This documentation supports the 20.02 version of Remedy with Smart IT.

To view an earlier version, select the version from the Product version menu.

Security configuration options

Smart IT provides the following configuration options to secure data:

AreaOptionDescription
Openfire chat dataCross-domain-policy

If you have implemented chat, you can also configure Openfire to limit the domains that have access to Smart IT chat data. The default setting in Openfire chat allows access to data from all domains.

Best practice: We recommend that you change the value to allow access only from a specific domain (or domains).

For information about how to configure these security options, see Configuring security options for Smart IT.

File attachment typesAttachment Security

You can configure Remedy Action Request System server to prevent users from attaching certain file types to Smart IT records. For example, you might want to block users from attaching executable files or scripts to the Activity feed to prevent malicious code from executing when the attachment is opened. If you restrict attachment file types, an error message is displayed when users try to attach those file types in the following contexts:

  • Ticket details (for example, when adding an attachment to the Description field on incidents, work orders, problem investigations, and known errors)
  • Asset profiles (for example, profile images)
  • People profiles (for example, profile images)
  • Activity feed
  • Email
  • Broadcasts
  • Change request documents
  • Knowledge articles

By default, the Attachment Security settings are blank, which allow all attachment types. For more information about these settings, see  Setting security restrictions on file uploads Open link .

For information about how to configure these security options, see Configuring security options for Smart IT.
Content security policyCSP properties

You can configure the content security policy option in Central Configuration. Smart IT uses this content security policy (CSP) to determine which resources are allowed to load in the application UI. Use of a CSP reduces the risk of cross-site scripting (XSS) attacks. The CSP is defined as a set of properties stored in the SHARE:Application_Properties form. For example, the CSP defines the source domains that are valid for loading scripts and objects. Smart IT supports the connect-src, object-src, script-src, img-src, and media-src directives, which are described in the Content Security Policy (CSP) Quick Reference Guide at http://content-security-policy.com/.

Central Configuration includes out-of-the-box directives that are defined in the following properties: smartItCsp_connect-src_0, smartItCsp_object-src_0, and smartItCsp_script-src_0. You must not remove or update these properties.

You can add your own directives to the CSP, according to the requirements of your organization. For example, you might want to allow users to add images from external sources to knowledge articles.

For information about how to configure these security options, see Configuring security options for Smart IT.

Strict-Transport-Security response headerStrict-Transport-Security

You can enable the Strict-Transport-Security response header for Smart IT to tell browsers that it should only be accessed using HTTPS, instead of using HTTP. Otherwise, even when you configure HTTPS, browsers can connect by both HTTP and HTTPS.

Cross-Frame ScriptingX-FRAME-OPTIONS

The default setting for this parameter denies Cross-Frame Scripting (XFS) through an iFrame. The XFS is an attack that combines malicious JavaScript with an iFrame that loads a legitimate page to steal information from an unsuspecting user. This attack becomes successful when it is combined with social engineering.

On the Mid-Tier server in the web.xml file, you can set the value to SAMEORIGIN, which allows only the current site to frame the content. If you set ALLOW-FROM uri, it will allow the specified uri to frame the page. You need to restart the Mid-Tier services after modifying this value.

For information about how to configure these security options, see Configuring security options for Smart IT.

Secured connection to access Smart IT android application

usesCleartextTraffic

The default setting for this property is true. This property is available in the AndroidManifest.xml file. We recommend using TLS 1.2 connections to the Smart IT server in production.

Was this page helpful? Yes No Submitting... Thank you

Comments