Installing BMC Helix Platform services 22.4.00

The following services provided by BMC Helix Platform are used by BMC Helix Service Management:

• Infrastructure services
• Common services
• BMC Helix Dashboards
• BMC Helix ITSM Insights

Before you begin

1. Create a namespace.

   Expand to see the steps:

   1. Run the following command. The namespace must be a DNS-1123 label. That is, it must consist of lowercase alphanumeric characters or '-', and must start and end with an alphanumeric character.

      kubectl create ns <namespace>
   2. Verify that nothing is installed in the namespace in which you plan to deploy the product.

      1. Run the following command:

         kubectl get all -n <namespace_created_earlier_in_this_procedure>

      2. Make sure that the following message is displayed:

         No resources found.

   For EFK logging

   Create a namespace called bmc-helix-logging by using the following command:

   kubectl create ns bmc-helix-logging

   The Elasticsearch, FluentD, and Kibana services are installed in this namespace. These services are required to access logs from the pods that are running on BMC Helix Platform.

2. Configure the ingress controller.

   Expand to see the steps:

   1. Identify the configmap name by running the following command:

      kubectl get cm -n <ingress_nginx_namespace>

   2. Change the configmap name to use the configmap in your environment by running the following command:

      kubectl edit cm <ingress_nginx_configmap> -n  <ingress_nginx_namespace>
      
      data:
        enable-underscores-in-headers: "true"
        proxy-body-size: 250m
        server-name-hash-bucket-size: "1024"
        ssl-redirect: "false"
        use-forwarded-headers: "true"
       worker-processes: "40"

      Note

      The configurations shown above are mandatory. Apart from these, you can retain any other configurations as per your requirement.

3. The following host names must be created with a DNS entry that points to the load balancer. The property names are used in the infra.config and deployment.config files during deployment. Make sure that the URLs are in the same domain.

   Description	Product	Format	Example	Must be configured in the load balancer?	Must have a DNS entry?	File name	Property name
   Host for Helix RSSO	All	<any unique string>.$DOMAIN	mycomputer-rsso.lab.bmc.com	Yes	Yes	configs/infra.config	LB_HOST
   Host for tenant management system	All	<any unique string>.$DOMAIN	mycomputer-tms.lab.bmc.com	Yes	Yes	configs/infra.config	TMS_LB_HOST
   MinIO storage URL	All	<any unique string>.$DOMAIN	mycomputer-minio.lab.bmc.com	Yes	Yes	configs/infra.config	MINIO_LB_HOST
   Tenant URL	All	$COMPANY_NAME-$TENANT_TYPE-$ENVIRONMENT.$DOMAIN	acme-private-poc.lab.bmc.com	Yes	Yes	configs/deployment.config for ENVIRONMENT and configs/infra.config for the others	COMPANY_NAME TENANT_TYPE ENVIRONMENT DOMAIN
   Discovery Appliance URL	BMC Helix IT Operations Management  BMC Helix Continuous Optimization	$COMPANY_NAME-disc-$TENANT_TYPE-$ENVIRONMENT.$DOMAIN	acme-disc-private-poc.lab.bmc.com	No	Yes	configs/deployment.config for ENVIRONMENT and configs/infra.config for the others	COMPANY_NAME TENANT_TYPE ENVIRONMENT DOMAIN
   BMC Helix Continuous Optimization	BMC Helix Continuous Optimization	$COMPANY_NAME-optimize-$TENANT_TYPE-$ENVIRONMENT.$DOMAIN	acme-optimize-private-poc.lab.bmc.com	No	Yes	configs/deployment.config for ENVIRONMENT and configs/infra.config for the others	COMPANY_NAME TENANT_TYPE ENVIRONMENT DOMAIN

To deploy the BMC Helix Platform services

1. Log in to the controller or bastion machine from where the Kubernetes cluster is accessible.
2. Download the deployment manager BMC_Helix_Platform_Services_for_Service_Management_Version_22.4.00.zip from BMC Electronic Product Distribution (EPD) and extract it, if you haven't already.
   The ZIP file contains the following files:
   
   • helix-on-prem-deployment-manager-22.4.00.sh—This file contains the deployment manager.

1. • hotfix-22.4.00.001-10.tar.gz—This file contains the 22.4.00 hotfix 1 artifacts.
2. Go to the directory where you downloaded the deployment manager from the EPD and give the execute permission to the helix-on-prem-deployment-manager-22.4.00.sh file.
   

3. Self-extract the deployment manager. Run the following command:

   ./helix-on-prem-deployment-manager-22.4.00.sh
   cd helix-on-prem-deployment-manager
4. If you are installing BMC Helix Platform services on Kubernetes 1.24 version, perform the following steps:
   1. Navigate to the commons directory.
   2. Open the preinstall-checker.sh file.
   3. Comment the code for Kubernetes version check.

5. Prepare for password encryption:

   Expand to see the steps:

   1. Go to the commons/certs directory and open the secrets.txt file.

   2. Add the following passwords to this file:
   3. Save the secrets.txt file

   Troubleshooting tip

   Make sure that you provide all passwords in the secrets.txt file. Even if a single password is not added in the secrets.txt file, the deployment fails with an error.

   Sample secrets.txt file

   # cat commons/certs/secrets.txt
   #Please put the passwords in this file
   IMAGE_REGISTRY_PASSWORD=password123
   SMTP_PASSWORD=""
   SMART_SYSTEM_PASSWORD=password123
   PG_PASSWD=Test2020

   ################## End OF THE FILE ####################

6. In the helix-on-prem-deployment-manager/configs/infra.config file, modify the following parameters that are environment-specific.

   Important

   • The following load balancer hosts are required. You do not need any subdomains.
     • LB_HOST
       Ensure that the LB_HOST value is not the same as the tenant URL.

   • • TMS_LB_HOST
     • MINIO_LB_HOST
     • Tenant URL that is derived based on the following parameters from the infra.config file:
       $COMPANY_NAME-$TENANT_TYPE-$ENVIRONMENT.$DOMAIN

   • Make sure that you have created a storage class.

   Parameter	Example value	Description
   IMAGE_REGISTRY_HOST	containers.bmc.com (or local repo if copied down)	Image registry from where the nodes on the cluster download the images. If you have synchronized the images to a local Harbor registry, make sure the Harbor registry is set up with HTTPS.
   IMAGE_REGISTRY_USERNAME	abc@bmc.com	User name to log in to BMC DTR. If you use a local Harbor registry to synchronize with BMC DTR, specify the user name to log in to your local registry.
   ENVIRONMENT	poc	Type of environment such as poc, dev, and qa. Do not use special characters for the environment value. You can use the same environment value while performing the BMC Helix Service Management installation.
   NAMESPACE	dark-helmet	Namespace in which to install the services. You must have separate namespaces to install BMC Helix Platform services and BMC Helix Innovation Suite  and applications.
   LB_HOST	host-india-app.mydomain.com	Host for load balancer for BMC Helix Innovation Suite. Specify the BMC Helix Innovation Suite URL.
   LB_PORT	443	Port for load balancer.
   TMS_LB_HOST	tms-private-poc.mydomain.com	Host for tenant management system. Specify the host of the load balancer that points to the tenant management system service.
   Domain	mydomain.com	Domain name of the Load Balancer
   MINIO_LB_HOST	minio-private-poc.mydomain.com	URL for Minio storage.
   MINIO_API_LB_HOST	minio-api-poc.mydomain.com	Use MinIO API ingress to create buckets by using the command line.
   CLUSTER_TYPE	""	Either values openshift or ocp for OpenShift. If CLUSTER_TYPE is not set to openshift or ocp, cluster type is treated as a Kubernetes cluster.
   COMPANY_NAME	photon2	Parameter in the tenant URL formation like $COMPANY_NAME-$TENANT_TYPE-$ENVIRONMENT.$DOMAIN Do not use special characters for the Company name. COMPANY_NAME value is used to generate the tenant URL.
   TENANT_EMAIL	pqr@mycompany.com	Email address of the admin user of initial tenant.
   TENANT_FIRST_NAME	TestName	First name of the admin user for initial tenant.
   TENANT_LAST_NAME	TestLastName	Last name of the admin user for initial tenant.
   TENANT_TYPE	tyrion	Unique identifier of the tenant. The COMPANY_NAME value is used as the tenant name. In addition to the tenant name, use the TENANT_TYPE parameter to identify the tenant.
   TENANT_DOMAIN_HOST	acme-private-poc.acme.com	The tenant domain. This URL is for BMC Helix Portal. You must enter the parameter value in the following format:$TENANT_NAME-$TENANT_TYPE-$ENVIRONMENT$.DOMAIN
   COUNTRY	"United States"	Matches the value in the OS locale. Important Add the country name within quotation marks. For example:"India" Do not use abbreviation in country names. Click  here to view a list of the supported country names.
   NFS_STORAGE_CLASS	""	Blank "" This parameter is not required for BMC Helix Service Management.
   SMTP_HOST	mailhost.mycompany.com	SMTP host name of IP address accessible from cluster SMTP parameters are required for the emails that are sent to the administrator for tenant activation after the BMC Helix Platform deployment is complete. All SMTP mail servers are supported. To use a temporary SMTP server to receive BMC Helix Platform services installation emails, see the knowledge article000396217.
   SMTP_PORT	25	An integer value for the port of the SMTP server.
   SMTP_USERNAME	abc@mycompany.com	User name to connect to the SMTP server. If SMTP_AUTH value is set to NONE, keep the SMTP_USERNAME and SMTP_PASSWORD values blank as shown below: SMTP_USERNAME="" SMTP_PASSWORD=""
   SMTP_FROM_EMAIL	helix-rd@mycompany.com	A valid email ID for the From address in all emails.
   SMTP_TLS	"false"	The SMTP server TLS. The value can be true or false. If not in use, specify the value as false.
   SMTP_AUTH_DASHBOARD	true	SMTP authentication. Valid values are True or false.
   SMTP_AUTH	PLAIN	SMTP authentication type. One of the following values: PLAIN This value is case sensitive. If you set the value as PLAIN, it is mandatory to set valid values for SMTP_USER and SMTP_PASSWORD. LOGIN This value is case sensitive. If you set the value as LOGIN, it is mandatory to set valid values for SMTP_USER and SMTP_PASSWORD. NONE This value is case sensitive. Use this value when you want to skip SMTP authentication. If you set the value as NONE, set the user name and password values as shown below: SMTP_USERNAME="" SMTP_PASSWORD=""
   OPS_GROUP_EMAIL	ops-grp@mycompany.com	ops email address. All emails related to tenant activities such as tenant creation, tenant registration, and tenant offboarding are sent to your organization's operations team.
   APPROVAL_GROUP_EMAIL	grp-rd@mycompany.com	Email address for approval. When a new tenant is created, an email is sent for tenant approval to this email group.
   PG_STORAGE_CLASS	ceph-block-storage	Storage class used. Usually there is one Storage class configured for all the infra services. Repeat the same value in that case.
   VMSTORAGE_STORAGE_CLASS	onprem-storage	Storage class for VictoriaMetrics.
   VMAGGSTORAGE_STORAGE_CLASS	onprem-storage	Storage class for VictoriaMetrics.
   ES_MASTER_STORAGE_CLASS	block-store-class	Storage class for Elasticsearch master nodes.
   ES_DATA_STORAGE_CLASS	block-store-class	Storage class for Elasticsearch data nodes.
   MINIO_STORAGE_CLASS	onprem-storage	Storage class for Minio.
   EFS_STORAGE_CLASS	""	Blank ""
   REDIS_HA_GLOBAL_STORAGECLASS	block-store-class	Storage class for REDIS.
   KAFKA_STORAGECLASS	block-store-class	Storage class for Kafka.
   ESLOG_MASTER_STORAGE_CLASS	block-store-class	Storage class for Elasticsearch log.
   ESLOG_DATA_STORAGE_CLASS	block-store-class	Storage class for Elasticsearch log.
   MINIO_STORAGE_CLASS	acme-block-storage	Storage class for MinIO. Usually, a single storage class by using block storage is configured for all the infra services. Repeat the same value if configured in this manner.
   AIOPS_STORAGE_CLASS	""	Blank ""
   CUSTOM_CA_SIGNED_CERT_IN_USE	false	Flag to use self-signed or custom CA certificate. Default value is false. If you are using a self-signed or custom CA certificate, set the value to true. Copy the self-signed or custom CA certificate in the commons/certs/ directory. Ensure that the file name of the certificate is custom_cacert.pem Important: If you are using a self-signed or custom CA certificate, make sure that you use the same custom certificate during BMC Helix Platform and BMC Helix Service Management installation.
   OPT_STORAGE_CLASS	""	Blank ""
   REPOPV_MOUNT_PATH	""	Blank ""
   MIGRATORPV_MOUNT_PATH	""	Blank ""
   ETLPV_MOUNT_PATH	""	Blank ""
   CLIENT_ROOT_CERT	""	Blank ""
   SMART_SYSTEM_USERNAME	""	Blank ""
   INGRESS_CLASS	nginx	Ingress class used while deploying Ingress controller. Change if multiple ingress controllers are on the cluster. If you have more than one ingress controllers in your cluster, use INGRESS_CLASS to specify the ingress class name that you want to use.
   INGRESS_API_VERSION	true	Flag to indicate if the Ingress controller version is 1.2.0 or higher. True if your Ingress controller version is 1.2.0 or higher.
   HELM_BIN	/usr/local/bin/helm	Absolute path of the HELM binary.
   KUBECTL_BIN	/usr/bin/kubectl	Absolute path of the kubectl binary.
   OC_BIN	/usr/local/sbin/oc	Cluster type. Set if CLUSTER_TYPE is openshift or ocp.
   KIBANA_LB_HOST		The BMC Helix Logging ingress uses this value. This value depends on the self-signed, CA-signed certificate, or custom certificate. If the value of the CUSTOM_CA_SIGNED_CERT_IN_USE parameter is true, use the DNS configured for the self-signed certificate. If the value of the CUSTOM_CA_SIGNED_CERT_IN_USE parameter is false, use the DNS configured for the CA-signed certificate. If the value of the CUSTOM_CA_SIGNED_CERT_IN_USE parameter is true, use the DNS configured for the self-signed certificate.
   RSSO_CUSTOM_JAVA_KEYSTORE_IN_USE	true	Flag to enable custom JAVA keystore for RSSO SAML keystore. If you want to use custom JAVA keystore for RSSO SAML keystore configuration, set the RSSO_CUSTOM_JAVA_KEYSTORE_IN_USE variable to true. Perform the following steps: Set the RSSO_CUSTOM_JAVA_KEYSTORE_IN_USE variable to true. Rename the java keystore file to rsso_custom_java_keystore. Save this file in the commons/certs directory. The path of this file would be: commons/certs/rsso_custom_java_keystore The commons/certs/rsso_custom_java_keystore file will be mounted in the RSSO container at the following location: /etc/rsso_custom_java_keystore
   RUN_AS_USER	null	The security context that the components will use. This variable is considered only if the value of the CLUSTER_TYPE variable is openshift or ocp. For the Kubernetes cluster, use the following value: null Set the correct context for this variable according to the OpenShift namespace. For example, in OpenShift, run the following command to get the ID range: oc describe namespace <namespace-name>
   FS_GROUP	null	The security context that the components will use. This variable is considered only if the value of the CLUSTER_TYPE variable is openshift or ocp. For the Kubernetes cluster, use the following value: null Set the correct context for this variable according to the OpenShift namespace. For example, in OpenShift, run the following command to get the ID range: oc describe namespace <namespace-name>
   RUN_AS_GROUP	null	The security context that the components will use. This variable is considered only if the value of the CLUSTER_TYPE variable is openshift or ocp. For the Kubernetes cluster, use the following value: null Set the correct context for this variable according to the OpenShift namespace. For example, in OpenShift, run the following command to get the ID range: oc describe namespace <namespace-name> The command will change for each namespace.
   OPT_FSGROUP	""	Blank "" Leave blank. This parameter is not required for BMC Helix Service Management.
   ML_FSGROUP	""	Blank "" This parameter is not required for BMC Helix Service Management.
   CUSTOM_SERVICEACCOUNT_NAME	helix-onprem-sa	Custom service account name. Default value is helix-onprem-sa. If there are no permissions to create ServiceAccount, Role, RoleBinding, perform the following steps: Replace the default value of helix_onprem_sa with the required value. Create a role and rolebinding from the commons/yaml_files/role_rolebinding.yaml file. Create a ServiceAccount from the commons/yaml_files/serviceAccount.yaml file.  If there are permissions to create ServiceAccount, Role, RoleBinding, retain the CUSTOM_SERVICEACCOUNT_NAME value as helix-onprem-sa as shown below: CUSTOM_SERVICEACCOUNT_NAME=helix-onprem-sa

7. In the helix-on-prem-deployment-manager/configs/deployment.config file, modify the following parameters:

8. To install the product, run the following command:

   ./deployment-manager.sh

9. When asked, enter a password of your choice for encryption or decryption.

   This password is used to encrypt all passwords that you added in the commons/certs/secrets.txt file.

   Important

   Save this password. The deployer uses this password in all future product deployments.

   What happens next?

   1. The deployer encrypts all passwords that you added in the secrets.txt file.
   2. The deployer creates a commons/certs/secrets.config file and adds all the encrypted passwords to it.
   3. The deployer deletes the secrets.txt file.

   
   

   What happens if I need to change the encryption password?

   Perform these steps if you forget the encryption password or if you need to change it:

   1. Delete the commons/certs/secrets.config file.
   2. In thecommons/certs directory, create secrets.txt file, and specify the encryption password.
   3. Run the deployer again.
   4. When asked, enter a password of your choice for encryption or decryption.
      The deployer creates a new secrets.config file with the new encryption password.

After the BMC Helix Platform services are deployed, the tenant administrator receives the following emails:

• An email with details about the BMC Helix Platform account
• An email to change the BMC Helix Platform account password at the first login

After the installation, you can see the Elasticsearch, Fluentd, and Kibana pods in the bmc-helix-logging namespace. You can access Kibana with the following URL:

http://<masternodeip>:5601/ 

All installation logs are located in the following directory:

helix-on-prem-deployment-manager/logs

To apply the hotfix

1. Log in to the controller or bastion machine from where the Kubernetes cluster is accessible.
2. Create a new directory; for example, ITOM_HotFix_22.4.00.001. 
3. Copy the hotfix-22.4.00.001-10.tar.gz file that you downloaded from EPD to the new directory.

4. Extract the hotfix-22.4.00.001-10.tar.gz file by using the following command:

   tar xvf hotfix-22.4.00.001-10.tar.gz
5. Navigate to the hotfix directory.
6. If you are using a local repository for accessing container images, make sure that you synchronize the images listed in the hotfix/new-image-list.txt to the local repository.
7. If you have not installed BMC Helix ITSM Insights, in the hotfix/new-service-list.config file, modify the ITSMINSIGHT_SERVICES parameter value to blank, ITSMINSIGHT_SERVICES=

8. Run the hotfix script file hf_script.sh by using the following command:

   bash hf_script.sh <full path of the helix-on-prem-deployment-manager directory> 

   Replace <full path of the helix-on-prem-deployment-manager directory> with the full path of the directory where you installed BMC Helix Platform services 22.4.
   Example:

   bash hf_script.sh /data/22.4.00/helix-on-prem-deployment-manager

   The hf_script.sh script creates a copy of helix-on-prem-deployment-manager in the path that you specified in the command and the directory is named helix-on-prem-deployment-manager_HF1.

   For example, a new directory /data/22.4.00/helix-on-prem-deployment-manager_HF1 is created. No changes are made to the original directory helix-on-prem-deployment-manager.

   The hf_script.sh script installs the following chart:

   • tas chart with version 542
   • ade-arservices-register chart with version 10
   • aif-core-service chart with version 22.4.00.001-8

Sample configuration files

Where to go from here