BMC Remedy Action Request System Security.pdf

White Paper
BMC Remedy Action Request
System Security
June 2008
www.bmc.com

Contacting BMC Software
You can access the BMC Software website at http://www.bmc.com. From this website, you can obtain information
about the company, its products, corporate offices, special events, and career opportunities.
United States and Canada
Address BMC SOFTWARE INC
2101 CITYWEST BLVD
HOUSTON TX 77042-2827
USA
Outside United States and Canada
Telephone 713 918 8800 or
800 841 2031
Telephone (01) 713 918 8800 Fax (01) 713 918 8000
Fax 713 918 8000
If you have comments or suggestions about this documentation, contact Information Development by email at
doc_feedback@bmc.com.
© Copyright 2008 BMC Software, Inc.
BMC, BMC Software, and the BMC Software logo are the exclusive properties of BMC Software, Inc., are registered with the U.S. Patent
and Trademark Office, and may be registered or pending registration in other countries. All other BMC trademarks, service marks, and
logos may be registered or pending registration in the U.S. or in other countries. All other trademarks or registered trademarks are the
property of their respective owners.
IBM is a registered trademark of International Business Machines Corporation.
UNIX is a registered trademark of The Open Group.
BMC Software considers information included in this documentation to be proprietary and confidential. Your use of this information is
subject to the terms and conditions of the applicable End User License Agreement for the product and the proprietary and restricted
rights notices included in this documentation.
Restricted Rights Legend
U.S. Government Restricted Rights to Computer Software. UNPUBLISHED -- RIGHTS RESERVED UNDER THE COPYRIGHT LAWS OF
THE UNITED STATES. Use, duplication, or disclosure of any data and computer software by the U.S. Government is subject to
restrictions, as applicable, set forth in FAR Section 52.227-14, DFARS 252.227-7013, DFARS 252.227-7014, DFARS 252.227-7015, and
DFARS 252.227-7025, as amended from time to time. Contractor/Manufacturer is BMC Software, Inc., 2101 CityWest Blvd., Houston, TX
77042-2827, USA. Any contract notices should be sent to this address.

Customer Support
You can obtain technical support by using the Support page on the BMC Software website or by contacting Customer
Support by telephone or email. To expedite your inquiry, please see “Before Contacting BMC Software.”
Support Website
You can obtain technical support from BMC Software 24 hours a day, 7 days a week at
http://www.bmc.com/support_home. From this website, you can
■ Read overviews about support services and programs that BMC Software offers.
■ Find the most current information about BMC Software products.
■ Search a database for problems similar to yours and possible solutions.
■ Order or download product documentation.
■ Report a problem or ask a question.
■ Subscribe to receive email notices when new product versions are released.
■ Find worldwide BMC Software support center locations and contact information, including email addresses, fax
numbers, and telephone numbers.
Support by telephone or email
In the United States and Canada, if you need technical support and do not have access to the Web, call 800 537 1813 or
send an email message to customer_support@bmc.com. (In the Subject line, enter
SupID:, such as SupID:12345.) Outside the United States and Canada, contact
your local support center for assistance.
Before Contacting BMC Software
Have the following information available so that Customer Support can begin working on your issue immediately:
■ Product information
— Product name
— Product version (release number)
— License number and password (trial or permanent)
■ Operating system and environment information
— Machine type
— Operating system type, version, and service pack
— System hardware configuration
— Serial numbers
— Related software (database, application, and communication) including type, version, and service pack or
maintenance level
■ Sequence of events leading to the problem
■ Commands and options that you used
■ Messages received (and the time and date that you received them)
— Product error messages
— Messages from the operating system, such as file system full
— Messages from related software

White Paper
BMC Remedy Action Request System
Security
This document provides a high-level overview of security in the BMC Remedy
Action Request System (AR System), including the AR System server, clients, and
libraries, the network and other resources used by AR System, and the objects and
data in the applications.
The following topics are provided:
File system security (page 6)
Security over the network (page 7)
Database security (page 8)
Password security (page 8)
AR System server security (page 10)
BMC Remedy Action Request System Security 5

White Paper
File system security
Security considerations include the machines that the software is running on, and
the resources that the processes use. This section describes the security of
AR System processes and data in relation to the file system.
Installation and maintenance
On UNIX® platforms, the AR System server does not need to be installed with root
permissions. You can run the installer with non-root permissions as long as the
resources the installer needs are available to it. For information about installing
AR System as a non-root user, see the Installing guide.
Running processes on the file system
The server allows workflow to access and run processes on the file system. This can
be done either on the client machine (in active links), or on the server machine (in
filters and escalations).
Processes on the AR System server computer
AR System allows filters and escalations to invoke external processes on the
AR System server computer. The AR System server has access to processes and
resources on the computer based on the credentials it has been given. To prevent
workflow from accessing programs and resources to which it should not have
access, run the AR System server as a user with limited access to resources. In this
case, the AR System server can only access resources and programs that have the
access permissions of the user who runs the service.
This prevents users of an AR System application from writing workflow that
accesses programs and resources to which they should not have access.
Controlling the use of backquotes in server-side process actions
By default, the AR System server does not allow any workflow commands that run
a process on the server to use backquotes in the process name or its arguments.
This prevents any user from exploiting parameter substitution to gain access to
system information or resources. This behavior is controlled by a configuration
setting. For more information about configuration settings in AR System, see the
Configuring guide.
Processes on the client computer
The AR System allows active links to invoke external processes on the user's
computer when the active link is activated from BMC Remedy User or, in some
cases, from a browser. Since the client is running with the same access privileges
as the person logged in to the client computer, it only has access to programs and
resources to which the user has access. This ensures that an AR System client
cannot access information to which it should not have access.
6 BMC Remedy Action Request System Security

BMC Remedy Action Request System Security
Run a process from a specific directory
The server can be configured so that active link processes can execute only from a
specified directory. For more information about configuration settings in
AR System, see the Configuring guide.
Security over the network
This section describes the protection of AR System data as it is sent over the
network between the AR System server, the database, and the client programs. All
data being passed over the network can be encrypted. This applies to the database
connection, API clients, and browsers. For information about password security on
the network, see “Password security” on page 8.
Security between the AR System server and the database
The AR System is capable of using encrypted connections to the database. It relies
on the database client library capabilities for this encryption, and can work with
any encryption provided with the database client libraries.
Security between the AR System server and API clients
The AR System API is capable of three levels of encryption. The default is 512 bit
encryption, and 1024- and 2048-bit encryption levels are available as an option.
When encryption is configured, all communication between the API client and the
AR System server is encrypted, providing data security over the network.
Any security policy between the AR System server and the API clients can be
enforced. The server can be configured so that it works only with encrypted API
calls or with only unencrypted API calls. Without any enforcement, the server
allows both encrypted and unencrypted calls.
All AR System clients are API-based, so turning on encryption ensures that all
interactions with the server are encrypted. To configure encryption, see the BMC
Remedy Encryption Products 7.1.00 Release Notes and Installation Guide.
Security between the AR System server and the plug-in server
When encryption is configured on the AR System server, the connection with the
plug-in server uses the same encryption as described for the connection between
the AR System server and the API Clients.
Security between a web browser and the mid tier
Communication between a browser and the mid tier is not controlled by the
AR System server in any way. Therefore, protecting network communications
between these two components is dependent on the capabilities of the web server
and browser in use. The customer can take advantage of the strongest level of
encryption made available by his or her choice of web servers.
Security over the network 7

White Paper
The BMC Remedy Mid Tier handles this as all-or-nothing encryption. In other
words, either all the pages served by the mid tier are encrypted, or none of them
are encrypted.
BMC strongly recommends that the web server be configured with SSL
encryption. This ensures that connections from BMC Remedy User can pass user
credentials securely.
Security between BMC Remedy User and the mid tier
When a flashboard is viewed from BMC Remedy User, the client opens a
connection with the mid tier to get the content. To ensure that this communication
is secure, configure the web server to use SSL. This ensures that all data being
passed over the network is encrypted.
Database security
Tablespace
This section describes database security in relation to the AR System database.
The database administrator can create the tablespace and the user to be used by
AR System prior to installing the AR System server. In this case, the person
installing the AR System server does not need to know the SA (database
administrator) credentials, and can use the user created for the installation.
If the database administrator does not pre-create the tablespace, then the person
installing the AR System server must know the SA password. AR System uses this
account only for creating the tablespace and its user. Once this job is done the
AR System server will access the database with its own user ID only.
You can change the database account password used by the AR System server at
any time. For information about how to do so, see the Configuring guide.
User credentials table
The credentials of all registered users in the AR System server are stored in a table
called the user_cache. To prevent the direct manipulation of this information in the
database, each record in this table is protected with an encrypted checksum. This
checksum protects the user names, licenses, groups, and other information.
Changing any of this information directly in the database renders the record
corrupted. In that case, the record must be recreated using an AR System client.
Password security
This section describes password security in AR System.
8BMC Remedy Action Request System Security

BMC Remedy Action Request System Security
Password security over the network
Passwords are always encrypted when sent over the network by the AR System
API. This is the case even if you do not choose to encrypt API communications
with the AR System server.
NOTE
When BMC Remedy User displays a Flashboards object, it retrieves the content
from the BMC Remedy Mid Tier. BMC strongly recommends that you configure
the web server to use SSL to ensure that all data (including the password) are
encrypted over the network and hence secure.
Password storage
User passwords are always stored in the database as an encrypted one-way hash.
Once encrypted and stored, the password is not decrypted by the server at all.
Passwords in the configuration files are always stored in an encrypted format. The
encryption is a 56 bit DES. BMC recommends that you further protect the
configuration files by setting the appropriate file access permissions.
Enforcing a password policy
The AR System server allows password policies to be enforced. With a password
policy, you can:
Force all users or individual users to change their passwords when they log in
for the first time with BMC Remedy User or a browser.
Enforce restrictions on passwords (HIPAA standards are shipped as the default
restrictions.)
Set up password expiration with scheduled warnings.
Disable an account after the expiration period.
Enable users to change their passwords at will.
For information about configuring and enforcing password policies, see the
Configuring guide.
Database password
The account user name and password that the AR System server uses to
communicate with the database is set initially at installation time. This is stored in
the AR System configuration files as an encrypted string. If the password for this
account is changed in the database, you can reset it in the AR System server as well.
To do so, set the new password in the configuration file as a clear text string, and
restart the AR System server. The AR System server reads the clear text string and
replaces it with an encrypted string. See the Configuring guide.
Password security 9

White Paper
AR System server security
User authentication
AR System includes features and restrictions that are part of the AR System
platform that provide security to applications.
The AR System provides several ways to authenticate users.
Users can be registered in the AR System server, with both authentication
information (passwords) and authorization information (data and form access
permissions and license type).
Users can be registered in an external repository such as an LDAP server. The
AR System server can be configured to connect to the external server to
authenticate user login IDs and to retrieve their credentials (licenses, group
information, email address, etc.). This is known as AR System external
authentication (AREA). For information about configuring external
authentication, see the Configuring guide.
NOTE
License information for administrators needs to be maintained in the AR System,
but authentication of administrators can still be done externally.
A combination of the above approaches can be used to authenticate a user
externally while the authorization information is maintained in the AR System
server.
The AR System server provides a mechanism for using multiple authentication
sources, with a fall-back mechanism that chains through these sources. For
example, if the user is not found at the first LDAP authentication server, another
LDAP server can be checked, followed by an attempt to authenticate the user
against the information stored in the AR System server.
LDAP Connection Security
AR System provides a plug-in application that can be configured to talk to an
LDAP server for authentication and authorization. This plug-in can use an SSL
certificate to communicate with the LDAP server, providing a secure connection.
Session protection
The AR System server is stateless, and it carries the user name and password in
each API call, verifying them each time. This enforces the validation of the user on
each API call, rather than just at login.
Data protection
AR System implements the features described in this section to protect AR System
data.
10 BMC Remedy Action Request System Security

SQL issues
Permissions model
BMC Remedy Action Request System Security
The AR System server provides a permissions model that allows data to be
accessible only to the right people. The permissions model is based on access
groups, and users have access to information based on their group membership.
You can use group-based access control permissions to implement access control
at various information levels and object types.
This section describes some the main ways you can implement group-based access
control. For more information about using access control in AR System, see the
Concepts guide and the Form and Application Objects guide.
Form level security
Access to forms is controlled by using groups. Only users who belong to a group
with permissions to the form can access the form.
Field level security
Group membership can also control access to individual fields on a form,
providing a finer level of control. Users might have access to a form, but not to all
fields on the form. They will only see information to which they have access.
Row level security
Each record in the form can have access control as well (row-level security). In this
case, the user sees only the records that he or she has access to.
Active link security
Workflow executing on the client can be protected with group-based access control
as well. The workflow loaded and executed by the client consoles is limited by the
access privileges of the user.
The AR System allows workflow to specify SQL commands to be run on the
database. Only administrators are allowed to specify these commands in active
links, thus enforcing that only trusted users have access to this feature from the
client.
SQL injection
The AR System server encloses all dates in quotes, and it escapes all quotes. This
ensures that users cannot inject SQL commands into queries to access data that is
otherwise hidden from them. However, if a full SQL Command is in a parameter,
users might still get access to the data. BMC applications ensure they do not expose
this functionality. If you customize applications, make sure the customization
prevents this possibility.
SQL command execution
SQL command parameters are resolved each time the command is run. This
ensures that users can only search fields that they have access to at run time, not
when the workflow was first written.
AR System server security 11

White Paper
Cross-site scripting (XSS)
BMC uses IBM® AppScan to test the BMC Remedy Mid Tier against XSS and
response splitting.
The BMC Remedy Mid Tier is safe from all XSS and response splitting attacks as
reported by the current version of AppScan. Any custom modification of the BMC
Remedy Mid Tier web application should be re-validated against these security
risks.
Web services security
The AR System relies on the user name and password being embedded in the
SOAP header. To ensure this information is encrypted when passed over the
network, configure the web server to use secure connections. BMC recommends
that web servers use SSL certificates to provide secure connections.
Data access on search operations
When a user searches for data, the AR System server limits the results to the data
to which that user has access.
If the search is for fields to which the user does have access, the data from these
fields will not be part of the result set.
If the search qualification uses fields that the user does not have access to, those
fields will be ignored and the qualification will be run without them. The
AR System server uses a degrade policy for this purpose.
Limit on number of results
The server can be configured to limit the number of results that are returned on a
search. This allows the server to limit the extent of a denial of service attack.
Unrecognized API calls are rejected immediately, as are users who are not
authenticated. This prevents the server from doing a lot of processing for invalid
calls.
Active links data encryption capability
The AR System workflow has access to Encrypt and Decrypt functions that can be
used as required. For example, an active link can use the Encrypt function to
encrypt data in a regular character field, and then use the Decrypt function in a
filter to convert it to clear text again. This ensures an additional layer of security
over the network.
NOTE
If data is stored in the database in encrypted format, it is not searchable.
12 BMC Remedy Action Request System Security

BMC Remedy Action Request System Security
Server protection
The AR System server provides a number of configuration options that can be
used to control the types of connections accepted. For a comprehensive list of these
options, see the Configuring guide. A few options are presented here.
All connections from particular types of clients, such as ODBC drivers for
reporting, can be blocked out completely, or be restricted to particular time
intervals.
The server can set a minimum API version required, enforcing an upgrade
policy for all client programs.
Guest users can be disallowed from accessing AR System. If allowed, guest
users have only read access to forms and data that are not protected.
AR System server security 13

White Paper
14 BMC Remedy Action Request System Security

*92239*
*92239*
*92239*
*92239*
*92239*