Security planning


Administrators use the following information to run BMC Helix Continuous Optimization in their environment securely. 

BMC Helix Continuous Optimization is divided into two major parts: BMC Helix Continuous Optimization in the cloud, and the Remote ETL Engine and related components that you install to collect data from your on-premises environment. For details, see Architecture.

Security planning for on-premises components

  • Communication between the on-premises components and BMC Helix Continuous Optimization is always encrypted and sent over HTTPS.
  • All communication between the on-premises components and BMC Helix Continuous Optimization is always initiated by the on-premises components. Communication is never initiated by BMC Helix Continuous Optimization in the cloud.
  • Use the API key and Helix host URL while installing the Remote ETL Engine to ensure that:
    • The connection between the Remote ETL Engine and BMC Helix Continuous Optimization is authenticated.
    • BMC Helix Continuous Optimization connects only with the registered Remote ETL Engines.
  • The only port required for the Remote ETL Engine is 443. For environments with a firewall, enable access by adding a firewall rule for outgoing communication on port 443 to the DNS name or IP address of BMC Helix Portal.

Enabling TLS server certificate validation for ETLs

Server certificate validation is disabled by default for the following ETLs:

To enable server certificate validation for these ETLs, perform the following steps:

  1. Create the customenv.sh file in the /opt/bmc/BCO folder on the Remote ETL Engine server.
    Ensure that the customenv.sh file is created as the cpit user.
  2. Add the following commands to the customenv.sh file:
    SSL_STRICT_CERTIFICATE_VALIDATION=true
    export SSL_STRICT_CERTIFICATE_VALIDATION
  3. Import the server certificates into the ETL's truststore located at /opt/bmc/BCO/jre/lib/security/cacerts.
  4. Restart the Remote ETL Engine.
  5. Rerun the ETLs.

If you are upgrading the Remote ETL Engine, back up the cacerts file /opt/bmc/BCO/jre/lib/security/cacerts and restore it after the upgrade is complete. Otherwise, you must reimport the server certificates into the ETL's truststore after the upgrade.
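Steps 1 to 3 of the procedure and the cacerts backup from the upgrade note, scripted as an added example; this is not BMC tooling. The keytool path under the bundled JRE, the changeit store password, and the alias and certificate-file arguments are assumptions. Restarting the engine and rerunning the ETLs (steps 4 and 5) are left to the operator.

```shell
#!/usr/bin/env bash
# Added example, not BMC tooling. Paths under BCO_HOME come from the procedure above;
# the keytool location and the store password are assumptions.
BCO_HOME="${BCO_HOME:-/opt/bmc/BCO}"
STOREPASS="${STOREPASS:-changeit}"   # assumption: stock Java truststore password

# True only if the last assignment in customenv.sh is "true" and the variable is exported.
strict_enabled() {
  local f="$BCO_HOME/customenv.sh" last
  last=$(grep -E '^SSL_STRICT_CERTIFICATE_VALIDATION=' "$f" 2>/dev/null | tail -n 1)
  [ "$last" = 'SSL_STRICT_CERTIFICATE_VALIDATION=true' ] &&
    grep -qx 'export SSL_STRICT_CERTIFICATE_VALIDATION' "$f"
}

# Steps 1-2: append the two lines unless they are already in effect (safe to rerun).
write_customenv() {
  strict_enabled && return 0
  printf '%s\n' 'SSL_STRICT_CERTIFICATE_VALIDATION=true' \
    'export SSL_STRICT_CERTIFICATE_VALIDATION' >> "$BCO_HOME/customenv.sh"
}

# Upgrade note: copy cacerts aside (preserving mode and timestamps); prints the backup path.
backup_cacerts() {
  local src="$BCO_HOME/jre/lib/security/cacerts"
  local dst="${1:-$src.bak.$(date +%Y%m%d%H%M%S)}"
  cp -p "$src" "$dst" && echo "$dst"
}

# Step 3: import one server certificate; skipped if the alias is already present.
# Check the fingerprint (keytool -printcert -file <cert>) out of band before importing,
# because -noprompt trusts the file without asking.
import_cert() {   # usage: import_cert <alias> <cert-file>
  local ks="$BCO_HOME/jre/lib/security/cacerts"
  local keytool="$BCO_HOME/jre/bin/keytool"   # assumption: keytool ships in the bundled JRE
  "$keytool" -list -alias "$1" -keystore "$ks" -storepass "$STOREPASS" >/dev/null 2>&1 && return 0
  "$keytool" -importcert -noprompt -alias "$1" -file "$2" -keystore "$ks" -storepass "$STOREPASS"
}

# usage: <script> apply <alias> <cert-file>   (run as cpit, per step 1)
if [ "${1:-}" = "apply" ]; then
  [ "$(id -un)" = "cpit" ] || { echo "run as the cpit user" >&2; exit 1; }
  backup_cacerts && write_customenv && import_cert "$2" "$3" &&
    echo "Done. Restart the Remote ETL Engine and rerun the ETLs (steps 4-5)."
fi
```

strict_enabled reads only the last assignment in the file, so it also flags a customenv.sh in which a later line has switched validation back off.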

Security planning for BMC Helix Continuous Optimization in the cloud

BMC Helix services are designed based upon National Institute of Standards and Technology (NIST) 800-53, Rev 4 controls and standards in order to provide enterprise-grade security for our customers. BMC utilizes an in-depth defense methodology that focuses on redundant controls to prevent and mitigate impacts to the confidentiality, availability, and integrity of customer data and services. For details, see Security.