White Paper BMC Remedy Action Request System Security


White Paper BMC Remedy Action Request System Security June

Copyright 2008 BMC Software, Inc.


This document provides a high-level overview of security in the BMC Remedy Action Request System (AR System), including the AR System server, clients, and libraries, the network and other resources used by AR System, and the objects and data in the applications.

The following topics are provided:

- File system security
- Security over the network
- Database security
- Password security
- AR System server security

File system security

Security considerations include the machines that the software is running on, and the resources that the processes use. This section describes the security of AR System processes and data in relation to the file system.

Installation and maintenance

On UNIX platforms, the AR System server does not need to be installed with root permissions. You can run the installer with non-root permissions as long as the resources the installer needs are available to it. For information about installing AR System as a non-root user, see the Installing guide.

Running processes on the file system

The server allows workflow to access and run processes on the file system. This can be done either on the client machine (in active links), or on the server machine (in filters and escalations).

Processes on the AR System server computer

AR System allows filters and escalations to invoke external processes on the AR System server computer. The AR System server has access to processes and resources on the computer based on the credentials it has been given. To prevent workflow from accessing programs and resources to which it should not have access, run the AR System server as a user with limited access to resources. In this case, the AR System server can only access resources and programs that have the access permissions of the user who runs the service. This prevents users of an AR System application from writing workflow that accesses programs and resources to which they should not have access.

Controlling the use of backquotes in server-side process actions

By default, the AR System server does not allow any workflow commands that run a process on the server to use backquotes in the process name or its arguments. This prevents any user from exploiting parameter substitution to gain access to system information or resources. This behavior is controlled by a configuration setting.
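
The backquote control described above, as an added Python illustration (not BMC code): it shows what a shell does with a backquote that arrives through a substituted field value, the reject-by-default check, and a no-shell alternative. The `$Summary$` placeholder handling is a simplified model, and the function names, template and field values are assumptions constructed for this example.

```python
import shlex
import subprocess


class BackquoteRejected(ValueError):
    """The expanded process action contains a backquote."""


def expand(template, fields):
    """Replace $Name$ placeholders with field values (simplified model)."""
    for name, value in fields.items():
        template = template.replace("$" + name + "$", value)
    return template


def check_process_action(template, fields, allow_backquotes=False):
    """Return the expanded command, refusing backquotes unless configured."""
    command = expand(template, fields)
    if not allow_backquotes and "`" in command:
        raise BackquoteRejected("backquote in process name or arguments")
    return command


def is_allowed(template, fields):
    """True when the default policy would let the action run."""
    try:
        check_process_action(template, fields)
        return True
    except BackquoteRejected:
        return False


def run_via_shell(command):
    """Hand the expanded string to /bin/sh, which substitutes `...` output."""
    done = subprocess.run(["/bin/sh", "-c", command],
                          capture_output=True, text=True, check=True)
    return done.stdout.strip()


def run_without_shell(template, fields):
    """Split the trusted template first, then substitute per argument.

    No shell parses the field value, so a backquote stays a literal character.
    """
    argv = [expand(part, fields) for part in shlex.split(template)]
    done = subprocess.run(argv, capture_output=True, text=True, check=True)
    return done.stdout.strip()


# Constructed sample data, harmless by design.
TEMPLATE = "echo ticket $Summary$"
HOSTILE = {"Summary": "`echo INJECTED`"}
BENIGN = {"Summary": "printer offline"}

if __name__ == "__main__":
    print(run_via_shell(expand(TEMPLATE, HOSTILE)))   # shell ran the inner command
    print(is_allowed(TEMPLATE, HOSTILE))              # default policy refuses it
    print(check_process_action(TEMPLATE, BENIGN))     # ordinary value passes
    print(run_without_shell(TEMPLATE, HOSTILE))       # backquotes kept literal
```
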
For more information about configuration settings in AR System, see the Configuring guide.

Processes on the client computer

The AR System allows active links to invoke external processes on the user's computer when the active link is activated from BMC Remedy User or, in some cases, from a browser. Since the client is running with the same access privileges as the person logged in to the client computer, it only has access to programs and resources to which the user has access. This ensures that an AR System client cannot access information to which it should not have access.

Run a process from a specific directory

The server can be configured so that active link processes can execute only from a specified directory. For more information about configuration settings in AR System, see the Configuring guide.

Security over the network

This section describes the protection of AR System data as it is sent over the network between the AR System server, the database, and the client programs. All data being passed over the network can be encrypted. This applies to the database connection, API clients, and browsers. For information about password security on the network, see Password security.

Security between the AR System server and the database

The AR System is capable of using encrypted connections to the database. It relies on the database client library capabilities for this encryption, and can work with any encryption provided with the database client libraries.

Security between the AR System server and API clients

The AR System API is capable of three levels of encryption. The default is 512-bit encryption, and and 2048-bit encryption levels are available as an option. When encryption is configured, all communication between the API client and the AR System server is encrypted, providing data security over the network.

Any security policy between the AR System server and the API clients can be enforced. The server can be configured so that it works only with encrypted API calls or with only unencrypted API calls. Without any enforcement, the server allows both encrypted and unencrypted calls. All AR System clients are API-based, so turning on encryption ensures that all interactions with the server are encrypted. To configure encryption, see the BMC Remedy Encryption Products Release Notes and Installation Guide.

Security between the AR System server and the plug-in server

When encryption is configured on the AR System server, the connection with the plug-in server uses the same encryption as described for the connection between the AR System server and the API clients.

Security between a web browser and the mid tier

Communication between a browser and the mid tier is not controlled by the AR System server in any way. Therefore, protecting network communications between these two components is dependent on the capabilities of the web server and browser in use. The customer can take advantage of the strongest level of encryption made available by his or her choice of web servers.

The BMC Remedy Mid Tier handles this as all-or-nothing encryption. In other words, either all the pages served by the mid tier are encrypted, or none of them are encrypted. BMC strongly recommends that the web server be configured with SSL encryption. This ensures that connections from BMC Remedy User can pass user credentials securely.

Security between BMC Remedy User and the mid tier

When a flashboard is viewed from BMC Remedy User, the client opens a connection with the mid tier to get the content. To ensure that this communication is secure, configure the web server to use SSL. This ensures that all data being passed over the network is encrypted.

Database security

This section describes database security in relation to the AR System database.

Tablespace

The database administrator can create the tablespace and the user to be used by AR System prior to installing the AR System server. In this case, the person installing the AR System server does not need to know the SA (database administrator) credentials, and can use the user created for the installation.

If the database administrator does not pre-create the tablespace, then the person installing the AR System server must know the SA password. AR System uses this account only for creating the tablespace and its user. Once this job is done, the AR System server will access the database with its own user ID only.

You can change the database account password used by the AR System server at any time. For information about how to do so, see the Configuring guide.

User credentials table

The credentials of all registered users in the AR System server are stored in a table called the user_cache. To prevent the direct manipulation of this information in the database, each record in this table is protected with an encrypted checksum. This checksum protects the user names, licenses, groups, and other information. Changing any of this information directly in the database renders the record corrupted. In that case, the record must be recreated using an AR System client.

Password security

This section describes password security in AR System.
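
Returning to the user_cache checksum described under "User credentials table": the following added Python sketch (not BMC code) shows how a keyed per-record checksum makes a direct database edit detectable. The paper does not specify the algorithm, so HMAC-SHA256 is substituted here; the column names, key and sample values are assumptions constructed for the example.

```python
import hashlib
import hmac
import sqlite3

# Constructed demo key. A real server would hold its key outside the database.
SERVER_KEY = b"constructed-demo-key"
PROTECTED_COLUMNS = ("login", "license_type", "group_list")


class CorruptRecord(Exception):
    """The stored checksum does not match the record's protected columns."""


def record_mac(row):
    """Keyed checksum over the protected columns.

    Each value is length-prefixed so that shifting characters between
    adjacent columns cannot produce the same input to the MAC.
    """
    mac = hmac.new(SERVER_KEY, digestmod=hashlib.sha256)
    for column in PROTECTED_COLUMNS:
        data = row[column].encode("utf-8")
        mac.update(len(data).to_bytes(4, "big"))
        mac.update(data)
    return mac.hexdigest()


def open_db():
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.execute("CREATE TABLE user_cache (login TEXT PRIMARY KEY, "
               "license_type TEXT, group_list TEXT, checksum TEXT)")
    return db


def register_user(db, login, license_type, group_list):
    """The supported path: the server writes the record and its checksum."""
    row = {"login": login, "license_type": license_type,
           "group_list": group_list}
    db.execute("INSERT OR REPLACE INTO user_cache VALUES (?, ?, ?, ?)",
               (login, license_type, group_list, record_mac(row)))


def load_user(db, login):
    """Return the record, or raise CorruptRecord if it was edited directly."""
    row = db.execute("SELECT * FROM user_cache WHERE login = ?",
                     (login,)).fetchone()
    if row is None:
        return None
    if not hmac.compare_digest(record_mac(row), row["checksum"]):
        raise CorruptRecord(login)
    return dict(row)


def record_is_intact(db, login):
    try:
        return load_user(db, login) is not None
    except CorruptRecord:
        return False


if __name__ == "__main__":
    db = open_db()
    register_user(db, "alice", "read", "Public")
    print(record_is_intact(db, "alice"))          # written by the server
    # Direct manipulation in the database, bypassing the server:
    db.execute("UPDATE user_cache SET license_type = 'fixed' "
               "WHERE login = 'alice'")
    print(record_is_intact(db, "alice"))          # checksum no longer matches
    register_user(db, "alice", "read", "Public")  # recreate through the server
    print(record_is_intact(db, "alice"))
```
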

Password security over the network

Passwords are always encrypted when sent over the network by the AR System API. This is the case even if you do not choose to encrypt API communications with the AR System server.

NOTE: When BMC Remedy User displays a Flashboards object, it retrieves the content from the BMC Remedy Mid Tier. BMC strongly recommends that you configure the web server to use SSL to ensure that all data (including the password) are encrypted over the network and hence secure.

Password storage

User passwords are always stored in the database as an encrypted one-way hash. Once encrypted and stored, the password is not decrypted by the server at all.

Passwords in the configuration files are always stored in an encrypted format. The encryption is 56-bit DES. BMC recommends that you further protect the configuration files by setting the appropriate file access permissions.

Enforcing a password policy

The AR System server allows password policies to be enforced. With a password policy, you can:

- Force all users or individual users to change their passwords when they log in for the first time with BMC Remedy User or a browser.
- Enforce restrictions on passwords (HIPAA standards are shipped as the default restrictions).
- Set up password expiration with scheduled warnings.
- Disable an account after the expiration period.
- Enable users to change their passwords at will.

For information about configuring and enforcing password policies, see the Configuring guide.

Database password

The account user name and password that the AR System server uses to communicate with the database is set initially at installation time. This is stored in the AR System configuration files as an encrypted string.

If the password for this account is changed in the database, you can reset it in the AR System server as well. To do so, set the new password in the configuration file as a clear text string, and restart the AR System server. The AR System server reads the clear text string and replaces it with an encrypted string. See the Configuring guide.

AR System server security

AR System includes features and restrictions that are part of the AR System platform that provide security to applications.

User authentication

The AR System provides several ways to authenticate users.

- Users can be registered in the AR System server, with both authentication information (passwords) and authorization information (data and form access permissions and license type).
- Users can be registered in an external repository such as an LDAP server. The AR System server can be configured to connect to the external server to authenticate user login IDs and to retrieve their credentials (licenses, group information, address, etc.). This is known as AR System external authentication (AREA). For information about configuring external authentication, see the Configuring guide.

  NOTE: License information for administrators needs to be maintained in the AR System, but authentication of administrators can still be done externally.
- A combination of the above approaches can be used to authenticate a user externally while the authorization information is maintained in the AR System server.

The AR System server provides a mechanism for using multiple authentication sources, with a fall-back mechanism that chains through these sources. For example, if the user is not found at the first LDAP authentication server, another LDAP server can be checked, followed by an attempt to authenticate the user against the information stored in the AR System server.

LDAP connection security

AR System provides a plug-in application that can be configured to talk to an LDAP server for authentication and authorization. This plug-in can use an SSL certificate to communicate with the LDAP server, providing a secure connection.

Session protection

The AR System server is stateless, and it carries the user name and password in each API call, verifying them each time. This enforces the validation of the user on each API call, rather than just at login.

Data protection

AR System implements the features described in this section to protect AR System data.

Permissions model

The AR System server provides a permissions model that allows data to be accessible only to the right people. The permissions model is based on access groups, and users have access to information based on their group membership.

You can use group-based access control permissions to implement access control at various information levels and object types. This section describes some of the main ways you can implement group-based access control. For more information about using access control in AR System, see the Concepts guide and the Form and Application Objects guide.

Form level security

Access to forms is controlled by using groups. Only users who belong to a group with permissions to the form can access the form.

Field level security

Group membership can also control access to individual fields on a form, providing a finer level of control. Users might have access to a form, but not to all fields on the form. They will only see information to which they have access.

Row level security

Each record in the form can have access control as well (row-level security). In this case, the user sees only the records that he or she has access to.

Active link security

Workflow executing on the client can be protected with group-based access control as well. The workflow loaded and executed by the client consoles is limited by the access privileges of the user.

SQL issues

The AR System allows workflow to specify SQL commands to be run on the database. Only administrators are allowed to specify these commands in active links, thus enforcing that only trusted users have access to this feature from the client.

SQL injection

The AR System server encloses all dates in quotes, and it escapes all quotes. This ensures that users cannot inject SQL commands into queries to access data that is otherwise hidden from them. However, if a full SQL command is in a parameter, users might still get access to the data. BMC applications ensure they do not expose this functionality. If you customize applications, make sure the customization prevents this possibility.

SQL command execution

SQL command parameters are resolved each time the command is run. This ensures that users can only search fields that they have access to at run time, not when the workflow was first written.
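
The distinction drawn under "SQL injection" above, as an added Python and SQLite illustration (not BMC code): quote enclosure and escaping neutralise a hostile value, but cannot help when the entire command text comes from a parameter, which is the case a customization has to prevent. The table, the named-command allowlist and all sample values are assumptions constructed for the example.

```python
import sqlite3


def sql_literal(value):
    """Enclose a value in single quotes and double any embedded quote."""
    return "'" + str(value).replace("'", "''") + "'"


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE ticket (id INTEGER, owner TEXT, summary TEXT);
        INSERT INTO ticket VALUES (1, 'alice', 'laptop will not boot');
        INSERT INTO ticket VALUES (2, 'bob',   'payroll export failed');
    """)
    return db


def search_own_tickets(db, user, summary_text):
    """Value context: user input only ever appears as an escaped literal."""
    sql = ("SELECT id FROM ticket WHERE owner = " + sql_literal(user) +
           " AND summary = " + sql_literal(summary_text))
    return [row[0] for row in db.execute(sql)]


def run_command_from_field(db, command_text):
    """Risky customization: the whole command is taken from a field value.

    Escaping cannot be applied here, because quoting the text would turn the
    command into a string literal. Whatever the field holds is executed.
    """
    return db.execute(command_text).fetchall()


# Hardened customization: users pick a command by name; the SQL text is fixed
# by the developer and only values are supplied, here as bound parameters.
APPROVED_COMMANDS = {
    "count_mine": "SELECT COUNT(*) FROM ticket WHERE owner = ?",
}


def run_approved_command(db, name, user):
    sql = APPROVED_COMMANDS.get(name)
    if sql is None:
        raise PermissionError("command not on the approved list: " + name)
    return db.execute(sql, (user,)).fetchall()


if __name__ == "__main__":
    db = open_db()
    # Constructed hostile value: it stays a literal and matches nothing.
    print(search_own_tickets(db, "alice", "x' OR '1'='1"))
    # Full command in a parameter: rows owned by other users come back.
    print(run_command_from_field(db, "SELECT owner, summary FROM ticket"))
    print(run_approved_command(db, "count_mine", "alice"))
```
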

Cross-site scripting (XSS)

BMC uses IBM AppScan to test the BMC Remedy Mid Tier against XSS and response splitting. The BMC Remedy Mid Tier is safe from all XSS and response splitting attacks as reported by the current version of AppScan. Any custom modification of the BMC Remedy Mid Tier web application should be re-validated against these security risks.

Web services security

The AR System relies on the user name and password being embedded in the SOAP header. To ensure this information is encrypted when passed over the network, configure the web server to use secure connections. BMC recommends that web servers use SSL certificates to provide secure connections.

Data access on search operations

When a user searches for data, the AR System server limits the results to the data to which that user has access. If the search is for fields to which the user does not have access, the data from these fields will not be part of the result set. If the search qualification uses fields that the user does not have access to, those fields will be ignored and the qualification will be run without them. The AR System server uses a degrade policy for this purpose.

Limit on number of results

The server can be configured to limit the number of results that are returned on a search. This allows the server to limit the extent of a denial of service attack.

Unrecognized API calls are rejected immediately, as are users who are not authenticated. This prevents the server from doing a lot of processing for invalid calls.

Active links data encryption capability

The AR System workflow has access to Encrypt and Decrypt functions that can be used as required. For example, an active link can use the Encrypt function to encrypt data in a regular character field, and then use the Decrypt function in a filter to convert it to clear text again. This ensures an additional layer of security over the network.

NOTE: If data is stored in the database in encrypted format, it is not searchable.

Server protection

The AR System server provides a number of configuration options that can be used to control the types of connections accepted. For a comprehensive list of these options, see the Configuring guide. A few options are presented here.

- All connections from particular types of clients, such as ODBC drivers for reporting, can be blocked out completely, or be restricted to particular time intervals.
- The server can set a minimum API version required, enforcing an upgrade policy for all client programs.
- Guest users can be disallowed from accessing AR System. If allowed, guest users have only read access to forms and data that are not protected.



More information

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: 10.1.1. Security Note

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: 10.1.1. Security Note BlackBerry Enterprise Service 10 Secure Work Space for ios and Android Version: 10.1.1 Security Note Published: 2013-06-21 SWD-20130621110651069 Contents 1 About this guide...4 2 What is BlackBerry Enterprise

More information

HYPERION SYSTEM 9 N-TIER INSTALLATION GUIDE MASTER DATA MANAGEMENT RELEASE 9.2

HYPERION SYSTEM 9 N-TIER INSTALLATION GUIDE MASTER DATA MANAGEMENT RELEASE 9.2 HYPERION SYSTEM 9 MASTER DATA MANAGEMENT RELEASE 9.2 N-TIER INSTALLATION GUIDE P/N: DM90192000 Copyright 2005-2006 Hyperion Solutions Corporation. All rights reserved. Hyperion, the Hyperion logo, and

More information

FileMaker Server 11. FileMaker Server Help

FileMaker Server 11. FileMaker Server Help FileMaker Server 11 FileMaker Server Help 2010 FileMaker, Inc. All Rights Reserved. FileMaker, Inc. 5201 Patrick Henry Drive Santa Clara, California 95054 FileMaker is a trademark of FileMaker, Inc. registered

More information

Integration for BMC Remedy Service Desk

Integration for BMC Remedy Service Desk Integration for BMC Remedy Service Desk User Guide Supporting Integration for BMC Remedy Service Desk 7.3.01 BMC Impact Manager 7.3.01 BMC Remedy Service Desk 7.3.01 BMC ProactiveNet Performance Management

More information

This document contains the following topics:

This document contains the following topics: Release Notification BMC Discovery Solution Version 8.1.00 December 18, 2009 This document describes the products and components contained in version 8.1.00 of BMC Discovery Solution. If you have any questions,

More information

BMC Track-It! Web. Web Services API Guide. Version 11.3

BMC Track-It! Web. Web Services API Guide. Version 11.3 BMC Track-It! Web Web Services API Guide Version 11.3 Legal Notices Copyright 1999, 2009 BMC Software, Inc. Copyright 1989-2014 Numara Software, Inc. BMC, BMC Software, and the BMC Software logo are the

More information

Unicenter NSM Integration for BMC Remedy. User Guide

Unicenter NSM Integration for BMC Remedy. User Guide Unicenter NSM Integration for BMC Remedy User Guide This documentation and any related computer software help programs (hereinafter referred to as the Documentation ) is for the end user s informational

More information
