Thanks Danny...

I will be in contact with your company shortly re: assembling our team
for a product Demo and Q&A.

Cheers!


On Mar 30, 12:11 pm, Danny Kellett
<danny.kell...@strategicworkflow.com> wrote:
> Konrad,
>
> That's incorrect. We do not use the authentication string any more as many
> of the BMC products have bugs in them which prevent SSO being implemented
> correctly and safely. I can provide an official list of SW numbers if you
> wish, where the authentication string is not passed correctly. To name a
> few, Crystal Reports integration and Flashboards within the Windows User
> Tool. So good luck when you find your first customer who wants to use
> reports on the web or flashboards in the WUT.
>
> Sean, et al,
>
> Java System Solutions has been working with BMC as an SSO solution provider
> for four years now. We have partners that support and sell our product such
> as BMC themselves, Materna in Germany and Denmark, who this month have
> published an article about our solution in their magazine (including an
> embarrassing picture of John Baker and myself, I'm only 34 years old
> honest!), Comfort in Poland, which Konrad used to work for, SoftwareOne
> and Zones. So we have customers which are banks where security has become a
> priority and we were happy to modify our product as required, in partnership
> with these customers.
>
> So I can confidently let you know, and provide references, from customers
> and partners who can verify our security.
>
> In version 2.1, for the WUT SSO, we did store a password in the registry
> encrypted by AES (http://en.wikipedia.org/wiki/Advanced_Encryption_Standard).
> This was seen as secure enough for two large American banks and one Polish
> bank.
> In version 3.0, due for release in April, we have added another layer of
> encryption for the WUT where the password uses rotating keys very similar
> to http://www.freshpatents.com/Rotation-of-keys-during-encryption-decryp...
> 20061214ptan20060280298.php
> Again, all this is passed in the password field instead of the
> authentication field, and thus is again encrypted by BMC's own DES encryption
> over the wire.
>
> I believe with all that above, we are confidently happy with our product and
> so could many BMC representatives and partners alike.
>
> Elry,
>
> This is turning into a bit of an advert, and for that I apologise Dan/List,
> but you can find out more information from www.javasystemsolutions.com or
> send me an email off the list dkell...@javasystemsolutions.com
>
> Kind regards
> Danny
>
> -----Original Message-----
> From: Action Request System discussion list(ARSList)
> [mailto:arsl...@arslist.org] On Behalf Of Konrad Banasiak
> Sent: 30 March 2010 16:17
> To: arsl...@arslist.org
> Subject: Re: Top Positions SSO Solution
>
> Sean,
>
> Java System's plugin uses an authentication password saved in the Windows
> registry on all workstations to authenticate users through the RUT.
> All users have the same password. In my opinion it is not a very safe method.
>
> Mid-Tier uses the ARSAPI to communicate with ARS, so communication between
> MT and ARS is encrypted.
> Of course we must believe that the encryption method between ARS and MT used
> by BMC is safe.
>
> In this document you can read about ARS security:
> http://documents.bmc.com/supportu/documents/22/39/92239/92239.pdf
>
> Cheers
>
> Konrad
>
> TopPositions
> Really only one secure Plugin SSO for BMC Remedy AR System.
> http://www.remedy-sso.com
>
> -----Original Message-----
> From: Action Request System discussion list(ARSList)
> [mailto:arsl...@arslist.org] On Behalf Of Elry
> Sent: Tuesday, March 30, 2010 4:54 PM
> To: arsl...@arslist.org
> Subject: Re: Top Positions SSO Solution
>
> Thanks for all the responses...
>
> Konrad - quick question: Seems like you are saying that by signing on
> through the WUT there is a secure protocol that is followed when
> using Java System's plugin.
>
> Are there any issues when trying to do SSO through the Mid-Tier?
>
> Not that I perceive this as an issue for us, since we are primarily
> focused on the WUT.
>
> On Mar 30, 10:35 am, Konrad Banasiak <gene...@remedy-sso.com> wrote:
> > Sean,
> >
> > You are right. I agree with you.
> > I will try to explain to you how Plugin SSO from TopPositions works.
> >
> > If you connect to ARS through the Mid-Tier, the Mid-Tier authenticates to
> > ARS with the special password.
> > Of course the Mid-Tier IP is on the whitelist (see the Installation Guide,
> > page 15, MidTier-IP parameter).
> >
> > But if a client connects to ARS through the Windows client, you have the
> > following process:
> > 1. Remedy User authenticates the user with the special Authentication
> > Service through NTLM negotiation (NTLMv2) with the Domain Controller.
> > 2. If the user is confirmed, the Service returns a generated token to
> > Remedy User. (The token is unique for every user.)
> > 3. Remedy User passes this token in the "Authentication" field in AREA to
> > AREA SSO.
> > 4. AREA SSO confirms this token with the Authentication Service. If the
> > token is correct the user is authenticated; if not, the user is not
> > authenticated. Of course the Authentication Service confirms the client IP
> > address. And the token expires if it is not used for too long a time.
> >
> > Cheers
> >
> > Konrad
> >
> > TopPositions
> > Really only one secure Plugin SSO for BMC Remedy AR System.
> > http://www.remedy-sso.com
>
> > -----Original Message-----
> > From: Action Request System discussion list(ARSList)
> > [mailto:arsl...@arslist.org] On Behalf Of Garrison, Sean (Norcross)
> > Sent: Tuesday, March 30, 2010 4:01 PM
> > To: arsl...@arslist.org
> > Subject: Re: Top Positions SSO Solution
> >
> > Without being too technical I don't really trust an ARS SSO integration
> > that much.  In order to build an SSO you have to follow a process:
> >
> > 1.  Modify the authentication to the mid-tier to check the user's
> > credentials.
> > 2.  If the user is valid allow them to log into Remedy.
> > 3.  If the user is from mid-tier and they have valid credentials bypass
> > the AREA authentication and let them in.
> >
> > It is at step 3 where I believe the security hole lies in an SSO
> > implementation.  Granted there is some security but it is relatively weak.
> > Typically they ask you to enter in a list of IP addresses and a password of
> > some type.  This password is usually passed into the "Authentication" field
> > in AREA.  The IP address is a "whitelist" to tell AREA whether or not this
> > is a mid-tier IP.  So let's say you added your IP address to the whitelist
> > that you configure for the SSO implementation.  Using the User tool you
> > enter in the mid-tier password into the authentication field and put in your
> > username leaving the password field blank.  My guess is that you would log
> > right into ARS with no problems.  Go further and you could probably spoof
> > one of the mid-tier IP addresses so that ARS thinks your IP address is one
> > of the mid-tiers; you could do the same thing with entering in no password,
> > just the mid-tier password.  I don't know what Java System Solutions does
> > for this issue nor what the remedy-sso does.  But in both flowcharts you see
> > a little arrow going from mid-tier to ARS.  Before implementing either SSO I
> > would recommend validating with the vendor how secure that data is that is
> > passed between mid-tier and ARS and your comfort level with this type of
> > security.  The only reason I know this is because I have tried to build an
> > SSO solution before.
> >
> > Thanks,
> >
> > Sean
>
> > -----Original Message-----
> > From: Action Request System discussion list(ARSList)
> > [mailto:arsl...@arslist.org] On Behalf Of Shellman, David
> > Sent: Tuesday, March 30, 2010 8:25 AM
> > To: arsl...@arslist.org
> > Subject: Re: Top Positions SSO Solution
> >
> > Top Positions is spamming every email address that they can associate with
> > a Remedy Admin.  They hit a new email address of mine that was added to
> > the www.wwrug.com website a couple of weeks ago.
> > Dave
> > -------------------------
> > dave.shell...@tycoelectronics.com
> > (Wireless)
>

_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
attend wwrug10 www.wwrug.com ARSlist: "Where the Answers Are"
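The two designs argued over in this thread differ in what the AREA plugin actually checks: Sean's concern is a shared mid-tier secret plus an IP whitelist, while Konrad's steps 1 to 4 describe a per-user token that the Authentication Service confirms, binds to the client IP, and expires when idle. The Python model below is an added example written for this page; it is not code from TopPositions, Java System Solutions or BMC. The class and function names, the 300-second idle timeout, the sample accounts and the FakeClock are assumptions, and the NTLMv2 negotiation with the Domain Controller is replaced by a plain dictionary lookup placeholder. It shows the checks an AREA-side verifier needs so that a token only works for the user it was issued to, from the address it was issued to, and only while it is being used.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed idle timeout; the thread only says the token expires when unused
# "for too long a time".
IDLE_TIMEOUT_SECONDS = 300


class FakeClock:
    """Controllable clock so expiry can be exercised without sleeping (test helper)."""

    def __init__(self, start: float = 0.0) -> None:
        self.t = start

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


@dataclass
class TokenRecord:
    user: str
    client_ip: str
    last_used: float


class AuthenticationService:
    """Hypothetical stand-in for the 'special Authentication Service' in the thread.

    Steps 1-2: the client proves its identity and receives a per-user token.
    Step 4:    the AREA plugin asks the service to confirm a presented token.
    """

    def __init__(self, domain_accounts: dict, clock=time.monotonic) -> None:
        # Constructed stand-in for the Domain Controller (user -> password).
        # A real deployment would run NTLMv2 here instead of a dictionary lookup.
        self._accounts = domain_accounts
        self._clock = clock
        self._tokens: dict[str, TokenRecord] = {}

    def issue_token(self, user: str, password: str, client_ip: str):
        expected = self._accounts.get(user)
        if expected is None or not hmac.compare_digest(
            expected.encode(), password.encode()
        ):
            return None  # domain authentication failed: no token is issued
        token = secrets.token_urlsafe(32)  # fresh random value per issuance
        self._tokens[token] = TokenRecord(user, client_ip, self._clock())
        return token

    def confirm_token(self, token: str, user: str, client_ip: str) -> bool:
        record = self._tokens.get(token)
        if record is None:
            return False  # unknown, never issued, or already expired
        now = self._clock()
        if now - record.last_used > IDLE_TIMEOUT_SECONDS:
            del self._tokens[token]  # idle too long: expire it permanently
            return False
        # The token is tied to the user it was issued for and to the client IP
        # seen at issuance, so presenting it under another username or from
        # another address is rejected.
        if record.user != user or record.client_ip != client_ip:
            return False
        record.last_used = now  # a successful use refreshes the idle timer
        return True


def area_sso_verify(service: AuthenticationService, user: str,
                    authentication_field: str, client_ip: str) -> bool:
    """Steps 3-4 as seen from the AREA plugin: the 'Authentication' field
    carries the token and the plugin defers the decision to the service."""
    return service.confirm_token(authentication_field, user, client_ip)


if __name__ == "__main__":
    clock = FakeClock()
    svc = AuthenticationService({"alice": "correct-horse"}, clock=clock.now)
    tok = svc.issue_token("alice", "correct-horse", "10.0.0.5")
    print("alice from 10.0.0.5:", area_sso_verify(svc, "alice", tok, "10.0.0.5"))
    print("bob reusing token:  ", area_sso_verify(svc, "bob", tok, "10.0.0.5"))
    clock.advance(IDLE_TIMEOUT_SECONDS + 1)
    print("alice after idling: ", area_sso_verify(svc, "alice", tok, "10.0.0.5"))
```

The point of the model is that the verifier's answer depends on the identity the token was issued for, not only on a secret and a source address. With a single shared secret in the Authentication field, as Sean describes, the plugin has no way to tie the request to a particular user; with a per-user token, a credential that is valid for one account proves nothing about any other account name, and the IP binding and idle expiry limit how long and from where a captured token could be replayed.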
