Skip navigation
1 2 3 Previous Next

Remedy AR System

67 posts

BMC is excited to announce general availability of new Remedy releases as part of our Fall 2017 release cycle:

  • Remedy 9.1.04  (incl. Remedy AR System, CMDB, ITSM applications, Smart Reporting, Remedy Single Sign-on)
  • Remedy with Smart IT 2.0.00
  • BMC Multi-Cloud Service Management 17.11


Here is excerpt of platform specific improvements.


With Remedy platform version 9.1.04, BMC delivers a rich set of platform-related improvements that help Remedy on-premise customers reduce cost of operations and administration for their Remedy environment.


Significant improvements to the Zero Downtime Upgrade capability for the Remedy Platform

9.1.04 delivers significant improvements to the Zero Downtime Upgrade capability for the Remedy Platform: Several manual steps of the process have been automated. If, for some reason, the platform upgrade fails, the platform components and the file system are rolled back to the earlier version. All these enhancements allow customers to safely perform in-place upgrades of the Remedy platform without impact on the overall Remedy ITSM service. This recorded Connect with Remedy webinar session about Zero-Downtime Upgrades provides additional insight into the approach.


Efficient Patching/Hot-fix of Remedy with Deployment Manager

Starting with version 9.1.04, customers can now use the Remedy Deployment Application to easily deploy new Remedy platform patches and hotfixes into their Remedy environment, including new binaries. Remedy administrator no longer have to run patch installers on each server of a server group across multiple environments (Development, QA, and Production) to deploy new binaries. Platform patches are now delivered as deployable packages. When a Remedy administrator deploys such a package on a primary server in a server group, the changes / new binaries provided through the patch or hotfix are applied on all the secondary servers automatically.  Please note that there are also a number of other enhancements in the Remedy Deployment Application v9.1.04.


Centrally enable logging in a Remedy server group environment

Last but not least, Remedy 9.1.04 also makes it easier for Remedy administrator to centrally enable logging in a Remedy server group environment, reduces CPU resource usage on mid-tier server by 50%, and informs users of the mid-tier UI about an upcoming session timeout.


Additional Utilities - Remedy Server Group Administration Console

In support of the new Remedy 9.1.04 release, the Remedy product team also release a number of value-add utilities to the BMC Communities. These are unsupported at this time, but BMC will evaluate based on customer feedback whether to include it in the standard product at a later time.


Some references to additional information about this release:



Also check this blog by Peter Adams for details of other enhancements as part of Remedy 9.1.04 release - Remedy Fall 2017 Release (9.1.04): BMC Continues to Innovate ITSM with New CMDB User Experience, New Cognitive Capabilities in Remedy and New Multi-Cloud Service Management


Thank you for your continued support of the Remedy family of products and we look forward to updating you on more innovative product enhancements in the coming months.


Enjoy the year end and have a great start into 2018.


Rahul Vedak

Remedy Product Manager


The Remedy product management team is looking forward to giving attendees of the T3:Service Management and Automation Conference an opportunity to join onsite customer advisory sessions about specific topic, where you can give direct input to the planning process for the Remedy platform and the ITSM applications.


As room capacity at the conference site is limited, we’re trying to assess, which topics are of biggest interest to our customers. We’ll use this feedback to select, which advisory sessions we’ll organize at the event. If the time at the conference is not sufficient to come to a conclusion, we may continue to the discussion after the conference with virtual sessions.


Please let us know, which topics you are interested in providing feedback on by filling out a 2-min survey at


Thanks, Peter


BMC is proud to be the flagship sponsor for the upcoming T3: Service Management & Automation Conference, taking place during the week of Nov 6, 2017 at the Palms Casino & Resort in Las Vegas. T3: Service Management & Automation Conference - November 06 - 10, 2017 - Las Vegas, Nevada


If you did not make it to BMC Exchange New York City, not to worry, T3 will cover all the DSM topics which was shared there, in addition to 140+ tech sessions including Hands on Labs!


This year’s conference is being put on by T3 to provide an interactive, educational experience for attendees looking to gain mindshare and hands-on views to the latest best-of-breed technologies. This conference will be focused on giving you an in-depth, technical view with valuable training to help you succeed in your roles and accomplishing your business needs!


As the Flagship Sponsor, BMC will have a strong showing at the conference with VIPs, engineers, support technicians, product managers, marketing/sales representatives, and more on site.

•   Come see what is new in Remedy, BMC Innovation Suite, BMC Digital Workplace, BMC Discovery, BMC Remedyforce, BMC Track-It, BMC Client Management, BMCFootprints, TrueSight & more, to include products from vendors such as Numerify, RRR, Mobile Reach, RightStar, Fusion, Partner IT, Scapa Technologies, CyberTrain & RMI Solutions.

•   Come learn more about your products, as well as the latest trends in tools, training and technology, in a variety of breakout sessions to include many hands-on labs.

•   Come listen to our awesome Keynote speakers at the opening and general ceremonies.


There are lots of opportunities to network with BMC and non-BMC personnel who focus on a variety of products, as well as, spend an Evening with the Experts to talk about any of the questions you may have about Remedy platform. In addition, there'll be lots of opportunities to talk to the Remedy product management team about needs of your organization. See separate blog post about customer advisory meetings. If you are interested in a 1:1 meeting with product management team, please work with your BMC or partner sales contact to arrange that.



Register for the T3 Conference at:


We're collection information about use of Crystal Reports with Remedy.


If your organization currently uses Crystal Reports, we'd like to ask you to fill out this very brief survey:

Crystal Reports and Remedy Survey


Thanks very much in advance,


Peter Adams


Just sharing one tip with ARS. A known solution to known problem.

In case if you have  AR Server running on Windows. And if its service stops working due to java updates – you need to make changes (as per new JRE) at below mentioned locations.


  • Update java/jvm path at below location in registry on given system

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\BMC Remedy Action Request System Server <host name>\Parameters


  • Edit <AR Server Install Dir>\arserver.config and update jvm search path (set the upgraded JRE version)


     # JVM search paths (number indicates search order)\Program Files\Java\jre1.8.0_141\bin


  • Edit <AR Server Install Dir>/Conf/armonitor.cfg and update all hardcoded java paths.

In this third post on encryption we're going to show how to enable SSL between an AR System server and its Oracle database.  In previous posts we've seen how to use Oracle's native encryption and SSL with Microsoft SQL Server. The process we're going to follow is similar to the latter.


Again, the high level steps are:


  • obtain a certificate
  • configure the database to use the certificate
  • import the certificate on the client
  • configure the AR System server to use SSL


Oracle databases store their certificates in a set of files called a wallet so, unless you have an existing wallet, we need to create one.  As with most of these steps there are multiple ways to do this.  We could use the Wallet Manager GUI but we're going to stick to the command line and use the orapki utilty:


Create a new wallet with the auto-login property set:


c:\app>orapki wallet create -wallet c:\app\db_wallet -auto_login


We're prompted to enter a password to secure the wallet and I've used password1.  The directory listing shows the files created in the db_wallet directory which will be created if it does not already exist.


We now have an empty wallet to which we need to add a certificate.  As this is a test we'll create a self-signed certificate and add it with one command:


c:\app>orapki wallet add -wallet c:\app\db_wallet -dn "cn=clm-pun-013056,cn=bmc,cn=com" -keysize 2048 -validity 365 -pwd password1 -self_signed

c:\app>orapki wallet display -wallet c:\app\db_wallet -pwd password1


We've used the host name for the -dn option, specified a key length of 2048 bits and validity of a year.  The second command lists the contents of the wallet so that we can confirm that our certificate has been added.


Note that both user and trusted certificates called CN=clm-pun-013056,CN=bmc,CN=com were created and it is the latter that we will export so that it can be used on the AR System server.


Export the certificate to a file called db_CA.cert:


c:\app>orapki wallet export -wallet c:\app\db_wallet -dn "cn=clm-pun-013056,cn=bmc,cn=com" -cert c:\app\db_wallet\db_CA.cert -pwd password1


We've prepared the certificate but we still need to configure Oracle to use it.  To do this we need to edit two files in the ORACLE_HOME\network\admin directory, sqlnet.ora and listner.ora, and add these lines to both of them:






      (DIRECTORY = C:\app\db_wallet)





This specifies the location of the wallet and sets an option to show we're just using encryption, not authentication.


We also need to configure the listener to add a port that the database will use for SSL connections.  In the LISTENER section of the listener.ora file we add:


    (DESCRIPTION = (ADDRESS = (PROTOCOL = TCPS)(HOST = clm-pun-013056)(PORT = 2484)))


Note the protocol is TCPS and we've picked port 2484 which is commonly used.


Finally we need to restart the listener process so that it picks up the changes:



That completes the database setup, the listener output shows we're ready to receive SSL connections on port 2484.


The next step is to copy the certificate that we exported earlier to the AR Server system and add it to the Java cacerts file so that the Oracle JDBC driver can use it.  These steps are similar to those we used for MS SQL.  The certificate file is called db_CA.cert and it has been copied to c:\temp.


Open a command prompt and cd to the jre\lib\security directory of the Java instance that the AR System server is using.  There should already be a cacerts file in this directory, this is the default certificate store used by Java, and we're going to add our certificate to it with the keytool command:


C:\Program Files\Java\jre1.8.0_121\lib\security>..\..\bin\keytool -importcert -file c:\temp\db_CA.cert -alias dbcert       -storepass changeit -noprompt -keystore cacerts



We're almost done, all that is left is to configure the Remedy server to use SSL when connecting to the database.  A typical Remedy server configuration for an Oracle database includes these settings:


Db-Host-Name: clm-pun-013056

Db-Server-Port: 1521

Oracle-Service: orcl


On startup the server uses these to create a JDBC connection string using the format:




When using SSL the PROTOCOL setting needs to be changed from TCP to TCPS.  However, before 9.1 Service Pack 2, there was no way to modify this connection string to do this.  This release introduced a new configuration option called Oracle-JDBC-URL which can be used to provide the full connect string.  If this option is present it is used instead of the one derived from the settings above.  To configure our Remedy server we need to add this option with the appropriate values.  So, the new setting in our ar.cfg/ar.conf will be:


Oracle-JDBC-URL: jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=tcps)(HOST=clm-pun-013056)(PORT=2484))(CONNECT_DATA=(SERVICE_NAME=orcl)))


The original settings can be left in place as they are ignored when the new option is set.  Switching between SSL and plain text connections is simply a case of commenting out this new option.


Restart the AR System server and we now have an encrypted connection between the server and the Oracle database.  To verify that this is the case we can use the tcpdump or Wireshark tools as detailed in the earlier posts.  Looking at the packets we'll see that the contents are all binary data and no plain text is present. 





We've now looked at three different ways to encrypt data as it is transferred between Remedy and the database.  In each case I've tried to cover the minimum steps required to enable this feature, each one offers many more configuration options, and you can find additional details in the links at the end of the articles.


I hope the information is useful and I welcome suggestions for other topics that would be of interest to the Remedy community.  Please use the comments section below or send me a message with ideas.


Further Reading


Trending in Support: Encrypting Data Between AR Servers and Oracle Databases

Trending in Support: Enabling SSL Encryption for AR to MS SQL Database Connections with Remedy 9.1 SP2 and Later


SSL With Oracle JDBC Thin Driver Advanced Security Configuration

HOW TO: Setting up Encrypted Communications Channels in Oracle Database


Feedback and corrections are always welcome in the comments section below.


Mark Walters


Read more like this -  BMC Remedy Support Blogs

Matthias Minden

Disable IPv6

Posted by Matthias Minden Jun 1, 2017

We currently don't use IPv6 but discovered that the application (java) still wants to use IPv6 even when disabled at the O/S level.  We edited the arconfig file on the server(s) by adding the following to the java entries

     <your java path> -



You can also add these settings to the Developer Studio and Data Import Tool .ini files also!


This post shows how to use a new configuration option, added in AR System Server 9.1 Service Pack 2, to enable encryption of the data moving between a Remedy server and its Microsoft SQL Server database.  In an earlier post (Trending in Support: Encrypting Data Between AR Servers and Oracle Databases ) we saw how to enable Oracle's native encryption for these connections but, this time, we're going to be using SSL.  Microsoft have documentation on their website that describes how the feature is implemented.


Using SSL Encryption | Microsoft Docs


There are several steps necessary to prepare the environment before encryption can be enabled.  At a high level these are:


  • obtain a certificate
  • grant SQL Server access to the certificate
  • configure SQL to use the certificate
  • import the public certificate to the Java instance used by the AR System server
  • enable encryption on the AR System server


If you're configuring a production environment that requires this additional level of security you have probably already obtained an SSL certificate from one of the available commercial certification authorities.  However, for our tests, we're going to use a simple, self-signed, certificate.  There are a number of different ways to generate these but, as we happen to have IIS installed on our SQL Server machine, we'll use that.  Simply start the IIS Manager, goto Server Certificates and right click Create Self-Signed Certificate:



Enter a name and choose a Personal certificate.


Now that we have a certificate we need to make it available to our SQL Server instance.  Start by finding the account name used to run SQL. One way to do this is via the SQL Server Configuration Manager, check the Properties for the selected instance:



Note the Account Name and then launch the MMC management console and add the Certificates snap-in for a Computer Account:



  • in MMC, go to Certificates (Local Computer) > Personal > Certificates

  • the certificate should be listed there (you may have to import it if you did not use IIS to create it)

  • right click > All Tasks > Manage Private Keys

  • add the service account for your instance of SQL Server

  • give the service account Read permissions


While we're here we also need to export the certificate so that it can be imported on the AR System server machine later:


  • right click on the certificate > All Tasks > Export > Next
  • choose No, do not export the private key > Next
  • choose DER encoded binary X.509 (.CER) > Next
  • enter a file name (e.g. export.cer) noting where it is saved


The final step on the SQL Server machine is to configure SQL to use the certificate with the SQL Server Configuration Manager again:



  • start SQL Server Configuration Manager
  • go to SQL Server Network configuration
  • select your instance
  • right click > Properties > Certificate tab
  • choose the certificate from the list
  • restart the SQL service


We're finished with the SQL Server machine, the rest of the work is done on the AR System server host.


Start by copying the exported certificate file (which we called export.cer) created above to the system.  Then, open a command prompt and cd to the jre\lib\security directory of the Java instance that you are using to run your AR System server.


There should already be a cacerts file in this directory, this is a default certificate store used by Java, and we're going to add our certificate to it with the keytool command.



With the commands shown above we:


  • imported the certificate with an alias of arkey using the default store password of changeit
  • listed the certificate to verify it was imported


The final step is to enable the AR System server to use the certificate and encrypt traffic between itself and the database.  To do this we need to make use of a new configuration parameter that was added in 9.1 Service Pack 2 called Db-Custom-Conn-Props:  This allows us to pass one or more key=value pairs to the database driver using a semi-colon separated list.  For example:


Db-Custom-Conn-Props: key1=value1;key2=value2


This option was added in 9.1 SP2 to provide a way for administrators to specify the additional configuration options required for the JDBC driver when enabling features such as encryption.  We'll make use of it again when we look at SSL for Oracle databases in a future post.


Before we move on let's confirm the current state of the data flowing to and from the database.  In the earlier Oracle post we used tcpdump to snoop on the network traffic.  We're going to do the same here but with the graphical Wireshark utility.  This next picture shows some of the data packets coming from the database and we can see that there is plain text legible in their contents:



The above is some of the data being returned when selecting the User form record for the sample user Allen.  The full name and email address are there, along with the start of the list of groups that Allen is a member of.


To enable encryption we need to stop the AR System service add this line to our ar.cfg file;


Db-Custom-Conn-Props: encrypt=true


and then restart the service.  We could also have used the Centralised Configuration forms to add this to our server before restarting.


Now, when we look at the Wireshark captured data, we can immediately see a difference:



Note that the Info column is showing TLS traffic and the packet payload data is no longer in plain text - an encrypted connection!


We've deliberately glossed over some of the complexities that may be required in non-test environments such as:


  • using commercial SSL certificates
  • using alternative Java keystores
  • additional Db-Custom-Conn-Props options that may be need for different SSL configurations such as different keystore locations and passwords


but I hope that this shows that, with 9.1 Service Pack 2 and beyond, AR System server to database encryption is now supported when using Microsoft SQL databases.





Thanks to The Data Specialist blog post for details of configuring SQL Server with a self-signed certificate.

Using a self-signed SSL certificate with SQL Server | The Data Specialist


Further Reading


Using SSL Encryption | Microsoft Docs

Wireshark · Go Deep.



Feedback and corrections are always welcome in the comments section below and, if you have a suggestion for a technical post related to Remedy AR System, please drop me a message via the Communities.


Mark Walters


Read more like this -  BMC Remedy Support Blogs


Regular news coverage of data security breaches has made organisations increasingly aware of the importance of securing the data they own and manage.  As a result, one question that we're beginning to see more often in support is "How do I encrypt the data travelling between my AR server and database?".  The two databases supported by Remedy 9.x servers are Microsoft SQL and Oracle and both have options to provide this type of encryption.  This post covers one way to do this with Oracle; a later post will look at an alternative for this database and Microsoft SQL.


The architecture of a basic AR System installation looks something like this;



Data has multiple steps to take as it travels back and forth between clients and the storage medium used by the database server.  There are options available to encrypt that data during all of the steps but the one we’re focusing on in this post is highlighted in red on the diagram, the step between the AR System Server and an Oracle database.  Often these two servers are on separate machines so the data has to travel over a network and, by default, this transfer takes place in plain text.


To confirm that the data is being passed this way, and that after encryption has been enabled it is no longer in plain text, we’re using a test environment with a version 9.1 AR System Server running on Linux connecting to an Oracle 11g database running on Windows 2012.  We will monitor the network traffic travelling the AR and database servers to see what it looks like before and after the changes to turn on encryption.


Logging on to the Linux system we can use one of the many tools available to capture and display network traffic - in this case it’s tcpdump.  The command below will display the traffic flowing between the AR and Oracle servers in this environment.



To generate some traffic between the systems we use a User Tool client and start looking at records in the User form.  As different records are selected the tcpdump output shows the data being retrieved from the database.



As we can see there is information in the network traffic that can be read.  The screen shot above shows the data for user the Allen, including the full name, email address and a list of group IDs/groups.


If the tcpdump command is left running other legible data will be seen.  SQL statements for example;



Oracle offers both native and SSL options for encrypting the data between a client and the database server, details are available in many places on the web, one such example is here - ORACLE-BASE - Native Network Encryption for Database Connections. 


We’re going to use the native option as it does not require any changes to the client, simply some configuration settings on the database server.  The process for enabling this type of encryption is documented here - Configuring Network Data Encryption and Integrity for Oracle Servers and Clients.


One way to make the changes is to edit the Oracle sqlnet.ora file using a text editor but we’re going to use the Net Manager utility that is installed as part of the database software.


On the database server system launch the Net Manager tool and click on Profile in the tree window.  Select Oracle Advanced Security in the drop down menu and then the Encryption tab.



This is where the various encryption options are selected.  They are all covered in the link above and for this test we use these settings;


Encryption Type:          requested

Encryption Seed:          secretword

Selected Methods:         AES256




Select Save Network Configuration from the File menu and quit Net Manager.


We have now enabled encryption on the database server.  The options we have set request that encryption be enabled if the client supports it and we have specified a seed and algorithm to be used.


If we now go back and repeat the tcpdump test above what do we see?  When we select another user record, Bob's for example;



That doesn't look good - the data is still visible in plain text.  This is because the encryption configuration change is only picked up when a client first connects to the database, so a restart of the AR System Server is required.  Once this is done the test is repeated and the network traffic looks a little different;



The data is no longer in plain text – it is encrypted.  A positive step forward in an increasingly security conscious world!


I’m not sure how widely known this feature of Oracle is but, as we have shown, with a simple change on the database server and a restart of AR, it is possible to encrypt the traffic between these systems.  No changes are necessary on the AR System Server and this should work with any version of AR as it is a feature of the Oracle database and client software. 


In a future post I’ll look at how AR to database encryption can be enabled using SSL with both Oracle and Microsoft SQL.




Many thanks to Martin Rosenbauer for his feedback that led to this article.



Further Reading


A tcpdump Tutorial and Primer with Examples



Feedback and corrections are always welcome in the comments section below and, if you have a suggestion for a technical post related to Remedy AR System, please drop me a message via the Communities.


Mark Walters


Read more like this -  BMC Remedy Support Blogs


When I talk about the advantages of using the REST API, I usually talk about REST-based web services and compare this to SOAP-based web services. And there are a lot of advantages to using the REST API: there’s no need to define a web service since it’s always there, the interaction with the interface is a lot easier since the requests are a lot smaller, but most of all it’s intuitive. I often find that SOAP is a complex mechanism which can be challenging to use.


But that’s only a problem if you’re planning to handle the communication yourself. Say, you’re building an application in Java or need to get data to a different system that runs on PHP, in that case the REST-based web service is the obvious choice since all you’re doing is sending and receiving simple HTTP requests and responses.


ws soap.pngSo is there any need for SOAP at all? I’d argue there is. A SOAP-based web service uses the WSDL to describe in detail how everything works. That includes how the request should be formatted, what operations are on offer and what the response should look like. This means you know everything prior to starting your request. These are usually considered added complexities, but if you use an application that handles all of this for you, this doesn’t really matter that much. Because that’s where I see the added value of SOAP-based web services: if you use an application that can deal with the information in the WSDL and interpret it for you it’s actually easy to use.


Doing the same thing with REST-based clients is a lot trickier. A REST client acts a like a generic client and enters a REST service with little knowledge of the API, except for the entry point. An application might find it difficult to predict all those details that SOAP would store in the WSDL.


One such client is Remedy. When we consume a web service, we act as a SOAP client. During the design phase we read the WSDL file and allow the developer to simply map the fields to the XML elements. The system takes it from there. You don’t have to be concerned with creating SOAP requests, reading the WSDL file, etc.


I think SOAP-based web services work particularly well in a setting where the application can easily interpret the web service. If you have that available and there’s no need to do any coding, SOAP is probably a better choice. To learn more, attend my session, Session 233: Getting the Most out of Your Web Services Integration, at BMC Engage where we’ll be looking at SOAP-based services and REST-based web services.


Hope to see you there,




Don't forget to follow me on Twitter!


BMC Remedy AR System 9.1: Basic Development

For developers! *BMC Remedy AR System 9.1: Basic Development* training offered in July, August and September!!

Gain the knowledge and skills to take full advantage of all that Remedy AR System 9.1 has to offer.


Register now for one of the following instructor-led classes (includes hand-on lab and ebook):


If you have multiple students, contact us to discuss hosting a private class just for your organization.


Details here, or contact Tom Hogan for EMEA training and Brian Hall for AMER training.


Course Overview

This course combines classroom instruction with laboratory exercises to guide students through basic development using Developer Studio. They will leave the course with enough development experience to take a course on how to customize ITSM applications. The lab exercises contain scenarios that simulate real world requirements. By the end of the course, the student will have built deployable applications, forms, and workflow.


Course Objectives

» Create custom objects using Developer Studio

» Set object permissions
» Explore form definitions
» Create active links, filters, and escalations

» Create active link and filter guides
» Explore tables and workflow related to tables

» Understand how to deploy an application



Elaine Miller Geoff Bergren Terri Lawrence Dirk Braune Brian Rock Heather LeventryMarike Owen Tom Luebbe Crystal Mendell Mario Rivas Mahesh Argade Paul CutsuvitisGary Bersh Thomas Hogan Brian Hall Jon Rendle Rayemond Newman Dave GilesKim Wharton susie clare Fabienne de Beaufort sara hepner Antoinette Kaftan-KaemerowErwann Nedele


I’ve written a fair bit about web services before. There’s an article explaining how to analyse problems when consuming SOAP web services, how to read the logs and one of my more recent articles was about how to use the REST API. But I’m going to write a bit more about web services, it is after all one of my favourite subjects these days.


You see, I like SOAP. But apparently I’m a bit of an exception, but what I like about SOAP is the thoroughness. It might not always be the easiest to figure out, but if you know how to read it, the WSDL will tell you exactly what services are on offer, what your requests should look like and what you can expect back. As long as you stick to the rules, nothing can go wrong. What are my operations? Check the WSDL. What should the namespace look like? Check the WSDL. What does my SOAP response look like? Check the WSDL. See, you can’t go wrong.


But it’s the rules part that does tend to make it a bit overbearing. I frequently work on problems where there’s disagreement with regards to the exact interpretation of the WSDL. Minor things mostly, but that’s the big weakness of SOAP-based web services. If you don’t stick to the rules 100% all the time it’s not going to work.


Don’t believe me? Check this SOAP request:



It’s an external web service which is consumed with ARS, this is the error that’s returned:



It’s not a particularly helpful error but after a thorough review of the WSDL I realised the namespace for the attributes was wrong. The SOAP request should look like this:



I know that’s correct because the WSDL tells me exactly what the SOAP request should look like:



Notice the attribute element which itself has two attributes (name and form). The element form has a value of unqualified. Here’s what this means:

  • Qualified: indicates that this attribute must be qualified with the namespace prefix and the no-colon-name (NCName) of the attribute
  • Unqualified: indicates that this attribute is not required to be qualified with the namespace prefix and is matched against the (NCName) of the attribute.


So this would result in: <Customer id='value' /> or possibly: <ns0:Customer id='value' />


We could argue that is not required means that it’s optional, but the fact that they specifically set the attribute form to unqualified can be seen as an indication that the web service does not accept the namespace for the attribute.


Frustrating isn’t it? That tiny detail gave me a lot of headaches and it prevented the whole integration from working. And you really have to get into the details of the WSDL to understand what’s going wrong. Hey I said I like SOAP, I don’t love it.


But I must confess, I absolutely love REST. Yes, I am a true believer in the principles of REST. I love the way it takes advantage of the strengths of the architecture of the web, I love its focus on simplicity, on readability.


I’m not going to get into too much detail into the principles of REST, what I want to look at is how the implementation of a REST-based web service different from SOAP. The principles of REST-based web services are based on a more intuitive way to communicate with another machine. The result is a simpler interface with simpler requests and responses that are easier to read and understand. Consider the following SOAP request:


blog5.pngThere’s quite a lot to it and although we’re retrieving data we’re still using the HTTP method POST. Compare that to a request to a REST-based web service which accomplishes the same thing:



So now we’re GETting data. The URL makes a lot more sense as well and compared to the SOAP request is a lot easier to read.


One of the principles of a REST-based web service is that you don’t require prior knowledge of the web service other than its base URL. BMC’s implementation isn’t true RESTful in that sense as you do need some information to get you started. You need to know how to login and logout and you do need some degree of familiarity of the format of the requests. But other than that it’s really easy to use.


I think SOAP lends itself quite well for communication where two machines are already able to deal with SOAP’s complexities. ARS for example allows you to consume an external SOAP-based web service and it’s just a matter of mapping the elements to the various fields and integrating this in the workflow. You don’t really have to deal with the interpretation of the WSDL or the construction of SOAP requests. ARS does it for you, and unless something goes wrong the web service integration works perfectly.


But if you want to integrate with ARS using a programming language, REST is the better choice. For example, if you use Java and you’re interacting via SOAP there’s quite a lot to it. You can of course just hardcode the whole HTTP request but if you want to do it properly you need rely on an external library like AXIS. There’s nothing wrong with that but it does suddenly get quite complicated. Considering you only want to send small requests to check a status or to get a record, you need a lot of code to get this to work.


That’s where REST’s strengths come in, because using the REST API it suddenly gets a lot easier to do. Since we don’t have to follow the strict rules specified in the WSDL and since the requests are lot smaller it’s actually quite easy to get stuff done. Other than the usual networking libraries I don’t need any 3rd party libraries or frameworks to interact with the system, and since the API is intuitive it’s a lot easier to construct my requests.


Want to know more? I'll be talking about this at Session 233: Getting the Most out of Your Web Services Integration at BMC Engage. We’ll have a detailed look at SOAP, REST and of course at how you’d actually implement all of this. Join me there to learn more!




Don't forget to follow me on twitter!


Some Customers are asking us if AR Server / Mid-Tier is affected by the following Apache Struts vulnerability.


Apache Struts is not used by any version of AR Server / Mid-Tier.

Hence the Apache Struts vulnerability mentioned above or any other Apache Struts vulnerability does not affect AR Server / Mid-Tier.


--- Abhijit Rajwade

BMC Software


Remedy 9 Icon.jpg


April of 2015, BMC introduced Remedy 9. BMC applications run on the BMC AR System Platform. Remedy v9.1 was released in December 2015. In this article I will update, you on the changes made to the curriculum from v8 to v9. A list of all the courses are listed here: BMC Remedy Service Management Suite



The prerequisite for many of the ITSM, CMDB and AR classes was a 16 hour web-Based training in v8. We have shortened the prerequisite to 2 hours. BMC Remedy AR System 9.1: Concepts (Released recently and replaces the 9.0 version) is a great way for IT Managers to get a high level overview of Remedy 9 and will help folks that are new to Remedy learn the basics.


What's New for Remedy Application Admins

Remedy Application Administrators now have a course (BMC Remedy AR System 9.0: Administering) that will help you learn about troubleshooting techniques and server configurations instead of teaching you how to develop custom applications. With this course we were trying to solve the problem of customers who would leave Foundation part 2 wanting to know more about administering and troubleshooting. This is a great course for RemedyOnDemand customers.


What's New for Remedy Application Developers

In the previous learning path we focused on custom application development. The v8 learning path is right for you if you want to learn about custom application development. However, after teaching Remedy for many years, I know that many of you want to know how to tailor ITSM the right way. You left the Developer Part 2 class knowing a lot about Remedy Development, but had no guidance on tailoring ITSM. So, we are going to teach developers how to develop on the platform with ITSM in mind in the BMC Remedy AR System 9.0: Basic Development course and in IT Service Management 9.1: Development we will teach you how to tailor ITSM based on input from BMC Support. Therefore, what we teach is already blessed by BMC Support.


Smart IT and MyIT

If you are looking to enhance your experience with Smart IT and MyIT. We have training available for you. Check out

BMC MyIT 3.x and BMC Remedy with Smart IT 1.x: Administering and Configuring and BMC Remedy with Smart IT 1.3: Using and Administering (WBT).


Getting Certified

We offer an accreditation exam called BMC Accredited Administrator: BMC Remedy AR System 9.0 after you complete BMC Remedy AR System 9.0: Administering. The exam cost is included in the price of the course. Or if you are a BMC Accredited Administrator: BMC Remedy AR System 8.0, you can complete the BMC Remedy AR System 9.0: What's New for Administrators and pay for just the exam.


If you are a BMC Certified Developer: BMC Remedy AR System 8.x. You can upgrade to Remedy 9.1 by taking 

BMC Remedy AR System 9.0: What's New for Administrators (WBT), BMC Remedy AR System 9.0: What's New for Developers (WBT), and passing the BMC Certified Professional: BMC Remedy AR System Development 9.1 Upgrade Exam.

Please let me know if you have questions about the curriculum by commenting below. I have updated this blog to reflect changes since Remedy 9.1 was released.


BMC Remedy Single Sign On Service Provider (SP) certificate shipped with the product, which is used to sign SAML request, will be expired on April 21st 2016.


If you are using out of the box certificate to sign SAML requests in BMC Remedy Single Sign On, the request will fail due to the expiry of certificate.


In this blog, I will be covering the steps to update the BMC Remedy Single Sign On (RSSO) SP certificate so that it has a new expiry date, which will prevent from failure of SAML authentication.


If this certificate has already been replaced with a newer one with a valid future expiry date, you don't have to follow the steps mentioned in this blog.


First of all, how to find the Certificate expiry date of relying party (RSSO) for SAML authentication?


  • An easy way to find the certificate expiry is by logging to ADFS tool and checking the RSSO service provider relying party properties.
  • In the Signature tab, you should see the certificate expiry date.


Likewise, for other IdP tools that you are using with RSSO, you will have to contact your IdP administrator to check the RSSO relying party certificate expiry date.


What steps are necessary to update BMC Remedy Single Sign On (RSSO) SP Certificate?


Important Notes:


(A) The below instructions are written for Windows OS. All paths mentioned below are for Windows OS. Please use relative paths if you're using Linux or Solaris OS.


(B) The file name for the java keystore should be cot.jks. The alias for java keystore (cot.jks) should be test2.  The password for the cot.jks keystore is 'changeit'    Please do not change the password.


(C) Please make sure to set the Path environment to jdk or jre bin folder or else you may get error like ‘unknown internal or external command’. In Windows this means that you'll need to edit the System Environment properties and find the global variable PATH to update it.




Steps to update the certificate:


1. Update java keystore named cot.jks


Perform the following steps on the machine installed with RSSO server by being in <tomcat>\rsso\WEB-INF\classes folder:


a. Take a backup of existing cot.jks from <tomcat>\rsso\WEB-INF\classes folder


b. Delete alias ‘test2’ from existing cot.jks using keytool command line:


keytool -delete -alias test2 -keystore cot.jks


Note:  The password for the cot.jks is "changeit".  Please don't change the password


c. Create a new keypair with alias ‘test2’ in existing cot.jks


keytool -keystore cot.jks -genkey -alias test2 -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -validity 730


Note:  In the above example, we used 730 days as validity, which is equivalent to 2 years validity.  You can use the validity days at your discretion


d. Export ‘test2’ certificate in PEM format


keytool -export -keystore cot.jks -alias test2 -file test2.pem –rfc


e. Take a backup of the updated cot.jks


If you have other RSSO server instances in same cluster, replace cot.jks in <tomcat>\rsso\ rsso\WEB-INF\classes folder with the updated cot.jks in step 1.e


2. Update signing certificate in RSSO Admin console


a. Login RSSO Admin console


b. Go to ‘General->Advanced’ tab


c. Open the file test2.pem which is created in step 1.d in text editor, remove the first line:




and the last line:




Also remove the newline delimiters (\r\n), and then copy the contents.

E.g. If you use Notepad++, you can open ‘replace’ dialog, select ‘Extended’ search mode, find ‘\r\n’ and click ‘Replace All’ button.





d. Paste the copied content in step 2.c to the ‘Signing Certificate’ field, replace existing content in the text area




e. Click ‘Save’ button to save the change


f. Wait for 15 seconds, view the realm using SAML, click ‘View Metadata’ button in ‘Authentication’ tab. Verify the SP metadata is updated with the new signing certificate.


3. Update SP metadata at IdP side


- Export the SP metadata in step 2.f and save it in a local file


- Send the exported SP metadata and the new signing certificate in step 1.d to IdP team for updating.


If the IdP is ADFS, the customer can add the new signing certificate as below:


a. Open ‘Properties’ dialog of the relying party for RSSO
b. Go to ‘Signature’ tab
c. Click ‘Add’ button, select the new signing certificate file and click ‘OK’





Notes for rolling upgrades (Cluster / High Availability environment)


Should you have a requirement for zero-down time in a cluster environment (assuming ADFS is the IdP) for the signing certificate update, then you can take actions with following sequence:


1. Take one RSSO server instance down first, perform step 1 on it
2. Perform step 2
3. Perform step 3 (remember NOT to delete the old signing certificate)
4. Make the RSSO server instance up again
5. Take the second RSSO server instance down, update its cot.jks with the one already updated on first RSSO server instance in step 1.e, then make it up again
6. Repeat step 5 on all other RSSO server instances
7. After the keystore cot.jks is updated on all RSSO server instances, you can remove the old signing certificate on the RSSO relying party at ADFS side.

Filter Blog

By date:
By tag: