Integrating BMC Helix Service Management with the CyberArk vault
The deployment of BMC Helix Service Management includes service and internal accounts other than the end-user accounts, each configured in a different location. To enhance security, you can integrate BMC Helix Service Management with a CyberArk vault. The vault serves as a secure digital repository for storing sensitive information, particularly privileged account credentials and secrets.
You can manage the passwords for the following account types by using the CyberArk vault:
- Service accounts—These accounts are used for integration between the components, such as the hannah_admin user.
- Internal accounts—These accounts are used to connect to external systems, such as database users, Elasticsearch users, and Openfire users.
By maintaining these account passwords in the vault, you can easily update or rotate them. Whenever you make changes to the passwords in the vault, your on-premises environment will automatically use the new passwords.
BMC Helix Service Management creates a master secret file ar_global_secret to set up the global secret. The global secret contains all the secrets utilized during the BMC Helix Service Management deployment. The HELIX_ONPREM_DEPLOYMENT pipeline retrieves these secrets from the global secret. Additionally, the pipeline deploys a controller responsible for updating the global secret when any changes occur in the CyberArk vault.
Before you begin
Install a CyberArk vault to manage the service account and internal account user passwords.
To integrate BMC Helix Service Management with the CyberArk vault
- To integrate BMC Helix Service Management with the CyberArk vault, see Integrations in the CyberArk documentation.
- While installing or upgrading BMC Helix Service Management, in the HELIX_ONPREM_DEPLOYMENT pipeline, select the EXTERNAL_VAULT check box.
See Performing the BMC Helix Service Management installation.
Considerations for updating passwords in the CyberArk vault
While updating the passwords in the CyberArk vault, consider the following points:
- Do not update the passwords in the CyberArk vault during pod restarts.
- When you update a password for any account, make sure that you update the corresponding application password.
For example, if you update the password for the Mid Tier service, make sure you update the password for the Mid Tier application.
Components that require a restart after a password change
The following table lists the BMC Helix Service Management components that require a restart after you change or rotate the component password in the CyberArk vault:
| Component password | Parameter | Pods/Plug-ins to restart |
|---|---|---|
| BMC Helix Innovation Suite user password | AR_DB_PASSWORD | Platform, Smart IT, DWP |
| Smart Reporting database password | AR_SR_DB_PASSWORD | Platform Smart Reporting, Smart Reporting |
| Atrium administrator password | ATWS_AR_PASSWORD | Atrium plug-in |
| UDDI database administrator user password | ATWS_UDDI_ADMIN_PASSWORD | Atrium plug-in |
| UDDI database user password | ATWS_UDDI_DB_PASSWORD | Atrium plug-in |
| BMC Digital Workplace tenant administrator password | DWP_TENANT_ADMIN_PASSWORD | BMC Digital Workplace, BMC HelixGPT |
| BMC Digital Workplace Catalog tenant administrator password | DWPC_TENANT_ADMIN_PASSWORD | BMC Digital Workplace |
| BMC Helix Digital Workplace user password | DWP_AR_PASSWORD | BMC Digital Workplace |
| BMC Helix Digital Workplace subtenant administrator user password | DWP_SUBTENANT_ADMIN_PASSWORD | BMC Digital Workplace |
| BMC Digital Workplace API key | DWP_API_KEY | BMC Digital Workplace |
| BMC Digital Workplace API secret | DWP_API_SECRET | BMC Digital Workplace |
| Application service password | AR_RAS_PASSWORD | Smart IT, Mid Tier, plug-ins, platform, Secret Controller |
| DSO user password | AR_DSO_PASSWORD | Mid Tier, Platform |
| Mid Tier service password | AR_MIDTIER_SERVICE_PASSWORD | Mid Tier, Platform |
| CACERTS SSL trust store password | CACERTS_PASSWORD | Restart all pods except the BMC HelixGPT pods |
| Smart IT chat server administrator password | SMARIT_CHAT_ADMIN_PASSWORD | Smart IT |
| Openfire administrator password | OPENFIRE_ADMIN_PASSWORD | Openfire, Smart IT |
| OpenSearch user password | GPT_OS_PASSWORD | BMC HelixGPT |
| Elasticsearch user password | AR_FTS_ES_PASSWORD | Platform |
| BMC Live Chat user password | VC_AR_PASSWORD | BMC Live Chat plug-in server |
| BMC Live Chat RKM user password | VC_RKM_PASSWORD | BMC Live Chat plug-in server |
| DataConnect Engine source rest password | DCE_REST_PASSWORD | DataConnect Engine |
Use the HELIX_RESTART pipeline to restart the components. The pipeline restarts the platform first, followed by the applications such as Mid Tier, Smart IT, and so on. For information about how to restart components, see the To restart application pods section in the Performing the BMC Helix Service Management installation topic.
Components that do not require a restart after a password change
The following table lists the BMC Helix Service Management components that do not require a restart after you change or rotate the component password in the CyberArk vault:
| Component password | Parameter | Pods/Plug-ins to restart |
|---|---|---|
| BMC Helix Innovation Suite database administrator password | DB_ADMIN_PASSWORD | NA |
| AR System server administrator user password | SCCM_AR_PASSWORD | NA |
| BMC Helix Client Management and CMDB integration user password | BCM_AR_PASSWORD | NA |
| BMC Helix Client Management and CMDB database integration user password | BCM_DB_PASSWORD | NA |
| ODBC password | ODBC_PASSWORD | NA |
| BMC Helix Digital Workplace Config Business Workflows system user password | DWP_BWF_SYSTEM_PASSWORD | NA |
| BMC Digital Workplace Catalog connector password | DWPC_PLATFORM_CONNECTOR_PASSWORD | NA |
| SBE system user password | DWP_SBE_SYSTEM_PASSWORD | NA |
| HKM activation user password | HKM_ACTIVATION_PASSWORD | NA |
| KAFKA user password | AR_MESSAGING_PASSWORD | NA |
| KAFKA administrator user password | AR_MESSAGING_ADMIN_PASSWORD | NA |
| Integration service user password | INTS_PASSWORD | NA |
| Integration server database user password | SCCM_DB_PASSWORD | NA |
| Summarization service user password | SUMMARIZATION_SERVICE_PASSWORD | NA |
| Data streaming super user password | DATA_STREAMING_SU_PASSWORD | NA |
| Telemetry administrator user password | TELEMETRY_ADMIN_PASSWORD | NA |
To verify the password updates
- Verify that the platform and application component pods are running by using the following command:
kubectl get pod -n <BMC Helix Innovation Suite namespace>
- In the AR System:ESO_Audit audit form, verify that the component password update is reflected.
For information about how to preview the form, see Previewing form updates in the BMC Helix Innovation Suite documentation.
- To check the global secrets, run the following commands:
kubectl get secret ar-global-secret -n <BMC Helix Innovation Suite namespace>
kubectl describe secret ar-global-secret -n <BMC Helix Innovation Suite namespace>
- To view the controller logs, perform the following steps:
  - Check for the controller pod name by using the following command:
  kubectl get pods -n <BMC Helix Innovation Suite namespace>
  - Connect to the controller pod by using the following command (a shell must be named so that the next steps can run inside the pod):
  kubectl exec -it <controller pod name> -n <BMC Helix Innovation Suite namespace> -- sh
  Example:
  kubectl exec -it secret-controller-85bdbfdcb4-nqj86 -n <BMC Helix Innovation Suite namespace> -- sh
  - Navigate to the logs folder by using the following command:
  cd bin/logs
  - View the logs by using the following command:
  vi secretcontroller.log
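As an added example (not part of the BMC documentation), the Python below ties the verification step to the two restart tables: it compares two snapshots of the ar-global-secret Secret, reports which parameters changed without ever exposing the values, and derives the pods to restart, platform first as HELIX_RESTART does. It assumes the snapshots come from `kubectl get secret ar-global-secret -o json` (a flag not shown on this page), uses only a subset of the table entries, and the sample snapshots are constructed.

```python
import base64
import hashlib
import json

# Subset of the two tables above: parameter -> pods/plug-ins to restart after rotation.
# An empty list means the page lists the parameter as needing no restart.
RESTART_MAP = {
    "AR_DB_PASSWORD": ["Platform", "Smart IT", "DWP"],
    "AR_RAS_PASSWORD": ["Platform", "Smart IT", "Mid Tier", "plug-ins", "Secret Controller"],
    "AR_MIDTIER_SERVICE_PASSWORD": ["Platform", "Mid Tier"],
    "OPENFIRE_ADMIN_PASSWORD": ["Openfire", "Smart IT"],
    "AR_FTS_ES_PASSWORD": ["Platform"],
    "AR_MESSAGING_PASSWORD": [],
    "DB_ADMIN_PASSWORD": [],
}

def fingerprints(secret_json):
    """SHA-256 per key of the Secret's decoded values, so snapshots compare without exposing passwords."""
    data = json.loads(secret_json).get("data", {})
    return {k: hashlib.sha256(base64.b64decode(v)).hexdigest() for k, v in data.items()}

def changed_keys(before_json, after_json):
    """Keys whose value differs between two snapshots (added or removed keys count as changed)."""
    before, after = fingerprints(before_json), fingerprints(after_json)
    return sorted(k for k in set(before) | set(after) if before.get(k) != after.get(k))

def restart_plan(keys):
    """Platform first (HELIX_RESTART restarts it before the applications), then table order."""
    targets, no_restart, unknown = [], [], []
    for k in keys:
        if k not in RESTART_MAP:
            unknown.append(k)  # not in either table: check the page before restarting anything
        elif not RESTART_MAP[k]:
            no_restart.append(k)
        else:
            for c in RESTART_MAP[k]:
                if c not in targets:
                    targets.append(c)
    ordered = [c for c in targets if c == "Platform"] + [c for c in targets if c != "Platform"]
    return {"restart": ordered, "no_restart": no_restart, "unknown": unknown}

def _b64(s):
    return base64.b64encode(s.encode()).decode()

# Constructed sample snapshots (not real output) of `kubectl get secret ar-global-secret -o json`
BEFORE = json.dumps({"kind": "Secret", "data": {"AR_DB_PASSWORD": _b64("old-db"),
                     "OPENFIRE_ADMIN_PASSWORD": _b64("old-of"), "AR_MESSAGING_PASSWORD": _b64("old-kafka")}})
AFTER = json.dumps({"kind": "Secret", "data": {"AR_DB_PASSWORD": _b64("old-db"),
                    "OPENFIRE_ADMIN_PASSWORD": _b64("new-of"), "AR_MESSAGING_PASSWORD": _b64("new-kafka")}})
```

Running `restart_plan(changed_keys(BEFORE, AFTER))` on the sample reports that Openfire and Smart IT need a restart and that the Kafka user password needs none.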
Where to go from here
Performing the BMC Helix Service Management installation