_script-src_200 , and so on.
Do not remove or modify any of the following default properties, or Smart IT will not function properly:
You can add your own directives to the CSP, according to the requirements of your organization. For example, you might want to allow users to add images from external sources to knowledge articles. To do so, you must add a new property to the Centralized configuration in the following format:
|Property Name||Property Value|
Where directive-name is the name of a supported CSP directive (such as object-src), and number is a whole number identifier for your customer property, such as 1. For example:
For the property value, include a space-separated list of allowed sources, up to 255 characters total. For example:
If the list of allowed sources exceeds 255 characters, you can create additional properties for the same directive as needed. For example:
If you add a new img-src property (smartItCsp_ img-src_1), you must include 'self' as the first allowed source in the property value. If 'self' is not included in this manner, images added from internal Smart IT sources (such as profile images) do not appear in the Smart IT UI.
To configure source editing for knowledge articles
By default, the Source button is disabled when users create or update knowledge articles, so they cannot edit the source code. If you want to enable source editing (not recommended), you must open the isCKEditorSourceEditable property in the Centralized configuration form and change its value from false to true.
To allow the preview of PDF document when CSP is applied
If you are using Smart IT 2.0 and onward versions, use AR System Configuration Component Setting to set the smartItCsp_object-src_ property value to blob:
- Open Form AR System Configuration Component Setting from Mid Tier.
- Search for property with SettingName > smartItCsp_ . You will see smartItCsp_object-src_.
- Update the Setting value by adding blob.
- Save the setting.
- Restart Smart IT server or wait for 30 minutes.
To enable Strict-Transport-Security response header
To enable Strict-Transport-Security response header for Smart IT to tell browsers that it should only be accessed using HTTPS, instead of using HTTP, uncomment the following code in Smart_IT_Install_Directory/smartit/WEB-INF/web.xml and restart Smart IT:
<init-param> <param-name>Strict-Transport-Security</param-name> <param-value>max-age=16070400</param-value> </init-param>