Konrad,

The desktop client is on the endangered species list.  It's not going to be 
much longer before it is extinct.

Also I do not appreciate getting email sent to the email address listed on 
www.wwrog.com from your company.  That email address has only been listed there 
for less than two weeks.  It is not the email address I use to post to the ARS 
List.  Technically those emails should include a way to opt out.  There wasn't 
any.
------Original Message------
From: Konrad Banasiak
To: Arslist
ReplyTo: Arslist
Subject: Re: Top Positions SSO Solution
Sent: Mar 30, 2010 4:07 PM

Danny,

You are right, it is a bug in the BMC Remedy User tool.
But this problem is independent of whether SSO is used or not.
You can always use, for example, HTTP analyzer software to listen on the TCP port,
because the flashboards are provided through the mid-tier.
The worst situation is when you use the arealdap plugin from BMC to authenticate
users, because then you can snaffle the password for the domain username.
So it is a very dangerous situation.
It is a little better when you store passwords to Remedy in the User form, because
in that case, when you snaffle the password, you will only have permission to
Remedy.
The best situation is when you use Plugin SSO from Top Positions. In Plugin
SSO, the user authenticates to Remedy using a special token which is generated for
each user and IP address, so if somebody snaffles this token he will log in
only to Remedy, and of course the token expires.
Another worst situation is when all people use the same key, because then if
somebody snaffles the password he can affect whoever he wants.

So if you want to have a very safe system, you have two possibilities:
1. Don't use the BMC Remedy User tool (only web)
2. You can configure SSL on Tomcat (because the flashboards server, SRM and
Crystal Reports are provided by the mid-tier).



Danny wrote:

In version 2.1, for the WUT SSO, we did store a password in the registry
encrypted by AES http://en.wikipedia.org/wiki/Advanced_Encryption_Standard

This is really a bug. Would you like me to show you how you can decrypt this password?
So I think you should publish information on your site that your plugin is
not too safe.

Danny wrote: This was seen as secure enough for two large American banks and
one Polish bank.

The Polish bank doesn't use SSO for RUT because they know about the bug.

Cheers
 
Konrad

TopPositions
Really the only secure Plugin SSO for BMC Remedy AR System.
Http://www.remedy-sso.com





-----Original Message-----
From: Action Request System discussion list(ARSList)
[mailto:arsl...@arslist.org] On Behalf Of Danny Kellett
Sent: Tuesday, March 30, 2010 6:12 PM
To: arslist@ARSLIST.ORG
Subject: Re: Top Positions SSO Solution

Konrad,

That's incorrect. We do not use the authentication string any more as many
of the BMC products have bugs in them which prevent SSO being implemented
correctly and safely. I can provide an official list of SW numbers if you
wish, where the authentication string is not passed correctly. To name a
few, Crystal Reports integration and Flashboards within the Windows User
Tool. So good luck when you find your first customer who wants to use
reports on the web or flashboards in the WUT.

Sean, et al,

Java System Solutions has been working with BMC as an SSO solution provider
for four years now. We have partners that support and sell our product such
as BMC themselves, Materna in Germany and Denmark, who this month published
an article about our solution in their magazine (including an embarrassing
picture of John Baker and myself, I'm only 34 years old, honest!), Comfort in
Poland, which Konrad used to work for, SoftwareOne and Zones. So we have
customers which are banks where security has become a priority, and we were
happy to modify our product as required, in partnership with these customers.

So I can confidently let you know, and provide references, from customers
and partners who can verify our security.

In version 2.1, for the WUT SSO, we did store a password in the registry
encrypted by AES (http://en.wikipedia.org/wiki/Advanced_Encryption_Standard).
This was seen as secure enough for two large American banks and one Polish
bank.
In version 3.0, due for release in April, we have added another layer of
encryption for the WUT where the password uses rotating keys very similar to
http://www.freshpatents.com/Rotation-of-keys-during-encryption-decryption-dt20061214ptan20060280298.php
Again, all this is passed in the password field instead of the
authentication field, and thus is again encrypted by BMC's own DES encryption
over the wire.

I believe, with all of the above, that we are confidently happy with our product,
as are many BMC representatives and partners alike.

Elry,

This is turning into a bit of an advert, and for that I apologise Dan/List,
but you can find out more information from www.javasystemsolutions.com or
send me an email off the list at dkell...@javasystemsolutions.com.

Kind regards
Danny 

-----Original Message-----
From: Action Request System discussion

------Original Message Truncated------

Dave
-------------------------
dave.shell...@tycoelectronics.com
(Wireless)
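Konrad describes a token that is generated per user and IP address and expires, so that a sniffed token grants only Remedy access for a limited time. The following is an added illustration of that kind of scheme, not Top Positions' or Java System Solutions' code; the server secret, the 300-second lifetime and the sample users and IPs are constructed for the example:

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed values for this illustration: a real server would keep the
# secret in protected configuration and never ship it to the client.
SERVER_SECRET = b"example-server-secret-not-for-production"
TOKEN_TTL_SECONDS = 300


def issue_token(username, client_ip, now=None):
    """Mint a token tied to one user, one client IP and an expiry time.
    The token carries no password, so capturing it on the wire reveals
    no domain or Remedy credential."""
    now = time.time() if now is None else now
    payload = {"user": username, "ip": client_ip,
               "exp": int(now) + TOKEN_TTL_SECONDS}
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(SERVER_SECRET, body, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(body).decode() + "." + tag


def verify_token(token, client_ip, now=None):
    """Return (username, "ok") if the token is genuine, unexpired and
    presented from the IP it was issued for; otherwise (None, reason)."""
    now = time.time() if now is None else now
    try:
        b64_body, tag = token.split(".", 1)
        body = base64.urlsafe_b64decode(b64_body)
    except (ValueError, binascii.Error):
        return None, "malformed"
    # Check the MAC in constant time before trusting any field.
    expected = hmac.new(SERVER_SECRET, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None, "bad signature"
    payload = json.loads(body)  # safe to parse now: the MAC proves we minted it
    if payload.get("exp", 0) <= now:
        return None, "expired"
    if payload.get("ip") != client_ip:
        return None, "ip mismatch"
    return payload.get("user"), "ok"


if __name__ == "__main__":
    t0 = 1_700_000_000
    tok = issue_token("alice", "10.0.0.5", now=t0)
    print(verify_token(tok, "10.0.0.5", now=t0 + 10))   # ('alice', 'ok')
    print(verify_token(tok, "10.0.0.9", now=t0 + 10))   # (None, 'ip mismatch')
    print(verify_token(tok, "10.0.0.5", now=t0 + 600))  # (None, 'expired')
```

A token replayed from another address or after its lifetime is refused, which is the property Konrad contrasts with a shared key or a sniffed domain password.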
