Re: Top Positions SSO Solution

2010-03-30 Thread Elry
Addendum:

Just visited their website.  Right...

Just visited another website: http://www.javasystemsolutions.com.
This is more like it.

I think I will stick with exploring a solution with: 
http://www.javasystemsolutions.com

The term caveat emptor comes to mind.

Still interested in hearing other feedback.


On Mar 30, 8:01 am, Elry elryal...@gmail.com wrote:
 Hi Guys...

 Got an email from a company called Top Positions.

 http://www.remedy-sso.com/

 They are offering a SSO solution out of the box for Remedy products.

 Has anyone heard of them or tried their product???

___
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
attend wwrug10 www.wwrug.com ARSlist: Where the Answers Are


Re: Top Positions SSO Solution

2010-03-30 Thread Shellman, David
Top Positions is spamming every email address that they can associate with a 
Remedy Admin.  They hit a new email address of mine that was added to the 
www.wwrug.com website a couple of weeks ago.
Dave
-
dave.shell...@tycoelectronics.com
(Wireless)



Re: Top Positions SSO Solution

2010-03-30 Thread Garrison, Sean (Norcross)
Without being too technical I don't really trust an ARS SSO integration that 
much.  In order to build an sso you have to follow a process:

1.  Modify the authentication to the mid-tier to check the user's credentials.
2.  If the user is valid, allow them to log into Remedy.
3.  If the user is from mid-tier and they have valid credentials bypass the 
AREA authentication and let them in.

It is at step 3 where I believe the security hole lies in an SSO 
implementation.  Granted there is some security but it is relatively weak.  
Typically they ask you to enter in a list of ip addresses and a password of 
some type.  This password is usually passed into the Authentication field in 
area.  The IP address is a whitelist to tell area whether or not this is a 
mid-tier ip.  So let's say you added your ip address to the whitelist that you 
configure for the sso implementation.  Using the User tool you enter in the 
mid-tier password into the authentication field and put in your username 
leaving the password field blank.  My guess is that you would log right into 
ars with no problems.  Go further and you could probably spoof one of the 
mid-tier ip addresses so that ars thinks your ip address is one of the 
mid-tiers you could do the same thing with entering in no password just the 
mid-tier password.  I don't know what java system solutions does for this issue 
nor what the remedy-sso does.  But in both flowcharts you see a little arrow 
going from mid-tier to ARS.  Before implementing either SSO I would recommend 
validating with the vendor how secure that data is that is passed between 
mid-tier and ars and your comfort level with this type of security.  The only 
reason I know this is because I have tried to build an SSO solution before. 

Thanks, 

Sean






Re: Top Positions SSO Solution

2010-03-30 Thread Konrad Banasiak
Sean,

You are right. I agree with you.
I will try to explain to you how Plugin SSO from TopPositions works.

If you connect to ARS through the Mid-Tier, the Mid-Tier authenticates to 
ARS through the special password.
Of course the mid-tier IP is on the whitelist (see the Installation guide page 
15, MidTier-IP parameter).

But if the client connects to ARS through the Windows client you have the 
following process:
1. Remedy User authenticates the user in the special Authentication Service 
through NTLM negotiation (NTLMv2) with the Domain Controller. 
2. If the user is confirmed, the Service returns a generated token to Remedy 
User. (The token is unique for every user.)
3. Remedy User passes this token in the Authentication field in AREA to 
ARESSO.
4. AREA SSO confirms this token with the Authentication Service. If the token 
is correct the user is authenticated; if not, the user is not authenticated. 
Of course the Authentication Service confirms the client IP address. And the 
token expires if it is not used for too long.


Cheers

Konrad 

TopPositions
Really the only secure Plugin SSO for BMC Remedy AR System.
Http://www.remedy-sso.com

___
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
attend wwrug10 www.wwrug.com ARSlist: Where the Answers Are
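The two flows discussed in this thread side by side, as an added example that is not code from Top Positions, Java System Solutions or anyone on the list: shared_secret_login models the scheme Sean describes (one mid-tier password in the Authentication field plus an IP whitelist, with the username never checked against anything), and AuthService together with area_sso_login model the four-step token flow Konrad describes (a per-user token bound to the client IP that expires when idle). Every name here is hypothetical, step 1 (the NTLMv2 logon against the domain controller) is assumed to have already succeeded, and the sample users, IP addresses and timestamps are constructed:

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Set


@dataclass
class IssuedToken:
    """Record the Authentication Service keeps for one issued token."""
    user: str
    client_ip: str
    last_used: float


class AuthService:
    """Hypothetical stand-in for the 'special Authentication Service' in the
    thread: issues one token per (user, client IP) and verifies tokens on
    behalf of the AREA plugin. A token dies after idle_timeout_s of non-use."""

    def __init__(self, idle_timeout_s: float,
                 clock: Callable[[], float] = time.time):
        self.idle_timeout_s = idle_timeout_s
        self.clock = clock
        self._tokens: Dict[str, IssuedToken] = {}

    def issue(self, user: str, client_ip: str) -> str:
        # Step 1 of the described flow (NTLMv2 against the domain controller)
        # is assumed to have succeeded before this call; it is not modelled.
        token = secrets.token_urlsafe(32)
        self._tokens[token] = IssuedToken(user, client_ip, self.clock())
        return token

    def verify(self, token: str, claimed_user: str, client_ip: str) -> bool:
        rec = self._tokens.get(token)
        if rec is None:
            return False
        now = self.clock()
        if now - rec.last_used > self.idle_timeout_s:
            del self._tokens[token]      # idle too long: token is dead
            return False
        # The token is bound to one user and one client IP, so a leaked token
        # is useless as another user or from another host.
        if rec.user != claimed_user or rec.client_ip != client_ip:
            return False
        rec.last_used = now              # successful use refreshes the idle timer
        return True


def shared_secret_login(mid_tier_secret: str, whitelist: Set[str],
                        auth_field: str, username: str, client_ip: str) -> bool:
    """The weaker scheme Sean describes: one shared mid-tier password in the
    Authentication field plus an IP whitelist. `username` is never checked,
    so any holder of the secret on a whitelisted host is accepted as whoever
    they claim to be."""
    return hmac.compare_digest(auth_field, mid_tier_secret) and client_ip in whitelist


def area_sso_login(service: AuthService, token: str,
                   username: str, client_ip: str) -> bool:
    """Step 4 of Konrad's flow: the AREA plugin hands token, claimed user and
    connecting IP to the service and accepts only if all three agree."""
    return service.verify(token, username, client_ip)


def demo() -> Dict[str, bool]:
    """Walk through the cases a reviewer would want to see (constructed inputs)."""
    now = [1000.0]                       # injectable clock so expiry is deterministic
    service = AuthService(idle_timeout_s=300, clock=lambda: now[0])
    token = service.issue("alice", "10.0.0.5")

    results = {
        "valid": area_sso_login(service, token, "alice", "10.0.0.5"),
        "other_user": area_sso_login(service, token, "bob", "10.0.0.5"),
        "other_ip": area_sso_login(service, token, "alice", "10.0.0.9"),
        "unknown_token": area_sso_login(service, "not-a-token", "alice", "10.0.0.5"),
    }
    now[0] += 301                        # sit idle past the timeout
    results["idle_expired"] = area_sso_login(service, token, "alice", "10.0.0.5")

    # Shared-secret scheme: any username passes from a whitelisted host.
    whitelist = {"10.0.0.2"}
    results["shared_as_any_user"] = shared_secret_login(
        "midtier-pw", whitelist, "midtier-pw", "bob", "10.0.0.2")
    results["shared_bad_ip"] = shared_secret_login(
        "midtier-pw", whitelist, "midtier-pw", "bob", "10.0.0.7")
    return results


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:20s} -> {'accepted' if ok else 'rejected'}")
```

Run it directly and each case prints accepted or rejected. The demo shows why the token scheme is the stronger check: the same token is refused for a different user, from a different IP and after sitting idle, while the shared-secret scheme accepts any username from a whitelisted host, which is exactly the gap Sean points at. Whichever product is chosen, this is the behaviour to ask the vendor to demonstrate, together with how the token or secret travels between mid-tier and ARS.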


Re: Top Positions SSO Solution

2010-03-30 Thread Elry
Thanks for all the responses...

Konrad - quick question:  Seems like you are saying that by signing on
through the WUT - there is a secure protocol that is followed when
using Java System's plugin.

Are there any issues when trying to do SSO through the Mid-Tier?

Not that I perceive this as an issue for us, since we are primarily
focused on the WUT.





Re: Top Positions SSO Solution

2010-03-30 Thread Konrad Banasiak
Sean,

Java System's plugin uses an authentication password saved in the Windows
registry on all workstations to authenticate users through the RUT.
All users have the same password. In my opinion it is not a very safe method.

Mid-tier uses the ARSAPI to communicate with ARS, so communication between MT
and ARS is encrypted.
Of course we must believe that the encryption method between ARS and MT used
by BMC is safe.

In this document you can read about ARS security:
http://documents.bmc.com/supportu/documents/22/39/92239/92239.pdf



Cheers

Konrad

TopPositions
Really the only secure Plugin SSO for BMC Remedy AR System.
Http://www.remedy-sso.com


Re: Top Positions SSO Solution

2010-03-30 Thread Daniel Bloom
If I remember correctly there was some question as to whether remedy-sso had
taken the javasystemsolutions solution and put up a web site.

Perhaps either party would like to post to the list to clarify this.

If they are not a legitimate company I will block their posts.

 Dan 



Re: Top Positions SSO Solution

2010-03-30 Thread patrick zandi
There is ours as well: DevTechnology Group has its own version of arsso,
free to the community that we love...
It utilizes CAC authentication and is configurable.
As presented at RUG 09:
Smart Card Integration with BMC Remedy to meet DoD Common Access Card and
HSPD-12 / FIPS 201 PIV Credential requirements.

www.devtechnology.com/download.aspx






-- 
Patrick Zandi



Re: Top Positions SSO Solution

2010-03-30 Thread Danny Kellett
Konrad,

That's incorrect. We do not use the authentication string any more, as many
of the BMC products have bugs in them which prevent SSO being implemented
correctly and safely. I can provide an official list of SW numbers if you
wish, where the authentication string is not passed correctly. To name a
few: Crystal Reports integration and Flashboards within the Windows User
Tool. So good luck when you find your first customer who wants to use
reports on the web or flashboards in the WUT.

Sean, et al,

Java System Solutions has been working with BMC as an SSO solution provider
for four years now. We have partners that support and sell our product, such
as BMC themselves, Materna in Germany and Denmark (who this month have
published an article about our solution in their magazine, including an
embarrassing picture of John Baker and myself; I'm only 34 years old,
honest!), Comfort in Poland, which Konrad used to work for, SoftwareOne
and Zones. So we have customers which are banks where security has become a
priority, and we were happy to modify our product as required, in partnership
with these customers.

So I can confidently let you know, and provide references from customers
and partners who can verify our security.

In version 2.1, for the WUT SSO, we did store a password in the registry
encrypted by AES (http://en.wikipedia.org/wiki/Advanced_Encryption_Standard).
This was seen as secure enough for two large American banks and one Polish
bank.
In version 3.0, due for release in April, we have added another layer of
encryption for the WUT where the password uses rotating keys, very similar to
http://www.freshpatents.com/Rotation-of-keys-during-encryption-decryption-dt20061214ptan20060280298.php
Again, all this is passed in the password field instead of the
authentication field, and thus is again encrypted by BMC's own DES encryption
over the wire.

I believe, with all that above, we are confidently happy with our product, and
so could many BMC representatives and partners alike.

Elry,

This is turning into a bit of an advert, and for that I apologise Dan/List,
but you can find out more information from www.javasystemsolutions.com or
send me an email off the list: dkell...@javasystemsolutions.com

Kind regards
Danny 


Re: Top Positions SSO Solution

2010-03-30 Thread Elry
Thanks Danny...

I will be in contact with your company shortly re: assembling our team
for a product Demo and QA.

Cheers!



Re: Top Positions SSO Solution

2010-03-30 Thread Konrad Banasiak
Danny,

You are right, it is a bug in the BMC Remedy User tool.
But this problem is independent of whether SSO is used or not.
You can always use, for example, HTTP analyzer software to listen on the TCP port,
because the flashboards are provided through the mid-tier.
The worst situation is when you use the arealdap plugin from BMC to authenticate
users, because then you can snaffle the password for the domain username.
So it is a very dangerous situation.
It is a little better when you store the passwords to Remedy in the user form, because
this time when you snaffle the password, you will only have permission to
Remedy.
The best situation is when you use Plugin SSO from Top Positions. In Plugin
SSO, to authenticate in Remedy the user uses a special token which is generated for
each user and IP address, so if somebody snaffles this token he will log in
only to Remedy, and of course the token expires.
Another worst situation is when all people use the same key, because then if
somebody snaffles the password he will affect whomever he wants.

So if you want to have a very safe system, you have two possibilities:
1. Don't use the BMC Remedy User tools (only web)
2. You can configure SSL on Tomcat. (Because the flashboards server, SRM and
Crystal Reports are provided by the mid-tier).



Danny wrote:

In version 2.1, for the WUT SSO, we did store a password in the registry
encrypted by AES http://en.wikipedia.org/wiki/Advanced_Encryption_Standard

This is really a bug. Should I show you how you can decrypt this password?
So I think you should publish information on your site that your plugin is
not so safe.

Danny wrote: This was seen as secure enough for two large American banks and
one Polish Bank.

The Polish bank doesn't use SSO for the RUT because they know the bug.

Cheers
 
Konrad

TopPositions
Really the only secure Plugin SSO for BMC Remedy AR System.
http://www.remedy-sso.com


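As an added illustration (not code from Top Positions or Java System Solutions), here is the kind of token Konrad describes: bound to one user and one client IP address, short-lived, and checked with a key that only the authentication service and the AREA plugin hold, never the workstations. The token format, the service key and the function names are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional

# Constructed demo key: in the design described it would be held by the
# authentication service and the AREA plugin only, never by the workstations.
SERVICE_KEY = b"constructed-demo-key-do-not-reuse-in-production"
MAC_LEN = hashlib.sha256().digest_size  # 32 bytes


def issue_token(user: str, client_ip: str, ttl: int = 300,
                now: Optional[float] = None) -> str:
    """Issue base64(user|ip|expiry || HMAC), bound to one user, one address
    and a short lifetime (hypothetical format, not the vendor's)."""
    if "|" in user or "|" in client_ip:
        raise ValueError("separator not allowed in user or ip")
    now = time.time() if now is None else now
    payload = f"{user}|{client_ip}|{int(now) + ttl}".encode()
    mac = hmac.new(SERVICE_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + mac).decode()


def verify_token(token: str, client_ip: str,
                 now: Optional[float] = None) -> Optional[str]:
    """Return the user name if the token is authentic, unexpired and is
    presented from the address it was issued to; otherwise None."""
    now = time.time() if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except (ValueError, TypeError):
        return None
    if len(raw) <= MAC_LEN:
        return None
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(SERVICE_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return None  # forged or tampered token
    parts = payload.split(b"|")
    if len(parts) != 3:
        return None
    try:
        user, ip, expiry = parts[0].decode(), parts[1].decode(), int(parts[2])
    except ValueError:
        return None
    if ip != client_ip:
        return None  # a token taken from one workstation is useless from another
    if now >= expiry:
        return None  # expired: the window for misuse is bounded by the TTL
    return user
```

A single shared static password, by contrast, carries no user, address or expiry for the server to check, so whoever obtains it can act as anyone from anywhere for as long as it stays unchanged.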



-Original Message-
From: Action Request System discussion list(ARSList)
[mailto:arsl...@arslist.org] On Behalf Of Danny Kellett
Sent: Tuesday, March 30, 2010 6:12 PM
To: arslist@ARSLIST.ORG
Subject: Re: Top Positions SSO Solution

Konrad,

That's incorrect. We do not use the authentication string any more as many
of the BMC products have bugs in them which prevent SSO being implemented
correctly and safely. I can provide an official list of SW numbers if you
wish, where the authentication string is not passed correctly. To name a
few, Crystal Reports integration and Flashboards within the Windows User
Tool. So good luck when you find your first customer who wants to use
reports on the web or flashboards in the WUT.

Sean, et al,

Java System Solutions has been working with BMC as an SSO solution provider
for four years now. We have partners that support and sell our product such
as BMC themselves, Materna in Germany and Denmark, who this month
have published an article about our solution in their magazine (including an
embarrassing picture of John Baker and myself, I'm only 34 years old,
honest!), Comfort in Poland, which Konrad used to work for, SoftwareOne
and Zones. So we have customers which are banks where security has become a
priority and we were happy to modify our product as required, in partnership
with these customers.

So I can confidently let you know, and provide references, from customers
and partners who can verify our security.

In version 2.1, for the WUT SSO, we did store a password in the registry
encrypted by AES http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
This was seen as secure enough for two large American banks and one Polish
Bank.
In version 3.0, due for release in April, we have added another layer of
encryption for the WUT where the password uses rotating keys very similar to
http://www.freshpatents.com/Rotation-of-keys-during-encryption-decryption-dt20061214ptan20060280298.php
Again, all this is passed in the password field instead of the
authentication field, and thus is again encrypted by BMC's own DES encryption
over the wire.

I believe with all that above, we are confidently happy with our product and
so could many BMC representatives and partners alike.

Elry,

This is turning into a bit of an advert, and for that I apologise Dan/List,
but you can find out more information from www.javasystemsolutions.com or
send me an email off the list dkell...@javasystemsolutions.com

Kind regards
Danny 

-Original Message-
From: Action Request System discussion list(ARSList)
[mailto:arsl...@arslist.org] On Behalf Of Konrad Banasiak
Sent: 30 March 2010 16:17
To: arslist@ARSLIST.ORG
Subject: Re: Top Positions SSO Solution

Sean,

Java System's plugin uses an authentication password saved in the Windows
registry on all workstations to authenticate users through the RUT.
All users have the same password. In my opinion it is not a very safe method.

The Mid-tier uses the ARSAPI to communicate with ARS, so communication between the MT
and ARS is encrypted.
Of course we must believe that the encryption method between ARS and MT used by BMC
is safe.

In this document you can

Re: Top Positions SSO Solution

2010-03-30 Thread Shellman, David
Konrad,

The desktop client is on the endangered species list.  It's not going to be 
much longer before it is extinct.

Also I do not appreciate getting email sent to the email address listed on 
www.wwrog.com from your company.  That email address has only been listed there 
for less than two weeks.  It is not the email address I use to post to the ARS 
List.  Technically those emails should include a way to opt out.  There wasn't 
any.
--Original Message--
From: Konrad Banasiak
To: Arslist
ReplyTo: Arslist
Subject: Re: Top Positions SSO Solution
Sent: Mar 30, 2010 4:07 PM
