Thanks Matthew,
 
Good information. Good to have basic encryption for free, I guess, but like you said, if you want the real good stuff you've got to buy it. I think we are more interested in the premium package and are looking at that option currently.
 
Joe.


----- Original Message ----
From: Carey Matthew Black <[EMAIL PROTECTED]>
To: [email protected]
Sent: Monday, August 21, 2006 9:39:28 AM
Subject: Re: Encryption and Remedy ARS 6.3

Joe,

(
I know this is now an old thread, but there were some details that
were left out that I think are necessary to understand this topic. So
here they are....
)

Remedy's API has not passed the password in the clear for years. The
password value has been ONLY encoded with a proprietary format. (Maybe
since v1 if memory serves?) Yes, that is not encryption strength, but
it is better than "clear text". And yes, the user name was in the clear
as well as the rest of the data to/from the ARS server.


In v5 Remedy started offering "for cost" encryption packages.

In v6 they "give you" a "lowest level" package for free. ( There are
some config settings too, but it is all server side as long as your
users are using v6 clients. Please verify if the default on your
version/patch is on or off. I believe the default is OFF so that they
do not break older clients. V7 or V8 might change that. :) The "free"
strength is 56 Bit based. Which should be strong enough to keep the
riff-raff out. But for the seriously security minded (DOD types) you
really need the uber encryption package that is still a "for cost" add
on. (and likely a performance drag to some extent. You get nothing for
free. Especially when it comes to encryption. :)

The other thing of note is that the encryption packages (all of them,
even the free one) encrypt all communications and not just password
values. (VERY unlike the days of old) So there are other advantages
to even using the 56 Bit level.

Ref:
ConfigGuide-630.pdf Page: 291 (and around that area)
    Encrypt-Security-Policy
    Encrypt-Public-Key-Expire
    Encrypt-Data-Encryption-Algorithm

HTH

--
Carey Matthew Black
Remedy Skilled Professional (RSP)
ARS = Action Request System(Remedy)

Solution = People + Process + Tools
Fast, Accurate, Cheap.... Pick two.
Never ascribe to malice, that which can be explained by incompetence.



On 8/17/06, Joe DeSouza <[EMAIL PROTECTED]> wrote:
>
>
> Hello Listers,
>
> To the best of my knowledge the Remedy User Tool sends authentication
> information as clear text over the network.. Correct me if I am wrong..
>
> So if the above is right, I do remember Remedy used to sell an encryption
> product. Any information on this would be appreciated.
>
> If no encryption product is used, how does the Mid-Tier client send the
> authentication information? Clear Text????
>
> Rgds
>
> Joe D'Souza
> Remedy Developer / Consultant,
> BearingPoint,
> Virginia.
>  __20060125_______________________This posting was
> submitted with HTML in it___

_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at http://www.wwrug.org
