
BMC Automation Console 20.02
Home

Date:  2020-04-21 0:44
URL:  https://docs.bmc.com/docs/x/i4c3Ng
Contents
Release notes and notices................................................................................................................................................... 13
20.02.01: Patch 1 for TrueSight Automation Console 20.02.............................................................................................14
Known and corrected issues.........................................................................................................................................15
Updates ........................................................................................................................................................................15
Support for creating and approving change requests for patch remediation operations .......................................15
Tagging assets...........................................................................................................................................................15
User experience enhancements...............................................................................................................................15
Supported versions of TrueSight Server Automation ...................................................................................................16
Applying the patch .......................................................................................................................................................16
Downloading the patch ............................................................................................................................................16
Installing the patch ...................................................................................................................................................16
Upgrading to the patch ............................................................................................................................................16
20.02.01: Patch 1 for BMC Helix Automation Console version 20.02 ..............................................................................17
Known and corrected issues.........................................................................................................................................17
Updates ........................................................................................................................................................................17
Support for creating and approving change requests for patch remediation operations .......................................17
Tagging assets...........................................................................................................................................................17
User experience enhancements...............................................................................................................................18
20.02 enhancements........................................................................................................................................................18
Available on the BMC Helix Platform and on-premises................................................................................................19
Creation and approval of change requests...................................................................................................................19
Blind spot detection using BMC Discovery...................................................................................................................19
Vulnerability Dashboard enhancements ......................................................................................................................20
Support for additional user authentication methods...................................................................................................21
Support for executing a patch policy instantly .............................................................................................................21
Vulnerability management enhancements ..................................................................................................................21
Support for additional remediation content to remediate vulnerabilities ...............................................................22
Removing mapping for auto-mapped assets............................................................................................................22
Vulnerability noise reduction ...................................................................................................................................22
Export missing patches and vulnerabilities data to CSV...............................................................................................22
Extended staging window for patch operations...........................................................................................................22
Support for additional search filters.............................................................................................................................23
Ability to sort data in columns .....................................................................................................................................23

Related topic ................................................................................................................................................................23
Known and corrected issues.............................................................................................................................................23
Getting started .................................................................................................................................................................... 27
Overview ..........................................................................................................................................................................27
Product overview .........................................................................................................................................................27
Patch Management ..................................................................................................................................................27
Vulnerability Management.......................................................................................................................................28
Documentation overview.............................................................................................................................................28
Architecture......................................................................................................................................................................29
Endpoint manager........................................................................................................................................................30
Application Server ........................................................................................................................................................30
Database Server ...........................................................................................................................................................32
Related topics...............................................................................................................................................................32
Onboarding BMC Helix subscribers ..................................................................................................................................32
Configuring users and roles..........................................................................................................................................34
Suggested reading ........................................................................................................................................................34
User roles and permissions ..............................................................................................................................................34
License entitlements ........................................................................................................................................................37
End-to-end use cases .......................................................................................................................................................... 38
Use case: Remediating missing patches ...........................................................................................................................38
What do I need to get started? ....................................................................................................................................38
How to identify and remediate? ..................................................................................................................................38
Use case: Remediating vulnerabilities..............................................................................................................................39
What do I need to get started? ....................................................................................................................................39
How to identify and remediate? ..................................................................................................................................39
Planning............................................................................................................................................................................... 42
Deployment scenarios......................................................................................................................................................42
Small deployment ........................................................................................................................................................42
Medium deployment....................................................................................................................................................43
Large deployment ........................................................................................................................................................44
Related topic ................................................................................................................................................................45
Deployment sizing requirements .....................................................................................................................................45
Minimum deployment sizing requirements .................................................................................................................45
What conditions were used to develop these sizing requirements? ...........................................................................47
System requirements .......................................................................................................................................................47

System requirements for BMC Helix Automation Console (SaaS) ................................................................................47
Endpoint manager requirements .............................................................................................................................47
Supported BMC product versions ............................................................................................................................48
Supported browsers .................................................................................................................................................48
System requirements for TrueSight Automation Console (on-premises) .....................................................................48
Endpoint manager requirements .............................................................................................................................48
Supported browsers .................................................................................................................................................49
Supported BMC product versions ............................................................................................................................49
Third-party software ................................................................................................................................................49
Docker requirements and supported operating systems .........................................................................................50
Minimum hardware requirements...........................................................................................................................50
Database requirements and supported versions .....................................................................................................51
Port requirements ....................................................................................................................................................52
Installing .............................................................................................................................................................................. 54
TrueSight Automation Console installation process.........................................................................................................54
What next? .......................................................................................................................................................................55
Preparing for installation..................................................................................................................................................55
Setting up your installation environment.....................................................................................................................56
Setting up Docker in an internet-enabled environment...........................................................................................56
To set up Docker CE on a CentOS computer.........................................................................................................56
To set up Docker EE on an RHEL computer ..........................................................................................................58
Setting up Docker in an air-gapped environment.....................................................................................................60
To set up Docker CE on a CentOS computer in an air-gapped environment ........................................................60
To set up Docker EE on an RHEL computer in an air-gapped environment ..........................................................61
Configuring the product for firewall and Security-Enhanced Linux..........................................................................63
Where to go from here?...............................................................................................................................................64
Downloading the installation files................................................................................................................................64
Installation files ........................................................................................................................................................65
To verify the files ......................................................................................................................................................65
Where to go from here.............................................................................................................................................66
Installing in the interactive mode.....................................................................................................................................66
Installing the Stack Manager tool.................................................................................................................................66
Installing the database .................................................................................................................................................67
Installing the Automation Console application ............................................................................................................69
Where to go next?........................................................................................................................................................72

Installing silently...............................................................................................................................................................72
Installing the Stack Manager tool.................................................................................................................................73
Installing silently...........................................................................................................................................................73
Where to go next?........................................................................................................................................................78
Configuring application clusters .......................................................................................................................................78
Configuring an application cluster using HA Proxy.......................................................................................................78
Related topic ................................................................................................................................................................80
Uninstalling.......................................................................................................................................................................80
Uninstalling the application..........................................................................................................................................81
Uninstalling the database.............................................................................................................................................81
Upgrading............................................................................................................................................................................ 82
Supported upgrade paths.................................................................................................................................................82
TrueSight Automation Console upgrade process .............................................................................................................82
Where to go next?............................................................................................................................................................83
Preparing for upgrade ......................................................................................................................................................83
Setting up your upgrade environment .........................................................................................................................83
Preparing to upgrade TrueSight Automation Console..................................................................................................84
To recreate the repository on a CentOS computer...................................................................................................84
To recreate the repository on an RHEL computer ....................................................................................................85
Where to go from here?...............................................................................................................................................85
Performing the upgrade ...................................................................................................................................................86
Build numbers ..............................................................................................................................................................86
To upgrade TrueSight Automation Console..................................................................................................................86
Where to go next?........................................................................................................................................................89
Configuring connectors ....................................................................................................................................................... 90
Configuring the TrueSight Server Automation connector ................................................................................................90
Overview ......................................................................................................................................................................90
Before you begin ..........................................................................................................................................................90
Installing the Server Automation connector ................................................................................................................91
Updating the TrueSight Server Automation connector ................................................................................................92
Enabling debug mode...................................................................................................................................................92
Configuring the TrueSight Orchestration connector ........................................................................................................93
Overview ......................................................................................................................................................................93
Configuring connector for TrueSight Automation Console ..........................................................................................93
post/api/v1/connectors............................................................................................................................................93

Configuring connector for BMC Helix Automation Console .........................................................................................95
Where to go next?........................................................................................................................................................96
Configuring the BMC Discovery connector ......................................................................................................................96
Overview ......................................................................................................................................................................96
Configuring connector for TrueSight Automation Console ..........................................................................................97
post/api/v1/connectors............................................................................................................................................97
Configuring connector for BMC Helix Automation Console .........................................................................................98
Creating a service account for BMC Discovery .............................................................................................................99
post/api/v1/config/service-accounts .......................................................................................................................99
Where to go next?......................................................................................................................................................101
Using.................................................................................................................................................................................. 102
Logging in .......................................................................................................................................................................102
Accessing the Automation Console............................................................................................................................102
Overview of the Automation Console user interface .................................................................................................103
Common Automation Console UI elements...........................................................................................................103
Changing the security group ......................................................................................................................................104
Using Dashboards...........................................................................................................................................................104
Using the Patch Dashboard ........................................................................................................................................104
Viewing the Patch Dashboard ................................................................................................................................104
Patch Compliance...................................................................................................................................................104
Impacted Assets by SLA..........................................................................................................................................105
Impacted Assets by Severity...................................................................................................................................106
Unique Missing Patches by Age..............................................................................................................................107
Remediation trend .................................................................................................................................................108
Top 10 Missing Patches ..........................................................................................................................................109
Using the Vulnerability Dashboard.............................................................................................................................109
Viewing the Vulnerability Dashboard.....................................................................................................................110
Vulnerabilities.........................................................................................................................................................110
SLA Breakdown by Assets and Vulnerabilities ........................................................................................................111
Severity Breakdown by Assets and Vulnerabilities.................................................................................................112
Vulnerability by Stage.............................................................................................................................................113
Remediation trend .................................................................................................................................................113
Top 10 Missing Vulnerabilities................................................................................................................................114
Top 10 Business Services at Risk.............................................................................................................................115
Patch policies..................................................................................................................................................................115

Where to go from here...............................................................................................................................................116
Working with patch policies .......................................................................................................................................116
Execute patch policy...............................................................................................................................................117
Viewing patch policy results...................................................................................................................................117
Editing a patch policy .............................................................................................................................................118
Disabling and enabling a policy ..............................................................................................................................119
Removing a patch policy.........................................................................................................................................119
Scans ..............................................................................................................................................................................119
Prerequisites for importing scans...............................................................................................................................120
Rapid7 scan file requirement .................................................................................................................................120
Qualys scan file requirements ................................................................................................................................120
Nessus scan file requirements ..................................................................................................120
Validating scans ..........................................................................................................................................................120
Considerations before you import .............................................................................................................................120
Where to go from here...............................................................................................................................................121
Working with scans ....................................................................................................................................................121
Importing a scan.....................................................................................................................................................121
Deleting a scan file .................................................................................................................................................122
Assets .............................................................................................................................................................................122
Where to go from here...............................................................................................................................................123
Working with assets ...................................................................................................................................................123
Viewing assets with missing patches......................................................................................................................123
Viewing assets from a vulnerability scan................................................................................................................123
Mapping and unmapping assets ............................................................................................................................124
Adding tags to assets..............................................................................................................................................124
Removing tags ........................................................................................................................................................125
Viewing assets from BMC Discovery ......................................................................................................................125
Performing an advanced search .............................................................................................................................125
Risks................................................................................................................................................................................126
Missing patches..........................................................................................................................................................126
Vulnerabilities.............................................................................................................................................................126
Auto-mapping process ...........................................................................................................................................126
Manual mapping process .......................................................................................................................................128
Where to go from here...............................................................................................................................................128
Working with risks ......................................................................................................................................................128

Viewing and exporting unique missing patches
Exporting missing patches
Viewing and exporting vulnerabilities
Viewing details of a vulnerability
Viewing details of a remediation
Exporting vulnerabilities
Mapping and unmapping vulnerabilities
Auto-mapping new vulnerabilities
Manually mapping vulnerabilities
Unmapping vulnerabilities
Operations
Patch operation
Vulnerability operation
Change automation
Where to go from here
Working with operations
Adding a patch remediation operation
Adding a vulnerability remediation operation
Viewing results for an operation
Removing an operation
Administering
Service Account
Where to go from here
Working with a service account
Adding a service account
Editing a service account
Viewing service account details
Security groups
Where to go from here
Working with security groups
Adding a security group
Viewing a list of security groups
Editing a security group
Service Level Agreements
Where to go from here

Working with Service Level Agreements
Updating Service Level Agreements
Catalogs
Working with catalogs
Adding catalogs
Viewing a list of catalogs
Editing catalogs
Disabling, enabling, or removing catalogs
Change automation
Overview
Change automation process flow
Change automation considerations
Where to go from here
Enabling change automation
To enable creating change requests for an operation
Where to go from here
Using REST API
Accessing the Swagger host for APIs
Login and Administration Service APIs
Violations and Dashboard Service APIs
Patch Catalog Service APIs
Patch Policy and Operations APIs
Troubleshooting
Working with logs
Troubleshooting operations with change requests
Change templates not displayed when configuring change approval for an operation
Operation is configured to create a change request, however, change is not created in BMC Remedy IT Service Management
Resolution
Change request is created in BMC Remedy ITSM, however, the request ID and status is not displayed on the Operations page
Resolution
Troubleshooting discovered assets
Discovered Assets page does not show any assets
Resolution
No data in the Top 10 Business Services at Risk widget on the Vulnerability Dashboard

Resolution
Troubleshooting patch management problems
Catalog time is not updated in Automation Console even after the catalog is updated
Resolution
Managed Assets page has no asset data
Resolution
Policy run results do not appear in Automation Console
Related topic
Support information
Contacting Customer Support
Support status

Automation Console is available as a service, called BMC Helix Automation Console (SaaS), and as an on-premises
product, called TrueSight Automation Console.

Automation Console integrates with TrueSight Server Automation to identify, analyze, and remediate missing patches
and vulnerabilities in your environment. IT operators and administrators use the Automation Console to automate the
patch and vulnerability management process for Windows and Red Hat Linux servers.

BMC Helix Automation Console is a part of the BMC Helix Vulnerability Management service.

Getting started
• Overview
• Architecture
• Onboarding BMC Helix subscribers
• User roles and permissions
• License entitlements

Using
Work with Automation Console

Administering
Security, configuration, and maintenance

End-to-end use cases
Use cases for remediating missing patches and identified vulnerabilities.

Planning (On-premises only)
Plan an installation or upgrade based on deployment scenarios, best practices, sizing, and system requirements.

Installing (On-premises only)
Install the product and perform initial system configuration.

Upgrading (On-premises only)
Upgrade based on your deployment requirements.

Release notes and notices
Learn what's new or changed in this release of BMC Helix Automation Console (SaaS) and TrueSight Automation 
Console (on-premises).

Date: 21 April, 2020
Title: 20.02.01: Patch 1 for TrueSight Automation Console 20.02
Summary: Patch 1 for TrueSight Automation Console (on-premises), which includes corrected issues and the following updates:
• Support for creating and approving change requests for patch remediation operations
• Tagging assets
• User experience enhancements

Date: 10 April, 2020
Title: 20.02.01: Patch 1 for BMC Helix Automation Console version 20.02
Summary: Patch 1 for BMC Helix Automation Console (SaaS) only, which includes corrected issues and the following updates:
• Support for creating and approving change requests for patch remediation operations
• Tagging assets
• User experience enhancements

Date: 21 February, 2020
Title: 20.02 enhancements
Summary: Features available in this release:
• Available on the Helix Platform and on-premises
• Creation and approval of change requests
• Blind spot detection using BMC Discovery
• Vulnerability Dashboard enhancements
• Ability to execute a patch policy instantly
• Removing mapping for auto-mapped assets
• Vulnerability noise reduction
• Exporting missing patches and vulnerabilities data to a CSV file
• Support for new search filters
• Ability to sort data in columns

Tips
• To stay informed of changes to this list, click the icon on the top of this page.
• Ready-made PDFs are available on the PDFs page. You can also create a custom PDF.

The BMC Documentation portal gives you the ability to generate PDF and Microsoft Word documents of single pages, and to create PDF exports of multiple pages in a space.

Creating PDF and Word exports


You can create a PDF of a page or a set of pages. (Non-English page exports are not supported.) You can
also create a Word document of the current page.

To export to PDF or Word


a. From the Tools menu in the upper-right, select a format: 
• Export to Word to export the current page to Word format
• Export to PDF to export the current page or a set of pages to PDF

b. If exporting to PDF, select what you want to export:


• Only this page to export the current page
• This page and its children to export a set of pages
For example, selecting This page and its children from the home page exports the entire space to
PDF.

20.02.01: Patch 1 for TrueSight Automation Console 20.02


This topic contains information about fixes and updates in Patch 1 for TrueSight Automation Console 20.02, and provides 
instructions for downloading and applying the patch.

Known and corrected issues
For information about issues corrected in this patch, see Known and corrected issues.

Updates
This patch contains these updates:

Support for creating and approving change requests for patch remediation operations 
When you create operations for applying missing patches on assets, you can now create a change request in the change
management system, which tracks the operation, and goes through a change approval process. In 20.02, integration with
BMC Remedy IT Service Management system was already supported for the vulnerability remediation operations. If you
have enabled the integration, no additional configuration is required to enable change creation and approval for a patch
operation. 

For more information, see Change automation. 

Tagging assets
On the Scanned Assets page, you can now add tags to the assets imported from a vulnerability scan results file. While
creating a vulnerability remediation operation, you can choose assets based on the tags.

To add tags, you must export the assets data to a CSV file, enter tag information in key:value pair format, and then import the updated CSV file back into Automation Console. Alternatively, you can download the CSV template from the Advanced Search option, enter the details about assets and tags, and upload the same file to Automation Console.

For more information, see Working with assets.

User experience enhancements


This patch also provides the following miscellaneous enhancements that improve your experience:

| Enhancement | See topic |
|---|---|
| Ability to browse and select the Default Depot Path and Default Job Patch while working with security groups. | Working with security groups |
| Support for viewing and selecting vulnerabilities on the basis of their mapping status added to the advanced filter. | Working with risks |
| Option to export data from the Risks > Vulnerabilities page to a CSV file. | Working with risks |
| The number of missing patches on the impacted assets is also displayed on the Vulnerability Dashboard > Top 10 Business Services at Risk widget. | Using the Vulnerability Dashboard |
| Deleting a draft vulnerability remediation deletes all sub-operations associated with the draft one. | Working with operations |

Supported versions of TrueSight Server Automation
For supported versions, see System requirements. 

Applying the patch


When upgrading to the patch, you are required to provide the build number as shown below:

| Version | Build number |
|---|---|
| Patch 1 for TrueSight Automation Console 20.02 (20.02.01) | 20.02.00.481 |

Downloading the patch


Patch 1 for TrueSight Automation Console 20.02 contains a full installer. You can download the patch installation file from 
the BMC Electronic Product Downloads (EPD) Site. 

For instructions, see Downloading the installation files.

Installing the patch


If you are installing this patch as a fresh product installation, the process is the same as for installing any version. You do not need to provide the build number.

For instructions, see Installing. 

Upgrading to the patch


Based on your current version, consult the following table to upgrade to this patch: 

| Current version | Upgrade to |
|---|---|
| 20.02 | 20.02 Patch 1 |
| 19.1 | 20.02 |

While upgrading to a patch, ensure that you specify the exact build number applicable to this patch.

For instructions, see Upgrading. 

 Do I need to configure the connectors after upgrading?


No. You do not need to configure any connector after applying this patch. Your previous connector configurations
are supported as is.

20.02.01: Patch 1 for BMC Helix Automation Console version 20.02


This topic contains information about the updates and fixes in Patch 1 for BMC Helix Automation Console (SaaS).

Known and corrected issues


For information about issues corrected in this patch, see Known and corrected issues.

Updates
This patch contains these updates:

Support for creating and approving change requests for patch remediation operations 
When you create operations for applying missing patches on assets, you can now create a change request in the change
management system, which tracks the operation, and goes through a change approval process. In 20.02, integration with
BMC Remedy IT Service Management system was already supported for the vulnerability remediation operations. If you
have enabled the integration, no additional configuration is required to enable change creation and approval for a patch
operation. 

For more information, see Change automation. 

Tagging assets
On the Scanned Assets page, you can now add tags to the assets imported from a vulnerability scan results file. While
creating a vulnerability remediation operation, you can choose assets based on the tags.

To add tags, you must export the assets data to a CSV file, enter tag information in key:value pair format, and then import the updated CSV file back into Automation Console. Alternatively, you can download the CSV template from the Advanced Search option, enter the details about assets and tags, and upload the same file to Automation Console.

For more information, see Working with assets.

User experience enhancements


This patch also provides the following miscellaneous enhancements that improve your experience:

| Enhancement | See topic |
|---|---|
| Ability to browse and select the Default Depot Path and Default Job Patch while working with security groups. | Working with security groups |
| Support for viewing and selecting vulnerabilities on the basis of their mapping status added to the advanced filter. | Working with risks |
| Option to export data from the Risks > Vulnerabilities page to a CSV file. | Working with risks |
| The number of missing patches on the impacted assets is also displayed on the Vulnerability Dashboard > Top 10 Business Services at Risk widget. | Using the Vulnerability Dashboard |
| Deleting a draft vulnerability remediation deletes all sub-operations associated with the draft one. | Working with operations |

20.02 enhancements
This topic describes the enhancements in version 20.02 of BMC Helix Automation Console (SaaS) and TrueSight Automation Console (on-premises).

• Available on the BMC Helix Platform and on-premises


• Creation and approval of change requests
• Blind spot detection using BMC Discovery
• Vulnerability Dashboard enhancements
• Support for additional user authentication methods
• Support for executing a patch policy instantly
• Vulnerability management enhancements
• Export missing patches and vulnerabilities data to CSV
• Extended staging window for patch operations
• Support for additional search filters
• Ability to sort data in columns

Available on the BMC Helix Platform and on-premises
BMC Helix is a portfolio of SaaS offerings delivering service and operations management that is fast, accurate and cost-
effective, across multi-cloud, multi-device, and multi-channel environments. BMC Helix services are delivered from your
cloud location of choice and receive the benefits of BMC's world-class SaaS Operations team and processes.

Automation Console is available as a service, called BMC Helix Automation Console (SaaS), and as an on-premises product,
called TrueSight Automation Console. 

Creation and approval of change requests


When operational changes are implemented, administrators need to document and track these changes in a change
management system. When you import a scan file in Automation Console, vulnerabilities and assets get imported. You 
first map assets to endpoints in TrueSight Server Automation, and then vulnerabilities to remediation content in 
Automation Console. After this, operators create operations for remediating vulnerabilities. As part of the vulnerability
remediation operation, you can now create a change request in the change management system, which tracks the
operations, and goes through a change approval process. 

In this release, Automation Console integrates with BMC Remedy IT Service Management (ITSM) to create change 
requests and implement an approval process. This is available for a vulnerability remediation operation, and not for a
patch remediation operation. After a change request is approved, the operation runs according to the schedule. 

Administrators enable change automation using the TrueSight Orchestration – ITSM Automation runbook. For more 
information, see Change automation. 

Blind spot detection using BMC Discovery

In this release, Automation Console integrates with BMC Discovery (on-premises only) to find servers in your environment 
that are not mapped in the endpoint manager, TrueSight Server Automation, and are not scanned for vulnerabilities. Such 
servers or assets are blind spots and can be a potential security risk as there might be critical undiscovered vulnerabilities
on those servers. The Discovered Assets page lists such assets. Key Performance Indicators (KPIs) on the Discovered Assets
page show information about the total number of discovered assets, assets that are discovered but not mapped to
endpoints in Server Automation, and assets that are not yet scanned. You must ensure that the discovered assets are 
scanned for missing patches and vulnerabilities.

To enable this integration, you must configure the BMC Discovery connector after installing the product. See Configuring
the BMC Discovery connector. 

Vulnerability Dashboard enhancements


In this release, the Vulnerability Dashboard is enhanced to provide the following additional metrics:

• Severity breakdown: Shows the severity levels for vulnerabilities in your environment. 
• SLA breakdown: Shows the SLA levels for vulnerabilities in your environment. 

• Top 10 Business Services at Risk: Shows the top 10 business services or applications with the maximum number of
vulnerabilities and impacted assets.

You see this information only if Automation Console is integrated with BMC Discovery.

• New Awaiting Approval stage in the Vulnerabilities by Stage widget: Shows the number of vulnerabilities for
which operations are created with change automation configured and the change request is not yet approved. 
• New Average Days Awaiting Approval stage in the Remediation Trend widget: Shows the average number of
days for which vulnerabilities in a remediation operation are in the Awaiting Approval stage. 
For more information, see Using the Vulnerability Dashboard v20.02.

Support for additional user authentication methods

In 20.02, you can now log in to Automation Console using the RSA SecurID and Lightweight Directory Access Protocol (LDAP) authentication methods. These methods are supported by the endpoint manager, TrueSight Server Automation.

For more information, see Logging in. 

Support for executing a patch policy instantly


In earlier versions, you could run patch policies only according to the schedule. Now, you can run a patch policy
immediately after it is created. For policies that already exist, you can run them in real time irrespective of any schedule. 

For more information, see Working with patch policies.

Vulnerability management enhancements


This release consists of the following enhancements to manage vulnerabilities:

Support for additional remediation content to remediate vulnerabilities
With this release, you can now map vulnerabilities to these types of remediation content:

• Patches
• InstallShield packages
• Microsoft Installer (MSI) packages
• Operating system service packs
• Red Hat packages
• Custom software

Except for patches, the new types of remediation content are available only when you are manually mapping a vulnerability.

The existing remediation content types, BLPackages and NSH scripts, are now enhanced. While creating a vulnerability remediation operation, you can configure properties for BLPackages and select additional parameters for NSH scripts. For more information, see Risks.

Removing mapping for auto-mapped assets


With this release, you can now remove mapping for assets that were automatically mapped to endpoints in TrueSight 
Server Automation. For more information, see Working with assets. 

Vulnerability noise reduction


An open vulnerability is now closed automatically if the remediation content is similar for multiple vulnerabilities during
the operation. 

For more information, see Operations.

Export missing patches and vulnerabilities data to CSV

On the Risks page, you can now export the data for missing patches and vulnerabilities to a CSV file.

For more information, see Working with risks.

Extended staging window for patch operations


While creating a patch operation, the maximum limit of the staging window is now extended from 24 hours to 999 hours.

For more information, see Working with operations.

Support for additional search filters
On the Assets > Managed Assets page, you can now use the Advanced Search option to search for assets using the new Unique Missing Patch filter. On the Assets > Scanned assets page, you can search using the Vulnerability Name filter. For more information, see Working with assets.

Ability to sort data in columns

You can now sort data in columns on the Operations, Manage, and Administration tabs. For Assets and Risks, advanced
filters enable you to filter data that matches your requirement. 

Related topic
Known and corrected issues

Known and corrected issues

BMC Confidential. The following information is intended only for registered users of docs.bmc.com.

The following issues are applicable to BMC Helix Automation Console (SaaS) and TrueSight Automation Console (on-premises).

| Component | Description | Corrected in | Defect ID |
| --- | --- | --- | --- |
| Performance | If the Data Refresh Cycle is set to 30 minutes, database deadlocks occur, which significantly affect the performance of the application. | 20.02.01 | DRSMP-3189 |
| Policy | Patch policy updates are not reflected accurately in Automation Console. | 20.02.01 | DRSMP-3185 |
| Risks | Vulnerabilities are not getting mapped automatically. This issue occurs due to multiple reasons, such as if catalogs are not getting synchronized accurately, or the scan files do not contain CVE IDs associated with the vulnerabilities. | 20.02.01 | DRSMP-3184 |
| Risks | When you import a scan file, assets are not getting automatically mapped to vulnerabilities. | 20.02.01 | DRSMP-3018 |
| UI | Patch Dashboard displays patch compliance data for installed and missing patches that does not match the actual policy scan results. | 20.02.01 | DRSMP-2808 |
| Assets | If an operator (no administrative permissions) deletes a scan file, assets in the Scanned Assets page are not deleted. | 20.02.01 | DRSMP-2942 |
| Policy | If an operator (no administrative permissions) deletes a patch policy, assets and missing patches identified by the policy are not deleted. | 20.02.01 | DRSMP-3076 |
| Assets | If an asset is recommissioned in TrueSight Server Automation, missing patches on the asset are not displayed in TrueSight Automation Console. | 20.02.01 | DRSMP-3078 |
| Assets | If an asset is recommissioned in TrueSight Server Automation, missing patches on the asset are not displayed in TrueSight Automation Console. | 20.02.01 | DRSMP-3079 |
| UI | On the Administration > Catalogs page, the Last Updated column does not show the actual date and time when the catalog was updated. | 20.02 | DRSMP-2820 |
| API | You can create an operation for a policy that has not identified any missing patches by using REST API. | 20.02 | DRSMP-1983 |
| Scan | Scan file import fails for any scan file and the following message is displayed: 413 Request entity too large. | 20.02 | DRSMP-2876 |
| UI | You cannot sort data in any column on the UI. | 20.02 | DRSMP-1979 |
| Mapping | On the Scanned Assets page, after importing a vulnerability scan file, you unmap the assets that have got automatically mapped. But after a data refresh interval, the same unmapped assets get auto-mapped again. And when you import another vulnerability scan file and you find a different vulnerability for the same asset that has been unmapped previously, then instead of the asset getting auto-mapped, it remains unmapped. | 20.02 | DRSMP-3025 |
| Installation | During installation, if you specify the port number for PostgreSQL database server anything apart from the default port, 5432, the underlying resource database links are not correctly formed. When you import a scan file, vulnerabilities and assets data is not imported in the Automation Console. Ensure that you do not change the default port 5432. | | DRSMP-2892 |
| Risks | If you delete a catalog from Automation Console, remediation content (from the catalog) is not deleted, and is still mapped to the vulnerabilities. | | DRSMP-1978 |
| Scan | If you import a vulnerability scan file with a file size more than 500 MB, the import fails. | | DRSMP-1981 |
| UI | On the Operations page, sort option does not work on the Status column. This issue also occurs on the Patch Policies > Asset Scope and Security Groups > Description columns. | | DRSMP-2652 |
| Change automation | When a remediation operation job is successfully complete in Automation Console, the change request status is not updated and remains in the Implementation In Progress state in BMC Remedy ITSM. On the Operations page, if you click the change request ID, the status is shown as Ready to execute. | | DRSMP-2841 |
| UI | When an Automation Console active session expires, all the dashboard widgets are still displayed. | | DRSMP-2229 |
| UI | On the Patch or Vulnerability Dashboard pages, when you place the mouse cursor on any widget, sometimes it wraps the text on the UI. | | DRSMP-2171 |

BMC Confidential. The preceding information is intended only for registered users of docs.bmc.com.

Getting started
BMC Helix Automation Console (SaaS) and TrueSight Automation Console (on-premises) integrate with TrueSight Server 
Automation to identify, analyze, and remediate missing patches and vulnerabilities in your environment. 

BMC Helix Automation Console (SaaS) is a part of the BMC Helix Vulnerability Management service. 

This section helps you to get started with the product as it describes the overview, architecture, and user roles and 
permissions for Automation Console. In addition, it provides the onboarding process for BMC Helix Automation 
Console (SaaS) subscribers. 

• Overview
• Architecture (on-premises only)
• Onboarding BMC Helix subscribers (SaaS only)
• User roles and permissions
• License entitlements

Overview
This topic helps you understand the product and features of BMC Helix Automation Console (SaaS) and TrueSight 
Automation Console (on-premises). 

• Product overview
• Documentation overview

Product overview
Automation Console is available as a service, called BMC Helix Automation Console (SaaS), and as an on-premises product, 
called TrueSight Automation Console. They integrate with the endpoint manager, TrueSight Server Automation, to identify, 
analyze, and remediate missing patches and vulnerabilities. 

BMC Helix Automation Console is a service offering on the BMC Helix Platform, and is a part of the BMC Helix Vulnerability 
Management service. 

Patch Management
Organizations spend significant time and effort in monitoring a network of servers to keep track of the patches installed
and configured on the servers, also known as assets. With application vendors releasing patches periodically, an
organization invests a considerable amount of time in obtaining the released patches, evaluating the impact, identifying
gaps, and eventually installing these patches. Most security breaches occur due to known but unpatched vulnerabilities. 
Typically, a patch administrator analyzes individual servers to determine the patches to be acquired and installed to
comply with the organizational policies. This process involves significant time and manual effort. 

Using Automation Console, an administrator imports patch catalogs from TrueSight Server Automation. These catalogs 
store patch metadata released by the vendors. An IT operator creates a patch policy based on a catalog, which runs a
patching job in Server Automation. This job scans the assets according to the policy settings and identifies missing patches
on assets. Operators can then create an operation to install missing patches, restart the assets, and send notifications
after the operation is complete.

The end-to-end patch management process of identifying missing patches and installing them on the assets is done
automatically by integrating seamlessly with TrueSight Server Automation. For more information about the TrueSight 
Server Automation patch management process, see Getting started with patch management.

Vulnerability Management
Automation Console helps you maintain the integrity of enterprise computing by analyzing and remediating vulnerabilities
across your environment. By establishing a connection with the endpoint manager, such as TrueSight Server 
Automation,  Automation Console enables you to remediate vulnerabilities on the endpoints or assets.

Operators first import a vulnerability scan file, which imports asset and vulnerability data in the application. In this
release, Automation Console supports importing data from popular vulnerability scanning tools such as Qualys, Rapid7, 
and Nessus. After a successful import, the application automatically maps assets to endpoints in TrueSight Server 
Automation, and maps vulnerabilities to remediation content required to resolve the vulnerabilities. The most common
types of remediation content are patches, NSH scripts, and packages. Operators can also map assets and vulnerabilities
manually.

Using Automation Console, operators then create operations that perform actions on assets to remediate vulnerabilities.
In version 20.02,  Automation Console integrates with BMC Remedy IT Service Management (ITSM) to create change 
requests and implement an approval process. 

For more information about the process of importing scans, mapping assets and vulnerabilities, and performing
remediation operations, see Using. 
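
A pre-import check for the scan import described above, tied to two known issues on this page: vulnerabilities are not auto-mapped when the scan file carries no CVE IDs, and imports of files larger than 500 MB fail. This is an added example, not BMC code; it assumes a Nessus v2 (.nessus) XML export, and the function names and sample data are constructed for illustration.

```python
"""Pre-import sanity check for a Nessus v2 (.nessus) scan export (added example)."""
import io
import os
import re
import xml.etree.ElementTree as ET

# Size limit from the known issue on this page ("more than 500 MB").
# Assumption: MB is read here as 1024 * 1024 bytes.
MAX_IMPORT_BYTES = 500 * 1024 * 1024
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed sample in Nessus v2 layout; hosts, plugin IDs and the CVE ID
# are placeholders made up for this example.
SAMPLE_NESSUS = b"""<?xml version="1.0"?>
<NessusClientData_v2>
  <Report name="constructed-sample">
    <ReportHost name="host-a.example.test">
      <ReportItem port="445" severity="3" pluginID="900001" pluginName="Sample SMB flaw">
        <cve>CVE-2099-0001</cve>
      </ReportItem>
      <ReportItem port="22" severity="2" pluginID="900002" pluginName="Sample SSH setting"/>
      <ReportItem port="0" severity="0" pluginID="900003" pluginName="Sample scan info"/>
    </ReportHost>
    <ReportHost name="host-b.example.test">
      <ReportItem port="443" severity="4" pluginID="900004" pluginName="Sample TLS flaw">
        <cve>not-a-cve</cve>
      </ReportItem>
    </ReportHost>
  </Report>
</NessusClientData_v2>
"""


def precheck_scan(stream, size_bytes):
    """Summarise a .nessus stream: size check plus findings that lack a CVE ID.

    The file is parsed incrementally because scan exports can be hundreds of
    megabytes. The standard-library parser is used on the assumption that the
    file comes from your own scanner; for untrusted XML use a hardened parser
    such as defusedxml.
    """
    summary = {
        "too_large": size_bytes > MAX_IMPORT_BYTES,
        "hosts": 0,
        "findings": 0,       # ReportItems with severity above informational
        "with_cve": 0,
        "without_cve": [],   # (host, pluginID) pairs with no well-formed CVE ID
    }
    host = None
    for event, elem in ET.iterparse(stream, events=("start", "end")):
        if event == "start":
            if elem.tag == "ReportHost":
                host = elem.get("name", "")
                summary["hosts"] += 1
            continue
        if elem.tag == "ReportItem":
            # Assumption: severity 0 is informational and is not expected
            # to map to remediation content, so it is skipped.
            if int(elem.get("severity", "0")) > 0:
                summary["findings"] += 1
                cves = [(c.text or "").strip() for c in elem.findall("cve")]
                if any(CVE_RE.match(c) for c in cves):
                    summary["with_cve"] += 1
                else:
                    summary["without_cve"].append((host, elem.get("pluginID", "")))
            elem.clear()  # release the finding's children once counted
        elif elem.tag == "ReportHost":
            elem.clear()
    return summary


def precheck_file(path):
    """Run the check on a file on disk."""
    with open(path, "rb") as fh:
        return precheck_scan(fh, os.path.getsize(path))


if __name__ == "__main__":
    result = precheck_scan(io.BytesIO(SAMPLE_NESSUS), len(SAMPLE_NESSUS))
    print("too large for import:", result["too_large"])
    print("findings with a CVE ID: %d of %d" % (result["with_cve"], result["findings"]))
    for host, plugin in result["without_cve"]:
        print("no CVE ID, expect manual mapping:", host, plugin)
```

Findings listed under `without_cve` are the ones to expect on the Risks > Vulnerabilities page as unmapped and to map manually.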

Automation Console provides role-based access to the application. Users access the Automation Console based on the 
role assigned to them in  TrueSight Server Automation. For details, see User roles and permissions.

Documentation overview
This space provides documentation for BMC Helix Automation Console (SaaS) and TrueSight Automation Console (on-premises).

Topics that are applicable for both begin with an introductory statement that mentions both the product names. 

Topics that are applicable for either BMC Helix Automation Console (SaaS) or TrueSight Automation Console (on-premises)
are indicated by appropriate text. For example, the Planning section, which is applicable only for TrueSight Automation
Console (on-premises), has a note that indicates its relevance.

Architecture

 Note
The Architecture topic is applicable for a TrueSight Automation Console (on-premises) installation only.
BMC Helix Automation Console (SaaS) is available as a service only. For details about subscribing to this service,
see BMC Helix subscriber information.

TrueSight Automation Console (on-premises) uses a microservices-based architecture and comprises an application server 
and a database. These components are deployed as a set of Docker containers. 

The following figure shows the components, their interaction, and the product architecture:

Endpoint manager
Automation Console uses TrueSight Server Automation as an endpoint manager. Currently, only one-to-one mapping with 
the endpoint manager is supported, which means a single instance of Automation Console works with a single TrueSight 
Server Automation instance. 

To authenticate with Server Automation, you must use one of these authentication methods:

• Secure Remote Password
• Domain Authentication
• RSA Secure ID
• Lightweight Directory Access Protocol

Application Server
The application server comprises the following microservices and components:

| Component | Description |
| --- | --- |
| API gateway | Nginx acts as an API gateway and reverse proxy for communication amongst the services and between the graphical user interface and the microservices. |
| Login service | Provides APIs for authenticating with the endpoint manager. Provides login, logout, authentication, and session management APIs. Also provides connector APIs required for configuring and managing connectors supported by Automation Console. This service also supports administrative actions such as configuring Service Level Agreements, adding security groups, and adding a service account. |
| UI service | Provides UI pages to the user. |
| Asset (Resource) service | Obtains a list of servers or assets in Server Automation, which is retrieved during the Data Refresh cycle. It keeps an inventory of all enrolled and decommissioned assets. This microservice is used to generate data on the Assets page. |
| Asset state service | Stores information about the state of all patches, missing or already installed, and vulnerabilities identified on all assets. This service displays data on the Risks > Missing Patches and Risks > Vulnerabilities pages and on the Patch Dashboard and Vulnerability Dashboard. |
| Catalog service | Imports catalogs from Server Automation and schedules their update. |
| ITIL service | Acts as a communicator between Policy service and TrueSight Orchestration connector to create change requests and send and receive change request data such as change templates, change request ID, change approval information, change status, and so on. |
| Policy and Operation service | Creates policies and operations in the Automation Console. While using policies and operations, patching jobs get created in Server Automation. This microservice supports actions that identify and remediate missing patches and vulnerabilities. |
| Data Refresh service | Retrieves information about all Windows and Red Hat Linux assets from Server Automation and sends it to the asset service. |
| Redis service | Used for in-memory session cache. It is also used as a database-cache for the Work Manager. |
| Work Manager | Provides capabilities to push or pull a set of requests and responses used by the Automation Console to send requests to the endpoint manager. |
| TrueSight Server Automation connector | Acts as an adapter to communicate with the Server Automation instance. It fetches requests from the Work Manager and forwards it to the Automation Console instance. Response from Automation Console is sent back to the Work Manager. |
| TrueSight Orchestration connector | Acts as an adapter to communicate with TrueSight Orchestration, which integrates with BMC Remedy IT Service Management for change automation. |
| BMC Discovery connector | Acts as an adapter to communicate with BMC Discovery to send discovered assets in your environment to Automation Console. |

Database Server
The Automation Console currently supports PostgreSQL server as a database. You can install the database as part of the 
product installation or use an existing installation of the PostgreSQL database (supported only on Linux).

Related topics
Planning

System requirements

Onboarding BMC Helix subscribers

 Only for BMC Helix Automation Console


Complete the tasks in this topic only if you have subscribed to BMC Helix Automation Console (SaaS), a service
on the BMC Helix Platform.

This topic helps you get started if you have subscribed to BMC Helix Automation Console (SaaS), which is a part of the 
BMC Helix Vulnerability Management service.

Task

1. Register with BMC.

Complete the BMC registration process and understand the subscription information. 

Review the welcome email. The welcome email includes login credentials and URL for Automation Console, FTP 
folder for downloading the TrueSight Server Automation connector, and general information about accessing and
using your service.

For details, see BMC Helix Vulnerability Management activation.

2. Complete the prerequisite tasks.

Ensure that a compatible TrueSight Server Automation version is installed. 

For details, see System requirements.

3. Configure and update the TrueSight Server Automation connector.

You run a TrueSight Server Automation connector in your environment to ensure that the connection between
the Server Automation and Automation Console is established. The connector ensures that Automation Console
receives notifications even if the Server Automation application is in an air-gapped environment. Upgrade the
connector when using the latest version of BMC Helix Automation Console (SaaS).

See Configuring the TrueSight Server Automation connector.

4. (Optional) Configure the TrueSight Orchestration connector.

This release of Automation Console supports integration with BMC Remedy ITSM for creation and approval of
change requests for remediation operations. Change automation is available for vulnerability operations only. To
enable change automation, you must configure the TrueSight Orchestration connector and ensure that other
prerequisite tasks are complete.

See Configuring the TrueSight Orchestration connector.

5. (Optional) Configure the BMC Discovery connector.

This release of Automation Console supports integration with BMC Discovery to find assets in your environment
that are not mapped in TrueSight Server Automation, and are not scanned for vulnerabilities. Using this
information, you can then scan the assets to identify vulnerabilities and remediate them.  

See Configuring the BMC Discovery connector.

6. Start managing risks.

Log in to the Automation Console and start managing missing patches and vulnerabilities.

See Logging in.

Configuring users and roles


Automation Console provides role-based access to the application. Users access Automation Console based on the role 
assigned to them in TrueSight Server Automation. For details, see User roles and permissions.

Suggested reading
To learn how to use Automation Console for performing end-to-end tasks for identifying and remediating risks, see End-to-end use cases.

User roles and permissions


BMC Helix Automation Console (SaaS) and TrueSight Automation Console (on-premises) provide role-based access to the 
application. You access the Automation Console based on the role assigned to you in the endpoint manager, Server 
Automation. 

When you log in, the security group that you currently belong to appears in the top-right corner of the user interface. If
you are assigned multiple roles in Server Automation, you can change the security group to view the application as per 
your defined role. For instructions about changing the security groups, see Logging in – Changing the security group.

Based on their roles, users can perform these tasks for an efficient and automated patch management process:

User role: Administrator

Permissions required in TrueSight Server Automation:

• By default, the BLAdmins role in Server Automation has administrative permissions in the Automation Console. Users in the BLAdmins role have access to any entity (such as policies, operations, and catalogs) created by other administrative or non-administrative users.
• The BLAdmin user in Server Automation has administrative permissions to Automation Console.

Tasks:

• Configure a service account to enable data refresh between Automation Console and Server Automation and to obtain the change request status based on the data refresh cycle.
• Manage security groups to provide role-based access to the application.
• Define Service Level Agreements that determine the period within which missing patches and vulnerabilities must be remediated.
• Import patch catalogs from Server Automation. These catalogs are used to create policies for scanning assets.

User role: Operator (Non-administrative user)

Permissions required in TrueSight Server Automation:

• If using Authorization Profiles in Server Automation, users with roles that have access to the Manage Patching Job profile, with Roles.Read authorization have non-administrative access to the Automation Console.
• If not using Authorization Profiles, ensure that Server Automation roles have access to the following authorizations:
    • BatchJob
    • BLPackage
    • DeployJob
    • DepotGroup
    • JobFolder
    • JobGroup
    • NSHScript
    • PatchCatalog
    • PatchingJob
    • PatchSmartGroup
    • Server
    • ServerGroup
• Provide permissions to the assets or catalogs to be used by the operator.
• To ensure that operators have access to artifacts created in Server Automation, and administrators in the BLAdmins role have permissions to update or delete those artifacts created by operators, do this:
    • Create an access control list (ACL) policy and assign BLAdmins permission to the policy.
    • Create an ACL template using this policy.
    • Assign the ACL template to the non-administrative or operator role.
  For details, see ACL template - Template Access Control List in Server Automation documentation.

Tasks:

• Create patch policies that run according to a schedule to identify missing patches on assets.
• Import vulnerability scan files.
• Monitor the list of missing patches and identified vulnerabilities.
• Monitor assets with missing patches, vulnerabilities, and assets that are discovered in your environment but are not scanned for vulnerabilities.
• Create operations for installing missing patches or remediating vulnerabilities on assets.
• Monitor the Patch and Vulnerability dashboards to view the patch and vulnerability compliance on assets, and other metrics in your environment.

License entitlements
BMC Helix Automation Console (SaaS) is a product in the BMC Helix Vulnerability Management service.

For information about BMC Helix Automation Console offerings and license entitlements, see BMC Helix Vulnerability Management service.

End-to-end use cases
This section provides instructions to identify and remediate risks, which include missing patches and vulnerabilities. 

• Use case: Remediating missing patches
• Use case: Remediating vulnerabilities

Use case: Remediating missing patches


This topic provides instructions on how to identify and remediate missing patches.

What do I need to get started?


• A user account with privileges to access either BMC Helix Automation Console or TrueSight Automation Console. 
You do not require administrative privileges for this use case. 
• A patch administrator must have imported patch catalogs from TrueSight Server Automation.
• A patch administrator must have defined Service Level Agreement deadlines and warning thresholds. 

How to identify and remediate?


This topic describes the steps to identify and remediate missing patches.

1. Create and run a patch policy.

For details, see Working with patch policies. 

2. View the policy scan results.

After a policy scans the assets, the results appear on the Manage Patch Policies page and on the Dashboard. 

On the Manage Patch Policies page, you can view these results: 

• Total number of assets scanned by the policy
• Date, time, and duration of the policy scan
• Number of assets that were scanned successfully or with warnings, and failed scans
• List of assets scanned by the policy and the number of missing and installed patches on these assets
• List of installed and missing patches for each scanned asset
• Logs for each asset, which contain errors and warnings

The Dashboard provides a consolidated graphical view of the patch compliance. On the Dashboard, you can view these results:

• Patch compliance percentage based on the number of patches installed and the number of missing patches
• Number of impacted assets by Service Level Agreement levels
• Number of impacted assets by patch severity
• Number of unique missing patches by their release age
• Patch remediation trend for the last six weeks
• Top 10 missing patches

For details, see Viewing patch policy results and Using Dashboards.

3. Create an operation to remediate missing patches.

For details, see Working with operations.

Use case: Remediating vulnerabilities


This topic provides instructions on how to identify and remediate vulnerabilities. 

What do I need to get started?


• A user account with privileges to access either BMC Helix Automation Console or TrueSight Automation Console. 
You do not require administrative privileges for this use case. 
• An administrator must have imported patch catalogs from TrueSight Server Automation.
• An administrator must have defined Service Level Agreement deadlines and warning thresholds. 
• Results of a vulnerability scan in a supported file format.

For details about the vulnerability scanning tools and supported formats, see Scans.

How to identify and remediate?


This topic describes the steps to identify and remediate vulnerabilities.

1. Import a vulnerability scan results file. 

For details, see Working with scans.

2. View asset details, and if required, manually map each asset. 

After you import a scan file, assets are automatically mapped to endpoints in the endpoint manager, and the results
appear on the Assets > Scanned Assets page and on the Vulnerability Dashboard. 

On the Scanned Assets page, you can view these results: 

• Assets imported from a scan, automatically mapped to endpoints
• Number of vulnerabilities identified for each asset
• Host name, IP address, and operating system of each asset
• Vulnerability management scanning tool that has scanned the assets

If assets are not mapped automatically, manually map each asset.

For details, see Working with assets.

The Vulnerability Dashboard provides a graphical view of the assets and vulnerabilities imported from a scan file. On the 
dashboard, you can view these results: 

• Total number of vulnerabilities and number of mapped and actionable vulnerabilities
• Number of impacted assets by Service Level Agreement levels
• Number of impacted assets by severity
• Number of vulnerabilities by their remediation stages
• Vulnerability remediation trend for the last six weeks
• Top 10 identified vulnerabilities and the number of impacted assets for every single vulnerability

The following figure shows the asset and vulnerability data on the Vulnerability Dashboard.

For details, see Using the Vulnerability Dashboard. 

3. View vulnerability results, and if required, manually map each vulnerability with remediation content.

After you import a scan file, vulnerabilities are automatically mapped to remediation content, which includes patches,
NSH scripts, or deploy jobs. The results appear on the Risks > Vulnerabilities page.  

On the Vulnerabilities page, you can view these results for each vulnerability: 

• Vulnerability name, ID, source, and severity
• CVE IDs associated with vulnerabilities
• Mapping status, whether mapped or unmapped, with remediation content
• Remediation content
• Number of impacted assets for each vulnerability

If vulnerabilities are not mapped to remediation content automatically, manually map each vulnerability.

For details, see Working with risks. 

4. Create an operation to remediate vulnerabilities. 

For details, see Working with operations. 

Planning
 Note
The Planning section is applicable only for a TrueSight Automation Console (on-premises) installation.
BMC Helix Automation Console (SaaS) is not available for on-premises installation. For details about subscribing 
to this service, see BMC Helix subscriber information.

This section describes the deployment scenarios, sizing requirements, and system requirements. Administrators can use
this information to plan on-premises installation. 

• Deployment scenarios
• Deployment sizing requirements
• System requirements

Deployment scenarios

 Note
This topic is applicable only for a TrueSight Automation Console (on-premises) deployment.
BMC Helix Automation Console (SaaS) is not available for on-premises installation. For details about subscribing 
to this service, see BMC Helix subscriber information.

This topic describes scenarios to help you plan the product deployment.  

• Small deployment
• Medium deployment
• Large deployment

The number of concurrent end users determines how many TrueSight Automation Console components you must actually 
deploy. To determine the deployment size appropriate for your needs, see deployment sizing matrix. The sizing matrix also 
provides minimum hardware requirements for the servers where you are installing additional components. 

You can install a single TrueSight Automation Console database and the application on the same machine. For large 
deployments, you should segregate the TrueSight Automation Console and application to separate nodes. If additional 
capacity is necessary, you can install additional instances of the TrueSight Automation Console server.

Small deployment
A small deployment consists of a single database and a single Automation Console application installed on a single host. It 
connects to a single instance of the TrueSight Server Automation Application Server.

Typically, a small deployment is used for testing, demonstration, or proof-of-concept purposes.

Medium deployment
A medium deployment consists of two Automation Console application servers installed on separate hosts. This type of 
deployment uses a single database and relies on a single TrueSight Server Automation Application Server.

Large deployment
A large deployment allows up to six instances of Automation Console application servers. The Automation Console servers 
employ a single database and rely on a single Server Automation Application Server.

Related topic
Deployment sizing requirements

Deployment sizing requirements

 Note
This topic is applicable only for a TrueSight Automation Console (on-premises) deployment.
BMC Helix Automation Console (SaaS) is not available for on-premises installation. For details about subscribing 
to this service, see BMC Helix subscriber information.

TrueSight Automation Console supports a variety of deployment configurations. Most configurations require the TrueSight 
Automation Console database and application to be installed on separate servers. 

Minimum deployment sizing requirements


The following table describes minimum requirements based on various deployment sizes. 

| Requirement | Large | Medium | Small | Minimum space required for installation (GB) |
| --- | --- | --- | --- | --- |
| Number of concurrent users | 150 | 50 | 25 | |
| Automation Console server requirements | | | | |
| Number of Automation Console servers | 6 | 2 | 1 | |
| CPUs per Automation Console Server | 8 | 8 | 8 | |
| Automation Console server memory (GB) | 32 | 24 | 16 | 10 |
| Automation Console server disk space (GB) | 100 | 100 | 100 | 10 |
| Database server requirements | | | | |
| CPUs per database server | 32 | 16 | 8 | |
| Database server memory (GB) | 64 | 32 | 16 | 8 |
| Database disk space (GB) | 150 | 120 | 100 | 25 |

A small deployment assumes that the database and the application are hosted on the same server. Memory requirements 
refer to total memory, not heap size.

If you require a deployment larger than the Large deployment described above, extrapolate the system requirements 
based on the information in the table.



What conditions were used to develop these sizing requirements?

Condition | Value
Number of existing missing patches instances in the database | 15 million
Number of servers managed by the Automation Console | 100000
Number of concurrent users (per node) | 25
Maximum scan data file size | 1GB
Average number of missing patches per server | 300
Number of servers enrolled in the Automation Console | 100000

System requirements
This topic describes the system requirements for BMC Helix Automation Console (SaaS) and TrueSight Automation 
Console (on-premises). 

• System requirements for BMC Helix Automation Console (SaaS)
• System requirements for TrueSight Automation Console (on-premises)

System requirements for BMC Helix Automation Console (SaaS)
BMC Helix Automation Console (SaaS) supports the products, versions, and browsers listed here. 

Endpoint manager requirements


The following table describes the supported endpoint manager version.

Endpoint manager | Supported versions
TrueSight Server Automation | 20.02
TrueSight Server Automation | 8.9.04.01 and later (requires hotfix 1). For details about obtaining and applying the hotfix, see Knowledge Article 000188373.



Supported BMC product versions
The following table describes the supported versions required for integrating with BMC products:

Product | Version
BMC Discovery (on-premises only) | 11.3
TrueSight Orchestration Platform (Classic deployment only) | 20.02
TrueSight Orchestration Content | 20.19.02
BMC Remedy IT Service Management (on-premises only) | 19.08

Supported browsers
Automation Console supports the following browsers:

• Google Chrome (latest version)
• Mozilla Firefox (latest version)

System requirements for TrueSight Automation Console (on-premises)
TrueSight Automation Console (on-premises) supports the software, hardware, database, and port requirements listed 
here. 

Endpoint manager requirements


The following table describes the supported endpoint manager version.

Endpoint manager | Supported versions
TrueSight Server Automation | 20.02
TrueSight Server Automation | 8.9.04.01 and later (requires hotfix 1). For details about obtaining and applying the hotfix, see Knowledge Article 000188373.

Supported browsers
Automation Console supports the following browsers:

• Google Chrome (latest version)
• Mozilla Firefox (latest version)

Supported BMC product versions


The following table describes the supported versions required for integrating with BMC products:

Product | Version
BMC Discovery (on-premises only) | 11.3
TrueSight Orchestration Platform (Classic deployment only) | 20.02
TrueSight Orchestration Content | 20.19.02
BMC Remedy IT Service Management (on-premises only) | 19.08

Third-party software
Automation Console is bundled with the following third-party software:

Product version | PostgreSQL version | Java version | Apache Tomcat web server version | Docker container operating system
20.02 | 11.2 | AdoptOpenJDK 11.0.2+9 | 9.0.21 | Alpine Linux 3.9

Docker requirements and supported operating systems


Automation Console is supported on Linux-enabled Docker, and it requires the following version of Docker:

Utility | Version
docker | 18.09.7 or later (Docker CE); 17.06.2-ee-16 or later (Docker EE)
docker-compose | 1.19.0

The following operating systems are supported:

• Red Hat Enterprise Linux 7.x
• CentOS 7.x

Minimum hardware requirements


The following table describes the minimum hardware requirements for a small deployment.

Requirement | Small | Minimum space required for installation (GB)
Number of concurrent users | 25 | -
Automation Console server requirements
Number of Automation Console servers | 1 | -
CPUs per Automation Console server | 8 | -
Automation Console server memory (GB) | 32 | 10
Automation Console server disk space (GB) | 100 | 10
Database server requirements
CPUs per database server | 8 | -
Database server memory (GB) | 16 | 8
Database disk space (GB) | 100 | 25

For more information about sizing requirements based on deployment scenarios, see Deployment sizing requirements.

Database requirements and supported versions


You can install the database by using the executables provided on the BMC Electronic Product Distribution (EPD) site, or 
you can use an existing PostgreSQL installation.

The following table describes the recommendations for a PostgreSQL database that you can use for optimal performance.

Configuration: Users, Roles
Recommendation:
• The first installation of the application automatically creates the users and roles needed by the Automation Console. The installer requests the credentials for the PostgreSQL privileged user (usually named postgres).
• Default names are provided for users and roles, but they can be customized during installation.

Configuration: Schema and Tablespaces
Recommendation:
• The Automation Console database schema uses multiple tablespaces, which are automatically created during installation.
• Data directories for the containerized database installed by the Stack Manager are created at the following locations:
  • /var/lib/postgresql/data (data directory location on the database container)
  • /var/bmc/truesight/postgresql/data (data directory location mapped to the host)
• The /var filesystem must have at least 50 GB of storage space.

Configuration: Client Authentication
Recommendation:
Ensure that the Automation Console computer can access the database server by allowing its access in the pg_hba.conf file.
The recommended configuration in pg_hba.conf is to use MD5 encryption for passwords (the md5 authentication method).

Configuration: Instance parameters
Recommendation:
BMC recommends adding or updating the following parameters in the configuration of the database server in the postgresql.conf or equivalent file:

listen_addresses = '*'
max_connections = 300
default_statistics_target = 50
constraint_exclusion = on
wal_buffers = 8MB
min_wal_size = 1GB
max_wal_size = 2GB
checkpoint_timeout = 15min
checkpoint_completion_target = 0.9
log_min_messages = fatal
log_min_error_statement = fatal
# The following parameters should be tuned according
# to the actual memory available to the database server machine.
# Example configuration for 8 GB RAM:
maintenance_work_mem = 512MB
effective_cache_size = 5GB
work_mem = 48MB
shared_buffers = 2GB

After changing these values, restart the database server.
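
With listen_addresses = '*' the server listens on every interface, so pg_hba.conf is what decides which clients may authenticate. The following check is an added example, not part of the BMC documentation: it flags network rules that use a method other than md5 or scram-sha-256 (accepting scram-sha-256 is an assumption beyond the MD5 recommendation above) or that match every client address. The function names and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# audit_pg_hba FILE
# Prints one finding per line for every host/hostssl/hostnossl rule that
#   - uses an authentication method other than md5 or scram-sha-256, or
#   - matches every client address.
# Exit status: 0 = no findings, 1 = at least one finding.
audit_pg_hba() {
    awk '
        /^[ \t]*(#|$)/ { next }      # comments and blank lines
        $1 !~ /^host/  { next }      # "local" socket rules are not network-facing
        {
            # Rule layout: TYPE DATABASE USER ADDRESS [NETMASK] METHOD [OPTIONS]
            if ($5 ~ /^[0-9.]+$/) { addr = $4 "/" $5; method = $6 }
            else                  { addr = $4;        method = $5 }

            if (method != "md5" && method != "scram-sha-256") {
                printf "line %d: method \"%s\" is not md5/scram-sha-256: %s\n", NR, method, $0
                findings++
            }
            if (addr == "all" || addr == "0.0.0.0/0" || addr == "::/0" ||
                addr == "0.0.0.0/0.0.0.0") {
                printf "line %d: rule matches every client address: %s\n", NR, $0
                findings++
            }
        }
        END { exit (findings > 0) }
    ' "$1"
}

# Constructed sample rules (not from a real server); 10.20.30.40 stands in
# for the Automation Console host.
sample_pg_hba() {
    cat <<'EOF'
# TYPE  DATABASE  USER  ADDRESS          METHOD
local   all       postgres               peer
host    all       all   0.0.0.0/0        trust
host    all       all   10.20.30.40/32   md5
host    all       all   10.20.30.41 255.255.255.255 password
EOF
}

# Usage on the database server (the path depends on the installation):
#   audit_pg_hba /path/to/pg_hba.conf
```
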

Port requirements
The port on which the Automation Console communicates with an endpoint manager must be open, and the application 
and the endpoint manager must be able to communicate with each other.

The following table provides the port numbers that you must enable for the product. 

Port | Protocol | Configured on | User can change the port number? | Firewall exception needed? | Description
10443 | TCP | Host containing the Automation Console application installation | Yes | Yes | Secure port used to access the Automation Console application.
5000 | TCP | Host containing the Automation Console application installation | Yes (at the time of installation) | Yes | Port used for communication with the Docker repository
8443/9443 | TCP | Host containing the Automation Console application installation | Yes | Yes | Port used for the WorkManager communication
5432 | TCP | Host containing the database installation | No | Yes | Port used by the database (PostgreSQL) for communication



Installing
 Note
The Installing section is applicable only for a TrueSight Automation Console (on-premises) installation.
BMC Helix Automation Console (SaaS) is not available for on-premises installation. For details about subscribing 
to this service, see BMC Helix subscriber information.

The installation process requires you to complete your planning activities before starting with the preparatory, installation,
and post-installation tasks. The following table enables you to install the product smoothly.

TrueSight Automation Console installation process

Step 1: Complete the planning activities

Use this information to plan a new deployment.

Description: Planning activities include pre-deployment considerations, sizing recommendations, and deployment options for your environment.
Procedure: Planning

Step 2: Prepare for installation

Complete the pre-installation tasks.

Description: Download the installation file and complete the pre-installation tasks.
Procedure: Preparing for installation


Step 3: Install the product (database and application)

An Automation Console deployment consists of two components: database and application. The TrueSight 
Automation Console supports PostgreSQL as the database. 

You can install the database by using the executables provided on the BMC Electronic Product Distribution (EPD) site
(recommended for demo or test environments), or use an existing PostgreSQL instance in your environment
(recommended for production environments).

Description: Install the Stack Manager tool. Using a single script in the Stack Manager tool, install the database first, and then the application server.
Procedure: Install using one of these modes:
• Installing in the interactive mode – Directly provide inputs on the command line.
• Installing silently – Create an inputs file with the required inputs and then use the file for installing the product on any number of servers.

What next?
After successfully installing the product, configure the connectors to integrate with BMC Discovery and TrueSight
Orchestration.

For details, see Configuring connectors. 

Preparing for installation

 Note
This topic is applicable only for a TrueSight Automation Console (on-premises) deployment.
BMC Helix Automation Console (SaaS) is not available for on-premises installation. For details about subscribing 
to this service, see BMC Helix subscriber information.

Installation of TrueSight Automation Console requires you to complete these preinstallation tasks. You can download the installation files from the BMC Electronic Product Distribution (EPD) site.

• Downloading the installation files
• Setting up your installation environment

Setting up your installation environment


Complete the following tasks to set up your environment:

• Ensure that the target computer meets the system requirements.
• Ensure that the servers on which you want to install the application and database are in the same time zone.
• Install a compatible TrueSight Server Automation version.
See Installing TrueSight Server Automation.
• Set up Docker in an internet-enabled environment.
OR
• Set up Docker in an air-gapped environment.

 Note
BMC recommends that you install the Automation Console and TrueSight Server Automation on different hosts.

• If you want to install using a non-root user, ensure that the user has read and write permissions to the installation
directory.
This user must also be a part of the docker user group on the host.
• If using an external PostgreSQL database, ensure that it is installed and running in your environment. 

Setting up Docker in an internet-enabled environment


This section provides sample procedures for installing the Docker Community Edition (CE) on CentOS and the Docker Enterprise Edition (EE) on Red Hat Enterprise Linux (RHEL). Commands might vary for other operating system and Docker edition combinations.

• Set up Docker CE on CentOS
• Set up Docker EE on RHEL

 Note
While setting up Docker in an internet-enabled or an air-gapped environment, the location where Docker is to be
installed must have at least 50 GB storage space.

To set up Docker CE on a CentOS computer
1. Add the Docker repository that is required to install Docker to your system:

sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo

2. Install Docker Community Edition:

sudo yum -y install docker-ce device-mapper-libs device-mapper-event-libs

3. Start the Docker daemon:



systemctl start docker

4. Enable the Docker services:

systemctl enable docker.service

5. Download Docker compose:

sudo curl -L "https://github.com/docker/compose/releases/download/1.19.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose

 Important
After you download Docker compose, ensure that /usr/local/bin/ is added to the PATH variable.

6. Grant the required permissions to Docker compose:

sudo chmod +x /usr/local/bin/docker-compose

7. To create a local Docker registry to manage Docker images, do the following:
a. Download the TSAC<versionNo>-IMAGES-LIN64.zip file from the BMC Electronic Products Distribution (EPD).
b. Create a directory on the Docker host (for example, /opt/tsac/dockerrepo) and extract the TSAC<versionNo>-IMAGES-LIN64.zip into the directory.
Ensure that the file system size of this directory is at least 10 GB.
c. Run the following command to create the local Docker registry. In the following command, replace <Directory> with the complete path of the directory that you created in step b. If there are multiple hosts, repeat this step on all the Docker hosts.

docker run -d \
-p 5000:5000 \
--restart=always \
--name registry \
-v <Directory>:/var/lib/registry \
registry:2

For example,

docker run -d \
-p 5000:5000 \
--restart=always \
--name registry \
-v /opt/tsac/dockerrepo:/var/lib/registry \
registry:2

This command creates a local Docker registry on port 5000.


8. Verify that Docker images have been pulled successfully by running the following command:

curl http://localhost:5000/v2/_catalog

Alternatively, you can verify by using the http://localhost:5000/v2/_catalog URL in a browser. 
If successful, the command returns the following output:

{"repositories":["bmcsoftware/truesight-app-vulnerability-management-drm","bmcsoftware/truesight-app-vulnerability-management-drw","bmcsoftware/truesight-app-vulnerability-management-portal","bmcsoftware/truesight-common-discovery-connector","bmcsoftware/truesight-common-exception-management","bmcsoftware/truesight-common-orchestration-connector","bmcsoftware/truesight-common-tagging","bmcsoftware/truesight-common-tsna-connector","bmcsoftware/truesight-common-tssa-connector","bmcsoftware/truesight-common-workmanager","bmcsoftware/truesight-config-configurator","bmcsoftware/truesight-infra-ext-consul","bmcsoftware/truesight-infra-ext-redis"]}

To set up Docker EE on an RHEL computer
1. To install Docker EE, you need the URL of the Docker EE repository associated with your trial or subscription, as 
follows:
a. Go to https://store.docker.com/my-content. All of your subscriptions and trials are listed.
b. Click the Setup button for Docker Enterprise Edition for Red Hat Enterprise Linux. 
c. Copy the URL from Copy and paste this URL to download your Edition and save it for later use.
2. Export the Docker URL:

export DOCKERURL="<DOCKER-EE-URL>"

DOCKER-EE-URL is the URL that you have obtained in step 1.


3. Store the value of the variable, DOCKERURL (from the previous step), in a yum variable in /etc/yum/vars/:

sudo -E sh -c 'echo "$DOCKERURL/rhel" > /etc/yum/vars/dockerurl'

4. Store your OS version string in /etc/yum/vars/dockerosversion. If you are using version 7.2, type the exact
version.

sudo sh -c 'echo "7" > /etc/yum/vars/dockerosversion'

5. Install the required packages. The yum-utils package provides the yum-config-manager utility. The device-mapper-persistent-data and lvm2 packages are required by the devicemapper storage driver:

sudo yum install -y yum-utils device-mapper-persistent-data lvm2

6. Enable the extras RHEL repository. This ensures access to the container-selinux package required by docker-ee.

sudo yum-config-manager --enable rhel-7-server-extras-rpms

7. Add the Docker repository that is required to install Docker EE to your system:

sudo yum-config-manager --add-repo "$DOCKERURL/rhel/docker-ee.repo"

8. Install the Docker EE:

sudo yum -y install docker-ee device-mapper-libs device-mapper-event-libs

9. Start the Docker daemon:

systemctl start docker

10. Enable the Docker services:



systemctl enable docker.service

11. Download and install docker compose:

sudo curl -L "https://github.com/docker/compose/releases/download/1.19.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose

12. After you download docker compose, add /usr/local/bin/ to the PATH variable.
13. Grant the required permissions to docker compose:

sudo chmod +x /usr/local/bin/docker-compose

14. Create a local Docker registry to manage Docker images, as follows:


a. Download the TSAC<versionNo>-IMAGES-LIN64.zip file from the BMC Electronic Products Distribution 
(EPD).
b. Create a directory on the Docker host (for example, /opt/tsac/dockerrepo) and extract
the TSAC<versionNo>-IMAGES-LIN64.zip into the directory.
Ensure that the file system size of this directory is at least 10 GB.
c. Run the following command to create the local Docker registry. Replace <Directory> with the complete 
path of the directory that you created in step b. If there are multiple Docker hosts, repeat this step on all
hosts.

docker run -d \
  -p 5000:5000 \
  --restart=always \
  --name registry \
  -v <Directory>:/var/lib/registry \
  registry:2

For example,

docker run -d \
-p 5000:5000 \
--restart=always \
--name registry \
-v /opt/tsac/dockerrepo:/var/lib/registry \
registry:2

This command creates a local Docker registry on port 5000.

15. Verify that Docker images have been pulled successfully by running the following command:

curl http://localhost:5000/v2/_catalog

If successful, the command returns the following output:

{"repositories":["bmcsoftware/truesight-app-vulnerability-management-drm","bmcsoftware/truesight-app-vulnerability-management-drw","bmcsoftware/truesight-app-vulnerability-management-portal","bmcsoftware/truesight-common-discovery-connector","bmcsoftware/truesight-common-exception-management","bmcsoftware/truesight-common-orchestration-connector","bmcsoftware/truesight-common-tagging","bmcsoftware/truesight-common-tsna-connector","bmcsoftware/truesight-common-tssa-connector","bmcsoftware/truesight-common-workmanager","bmcsoftware/truesight-config-configurator","bmcsoftware/truesight-infra-ext-consul","bmcsoftware/truesight-infra-ext-redis"]}


Setting up Docker in an air-gapped environment
This section provides sample procedures for installing the Docker Community Edition (CE) on CentOS and the Docker Enterprise Edition (EE) on Red Hat Enterprise Linux (RHEL). Commands might vary for other operating system and Docker edition combinations.

To set up Docker CE on a CentOS computer in an air-gapped environment


1. Ensure that Docker CE is installed on the computer where you want to install the application.
2. Start the Docker daemon:

systemctl start docker

3. Enable the Docker services:

systemctl enable docker.service

4. Switch to the computer that has internet access and download docker compose using the following command:

sudo curl -L "https://github.com/docker/compose/releases/download/1.19.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose

5. Copy the downloaded file to the /usr/local/bin directory on the computer where you want to install the 
application:

 Important
After you download docker compose, ensure that /usr/local/bin/ is added to the PATH variable.

6. Grant the required permissions to docker compose:

sudo chmod +x /usr/local/bin/docker-compose

7. Create a local Docker registry to manage Docker images, as follows:


a. Download the TSAC<versionNo>-IMAGES-LIN64.zip file from the BMC Electronic Products Distribution 
(EPD) on the computer where you have internet access.
b. Run the following command to download the files required to create the Docker registry:

docker pull registry:2 \
&& docker save docker.io/registry:2 -o docker-io.registry.tar

c. Copy the downloaded file (docker-io.registry.tar) to the computer on which you want to install the application (Docker host).
d. On the Docker host, run the following command to load the registry image:

docker load -i docker-io.registry.tar

e. Copy the TSAC<versionNo>-IMAGES-LIN64.zip to the Docker host.


f. Create a directory on the Docker host (for example, /opt/tsac/dockerrepo) and extract
the TSAC<versionNo>-IMAGES-LIN64.zip into the directory.
Example:

mkdir -p /opt/tsac/dockerrepo
unzip TSAC-<version>-IMAGES-LIN64.zip -d /opt/tsac/dockerrepo

g. Run the following command to create the local Docker registry. In the following command, replace <Directory> with the complete path of the directory that you created in step f. If there are multiple hosts, repeat this step on all the Docker hosts.

docker run -d \
-p 5000:5000 \
--restart=always \
--name registry \
-v <Directory>:/var/lib/registry \
registry:2

Example:

docker run -d \
-p 5000:5000 \
--restart=always \
--name registry \
-v /opt/tsac/dockerrepo:/var/lib/registry \
registry:2

This command creates a local Docker registry on port 5000.


8. Verify that Docker images have been pulled successfully by running the following command:

curl http://localhost:5000/v2/_catalog

If successful, the command returns the following output:

{"repositories":["bmcsoftware/truesight-app-utilities","bmcsoftware/truesight-app-vulnerability-management-drm","bmcsoftware/truesight-app-vulnerability-management-drw","bmcsoftware/truesight-app-vulnerability-management-portal","bmcsoftware/truesight-common-discovery-connector","bmcsoftware/truesight-common-exception-management","bmcsoftware/truesight-common-itil","bmcsoftware/truesight-common-orchestration-connector","bmcsoftware/truesight-common-tagging","bmcsoftware/truesight-common-tsna-connector","bmcsoftware/truesight-common-tssa-connector","bmcsoftware/truesight-common-workmanager","bmcsoftware/truesight-config-configurator","bmcsoftware/truesight-infra-ext-consul","bmcsoftware/truesight-infra-ext-redis"]}

To set up Docker EE on an RHEL computer in an air-gapped environment


1. Ensure that Docker EE is installed on the computer where you want to install the application.
2. Run the following command to start the Docker daemon:

systemctl start docker

3. Enable the Docker services:

systemctl enable docker.service

4. Connect to the computer that has internet access and download docker compose using this command:

sudo curl -L "https://github.com/docker/compose/releases/download/1.19.0/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose

5. Copy the downloaded file to the /usr/local/bin directory on the computer where you want to install the 
application:

 Important
After you download docker compose, ensure that /usr/local/bin/ is added to the PATH variable.

6. Grant the required permissions to docker compose:

sudo chmod +x /usr/local/bin/docker-compose

7. Create a local Docker registry to manage Docker images, as follows:


a. Download the TSAC<versionNo>-IMAGES-LIN64.zip file from the BMC Electronic Products Distribution 
(EPD) on the computer where you have internet access.
b. Run the following command to download the files required to create the Docker registry:

docker pull registry:2 \
&& docker save docker.io/registry:2 -o docker-io.registry.tar

c. Copy the downloaded file (docker-io.registry.tar) to the computer on which you want to install the application (Docker host).
d. On the Docker host, run the following command to load the registry image:

docker load -i docker-io.registry.tar

e. Copy the TSAC<versionNo>-IMAGES-LIN64.zip to the Docker host.


f. Create a directory on the Docker host (for example, /opt/tsac/dockerrepo) and extract
the TSAC<versionNo>-IMAGES-LIN64.zip into the directory.
Example:

mkdir -p /opt/tsac/dockerrepo
unzip TSAC-<version>-IMAGES-LIN64.zip -d /opt/tsac/dockerrepo

g. Create the local Docker registry. Replace <Directory> with the complete path of the directory that you 
created in step f. If there are multiple Docker hosts, repeat this step on all hosts.

docker run -d \
-p 5000:5000 \
--restart=always \
--name registry \
-v <Directory>:/var/lib/registry \
registry:2

Example:



docker run -d \
-p 5000:5000 \
--restart=always \
--name registry \
-v /opt/tsac/dockerrepo:/var/lib/registry \
registry:2

This command creates a local Docker registry on port 5000.


8. Verify that Docker images have been pulled successfully by running the following command:

curl http://localhost:5000/v2/_catalog

If successful, the command returns the following output:

{"repositories":["bmcsoftware/truesight-app-utilities","bmcsoftware/truesight-app-vulnerability-management-drm","bmcsoftware/truesight-app-vulnerability-management-drw","bmcsoftware/truesight-app-vulnerability-management-portal","bmcsoftware/truesight-common-discovery-connector","bmcsoftware/truesight-common-exception-management","bmcsoftware/truesight-common-itil","bmcsoftware/truesight-common-orchestration-connector","bmcsoftware/truesight-common-tagging","bmcsoftware/truesight-common-tsna-connector","bmcsoftware/truesight-common-tssa-connector","bmcsoftware/truesight-common-workmanager","bmcsoftware/truesight-config-configurator","bmcsoftware/truesight-infra-ext-consul","bmcsoftware/truesight-infra-ext-redis"]}
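
The catalog verification step that closes each of the four Docker setup procedures can be scripted instead of compared by eye. The following is an added example, not part of the BMC documentation: it checks a /v2/_catalog response for the 13 repositories that appear in all of the sample outputs above (the air-gapped outputs list two more). The function and variable names are hypothetical.

```shell
#!/bin/sh
# Repositories common to every sample _catalog output shown on this page.
EXPECTED_REPOS='bmcsoftware/truesight-app-vulnerability-management-drm
bmcsoftware/truesight-app-vulnerability-management-drw
bmcsoftware/truesight-app-vulnerability-management-portal
bmcsoftware/truesight-common-discovery-connector
bmcsoftware/truesight-common-exception-management
bmcsoftware/truesight-common-orchestration-connector
bmcsoftware/truesight-common-tagging
bmcsoftware/truesight-common-tsna-connector
bmcsoftware/truesight-common-tssa-connector
bmcsoftware/truesight-common-workmanager
bmcsoftware/truesight-config-configurator
bmcsoftware/truesight-infra-ext-consul
bmcsoftware/truesight-infra-ext-redis'

# missing_repos CATALOG_JSON
# Prints each expected repository that is absent from the response.
# Exit status: 0 = all present, 1 = at least one missing.
# The body runs in a subshell, so "exit" only leaves the function.
missing_repos() (
    # Reduce the "repositories" array to one bare name per line.
    present=$(printf '%s' "$1" | tr -d '\n' |
        sed -n 's/.*"repositories"[[:space:]]*:[[:space:]]*\[\([^]]*\)].*/\1/p' |
        tr ',' '\n' |
        sed 's/^[[:space:]]*"//; s/"[[:space:]]*$//')

    status=0
    for repo in $EXPECTED_REPOS; do
        # -F: literal string, -x: whole line, so a longer name cannot match.
        if ! printf '%s\n' "$present" | grep -Fxq -- "$repo"; then
            echo "$repo"
            status=1
        fi
    done
    exit "$status"
)

# Usage on the Docker host after the registry container is started:
#   missing_repos "$(curl -s http://localhost:5000/v2/_catalog)"
```
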

Configuring the product for firewall and Security-Enhanced Linux


If a firewall is running and SELinux is enabled, follow these instructions to open the ports:

1. Open these ports on the firewall using the following command for each of the ports:

firewall-cmd --permanent --add-port portNumber/tcp

Port | Protocol | Configured on | User can change the port number? | Firewall exception needed? | Description
10443 | TCP | Host containing the Automation Console application installation | Yes | Yes | Secure port used to access the Automation Console application.
5000 | TCP | Host containing the Automation Console application installation | Yes (at the time of installation) | Yes | Port used for communication with the Docker repository
8443/9443 | TCP | Host containing the Automation Console application installation | Yes | Yes | Port used for the WorkManager communication
5432 | TCP | Host containing the database installation | No | Yes | Port used by the database (PostgreSQL) for communication

2. Restart the firewall by running the following command: 

systemctl restart firewalld

3. Stop the Docker service by running the following command: 

systemctl stop docker

4. Reset the Docker network adapter by running the following commands: 

iptables -t nat -F
ifconfig docker0 down
brctl delbr docker0

5. Start the Docker service by running the following command:

systemctl start docker

Where to go from here?


After completing the preinstallation tasks, you can begin installing in the interactive mode. 

Downloading the installation files

 Note
This topic is applicable only for a TrueSight Automation Console (on-premises) deployment.
BMC Helix Automation Console (SaaS) is not available for on-premises installation. For details about subscribing 
to this service, see BMC Helix subscriber information.



You obtain the product installation files by downloading them from the BMC Electronic Product Distribution (EPD)
website. You can access product pages on the EPD website based on the license entitlements purchased by your company.

Installation files
The following table provides links to the page in the EPD website that contains the installation files for this product. From
the EPD page, you can select and download the installation files for your platform. Access to the EPD website requires that
you provide your BMC Support credentials. You might also be prompted to complete the Export Compliance Form.

EPD link to product | Components
TrueSight Automation Console 20.02.01 | TrueSight Automation Console Installer Container Images; Third Party Open Source Software
TrueSight Automation Console 20.02 | TrueSight Automation Console Docker Container Images; Third Party Open Source Software

To verify the files


Locate the file you downloaded and verify the SHA checksum results before installation.

 Tip
You can use any SHA checksum tool to verify the checksum results.

File name | SHA256
TSAC-2002-IMAGES-LIN64.zip (Patch 1 for TrueSight Automation Console) | c223fee60f4521b719090a1ddf37a0db092df97732d55fb98a199252afe1c456
TPS_TSAC2002.zip (Patch 1 for TrueSight Automation Console) | 07531d38e2309e7fb69181ab37cbca6b56fc17f973fdde2afa00754cff75ef0d
TSAC-2002-IMAGES-LIN64.zip | 8900be1c5423f251337ce530f3ca5f4489706d60334ddea49cb7dfa0f619d01b
TPS_TSAC2002.zip | 6759b8dcccd9e934ec0e4e1b974ac7b238875168ec3b9d45c854eb839e112386
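
One way to perform the checksum verification so that a mismatch stops the installation, as an added example that is not part of the BMC documentation. The function names verify_sha256 and unpack_if_verified are hypothetical; the script assumes the sha256sum and unzip utilities are installed, and the expected digest is the value from the table above for the file you downloaded.

```shell
#!/bin/sh
# verify_sha256 FILE EXPECTED_HEX
# Exit status: 0 = digest matches, 1 = mismatch, 2 = unusable input.
# The body runs in a subshell, so its variables stay local and "exit" only
# leaves the function.
verify_sha256() (
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')

    # A digest copied from a wrapped table cell is easily truncated or split;
    # insist on exactly 64 hex characters before comparing anything.
    case $expected in
        ''|*[!0-9a-f]*) echo "expected digest is not hex: $2" >&2; exit 2 ;;
    esac
    if [ "${#expected}" -ne 64 ]; then
        echo "expected digest has ${#expected} characters, not 64" >&2
        exit 2
    fi
    if [ ! -f "$file" ]; then
        echo "no such file: $file" >&2
        exit 2
    fi

    actual=$(sha256sum < "$file" | cut -d' ' -f1)
    if [ "$actual" = "$expected" ]; then
        echo "OK $file"
    else
        echo "MISMATCH $file" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        exit 1
    fi
)

# unpack_if_verified ZIP EXPECTED_HEX DEST
# Extracts the archive only after its digest has been confirmed.
unpack_if_verified() {
    verify_sha256 "$1" "$2" || return 1
    mkdir -p "$3" && unzip -q "$1" -d "$3"
}

# Usage:
#   unpack_if_verified TSAC-2002-IMAGES-LIN64.zip <SHA256 from the table> /opt/tsac/dockerrepo
```
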


Where to go from here
Complete the other pre-installation tasks listed in the Preparing for installation page. 

Installing in the interactive mode

 Note
This topic is applicable only for a TrueSight Automation Console (on-premises) deployment.
BMC Helix Automation Console (SaaS) is not available for on-premises installation. For details about subscribing 
to this service, see BMC Helix subscriber information.

This topic provides the instructions to install the TrueSight Automation Console database and the application components 
using the Stack Manager tool. 

 Warning
TrueSight Automation Console is delivered to customers bundled as a set of Docker Containers. The Docker 
Containers and the software installed on them should not be taken out of Automation Console or used 
separately. Installing additional third-party software or updating existing software packages in the Docker 
Containers is not permitted, unless explicitly authorized by BMC Software.

Installing the Stack Manager tool


1. Open a terminal and SSH into the host where you have set up the local registry, and run the following command to 
install the Stack Manager tool. 

docker run -it --rm --network=host 127.0.0.1:5000/bmcsoftware/truesight-stack-manager

Here, 127.0.0.1:5000 is the host:port of the local registry that contains the BMC Helix Automation 
Console images.  
You are prompted to specify a location to install the product.  
2. Enter a location or continue with the default /opt/bmc location. 
3. Enter a username and password. 
You can use a root or a non-root user. If using a non-root user, ensure that the user has read and write permissions
to the installation directory and is a part of the docker user group on the host. The Stack Manager tool is installed 
at the specified location. You can now continue with installing the database and the application. 

 Tip
To see the commands typically used during installation and other help, run this command:
./stackmanager --help



Installing the database
By default, PostgreSQL database is installed with the product. However, BMC recommends that you do not use the
containerized DB for your production environments. Use an external PostgreSQL database instead. 

1. On the host where the Stack Manager tool is installed, run any of the following commands to start installing the
database. 

./stackmanager install --deployment=database

or 

./stackmanager install --deployment database

2. Verify whether the default Docker registry details are accurate and press Enter to continue. 
The End User License Agreement is displayed. 
3. Read, and type y to continue with the installation. 
4. After accepting the license agreement, you must provide the values that match your environment or accept the
default values: 



Field: Docker network subnet prefix
Default value: -
Notes: Ensure that the subnet prefix does not conflict with the subnet CIDR or the IP address (172.xx.0.0/16) of your datacenter for the docker0 (docker network adapter/bridge).
The IP address can be set to either a single octet (for example, 192, which creates the docker networks as 192.X.X.X and so on) or two octets (for example, 192.112, which creates docker networks as 192.112.X.X and so on). This value is used to create the internal docker network (application and data network) for container communications and is not visible outside the host machine.
Note: You have to avoid the subnet/IP of the network that the host is connected to.
To view the current docker settings, run the docker network inspect bridge command.
Alternatively, if you have created a daemon.json configuration file after setting up Docker, verify the current settings in the file. For example, run cat /etc/docker/daemon.json. The file shows the current setting as { "bip": "172.17.0.1/16" }.

Field: Port number for PostgreSQL server
Default value: 5432
Notes: Do not change the default port number.

Field: PostgreSQL Admin username
Default value: postgres

Field: PostgreSQL Admin password
Default value: -

PostgreSQL database installation is complete. 
5. To verify whether the installation is successful, run the following command:

./stackmanager status --deployment=database

The following status is displayed.



Components status for database:
 
Name Container Name Version Status
---- -------------- ------- ------
PostgreSQL database-infra-ext-postgres 11.2-alpine running

Now that you have successfully installed the database, you can begin installing the application.

 Note
BMC recommends that you install the TrueSight Automation Console Application Server and the database on different host
servers. However, for a proof-of-concept or a test environment, both the TrueSight Automation Console
application and database can be installed on the same host.

Installing the Automation Console application
Install the application after successfully installing the database. 

1. On the host where the Stack Manager tool is installed, run any of the following commands to start installing the
application. 

./stackmanager install --deployment=tsac+

or

./stackmanager install --deployment tsac+

The installer confirms whether the database is already installed. The following message is displayed. 

Stack Manager installs the application in a user specified
directory. The default location is /opt/bmc/truesight.
 
Enter a directory where services will be installed (the
directory will be created if does not exist):
 
Press Return/Enter to continue.To skip press
'q'|'quit'|'Q'|'Quit' then press Return/Enter.

The End User License Agreement is displayed. 
2. Read, and type y to continue with the installation. 
3. After accepting the license agreement, you must provide the values that match your environment or accept the
default values: 



Field: Docker network subnet prefix
Default value: Note: Ensure that the subnet prefix does not conflict with the subnet CIDR or the IP address (172.xx.0.0/16) of your datacenter for the docker0 (docker network adapter/bridge).
The IP address can be set to either a single octet (for example, 192, which creates the docker networks as 192.X.X.X and so on) or two octets (for example, 192.112, which creates docker networks as 192.112.X.X and so on). This value is used to create the internal docker network (application and data network) for container communications and is not visible outside the host machine.
Note: You have to avoid the subnet/IP of the network that the host is connected to.
To view the current docker settings, run the docker network inspect bridge command.
Alternatively, if you have created a daemon.json configuration file after setting up Docker, verify the current settings in the file. For example, run cat /etc/docker/daemon.json. The file shows the current setting as { "bip": "172.17.0.1/16" }.
This field is required when you install the database and application on separate hosts.

Field: Port number for internal application components
Default value: 9443

Field: Fully-qualified domain name or IP address of the PostgreSQL server installed in the previous step
Default value: BMC recommends that you do not use the containerized DB for your production environments. Use an external PostgreSQL database instead.

Field: Port number of the PostgreSQL server
Default value: 5432
This field is required when you install the database and application on separate hosts.

Field: Password for the PostgreSQL Admin user 'postgres':

Field: Name of the database
Default value: tsac_database

Field: New username for the database
Default value: tsac_database_user

Field: Password for the new database user
Default value: -

Field: PostgreSQL tablespace
Default value: tsac_tablespace

Field: Directory for the system tablespace on the PostgreSQL server
Default value:
- For containerized PostgreSQL server installed by the StackManager, the default directory, which is not configurable, is: /var/lib/postgresql/data/tsac_tablespace
- For an external non-containerized PostgreSQL database, provide a different database directory.

Field: Automation Console port number
Default value: 10443

Field: TrueSight Server Automation hostname

Field: TrueSight Server Automation port number
Default value: 9843

Field: TrueSight Server Automation protocol
Default value: https

Field: TrueSight Server Automation admin role name
Default value: BLAdmins

Field: TrueSight Server Automation Service Account username
Default value: BLAdmin

Field: TrueSight Server Automation password for the Service Account user

Field: TrueSight Server Automation role name for the Service Account user
Default value: BLAdmins

Field: TrueSight Server Automation login authentication type for the Service Account user
Default value: SRP
Valid values: SRP, Domain

Automation Console application installation is complete. 



4. To verify whether the installation is successful, run the following command: 

./stackmanager status --deployment=application

The following status is displayed.

Components status for application:


 
Name Container Name Version Status
---- -------------- ------- ------
Catalog service truesight-app-catalog-service 20.02.00.455 running
Consul truesight-infra-ext-consul 20.02.00.45 running
Discovery OnPrem Connector truesight-common-discovery-onprem-connector 20.02.00.52 running
ITIL service truesight-common-itil 20.02.00.184 running
Login service truesight-common-login 20.02.00.543 running
Nginx truesight-app-nginx 20.02.00.601 running
Patch Manager portal truesight-app-patch-manager-portal 20.02.00.881 running
Patch Manager service truesight-app-patch-manager-core 20.02.00.756 running
Policy service truesight-app-policy-service 20.02.00.706 running
Redis truesight-infra-ext-redis 20.02.00.72 running
Redis-common truesight-infra-ext-redis-common 20.02.00.72 running
Resource service truesight-common-resource-service 20.02.00.493 running
TSSA Connector truesight-common-tssa-connector 20.02.00.441 running
TSO Connector truesight-common-ts0-connector 20.02.00.207 running
TSVM Data Refresh Manager truesight-app-vulnerability-management-drm 20.02.00.3345 running
TSVM Data Refresh Worker truesight-app-vulnerability-management-drw 20.02.00.3345 running
WorkManager truesight-common-workmanager 20.02.00.429 running

Where to go next?
Now that you have installed the product successfully, administrators can start setting up the application for your patch and
vulnerability management needs. You can start using its features based on your role and requirements. 

If you want to integrate with BMC Discovery to identify discovered assets, and TrueSight Orchestration to enable change
automation, configure the connectors.

For details, see Configuring connectors. 

Installing silently

 Note
This topic is applicable only for a TrueSight Automation Console (on-premises) deployment.
BMC Helix Automation Console (SaaS) is not available for on-premises installation. For details about subscribing 
to this service, see BMC Helix subscriber information.

This topic provides instructions to create an input file and install the TrueSight Automation Console components silently. 



 Warning
TrueSight Automation Console is delivered to customers bundled as a set of Docker Containers. The Docker 
Containers and the software installed on them should not be taken out of Automation Console or used 
separately. Installing additional third-party software or updating existing software packages in the Docker 
Containers is not permitted, unless explicitly authorized by BMC Software.

Installing the Stack Manager tool


1. Open a terminal and SSH into the host where you have set up the local registry earlier and run the following 
command to start the Stack Manager tool. 

docker run -it --rm --network=host 127.0.0.1:5000/bmcsoftware/truesight-stack-manager

Here, 127.0.0.1:5000 is the host:port of the local registry that contains the TrueSight Automation Console images.  
You are prompted to specify a location to install the product. 
2. Enter a location or continue with the default /opt/bmc location. 
3. Enter a username with root level permissions and the password. 
The Stack Manager tool is installed at the specified location. You can now continue with installing the database and
the application. 

Installing silently
You use the Stack Manager tool to create an inputs file, then install the database, and then the application. 

1. Open a terminal and SSH into the host where you have installed the Stack Manager tool and run the following 
command to create the input file. 

./stackmanager inputs-file create

You are asked for the inputs required for the installation. 
2. To create an inputs file, provide the following information required for installing the Automation Console. 
Input file for the Automation Console

Field: TrueSight application directory
Description: Specifies the directory where the Automation Console application will be installed
Default value: /opt/bmc/truesight

Field: Docker network subnet prefix
Description: Docker network subnet prefix is composed of one to two octets separated by a dot. Each octet is a number between 0 and 255 (excluding 0 and 255). Leading zero in an octet is not allowed. The chosen docker network subnet prefix must not conflict with docker registry host IP. Examples: 192.168, 10.
Default value: -

Field: Application port number
Description: Specifies the port number for the Automation Console application server
Default value: 9443

Field: Hostname or IP address of the PostgreSQL database server
Description: Specifies the fully qualified domain name (FQDN) or IP address of the host where the default PostgreSQL database will be installed. For production environment, use an external PostgreSQL database.
Default value: No default value. User must specify a value.

Field: PostgreSQL database port number
Description: Specifies the port number for the PostgreSQL database
Default value: 5432

Field: PostgreSQL Admin username
Description: Specifies the database administrator username
Default value: postgres

Field: PostgreSQL Admin password
Description: Specifies the password that matches the username
Default value: -

Field: PostgreSQL username
Description: Specifies the username for a non-administrative user
Default value: tsac_database_user

Field: PostgreSQL password
Description: Specifies the password that matches the username
Default value: -

Field: PostgreSQL tablespace directory
Description: Specifies the directory of the system tablespace on the PostgreSQL server
Default value: /var/lib/postgresql/data/tsac_tablespace

Field: Automation Console port number
Description: Specifies the port number to be used for the Automation Console
Default value: 10443

Field: TrueSight Server Automation host name
Description: Specifies the hostname where Server Automation is installed, in an FQDN format
Default value: -

Field: Server Automation port number
Description: Specifies the port number where Server Automation is installed.
Default value: -

Field: Server Automation protocol
Description: Specifies the protocol used by Server Automation
Default value: https

Field: Server Automation admin role
Description: Specifies the administrative role name for Server Automation
Default value: BLAdmins

Field: Service Account user name of TrueSight Server Automation user
Description: Specifies the username with permissions to access Server Automation
Default value: BLAdmin

Field: Password for the TrueSight Server Automation Service Account user
Description: Specifies the password for the username
Default value: -

Field: Role name for the TrueSight Server Automation Service Account user
Description: Specifies the Server Automation role to which the user belongs
Default value: BLAdmins

Field: Login authentication type for the TrueSight Server Automation Service Account user
Description: Specifies the authentication method. Valid values: SRP, Domain Authentication
Currently, only Secure Remote Password (SRP) and Domain Authentication methods are supported.
Valid values: SRP, Domain
Default value: SRP

3. To verify whether the inputs file is created successfully, run the following command: 

./stackmanager inputs-file show

Enter the location where the file is created. Default location is /opt/bmc/truesight.
The following figure shows a sample inputs_file.yml file.
Sample inputs_file.yml for the database



products:
docker_registry:
hostname: localhost:5000
nw:
addressPool: '194'
postgres:
port: '5432'
admin:
name: postgres
password: eLu1rc4cvZIWbC8xftxcKN3VBRkBYhMaDA5LK1mKDP/729QW

Sample inputs.yml file for the application



products:
docker_registry:
hostname: localhost:5000
infra:
config:
wmport: '9443'
nw:
addressPool: '193'
tssa-connector:
wmport: '9443'
workerID: tssa-connector
fqUserSuffix: defaulttenant.tssa
host: 172.12.123.123
port: '9843'
protocol: https
adminRole: BLAdmins
serviceUser: BLAdmin
serviceUserPassword: Vtq6yCnBIttq+tt09fMhoo2kRL5sF6+4Q2VKMT4LYgt512W2
serviceUserRole: BLAdmins
serviceUserAuthType: SRP
tssp:
db:
name: tsac_database
hostname: host.com
port: '5432'
admin:
name: postgres
password: NMBs+8Dznqzw02HUWu0M3/pzL70wUbwL8umVse00eQfEeWpX
es:
hostname: localhost
port: '9200'
username: admin
password: 5KsZnikvshF1msDZrAKv7Aop92qEiK0AUWNB5Npid6yuB7Ty//uO6Q==
tsvm:
db:
name: tsac_database
hostname: host.com
port: '5432'
admin:
name: postgres
password: NMBs+8Dznqzw02HUWu0M3/pzL70wUbwL8umVse00eQfEeWpX
user:
name: tsac_database_user
password: 2c+qV4yWg7gA60NpPxYpzCowJA6aZDAiAvCwQDI7OdvIU5dX
tablespaces:
tablespace: tsac_tablespace
directory: /var/lib/postgresql/data/tsac_tablespace
data: tsac_database_user_dat
index: tsac_database_user_idx
es:
hostname: localhost
port: '9200'
username: admin
password: 5KsZnikvshF1msDZrAKv7Aop92qEiK0AUWNB5Npid6yuB7Ty//uO6Q==

4. To install the database silently, run the following command: 

./stackmanager install --silent --deployment database

Stack Manager uses the inputs provided in the inputs file and installs the database. 
5. To verify whether the database is installed successfully, run the following command: 



./stackmanager status --deployment database

6. To install the application silently, run the following command:

./stackmanager install --silent --deployment tsac+

Stack Manager uses the inputs provided in the inputs file, verifies whether the database is installed, and installs
the application.
7. To verify whether the application is installed successfully, run the following command: 

./stackmanager status --deployment application
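
The Docker network subnet prefix rules from the inputs-file table, together with the earlier instruction to avoid the docker0 bridge and the host's own network, can be checked before the installer is run. The following Python check is an added example, not part of Stack Manager or the BMC documentation. It assumes a one-octet prefix may use all of A.0.0.0/8 and a two-octet prefix all of A.B.0.0/16; the host and registry addresses in the sample are constructed.

```python
import ipaddress
import json
import re

# Rules from the inputs-file table: one or two dot-separated octets,
# each from 1 to 254, with no leading zero.
PREFIX_RE = re.compile(r"[1-9][0-9]{0,2}(\.[1-9][0-9]{0,2})?")


def prefix_to_network(prefix):
    """Validate a subnet prefix and return the IPv4 range it covers.

    Assumption: a one-octet prefix can use any address in A.0.0.0/8 and a
    two-octet prefix any address in A.B.0.0/16, following the page's
    192.X.X.X and 192.112.X.X description.
    """
    if not PREFIX_RE.fullmatch(prefix):
        raise ValueError(f"{prefix!r}: expected one or two octets, no leading zero")
    octets = [int(part) for part in prefix.split(".")]
    if any(octet > 254 for octet in octets):
        raise ValueError(f"{prefix!r}: each octet must be between 1 and 254")
    padded = octets + [0] * (4 - len(octets))
    return ipaddress.ip_network("{}.{}.{}.{}/{}".format(*padded, 8 * len(octets)))


def bip_from_daemon_json(text):
    """Return the "bip" value from daemon.json content, or None if unset."""
    return json.loads(text).get("bip")


def find_conflicts(prefix, in_use):
    """Return the labels of in-use addresses or CIDRs that the prefix overlaps.

    in_use maps a label to an address ("10.1.2.3") or a CIDR ("172.17.0.1/16").
    """
    candidate = prefix_to_network(prefix)
    conflicts = []
    for label, value in in_use.items():
        if not value:
            continue  # for example, no "bip" configured
        network = ipaddress.ip_interface(value).network
        if network.version == 4 and candidate.overlaps(network):
            conflicts.append(label)
    return conflicts


# Constructed sample environment. Only the bip value appears on the page;
# the host and registry addresses are made up for the example.
SAMPLE_DAEMON_JSON = '{ "bip": "172.17.0.1/16" }'
SAMPLE_IN_USE = {
    "docker0 bridge (bip)": bip_from_daemon_json(SAMPLE_DAEMON_JSON),
    "host network": "192.168.10.25/24",
    "docker registry host": "10.20.30.40",
}


def check(prefix, in_use=SAMPLE_IN_USE):
    """Return (ok, message) for a candidate prefix."""
    try:
        conflicts = find_conflicts(prefix, in_use)
    except ValueError as err:
        return False, str(err)
    if conflicts:
        return False, f"{prefix}: overlaps " + ", ".join(conflicts)
    return True, f"{prefix}: no overlap with the listed networks"


if __name__ == "__main__":
    for candidate in ("194", "172", "172.18", "192.168", "10", "192.0", "01"):
        print(check(candidate)[1])
```

Replace SAMPLE_IN_USE with the bip from /etc/docker/daemon.json (or the subnet reported by docker network inspect bridge), the host's interface addresses, and the registry host IP.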

Where to go next?
Now that you have installed the product successfully, administrators can start setting up the application for your patch
management needs. You can start using the features based on your role and requirements. 

Configuring application clusters

 Note
This topic is applicable only for a TrueSight Automation Console (on-premises) deployment.
BMC Helix Automation Console (SaaS) is not available for on-premises installation. For details about subscribing 
to this service, see BMC Helix subscriber information.

For a medium or large sized deployment, an administrator deploys multiple instances of the TrueSight Automation
Console application server component and creates an application cluster. You must configure a cluster of application
servers to replicate information so if one fails, other members of the cluster have access to the same information. 

You can use any proxy solution to configure application clusters. This topic provides instructions on how to share data in 
a TrueSight Automation Console (on-premises) application cluster using the High Availability Proxy (HA Proxy) solution. 

Configuring an application cluster using HA Proxy


1. On a host where the Automation Console application is not installed, run the following command to install HA 
Proxy.

yum install haproxy

A configuration file, haproxy.cfg, is created in the /etc/haproxy directory.
2. Navigate to the /etc/haproxy directory and replace the content in the default haproxy.cfg file with the following 
content. 
Sample haproxy.cfg file



#---------------------------------------------------------------------
# Example configuration for a possible web application. See the
# full configuration options online.
#
# http://haproxy.1wt.eu/download/1.4/doc/configuration.txt
#
#---------------------------------------------------------------------
 
#---------------------------------------------------------------------
# Global settings
#---------------------------------------------------------------------
global
# to have these messages end up in /var/log/haproxy.log you will
# need to:
#
# 1) configure syslog to accept network log events. This is done
# by adding the '-r' option to the SYSLOGD_OPTIONS in
# /etc/sysconfig/syslog
#
# 2) configure local2 events to go to the /var/log/haproxy.log
# file. A line like the following can be added to
# /etc/sysconfig/syslog
#
# local2.* /var/log/haproxy.log
#
log 127.0.0.1 local2
 
chroot /var/lib/haproxy
pidfile /var/run/haproxy.pid
maxconn 4000
user haproxy
group haproxy
daemon
 
# turn on stats unix socket
stats socket /var/lib/haproxy/stats
 
defaults
timeout server 86400000
timeout connect 86400000
timeout client 86400000
timeout queue 1000s
 
 
frontend localnodes
bind *:<portNumber>
mode tcp
default_backend http_1
 
 
# Learn SSL session ID from both request and response and create affinity.
backend http_1
mode tcp
balance roundrobin
 
# maximum SSL session ID length is 32 bytes.
stick-table type binary len 32 size 30k expire 30m
 
acl clienthello req_ssl_hello_type 1
acl serverhello rep_ssl_hello_type 2
 
# use tcp content accepts to detect SSL client and server hello.
tcp-request inspect-delay 5s
tcp-request content accept if clienthello



 
# no timeout on response inspect delay by default.
tcp-response content accept if serverhello
 
# SSL session ID (SSLID) may be present on a client or server hello.
# Its length is coded on 1 byte at offset 43 and its value starts
# at offset 44.
# Match and learn on request if client hello.
stick on payload_lv(43,1) if clienthello
 
# Learn on response if server hello.
stick store-response payload_lv(43,1) if serverhello
 
server server1 <IPAddress_hostA>/<FQDN_hostA>:<portNumber>
server server2 <IPAddress_hostB>/<FQDN_hostB>:<portNumber>

3. Open the file in a text editor, and locate the frontend localnodes section and replace <portNumber> with 
the secure port used to access the Automation Console application. 

Example

frontend localnodes
bind *:10443
mode tcp
default_backend http_1

4. At the end of the file, replace <IPAddress_hostA>/<FQDN_hostA> with the Fully Qualified Domain Name or IP 
Address of the application server host, and <portNumber> with the secure port used to access the Automation 
Console application. 
Increase the number of entries based on the number of application instances you have installed. For example, if you have
four instances of the application, add four server counter entries. 

 Note
You must specify the same port number for all the application servers.

5. Save changes and run the service haproxy restart command to restart the HA Proxy service.
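
How the backend http_1 rules in the sample haproxy.cfg pin a client to one application server, shown as an added Python model that is not HAProxy or BMC code: it reads the session ID length at byte offset 43 of a TLS hello record, as payload_lv(43,1) does, and keeps a session-ID-to-server table. The hello records are constructed minimal TLS 1.2 messages, and StickyBalancer and the helper names are hypothetical.

```python
TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 1
SERVER_HELLO = 2
# 5 (record header) + 4 (handshake header) + 2 (version) + 32 (random) = 43
SID_LEN_OFFSET = 43


def build_hello(hello_type, sid):
    """Build a constructed, minimal TLS 1.2 hello record carrying sid."""
    body = b"\x03\x03" + bytes(32) + bytes([len(sid)]) + sid
    if hello_type == CLIENT_HELLO:
        body += b"\x00\x02\x00\x2f\x01\x00"  # one cipher suite, null compression
    else:
        body += b"\x00\x2f\x00"              # chosen suite, null compression
    handshake = bytes([hello_type]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_HANDSHAKE]) + b"\x03\x03" + len(handshake).to_bytes(2, "big") + handshake


def extract_session_id(record, hello_type):
    """Model of 'payload_lv(43,1) if clienthello' (or serverhello).

    Returns the session ID bytes, or None when the record is not the expected
    hello type, is truncated, or carries an empty session ID.
    """
    if len(record) <= SID_LEN_OFFSET:
        return None
    if record[0] != TLS_HANDSHAKE or record[5] != hello_type:
        return None
    length = record[SID_LEN_OFFSET]
    value = record[SID_LEN_OFFSET + 1:SID_LEN_OFFSET + 1 + length]
    # TLS caps session IDs at 32 bytes, which is also the stick-table key length.
    if length == 0 or length > 32 or len(value) != length:
        return None
    return value


class StickyBalancer:
    """Round-robin balancer with a session-ID stick-table, as in backend http_1."""

    def __init__(self, servers):
        self.servers = list(servers)
        self.table = {}  # session ID -> server name
        self.turn = 0

    def route(self, client_record):
        """Pick a server for a new connection from its first client bytes."""
        sid = extract_session_id(client_record, CLIENT_HELLO)
        server = self.table.get(sid) if sid else None
        if server is None:
            server = self.servers[self.turn % len(self.servers)]
            self.turn += 1
        if sid:
            self.table[sid] = server  # "stick on" also stores the request key
        return server

    def learn(self, server, server_record):
        """stick store-response: remember the ID the server assigned."""
        sid = extract_session_id(server_record, SERVER_HELLO)
        if sid:
            self.table[sid] = server


def demo():
    """New session, resumption of that session, then an unrelated new client."""
    lb = StickyBalancer(["server1", "server2"])
    sid = bytes(range(1, 33))
    first = lb.route(build_hello(CLIENT_HELLO, b""))
    lb.learn(first, build_hello(SERVER_HELLO, sid))
    resumed = lb.route(build_hello(CLIENT_HELLO, sid))  # round robin alone would pick server2
    other = lb.route(build_hello(CLIENT_HELLO, b""))
    return first, resumed, other


if __name__ == "__main__":
    print(demo())
```

TLS 1.3 clients normally send a freshly generated legacy session ID on each connection, so this affinity mainly helps clients that resume TLS 1.2 or earlier sessions.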

Related topic
 Deployment scenarios. 

Uninstalling

 Note
This topic is applicable only for a TrueSight Automation Console (on-premises) deployment.
BMC Helix Automation Console (SaaS) is not available for on-premises installation. For details about subscribing 
to this service, see BMC Helix subscriber information.



This topic describes how to uninstall TrueSight Automation Console application and the database. 

Uninstalling the application


Uninstall the application first and then the database.

To uninstall the application, do the following: 

1. Navigate to the directory where the Stack Manager launcher is installed. 
Default value: /opt/bmc
2. Run the following command:

./stackmanager uninstall --deployment application

 Note
This command only deletes the application directory from the installation directory.
The following directories are not deleted:
/var/bmc/truesight/postgresql/data
<InstallationDirectory>/sm/registry/inputs_file.yml
Ensure that you delete the /var/bmc/truesight/postgresql/data directory before installing the 
application again on the same host.

Uninstalling the database


To uninstall the database, do the following: 

1. Navigate to the directory where the Stack Manager launcher is installed. 
Default value: /opt/bmc
2. Run the following command:

./stackmanager uninstall --deployment database

Note that this command only cleans up the database. It does not delete the /var/bmc/truesight/postgresql/data
and <InstallationDirectory>/sm/registry/inputs_file.yml directories. 



Upgrading
 Note
The Upgrading section is applicable only for a TrueSight Automation Console (on-premises) installation.
BMC Helix Automation Console (SaaS) is not available for an on-premises installation. 

Complete the steps required to prepare for an upgrade and then upgrade to this version. 

Supported upgrade paths


Consult the following table for the supported upgrade paths. 

Current version    Upgrade to
---------------    ----------
20.02              20.02 Patch 1 (20.02.01)
19.1               20.02

TrueSight Automation Console upgrade process

Step 1: Prepare for upgrade

Complete the pre-upgrade tasks.

Description: Download the installation file and complete the pre-upgrade tasks.
Procedure: Preparing for upgrade



Step 2: Upgrade the product

When you upgrade, TrueSight Automation Console application is updated.

Description: Upgrade the Stack Manager tool and then, using a single script in the Stack Manager tool, upgrade the application server. When you upgrade the application, the underlying database schema is also upgraded.
Procedure: Performing the upgrade

Where to go next?
After a successful upgrade, the TrueSight Server Automation connector does not need any configuration. If you had 
configured the optional TrueSight Orchestration and Discovery connectors before the upgrade, no change is required. 

If you had not configured the optional connectors, you can choose to configure them based on your requirements. For 
details, see Configuring connectors. 

Preparing for upgrade

 Note
This topic is applicable only for a TrueSight Automation Console (on-premises) deployment.
BMC Helix Automation Console (SaaS) is not available for on-premises installation. For details about subscribing 
to this service, see BMC Helix subscriber information.

Upgrading TrueSight Automation Console requires you to complete these pre-upgrade tasks. You can download the
installation files from the BMC Electronic Product Distribution (EPD) site. 

Setting up your upgrade environment


Complete the following tasks to set up your environment:

• Back up the database.
• Back up the installation directories of the database and the application. 
• Ensure that you remove the local registry container and its mapped location on the host that contains the Docker
images for the previous release. 
• Ensure that the target computers meet the System requirements.
• Download the installation files.

Preparing to upgrade TrueSight Automation Console
You first extract the latest images and then recreate a local registry with the latest Docker images.

To recreate the repository on a CentOS computer


1. To remove the local registry, if it exists, run the following commands:

Stop the registry container

docker stop registry

Remove the registry container

docker rm registry

Remove the registry image

docker rmi -f registry

After removing the registry, manually delete the mapped location from the host. 
2. To recreate a local Docker registry, do the following:
a. Download the TSAC<versionNo>-IMAGES-LIN64.zip file from the BMC Electronic Products Distribution 
(EPD).
b. Create a directory on the Docker host (for example, /opt/tsac_<version>/dockerrepo) and extract
the TSAC<versionNo>-IMAGES-LIN64.zip into the directory.
c. Run the following command to create the local Docker registry. 
In the following command, replace <Directory> with the directory and its complete path that you 
created in step b. If there are multiple hosts, repeat this step on all the Docker hosts.

docker run -d \
-p 5000:5000 \
--restart=always \
--name registry \
-v <Directory>:/var/lib/registry \
registry:2

For example,

docker run -d \
-p 5000:5000 \
--restart=always \
--name registry \
-v /opt/tsac/dockerrepo:/var/lib/registry \
registry:2



This command creates a local Docker registry on port 5000.

To recreate the repository on an RHEL computer
1. To remove the local registry, if it exists, run the following commands:

Stop the registry container

docker stop registry

Remove the registry container

docker rm registry

Remove the registry image

docker rmi -f registry

2. Create a local Docker registry to manage Docker images, as follows:


a. Download the TSAC<versionNo>-IMAGES-LIN64.zip file from the BMC Electronic Products Distribution 
(EPD).
b. Create a directory on the Docker host (for example, /opt/tsac_<version>/dockerrepo) and extract
the TSAC<versionNo>-IMAGES-LIN64.zip into the directory.
c. Run the following command to create the local Docker registry. Replace <Directory> with the complete 
path of the directory that you created in step b. If there are multiple Docker hosts, repeat this step on all
hosts.

docker run -d \
-p 5000:5000 \
--restart=always \
--name registry \
-v <Directory>:/var/lib/registry \
registry:2

For example,

docker run -d \
-p 5000:5000 \
--restart=always \
--name registry \
-v /opt/tsac/dockerrepo:/var/lib/registry \
registry:2

This command creates a local Docker registry on port 5000.

Where to go from here?


After completing the pre-upgrade tasks, you can now start Performing the upgrade. 



Performing the upgrade

 Note
This topic is applicable only for a TrueSight Automation Console (on-premises) deployment.
BMC Helix Automation Console (SaaS) is not available for on-premises installation. For details about subscribing 
to this service, see BMC Helix subscriber information.

This topic provides the instructions to upgrade TrueSight Automation Console to the current version. During an upgrade, 
you only upgrade the application, which also upgrades the underlying database schema. 

Build numbers
You must provide the build number depending on the version that you want to upgrade to. 

Version                     Build number
-------                     ------------
20.02 Patch 1 (20.02.01)    20.02.00.418
20.02                       20.02.00.305

To upgrade TrueSight Automation Console
1. Open a terminal and SSH into the host where you have set up the local registry, and run the following command to 
update the Stack Manager tool. 

docker run -it --rm --network=host <hostname>:<port>/bmcsoftware/truesight-stack-manager:<build_number>

Example

docker run -it --rm --network=host 127.0.0.1:5000/bmcsoftware/truesight-stack-manager:20.02.00.305

Here, 127.0.0.1:5000 is the host:port of the local registry that contains the BMC Helix Automation 
Console images.  
You are prompted to specify a location to install the product.  
2. Enter the location where the previous version is installed. 
3. Enter a username with root permissions and a password. 
The Stack Manager tool is updated at the specified location. 
4. Run the following command to verify whether the Stack Manager tool is updated. 

./stackmanager version



This shows the services and their current version as shown in the example below.

Service Version
------- -------
Catalog service 20.02.00.455
Consul 20.02.00.45
Discovery OnPrem Connector 20.02.00.52
ITIL Service 20.02.00.184
Login service 20.02.00.543
Nginx 20.02.00.601
Patch Manager portal 20.02.00.881
Patch Manager service 20.02.00.756
Policy service 20.02.00.706
PostgreSQL 11.2-alpine
Redis 20.02.00.72
Redis-common 20.02.00.72
Resource service 20.02.00.493
TSO Connector 20.02.00.207
TSSA Connector 20.02.00.441
TSVM Data Refresh Manager 20.02.00.3345
TSVM Data Refresh Worker 20.02.00.3345
TSVM Portal 20.02.00.2241
WorkManager 20.02.00.429

You can now continue with upgrading the application. 

 Tip
To see the commands typically used during installation and other help, run this command:
./stackmanager --help

5. On the host where the Stack Manager tool is installed, run any of the following commands to start upgrading the
application.
This command also upgrades the database schema. 

./stackmanager install --deployment tsac+

./stackmanager install --deployment=tsac+

The existing installation and the END USER LICENSE AGREEMENT are displayed. 

[INFO] loading deployment registry from /opt/bmc/sm/registry/sm-deployment-registry.yml


**************************************************
TrueSight Stack Manager <build_number>
**************************************************
 
The following services are already installed:
Deployment Location
---------- --------
application /opt/bmc/truesight/application
database /opt/bmc/truesight/database
 
[INFO] Start installation
Press Enter to Read the License Agreement and enter the Appropriate Option
END USER LICENSE AGREEMENT
<Agreement Text>

6. Read, and type y to continue with the upgrade.
TrueSight Automation Console upgrade is complete and the following status is displayed.



TrueSight Automation Console <build_number> can be accessed at: <URL>
Installation is completed successfully.

7. To verify whether the upgrade is successful, run the following command: 

To verify the status

./stackmanager status --deployment=application

The updated services, container names, versions, and their status are displayed. The following figure shows details
after successfully upgrading to version 20.02.01. 

Name Container Name Version Status
---- -------------- ------- ------
Catalog service truesight-app-catalog-service 20.02.00.556 running
Consul truesight-infra-ext-consul 20.02.00.45 running
Discovery OnPrem Connector truesight-common-discovery-onprem-connector 20.02.00.52 running
ITIL Service truesight-common-itil 20.02.00.184 running
Login service truesight-common-login 20.02.00.607 running
Nginx truesight-app-nginx 20.02.00.631 running
Patch Manager portal truesight-app-patch-manager-portal 20.02.00.979 running
Patch Manager service truesight-app-patch-manager-core 20.02.00.886 running
Policy service truesight-app-policy-service 20.02.00.808 running
PostgreSQL 11.2-alpine
Redis truesight-infra-ext-redis 20.02.00.72 running
Redis-common truesight-infra-ext-redis-common 20.02.00.72 running
Resource service truesight-common-resource-service 20.02.00.509 running
TSO Connector truesight-common-tso-connector 20.02.00.207 running
TSSA Connector truesight-common-tssa-connector 20.02.00.441 running
TSVM Data Refresh Manager truesight-app-vulnerability-management-drm 20.02.00.3377 running
TSVM Data Refresh Worker truesight-app-vulnerability-management-drw 20.02.00.3377 running
TSVM Portal 20.02.00.2241
WorkManager truesight-common-workmanager 20.02.00.429 running

To verify the version

./stackmanager version

The following figure shows the sample version. 

Result

Service Version
------- -------
Catalog service 20.02.00.455
Consul 20.02.00.45
Discovery OnPrem Connector 20.02.00.52
ITIL Service 20.02.00.184
Login service 20.02.00.543
Nginx 20.02.00.601
Patch Manager portal 20.02.00.881
Patch Manager service 20.02.00.756
Policy service 20.02.00.706
PostgreSQL 11.2-alpine
Redis 20.02.00.72
Redis-common 20.02.00.72
Resource service 20.02.00.493
TSO Connector 20.02.00.207
TSSA Connector 20.02.00.441
TSVM Data Refresh Manager 20.02.00.3345
TSVM Data Refresh Worker 20.02.00.3345
WorkManager 20.02.00.429
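
The check in step 7 can be scripted. The following Python sketch is an added example, not part of the BMC documentation or of stackmanager: it parses the two outputs and lists services that are not running, rows that show no container or status, and build numbers that differ between the two commands. The sample text and the status value exited are constructed, and whitespace-separated columns are an assumption.

```python
import re

# Constructed samples in the layout printed above. Real column spacing may
# differ; the parser only assumes whitespace-separated columns.
STATUS_SAMPLE = """\
Name Container Name Version Status
---- -------------- ------- ------
Catalog service truesight-app-catalog-service 20.02.00.556 running
Login service truesight-common-login 20.02.00.607 exited
PostgreSQL 11.2-alpine
TSVM Portal 20.02.00.2241
WorkManager truesight-common-workmanager 20.02.00.429 running
"""

VERSION_SAMPLE = """\
Service Version
------- -------
Catalog service 20.02.00.455
Login service 20.02.00.607
PostgreSQL 11.2-alpine
WorkManager 20.02.00.429
"""

# Service name (may contain spaces), optional container name (every container
# on this page starts with "truesight-"), version token, optional status.
# Header and separator rows do not match because the version must start with a digit.
ROW = re.compile(
    r"^(?P<name>.+?)\s+"
    r"(?:(?P<container>truesight-\S+)\s+)?"
    r"(?P<version>\d[\w.\-]*)"
    r"(?:\s+(?P<status>[A-Za-z]\S*))?$"
)


def parse_table(text):
    """Return {service name: row dict} for either command's output."""
    rows = {}
    for line in text.splitlines():
        match = ROW.match(line.strip())
        if match:
            rows[match.group("name")] = match.groupdict()
    return rows


def review_upgrade(status_text, version_text):
    """Return (service, kind, detail) tuples for everything that needs a second look."""
    status = parse_table(status_text)
    versions = parse_table(version_text)
    findings = []
    for name, row in status.items():
        if row["container"] is None or row["status"] is None:
            findings.append((name, "no-status", "row has no container or status column"))
        elif row["status"].lower() != "running":
            findings.append((name, "not-running", f"{row['container']} is {row['status']}"))
        other = versions.get(name)
        if other is None:
            findings.append((name, "not-in-version-output", row["version"]))
        elif other["version"] != row["version"]:
            findings.append((name, "version-mismatch",
                             f"status={row['version']} version={other['version']}"))
    return findings


if __name__ == "__main__":
    for service, kind, detail in review_upgrade(STATUS_SAMPLE, VERSION_SAMPLE):
        print(f"{service}: {kind} ({detail})")
```

To use it on a real host, pass the captured output of the two commands in step 7 to review_upgrade in place of the constructed samples.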

Where to go next?
After a successful upgrade, the TrueSight Server Automation connector does not need any configuration. If you had 
configured the optional TrueSight Orchestration and Discovery connectors before the upgrade, no change is required. If 
you had not configured the optional connectors, you can choose to configure them based on your requirements. For 
details, see Configuring connectors. 

Configuring connectors
This section provides an overview of the connectors required by BMC Helix Automation Console (SaaS) and TrueSight 
Automation Console (on-premises) to integrate with products, and the steps to configure them. 

• Configuring the TrueSight Server Automation connector (only for BMC Helix Automation Console)
• Configuring the TrueSight Orchestration connector
• Configuring the BMC Discovery connector

Configuring the TrueSight Server Automation connector

 Note
The TrueSight Server Automation connector is required only for BMC Helix Automation Console (SaaS).
For TrueSight Automation Console (on-premises), integration with TrueSight Server Automation is configured
during installation.

This topic provides an overview of and instructions to install and configure the TrueSight Server Automation connector. 

Overview
The TrueSight Server Automation connector establishes a connection between BMC Helix Automation Console and the
TrueSight Server Automation Application Server. Automation Console sends notifications for jobs, such as updating
catalogs and running patching jobs, to the connector, which forwards them to TrueSight Server Automation. The connector
ensures that even if the application server is in an air-gapped environment, communication between Automation
Console and the application server is uninterrupted.

By default, the connector establishes a connection over the HTTPS protocol using out-of-the-box self-signed certificates. To
ensure seamless communication, you must provide the connector information in the hosts file on Server Automation. 

Before you begin


Before running the connector, ensure that the connector is installed and run on a Windows or Linux operating system
that meets the following criteria:

• Java Runtime Environment (JRE) 11 is installed on the connector host
• Port number 443 is open

Port | Protocol | From | To | Notes
443 | HTTPS | Connector | Application Server (web services port) and Internet | Communication with Application Server and Internet
443 | HTTPS | Application Server (web services port) | Connector | Communication between Application Server and Connector

Installing the Server Automation connector
If there is no earlier instance of Server Automation connector in your environment, do these steps: 

1. Download the connector file from the location provided in the email message when you complete the activation. 
2. Extract the tssa_connector.zip file on an internet-enabled server (inbound and outbound). 
The host where the connector is installed must be accessible to the Server Automation application server. 
3. Open the /config/creds.json file and add the connector token provided by BMC.
The workerId value in the creds.json file must match the workerId value in the /config/application.properties file.

"connectorToken":<connector-token-value>

Sample creds.json file with connector token information

{
    "user": "<worker-id-value>",
    "password": "",
    "deployment": "private",
    "connectorToken": "<connector-token-value>",
    "workerId": "<worker-id-value>",
    "endpoints": {
        "pls": "POLICY_ENDPOINT",
        "ifi": "",
        "ifm": "",
        "wmw": "https://tenant-app-url.bmc.com"
    }
}

  
4. On the Server Automation application server, go to the hosts file and add the following:

 Hosts file location


- Windows: C:\Windows\System32\drivers\etc\hosts
- Linux: /etc/hosts

<connector-ip> tssa.connector.bmc.com

 Note
If you choose to use DNS, you must register the connector server in the DNS as
tssa.connector.bmc.com. No other name is currently supported.

5. On the server where the connector.zip is extracted, go to the connector location, and run the following command
to install and start the connector:
• Windows: run.bat
• Linux: run.sh
The Server Automation connector starts running successfully. 

Updating the TrueSight Server Automation connector
If you already have a running instance of TrueSight Server Automation connector, do these steps: 

1. Download the connector file from the location provided in the email message. 
2. Back up the directory where the existing connector is configured and extract the updated tssa_connector.zip file in 
a new directory on an internet-enabled server (inbound and outbound).
The host where the connector is installed must be accessible to the TrueSight Server Automation application 
server. 
3. From the existing connector /config directory, copy the creds.json and application.properties files to the /config
directory where the updated connector file is extracted. 
If you have received a connector token in the email message, update the connector token in the creds.json file.
4. Verify whether the workerId value in the /config/creds.json file matches the workerId value in the /config/
application.properties file. 
5. On the server where the connector zip is extracted, go to the connector location, and run the following command
to install and start the connector:
• Windows: run.bat
• Linux: run.sh
The TrueSight Server Automation connector starts running successfully. 
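
Both the installation and the update procedure depend on the workerId in creds.json matching the one in application.properties, and on a real connector token being present. The following Python pre-flight check is an added example, not BMC code: it assumes the property key in application.properties is named workerId, builds constructed config directories to demonstrate itself, and adds a file-permission check on creds.json that is not part of the BMC procedure.

```python
import json
import os
import re
import stat
import tempfile
from pathlib import Path


def read_properties(path):
    """Read key=value or key:value pairs, skipping blank lines and # or ! comments."""
    props = {}
    for raw in Path(path).read_text(encoding="utf-8").splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        parts = re.split(r"\s*[=:]\s*", line, maxsplit=1)
        if len(parts) == 2:
            props[parts[0]] = parts[1]
    return props


def check_connector_config(config_dir, worker_key="workerId"):
    """Return a list of problems; an empty list means every check passed.

    worker_key is the property name in application.properties (assumed to be
    "workerId", the name the documentation uses for the value).
    """
    config_dir = Path(config_dir)
    creds_path = config_dir / "creds.json"
    try:
        creds = json.loads(creds_path.read_text(encoding="utf-8"))
    except (OSError, ValueError) as exc:
        return [f"creds.json is unreadable or not valid JSON: {exc}"]
    if not isinstance(creds, dict):
        return ["creds.json must contain a JSON object"]

    problems = []
    token = creds.get("connectorToken")
    if not isinstance(token, str) or not token.strip() or token.startswith("<"):
        problems.append("connectorToken is empty or still a placeholder")

    try:
        props = read_properties(config_dir / "application.properties")
    except OSError as exc:
        return problems + [f"application.properties is unreadable: {exc}"]
    json_id, prop_id = creds.get("workerId"), props.get(worker_key)
    if not json_id or json_id != prop_id:
        problems.append(
            f"workerId mismatch: creds.json={json_id!r} application.properties={prop_id!r}")

    # Added hardening check (not from the BMC procedure): the token is a secret,
    # so the file should not be accessible to group or other users.
    if os.name == "posix":
        mode = stat.S_IMODE(creds_path.stat().st_mode)
        if mode & 0o077:
            problems.append(f"creds.json mode {mode:o} is accessible beyond the owner")
    return problems


def run_constructed_cases():
    """Build three constructed config directories and return the problems found in each."""
    good = {"connectorToken": "constructed-token", "workerId": "worker-01"}
    cases = {
        "good": (good, "workerId=worker-01\n", 0o600),
        # application.properties copied from an older install with another id
        "stale-copy": (good, "# copied from the old install\nworkerId = worker-02\n", 0o600),
        # token never filled in, and the file left world-readable
        "placeholder": (dict(good, connectorToken="<connector-token-value>"),
                        "workerId=worker-01\n", 0o644),
    }
    results = {}
    with tempfile.TemporaryDirectory() as root:
        for name, (creds, props, mode) in cases.items():
            cfg = Path(root, name, "config")
            cfg.mkdir(parents=True)
            (cfg / "creds.json").write_text(json.dumps(creds), encoding="utf-8")
            (cfg / "application.properties").write_text(props, encoding="utf-8")
            os.chmod(cfg / "creds.json", mode)
            results[name] = check_connector_config(cfg)
    return results


if __name__ == "__main__":
    for case, problems in run_constructed_cases().items():
        print(case, "->", problems or "ok")
```

Run check_connector_config against the extracted connector's config directory before starting run.bat or run.sh.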

Enabling debug mode


BMC recommends that you do not modify any other configuration files available in the /config directory. However, you
can enable the debug mode on the connector to obtain detailed logging information.

Do this:

1. Press CTRL+C twice to stop the connector.
2. Go to <ConnectorLocation>/config, open the log4j.properties file, and change the logging option to debug.

# Root logger option
log4j.rootLogger=debug, file

3. Start the connector.

Where to go next?

Log in to BMC Helix Automation Console with the appropriate credentials to successfully verify the connector installation. 
See Logging in. 

Configuring the TrueSight Orchestration connector


This topic provides an overview of and instructions to install and configure the TrueSight Orchestration connector. 

Overview
As an administrator, you configure a connector to enable integration with TrueSight Orchestration for change
management. For a vulnerability operation, you can now create a change ticket with an approval process in BMC Remedy
IT Service Management. The TrueSight Orchestration connector establishes a connection and enables communication
between TrueSight Orchestration and both BMC Helix Automation Console (SaaS) and TrueSight Automation Console
(on-premises). For more details, see Change automation.

In version 20.02, you can configure the connector using REST APIs only. 

This topic describes only the URL, method, and sample configuration for configuring the connector. For more information
about the supported connector API calls, see Using REST API.

Configuring connector for TrueSight Automation Console
For TrueSight Automation Console (on-premises), the connector is available as a container after the installation is 
complete. 

To use this REST API, you must first create an authorized session with administrator credentials. For more information,
see Using REST API.

POST /api/v1/connectors
Request body parameters

Name | Description | Required
name | Specifies the name of the connector. | Yes
description | Specifies the optional description for the connector. | No
type | Specifies the type of the connector. Valid value: TSO | Yes
host | Specifies the host where TrueSight Orchestration server is installed. | Yes
port | Specifies the port number on which the TrueSight Orchestration – Grid Manager component is running. Default value: 38080 | Yes
protocol | Specifies the Grid Manager protocol. | Yes
properties | Contains the properties to connect to the TrueSight Orchestration Grid Manager. | Yes
username | Specifies the username required to login to the Grid Manager. Default value: aoadmin | Yes
password | Specifies the password that matches the username. | Yes
grid | Specifies the name of the grid. | Yes
change_approval_required | Specifies whether to enable change approval. Valid values: true, false. If true, change request creation and approval is mandatory when you create a vulnerability remediation operation in Automation Console. If false, you can skip change creation and approval while creating a vulnerability operation. | Yes

Sample request JSON

{
    "name": "TSO CONF",
    "description": "TSAC AO configuration",
    "type": "TSO",
    "admin_role": "",
    "host": "<hostname>",
    "port": 38080,
    "protocol": "https",
    "properties": {
        "username": "aoadmin",
        "password": "<password>",
        "grid": "MyGrid",
        "change_approval_required": "false"
    }
}

Sample response JSON

{
    "connector_id": "fe11975a-08b8-4184-b497-391f136aa746",
    "name": "TSO CONF",
    "description": "TSAC AO configuration",
    "admin_role": "",
    "host": "tso.bmc.com",
    "port": 38080,
    "protocol": "https",
    "type": "TSO",
    "properties": {
        "username": "aoadmin",
        "password": "RKy3Q6NHz05RFC7CCzzKRQ==",
        "grid": "MyGrid",
        "change_approval_required": "false"
    },
    "worker_id": "tso-connector"
}

Responses

Code Description

200 OK

401 Unauthorized

500 Internal Server Error

Configuring connector for BMC Helix Automation Console
In a BMC Helix Automation Console environment, you must first configure the connector, then download the connector 
file, and run it in your environment. 

1. Create an authorized session with administrator credentials by using the POST /api/v1/sessions API call.
See Using REST API.

2. Configure the connector by using the POST /api/v1/connectors REST API call. 
See Configuring TrueSight Orchestration connector.
3. Download the connector file using the REST API call: https://<serverName>/api/v1/connectors/download/{type}
4. Extract the tso_connector.zip file on an internet-enabled server (inbound and outbound). 
The host where the connector is installed must be accessible to TrueSight Orchestration.
5. On TrueSight Orchestration, go to the hosts file and add the following:

 Hosts file location


- Windows: C:\Windows\System32\drivers\etc\hosts
- Linux: /etc/hosts

<connector-ip> tso.connector.bmc.com

 Note
If you choose to use DNS, you must register the connector server in the DNS as tso.connector.bmc.com.
No other name is currently supported.

6. On the server where the connector file is extracted, go to the connector location, and run the following command
to install and start the connector: 
• Windows: run.bat
• Linux: run.sh
TrueSight Orchestration connector starts running successfully. 

Where to go next?
After successfully configuring the connector, you can now complete the tasks required to enable change automation. See
Enabling change automation.

Configuring the BMC Discovery connector


This topic provides an overview of and instructions to configure the BMC Discovery connector and to create a service
account using REST APIs. 

Overview
The BMC Discovery connector establishes a connection with BMC Discovery (on-premises only) to find all the assets in a
network. BMC Discovery obtains information about the assets even if they are not enrolled in the endpoint manager,
TrueSight Server Automation. As an administrator, when you integrate BMC Helix Automation Console and TrueSight
Automation Console with BMC Discovery, you can identify which assets in your environment are not included in
vulnerability scans. These are blind spots, and they represent potential security risks. The blind spot assets appear on the
Discovered Assets page. You must ensure that the discovered assets are scanned for missing patches and vulnerabilities.

In BMC Helix Automation Console (SaaS) and TrueSight Automation Console (on-premises) version 20.02, you can 
configure the connector and create a service account for BMC Discovery by using REST APIs only. 

This topic describes only the URL, method, and sample configuration for configuring the connector. For more information
about the supported connector API calls, see Using REST API.

Configuring connector for TrueSight Automation Console
For TrueSight Automation Console (on-premises), the connector is available as a container after the installation is 
complete.  

To use this REST API, you must first create an authorized session with administrator credentials. For more information,
see Using REST API.

POST /api/v1/connectors
Request body parameters

Name | Description | Required
name | Specifies the name of the connector. | Yes
description | Specifies the optional description for the connector. | No
host | Specifies the host name or IP address of the host where BMC Discovery server is installed. | Yes
port | Specifies the port where BMC Discovery server is installed. | Yes
type | Specifies the type of connector. Valid value: DISCOVERY | Yes
properties | Contains the properties to connect to the BMC Discovery server | Yes
username | Specifies the username required to login to the BMC Discovery server. Ensure that this is a valid user in BMC Discovery. | Yes
password | Specifies the password that matches the username. | Yes

Sample request JSON

{
    "description": "connector for Discovery",
    "name": "Discovery-Connector",
    "host": "<hostname>",
    "port": 443,
    "admin_role": "admin",
    "protocol": "https",
    "type": "DISCOVERY",
    "properties": {
        "username": "discovery-user",
        "password": "<password>"
    }
}

Sample response JSON

{
    "connector_id": "8a5aafe3-fa9b-4d73-8c94-6ee477a28103",
    "name": "Discovery-Connector",
    "description": "connector for Discovery",
    "admin_role": "admin",
    "host": "<hostname>",
    "port": 443,
    "protocol": "https",
    "type": "DISCOVERY",
    "properties": {
        "username": "discovery-user",
        "password": "VSVu1gc+EpJ7SI5NI33o87OhklK+O2KhSGMPP+2xmXTIP926zdL7W5+XpA=="
    },
    "worker_id": "discovery-connector"
}

Responses

Code Description

200 OK

401 Unauthorized

500 Internal Server Error
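
The request-parameter tables for the TrueSight Orchestration and BMC Discovery connectors can be enforced before a body is sent to POST /api/v1/connectors. The following Python validator is an added example, not BMC code: the required fields and valid values come from the two tables above, while the request bodies, host names, warning rules, and the redact helper are constructed for illustration.

```python
import copy

# Required fields taken from the two request-parameter tables above:
# (top-level fields, fields inside "properties").
REQUIRED = {
    "TSO": (("name", "type", "host", "port", "protocol", "properties"),
            ("username", "password", "grid", "change_approval_required")),
    "DISCOVERY": (("name", "host", "port", "type", "properties"),
                  ("username", "password")),
}

# Constructed request bodies modelled on the sample requests.
TSO_REQUEST = {
    "name": "TSO CONF", "description": "TSAC AO configuration", "type": "TSO",
    "admin_role": "", "host": "tso.example.test", "port": 38080, "protocol": "https",
    "properties": {"username": "aoadmin", "password": "constructed-secret",
                   "grid": "MyGrid", "change_approval_required": "false"},
}
DISCOVERY_REQUEST = {  # sample pasted without filling in the placeholders
    "name": "Discovery-Connector", "description": "connector for Discovery",
    "host": "<hostname>", "port": "443", "admin_role": "admin",
    "protocol": "https", "type": "DISCOVERY",
    "properties": {"username": "discovery-user", "password": "<password>"},
}


def _unset(value):
    """True for missing values and for <placeholder> strings left over from a sample."""
    if value is None or value == "":
        return True
    return isinstance(value, str) and value.startswith("<") and value.endswith(">")


def validate_connector_request(body):
    """Return (errors, warnings) for a connector request body."""
    spec = REQUIRED.get(body.get("type"))
    if spec is None:
        return [f"type must be one of {sorted(REQUIRED)}, got {body.get('type')!r}"], []
    top, nested = spec
    props = body.get("properties") if isinstance(body.get("properties"), dict) else {}
    errors = [f"{key} is missing or still a placeholder"
              for key in top if _unset(body.get(key))]
    errors += [f"properties.{key} is missing or still a placeholder"
               for key in nested if _unset(props.get(key))]

    port = body.get("port")
    if port is not None and (isinstance(port, bool) or not isinstance(port, int)
                             or not 0 < port < 65536):
        errors.append("port must be an integer between 1 and 65535")
    approval = props.get("change_approval_required")
    if approval is not None and str(approval).lower() not in ("true", "false"):
        errors.append("properties.change_approval_required must be true or false")

    warnings = []
    if str(body.get("protocol", "")).lower() == "http":
        warnings.append("protocol http: the login in properties is not protected by TLS")
    if body.get("type") == "TSO" and str(approval).lower() == "false":
        warnings.append("change approval disabled: operations can skip change requests")
    return errors, warnings


def redact(message):
    """Copy a request or response body with properties.password masked, for logging."""
    safe = copy.deepcopy(message)
    if isinstance(safe.get("properties"), dict) and "password" in safe["properties"]:
        safe["properties"]["password"] = "***"
    return safe


if __name__ == "__main__":
    for request in (TSO_REQUEST, DISCOVERY_REQUEST):
        print(redact(request)["name"], validate_connector_request(request))
```

The sample responses above return a non-empty properties.password value, so apply redact to responses as well as requests before writing them to logs or tickets.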

Configuring connector for BMC Helix Automation Console


In a BMC Helix Automation Console environment, you must first configure the connector, and then download the 
connector file, and then run it in your environment. 

1. Create an authorized session with administrator credentials by using the POST /api/v1/sessions API call.
See Using REST API.

2. Configure the connector by using the POST /api/v1/connectors REST API call. 
3. Download the connector file using the REST API call: https://<serverName>/api/v1/connectors/download/{type}
For more information, see Using REST API.
4. Extract the discovery_connector.zip file on an internet-enabled server (inbound and outbound). 
The host where the connector is installed must be accessible to BMC Discovery.
5. On the BMC Discovery server, go to the hosts file and add the following:

 Hosts file location


- Windows: C:\Windows\System32\drivers\etc\hosts
- Linux: /etc/hosts

<connector-ip> discovery.connector.bmc.com

 Note
If you choose to use DNS, you must register the connector server in the DNS as
discovery.connector.bmc.com. No other name is currently supported.

6. On the server where the connector.zip is extracted, go to the connector location, and run the following command
to install and start the connector: 
• Windows: run.bat
• Linux: run.sh
BMC Discovery connector starts running successfully. 

Creating a service account for BMC Discovery


After configuring a connector, create a service account by using this REST API call. 

POST /api/v1/config/service-accounts
Request body parameters

Name | Description | Required
connector_name | Specifies the name of the BMC Discovery connector. | Yes
connector_type | Specifies the type of the connector. Valid value: DISCOVERY | Yes
delay_in_refresh_cycles | Specifies the time interval, in minutes, after which the data should be refreshed. Default is 60 minutes. | Yes
credential_type | Specifies the type of credential. Valid value: DATA_REFRESH | Yes
user_name | Specifies the user name to be used to connect with BMC Discovery. This must be the same user as configured in the connector. | Yes
password | Specifies the password that matches the username. | Yes

Sample JSON request

{
    "connector_name": "<connector-name>",
    "connector_type": "DISCOVERY",
    "delay_in_refresh_cycles": 6,
    "profiles": [
        {
            "credential_type": "DATA_REFRESH",
            "user_name": "discovery-user",
            "password": "<password>"
        }
    ]
}

Responses

Code Description

200 OK

401 Unauthorized

500 Internal Server Error

Where to go next?
Now that you have successfully configured the connector and added a service account, the assets appear in Automation
Console on the Assets > Discovered Assets page, based on the data refresh cycle configured in the service account. To
view discovered assets, see Working with assets.

Using
This section describes the tasks that can be performed by operators. 

• Logging in
• Using Dashboards
• Patch policies
• Scans
• Assets
• Risks
• Operations

Logging in
This topic provides instructions on logging in to the BMC Helix Automation Console and TrueSight Automation Console. 

Accessing the Automation Console
1. From a supported browser, enter the following URL to access the console:

TrueSight Automation Console: https://<FullyQualifiedDomainHostName>:<port>/app/#/login

The default port is 10443.

BMC Helix Automation Console: https://<customerprefix>-xxx.onbmc.com

You will define the <customerprefix> when registering your service in the BMC SaaS registration portal. This prefix 
must be unique and may not contain any special characters.

 Can I create a custom URL for my organization?


No. BMC determines the customer-specific URL, and custom URL naming conventions are not allowed.

2. Enter your username and password.


3. Select one of the following authentication methods:
• Secure Remote Password: Users authenticate against a registry of authorized users maintained in the
central TrueSight Server Automation database.
If using this method, the user must be included in the registry of authorized users in the Automation 
Console database.
• Domain Authentication: Users authenticate by providing a name, domain, and password.
If using this method, your domain must already be registered in TrueSight Server Automation.
• RSA Secure ID: Users authenticate using the username and the token code obtained from an RSA SecurID
token. 
If using this method, provide the current token code in the Password field. 

• LDAP Authentication: Users authenticate using a username and password, which are maintained in
the directories on an external Lightweight Directory Access Protocol (LDAP) server. TrueSight Server
Automation Authentication Service connects to an LDAP server to authenticate the user.
4. Click Log in. 
You are now on the dashboards page. 

Overview of the Automation Console user interface
The Automation Console offers role-based access to the application. An administrator has access to all the pages on the 
UI. An operator can access all the pages except the Administration page. 

The Dashboard page contains a Patch Dashboard, which provides graphical information about missing patches on assets
in your environment. Widgets on the dashboard show specific metrics around patch compliance, remediation trends,
missing patches by age, impacted targets by severity, and Service Level Agreements. The Vulnerability Dashboard
provides information about identified vulnerabilities on the assets imported from a scan file. Widgets on the dashboard
show mapped and actionable vulnerabilities, assets by severity and SLA, vulnerabilities by stage, remediation trends, and
top 10 identified vulnerabilities. 

The Assets page shows a list of assets with the missing patches. It also shows assets that are imported from a vulnerability 
scan, and assets discovered by integrating with BMC Discovery. 

The Risks page shows the list of missing patches and impacted assets for each missing patch. It also shows the 
vulnerabilities imported from a scan. 

The Operations page shows a list of operations, which perform remediation actions to install missing patches or
remediate vulnerabilities on assets.

The Manage page shows a list of patch policies, which scan the assets in your environment to identify missing patches. It 
also shows the list of scan files imported in the product. 

Administrators use the Administration menu to perform configuration activities such as adding catalogs, defining Service 
Level Agreements (SLAs), and adding security groups to determine access to the Automation Console. 

Common Automation Console UI elements
Use this section to know more about the common user interface elements. 

• Click the help icon to launch the context-sensitive help topic.
• Click Security Group > About to view the product version and the connector name. 

• Click Log out. 

Changing the security group
The security group that you belong to appears in the top-right corner of the Automation Console UI. If you are assigned 
multiple roles in TrueSight Server Automation, you can change the security group to view the Automation
Console according to your role. 

1. On the top-right corner, click Security Group > Change Security Group.


2. Select a group, and click Select. 
You now view data according to the permissions assigned to the current security group. 

Using Dashboards
This section provides information about the Patch Dashboard and the Vulnerability Dashboard, and instructions to view
details for each widget. 

The Patch Dashboard offers a consolidated graphical view of the assets and missing patches in your environment, and
allows you to view the patch compliance health. The Vulnerability Dashboard shows the vulnerabilities identified on 
assets, and the vulnerability remediation status. 

• Using the Patch Dashboard


• Using the Vulnerability Dashboard

Using the Patch Dashboard


This topic provides instructions to view the patch dashboard and the information each widget displays.

To view information about the Vulnerability Dashboard, see Using the Vulnerability Dashboard.

Viewing the Patch Dashboard


Widgets on the Dashboard display metrics about the assets and the patches (missing or installed). You can drill down to a
widget to view additional data related to the metrics. The Dashboard data refreshes after each policy scan. 

To view metrics based on any of the following options, select a filter, and click Apply: 

• Operating System
• Severity
• Patch Policy: The metrics from the latest policy scan are displayed.  

 Tip
Click PDF to download the current dashboard metrics as a PDF file.

Patch Compliance
This widget shows the percentage of installed and missing patches on all assets in your environment. 

 How is patch compliance percentage calculated?
The patch compliance percentage is calculated based on the total number of patches in a catalog and the total 
number of patches already installed. 

To drill down for more information, click the bar graph on the widget.

In the following image, the number of installed and missing patches and the total number of assets scanned by the policy
are displayed for each policy.

Impacted Assets by SLA


This widget shows the number of assets with missing patches based on their service level agreements (SLA). Using this
data, you can plan remediation steps based on your organizational standards. 

If assets are approaching an SLA level, they appear in Approaching SLA. Assets with a severity level other
than Critical appear in Exceeding SLA (Other). Assets that have reached a critical severity appear in the Exceeding SLA
(Critical) graph.

To view the total number of missing patches on each asset according to the SLA level, do the following:

1. Click the bar graph on the widget. 

2. Click any SLA level to see the assets based on the SLAs. In the following figure, all assets are in the Within SLA
bracket. 

Impacted Assets by Severity


This widget shows the total number of assets and their classification as per the patch severity levels. Assets with missing
patches of different severity levels are counted as belonging to the highest level. 

For example, out of 100 assets, if 10 assets have patches with a Critical, High, and Medium severity, those 10 assets
appear in the Critical bracket. If 20 assets have missing patches with a High and Low severity, those assets appear in 
the High bracket. 

In this figure, 6 assets contain patches with a Critical severity and appear in the Critical bracket.

To view more information, do the following:

1. Click the bar graph to see additional information such as the assets and the missing patches according to severity. 

2. Click any severity level icon to see assets as per the severity level. 

Unique Missing Patches by Age


This widget shows the total number of unique missing patches on the assets by their release age. 

 How is patch age calculated?


Patch age is calculated based on the release date of the patch by the vendor. Patch age is not calculated by when
it is discovered as missing on the assets in your environment. For example, if a patch appears in the 30-90 age
bracket, then it is more than 30 days since the vendor has released this patch.

To see more information, do the following:

1. Click the bar graph to view additional information such as the patch name, number of impacted assets, the exact
patch age, the classification, and CVE IDs.

2. Click any age bracket icon to see the missing patches according to the bracket. 

Remediation trend
This widget shows a cumulative patch remediation trend for the last six weeks, which includes the number of missing and
installed patches on the assets. 

This graph also shows: 

• Average Days Awaiting Attention: Average number of days since patches are identified as missing and not yet
remediated. 
• Average Days Awaiting Execution: Average number of days in which a remediation operation is scheduled for the 
missing patches but not executed yet. 
• Average Days to Close: Average number of days it takes from identifying a patch as missing to successfully
remediating it. 
To view more information, do the following:

1. Click the bar graph.

2. Click Missing Patches or Remediated Patches to view the patches in each category. 

Top 10 Missing Patches


This widget shows the top ten missing patches and the total number of impacted assets. This metric also shows the SLA
level for the patches.

Click the Impacted Assets link to see the asset names for each missing patch. 

Using the Vulnerability Dashboard


This topic provides instructions to view the vulnerability dashboard and the information each widget displays.

To view information about the missing patches, see Using the Patch Dashboard.

Viewing the Vulnerability Dashboard
Widgets on the dashboard display metrics about the assets and the vulnerabilities. You can drill down into a widget to view
additional data related to the metrics. The Dashboard data refreshes every time you import a scan, map
vulnerabilities, and run remediation operations to completion.

To view metrics based on any of the following options, select a filter, and click Apply: 

• Operating System
• Severity
• Scan File: Lists the scan files imported in BMC Helix Automation Console and TrueSight Automation Console.  

 Tip
Click PDF to download the current dashboard metrics as a PDF file.

Vulnerabilities
This widget shows the total number of vulnerabilities imported from a scan file in the Automation Console and their 
distribution. Vulnerabilities mapped to remediation content are displayed in the Mapped Vulnerabilities graph.
Vulnerabilities mapped to remediation content and assets are displayed in the Actionable Vulnerabilities graph. 

To drill down for more information about the mapped vulnerabilities, click the bar graph. In the following image, the 
vulnerability names, CVE IDs, severity, and the number of impacted assets for mapped and unmapped vulnerabilities are
displayed. 

To drill down for more information about the actionable vulnerabilities, click the bar graph. In the following image, the
vulnerability names, CVE IDs, severity, and the number of impacted assets for actionable and
non-actionable vulnerabilities are displayed.

SLA Breakdown by Assets and Vulnerabilities
This widget shows the number of assets and vulnerabilities based on the service level agreements (SLA).

To view vulnerabilities as per the service level agreements, use the Vulnerabilities toggle button. Using this data, you can 
plan remediation steps based on your organizational standards. 

If assets or vulnerabilities are approaching an SLA level, they appear in Approaching SLA. Assets with a severity level other
than Critical appear in Exceeding SLA (Other). Assets or vulnerabilities that have reached a critical severity appear in
the Exceeding SLA (Critical) graph.

To view the number of vulnerabilities for assets based on their SLA, click the bar graph, and then click any SLA level. 

In the following image, 10 assets are in the Within SLA bracket.  

Severity Breakdown by Assets and Vulnerabilities
This widget shows the total number of assets and vulnerabilities as per the vulnerability severity levels. To view 
vulnerabilities as per the severity levels, use the Vulnerabilities toggle button.

 Note
Assets and vulnerabilities with different severity levels are counted as belonging to the highest level.
For example, out of 100 assets, if 10 assets have vulnerabilities with a Critical, High, and Medium severity, those
10 assets appear in the Critical bracket. If 20 assets have vulnerabilities with a High and Low severity, those 
assets appear in the High bracket. 
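
The highest-level rule described here, and for Impacted Assets by Severity on the Patch Dashboard, explains why per-severity asset counts taken from a scanner export do not add up to the widget totals. The following Python sketch is an added example, not the product's implementation: it applies the rule to constructed findings that reproduce the 10-asset and 20-asset case from the note, and compares the result with a naive per-severity count.

```python
SEVERITY_ORDER = ("Critical", "High", "Medium", "Low")  # highest first
RANK = {name: index for index, name in enumerate(SEVERITY_ORDER)}


def bracket_per_asset(findings):
    """Map each asset to the highest severity among its findings.

    findings: iterable of (asset, severity) pairs, one per missing patch or
    vulnerability. Assets with only unrecognized severities map to None.
    """
    best = {}
    for asset, severity in findings:
        current = best.get(asset)
        if severity not in RANK:
            best.setdefault(asset, None)
        elif current is None or RANK[severity] < RANK[current]:
            best[asset] = severity
    return best


def widget_counts(findings):
    """Count every asset exactly once, in the bracket of its highest severity."""
    counts = {name: 0 for name in SEVERITY_ORDER}
    for severity in bracket_per_asset(findings).values():
        if severity is not None:
            counts[severity] += 1
    return counts


def per_severity_asset_counts(findings):
    """Naive view: an asset is counted in every severity it has a finding for."""
    seen = {name: set() for name in SEVERITY_ORDER}
    for asset, severity in findings:
        if severity in seen:
            seen[severity].add(asset)
    return {name: len(assets) for name, assets in seen.items()}


def constructed_findings():
    """The note's example: 10 assets with Critical, High and Medium findings and
    20 assets with High and Low findings. The other 70 assets have no findings."""
    findings = []
    for number in range(10):
        findings += [(f"asset-{number:03d}", sev) for sev in ("Medium", "Critical", "High")]
    for number in range(10, 30):
        findings += [(f"asset-{number:03d}", sev) for sev in ("Low", "High")]
    return findings


if __name__ == "__main__":
    data = constructed_findings()
    print("widget rule:", widget_counts(data))
    print("naive count:", per_severity_asset_counts(data))
```

With the constructed data, the widget rule places 10 assets in Critical and 20 in High, while the naive count reports 30 assets under High because the first 10 are counted there as well.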

To view more information about assets or vulnerabilities based on their severity, click the bar graph and then click each
severity level. 

For vulnerabilities, use the toggle button, and then click the bar graph to view more information about the severity level. 

In the following image, 5 assets are in the Critical state. 

Vulnerability by Stage
After you map vulnerabilities with remediation content, either automatically or manually, you create an operation to
remediate the vulnerabilities. This widget shows the number of vulnerabilities for which an operation is created (Awaiting
Execution) against the number of vulnerabilities where the operation is yet to be created (Awaiting Attention). It also
shows the number of vulnerabilities for which remediation operations are created, and change request approval is
pending (Awaiting Approval). 

To view more information, click the bar graph. Vulnerability name, CVE IDs, severity, and the number of impacted assets
are displayed. 

Remediation trend
This widget shows a cumulative vulnerability remediation trend for the last six weeks, which includes the total number of
vulnerabilities against the vulnerabilities remediated on the assets. 



This graph also shows: 

• Average Days Awaiting Attention: Average number of days since vulnerabilities are identified and not yet
remediated. 
• Average Days Awaiting Approval: Average number of days in which a remediation operation is created with a 
change integration, and the change request is not yet approved. 
• Average Days Awaiting Execution: Average number of days in which a remediation operation is scheduled but not 
yet executed. 
• Average Days to Close: Average number of days it takes from identifying a vulnerability to successfully remediating
it. 
To view more information, click the bar graph. The total number of vulnerabilities identified and remediated is displayed.
You can also view these details:

• Vulnerability name
• Impacted assets
• Scan Age: Number of days since the vulnerability is identified in the scan file by a vulnerability management tool. 
• Severity
• CVE IDs

Top 10 Missing Vulnerabilities


This widget shows the top ten vulnerabilities and the impacted assets on which the vulnerabilities are identified. This
metric also shows the SLA level for the vulnerabilities.

Click the Impacted Assets link to see the assets and their operating system for each vulnerability. 



Top 10 Business Services at Risk
This widget shows the top ten business services or applications with a maximum number of vulnerabilities and the
number of impacted assets. In BMC Helix Automation Console (SaaS) and TrueSight Automation Console (on-premises) 
version 20.02.01 only, this widget also shows the total number of missing patches on the impacted asset. This data is 
generated after patch policies run on those assets. 

BMC Discovery sends data about business services at risk to Automation Console. 

 Why do I not see the Top 10 Business Services at Risk?


To view this data, you must ensure that the BMC Discovery connector is configured. For more information, see
Configuring the BMC Discovery connector.

Patch policies
Patch policies identify missing patches on assets.

Typically, a patch administrator analyzes assets to identify the missing patches and determine the patches to be acquired
to comply with the organizational standards. Using BMC Helix Automation Console and TrueSight Automation Console, 
you create a policy that scans all assets. When you create a policy, a Patching Job gets created in TrueSight Server 
Automation. During a policy scan, Automation Console analyzes patches installed or missing on the assets based on the 
catalog selected in the policy. 

Policy results appear on the Assets page and on the Automation Console dashboard. Using these results, you can then
create a remediation operation to install missing patches on the assets. 

Automation Console enables you to create a policy using multiple options: 

• Patch Policy Filters: 
   • Patch Classifications (applicable for Windows only): Enables you to filter the scan based on the patch
     classifications such as for security patches, non-security patches, and security tools. You can also choose to
     skip scanning the assets for service packs. 
   • Patch Groups: TrueSight Server Automation allows you to include or exclude patch groups created in Server 
     Automation. While creating a policy, you can choose to scan the assets based on the patch groups. 
• Assets Selection: Enables you to select either all assets or asset groups (server smart groups in Server Automation) 
  to be scanned by the policy. 

Using the Automation Console, you can schedule a policy to run on a daily or a weekly cadence. 

Where to go from here


To add, edit, enable, or disable a patch policy, see Working with patch policies. 

Working with patch policies


This topic provides instructions on adding, viewing, editing, disabling, or removing patch policies. 

To understand the concept of patch policies, see Patch policies. 

Adding a patch policy


On the Manage > Patch Policies page, click Add Policy and do the following:

1. Enter a unique name for the policy. 
2. Click Browse to select a catalog.
Catalogs are created in TrueSight Server Automation.

3. Click   and choose one of the policy filters:
• Patch Classifications (only for Windows). Select this filter to scan assets based on classifications such as
Security Patches, Security Tools, and Non-Security Patches.
To skip service packs while scanning assets, select Exclude Service Packs. 
• Include Patch Groups. Select this filter to scan assets based on the patch groups that exist in Server 
Automation. 
To exclude a specific set of patches, select one or more patch groups and save your options. 
4. To specify targets, do one of the following:
• Select all assets enrolled in the endpoint manager.
• Select Asset Groups (server smart groups in Server Automation) and then select one or more groups. 
5. In the Patch Schedule section, specify a schedule for the policy:
• Daily: Click the clock icon in the Time field, and specify the time.
• Weekly: 
i. From the Recur Every list, select the number of weeks after which the policy should run again. 
ii. Click the clock icon in the Time field, and specify the time.
iii. Specify the days of the week when the schedule should run.
• Monthly: Click the clock icon in the Time field, specify the time, and then specify one of these options:
• Specify the frequency (first, second, third, or fourth) and the day of the week for the schedule.
• Specify the day in every month when the schedule should run. 
• Select the last day of every month.  
The schedule summary is displayed.



 Can I schedule a policy in another timezone?
No. Automation Console shows the browser time zone. You can only schedule policy scans in the
local time zone.

After you save the patch policy, it is enabled and appears on the Manage Policies page. When you create a policy, in
Server Automation, the policy is saved at the Jobs/<username>_<user_role>/<Policy_Name> location.

Execute patch policy


You can run a patch policy instantly after adding it. You cannot execute a policy that is disabled or already running.

On the Manage > Patch Policies page, do the following:

1. Select a policy and click Actions > Execute now.


2. Click Continue. 

Viewing patch policy results

After a policy runs on the selected assets according to the schedule, the results are displayed on the Manage Patch
Policies page.

You can see the policies available in the product and additional information such as name, scope of the policy scan
according to the assets, the date and time of the last run, and the status.

On the Manage > Patch Policies page, do the following:

1. Click the policy name.


The Scan Run Results page shows results of each policy scan according to the schedule.
2. To view results for any previous scan, click on the scan in the Scan Start Time column. 
The following image shows the results of a policy scan.



The following details are displayed: 
• Total number of assets scanned by the policy
• Number of assets that were scanned successfully or with warnings, and failed scans
• List of assets scanned by the policy and the number of missing and installed patches on these assets
• Log for the policy that contains errors and warnings, if any
• Date, time, and duration of the policy scan
3. To view the policy results for each asset, click the asset name.

You can see each installed and missing patch identified on the selected asset.

Editing a patch policy


On the Manage > Patch Policies page, do the following:

 Warning
When you edit, disable, or remove a policy, all missing patches displayed after the last scan are removed from
the Automation Console.



1. Select a policy and click Actions > Edit.
2. Update the policy details, and click Update. 
 Missing patches according to the new configurations are displayed after a successful scan.

Disabling and enabling a policy


You may want to stop running scanning policies for a while or the policy may no longer be relevant. To stop the policy from
running, disable the policy. 

On the Manage > Patch Policies page, do these steps: 

• Select a policy and click Actions > Disable and click Continue. 


The policy status changes to Disabled and the policy no longer runs according to the schedule. It still appears in the 
patch policy list. 
• To view details of a disabled policy, click Actions > View. 
• Select a policy and click Actions > Enable.
The policy status changes to Enabled and the policy runs according to the schedule. New missing patches are 
reported after a successful scan. 

Removing a patch policy


You cannot delete a policy if it is used by any operation. In such a case, delete the operation first, and then delete the
policy. 

When you remove a policy from the Automation Console, it continues to exist in TrueSight Server Automation. 

On the Manage > Patch Policies page, do the following:

1. Select a policy and click Actions > Remove.
2. Click Continue. 

Scans
Scans enable you to discover potential issues on the assets in your environment. You can use various vulnerability
management systems such as Qualys, Nessus, and Rapid7 to scan the assets. After scanning, you can export scan results 
from these systems and then import them into BMC Helix Automation Console and TrueSight Automation Console. An 
exported scan file collects information about assets (such as servers) and the vulnerabilities associated with those assets.

When a vulnerability scan is imported into Automation Console, assets included in the scan are automatically mapped to
endpoints managed by the underlying endpoint manager, TrueSight Server Automation. The automatic asset mapping
process matches the Domain Name Server (DNS) and then the IP address of an asset in a vulnerability scan to an endpoint
managed in TrueSight Server Automation.

You can remediate these assets against the vulnerabilities using Automation Console.

This topic describes the prerequisites for importing scans, how to validate scans before importing them, and a few
considerations to keep in mind before you import.



Prerequisites for importing scans
Before importing a scan, ensure that you have exported scan results from the vulnerability management system. The
exported file must meet the requirements listed below.

Rapid7 scan file requirement


The scan file exported from Rapid7 must use the XML Export 2.0 format.

Qualys scan file requirements


The scan file exported from Qualys:

• must comply with the following DTD: https://qualysguard.qg2.apps.qualys.com/scan-1.dtd


• cannot be based on report templates.
• must be in XML format and it must end with the .xml extension.

Nessus scan file requirements                                 
• The scan file exported from Nessus can be based on different types of scans (such as OS or network scans) but at a
minimum, it must include the following details:
• Server name
• Server IP address
• Server operating system
• Associated plugin IDs (a plugin is a check for a vulnerability)
• The scan file must be in XML format, and the file must end with the .nessus extension.

Validating scans
BMC provides a utility that allows you to check the validity of scans that you want to import. The utility counts the number
of servers and vulnerabilities found, checks for any required fields that are missing, and determines whether you can
successfully import the scans. The utility is available as a ZIP file, bmcScanFileProfiler-V4.zip, which you can download
from BMC Communities (login required).

After downloading the ZIP file, do the following to check the validity of the scan file:

1. Set the JAVA_HOME environment variable to the location where Java is installed, as follows:
Search for java.exe. JAVA_HOME should point to the directory that contains the bin directory. For 
example, JAVA_HOME=C:\Program Files\Java\jdk1.7.0_75.
2. Extract bmcScanFileProfiler-V4.zip to a temporary directory.
3. From the command line, navigate to the directory where the ZIP file was extracted.
4. Run the following command to profile the scan file:
bmcScanFileProfiler.bat <pathToScanFile>

Considerations before you import


Before you begin importing scans, consider the following:

• A record is one asset with one vulnerability. For example, two assets with 10 vulnerabilities each equals 20 records.



• If subsequent scans include assets that are already scanned with vulnerabilities that are already found, those
vulnerabilities do not increase the record count. 
• To manage record counts, you can reduce the scope of a scan (for example, scanning only for vulnerabilities with
severity 4 and 5) or remove unneeded devices from the scan, such as endpoints not managed with TrueSight
Server Automation.
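
The following added example (not BMC's bmcScanFileProfiler and not part of the original documentation) shows the kind of pre-import check described above for a Nessus export: it verifies the minimum fields listed under Nessus scan file requirements and counts records as asset and vulnerability pairs. It assumes the standard NessusClientData_v2 layout and that one plugin ID on one host is one record; the sample data is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the NessusClientData_v2 layout; hosts and plugin IDs are made up.
SAMPLE_NESSUS = b"""<?xml version="1.0"?>
<NessusClientData_v2>
 <Report name="ProdAdmins_Linux" xmlns:cm="http://www.nessus.org/cm">
  <ReportHost name="web01.example.test">
   <HostProperties>
    <tag name="host-ip">192.0.2.10</tag>
    <tag name="operating-system">Linux Kernel 3.10</tag>
   </HostProperties>
   <ReportItem pluginID="10001" port="443" severity="3"/>
   <ReportItem pluginID="10001" port="8443" severity="3"/>
   <ReportItem pluginID="10002" port="22" severity="1"/>
  </ReportHost>
  <ReportHost name="db01.example.test">
   <HostProperties>
    <tag name="host-ip">192.0.2.20</tag>
   </HostProperties>
   <ReportItem pluginID="10001" port="443" severity="3"/>
  </ReportHost>
  <ReportHost name="idle01.example.test">
   <HostProperties>
    <tag name="host-ip">192.0.2.30</tag>
    <tag name="operating-system">Microsoft Windows Server 2016</tag>
   </HostProperties>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""

# HostProperties tag name -> the requirement it satisfies on this page.
REQUIRED_TAGS = {
    "host-ip": "server IP address",
    "operating-system": "server operating system",
}


def profile_nessus(data: bytes) -> dict:
    """Check the minimum fields and count (asset, plugin ID) records."""
    # A .nessus export carries no DTD, so refuse one instead of letting the
    # XML parser expand entities from an untrusted file.
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        raise ValueError("DOCTYPE/ENTITY declarations are not expected in a .nessus file")
    root = ET.fromstring(data)
    report = root.find("Report")
    if root.tag != "NessusClientData_v2" or report is None:
        raise ValueError("not a NessusClientData_v2 document")

    records, problems = set(), []
    hosts = report.findall("ReportHost")
    for host in hosts:
        name = (host.get("name") or "").strip()
        props = {t.get("name"): (t.text or "").strip()
                 for t in host.findall("HostProperties/tag")}
        missing = [] if name else ["server name"]
        missing += [label for tag, label in REQUIRED_TAGS.items() if not props.get(tag)]
        plugin_ids = {i.get("pluginID") for i in host.findall("ReportItem") if i.get("pluginID")}
        if not plugin_ids:
            missing.append("associated plugin IDs")
        if missing:
            problems.append((name or "<unnamed>", missing))
        # The same plugin reported on several ports is still one asset/vulnerability pair.
        records.update((name, pid) for pid in plugin_ids)
    return {"report_name": report.get("name"), "hosts": len(hosts),
            "records": records, "problems": problems}


def added_records(already_imported: set, scan_records: set) -> int:
    """Records a new import would add; pairs that are already known do not count again."""
    return len(scan_records - already_imported)


if __name__ == "__main__":
    result = profile_nessus(SAMPLE_NESSUS)
    print(result["report_name"], result["hosts"], "hosts,", len(result["records"]), "records")
    for host, missing in result["problems"]:
        print(f"  {host}: missing {', '.join(missing)}")
```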

Where to go from here


To import or delete scans, see Working with scans.

Working with scans


This topic provides instructions on importing and deleting scans.

To obtain scans from a vulnerability management system and validate them before importing, see Scans.

Importing a scan
On the Manage > Import page, click Import Scan, and do the following:

1. Select the vulnerability management vendor.


2. Attach the scan file based on the selected vendor.
BMC recommends that you import files larger than 400 MB from a local area network with a latency of less than 50
milliseconds as large scans from remote networks might not succeed. You can also import a compressed file (single
file only).

 Is there a file size limit for importing a scan file?


Yes. You can import files up to 2 GB.

3. To apply filters while importing data from a scan file, do the following:
a. Select the operating systems. If importing data for SuSE devices, select both Linux and Others.
b. Choose one or more vulnerability severity options.

 Severity levels
Qualys, Nessus, and Rapid7 use different scoring for severity levels. Qualys uses scores of 1-5.
Nessus uses scores of 0-4. Rapid7 uses scores of 1-10. To maintain consistency, BMC increases the
Nessus severity levels by one (so they become 1-5) and maps the ten Rapid7 severity levels to five
levels. 

c. Specify the IP addresses in the Classless Inter-Domain Routing (CIDR) format. 
Data is imported from the scan file only for the servers that belong to the specified IP address range. 
Default value is 0.0.0.0/0, which imports data for all the servers from the scan file.
You can specify one of the following values:
• Single IP address. Example: 168.19.13.12/24
• Comma-separated multiple IP addresses. Example: 168.19.13.12/24,10.25.24.12/12
• A combination of the above formats. Example: 168.19.13.12/24, 168.19.13.12/32,10.25.24.12/12
4. Click Import.
After the import is complete, a message confirms that the scan was imported and informs how many assets were
automatically mapped to endpoints.

If you import multiple scan files one after another, the Scanned Assets page and Import page show all the data that
you import, not just the results of the most recent import. When you import a scan, asset and vulnerability
information is added to any information that is already imported.
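
To preview what the severity and CIDR filters in step 3 would keep, the following added example (not part of the original documentation and not BMC's code) applies both filters to constructed findings. It assumes standard CIDR semantics, in which host bits in a value such as 168.19.13.12/24 are masked off so the whole network is in scope, and it implements only the Qualys and Nessus severity handling because the page does not give the Rapid7 mapping.

```python
import ipaddress


def parse_cidr_filter(value="0.0.0.0/0"):
    """Parse the comma-separated CIDR filter; whitespace around entries is ignored."""
    networks = []
    for part in value.split(","):
        part = part.strip()
        if part:
            # strict=False: the page's own examples (168.19.13.12/24) have host bits set.
            networks.append(ipaddress.ip_network(part, strict=False))
    if not networks:
        raise ValueError("empty CIDR filter")
    return networks


def normalize_severity(vendor, raw):
    """Map a vendor severity to the common 1-5 scale described on the page."""
    vendor = vendor.lower()
    if vendor == "qualys" and 1 <= raw <= 5:
        return raw                      # Qualys already uses 1-5
    if vendor == "nessus" and 0 <= raw <= 4:
        return raw + 1                  # Nessus 0-4 is increased by one
    if vendor == "rapid7":
        raise ValueError("the page does not state how Rapid7 1-10 maps to five levels")
    raise ValueError(f"unexpected severity {raw!r} for vendor {vendor!r}")


def select_findings(findings, cidr_filter, severities):
    """Return the findings whose host is in scope and whose normalized severity is selected."""
    networks = parse_cidr_filter(cidr_filter)
    kept = []
    for f in findings:
        addr = ipaddress.ip_address(f["ip"])
        in_scope = any(addr in net for net in networks)
        if in_scope and normalize_severity(f["vendor"], f["severity"]) in severities:
            kept.append(f)
    return kept


# Constructed findings; IDs and addresses are illustrative only.
SAMPLE_FINDINGS = [
    {"id": "F1", "ip": "168.19.13.200", "vendor": "nessus", "severity": 4},  # in /24, becomes 5
    {"id": "F2", "ip": "168.19.14.5", "vendor": "nessus", "severity": 4},    # outside the /24
    {"id": "F3", "ip": "10.31.200.1", "vendor": "qualys", "severity": 4},    # inside 10.16.0.0/12
    {"id": "F4", "ip": "10.32.0.1", "vendor": "qualys", "severity": 5},      # outside the /12
    {"id": "F5", "ip": "10.20.1.1", "vendor": "nessus", "severity": 2},      # becomes 3, not selected
]

if __name__ == "__main__":
    cidrs = "168.19.13.12/24, 168.19.13.12/32,10.25.24.12/12"
    print([str(n) for n in parse_cidr_filter(cidrs)])
    print([f["id"] for f in select_findings(SAMPLE_FINDINGS, cidrs, {4, 5})])
```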
Importing the same scan file more than once
If you need to import the same scan file more than once, do the following:
• For Qualys and Rapid7, scan files are identified by a unique <SCAN> tag within the XML file. If you are using
those vulnerability management tools and you want to import the same scan more than once, you must
modify the value of the <SCAN> tag. BMC recommends that you change the name of each scan to avoid
confusion.
• For Nessus, you must edit the existing .nessus file and provide a new name value for the <Report> tag. For
example, in a tag such as <Report name="ProdAdmins_Linux" xmlns:cm="http://www.nessus.org/cm">,
the new name value could be, name="NewProdAdmins_Linux"

 If the imported scans do not include a time zone, which time zone is considered?
If no time zone is specified, the browser's time zone is used.

Deleting a scan file


When you delete a scan file, all associations between endpoints and vulnerabilities contained in that file are deleted,
unless the same association is also included in another scan file. If an operation is created for the vulnerabilities in the 
scan file, the vulnerabilities get removed from the operation when you delete the file. However, if you import the scan file
again, the vulnerabilities are considered in the operation automatically. 

When you delete a scan file, depending on the file size, it may take a while before the process is complete. 

On the Manage > Import page, click Action > Remove for the required file.

Assets
The Assets page in the application lists the managed, scanned, and discovered assets.

The Managed Assets tab shows a list of assets that are available in TrueSight Server Automation. When patch policies 
identify missing patches on assets, the assets with missing patches and other details appear on the Managed Assets page.
Missing patches are identified only for assets with Windows or Linux operating systems.

The Scanned Assets tab shows a list of assets imported from a vulnerability scan file, their mapping to endpoints in an 
endpoint manager, and the number of vulnerabilities identified for each asset. 

After you import a vulnerability scan file in BMC Helix Automation Console and TrueSight Automation Console, assets are
automatically mapped to endpoints managed by the endpoint manager, TrueSight Server Automation. During auto-mapping,
Automation Console matches the FQDN or hostname and then the IP address of an asset in a scan to the 
endpoint. Vulnerabilities are not automatically mapped to remediation content unless assets are mapped. If an asset is
decommissioned in TrueSight Server Automation and an operation is not created for remediating missing patches or 
vulnerabilities, the asset gets unmapped in Automation Console. 

Automation Console may not always auto-map all endpoints correctly, because firewalls, load balancers, and 
proxies can cause discrepancies in mapping. You can manually map each unmapped asset to a single endpoint only. If you
map an asset to an endpoint that is already mapped, the existing mapping is overwritten and the asset is mapped to the
new endpoint. 

In BMC Helix Automation Console (SaaS) only, on the Scanned Assets page, you can add tags to the assets. To enter tag 
information, export the asset data to a CSV file, or download a CSV template from Advanced Search. Then upload the
updated CSV file back to Automation Console. In addition to the existing filters, tags provide another criterion
to select a particular asset or a group of assets while creating a vulnerability remediation operation.

The Discovered Assets tab shows the assets that are discovered by BMC Discovery. You configure the BMC Discovery
connector to ensure that unmanaged, unscanned, and total number of discovered assets are sent to Automation Console. 

The total number of assets for each category appears at the top of the page. You can perform a basic or advanced search
using filters to look for specific data. 

Where to go from here


To view a list of discovered assets, assets with vulnerabilities and missing patches, and map assets, see Working with
assets. 

Working with assets


This topic provides instructions on viewing a list of assets with identified vulnerabilities and missing patches, mapping
assets to an endpoint, viewing discovered assets, and searching for more information using filters. 

To learn more about assets, see Assets. 

Viewing assets with missing patches


On the Assets > Managed Assets page, view the following details:

• The total number of impacted assets appears near the tab title. 
• Host name, IP address, operating system, and number of unique missing patches for an asset.  
• To search for an asset, enter a search term, and click Search.
You can search using the host name, IP address, or operating system. 
To view the list of unique missing patches for any asset, do the following:

1. Click the link against any asset in the Missing Patches column. 
The Risks > Missing Patches page shows the unique missing patches, patch age, severity, classification, and CVE IDs
for each missing patch for the particular asset. 
2. Click Clear Filters to view all unique missing patches across all assets. 
To view more information about the missing patches, see Working with risks.

Viewing assets from a vulnerability scan


On the Assets > Scanned Assets page, view the following details: 

• Total number of assets imported from a scan appears near the tab title.
• Host name, IP address, status, source, operating system, and vulnerabilities identified for each asset. 
To view a list of vulnerabilities identified for an asset, do the following: 



1. Click the link against any asset in the Vulnerability column.
The Risks > Vulnerabilities page shows the vulnerabilities and their details. 
2. Click Clear Filters to view all vulnerabilities imported from the latest scan. 
To view more information about vulnerabilities, see Working with risks.
To search for an asset, enter a host name or IP address, and click Search. 

Mapping and unmapping assets


On the Assets > Scanned Assets page, do the following: 

1. Select an asset and click Map.


2. Select an endpoint and save changes.
The asset status changes to Mapped and the mapped endpoint appears under the asset host name. 
To remove mapping, select one or more assets with the status as Mapped, and click Remove Mapping. You cannot
remove mapping for assets for which a remediation operation is created and scheduled. 

Adding tags to assets
In BMC Helix Automation Console (SaaS), you can add tags. In TrueSight Automation Console (on-premises), you must 
upgrade to 20.02.01: Patch 1 for TrueSight Automation Console 20.02 to use tags. 

On the Assets > Scanned Assets page, do the following:

1. Click Export to get the assets data into a CSV file. 
OR
Go to Advanced Search option, select Upload tags metadata, and download the CSV template. 
2. In the CSV file, add tag keys and values to be associated with the assets in the new Tags column, in a key:value
format. 
OR
If using a template, provide data for assets, and add tag keys and values in the Tags column, in a key:value format. 
For example, the CSV template is in the following format, in which you provide the asset data and tags:  

| Asset ID | Scanned Hostname | Scanned IP Address | Tags |
|---|---|---|---|
| <asset_name> | <hostname> | <IP_address> | LOCATION: Pune; OWNER: Admin |
| <asset_name> | <hostname> | <IP_address> | LOCATION: USA; OS: Redhat Linux |

 Best practices for adding tags


- To add more than one key:value pair, use a semi-colon to separate the list.
- You can add more than one value for a particular key in a key:value pair format. 
Example: LOCATION: Pune; LOCATION: Austin
- Tag values provided in the CSV file overwrite the values on the Scanned Assets page.

3. In the Advanced Search option, select Upload tags metadata.



4. Attach the updated CSV file, and then click Upload.
5. Go to Advanced Search and click Tags to view the list of added tags and choose one or more tags to view assets 
based on the selected tags.

Removing tags
To remove tags, delete the single or multiple key:value pair(s) in the exported CSV file, and then upload the same file back 
in Automation Console.

You can remove tags in BMC Helix Automation Console (SaaS) and TrueSight Automation Console (on-premises) version 
20.02.01 only.
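
Because uploaded tag values overwrite what is on the Scanned Assets page, and deleting a pair from the CSV removes the tag, it helps to diff the edited file against the export before uploading. The following added example (not part of the original documentation) parses the Tags column in the key:value; key:value format described under Adding tags to assets and reports what an upload would add and remove per asset. It assumes a comma-separated file with the column headers shown in the template; the sample rows are constructed.

```python
import csv
import io


def parse_tags(cell):
    """Parse 'KEY: value; KEY: value' into {key: {values}}; a key may repeat."""
    tags = {}
    for pair in cell.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        key, sep, value = pair.partition(":")   # split on the first colon only
        key, value = key.strip(), value.strip()
        if not sep or not key or not value:
            raise ValueError(f"malformed tag {pair!r}; expected key:value")
        tags.setdefault(key, set()).add(value)
    return tags


def load_tags(csv_text):
    """Return {asset ID: parsed tags} and name the row of any malformed cell."""
    assets = {}
    for row_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        try:
            assets[row["Asset ID"]] = parse_tags(row.get("Tags") or "")
        except ValueError as err:
            raise ValueError(f"row {row_no}: {err}") from None
    return assets


def tag_changes(exported_csv, edited_csv):
    """Per asset, the (key, value) pairs an upload of edited_csv would add or remove."""
    before, after = load_tags(exported_csv), load_tags(edited_csv)
    changes = {}
    for asset, new_tags in after.items():
        old_pairs = {(k, v) for k, vs in before.get(asset, {}).items() for v in vs}
        new_pairs = {(k, v) for k, vs in new_tags.items() for v in vs}
        added, removed = new_pairs - old_pairs, old_pairs - new_pairs
        if added or removed:
            changes[asset] = {"added": sorted(added), "removed": sorted(removed)}
    return changes


# Constructed sample files using the template's column headers.
EXPORTED_CSV = """\
Asset ID,Scanned Hostname,Scanned IP Address,Tags
asset-1,web01.example.test,192.0.2.10,LOCATION: Pune; OWNER: Admin
asset-2,db01.example.test,192.0.2.20,LOCATION: USA; OS: Redhat Linux
"""

EDITED_CSV = """\
Asset ID,Scanned Hostname,Scanned IP Address,Tags
asset-1,web01.example.test,192.0.2.10,LOCATION: Pune; LOCATION: Austin
asset-2,db01.example.test,192.0.2.20,LOCATION: USA; OS: Redhat Linux
"""

if __name__ == "__main__":
    for asset, change in tag_changes(EXPORTED_CSV, EDITED_CSV).items():
        print(asset, "adds", change["added"], "removes", change["removed"])
```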

Viewing assets from BMC Discovery


On the Assets > Discovered Assets page, view the following details:

• The key performance indicators (KPIs) show the following information: 
• Total Discovered Assets: Total number of discovered assets by BMC Discovery.
• Unmanaged Assets: Total number of assets that are found by BMC Discovery, but are not mapped to
endpoints in TrueSight Server Automation.
• Unscanned Assets: Total number of assets, either discovered, or mapped in Server Automation, but not yet 
scanned for vulnerabilities. For BMC Helix Automation Console, if an auto-mapped asset is unmapped from 
the Scanned Assets page, it is counted in Unscanned Assets. 
• To view all assets for a category, click the KPI link. 
For example, if you click Total Discovered Assets, all assets discovered by BMC Discovery appear in the list. 
• Host name, IP address, and the operating system for the assets. 
• To search for an asset, enter a search term, and click Search.
You can search using the host name, IP address, or operating system of the asset. 
• If you want to remove an asset, remove it first from TrueSight Server Automation and then from BMC Discovery. 
This change gets reflected in Automation Console based on the Data Refresh Cycle configured on the 
Administration > Service Account page. 

 Why do I not see any data on the Discovered Assets page after installing Automation Console?
To view discovered assets, you must ensure that the BMC Discovery connector is configured after the
installation. For more information, see Configuring the BMC Discovery connector.

Performing an advanced search


On the Assets > Managed Assets page, do the following: 

1. Click Advanced Search and choose one or more of the following options:
• Unique Missing Patch
• Operating System
• Asset
2. Click Clear Filters to go back and view unfiltered data. 
On the Assets > Scanned Assets page, do the following: 



1. Click Advanced Search and choose one or more of the following options:
• Operating System
• Asset
• Status
• Source
• Vulnerability Name
• Tag (available in BMC Helix Automation Console (SaaS) 20.02 Patch 1 and TrueSight Automation 
Console (on-premises) 20.02 Patch 1 only) 
2. Click Clear Filters to go back and view unfiltered data. 
On the Assets > Discovered Assets page, do the following: 

1. Click Advanced Search and choose one or more of the following options:
• Asset
• Operating System
2. Click Clear Filters to go back and view unfiltered data. 

Risks
Risks refer to missing patches and vulnerabilities that are identified on assets.

Missing patches
When patch policies identify missing patches on assets, details about the missing patches are displayed on the Missing
Patches page under Risks. Missing patches are identified only for assets with Windows or Linux operating systems.

Vulnerabilities
You can import scan results for vulnerabilities that are scanned by the vulnerability management systems such as Nessus,
Qualys, and Rapid7. When you import the results in BMC Helix Automation Console (SaaS) or TrueSight Automation 
Console (on-premises), vulnerabilities get mapped to the remediation content automatically, or you may need to map 
them manually. Imported vulnerabilities are displayed on the Vulnerabilities page under Risks.

Operations to remediate vulnerabilities can only be created if vulnerabilities are mapped to appropriate remediation
content. 

Auto-mapping process
When you import a scan file, vulnerabilities get automatically mapped to remediation content (patches only) if both of
these conditions are fulfilled: 

• Assets in the scan file are either automatically or manually mapped to endpoints in the endpoint 
manager, TrueSight Server Automation. 
• Patch catalogs that contain remediation for Common Vulnerability and Exposure (CVE) numbers associated with 
the vulnerabilities are already imported in Automation Console. 
If you import a patch catalog after importing the scan file, vulnerabilities are not automatically mapped. 



By default, Automation Console attempts to match the CVE ID of a vulnerability to a CVE ID associated with a bulletin or 
errata in a catalog imported in Automation Console. During auto-mapping, if a vulnerability with a CVE ID is mapped to 
patch catalogs of two different operating systems, and that same vulnerability is reported on the assets of different
operating systems too, then Automation Console maps the remediation content to both the assets automatically. 

On the Risks > Vulnerabilities page, the vulnerability status shows the remediation content mapping status. Consult the 
following table to understand the scenarios for each status. 

| Vulnerability Status | Scenario | Action required |
|---|---|---|
| Auto-mapped | There is a one-to-one mapping between CVE IDs and remediation content. For example, each CVE ID is mapped to one remediation content. | None. Remediation operation can be created with no changes required in the mapping. |
| Partially Mapped | Multiple CVE IDs for a vulnerability, but remediation content is mapped only for a few CVE IDs. If an operation is created, this vulnerability is partially remediated and no longer appears in the Vulnerabilities list. Such a vulnerability still appears in the next scan. | None. Remediation operation can be created. However, vulnerability is partially remediated for the CVE IDs for which the remediation content is available. |
| Partially Mapped (Action Required) | One CVE ID is mapped to more than one remediation content. | Yes. Remove the current mapping and manually map the vulnerability to the appropriate remediation content. After mapping the status changes to Mapped. Now, a remediation operation can be created. |
| Unmapped | Vulnerability is not mapped to any remediation content. This can happen if assets are not mapped to endpoints in the endpoint manager or patch catalogs are not imported in Automation Console. | Yes. Manually map the vulnerability to an appropriate remediation content. See Manual mapping process. |
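
The status rules in the table above can be used to predict, before an import, which vulnerabilities will need manual mapping. The following added example (not part of the original documentation and not Automation Console's implementation) classifies constructed vulnerabilities against a constructed CVE-to-remediation catalog. The precedence between statuses when several scenarios apply is an assumption, and the CVE IDs and patch names are placeholders.

```python
def mapping_status(cve_ids, catalog, asset_mapped=True):
    """Return the status from the table for one vulnerability.

    catalog maps a CVE ID to the list of remediation content that covers it.
    Assumed precedence: an unmapped asset wins, then any CVE with more than
    one remediation, then full coverage, then partial coverage.
    """
    if not asset_mapped or not cve_ids:
        return "Unmapped"
    counts = [len(catalog.get(cve, ())) for cve in cve_ids]
    if any(n > 1 for n in counts):
        return "Partially Mapped (Action Required)"
    if all(n == 1 for n in counts):
        return "Auto-mapped"
    if any(n == 1 for n in counts):
        return "Partially Mapped"
    return "Unmapped"


def triage(vulnerabilities, catalog):
    """Return {name: (status, CVE IDs without remediation content)}."""
    result = {}
    for vuln in vulnerabilities:
        status = mapping_status(vuln["cves"], catalog, vuln.get("asset_mapped", True))
        uncovered = [c for c in vuln["cves"] if not catalog.get(c)]
        result[vuln["name"]] = (status, uncovered)
    return result


def needs_manual_mapping(triaged):
    """Names whose status has 'Yes' in the Action required column."""
    return sorted(name for name, (status, _) in triaged.items()
                  if status in ("Unmapped", "Partially Mapped (Action Required)"))


# Constructed catalog and vulnerabilities; CVE IDs are placeholders, not real entries.
SAMPLE_CATALOG = {
    "CVE-0000-0001": ["patch-A"],
    "CVE-0000-0002": ["patch-B"],
    "CVE-0000-0003": ["patch-C", "patch-D"],
}

SAMPLE_VULNS = [
    {"name": "vuln-A", "cves": ["CVE-0000-0001", "CVE-0000-0002"]},
    {"name": "vuln-B", "cves": ["CVE-0000-0001", "CVE-0000-0004"]},
    {"name": "vuln-C", "cves": ["CVE-0000-0003"]},
    {"name": "vuln-D", "cves": ["CVE-0000-0005"]},
    {"name": "vuln-E", "cves": ["CVE-0000-0001"], "asset_mapped": False},
]

if __name__ == "__main__":
    triaged = triage(SAMPLE_VULNS, SAMPLE_CATALOG)
    for name, (status, uncovered) in triaged.items():
        print(f"{name}: {status}; no remediation for {uncovered or 'none'}")
    print("manual mapping needed:", needs_manual_mapping(triaged))
```

For a Partially Mapped vulnerability, the uncovered CVE IDs are the part that stays unremediated and, as the table notes, reappears in the next scan.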



Manual mapping process
If some vulnerabilities remain unmapped during import or during auto-mapping of new vulnerabilities, you can
manually map them to remediation content. You can perform manual mapping for only one vulnerability at a time. 

When mapping manually, the remediation content can be of the following types:

• BLPackages
• Network Shell (NSH) scripts
• Patches
• Installshield packages
• Microsoft Installer (MSI) packages
• Operating system service packs
• Red Hat packages
• Custom software

Where to go from here


To view missing patches and vulnerabilities, and map vulnerabilities to remediation content, see Working with risks.

Working with risks


This topic provides instructions on viewing a list of missing patches and vulnerabilities, and mapping and unmapping
vulnerabilities to the remediation content.

To learn about missing patches and the automatic and manual mapping processes, see Risks.

Viewing and exporting unique missing patches


On the Risks > Missing Patches page, view the list of missing patches.

• Missing Patches contains the following information for each unique missing patch:
  • Patch name
  • Impacted Assets. Click the link to view a list of impacted assets for the particular patch.
  • Patch Age, in days
  • Severity
  • Classification
  • CVE IDs: CVE Identification numbers specified in the patch catalog.
  Patch Age, Severity, and CVE IDs are provided by the patch vendor.
• You can either search by patch name, classification, and CVE ID (basic search) or by severity, asset, operating
  system, CVE IDs, classification, and patch age (advanced search).
• To view the list of impacted assets for a unique missing patch, do the following:
  a. Click the link in the Impacted Assets column.
     The Managed Assets page shows the host name, IP address, operating system, and the total number of
     unique missing patches for each asset.
  b. Click Clear Filters to view all assets and unique missing patches in your environment.

Exporting missing patches
On the Risks > Missing Patches page, click Export and enter a name to save the results in a CSV file. 

If you filter data using advanced search options and then export, filtered data appears in the CSV file. 

Viewing and exporting vulnerabilities


On the Risks > Vulnerabilities page, view the list of vulnerabilities.

• The Vulnerabilities page contains the following information for each unique vulnerability:
  • CVE IDs
  • Severity level
  • Status (Mapped, Automapped, or Unmapped)
  • Source: Expand the vulnerability to view the vulnerability management system that identified the
    vulnerability
  • Remediation and remediation type for the vulnerability: To view complete remediation details, click the
    link.
  • Impacted Assets: To view the list of impacted assets by that vulnerability, click the link.
• You can either search by vulnerability name and CVE ID (basic search) or by severity, asset, operating system, CVE
  IDs, scan file, and status (advanced search). You can filter by Status in BMC Helix Automation Console (SaaS)
  and TrueSight Automation Console (on-premises) version 20.02.01 only.
  Click Clear Filters to view unfiltered data.
• To view the list of impacted assets by a vulnerability, do the following:
  a. Click the link in the Impacted Assets column.
     The Scanned Assets page shows the host name, IP address, mapping status, source, and operating system
     that are impacted by the vulnerability.
  b. Click Clear Filters to view all assets and the number of vulnerabilities impacting those assets.

Viewing details of a vulnerability


Click the vulnerability name to view its details. The vulnerability panel displays more information, including its severity
level, CVEs that are included, description, links to the related vendor (such as Microsoft), and links to the patches that can
be deployed to fix the vulnerability.

The following panel shows the details of the Microsoft SChannel Remote Code Execution vulnerability.

Viewing details of a remediation
After a vulnerability has been mapped to the remediation content, you can view the remediation details such as type of
content (BLPackage, Patch, or NSH Script), catalog name, patch name, the path to the file, and any target rules that are
defined for deploying the package. If an entry provides information for multiple remediations, the panel lists the
information for each remediation content.

To view details of a remediation, do the following:

• In the Remediation column, click the remediation link.
The remediation panel shows the type of remediation, rules, catalog name, patch name, and the path where the
remediation content is available, as shown in the following figure for a vulnerability.
• To view vulnerability details, expand the vulnerability.
Vulnerability ID, Source, and CVE ID are displayed.

Exporting vulnerabilities
On the Risks > Vulnerabilities page, click Export and enter a name to save the results in a CSV file. 

If you filter data using the advanced search options and then export, filtered data appears in the CSV file. 

Mapping and unmapping vulnerabilities


Use the instructions in the following sections to map and unmap vulnerabilities.

Auto-mapping new vulnerabilities


If BMC Helix Automation Console is not able to auto-map vulnerabilities during import, you can attempt to auto-map the
unmapped vulnerabilities to remediation content. To auto-map content, patch catalogs must be imported and assets must
be mapped to endpoints in the endpoint manager, TrueSight Server Automation.

On the Risks > Vulnerabilities page, do the following:

1. (Optional) Use the search feature to limit the number of vulnerabilities. For example, you might want to search by
severity level so you can map vulnerabilities with the highest severity first.
2. Click Automap New on the top of the page.
Vulnerabilities that are auto-mapped are marked with an icon in the Status column.

Manually mapping vulnerabilities
If some vulnerabilities remain unmapped during import or during auto-mapping of new vulnerabilities, you can perform a
manual mapping procedure.

On the Risks > Vulnerabilities page, do the following:

1. (Optional) Use the search feature to limit the number of vulnerabilities. For example, you might want to search by 
severity level so you can map vulnerabilities with the highest severity first.
2. From Actions, select Map for the vulnerability.
The Vulnerability Mapping page shows the existing mappings, if any.
3. Click + Map Remediation Content.
The Map Content section displays the remediation content.
4. Search for the remediation content that you want to map to the selected vulnerabilities:
a. Choose the remediation content type, NSH Script or Package. 
b. Enter a text string in the Search text box.
Your text is matched against the names of any remediation content.
5. Select the remediation package that should be deployed to the targets.
6. If you need to map multiple remediation packages to the same vulnerability, define the target scope that
determines the types of targets where the package should be deployed.
Typically, target scope specifies different packages for different operating systems and architectures.
  • Use the default option, All, if you want to map remediation packages to all the targets.
  • Click Specify Target Scope if you want to map remediation packages to specific targets.
    A set of options appears that establish the scope for deploying the package.
    i. In the row defining the scope, for the first field, select any of the following:
       • OS–For example, Windows.
       • OS Platform–For example, x86_64.
       • OS Version–For example, 2008 R2.
       • OS Patch Level–For example, SP1, SP2.
       • OS Release–For example, 6.1.
       • OS Vendor–For example, Microsoft.
    ii. In the last field of the first row, enter a text string as the search criteria. Evaluation is based on
        whether a field contains the string you entered. For example, if you are specifying the Windows
        operating system, enter a string such as win. When evaluating targets, if the OS name contains the
        string win, the package is deployed there.
    iii. In the next row defining the scope, select whether the target must satisfy all or any of the values
         you provided in the first row.
    iv. To add another rule defining the scope, click Add Criteria. A new row appears. Use its fields to
        define an additional rule.
7. To define another set of target scope and rules for another remediation package, click + Map Remediation
Content.
8. Click Save. The selected remediation content items are mapped to the selected vulnerabilities. The Vulnerabilities
page shows the mapped remediation content against the vulnerability when you expand it. 
If the mapping is unsuccessful, a message indicating the same is displayed on the GUI.
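The target scope rules in step 6 match by substring, so a short search string can select more targets than intended. The following sketch is an added example, not BMC code: it models the "contains" criteria and the all/any choice so that a set of planned mappings can be checked for overlapping or missing coverage before they are saved. The field keys, package names, host inventory, and the case-insensitive comparison are assumptions made for the illustration.

```python
"""Dry-run model of the target scope rules described in step 6 (added example)."""
from dataclasses import dataclass

# Scope fields listed on the page, under hypothetical attribute keys.
SCOPE_FIELDS = {"os", "os_platform", "os_version", "os_patch_level",
                "os_release", "os_vendor"}


@dataclass(frozen=True)
class Criterion:
    field_name: str
    text: str

    def __post_init__(self):
        if self.field_name not in SCOPE_FIELDS:
            raise ValueError(f"unknown scope field: {self.field_name}")
        if not self.text.strip():
            # An empty string is contained in every value and would match all targets.
            raise ValueError("search text must not be empty")

    def matches(self, target):
        # "Contains" evaluation; ignoring case is an assumption of this sketch.
        return self.text.lower() in target.get(self.field_name, "").lower()


@dataclass(frozen=True)
class ScopedMapping:
    package: str
    criteria: tuple = ()   # empty tuple models the default scope "All"
    require: str = "all"   # target must satisfy "all" or "any" criteria

    def __post_init__(self):
        if self.require not in ("all", "any"):
            raise ValueError("require must be 'all' or 'any'")

    def applies_to(self, target):
        if not self.criteria:
            return True
        hits = [c.matches(target) for c in self.criteria]
        return all(hits) if self.require == "all" else any(hits)


def review_scopes(mappings, targets):
    """Report which packages each target would receive, plus overlaps and gaps."""
    matches = {t["host"]: [m.package for m in mappings if m.applies_to(t)]
               for t in targets}
    return {
        "matches": matches,
        "overlap": sorted(h for h, p in matches.items() if len(p) > 1),
        "unmatched": sorted(h for h, p in matches.items() if not p),
    }


# Constructed inventory: host names and attribute values are sample data.
TARGETS = [
    {"host": "host-a", "os": "Windows", "os_platform": "x86_64",
     "os_version": "2008", "os_vendor": "Microsoft"},
    {"host": "host-b", "os": "Windows", "os_platform": "x86_64",
     "os_version": "2008 R2", "os_patch_level": "SP1", "os_vendor": "Microsoft"},
    {"host": "host-c", "os": "RedHat", "os_platform": "x86_64",
     "os_version": "7", "os_vendor": "Red Hat"},
]

# Constructed mappings: "2008" is also a substring of "2008 R2", so the first
# scope silently includes the R2 host as well.
MAPPINGS = [
    ScopedMapping("pkg-2008", (Criterion("os", "win"),
                               Criterion("os_version", "2008"))),
    ScopedMapping("pkg-2008r2", (Criterion("os", "win"),
                                 Criterion("os_version", "2008 R2"))),
]

if __name__ == "__main__":
    report = review_scopes(MAPPINGS, TARGETS)
    for host, packages in report["matches"].items():
        print(host, "->", packages or "no package")
    print("overlapping scopes:", report["overlap"])
    print("no matching scope:", report["unmatched"])
```

A host listed under overlap would fall inside more than one scope; narrowing the search string or adding a criterion on another field resolves it.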

Unmapping vulnerabilities
You can unmap a vulnerability irrespective of whether it is mapped manually or automatically.

To unmap a vulnerability, from Actions, select Remove Mapping for the vulnerability.

Operations
Operations perform corrective actions on assets in your environment to remediate missing patches and vulnerabilities.

Patch operation
When you create a patch policy in BMC Helix Automation Console and TrueSight Automation Console, a Patch Analysis Job 
is created in TrueSight Server Automation. This job scans the servers in your environment and finds missing patches, which 
are reported on the Risks > Missing Patches page. You can then create a patch remediation operation in the Automation 
Console that creates a Patch Analysis Remediation Job in Server Automation. This job installs missing patches on the 
selected assets.

Vulnerability operation
When you import a vulnerability scan file in the Automation Console, assets and vulnerabilities appear on the Assets >
Scanned Assets and Risks > Vulnerabilities pages respectively. To remediate vulnerabilities, assets must be mapped to an
endpoint in the endpoint manager, and vulnerabilities must be mapped to remediation content. When you import a scan
file, assets and vulnerabilities are usually automatically mapped depending on the catalogs imported in Automation
Console. If they are not automatically mapped, you must manually map assets and vulnerabilities.

You can then create a vulnerability remediation operation, which performs the action as per the remediation content
mapped for the vulnerabilities. When you create an operation, depending on the remediation content mapped to the
vulnerabilities, Patch, NSH, or Deploy type jobs are created in Server Automation.

When you create a vulnerability operation, all vulnerabilities that are mapped to a common remediation content
impacting the same asset are resolved. After the operation is successful, these vulnerabilities are closed and no longer
appear in the Risks > Vulnerabilities list. If vulnerabilities mapped to the same remediation content are a part of a
different operation, scheduled at a later period, those vulnerabilities are also remediated and closed. 

For a vulnerability, when you create another remediation content under a different security group, then the latest
remediation content overwrites the existing content. 

When you create an operation, a pre-analysis, deploy, and post-analysis job is executed in Server Automation. 

Note
You can create an operation using all the available options. However, to configure notification options, you must
configure a mail server in Server Automation. See Configuring a mail server in TrueSight Server Automation.

Change automation
Starting with version 20.02, if an administrator has configured change automation in your environment, depending on the
configuration, you can create a change request for a vulnerability operation in BMC Remedy IT Service Management.
Creation of change requests is not available for a patch operation.

In BMC Helix Automation Console (SaaS), you can create a change request for a patch remediation operation too. This 
capability is not available in TrueSight Automation Console (on-premises). 

After the change request is approved, the operation runs as per the defined schedule. After the operation is successful,
the change request is updated and closed. You can view the status of the change request on the Operations page. 

Based on your organization's needs, an administrator can make change request creation mandatory or optional. If it is
mandatory, you must select the change request values to create a change for this operation. If optional, you can skip
change creation and create an operation without a change tracking process.

For more information, see Change automation. 

Where to go from here


To create, edit, and remove an operation, and to view the operation results, see Working with operations. 

Working with operations


This topic provides instructions to add operations for remediating missing patches or vulnerabilities, and view the results
after an operation is complete. 

To understand the concept of operations, see Operations. 

Adding a patch remediation operation


On the Operations page, click Add Operation, and do these steps: 

1. Enter a unique operation name, and an optional description, and then click Next.

2. On the Patch Selections page, do these steps: 
a. Select a patch policy (policy having missing patches).
b. To specify assets, do one of the following:
• Select associated groups (server smart groups imported from the policy).
• Select associated assets and then select individual assets.
3. To specify reboot options for the assets, select one of the following options: 
• Honor Patch Reboot Settings: Adheres to the reboot settings defined for the patch in the patch catalog
• Do Not Reboot: Does not reboot automatically after installing the required patches
• Reboot at the End: Reboots all assets after the operation is complete
4. To configure change request creation and approval, select the following options: 
You can create a change ticket for a patch operation in BMC Helix Automation Console (SaaS) only.
The Change Approval Management page appears only if change automation is enabled in your environment.  
a. Enable Create Change Ticket.

Is the Create Change Ticket option mandatory? How can I disable the change request creation?
You can enable or disable change ticket creation depending on how administrators have
configured the TrueSight Orchestration connector configuration. If the connector is configured
with Change Approval as required, you cannot disable the option or skip this step.

If already selected, continue to select values in other fields for creating a change request. 
b. Change Template Name: Templates available in TrueSight Orchestration appear. 
c. Urgency
d. Impact
e. Reason for Change
f. ChangeClass
5. To specify a schedule for the operation, select one of the following options: 
a. I will do it later: Change approval is not applicable.
b. Set a schedule: 
i. Click the calendar icon in the Date and Time field, and specify the date and time. 
ii. Select the hours or minutes in the Staging field to specify a staging window. 
A staging window determines the time before which the patches and payload data must be
downloaded on the assets before running the remediation operation. Maximum limit is 999 hours. 
c. Execute now
6. To configure notifications, select any of the following options: 
• Send email to: Specify a comma-separated list of email addresses, and then select one or more of the
following options: 
• Select the status to send an email based on the operation status. 
• Select Attach patch analysis results to the email, and then specify the email attachment size limit. 
• Specify whether to send a list of assets where the operation failed. 
• Send SNMP trap to: Specify a hostname or IP address of the server to notify the operation results and then
select one or more status options when a notification should be sent.

7. View the summary of options selected for the operation and save changes. 
The operation runs according to the defined schedule. 

Adding a vulnerability remediation operation


On the Operations page, click Add Operation, and do these steps: 

1. Enter a unique operation name, and an optional description, and then click Next.
2. Select Vulnerability Selections and do these steps: 
• Enter a violation name, asset hostname or IP address, or a CVE ID, and click Search.
Assets with vulnerabilities that are mapped to remediation content are displayed. 

Can I perform an empty search?
No. However, you can place your cursor in the search box, add a space, and click Search. All assets
with vulnerabilities mapped to the remediation content are displayed.

• Click Advanced Search and choose one or more of the following options:
  • Vulnerability Name
  • Severity
  • Operating System
  • Asset
  • CVE ID
  • Scan File
  • Tag
  Assets with vulnerabilities that match the search results are displayed.
  To view details about the vulnerabilities, expand the asset name. Vulnerability name, port, CVE IDs,
  severity, remediation, and the remediation type are displayed.

3. To configure additional remediation options based on the remediation content, do these steps: 
• If there are no configuration options, click Next. 
• For a Patch type of operation, select one of the following options: 
• Honor Patch Reboot Settings: Adheres to the reboot settings defined for the patch in the patch
catalog
• Do Not Reboot: Does not reboot automatically after installing the required patches
• Reboot at the End: Reboots all assets after the operation is complete
4. To specify a schedule for the operation, select one of the following options: 
• I will do it later: Change approval is not applicable. 

• Set a schedule: Click the calendar icon in the Date and Time field, and specify the date and time. 
• Execute now
5. To configure change request creation and approval, select the following options: 
The Change Approval Management page appears only if change automation is enabled in your environment.  
a. Enable Create Change Ticket.

Is the Create Change Ticket option mandatory? How can I disable the change request creation?
You can enable or disable change ticket creation depending on how administrators have
configured the TrueSight Orchestration connector configuration. If the connector is configured
with Change Approval as required, you cannot disable the option or skip this step.

If already selected, continue to select values in other fields for creating a change request. 
b. Change Template Name: Templates available in TrueSight Orchestration appear. 
c. Urgency
d. Impact
e. Reason for Change
f. ChangeClass
6. To configure notifications, select any of the following options: 
• Send email to: Specify a comma-separated list of email addresses, and then select one or more of the
following options: 
• Select the status to send an email based on the operation status. 
• Select Attach patch analysis results to the email, and then specify the email attachment size limit. 
• Specify whether to send a list of assets where the operation failed. 
• Send SNMP trap to: Specify a hostname or IP address of the server to notify the operation results and then
select one or more status options when a notification should be sent.
7. View the summary of options selected for the operation and save changes. 
A draft operation is created, which creates sub-operations based on the remediation type. Depending on the
remediation type, such as an NSH script, patch, or deploy type, separate jobs are created in TrueSight Server
Automation. For example, if the vulnerabilities require only an NSH script and a deploy job, two separate jobs are
created in TrueSight Server Automation and two operations are displayed on the Operations page.
If change approval is configured, after a change request is created, the change request ID appears on the
Operations page for all types of operations. Click the ID to view the status and other details.

Consult the following table to understand the correlation between the change request status and the operation
status and the impact on the vulnerabilities and assets state. 

| Change request status | Operation status | Vulnerabilities and assets state |
|---|---|---|
| Not applicable yet | Awaiting attention | Awaiting attention |
| New | Awaiting approval | Awaiting approval |
| Ready to Execute | Awaiting execution | Awaiting execution |
| | Success (After the operation completes successfully) | Closed (After the operation completes successfully) |
| Ready to execute | Cancelled due to schedule timeout | Awaiting attention |
| Cancelled | Cancelled due to approval rejection | Awaiting attention |

Viewing results for an operation


On the Operations page, do the following:

1. Click the operation name.


The Operation Run Results page shows the following details:
• Date, time, and duration of the operation
• Date, time, and status of the policy scan conducted as part of the operation (for a patch operation only)
• Date, time, and status of the operation (for a vulnerability operation only)
• Total number of assets on which the operation is performed, and their status
• List of assets and the number of patches installed or missing on them (for a patch operation only)

Are operation results displayed for all operations?
No. Operation results are displayed for operations in a Success state.

3. To view the list of patches installed for each asset, click the asset name (for a patch operation only).

The patch name and the status are displayed. You can view the patch severity for each patch.
4. To view detailed logs for an operation, click logs. 
Detailed log messages with a timeline are displayed for each asset. 

Removing an operation
An operation can only be run once. You may want to remove operations periodically to ensure that your application does 
not contain irrelevant data. 

When you delete a vulnerability remediation draft operation, its sub-operations are also removed. This is available in BMC 
Helix Automation Console (SaaS) and TrueSight Automation Console (on-premises) version 20.02.01 only. 

For a patch remediation operation, no draft operations get created. 

On the Operations page, do the following:

1. Select an operation and click Action > Remove.


2. Click Continue.

Administering
This section describes system configuration and maintenance activities. Administrators can use this information to 
configure the system and enable operators to perform routine tasks.

• Service Account
• Security groups
• Service Level Agreements
• Catalogs
• Change automation

Service Account
A service account is used to enable the Data Refresh capability in TrueSight Server Automation. In TrueSight Server 
Automation, the Data Refresh capability monitors jobs that affect the status of the missing patches and managed assets 
and regularly updates the job data in BMC Helix Automation Console and TrueSight Automation Console.

This service account is also used for change automation while obtaining approvals from BMC Remedy IT Service
Management. 

The user that you specify in the service account must be assigned to roles with permissions to read information from
the Server Automation application server. The service account user is specified during installation. If the user does not 
exist in the endpoint manager or invalid credentials are specified, you are asked to add the account when you log in to
the Automation Console user interface for the first time. 

In this release, a single service account is used for a single instance of Automation Console. 

Where to go from here


To add, edit, and view service accounts, see Working with a service account. 

Working with a service account


This topic provides instructions for adding, editing, and viewing a service account.

To understand the concept of a service account, see Service Account. 

Adding a service account


The service account user is specified during installation. If the user does not exist in the endpoint manager or invalid
credentials are specified, you are asked to add the account when you log in to the Automation Console user interface for 
the first time. 

On the Administration > Service Account page, click Add and do the following: 

1. Enter a time interval (in minutes) after which you want the data to be refreshed. 
By default, the time interval is 60 minutes. Minimum acceptable is 5 minutes and maximum is 10080 minutes.

2. Enter the username, password, and role, and select the authentication method of a user that belongs to the BLAdmins
role or to a role with all administrative permissions in Automation Console, and click Add.

Editing a service account


On the Administration > Service Account page, do the following:

1. In the Actions column, click Edit. 
2. Update the data refresh interval or connecting profile details, and click Update. 

Viewing service account details


On the Administration > Service Account page, view the service account associated with Automation Console. 

Click the link under Host Name to view the service connector host, and the user profile specified for the account. 

Security groups
Security groups contain users that inherit a set of permissions based on a role defined in the endpoint manager. In this
release, the BMC Helix Automation Console and TrueSight Automation Console is supported as an endpoint manager. 
Security groups in Automation Console must map exactly to the TrueSight Server Automation roles. When you add a
security group in Automation Console, all users assigned to that role in Server Automation can log on to the Automation 
Console. 

Users belonging to roles with administrative permissions can access all Automation Console tabs. All other users can 
access all pages except the Administration page. For example, users belonging to the BLAdmins role in Server 
Automation can access and perform all tasks in Automation Console.

Where to go from here


To add or edit security groups, see Working with security groups.  

Working with security groups


This topic provides instructions on adding and editing security groups. 

To understand the concept of security groups, see Security groups. 

Adding a security group


On the Administration > Security Groups page, click Add and do these steps:

1. Select a role from the Group Name field, and add an optional description. 


The roles available in TrueSight Server Automation appear in the list. 
The Server Automation Connector field shows the host name of the TrueSight Server Automation application 
server.
2. In the Default Depot Path field, enter the default location in Server Automation where you want to store the depot 
items.
Depot items generated by users in this group get stored in this location.

In BMC Helix Automation Console (SaaS) and TrueSight Automation Console (on-premises) version 20.02.01 only, 
you can also click Browse and select a folder from the list of Depot Paths. 
3. In the Default Job Path field, enter the default location in Server Automation where you want to store jobs. 
Jobs created by users in this group get stored in this location. 
In BMC Helix Automation Console (SaaS) and TrueSight Automation Console (on-premises) version 20.02.01 only, 
you can also click Browse and select a folder from the list of Job Paths.  
4. Click Add.  
The security group is added and is displayed on the Manage Security Groups page. 

Viewing a list of security groups


On the Administration > Security Groups page, you can view all the groups in Automation Console. Information such as 
the name, description, connector type, and the connector host and port details are displayed. 

Editing a security group


After a security group is added, you can only make changes to the description, default depot and job paths where the
depot items and jobs are to be saved in Server Automation. You cannot update the role for a security group.

On the Administration > Security Groups page, click Edit against the security group, make changes, and click Update. 

Service Level Agreements


SLAs define the period (in days) before which the missing patches or identified vulnerabilities need to be remediated.

While configuring SLAs, you specify a deadline (period in days before which the
missing patches or vulnerabilities must be remediated) and a warning threshold
(period in days after which the missing patches or vulnerabilities run into the risk
of missing the deadline). SLAs for all severity levels are preconfigured with default 
values.

By default, warning thresholds are set to 80% of the deadline period. For
example, for a severity level of 5 - Critical, if the Deadline is set as 30 days, 
the Warning Threshold is at 24 days.
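The deadline and warning threshold described above can be applied to a Missing Patches export to see which patches are close to or past their SLA. This is an added example, not product code: the CSV column names, patch names, the deadlines other than the 30-day Critical value, the rounding of the 80% default, and the treatment of the boundary days are assumptions made for the illustration.

```python
"""SLA triage over a constructed Missing Patches export (added example)."""
import csv
import io
from collections import Counter


def default_warning(deadline_days):
    # Default warning threshold is 80% of the deadline; rounding down is an assumption.
    return deadline_days * 80 // 100


# Deadline in days per severity. Only "5 - Critical": 30 comes from the page's
# example; the other deadlines are constructed for this illustration.
DEADLINES = {"5 - Critical": 30, "4 - High": 60, "3 - Medium": 90, "2 - Low": 120}
SLA = {sev: (days, default_warning(days)) for sev, days in DEADLINES.items()}


def validate_sla(sla):
    """Reject settings where the warning cannot fire before the deadline."""
    for severity, (deadline, warning) in sla.items():
        if not 0 < warning < deadline:
            raise ValueError(
                f"{severity}: warning threshold {warning} must be between 1 and {deadline - 1}")


def sla_state(age_days, deadline, warning):
    # Boundary handling (>=) is an assumption of this sketch.
    if age_days >= deadline:
        return "breached"
    if age_days >= warning:
        return "at-risk"
    return "within"


def triage(csv_text, sla):
    """Return per-patch SLA states and a count of patches per state."""
    validate_sla(sla)
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        severity = row["Severity"].strip()
        if severity in sla:
            deadline, warning = sla[severity]
            state = sla_state(int(row["Patch Age"]), deadline, warning)
        else:
            state = "no-sla"  # severity without a configured SLA in this sketch
        rows.append((row["Patch Name"], severity, state))
    return rows, Counter(state for _, _, state in rows)


# Constructed export: column names and patch names are placeholders.
EXPORT = """Patch Name,Patch Age,Severity
PATCH-A,10,5 - Critical
PATCH-B,24,5 - Critical
PATCH-C,31,5 - Critical
PATCH-D,50,4 - High
PATCH-E,5,0 - Unknown
"""

if __name__ == "__main__":
    results, counts = triage(EXPORT, SLA)
    for name, severity, state in results:
        print(f"{name:8} {severity:13} {state}")
    print(dict(counts))
```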

On the Automation Console Dashboard, the total number of assets in your 
environment and the number of assets according to their Service Level Agreement
(SLA) levels appears. For more information, see Using Dashboards. 

Where to go from here


To update SLAs that match your organization's standards, see Working with Service Level Agreements.

Working with Service Level Agreements


This topic provides instructions on updating Service Level Agreements for patches and vulnerabilities. 

To understand the concept of SLAs, see Service Level Agreements. 

Updating Service Level Agreements


On the Administration > SLA page, update the values in the Deadline and Warning Threshold fields for the Patch and 
Vulnerability Severity levels and save the changes.  

The following figure shows the out-of-the-box SLAs defined in the product.

The following table describes the mapping between the vendor severity levels and the patch severity levels in BMC Helix 
Automation Console and TrueSight Automation Console. 

| Severity | Windows (Vendor Impact) | Red Hat Enterprise Linux (Errata Severity) |
|---|---|---|
| 5 - Critical | Critical | Critical |
| 4 - High | Important | Important |
| 3 - Medium | Moderate | Moderate |
| 2 - Low | Low | Low |
| 1 - Information | - | - |
| 0 - Unknown | Unknown | No severity specified. |

Click Reset Defaults to restore the default values.

Catalogs
Vendors release patches and metadata for their applications periodically. These patches are stored in a repository,
which an administrator uses to create patch catalogs in TrueSight Server Automation. A patch catalog contains a list of
patches that can be applied on target servers. You can only import existing catalogs from Server Automation (Windows and
Linux catalogs only).

As an administrator, you add catalogs in the Automation Console and set up a schedule to update the patch catalog with
the latest patches pushed by the vendor. The schedule set in the Automation Console overwrites the patch catalog 
schedule configured in TrueSight Server Automation. You must add catalogs after adding security groups in Server 
Automation. Security groups added after importing catalogs may not be able to access the catalog. If you add a security
group after adding a catalog, update the catalog. Users in the new security group can now access the catalog.

To know more about patch catalogs, see Setting up the patch catalogs in TrueSight Server Automation documentation.

Where to go from here


To add, edit, disable, and remove catalogs, see Working with catalogs. 

Working with catalogs


This topic provides instructions on adding, editing, enabling, disabling, and removing patch catalogs. 

To understand the concept of patch catalogs, see Catalogs. 

Adding catalogs 
On the Administration > Manage Catalogs page, click Add and do the following:

1. Click Browse to select a catalog. 
The list shows all catalogs available in Server Automation.
2. In the Catalog Schedule section, specify a schedule for the catalog. 
• Daily: Click the clock icon in the Time field, and specify the time.
• Weekly: 
i. From the Recur Every list, select the number of weeks after which the catalog should be updated. 
ii. Click the clock icon in the Time field, and specify the time.
iii. Specify the days of the week when the schedule should run.
• Monthly: Click the clock icon in the Time field, specify the time, and then specify one of these options:
• Select a frequency (first, second, third, or fourth) and the day of the week.
• Specify the day in every month when the schedule should run. 
• Select the last day of every month.  

Can I schedule a catalog update in another timezone?
No. Automation Console shows the browser time zone. You can only schedule catalog updates in
the local time zone.

The schedule summary is displayed. Any schedule set in Automation Console overwrites the schedule set 
in TrueSight Server Automation.
After you save the catalog, it is enabled, and appears on the Manage Catalogs page. 

Note
You must add catalogs after adding security groups in the BMC Helix Automation Console and TrueSight
Automation Console. Users in the security groups that are added after importing catalogs will not be able to
access existing catalogs. If you add a security group after adding a catalog, edit and update the earlier catalogs.

Viewing a list of catalogs


On the Administration > Manage Catalogs page, you can view all catalogs imported from Server Automation. The 
Windows and Linux tabs display the catalogs based on the operating system. 

Editing catalogs
You can only edit the schedule of a catalog.

On the Administration > Manage Catalogs page, do the following:

1. Select the catalog, and click Actions > Edit.
2. In the Catalog Schedule section, update the schedule.
The catalog is updated with the new schedule. Any schedule set in Automation Console overwrites the schedule 
set in TrueSight Server Automation.

Disabling, enabling, or removing catalogs


When you create a catalog, it is enabled by default. If you want, you can disable it, and enable it again later.  

On the Administration > Manage Catalogs page, do any of the following:

• Select a catalog and click Action > Disable.
Disabled catalogs remain in the Automation Console, but are not updated according to the schedule. 
• Select a catalog and click Action > Enable.
• Select a catalog and click Action > Remove.
A catalog is removed only from the Automation Console. It continues to exist in TrueSight Server Automation.

Change automation
This section provides an overview and process flow to enable creating and approving change requests in BMC Remedy IT
Service Management for remediation operations. 

Overview
In this release, BMC Helix Automation Console (SaaS) and TrueSight Automation Console (on-premises) support creating 
and approving change requests in a change management system, called BMC Remedy IT Service Management. 

When operational changes such as installing patches are implemented, administrators need to keep track of these
changes in a change management system. Organizations may use an approval process, where a change is not
implemented unless it is approved. Change automation automates the process of creating a change request, approving
it, and then ensuring that the change is implemented.



In BMC Helix Automation Console (SaaS), you can create a change request for a vulnerability or a patch remediation 
operation. In TrueSight Automation Console, you must upgrade to 20.02.01: Patch 1 for TrueSight Automation Console
20.02 to be able to create change requests for patch remediation operations. 

This is done by integrating with TrueSight Orchestration – ITSM Automation runbook. 

When you create an operation in Automation Console, you can create a change request, with approval settings as 
configured in BMC Remedy IT Service Management. The change request ID appears against the operation on the
Operations page. After a change is approved, based on the schedule, the operation runs and remediates the
vulnerabilities. 

Change automation ensures continuous compliance with the change process without introducing labor-intensive activities.
The integration reduces the risk of unauthorized and unplanned changes through enforced change tracking.

Change automation process flow


The following figure shows the end-to-end process flow for a vulnerability operation with a change approval configured.

Change automation considerations


As administrators, when you implement change automation, consider the following: 

• A single change request is created for a single operation.


• Change request creation is only available if you have selected Execute Now or defined a schedule for the
operation.
If you set the Maintenance Schedule to "I will do it later", the option to create a change request is not displayed.
• When a change is created, the change request ID is updated in the job description in the TrueSight Server
Automation job created for the operation. 
• If you update the schedule for an operation in the change request, the updated schedule is reflected for the
operation. After approval, the operation runs according to the new schedule. 



• If the operation schedule expires before the change request is approved, the operation and the job are cancelled,
and the status is shown as Cancelled due to schedule timeout.
• If the change request is cancelled or not approved, the operation and the job are cancelled. 

Consult the following table to understand the correlation between the change request status and the operation status and
the impact on the vulnerabilities and assets state. 

| Change request status | Operation status | Vulnerabilities and assets state |
|---|---|---|
| Not applicable yet | Awaiting attention | Awaiting attention |
| New | Awaiting approval | Awaiting approval |
| Ready to Execute | Awaiting execution | Awaiting execution |
| | Success (After the operation completes successfully) | Closed (After the operation completes successfully) |
| Ready to execute | Cancelled due to schedule timeout | Awaiting attention |
| Cancelled | Cancelled due to approval rejection | Awaiting attention |

Where to go from here


To install and configure the ITSM runbook, and to set up a change request creation, see Enabling change automation.   

Enabling change automation


This topic describes the steps to enable change automation for remediation operations in BMC Helix Automation 
Console and TrueSight Automation Console. 

To understand the concept of change automation, see Change automation. 

To enable creating change requests for an operation


1. Install the TrueSight Orchestration ITSM Automation runbook. 
For installation instructions, see Installing the ITSM Automation runbook.

2. Configure the ITSM Automation runbook as described in Configuring the ITSM Automation runbook.

3. Ensure that a connection is established between Automation Console and TrueSight Orchestration. 
For more information, see Configuring the TrueSight Orchestration connector. 
4. Ensure that permissions are appropriately configured in TrueSight Server Automation. 
See User roles and permissions. 



 Do I create a new user account to enable change automation?
No. The service account created for using Automation Console can be used for change automation too.

Where to go from here


When you create an operation, you can now create a change request and configure approvals for a vulnerability
remediation operation. See Working with operations. 



Using REST API
This topic provides instructions to access the Swagger host and a list of API endpoints. 

BMC Helix Automation Console (SaaS) or TrueSight Automation Console (on-premises) provides REST API endpoints to 
perform all tasks currently supported by the application. These REST API endpoints are documented in the Swagger UI. 

The API follows the REST architectural style and uses resources, HTTP verbs, and status codes. JavaScript Object Notation
(JSON) is used to represent data structures in request and response bodies. All endpoints (except the Login API) use the
OAuth 2.0 protocol for authentication.

Accessing the Swagger host for APIs


1. From a supported browser, enter the following URL to access the API documentation in Swagger:

TrueSight Automation Console: https://<FullyQualifiedDomainHostName>:<port>/apidocs

BMC Helix Automation Console: https://<customerprefix>-xxx.onbmc.com/apidocs

On the Swagger UI, you can see the APIs supported by the Automation Console. 
2. To try the APIs, first obtain an authorization token for the session:
Go to the login-service > POST /api/v1/sessions API call, provide the following credentials, and click Execute: 
a. Username to log in to the Automation Console
b. Password, encoded in the Base64 format
3. Copy the token returned by the API call. 

Example response

{
"token": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJCTEFkbWluQGRlZmF1bHR0ZW5hbnQudHNzYSIsIkF1dGhvcml0aWVzIjoiUk9MRV9BRE1JTiIsImlhdCI6MTU0NTA0NDY0NSwiaXNzIjoid3d3LmJtYy5jb20iLCJleHAiOjE1NDUwNjI2NDV9.NBWTXJpHeIDcEyIDIJ3iq6jbWgXIvxBqtvzB1z_s0vE"
}

 Note
If you intend to use a REST API client, such as Postman, you must pass the authorization token in the
request header for any REST API call.

4. On the Login and Administration Service APIs page, click Authorize and provide the token in the authorizations
window.
You can now access, try out, and execute any API calls using the Swagger UI. 
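
The token in the example response above is a JSON Web Token, so its claims can be read by anyone who holds it. The following added example (not part of the BMC documentation or product code) decodes that sample token without verifying its signature, reports the role and lifetime it carries, and shows that the Base64 form of the password used at login is reversible; the function names and the sample password are assumptions made for illustration.

```python
import base64
import json
from datetime import datetime, timezone

# Token copied from the "Example response" in this topic.
EXAMPLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiJ9."
    "eyJzdWIiOiJCTEFkbWluQGRlZmF1bHR0ZW5hbnQudHNzYSIsIkF1dGhvcml0aWVzIjo"
    "iUk9MRV9BRE1JTiIsImlhdCI6MTU0NTA0NDY0NSwiaXNzIjoid3d3LmJtYy5jb20iLCJleHAiOjE1NDUwNjI2NDV9."
    "NBWTXJpHeIDcEyIDIJ3iq6jbWgXIvxBqtvzB1z_s0vE"
)


def b64url_decode(segment):
    """Decode one base64url JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token):
    """Return (header, claims) for inspection only.

    The signature is NOT checked here: with HS256 only the holder of the
    server-side secret can verify it. Never use this for authorization.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return header, claims


def token_lifetime_seconds(claims):
    """Seconds between issue time (iat) and expiry (exp)."""
    return claims["exp"] - claims["iat"]


def is_expired(claims, now=None, skew=30):
    """True if the token has expired, or will within `skew` seconds."""
    if now is None:
        now = datetime.now(timezone.utc).timestamp()
    return now >= claims["exp"] - skew


def encode_password(password):
    """Base64-encode a password, as the login call expects."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def decode_password(encoded):
    """Base64 is an encoding, not encryption: anyone can reverse it."""
    return base64.b64decode(encoded).decode("utf-8")


def describe_token(token):
    """Summarize what a captured token would reveal to whoever holds it."""
    header, claims = decode_jwt_unverified(token)
    return {
        "algorithm": header.get("alg"),
        "subject": claims.get("sub"),
        "authorities": claims.get("Authorities"),
        "issuer": claims.get("iss"),
        "lifetime_seconds": token_lifetime_seconds(claims),
        "expired_now": is_expired(claims),
    }


if __name__ == "__main__":
    for key, value in describe_token(EXAMPLE_TOKEN).items():
        print(f"{key}: {value}")
    sample = "Constructed-Passw0rd!"  # constructed sample value
    print(encode_password(sample), "->", decode_password(encode_password(sample)))
```

Because the password is only encoded and the token names the user and role in clear text, both should be sent only over the HTTPS URLs shown above and kept out of logs and shared request collections.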



Login and Administration Service APIs
Contains APIs that support functions related to session management, Service Level Agreements, security groups, and
service accounts. 

| API call | Description |
|---|---|
| Sessions API | |
| POST /api/v1/sessions | Logs in to Automation Console and generates an authorization token. |
| DELETE /api/v1/sessions | Logs out of the session. |
| GET /api/v1/sessions | Gets user and site details of the current session. |
| SLAs API | |
| GET /api/v1/config/slas | Retrieves the service level agreements defined in the Automation Console. |
| PUT /api/v1/config/slas | Updates the deadline and warning threshold for SLA severity levels. |
| Security Groups API | |
| POST /api/v1/config/securitygroups | Creates a new security group. |
| GET /api/v1/config/securitygroups | Gets a list of security groups with details such as the group ID, role, name, description, creation date, default job path, default depot path, and site details. |
| GET /api/v1/config/securitygroups/{id} | Gets details of a security group as per the specified group ID. |
| PUT /api/v1/config/securitygroups/{id} | Updates a specified security group by using the group ID. |
| GET /api/v1/config/tssa/roles | Gets all roles created in TrueSight Server Automation. |
| Service Accounts API | |
| POST /api/v1/config/service-accounts | Creates a service account profile for data refresh. |
| GET /api/v1/config/service-accounts | Gets the service account profile specified for this instance of the Automation Console. |
| GET /api/v1/config/service-accounts/{type} | Gets the service account profile based on the site type, such as TrueSight Server Automation. |
| DELETE /api/v1/config/service-accounts/{type} | Deletes service account profile by type (supported only for DISCOVERY). |
| PUT /api/v1/config/service-accounts/{id} | Updates a service account as per the specified ID. |
| Connectors API | |
| POST /api/v1/connectors | Creates a connector for the tenant. |
| GET /api/v1/connectors | Gets all the configured connectors. |
| PUT /api/v1/connectors | Updates the connector for tenant. |
| DELETE /api/v1/connectors | Deletes the connector. |
| GET /api/v1/connectors/download/ | Downloads the connector zip. |

Violations and Dashboard Service APIs


Contains APIs for the Dashboard, Missing Patches (referred as Violations in the API) and Assets.

| API call | Description |
|---|---|
| Dashboard API | |
| POST /api/v1/violations/reports/targets/severity/summary | Generates data for the Impacted Assets by Severity widget on the dashboard. |
| POST /api/v1/violations/reports/targets/severity/detail | Generates asset details by severity levels. |
| POST /api/v1/violations/reports/targets/patch-compliance/summary | Generates data for the Patch Compliance widget on the dashboard. |
| POST /api/v1/violations/reports/targets/patch-compliance/detail | Generates patch compliance details such as the number of installed and missing patches on assets according to the policy on the dashboard. |
| POST /api/v1/violations/reports/{type}/summary | Generates data for the Impacted Assets by SLA and Unique Missing Patches by Age widgets on the dashboard. |
| POST /api/v1/violations/reports/sla/detail | Generates details for the assets and missing patches based on their SLA levels. |
| POST /api/v1/violations/reports/trends/weeks | Generates data for the Remediation Trend graph on the dashboard. |
| POST /api/v1/violations/reports/trends/weeks/detail | Generates details such as the missing and remediated patches in the Remediation Trend graph. |
| POST /api/v1/violations/reports/states/average-days/weeks | Gets the average time for a state change in the current week. |
| POST /api/v1/violations/reports/rank/violations | Generates data for the Top 10 Missing Patches widget. |
| POST /api/v1/violations/reports/rank/violations/detail | Generates asset details for the Top 10 Missing Patches widget. |
| POST /api/v1/violations/reports/violations/severity/summary | Fetches violations count by severity. |
| POST /api/v1/violations/reports/violations/sla/summary | Fetches violations count by SLA. |
| Missing Patches API | |
| POST /api/v1/violations | Creates violations for a specified asset. |
| GET /api/v1/violations | Gets details of the missing patches. |
| GET /api/v1/violations/{id} | Gets details of the missing patches as per the patch ID. |
| POST /api/v1/violations/reports/patch | Exports the patch report in .csv format. |
| POST /api/v1/violations/search | Searches for missing patches based on the provided filters and updates details for the Unique Missing Patches by Age widget on the dashboard. |
| GET /api/v1/violations/metadata/cveid | Gets all distinct CVE IDs identified against the missing patches. |
| Assets API | |
| POST /api/v1/violations/reports/targets/{type} | Gets all assets in the endpoint manager. |
| PUT /api/v1/violations/asset/manual-map/{resourceId} | Maps scanner asset to endpoint targets manually. |
| PUT /api/v1/violations/asset/unmap | Unmaps scanner asset from endpoint targets. |
| Vulnerabilities API | |
| POST /api/v1/violations/reports/vulnerability | Exports the vulnerability report in .csv format. |
| POST /api/v1/violations/search/vulnerabilities | Gets all assets. |
| POST /api/v1/violations/search/vats | Gets all VATs. |
| PUT /api/v1/violations/manual-map/{id} | Maps remediation content to the given vulnerability manually. |
| DELETE /api/v1/violations/unmap/{id} | Removes mapped remediation contents for the vulnerability. |
| POST /api/v1/violations/auto-map | Maps vulnerabilities with remediation content for all the given CVE IDs. |
| Summary | |
| GET /api/v1/services/summary | Gets top business services. |
| POST /api/v1/violations/reports/targets/sources/summary | Gets summary of sources. |

Patch Catalog Service APIs


Contains APIs for catalogs in the Automation Console. 

| API call | Description |
|---|---|
| Catalog-controller API | |
| GET /api/v1/catalogs | Gets catalogs imported in the Automation Console. |
| POST /api/v1/catalogs | Imports a new catalog from Server Automation. |
| GET /api/v1/catalogs/tssa | Gets all catalogs available in Server Automation. |
| GET /api/v1/catalogs/tssa/{catalogId} | Gets details for the catalog created in Server Automation based on the catalog ID. |
| GET /api/v1/catalogs/{catalogId} | Gets details for the catalog imported in the Automation Console based on the catalog ID. |
| PUT /api/v1/catalogs/{catalogId} | Updates schedule for a specified catalog ID. |
| DELETE /api/v1/catalogs/{catalogId} | Deletes the specified catalog. |
| Patch-controller API | |
| PUT /api/v1/catalogs/patch | Retrieves all the patches based on the patch IDs (part of the input payload). |
| PUT /api/v1/catalogs/{catalogId}/patch/search | Retrieves all patches from TrueSight Automation Console based on the filter properties. |
| PUT /api/v1/catalogs/patch/search | Gets patches based on CVE IDs. |
| PUT /api/v2/catalogs/patch/search | Gets patches based on CVE IDs. |

Patch Policy and Operations APIs


Contains the APIs for creating, updating, running, and deleting patch policies. 

| API call | Description |
|---|---|
| Job-run API | |
| GET /api/v1/policies/job/{jobRunId}/summary | Retrieves summary for the specified job run ID. |
| GET /api/v1/policies/job/{jobRunId}/target | Retrieves summary for the specified job run ID and target. |
| GET /api/v1/policies/job/{jobRunId}/target/{targetId} | Retrieves summary for the specified job run ID and target ID. |
| GET /api/v1/policies/policy/{policyId}/jobRuns | Retrieves job runs for the specified policy ID. |
| GET /api/v1/policies/{policyId}/runs/{runId}/logs | Retrieves event logs for a specified policy scan run. |
| Policy API | |
| POST /api/v1/policies | Creates a new patch policy. |
| GET /api/v1/policies/bsa/groups/{type} | Gets all static groups created in Server Automation. |
| POST /api/v1/policies/bsa/groups/{type} | Creates a static group in Server Automation. |
| GET /api/v1/policies/bsa/smart-groups/{type} | Gets all dynamic groups created in Server Automation. |
| POST /api/v1/policies/policy/{policyId}/jobRuns | Immediately executes the scan policy associated with specified policy ID. |
| GET /api/v1/policies/search | Gets a list of policies created in the Automation Console. |
| GET /api/v2/policies | Gets a list of policies created in the Automation Console. |
| POST /api/v1/policies/reports/patch-compliance | Gets patch compliance details. |
| POST /api/v1/policies/reports/patch-compliance/detail | Gets patch compliance details as per the policies. |
| GET /api/v1/policies/{policy_id} | Gets policy details for the specified ID. |
| PUT /api/v1/policies/{policy_id} | Updates the policy that matches the specified ID. |
| DELETE /api/v1/policies/{policy_id} | Deletes the policy that matches the specified ID. |
| Vulnerability scan API | |
| POST /api/v1/policies/import-scan | Imports vulnerability scan. |
| TSSA API | |
| GET /api/v1/policies/tssa/nshscripts | Retrieves all NSH-Scripts defined in Server Automation. |
| GET /api/v1/policies/tssa/bl-packages | Retrieves all BLPackages defined in Server Automation. |
| GET /api/v1/policies/tssa/nshscripts/{scriptId} | Retrieves NSH Script details from Server Automation. |
| POST /api/v1/policies/tssa/depots/search | Search depot object based on given condition. |
| Operations API | |
| POST /api/v1/policies/operations | Creates Remediation Operation. |
| POST /api/v1/policies/operations/prepare-list | Prepares an operation list. |
| PATCH /api/v1/policies/operations/execute/{operationId} | Executes an operation. |
| ITIL API | |
| GET /api/v1/policies/itil/configurations | Gets ITSM Configuration. |
| GET /api/v1/policies/itil/status/{changeId} | Gets change in status from ITSM. |



Troubleshooting
This section provides information about how to use logs, troubleshoot problems that occur when using the product,
and contact Customer Support.

• Working with logs (on-premises only)


• Troubleshooting operations with change requests
• Troubleshooting discovered assets
• Troubleshooting patch management problems
• Support information

Working with logs

 Note
This topic is applicable only for a TrueSight Automation Console (on-premises) deployment.
BMC Helix Automation Console (SaaS) is not available for on-premises installation. For details about subscribing 
to this service, see BMC Helix subscriber information.

This topic provides information about the relationship between the product area on the user interface, and the services. It 
also lists the log file names and locations. 

If a problem occurs in a product area, the following table helps you to identify the services to troubleshoot:

| UI area | Services |
|---|---|
| Login | Login Service |
| Dashboard | Patch Manager Core |
| Administration > Catalogs | Catalog Service |
| Administration > SLA | Login Service |
| Administration > Security Groups | Login Service |
| Administration > Service Account | Login Service, Data Refresh Manager, Data Refresh Worker |
| Assets > Managed Assets | Patch Manager Core, Resource Service |
| Assets > Scanned Assets | Patch Manager Core, Resource Service |
| Assets > Discovered Assets | Patch Manager Core, Resource Service, Discovery connector, Data Refresh Manager, Data Refresh Worker |
| Manage > Patch Policies | Policy Service |
| Manage > Import | Policy Service, Resource Service, Patch Manager Core |
| Operations | Policy Service |
| Operations with change automation | Login Service, Policy Service, ITIL Service, Data Refresh Manager, Data Refresh Worker, TrueSight Orchestration connector |
| Risks > Missing Patches | Patch Manager Core, Policy Service |
| Risks > Vulnerabilities | Patch Manager Core, Policy Service |

The following table provides information about the TrueSight Automation Console log file names, location, and 
description. 

| Service Name | File | Location | Description |
|---|---|---|---|
| Catalog Service | catalog_service.log | <InstallationDirectory>/application/app/catalog-service/logs | Contains logs for all catalog operations such as adding and editing catalogs. |
| Violations, Resource Service | violation.log | <InstallationDirectory>/application/app/patch-manager-core/logs | Contains logs for all violation operations such as getting, creating, and searching for violations along with resource service notification information. |
| Policy Service | policy_service.log | <InstallationDirectory>/application/app/policy_service/logs | Contains logs for all policy operations such as adding, editing, and running patch policies. |
| Access Service | access.log | <InstallationDirectory>/application/app/tssp_nginx/logs/ | Contains logs for systems from where the application is accessed. |
| Error Service | error.log | <InstallationDirectory>/application/app/tssp_nginx/logs | Contains logs for all errors encountered while using the application. |
| Data Refresh Manager | drm.log | <InstallationDirectory>/application/app/vulnerability-management-drm/logs | Contains logs for the worker manager's capacity and for requests and response from the Automation Console. |
| Data Refresh Worker | drw.log | <InstallationDirectory>/application/app/vulnerability-management-drw/logs | Contains logs for all data refresh operations. |
| Login Service | login-service.log | <InstallationDirectory>/application/common/login/logs | Contains logs for all login and session-related activities. |
| Resource Service | resource-service.log | <InstallationDirectory>/application/common/resource-service/logs | Contains logs for all operations on assets such as adding, reconciliation, and decommission. |
| TSSA connector | tssa_connector.log | <InstallationDirectory>/application/common/tssa_connector/logs | Contains logs for all requests and responses between Automation Console server and workmanager. |
| TSO connector | tso_connector.log | <InstallationDirectory>/application/common/tso_connector/logs | Contains logs for all requests and responses between Automation Console and TrueSight Orchestration. |
| Discovery connector | discover_connector.log | <InstallationDirectory>/application/common/discovery_connector/logs | Contains logs for all requests and responses between Automation Console and BMC Discovery. |
| Works Manager | dem.log | <InstallationDirectory>/application/common/work-manager/logs | Contains logs for all requests initiated from the Automation Console and the responses sent back with the worker ID and transaction ID. |
| TrueSight Stack Manager | truesight-sm.log | <InstallationDirectory>/sm/log | Contains logs for installation that includes application, database, and stack manager logs. |



Troubleshooting operations with change requests
This topic describes the problems that you may encounter while creating change requests for vulnerability operations
in BMC Helix Automation Console (SaaS) and TrueSight Automation Console (on-premises), and provides their resolution. 

• Change templates not displayed when configuring change approval for an operation
• Operation is configured to create a change request, however, change is not created in BMC Remedy IT Service
Management
• Change request is created in BMC Remedy ITSM, however, the request ID and status is not displayed on the
Operations page

Change templates not displayed when configuring change approval for an operation
When adding an operation for remediating vulnerabilities, if you are on the Change Approval Management page, the
templates are not displayed in the Change Template Names list. 

To troubleshoot, administrators must verify the logs for the following services:

• Policy Service
• ITIL Service
• TrueSight Orchestration connector
If any of these messages appear in the ITIL Service log file, it indicates that the TrueSight Orchestration connector is not 
configured or is configured incorrectly.

• ConfigMgmtService::Submitting get config request to workmanager 
• ConfigMgmtService::Got response of Get ITSM config 
• ConfigMgmtService:: Error message returned for Get ITSM config call 
• {statusCode : 500, errorCode : 2220, message : "Error while getting ITSM configuration data."}
Resolution

To resolve this issue, administrators must configure the TrueSight Orchestration connector. For details, see Configuring the
TrueSight Orchestration connector.

Operation is configured to create a change request, however, change is not created in BMC Remedy IT
Service Management
If you have selected the Create Change Ticket option while creating an operation, and provided all the required details, a
change request must be created in BMC Remedy ITSM. 

If a change request is not created, administrators must verify the logs for the following services: 

• Policy Service
• ITIL Service
• TrueSight Orchestration connector
If any of these error messages appear in the ITIL Service log file, it indicates that there are problems in the internal 
services communication: 



• ChangeMgmtService::Submitting Create change request to workmanager 
• ChangeMgmtService::Got response of Create change ticket 
• ChangeMgmtService:: Error message returned while creating change ticket 
• {statusCode : 500, errorCode : 2300, message : "Error while creating ITSM change ticket."}

Resolution
To resolve this issue, administrators must do the following:

• Verify whether the connector is configured with correct TrueSight Orchestration credentials using the GET /api/v1/
connectors REST API. 
See Using REST API.
• Verify whether change automation is enabled correctly. 
See Enabling change automation.
• Verify whether the permissions are appropriately configured in Automation Console.
See User roles and permissions. 

Change request is created in BMC Remedy ITSM, however, the request ID and status is not displayed on
the Operations page
While creating a vulnerability operation, a change request is created and approved in BMC Remedy ITSM, but the status is
not updated in Automation Console. 

If a change request status is not updated, administrators must verify the logs for the following services: 

• Policy Service
• ITIL Service
• TrueSight Orchestration connector
• Data Refresh Worker
If any of these error messages appear in the ITIL Service log file, it indicates that the data refresh cycle is not run and the 
status is not yet updated. 

• Requested changeIds
• Error while reading ids
• ChangeMgmtService::Got response of GET_CHANGE_STATUS_CI
• ChangeMgmtService:: Error message returned while Get Change Ticket status
• {statusCode : 500, errorCode : 2400, message : "Error while getting change ticket status from ITSM."}

Resolution
To resolve this issue, administrators must do the following:

1. On Automation Console, go to Administration > Service Account page and verify the duration specified for a data
refresh cycle. 
By default, the time interval is 60 minutes. 
2. If the change request status is not updated after the data refresh time interval has passed, verify the drw.log file to
see if the connection with ITIL service is established correctly.
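
The three ITIL Service error payloads listed in this topic (errorCode 2220, 2300, and 2400) can be picked out of a log automatically. The following is an added example, not BMC code: it scans log lines for those payloads and maps each code to the cause documented above. The timestamp and level prefix of the sample lines are constructed, and the function and variable names are assumptions made for illustration.

```python
import re
from collections import Counter

# errorCode -> (documented message, cause and follow-up described in this topic)
ITIL_ERRORS = {
    2220: ("Error while getting ITSM configuration data.",
           "TrueSight Orchestration connector is not configured or is "
           "configured incorrectly"),
    2300: ("Error while creating ITSM change ticket.",
           "internal services communication problem; check connector "
           "credentials, change automation setup, and permissions"),
    2400: ("Error while getting change ticket status from ITSM.",
           "data refresh cycle has not run; check the refresh interval "
           "and drw.log"),
}

# The payload is JSON-like but its keys are unquoted, so json.loads() would
# reject it; a regular expression is used instead.
PAYLOAD_RE = re.compile(
    r'\{\s*statusCode\s*:\s*(?P<status>\d+)\s*,'
    r'\s*errorCode\s*:\s*(?P<code>\d+)\s*,'
    r'\s*message\s*:\s*"(?P<message>[^"]*)"\s*\}'
)
COMPONENT_RE = re.compile(r'\b(ConfigMgmtService|ChangeMgmtService)::')


def triage(lines):
    """Return one finding per error payload, with the most recent component."""
    findings = []
    component = None
    for lineno, line in enumerate(lines, start=1):
        seen = COMPONENT_RE.search(line)
        if seen:
            component = seen.group(1)
        payload = PAYLOAD_RE.search(line)
        if not payload:
            continue
        code = int(payload.group("code"))
        documented = ITIL_ERRORS.get(code)
        findings.append({
            "line": lineno,
            "status": int(payload.group("status")),
            "error_code": code,
            "message": payload.group("message"),
            "component": component,
            "cause": documented[1] if documented else "not documented on this page",
        })
    return findings


def summarize(findings):
    """Count findings per error code."""
    return dict(Counter(f["error_code"] for f in findings))


# Constructed sample input: message texts are taken from this topic, the
# timestamp and level prefix are invented for the example.
SAMPLE_ITIL_LOG = [
    "2020-04-21 00:44:01 INFO  ConfigMgmtService::Submitting get config request to workmanager",
    "2020-04-21 00:44:02 INFO  ConfigMgmtService::Got response of Get ITSM config",
    "2020-04-21 00:44:02 ERROR ConfigMgmtService:: Error message returned for Get ITSM config call",
    '2020-04-21 00:44:02 ERROR {statusCode : 500, errorCode : 2220, message : "Error while getting ITSM configuration data."}',
    "2020-04-21 00:50:10 INFO  ChangeMgmtService::Submitting Create change request to workmanager",
    "2020-04-21 00:50:11 ERROR ChangeMgmtService:: Error message returned while creating change ticket",
    '2020-04-21 00:50:11 ERROR {statusCode : 500, errorCode : 2300, message : "Error while creating ITSM change ticket."}',
    "2020-04-21 01:50:00 INFO  Requested changeIds",
    "2020-04-21 01:50:01 ERROR ChangeMgmtService:: Error message returned while Get Change Ticket status",
    '2020-04-21 01:50:01 ERROR {statusCode : 500, errorCode : 2400, message : "Error while getting change ticket status from ITSM."}',
    '2020-04-21 02:50:01 ERROR {statusCode : 500, errorCode : 2400, message : "Error while getting change ticket status from ITSM."}',
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_ITIL_LOG):
        print(f'line {finding["line"]}: errorCode {finding["error_code"]} '
              f'({finding["component"]}): {finding["cause"]}')
    print(summarize(triage(SAMPLE_ITIL_LOG)))
```

A repeated 2400 across more than one refresh interval, as in the last two sample lines, is the case where step 2 above applies.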



Troubleshooting discovered assets
This topic describes the problems that you may encounter while viewing assets on the Assets > Discovered Assets page
in BMC Helix Automation Console (SaaS) and TrueSight Automation Console (on-premises), and provides their resolution. 

• Discovered Assets page does not show any assets


• No data in the Top 10 Business Services at Risk widget on the Vulnerability Dashboard

Discovered Assets page does not show any assets


No assets are displayed on the Assets > Discovered Assets page. 

Resolution
To resolve this issue, administrators must do this: 

1. Verify whether the BMC Discovery Connector is configured. 
2. Ensure that the service account required for BMC Discovery is created in Automation Console.
See Configuring the BMC Discovery connector.

No data in the Top 10 Business Services at Risk widget on the Vulnerability Dashboard
On the Vulnerability Dashboard, there is no data in the Top 10 Business Services at Risk widget. 

Resolution
To resolve this issue, administrators must do this: 

1. Verify whether the BMC Discovery Connector is configured. 
2. Ensure that the service account required for BMC Discovery is created in Automation Console.
See Configuring the BMC Discovery connector.

Troubleshooting patch management problems


This topic describes the problems that you may encounter while adding catalogs, creating patch policies, or viewing
managed assets for managing missing patches in BMC Helix Automation Console (SaaS) and TrueSight Automation 
Console (on-premises), and provides their resolution. 

• Catalog time is not updated in Automation Console even after the catalog is updated
• Managed Assets page has no asset data
• Policy run results do not appear in Automation Console



Catalog time is not updated in Automation Console even after the catalog is updated
On the Manage Catalogs page, the Last Updated column does not reflect the correct time, even if the catalog is updated
in TrueSight Server Automation. This can happen if there are problems while synchronizing the catalogs 
between Automation Console and Server Automation.

To troubleshoot, administrators must verify the logs for the following services:

• Work Manager
• Catalog Service
If this error message appears in the Catalog Service logs, it indicates that there is a failure in receiving notifications from 
TrueSight Server Automation. 

Updating BSA schedule, creating TSSA request..., Executing request with txID : TID_<ID>,  WorkManager response status : failed 

Resolution
To resolve this issue, administrators must do this: 

1. Go to Administration > Manage Catalogs, and click Actions > Edit for a catalog that you want to update. 


2. Do not make any changes, and save the catalog. 
This ensures that the catalog data gets synced with the catalog in TrueSight Server Automation. 

Managed Assets page has no asset data


There are no assets displayed on the Assets > Managed Assets page. This problem may occur if the service account and 
the data refresh settings are incorrectly configured. 

To troubleshoot, verify whether the Data Refresh Worker log shows the next scheduled refresh.

Sample status

Update Status received from DataRefreshWorker-8080 for:tsac_BSA_DEFAULT Status:SUCCESS Next Scheduled:Wed Nov 06 11:58:31 GMT YYYY

 If the next scheduled refresh does not show a future time, there may be a problem with the data refresh cycle.

Resolution
To resolve this issue, administrators must do this:

1. Go to Administration > Service Account, and click Actions > Edit.


2. Ensure that the connector name, refresh interval, and the credentials provided in the Connector Profile section are
accurate. 
3. Save changes and check the Managed Assets page. 



Policy run results do not appear in Automation Console
You created a patch policy and scheduled its run. After the policy runs successfully, the results do not appear on the
<PolicyName> - Scan Run Results page.

To troubleshoot, administrators must verify the tssa_connector.log for errors in sending notifications to Automation Console. 

Sample error message

[ERROR] [::] [] REST Job Notification : : Exception while sending notification


org.apache.http.conn.HttpHostConnectException: Connect to <hostname>:<port> [<hostname> /<IPAddress>] failed: Connection timed out: connect
at org.apache.http.impl.conn.DefaultHttpClientConnectionOperator.connect(DefaultHttpClientConnectionOperator.java:159)

To resolve this issue, administrators must do this:

1. Run the following command on the host where the Automation Console application is installed to verify whether 
the TrueSight Server Automation connector is running. 

./stackmanager status --deployment=application

If the status of the truesight-common-tssa-connector service is shown as running, perform the next step. 
2. Verify whether the hosts file on the TrueSight Server Automation Application Server contains the connector name. 

 Hosts file location and connector name


- Windows: C:\Windows\System32\drivers\etc\hosts
- Linux: /etc/hosts
<IPaddress of the server where the connector is installed>  tssa.connector.bmc.com

3. If the entry exists in the hosts file, verify whether the server where the connector is installed is up and running. 
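Steps 2 and 3 can be combined into one check. The following is an added example, not BMC code: it reads hosts file text for the connector name and, if the mapping is correct, uses a connect-failure line in the layout of the sample error to tell a name-mapping problem from an unreachable connector server. The IP addresses, the port, and the verdict strings are constructed for the example.

```python
import ipaddress
import re

CONNECTOR_NAME = "tssa.connector.bmc.com"   # connector name given on this page

# Layout of the HttpHostConnectException message in the sample error above.
CONNECT_RE = re.compile(
    r"Connect to (?P<host>[^\s:]+):(?P<port>\d+) \[(?P<addrs>[^\]]*)\] failed"
)

def hosts_entries(hosts_text, name=CONNECTOR_NAME):
    """IP addresses that the hosts file maps to `name`, in file order."""
    found = []
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()     # strip comments, split columns
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                               # not an address line
        if name.lower() in (f.lower() for f in fields[1:]):
            found.append(str(ip))
    return found

def failed_target(log_line):
    """(host, port, [resolved IPs]) from a connect-failure line, or None."""
    m = CONNECT_RE.search(log_line)
    if not m:
        return None
    ips = [a.split("/")[-1].strip() for a in m["addrs"].split(",") if "/" in a]
    return m["host"], int(m["port"]), ips

def diagnose(hosts_text, log_line, connector_ip):
    """Map the page's steps 2 and 3 to a verdict string (names are hypothetical)."""
    ips = hosts_entries(hosts_text)
    if not ips:
        return "hosts-entry-missing"
    if ips[0] != connector_ip:                     # most resolvers use the first match
        return "hosts-entry-wrong-address"
    target = failed_target(log_line)
    if target and target[0].lower() == CONNECTOR_NAME and connector_ip in target[2]:
        return "mapping-ok-connector-unreachable"  # step 3: check the connector server
    return "mapping-ok"
```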

Related topic
Working with logs



Support information
This topic contains information about how to contact Customer Support, and the support status for this and other
releases.

Contacting Customer Support


If you have problems with or questions about a BMC product, or for the latest support policies, see the Customer Support
website at https://www.bmc.com/support/support-central.html. You can access product documents, search the
Knowledge Base for help with an issue, and download products and maintenance.

If you do not have access to the web and you are in the United States or Canada, contact Customer Support at 800 537
1813. Outside the United States or Canada, select your country at Contact BMC to view local Support Contacts.

Support status
As stated in the current BMC Product Support Policy, BMC provides technical support for a product based on time rather
than number of releases. For subscription-based product support, see the BMC Software Subscription Services Support
policy.





© Copyright 2014 – 2019 BMC Software, Inc.

BMC, BMC Software, and the BMC Software logo are the exclusive properties of BMC Software, Inc., are registered with
the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other BMC
trademarks, service marks, and logos may be registered or pending registration in the U.S. or in other countries. All other
trademarks or registered trademarks are the property of their respective owners.

BladeLogic and the BladeLogic logo are the exclusive properties of BladeLogic, Inc. The BladeLogic trademark is registered
with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other
BladeLogic trademarks, service marks, and logos may be registered or pending registration in the U.S. or in other
countries. All other trademarks or registered trademarks are the property of their respective owners.

AIX and IBM are trademarks or registered trademarks of International Business Machines Corporation in the United
States, other countries, or both.

Linux is the registered trademark of Linus Torvalds.

Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their
respective owners.

UNIX is the registered trademark of The Open Group in the US and other countries.

BMC Software Confidential.

The information included in this documentation is the proprietary and confidential information of BMC Software, Inc., its
affiliates, or licensors. Your use of this information is subject to the terms and conditions of the applicable End User
License agreement for the product and to the proprietary and restricted rights notices included in the product
documentation.

Click here for the provisions described in the BMC License Agreement and Order related to third party products or
technologies included in the BMC product.

BMC Software Inc.
2101 CityWest Blvd, Houston TX 77042-2827, USA
713 918 8800
Customer Support: 800 537 1813 (United States and Canada) or contact your local support center
