Security planning

Administrators use the following information to run BMC Helix Continuous Optimization in their environment securely. 

BMC Helix Continuous Optimization is divided into two major parts, BMC Helix Continuous Optimization in the cloud, and the Remote ETL Engine and related components that you need to install to collect data from your on-premises environment. For details, see Architecture.

Security planning for on-premises components

  • Communication between the on-premises components and BMC Helix Continuous Optimization is always encrypted, and sent over HTTPS.
  • All communication between the on-premises components and BMC Helix Continuous Optimizationis always initiated by on-premises components. Communication is never initiated by the BMC Helix Continuous Optimization in the cloud. 
  • Use the API key and Helix host URL while installing the Remote ETL Engine to ensure that:
    • The connection between the Remote ETL Engine and BMC Helix Continuous Optimization is authenticated.
    • BMC Helix Continuous Optimization connects only with the registered Remote ETL Engines.
  • The only port required is 443 for the Remote ETL Engine. For environments with a firewall, enable the access by specifying the firewall rule for outgoing communication with port 443 using the DNS or IP address of BMC Helix Portal. 

Enabling (TLS) server certificate validation for ETLs

Server certificate validation is disabled by default for following ETLs:

To enable server certificate validation for these ETLs, perform the following steps:

  1. Create customenv.sh file in the /opt/bmc/BCO folder on the remote ETL engine server.
    Ensure that the customenv.sh file is created using the cpit user.
  2. Add the following commands in the customenv.sh file:
    SSL_STRICT_CERTIFICATE_VALIDATION=true
    export SSL_STRICT_CERTIFICATE_VALIDATION
  3. Import the server certificates into the ETL's truststore located at /opt/bmc/BCO/jre/lib/security/cacerts
  4. Restart the Remote ETL Engine.
  5. Rerun the ETLs.

If you are upgrading the Remote ETL Engine, take a backup of the cacerts file /opt/bmc/BCO/jre/lib/security/cacerts and restore it back after the upgrade is complete. If not, you need to reimport the server certificates into the ETL's truststore after the upgrade. 

Security planning for BMC Helix Continuous Optimization in the cloud

BMC Helix services are designed based upon National Institute of Standards and Technology (NIST) 800-53, Rev 4 controls and standards in order to provide enterprise-grade security for our customers. BMC utilizes an in-depth defense methodology that focuses on redundant controls to prevent and mitigate impacts to the confidentiality, availability, and integrity of customer data and services. For details, see  Security Open link .

Was this page helpful? Yes No Submitting... Thank you

Comments