Configuring security options for Smart IT

To limit access to Openfire chat data

The default setting in Openfire chat allows access to data from all domains. 

1. In the openfire/conf/cross-domain-policy.xml file, change the value of the allow-access-from domain property to allow access from a specific domain (or whitelisted domains) as shown in the following figure. (The allow-access-from element allows a requesting domain to read data from the target domain.) 
   

2. (Optional) Add more domains on separate lines; for example: 
    

   <allow-access-from domain="domain1.com" to ports="5222,5223,7070,7443" secure="true"/>
   <allow-access-from domain="domain2.com" to ports="5222,5223,7070,7443" secure="true"/> 
3. Restart the Openfire service.

For more information about Openfire setup, see "Installing Chat on a remote server" in Related topics.

To restrict attachment file types in Smart IT

You can prevent users from attaching certain file types to Smart IT records by setting options in the BMC Remedy AR System Server (AR System server). For example, you might want to prohibit users from attaching executable files or scripts to the Activity feed to prevent malicious code from executing when the attachment is opened. When you restrict attachment file types, an error message is displayed if users try to attach those file types in the following contexts:

• Ticket details (for example, when adding an attachment to the Description field on incidents, work orders, problem investigations, and known errors)
• Asset profiles (for example, profile images)
• People profiles (for example, profile images)
• Activity feed
• Email
• Broadcasts
• Change request documents
• Knowledge articles

By default, the Attachment Security settings are blank, which allows all attachment types.

You restrict attachments by updating Attachment Security settings in the AR System server, as explained in the following procedure. For more information about these settings, see Setting security restrictions on file uploads.

To restrict attachment file types in Smart IT, perform the following steps:

1. Log in to BMC Remedy ITSM as an administrator.
2. Open the AR System Administration Console, and select System > General > Server Information.
   The AR System Administration: Server Information form appears.
3. On the Server Information form, click the Attachment Security tab. 
   
4. From the Attachment Criteria list, select an option to allow or disallow attachments with specific file extensions.
5. In the Comma separated list of limit extensions field, enter a comma-separated list of file extensions such as exe,com.
6. Click Apply.
7. Clear the Smart IT cache.

To update the content security policy

Smart IT uses a content security policy (CSP) to determine which resources are allowed to load in the application UI. Use of a CSP reduces the risk of cross-site scripting (XSS) attacks. The CSP is defined as a set of properties stored in the Centralized configuration. You can use AR System Configuration Component Setting to set or modify the CSP properties. For example, the CSP defines the source domains that are valid for loading scripts and objects. Smart IT supports the connect-src, object-src, script-src, img-src, and media-src directives, which are described in the Content Security Policy (CSP) Quick Reference Guide at http://content-security-policy.com/.

Smart IT includes out-of-the-box directives that are defined in the following properties: smartItCsp_connect-src_0, smartItCsp_object-src_0, and smartItCsp_script-src_0. You must not remove or update these properties.

You can add your own directives to the CSP, according to the requirements of your organization. For example, you might want to allow users to add images from external sources to knowledge articles. To do so, you must add a new property to the Centralized configuration in the following format:

Where directive-name is the name of a supported CSP directive (such as object-src), and number is a whole number identifier for your customer property, such as 1. For example:

For the property value, include a space-separated list of allowed sources, up to 255 characters total. For example:

http://company.domain.com http://company.domain2.net http://company.domain3.org

If the list of allowed sources exceeds 255 characters, you can create additional properties for the same directive as needed. For example:

To configure source editing for knowledge articles

By default, the Source button is disabled when users create or update knowledge articles, so they cannot edit the source code. If you want to enable source editing (not recommended), you must open the isCKEditorSourceEditable property in the Centralized configuration form and change its value from false to true.

To allow the preview of PDF document when CSP is applied

Use AR System Configuration Component Setting to set the smartItCsp_object-src_  property value to blob:

1. Open Form AR System Configuration Component Setting from Mid Tier.
2. Search for property with SettingName > smartItCsp_ . You will see smartItCsp_object-src_.
3. Update the Setting value by adding blob.
4. Save the setting.
5. Restart Smart IT server or wait for 30 minutes.

To enable Strict-Transport-Security response header

To enable Strict-Transport-Security response header for Smart IT to tell browsers that it should only be accessed using HTTPS, instead of using HTTP, uncomment the following code in Smart_IT_Install_Directory/smartit/WEB-INF/web.xml and restart Smart IT: