1 HP Service Manager Software Version: 9.34 Security Guide Document Release Date: October 2014

HP SM934 Security Guide

Dec 16, 2015

  • 1

    HP Service Manager

    Software Version: 9.34

    Security Guide

    Document Release Date: October 2014

  • 2

    Legal Notices

    Warranty

    HP provides the following recommendations for increasing the security of your overall

    infrastructure for informational purposes only. These are only recommendations and

    are not intended to be a guarantee of protection against all potential vulnerabilities

    and attacks. Please note that some security measures may impact the features and

    functionality of your overall system; it is recommended that every customer become

    aware of those impacts when implementing any changes to your environment.

    Use of this HP Software Product, [Service Manager] may require the pre-installation

    of certain third-party components that are not provided by HP (Third Party Components). HP recommends that its customers check frequently for the most current updates to the Third Party Components, which may include fixes or patches

    for security vulnerabilities.

    The only warranties for HP products and services are set forth in the express warranty

    statements accompanying such products and services. Nothing herein should be

    construed as constituting an additional warranty. HP shall not be liable for technical

    or editorial errors or omissions contained herein.

    The information contained herein is subject to change without notice.

    Restricted Rights Legend

    Confidential computer software. Valid license from HP required for possession, use or

    copying. Consistent with FAR 12.211 and 12.212, Commercial Computer Software,

    Computer Software Documentation, and Technical Data for Commercial Items are

    licensed to the U.S. Government under vendor's standard commercial license.

    Copyright Notices

    Copyright 2014 Hewlett-Packard Development Company, L.P.

    Trademark Notices

    Adobe is a trademark of Adobe Systems Incorporated.

    Java is a registered trademark of Oracle and/or its affiliates.

    Microsoft and Windows are U.S. registered trademarks of Microsoft Corporation.

    Oracle is a registered US trademark of Oracle Corporation, Redwood City, California.

    UNIX is a registered trademark of The Open Group.

  • 3

    For a complete list of open source and third party acknowledgements, visit the HP

    Software Support Online web site and search for the product manual called HP Service

    Manager Open Source and Third Party License Agreements.

  • 4

    Documentation Updates

    The title page of this document contains the following identifying information:

    Software Version number, which indicates the software version.

    The number before the period identifies the major release number.

    The first number after the period identifies the minor release number.

    The second number after the period represents the minor-minor release

    number.

    Document Release Date, which changes each time the document is updated.

    Software Release Date, which indicates the release date of this version of the

    software.

    To check for recent updates or to verify that you are using the most recent edition, visit

    the following URL:

    https://softwaresupport.hp.com/

    This site requires that you register for an HP Passport and sign-in. To register for an

    HP Passport ID, go to:

    https://hpp12.passport.hp.com/hppcf/login.do

    You will also receive updated or new editions if you subscribe to the appropriate

    product support service. Contact your HP sales representative for details.

  • 5

    Support

    You can visit the HP Software support web site at:

    www.hp.com/go/hpsoftwaresupport

    This web site provides contact information and details about the products, services,

    and support that HP Software offers.

    HP Software online software support provides customer self-solve capabilities. It

    provides a fast and efficient way to access interactive technical support tools needed to

    manage your business. As a valued support customer, you can benefit by using the

    support site to:

    Search for knowledge documents of interest

    Submit and track support cases and enhancement requests

    Download software patches

    Manage support contracts

    Look up HP support contacts

    Review information about available services

    Enter into discussions with other software customers

    Research and register for software training

    Most of the support areas require that you register as an HP Passport user and sign

    in. Many also require an active support contract. To find more information about

    support access levels, go to the following URL:

    http://h20230.www2.hp.com/new_access_levels.jsp

    To register for an HP Passport ID, go to the following URL:

    http://h20229.www2.hp.com/passport-registration.html

  • 6

    Contents

    1 Welcome to This Guide (p. 9)
        Introduction (p. 9)

    2 Secure Implementation and Deployment (p. 10)
        Technical System Landscape (p. 10)
        Security in Basic & Clustered SM Configurations (p. 10)
        External Authentication (p. 11)
        Proxy Authentication Support (p. 12)
        Common Security Considerations (p. 12)

    3 Service Manager Security Parameters (p. 14)
        Secure File Storage (p. 14)
        Secure Debug Features (p. 15)
        Secure Access to SM (p. 15)
        Best Practice (p. 15)

    4 Installation Security (p. 17)
        Supported Operating Systems (p. 17)
        Web Application Server Security Recommendations (p. 17)
        Web Server Security Recommendations (p. 18)
        Database Security Recommendations (p. 19)
        Application Server Security Recommendations (p. 19)
        Best Practice (p. 21)

  • 7

    5 Network and Communication Security (p. 22)
        Secure Topology (p. 22)
        Reverse Proxy Overview (p. 24)
        Reverse Proxy Security (p. 24)
        FAQ (p. 26)

    6 Administration Interface (p. 27)

    7 User Management and Authentication (p. 28)
        Authentication Model (p. 28)
        Authentication Administration and Configurations (p. 29)
        Best Practice (p. 29)

    8 Authorization (p. 31)
        Authorization Model (p. 31)
        Authorization Configuration (p. 31)
        FAQ (p. 32)

    9 Data Integrity (p. 33)

    10 Encryption (p. 34)
        TLS/SSL Data Transmission (p. 34)
        Encryption of stored database fields (p. 34)
        Digital Signatures (p. 35)

    11 Logs (p. 36)
        Log and Trace Model (p. 36)
        FAQ (p. 37)

  • 8

    12 APIs and Web Services Security (p. 38)
        Authentication Model (p. 38)
        Security Considerations (p. 38)
        SM Smart Analytics Server Recommendations (p. 39)

  • 9

    1 Welcome to This Guide

    Introduction

    Welcome to the HP Service Manager Security Guide.

    This guide is intended for Service Manager implementers and system

    administrators who need to implement their Service Manager environment in

    a secure manner.

  • 10

    2 Secure Implementation and Deployment

    This chapter provides information on implementing and deploying HP

    Service Manager (SM) in a secure manner.

    Technical System Landscape

    HP Service Manager is a suite of enterprise applications based on various

    industry standard technologies. Service Manager Server (RTE) is written

    using Java and C++ programming languages. The Service Manager Web Tier

    and Windows Eclipse client are written in Java and utilize Java EE and SE

    technologies and JavaScript. When deployed together, these applications

    comprise a typical Service Manager system running in a three-tier

    architecture.

    For more information about typical deployment schemes and options please

    reference the Service Manager Deployment Sizing Guide available through

    the HP Software Support Online website and the HP Service Manager Online

    Help Center topic, Server Implementation Options available from the HP

    Service Manager installation media.

    Security in Basic & Clustered SM Configurations

    HP Service Manager configurations may be deployed in the following distinct

    implementations. For more information, please reference the Service

    Manager Deployment Sizing Guide available through the HP Software

    Support Online website and the HP Service Manager Online Help Center

    topic, Server Implementation Options available from the HP Service Manager

    installation media.

    1) Single servlet implementation (non-clustered basic configuration)

    2) Vertical scaling implementation (simple clustering)

    3) Horizontal scaling implementation (advanced clustering)

  • 11

    All of these implementations share the same basic out-of-the-box security

    configuration options.

    1) In an out-of-the-box default installation, there is no TLS/SSL security
    enabled between the individual components of HP Service Manager's
    three-tier architecture. This is primarily to keep installation easy, so
    that consultants, system administrators and customers can quickly set up
    demonstration, proof-of-concept and test environments.

    2) In an out-of-the-box default installation, HP Service Manager requires

    users to enter username and password credentials to gain access to the

    application. This basic authentication & authorization provider for HP

    Service Manager consists of a non-FIPS 140-2 compliant module that

    utilizes industry standard cryptography such as PBEWithMD5AndDES.

    Information about the FIPS 140-2 configuration can be found in the HP

    Service Manager Online Help Center topic, FIPS mode.

    3) With additional configuration, it is possible to enable strong TLS/SSL

    security between the individual components of HP Service Manager's three-tier architecture. In addition, SM provides two-factor

    authentication with its CAC support and Trusted Sign-On features. The

    steps for enabling TLS/SSL are documented in the HP Service Manager

    Online Help Center topic, Secure Sockets Layer (SSL) encryption and

    server certificates. Information on SM's CAC and TSO features can be found in the External Authentication section of this chapter.

    External Authentication

    With additional configuration, it is possible to supplement or replace the

    default authentication & authorization provider for HP Service Manager by

    using a variety of industry-standard protocols and tools such as LDAP, CAC,

    Windows Integrated Authentication, Kerberos, Single Sign-On and Trusted

    Sign-On. For additional information on these options, please refer to the

    following White Papers available through the HP Service Manager Online

    Help Center or via HP Software Support Online:

    a. Integrating Service Manager with Directory Services using LDAP

    b. Setting up Single Sign-On in Service Manager

    c. HP Service Manager Online Help topics:

    i. Trusted Sign-On

    ii. Common Access Card (CAC) sign-on

  • 12

    iii. Using LW-SSO with integrations

    Proxy Authentication Support

    SM supports the use of proxy servers that require authentication. As

    described previously, SM can run in a number of distinct implementations

    that can extend the tiers of the standard SM three-tier architecture. One

    example is the SM Webtier component running on a standard Java-based

    application server that must be accessed by a web browser. If there is a

    security requirement to separate the end users' browsers from the SM Webtier component via a proxy device that requires authentication, this is

    supported transparently as the authenticated proxy configuration is specified

    in the user's web browser settings. For information on how to configure a proxy server for your browser, please refer to the following:

    Microsoft Internet Explorer

    http://support2.microsoft.com/kb/135982

    Mozilla Firefox

    https://support.mozilla.org/en-US/kb/advanced-settings-browsing-network-updates-encryption#w_connection

    Google Chrome

    https://support.google.com/chrome/answer/96815

    Common Security Considerations

    HP Service Manager components may be deployed on numerous industry

    standard operating systems and run on numerous third-party web-tier

    infrastructure software such as Apache HTTP Server, IBM Websphere,

    JBOSS application Server, Oracle Weblogic, and Apache Tomcat. As such, it

    is recommended to keep up-to-date on vendor-provided best practices and

    security hardening guides for each of the third-party components used in

    support of your HP Service Manager deployment. Below are some resources

    that can serve as a starting point for researching these recommended

    security considerations:

  • 13

    IBM Websphere

    Advanced security hardening in WebSphere Application Server V7, V8 and

    V8.5, Part 1: Overview and approach to security hardening

    http://www.ibm.com/developerworks/websphere/techjournal/1210_lansche/1210_lansche.html

    Apache Tomcat

    Security Considerations

    https://tomcat.apache.org/tomcat-7.0-doc/security-howto.html

    JBoss

    Hardening Guidelines

    https://docs.jboss.org/author/display/AS72/Hardening+Guidelines?_sscc=t

    Apache HTTP Server

    Security Tips

    https://httpd.apache.org/docs/current/misc/security_tips.html

    Oracle 11g database server

    Oracle Database Documentation Library: Security

    http://docs.oracle.com/cd/E11882_01/nav/portal_25.htm

    Microsoft SQL Server

    Database Engine Security Checklist Database Engine Security Configuration

    http://social.technet.microsoft.com/wiki/contents/articles/1256.database-engine-security-checklist-database-engine-security-configuration.aspx

  • 14

    3 Service Manager Security Parameters

    This chapter contains reference to some of the Service Manager parameters

    that are relevant to security. For a comprehensive list of parameters, please

    reference the Service Manager Online Help Center topic, System Security.

    Secure File Storage

    SM allows users to upload files to the Service Manager Server (RTE)

    component. This is accomplished mainly via the two main client-types, the

    Service Manager Windows (Eclipse) and Service Manager Webtier clients.

    This feature allows users to upload attachments to SM records such as

    incidents, changes, and knowledge articles. All files uploaded to the server

    must be validated, since they can contain viruses, malicious code, or trojans.

    An attacker or a malicious user can upload malicious files from one account

    and then download them to diverse clients. However, because file

    attachments are stored in the SM database as BLOB data, it is not possible

    to perform virus or malware scanning once a file has been uploaded to the SM

    Server component.

    As a result, it is strongly recommended to implement proper antivirus

    protection for the file storage allocated in the SM Webtier client's deployed WAR file and in the SM Windows (Eclipse) client's installation directory.

    For the SM Webtier client, this is typically referred to as the scratch or

    temporary directory of your Java application server hosting SM Webtier

    client.

    E.g.

    /work/Catalina/localhost//attachments

    Example: C:\Program Files\Apache Software Foundation\Tomcat 7.0\work\Catalina\localhost\webtier-9.34\attachments

    Your path may vary greatly depending on the Java application server used to
    host the SM Webtier client.

    For the SM Windows (Eclipse) client, the path is referred to as the workspace

    directory.

  • 15

    E.g.

    %USERPROFILE%/Service Manager/workspace/.metadata/.plugins/com.hp.ov.sm.client.eclipse.user/attachments/

    Example:

    C:\Users\Administrator\ServiceManager\workspace\.metadata\.plugins\com.hp.ov.sm.client.eclipse.user\attachments

    Secure Debug Features

    Service Manager provides a set of tools for troubleshooting and to provide

    better supportability. These features, which can expose sensitive internal

    information about the system and about activities performed on the system,

    are disabled by default. It is recommended to validate that the parameters

    are reset to the default values immediately after using the debug parameter.

    The debug related parameters are fully documented in the HP Service

    Manager Online Help Center topic, Debugging parameters.

    Secure Access to SM

    Please see Chapter 9 of this document for information on the parameters

    required to access HP Service Manager in a secure fashion.

    Best Practice

    The Service Manager administrator can limit the types and sizes of files that

    can be uploaded to SM and downloaded by SM clients. For complete and

    detailed information please reference these HP Service Manager Online Help

    Center topics:

    a. Support for blocking attachments with certain file extensions

    b. Customize the forbidden list of attachment file extensions

    c. Setting file attachment limits

  • 16

    During attachment file processing on the Service Manager Web tier, it is
    possible to configure a white list (allowed list) of file extensions that may be
    uploaded by users. This is an additional layer of filtering & protection that
    occurs at the SM Web tier before the file ever reaches the SM Server
    (RTE) for additional processing. It is recommended to use the attachment
    whitelisting feature by adding the following parameter in the
    SM Webtier's web.xml:

        <servlet>
          <description>Attachment upload servlet for AJAX request</description>
          <display-name>Attachment Upload Servlet for AJAX request</display-name>
          <servlet-name>AttachmentUploadAjax</servlet-name>
          <servlet-class>com.hp.ov.sm.client.webtier.FileUploadAjaxServlet</servlet-class>
          <init-param>
            <param-name>allowed</param-name>
            <param-value>bmp,jpg,jpeg,png,gif,doc,xls,rtf,txt,docx,xlsx,ppt,pptx,pdf,msg,zip,tar,gz,tgz,log,unl</param-value>
          </init-param>
        </servlet>

    This setting may be added for any of the listed upload
    servlets in the SM Webtier's web.xml file that has the following value:

        com.hp.ov.sm.client.webtier.FileUploadServlet

    Please give thoughtful consideration to the list of files as the defaults may be

    too restrictive. This parameter specifies the allowed list of file extensions that

    may be attached to a SM record such as an Incident, Change, Interaction or

    Problem record.
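    One way to check that every upload servlet in a web tier's web.xml actually carries an allowed list, and to see which entries go beyond the example list above. This is an added example, not HP code; the function names, the sample web.xml, the servlet name "AttachmentUpload" and the treatment of an empty value as unconfigured are assumptions.

```python
import xml.etree.ElementTree as ET

# Upload servlet classes named in this guide.
UPLOAD_SERVLET_CLASSES = {
    "com.hp.ov.sm.client.webtier.FileUploadServlet",
    "com.hp.ov.sm.client.webtier.FileUploadAjaxServlet",
}

# Extension list from the guide's example, used only as a comparison baseline.
GUIDE_ALLOWED = frozenset(
    "bmp,jpg,jpeg,png,gif,doc,xls,rtf,txt,docx,xlsx,ppt,pptx,pdf,msg,"
    "zip,tar,gz,tgz,log,unl".split(",")
)

# Constructed sample web.xml (not from a real deployment). The servlet name
# "AttachmentUpload" and the "exe"/"js" entries are made up for the demo.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>AttachmentUploadAjax</servlet-name>
    <servlet-class>com.hp.ov.sm.client.webtier.FileUploadAjaxServlet</servlet-class>
    <init-param>
      <param-name>allowed</param-name>
      <param-value>jpg, PNG, pdf, .exe, js</param-value>
    </init-param>
  </servlet>
  <servlet>
    <servlet-name>AttachmentUpload</servlet-name>
    <servlet-class>com.hp.ov.sm.client.webtier.FileUploadServlet</servlet-class>
  </servlet>
  <servlet>
    <servlet-name>Other</servlet-name>
    <servlet-class>example.OtherServlet</servlet-class>
  </servlet>
</web-app>"""


def _local(tag):
    """Drop the XML namespace so the audit works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child called `name`, or None if absent."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def _allowed_extensions(servlet):
    """Parsed 'allowed' init-param of a servlet, or None if it has none."""
    for param in servlet:
        if _local(param.tag) != "init-param":
            continue
        if _child_text(param, "param-name") == "allowed":
            value = _child_text(param, "param-value") or ""
            # Normalised to lower case without a leading dot for comparison
            # only; how the web tier itself compares extensions is not
            # stated in the guide.
            return {e.strip().lower().lstrip(".")
                    for e in value.split(",") if e.strip()}
    return None


def audit_web_xml(xml_text):
    """Return one finding per attachment upload servlet, in document order."""
    root = ET.fromstring(xml_text)
    findings = []
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        if _child_text(servlet, "servlet-class") not in UPLOAD_SERVLET_CLASSES:
            continue
        allowed = _allowed_extensions(servlet)
        if allowed is None:
            status = "missing"      # no allowed list configured at all
        elif not allowed:
            status = "empty"        # parameter present but lists nothing
        else:
            status = "configured"
        allowed = allowed or set()
        findings.append({
            "servlet": _child_text(servlet, "servlet-name"),
            "status": status,
            "allowed": sorted(allowed),
            "beyond_guide_example": sorted(allowed - GUIDE_ALLOWED),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_web_xml(SAMPLE_WEB_XML):
        print(finding)
```

    Entries reported under beyond_guide_example are not necessarily wrong; they are the ones to review against your own policy.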

  • 17

    4 Installation Security

    This chapter provides information on aspects of installation security.

    Supported Operating Systems

    For the list of supported system environments, refer to the Support Matrix.

    Note: The supported environment information in the Support Matrix is

    accurate for the Service Manager 9.34 release, but there may be subsequent

    updates. For the most up-to-date supported environments, refer to the HP

    Software Support Matrix Web site using the following URL:

    http://support.openview.hp.com/sc/support_matrices.jsp

    Web Application Server Security Recommendations

    Service Manager recommends enabling TLS/SSL communications between

    the SM web application server and the web browser. This may be

    implemented through the secureLogin and sslPort parameters in the web tier

    configuration file (web.xml), and requires TLS/SSL be configured on the web

    application server (e.g. Tomcat, JBoss, etc).

    Information about the secureLogin and sslPort parameters is available in

    these HP Service Manager Online Help Center topics:

    Web parameter: secureLogin

    Web parameter: sslPort

    If you integrate an HTTP web server such as Microsoft IIS or Apache HTTP

    server with your web application server such as Tomcat, JBoss, etc, it is not

    necessary to use the secureLogin and sslPort parameters as described above

    because each web server has its own set of instructions for implementing

    TLS/SSL communications.

    Please note that the Service Manager Webtier stores TLS/SSL certificate

    information in a standard Java Keystore file format. Beginning with 9.34.P2,

  • 18

    the password for the Java keystore file is now encrypted in the file

    webtier.properties. Additional details on this new feature can be found in the

    SM 9.34.P2 Release Notes.

    The steps for enabling TLS/SSL communications vary depending on
    your combination of third-party products used in support of Service Manager.
    As such, HP cannot document all possible combinations. The following URL

    links are helpful pointers that discuss the available options for enabling

    TLS/SSL communications between the SM web servers/SM web application

    servers and web browsers.

    Apache Tomcat

    See http://tomcat.apache.org/tomcat-6.0-doc/index.html and

    http://tomcat.apache.org/tomcat-7.0-doc/index.html for information on

    Apache Tomcat SSL configuration and other security considerations.

    IBM WebSphere Application Server (WAS)

    See https://www.ibm.com/developerworks/websphere/zones/was/security/

    for information on WebSphere Application Server SSL configuration and

    other security considerations.

    Oracle WebLogic

    See http://docs.oracle.com/cd/E24329_01/web.1211/e24446/security.htm

    for information on Oracle WebLogic SSL configuration and other security

    considerations.

    JBoss EAP

    See https://access.redhat.com/site/documentation/en-US/JBoss_Enterprise_Application_Platform/5/pdf/Security_Guide/JBoss_Enterprise_Application_Platform-5-Security_Guide-en-US.pdf
    for information on JBoss EAP SSL configuration and other security considerations.

    Web Server Security Recommendations

    IIS Web Server

    See http://www.iis.net/ for information on enabling SSL for all interactions

    with the web server.

  • 19

    Note: SSL should be enabled for the entire IIS web server under which you

    installed the Service Manager application.

    To disable weak ciphers on IIS, refer to

    http://support.microsoft.com/kb/187498/en-us.

    Apache Web Server

    See http://httpd.apache.org/docs/current/ssl/ssl_howto.html for

    information on enabling SSL for all interactions with the web server and on

    enforcing strong security.

    Database Security Recommendations

    Oracle

    See http://www.oracle.com/us/technologies/security/overview/index.html

    for information about Oracle database security solutions.

    SQL Server

    See http://msdn.microsoft.com/en-us/library/bb669074%28v=vs.110%29.aspx
    for information about SQL Server database security features.

    DB2

    See http://www-01.ibm.com/software/data/db2/linux-unix-windows/security/
    for information about DB2 database security features.

    Application Server Security Recommendations

    When configuring TLS/SSL on the Service Manager Server, keep your Java
    keystore file in a private directory with restricted access. The Java
    keystore is password protected, but it remains vulnerable as long as the
    default password, changeit, has not been changed.
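    A check for both points in the paragraph above: whether a keystore still opens with the default password changeit, and whether its file is readable beyond its owner. This is an added example, not HP code; the function names are assumptions, it covers only the JKS keystore format and the store password (not per-key passwords), and the permission check is meaningful on POSIX systems only.

```python
import hashlib
import hmac
import os
import stat
import struct

JKS_MAGIC = 0xFEEDFEED            # first four bytes of a JKS keystore
JKS_SALT = b"Mighty Aphrodite"    # fixed string mixed into the JKS digest
DEFAULT_STOREPASS = "changeit"    # default password named in this guide
HEADER_LEN, DIGEST_LEN = 12, 20   # magic + version + entry count; SHA-1


def jks_digest(password, body):
    """JKS integrity digest: SHA-1(UTF-16BE password + salt + store body)."""
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))
    h.update(JKS_SALT)
    h.update(body)
    return h.digest()


def opens_with_password(store_bytes, password):
    """True if `password` matches the store's trailing integrity digest."""
    if len(store_bytes) < HEADER_LEN + DIGEST_LEN:
        raise ValueError("too short to be a JKS keystore")
    magic, version = struct.unpack(">II", store_bytes[:8])
    if magic != JKS_MAGIC or version not in (1, 2):
        raise ValueError("not a JKS keystore (PKCS12/JCEKS are not handled)")
    body, digest = store_bytes[:-DIGEST_LEN], store_bytes[-DIGEST_LEN:]
    return hmac.compare_digest(jks_digest(password, body), digest)


def build_empty_jks(password):
    """Constructed sample input: a valid JKS keystore with zero entries."""
    body = struct.pack(">III", JKS_MAGIC, 2, 0)
    return body + jks_digest(password, body)


def audit_keystore(path):
    """Report default-password use and group/other access for one file."""
    with open(path, "rb") as fh:
        data = fh.read()
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {
        "default_password": opens_with_password(data, DEFAULT_STOREPASS),
        # Any group/other permission bit means the file is not private.
        "group_or_other_access": bool(mode & 0o077),
        "mode": oct(mode),
    }


if __name__ == "__main__":
    import tempfile

    # Demo on a constructed keystore; point audit_keystore() at a real
    # keystore path to check a deployment.
    fd, demo_path = tempfile.mkstemp(suffix=".jks")
    with os.fdopen(fd, "wb") as out:
        out.write(build_empty_jks(DEFAULT_STOREPASS))
    os.chmod(demo_path, 0o644)
    print(audit_keystore(demo_path))
    os.remove(demo_path)
```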

    Please note

    Always change default passwords.

  • 20

    Always use the minimal possible permissions when installing and running

    Service Manager.

    Action: Installing Service Manager
    Permissions Needed for User:
        Windows: Administrator permissions
        UNIX: You can install with non-root permissions using the sudo
        command. For details, see the Service Manager Installation and
        Upgrade Documentation Center available in the Service Manager
        Online Help Center documentation.

    Action: Running Service Manager
    Permissions Needed for User:
        Windows: Windows service runs as the system user or a specific user
        (the user must have access to the file repository).
        UNIX: See the Service Manager Installation and Upgrade
        Documentation Center for the set of required permissions.

    Action: Database connection
    Permissions Needed for User:
        The login user permissions must be set properly according to the
        recommendations in the Service Manager Installation and Upgrade
        Documentation Center. Do not use a higher level of permissions
        than required. Do not use the default password when creating the
        schema.

  • 21

    Best Practice

    Please refer to Chapter 10 of this document for information on additional

    recommendations with regard to securing the log files generated by the

    various HP Service Manager product components, and the third-party

    software components such as Apache Tomcat, Microsoft IIS, etc. Log files

    contain sensitive security information (especially when they contain debug or

    tracing data) and as such must be given careful consideration as to who may

    access them.

  • 22

    5 Network and Communication Security

    This chapter provides information on network and communication security.

    Secure Topology

    SM is designed to be part of a secure architecture, and can meet the

    challenge of dealing with the security threats to which it could potentially be

    exposed.

    Several measures are recommended to securely deploy Service Manager:

    Use of the TLS/SSL communication protocol

    The SSL protocol secures the connection between two communication

    end-points, typically the client and the server. URLs that require a secure

    connection start with HTTPS instead of HTTP. Enable TLS/SSL

    communications between:

    o The browsers and the SM Webtier

    o The browsers and the SM Mobility webtier

    o The browsers and the SM SRC webtier

    o The SM Webtier and SM Server (RTE)

    o The SM Mobility webtier and SM Server (RTE)

    o The SM SRC webtier and SM Server (RTE)

    o SM Server (RTE) and optional Directory Services Server (LDAP server)

    o SM Server (RTE) and optional Smart Analytics Server (IDOL)

    o SM Server (RTE) and third-party Web Services integrations

    Information on enabling TLS/SSL between these components is available

    in Chapter 1 of this document. In addition, please reference the following

    white papers and HP Service Manager Online Help Center topics:

  • 23

    o HP Service Manager Smart Analytics Administrator's Guide: Configure SSL
    between SM and Smart Analytics, available via the HP Software Support
    Online (SSO) website.

    o Help Center Topics:

    Secure Sockets Layer (SSL) encryption and server certificates.

    Enable SSL encryption for external Web Services

    Enable LDAP over SSL

    Reverse proxy architecture

    SM supports reverse proxy architecture as well as secure reverse proxy

    architecture. Reverse and secure reverse proxy server environments are

    typically implemented in support of the SM Webtier component. That is,

    browsers that need access to SM will do so via the reverse or secure

    reverse proxy server. In addition, hardware load balancing devices such

    as F5 provide equivalent reverse and secure reverse proxy server

    capabilities when managing traffic between the SM Webtier component

    and the SM Server (RTE) component.

    For information on load balancing please see the HP Service Manager

    Online Help Center topic, Hardware load balancers.

    DMZ architecture using a firewall

    The basic concept is to create a complete separation, and to avoid direct

    access, between the SM clients and the SM servers. This is especially

    important when opening access to SM to external clients from outside of

    your organization.

    Separation between web servers, application servers, load balancers, and

    database servers

  • 24

    Reverse Proxy Overview

    A reverse proxy is an intermediate server that is positioned between the

    client machine and the web servers. To the client machine, the reverse proxy

    seems like a standard web server that serves the client machine's HTTP or HTTPS protocol requests, with no dedicated client configuration required.

    The client machine sends ordinary requests for web content, using the name

    of the reverse proxy instead of the name of a web server. The reverse proxy

    then sends the request to one of the web servers. Although the response is

    sent back to the client machine by the web server through the reverse proxy,

    it appears to the client machine as if it is being sent by the reverse proxy.

    Reverse Proxy Security

    A reverse proxy functions as a bastion host. It is configured as the only

    machine to be addressed directly by external clients, and thus obscures the

    rest of the internal network. Use of a reverse proxy enables the application

    server to be placed on a separate machine in the internal network, which is a

    significant security objective.

    DMZ is a network architecture in which an additional network is

    implemented, enabling you to isolate the internal network from the external

    one. Although there are a few common implementations of DMZs, this

  • 25

    chapter discusses the use of a DMZ and reverse proxy in a back-to-back

    topology environment.

    The following are the main security advantages of using a reverse proxy in

    such an environment:

    o No DMZ protocol translation occurs. The incoming protocol and outgoing protocol are identical (only a header change occurs).

    o Only HTTP or HTTPS access to the reverse proxy is allowed, which means that stateful packet inspection firewalls can better protect the communication.

    o A static, restricted set of redirect requests can be defined on the reverse proxy.

    o Most of the web server security features are available on the reverse proxy (authentication methods, encryption, and more).

    o The reverse proxy screens the IP addresses of the real servers as well as the architecture of the internal network.

    o The only accessible client of the web server is the reverse proxy.

    o This configuration supports NAT firewalls.

    o The reverse proxy requires a minimal number of open ports in the firewall.

    o The reverse proxy provides good performance compared to other bastion solutions.

    o Using a secure reverse proxy architecture is easier to maintain. You can add patches to your reverse proxy as needed.

    Note:

    The SM server components do not by default have TLS/SSL enabled. It is

    expected and recommended that the front end server (load balancer or

    reverse proxy) will be configured to require TLS/SSL.

  • 26

    Follow security guidelines for third-party LDAP servers and Oracle or

    SQL databases.

    FAQ

    Question

    Are exceptions required to be added to the firewall policy?

    Answer

    Typically this is not required when browsers access SM via standard HTTP

    or HTTPS ports (TCP/80 and TCP/443 respectively). If using custom ports,

    then firewall exceptions for the incoming traffic are likely required.

    Communication ports for the SM Webtier are controlled by the configuration

    files of your web application and web server components (IIS or Apache). For

    SM Windows (Eclipse) clients, the port is determined by the sm.cfg

    configuration file located at the SM Server (RTE) component; the default is

    TCP/13080 and for HTTPS access, TCP/13443.

  • 27

    6 Administration Interface

    HP Service Manager does not provide a separate administration interface.

    The Windows client is intended for system administrators to perform

    administrative tasks in Service Manager, most of which can also be

    performed in the web client.

  • 28

    7 User Management and

    Authentication

    This chapter provides information related to user management and

    authentication.

    Authentication Model

    Service Manager supports the following authentication methods:

    Username and password authentication

    In an out-of-the-box default installation, HP Service Manager requires

    users to enter username and password credentials to gain access to the

    application. This basic authentication & authorization provider for HP

    Service Manager consists of a non-FIPS 140-2 compliant module that

    utilizes industry standard cryptography such as PBEWithMD5AndDES.

    LDAP authentication

    You can integrate HP Service Manager to an LDAP directory service to

    share contact information across your network.

    Trusted Single Sign-On (TSO)

    You can configure HP Service Manager clients to automatically log on

    using the same authentication information as users entered when they

    logged onto their client workstation's operating system. When you enable

    trusted sign-on, users bypass the Service Manager logon screen and

    directly enter the application.

    Lightweight Single Sign-On (LW-SSO)

    LW-SSO is optional but highly recommended for some integrations such as

    Release Control. Enabling LW-SSO for integrations will bypass the login

    prompts when connecting two HP products.

  • 29

    Common Access Card (CAC) Sign-On

    CAC sign-on enables users to log in to the web client directly with a

    smart card that stores a valid user certificate, and users only need to

    enter a card PIN, instead of a user name and password.

    Authentication Administration and

    Configurations

    For additional information on these options, please refer to the following

    White Papers available through the HP Service Manager Online Help Center

    or via HP Software Support Online:

    a. Integrating Service Manager with Directory Services using LDAP

    b. Setting up Single Sign-On in Service Manager

    c. HP Service Manager Online Help Center topics:

    i. Trusted Sign-On

    ii. Common Access Card (CAC) sign-on

    iii. Using LW-SSO with integrations

    Best Practice

    Service Manager Server comes out-of-the-box with demo data. This data includes

    demonstration operator (user) logins. This data is often used in proof-of-concept

    and demo scenarios for validating and evaluating product features. When

    implementing SM in a production environment, it is recommended to remove or

    delete the demo data, especially the out-of-box operators.

    Failure to do so will result in false-positive reports generated by security

    penetration testing software that is evaluating SM. Specifically, the false-positive

    reports may detect the presence of a weak default password policy. For additional

    information please refer to the following SM Online Help Center topics:

    Set password format restrictions

    Set password maximum lifetimes

  • 30

    In addition, it is recommended that in production environments, SM

    administrators take advantage of additional account security management

    features such as user account lockouts. For detailed information please see the

    SM Online Help Center topic, Lockout feature.

    It may be desirable in some cases to prevent SM operator (user) IDs from being

    viewable by all operators. To prevent the harvesting of SM operator IDs, it is

    recommended to perform the following steps whenever a link line in an SM format

    displays SM operator data:

    1. Find the link that the SM format in question uses.

    2. Open the link line for the field and set the QBE format to operator.nologinname.qbe.g

    3. Add the following lines in POST Expressions:

    a. $login.names1={opened.by in $L.source}

    b. $contact.names1=jscall("reportscheduleHelp.getContactName", $login.names1)

    4. Open the format using Format Designer and set the Value List and Display List values to: $login.names1 and $contact.names1.

  • 31

    8 Authorization

    This chapter provides information related to user authorization in HP Service

    Manager.

    Authorization Model

    Access to HP Service Manager resources is authorized based on the following user settings:

    o User role

    o Profile

    o Capability words

    o Max Logins

    o Session & Inactivity timer timeouts

    o Password expiration policy

    For full detail on the authorization model of SM, please refer to the SM

    Online Help Center topic, Controlling user access and security and the best

    practice whitepaper, HP Service Manager Processes and Best Practices Guide.

    Authorization Configuration

    For detailed information on authorization configuration, please refer to the

    best practice whitepaper, HP Service Manager Processes and Best Practices

    Guide and the following SM Online Help Center topics:

    Application setup

    Controlling user access and security

  • 32

    FAQ

    Question

    Can SM inherit user information and authorization profiles from an external repository, such as LDAP?

    Answer

    No.

    Question

    Is Role Management (access to different views and access and edit permission

    to separate parts) supported?

    Answer

    Yes.

    Question

    Does SM support limitations associated with user profiles and roles (for

    example, maximum number of group profiles, predefined profiles, and so on)?

    Answer

    No.

    Question

    Is Access Control supported at Field Level?

    Answer

    Yes.

  • 33

    9 Data Integrity

    The database server is used as a simple data store and is responsible for all

    persistent storage. While the database contains definitions describing

    business logic, no processing is actually performed in this tier, other than

    create, read, update, and delete (CRUD) operations in response to requests

    from the HP Service Manager Server. Referential integrity is enforced by the

    application, thereby protecting transactions. In addition, the database

    captures a complete audit log of all changes to data.

    For more information on the audit features of SM, please refer to the Online

    Help Center topic, Database record auditing.

    The data backup procedure is also an integral part of data integrity and

    while SM does not provide native backup capabilities, the following

    guidelines should be considered:

    Database backup is especially important before critical actions such as

    upgrades. See the SM Online Help Center topic, Service Manager

    documentation set Upgrade Documentation Center for details.

    Backup files should be stored properly according to the industry best

    practices to avoid unauthorized access.

    Since database backup can be a resource intensive process, it is strongly

    recommended to avoid running backups during peak demand times.

  • 34

    10 Encryption

    This chapter provides information on data encryption in HP Service

    Manager.

    TLS/SSL Data Transmission

    In production environments, Service Manager must be configured to use

    TLS/SSL to transmit data between the server and clients, as well as between

    the web application server and web browser so that data being transmitted is

    encrypted.

    For information on different TLS/SSL implementations for vertical and

    horizontal scaling environments and how to configure TLS/SSL in Service

    Manager, see the Server implementation options section and System Security

    section in the HP Service Manager Online Help Center system.

    For information on the TLS/SSL parameters of the Service Manager server

    and Windows and web clients, see the System Configuration Parameters

    section in the Service Manager Help Center.

    Encryption of stored database fields

    HP Service Manager uses proprietary algorithms when encrypting data

    stored in the database. For example, passwords for operators are stored using

    SHA-512, a one-way encryption algorithm. In production environments that

    require stronger encryption algorithms, SM offers FIPS 140-2 compliant

    encryption modules for enhanced security. Details about FIPS 140-2

    configuration can be found in the HP Service Manager Online Help Center

    topic, FIPS mode.

    The encryption key used to encrypt data in your SM system is stored in the

    sm.ini configuration file. The value of this encryption key may be modified.

    For details see the HP Service Manager Online Help Center topic, Change the

    encryption key value.

    SM clients (Web and Windows) use a two-way encryption process that utilizes

    PBE with MD5 and DES to secure user/operator passwords when

  • 35

    communicating with SM Server. In production environments that require

    stronger encryption algorithms, SM offers FIPS 140-2 compliant encryption

    modules for enhanced security. Details about FIPS 140-2 configuration can be

    found in the HP Service Manager Online Help Center topic, FIPS mode.

    Digital Signatures

    HP digitally signs Windows executable binaries such as sm.exe (SM Server)

    and ServiceManager.exe (SM Windows client) using Microsoft Authenticode

    technology. To view the details of the digital signature, right-click on the

    Windows executable, select Properties, and click the Digital Signatures tab.

    Select the Hewlett-Packard Company signature and click the Details button. Windows will verify if the digital signature is valid or not.

    In cases where your Windows operating system may not have the latest CA

    Root Certificates installed, the digital signature of the HP Windows

    executable (sm.exe and/or ServiceManager.exe) may display an error such as:

    The certificate in the signature cannot be verified.

    To resolve this issue, either enable Windows Update to download the latest

    updates available for your operating system or download and install the G5

    Root certificate as documented here:

    https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=SO19140

    Service Manager Server can be configured to secure outbound emails with an

    S/MIME signature. The recipients can verify the signature on their mail

    system (for example, Microsoft Outlook), to make sure that the email

    messages truly originated from Service Manager without being

    intercepted in transit.

    This feature requires that TLS/SSL be enabled for SMTP operations through

    the emailout parameter in the sm.ini file and an S/MIME keystore deployed

    in the Service Manager server's RUN folder. For details, see the topic Append an S/MIME digital signature to outbound emails.

  • 36

    11 Logs

    This chapter provides information related to logs.

    Log and Trace Model

    There are several types of logs generated by SM Server and Clients:

    Client logs

    o sm.log generated by SM Webtier client

    o .log generated by SM Windows (Eclipse) client

    Server log

    o sm.log generated by SM Server (RTE)

    Recommendations:

    Pay attention to the log level and do not leave tracing or debug

    parameters enabled unnecessarily.

    o The debug related parameters are fully documented in the HP Service Manager Online Help Center topic, Debugging parameters.

    Pay attention to log rotation/switching.

    o See the SM Online Help Center topic, Enable log switching for details.

    Restrict user access to the log directory. Ensure only those user IDs that

    need access to the log files can do so and disallow other user IDs.

    If logs archiving is needed, create your own archiving policy as HP

    Service Manager does not provide this feature.
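
The access restriction recommended above can be checked with a short audit of the log directory. This is an added example, not HP code; it assumes a POSIX host where access is governed by file mode bits, and the directory layout and the rotated file name sm.log.1 are constructed for the demonstration.

```python
import os
import stat
import tempfile


def audit_log_dir(log_dir):
    """Return (relative path, octal mode, reasons) for the directory and every
    entry below it whose mode bits grant access to 'other' users."""
    targets = [log_dir]
    for root, dirs, files in os.walk(log_dir):
        targets.extend(os.path.join(root, name) for name in dirs + files)
    findings = []
    for target in targets:
        if os.path.islink(target):
            continue  # link mode bits are not meaningful; audit the link target itself
        st = os.lstat(target)
        mode = stat.S_IMODE(st.st_mode)
        reasons = []
        if mode & stat.S_IROTH:
            reasons.append("world-readable")
        if mode & stat.S_IWOTH:
            reasons.append("world-writable")
        if stat.S_ISDIR(st.st_mode) and mode & stat.S_IXOTH:
            reasons.append("world-searchable")
        if reasons:
            findings.append((os.path.relpath(target, log_dir), oct(mode), reasons))
    return sorted(findings)


def build_demo_dir():
    """Constructed layout: one log left at 0644, one tightened to 0600."""
    log_dir = tempfile.mkdtemp(prefix="sm-logs-")
    for name, mode in (("sm.log", 0o644), ("sm.log.1", 0o600)):
        path = os.path.join(log_dir, name)
        with open(path, "w") as fh:
            fh.write("constructed sample line\n")
        os.chmod(path, mode)
    os.chmod(log_dir, 0o750)  # owner and group only
    return log_dir


if __name__ == "__main__":
    for rel_path, mode, reasons in audit_log_dir(build_demo_dir()):
        print(f"{rel_path}: mode {mode} is {', '.join(reasons)}")
```
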

  • 37

    FAQ

    Question

    Does SM provide tools to prevent unauthorized access to log files generated

    by SM Server and SM Clients?

    Answer

    No. However, through the use of standard security and access control

    lists/permissions available through the operating system where SM resides, it

    is possible to restrict access to only those users that require access to view the

    log files.

    Question

    Is the period of time that data in the log files is retained configurable?

    Answer

    Yes, see the SM Online Help Center topic, Enable log switching for details.

    Question

    Does SM support auditing for access and changes to application data?

    Answer

    Yes, see Chapter 8 Data Integrity of this document for details.

  • 38

    12 APIs and Web Services Security

    This chapter provides information on the authentication model and security

    considerations of HP Service Manager APIs and web services.

    Authentication Model

    HP Service Manager provides both a SOAP and a RESTful API framework.

    The RESTful API framework re-implements most of the functionality of the

    Service Manager SOAP implementation.

    Both the SOAP and RESTful API frameworks support the following

    authentication methods:

    HTTP Basic Authentication

    CAC (Common Access Card)

    TSO (Trusted Sign-On)

    LW-SSO (Light Weight Single Sign-On)

    For more information, see the Service Manager Web Services Guide, which is

    available from the Service Manager Online Help Center.

    Security Considerations

    The Service Manager server requires that each Web Service request provide a

    valid operator name and password combination. These must be supplied in a

    standard HTTP Basic Authorization header. The Web Service toolkits

    universally support this authentication mechanism. It is recommended to

    enable TLS/SSL if you are concerned about the possibility of someone using a

    network monitoring tool to discover passwords. Basic Authorization by itself

    does not encrypt the password; it simply encodes it using Base 64.

    Note: Only ASCII operator names are supported in Service Manager Web

    Service integrations. When Service Manager is handling an incoming Web

    Service request, the authorization string is decoded by BASE64Decoder.

  • 39

    Service Manager uses the decoded string value to construct a UTF-8 string

    that is used in the RTE. However, the authorization string is in the header

    and Service Manager does not know the charset or encoding of the underlying

    string value, which is BASE64 encoded. Therefore, if the underlying string

    value is not UTF-8, Web Service clients will fail to connect to Service

    Manager. In Service Manager, when fetching an operator from the database,

    no matter what collation the database uses, the operator finally will get a

    UTF-8 operator value. However, even if users put the same value in the

    authorization header, the operator name may differ because of the

    charset/encoding issue.
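
The two points above, that Base 64 is reversible by anyone who sees the header and that a non-UTF-8 operator name breaks the login, can be reproduced with the sketch below. It is an added example, not Service Manager code; the function names and the credentials are constructed, and the server side is modelled only as "Base64-decode, then read the bytes as UTF-8", as the note describes.

```python
import base64


def build_basic_header(operator, password, charset="utf-8"):
    """Header value a Web Service client sends; the charset is the client's choice."""
    raw = f"{operator}:{password}".encode(charset)
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic_header(header):
    """Server-side view as the guide describes it: Base64-decode the token,
    then build a UTF-8 string from the bytes. Raises ValueError if the
    header is malformed or the bytes are not valid UTF-8."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic Authorization header")
    raw = base64.b64decode(token.strip(), validate=True)  # binascii.Error is a ValueError
    text = raw.decode("utf-8")                            # UnicodeDecodeError is a ValueError
    operator, sep, password = text.partition(":")
    if not sep:
        raise ValueError("missing ':' between operator and password")
    return operator, password


def preflight(operator, password, charset="utf-8"):
    """Client-side check before calling the Web Service: list the problems
    that would break the login for this operator name and charset."""
    problems = []
    if not operator.isascii():
        problems.append("operator name is not ASCII")
    try:
        seen = decode_basic_header(build_basic_header(operator, password, charset))
        if seen != (operator, password):
            problems.append("server would see different credentials")
    except ValueError:
        problems.append("header bytes are not valid UTF-8")
    return problems


if __name__ == "__main__":
    # Constructed credentials, not taken from any real system.
    captured = build_basic_header("svc.integration", "Example-Passw0rd")
    print("on the wire:", captured)
    print("recovered  :", decode_basic_header(captured))  # no key is needed
    # "M\u00fcller" sent by a client that encodes headers as Latin-1
    print(preflight("M\u00fcller", "pw", "latin-1"))
```

Running the preflight check in integration tests catches a non-ASCII operator name before it shows up as an unexplained connection failure.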

    In addition to having a valid login, the operator must have the SOAP API or

    RESTful API capability word to access the Web Services. If the Web Service

    request does not contain valid authorization information, then the server

    sends a response message containing 401 (Unauthorized). If the request is valid, then the server sends a response message containing the results of

    your Web Services operation. The response message contains only the

    information the operator is allowed to see. The security settings of the user's

    profile, Mandanten security settings, and conditions defined in the Document

    Engine are maintained by all Web Services.

    When working with the Service Manager RESTful web services, keep in mind

    that SM returns output in a standard JSON format. As such, third-party

    clients that rely on this output must properly encode it into HTML such that

    it may be read or displayed successfully by your custom clients. Please note

    that Service Manager RESTful output includes the HTTP header below to

    prevent execution of JSON output:

    X-Content-Type-Options: nosniff

    SM Smart Analytics Server Recommendations

    When installing SM Smart Analytics Server, you are presented with

    numerous installation options. One of these options is to specify the Service

    Manager Server that is allowed to send administrative and query actions to

    the Smart Analytics server. Please ensure that you only specify the IP

    addresses or hostnames of the Service Manager Server.

    To review the current values of your installation, please open the

    AutonomyIDOLServer.cfg file in a text editor and verify the [Service] and

    [Server] sections contain the IP addresses or hostnames of your Service

    Manager Servers.
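
The review described above can be scripted as in the following added example, which is not part of the HP guide. The guide names only the [Service] and [Server] sections; the client-list parameter names (AdminClients, QueryClients, ServiceControlClients, ServiceStatusClients), the comment syntax, and the sample file contents are assumptions made for the illustration.

```python
import re

# Constructed sample, not a real installation.
SAMPLE_CFG = """\
// constructed sample configuration
[Service]
ServicePort=9002
ServiceStatusClients=*.*.*.*
ServiceControlClients=10.0.5.21,localhost

[Server]
Port=9000
AdminClients=10.0.5.21,sm-rte01.example.internal
QueryClients=10.0.5.21,10.0.9.*
"""

# Assumed names of the client-list parameters in each section (lower-cased).
CLIENT_KEYS = {
    "service": ("servicestatusclients", "servicecontrolclients"),
    "server": ("adminclients", "queryclients"),
}


def parse_sections(text):
    """Minimal INI-style parser: {section: {key: value}}, names lower-cased."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("//", "#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


def audit_clients(text, allowed):
    """Flag client-list entries that are wildcards or are not one of the
    Service Manager servers in `allowed`. Absent keys are not reported."""
    allowed = {a.lower() for a in allowed}
    sections = parse_sections(text)
    findings = []
    for section, keys in CLIENT_KEYS.items():
        for key in keys:
            value = sections.get(section, {}).get(key, "")
            for entry in filter(None, re.split(r"[,\s]+", value.lower())):
                if "*" in entry or "?" in entry:
                    findings.append((section, key, entry, "wildcard"))
                elif entry not in allowed:
                    findings.append((section, key, entry, "not a listed SM server"))
    return findings


if __name__ == "__main__":
    sm_servers = {"10.0.5.21", "sm-rte01.example.internal"}
    for finding in audit_clients(SAMPLE_CFG, sm_servers):
        print(finding)
```
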

  • 40

    For additional details, please see the HP Service Manager Smart Analytics

    Administrators Guide available via the HP Software Support Online (SSO) website.
