Installing BMC Helix Platform Common Services 24.4.00


Installing BMC Helix Platform Common Services is a prerequisite for BMC Helix Service Management 23.3.04.

Important

If you are performing a combined deployment of BMC Helix Service Management and BMC Helix IT Operations Management, and have installed BMC Helix IT Operations Management, do not install BMC Helix Platform Common Services again.

BMC Helix Platform Common Services are deployed with the BMC Helix IT Operations Management deployment.

 

The following video (3:23) provides a summary of installing BMC Helix Platform Common Services:

https://youtu.be/Vd5HG7txsdg

Before you begin

  • Make sure that you have created a namespace to install BMC Helix Platform Common Services.
  • Verify that nothing is installed in the namespace by using the following command:

    kubectl get all -n <namespace>
  • Make sure that you have configured the nginx-configuration configmap.
    For information about the nginx-configuration configmap parameter value requirements, see System-requirements.
  • Make sure that you have permission to create ServiceAccount, Role, and RoleBinding in the BMC Helix Platform namespace.
    If you do not have permission, create a Service account, Role, and RoleBinding.
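
The checks in this list can be run as one pre-flight step. The following script is an added example, not BMC code; the script and function names are hypothetical, and it uses only `kubectl get all` and `kubectl auth can-i`.

```bash
#!/usr/bin/env bash
# Added example, not BMC code: pre-flight checks for the "Before you begin" list.
# Usage (script name is hypothetical): ./preflight.sh <namespace>

# List every object `kubectl get all` finds; no output means nothing is installed.
# Note: `get all` covers common workload types only, not ConfigMaps, Secrets or PVCs.
namespace_objects() {   # namespace_objects <namespace>
    kubectl get all -n "$1" -o name
}

# Print each resource type the current user may NOT create in the namespace.
missing_create_perms() {   # missing_create_perms <namespace>
    for mp_res in serviceaccounts roles rolebindings; do
        # `kubectl auth can-i` exits non-zero when the answer is "no".
        kubectl auth can-i create "$mp_res" -n "$1" >/dev/null 2>&1 || echo "$mp_res"
    done
}

preflight() {   # preflight <namespace>; returns 1 if any check fails
    pf_rc=0
    # A failed listing must not be mistaken for an empty namespace.
    if ! pf_objs=$(namespace_objects "$1" 2>/dev/null); then
        echo "FAIL: cannot list objects in namespace $1"; pf_rc=1
    elif [ -n "$pf_objs" ]; then
        echo "FAIL: namespace $1 is not empty:"; echo "$pf_objs"; pf_rc=1
    fi
    pf_denied=$(missing_create_perms "$1" | tr '\n' ' ')
    if [ -n "$pf_denied" ]; then
        echo "FAIL: no permission to create: $pf_denied"
        echo "      an administrator must apply serviceAccount.yaml and role_rolebinding.yaml"
        pf_rc=1
    fi
    [ "$pf_rc" -ne 0 ] || echo "OK: $1 is empty and you can create the RBAC objects"
    return "$pf_rc"
}

if [ "$#" -eq 1 ]; then preflight "$1"; fi
```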

Important

Do not perform these tasks if you have already installed BMC Helix IT Operations Management (BMC Helix ITOM).

To create ServiceAccount, Role, and RoleBinding

To install BMC Helix Platform Common Services, you must have permission to create ServiceAccount, Role, and RoleBinding in the BMC Helix Platform namespace.

If you do not have permission, an administrator must perform the following steps to create a Service account, Role, and RoleBinding to enable you to install BMC Helix Platform Common Services:

  1. In the commons/yaml_files/serviceAccount.yaml and commons/yaml_files/role_rolebinding.yaml files, replace the following values:
    1. __SERVICE_ACCOUNT__ with the name of the service account that you want to create.
    2. __NAMESPACE__ with the BMC Helix Platform namespace.
  2. To create a service account, run the following command:

    kubectl apply -f serviceAccount.yaml
  3. To create role and rolebinding, run the following command:

    kubectl apply -f role_rolebinding.yaml
  4. When you set the CUSTOM_SERVICEACCOUNT_NAME parameter in the infra.config file, replace the helix-onprem-sa value with the name of the service account that you created.

Important

The uninstallation script deletes the custom service account.

If you have created a custom service account, after performing an uninstallation, you must recreate the custom service account.

Task 1: To download and extract the deployment manager

  1. Log in to the controller or bastion machine from where the Kubernetes cluster is accessible.
  2. Download the deployment manager helix-on-prem-deployment-manager-24.4.00-17 from BMC Electronic Product Distribution (EPD) and extract it to a temporary directory, if you haven't already.
    Download the deployment manager by selecting the BMC Helix Platform Common Services for Service Management Version 24.4.00 option. To download the files from EPD, see Downloading-the-installation-files.
  3. Run the following command to change the permission of the downloaded file:

    chmod a+x helix-on-prem-deployment-manager-<release_version>.sh

     

  4. To extract the deployment manager, run the following command:

    ./helix-on-prem-deployment-manager-24.4.00-17
    cd helix-on-prem-deployment-manager

    The updated files will replace the affected files in the workspace directory.

Task 2: To prepare for password encryption

  1. Go to the commons/certs directory and open the secrets.txt file.

    Important

    Use the secrets.txt file that you downloaded along with the deployment manager.

  2. Add the following passwords to this file and then save it:

    Important: The secrets.txt file is deleted after installation. You will need the values set in the secrets.txt file for future upgrades. Hence, save the secrets.txt in a secure location. 

    Property and description

    IMAGE_REGISTRY_PASSWORD

    Password for the Docker registry.

    Important: Do not use special characters in the password.

    SMTP_PASSWORD

    Password to connect to the SMTP server. 

    In the configs/infra.config file, if the value of the SMTP_AUTH parameter is NONE, leave the SMTP_PASSWORD value blank as shown:

     SMTP_PASSWORD=""

    Important: 

    The password must meet the following requirements:

    • Must have a minimum of 7 characters.
    • Must contain at least one uppercase letter [A–Z] and one lowercase letter [a–z].
    • Must contain at least one digit [0–9].
    • Must not contain any special character. 
    • Must not contain 'admin' and 'bmcuser'.

    PG_PASSWD

    Password to connect to the PostgreSQL database.

    Important: 

    The password must meet the following requirements:

    • Must have a minimum of 7 characters.
    • Must contain at least one uppercase letter [A–Z] and one lowercase letter [a–z].
    • Must contain at least one digit [0–9].
    • Must contain at least one special character. The supported special characters are - !@#$%
    • Must not start or end with a special character.
    • Must not contain 'admin' and 'bmcuser'.

    MINIO_ACCESS_KEY  

    MinIO access key.

    Any username can be set as an access key.

    Important:

    The password must meet the following requirements:

    • Must have a minimum of 8 characters.
    • Must contain at least one uppercase letter [A–Z] and one lowercase letter [a–z].
    • Must contain at least one digit [0–9].
    • Must contain at least one special character. 
    • Must not contain 'admin' and 'bmcuser'.

    MINIO_SECRET_KEY 

    MinIO secret key.

    Any password can be set as the secret key.

    Important: 

    The password must meet the following requirements:

    • Must have a minimum of 7 characters.
    • Must contain at least one uppercase letter [A–Z] and one lowercase letter [a–z].
    • Must contain at least one digit [0–9].
    • Must contain at least one special character. 
    • Must not contain 'admin' and 'bmcuser'.

    ES_JKS_PASSWORD  

    This password is used for the Keystore that is created when custom CA-signed certificates are used and mounted inside the Elasticsearch pods. 

    Important:

    • ES_JKS_PASSWORD is required only when you are using a Custom CA certificate, else keep the value as ES_JKS_PASSWORD="".
    • The password must meet the following requirements:
      • Must have a minimum of 7 characters.
      • Must contain at least one uppercase letter [A–Z] and one lowercase letter [a–z].
      • Must contain at least one digit [0–9].
      • Must contain at least one special character. The supported special characters are - !@#$%
      • Must not start or end with a special character.
      • Must not contain 'admin' and 'bmcuser'.

    LOG_ES_PASSWD

    (Optional) Starting with BMC Helix Platform Common Services version 24.3, applications will use a non-default user for Elasticsearch connections for Log Elasticsearch (Log ES). 

    To use a non-default user, change the default value of the LOG_ES_PASSWD parameter.

    Important:

    The password must meet the following requirements:

    • Must have a minimum of 7 characters.
    • Must contain at least one uppercase letter [A–Z] and one lowercase letter [a–z].
    • Must contain at least one digit [0–9].
    • Must contain at least one special character. The supported special characters are - !@#$%
    • Must not start or end with a special character.
    • Must not contain 'admin' and 'bmcuser'.

    Important

    Make sure that you provide all passwords in the secrets.txt file. If you fail to add any password in the secrets.txt file, the deployment fails with the following error:
    [Screenshot: password_encry_failure.png]

    Sample secrets.txt file

    # cat commons/certs/secrets.txt
    #Please put the passwords in this file
    IMAGE_REGISTRY_PASSWORD=password123
    SMTP_PASSWORD=test123
    SMART_SYSTEM_PASSWORD=password123
    PG_PASSWD=pGTest2020
    KIBANA_PASSWORD=kibana123
    MINIO_ACCESS_KEY=admin
    MINIO_SECRET_KEY=admin123
    # ES_JKS_PASSWORD is required only when you are using Custom CA certificate, else keep value as ES_JKS_PASSWORD=""
    ES_JKS_PASSWORD=test@12

    ################## End OF THE FILE ####################
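
One way to check secrets.txt against the per-property requirements in the table above before starting the installation. This is an added example, not BMC code and not the deployment manager's own validation; the function names, the none/any/listed rule labels, and the choice to report any special character outside !@#$% as unsupported are assumptions. The demo input reuses values from the sample secrets.txt above, several of which do not meet the listed requirements.

```bash
#!/usr/bin/env bash
# Added example, not BMC code: lint secrets.txt against the rules in the table above.
LC_ALL=C; export LC_ALL   # keep ranges such as [A-Z] ASCII-only

# Read KEY=value without sourcing the file (sourcing would run any shell code in it).
get_value() {   # get_value <file> <key>
    sed -n "s/^$2=//p" "$1" | tail -n 1 | sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

# check_password <name> <value> <min_len> <special: none|any|listed>
# Prints one line per violated rule and returns 1 if any rule is violated.
check_password() {
    cp_val=$2 cp_bad=0
    cp_special=$(printf '%s' "$cp_val" | tr -d 'A-Za-z0-9')   # the non-alphanumerics
    [ "${#cp_val}" -ge "$3" ] || { echo "$1: fewer than $3 characters"; cp_bad=1; }
    case "$cp_val" in *[A-Z]*) ;; *) echo "$1: no uppercase letter"; cp_bad=1 ;; esac
    case "$cp_val" in *[a-z]*) ;; *) echo "$1: no lowercase letter"; cp_bad=1 ;; esac
    case "$cp_val" in *[0-9]*) ;; *) echo "$1: no digit"; cp_bad=1 ;; esac
    # Matched literally; the page does not say whether case matters.
    case "$cp_val" in *admin*|*bmcuser*) echo "$1: contains 'admin' or 'bmcuser'"; cp_bad=1 ;; esac
    case "$4" in
    none)
        [ -z "$cp_special" ] || { echo "$1: contains a special character"; cp_bad=1; } ;;
    any)
        [ -n "$cp_special" ] || { echo "$1: no special character"; cp_bad=1; } ;;
    listed)   # only !@#$% are supported, and not as first or last character
        [ -n "$cp_special" ] || { echo "$1: no special character"; cp_bad=1; }
        [ -z "$(printf '%s' "$cp_special" | tr -d '!@#$%')" ] ||
            { echo "$1: unsupported special character"; cp_bad=1; }
        case "$cp_val" in [!A-Za-z0-9]*|*[!A-Za-z0-9])
            echo "$1: starts or ends with a special character"; cp_bad=1 ;; esac ;;
    esac
    return "$cp_bad"
}

# validate_secrets <secrets.txt> <SMTP_AUTH> <CUSTOM_CA_SIGNED_CERT_IN_USE>
validate_secrets() {
    vs_bad=0
    case "$(get_value "$1" IMAGE_REGISTRY_PASSWORD)" in
        "") echo "IMAGE_REGISTRY_PASSWORD: missing"; vs_bad=1 ;;
        *[!A-Za-z0-9]*) echo "IMAGE_REGISTRY_PASSWORD: contains a special character"; vs_bad=1 ;;
    esac
    if [ "$2" = NONE ]; then
        [ -z "$(get_value "$1" SMTP_PASSWORD)" ] ||
            { echo "SMTP_PASSWORD: must be blank when SMTP_AUTH is NONE"; vs_bad=1; }
    else
        check_password SMTP_PASSWORD "$(get_value "$1" SMTP_PASSWORD)" 7 none || vs_bad=1
    fi
    check_password PG_PASSWD "$(get_value "$1" PG_PASSWD)" 7 listed || vs_bad=1
    check_password MINIO_ACCESS_KEY "$(get_value "$1" MINIO_ACCESS_KEY)" 8 any || vs_bad=1
    check_password MINIO_SECRET_KEY "$(get_value "$1" MINIO_SECRET_KEY)" 7 any || vs_bad=1
    if [ "$3" = true ]; then   # ES_JKS_PASSWORD only matters with a custom CA certificate
        check_password ES_JKS_PASSWORD "$(get_value "$1" ES_JKS_PASSWORD)" 7 listed || vs_bad=1
    fi
    vs_log=$(get_value "$1" LOG_ES_PASSWD)   # optional entry
    [ -z "$vs_log" ] || check_password LOG_ES_PASSWD "$vs_log" 7 listed || vs_bad=1
    return "$vs_bad"
}

# Demo: values copied from the sample secrets.txt on this page.
demo=$(mktemp)
printf '%s\n' IMAGE_REGISTRY_PASSWORD=password123 SMTP_PASSWORD=test123 \
    PG_PASSWD=pGTest2020 MINIO_ACCESS_KEY=admin MINIO_SECRET_KEY=admin123 \
    ES_JKS_PASSWORD=test@12 > "$demo"
validate_secrets "$demo" PLAIN true || echo "secrets.txt does not meet the documented rules"
rm -f "$demo"
```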

Task 3: To install BMC Helix Platform Common Services

  1. In the helix-on-prem-deployment-manager/configs/infra.config file, modify the following parameters that are environment-specific:

    Important

    • The following load balancer hosts are required. You do not need any subdomains.
      • LB_HOST
        Ensure that the LB_HOST value is not the same as the tenant URL.
      • TMS_LB_HOST
      • MINIO_LB_HOST
      • MINIO_API_LB_HOST
      • KIBANA_LB_HOST
      • Tenant URL that is derived based on the following parameters from the infra.config file:
        $TENANT_NAME-$TENANT_TYPE-$TENANT_ENVIRONMENT.$DOMAIN
    • Make sure that you have created a storage class.
      BMC supports a Bring-Your-Own-Storage-Class model for any block storage supporting high performance IOPS. NFS is not supported for persistent volumes. CephRBD is certified by BMC.

     

  2. In the helix-on-prem-deployment-manager/configs/deployment.config file, modify the following parameters:

    Parameter: Required value

    Docker registry project details

    • BHOM_IMAGE_REGISTRY_ORG: Specify the value as lp0lz.
      BHOM_IMAGE_REGISTRY_ORG=lp0lz

    Infra services options

    • DEPLOYMENT_SIZE: itsmcompact, itsmsmall, or itsmxlarge
      If you are installing BMC Helix Platform Common Services in a nonproduction environment, specify the value as itsmcompact.
      If you are installing BMC Helix Platform Common Services in a production environment, specify the value as itsmsmall.
      If you are installing BMC Helix Service Management extra large size, specify the value as itsmxlarge.
      BMC Helix Service Management does not require BMC Helix Platform Common Services resources with deployment sizes such as medium or large. To optimize resources, the deployment sizes, itsmcompact and itsmsmall, are provided for BMC Helix Service Management installation. The itsmcompact size does not support high availability. Use itsmcompact for nonproduction environments. The itsmsmall size supports high availability, so use this size for production environments.
    • INFRA: yes
    • _PTPOSTGRESS: yes
    • _KAFKA: yes
    • _REDIS: yes
    • _RSSO: yes
    • _ELASTICSEARCH: yes
    • _VICTORIAMETRICS: yes
      Important: If you are not using BMC Helix ITSM Insights, set this parameter to No.
    • _MINIO: yes

    BMC Helix Dashboard services

    • HELIX_DASHBOARD_SERVICES: yes

    BMC Helix ITSM Insights

    • (Optional) ITSMINSIGHT_SERVICES: yes
      If you are not using BMC Helix ITSM Insights, set the ITSMINSIGHT_SERVICES and _VICTORIAMETRICS parameter values to No.

    AR System services

    • ARSERVICES: yes
      Important: Make sure that you specify the value as yes. This option registers the BMC Helix Innovation Suite services in BMC Helix Platform.

    BMC Helix Logging

    • BMC_HELIX_LOGGING: yes
  3. Perform the following steps to disable the credential service:
    1. From the working directory, navigate to helix-on-prem-deployment-manager/configs.
    2. In the <deployment size>.json file, in the tms section, in the override_param parameters, add the envMap.env.ADE_CS_ENABLED parameter value as false.
      For example, in the itsmcompact.json file, in the tms override section, add "envMap.env.ADE_CS_ENABLED": "false".
  4. Install the product by running the following command:

    ./deployment-manager.sh

    After the BMC Helix Platform Common Services are deployed, the tenant administrator receives the following emails:

      • An email with details about the BMC Helix Platform account
      • An email to change the BMC Helix Platform account password at the first login

    All installation logs are located in the helix-on-prem-deployment-manager/logs directory.

Task 4: To apply the hotfix

The zombie process generation issue on redis-haproxy-monitor pods and Kafka Zookeeper pods is fixed in the BMC Helix Platform Common Services 24.4.00.00.001 hotfix, addressing the following issues:

  • DRRE3-7571
  • DRRE3-7638

For more information about the issues, see Known-and-corrected-issues.

Perform the following steps to apply the hotfix:

  1. Download the BMC_Helix_PCS_for_Service_Management_Version_24.4.00.001.tar.gz file from EPD and save it in the working directory.
    You can download the file by selecting the BMC Helix Platform Common Services for Service Management Version 24.4.00.001 option. See Downloading-the-installation-files.
  2. If you are using a local repository for pulling images, make sure that the local image repository has referenced the following images in the 244_Helix_Platform_Images.txt file:
  3. Extract the BMC_Helix_PCS_for_Service_Management_Version_24.4.00.001.tar.gz file to the 24.4.00 workspace folder.

    tar -xvf BMC_Helix_PCS_for_Service_Management_Version_24.4.00.001.tar.gz
  4. Run the hf_script.sh hotfix script file providing the full path of the 24.4.00 deployment manager directory.

    bash hf_script.sh </path/to/directory/24.4.00>/helix-on-prem-deployment-manager

    For example: bash hf_script.sh /data/24.4.00/helix-on-prem-deployment-manager

    Important

    • This command creates a new directory named /data/24.4.00/helix-on-prem-deployment-manager_HF1.YYYYMMDDHHMMSS, which is a copy of the deployment manager directory.
      This directory contains the logs and configuration files.
    • No changes are made to the earlier deployment manager directory that was passed as the parameter.

Sample configuration files

Sample infra.config file
#Docker registry details
#IMAGE_REGISTRY_HOST=containers.bmc.com
#IMAGE_REGISTRY_USERNAME=<user name to access registry>
IMAGE_REGISTRY_HOST=
IMAGE_REGISTRY_USERNAME=

# keep double quotes in all variables if not required, don't leave them blank or empty
#Infra details
#NAMESPACE=dark-helmet
#LB_HOST=host-india-app.mydomain.com
#LB_PORT=443
#TMS_LB_HOST=tms-private-poc.mydomain.com
#DOMAIN=mydomain.com
#MINIO_LB_HOST=minio-private-poc.mydomain.com
#KIBANA_LB_HOST=kibana-private-poc.mydomain.com
#TENANT_ENVIRONMENT=<Type of environment>
# The values of ENVIRONMENT is based on kind of setup you are going to create e.g. dev, qa, production, poc, multi-service, canary etc. (this is not based on deployment size compact, small, medium, large etc)
TENANT_ENVIRONMENT=dev
NAMESPACE=
LB_HOST=
LB_PORT=
TMS_LB_HOST=
DOMAIN=
# If minio web access required .Please give LB (e.g.minio.domain.com )which has DNS entry otherwise keep blank "".
MINIO_LB_HOST=
# Use minio api ingress(minio-api.domain.com)
MINIO_API_LB_HOST=
KIBANA_LB_HOST=

#Cluster type can have values openshift or ocp for OpenShift.
#If CLUSTER_TYPE is not set to openshift or ocp then cluster type is treated as kubernetes cluster.
CLUSTER_TYPE=

#Tenant details for onboarding
#COMPANY_NAME=<tenant company name same as in tenant discover appliance url>
#TENANT_EMAIL=<tenant email address>
#TENANT_FIRST_NAME=<tenant first name>
#TENANT_LAST_NAME=<tenant last name>
## TENANT_TYPE= <Tenant type in tenant url same as in tenant discovery appliance url>
## Please use only alphanumeric value in COMPANY_NAME
TENANT_NAME=
TENANT_EMAIL=
TENANT_FIRST_NAME=
TENANT_LAST_NAME=
TENANT_TYPE=
# Ensure that the value of COUNTRY is enclosed within double quotes
TENANT_COUNTRY="Virgin Islands, U.S."

#SMTP Config
#SMTP_HOST=<SMTP host name of IP address accessible from cluster>
#SMTP_PORT=<SMTP server port, e.g. 25>
#SMTP_USERNAME=<SMTP user name>
#SMTP_FROM_EMAIL=<SMTP from email address>
#SMTP_TLS=<true/false>
#This below variable is used by portal team
#SMTP_AUTH=<PLAIN or LOGIN or NONE>
# If you use NONE it will not skip the validation of SMTP but it means that your organization allows you to send email without SMTP authentication.
# PLAIN or LOGIN is used when you have authenticated SMTP user and SMTP password
#This variable is used for sending the report email to the dashboard team; the default value is true
#SMTP_AUTH_DASHBOARD=<true or false>
#OPS_GROUP_EMAIL=<ops email address>
#APPROVAL_GROUP_EMAIL=<email address for approval>
SMTP_HOST=
SMTP_PORT=
#Ensure blank values for SMTP username password is in double quotes
SMTP_USERNAME=
SMTP_FROM_EMAIL=
## SMTP_TLS value can be true or false.
## If SMTP_TLS is set to true and certificate of SMTP_HOST is signed by a custom or self-signed CA then
## ensure to append custom or self-signed CA certificate (full CA chain) to commons/certs/custom_cacert.pem file.
SMTP_TLS=false
SMTP_AUTH_DASHBOARD=true
SMTP_AUTH=
OPS_GROUP_EMAIL=
APPROVAL_GROUP_EMAIL=

#storage class, set value as per storage class in cluster
#PG_STORAGE_CLASS=onprem-storage
#VMSTORAGE_STORAGE_CLASS=onprem-storage
#VMAGGSTORAGE_STORAGE_CLASS=onprem-storage
#ES_MASTER_STORAGE_CLASS=onprem-storage
#ES_DATA_STORAGE_CLASS=onprem-storage
#MINIO_STORAGE_CLASS=onprem-storage
#EFS_STORAGE_CLASS=onprem-storage
#REDIS_HA_GLOBAL_STORAGECLASS=onprem-storage
#KAFKA_STORAGECLASS=onprem-storage
#ESLOG_MASTER_STORAGE_CLASS=onprem-storage
#ESLOG_DATA_STORAGE_CLASS=onprem-storage
#AIOPS_STORAGE_CLASS=onprem-storage

PG_STORAGE_CLASS=
VMSTORAGE_STORAGE_CLASS=
VMAGGSTORAGE_STORAGE_CLASS=
ES_MASTER_STORAGE_CLASS=
ES_DATA_STORAGE_CLASS=
MINIO_STORAGE_CLASS=
EFS_STORAGE_CLASS=
REDIS_HA_GLOBAL_STORAGECLASS=
KAFKA_STORAGECLASS=
ESLOG_MASTER_STORAGE_CLASS=
ESLOG_DATA_STORAGE_CLASS=
AIOPS_STORAGE_CLASS=

#Optimize storage details
#OPT_STORAGE_CLASS=onprem-storage
OPT_STORAGE_CLASS=

#CUSTOM_CA_SIGNED_CERT_IN_USE=true/false
#if you are using self-signed/custom CA signed certificate please set it to true,
#also ensure you have copied custom CA certificate file at commons/certs directory with file name custom_cacert.pem i.e. commons/certs/custom_cacert.pem
CUSTOM_CA_SIGNED_CERT_IN_USE=false

# If there are no permissions to create ServiceAccount, Role, RoleBinding, then create a serviceaccount and assign it to CUSTOM_SERVICEACCOUNT_NAME by replacing the default value of helix-onprem-sa.
# Ensure to create a role and rolebinding from file commons/yaml_files/role_rolebinding.yaml and a serviceAccount from file commons/yaml_files/serviceAccount.yaml.
# If there are permissions to create ServiceAccount, Role, RoleBinding then do not change CUSTOM_SERVICEACCOUNT_NAME from value helix-onprem-sa.
CUSTOM_SERVICEACCOUNT_NAME=helix-onprem-sa

# If you want to use custom JAVA keystore for "RSSO SAML keystore configuration", then you must set variable RSSO_CUSTOM_JAVA_KEYSTORE_IN_USE to true
# and put the custom java keystore file at commons/certs directory with file name rsso_custom_java_keystore
# i.e. commons/certs/rsso_custom_java_keystore
# The file commons/certs/rsso_custom_java_keystore will be mounted inside RSSO container at location /etc/rsso_custom_java_keystore
# SAML Keystore - this is the Keystore used for reading SAML-specific certificates/keys. So, it's an application-level Keystore, used directly by the app.
# While JVM Keystore contains certificates for HTTPS connections, the SAML Keystore is used for storing signing and encryption certificates for communication with SAML v2 IdP.
RSSO_CUSTOM_JAVA_KEYSTORE_IN_USE=false  

# Smart Graph
#SMART_SYSTEM_USERNAME=system
SMART_SYSTEM_USERNAME=""

# Ingress class used while deploying Ingress controller
INGRESS_CLASS=nginx

#Binary paths on your system
#HELM_BIN=/usr/local/bin/helm
#KUBECTL_BIN=/usr/bin/kubectl
HELM_BIN=
KUBECTL_BIN=
#OC_BIN path should be set if CLUSTER_TYPE is openshift or ocp
#OC_BIN=/usr/local/sbin/oc
OC_BIN=

# Infra components will run with below Security Context.
# Below 3 variables are considered only for OpenShift cluster
# i.e. if CLUSTER_TYPE is openshift or ocp
# Set correct context as per the OpenShift namespace.
# Else RUN_AS_USER, RUN_AS_GROUP and FS_GROUP must be null.
RUN_AS_USER=null
RUN_AS_GROUP=null
FS_GROUP=null

# Optimize Security Context:
# OPT_FSGROUP must have value 87654321 if CLUSTER_TYPE is openshift or ocp and INSTALL_MODE is upgrade and fresh deployment was performed with 22.2.01 version
# Else OPT_FSGROUP must have value 1001
OPT_FSGROUP=1001

# If CLUSTER_TYPE is openshift or ocp  and INSTALL_MODE is fresh then ML_FSGROUP must be same as FS_GROUP mentioned above, else ML_FSGROUP must have value 998
ML_FSGROUP=998

################################### DO NOT CHANGE ANYTHING BELOW THIS LINE ##########################################

#Patroni Postgres config
PG_HOSTNAME=postgres-bmc-pg-ha-pool
PG_USER=postgres
PG_DATABASE=postgres


#Redis HA config
REDIS_HA_HOSTNAME=redis-redis-ha-haproxy

#Kafka & Zookeeper config
KAFKA_HOSTNAME=kafka
ZOOKEEPER_HOSTNAME=kafka-zookeeper

#RSSO Config
RSSO_PG_DB=ade_rsso

#Elasticsearch config
ES_EVENTS_HOSTNAME=elasticsearch-events-opendistro-es-data-svc
ES_LOGS_HOSTNAME=elasticsearch-logs-opendistro-es-data-svc

#MinIO config
MINIO_HOSTNAME=minio

# Misc
IMAGE_REGISTRY_SECRET=bmc-dtrhub
TENANT_PHONE=1234567890
LOGIN_ID=hannah_admin
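
Task 3 requires LB_HOST to differ from the tenant URL, and the comments in the sample infra.config above tie several settings to each other (CLUSTER_TYPE to OC_BIN and the security context values, CUSTOM_CA_SIGNED_CERT_IN_USE to custom_cacert.pem). The following script checks those dependencies before deployment-manager.sh is run; it is an added example, not BMC code, the function names are hypothetical, and the demo input is a constructed fragment with made-up tenant values.

```bash
#!/usr/bin/env bash
# Added example, not BMC code: cross-check infra.config values that depend on each other.

# Read KEY=value without sourcing the file (sourcing would run any shell code in it).
cfg() {   # cfg <file> <key>
    sed -n "s/^$2=//p" "$1" | tail -n 1 | sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/'
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Tenant host as derived in Task 3: $TENANT_NAME-$TENANT_TYPE-$TENANT_ENVIRONMENT.$DOMAIN
tenant_host() {   # tenant_host <infra.config>
    printf '%s-%s-%s.%s' "$(cfg "$1" TENANT_NAME)" "$(cfg "$1" TENANT_TYPE)" \
        "$(cfg "$1" TENANT_ENVIRONMENT)" "$(cfg "$1" DOMAIN)"
}

# lint_infra <infra.config> <commons/certs directory>
# Prints one line per finding and returns 1 if there is any.
lint_infra() {
    li_bad=0
    li_tenant=$(tenant_host "$1")
    # Host names are case-insensitive, so compare in lower case.
    if [ "$(lower "$(cfg "$1" LB_HOST)")" = "$(lower "$li_tenant")" ]; then
        echo "LB_HOST: same as the tenant URL host $li_tenant"; li_bad=1
    fi
    # MINIO_LB_HOST is left out: the sample file allows it to stay blank.
    for li_key in LB_HOST TMS_LB_HOST MINIO_API_LB_HOST KIBANA_LB_HOST; do
        [ -n "$(cfg "$1" "$li_key")" ] || { echo "$li_key: not set"; li_bad=1; }
    done
    case "$(cfg "$1" CLUSTER_TYPE)" in
    openshift|ocp)
        [ -n "$(cfg "$1" OC_BIN)" ] || { echo "OC_BIN: not set for OpenShift"; li_bad=1; } ;;
    *)
        for li_key in RUN_AS_USER RUN_AS_GROUP FS_GROUP; do
            [ "$(cfg "$1" "$li_key")" = null ] ||
                { echo "$li_key: must be null on a non-OpenShift cluster"; li_bad=1; }
        done ;;
    esac
    if [ "$(cfg "$1" CUSTOM_CA_SIGNED_CERT_IN_USE)" = true ] &&
       [ ! -s "$2/custom_cacert.pem" ]; then
        echo "CUSTOM_CA_SIGNED_CERT_IN_USE: true, but $2/custom_cacert.pem is missing or empty"
        li_bad=1
    fi
    return "$li_bad"
}

# Demo on a constructed infra.config fragment (every value below is made up).
demo=$(mktemp -d)
cat > "$demo/infra.config" <<'EOF'
TENANT_NAME=acme
TENANT_TYPE=itsm
TENANT_ENVIRONMENT=dev
DOMAIN=mydomain.com
LB_HOST=Acme-itsm-dev.mydomain.com
TMS_LB_HOST=tms-private-poc.mydomain.com
MINIO_API_LB_HOST=
KIBANA_LB_HOST=kibana-private-poc.mydomain.com
CLUSTER_TYPE=
RUN_AS_USER=1000
RUN_AS_GROUP=null
FS_GROUP=null
CUSTOM_CA_SIGNED_CERT_IN_USE=true
EOF
lint_infra "$demo/infra.config" "$demo" || echo "fix infra.config before running deployment-manager.sh"
rm -rf "$demo"
```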

Sample deployment.config file
#Common config begin
#Size of deployment, values are compact, small, medium, large, itsmcompact, itsmsmall, and itsmxlarge
DEPLOYMENT_SIZE=small

#Docker registry project details
IMAGE_REGISTRY_PROJECT=bmc
IMAGE_REGISTRY_ORG=lp0lz
CORE_IMAGE_REGISTRY_ORG=lp0lz
IA_IMAGE_REGISTRY_ORG=lp0oz
OPTIMIZE_IMAGE_REGISTRY_ORG=lp0pz
BHOM_IMAGE_REGISTRY_ORG=lp0mz
AIOPS_IMAGE_REGISTRY_ORG=la0cz

#Common config end

#Install mode as fresh or upgrade
INSTALL_MODE=fresh

#Flag controlling infra services installation
INFRA=yes

#Flag controlling individual infra services installation
_PTPOSTGRESS=yes
_KAFKA=yes
_REDIS=yes
_RSSO=yes
_VICTORIAMETRICS=yes
_ELASTICSEARCH=yes
_MINIO=yes

# Do not make changes to service flags it will break dependency
#Flag controlling helix dashboard services installation
HELIX_DASHBOARD_SERVICES=yes

#Flag controlling itsminsight services installation
ITSMINSIGHT_SERVICES=no

#Flag controlling aiops services installation
AIOPS_SERVICES=no

#Flag controlling monitor product installation
MONITOR=no

#Flag controlling intelligentintegrations services installation
INTELLI_INT_SERVICES=no

#Flag controlling intelligent automation product installation
INTELLIGENT_AUTOMATION=no

#Flag controlling bmc-helix-logging product installation
BMC_HELIX_LOGGING=yes

#Flag Controlling optimize installation
OPTIMIZE=no

#Flag AR Services installation
ARSERVICES=yes
AUTOANAMOLY=no
