Joe,

(I know this is now an old thread, but there were some details that were left out that I think are necessary to understand this topic. So here they are....)

Remedy's API has not passed the password in the clear for years. The password value has been ONLY encoded with a proprietary format. (Maybe since v1 if memory serves?) Yes that is not encryption strength, but it is better than "clear text". And yes the user name was in the clear as well as the rest of the data to/from the ARS server.

In v5 Remedy started offering "for cost" encryption packages. In v6 they "give you" a "lowest level" package for free. (There are some config settings too, but it is all server side as long as your users are using v6 clients. Please verify if the default on your version/patch is on or off. I believe the default is OFF so that they do not break older clients. V7 or V8 might change that. :)

The "free" strength is 56 Bit based. Which should be strong enough to keep the riff-raff out. But for the seriously security minded (DOD types) you really need the uber encryption package that is still a "for cost" add on. (And likely a performance drag to some extent. You get nothing for free. Especially when it comes to encryption. :)

The other thing of note is that the encryption packages (all of them, even the free one) encrypt all communications and not just password values. (VERY unlike the days of old.) So there are other advantages to even using the 56 Bit level.

Ref: ConfigGuide-630.pdf Page: 291 (and around that area)
Encrypt-Security-Policy
Encrypt-Public-Key-Expire
Encrypt-Data-Encryption-Algorithm

HTH

--
Carey Matthew Black
Remedy Skilled Professional (RSP)
ARS = Action Request System(Remedy)

Solution = People + Process + Tools
Fast, Accurate, Cheap.... Pick two.
Never ascribe to malice, that which can be explained by incompetence.

On 8/17/06, Joe DeSouza <[EMAIL PROTECTED]> wrote:
Hello Listers,

To the best of my knowledge the Remedy User Tool sends authentication information as clear text over the network.. Correct me if I am wrong..

So if the above is right, I do remember Remedy used to sell an encryption product. Any information on this would be appreciated.

If no encryption product is used, how does the Mid-Tier client send the authentication information? Clear Text????

Rgds

Joe D'Souza
Remedy Developer / Consultant,
BearingPoint,
Virginia.

