Remedy with Smart IT: How to encrypt Remedy Application Service password in Smart IT 20.02 with Windows Authentication

Knowledge Article

Article Number

000371029

Old Article Number

Article Type

FAQ/Procedural

Title

Remedy with Smart IT: How to encrypt Remedy Application Service password in Smart IT 20.02 with Windows Authentication

Summary

Customer planned to change Remedy Application service password because upgrade was done by some user & customer required to set complex password.

Product

Remedy with Smart IT

Component

Remedy with Smart IT

Applies to

SmartIT 20.02 version onwards

Question

Smart IT requires the Remedy Application Service (RAS) Password to connect with AR Server. If for some reason the RAS password changed, how can the new password be encrypted before updating it in Smart IT's 'SmartIT_System.CONFIGURATION_PARAMETER' and 'SmartIT_System.PROVIDER_SETTINGS' tables?

Answer

This knowledge article may contain information that does not apply to version 21.05 or later which runs in a container environment. Please refer to Article Number 000385088 for more information about troubleshooting BMC products in containers.

For Smart IT versions up until 19.08:

Use the Smart IT Maintenance Tool utility to encrypt the RAS password - this utility is available on the Smart IT Server under '<SmartIT InstallDirectory>/SmartIT/SmartITMaintTool'.

Once encrypted, copy the contents of the Encrypted Password field and place it in below locations of the Smart IT database:

Smart IT Database table SmartIT_System.CONFIGURATION_PARAMETER for column NAME = 'connect.arsystem.password'
Smart IT Database table SmartIT_System.PROVIDER_SETTINGS for KEY 'system.user.password'

For Smart IT version 20.02 and above:

The Smart IT Maintenance Tool should no longer be used to encrypt the password. The utility still has the 'Encrypt'-tab as in the screenshot above, but pressing the 'Encrypt' button does not result in an encoded password in the 'Encrypted Password' field. If you would start the utility from the command line, you would see this error when using the Encrypt button:

Encrypt Exception : java.security.InvalidKeyException: No installed provider supports this key: (null)

You should also not use the Maintenance Tool of a lower Smart IT version to encrypt the password.

For Smart IT 20.02, the new Password Encryption Utility should be used to encrypt the RAS password. This utility can be found on the Smart IT Server in the following location:

<SmartIT InstallDirectory>\SmartITCustomizationUtil\password-encryption-9.1.10.000-BUILD-SNAPSHOT\password-encryption

Example command line for Windows:

passwordencryptdecrypt.bat "DATABASE_VALUE" "SMARTIT_DB_HOST_NAME" "SMARTIT_DB_PORT" "SMARTIT_DB_NAME" "SMARTIT_DB_SYSTEM_USER" "SMARTIT_DB_SYSTEM_PASSWORD" "ALWAYS_ON" "PASSWORD_TO_ENCRYPT_OR_DECRYPT" "ENCRYPT/DECRYPT"

Where:

DATABASE_VALUE : Database type - select from (mssql/oracle/postgres)
SMARTIT_DB_HOST_NAME : Smart IT Database Hostname or IP address
SMARTIT_DB_PORT : Database port
SMARTIT_DB_NAME : Smart IT Database name
SMARTIT_DB_SYSTEM_USER : Name of System user for Smart IT
SMARTIT_DB_SYSTEM_PASSWORD : System User password
ALWAYS_ON : Applicable to MS SQL only (Provide Yes/No) - for other DB types, this setting is ignored but a value must still be provided (see notes below)
PASSWORD_TO_ENCRYPT_OR_DECRYPT : Provide the password you want to encrypt or decrypt
ENCRYPT/DECRYPT : Provide value ENCRYPT for encryption and DECRYPT for decryption

Notes:

Parameters in above command may not always need to be in double quotes, however if there is space in any parameters, it must be entered in double quotes -> ""
While the ALWAYS_ON parameter is applicable to MS SQL only, a (Yes/No) value needs to be provided for other database types as well (but will be ignored). If no value is specified, the following error will be thrown:

Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: 8
at com.bmc.smartit.EncryptDecryptPassword.main(EncryptDecryptPassword.java:51)

In case you receive the following error when running the utility, then make sure to set the JAVA_HOME variable and point it to the JRE install path before relaunching the command:

Error: "JAVA_HOME environment variable is not defined"

!! Password Encryption Utility when Windows Authentication is used for the Smart IT database !!

The Password Encryption Utility needs to connect to the Smart IT database to retrieve the encryption key (stored in the 'SmartIT_System.CONFIGURATION_PARAMETER' table) to use during the encryption.

The current version of the encryption utility does not support databases using Windows Authentication and you may see the following error when running the encryption command:

com.microsoft.sqlserver.jdbc.SQLServerException: Login failed for user 'SmartIT_System'. ClientConnectionId:68a22f8a-3707-499a-b1ac-f1b58564c1f6
at com.microsoft.sqlserver.jdbc.SQLServerException.makeFromDatabaseError(SQLServerException.java:217)
..
..
at com.bmc.smartit.EncryptDecryptPassword.main(EncryptDecryptPassword.java:96)
Error getting connection plase check db parameters

An Enhancement request is raised for this to have the Password Encryption Utility support Databases with Windows Authentication.

How to overcome this current limitation of the utility for Windows Authentication?

In case the utility is used to encrypt the RAS password to be stored in the 'SmartIT_System.CONFIGURATION_PARAMETER' table (where the password always needs to be entered in encrypted format, plain text will not work), please contact BMC Customer Support who can provide a workaround to encode the new password.
Along with 'SmartIT_System.CONFIGURATION_PARAMETER' value of connect.arsystem.password having the new encrypted password, also ensure the new encrypted password is updated for system.user.password in PROVIDER_SETTINGS table.
In case the utility is being used to encrypt the Smart Reporting (siadmin) password (to store in the reportingServerPassword parameter in Smart IT Centralized Configuration: com.bmc.arsys.smartit -> '*')
- Option 1: Add the password in plain text in Centralized Configuration (CCS) and restart the Smart IT service
- Option 2: In case it is not acceptable to add the password in plain text in CCS, contact BMC Customer Support who can provide a workaround to encode the password

Attachment(s):