Title: RE: Encryption and Remedy ARS 6.3
Richard:
 
You are correct.  You are sniffing http traffic and it is ALWAYS sent in the clear.  Thus, to secure it you will need to use https (http protocol secured) and SSL.  This is what I was trying to get across. 
 
1. Traffic between the Web Browser and Mid-Tier server is not secured UNLESS you enable the use of SSL and https.
2. Traffic between the Mid-Tier server and the ARS server IS secured UNLESS you disable this feature (and I don't know how and don't want to know how) by default.
3. Traffic between the ARS server and your database is NOT secured UNLESS you install the security package provided by your database provider, unless this was built in by BMC.  At the present time, I don't think this is enabled.
 
Thus your statement about using Ethereal and 'sniffing' the wire is true for http (port 80) traffic and is the default when you install the mid-tier to a standard web server.  Once you enable your web server's https service, you should not be able to 'sniff' the wire and gather any intelligible traffic.
 
James McKenzie
 
 

From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED]] On Behalf Of McCabe, Richard A. (CMS/CTR)
Sent: Thursday, August 17, 2006 1:00 PM
To: [email protected]
Subject: Re: Encryption and Remedy ARS 6.3

James,
Download Ethereal (shareware sniffer), and with your Remedy User client bring up a form that uses flashboards. Filter the sniffer for port 80. You will be able to see your login credential if you do not have SSL enabled for your default web path.
 

Thank you,

 
Rick

From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED]] On Behalf Of McKenzie, James J C-E LCMC HQISEC/L3
Sent: Thursday, August 17, 2006 3:49 PM
To: [email protected]
Subject: Re: Encryption and Remedy ARS 6.3


Richard:
 
SSL is required if you want to encrypt information between the Mid-Tier server and a web browser client.  However, communication between the Mid-Tier server and the ARS server is encrypted by default in ARS 6.3 and ARS 7.0.


James McKenzie
 

________________________________

From: Action Request System discussion list(ARSList) [mailto:[email protected]] On Behalf Of McCabe, Richard A. (CMS/CTR)

Sent: Thursday, August 17, 2006 12:35 PM
To: [email protected]
Subject: Re: Encryption and Remedy ARS 6.3


Joe,
We found that this was related to flashboards, and was resolved by using SSL for the default web path, and mid tier.
 

Rick McCabe


________________________________

From: Action Request System discussion list(ARSList) [mailto:[email protected]] On Behalf Of Joe DeSouza
Sent: Thursday, August 17, 2006 12:21 PM
To: [email protected]
Subject: Encryption and Remedy ARS 6.3


Hello Listers,
 
To the best of my knowledge the Remedy User Tool sends authentication information as clear text over the network. Correct me if I am wrong.


So if the above is right, I do remember Remedy used to sell an encryption product. Any information on this would be appreciated.


If no encryption product is used, how does the Mid-Tier client send the authentication information? Clear Text????
 
Rgds
 
Joe D'Souza
Remedy Developer / Consultant,
BearingPoint,
Virginia.