Yup, I don't get it when some sites do not like to change that default, when even losing the new password in documentation is not a reason good enough. With the way it's designed, you do not need to really know the new password in order to change it. You do not even need to remember the Demo password (thank you arcache). All you need to remember is the system password and, given that permission as an AR Admin, you can hack your way in if all documentation on these passwords is lost. You can't even call that a hack, as that tool is designed for accidental loss of admin account recovery.

The only good reason I can come up with is that they probably trust their people very much and they can live with that trust and not worry about little things like system passwords :-).

Joe

_____

From: Action Request System discussion list(ARSList) [mailto:[email protected]] On Behalf Of Jason Miller
Sent: Wednesday, March 13, 2013 6:01 PM
To: [email protected]
Subject: Re: Mid Tier administration password

I had a similar experience the first day on the job as the first ever dedicated Remedy admin. The role of admin had either been contractors or the Help Desk manager. I was waiting for my account to be created when I decided to try Demo without a password. Built my own account, thank you very much. And added a password to Demo shortly after :)

And even though I didn't have root access on the app server, Remedy was running as root. I built a console to issue commands via Remedy as root. Problem solved!

I joke about the ARAdmin password, but we ran with the default for many years. More years than I would like to admit. Security used to be an afterthought. Even worse, other systems were using that account for integrations. I took a lot of flak when I finally decided enough is enough and changed it from the default.

Jason

On Wed, Mar 13, 2013 at 12:32 PM, Joe D'Souza <[email protected]> wrote:

You're funny Jason :-)

I recall many years ago, when I was fairly new to Remedy, I was at a site, waiting on a MS-SQL system administrator for the sa password for something (not an install or upgrade, but just to log in as sa to do something on the server), and could not get in touch with that person, so for fun I attempted to log in to that DB (which was a standalone DB for the AR Server) with sa and a blank password, and it went right in! And later found out that many of the SQL servers on their network had blank passwords for sa :-) When I brought it to their attention, they had no idea these were unprotected. They had several other network logins into these servers and had forgotten about the sa login.

Joe

_____

From: Action Request System discussion list(ARSList) [mailto:[email protected]] On Behalf Of Jason Miller
Sent: Wednesday, March 13, 2013 10:16 AM
To: [email protected]
Subject: Re: Mid Tier administration password

Great, now we have to change our production db password. Thanks for publishing it!

On Mar 13, 2013 2:06 AM, "John Baker" <[email protected]> wrote:

Steve:

It is difficult to compare a decade-old open-source enterprise-wide solution (i.e. Atrium/OpenSSO), that is not well integrated with AR System, with a modern solution built for AR System that sits neatly in Mid Tier and is well supported/respected by BMC customers/partners. :)

Matt's found a very nice video and it only goes to highlight the importance of protecting against brute-force attacks, such as automatically locking accounts in AR System after a number of failed login attempts. And of course, changing the default AR#Admin# database password.

Joe:

An alternative mechanism of integrating Mid Tier and AR System would be to use SSL client certificates. This is how the HP Service Manager web application is integrated with the SM server side application (i.e. ARS in this world). The down side of this approach is the complexity: SSL client certs are far more complicated to configure than simply entering a password.

John

_ARSlist: "Where the Answers Are" and have been for 20 years_
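John's remark about automatically locking accounts after a number of failed login attempts is the one concrete control in this thread, so here is an added example of what such a lockout policy looks like when evaluated over authentication logs. This is not code from the thread, from BMC, or from AR System: the log line format, the field names (user, result, src), the thresholds and the sample entries are all constructed for illustration, and a real deployment would read the server's own login audit records instead.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log. The format is an assumption for this example,
# not the real AR System or Mid Tier log layout.
SAMPLE_LOG = """\
2013-03-13 10:00:01 LOGIN user=Demo result=FAIL src=10.0.0.5
2013-03-13 10:00:02 LOGIN user=Demo result=FAIL src=10.0.0.5
2013-03-13 10:00:03 LOGIN user=Demo result=FAIL src=10.0.0.5
2013-03-13 10:00:04 LOGIN user=Demo result=FAIL src=10.0.0.5
2013-03-13 10:00:05 LOGIN user=Demo result=FAIL src=10.0.0.5
2013-03-13 10:00:06 LOGIN user=Demo result=OK src=10.0.0.5
2013-03-13 10:01:00 LOGIN user=jmiller result=FAIL src=10.0.0.7
2013-03-13 10:20:00 LOGIN user=jmiller result=OK src=10.0.0.7
2013-03-13 10:30:00 LOGIN user=Demo result=OK src=10.0.0.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) LOGIN user=(?P<user>\S+) result=(?P<result>OK|FAIL) src=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class LockoutPolicy:
    """Hypothetical policy: lock after max_failures inside window, for lock_duration."""
    max_failures: int = 5
    window: timedelta = timedelta(minutes=10)
    lock_duration: timedelta = timedelta(minutes=15)


def parse_line(line):
    """Return (timestamp, user, result, src) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, m["user"], m["result"], m["src"]


def evaluate(log_text, policy=LockoutPolicy()):
    """Replay the log against the policy.

    Returns (lockouts, denied):
      lockouts: list of (user, time) when an account became locked
      denied:   list of (user, time) for attempts rejected while locked,
                including attempts that presented the correct password
    """
    failures = defaultdict(deque)  # user -> timestamps of recent failures
    locked_until = {}              # user -> time the lock expires
    lockouts, denied = [], []

    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue  # ignore malformed lines rather than failing the replay
        ts, user, result, _src = parsed

        # While locked, every attempt is refused, even a correct password.
        # This is what makes the lockout effective against online guessing.
        if user in locked_until and ts < locked_until[user]:
            denied.append((user, ts))
            continue

        if result == "OK":
            failures[user].clear()  # a genuine login resets the counter
            continue

        recent = failures[user]
        recent.append(ts)
        # Drop failures that have aged out of the sliding window.
        while recent and ts - recent[0] > policy.window:
            recent.popleft()

        if len(recent) >= policy.max_failures:
            locked_until[user] = ts + policy.lock_duration
            lockouts.append((user, ts))
            recent.clear()

    return lockouts, denied


if __name__ == "__main__":
    locks, refused = evaluate(SAMPLE_LOG)
    for user, when in locks:
        print(f"LOCKED  {user} at {when}")
    for user, when in refused:
        print(f"DENIED  {user} at {when} (account locked)")
```

Replaying the constructed log with the default policy locks Demo at the fifth failure and refuses the correct password presented one second later, while jmiller's single mistake never trips the threshold. Lowering max_failures to 1 shows the trade-off John alludes to: a stricter policy also locks the legitimate jmiller after one typo, so the threshold and window need to be tuned against real help-desk volume rather than set as low as possible.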

