HP SM934 Security Guide
HP Service Manager
Software Version: 9.34
Security Guide
Document Release Date: October 2014
Legal Notices
Warranty
HP provides the following recommendations for increasing the security of your overall
infrastructure for informational purposes only. These are only recommendations and
are not intended to be a guarantee of protection against all potential vulnerabilities
and attacks. Please note that some security measures may impact the features and
functionality of your overall system; it is recommended that every customer become
aware of those impacts when implementing any changes to your environment.
Use of this HP Software Product, [Service Manager] may require the pre-installation
of certain third-party components that are not provided by HP (Third Party Components). HP recommends that its customers check frequently for the most current updates to the Third Party Components, which may include fixes or patches
for security vulnerabilities.
The only warranties for HP products and services are set forth in the express warranty
statements accompanying such products and services. Nothing herein should be
construed as constituting an additional warranty. HP shall not be liable for technical
or editorial errors or omissions contained herein.
The information contained herein is subject to change without notice.
Restricted Rights Legend
Confidential computer software. Valid license from HP required for possession, use or
copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software,
Computer Software Documentation, and Technical Data for Commercial Items are
licensed to the U.S. Government under vendor's standard commercial license.
Copyright Notices
Copyright 2014 Hewlett-Packard Development Company, L.P.
Trademark Notices
Adobe is a trademark of Adobe Systems Incorporated.
Java is a registered trademark of Oracle and/or its affiliates.
Microsoft and Windows are U.S. registered trademarks of Microsoft Corporation.
Oracle is a registered US trademark of Oracle Corporation, Redwood City, California.
UNIX is a registered trademark of The Open Group.
For a complete list of open source and third party acknowledgements, visit the HP
Software Support Online web site and search for the product manual called HP Service
Manager Open Source and Third Party License Agreements.
Documentation Updates
The title page of this document contains the following identifying information:
Software Version number, which indicates the software version.
The number before the period identifies the major release number.
The first number after the period identifies the minor release number.
The second number after the period represents the minor-minor release
number.
Document Release Date, which changes each time the document is updated.
Software Release Date, which indicates the release date of this version of the
software.
To check for recent updates or to verify that you are using the most recent edition, visit
the following URL:
https://softwaresupport.hp.com/
This site requires that you register for an HP Passport and sign-in. To register for an
HP Passport ID, go to:
https://hpp12.passport.hp.com/hppcf/login.do
You will also receive updated or new editions if you subscribe to the appropriate
product support service. Contact your HP sales representative for details.
Support
You can visit the HP Software support web site at:
www.hp.com/go/hpsoftwaresupport
This web site provides contact information and details about the products, services,
and support that HP Software offers.
HP Software online software support provides customer self-solve capabilities. It
provides a fast and efficient way to access interactive technical support tools needed to
manage your business. As a valued support customer, you can benefit by using the
support site to:
Search for knowledge documents of interest
Submit and track support cases and enhancement requests
Download software patches
Manage support contracts
Look up HP support contacts
Review information about available services
Enter into discussions with other software customers
Research and register for software training
Most of the support areas require that you register as an HP Passport user and sign
in. Many also require an active support contract. To find more information about
support access levels, go to the following URL:
http://h20230.www2.hp.com/new_access_levels.jsp
To register for an HP Passport ID, go to the following URL:
http://h20229.www2.hp.com/passport-registration.html
Contents
1 Welcome to This Guide
   Introduction
2 Secure Implementation and Deployment
   Technical System Landscape
   Security in Basic & Clustered SM Configurations
   External Authentication
   Proxy Authentication Support
   Common Security Considerations
3 Service Manager Security Parameters
   Secure File Storage
   Secure Debug Features
   Secure Access to SM
   Best Practice
4 Installation Security
   Supported Operating Systems
   Web Application Server Security Recommendations
   Web Server Security Recommendations
   Database Security Recommendations
   Application Server Security Recommendations
   Best Practice
5 Network and Communication Security
   Secure Topology
   Reverse Proxy Overview
   Reverse Proxy Security
   FAQ
6 Administration Interface
7 User Management and Authentication
   Authentication Model
   Authentication Administration and Configurations
   Best Practice
8 Authorization
   Authorization Model
   Authorization Configuration
   FAQ
9 Data Integrity
10 Encryption
   TLS/SSL Data Transmission
   Encryption of stored database fields
   Digital Signatures
11 Logs
   Log and Trace Model
   FAQ
12 APIs and Web Services Security
   Authentication Model
   Security Considerations
   SM Smart Analytics Server Recommendations
1 Welcome to This Guide
Introduction
Welcome to the HP Service Manager Security Guide.
This guide is intended for Service Manager implementers and system
administrators who need to implement their Service Manager environment in
a secure manner.
2 Secure Implementation and Deployment
This chapter provides information on implementing and deploying HP
Service Manager (SM) in a secure manner.
Technical System Landscape
HP Service Manager is a suite of enterprise applications based on various
industry standard technologies. Service Manager Server (RTE) is written
using Java and C++ programming languages. The Service Manager Web Tier
and Windows Eclipse client are written in Java and utilize Java EE and SE
technologies and JavaScript. When deployed together, these applications
comprise a typical Service Manager system running in a three-tier
architecture.
For more information about typical deployment schemes and options please
reference the Service Manager Deployment Sizing Guide available through
the HP Software Support Online website and the HP Service Manager Online
Help Center topic, Server Implementation Options available from the HP
Service Manager installation media.
Security in Basic & Clustered SM Configurations
HP Service Manager configurations may be deployed in the following distinct
implementations. For more information, please reference the Service
Manager Deployment Sizing Guide available through the HP Software
Support Online website and the HP Service Manager Online Help Center
topic, Server Implementation Options available from the HP Service Manager
installation media.
1) Single servlet implementation (non-clustered basic configuration)
2) Vertical scaling implementation (simple clustering)
3) Horizontal scaling implementation (advanced clustering)
All of these implementations share the same basic out-of-the-box security
configuration options.
1) In an out-of-the-box default installation, there is no TLS/SSL security
enabled between the individual components of HP Service Manager's
three-tier architecture. This is primarily due to the ease-of-installation
requirements needed to allow consultants, system administrators and
customers to quickly set up demonstration, proof-of-concept and test
environments.
2) In an out-of-the-box default installation, HP Service Manager requires
users to enter username and password credentials to gain access to the
application. This basic authentication & authorization provider for HP
Service Manager consists of a non-FIPS 140-2 compliant module that
utilizes industry standard cryptography such as PBEWithMD5AndDES.
Information about the FIPS 140-2 configuration can be found in the HP
Service Manager Online Help Center topic, FIPS mode.
3) With additional configuration, it is possible to enable strong TLS/SSL
security between the individual components of HP Service Manager's
three-tier architecture. In addition, SM provides two-factor
authentication with its CAC support and Trusted Sign-On features. The
steps for enabling TLS/SSL are documented in the HP Service Manager
Online Help Center topic, Secure Sockets Layer (SSL) encryption and
server certificates. Information on SM's CAC and TSO features can be
found in the External Authentication section of this chapter.
External Authentication
With additional configuration, it is possible to supplement or replace the
default authentication & authorization provider for HP Service Manager by
using a variety of industry-standard protocols and tools such as LDAP, CAC,
Windows Integrated Authentication, Kerberos, Single Sign-On and Trusted
Sign-On. For additional information on these options, please refer to the
following White Papers available through the HP Service Manager Online
Help Center or via HP Software Support Online:
a. Integrating Service Manager with Directory Services using LDAP
b. Setting up Single Sign-On in Service Manager
c. HP Service Manager Online Help topics:
i. Trusted Sign-On
ii. Common Access Card (CAC) sign-on
iii. Using LW-SSO with integrations
Proxy Authentication Support
SM supports the use of proxy servers that require authentication. As
described previously, SM can run in a number of distinct implementations
that can extend the tiers of the standard SM three-tier architecture. One
example is the SM Webtier component running on a standard Java-based
application server that must be accessed by a web browser. If there is a
security requirement to separate the end users' browsers from the SM
Webtier component via a proxy device that requires authentication, this is
supported transparently, as the authenticated proxy configuration is specified
in the user's web browser settings. For information on how to configure a
proxy server for your browser, please refer to the following:
Microsoft Internet Explorer
http://support2.microsoft.com/kb/135982
Mozilla Firefox
https://support.mozilla.org/en-US/kb/advanced-settings-browsing-network-updates-encryption#w_connection
Google Chrome
https://support.google.com/chrome/answer/96815
Common Security Considerations
HP Service Manager components may be deployed on numerous industry
standard operating systems and run on numerous third-party web-tier
infrastructure software such as Apache HTTP Server, IBM Websphere,
JBOSS application Server, Oracle Weblogic, and Apache Tomcat. As such, it
is recommended to keep up-to-date on vendor-provided best practices and
security hardening guides for each of the third-party components used in
support of your HP Service Manager deployment. Below are some resources
that can serve as a starting point for researching these recommended
security considerations:
IBM Websphere
Advanced security hardening in WebSphere Application Server V7, V8 and
V8.5, Part 1: Overview and approach to security hardening
http://www.ibm.com/developerworks/websphere/techjournal/1210_lansche/1210_lansche.html
Apache Tomcat
Security Considerations
https://tomcat.apache.org/tomcat-7.0-doc/security-howto.html
JBoss
Hardening Guidelines
https://docs.jboss.org/author/display/AS72/Hardening+Guidelines?_sscc=t
Apache HTTP Server
Security Tips
https://httpd.apache.org/docs/current/misc/security_tips.html
Oracle 11g database server
Oracle Database Documentation Library: Security
http://docs.oracle.com/cd/E11882_01/nav/portal_25.htm
Microsoft SQL Server
Database Engine Security Checklist Database Engine Security Configuration
http://social.technet.microsoft.com/wiki/contents/articles/1256.database-engine-security-checklist-database-engine-security-configuration.aspx
3 Service Manager Security Parameters
This chapter contains references to some of the Service Manager parameters
that are relevant to security. For a comprehensive list of parameters, please
reference the Service Manager Online Help Center topic, System Security.
Secure File Storage
SM allows users to upload files to the Service Manager Server (RTE)
component. This is accomplished mainly via the two main client-types, the
Service Manager Windows (Eclipse) and Service Manager Webtier clients.
This feature allows users to upload attachments to SM records such as
incidents, changes, and knowledge articles. All files uploaded to the server
must be validated, since they can contain viruses, malicious code, or trojans.
An attacker or a malicious user can upload malicious files from one account
and then download them to diverse clients. However, because file
attachments are stored in the SM database as BLOB data, it is not possible
to perform virus or malware scanning once a file has been uploaded to the SM
Server component.
As a result, it is strongly recommended to implement proper antivirus
protection for the file storage allocated in the SM Webtier client's deployed
WAR file and in the SM Windows (Eclipse) client's installation directory.
For the SM Webtier client, this is typically referred to as the scratch or
temporary directory of the Java application server hosting the SM Webtier
client.
E.g.
/work/Catalina/localhost//attachments
Example: C:\Program Files\Apache Software Foundation\Tomcat 7.0\work\Catalina\localhost\webtier-9.34\attachments
Your path may vary greatly depending on the Java application server used to
host SM Webtier client.
For the SM Windows (Eclipse) client, the path is referred to as the workspace
directory.
E.g.
%USERPROFILE%/Service Manager/workspace/.metadata/.plugins/com.hp.ov.sm.client.eclipse.user/attachments/
Example:
C:\Users\Administrator\ServiceManager\workspace\.metadata\.plugins\com.hp.ov.sm.client.eclipse.user\attachments
Secure Debug Features
Service Manager provides a set of tools for troubleshooting and to provide
better supportability. These features, which can expose sensitive internal
information about the system and about activities performed on the system,
are disabled by default. It is recommended to validate that the parameters
are reset to the default values immediately after using the debug parameter.
The debug related parameters are fully documented in the HP Service
Manager Online Help Center topic, Debugging parameters.
Secure Access to SM
Please see Chapter 9 of this document for information on the parameters
required to access HP Service Manager in a secure fashion.
Best Practice
The Service Manager administrator can limit the types and sizes of files that
can be uploaded to SM and downloaded by SM clients. For complete and
detailed information please reference these HP Service Manager Online Help
Center topics:
a. Support for blocking attachments with certain file extensions
b. Customize the forbidden list of attachment file extensions
c. Setting file attachment limits
During attachment file processing on the Service Manager Web tier, it is
possible to configure a white list (allowed list) of file extensions that may be
uploaded by users. This is an additional layer of filtering & protection that
occurs at the SM Web tier before the file ever reaches the SM Server
(RTE) for additional processing. It is recommended to use the attachment
whitelisting feature by adding the following parameter in the
SM Webtier's web.xml:

    <servlet>
      <description>Attachment upload servlet for AJAX request</description>
      <display-name>Attachment Upload Servlet for AJAX request</display-name>
      <servlet-name>AttachmentUploadAjax</servlet-name>
      <servlet-class>com.hp.ov.sm.client.webtier.FileUploadAjaxServlet</servlet-class>
      <init-param>
        <param-name>allowed</param-name>
        <param-value>bmp,jpg,jpeg,png,gif,doc,xls,rtf,txt,docx,xlsx,ppt,pptx,pdf,msg,zip,tar,gz,tgz,log,unl</param-value>
      </init-param>
    </servlet>

This init-param setting may be added for any of the upload servlets listed
in the SM Webtier's web.xml file that have the following servlet-class value:
com.hp.ov.sm.client.webtier.FileUploadServlet
Please give thoughtful consideration to the list of files as the defaults may be
too restrictive. This parameter specifies the allowed list of file extensions that
may be attached to a SM record such as an Incident, Change, Interaction or
Problem record.
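The allow-list setting above can be checked mechanically. The following is an added example, not part of the HP guide or of Service Manager: it parses a web.xml and reports upload servlets that have no "allowed" init-param or whose list contains extensions worth a second look. The review list, the sample document and every servlet name other than AttachmentUploadAjax are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Upload servlet classes named in this guide.
UPLOAD_CLASSES = {
    "com.hp.ov.sm.client.webtier.FileUploadServlet",
    "com.hp.ov.sm.client.webtier.FileUploadAjaxServlet",
}

# Assumption (not from the guide): extensions a reviewer would want justified
# before they appear on an allow list. Adjust to local policy.
REVIEW_EXTENSIONS = {"exe", "bat", "cmd", "vbs", "js", "jar", "jsp",
                     "html", "htm", "svg", "ps1", "hta"}

# Constructed sample. Only AttachmentUploadAjax, the two HP class names and
# the first allow list come from the guide; the rest is hypothetical.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>AttachmentUploadAjax</servlet-name>
    <servlet-class>com.hp.ov.sm.client.webtier.FileUploadAjaxServlet</servlet-class>
    <init-param>
      <param-name>allowed</param-name>
      <param-value>bmp,jpg,jpeg,png,gif,doc,xls,rtf,txt,docx,xlsx,ppt,pptx,pdf,msg,zip,tar,gz,tgz,log,unl</param-value>
    </init-param>
  </servlet>
  <servlet>
    <servlet-name>ExampleUpload</servlet-name>
    <servlet-class>com.hp.ov.sm.client.webtier.FileUploadServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>ExampleUploadWide</servlet-name>
    <servlet-class>com.hp.ov.sm.client.webtier.FileUploadServlet</servlet-class>
    <init-param>
      <param-name>allowed</param-name>
      <param-value>pdf, TXT, .jsp,exe</param-value>
    </init-param>
  </servlet>
  <servlet>
    <servlet-name>ExampleOther</servlet-name>
    <servlet-class>com.example.OtherServlet</servlet-class>
  </servlet>
</web-app>"""


def _local(tag):
    """Strip the XML namespace so the check works with any web-app schema version."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Return the stripped text of the first direct child called `name`, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def parse_extensions(value):
    """Normalise a comma-separated list for review (lower case, no leading dot).
    This is for reporting only; it does not claim to mirror how SM compares names."""
    return {p.strip().lower().lstrip(".") for p in value.split(",") if p.strip()}


def audit_upload_servlets(web_xml_text):
    """Return (servlet-name, issue, detail) tuples for the upload servlets.
    The input is expected to be the administrator's own, trusted web.xml."""
    root = ET.fromstring(web_xml_text)
    findings = []
    for servlet in (e for e in root.iter() if _local(e.tag) == "servlet"):
        if _child_text(servlet, "servlet-class") not in UPLOAD_CLASSES:
            continue  # not an attachment upload servlet
        name = _child_text(servlet, "servlet-name") or "(unnamed)"
        allowed = None
        for param in servlet:
            if (_local(param.tag) == "init-param"
                    and _child_text(param, "param-name") == "allowed"):
                allowed = _child_text(param, "param-value") or ""
        if allowed is None:
            findings.append((name, "missing-allow-list", ""))
            continue
        extensions = parse_extensions(allowed)
        if not extensions:
            findings.append((name, "empty-allow-list", ""))
        flagged = sorted(extensions & REVIEW_EXTENSIONS)
        if flagged:
            findings.append((name, "review-extensions", ",".join(flagged)))
    return findings


if __name__ == "__main__":
    for finding in audit_upload_servlets(SAMPLE_WEB_XML):
        print("%s: %s %s" % finding)
```
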
4 Installation Security
This chapter provides information on aspects of installation security.
Supported Operating Systems
For the list of supported system environments, refer to the Support Matrix.
Note: The supported environment information in the Support Matrix is
accurate for the Service Manager 9.34 release, but there may be subsequent
updates. For the most up-to-date supported environments, refer to the HP
Software Support Matrix Web site using the following URL:
http://support.openview.hp.com/sc/support_matrices.jsp
Web Application Server Security Recommendations
Service Manager recommends enabling TLS/SSL communications between
the SM web application server and the web browser. This may be
implemented through the secureLogin and sslPort parameters in the web tier
configuration file (web.xml), and requires TLS/SSL be configured on the web
application server (e.g. Tomcat, JBoss, etc).
Information about the secureLogin and sslPort parameters is available in
these HP Service Manager Online Help Center topics:
Web parameter: secureLogin
Web parameter: sslPort
If you integrate an HTTP web server such as Microsoft IIS or Apache HTTP
Server with your web application server (Tomcat, JBoss, etc.), it is not
necessary to use the secureLogin and sslPort parameters as described above,
because each web server has its own set of instructions for implementing
TLS/SSL communications.
Please note that the Service Manager Webtier stores TLS/SSL certificate
information in a standard Java Keystore file format. Beginning with 9.34.P2,
the password for the Java keystore file is encrypted in the file
webtier.properties. Additional details on this new feature can be found in the
SM 9.34.P2 Release Notes.
The steps for enabling TLS/SSL communications vary depending on the
combination of third-party products used in support of Service Manager.
As such, HP cannot document all possible combinations. The following
links are helpful pointers that discuss the available options for enabling
TLS/SSL communications between the SM web servers/SM web application
servers and web browsers.
Apache Tomcat
See http://tomcat.apache.org/tomcat-6.0-doc/index.html and
http://tomcat.apache.org/tomcat-7.0-doc/index.html for information on
Apache Tomcat SSL configuration and other security considerations.
IBM WebSphere Application Server (WAS)
See https://www.ibm.com/developerworks/websphere/zones/was/security/
for information on WebSphere Application Server SSL configuration and
other security considerations.
Oracle WebLogic
See http://docs.oracle.com/cd/E24329_01/web.1211/e24446/security.htm
for information on Oracle WebLogic SSL configuration and other security
considerations.
JBoss EAP
See https://access.redhat.com/site/documentation/en-US/JBoss_Enterprise_Application_Platform/5/pdf/Security_Guide/JBoss_Enterprise_Application_Platform-5-Security_Guide-en-US.pdf
for information on JBoss EAP SSL configuration and other security considerations.
Web Server Security Recommendations
IIS Web Server
See http://www.iis.net/ for information on enabling SSL for all interactions
with the web server.
Note: SSL should be enabled for the entire IIS web server under which you
installed the Service Manager application.
To disable weak ciphers on IIS, refer to
http://support.microsoft.com/kb/187498/en-us.
Apache Web Server
See http://httpd.apache.org/docs/current/ssl/ssl_howto.html for
information on enabling SSL for all interactions with the web server and on
enforcing strong security.
Database Security Recommendations
Oracle
See http://www.oracle.com/us/technologies/security/overview/index.html
for information about Oracle database security solutions.
SQL Server
See http://msdn.microsoft.com/en-us/library/bb669074%28v=vs.110%29.aspx
for information about SQL Server database security features.
DB2
See http://www-01.ibm.com/software/data/db2/linux-unix-windows/security/
for information about DB2 database security features.
Application Server Security Recommendations
When configuring TLS/SSL on the Service Manager Server, keep your Java
keystore file in a private directory with restricted access. Although the
Java keystore is password protected, it is vulnerable as long as the
default password, changeit, has not been changed.
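Both keystore recommendations above can be verified on a deployed file. The following is an added example, not part of the HP guide or of Service Manager: it uses the JKS file layout (a header with magic 0xFEEDFEED and a trailing SHA-1 integrity digest keyed with the store password) to test whether a keystore still opens with changeit, and checks the POSIX file mode. It assumes a JKS-format keystore; the function names and the constructed sample keystore are illustrative.

```python
import hashlib
import hmac
import os
import stat
import struct

JKS_MAGIC = 0xFEEDFEED            # first four bytes of a JKS keystore
JKS_WHITENER = b"Mighty Aphrodite"  # constant mixed into the JKS integrity digest
DEFAULT_PASSWORD = "changeit"     # default named in the guide


def jks_integrity_digest(body, password):
    """SHA-1 over the password (two bytes per character, big-endian),
    the whitener constant and the keystore body, as the JKS format defines."""
    digest = hashlib.sha1()
    digest.update(password.encode("utf-16-be"))
    digest.update(JKS_WHITENER)
    digest.update(body)
    return digest.digest()


def opens_with_password(keystore_bytes, password):
    """True if `password` is the store password of this JKS keystore.
    Only the store password is checked; key entries may carry their own."""
    if len(keystore_bytes) < 32:
        raise ValueError("too short to be a JKS keystore")
    if struct.unpack(">I", keystore_bytes[:4])[0] != JKS_MAGIC:
        raise ValueError("not a JKS keystore (PKCS12/JCEKS are not handled here)")
    body, stored = keystore_bytes[:-20], keystore_bytes[-20:]
    return hmac.compare_digest(jks_integrity_digest(body, password), stored)


def make_empty_jks(password):
    """Build a constructed, empty JKS (version 2, zero entries) for testing."""
    body = struct.pack(">III", JKS_MAGIC, 2, 0)
    return body + jks_integrity_digest(body, password)


def audit_keystore(path):
    """Return a list of findings for the keystore file at `path`."""
    findings = []
    with open(path, "rb") as handle:
        data = handle.read()
    if opens_with_password(data, DEFAULT_PASSWORD):
        findings.append("store password is still the default 'changeit'")
    # File mode bits are only meaningful on POSIX systems; on Windows,
    # review the ACL of the directory instead.
    if os.name == "posix":
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append("file mode %04o grants access to group or other" % mode)
    return findings


if __name__ == "__main__":
    import sys
    for keystore_path in sys.argv[1:]:
        for finding in audit_keystore(keystore_path):
            print("%s: %s" % (keystore_path, finding))
```
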
Please note
Always change default passwords.
Always use the minimal possible permissions when installing and running
Service Manager.
Action                       Permissions Needed for User

Installing Service Manager   Windows: Administrator permissions
                             UNIX: You can install with non-root
                             permissions using the sudo command. For
                             details, see the Service Manager Installation
                             and Upgrade Documentation Center available in
                             the Service Manager Online Help Center
                             documentation.

Running Service Manager      Windows: Windows service runs as the system
                             user or a specific user (the user must have
                             access to the file repository).
                             UNIX: See the Service Manager Installation
                             and Upgrade Documentation Center for the set
                             of required permissions.

Database connection          The login user permissions must be set properly
                             according to the recommendations in the Service
                             Manager Installation and Upgrade Documentation
                             Center. Do not use a higher level of permissions
                             than required. Do not use the default password
                             when creating the schema.
Best Practice
Please refer to Chapter 10 of this document for information on additional
recommendations with regard to securing the log files generated by the
various HP Service Manager product components, and the third-party
software components such as Apache Tomcat, Microsoft IIS, etc... Log files
contain sensitive security information (especially when they contain debug or
tracing data) and as such must be given careful consideration as to who may
access them.
5 Network and Communication Security
This chapter provides information on network and communication security.
Secure Topology
SM is designed to be part of a secure architecture, and can meet the
challenge of dealing with the security threats to which it could potentially be
exposed.
Several measures are recommended to securely deploy Service Manager:
Use of the TLS/SSL communication protocol
The SSL protocol secures the connection between two communication
end-points, typically the client and the server. URLs that require a secure
connection start with HTTPS instead of HTTP. Enable TLS/SSL
communications between:
o The browsers and the SM Webtier
o The browsers and the SM Mobility webtier
o The browsers and the SM SRC webtier
o The SM Webtier and SM Server (RTE)
o The SM Mobility webtier and SM Server (RTE)
o The SM SRC webtier and SM Server (RTE)
o SM Server (RTE) and optional Directory Services Server (LDAP
server)
o SM Server (RTE) and optional Smart Analytics Server (IDOL)
o SM Server (RTE) and third-party Web Services integrations
Information on enabling TLS/SSL between these components is available
in Chapter 1 of this document. In addition, please reference the following
white papers and HP Service Manager Online Help Center topics:
o HP Service Manager Smart Analytics Administrator's Guide: Configure
SSL between SM and Smart Analytics, available via the
HP Software Support Online (SSO) website.
o Help Center Topics:
Secure Sockets Layer (SSL) encryption and server certificates.
Enable SSL encryption for external Web Services
Enable LDAP over SSL
Reverse proxy architecture
SM supports reverse proxy architecture as well as secure reverse proxy
architecture. Reverse and secure reverse proxy server environments are
typically implemented in support of the SM Webtier component. That is,
browsers that need access to SM will do so via the reverse or secure
reverse proxy server. In addition, hardware load balancing devices such
as F5 provide equivalent reverse and secure reverse proxy server
capabilities when managing traffic between the SM Webtier component
and the SM Server (RTE) component.
For information on load balancing please see the HP Service Manager
Online Help Center topic, Hardware load balancers.
DMZ architecture using a firewall
The basic concept is to create a complete separation, and to avoid direct
access, between the SM clients and the SM servers. This is especially
important when opening access to SM to external clients from outside of
your organization.
Separation between web servers, application servers, load balancers, and
database servers
Reverse Proxy Overview
A reverse proxy is an intermediate server that is positioned between the
client machine and the web servers. To the client machine, the reverse proxy
seems like a standard web server that serves the client machine's HTTP or
HTTPS protocol requests, with no dedicated client configuration required.
The client machine sends ordinary requests for web content, using the name
of the reverse proxy instead of the name of a web server. The reverse proxy
then sends the request to one of the web servers. Although the response is
sent back to the client machine by the web server through the reverse proxy,
it appears to the client machine as if it is being sent by the reverse proxy.
Reverse Proxy Security
A reverse proxy functions as a bastion host. It is configured as the only
machine to be addressed directly by external clients, and thus obscures the
rest of the internal network. Use of a reverse proxy enables the application
server to be placed on a separate machine in the internal network, which is a
significant security objective.
DMZ is a network architecture in which an additional network is
implemented, enabling you to isolate the internal network from the external
one. Although there are a few common implementations of DMZs, this
chapter discusses the use of a DMZ and reverse proxy in a back-to-back
topology environment.
The following are the main security advantages of using a reverse proxy in
such an environment:
No DMZ protocol translation occurs. The incoming protocol and outgoing
protocol are identical (only a header change occurs).
Only HTTP or HTTPS access to the reverse proxy is allowed, which
means that stateful packet inspection firewalls can better protect the
communication.
A static, restricted set of redirect requests can be defined on the reverse
proxy.
Most of the web server security features are available on the reverse
proxy (authentication methods, encryption, and more).
The reverse proxy screens the IP addresses of the real servers as well as
the architecture of the internal network.
The only accessible client of the web server is the reverse proxy.
This configuration supports NAT firewalls.
The reverse proxy requires a minimal number of open ports in the
firewall.
The reverse proxy provides good performance compared to other bastion
solutions.
A secure reverse proxy architecture is easier to maintain. You can
add patches to your reverse proxy as needed.
Note:
The SM server components do not by default have TLS/SSL enabled. It is
expected and recommended that the front end server (load balancer or
reverse proxy) will be configured to require TLS/SSL.
Follow security guidelines for third-party LDAP servers and Oracle or
SQL databases.
FAQ
Question
Are exceptions required to be added to the firewall policy?
Answer
Typically this is not required when browsers access SM via standard HTTP
or HTTPS ports (TCP/80 and TCP/443 respectively). If using custom ports,
then firewall exceptions for the incoming traffic are likely required.
Communication ports for the SM Webtier are controlled by the configuration
files of your web application and web server components (IIS or Apache). For
SM Windows (Eclipse) clients, the port is determined by the sm.cfg
configuration file located at the SM Server (RTE) component; the default is
TCP/13080 and for HTTPS access, TCP/13443.
6 Administration Interface
HP Service Manager does not provide a separate administration interface.
The Windows client is intended for system administrators to perform
administrative tasks in Service Manager, most of which can also be
performed in the web client.
7 User Management and Authentication
This chapter provides information related to user management and
authentication.
Authentication Model
Service Manager supports the following authentication methods:
• Username and password authentication
  In an out-of-the-box default installation, HP Service Manager requires
  users to enter username and password credentials to gain access to the
  application. This basic authentication & authorization provider for HP
  Service Manager consists of a non-FIPS 140-2 compliant module that
  utilizes industry standard cryptography such as PBEWithMD5AndDES.
• LDAP authentication
  You can integrate HP Service Manager to an LDAP directory service to
  share contact information across your network.
• Trusted Single Sign-On (TSO)
  You can configure HP Service Manager clients to automatically log on
  using the same authentication information that users entered when they
  logged on to their client workstation's operating system. When you enable
  trusted sign-on, users bypass the Service Manager logon screen and
  directly enter the application.
• Lightweight Single Sign-On (LW-SSO)
  LW-SSO is optional but highly recommended for some integrations, such as
  Release Control. Enabling LW-SSO for integrations bypasses the login
  prompts when connecting two HP products.
• Common Access Card (CAC) Sign-On
  CAC sign-on enables users to log in to the web client directly with a
  smart card that stores a valid user certificate, and users only need to
  enter a card PIN, instead of a user name and password.
Authentication Administration and Configurations
For additional information on these options, please refer to the following
White Papers available through the HP Service Manager Online Help Center
or via HP Software Support Online:
a. Integrating Service Manager with Directory Services using LDAP
b. Setting up Single Sign-On in Service Manager
c. HP Service Manager Online Help Center topics:
iv. Trusted Sign-On
v. Common Access Card (CAC) sign-on
vi. Using LW-SSO with integrations
Best Practice
Service Manager Server comes out-of-the-box with demo data. This data includes
demonstration operator (user) logins. This data is often used in proof-of-concept
and demo scenarios for validating and evaluating product features. When
implementing SM in a production environment, it is recommended to remove or
delete the demo data, especially the out-of-box operators.
Failure to do so will result in false-positive reports generated by security
penetration testing software that is evaluating SM. Specifically, the false-positive
reports may detect the presence of a weak default password policy. For additional
information please refer to the following SM Online Help Center topics:
Set password format restrictions
Set password maximum lifetimes
In addition, it is recommended that in production environments, SM
administrators take advantage of additional account security management
features such as user account lockouts. For detailed information please see the
SM Online Help Center topic, Lockout feature.
It may be desirable in some cases to prevent SM operator (user) IDs from being
viewable by all operators. To prevent the harvesting of SM operator IDs, it is
recommended to perform the following steps whenever a link line in a SM format
displays SM operator data:
1. Find the link that the SM format in question uses.
2. Open the link line for the field and set the QBE format to
operator.nologinname.qbe.g
3. Add the following line in POST Expressions:
a. $login.names1={opened.by in $L.source}
b. $contact.names1=jscall("reportscheduleHelp.getContactName",
$login.names1)
4. Open the format using Format Designer and set the Value List and
Display List values to: $login.names1 and $contact.names1.
8 Authorization
This chapter provides information related to user authorization in HP Service
Manager.
Authorization Model
Access to HP Service Manager resources is authorized based on the following user settings:
• User role
• Profile
• Capability words
• Max Logins
• Session & Inactivity timer timeouts
• Password expiration policy
For full detail on the authorization model of SM, please refer to the SM
Online Help Center topic, Controlling user access and security and the best
practice whitepaper, HP Service Manager Processes and Best Practices Guide.
Authorization Configuration
For detailed information on authorization configuration, please refer to the
best practice whitepaper, HP Service Manager Processes and Best Practices
Guide and the following SM Online Help Center topics:
Application setup
Controlling user access and security
FAQ
Question
Can SM inherit user information and authorization profiles from an external repository, such as LDAP?
Answer
No.
Question
Is Role Management (access to different views and access and edit permission
to separate parts) supported?
Answer
Yes.
Question
Does SM support limitations associated with user profiles and roles (for
example, maximum number of group profiles, predefined profiles, and so on)?
Answer
No.
Question
Is Access Control supported at Field Level?
Answer
Yes.
9 Data Integrity
The database server is used as a simple data store and is responsible for all
persistent storage. While the database contains definitions describing
business logic, no processing is actually performed in this tier, other than
create, read, update, and delete (CRUD) operations in response to requests
from the HP Service Manager Server. Referential integrity is enforced by the
application, thereby protecting transactions. In addition, the database
captures a complete audit log of all changes to data.
For more information on the audit features of SM, please refer to the Online
Help Center topic, Database record auditing.
The data backup procedure is also an integral part of data integrity and
while SM does not provide native backup capabilities, the following
guidelines should be considered:
• Database backup is especially important before critical actions such as
  upgrades. See the SM Online Help Center topic, Service Manager
  documentation set Upgrade Documentation Center for details.
• Backup files should be stored properly according to the industry best
  practices to avoid unauthorized access.
• Since database backup can be a resource intensive process, it is strongly
  recommended to avoid running backups during peak demand times.
10 Encryption
This chapter provides information on data encryption in HP Service
Manager.
TLS/SSL Data Transmission
In production environments, Service Manager must be configured to use
TLS/SSL to transmit data between the server and clients, as well as between
the web application server and web browser so that data being transmitted is
encrypted.
For information on different TLS/SSL implementations for vertical and
horizontal scaling environments and how to configure TLS/SSL in Service
Manager, see the Server implementation options section and System Security
section in the HP Service Manager Online Help Center system.
For information on the TLS/SSL parameters of the Service Manager server
and Windows and web clients, see the System Configuration Parameters
section in the Service Manager Help Center.
Encryption of stored database fields
HP Service Manager uses proprietary algorithms when encrypting data
stored in the database. For example, passwords for operators are stored using
SHA-512, a one-way encryption algorithm. In production environments that
require stronger encryption algorithms, SM offers FIPS 140-2 compliant
encryption modules for enhanced security. Details about FIPS 140-2
configuration can be found in the HP Service Manager Online Help Center
topic, FIPS mode.
The encryption key used to encrypt data in your SM system is stored in the
sm.ini configuration file. The value of this encryption key may be modified.
For details see the HP Service Manager Online Help Center topic, Change the
encryption key value.
SM clients (Web and Windows) use a two-way encryption process that utilizes
PBE with MD5 and DES to secure user/operator passwords when
communicating with SM Server. In production environments that require
stronger encryption algorithms, SM offers FIPS 140-2 compliant encryption
modules for enhanced security. Details about FIPS 140-2 configuration can be
found in the HP Service Manager Online Help Center topic, FIPS mode.
Digital Signatures
HP digitally signs Windows executable binaries such as sm.exe (SM Server)
and ServiceManager.exe (SM Windows client) using Microsoft Authenticode
technology. To view the details of the digital signature, right-click on the
Windows executable, select Properties, and click the Digital Signatures tab.
Select the Hewlett-Packard Company signature and click the Details button. Windows will verify if the digital signature is valid or not.
In cases where your Windows operating system may not have the latest CA
Root Certificates installed, the digital signature of the HP Windows
executable (sm.exe and/or ServiceManager.exe) may display an error such as:
The certificate in the signature cannot be verified.
To resolve this issue, either enable Windows Update to download the latest
updates available for your operating system or download and install the G5
Root certificate as documented here:
https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=SO19140
Service Manager Server can be configured to secure outbound emails with an
S/MIME signature. The recipients can verify the signature on their mail
system (for example, Microsoft Outlook), to make sure that the email
messages truly originated from Service Manager without being
intercepted in transit.
This feature requires that TLS/SSL be enabled for SMTP operations through
the emailout parameter in the sm.ini file and an S/MIME keystore deployed
in the Service Manager server's RUN folder. For details, see the topic Append an S/MIME digital signature to outbound emails.
11 Logs
This chapter provides information related to logs.
Log and Trace Model
There are several types of logs generated by SM Server and Clients:
• Client logs
  o sm.log generated by SM Webtier client
  o .log generated by SM Windows (Eclipse) client
• Server log
  o sm.log generated by SM Server (RTE)
Recommendations:
• Pay attention to the log level and do not leave tracing or debug
  parameters enabled unnecessarily.
  o The debug related parameters are fully documented in the HP
    Service Manager Online Help Center topic, Debugging
    parameters.
• Pay attention to log rotation/switching.
  o See the SM Online Help Center topic, Enable log switching, for
    details.
• Restrict user access to the log directory. Ensure only those user IDs that
  need access to the log files can do so and disallow other user IDs.
• If log archiving is needed, create your own archiving policy, as HP
  Service Manager does not provide this feature.
FAQ
Question
Does SM provide tools to prevent unauthorized access to log files generated
by SM Server and SM Clients?
Answer
No. However, through the use of standard security and access control
lists/permissions available through the operating system where SM resides, it
is possible to restrict access to only those users that require access to view the
log files.
Question
Is the period of time that data in the log files is retained configurable?
Answer
Yes, see the SM Online Help Center topic, Enable log switching, for details.
Question
Does SM support auditing for access and changes to application data?
Answer
Yes, see Chapter 8 Data Integrity of this document for details.
12 APIs and Web Services Security
This chapter provides information on the authentication model and security
considerations of HP Service Manager APIs and web services.
Authentication Model
HP Service Manager provides both a SOAP and a RESTful API framework.
The RESTful API framework re-implements most of the functionality of the
Service Manager SOAP implementation.
Both the SOAP and RESTful API frameworks support the following
authentication methods:
• HTTP Basic Authentication
• CAC (Common Access Card)
• TSO (Trusted Sign-On)
• LW-SSO (Light Weight Single Sign-On)
For more information, see the Service Manager Web Services Guide, which is
available from the Service Manager Online Help Center.
Security Considerations
The Service Manager server requires that each Web Service request provide a
valid operator name and password combination. These must be supplied in a
standard HTTP Basic Authorization header. The Web Service toolkits
universally support this authentication mechanism. It is recommended to
enable TLS/SSL if you are concerned about the possibility of someone using a
network monitoring tool to discover passwords. Basic Authorization by itself
does not encrypt the password; it simply encodes it using Base 64.
Note: Only ASCII operator names are supported in Service Manager Web
Service integrations. When Service Manager is handling an incoming Web
Service request, the authorization string is decoded by BASE64Decoder.
Service Manager uses the decoded string value to construct a UTF-8 string
that is used in the RTE. However, the authorization string is in the header
and Service Manager does not know the charset or encoding of the underlying
string value, which is BASE64 encoded. Therefore, if the underlying string
value is not UTF-8, Web Service clients will fail to connect to Service
Manager. When Service Manager fetches an operator from the database, the
operator value is always UTF-8, no matter what collation the database
uses. However, even if users put the same value in the authorization
header, the operator name may differ because of the charset/encoding
issue.
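The two points above (Base 64 is an encoding that anyone can reverse, and a non-ASCII operator name only decodes when the client happened to use UTF-8) can be reproduced with the added Python example below. It is not Service Manager code: decode_as_utf8 is a model of the behaviour this guide describes, and the operator names and passwords are constructed.

```python
import base64


def basic_header(operator, password, charset):
    """Build the Authorization header value as a web service client would,
    encoding "operator:password" in the client's own charset."""
    raw = ("%s:%s" % (operator, password)).encode(charset)
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_as_utf8(header):
    """Model of the handling described in the guide (an assumption, not the
    product's code): Base64-decode the credentials and build a UTF-8 string.
    Returns (operator, password), or None if the bytes are not valid UTF-8.
    No key is involved, so anyone who captures the header can do the same."""
    scheme, _, token = header.partition(" ")
    if scheme != "Basic":
        return None
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except ValueError:  # covers bad Base64 and UnicodeDecodeError
        return None
    operator, sep, password = text.partition(":")
    return (operator, password) if sep else None


def safe_operator_name(operator):
    """Pre-flight check for integrations: ASCII names encode to the same
    bytes in every common charset, so only they are unambiguous."""
    return operator != "" and operator.isascii() and ":" not in operator


if __name__ == "__main__":
    # Constructed credentials, for illustration only.
    ascii_hdr = basic_header("svc.integration", "Example-Passw0rd", "ascii")
    print("captured header decodes to:", decode_as_utf8(ascii_hdr))

    name = "m\u00fcller"  # non-ASCII operator name
    for charset in ("utf-8", "iso-8859-1"):
        hdr = basic_header(name, "pw", charset)
        print(charset, hdr, "->", decode_as_utf8(hdr))
    print("safe to use in integrations:", safe_operator_name(name))
```

Running safe_operator_name over the operator records used by integrations before go-live catches names that would fail only for clients that do not send UTF-8.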
In addition to having a valid login, the operator must have the SOAP API or
RESTful API capability word to access the Web Services. If the Web Service
request does not contain valid authorization information, then the server
sends a response message containing 401 (Unauthorized). If the request is valid, then the server sends a response message containing the results of
your Web Services operation. The response message contains only the
information the operator is allowed to see. The security settings of the user's
profile, Mandanten security settings, and conditions defined in the Document
Engine are maintained by all Web Services.
When working with the Service Manager RESTful web services, keep in mind
that SM returns output in a standard JSON format. As such, third-party
clients that rely on this output must properly encode it into HTML such that
it may be read or displayed successfully by your custom clients. Please note
that Service Manager RESTful output includes the HTTP header below to
prevent execution of JSON output:
X-Content-Type-Options: nosniff
SM Smart Analytics Server Recommendations
When installing SM Smart Analytics Server, you are presented with
numerous installation options. One of these options is to specify the Service
Manager Server that is allowed to send administrative and query actions to
the Smart Analytics server. Please ensure that you only specify the IP
addresses or hostnames of the Service Manager Server.
To review the current values of your installation, please open the
AutonomyIDOLServer.cfg file in a text editor and verify the [Service] and
[Server] sections contain the IP addresses or hostnames of your Service
Manager Servers.
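The review described above can be scripted. The following Python check is an added example, not an HP tool: it assumes the allow-lists are the keys in [Service] and [Server] whose names end in "Clients" and that their values are comma-separated, and the sample configuration and addresses are constructed.

```python
import configparser

# Constructed sample of the two sections the guide says to review. Keys
# ending in "Clients" are assumed to be allow-lists; addresses are made up.
SAMPLE_CFG = """
[Service]
ServicePort=9002
ServiceStatusClients=10.0.5.21,sm-app01.example.internal
ServiceControlClients=*.*.*.*

[Server]
Port=9000
AdminClients=10.0.5.21,localhost
QueryClients=10.0.5.21,10.0.9.77
"""

# Hypothetical inventory of Service Manager Server addresses for this site.
SM_SERVERS = {"10.0.5.21", "sm-app01.example.internal"}


def audit_idol_clients(cfg_text, allowed, sections=("Service", "Server")):
    """Return (section, key, entry, reason) for every allow-list entry that
    is a wildcard or is not a known Service Manager Server."""
    parser = configparser.ConfigParser(strict=False, interpolation=None)
    parser.optionxform = str  # keep key case as written in the file
    parser.read_string(cfg_text)
    allowed = {a.lower() for a in allowed}
    findings = []
    for section in sections:
        if not parser.has_section(section):
            findings.append((section, "", "", "section missing"))
            continue
        for key, value in parser.items(section):
            if not key.lower().endswith("clients"):
                continue
            for entry in (e.strip() for e in value.split(",")):
                if not entry:
                    continue
                if "*" in entry:
                    findings.append((section, key, entry, "wildcard"))
                elif entry.lower() not in allowed:
                    findings.append((section, key, entry, "not an SM server"))
    return findings


if __name__ == "__main__":
    for finding in audit_idol_clients(SAMPLE_CFG, SM_SERVERS):
        print("%s / %s: %s (%s)" % finding)
```

To check a real installation, pass the text of AutonomyIDOLServer.cfg and your own server inventory; an empty result means every listed client is a known Service Manager Server.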
For additional details, please see the HP Service Manager Smart Analytics
Administrators Guide available via the HP Software Support Online (SSO) website.