Secure AR System data by using Remedy Encryption Security
The following illustration shows the Remedy security architecture:
How Remedy Encryption Security enables secure communication between the client and server
Remedy AR System has the ability to encrypt its traffic using industry-standard cryptography to protect data while in transit. The encryption services provided by Remedy Encryption Security are data confidentiality, integrity, and authentication.
These encryption services enable the Remedy Action Request System Server to communicate with its clients securely over a network by encrypting the RPC messages sent between them. At the beginning of every client and server connection, a key exchange protocol negotiates shared encryption keys between the client and server. These keys encrypt all communication between the client and server, ensuring that the communication is secure and that third parties cannot easily decipher the messages in transit.
Remedy encryption services do not encrypt the communication between the browser and the Remedy Mid Tier, the browser and Smart IT, or the browser and Smart Reporting. That traffic is protected with a standard SSL/TLS certificate that you configure in each Tomcat or IIS instance. To learn more, see Configuring the Mid Tier web server for SSL certificate and also refer to Knowledge article 000288208.
Remedy encryption services do not encrypt the communication between AR System Server and the database. That traffic is protected with an SSL/TLS certificate that you need to configure in each database instance. To learn more, contact your DBA and refer to the following blog posts:
For Oracle database, see Trending in Support: Encrypting Data Between AR Servers and Oracle Databases.
For MS SQL database, see Trending in Support: Enabling SSL Encryption for AR to MS SQL Database Connections with Remedy 9.1 SP2 and Later.
While Remedy encryption services do encrypt the communication between AR System Server and other services such as the Email Engine or other Plugin Servers, they do not encrypt the data sent externally from the Email Engine to the mail server, from the Plugin Server to the LDAP server, or over other external connections. That traffic is protected with an SSL/TLS certificate that you need to configure for each component. For more information, see Configuring SSL for the email engine.
Types of Remedy Encryption Security levels
Remedy AR System has several types of encryption available to it, grouped into three classes:
- Remedy Standard Encryption
- Remedy Security Performance Encryption
- Remedy Security Premium Encryption
Remedy Standard Encryption is available with all Remedy products and is built into the Remedy API, so no additional installation is required. If you choose Standard Encryption for AR System Server, you can skip the Remedy Security installation steps and go straight to enabling and disabling encryption.
Remedy Security Performance Encryption and Remedy Security Premium Encryption are components that are installed separately from AR System Server and the client tools and provide additional functionality: more secure industry standards such as AES encryption, and larger keys for stronger data encryption, such as 256-bit data keys and 4096-bit keys for the key exchange. Combining these additional capabilities allows Remedy AR System to comply with the FIPS 140-2 standard. To learn more about the FIPS standard, see Activating FIPS encryption and connecting to LDAP. If you choose to implement either of the Remedy Security products, you will need to install those products. For information on installing Remedy Encryption Security, see Installing-BMC-Remedy-Encryption-Security.
Here is a table that outlines the different types of encryption along with their cipher strengths:
| Encryption level | Data exchange algorithm | Data exchange strength | Key exchange algorithm | Key exchange strength |
| --- | --- | --- | --- | --- |
| Standard Encryption | DES-CBC | 56-bit | RSA | 672-bit |
| Performance Encryption | RC4 | 128-bit | RSA | 2048-bit |
| Performance Encryption | AES-CBC | 128-bit | RSA | 2048-bit |
| Premium Encryption | RC4 | 2048-bit | RSA | 4096-bit |
| Premium Encryption | AES-CBC | 256-bit | RSA | 4096-bit |
All encryption modes use a SHA-1 hash for message authentication.
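The following Go example is added here as an illustration of the data path described above (the per-connection key negotiated by the key exchange, the Premium-level AES-CBC cipher from the table, and the SHA-1 message authentication); it is not Remedy's own code or wire format. It assumes the shared secret is already established, splits it into separate AES-256 and HMAC-SHA1 halves, and uses encrypt-then-MAC so that a modified or truncated message is rejected before any decryption happens.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"errors"
)

// DataKey is the per-connection secret both sides hold after the key exchange (assumed
// layout: 32 bytes for AES-256-CBC plus a separate 16 bytes for the HMAC-SHA1 tag).
type DataKey [48]byte

// seal: PKCS#7 pad, AES-CBC under a random IV, then HMAC-SHA1 over IV||ciphertext (encrypt-then-MAC).
func seal(key *DataKey, msg []byte) []byte {
	block, _ := aes.NewCipher(key[:32]) // a 32-byte key cannot fail
	pad := aes.BlockSize - len(msg)%aes.BlockSize
	plain := append(append([]byte{}, msg...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, aes.BlockSize+len(plain))
	rand.Read(out[:aes.BlockSize]) // random IV; crypto/rand never returns an error
	cipher.NewCBCEncrypter(block, out[:aes.BlockSize]).CryptBlocks(out[aes.BlockSize:], plain)
	mac := hmac.New(sha1.New, key[32:])
	mac.Write(out)
	return mac.Sum(out)
}

// open verifies the tag (constant-time compare) before decrypting, so a modified
// or truncated message is rejected without exposing padding or plaintext.
func open(key *DataKey, sealed []byte) ([]byte, error) {
	if len(sealed) < 2*aes.BlockSize+sha1.Size || (len(sealed)-sha1.Size)%aes.BlockSize != 0 {
		return nil, errors.New("malformed message")
	}
	body, tag := sealed[:len(sealed)-sha1.Size], sealed[len(sealed)-sha1.Size:]
	mac := hmac.New(sha1.New, key[32:])
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errors.New("message authentication failed")
	}
	block, _ := aes.NewCipher(key[:32])
	plain := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, body[:aes.BlockSize]).CryptBlocks(plain, body[aes.BlockSize:])
	pad := int(plain[len(plain)-1])
	if pad == 0 || pad > aes.BlockSize {
		return nil, errors.New("bad padding")
	}
	return plain[:len(plain)-pad], nil
}
```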
DES algorithm: The DES algorithm is largely considered insecure today and has not qualified for current NIST standards for secure encryption since May 2005. It is provided as an easy means of encrypting traffic so that it is not transmitted "on the wire" in plain text, but it should not be considered a "secure communication" mechanism.
RC4 cipher: The RC4 cipher is well known for being less taxing on hardware to implement than other well-known standards, but it also does not qualify for current NIST standards for secure encryption. It is provided as an option that offers larger keys, which enhance the strength, without the overhead of the AES algorithm.
RC4 cipher is included in both the Performance and the Premium Encryption products.
AES algorithm: The AES algorithm is the current industry gold standard according to NIST and has been since 2001. The Remedy Security products enable the use of this algorithm, and it is the only algorithm supported by AR System Server that is FIPS 140-2 compliant. This standard may be adopted by both government and non-government organizations when security is required for public or commercial needs.
AES algorithm is included in both the Performance and the Premium Encryption products.
Remedy Encryption Security includes third-party encryption software developed by the OpenSSL Project for use in the OpenSSL toolkit (see http://www.openssl.org/).