Re: Intermittent, Spotty ARS Performance (UNCLASSIFIED)
Classification: UNCLASSIFIED
Caveats: NONE

Norm,

You may want to investigate whether you can use BMC or SQL Full Text search options to improve the performance. Alternatively, I've found it helps to interview the culprits to understand how they are utilizing the system to do their job. Often you can add an indexed field that allows them to categorize/track what they are looking for on a repeat basis.

Christopher Michaud

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED]] On Behalf Of Kaiser, Norm E CIV USAF AFMC 96 CS/SCCE
Sent: Tuesday, November 25, 2008 8:25 AM
To: arslist@ARSLIST.ORG
Subject: Re: Intermittent, Spotty ARS Performance (UNCLASSIFIED)

Good suggestion...I'm pretty familiar with the new worklog model in version 7 and its advantages and disadvantages. Unfortunately, that entails a very large coding effort, which I'm not able to do on this system.

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED]] On Behalf Of Benedetto Cantatore
Sent: Tuesday, November 25, 2008 8:12 AM
To: arslist@ARSLIST.ORG
Subject: Re: Intermittent, Spotty ARS Performance (UNCLASSIFIED)

Norm,

Perhaps you need to steal an idea from version 7 and make the worklogs a parent-child relationship with the main form. This would accommodate the individuals that need to get to specific information in the worklog and ease up the burden on your database. If you can install version 7 on a server, you'll see how it works and adopt it.

Ben Cantatore
Remedy Manager
(914) 457-6209
Emerging Health IT
3 Odell Plaza
Yonkers, New York 10701

[EMAIL PROTECTED] 11/25/08 8:56 AM

Yeah, I suspected the same thing going in, but free disk space is abundant. Only about 20% of the disk is used.

I have concluded that the issue is the diary searches. I suspected that this was a problem about a month ago, so I created a form and a filter that would capture a record every time a user did a diary search.

Sure enough, I discovered users were doing diary searches dozens of times per day. There are now over 500,000 tickets in this system, and each ticket contains diary entries of up to 30 pages (or more) in length. Users were repeatedly searching for things like, "The ticket was placed on hold because the customer is unavailable."

To prove the theory, I had the administrator at the site repeatedly log on to her User client. That is, TOOL...LOGIN...TOOLS...LOGIN...TOOLS...LOGIN...etc. The User client would faithfully log her on to Remedy in under a second. I told her, "Keep doing it!" while I went to my client and issued a diary search. Bam! She could no longer log in. She got the dreaded, "Setting server port..." message that never went away.

So I have locked down the diary field to prevent these searches, but I'm already hearing all sorts of dissent: "That puts us out of business! We HAVE to be able to search the worklog!"

So now I'm considering other options. I suppose the only thing I can do is set up some type of archival system, but that comes with two problems: 1) Users will hate it and 2) It doesn't really solve the problem. Putting a voluminous amount of free text on another form and telling users, "Go search there," still puts a huge burden on the database to sift through all that garbage.

Norm

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED]] On Behalf Of Joe DeSouza
Sent: Monday, November 24, 2008 8:09 PM
To: arslist@ARSLIST.ORG
Subject: Re: Intermittent, Spotty ARS Performance (UNCLASSIFIED)

Another thing could be your disk space getting full on the Remedy server. We had that issue recently when one of the operations some user would do would eventually timeout and would create a temp file on the server's Windows Temp directory that would grow and keep growing even if the user quit the user tool from the client.

The disk would eventually be full and the AR Server would get extremely slow and eventually impossible to login. Bouncing the Remedy Service would kill that temp file and release all the used space.

Joe

From: Kaiser, Norm E CIV USAF AFMC 96 CS/SCCE [EMAIL PROTECTED]
To: arslist@ARSLIST.ORG
Sent: Monday, November 24, 2008 12:58:53 PM
Subject: Re: Intermittent, Spotty ARS Performance (UNCLASSIFIED)

Yes, that's my suspicion. I have a big suspicion that people are searching the worklog diary field.

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED]] On Behalf Of Michaud, Christopher W Mr CTR USA MEDCOM USAMITC
Sent: Monday, November 24, 2008 11:20 AM
To: arslist@ARSLIST.ORG
Subject: Re: Intermittent, Spotty ARS Performance (UNCLASSIFIED)

Classification: UNCLASSIFIED
Caveats: NONE

Norm,

You may want to look closer at the SQL side. Look for locks. Perhaps someone querying a diary or un-indexed field. Also, are you using SQL replication? In
Re: Intermittent, Spotty ARS Performance (UNCLASSIFIED)
Classification: UNCLASSIFIED
Caveats: NONE

Norm,

You may want to look closer at the SQL side. Look for locks. Perhaps someone querying a diary or un-indexed field. Also, are you using SQL replication? In particular, are snapshots turned on?

Christopher Michaud

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED]] On Behalf Of Kaiser, Norm E CIV USAF AFMC 96 CS/SCCE
Sent: Monday, November 24, 2008 11:03 AM
To: arslist@ARSLIST.ORG
Subject: Intermittent, Spotty ARS Performance

Hi everyone:

This problem has me perplexed. At a site I support, the Remedy server inexplicably stops responding to requests. It's very intermittent. It runs fine for awhile, then seemingly without warning, it just hangs. Users attempting to log on get stuck at the Setting server port dialog, which eventually times out. Other users who are already logged who try to pull up a ticket get stuck at a blank screen that never comes back.

To resolve the issue, they have to bounce the Remedy server service. The system works for awhile...until it hangs up again.

Any ideas what might be causing this?

- I have monitored CPU utilization when this occurs, and the CPU hums along at about 3% - 5% utilization
- Network utilization is flat-lined whenever this occurs (i.e., no spike)
- Memory utilization appears normal
- CNET bandwidth tests resolve to better than dedicated T1 performance (for what that's worth)

Any thoughts are greatly appreciated. The interesting thing is, we have the same exact Remedy apps running on the same exact type of server in the same exact environment in four other locations, and those four other locations never experience any problems.

Norm

Remedy ARS 6.3
Microsoft SQL 2000 SP4
Microsoft Windows 2000 SP2
100% Custom Apps - No ITSM

Classification: UNCLASSIFIED
Caveats: NONE

UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
Platinum Sponsor: www.rmsportal.com ARSlist: Where the Answers Are
Re: Searching Diaries WAS: Intermittent, Spotty ARS Performance (UNCLASSIFIED)
Classification: UNCLASSIFIED
Caveats: NONE

Norm,

To prevent certain Advanced Query searches, you can drop the Reserved Field (1005) on the form and use an AL to inspect the value (On Search). Throw an error if the value contains the diary field name ('DIARYNAME'). This will allow you to exclude certain fields from being used and even prevent use of LIKE statements.

Christopher Michaud
Remedy System Administrator/Developer
US Army Medical Information Technology Center (USAMITC)
Core Technology Division - Systems Engineering Branch
Office: 210.295.3589
DSN: 421-3589

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED]] On Behalf Of Kaiser, Norm E CIV USAF AFMC 96 CS/SCCE
Sent: Monday, November 24, 2008 2:49 PM
To: arslist@ARSLIST.ORG
Subject: Re: Searching Diaries WAS: Intermittent, Spotty ARS Performance

No...can't do that. Thanks for the suggestion, but that won't work. Users still need to construct advanced searches. I just need to block them from skirting my AL that blocks them from searching the worklog.

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED]] On Behalf Of Gayford, Matthew C.
Sent: Monday, November 24, 2008 2:47 PM
To: arslist@ARSLIST.ORG
Subject: Re: Searching Diaries WAS: Intermittent, Spotty ARS Performance

Just turn off the advanced search option from the Form - Current View - Properties - Menu Access menu.

-Matt

Matthew C. Gayford
Application Developer
Remedy Administrator
University of North Carolina Wilmington
(910) 962-7177

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED]] On Behalf Of Kaiser, Norm E CIV USAF AFMC 96 CS/SCCE
Sent: Monday, November 24, 2008 3:39 PM
To: arslist@ARSLIST.ORG
Subject: Re: Searching Diaries WAS: Intermittent, Spotty ARS Performance

How do you block searches done on the Advanced Query Bar?

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED]] On Behalf Of Rootuja Ghatge
Sent: Monday, November 24, 2008 2:35 PM
To: arslist@ARSLIST.ORG
Subject: Re: Searching Diaries WAS: Intermittent, Spotty ARS Performance

We prevent our users from searching the work log on production server via an active link firing on search. It's a given performance killer. They have to use the reporting server to search the work log.

HTH,
Rootuja

Rootuja Ghatge
Senior Application Developer
CenterBeam, Inc.
30 Rio Robles
San Jose, CA 95134
Direct (408) 750-0718
Fax (408) 750-0559
http://www.centerbeam.com

This email may contain confidential and privileged material for the sole use of the intended recipient. Any review or distribution by others is strictly prohibited. If you are not the intended recipient please contact the sender and delete all copies.

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED]] On Behalf Of Kaiser, Norm E CIV USAF AFMC 96 CS/SCCE
Sent: Monday, November 24, 2008 12:19 PM
To: arslist@ARSLIST.ORG
Subject: Searching Diaries WAS: Intermittent, Spotty ARS Performance

OK, I'm pretty confident the problem was being caused by users constantly searching the worklog diary field on a form with 200,000+ tickets. I was able to reproduce the behavior multiple times by doing a diary search myself.

So...that leads me to wonder, how do the rest of the ARSListers handle diary searches?

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED]] On Behalf Of Michaud, Christopher W Mr CTR USA MEDCOM USAMITC
Sent: Monday, November 24, 2008 11:20 AM
To: arslist@ARSLIST.ORG
Subject: Re: Intermittent, Spotty ARS Performance (UNCLASSIFIED)

Classification: UNCLASSIFIED
Caveats: NONE

Norm,

You may want to look closer at the SQL side. Look for locks. Perhaps someone querying a diary or un-indexed field. Also, are you using SQL replication? In particular, are snapshots turned on?

Christopher Michaud

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED]] On Behalf Of Kaiser, Norm E CIV USAF AFMC 96 CS/SCCE
Sent: Monday, November 24, 2008 11:03 AM
To: arslist@ARSLIST.ORG
Subject: Intermittent, Spotty ARS Performance

Hi everyone:

This problem has me perplexed. At a site I support, the Remedy server inexplicably stops responding to requests. It's very intermittent. It runs fine for awhile, then seemingly without warning, it just hangs. Users attempting to log on get stuck at the Setting server port dialog, which eventually times out. Other users who are already logged who try to pull up a ticket get stuck at a blank screen that never comes back.

To resolve the issue, they have to bounce the Remedy server service. The system works for awhile...until it hangs up again.

Any ideas
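The search guard described in Christopher Michaud's reply at the top of this message (inspect the Advanced Query text on search and reject it when it names the diary field), sketched in Python as an added example; it is not code from the thread or from BMC. The field label `Worklog`, the field ID `536870913`, the function names and the sample searches are assumptions, and the tokenizer assumes field references in single quotes and values in double quotes. It goes slightly beyond the reply by comparing a plain substring test with a tokenized one and by adding an optional rule against leading-wildcard LIKE patterns.

```python
import re

# Assumed identifiers for illustration: the diary field's label and its field ID.
BLOCKED_FIELDS = {"worklog", "536870913"}

# Assumed syntax: field references in single quotes, literal values in double
# quotes, with a doubled quote standing for a quote inside either.
TOKEN = re.compile(
    r"""'(?P<field>(?:[^']|'')*)'
      | "(?P<value>(?:[^"]|"")*)"
      | (?P<word>[A-Za-z_]+)
      | (?P<other>\S)
    """,
    re.VERBOSE,
)


def tokenize(qualification):
    """Return a list of (kind, text) tokens: field, value, word or other."""
    return [(m.lastgroup, m.group(m.lastgroup)) for m in TOKEN.finditer(qualification)]


def naive_check(qualification, name="Worklog"):
    """Substring test on the raw text: allowed only if the name never appears."""
    return name.lower() not in qualification.lower()


def check_search(qualification, blocked=BLOCKED_FIELDS, like_policy="allow"):
    """Return (allowed, reason) for one advanced-search qualification.

    like_policy is "allow", "deny", or "no_leading_wildcard" (reject LIKE
    patterns that start with %, which an ordinary index cannot serve).
    """
    tokens = tokenize(qualification)
    for i, (kind, text) in enumerate(tokens):
        if kind == "field":
            # Compare the unescaped reference, by label or by ID, to the block list.
            name = text.replace("''", "'").strip().lower()
            if name in blocked:
                return False, f"field '{text}' may not be searched on this server"
        elif kind == "word" and text.upper() == "LIKE" and like_policy != "allow":
            if like_policy == "deny":
                return False, "LIKE is not permitted in advanced searches"
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ("", "")
            if nxt[0] == "value" and nxt[1].startswith("%"):
                return False, "LIKE patterns may not begin with %"
    return True, "ok"


# Constructed sample searches (not taken from the system in the thread).
SAMPLES = [
    "'Status' = \"Open\" AND 'Worklog' LIKE \"%on hold%\"",   # diary field by label
    "'536870913' LIKE \"%customer is unavailable%\"",          # diary field by ID
    "'Status' = \"Worklog updated\"",                          # name only inside a value
    "'Submitter' LIKE \"%smith\"",                             # leading wildcard elsewhere
]

if __name__ == "__main__":
    for q in SAMPLES:
        verdict = check_search(q, like_policy="no_leading_wildcard")
        print(verdict, "| naive allows:", naive_check(q), "|", q)
```

The substring test wrongly rejects the third sample and lets the second through, which is why the guard has to look at field references rather than raw text and has to list the field's ID as well as its label.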
Re: .NET API CreateField example using VBS (UNCLASSIFIED)
Classification: UNCLASSIFIED
Caveats: NONE

Thank you all for your responses. It seems the CreateField option may not be the most straightforward approach. Your responses have given me some other ideas though.

Thanks again,

Christopher Michaud
Remedy System Administrator/Developer
US Army Medical Information Technology Center (USAMITC)
Core Technology Division - Systems Engineering Branch
Office: 210.295.3589
DSN: 421-3589

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED]] On Behalf Of Misi Mladoniczky
Sent: Thursday, September 04, 2008 12:47 AM
To: arslist@ARSLIST.ORG
Subject: Re: .NET API CreateField example using VBS (UNCLASSIFIED)

Hi,

I would use a supported API to do something like this, namely C or Java.

Most wrapper-APIs have concentrated on reading/writing data to forms, and as a second priority to read information about forms/fields/filter etc. The third priority has been to implement the creation of admin-objects in the server.

One solution could be to copy the field with ARGetField from a source form, and then create a duplicate in the other forms. This should work if the field does not belong to ANY view. If the field is supposed to be visible, you will need to handle different view-ids on different forms in the ARDisplayInstanceList.

Another favourite of mine is to export the form definitions to a file (def or xml), manipulate it (add your field to the forms), and finally reimport it.

Best Regards - Misi, RRR AB, http://www.rrr.se

Products from RRR Scandinavia:
* RRR|License - Not enough Remedy licenses? Save money by optimizing.
* RRR|Log - Performance issues or elusive bugs? Analyze your Remedy logs.
* RRR|Translator - Manage and automate your language translations.
Find these products, and many free tools and utilities, at http://rrr.se.

Classification: UNCLASSIFIED
Caveats: NONE

All,

Does anyone have a VBS example of the syntax required to use the CreateField method, and if possible setting the properties of the new field, using the .NET API? I need to loop through many forms and add the same field and it seems this might be the most efficient way.

Thank you,

Christopher Michaud
Remedy System Administrator/Developer
US Army Medical Information Technology Center (USAMITC)
Core Technology Division - Systems Engineering Branch
Office: 210.295.3589
DSN: 421-3589

Classification: UNCLASSIFIED
Caveats: NONE
Re: Integrate Remedy User Tool with CAC card (UNCLASSIFIED)
Classification: UNCLASSIFIED
Caveats: NONE

We chose a phased CAC implementation. The first phase was to CAC enable the Mid-Tier via the IIS server. From there I control the users' access to Remedy and the Mid-Tier application through a process that performs the CAC validation and then passes the validated CAC user to the correct Mid-Tier starting point based on criteria we determine. This required closing a couple holes in the Mid-Tier product to prevent users from trying to circumvent the validation and directly accessing forms via URLs. In some cases we populate the login id, lock it and require a password to be entered based on Remedy permission level. In other cases, I pass the users directly to specific Mid-Tier forms. This is not true SSO but it does perform the required application access validation via CAC card quite well.

Next I'm planning on implementing CAC validation for both the Mid-Tier and the User Tool using simple Remedy-based workflow I've developed. This code does not rely on the DLL hooks to function, but again it performs CAC validation and control - not true SSO. The upside to this is that because it's almost entirely Remedy workflow, it's easy to maintain and customize as needed and it does not need to be updated and recompiled each time your ARS release changes.

The last phase will be to work out the SSO capability.

Thank you,

Christopher Michaud
Remedy System Administrator/Developer
US Army Medical Information Technology Center (USAMITC)
Core Technology Division - Systems Engineering Branch
Office: 210.295.3589
DSN: 421-3589

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Michadick
Sent: Friday, August 29, 2008 7:13 AM
To: arslist@ARSLIST.ORG
Subject: Re: Integrate Remedy User Tool with CAC card (UNCLASSIFIED)

You can add the US Marine Corps to that list. We, too, are upgrading to ARS 7.1 ITSM 7.0 and have to use CAC login. We have our BMC professional services team working on a solution. I'll have them take a look at the USAF's solution and see if it can work for us.

Steve Michadick
Remedy Engineer
Marine Corps Network Operations and Security Center (MCNOSC)
Phone: 703-432-6726

-----Original Message-----
From: Easter, David [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 28, 2008 4:42 PM
Subject: Re: Integrate Remedy User Tool with CAC card (UNCLASSIFIED)

I can try to help a little, although I'm somewhat bound by confidentiality, so I apologize that I can't go into detail beyond what I'll say here.

When the Single Sign-On (SSO) and Other Client-Side Login Intercept Technologies interface was created, it was BMC's expectation that customers or partners would take this interface and create point-to-point integrations with solutions in the marketplace. At this time, there are no short term plans for BMC to productize such integrations. If this remains a gap in the marketplace, that decision may be revisited - but I would encourage the development community to share work done in this area among other community members or for an enterprising partner or solution provider to create a marketable solution for such point-to-point integrations to popular SSO environments.

Also, there is a Department of Defense Instruction NUMBER 8520.2 (http://www.dtic.mil/whs/directives/corres/html/852002.htm). This Instruction applies to:

2.4. All DoD unclassified and classified information systems including networks (e.g., Non-secure Internet Protocol Router Network, Secret Internet Protocol Router Network, web servers, and e-mail systems.

E3.4.1.3. Other Information Systems. For information systems requiring authentication other than network login or web servers, the system owner shall perform a business case analysis to determine if PK-Enabling is warranted. The business case analysis shall be submitted to the DoD Component CIO for review and approval. If warranted, the information system shall be PK-Enabled.

This has influenced several U.S. military bases to pursue integrating the CAC with their Remedy systems. Because this request affects multiple branches of the U.S. Armed Services, one would expect that work done at one base could be shared with other bases - although I certainly understand that there may be bureaucratic or other barriers to such sharing. However, if there are any shared DoD resources, you may wish to reach out internally to other bases that have Remedy based solutions. My understanding is that the military has, for the most part, chosen a single vendor for CAC - so work done once should be applicable in most other environments. Of the branches that I'm aware of, I believe the Air Force is currently the farthest along with the Army also making requests for the CAC integration.

In addition, if this cannot be solved at a community or partner level, I believe there is some work being done by BMC Professional Services to
Re: Integrate Remedy User Tool with CAC card (UNCLASSIFIED)
Classification: UNCLASSIFIED
Caveats: NONE

Norm,

I forgot to mention we can use the option of setting login prompt to By Preference and for most users this would allow them to log in automatically without a prompt. However, when a user shares a system with multiple people, they'll need to set their Preference record to always prompt for login.

Thank you,

Christopher Michaud
Remedy System Administrator/Developer
US Army Medical Information Technology Center (USAMITC)
Core Technology Division - Systems Engineering Branch
Office: 210.295.3589
DSN: 421-3589

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED]] On Behalf Of Michaud, Christopher W Mr CTR USA MEDCOM
Sent: Tuesday, September 02, 2008 10:55 AM
To: arslist@ARSLIST.ORG
Subject: Re: Integrate Remedy User Tool with CAC card (UNCLASSIFIED)

Classification: UNCLASSIFIED
Caveats: NONE

Norm:

For now, users will still receive a login prompt. However, they can enter their username once and create an account on the client. Following that they can select the username from the dropdown and click OK - no password. My workflow picks up from there.

Thank you,

Christopher Michaud
Remedy System Administrator/Developer
US Army Medical Information Technology Center (USAMITC)
Core Technology Division - Systems Engineering Branch
Office: 210.295.3589
DSN: 421-3589

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED]] On Behalf Of Kaiser Norm E CIV USAF 96 CS/SCCE
Sent: Tuesday, September 02, 2008 10:23 AM
To: arslist@ARSLIST.ORG
Subject: Re: Integrate Remedy User Tool with CAC card (UNCLASSIFIED)

Chris:

If you're doing CAC authentication via workflow, how do you overcome the Remedy User tool's need for username and password? That is, one must first be logged onto the client before one can begin executing workflow.

Your approach sounds very interesting to me...the username/password challenge is what throws me.

Norm

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED]] On Behalf Of Michaud, Christopher W Mr CTR USA MEDCOM
Sent: Tuesday, September 02, 2008 10:02 AM
To: arslist@ARSLIST.ORG
Subject: Re: Integrate Remedy User Tool with CAC card (UNCLASSIFIED)

Classification: UNCLASSIFIED
Caveats: NONE

We chose a phased CAC implementation. The first phase was to CAC enable the Mid-Tier via the IIS server. From there I control the users' access to Remedy and the Mid-Tier application through a process that performs the CAC validation and then passes the validated CAC user to the correct Mid-Tier starting point based on criteria we determine. This required closing a couple holes in the Mid-Tier product to prevent users from trying to circumvent the validation and directly accessing forms via URLs. In some cases we populate the login id, lock it and require a password to be entered based on Remedy permission level. In other cases, I pass the users directly to specific Mid-Tier forms. This is not true SSO but it does perform the required application access validation via CAC card quite well.

Next I'm planning on implementing CAC validation for both the Mid-Tier and the User Tool using simple Remedy-based workflow I've developed. This code does not rely on the DLL hooks to function, but again it performs CAC validation and control - not true SSO. The upside to this is that because it's almost entirely Remedy workflow, it's easy to maintain and customize as needed and it does not need to be updated and recompiled each time your ARS release changes.

The last phase will be to work out the SSO capability.

Thank you,

Christopher Michaud
Remedy System Administrator/Developer
US Army Medical Information Technology Center (USAMITC)
Core Technology Division - Systems Engineering Branch
Office: 210.295.3589
DSN: 421-3589

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Michadick
Sent: Friday, August 29, 2008 7:13 AM
To: arslist@ARSLIST.ORG
Subject: Re: Integrate Remedy User Tool with CAC card (UNCLASSIFIED)

You can add the US Marine Corps to that list. We, too, are upgrading to ARS 7.1 ITSM 7.0 and have to use CAC login. We have our BMC professional services team working on a solution. I'll have them take a look at the USAF's solution and see if it can work for us.

Steve Michadick
Remedy Engineer
Marine Corps Network Operations and Security Center (MCNOSC)
Phone: 703-432-6726

-----Original Message-----
From: Easter, David [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 28, 2008 4:42 PM
Subject: Re: Integrate Remedy User Tool with CAC card (UNCLASSIFIED)

I can try to help a little, although I'm somewhat bound by confidentiality, so I apologize that I can't go into detail beyond what I'll say here.

When the Single Sign-On (SSO) and Other Client-Side Login Intercept Technologies
Re: Integrate Remedy User Tool with CAC card (UNCLASSIFIED)
Classification: UNCLASSIFIED
Caveats: NONE

Users sharing a machine will still have a blank PW. However they won't get the benefit of SSO or auto-login as I prefer to refer to it. CAC validation will still occur after login. In all cases once the login is complete, whether automatic or not, they will be prompted for their CAC PIN. Once they've entered their pin, if they have an invalid CAC (based on whatever criteria you can implement in W/F), they get the boot. For instance, one criteria is that $USER$ value match the People record associated to the unique CAC ID. If not, they get the boot. Otherwise they are redirected to whatever form I want to send them to.

The goal here is to let the AD directory manage the User/Password process. We perform nightly imports of AD via LDAP which populates and creates Users. Since the ITSM People record will be updated with expired/disabled accounts, this will in turn be seen by the CAC validation W/F. In short, Remedy PW management becomes moot as long. However, an account having a password and employing password length, complexity, history, and expiration rules will still get CAC validated.

Thank you,

Christopher Michaud
Remedy System Administrator/Developer
US Army Medical Information Technology Center (USAMITC)
Core Technology Division - Systems Engineering Branch
Office: 210.295.3589
DSN: 421-3589

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED]] On Behalf Of Kaiser Norm E CIV USAF 96 CS/SCCE
Sent: Tuesday, September 02, 2008 12:12 PM
To: arslist@ARSLIST.ORG
Subject: Re: Integrate Remedy User Tool with CAC card (UNCLASSIFIED)

So for those users you have a hardcoded password in the User form? If yes, are you employing password length, complexity, history, and expiration rules?

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED]] On Behalf Of Michaud, Christopher W Mr CTR USA MEDCOM
Sent: Tuesday, September 02, 2008 11:33 AM
To: arslist@ARSLIST.ORG
Subject: Re: Integrate Remedy User Tool with CAC card (UNCLASSIFIED)

Classification: UNCLASSIFIED
Caveats: NONE

Norm,

I forgot to mention we can use the option of setting login prompt to By Preference and for most users this would allow them to log in automatically without a prompt. However, when a user shares a system with multiple people, they'll need to set their Preference record to always prompt for login.

Thank you,

Christopher Michaud
Remedy System Administrator/Developer
US Army Medical Information Technology Center (USAMITC)
Core Technology Division - Systems Engineering Branch
Office: 210.295.3589
DSN: 421-3589

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED]] On Behalf Of Michaud, Christopher W Mr CTR USA MEDCOM
Sent: Tuesday, September 02, 2008 10:55 AM
To: arslist@ARSLIST.ORG
Subject: Re: Integrate Remedy User Tool with CAC card (UNCLASSIFIED)

Classification: UNCLASSIFIED
Caveats: NONE

Norm:

For now, users will still receive a login prompt. However, they can enter their username once and create an account on the client. Following that they can select the username from the dropdown and click OK - no password. My workflow picks up from there.

Thank you,

Christopher Michaud
Remedy System Administrator/Developer
US Army Medical Information Technology Center (USAMITC)
Core Technology Division - Systems Engineering Branch
Office: 210.295.3589
DSN: 421-3589

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED]] On Behalf Of Kaiser Norm E CIV USAF 96 CS/SCCE
Sent: Tuesday, September 02, 2008 10:23 AM
To: arslist@ARSLIST.ORG
Subject: Re: Integrate Remedy User Tool with CAC card (UNCLASSIFIED)

Chris:

If you're doing CAC authentication via workflow, how do you overcome the Remedy User tool's need for username and password? That is, one must first be logged onto the client before one can begin executing workflow.

Your approach sounds very interesting to me...the username/password challenge is what throws me.

Norm

-----Original Message-----
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED]] On Behalf Of Michaud, Christopher W Mr CTR USA MEDCOM
Sent: Tuesday, September 02, 2008 10:02 AM
To: arslist@ARSLIST.ORG
Subject: Re: Integrate Remedy User Tool with CAC card (UNCLASSIFIED)

Classification: UNCLASSIFIED
Caveats: NONE

We chose a phased CAC implementation. The first phase was to CAC enable the Mid-Tier via the IIS server. From there I control the users' access to Remedy and the Mid-Tier application through a process that performs the CAC validation and then passes the validated CAC user to the correct Mid-Tier starting point based on criteria we determine. This required closing a couple holes in the Mid-Tier product to prevent users from trying to circumvent the validation and directly accessing
Re: Integrate Remedy User Tool with CAC card (UNCLASSIFIED)
Classification: UNCLASSIFIED
Caveats: NONE

The Army does the same. You are correct regarding the user not knowing their AD password and for that reason I don't use cross-reference passwords here. Since AD is already doing password length, complexity, expiration enforcement there is no need to repeat this process within Remedy (no different than if we were using Area Authentication) -- we are simply using the CAC w/PIN coupled with a CAC identification/matching process to authenticate. This is the same process you would use if implementing the external DLL and then passing the username and password to the client.

So here's the concept behind this -- with this approach you let everyone with a Remedy User account in the door -- technically we are not authenticating users at this point. Once the user passes the AR login piece, the CAC authentication process (PIN prompt) occurs (this is the authentication we care about). If the CAC/PIN authentication fails for any reason, their session is immediately terminated. Otherwise, we next perform CAC identification (matching the presented CAC certificate to an LDAP entry (info stored in the People/User record) and to the $USER$ value). Now we've confirmed that all checks match and they are who they say they are. Lastly, we can now do additional CAC validation to allow/disallow access based on other business rules.

Think of it this way, the bouncer at the front door asks you for your name and lets you walk in. The hostess then ensures you have an authentic Driver's ID that has not been suspended, meets the minimum age and matches the person presenting it (including the name you originally provided). Once complete, you get a pretty stamp to show for the rest of your visit and you get to drink all night -- if not you're escorted back out the door which slams behind you.

Thank you,
Christopher Michaud
Remedy System Administrator/Developer
US Army Medical Information Technology Center (USAMITC)
Core Technology Division - Systems Engineering Branch
Office: 210.295.3589 DSN: 421-3589

-Original Message-
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Kaiser Norm E CIV USAF 96 CS/SCCE
Sent: Tuesday, September 02, 2008 1:21 PM
To: arslist@ARSLIST.ORG
Subject: Re: Integrate Remedy User Tool with CAC card (UNCLASSIFIED)

Hmmm...OK, so I understand, allow me to propose a sample case. Suppose you have a technician with a CAC. I'm not sure how the Army does it, but in the AF, unless a person is added to what they call an exception group all users have a randomized password in the Active Directory that is unknown to the user. Thus, from the user's perspective, he has no password. Thus, turning on CROSS REF BLANK PASSWORD in this case is useless because he doesn't have a password to cross reference. So then how do you do password length, complexity, expiration enforcement? Do folks in the Army still have known passwords in AD?

-Original Message-
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Michaud, Christopher W Mr CTR USA MEDCOM
Sent: Tuesday, September 02, 2008 1:12 PM
To: arslist@ARSLIST.ORG
Subject: Re: Integrate Remedy User Tool with CAC card (UNCLASSIFIED)

Classification: UNCLASSIFIED
Caveats: NONE

Users sharing a machine will still have a blank PW. However they won't get the benefit of SSO or auto-login as I prefer to refer to it. CAC validation will still occur after login. In all cases once the login is complete, whether automatic or not, they will be prompted for their CAC PIN. Once they've entered their PIN, if they have an invalid CAC (based on whatever criteria you can implement in W/F), they get the boot. For instance, one criterion is that $USER$ value match the People record associated to the unique CAC ID. If not, they get the boot. Otherwise they are redirected to whatever form I want to send them to.

The goal here is to let the AD directory manage the User/Password process. We perform nightly imports of AD via LDAP which populates and creates Users. Since the ITSM People record will be updated with expired/disabled accounts, this will in turn be seen by the CAC validation W/F. In short, Remedy PW management becomes moot as long. However, an account having a password and employing password length, complexity, history, and expiration rules will still get CAC validated.

Thank you,
Christopher Michaud
Remedy System Administrator/Developer
US Army Medical Information Technology Center (USAMITC)
Core Technology Division - Systems Engineering Branch
Office: 210.295.3589 DSN: 421-3589

-Original Message-
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Kaiser Norm E CIV USAF 96 CS/SCCE
Sent: Tuesday, September 02, 2008 12:12 PM
To: arslist@ARSLIST.ORG
Subject: Re: Integrate Remedy User Tool with CAC card (UNCLASSIFIED)

So for those users you
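
The post-login gate described in the messages above (PIN check, match of the card to the People record and to $USER$, then business rules), sketched in Python as an added example. It is not the poster's Remedy workflow or script; the record fields, the `CacResult` shape and the sample data are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class PeopleRecord:
    """Stand-in for a People/User record (field names are hypothetical)."""
    login_id: str      # must equal the $USER$ value of the AR session
    cac_id: str        # unique CAC ID stored for this person
    enabled: bool      # refreshed by the nightly AD/LDAP import

@dataclass(frozen=True)
class CacResult:
    """What the card/PIN step reports (hypothetical shape)."""
    pin_ok: bool
    cac_id: Optional[str]

# Constructed sample directory, keyed by CAC ID.
PEOPLE: Dict[str, PeopleRecord] = {
    "CAC-0001": PeopleRecord("jdoe", "CAC-0001", True),
    "CAC-0002": PeopleRecord("asmith", "CAC-0002", False),
}

def gate_session(ar_user: str, cac: CacResult,
                 people: Dict[str, PeopleRecord] = PEOPLE) -> Tuple[bool, str]:
    """Decide whether a session that already passed AR login may continue.

    ar_user is only a claimed name here: the AR login is not treated as
    authentication, so every path except the last one ends the session.
    """
    # Step 1: CAC/PIN authentication. Any failure terminates immediately.
    if not cac.pin_ok or not cac.cac_id:
        return False, "cac_pin_failed"
    # Step 2: identification. The card must map to a known People record...
    record = people.get(cac.cac_id)
    if record is None:
        return False, "cac_not_in_people"
    # ...and that record must belong to the name given at AR login.
    if record.login_id != ar_user:
        return False, "user_mismatch"
    # Step 3: business rules, here only the disabled/expired account flag.
    if not record.enabled:
        return False, "account_disabled"
    return True, "ok"

def audit(attempts):
    """Run the gate over (ar_user, CacResult) pairs and return the reasons."""
    return [gate_session(user, cac)[1] for user, cac in attempts]
```

The `user_mismatch` branch is what keeps a blank-password AR account from being usable by someone holding a different, valid card.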
Re: Integrate Remedy User Tool with CAC card (UNCLASSIFIED)
Classification: UNCLASSIFIED
Caveats: NONE

The answer is, it's up to you. The user must supply a username with a password at least once. If you turn login prompt off or make it By Preference the user can then not be prompted subsequently. We aren't really using this account or password to authenticate the user from a security standpoint so we don't care about password management (we'll let AD do that) -- it's only used to validate the user and track them once they have passed through the CAC authentication process.

Thank you,
Christopher Michaud
Remedy System Administrator/Developer
US Army Medical Information Technology Center (USAMITC)
Core Technology Division - Systems Engineering Branch
Office: 210.295.3589 DSN: 421-3589

-Original Message-
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Kaiser Norm E CIV USAF 96 CS/SCCE
Sent: Tuesday, September 02, 2008 2:28 PM
To: arslist@ARSLIST.ORG
Subject: Re: Integrate Remedy User Tool with CAC card (UNCLASSIFIED)

I follow you. I think the point I'm just hung up on is the login prompt. When the user double clicks the Remedy User icon, is he presented the User tool login prompt? If yes, what username and password does he supply?

-Original Message-
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Michaud, Christopher W Mr CTR USA MEDCOM
Sent: Tuesday, September 02, 2008 2:10 PM
To: arslist@ARSLIST.ORG
Subject: Re: Integrate Remedy User Tool with CAC card (UNCLASSIFIED)

Classification: UNCLASSIFIED
Caveats: NONE

The Army does the same. You are correct regarding the user not knowing their AD password and for that reason I don't use cross-reference passwords here.
Re: Integrate Remedy User Tool with CAC card (UNCLASSIFIED)
Classification: UNCLASSIFIED
Caveats: NONE

No API, just Remedy W/F with a simple script. Same code works in both Mid-Tier and the User Tool. I figure this will hold them over for as long as it takes for a true BMC integrated SSO/PKI solution.

Christopher Michaud
Remedy System Administrator/Developer
US Army Medical Information Technology Center (USAMITC)
Core Technology Division - Systems Engineering Branch
Office: 210.295.3589 DSN: 421-3589

-Original Message-
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Kaiser Norm E CIV USAF 96 CS/SCCE
Sent: Tuesday, September 02, 2008 2:56 PM
To: arslist@ARSLIST.ORG
Subject: Re: Integrate Remedy User Tool with CAC card (UNCLASSIFIED)

OK...I'm with you. Then after that to actually authenticate the user via CAC you're calling an API of some sort via a run process?

-Original Message-
From: Action Request System discussion list(ARSList) [mailto:[EMAIL PROTECTED] On Behalf Of Michaud, Christopher W Mr CTR USA MEDCOM
Sent: Tuesday, September 02, 2008 2:48 PM
To: arslist@ARSLIST.ORG
Subject: Re: Integrate Remedy User Tool with CAC card (UNCLASSIFIED)

Classification: UNCLASSIFIED
Caveats: NONE

The answer is, it's up to you. The user must supply a username with a password at least once. If you turn login prompt off or make it By Preference the user can then not be prompted subsequently. We aren't really using this account or password to authenticate the user from a security standpoint so we don't care about password management (we'll let AD do that) -- it's only used to validate the user and track them once they have passed through the CAC authentication process.