Orchestration Connector

BMC Helix Cloud Security offers an incident and change creation feature that enables customers to track compliance violations more efficiently. This page covers the principles and on-boarding of the Orchestration connector, which aids in incident and change generation.

To access the latest information about this topic and all Cloud Security releases, check out the Release notes and notices.

Understanding the Orchestration connector

An Orchestration connector is essential for automatically creating incidents for violations and changes for remediation in BMC Helix Cloud Security. The Orchestration connector can be installed locally using a batch file, similar to other Cloud Security on-premise connectors. It can also be installed as a service, which enables the connector to run continuously.

The ITSM interaction flow-diagram is as illustrated below:


Completing prerequisites

Ensure that the connector and target environments meet the following prerequisites before on-boarding the Orchestration connector.

Requirements for the computer on which the connector is downloaded (part of the Management VPC/Network)

The connector machine must have internet connectivity so that the connector can communicate with Cloud Security. The connector machine must also be synced to the BMC Helix Orchestration instance and must have Java OpenJDK 11.0.2 and the Google Chrome browser installed.

If you install OpenJDK 11.0.2 from the zip file, set the global path. You will have to restart the machine if you want to configure the Orchestration connector as a service. You must also obtain the applicable product licenses.

Requirements at customer station for on-premise connector

An on-premise TSO with TSO workflows should be readily available at the customer end, which will communicate with the ITSM already imported. You must also obtain the applicable product licenses. 

On-boarding the Orchestration connector

To on-board the Orchestration connector, perform the following steps:


1. Log on to Cloud Security with your registered credentials.

2. Select Configure icon > Connectors.

3. Click Add a Connector.

4. Under Connector Type > On Premise Connectors (Installable), click Orchestration Connector and then click Continue.


5. In the Add a Connector page, fill in the following credentials:

  • In the Name your connector field, specify a name for the connector. This name must be unique and must not have already been created. If the name entered is not already displayed on the Manage Connectors page, a green check mark and available label will appear next to the field.
  • In the TSO Connection String field, type in the IP address or fully-qualified host name of the TSO Configuration Distributor Peer (CDP) server.

    The host name of TSO should be in the format https://<hostname>.

  • In the TSO Port field, insert the port number used to connect to the TSO CDP.
  • In the TSO User Name field, specify the name of the TSO user used to log on to the CDP. The user must be associated to the ADMIN role in TSO.
  • In the TSO Password field, give the TSO password for the specified user.
  • In the TSO Grid Name field, specify the name defined for the TSO grid, which is a logical collection of servers where the TSO platform is installed.

6. Click Continue.


7. If the download does not start automatically, click Download Connector setup and unzip the Orchestration Connector.zip file using any standard compression tool.
The zip file will have the name that you specified for the connector in Step 4.

  1. (Windows) Double-click run.bat to run the connector in your target environment.
  2. (Linux) Execute the command chmod +x run.sh to grant execute permissions to the run.sh file. Then run the connector using the run.sh command.

8. Click Continue.


The connector is authenticated, pushed to and available in Cloud Security. As soon as the connector begins sending data, it displays in the green 'Running' state.

Pre-requisites for running Orchestration Connector

The machine on which the TSO connector should run needs to have a TSO Certificate, which can be imported as follows:


1. Open the following link in your browser: https://<TSO hostname>:38080/baocdp. A message will be displayed stating that your connection is not private.

2. Click the Not secure icon located near the top left corner of the page.

3. From the cascading menu that appears, select Certificate (Invalid).

4. From the Certificate pop-up that appears, select the Details tab. Click Copy to File and then click OK.

5. In the Certificate Export Wizard, browse to any folder on your system and save the file under any name. Click Next.

6. Click Finish.

7. A notification indicates successful export. Click OK.


Copy and paste the following into any run command and press Enter.

keytool -importcert -alias tomcat -file <TSO Certificate filename> -keystore "%JAVA_HOME%\lib\security\cacerts" -storepass changeit

Proofread the pasted text to check for accidental inclusion of unnecessary punctuation.
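The certificate in the steps above is exported from a session that Chrome has flagged as not private, so the saved file is only as trustworthy as that session. The following PowerShell script is an added example (not BMC-supplied code) that compares the file's SHA-256 fingerprint with one obtained separately from the TSO administrator before running the keytool import shown above; the certificate path and expected fingerprint are placeholders you must replace.

```powershell
# Added example, not part of the BMC documentation. PLACEHOLDER values are assumptions.
param(
    [string]$CertFile       = 'C:\temp\tso-cdp.cer',   # PLACEHOLDER: file saved by the Certificate Export Wizard
    [string]$ExpectedSha256 = '<SHA-256 fingerprint supplied by your TSO administrator>',  # PLACEHOLDER
    [string]$Alias          = 'tomcat',                # alias used in the keytool command above
    [string]$StorePass      = 'changeit'               # store password used in the keytool command above
)

$ErrorActionPreference = 'Stop'
$keytool  = Join-Path $env:JAVA_HOME 'bin\keytool.exe'
$keystore = Join-Path $env:JAVA_HOME 'lib\security\cacerts'

function Get-NormalizedFingerprint([string]$Text) {
    # Drop colons, dashes and spaces so "AB:CD", "AB-CD" and "abcd" compare equal.
    return ($Text -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
}

$expected = Get-NormalizedFingerprint $ExpectedSha256
if ($expected.Length -ne 64) {
    throw 'ExpectedSha256 is not a 64-hex-digit SHA-256 fingerprint.'
}

# Load the exported certificate (DER or Base-64 .cer) and hash its raw DER bytes.
$cert   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CertFile)
$sha256 = [System.Security.Cryptography.SHA256]::Create()
$actual = Get-NormalizedFingerprint ([System.BitConverter]::ToString($sha256.ComputeHash($cert.RawData)))

Write-Host "Subject : $($cert.Subject)"
Write-Host "Expires : $($cert.NotAfter)"

if ($actual -ne $expected) {
    throw "Fingerprint mismatch: file has $actual. Certificate not imported."
}
if ($cert.NotAfter -lt (Get-Date)) {
    throw 'Certificate has expired. Certificate not imported.'
}

# Fingerprint matches: run the same import as the command above.
& $keytool -importcert -alias $Alias -file $CertFile -keystore $keystore -storepass $StorePass
if ($LASTEXITCODE -ne 0) { throw "keytool -importcert failed with exit code $LASTEXITCODE." }

# Confirm the entry exists and show the fingerprint keytool recorded for it.
& $keytool -list -alias $Alias -keystore $keystore -storepass $StorePass
```

Run it from an elevated PowerShell prompt when the JDK is installed in a protected directory; keytool still asks for confirmation before trusting the certificate.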

Running the Orchestration connector as a service (Windows)

As an alternative to running the Orchestration connector with a batch file, you can run the connector as a service on Windows using the install.bat file that is downloaded with the connector during onboarding.


To run the connector as a service, the install.bat file must be run as an Administrator.

  1. Locate the install.bat file in your connector setup location where you downloaded the Orchestration connector.

  2. At a Command Prompt, at the same location as the install.bat file, type the following command:

    install.bat install

    The Orchestration connector service is created and started.

  3. In the Windows Start menu, type services to open the Services dialog.
  4. Scroll down and locate Orchestration Connector in the list and verify that the Status is Running.

  5. To check the status of the service, at a Command Prompt, type install.bat status.
    To start or stop the service, type start or stop after the install.bat command.
    For help with all available commands with the service and their usage, type install.bat help.
    When the Orchestration connector is started, it runs continuously without any predefined schedule.

Running the Orchestration Connector as a service (Linux)

You can also run the connector as a service on Linux systems using the install.sh file that is downloaded with the connector during onboarding.


To run the connector as a service, the install.sh file must be run as Administrator and as root.

  1. Locate the install.sh file in your connector setup location where you downloaded the Orchestration connector.

  2. Install the connector using the install.sh command.
    The Orchestration connector service is created and started.
    When the Orchestration connector is started, it runs continuously without any predefined schedule. 

Performing next steps

To manage connector configuration and settings, see Managing connectors.

To assess the resources including why a rule failed, see Managing resources.
