System requirements

Before you deploy the product, make sure that your environment meets the hardware and software requirements.

System requirements

Make sure that your environment meets the following requirements:

Component

Supported Versions

Orchestration platforms

Kubernetes 1.28 – 1.32

OpenShift 4.15 – 4.18

Important:

To use a restricted namespace for your existing BMC Helix Service Management environment, complete the BMC Helix Service Management upgrade first and then change the namespace to restricted pod security.
You can use the container runtime supported by the orchestration platform that you want to use.
For example, containerd, CRI-O, and Docker Engine are the container runtimes supported with Kubernetes and OpenShift.

Supported Kubernetes and OpenShift platforms

The following Kubernetes and OpenShift based platforms are supported with the underlying Kubernetes or OpenShift versions as listed in the previous row.

Kubernetes management tools
- VMware Tanzu
- Rancher Kubernetes
OKD (Community Edition OpenShift)
- Due to a lack of vendor support, BMC recommends that you do not use OKD for enterprise production usage.
  Refer to additional system requirements for OpenShift in Preparing-to-install-in-an-OpenShift-cluster.
Public Cloud Managed Kubernetes
- Oracle Cloud Infrastructure Container Engine for Kubernetes (OKE) with underlying Kubernetes 1.28.x – 1.32.x

- Amazon Elastic Kubernetes Service (EKS) with underlying Kubernetes 1.28.x – 1.32.x

- Google Kubernetes Engine (GKE) with underlying Kubernetes 1.28.x – 1.32.x

- Microsoft Azure Kubernetes Service (AKS) with underlying Kubernetes 1.28.x – 1.32.x

Important: Kubernetes clusters that use only the Internet Protocol version 4 (IPv4) are supported.

Ingress controller

Ingress

NGINX Ingress Controller¹

1.11.5, 1.12.1

Important:

BMC has certified using the Nginx Ingress Controller version 1.12.1 with Kubernetes version 1.32.

BMC has certified using the Nginx Ingress Controller version 1.11.5 with Kubernetes version 1.31, 1.30, 1.29, and 1.28.

NGINX Ingress Controller is installed by default in the ingress-nginx namespace. Review the following parameter value requirements in the nginx-configuration configmap:

enable-underscores-in-headers: "true"
allow-snippet-annotations: "true"
proxy-body-size: 250m
server-name-hash-bucket-size: "1024"

ssl-redirect: "false"
use-forwarded-headers: "true"
proxy-connect-timeout: "300"
proxy-read-timeout: "600"
proxy-send-timeout: "600"

You can use the following command to view the parameters in the nginx-configuration configmap:

kubectl describe cm nginx-configuration -n ingress-nginx

Important: If you are using Nginx Ingress Controller version 1.12.1, add the annotations-risk-level: Critical parameter to the nginx-configuration configmap.

F5 NGINX Plus Ingress Controller

The enterprise edition of the F5 NGINX Plus Ingress Controller is supported.

For more information, see Deploying and configuring the F5 NGINX Plus Ingress Controller.

Important: F5 NGINX Plus Ingress Controller is not supported with BMC Helix ITSM Insights.

Package Manager

Helm 3.17 for Kubernetes version 1.32
Helm 3.16 for Kubernetes version 1.31
Helm 3.15 for Kubernetes version 1.30
Helm 3.14 for Kubernetes version 1.29 and 1.28

Load Balancer

Load Balancer

F5 load balancer or other load balancer.

The following load balancer SSL methods are supported:

SSL Offloading at the load balancer
SSL Passthrough to offload at the Ingress Controller
SSL Full Proxy
Allow X-Forwarded- Headers Upstream of Ingress
Reverse Proxy http back to https

Important: Make sure that you configure the following headers for SSL Offloading at the load balancer:

X-Forwarded-Proto—https
X-Forwarded-Host
X-Forwarded-Port—443

Storage and security certificates

Persistent or Elastic Storage

BMC supports a Bring-Your-Own-Storage-Class model, for any block storage supporting high performance IOPS.

CephRBD is certified by BMC.

Security Certificates

DigiCert and R3 certificates.

Custom CA signed certificates and self-signed certificates are supported.

Important: If you are using a self-signed or custom CA certificate, make sure that you use the same custom certificate during BMC Helix Platform and BMC Helix Service Management installation.

Other system requirements

Java

Java 17 and later for AR System clients, such as Developer Studio, and Atrium Integrator.

Important: The Atrium Integrator client is compatible only with JDK 17 and does not support any later versions of Java.

Container Host OS

You can use any x86_64 GNU/Linux OS supported by your Kubernetes or OpenShift platform and release version.

Host OS Bash Shell

Bash Shell 4.2 or later

Docker Registry

Direct access to BMC's Docker Trusted Registry (DTR) at https://containers.bmc.com
The latest version of Harbor synchronized with BMC’s Docker Trusted Registry.
BMC certifies the use of the open-source Harbor repository to synchronize the container images with BMC DTR. You can choose any container repository solution that is compatible with the BMC Helix Service Management deployment.
Docker Engine or Podman is required for pulling the container images from BMC DTR.

DB Support

Oracle Database 19.16 or a later patch
The supported version is Oracle 19, with a minimum patch level of 16.

Microsoft SQL Server 2019
Microsoft SQL Server 2022
PostgreSQL 13.x – 17.x

Notes:

You must set up the database server outside the Kubernetes clusters on a physical or virtual machine.
BMC Helix Service Management installation supports both case-insensitive and sensitive Oracle databases.
BMC Helix Service Management installation supports both case-insensitive and sensitive PostgreSQL databases.
In general, BMC recommends running on the latest Service Pack, Maintenance Level, or other such update to listed databases.
AR System server and BMC Helix CMDB support 'AlwaysOn' for Microsoft SQL Server.
AR System and BMC Helix CMDB server support Oracle Real Application Clusters (Oracle RAC) feature of Oracle Database.
Pluggable/un-pluggable Oracle database is supported.

Email Engine

Microsoft Exchange Server 2016 (64-bit) and Microsoft Office 365 Exchange

Notes:

BMC internally certifies Email Engine with Microsoft Exchange Server and Microsoft Office 365 Exchange. Because Email Engine makes use of JavaMail API that is capable of working with other SMTP servers, SMTP servers that are not listed in this table might still operate correctly with AR System. You might be able to run AR System in a configuration not listed as supported. However, BMC has not certified the integration of Email Engine with such SMTP servers in their labs.

Microsoft has discontinued MAPI support in Microsoft Exchange Server 2016; Support for EWS (exchange web service) is available for Microsoft Exchange Server 2016 only.
See, https://docs.microsoft.com/en-us/exchange/new-features/discontinued-features?view=exchserver-2016.
OAuth 2.0 based authentication is required for Microsoft Office 365 Exchange starting with 20.02.01 and later
Starting with AR System 20.02.01 (also known as 20.02 Patch 1), Email Engine supports OAuth 2.0 based authentication for the Exchange Web Services (EWS) protocol to access Microsoft Office 365 Exchange.
For more information, see AR System 20.08 enhancements in the AR System online documentation.

BMC Helix Platform Common Services

BMC Helix Platform Common Services 25.2.00

BMC Helix Platform Common Services 25.1.00

BMC Helix Service Managementinstallation uses the following services provided by BMC Helix Platform:

Foundational services such as user management, tenant management, and BMC Helix Single Sign-On

Data lake such as Elasticsearch, PostgreSQL, and MinIO

Metrics Server

BMC Helix uses the HorizontalPodAutoscaler (HPA) for its services so that the product can scale based on the customer usage. For the HPA to function, Kubernetes must expose metrics that are used to trigger scaling activities, for which a Metrics Server is required.

For information about the HPA, seethis page in the Kubernetes documentation.

For information about the Metrics Server, seethis page in the Kubernetes documentation

(Optional) Service mesh

You can install service mesh in your Kubernetes cluster.

Important: Installation of service mesh is optional. The node encryption is not supported.

We have certified Cilium service mesh.

For information about service mesh, see Service Mesh in Cilium documentation and How Cilium enhances BMC Helix Innovation Suite in BMC Communities.

The supported Ingress and Helm versions with the Kubernetes orchestration platforms are as follows:

Kubernetes	Ingress	Helm
1.32	1.12.1	3.17
1.31	1.11.5	3.16
1.30	1.11.5	3.15
1.29	1.11.5	3.14
1.28	1.11.5	3.14

The supported Ingress and Helm versions with the OpenShift orchestration platforms are as follows:

Openshift	Ingress	Helm
4.18	1.12.1	3.17
4.17	1.11.5	3.16
4.16	1.11.5	3.15
4.15	1.11.5	3.14

Network port requirements

Review the following components and the ports used:

Source component	Destination	Port	Direction
Local image registry (Harbor) with internet access	BMC Docker Trusted Registry (DTR) (containers.bmc.com)	443	Outbound
Kubernetes cluster (Worker nodes)	Local image registry (Harbor) with internet access	443, 80 The default Harbor port is 80 if Secure Socket Layer (SSL) is not enabled.	Outbound
	Database server	Database port The port varies based on your database type and service. Important: If you are using Oracle Real Application Clusters (RAC), make sure that you open the ONS port 6200 on each server worker node.	Outbound
	SMTP server	SMTP server port	Outbound
End user traffic	Load balancer or HA proxy	443 Important: Only port 443 is supported for application URLs incoming traffic.	Incoming
Load balancer	Ingress controller	Ingress controller service port The port varies based on your Kubernetes platform and Ingress controller service.	Incoming
AR Clients (Developer Studio)	BMC Helix Innovation Suite server Admin service	46262 You can expose this port through EXTERNAL-IP or Nodeport for the platform-admin-ext service.	Inbound
BMC Deployment Engine	Kubernetes cluster	Kubernetes API server port	Outbound
HDM virtual machine	Staging database server	Database port The port varies based on your database type and service.	Outbound

Ports used by BMC Helix Service Management services

You might use the following ports to set your network policy:

Important

All service types are ClusterIP unless specified otherwise.

Service name	Port and protocol
aisplugin	9556/TCP
atriumplugin	9556/TCP
atriumwebsvc	8080/TCP
catalog-itsm-plugin	9822/TCP
clamav	3310/TCP
dwp-tomcat	9000/TCP
emailengine	1100/TCP
itsmplugin	9991/TCP
midtier-int	8080/TCP
midtier-int-dns-lookup	5701/TCP
midtier-user	8080/TCP
normplugin	9555/TCP
openfire	5222/TCP
openfire-dns-lookup	5701/TCP
openfire-ext	7001/TCP,7070/TCP
platform-admin	46262/TCP,8008/TCP,20000/TCP,61617/TCP,7319/TCP,40001/TCP
platform-admin-ext	46262/TCP,8008/TCP,20000/TCP,61617/TCP,7319/TCP,40001/TCP,9999/TCP,9556/TCP This service requires either EXTERNAL-IP, Nodeport, or Load balancer to access external clients like the Developer Studio.
platform-fts	46262/TCP,8008/TCP,20000/TCP,61617/TCP,7319/TCP,40001/TCP,9977/TCP
platform-fts-ext	46262/TCP,8008/TCP,20000/TCP,61617/TCP,7319/TCP,40001/TCP,9977/TCP
platform-int	46262/TCP,8008/TCP,20000/TCP,61617/TCP,7319/TCP,40001/TCP
platform-int-ext	46262/TCP,8008/TCP,20000/TCP,61617/TCP,7319/TCP,40001/TCP
platform-sr	46262/TCP,8008/TCP,20000/TCP,61617/TCP,7319/TCP,40001/TCP
platform-sr-ext	46262/TCP,8008/TCP,20000/TCP,61617/TCP,7319/TCP,40001/TCP
platform-user	46262/TCP,8008/TCP,20000/TCP,61617/TCP,7319/TCP,40001/TCP
platform-user-ext	46262/TCP,8008/TCP,20000/TCP,61617/TCP,7319/TCP,40001/TCP
platformplugin	9999/TCP
reportplugin	9991/TCP
rkmplugin	9556/TCP
smartit	9000/TCP
tsomplugin	9822/TCP
virtualchatplugin	9822/TCP
virtualchatserver	8080/TCP,6226/TCP,6225/TCP
virtualchatserver-ext	8080/TCP,6226/TCP,6225/TCP

To get more information about the ports used by the BMC Helix Service Management services, run the following command:
kubectl get svc -n <Innovation suite namespace>

Ports used by BMC Helix Platform Common Services

You might use the following ports to set your network policy:

Important

All service types are ClusterIP unless specified otherwise.

Service name	Ports and protocol
ade-file-service	50187/TCP,60187/TCP,8093/TCP,9093/TCP,11000/TCP
adeauthsvc	8000/TCP
adereporting	8080/TCP,8000/TCP
adereporting-apiservice	8080/TCP
adereporting-renderer-service	8081/TCP
adereporting-report-generator-service	3002/TCP,3003/TCP
adereporting-rms	8080/TCP
aif-api-service	50197/TCP,60197/TCP,8094/TCP,9094/TCP,11000/TCP
aif-clustering-ingestion-service	50220/TCP,60220/TCP,11000/TCP
aif-clustering-query-service	50219/TCP,60219/TCP,11000/TCP
aif-clustering-service	50221/TCP,60221/TCP,11000/TCP
aif-core-service	50177/TCP,60177/TCP,11000/TCP
aif-incident-ingestion-service	50197/TCP,60197/TCP,11000/TCP
aif-job-manager-service	50207/TCP,60207/TCP,11000/TCP
aif-machine-learning-utilities	50052/TCP,60052/TCP,11000/TCP,8080/TCP,9080/TCP
aif-ticket-service	50217/TCP,60217/TCP,11000/TCP
ans	8000/TCP
aud	8000/TCP
credential	8000/TCP
eventses-exporter-prometheus-elasticsearch-exporter	9108/TCP
featureflag	8000/TCP
ims	8000/TCP
imsportal	8000/TCP,9000/TCP
kafka	9092/TCP
kafka-headless	9092/TCP,9093/TCP
kafka-zookeeper	2181/TCP,2888/TCP,3888/TCP
kafka-zookeeper-headless	2181/TCP,2888/TCP,3888/TCP
metric-gateway-service	50059/TCP,60059/TCP,8093/TCP,9093/TCP,11000/TCP,8080/TCP
metric-gateway-service-svc	50059/TCP,60059/TCP,8093/TCP,9093/TCP,11000/TCP,8080/TCP
metric-ingestion-service	50051/TCP,60051/TCP,8080/TCP
metric-ingestion-service-svc	50051/TCP,60051/TCP,8080/TCP
metric-query-service	50051/TCP,60051/TCP,8091/TCP,8080/TCP
metric-query-service-svc	50051/TCP,60051/TCP,8091/TCP,8080/TCP
minio	9000/TCP,9001/TCP
minio-headless	9000/TCP,9001/TCP
opensearch-events-data	9200/TCP,9300/TCP
opensearch-events-data-headless	9200/TCP,9300/TCP,9600/TCP
opensearch-events-master	9200/TCP,9300/TCP
opensearch-events-master-headless	9200/TCP,9300/TCP,9600/TCP
opensearch-logs-data	9200/TCP,9300/TCP
opensearch-logs-data-headless	9200/TCP,9300/TCP,9600/TCP
opensearch-logs-master	9200/TCP,9300/TCP
opensearch-logs-master-headless	9200/TCP,9300/TCP,9600/TCP
postgres-bmc-pg-ha	5432/TCP
postgres-bmc-pg-ha-config	<none>
postgres-bmc-pg-ha-pool	5432/TCP
postgres-bmc-pg-ha-repl	5432/TCP
redis-redis-ha	6379/TCP,26379/TCP
redis-redis-ha-announce-0	6379/TCP,26379/TCP
redis-redis-ha-announce-1	6379/TCP,26379/TCP
redis-redis-ha-announce-2	6379/TCP,26379/TCP
redis-redis-ha-haproxy	6379/TCP
redis-cluster	6379/TCP
redis-cluster-headless	6379/TCP,16379/TCP
redis-cluster-metrics	9121/TCP
rsso	8080/TCP
smart-graph-api	8000/TCP
smart-graph-controller	25210/TCP,25677/TCP
tas	8000/TCP
tms	8000/TCP,9000/TCP
tmsportal	8000/TCP
ucs	8000/TCP
victoria-metrics-cluster-vminsert	8480/TCP,2003/TCP,2003/UDP,8189/TCP,8189/UDP
victoria-metrics-cluster-vmselect	8481/TCP
victoria-metrics-cluster-vmstorage	8482/TCP,8401/TCP,8400/TCP

To get more information about the ports used by the BMC Helix Platform Common Services , run the following command:

kubectl get svc -n <Platform Common Services namespace>

Important

Make sure that a port exposed over the network is secured by techniques such as whitelisting.

Ports used by BMC Helix Logging

You might use the following ports to set your network policy:

Service name	Ports and protocol
efk-elasticsearch-coordinating-hl	9200/TCP,9300/TCP
efk-elasticsearch-data-hl	9200/TCP,9300/TCP
efk-elasticsearch-efk-elasticsearch-coordinating-hl	9200/TCP,9300/TCP
efk-elasticsearch-ingest-hl	9200/TCP,9300/TCP
efk-elasticsearch-kibana	5601/TCP
efk-elasticsearch-master-hl	9200/TCP,9300/TCP
efk-fluent-bit	9880/TCP

To get more information about the ports used by the BMC Helix Logging, run the following command:
kubectl get svc -n <BMC Helix Logging namespace>

Jenkins server requirements

Review the following requirements for the Jenkins server:

Component	Node	vCPU	Operating System	RAM (GB)	Disk space (GB)
Jenkins server	1	2	RHEL 8.6 or later, RHEL 9.x, Rocky Linux 8.x and 9.x are certified.	Minimum 8 GB	100 Make sure that the /home, /var, /usr mount points have a minimum of 15 GB free space and /tmp has a minimum of 5 GB free space.

For information about setting up BMC Deployment Engine, see Setting-up-BMC-Deployment-Engine.

Harbor repository requirements

Use the latest version of Harbor. For information about Harbor installation requirements, see Harbor Installation and Configuration and Harbor Installation Prerequisites in Harbor documentation.

To access images from a local Harbor repository, make sure that your system has minimum 4 CPU with 8 GB memory and the following disk space:

750 GB disk space when you are setting up the Harbor repository for the first time.
100 GB approximately when you are synchronizing the container images in BMC DTR with the Harbor repository for an upgrade.

For information about setting up Harbor repository, see Setting-up-a-Harbor-repository-to-synchronize-container-images.

Controller machine requirements

If you are using BMC Helix Platform Common Services, make sure that the controller machine supports the following operating systems:

Operating System	Version
Linux	8.5 or higher
Red Hat Enterprise Linux (RHEL)	8 or higher
Ubuntu	20.04.6 or higher

Browser support

Operating System	Browsers
Windows	Firefox Chrome Microsoft Edge HARMAN Packaged Browser
Macintosh OS X	Safari

Namespaces

Review the following requirements for the namespaces in your cluster:

Namespace to install BMC Helix Platform Common Services.
Namespace to install BMC Helix Logging.

Namespace to install BMC Helix Service Management.
Make sure that the namespace name consists of only lowercase alphanumerics and hyphens. Example, 'bmc-itsm'.

Important

In your network policy, you must allow communication between the following namespaces:

The namespace where you will install BMC Helix Platform Common Services and the namespace for BMC Helix Service Management.
2. The namespace for BMC Helix Logging and the namespace for BMC Helix Service Management.

The actual namespace names are specific to your environment.

Important

To support Elastic deployment, increase the maximum number of memory maps on each worker node by running following command:

# echo vm.max_map_count=262144 > /etc/sysctl.d/es-custom.conf

# sysctl -w vm.max_map_count=262144

For more information, see https://www.elastic.co/guide/en/elasticsearch/reference/current//vm-max-map-count.html.

^{1. In this documentation, NGINX Ingress Controller refers to the Open-Source NGINX Ingress Controller maintained by Kubernetes.}

Where to go from here

Next task	Proceed with Downloading-the-installation-files.
Back to process	If you are finished understanding the Persistent Volume Claim requirements, return to the appropriate installation or upgrade process: Installing Migrating-Remedy-on-premises-to-BMC-Helix-Service-Management-on-premises

System requirements