Integrating with BMC Helix Change Management

For detailed information about installing, configuring, and using this solution, see the BMC Helix Change Management documentation. The following diagram depicts the architecture of this integration:

Internal processes involved in the TrueSight Operations Management environment

Rest Webservice EventProvider component
 This component will receive the event notifications from the ITSM change management in Json format over rest webservice, and this component convert this event notification into the NGP event and send it to Jserver (event processor component) via Jserver facade.
  

Event Processor

This component receives the NGP event from the webservices Eventprovider component and do any pre-processing required on the event then send the event to cell.

Event Selector

This Component comes into picture once event is received by Gateway Event handler, Event selector is a thread pool, its purpose is to receives the event from gatewayEvent handler and if this event is a Change Event or some other event of concern, event Selector will send this event to RuleConfigurator asynchronously.
  

Rule Configurator

This Component itself have two major components, RuleConfiguratorConsumer, and RuleConfiguratorWorker. RuleConfiguratorConsumer's are controlled by RuleConfiguratorConsumerManager, which gets started while the initialization of JSERVER.
This RuleConfiguratorManager starts the different RuleConfiguratorConsumer's thread, which in itself feeds the data to RuleConfigurator's i.e PolicyConfigurator and ScheduleConfigurator. PolicyConfigurator and Scheduleconfigurator uses BlackOutPolicyCrud and ScheduleConfiguratorCrud API's to create policy and schedule down time respectively

Configuring the Helix Environment for the BMC Helix Change Management integration

1. In the Helix portal, create a work order requesting a new integration by using the client gateway from Helix to the TrueSight Operations Management on-prem environment. Provide the following information:
   • URL: For example, https://acme-smartit.onbmc.com.

   • Inbound connection to Helix:

   • Outbound connection from Helix:
2. Specify the CMDB extensions to be installed in the Helix enviroment.

The BMC Helix network team does the following:

1. Configures the host mapping to map the TrueSight Infrastructure Management sever host to the gateway server IP address.
2. Creates and configures the gateway configuration file.
3. Schedules a full restart of TrueSight Infrastructure Management for the host mapping to take effect.
4. Provides a copy of the client gateway configuration file.
5. Provides a copy of the Helix certificates for importing into the on-prem TrueSight Infrastructure Management environment.
6. Provides a copy of the CMDB extensions to be installed on the TrueSight Infrastructure Management server.

Configuring the TrueSight Environment for the BMC Helix Change Management integration

Do the following to configure the TrueSight environment for the BMC Helix Service Resolution integration:

1. Import certificates into the TrueSight Infrastructure Management server.
2. Import certificates into the TrueSight Infrastructure Management server.
3. Configure the Helix Client Gateway.
4. Configure the BMC Helix Change Management integration in TrueSight Infrastructure Management.
5. Verify the integration.

This section explains each procedure in detail.

Step 1: Importing certificates into the TrueSight Presentation Server

Do the following:

1. Obtain the certificates from the Helix Network team or use the following URL to download them:
   https://testssl.onbmc.com/
   The following certificates are required:
   • Name: digicert_global_root.cer
     Alias: rootCA
   • Name: digicert_sha_256.cer
     Alias: intermediateCA
   • Name: onbmc_wildcard.cer
     Alias: onbmc_wildcardCA
2. Copy the digicert_global_root.cer, digicert_sha_256.cer, and onbmc_wildcard.cer files to the <TrueSight Presentation Server Installation Directory>/truesightpserver/conf/secure directory.
3. Copy the loginvault.ks keystore file and rename it as loginvalt-orig.ks. <Copy from where to where?>
4. Import the certificates to the loginvault.ks keystore. <keystore location?> Run the following commands in the given order.
   For each command, type Yes when prompted with the Trust this certificate? question.
   1. keytool -importcert -trustcacerts -alias rootCA -keystore loginvault.ks -storepass changeit -file digicert_global_root.cer
   2. keytool -importcert -trustcacerts -alias intermediateCA -keystore loginvault.ks -  storepass changeit -file digicert_sha_256.cer
   3. keytool -importcert -alias onbmc_wildcardCA -keystore loginvault.ks -storepass changeit -file onbmc_wildcard.cer
5. Copy the tspstrustore.ks keystore file and rename it as tspstrustore-orig.ks. <Copy from where to where?>
6. Import the onbmc_wildcardCA certificate to the tspstrustore.ks keystore. <keystore location?> Run the following command:
   keytool -importcert -alias onbmc_wildcardCA -keystore tspstrustore.ts -storepass changeit -file onbmc_wildcard.cer

7. Navigate to the directory where the cacerts keystore is located. <Both locations look the same. Please give the correct locations.>
   (Windows)  <

   TrueSight Infrastructure Management

   Installation Directory>/truesightpserver/modules/jre/lib/security
   (Linux) <

   TrueSight Infrastructure Management

   Installation Directory>/truesightpserver/modules/jre/lib/security

8. Copy the digicert_global_root.cer, digicert_sha_256.cer, and onbmc_wildcard.cer certificates to the current directory. <Current means which directory?>
9. Copy the <TrueSight Infrastructure Management Installation Directory>/truesightpserver/modules/jre/lib/security/cacerts keystore file and rename it as cacerts-orig. <Copy to where?>
10. Import the certificates to the <TrueSight Presentation Server Installation Directory>/truesightpserver/modules/jre/lib/security/cacerts keystore. Run the following commands in the given order.
    For each command, type Yes when prompted with the Trust this certificate? question.
    1. keytool -importcert -trustcacerts -alias rootCA -keystore cacerts -storepass changeit -file digicert_global_root.cer
    2. keytool -importcert -trustcacerts -alias intermediateCA -keystore cacerts -storepass changeit -file digicert_sha_256.cer
    3. keytool -importcert -alias Onbmc_wildcard -keystore cacerts -storepass changeit -file Onbmc_wildcard.cer
11. Restart the TrueSight Infrastructure Management.

Step 2: Importing certificates into the TrueSight Infrastructure Management server

Do the following:

1. Obtain the certificates from the Helix Network team or use the following URL to download them:
   https://testssl.onbmc.com/
   The following certificates are required:
   • Name: digicert_global_root.cer
     Alias: rootCA
   • Name: digicert_sha_256.cer
     Alias: intermediateCA

   • Name: onbmc_wildcard.cer
     Alias: onbmc_wildcardCA

     Keystore location

     The cacerts keystore is located at <

     Some content is unavailable due to permissions.

     Installation Directory>/pw/jre/lib/security.

     The pnserver.ks keystore is located at <

     Some content is unavailable due to permissions.

     Installation Directory>/pw/pronto/conf.

2. On the computer where the TrueSight Infrastructure Management server is installed, back up the following files:

   • <

     TrueSight Infrastructure Management

      Installation Directory>/pw/jre/bin/lib/security/cacerts

   • <

     TrueSight Infrastructure Management

      Installation Directory>/pw/jre/bin../../pronto/conf/pnserver.ks

3. Run the following commands in the order shown below:
   1. keytool -printcert -sslserver <helix server name:port> -rfc | keytool -importcert -keystore ../lib/security/cacerts -storepass changeit -noprompt -alias rootCA -file digicert_global_root.cer
   2. keytool -printcert -sslserver <helix server name:port> -rfc | keytool -importcert -keystore ../lib/security/cacerts -storepass changeit -noprompt -alias intermediateCA -file digicert_sha_256.cer
   3. keytool -printcert -sslserver <helix server name:port> -rfc | keytool -importcert -keystore ../lib/security/cacerts -storepass changeit -noprompt -alias onbmc_wildcard -file onbmc_wildcard.cer
   4. keytool -printcert -sslserver <helix server name:port> -rfc | keytool -importcert -keystore ../../pronto/conf/pnserver.ks -storepass get2net -noprompt -alias rootCA -file digicert_global_root.cer
   5. keytool -printcert -sslserver <helix server name:port> -rfc | keytool -importcert -keystore ../../pronto/conf/pnserver.ks -storepass get2net -noprompt -alias intermediateCA -file digicert_sha_256.cer
   6. keytool -printcert -sslserver <helix server name:port> -rfc | keytool -importcert -keystore ../../pronto/conf/pnserver.ks -storepass get2net -noprompt -alias onbmc_wildcard -file onbmc_wildcard.cer
4. Restart the TrueSight Infrastructure Management server.

Step 3: Configuring the BMC Helix client gateway

1. Install the Helix client gateway. For information, see the BMC Helix documentation.

2. Back up the kwic_config.xml file. <Where is the file located?>
3. Copy the kwic_config.xml file to the proper location. <Need info. From where do you copy it? What is the proper location to paste?>

Step 3: Configure the BMC Helix Change Management integration in the TrueSight Presentation Server

1. Log in to the TrueSight console.
2. Go to Administration > Integration.
3. Under Change Management Integration, click the menu for Configure TrueSight Presentation Server with ITSM Change Management and click Edit.
4. Enter information in the following fields:
   • CMDB User
   • CMDB Password
   • UDDI Hostname: <customer name>-<dev or qa or prod>.onbmc.com
   • UDDI Port: 8080 or 443
   • UDDI User
   • UDDI Password
5. Select a protocol for the integration.
6. Click the Activate Integration check box and click Save.
   The TrueSight Infrastructure Management connects to the Helix UDDI server and updates the CHG:CHGBPM:BPPMAdapter form with the TrueSight Infrastructure Management URL and port. This ensures that the necessary rest services endpoints are enabled and the TrueSight Infrastructure Management csm_user and csm_user password are set.
7. If the activation fails, check the following logs to understand the reason and proceed:
   • %TSPS_HOME%/ truesightpserver/logs/TrueSight.log
   • %TSPS_HOME%/ truesightpserver/logs/ rest-access.log
8. Disable the CSRF Filter. Use the command prompt and run the following commands in the given order:
   1. tssh properties set csrFilter false
   2. tssh properties reload
      The port in the CHG:CHGBPM:BPPM form is automatically updated to use the server gateway port. (Orginal: BMC will have to update the port in the CHG:CHGBPM:BPPM form to use the server gateway port. Is the change fine?)

Step 4: Verifying the integration

1. Log in to BMC Helix Change Management, and go to Application Administration Console > Custom Configuration > Change Management > Advanced Options > Change CI Event Notification to BPPM > BPPM Subscription.
2. Click Test Connection to verify that the connectivity between BMC Helix Change Management and TrueSight Infrastructure Management is established.
3. If the connection test fails, do the following:
   • Error: 400
     Resolution: This error might appear if multiple entries of the CI are present in the system. See the arjavaplugin.log (file location?) file or information about the error. (Original: TSPS will not process the event if it found multiple entries of resource (CI) present. Changed: The first sentence. Is the change correct?)
   • Error: 401: Please check if you have manually change the password of default user (csm_user).
     Resolution: Change the password from the CAI:AdapterConfiguration form. (Which password? and is the form name correct?)
   • Error: 403
     Resolution: Ensure that the CSRF filter in TrueSight Infrastructure Management is disabled.

4. Create a change request in BMC Helix Change Management and click Submit. (original:submit)

   Important: CI must be previously published

   The CI must have been published previously from CMDB to TrueSight.

5. Login to the TrueSight Infrastructure Management and verify that you have received a change event similar to the one below:
   
6. Log in to the TrueSight Administrator console, and verify that a blackout policy is created that is similar to the one below:
   
   
   

Troubleshooting the integration

If there are connectivity issues even after verifying the integration, take the following steps in any order:

• Use the following curl command to diagnose connectivity issues:  (Is from Helix to TrueSight Presentation Server: required? If yes, should it be Helix Change Management?)
  curl -k -v -XPOST -H "Content-Type: application/json" --data "{\"username\":\"csm_user\",\"p\":\"csm_user12345\",\"tenantName\":\"*\"}" https://<customer tsps host name>:<gateway server port>/tsws/10.0/api/authenticate/login
• Ensure that the TrueSight Infrastructure Management server to which the CI belongs is correctly registered to the TrueSight Infrastructure Management, and is in the Connected state.
• Delete existing events from the ITSM CAI:Events form and clear the BMC Remedy mid-tier cache.
• See the arjavaplugin.log file (location?) and the ARfilter logs for further information.