I would not be surprised. There are a number of places where the username/password are handed off:
- when the user fills in login.jsp, the username/password is sent to the mid-tier server from the browser
- when the mid-tier receives the username/password, it is sent to the arserver
- when the arserver receives the username/password, it is sent to the ldap server (if using the area/ldap plugin)

SSL only addresses the last hand-off. If you want to cover the first hand-off, use https instead of http. If you want to cover the second hand-off, force client based encryption. This still uses a simple algorithm to encrypt the password (DES). For stronger encryption, you can either (1) purchase the remedy encryption products, or (2) create a tunnel of your own.

The encryption algorithm used for the free encryption is: 512-bit RSA algorithm with cipher block chaining for the public/private key pair. For the session key, it uses a DES (Data Encryption Standard) 56-bit algorithm.

Axton Grams

On 6/4/07, Christian Rom <[EMAIL PROTECTED]> wrote:
One of our corporate LDAP and security gurus just told me that Remedy 7 mid-tier may be sending passwords in cleartext or at least with a simple cipher algorithm. Does anyone know if this is correct? I have the AREALDAP and ARDBC plug-ins configured for SSL, so I would expect all traffic to be encrypted.

Rgds,
Christian H. Rom
Schlumberger - Service Desk Engineering
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
ARSlist: "Where the Answers Are"
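An added check, not part of the thread above and not a Remedy/BMC tool: a small POSIX shell script that probes the hand-offs that can be wrapped in TLS (the browser-to-mid-tier hop over https, and the arserver-to-LDAP hop over ldaps) with `openssl s_client`, extracts the negotiated protocol and cipher, and flags ciphers a reviewer would reject (DES/3DES, RC4, export and NULL suites, or no TLS at all). The hostnames and ports are placeholders I made up; the mid-tier-to-arserver hop uses the AR protocol rather than TLS, so it only becomes probeable here if you front it with a tunnel of your own (for example stunnel on an assumed local port), as the reply suggests.

```shell
#!/bin/sh
# Added example (not from the original post): probe each password hand-off for TLS.
# Hosts and ports below are assumptions for illustration, not values from the thread.

# Read `openssl s_client` output on stdin and print "PROTOCOL CIPHER",
# or "NONE" when no TLS session was negotiated (openssl reports cipher 0000).
parse_tls_summary() {
    awk '
        /^ *Protocol *:/ { proto = $3 }
        /^ *Cipher *:/   { cipher = $3 }
        END {
            if (cipher == "" || cipher == "0000") print "NONE"
            else print proto, cipher
        }
    '
}

# Return 0 (true) for suites a reviewer would reject on a password-carrying hop.
# *DES* also catches DES-CBC3 (3DES), which is deliberate: 64-bit blocks.
is_weak_cipher() {
    case "$1" in
        NONE|*DES*|*RC4*|*EXP*|*NULL*|*ADH*|*AECDH*) return 0 ;;
        *) return 1 ;;
    esac
}

# Connect to one hop and print a one-line verdict.
probe_hop() {
    name=$1; host=$2; port=$3
    summary=$(printf 'Q\n' | openssl s_client -connect "$host:$port" 2>/dev/null \
              | parse_tls_summary)
    cipher=${summary##* }
    if is_weak_cipher "$cipher"; then verdict="WEAK"; else verdict="ok"; fi
    printf '%-26s %s:%s -> %s [%s]\n' "$name" "$host" "$port" "$summary" "$verdict"
}

main() {
    # Hop 1: browser -> mid-tier (should be https, assumed host/port)
    probe_hop "browser->mid-tier"   midtier.example.com 443
    # Hop 2: mid-tier -> arserver, only if wrapped in a local stunnel (assumed port)
    probe_hop "mid-tier->arserver"  127.0.0.1 10000
    # Hop 3: arserver -> ldap (ldaps, assumed host)
    probe_hop "arserver->ldap"      ldap.example.com 636
}

# Network probing only runs when explicitly requested, so the file is safe to source.
if [ "${RUN_PROBE:-0}" = 1 ]; then
    main
fi
```

Run it with `RUN_PROBE=1 sh probe_hops.sh` after replacing the placeholder hosts; a line ending in `NONE [WEAK]` means the hop did not negotiate TLS at all (plain http, plain ldap, or an untunneled AR connection), which is the case the original question is worried about.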

