Kali,

 

BMC has a White Paper called "BMC Remedy Action Request System Security",
which I believe came out for version 7.1.  In there, it states:

 

Password security over the network

Passwords are always encrypted when sent over the network by the AR System
API. This is the case even if you do not choose to encrypt API
communications with the AR System server.

NOTE

When BMC Remedy User displays a Flashboards object, it retrieves the content
from the BMC Remedy Mid Tier. BMC strongly recommends that you configure
the web server to use SSL to ensure that all data (including the password)
are encrypted over the network and hence secure.

Password storage

User passwords are always stored in the database as an encrypted one-way
hash. Once encrypted and stored, the password is not decrypted by the server
at all.

Passwords in the configuration files are always stored in an encrypted
format. The encryption is a 56 bit DES. BMC recommends that you further
protect the configuration files by setting the appropriate file access
permissions.

 

There's some other interesting information in there, so I'd look it up on
BMC's site if you want all the other security-related information.
Additionally, there's a second White Paper called "Security Attacks and AR
System" from 2007.  It too is pretty interesting and can be used to help
facilitate conversations with your security teams.

 

Hope that helps you!

 

Matt Reinfeldt

From: Action Request System discussion list(ARSList)
[mailto:arsl...@arslist.org] On Behalf Of Kali Obsum
Sent: Wednesday, November 10, 2010 11:03 PM
To: arslist@ARSLIST.ORG
Subject: Remedy Password Encryption

 


Hi,

 

Does anyone know what type of encryption Remedy 7.6 uses for the passwords?
Thanks!

 

Regards,

Kali

 
