Security architecture and controls

The following illustration shows the Remedy security architecture:

When planning an enterprise setup, consult the following topics for security guidelines:

• • Remedy AR System security
  • Remedy Mid tier security
  • BMC CMDB security
  • Email Engine and Assignment Engine security
  • Remedy Single Sign-On security
  • Additional Information

Remedy AR System security

Security is an important consideration for AR System. The AR System server addresses security through the following controls: 

• Access-control:
  Protects AR System data by controlling which users can open an application, form, or guide in a browser, can perform an action, and can create, view, modify, and delete a request.
  
  

• Remedy Encryption Security options include:

  • Standard security
  • Remedy Encryption Performance Security
  • Remedy Encryption Premium Security
  • Federal Information Processing Standard (FIPS) encryption options

  For information on Remedy Encryption security products, see Secure AR System data by using Remedy Encryption Security.
  
  These options are described in How Remedy Encryption Security enables secure communication between the client and server.

• Client-server security - Protects data that is passed over a network between a client and a server. The AR System client libraries contain built-in encryption capabilities that you can enable to secure the connection to the AR System server. Remedy AR System version is tested with database encryption products to ensure the connection can be encrypted.
  For more information, see https://communities.bmc.com/community/bmcdn/bmc_remedy_ar_system/blog/2017/02/25/trending-in-support-enabling-ssl-encryption-for-ar-to-ms-sql-database-connections-with-91-sp2 
  and https://communities.bmc.com/community/bmcdn/bmc_remedy_ar_system/blog/2017/06/12/trending-in-support-ssl-encryption-for-ar-to-oracle-connections-with-remedy-91-sp2-and-later.
  
  

• Network security - Protection of the server and network resources to which AR System has access—AR System can be configured to help secure the network resources used by the product. The system can be configured so it runs with limited access privileges, and has access only to certain resources on the host machine. This prevents a user from running malicious scripts or programs on the installed machine. For data and resource protection configuration options, see Configuring-clients-for-AR-System-servers and Remedy AR System configuration files.

  Information

  For more information on security of server and network resources which AR System has access, see Tightening BMC Remedy AR System security.

• Password security—AR System ensures that passwords are always encrypted. An SHA-2 256 of passwords is stored in the database, ensuring that the system (and therefore a reader of the database) cannot retrieve passwords. In addition, the AR System server allows you to use policies to enforce password changes. For password policy information, see Enforcing-a-password-policy-introduction.
  
  

• FIPS Compliance- In version 7.5.00, AR System was enhanced so that data transmitted between AR System servers and clients can comply with FIPS 140-2 encryption requirements. Remedy Encryption Performance Security now includes a FIPS encryption option. For more information, see Activating FIPS encryption and connecting to LDAP.
• AR System external authentication- You can use plug-ins and the AR System External Authentication (AREA) API to integrate Remedy AR System with external user authentication services. For more information, see AR-System-external-authentication.

Remedy Mid tier security

Remedy ITSM Suite provides a secure environment by encrypting sensitive data. You will need the AR user based authentication for logging into the Mid Tier configuration pages. Other passwords are stored in configuration files as encrypted strings. For the web server, you must add any additional security if required.

SSL, XSS and WebDAV are common encryption methods for Remedy AR System server, Remedy Mid Tier, Remedy Smart Reporting, Remedy with Smart IT and Atrium Web Services.

Enabling SSL can impact performance due to the extra overhead required to encrypt and decrypt on both ends.

Use Remedy Encryption Performance Security or Remedy Encryption Premium Security to encrypt communication between AR System components, including the Mid Tier.

When securing the mid tier, consider these tips about:

• SSL
• XSS
• WebDAV
• HTTP transport
• Content-Security-Policy (CSP) header

SSL

• The mid tier works with SSL. SSL encryption is a few layers below the web application (between the HTTP web server and the browser client sending the HTTP requests). All web server vendors provide a method to create and store certificates to enable SSL encryption over HTTP.
• Configuring the environment for SSL support is beyond the scope of any guidance BMC provides.

XSS

Cross-site scripting (XSS) is a type of computer security vulnerability (typically found in web application) that allows code injection by malicious web users into the web pages viewed by other users. Examples of such code include HTML code and client-side scripts.

Cross-site scripting is addressed in every release of the mid tier by running the code through a tool to identify potential problems to ensure no vulnerability is introduced. All user-supplied HTML special characters are encoded into character entities, thereby preventing them from being interpreted as HTML.

WebDAV

Web Distributed Authoring and Versioning (WebDAV) extensions on web servers allow users to collaboratively edit and manage files on remote web servers. If your web servers has the WebDAV extensions enabled by default, they should be disabled.

HTTP transport

To ensure that the HTTP transport method POST is used for XML/HTTP requests in the browser, you must set the arsystem.xmlhttp.get flag in the Config.properties file to false.

For more information, see:

• Remedy security certification
• Knowledgebase article, 000029712, How to Install Microsoft Certificate Server and Key Management Server if SSL on IIS
• Encryption security online documentation:
  • BMC Remedy security certification
  • Remedy Encryption Security options
  • Configuring Remedy Encryption Security
  • Troubleshooting Remedy Encryption Security products

Content-Security-Policy (CSP) header

The Content-Security-Policy (CSP) header prevents the browser from ClickJacking Attacks. This header controls;

• Whether your web-page can be loaded in < iframe >, < frame >, < object >, < embed >, or < applet > tags.
• On what domains the web page is loaded.

You can enable the Content-Security-Policy (CSP) header by using the arsystem.security_iframe_allowfromurls parameter in Centralized Configuration.
For more information, see arsystem.security_iframe_allowfromurls parameter.

You can also use the web.xml file located in the <MidTierInstallDir>/WEB-INF folder to enable the Content-Security-Policy (CSP) header. The Centralized Configuration setting overrides the settings in the  web.xml file. For information about enabling the Content-Security-Policy (CSP) header using the web.xml file, see Enabling-cross-launch-to-mid-tier.

Approval server security

The approval server provides a secure environment by encrypting sensitive data. For example, the password is always encoded and never saved in any file as readable text. You can add any additional security if required.

Use Remedy Encryption Performance Security or Remedy Encryption Premium Security to encrypt communication between AR System components, including the Approval server. Approval server uses the encrypted password for the Remedy Application Service user, which is available in the Centralized Configuration for making any backend calls to AR System.

BMC CMDB security

The CMDB Class Manager controls permission to access CMDB classes and attributes. This is done by using Role IDs associated with Role definitions from the BMC:Atrium CMDB deployable application. Two roles (-1090 and -1091) are defined to allow unlimited read or read/write access to CMDB data. Two other roles (-1098 and -1099) allow read or read/write access subject to row-level permission. The CMDB administrator should assign these roles to the appropriate groups in production and test environments.

Email Engine and Assignment Engine security

For information on Email Engine security, see Securing-incoming-and-outgoing-email.

For information on Assignment Engine security, see Configuring-the-Assignment-Engine-server-settings.

Remedy Single Sign-On security

For information on Remedy Single Sign-On security, see Security planning in the Remedy SSO online documentation.

Additional Information

For more information on security guidelines, see the blog Choose your request methods carefully shared on BMC Communities.