Setting up the core


To set up the HSSO Sidecar Auth Proxy for authentication, you must use BMC Helix Single Sign-On (BMC Helix SSO). This integration replaces the default basic authentication system. Enabling BMC Helix SSO involves several configuration steps: configuring the BMC Helix SSO server, configuring the authentication proxy (the sidecar proxy), and making the necessary adjustments in the BMC Helix Edge system.

Before you begin

  • Make sure that the BMC Helix Edge core or Edge Management is deployed on-premises in the customer's data center.
  • Metric and event data is stored in the BMC Helix cloud.

Task 1: Apply SSL certificate on nginx-ingress-controller

Applying an SSL certificate on nginx-ingress-controller is crucial for securing HTTPS traffic in Kubernetes-based core deployments. This procedure configures the Ingress controller to terminate SSL/TLS traffic. Get an SSL certificate for your domain from a trusted Certificate Authority (CA), such as Let's Encrypt or a commercial CA. Make sure that you have both the certificate and the private key in PEM format.

Important

Custom or self-signed certificates are not supported.


  1. (Skip this step if you have already attached the SSL certificate at the load balancer.)
    Create a Kubernetes Secret of type tls from the SSL certificate and private key. The kubectl command below reads the PEM files and base64-encodes them for you; only if you write the Secret manifest by hand do you need to base64-encode the certificate and key yourself.

    bash
    kubectl create secret tls my-tls-secret --cert=/path/to/cert.pem --key=/path/to/privkey.pem -n ingress-nginx

  2. To configure the Ingress resource, perform the following steps:
    1. Modify the Ingress resource in Kubernetes to specify the SSL certificate and terminate SSL/TLS traffic at the Ingress controller.
    2. Edit the DaemonSet or Deployment of nginx-ingress-controller and add the argument --default-ssl-certificate=ingress-nginx/<my-tls-secret>, where <my-tls-secret> is the name of the Secret you created:

      bash
      kubectl -n ingress-nginx edit daemonset nginx-ingress-controller
      kubectl -n ingress-nginx edit deployment nginx-ingress-controller

      Example DaemonSet configuration:

      ...
          spec:
            containers:
            - args:
              - /nginx-ingress-controller
              - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller
              - --election-id=ingress-controller-leader
              - --controller-class=k8s.io/ingress-nginx
              - --ingress-class=nginx
              - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
              - --validating-webhook=:8443
              - --validating-webhook-certificate=/usr/local/certificates/cert
              - --validating-webhook-key=/usr/local/certificates/key
              - --default-ssl-certificate=ingress-nginx/my-tls-secret

      After adding the certificate, the nginx-ingress-controller pods restart automatically to apply the configuration changes.
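The checks below are an added example for this task, not BMC or ingress-nginx code. They inspect the certificate and key PEM files before they become tls.crt and tls.key, catch the two mistakes that most often reach an Ingress (a private key pasted into the certificate file, which the controller would then serve to every client, and a passphrase-protected key that nginx cannot load), and build the same kubernetes.io/tls Secret that kubectl create secret tls produces, together with the controller argument that must reference it. The PEM bodies embedded as samples are placeholder text, not real key material; the Secret name and namespace are the ones used in the steps above.

```python
"""Pre-flight checks for the TLS Secret served by nginx-ingress-controller.

Added example for this page; it is not BMC or ingress-nginx code. It inspects
the PEM files before they become tls.crt/tls.key, refuses material that would
fail or leak (a private key pasted into the certificate file, an encrypted key
nginx cannot load without a passphrase) and emits the kubernetes.io/tls Secret
manifest with the base64 encoding a hand-written manifest needs. The PEM
bodies in SAMPLE_* are placeholder text, not real key material.
"""
import base64
import json
import re

# One PEM block: the label in the BEGIN line must match the END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.+?)\r?\n-----END \1-----", re.DOTALL)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def pem_block_labels(pem_text):
    """Labels of all PEM blocks in a file, in order (e.g. leaf, then chain)."""
    return [m.group(1) for m in PEM_BLOCK.finditer(pem_text)]


def check_tls_material(cert_pem, key_pem):
    """Return a list of problems; an empty list means the files are usable."""
    problems = []
    cert_labels = pem_block_labels(cert_pem)
    key_labels = pem_block_labels(key_pem)
    if not cert_labels:
        problems.append("certificate file contains no PEM block")
    if any(label in KEY_LABELS for label in cert_labels):
        # tls.crt is sent to every TLS client; a key in it is a key disclosure.
        problems.append("certificate file contains a private key block")
    if any(label not in KEY_LABELS and label != "CERTIFICATE" for label in cert_labels):
        problems.append("certificate file contains a non-certificate block")
    if len(key_labels) != 1 or key_labels[0] not in KEY_LABELS:
        problems.append("key file must contain exactly one private key block")
    if "ENCRYPTED" in key_pem:
        # Covers both 'ENCRYPTED PRIVATE KEY' and a 'Proc-Type: 4,ENCRYPTED' header.
        problems.append("private key is passphrase-protected; nginx cannot load it")
    return problems


def tls_secret_manifest(name, namespace, cert_pem, key_pem):
    """Build the Secret that `kubectl create secret tls` would create.

    Data values are base64 of the raw PEM text: kubectl does this for you when
    given --cert/--key files; a hand-written manifest has to do it itself.
    """
    problems = check_tls_material(cert_pem, key_pem)
    if problems:
        raise ValueError("; ".join(problems))

    def enc(text):
        return base64.b64encode(text.encode("ascii")).decode("ascii")

    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "kubernetes.io/tls",
        "data": {"tls.crt": enc(cert_pem), "tls.key": enc(key_pem)},
    }


def secret_field(manifest, field):
    """Decode a data field back to PEM (what `kubectl get secret ... | base64 -d` shows)."""
    return base64.b64decode(manifest["data"][field]).decode("ascii")


def default_ssl_certificate_arg(manifest):
    """The controller argument that must point at this Secret as namespace/name."""
    meta = manifest["metadata"]
    return "--default-ssl-certificate=%s/%s" % (meta["namespace"], meta["name"])


# Constructed placeholders: the shape of a CA-issued leaf plus intermediate and
# an unencrypted PKCS#8 key, with dummy bodies instead of real material.
SAMPLE_CERT = (
    "-----BEGIN CERTIFICATE-----\nMIIBleafCERTIFICATEplaceholder\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nMIIBintermediateCAplaceholder\n-----END CERTIFICATE-----\n"
)
SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nMIIEvPKCS8keyplaceholder\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    manifest = tls_secret_manifest("my-tls-secret", "ingress-nginx", SAMPLE_CERT, SAMPLE_KEY)
    print(json.dumps(manifest, indent=2))
    print(default_ssl_certificate_arg(manifest))
    # A key pasted into the certificate file is caught before it is served.
    print(check_tls_material(SAMPLE_CERT + SAMPLE_KEY, SAMPLE_KEY))
```

Run the file with python3 to print the manifest and the matching controller argument. The kubectl command above already does the base64 step; the manifest form is what you need when you apply the Secret from a YAML file or through a GitOps pipeline, and the checks apply either way.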

Task 2: Set up the BMC Helix SSO integration

  1. Select the appropriate tenant for the BMC Helix SSO setup in the BMC Helix SSO server. If you log in as an admin, navigate to the Tenant section and select the tenant for all subsequent operations.
  2. Add the domain name of the BMC Helix Edge Management (core) server to the realm configuration.
    For example: demo-aiops.dsmlab.bmc.com
  3. Add a BMC Helix Edge client by going to OAuth2 → Clients and selecting Add Client.
  4. Fill in the required details and allowed scopes for this client:
    1. Select Enabled.
      Do not select Native client or Multi-tenant client.
    2. Configure the redirect URI as the external URL that users see in the browser.
    3. Select the appropriate option based on the setup. For Kubernetes-based installations, where only the HTTPS port is exposed, configure the callback to use HTTPS.
      For example: https://trinity.dsmlab.bmc.com/auth/code/callback
  5. Make sure that you select the corresponding client from the list.
  6. Under the Allowed Scopes list, select openid and click Save.
    The system displays the client ID and client secret.
  7. Note down the client ID and the client secret to configure the sidecar proxy. Treat the client secret as a credential and store it securely.

Task 3: Configure the HSSO Sidecar proxy for authentication

You must update the rsso_external.conf file with tenant-specific information so that the authentication proxy can communicate with the BMC Helix SSO server.

  1. On the BMC Helix Edge core installer host, navigate to /opt/bmc/hedge/hedge-core/helm/hedge/hedge_auth_proxy/files.
  2. Open the rsso_external.conf file.
  3. Update rsso_external_url and rsso_internal_url with the tenant-specific URL.
    For example: https://<Tenant-URL>/rsso
  4. Update the client ID and client secret that you obtained from BMC Helix Single Sign-On.

Task 4: Retrieve ADE_ACCESS_KEY and ADE_ACCESS_SECRET_KEY

These access keys are essential for authenticating and authorizing BMC Helix Edge to interact with the BMC Helix Autonomous Digital Enterprise environment. Use these keys to establish a secure connection between BMC Helix Edge and the BMC Helix platforms, ensuring proper authentication and access control.

  1. Log on to the tenant as a Tenant administrator user.
  2. Navigate to User access > Users and Keys.
  3. On the Users and Keys page, click the Access Keys tab.
  4. In the Access Keys list, click Actions and select Key details to copy the key information.
  5. Note down the ADE_ACCESS_KEY and ADE_ACCESS_SECRET_KEY values.
    The key details show the access key and the secret key separated by ::, followed by the tenant ID. For example:
    Key Details: T19ZBDYI1LDKAQZ4M6GP8KEDV1ZWZM::0hg6ajzgeMVkmL4HoY9VpSKUEb5lQsp50UkLRND9txorUAj4mJ, tenant id: 696405431
    The secret key is a credential; do not paste it into tickets, chat, or source control.
  6. Navigate to Assignments, and add Groups – Administrators, AI Administrator, Operators, and add Roles – Administrator, AI Admin, Operator, and RBAC Admin.

Task 5: Retrieve ADE_TENANT_APIKEY

ADE_TENANT_APIKEY authenticates and authorizes interactions with the BMC Helix Operations Management environment repository, which is crucial for BMC Helix Edge functionality.

  1. Log on to the tenant and navigate to BMC Helix Operations Management.
  2. On the BMC Helix Operations Management page, navigate to Administration > Repository.
  3. On the Repository page, select a deployable package and click Copy API Key.
    BMC Helix Operations Management copies the ADE_TENANT_APIKEY to the clipboard.
    The following is an example of an ADE_TENANT_APIKEY:
    696405431::SQVOELPN6O7STQUOEIKNWD85E9ANMX::HYztaJJ91vxSs8SPAhQqhl15VfkR2KbQj6Wp5ItmxVDTmV123D

Task 6: Register BMC Helix Edge on BMC Helix SaaS or BMC Helix IT Operations Management

Before registering BMC Helix Edge as an external application in BMC Helix on the BMC Helix cloud, you must set up the tctl command line utility.

Use the following steps to enable tctl communication with the BMC Helix environment:

  1. Open the tctl command-line utility to interact with the Tenant Management Service (TMS). Download and configure the tctl utility before you proceed.
  2. Run the specific tctl commands to create and activate the BMC Helix Edge service in BMC Helix SaaS.
  3. Make sure that you provide all necessary configuration files during this process.
    This process registers BMC Helix Edge as an external application in BMC Helix SaaS or BMC Helix IT Operations Management, facilitating its integration into the BMC Helix environment.
  4. To register BMC Helix Edge as an external application in BMC Helix SaaS, use the following steps:
    1. Log in to tmsrealm with the following credentials:

      User name: admin
      Password: bmcAdm1n1#

      This password differs from the usual BMC Helix SSO password.

    2. Run the tctl command to register BMC Helix Edge as a new service or application in BMC Helix SaaS. Make sure that you provide the necessary configuration .json files. These files must correspond to their fully qualified names in the edge-iot directory.
    3. Create the service by using the following command:

      tctl create service -f ./hedge-deployment/ade_scripts/hedge_service.json

  5. Record the service ID from the JSON output of the create command.
  6. Use the recorded service ID to update the service.
  7. Activate the service by using the following command, replacing {service-ID} and {instance-ID} with the appropriate values:

    tctl activate service {service-ID} -i {instance-ID} -f /path/to/hedge_service_url.json

    This command is the reference form; in a BMC Helix development environment, for example, substitute that environment's service ID, instance ID, and path to hedge_service_url.json.

Task 7: Configure ade-file-service for additional file types

  1. Use SSH to log in to the Apache ZooKeeper host. Find the host information in the Rancher tool and then access the host.
  2. Run the Apache ZooKeeper CLI shell script (zkCli.sh in a standard ZooKeeper distribution) or an equivalent shell script.
    The script's location might vary, for example /opt/bmc/zookeeper/apache-zookeeper-3.6.0-bin/.
  3. Configure the additional file extensions to enable support for other file extensions. Add only the extensions that you need; every extension you add widens what ade-file-service accepts.
  4. Check the existing configuration:

    get /conf/ADEFileService/SUPPORTED_FILE_EXTENSIONS

    Set a new configuration with the additional extensions (for example, .csv, .zip, .json). Because set replaces the whole value, include the existing extensions in the new list:

    set /conf/ADEFileService/SUPPORTED_FILE_EXTENSIONS .csv,.zip,.json

    Verify the change:

    get /conf/ADEFileService/SUPPORTED_FILE_EXTENSIONS

  5. Configure the additional MIME types to support other MIME types.
    For example: text/csv, text/plain, application/json, and application/zip
  6. Check the existing configuration:

    get /conf/ADEFileService/SUPPORTED_MIME_TYPE

    Set the new configuration with the desired MIME types (again including the existing ones, because set replaces the whole value):

    set /conf/ADEFileService/SUPPORTED_MIME_TYPE text/csv,text/plain,application/json,application/zip

    Verify the change:

    get /conf/ADEFileService/SUPPORTED_MIME_TYPE

    After these configurations, do not restart the Apache ZooKeeper server or the ade-file-service pod.

Task 8: Authenticate programmatically for BMC Helix Edge

Use the following procedure to enable programmatic authentication for BMC Helix Edge:

  1. Set up the authentication:
    1. Generate a public/private key pair by using OpenSSL for the domain where you installed BMC Helix Edge. Keep the private key on the host that will request tokens; only the public key is uploaded to BMC Helix SSO.
    2. In BMC Helix Single Sign-On, create an OAuth2 client specifically for programmatic authentication and record the client ID and client secret generated for this client.
    3. In BMC Helix Single Sign-On, navigate to the realm and add a new PreAuth authentication method. Use the public key generated in step 1(a) in this method.
    4. Generate a JSON Web Token (JWT) signed with the private key from step 1(a). jwt.io is useful for inspecting the token's structure, but sign with a local tool or library so that the private key never leaves your host.
    5. Use the following BMC Helix SSO API endpoint to get access and refresh tokens:

      Endpoint: https://<ADE-RSSO-URL>/rsso/oauth2/v1.1/token

      Authentication method: Basic authentication with the client ID and client secret obtained in step 1(b).

      Request body: the assertion (the JWT) generated in step 1(d).

    6. Access the BMC Helix Edge APIs programmatically, including the access token from step 1(e) as a Bearer token in the Authorization header.
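The flow in steps 1(d) to 1(f), as an added example that is not BMC's code: it builds the assertion claims and the compact JWT, shows the exact HTTP request that the token endpoint receives (Basic authentication with the client ID and secret, form body carrying the assertion), and includes the verification that a receiving side performs. Two assumptions are made: that the token endpoint accepts the standard OAuth 2.0 JWT bearer grant (RFC 7523, grant_type urn:ietf:params:oauth:grant-type:jwt-bearer with an assertion parameter), and that the assertion uses the RFC 7523 claim names. The signer is a callback so that the RS256 signature can be produced with the OpenSSL private key from step 1(a), for example through the cryptography package's RSAPrivateKey.sign with PKCS1v15 padding and SHA-256; the demo at the bottom signs with HMAC-SHA256 from the standard library so that it runs offline. The hostnames, client values and keys in it are placeholders.

```python
"""PreAuth JWT assertion and token request for BMC Helix SSO.

Added example for this page, not BMC's code. Assumptions: (1) the token
endpoint accepts the standard OAuth 2.0 JWT bearer grant (RFC 7523), i.e.
grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer plus an `assertion`
parameter; (2) the assertion uses the RFC 7523 claim names (iss/sub/aud).
The signer is pluggable: for RS256 pass a callback built on the OpenSSL
private key from step 1(a), e.g. with the `cryptography` package,
`lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())`. The demo
and verifier below use HMAC-SHA256 from the standard library to run offline.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
import urllib.parse


def b64url(data):
    """Base64url without padding, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def preauth_claims(client_id, subject, token_url, lifetime_s=300, now=None, jti=None):
    """Claims for the assertion: short-lived, audience-bound, with a unique id."""
    now = int(time.time()) if now is None else now
    return {
        "iss": client_id,         # who signed: the programmatic client
        "sub": subject,           # the user the token is issued for
        "aud": token_url,         # only this token endpoint should accept it
        "iat": now,
        "exp": now + lifetime_s,  # minutes, not days: a stolen assertion dies fast
        "jti": secrets.token_hex(16) if jti is None else jti,
    }


def build_assertion(claims, signer, alg="RS256"):
    """Serialize header.claims and sign; `signer(bytes) -> bytes` does the crypto."""
    header = {"alg": alg, "typ": "JWT"}

    def compact(obj):
        return json.dumps(obj, separators=(",", ":")).encode("utf-8")

    signing_input = b64url(compact(header)) + "." + b64url(compact(claims))
    return signing_input + "." + b64url(signer(signing_input.encode("ascii")))


def token_request(token_url, client_id, client_secret, assertion):
    """Step 1(e): Basic auth with the client credentials, form body with the
    assertion. Returns the request an HTTP client would send."""
    basic = base64.b64encode(("%s:%s" % (client_id, client_secret)).encode("utf-8")).decode("ascii")
    body = urllib.parse.urlencode({
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "assertion": assertion,
    })
    return {
        "method": "POST",
        "url": token_url,
        "headers": {
            "Authorization": "Basic " + basic,
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": body,
    }


def bearer_header(access_token):
    """Step 1(f): how the access token is presented to the BMC Helix Edge APIs."""
    return {"Authorization": "Bearer " + access_token}


def decode_unverified(token):
    """Header and claims of a JWT without checking the signature (inspection only)."""
    header_b64, claims_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(claims_b64))


def hmac_signer(key):
    """HS256 signer for the offline demo; production uses the RS256 private key."""
    return lambda data: hmac.new(key, data, hashlib.sha256).digest()


def verify_hs256(token, key, now=None):
    """What a receiving side must do: constant-time signature check, pinned
    algorithm (never let the header's alg choose the key type), then expiry."""
    try:
        signing_input, sig = token.rsplit(".", 1)
        header, claims = decode_unverified(token)
    except ValueError:
        return False
    expected = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected), sig):
        return False
    if header.get("alg") != "HS256":
        return False
    now = int(time.time()) if now is None else now
    return claims.get("exp", 0) > now


if __name__ == "__main__":
    token_url = "https://sso.example.com/rsso/oauth2/v1.1/token"  # placeholder
    demo_key = b"offline-demo-secret"                               # placeholder
    claims = preauth_claims("edge-programmatic-client", "svc-edge", token_url)
    assertion = build_assertion(claims, hmac_signer(demo_key), alg="HS256")
    request = token_request(token_url, "edge-programmatic-client", "client-secret", assertion)
    print(json.dumps(request, indent=2))
    print("valid now:", verify_hs256(assertion, demo_key))
    print("valid after expiry:", verify_hs256(assertion, demo_key, now=claims["exp"] + 300))
```

The verifier is included because the same mistakes recur on both sides of this exchange: the signature check is done in constant time, the algorithm is fixed by the verifier rather than read from the token header, and the expiry is enforced. Keep the assertion lifetime short; the page's tokens are what an attacker gains from a leaked assertion, so a five-minute window limits the damage.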

Where to go from here

Installing-the-core

 
