Configuring the TrueSight Environment for the BMC Helix Change Management integration

Do the following to configure the TrueSight environment for the BMC Helix Service Resolution integration:

  1. Ensure that the integration with BMC Helix CMDB is configured.
  2. Import certificates into the TrueSight Presentation Server.
  3. Configure the Helix Client Gateway.
  4. Configure the BMC Helix Change Management integration in the TrueSight console.
  5. Verify the integration.

This section explains each procedure in detail.


Step 1: Integrating with BMC Helix CMDB

Ensure that the integration with BMC Helix CMDB is configured. For more information, see Integrating with BMC Helix CMDB.


Step 2: Importing certificates into the TrueSight Presentation Server

Do the following:

  1. Obtain the certificates from the Helix Network team or use the following URL to download them:
    https://testssl.onbmc.com/
    The following certificates are required:

    • Name: digicert_global_root.cer
      Alias: rootCA

    • Name: digicert_sha_256.cer
      Alias: intermediateCA

    • Name: onbmc_wildcard.cer
      Alias: onbmc_wildcardCA

  2. For TrueSight Operations Management version 11.3.02 or later, do the following to install the certificates in the TrueSight Operations Management keystore/truststore.
    1. On the TrueSight Presentation Server run the following command:
      tssh certificate import ChangeManagement
    2. Enter a backup directory.
    3. Enter the Change Management server details <host:port> to download the certificates.
      The port number is optional. If you do not enter the port number, the default port 443 is used.

  3. For TrueSight Operations Management version 11.3.01 or earlier, do the following to install the certificates in the TrueSight Operations Management keystore/truststore.

    1. Copy the digicert_global_root.cer, digicert_sha_256.cer, and onbmc_wildcard.cer certificates to the <TrueSight Presentation Server Installation Directory>/truesightpserver/conf/secure directory.

    2. Copy the loginvault.ks keystore file and rename the copy to loginvault-orig.ks.

    3. Run the following commands in the order shown below to import the certificates:

      1. keytool -importcert -trustcacerts -alias rootCA -keystore loginvault.ks -storepass changeit -file digicert_global_root.cer
        When prompted with the Trust this certificate? question, type Yes.

      2. keytool -importcert -trustcacerts -alias intermediateCA -keystore loginvault.ks -storepass changeit -file digicert_sha_256.cer
        When prompted with the Trust this certificate? question, type Yes.

      3. keytool -importcert -alias onbmc_wildcardCA -keystore loginvault.ks -storepass changeit -file onbmc_wildcard.cer
        When prompted with the Trust this certificate? question, type Yes.

  4. Copy tspstrustore.ts to tspstrustore-orig.ts.

  5. Run the following command:
    keytool -importcert -alias onbmc_wildcardCA -keystore tspstrustore.ts -storepass changeit -file onbmc_wildcard.cer

  6. Navigate to the following directory, where the cacerts keystore is located.

    • Windows: <TrueSight Presentation Server Installation Directory>/truesightpserver/modules/jre/lib/security

    • Linux: <TrueSight Presentation Server Installation Directory>/truesightpserver/modules/jre/lib/security
  7. Copy the digicert_global_root.cer, digicert_sha_256.cer, and Onbmc_wildcard.cer certificates to the current directory.

  8. Copy the cacerts keystore file and rename the copy to cacerts-orig.

  9. Import the certificates into the cacerts keystore by running the following commands in the given order:

    1. keytool -importcert -trustcacerts -alias rootCA -keystore cacerts -storepass changeit -file digicert_global_root.cer
      When prompted with the Trust this certificate? question, type Yes.

    2. keytool -importcert -trustcacerts -alias intermediateCA -keystore cacerts -storepass changeit -file digicert_sha_256.cer
      When prompted with the Trust this certificate? question, type Yes.

    3. keytool -importcert -alias Onbmc_wildcard -keystore cacerts -storepass changeit -file Onbmc_wildcard.cer
      When prompted with the Trust this certificate? question, type Yes.

  10. Restart the primary TrueSight Presentation Server. 
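
A check to run around the keytool imports above, as an added example that is not part of the BMC documentation: it computes the SHA-256 fingerprint of each .cer file for comparison with a reference value obtained out of band, then confirms from `keytool -list` output that each alias is present as a trusted certificate entry with that fingerprint. It assumes the listing shows SHA-256 fingerprint lines; the sample bytes and listing are constructed and are not real certificates.

```python
import hashlib
import re
import ssl

# One entry of `keytool -list` output: "alias, date, entryType," then a fingerprint line.
ENTRY = re.compile(
    r"^(?P<alias>[^,\n]+), .*?, (?P<type>\w+),[ \t]*\n"
    r"Certificate fingerprint \(SHA-?256\): (?P<fp>[0-9A-F:]+)", re.M)

def cert_fingerprint(data: bytes) -> str:
    """SHA-256 fingerprint of a .cer file (PEM or DER), formatted like keytool."""
    if data.lstrip().startswith(b"-----BEGIN CERTIFICATE-----"):
        data = ssl.PEM_cert_to_DER_cert(data.decode("ascii").strip())
    digest = hashlib.sha256(data).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def check_import(listing: str, expected: dict) -> list:
    """Compare keytool -list output with {alias: reference fingerprint}."""
    found = {m["alias"].strip().lower(): (m["type"], m["fp"])
             for m in ENTRY.finditer(listing)}
    problems = []
    for alias, fingerprint in expected.items():
        entry = found.get(alias.lower())  # keytool may list aliases in lower case
        if entry is None:
            problems.append(f"{alias}: not in keystore")
        elif entry[0] != "trustedCertEntry":
            problems.append(f"{alias}: entry type is {entry[0]}")
        elif entry[1] != fingerprint:
            problems.append(f"{alias}: fingerprint differs from the reference")
    return problems

# Constructed sample data: placeholder bytes standing in for DER certificates.
SAMPLE = {"rootCA": b"constructed-root",
          "intermediateCA": b"constructed-intermediate",
          "onbmc_wildcardCA": b"constructed-wildcard"}

def sample_listing(certs: dict) -> str:
    """Build keytool-style listing text for the constructed certificates."""
    return "Keystore type: JKS\n\n" + "".join(
        f"{alias.lower()}, Jan 5, 2024, trustedCertEntry, \n"
        f"Certificate fingerprint (SHA-256): {cert_fingerprint(der)}\n"
        for alias, der in certs.items())

if __name__ == "__main__":
    reference = {alias: cert_fingerprint(der) for alias, der in SAMPLE.items()}
    tampered = dict(SAMPLE, intermediateCA=b"constructed-substitute")
    print(check_import(sample_listing(SAMPLE), reference))
    print(check_import(sample_listing(tampered), reference))
```

On a real server, pass the text printed by `keytool -list -keystore loginvault.ks` (and likewise for the other keystores) as `listing`.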


Step 3: Configuring the BMC Helix client gateway

  1. Install the Helix client gateway. For information, see the BMC Helix documentation.
  2. Back up the <gateway installed location>\<gateway_name>\kwic-5.9.13\conf\kwic_config.xml file.
  3. Copy the kwic_config.xml file to the proper location that you obtain from the BMC Helix network team.

     Example of the kwic_config.xml file:
    <?xml version="1.0" encoding="UTF-8" standalone="no"?> 
    <!-- 
     
        Copyright (c) 2007-2013, Kaazing Corporation. All rights reserved. 
     
    --><gateway-config xmlns="http://xmlns.kaazing.com/2012/09/gateway"> 
    <properties> 
     
         <property> 
          <name desc="Local client gateway host name">gateway.hostname</name> 
          <value>localhost</value> 
        </property> 
     
        <property> 
          <name desc="Local client gateway IP">gateway.ip</name> 
          <value>127.0.0.1</value>
        </property>
     
     
        <property> 
          <name desc="Local client gateway management port">gateway.base.port</name> 
          <value>8000</value> 
        </property> 
     
        <property> 
          <name desc="BMC End Port">bmc.port</name> 
          <value>443</value> 
        </property> 
     
    </properties> 
     
     
      <service> 
        <name>commandcenter-directory</name> 
        <description>Directory service for the Command Center files</description> 
        <accept>http://${gateway.hostname}:${gateway.base.port}/commandcenter</accept> 
        <type>directory</type> 
        <properties> 
          <directory>/commandcenter</directory> 
          <welcome-file>index.html</welcome-file> 
          <error-pages-directory>/error-pages</error-pages-directory> 
          <options>indexes</options> 
        </properties> 
      </service> 
       
       
      <service> 
        <name><customer name>-tsom-api-chi.onbmc.com</name> 
        <accept>pipe://<customer name>-tsom-api-chi.onbmc.com</accept>
        <connect>tcp://<TSPS FQDN>:8043</connect> 
        <type>proxy</type> 
        <accept-options> 
          <pipe.transport>socks://<customer name>-api-chi.onbmc.com:443</pipe.transport> 
          <socks.mode>reverse</socks.mode> 
          <socks.retry.maximum.interval>10 seconds</socks.retry.maximum.interval> 
          <socks.transport>wss://<customer name>-api-chi.onbmc.com:443/tsom</socks.transport> 
          <ws.inactivity.timeout>55 seconds</ws.inactivity.timeout> 
        </accept-options> 
      </service> 
     
      <!-- Security configuration --> 
      <security> 
        <!-- 
        The keystore element is used to configure the keystore that contains 
        encryption keys for secure communications with Kaazing WebSocket Gateway. 
        --> 
        <keystore> 
          <type>JCEKS</type> 
          <file>keystore.db</file> 
          <password-file>keystore.pw</password-file> 
        </keystore> 
     
        <!-- 
        The truststore element is used to configure the truststore that 
        contains digital certificates for certificate authorities 
        trusted by Kaazing WebSocket Gateway. 
        --> 
        <truststore> 
          <file>truststore.db</file> 
        </truststore> 
     
        <!-- 
        This is the element that associates an authenticated user with a set 
        of authorized roles. 
        --> 
        <realm> 
          <name>demo</name> 
          <description>Kaazing WebSocket Gateway Demo</description> 
     
          <!-- 
          This is the element that specifies how authentication of users 
          is undertaken for the realm. 
          --> 
          <authentication> 
     
            <!-- 
            Specifies how the Gateway issues HTTP challenges when 
            unauthorized connections are made. Standard HTTP "Basic" 
            and "Negotiate" are supported, with the Application variants: 
            "Application Basic", and "Application Negotiate".  For custom 
            HTTP challenge schemes, use "Application Token". 
            --> 
            <http-challenge-scheme>Application Basic</http-challenge-scheme> 
     
            <!-- 
            The HTTP items below specify how the Gateway accepts credentials 
            when connections are made.  In addition to the standard HTTP 
            "Authorization" header, the Gateway can access credentials sent in 
            custom HTTP headers, query parameters and cookies. 
            --> 
     
            <!-- 
            <http-header>Custom-Header-Name</http-header> 
            <http-query-parameter>Query-Parameter-Name</http-query-parameter> 
            <http-cookie>Cookie-Name</http-cookie> 
            --> 
     
            <!-- 
            The period of time for which authorized connections 
            remain valid without re-authorizing. 
            --> 
            <authorization-timeout>1800</authorization-timeout> 
     
            <!-- 
            The login modules below specify how the Gateway communicates 
            with a "user database" to validate user credentials, and 
            to determine a set of authorized roles. 
            --> 
            <login-modules> 
              <!-- 
              The login module communicates with a user database to 
              validate user's credentials and to determine a set of 
              authorized roles. By default, the file-based module is used. 
              --> 
              <login-module> 
                <type>file</type> 
                <success>required</success> 
                <options> 
                  <file>jaas-config.xml</file> 
                </options> 
              </login-module> 
            </login-modules>
          </authentication> 
        </realm> 
     
        <!--  
        The realm used by the Command Center for authentication. The SNMP 
         management service should be the only one to use this realm.  
        --> 
        <realm> 
          <name>commandcenter</name> 
          <description>Command Center</description> 
     
          <authentication> 
            <http-challenge-scheme>Application Basic</http-challenge-scheme> 
     
            <http-cookie>kaazingCommandCenter</http-cookie> 
     
            <authorization-timeout>1800</authorization-timeout> 
     
            <login-modules> 
              <!-- 
              The login module communicates with a user database to 
              validate user's credentials and to determine a set of 
              authorized roles. By default, the file-based module is used. 
              --> 
              <login-module> 
                <type>file</type> 
                <success>required</success> 
                <options> 
                  <file>jaas-config.xml</file> 
                </options> 
              </login-module> 
            </login-modules> 
          </authentication> 
        </realm> 
      </security> 
     
     
     
      <!--  
      JMX Management service. 
      --> 
      <service> 
        <name>JMX Management</name> 
        <description>JMX management service</description> 
     
        <type>management.jmx</type> 
     
        <properties> 
          <connector.server.address>jmx://${gateway.hostname}:2020/</connector.server.address> 
        </properties> 
     
        <realm-name>demo</realm-name> 
     
        <authorization-constraint> 
          <require-role>ADMINISTRATOR</require-role> 
        </authorization-constraint> 
      </service> 
     
      <!-- 
      SNMP Management service. 
     
      <service> 
        <name>SNMP Management</name> 
        <description>SNMP management service</description> 
        <accept>ws://${gateway.hostname}:${gateway.base.port}/snmp</accept> 
     
        <type>management.snmp</type> 
     
        <realm-name>commandcenter</realm-name> 
     
        <authorization-constraint> 
          <require-role>ADMINISTRATOR</require-role> 
        </authorization-constraint> 
     
        <cross-site-constraint> 
          <allow-origin>*</allow-origin> 
        </cross-site-constraint> 
      </service>
      -->
     
      <!-- 
      ############################################################################# 
      ############################################################################# 
                                Do not remove closing element 
      ############################################################################# 
      ############################################################################# 
      --> 
     
    </gateway-config> 
  4. Restart the Helix client gateway.
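
A pre-restart check for the edited kwic_config.xml, as an added example that is not BMC's or Kaazing's code: it reports placeholders left unreplaced, a reverse SOCKS transport that is not wss:// to an onbmc.com host, non-proxy services that accept on a non-loopback address, and wildcard allow-origin entries. These checks are an assumed review policy derived from the sample file above; the acme and tsps.example.com values in the sample are constructed.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = {"g": "http://xmlns.kaazing.com/2012/09/gateway"}
PLACEHOLDER = re.compile(r"<(customer name|TSPS FQDN)>")
LOOPBACK = {"localhost", "127.0.0.1"}

def audit_kwic_config(text: str) -> list:
    """Return findings for a kwic_config.xml passed in as a string."""
    left = sorted(set(PLACEHOLDER.findall(text)))
    if left:  # leftover placeholders also make the file ill-formed XML
        return [f"unreplaced placeholder <{p}>" for p in left]
    root = ET.fromstring(text.encode("utf-8"))
    props = {p.findtext("g:name", "", NS): p.findtext("g:value", "", NS)
             for p in root.findall("g:properties/g:property", NS)}

    def expand(value):  # resolve ${property} references
        return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m[1], m[0]), value)

    findings = []
    for svc in root.findall("g:service", NS):
        name = svc.findtext("g:name", "?", NS)
        if svc.findtext("g:type", "", NS) == "proxy":
            url = urlsplit(svc.findtext("g:accept-options/g:socks.transport", "", NS))
            if url.scheme != "wss":
                findings.append(f"{name}: socks.transport is not wss://")
            if not (url.hostname or "").endswith(".onbmc.com"):
                findings.append(f"{name}: socks.transport host is outside onbmc.com")
        else:
            for acc in svc.findall("g:accept", NS):
                if urlsplit(expand(acc.text or "")).hostname not in LOOPBACK:
                    findings.append(f"{name}: listens on a non-loopback address")
        for origin in svc.findall("g:cross-site-constraint/g:allow-origin", NS):
            if (origin.text or "").strip() == "*":
                findings.append(f"{name}: allow-origin is *")
    return findings

# Constructed sample: "acme" and tsps.example.com are made-up values.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<gateway-config xmlns="http://xmlns.kaazing.com/2012/09/gateway">
  <properties><property><name>gateway.hostname</name><value>localhost</value></property></properties>
  <service><name>snmp</name><type>management.snmp</type>
    <accept>ws://${gateway.hostname}:8000/snmp</accept>
    <cross-site-constraint><allow-origin>*</allow-origin></cross-site-constraint></service>
  <service><name>tsom</name><type>proxy</type><connect>tcp://tsps.example.com:8043</connect>
    <accept-options><socks.transport>ws://acme-api-chi.onbmc.com:443/tsom</socks.transport>
    </accept-options></service>
</gateway-config>"""
```

Calling `audit_kwic_config(SAMPLE)` returns two findings, one for the wildcard origin on the snmp service and one for the ws:// transport on the proxy service.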


Step 4: Configure the BMC Helix Change Management integration in TrueSight Operations Management

For TrueSight Operations Management 11.3.04 or later, do the following:

  1. Open the TrueSight console.
  2. Click Administration > Integrations.

  3. Under Remedy ITSM, BMC Helix ITSM and BMC CMDB Integrations, click the Configure TrueSight Presentation Server with ITSM Change Management menu and then click Edit.
  4. On the Change Management Integration page, do the following:
    1. Add the following information:
      • CMDB user name and password
      • UDDI host name
      • CMDB UDDI port number, user name, and password
    2. Select the HTTP or HTTPS protocol for the mid-tier server.
    3. Select Activate Integration. If you do not want to activate the integration at this time, you can do it later.
      TrueSight Infrastructure Management connects to the Helix UDDI server and updates the CHG:CHGBPM:BPPMAdapter form with the TrueSight Infrastructure Management URL and port. This ensures that the necessary REST service endpoints are enabled and the TrueSight Infrastructure Management csm_user and csm_user password are set.
    4. Disable the CSRF Filter. Use the command prompt and run the following commands in the given order:
      1. tssh properties set csrFilter false
      2. tssh properties reload
        The BMC Helix network team updates the port in the CHG:CHGBPM:BPPM form to use the server gateway port.
  5. Click Save.
    You can see the integration added on the Change Management Integration page.
    TrueSight Infrastructure Management connects to the Helix UDDI server and updates the CHG:CHGBPM:BPPMAdapter form with the TrueSight Infrastructure Management URL and port. This ensures that the necessary REST service endpoints are enabled and the TrueSight Infrastructure Management csm_user and csm_user password are set.


Step 5: Verifying the integration

  1. Log in to BMC Helix Change Management, and go to Application Administration Console > Custom Configuration > Change Management > Advanced Options > Change CI Event Notification to BPPM > BPPM Subscription.
  2. Click Test Connection to verify that the connectivity between BMC Helix Change Management and TrueSight Presentation Server is established.

  3. If the connection test fails, do the following:

    • Error: 400
      Resolution: This error might appear if multiple entries of the CI are present in the system. See the arjavaplugin.log file for information about the error.
    • Error: 401: Please check if you have manually changed the password of the default user (csm_user).
      Resolution: Change the password from the CAI:AdapterConfiguration form.

    • Error: 403
      Resolution: Ensure that the CSRF filter in TrueSight Presentation Server is disabled.

  4. Create a change request in BMC Helix Change Management and click Submit.

    Important: CI must be previously published

    The CI must have been published previously from CMDB to TrueSight.

  5. Log in to the TrueSight console and verify that you have received a change event.

  6. Log in to the TrueSight Administrator console, and verify that a blackout policy is created that is similar to the one below:




