Configuring the TrueSight Environment for the BMC Helix CMDB integration

As a TrueSight Operations Management administrator, do the following:

Import certificates into the TrueSight Infrastructure Management server.
Configure the Helix Client Gateway.
Configure the BMC Helix Change Management integration in TrueSight Infrastructure Management.
Verify the integration.

This section explains each procedure in detail.

Step 1: Importing certificates into the TrueSight Infrastructure Management server

Do the following:

Obtain the certificates from the Helix Network team or use the following URL to download them:
https://testssl.onbmc.com/
The following certificates are required:
- Name: digicert_global_root.cer
  Alias: rootCA
- Name: digicert_sha_256.cer
  Alias: intermediateCA
- Name: onbmc_wildcard.cer
  Alias: onbmc_wildcardCA
  Keystore location
  
  The cacerts keystore is located at <TrueSight Infrastructure Management Installation Directory>/pw/jre/lib/security.
  The pnserver.ks keystore is located at <TrueSight Infrastructure Management Installation Directory>/pw/pronto/conf.
For TrueSight Operations Management version 11.3.02 or later, do the following to install the certificates in the TrueSight Operations Management keystore/truststore.
1. On the TrueSight Presentation Server run the following command:
  pw certificate import BSR
2. Enter the BMC Service Resolution server details <host:port> to download the certificates.
  The port number is optional. If you do not enter the port number, the default port 443 is used.
For TrueSight Operations Management version 11.3.01 or earlier, do the following to install the certificates in the TrueSight Operations Management keystore/truststore.
1. On the computer where the TrueSight Infrastructure Management server is installed, back up the following files:
  - <TrueSight Infrastructure Management Installation Directory>/pw/jre/bin/lib/security/cacerts
  - <TrueSight Infrastructure Management Installation Directory>/pw/jre/bin/pw/pronto/conf/pnserver.ks
2. Run the following commands in the order shown below:
  1. keytool -printcert -sslserver <helix server name:port> -rfc | keytool -importcert -keystore ../lib/security/cacerts -storepass changeit -noprompt -alias rootCA -file digicert_global_root.cer
  2. keytool -printcert -sslserver <helix server name:port> -rfc | keytool -importcert -keystore ../lib/security/cacerts -storepass changeit -noprompt -alias intermediateCA -file digicert_sha_256.cer
  3. keytool -printcert -sslserver <helix server name:port> -rfc | keytool -importcert -keystore ../lib/security/cacerts -storepass changeit -noprompt -alias onbmc_wildcard -file onbmc_wildcard.cer
Back up the <TrueSight Infrastructure Management Installation Directory>/pw/pronto/conf/messagebroker.ts file.
Run the following commands in the order shown below:
1. 1. keytool -printcert -sslserver <helix server name:port> -rfc | keytool -importcert -keystore ../../pronto/conf/pnserver.ks -storepass get2net -noprompt -alias rootCA -file digicert_global_root.cer
  2. keytool -printcert -sslserver <helix server name:port> -rfc | keytool -importcert -keystore ../../pronto/conf/pnserver.ks -storepass get2net -noprompt -alias intermediateCA -file digicert_sha_256.cer
  3. keytool -printcert -sslserver <helix server name:port> -rfc | keytool -importcert -keystore ../../pronto/conf/pnserver.ks -storepass get2net -noprompt -alias onbmc_wildcard -file onbmc_wildcard.cer
Restart the TrueSight Infrastructure Management server.

Step 2: Configuring the BMC Helix client gateway

Install the Helix client gateway. For information, see the BMC Helix documentation .
Back up the <gateway installed location>\<gateway_name>\kwic-5.9.13\conf\kwic_config.xml file.

Copy the kwic_config.xml file to the proper location that you obtain from the BMC Helix network team.

Click here to see an example of the kwic_config.xml file...

<?xml version="1.0" encoding="UTF-8" standalone="no"?> 
<!-- 
 
    Copyright (c) 2007-2013, Kaazing Corporation. All rights reserved. 
 
--><gateway-config xmlns="http://xmlns.kaazing.com/2012/09/gateway"> 
<properties> 
 
     <property> 
      <name desc="Local client gateway host name">gateway.hostname</name> 
      <value>localhost</value> 
    </property> 
 
    <property> 
      <name desc="Local client gateway IP">gateway.ip</name> 
<value>127.0.0.1</value> 
 </property> 
 
 
    <property> 
      <name desc="Local client gateway management port">gateway.base.port</name> 
      <value>8000</value> 
    </property> 
 
    <property> 
      <name desc="BMC End Port">bmc.port</name> 
      <value>443</value> 
    </property> 
 
</properties> 
 
 
  <service> 
    <name>commandcenter-directory</name> 
    <description>Directory service for the Command Center files</description> 
    <accept>http://${gateway.hostname}:${gateway.base.port}/commandcenter</accept> 
    <type>directory</type> 
    <properties> 
      <directory>/commandcenter</directory> 
      <welcome-file>index.html</welcome-file> 
      <error-pages-directory>/error-pages</error-pages-directory> 
      <options>indexes</options> 
    </properties> 
  </service> 
   
   
  <service> 
    <name><customer name>-tsom-api-chi.onbmc.com</name> 
    <accept>pipe://customer name>-tsom-api-chi.onbmc.com</accept> 
    <connect>tcp://<TSPS FQDN>:8043</connect> 
    <type>proxy</type> 
    <accept-options> 
      <pipe.transport>socks://<customer name>-api-chi.onbmc.com:443</pipe.transport> 
      <socks.mode>reverse</socks.mode> 
      <socks.retry.maximum.interval>10 seconds</socks.retry.maximum.interval> 
      <socks.transport>wss://<customer name>-api-chi.onbmc.com:443/tsom</socks.transport> 
      <ws.inactivity.timeout>55 seconds</ws.inactivity.timeout> 
    </accept-options> 
  </service> 
 
  <!-- Security configuration --> 
  <security> 
    <!-- 
    The keystore element is used to configure the keystore that contains 
    encryption keys for secure communications with Kaazing WebSocket Gateway. 
    --> 
    <keystore> 
      <type>JCEKS</type> 
      <file>keystore.db</file> 
      <password-file>keystore.pw</password-file> 
    </keystore> 
 
    <!-- 
    The truststore element is used to configure the truststore that 
    contains digital certificates for certificate authorities 
    trusted by Kaazing WebSocket Gateway. 
    --> 
    <truststore> 
      <file>truststore.db</file> 
    </truststore> 
 
    <!-- 
    This is the element that associates an authenticated user with a set 
    of authorized roles. 
    --> 
    <realm> 
      <name>demo</name> 
      <description>Kaazing WebSocket Gateway Demo</description> 
 
      <!-- 
      This is the element that specifies how authentication of users 
      is undertaken for the realm. 
      --> 
      <authentication> 
 
        <!-- 
        Specifies how the Gateway issues HTTP challenges when 
        unauthorized connections are made. Standard HTTP "Basic" 
        and "Negotiate" are supported, with the Application variants: 
        "Application Basic", and "Application Negotiate".  For custom 
        HTTP challenge schemes, use "Application Token". 
        --> 
        <http-challenge-scheme>Application Basic</http-challenge-scheme> 
 
        <!-- 
        The HTTP items below specify how the Gateway accepts credentials 
        when connections are made.  In addition to the standard HTTP 
        "Authorization" header, the Gateway can access credentials sent in 
        custom HTTP headers, query parameters and cookies. 
        --> 
 
        <!-- 
        <http-header>Custom-Header-Name</http-header> 
        <http-query-parameter>Query-Parameter-Name</http-query-parameter> 
        <http-cookie>Cookie-Name</http-cookie> 
        --> 
 
        <!-- 
        The period of time for which authorized connections 
        remain valid without re-authorizing. 
        --> 
        <authorization-timeout>1800</authorization-timeout> 
 
        <!-- 
        The login modules below specify how the Gateway communicates 
        with a "user database" to validate user credentials, and 
        to determine a set of authorized roles. 
        --> 
        <login-modules> 
          <!-- 
          The login module communicates with a user database to 
          validate user's credentials and to determine a set of 
          authorized roles. By default, the file-based module is used. 
          --> 
          <login-module> 
            <type>file</type> 
            <success>required</success> 
            <options> 
              <file>jaas-config.xml</file> 
            </options> 
          </login-module> 
                                </login-modules> 
      </authentication> 
    </realm> 
 
    <!--  
    The realm used by the Command Center for authentication. The SNMP 
     management service should be the only one to use this realm.  
    --> 
    <realm> 
      <name>commandcenter</name> 
      <description>Command Center</description> 
 
      <authentication> 
        <http-challenge-scheme>Application Basic</http-challenge-scheme> 
 
        <http-cookie>kaazingCommandCenter</http-cookie> 
 
        <authorization-timeout>1800</authorization-timeout> 
 
        <login-modules> 
          <!-- 
          The login module communicates with a user database to 
          validate user's credentials and to determine a set of 
          authorized roles. By default, the file-based module is used. 
          --> 
          <login-module> 
            <type>file</type> 
            <success>required</success> 
            <options> 
              <file>jaas-config.xml</file> 
            </options> 
          </login-module> 
        </login-modules> 
      </authentication> 
    </realm> 
  </security> 
 
 
 
  <!--  
  JMX Management service. 
  --> 
  <service> 
    <name>JMX Management</name> 
    <description>JMX management service</description> 
 
    <type>management.jmx</type> 
 
    <properties> 
      <connector.server.address>jmx://${gateway.hostname}:2020/</connector.server.address> 
    </properties> 
 
    <realm-name>demo</realm-name> 
 
    <authorization-constraint> 
      <require-role>ADMINISTRATOR</require-role> 
    </authorization-constraint> 
  </service> 
 
  <!-- 
  SNMP Management service. 
 
  <service> 
    <name>SNMP Management</name> 
    <description>SNMP management service</description> 
    <accept>ws://${gateway.hostname}:${gateway.base.port}/snmp</accept> 
 
    <type>management.snmp</type> 
 
    <realm-name>commandcenter</realm-name> 
 
    <authorization-constraint> 
      <require-role>ADMINISTRATOR</require-role> 
    </authorization-constraint> 
 
    <cross-site-constraint> 
      <allow-origin>*</allow-origin> 
    </cross-site-constraint> 
  </service> 
 
  <!-- 
  ############################################################################# 
  ############################################################################# 
                            Do not remove closing element 
  ############################################################################# 
  ############################################################################# 
  --> 
 
</gateway-config>

Restart the BMC Helix client gateway.

Step 3: Configure the BMC Helix CMDB integration TrueSight Operations Management

Click here to see instructions for TrueSight Operations Management 11.3.04 or later...

Open the TrueSight console.
Click Administration > Integrations.
Under Remedy ITSM, BMC Helix ITSM and BMC CMDB Integrations, click the Configure TrueSight Presentation Server with ITSM Change Management menu and then click Edit.
On the Change Management Integration page, do the following:
1. Add the following information:
  1. CMDB user name and password
  2. UDDI host name
  3. CMDB UDDI port number, user name, and password
2. Select the HTTP or HTTPS protocol for the mid-tier server.'
3. Select Activate Integration. If you do not want to active the integration at this time, you can do it later.
Click Save.
You can see the integration added on the Change Management Integration page.

Click here to see instructions for TrueSight Operations Management 11.3.03 or earlier...

If UDDI is configured for the HTTPS protocol, do the following:
1. In the pw/custom/conf/pronet.conf file, set the following parameter to true:
  bmc.uddi.registryserver.secure.enabled=true
2. Restart the TrueSight Infrastructure Management console.
Edit the (Windows) etc\hosts or (Linux) /etc/hosts file. Add the IP address of the gateway, and point it to ONMBC-s as shown below:
<gateway ipaddress> ONMBC-s
Log in to the TrueSight Infrastructure Management console.
In the top right corner, click Options and then click Administration.
In the Integrations area, click Edit.
Select the BMC AR/CMDB Integration checkbox.
Add information in the following fields for the Helix AR Server:
- AR Server Hostname: ONBMC-s
- AR Server Port: dev-46000, qa-47000, prod-48000
- AR Server User: Obtain the user name from the BMC Helix team.
- AR Server password: Obtain the user name from the BMC Helix team.
Select the Publishing mode.
If you want to enable the cross-launch capability, enter information in the following fields:
- UDDI Hostname: <customer name>-<dev or qa or prod>.onbmc.com
- UDDI Port: 443
- UDDI User: Obtain the user name from the BMC Helix team.
- UDDI Password: Obtain the password from the BMC Helix team.
- Infrastructure Management Server Port: 8080, 443
Select a protocol for the TrueSight Infrastructure Management server.
If you integrate with Atrium CMDB in an AR Server Group, manually configure the pserver.conf file. Edit the ARSGroupMembers in the pserver.conf file and set to all AR Servers of the group that have the reconciliation function enabled.
The pserver.conf file is located here:
Windows: <installation_directory>\pw\server\etc\default
Linux: <installation_directory>/pw/server/etc/default
For more information, see Configuring the Publishing Server to integrate with an AR Server group .
Install the CMDB extension jar files that you received from the BMC Helix team. Do the following:
- Click to see the instructions for Linux...
  1. Back up the pw/server/bin/pserver file.
  2. Stop the pserver. Use the following command:
    pw p e pserver
  3. Edit the in the pw/server/bin/pserver file as follows:
    Comment the older jar files:
    #PS_CP="$PS_CP:$ATRIUM_CMDB_HOME/cmdbapi<old version>.jar"
    #PS_CP="$PS_CP:$ATRIUM_CMDB_HOME/arapi<old version>..jar"
    #PS_CP="$PS_CP:$ATRIUM_CMDB_HOME/arpluginsvr<old version>..jar"
    #PS_CP="$PS_CP:$ATRIUM_CMDB_HOME/noeapi<old version>..jar"
    Add the new jar files:
    PS_CP="$PS_CP:$ATRIUM_CMDB_HOME/cmdbapi<new_version>.jar"
    PS_CP="$PS_CP:$ATRIUM_CMDB_HOME/arapi<new_version>._build001.jar"
    PS_CP="$PS_CP:$ATRIUM_CMDB_HOME/arpluginsvr<new_version>._build001.jar"
    PS_CP="$PS_CP:$ATRIUM_CMDB_HOME/noeapi<new_version>..jar"
  4. Copy the jar files from the CMDB to the pw/cmdb/lib folder and change the permissions to 775 for the new files. Do not remove the existing jar files because they are used by other processes. The new jar files can exist along with the existing files.
  5. Start the pserver. Use the following command:
    pw p s pserver
  6. Close the publishing environment. Use the following command:
    penv close -e PROD
    Important: Closing the publishing environment removes all published data
    
    Closing the publishing environment removes all published data from the Cell and removes all publishing filters and published data from CMDB.
  7. Restart the publishing server.
  8. Once the publishing server starts and the output of psstat is Started, run the publish command to publish the data again.
- Click to see the instructions for Windows...
  1. Back up the in the pw\server\bin pserver.bat file to a backup location.
  2. Stop the pserver. Use the following command:
    pw p e pserver
  3. Edit the pw\server\bin\pserver.bat file as follows:
    Remove the older jar files:
    rem set PS_CP=%PS_CP%;%ATRIUM_CMDB_HOME%\arapi<old version>.jar
    rem set PS_CP=%PS_CP%;%ATRIUM_CMDB_HOME%\arpluginsvr<old version>.jar
    rem set PS_CP=%PS_CP%;%ATRIUM_CMDB_HOME%\cmdbapi<old version>.jar
    rem set PS_CP=%PS_CP%;%ATRIUM_CMDB_HOME%\noeapi<old version>.jar
    Add the new jar files:
    set PS_CP=%PS_CP%;%ATRIUM_CMDB_HOME%\arapi<new version>_build001.jar
    set PS_CP=%PS_CP%;%ATRIUM_CMDB_HOME%\arpluginsvr<new version>__build001.jar
    set PS_CP=%PS_CP%;%ATRIUM_CMDB_HOME%\cmdbapi<new version>.jar
    set PS_CP=%PS_CP%;%ATRIUM_CMDB_HOME%\noeapi<new version>.jar
  4. Copy the jar files from the CMDB to the pw/cmdb/lib folder and change the permissions to 775 for the new files. Do not remove the existing jar files because they are used by other processes. The new jar files can exist along with the existing files.
  5. Start the pserver. Use the following command:
    pw p s pserver
  6. Close the publishing environment. Use the following command:
    penv close -e PROD
    Important: Closing the publishing environment removes all published data
    
    Closing the publishing environment removes all published data from the Cell and removes all publishing filters and published data from CMDB.
  7. Restart the publishing server.
  8. Once the publishing server starts and the output of psstat is Started, run the publish command to publish the data again.
Restart the TrueSight Infrastructure Management server.

Step 4: Verifying the integration

Log in to the BMC Helix MidTier Server as the user given to you by the BMC Helix team.
Go to Atrium Core > Atrium Core console.
Execute the Impact module designer.
Create a test model in the Impact module designer.
Verify that the test model is published in the TrueSight Infrastructure Management.

Configuring the TrueSight Environment for the BMC Helix CMDB integration

Step 1: Importing certificates into the TrueSight Infrastructure Management server

Step 2: Configuring the BMC Helix client gateway

Step 3: Configure the BMC Helix CMDB integration TrueSight Operations Management

Step 4: Verifying the integration

Comments