
Activating FIPS encryption and connecting to LDAP


U.S. Federal government agencies use software that complies with Federal Information Processing Standard (FIPS) 200. Under FIPS 200, information that needs cryptographic protection must be handled by software that complies with FIPS 140-2.

The built-in BMC Remedy Encryption Standard Security product does not include a FIPS option. If you need stronger levels of encryption, deploy and activate BMC Remedy Encryption Performance Security or BMC Remedy Encryption Premium Security.

  • BMC Remedy Encryption Performance Security—When you activate this option, AR System encrypts network traffic by using AES CBC with a 128-bit key for data encryption and a 2048-bit modulus for the RSA key exchange, and SHA-1 for message authentication.
  • BMC Remedy Encryption Premium Security—When you activate this option, AR System encrypts network traffic by using AES CBC with a 256-bit key for data encryption and a 4096-bit modulus for the RSA key exchange, and SHA-1 for message authentication.

Both options support the minimum FIPS 140-2 encryption requirements.

If required, after you install BMC Remedy Encryption Performance Security or BMC Remedy Encryption Premium Security, configure FIPS encryption.

Activating FIPS encryption

If BMC Remedy Encryption Performance Security or BMC Remedy Encryption Premium Security 20.02 is installed on a server, use the FIPS Enabled option in the Encryption tab (see Encryption tab) in conjunction with the Security Policy setting to switch compliance with Federal Information Processing Standard (FIPS) 140-2 on or off:

FIPS Enabled option | Security Policy value | Is server FIPS compliant? | Description
--- | --- | --- | ---
Selected | Required | Yes | Only FIPS-compatible clients can communicate with the server. Clients communicating with the server can communicate only with other FIPS-compliant servers.
Selected | Disabled | No | Clients communicating with the server cannot communicate with FIPS-compliant servers.
Cleared | Optional, Required, or Disabled | No | Clients communicating with the server cannot communicate with FIPS-compliant servers.


Note

For Java-based clients such as BMC Remedy Developer Studio and the mid tier, the first server that a client connects to determines whether the client is restricted to interacting with FIPS-compliant or noncompliant servers. Logging out of the client does not terminate the FIPS restriction. Instead, the client must be restarted.

Transition tips

If you are in the process of converting to a FIPS-compliant environment, consider these tips:

  • Do not select the FIPS Enabled option for a server until all clients that must communicate with that server have the appropriate BMC Remedy Encryption Performance Security or BMC Remedy Encryption Premium Security 20.02 installed.
  • During the transition phase, set the Security Policy to Optional on all servers that have BMC Remedy Encryption Performance Security or BMC Remedy Encryption Premium Security 20.02 installed so that they can communicate with clients that have not yet been upgraded to 20.02.
  • Be aware that when a server's Security Policy is set to Optional and a client cannot support the encryption algorithm (such as AES) required by the server, communication between the server and client is unencrypted.

To activate FIPS compliance

  1. Ensure that one of these products is installed on the appropriate BMC Remedy AR System server and on any clients that will communicate with the server:
    • BMC Remedy Encryption Performance Security
    • BMC Remedy Encryption Premium Security

      Note

      You can also activate FIPS compliance while installing these products. See Installing BMC Remedy Encryption Security in BMC Remedy ITSM Deployment documentation.

  2. Log on to the server.
  3. Open the AR System Administration Console.
  4. Click System > General > Server Information.
  5. In the AR System Administration: Server Information form, click the Encryption tab.
  6. In the New Encryption Settings area, select the FIPS Enabled option.
  7. In the Security Policy list, select Required.
  8. In the Data Key Details area, select an AES algorithm.
    See Configuring the data key.

    Note

    DES and RC4 algorithms are not FIPS compliant.

  9. In the Public Key Details area, select an RSA algorithm.
    See Configuring the public key.
  10. Click Apply.
  11. Restart the server.
    In the AR System server configuration file, servers use one of these encryption configurations when FIPS compliance is on:

  12. Relog on to any clients that are connected to the server.
  13. In the AR System Administration: Plugin Server Configuration form, update the following settings:
    1. Set the dataEncryptionAlg value to 8 (Performance Security) or 9 (Premium Security):
      <dataEncryptionAlg>integer</dataEncryptionAlg>
    2. Ensure that the encryptionPolicy value is set to 1 (Required):
      <encryptionPolicy>integer</encryptionPolicy>
  14. Save the settings.
  15. Restart the Java plug-in server.

Note

The BMC Remedy AR System and Remedy Single Sign-On integration is FIPS compliant. For more information, see Configuring an external Tomcat instance for FIPS-140 and Configuring FIPS-140 mode in the BMC Remedy Single Sign-On documentation.

FIPS-compliant AREA and ARDBC LDAP plug-ins

When you install the AR System server, the FIPS-certified Network Security Services (NSS) 3.11.4 libraries from Mozilla are added to the following LDAP plug-ins:

  • AR System External Authentication (AREA)
  • AR System Database Connectivity (ARDBC)

To connect to the LDAP server

To comply with FIPS 140-2, the plug-ins must use Secure Sockets Layer (SSL) to connect to the LDAP server. The FIPS-certified Network Security Services (NSS) 3.11.4 libraries provide the capability to comply with FIPS 140-2. To make your LDAP environment actually compliant with FIPS 140-2, you must further configure your LDAP server. For more information, see the Federal government FIPS 200 and 140-2 guidelines and your LDAP server documentation.

FIPS 140-2 certification

BMC Remedy Encryption Performance Security and BMC Remedy Encryption Premium Security use the latest versions of the FIPS-certified libraries. The following FIPS-certified libraries provide the cryptography used by the Performance and Premium FIPS encryption options:

  • Network Security Services (NSS) 3.11.4
  • OpenSSL FIPS 1.2
  • RSA BSAFE Crypto-J 6.2.4 FIPS-140

These applications use the latest JAR files of those libraries, which are compatible with Federal Information Processing Standards Publication 140-2, Security Requirements for Cryptographic Modules (FIPS 140-2).

For more information about the FIPS-certified modules, see:

To configure Crypto-J

To operate Crypto-J in compliance with FIPS 140-2 requirements, edit the java.security file and set the following security properties:

  • Set com.rsa.cryptoj.fips140initialmode to one of the following values:
    • FIPS140_MODE (default)
    • FIPS140_SSL_MODE
    • FIPS140_ECC_MODE
    • FIPS140_SSL_ECC_MODE
  • Set com.rsa.cryptoj.fips140auth to the required FIPS-140 Security Level.
    The recognized values are as follows:
    • LEVEL1—Security Level 1 (default)
    • LEVEL2—Security Level 2
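The two configuration steps on this page that are done outside the GUI are the plug-in server settings in step 13 (dataEncryptionAlg set to 8 or 9, encryptionPolicy set to 1) and the Crypto-J properties in java.security listed above. The following script is an added example, not BMC's code: it reads both files and reports any value that does not match what the page prescribes, which is a useful post-change check before restarting the Java plug-in server. Only the element names, property names and accepted values come from the page; the root element of the plug-in server XML, the sample contents and the minimal properties parser are assumptions made for this example.

```python
"""Added example (not BMC's code): read-only audit of the FIPS settings this
page names -- the plug-in server's <dataEncryptionAlg>/<encryptionPolicy>
(step 13) and the Crypto-J properties in java.security.  Only the element
and property names and their accepted values come from the page; the XML
root element and the sample contents below are constructed for the example.
"""
import xml.etree.ElementTree as ET

FIPS_DATA_ALGS = {8: "Performance Security", 9: "Premium Security"}  # page values
POLICY_REQUIRED = 1                                                   # 1 = Required
# Crypto-J values from the page; the first entry of each is the documented default.
CRYPTOJ_MODES = ("FIPS140_MODE", "FIPS140_SSL_MODE", "FIPS140_ECC_MODE", "FIPS140_SSL_ECC_MODE")
CRYPTOJ_LEVELS = ("LEVEL1", "LEVEL2")


def _int_element(root, tag):
    """Return (value, finding): value is an int or None, finding a str or None."""
    text = root.findtext(f".//{tag}")
    if text is None:
        return None, f"{tag} is missing"
    try:
        return int(text.strip()), None      # the page shows a leading space: strip it
    except ValueError:
        return None, f"{tag} is not an integer: {text.strip()!r}"


def audit_plugin_config(xml_text):
    """Return a list of findings for the plug-in server XML (empty = matches the procedure)."""
    findings = []
    root = ET.fromstring(xml_text)
    alg, problem = _int_element(root, "dataEncryptionAlg")
    if problem:
        findings.append(problem)
    elif alg not in FIPS_DATA_ALGS:
        findings.append(f"dataEncryptionAlg={alg}; expected 8 (Performance Security) "
                        "or 9 (Premium Security)")
    policy, problem = _int_element(root, "encryptionPolicy")
    if problem:
        findings.append(problem)
    elif policy != POLICY_REQUIRED:
        # Anything but Required can leave sessions with AES-incapable clients
        # unencrypted (see the transition tips above).
        findings.append(f"encryptionPolicy={policy}; expected 1 (Required)")
    return findings


def parse_properties(text):
    """Minimal java.security/.properties reader: comments, key=value or key:value; no continuations."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, _, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def audit_cryptoj(properties_text):
    """Return findings for the Crypto-J properties; absent properties take the page's defaults."""
    props = parse_properties(properties_text)
    findings = []
    mode = props.get("com.rsa.cryptoj.fips140initialmode", CRYPTOJ_MODES[0])
    if mode not in CRYPTOJ_MODES:
        findings.append(f"com.rsa.cryptoj.fips140initialmode={mode!r}; expected one of "
                        + ", ".join(CRYPTOJ_MODES))
    level = props.get("com.rsa.cryptoj.fips140auth", CRYPTOJ_LEVELS[0])
    if level not in CRYPTOJ_LEVELS:
        findings.append(f"com.rsa.cryptoj.fips140auth={level!r}; expected LEVEL1 or LEVEL2")
    return findings


# Constructed samples: the root element name is an assumption, not from the page.
GOOD_PLUGIN_XML = ("<pluginServerConfig><dataEncryptionAlg> 9</dataEncryptionAlg>"
                   "<encryptionPolicy> 1</encryptionPolicy></pluginServerConfig>")
BAD_PLUGIN_XML = ("<pluginServerConfig><dataEncryptionAlg>3</dataEncryptionAlg>"
                  "<encryptionPolicy>0</encryptionPolicy></pluginServerConfig>")
GOOD_JAVA_SECURITY = ("# constructed java.security fragment\n"
                      "com.rsa.cryptoj.fips140initialmode=FIPS140_SSL_MODE\n"
                      "com.rsa.cryptoj.fips140auth=LEVEL2\n")
BAD_JAVA_SECURITY = ("com.rsa.cryptoj.fips140initialmode=NON_FIPS_MODE\n"
                     "com.rsa.cryptoj.fips140auth: LEVEL3\n")


if __name__ == "__main__":
    for label, result in [("good plug-in XML", audit_plugin_config(GOOD_PLUGIN_XML)),
                          ("bad plug-in XML", audit_plugin_config(BAD_PLUGIN_XML)),
                          ("good java.security", audit_cryptoj(GOOD_JAVA_SECURITY)),
                          ("bad java.security", audit_cryptoj(BAD_JAVA_SECURITY))]:
        print(label, "->", "OK" if not result else "; ".join(result))
```

To run it against real files, pass their contents to audit_plugin_config and audit_cryptoj; the defaults FIPS140_MODE and LEVEL1 are applied when a property is absent, exactly as the page describes, so an untouched java.security produces no finding while a non-FIPS mode or an unrecognised level does.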

Notes

  • For encryption to work properly, you must encrypt both the Remedy clients and servers, so that the client can connect to the server.
  • If encryption is applied by installing either Performance Security or Premium Security on a version 19.02 AR server, only APIs of version 19.02 or later can communicate with that server; APIs of versions earlier than 19.02 cannot.

FIPS Compliance for the entire Remedy system

Remedy Encryption Performance Security and Remedy Encryption Premium Security enable FIPS compliance only for AR System RPC API calls. They do not enable FIPS compliance for other components, whose encryption must be configured separately. These components include:

  • AR System Database connections
  • LDAP connections
  • External Database Connections with Atrium Integrator
  • Web browser traffic to Mid-Tier
  • Web browser traffic to Smart IT
  • REST API connections
  • SOAP UI/Web Services
  • Email Engine to Email Server connections

To learn how to configure encryption for these other connections, see the following documentation and contact the system administrator for each of these external systems:

  • HTTP(S) Tomcat
  • AREA LDAP
  • ARDBC LDAP
  • External Database (AI)
  • REST API
  • Email Engine

Remedy Single Sign-On has other instructions to configure Remedy Encryption Security. For more information, see <link>.

Related topics

Installing BMC Remedy Encryption Security

Installing an application that communicates with encrypted servers

Installing encryption on BMC Remedy applications

Installing encryption on non-BMC Remedy applications
