Deploying BMC Helix Automation Console on-premises by using the BMC Helix ITOM installer
Deploy BMC Helix Automation Console as part of the BMC Helix IT Operations Management on-premises deployment and use it to identify, analyze, and remediate missing patches, vulnerabilities, and compliance violations in your environment.
By using this method, you can keep data sources on their on-premises networks, yet securely use that on-premises data in BMC Helix services.
Before you begin
- Make sure that you possess the required proficiency in the technologies and skills necessary to perform a container-based deployment of BMC Helix IT Operations Management. For details, see Recommended skill set and trainings .
- Review the BMC Helix Automation Console release notes for known deployment or product issues. For more information, see Release notes and notices.
- Review system requirements to make sure your current systems meet the requirements. For more information, see System requirements.
Deployment process overview
Use the following topics to deploy BMC Helix Automation Console as part of the BMC Helix IT Operations Management on-premises deployment:
| Task | Action | Reference |
|---|---|---|
| Preparing for deployment | ||
| 1 | Configure the controller machine to ensure proper deployment and management. | Set up the controller machine |
| 2 | Set up the Harbor registry to access the BMC Helix IT Operations Management container images hosted on the BMC Docker Trusted Registry (DTR). | Access the container images |
| 3 | Set up a Kubernetes cluster and make sure you meet the Persistent Volume storage class requirements. | Set up a Kubernetes cluster |
| 4 | Configure the F5 Load Balancer to route external URLs to the NGINX Plus Ingress Controller within the Kubernetes cluster. | Configure the F5 Load Balancer |
| 5 | Deploy and configure the Ingress Controller to securely route external traffic to services within the Kubernetes cluster. | Deploy and configure the Ingress Controller |
| 6 | Perform the relevant pre-deployment tasks or any additional preinstallation steps required after installing the individual components. | Perform pre-deployment tasks |
| Deploying BMC Helix Automation Console On-Premises | ||
| 7 | Perform the different actions relevant to the deployment of BMC Helix Automation Console as part of BMC Helix IT Operations Management containers. | Deploy BMC Helix Automation Console On-Premises |
| 8 | Verify your deployment and check the status of services and resources. | Verify and troubleshoot deployment issues |
| Performing post-deployment procedures | ||
| 9 | Perform various post-deployment tasks to configure BMC Helix Automation Console (On-Premises) | Configure BMC Helix Automation Console (On-Premises) |
Task 1: To set up the controller machine
The controller machine hosts the installer and provides a set of scripts and configuration files required for installation. You download and run the installer on your system, and these resources automate and manage the installation process.
Configure the controller machine according to the specifications in the following table and make sure that Helm, Docker, and Kubernetes packages are installed.
| Requirement | Description |
|---|---|
| CPU | 4 core |
| RAM | 16GB |
| Hard disk | 100GB |
| Operating system |
|
Task 2: To access the BMC Helix IT Operations Management container images
The BMC Helix IT Operations Management container images are hosted on the BMC Docker Trusted Registry (DTR), which is available through the Mirantis Kubernetes Engine. To access these images, set up a Harbor registry within your local network and synchronize it with BMC DTR. You can then access the container images from your local Harbor instance. For detailed steps on how to configure Harbor Registry in your environment, see Harbor Installation and Configuration.
The following table lists the host machine requirements for Harbor Registry:
| Requirement | Description |
|---|---|
| CPU | 4 core |
| RAM | 16GB |
| Hard disk | 500GB |
| Network port |
|
For information about how to pull the container images from the Harbor repository, see the Docker Registry component details in the System requirements.
Task 3: To set up a Kubernetes cluster
To enable deployment, you must set up a Kubernetes cluster. Kubernetes provides container orchestration, ensuring high availability, scalability, and automated workload management across multiple nodes.
For persistent data in Kubernetes, a storage class is required to define how volumes are provisioned and managed. BMC Helix supports a Bring-Your-Own-Storage approach, allowing you to use any storage backend that meets the following requirements:
- Dynamic Provisioning: It must automatically create volumes when requested.
- Volume Expansion: It must allow resizing volumes without downtime.
ReadWriteMany Support: It must support ReadWriteMany storage.
The table below lists the minimum computing resources required for each deployment size category that must be provisioned by the Kubernetes cluster for BMC Helix Automation Console deployment. These values include Infrastructure services, Platform, and Common services.
| Deployment size | Minimum worker nodes available | Hard Disk (GB) per node | Total vCPU limits (Millicore) for all nodes | Total Memory limits (GB) for all nodes | Total no. of vulnerability instances supported for all nodes | Total number of assets for all nodes | Number of concurrent users for all nodes | Block Storage (GB) | ReadWriteMany storage (GB) |
| bhaccompact | 4 | 80 | 64,000 | 146 | 1 Million | 1500 | 5 | 874 | 10 |
| bhacsmall | 6 | 80 | 94,000 | 204 | 5 Million | 7500 | 50 | 2374 | 10 |
| bhacmedium | 6 | 80 | 103,000 | 240 | 10 Million | 15000 | 100 | 2854 | 10 |
| bhaclarge | 9 | 80 | 169,000 | 460 | 15 Million | 25000 | 100 | 2854 | 10 |
To compensate for the loss of worker nodes in your cluster, you must provide extra worker nodes with resources equal to your largest worker node. For example, if you have 4 nodes with 10 vCPUs and 50GB of RAM, you will need a 5th node with 10 vCPUs and 50GB of RAM to prevent recovery from being impacted by the loss of one worker node.
Task 4: To configure the F5 load balancer
Use an external load balancer to route external URLs to the NGINX Plus Ingress Controller within the Kubernetes cluster. BMC Helix IT Operations Management supports all standard load balancers; however, the F5 Load Balancer has been certified for BMC Helix Automation Console.
For more information, see Load balancer requirements
For information on how to configure F5 Load Balancer, see Example: Configuring an F5 load balancer.
Task 5: To deploy and configure the Ingress Controller
Before deploying BMC Helix Automation Console, you must deploy and configure an Ingress Controller. The Ingress Controller acts as a reverse proxy and load balancer in Kubernetes. It works by implementing a Kubernetes Ingress, an API object that defines rules for routing external traffic to services within the Kubernetes cluster.
BMC Helix Automation Console supports the following Ingress Controllers, and you can configure either of them:
- F5 NGINX Plus Ingress Controller: A secure, licensed solution certified by BMC Helix.
For more information, see Deploying and configuring the F5 NGINX Plus Ingress Controller. - NGINX Open Source Ingress Controller: An open-source component that manages external access to services running in your Kubernetes cluster. For more information, see Deploying and configuring the NGINX Open Source Ingress Controller.
Task 6: To perform additional pre-deployment tasks
Perform the relevant pre-deployment tasks, as some components may require additional steps during the installation process.
Setting up BMC Discovery is optional for BMC Helix Automation Console standalone services. However, enabling BMC Discovery provides the following additional capabilities:
- Dynamic Service Model: This feature automatically maps and updates relationships between applications, services, and infrastructure components, for which it requires real-time BMC Discovery data.
- Blind Spot Detection: This feature identifies unmanaged or unknown assets, also known as blind spots, within your environment. BMC Discovery scans the network and detects these assets, ensuring they are visible and can be managed.
For more information, see Preparing for deployment.
Task 7: To deploy BMC Helix Automation Console on-premises
Perform the following actions in the controller machine set up in Task 1 to deploy BMC Helix Automation Console as part of BMC Helix IT Operations Management containers:
To download the deployment manager
Download the deployment manager and the token to access container images from the BMC Electronic Product Distribution (EPD) site. For more information, see Downloading the deployment manager.
To prepare for password encryption
For enhanced security, the BMC Helix IT Operations Management uses encrypted passwords for deployments. After you download the product files from the BMC Electronic Product Distribution (EPD), you can prepare for password encryption.
For more information, see Preparing for password encryption.
To prepare the deployment configuration files
Use the following configuration files to determine the applications and settings that you want to deploy in the /config folder of the deployment manager directory:
- infra.config
- deployment.config
Make sure to update the following values in the deployment.config file according to the product you are deploying:
IMAGE_REGISTRY_PROJECT=bmc IMAGE_REGISTRY_ORG=lp0lz CORE_IMAGE_REGISTRY_ORG=lp0lz IA_IMAGE_REGISTRY_ORG=lp0oz OPTIMIZE_IMAGE_REGISTRY_ORG=lp0pz BHOM_IMAGE_REGISTRY_ORG=lp0mz AIOPS_IMAGE_REGISTRY_ORG=la0cz BHAC_IMAGE_REGISTRY_ORG=lpdbt BHAC_COMMON_IMAGE_REGISTRY_ORG=lpcs5 SWP_INTELLIGENT_INTEGRATIONS_IMAGE_REGISTRY_ORG=lp0jz
The file provides an example of the applications and settings that you can deploy in the /config folder of the deployment manager directory.
For more information, see Configuration file settings.
To deploy BMC Helix Automation Console
Run the installer scripts from the controller machine set up in Task 1. Before proceeding, make sure that BMC Helix Automation Console is enabled in the deployment.config file.
The deployment of BMC Helix IT Operations Management includes the following components:
- BMC Helix Platform Common Services
- Infrastructure Services
- BMC Helix Automation Console On-Premises Application Services
Use the deployment manager script (deployment-manager.sh) to deploy these components into your Kubernetes cluster.
For more information, see Deploying BMC Helix IT Operations Management.
Task 8: To verify and troubleshoot deployment issues
To verify your deployment, use kubectl commands to interact with your Kubernetes cluster and check the status of services and resources. If issues occur, review the logs to identify and resolve errors.
For detailed troubleshooting steps, see Troubleshooting deployment issues.
Task 9: To configure BMC Helix Automation Console on-premises post-deployment
Perform the following actions to configure BMC Helix Automation Console post-deployment:
To register with BMC Helix and activate BMC Helix Portal
As a tenant administrator, use these steps to register, activate, and set up your BMC Helix Automation Console environment:
- Log on to BMC Helix Portal by using the default login credentials. After the first login, you will be prompted to set the tenant administrator password.
- Click the BMC Helix Automation Console tile to launch BMC Helix Automation Console. Selecting this tile opens the Vulnerability Dashboard in BMC Helix Automation Console.
- To get started, configure your preferred connectors to collect and process data from third-party sources. This enables automated vulnerability management and remediation workflows.
For more information, see Managing connectors.
To configure the Tenable.sc connector
You must configure the Tenable.sc connector to integrate BMC Helix Automation Console with Tenable.sc. The Tenable.sc connector retrieves vulnerability data from Tenable.sc scanners and feeds it into BMC Helix Automation Console for analysis and remediation planning.
For more information, see Configuring the Tenable.sc connector.
To configure the scanner connector
You can configure different types of scanner connectors to manage vulnerabilities detected by Qualys, Tenable.io, and Rapid7 scanners. This connector enables you to integrate various types of scanners to identify security risks and vulnerabilities across your IT infrastructure.
BMC Helix Automation Console currently supports the Qualys, Tenable.io, and Rapid7 scanners under this Scanner connector.
For more information, see Configuring the Scanner connector.
To configure the TrueSight Server Automation connector
You must connect the TrueSight Server Automation endpoint with BMC Helix Automation Console to automate patching, compliance checks, and other server management tasks across your infrastructure. To configure this connector, enable the TrueSight Server Automation endpoint for Remedy Single Sign-On (RSSO). For detailed instructions, see Configuring BMC Helix Single Sign-on for BMC Helix Automation Console.
After you enable Remedy Single Sign-On (RSSO), you can connect to TrueSight Server Automation by configuring the TrueSight Server Automation connector in BMC Helix Automation Console. For detailed instructions, see Configuring the TrueSight Server Automation connector.
To configure the TrueSight Network Automation connector
You must connect the TrueSight Network Automation endpoint with BMC Helix Automation Console to automate network configuration changes, enforce policy compliance, and execute remediation workflows across network devices. To configure this connector, enable the TrueSight Network Automation endpoint for Remedy Single Sign-On (RSSO). For detailed instructions, see Configuring BMC Helix Single Sign-on for BMC Helix Automation Console.
After you enable Remedy Single Sign-On (RSSO), you can connect to TrueSight Network Automation by configuring the TrueSight Network Automation connector in BMC Helix Automation Console. For detailed instructions, see Configuring the TrueSight Network Automation connector.
To configure the BMC Discovery connector
You must configure the Discovery Cloud connector to integrate with BMC Discovery to identify all assets and related services, including business services, technical services, and business applications, within your network. By using this connector, you can identify the assets in your environment that are not included in vulnerability scans. These blind spots represent potential security risks that must be remediated.
For detailed instructions, see Configuring the BMC Discovery connector.
To configure the TrueSight Orchestration connector
You must configure the TrueSight Orchestration connector to integrate with TrueSight Orchestration for automated change management. You can create change tickets with an approval process in BMC Helix IT Service Management or ServiceNow for patching, vulnerability remediation, compliance enforcement, and template-based operations.
For detailed instructions, see Configuring the TrueSight Orchestration connector.