Deploying the on-premises gateway by using Podman containers

Use the Podman container images to deploy the BMC Helix Intelligent Integrations on-premises gateway in your on-premises environment.

Before you begin

Before you deploy the BMC Helix Intelligent Integrations on-premises gateway, review the system requirements and download the container images and utility files.

Related topics

Setting-up-and-going-live

Supported-out-of-the-box-integrations-for-BMC-Helix-Intelligent-Integrations



To deploy the on-premises gateway by using Podman containers

  1. Go to the server where you want to deploy the on-premises gateway.
  2. Copy the following files that you received from BMC Support to the /opt/bmc directory:
    • Container images: bmc-hii-docker-images-<buildNumber>.tgz
    • Utility file: hii-bmc-<buildNumber>.zip
  3. Disable SELinux:
    1. Open the /etc/selinux/config file with a text editor.

    2. Set SELINUX to disabled.

      # This file controls the state of SELinux on the system.
      # SELINUX= can take one of these three values:
      #       enforcing - SELinux security policy is enforced.
      #       permissive - SELinux prints warnings instead of enforcing.
      #       disabled - No SELinux policy is loaded.
      SELINUX=disabled
      # SELINUXTYPE= can take one of these two values:
      #       targeted - Targeted processes are protected,
      #       mls - Multi Level Security protection.
      SELINUXTYPE=targeted

  4. Reboot the server:

    /sbin/reboot now

  5. Disable firewalld:

    systemctl disable firewalld

  6. Set the HOSTNAME variable to the fully-qualified domain name of the server if not set already, as shown in the following example:

    echo "export HOSTNAME=hostA.mycompany.com" >> ~/.bash_profile
    source ~/.bash_profile

  7. Load the container images:

    podman load --input /opt/bmc/bmc-hii-docker-images-<buildNumber>.tgz

  8. Extract hii-bmc-<buildNumber>.zip to the /opt/bmc directory.

    tar -xvf <path to hii-bmc-<buildNumber>.zip> -C /opt/bmc

  9. Change permissions on the /opt/bmc/hii/logs directory to 777:

    chmod 777 /opt/bmc/hii/logs

  10. Create a file with the following contents and name it ade-default-destination-min.json:

    [
      {
        "entityKind": "Destination",
        "configWithSchema": {
          "config": {
            "connection": {
      "proxyUsername": "",
              "proxyPassword": "",
              "accessSecretKey": "CHANGEME",
              "allowUnsignedCertificate": false,
              "logResponses": false,
              "pipeLiningLimit": 1,
              "proxyHost": "",
              "logRequests": false,
              "timeout": {
                "unit": "MINUTES",
                "value": 15
              },
              "proxyPort": 8888,
              "maxResponseSize": 1000000,
              "usesHttps": true,
              "accessKey": "CHANGEME",
              "port": 443,
              "minConnections": 0,
              "tenantId": "CHANGEME",
              "connectingTimeout": {
                "unit": "SECONDS",
                "value": 30
              },
              "host": "CHANGEME - BMC Helix tenant host name - for example: swp-2021-1840-disceks1.abc.com",
              "poolTimeout": {
                "unit": "MINUTES",
                "value": 30
              },
              "maxOpenRequests": 1024,
              "maxConnections": 5,
              "maxRedirects": 5,
              "usesProxy": false
            },
            "poolTimeout": {
              "unit": "MINUTES",
              "value": 30
            }
          }
        },
        "instanceName": "BMC",
        "tenantId": "CHANGEME - Must match the tenantId specified in the previous occurrence",
        "typeName": "BmcDestination",
        "id": "CHANGEME - GENERATE NEW UUID using https://www.uuidgenerator.net/version4 e.g. 2643e089-18a8-4b0d-a58a-c022926812e0  MUST BE UNIQUE in a stack",
        "moduleId": "bmc"
      }
    ]
  11. Update the values of the following parameters in the file wherever you see the CHANGEME occurrences and save the file:
    • proxyUsername: User name for the proxy.
    • proxyPassword: Password for the proxy.
    • proxyPort: Proxy port number.
    • proxyHost: Host name of the proxy.
    • usesProxy: Whether proxy should be used for communication. Set its value to true or false depending on whether proxy should be used. 

    • accessKey and accessSecretKey: Access key and secret key required to the access the BMC Helix applications.
      For instructions about how to generate the access key and secret key, see Setting up access keys for programmatic access.

      Important

      The keys are generated in the following format: key:<access key>::<secret key>,tenant id: <tenant ID>. Enter <access key> and <secret key> as the values of the accessKey and accessSecretKey parameters.

      The access key and secret key must have the Administrators group and the Administrator role assigned.


    • tenantId (in two occurrences): Tenant ID.
      Copy the tenant ID from the access key (key:<access key>::<secret key>,tenant id: <tenant ID>) that you generated earlier.
    • host: BMC Helix tenant host name.
      For example, if the tenant URL is https://swp-2021-1840-disceks1.abc.com, enter swp-2021-1840-disceks1.abc.com.
    • id: Universally unique identifier (UUID).
      Access https://www.uuidgenerator.net/version4 to generate UUID.
  2. Configure SSL, see Enabling SSL for BMC Helix Intelligent Integrations.

  3. If you have not started the podman-compose service during SSL configuration, navigate to the /opt/bmc/hii directory and start the service:

    podman-compose -f podman-compose.yaml up -d

  4. Access the BMC Helix Intelligent Integrations UI by using the following URL :
    https://<hostName>:7443/swpui

    Important

    BMC Helix Portal does not display any tile for the BMC Helix Intelligent Integrations on-premises gateway. Access the UI by using the URL specified in this step. 

  5. Import the ade-default-destination-min.json file by using the Backup/Restore option to create the destination.
    For more information, see Backing-up-and-restoring-connector-configurations.
  6. Edit the destination connection details:
    1. On the CONNECTORS tab, click Configure MediatorConfigureMediator_icon.png on the DESTINATIONS panel.
    2. Replace the existing values in the Access Key and Access Secret Key fields with the values that you have copied in the ade-default-destination-min.json file in step 11. 
    3. Click Validate to validate the connection.
    4. Click Save & Close.

Configuring SSL for BMC Helix Intelligent Integrations

  1. Obtain the self-signed certificate from your organization or CA-signed certificate and private keys from Certificate Authority.
  2. Create the hii/conf/certs directory if it does not exist.
  3. Copy the files <hostName>.<domainName>.crt and <hostName>.<domainName>.key to the hii/conf/certs directory.
  4. Open the /opt/bmc/hii/podman-compose.yaml file with a text editor.

  5. Add the following line in the volumes section under the nginx section:

           - ./conf/certs:/etc/nginx/certs:ro  #<-- mounted certificates

    The modified file looks like the following:

    Click here to see the modified file.
    version: '3'
    services:
      nginx:
        image: nginx:latest
        init: true
        restart: always
        container_name: swp-nginx
        ports:
          - 7457:8080
          - 7443:7443
        depends_on:
          - backup
          - mediator
          - ui
        volumes:
          - ./conf/nginx.conf:/etc/nginx/nginx.conf
          - ./conf/certs:/etc/nginx/certs:ro  #<-- mounted certificates.
        #      - /etc/letsencrypt/:/etc/letsencrypt/
        logging:
          driver: journald
          options:
            tag: swp.nginx

    Important

    You need to map the internal ports (443 and 8080) of the nginx container to the ports (7443 and 7457) of the host computer to access the BMC Helix Intelligent Integrations URLs, for example, http://<hostName>:7457/swpui and https://<hostName>:7443/swpui, outside the Docker container.

  6. Update the VIRTUAL_HOST parameter:
    1. Navigate to the ui: section.

    2. Replace host.youcompany.com with the fully-qualified domain name of the computer where BMC Helix Intelligent Integrations is installed, as shown in the following example:

      VIRTUAL_HOST: localhost ,hostA.mycompany.com

  7. Save and close the file.
  8. In the hii/conf/nginx.conf file, do the following changes:

    1. Add the following SSL configuration:

      ssl_certificate /etc/nginx/certs/hostA.mycompany.com.crt;  #certificate path
      ssl_certificate_key /etc/nginx/certs/hostA.mycompany.com.key;  #certificate key 

    2. Uncomment the last line:

      # listen 7443 ssl;

      The modified hii/conf/nginx.conf file looks like the following:

      Click here to see the modified file.
      http {
        server {
          server_name localhost;
          ssl_certificate /etc/nginx/certs/hostA.mycompany.com.crt;  #certificate path
          ssl_certificate_key /etc/nginx/certs/hostA.mycompany.com.key;  #certificate key
          gzip on;
          gzip_disable "msie6";
          gzip_vary on;
          gzip_proxied any;
          gzip_comp_level 6;
          gzip_buffers 16 8k;
          gzip_http_version 1.1;
          gzip_min_length 0;
          gzip_types text/plain application/javascript text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/vnd.ms-fontobject application/x-font-ttf font/opentype;

          location /swpui/api/backup {
            rewrite /swpui/(.*) /$1  break;
            proxy_pass http://swp-backup:9000;
          }

          location /swpui/api/mediator {
            rewrite /swpui/(.*) /$1  break;
            proxy_pass http://swp-mediator:9000;
          }

          location /swpui/api/system {
            rewrite /swpui/(.*) /$1  break;
            proxy_pass http://swp-mediator:9000;
          }

          location /hii/api/mediator/v3/push {
            proxy_pass http://swp-mediator:9000;
          }

          location /swpui {
            proxy_pass http://swp-ui:7457/swpui;
          }

          location / {
            proxy_pass http://swp-ui:7457/swpui;
          }


          listen 8080;
          listen 7443 ssl;
        }
      }
  9. Save and close the file. 

  10. Restart the podman-compose service.

    podman-compose -f podman-compose.yaml down
    podman-compose -f podman-compose.yaml up -d
  11. Access the BMC Helix Intelligent IntegrationsUI by using the following URL:
    https://<hostName>:7443/swpui


Troubleshooting SSL issues

Problem

Possible root cause

Possible resolution

Containers restart due to the permission-denied errors.

Containers don't have permission to read the mounted directory.

  1. Grant read permission to the mounted directory on the host.
  2. Disable SELinux.

You are not able to access the URL with the host name.

Firewall is blocking the connection.

Disable the firewall.

The swp-nginx container is not starting.

The nginx.conf file contains an invalid configuration.

Check the swp-nginx container logs.

Sometimes, missing semi-colon(;) at the end of the line causes an issue.

Where to go from here

After you deploy the gateway, configure connections with the required third-party products to collect data:

 

Tip: For faster searching, add an asterisk to the end of your partial query. Example: cert*