Configuration roadmap for Continuous Compliance for Servers for ServiceNow

This topic provides a high-level description of the configuration tasks required to implement the BMC Continuous Compliance for Servers solution, part of Compliance Automation. Prior to configuring the solution, ensure that you have completed the installation tasks described in Installation roadmap for Continuous Compliance for Servers for ServiceNow.

Step 1: Configure a grid

After the BMC Atrium Orchestrator platform components are installed and running, configure a grid. The grid distributes information across the BMC Atrium Orchestrator components. See Managing grids in the BMC Atrium Orchestrator online documentation.

Step 2: Configure templates in ServiceNow

You need to create the change, incident, and email templates in ServiceNow to support the operator-initiated change and closed-loop compliance use cases. For the operator-initiated change use case, you need to create the change and email templates in ServiceNow so that a change and a task associated with that change can be created. For the closed-loop compliance use case, you need to create the change, incident, and email templates in ServiceNow to enable sending notifications via email after a change is approved. A workflow rule created in ServiceNow triggers the email notification after a change is approved.

Step 3: Export and enable the required adapters

In BMC Atrium Orchestrator, use Grid Manager to complete the configuration of the following required adapters:

  • SNMP adapter
  • Terminal adapters
  • Web Services adapter
  • BladeLogic Operations Manager
  • ServiceNow adapter 

For details on configuring these adapters for the solution, see Configuring adapters for the Continuous Compliance for Server Automation for ServiceNow solution.

Step 4: Configure the connection between BMC Server Automation and BMC Atrium Orchestrator

Through the BMC Server Automation Console, you must add the configuration information required to connect to BMC Atrium Orchestrator.

Configure job approval for job types

The Approval Configuration option enables you to configure whether or not jobs of a given type require ServiceNow approval. By default, the approval for each supported job type is turned off. 

To enable or disable the ServiceNow job approval capability at the job type level, perform the following steps:

  1. From the BMC Server Automation Console, select Configuration > Approval Configuration.
  2. On the Job Approval Required Configuration dialog, set the Approval Required option for each available job type.
  3. Click OK.

All job types with Yes specified for the Approval Required option require that you complete the Approval tab information in the job wizard.

Assign job approval permissions

Use this procedure to assign permissions to different Continuous Compliance for Servers users for integrating job execution with ServiceNow.

Assign the appropriate approval type to each user role. When that user logs on, only the job approval type assigned for the user role is listed when running the job wizard.

  1. In the RBAC Manager workspace of the BMC Server Automation Console, select Roles.
  2. Right-click a role and select Open.
  3. Click the Systems tab.
  4. Choose from the following RBAC controls to enable specific ServiceNow job approval permissions.
  • Automatic
  • Manual
  • Emergency
  • NoApproval
    For example, you may create a role for junior operators that has only Manual permission, ensuring that any jobs they initiate are reviewed and approved by the ServiceNow application before execution. By default, the BLAdmins role has all approval permissions.

  5. To save the updates, click OK.
  6. To exit the Update Permissions panel, click OK.

Set up the connection to BMC Atrium Orchestrator

Using the BMC Server Automation Console, you must add the configuration information required to connect to BMC Atrium Orchestrator.

The integration between BMC Continuous Compliance for Server Automation and BMC Atrium Orchestrator supports connections to a single grid only. The connection with BMC Atrium Orchestrator is established through the CDP or through a high availability CDP (HACDP). Other types of peers are not supported.

  1. From the BMC Server Automation Console, ensure that your role is granted the AOConfig.* and the AutomationPrincipal.* authorizations.
  2. Select Configuration > AO Configuration.
  3. On the AO Configuration dialog box, click Add.
  4. On the Add new AO configuration dialog box, enter the configuration information required to connect to BMC Atrium Orchestrator, and then click OK.

    • Host - IP address or fully-qualified host name of the BMC Atrium Orchestrator CDP server.
    • Port - Port number used to connect to the BMC Atrium Orchestrator CDP.
    • Grid Name - Name defined for the BMC Atrium Orchestrator grid. You specify the grid name only for the first defined CDP connection.
      For subsequent connections, this field is read-only, because all defined connections must be on the same grid.
    • User Name - Name of the BMC Atrium Orchestrator user used to log on to the CDP. This user must be associated with the ADMIN role in BMC Atrium Orchestrator.
    • Password - BMC Atrium Orchestrator password for the specified user.
    • Time-out - Amount of time, in seconds, before a BMC Continuous Compliance for Server Automation job that connects to BMC Atrium Orchestrator times out. 
      The default is 300 seconds (5 minutes).
    • Primary AO - Specifies this CDP as the primary instance. In a high-availability environment with multiple CDP instances, ensure that you select the correct CDP, as defined in BMC Atrium Orchestrator.
    • SSL enabled? - Specifies if the connection to the CDP is SSL-enabled and based on an HTTPS connection (as described in Enabling HTTPS support for the BMC Atrium Orchestrator connection).
  5. To test if you can connect to the CDP using the host, port, grid name, user name, and password details that you specified, click Check Connection.
  6. To add additional CDP connections to BMC Atrium Orchestrator to ensure high availability, repeat step 2 and step 3 for each additional CDP instance of the same grid.
    If you define multiple BMC Atrium Orchestrator CDP instances, ensure that only one of your CDPs is set as the primary instance (using the Primary AO check box). Multiple CDPs installed on a grid form a High Availability (HACDP) environment and allow communication to continue even if a connection with one CDP fails.
  7. In the AO Configuration dialog box, click Close.

Enable HTTPS support on BMC Atrium Orchestrator

To secure the communication of data between BMC Continuous Compliance for Server Automation and BMC Atrium Orchestrator, you must enable an HTTPS connection on both products.

Note: The required steps vary, based on the decisions that you made regarding the BMC Atrium Orchestrator version during its installation. If you are using BMC Atrium Orchestrator 7.6.03, complete the steps below. If you are using BMC Atrium Orchestrator 7.7, the required actions depend on whether HTTPS was left enabled (the default option) during the installation. 

If your current environment is BMC Atrium Orchestrator Platform 7.7, you can verify that HTTPS support is enabled by checking the Apache Tomcat server's server.xml file and looking for the following line:

Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"

Perform the following steps to enable HTTPS support on BMC Atrium Orchestrator:

  1. On the system where the BMC Atrium Orchestrator CDP is installed, create the keystore file by entering a command such as the following example:
    keytool -genkey -alias w2k3-sp-vm5 -dname "cn=w2k3-sp-vm5"
    -keyalg RSA -keystore C:\.keystore -storepass changeit
    The value entered for the -dname option must match the host name where the BMC Atrium Orchestrator CDP is installed. In this example, the value is w2k3-sp-vm5.
  2. Enable HTTPS on an Apache Tomcat server by completing the following steps:
    1. Open the server.xml file.
    2. Uncomment the following block of configuration information:

      <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                 maxThreads="150" scheme="https" secure="true"
                 clientAuth="false" sslProtocol="TLS" keystoreFile="C:\.keystore"
                 truststoreFile="C:\Program Files\Java\jdk1.5.0_13\jre\lib\security\cacerts" />

    3. Add two attributes as follows:
    • The keystoreFile attribute to point to the location where the keystore file resides.
    • The truststoreFile attribute to point to the CA-issued certs in the JDK installation location.
  3. Restart the BMC Atrium Orchestrator CDP.
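A quick way to confirm the result of the steps above, and to catch the common failure where the Connector block was left inside Tomcat's default comment, is to parse server.xml instead of grepping it. The following Python is an added example, not BMC's code; the server.xml it checks is a constructed sample and the function names are assumptions of this example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample server.xml: the SSL connector is still inside Tomcat's
# default comment block, the state the procedure fixes by uncommenting it.
SAMPLE_SERVER_XML = r"""<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" />
    <!--
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" keystoreFile="C:\.keystore"
               truststoreFile="C:\Program Files\Java\jdk1.5.0_13\jre\lib\security\cacerts" />
    -->
  </Service>
</Server>
"""

# Attributes the CDP connector must carry for an HTTPS-based connection.
REQUIRED = {"SSLEnabled": "true", "scheme": "https", "secure": "true"}


def _is_ssl_connector_block(text, port):
    """True if a chunk of text holds an SSL-enabled Connector on `port`."""
    return "<Connector" in text and "SSLEnabled" in text and 'port="%s"' % port in text


def check_https_connector(xml_text, port="8443"):
    """Report whether a live (not commented-out) HTTPS connector exists on `port`.

    Returns {"active": bool, "problems": [str, ...], "keystore": str or None}.
    ElementTree discards XML comments, so any Connector it yields is really
    active; a connector found only inside <!-- --> is reported as commented out.
    """
    problems = []
    root = ET.fromstring(xml_text)
    live = [c for c in root.iter("Connector") if c.get("port") == port]
    if not live:
        comments = re.findall(r"<!--(.*?)-->", xml_text, flags=re.S)
        if any(_is_ssl_connector_block(c, port) for c in comments):
            problems.append("SSL connector on port %s is still commented out" % port)
        else:
            problems.append("no Connector defined on port %s" % port)
        return {"active": False, "problems": problems, "keystore": None}
    conn = live[0]
    for attr, want in REQUIRED.items():
        if conn.get(attr) != want:
            problems.append('%s should be "%s" (found %r)' % (attr, want, conn.get(attr)))
    if not conn.get("keystoreFile"):
        problems.append("keystoreFile is missing; point it at the keystore from step 1")
    if not conn.get("truststoreFile"):
        problems.append("truststoreFile is missing; point it at the JDK cacerts file")
    return {"active": not problems, "problems": problems,
            "keystore": conn.get("keystoreFile")}


def uncomment_ssl_connector(xml_text, port="8443"):
    """Return server.xml with the commented-out SSL connector on `port` made live.

    Only the comment block that actually holds that connector is unwrapped;
    every other comment in the file is left untouched.
    """
    def unwrap(match):
        body = match.group(1)
        return body if _is_ssl_connector_block(body, port) else match.group(0)
    return re.sub(r"<!--(.*?)-->", unwrap, xml_text, flags=re.S)


if __name__ == "__main__":
    before = check_https_connector(SAMPLE_SERVER_XML)
    print("before:", before["problems"])
    after = check_https_connector(uncomment_ssl_connector(SAMPLE_SERVER_XML))
    print("after:", "HTTPS connector active" if after["active"] else after["problems"])
```

Run it against a copy of the real server.xml after editing; a keystoreFile path that points at a file the Tomcat service account cannot read still fails at startup, so the restart in step 3 remains the final check.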

Enable HTTPS support for BMC Atrium Orchestrator on BMC Server Automation

  1. If BMC Atrium Orchestrator is installed on a different computer, copy the C:\.keystore file from the BMC Atrium Orchestrator CDP system to the system where the BMC Server Automation Application Server is installed.
  2. On the Application Server, export the public certificate from the keystore file generated for BMC Atrium Orchestrator to a temporary file by entering a command such as the following example:

    keytool -export -alias w2k3-sp-vm5
    -file C:\cert.csr -keystore C:\.keystore
    -storepass changeit

    In the command shown above, note the following:

    • file is the name and location of the certificate file that will be created from this command.
    • keystore is the keystore file name and location that you created for BMC Atrium Orchestrator.
    • alias is the name used to distinguish certificates.
  3. Add the public certificate from the temporary file to the trusted certificate file by entering a command such as the following example:
    keytool -import -alias w2k3-sp-vm5 -file C:\cert.csr
    -keystore "<keystorePath>" -keypass changeit

    where <keystorePath> is one of the following, depending on operating system:

    • (Linux) — For a Linux Application Server, use
      <installationDirectory>/NSH/br/java/lib/security/cacerts
      (for example, /opt/bmc/bladelogic/NSH/br/java/lib/security/cacerts) to install certificates.
    • (Windows) — For a Windows Application Server, refer to the path shown in the registry value for
      SOFTWARE > BladeLogic > Operations Manager > Application Server > -Djava.home

      Within this path, look for the lib/security/cacerts directory.
      This is the directory into which you install the certificates.
  4. To check if the certificate is added to the cacerts file, enter the following command:
    keytool -list -keystore <keystorePath>
  5. Restart the BMC Server Automation Application Server.

Step 5: Activate and configure the required modules using Grid Manager

Before you can use the BMC Continuous Compliance for Server Automation solution, ensure that the modules are properly integrated to work with the ServiceNow system by activating the modules on the grid.

To activate modules on the grid:

  1. Using Grid Manager, select Manage > Modules.
  2. From the Modules in Repository list, select the modules required for the run book (shown in the list below), and then click Activate.
    • AutoPilot-AD-Utilities
    • AutoPilot-OA-Change_Management
    • AutoPilot-OA-Common_Utilities
    • AutoPilot-OA-Configuration_Management
    • AutoPilot-OA-Incident_Management
    • AutoPilot-OA-Task_Management
    • BMC_BladeLogic-AD-Operations_Manager
    • BladeLogic-SA-ITSM_Integration
    • Closed_Loop_Compliance-SA-Servers
    • Closed_Loop_Compliance_ITSM_Integration

You must configure the modules. For details on how to perform this task, see Updating module configuration for Continuous Compliance for Server Automation.

If you modify the modules, you must export them to the repository to make the updated modules available on the grid. Using the Import and Unbundle function in BMC Atrium Orchestrator Development Studio, export the modules to the repository. If you import the modules directly from a local disk, they are not available to peers until you export them to the repository. For more information about exporting modules to a repository, see the Administrating topic in the BMC Atrium Orchestrator online documentation.

Step 7: Configure BMC Server Automation templates and jobs for the solution

To use the BMC Continuous Compliance for Server Automation solution you must create the following items in the BMC Server Automation system, according to the use cases you want to implement.

BMC Server Automation provides powerful compliance tools. The following table provides an overview of the compliance capabilities.

Compliance

Compliance analysis and remediation are performed based on BMC Server Automation components and component templates. Component templates contain the relevant compliance rules that you want your servers to adhere to, and components encapsulate just the right amount of server configuration to render your Compliance Jobs simple yet powerful.

  • To analyze operational compliance, you create custom component templates that contain the compliance rules for your internal corporate policies. Operational compliance involves tracking the properties of operating system objects, such as files, configurations, user accounts, or services.
  • To analyze regulatory compliance or security compliance, you use the prebuilt component templates offered by BMC. These templates facilitate compliance analysis when you must adhere to an industry-defined compliance policy, such as CIS, DISA, HIPAA, PCI, or SOX.
  • For additional information about building your compliance templates, see Working with components and component templates in the BMC Server Automation documentation.
Create new job properties

For the Closed Loop Server Compliance modules, you must add job properties for Batch and Deploy Job system objects in BMC Server Automation, as follows:

  1. In the BMC Server Automation Console, select Configuration > Property Dictionary View.
  2. Under Built-in Property Classes, expand the Jobs folder.
  3. Select the Batch Job system object.
  4. Click the Add New Property icon to add the CHANGE TICKET ID property.
  5. In the Add Property window:
    1. In the Name field, enter CHANGE TICKET ID.
      This property is used by the Closed Loop Server Audit module and Closed Loop Server Compliance module.
    2. Under Type, click Simple and select String.
    3. Click OK.
  6. Click the Add New Property icon to add the COMPLIANCE JOB NAME property.
  7. In the Add Property window:
    1. In the Name field, enter COMPLIANCE JOB NAME.
      This property is used by the Closed Loop Server Compliance module. 
    2. Under Type, click Simple and select String.
    3. Click OK.
  8. Repeat the procedure for the Deploy Job system object.
Create a Compliance component template

To create a compliance component template, complete the following steps:

  1. Open the BMC Server Automation Console and select the Component Template folder.
  2. Right-click a component templates folder, and select New > Component Template from the pop-up menu.
  3. In the Create New Component Template wizard, on the Create New Component Template (General) window:
    1. Provide a name, description and version (if applicable).
    2. In the Allowed Operations section, select Discover, Browse, Snapshot, Audit, Compliance, and Allow Remediation (under Compliance).
    3. Click Next.
  4. In the Create New Component Template (Parts) window:
    1. Click the plus (+) sign to add parts to the template.
    2. Select one or more parts from the following objects:
      • Servers
      • Snapshot Jobs
      • Local Config Files
      • Local Extended Objects
      • Local Server Objects
    3. Click OK to close the Add Part window. You can customize the preferences for each part by clicking the part. The preferences for the selected part appear in the Options section. Select or clear options as needed. Depending on what you select, there might not be any options associated with that part.
    4. Click Next.
  5. In the Create New Component Template (Properties) window:
    1. Confirm that the component template properties you have selected are correct. To make changes, click Back to return to the previous step.
    2. Click Next.
  6. In the Create New Component Template (Permissions) window, click Finish. Information about the access control list appears.
Create a Compliance Job

  1. Start the BMC Server Automation Console, and select the Jobs workspace.
  2. Right-click the Jobs folder and select New > Job Folder to add a new job folder for Compliance Jobs. You can also use an existing folder to create the Compliance Jobs.

  3. Select the Component Template workspace and select one compliance template.
  4. Right-click and select Discover.
  5. In the New Component Discovery Job window, provide a name for the job and a location in the Save in folder field, and click Next.
  6. Specify the template, the target servers, and default notifications on the subsequent wizard pages.
  7. On the Schedules page, select Execute Job Now and click Finish.
  8. After the discovery job executes successfully, select the Jobs workspace.
  9. Select the Compliance Job folder, right-click, and select New > Compliance Job.
  10. In the New Compliance Jobs (General) window:
    1. Provide a name and description for the Compliance Job.
    2. Select the folder where you want to save the Compliance Job.
    3. Under Number of Targets to Process in Parallel, select Unlimited to run the job on as many targets as possible simultaneously.
    4. Click Next.
  11. In the New Compliance Jobs (Component Templates for Filtering) window:
    1. Select the component templates that form the basis of the Compliance Job.
      Note: For the template to appear on this panel, Compliance operations must be enabled for the template. If the template does not appear, open the template and select the Compliance check box on the General tab. For remediation settings to be enabled (in a subsequent step), select also the Allow Remediation and (optionally) the Allow Auto-Remediation check boxes.
    2. Use the > arrow button to add the selected template.
    3. Click Next.
  12. In the New Compliance Jobs (Components) window:
    1. Select the servers on which you want to run the Compliance Job.
    2. Click Next.
  13. In the New Compliance Jobs (Auto-remediation) window:
    1. Select the Remediate after compliance analysis completes option to enable automatic remediation of any compliance rule failures that the Compliance Job discovers.
      Note: For this option to be available, the Allow Remediation and (optionally) the Allow Auto-Remediation check boxes must be selected on the General tab of the component template (see Step 11 a for details).
    2. In the Remediation name field, enter a name for the remediation package.
    3. In the Save package in field, select a folder in which to save the remediation package (provided that you already associated a remediation package with the relevant rule, within rule definitions).
    4. In the Save remediation/deploy job in field, select a folder in which to save the Deploy Job for the remediation package.
    5. Click Next.
  14. In the New Compliance Jobs (Default Notification) window:
    1. Under Job Run Notifications, select Send SNMP trap to and enter the server name or IP address of your BMC Atrium Orchestrator CDP server. The server that you enter must be a BMC Atrium Orchestrator CDP server with an SNMP Monitor adapter enabled.
    2. For the When status is option, select Success, Failed, and Aborted.
    3. Click Next.
  15. In the New Compliance Jobs (Schedules) window, click Next to bypass the Schedules window.
  16. In the New Compliance Jobs (Properties) window, click Next to bypass the Properties window.
  17. In the New Compliance Jobs (Permissions) window, click Finish. The Compliance Job is created.
  18. To run the Compliance Job, right-click the job and select Execute.

For an example procedure to create a Compliance Job, see Example procedure for creating a Compliance Job.

After the job completes, BMC Server Automation sends an SNMP trap for each inconsistent server-rule combination.

To create the Compliance verification job

  1. Start the BMC Server Automation Console, and select the Jobs workspace.
  2. In the Compliance folder, right-click the Compliance Job you created and select Copy.
  3. Paste the job into the Compliance folder, and open the copied job file.
  4. On the General tab, rename the Copy of jobname file, adding the word Verify after the original Compliance Job name. For example, if the name of the Compliance Job is ComplianceJob, the compliance verification file name must be ComplianceJobVerify.
  5. On the Default Notifications tab, remove all of the SNMP Job Run Notification settings.
  6. Save and close the compliance verification job.
Create a Compliance remediation Job

A remediation job consists of an instruction set and files required for implementing configuration changes. Configuration changes can consist of additions, deletions, and modifications to any of the server objects. 

Schedule the start date to:

  • Remediate a discrepancy or violation in ServiceNow while approving the change request.
  • Schedule the BMC Server Automation remediation jobs.

For additional information, see About remediation packages and remediation jobs in the BMC Server Automation online documentation.

Only one package can exist for each rule in the Compliance component template. There might be some rules in the template that do not have an associated package.

  1. Start the BMC Server Automation Console, and select the Depot workspace.
  2. Right-click the Depot folder and select New > BLPackage.
  3. In the Create BLPackage (Package Type) window:
    1. Type a name for the package.
    2. For the Save in field, click the Browse button and navigate to the Depot folder where you want to save the package.
    3. In the Create Package From section, select a method for creating a package, depending on your requirements.
    4. Click Next.
  4. In the Create BLPackage (Components) window:
    1. Click the add icon (+) to add one or more components to the remediation package.
    2. Select the components and click OK.
    3. Click Next.
  5. In the Create BLPackage (Package Options) window:
    1. Under the Depot Asset Options, check or uncheck Soft linked. By soft-linking the contents of a BLPackage, you can change the software or server objects referenced by the BLPackage without updating the BLPackage definition. Soft linking is only available for assets stored in the Depot.
    2. Under File Options, check any of the options that control how files are managed when a BLPackage is created.
    3. Under Registry Options, check Collect access control list (ACL) attributes to instruct the BLPackage to gather ACLs for Windows registry entries. This option is available only if you are packaging registry information.
    4. Under Patch Package Options, check Include dependent packages to instruct the BLPackage to gather any patches that are prerequisites for the patches you have included in this BLPackage. 
      The BLPackage sequences patches according to their dependencies. This option is available only if you are packaging patches.
    5. Click Next.
  6. In the Create BLPackage (Properties) window, click Next.
  7. In the Create BLPackage (Permissions) window, click Finish to create the remediation package.

For more information about deploying the BLPackage, see Creating and modifying Software and BLPackage Deploy Jobs and Creating a Deploy Job in the BMC Server Automation online documentation.

Where to go from here

After you have installed and configured the BMC Continuous Compliance for Server Automation solution, you can execute the Executing Continuous Compliance for Servers for ServiceNow use cases.
