Documenti di Didattica
Documenti di Professioni
Documenti di Cultura
02
Home
Date: 2020-04-21 0:44
URL: https://docs.bmc.com/docs/x/i4c3Ng
Contents
Release notes and notices................................................................................................................................................... 13
20.02.01: Patch 1 for TrueSight Automation Console 20.02.............................................................................................14
Known and corrected issues.........................................................................................................................................15
Updates ........................................................................................................................................................................15
Support for creating and approving change requests for patch remediation operations .......................................15
Tagging assets...........................................................................................................................................................15
User experience enhancements...............................................................................................................................15
Supported versions of TrueSight Server Automation ...................................................................................................16
Applying the patch .......................................................................................................................................................16
Downloading the patch ............................................................................................................................................16
Installing the patch ...................................................................................................................................................16
Upgrading to the patch ............................................................................................................................................16
20.02.01: Patch 1 for BMC Helix Automation Console version 20.02 ..............................................................................17
Known and corrected issues.........................................................................................................................................17
Updates ........................................................................................................................................................................17
Support for creating and approving change requests for patch remediation operations .......................................17
Tagging assets...........................................................................................................................................................17
User experience enhancements...............................................................................................................................18
20.02 enhancements........................................................................................................................................................18
Available on the BMC Helix Platform and on-premises................................................................................................19
Creation and approval of change requests...................................................................................................................19
Blind spot detection using BMC Discovery...................................................................................................................19
Vulnerability Dashboard enhancements ......................................................................................................................20
Support for additional user authentication methods...................................................................................................21
Support for executing a patch policy instantly .............................................................................................................21
Vulnerability management enhancements ..................................................................................................................21
Support for additional remediation content to remediate vulnerabilities ...............................................................22
Removing mapping for auto-mapped assets............................................................................................................22
Vulnerability noise reduction ...................................................................................................................................22
Export missing patches and vulnerabilities data to CSV...............................................................................................22
Extended staging window for patch operations...........................................................................................................22
Support for additional search filters.............................................................................................................................23
Ability to sort data in columns .....................................................................................................................................23
Automation Console integrates with TrueSight Server Automation to identify, analyze, and remediate missing patches
and vulnerabilities in your environment. IT operators and administrators use the Automation Console to automate the
patch and vulnerability management process for Windows and Red Hat Linux servers.
BMC Helix Automation Console is a part of the BMC Helix Vulnerability Management service.
Getting Using
started
Work with Automation Console
• Overview
• Architecture Administering
• Onboarding BMC
Helix subscribers Security, configuration, and maintenance
• User roles and
permissions
• License
entitlements
icon on the top of this page.
• Ready-made PDFs are available on the PDFs page. You can also create a custom PDF.
Click here to see the steps.
The BMC Documentation portal gives you the ability to generate PDF and Microsoft Word documents of
single pages, and to create PDF exports of multiple pages in a space.
Updates
This patch contains these updates:
Support for creating and approving change requests for patch remediation operations
When you create operations for applying missing patches on assets, you can now create a change request in the change
management system, which tracks the operation, and goes through a change approval process. In 20.02, integration with
BMC Remedy IT Service Management system was already supported for the vulnerability remediation operations. If you
have enabled the integration, no additional configuration is required to enable change creation and approval for a patch
operation.
For more information, see Change automation.
Tagging assets
On the Scanned Assets page, you can now add tags to the assets imported from a vulnerability scan results file. While
creating a vulnerability remediation operation, you can choose assets based on the tags.
To add tags, you must export the assets data into a CSV file, enter tag information in a key:value pair format, and then
import the updated CSV file back in Automation Console. Alternatively, you can download the CSV template from the
Advanced Search option and upload the same file in Automation Console after entering the information details about
assets and tags.
Support for viewing and selecting vulnerabilities on the basis of its Working with risks
mapping status added to the advanced filter.
Number of missing patches on the impacted assets are also Using the Vulnerability Dashboard
displayed on the Vulnerability Dashboard > Top 10 Business
Services at Risk widget.
Deleting a draft vulnerability remediation deletes all sub- Working with operations
operations associated with the draft one.
Supported versions of TrueSight Server Automation
For supported versions, see System requirements.
Patch 1 for TrueSight Automation Console 20.02 (20.02.01) 20.02.00.481
For instructions, see Installing.
19.1 20.02
While upgrading to a patch, ensure that you specify the exact build number applicable to this patch.
For instructions, see Upgrading.
Updates
This patch contains these updates:
Support for creating and approving change requests for patch remediation operations
When you create operations for applying missing patches on assets, you can now create a change request in the change
management system, which tracks the operation, and goes through a change approval process. In 20.02, integration with
BMC Remedy IT Service Management system was already supported for the vulnerability remediation operations. If you
have enabled the integration, no additional configuration is required to enable change creation and approval for a patch
operation.
For more information, see Change automation.
Tagging assets
On the Scanned Assets page, you can now add tags to the assets imported from a vulnerability scan results file. While
creating a vulnerability remediation operation, you can choose assets based on the tags.
Support for viewing and selecting vulnerabilities on the basis of its Working with risks
mapping status added to the advanced filter.
Number of missing patches on the impacted assets are also Using the Vulnerability Dashboard
displayed on the Vulnerability Dashboard > Top 10 Business
Services at Risk widget.
Deleting a draft vulnerability remediation deletes all sub- Working with operations
operations associated with the draft one.
20.02 enhancements
This topic describes the enhancements in the version 20.02 of BMC Helix Automation Console (SaaS) and TrueSight
Automation Console (on-premises).
Automation Console is available as a service, called BMC Helix Automation Console (SaaS), and as an on-premises product,
called TrueSight Automation Console.
In this release, Automation Console integrates with BMC Remedy IT Service Management (ITSM) to create change
requests and implement an approval process. This is available for a vulnerability remediation operation, and not for a
patch remediation operation. After a change request is approved, the operation runs according to the schedule.
Administrators enable change automation using the TrueSight Orchestration – ITSM Automation runbook. For more
information, see Change automation.
In this release, Automation Console integrates with BMC Discovery (on-premises only) to find servers in your environment
that are not mapped in the endpoint manager, TrueSight Server Automation, and are not scanned for vulnerabilities. Such
servers or assets are blind spots and can be a potential security risk as there might be critical undiscovered vulnerabilities
on those servers. The Discovered Assets page lists such assets. Key Performance Indicators (KPIs) on the Discovered Assets
page show information about the total number of discovered assets, assets that are discovered but not mapped to
endpoints in Server Automation, and assets that are not yet scanned. You must ensure that the discovered assets are
scanned for missing patches and vulnerabilities.
• Severity breakdown: Shows the severity levels for vulnerabilities in your environment.
• SLA breakdown: Shows the SLA levels for vulnerabilities in your environment.
• Top 10 Business Services at Risk: Shows the top 10 business services or applications with the maximum number of
vulnerabilities and impacted assets.
• New Awaiting Approval stage in the Vulnerabilities by Stage widget: Shows the number of vulnerabilities for
which operations are created with change automation configured and the change request is not yet approved.
• New Average Days Awaiting Approval stage in the Remediation Trend widget: Shows the average number of
days for which vulnerabilities in a remediation operation are in the Awaiting Approval stage.
For more information, see Using the Vulnerability Dashboard v20.02.
In 20.02, you can now log in to Automation Console using RSA Secure ID and Lightweight Directory Access Protocol (LDAP)
authentication methods. These methods are supported by the endpoint manager, TrueSight Server Automation.
For more information, see Logging in.
• Patches
• Installshield packages
• Microsoft Installer (MSI) packages
• Operating system service packs
• Red Hat packages
• Custom software
Except for patches, the new types of remediation content are available only when you are manually mapping a
vulnerability.
Existing remediation content, BLPackages and NSH scripts, are now enhanced. While creating a vulnerability remediation
operation, you can configure properties for BLPackages and select additional parameters for NSH scripts. For more
information, see Risks.
For more information, see Operations.
On the Risks page, you can now export the data for missing patches and vulnerabilities to a CSV file.
You can now sort data in columns on the Operations, Manage, and Administration tabs. For Assets and Risks, advanced
filters enable you to filter data that matches your requirement.
Related topic
Known and corrected issues
The following issues are applicable to BMC Helix Automation Console (SaaS) and TrueSight Automation Console (on-
premises).
Perfor If the Data Refresh Cycle is set to 30 minutes, database deadlocks 20.02.01 DRS
mance occur, which significantly affect the performance of the application. MP-
3189
Policy Patch policy updates are not reflected accurately in Automation 20.02.01 DRS
Console. MP-
3185
Risks When you import a scan file, assets are not getting automatically 20.02.01 DRS
mapped to vulnerabilities. MP-
3018
UI Patch Dashboard displays patch compliance data for installed and 20.02.01 DRS
missing patches that does not match the actual policy scan results. MP-
2808
Assets If an operator (no administrative permissions) deletes a scan file, 20.02.01 DRS
assets in the Scanned Assets page are not deleted. MP-
2942
Policy If an operator (no administrative permissions) deletes a patch policy, 20.02.01 DRS
assets and missing patches identified by the policy are not deleted. MP-
3076
UI On the Administration > Catalogs page, the Last Updated column does 20.02 DRS
not show the actual date and time when the catalog was updated. MP-
2820
API You can create an operation for a policy that has not identified any 20.02 DRS
missing patches by using REST API. MP-
1983
Scan Scan file import fails for any scan file and the following message is 20.02 DRS
displayed: 413 Request entity too large. MP-
2876
UI You cannot sort data in any column on the UI. 20.02 DRS
MP-
1979
Mappin On the Scanned Assets page, after importing a vulnerability scan file, 20.02 DRS
g you unmap the assets that have got automatically mapped. But after a MP-
data refresh interval, the same unmapped assets get auto-mapped 3025
again. And when you import another vulnerability scan file and you
find a different vulnerability for the same asset that has been
unmapped previously, then instead of the asset getting auto-mapped,
it remains unmapped.
Installat During installation, if you specify the port number for PostgreSQL DRS
ion database server anything apart from the default port, 5432, the MP-
underlying resource database links are not correctly formed. When you 2892
import a scan file, vulnerabilities and assets data is not imported in the
Automation Console.
Risks If you delete a catalog from Automation Console, remediation content DRS
(from the catalog) is not deleted, and is still mapped to the MP-
vulnerabilities. 1978
Scan If you import a vulnerability scan file with a file size more than 500 MB, DRS
the import fails. MP-
1981
UI On the Operations page, sort option does not work on the Status DRS
column. This issue also occurs on the Patch Policies > Asset Scope and MP-
Security Groups > Description columns. 2652
On the Operations page, if you click the change request ID, the status is
shown as Ready to execute.
UI When an Automation Console active session expires, all the dashboard DRS
widgets are still displayed. MP-
2229
UI On the Patch or Vulnerability Dashboard pages, when you place the DRS
mouse cursor on any widget, sometimes it wraps the text on the UI. MP-
2171
BMC Confidential. The preceding information is intended only for registered users of docs.bmc.com.
BMC Helix Automation Console (SaaS) is a part of the BMC Helix Vulnerability Management service.
This section helps you to get started with the product as it describes the overview, architecture, and user roles and
permissions for Automation Console. In addition, it provides the onboarding process for BMC Helix Automation
Console (SaaS) subscribers.
• Overview
• Architecture (on-premises only)
• Onboarding BMC Helix subscribers (SaaS only)
• User roles and permissions
• License entitlements
Overview
This topic helps you understand the product and features of BMC Helix Automation Console (SaaS) and TrueSight
Automation Console (on-premises).
• Product overview
• Documentation overview
Product overview
Automation Console is available as a service, called BMC Helix Automation Console (SaaS), and as an on-premises product,
called TrueSight Automation Console. They integrate with the endpoint manager, TrueSight Server Automation, to identify,
analyze, and remediate missing patches and vulnerabilities.
BMC Helix Automation Console is a service offering on the BMC Helix Platform, and is a part of the BMC Helix Vulnerability
Management service.
Patch Management
Organizations spend significant time and effort in monitoring a network of servers to keep track of the patches installed
and configured on the servers, also known as assets. With application vendors releasing patches periodically, an
organization invests a considerable amount of time in obtaining the released patches, evaluating the impact, identifying
gaps, and eventually installing these patches. Most security breaches occur due to known but unpatched vulnerabilities.
Typically, a patch administrator analyzes individual servers to determine the patches to be acquired and installed to
comply with the organizational policies. This process involves significant time and manual effort.
Using Automation Console, an administrator imports patch catalogs from TrueSight Server Automation. These catalogs
store patch metadata released by the vendors. An IT operator creates a patch policy based on a catalog, which runs a
patching job in Server Automation. This job scans the assets according to the policy settings and identifies missing patches
The end-to-end patch management process of identifying missing patches and installing them on the assets is done
automatically by integrating seamlessly with TrueSight Server Automation. For more information about the TrueSight
Server Automation patch management process, see Getting started with patch management .
Vulnerability Management
Automation Console helps you maintain the integrity of enterprise computing by analyzing and remediating vulnerabilities
across your environment. By establishing a connection with the endpoint manager, such as TrueSight Server
Automation, Automation Console enables you to remediate vulnerabilities on the endpoints or assets.
Operators first import a vulnerability scan file, which imports asset and vulnerability data in the application. In this
release, Automation Console supports importing data from popular vulnerability scanning tools such as Qualys, Rapid7,
and Nessus. After a successful import, the application automatically maps assets to endpoints in TrueSight Server
Automation, and maps vulnerabilities to remediation content required to resolve the vulnerabilities. The most common
types of remediation content are patches, NSH scripts, and packages. Operators can also map assets and vulnerabilities
manually.
Using Automation Console, operators then create operations that perform actions on assets to remediate vulnerabilities.
In version 20.02, Automation Console integrates with BMC Remedy IT Service Management (ITSM) to create change
requests and implement an approval process.
For more information about the process of importing scans, mapping assets and vulnerabilities, and performing
remediation operations, see Using.
Automation Console provides role-based access to the application. Users access the Automation Console based on the
role assigned to them in TrueSight Server Automation. For details, see User roles and permissions.
Documentation overview
This space provides documentation for BMC Helix Automation Console (SaaS) and TrueSight Automation Console (on-
premises).
Topics that are applicable for both begin with an introductory statement that mentions both the product names.
Topics that are applicable for either BMC Helix Automation Console (SaaS) or TrueSight Automation Console (on-premises)
are indicated by appropriate text.
For example, the Planning section, which is applicable only for TrueSight Automation Console (on-premises) has a note
that indicates its relevance.
Note
The Architecture topic is applicable for a TrueSight Automation Console (on-premises) installation only.
BMC Helix Automation Console (SaaS) is available as a service only. For details about subscribing to this service,
see BMC Helix subscriber information.
TrueSight Automation Console (on-premises) uses a microservices-based architecture and comprises an application server
and a database. These components are deployed as a set of Docker containers.
The following figure shows the components, their interaction, and the product architecture:
To authenticate with Server Automation, you must use one of these authentication methods:
Application Server
Application server comprises the following microservices and components:
Component Description
API gateway Nginx acts as an API gateway and reverse proxy for communication
amongst the services and between the graphical user interface and the
microservices.
Login service Provides APIs for authenticating with the endpoint manager. Provides login,
logout, authentication, and session management APIs.
Asset state service Stores information about the state of all patches, missing or already
installed, and vulnerabilities identified on all assets.
This service displays data on the Risks > Missing Patches and Risks>
Vulnerabilities pages and on the Patch Dashboard and Vulnerability
Dashboard.
Data Refresh service Retrieves information about all Windows and Red Hat Linux assets
from Server Automation and sends it to the asset service.
Redis service Used for in-memory session cache. It is also used as a database-cache for
the Work Manager.
Work Manager Provides capabilities to push or pull a set of requests and responses used
by the Automation Console to send requests to the endpoint manager.
TrueSight Server Automation connector Acts as an adapter to communicate with the Server Automation instance. It
fetches requests from the Work Manager and forwards it to
the Automation Console instance. Response from Automation Console is
sent back to the Work Manager.
TrueSight Orchestration connector Acts as an adapter to communicate with TrueSight Orchestration, which
integrates with BMC Remedy IT Service Management for change
automation.
BMC Discovery connector Acts as an adapter to communicate with BMC Discovery to send discovered
assets in your environment to Automation Console.
Database Server
The Automation Console currently supports PostgreSQL server as a database. You can install the database as part of the
product installation or use an existing installation of the PostgreSQL database (supported only on Linux).
Related topics
Planning
System requirements
This topic helps you get started if you have subscribed to BMC Helix Automation Console (SaaS), which is a part of the
BMC Helix Vulnerability Management service.
Complete the BMC registration process and understand the subscription information.
Review the welcome email. The welcome email includes login credentials and URL for Automation Console, FTP
folder for downloading the TrueSight Server Automation connector, and general information about accessing and
using your service.
Ensure that a compatible TrueSight Server Automation version is installed.
You run a TrueSight Server Automation connector in your environment to ensure that the connection between
the Server Automation and Automation Console is established. The connector ensures that Automation Console
receives notifications even if the Server Automation application is in an air-gapped environment. Upgrade the
connector when using the latest version of BMC Helix Automation Console (SaaS).
This release of Automation Console supports integration with BMC Remedy ITSM for creation and approval of
change requests for remediation operations. Change automation is available for vulnerability operations only. To
enable change automation, you must configure the TrueSight Orchestration connector and ensure that other
prerequisite tasks are complete.
This release of Automation Console supports integration with BMC Discovery to find assets in your environment
that are not mapped in TrueSight Server Automation, and are not scanned for vulnerabilities. Using this
information, you can then scan the assets to identify vulnerabilities and remediate them.
Log in to the Automation Console and start managing missing patches and vulnerabilities.
Suggested reading
To learn how to use Automation Console for performing end-to-end tasks for identifying and remediating risks, see End-to-
end use cases.
When you log in, the security group that you currently belong to appears in the top-right corner of the user interface. If
you are assigned multiple roles in Server Automation, you can change the security group to view the application as per
your defined role. For instructions about changing the security groups, see Logging in – Changing the security group.
Based on their roles, users can perform these tasks for an efficient and automated patch management process:
License entitlements
BMC Helix Automation Console (SaaS) is a product in the BMC Helix Vulnerability Management service.
For information about BMC Helix Automation Console offerings and license entitlements, see
BMC Helix Vulnerability Management service.
• Patch compliance percentage based on the number of patches installed and the number of missing patches
• Number of impacted assets by Service Level Agreement levels
• Number of impacted assets by patch severity
• Number of unique missing patches by their release age
• Patch remediation trend for the last six weeks
1. Import a vulnerability scan results file.
2. View asset details, and if required, manually map each asset.
After you import a scan file, assets are automatically mapped to endpoints in the endpoint manager, and the results
appear on the Assets > Scanned Assets page and on the Vulnerability Dashboard.
The Vulnerability Dashboard provides a graphical view of the assets and vulnerabilities imported from a scan file. On the
dashboard, you can view these results:
3. View vulnerability results, and if required, manually map each vulnerability with remediation content.
After you import a scan file, vulnerabilities are automatically mapped to remediation content, which includes patches,
NSH scripts, or deploy jobs. The results appear on the Risks > Vulnerabilities page.
On the Vulnerabilities page, you can view these results for each vulnerability:
This section describes the deployment scenarios, sizing requirements, and system requirements. Administrators can use
this information to plan on-premises installation.
• Deployment scenarios
• Deployment sizing requirements
• System requirements
Deployment scenarios
Note
This topic is applicable only for a TrueSight Automation Console (on-premises) deployment.
BMC Helix Automation Console (SaaS) is not available for on-premises installation. For details about subscribing
to this service, see BMC Helix subscriber information.
This topic describes scenarios to help you plan the product deployment.
• Small deployment
• Medium deployment
• Large deployment
The number of concurrent end users determines how many TrueSight Automation Console components you must actually
deploy. To determine the deployment size appropriate for your needs, see deployment sizing matrix. The sizing matrix also
provides minimum hardware requirements for the servers where you are installing additional components.
You can install a single TrueSight Automation Console database and the application on the same machine. For large
deployments, you should segregate the TrueSight Automation Console and application to separate nodes. If additional
capacity is necessary, you can install additional instances of the TrueSight Automation Console server.
Small deployment
A small deployment consists of a single database and a single Automation Console application installed on a single host. It
connects to a single instance of the TrueSight Server Automation Application Server.
Medium deployment
A medium deployment consists of two Automation Console application servers installed on separate hosts. This type of
deployment uses a single database and relies on a single TrueSight Server Automation Application Server.
Note
This topic is applicable only for a TrueSight Automation Console (on-premises) deployment.
BMC Helix Automation Console (SaaS) is not available for on-premises installation. For details about subscribing
to this service, see BMC Helix subscriber information.
TrueSight Automation Console supports a variety of deployment configurations. Most configurations require the TrueSight
Automation Console database and application to be installed on separate servers.
Requirement Large Medium Small Minimum space required for installation (GB)
Number of 6 2 1
Automation Console servers
CPUs per 8 8 8
Automation Console
Server
Automation Console 32 24 16 10
server memory (GB)
CPUs per 32 16 8
database
server
Database 64 32 16 8
server
memory (GB)
A small deployment assumes that the database and the application are hosted on the same server. Memory requirements
refer to total memory, not heap size.
If you require a deployment larger than the Large deployment described above, extrapolate the system requirements
based on the information in the table.
Condition Value
System requirements
This topic describes the system requirements for BMC Helix Automation Console (SaaS) and TrueSight Automation
Console (on-premises).
• System requirements for BMC Helix Automation Console (SaaS)
• System requirements for TrueSight Automation Console (on-premises)
System requirements for BMC Helix Automation Console (SaaS)
BMC Helix Automation Console (SaaS) supports the products, versions, and browsers listed here.
Product Version
Supported browsers
Automation Console supports the following browsers:
System requirements for TrueSight Automation Console (on-premises)
TrueSight Automation Console (on-premises) supports the software, hardware, database, and port requirements listed
here.
Supported browsers
Automation Console supports the following browsers:
Product Version
Third-party software
Automation Console is bundled with the following third-party software:
Utility Version
docker-compose 1.19.0
Number of 25 -
concurrent users
Number of 1 -
Automation Console servers
CPUs per 8 -
Automation Console
Server
Automation Console 32 10
server memory (GB)
CPUs per 8 -
database
server
Database 16 8
server
memory (GB)
Database 100 25
disk
space (GB)
The following table describes the recommendations for a PostgreSQL database that you can use for optimal performance.
Configuration Recommendation
Users, Roles • The first installation of the application automatically creates the users and
roles needed by the Automation Console. The installer requests the
credentials for the PostgreSQL privileged user (usually named postgres).
• Default names are provided for users and roles but they can be customized
during installation.
listen_addresses = '*'
max_connections = 300
default_statistics_target = 50
constraint_exclusion = on
wal_buffers = 8MB
min_wal_size = 1GB
max_wal_size = 2GB
checkpoint_timeout = 15min
checkpoint_completion_target = 0.9
log_min_messages = fatal
log_min_error_statement = fatal
#following parameters should be tuned according
#to actual memory available to Database server machine
#example of configuration for 8GB RAM
maintenance_work_mem = 512MB
effective_cache_size = 5GB
work_mem = 48MB
shared_buffers = 2GB
Port requirements
The port on which the Automation Console communicates with an endpoint manager must be open, and the application
and the endpoint manager must be able to communicate with each other.
The following table provides the port numbers that you must enable for the product.
500 TCP Host containing the Yes (at the time of Yes Port used for
0 Automation Console installation) communication with the
application installation Docker repository
543 TCP Host containing the database No Yes Port used by the database
2 installation (PostgreSQL) for
communication
The installation process requires you to complete your planning activities before starting with the preparatory, installation,
and post-installation tasks. The following table enables you to install the product smoothly.
TrueSight Automation Console installation process
Description Procedure
Description Procedure
Download the installation file and complete the pre- Preparing for installation
installation tasks.
An Automation Console deployment consists of two components: database and application. The TrueSight
Automation Console supports PostgreSQL as the database.
You can install the database by using the executables provided on the BMC Electronic Product Distribution (EPD) site
(recommended for demo or test environments), or use an existing PostgreSQL instance in your environment
(recommended for production environments).
Description Procedure
Install the Stack Manager tool. Install using one of these modes:
Using a single script in the Stack Manager tool, install the Installing in the interactive mode – Directly provide
database first, and then the application server. inputs on the command line.
Installing silently – Create an inputs file with the
required inputs and then use the file for installing
the product on any number of servers.
What next?
After successfully installing the product, configure the connectors to integrate with BMC Discovery and TrueSight
Orchestration.
For details, see Configuring connectors.
Note
This topic is applicable only for a TrueSight Automation Console (on-premises) deployment.
BMC Helix Automation Console (SaaS) is not available for on-premises installation. For details about subscribing
to this service, see BMC Helix subscriber information.
• Ensure that the target computer meets the system requirements.
• Ensure that the servers on which you want to install the application and database are in the same time zone.
• Install a compatible TrueSight Server Automation version.
See Installing TrueSight Server Automation
Note
BMC recommends that you install the Automation Console and TrueSight Server Automation on different hosts.
• If you want to install using a non-root user, ensure that the user has read and write permissions to the installation
directory.
This user must also be a part of the docker user group on the host.
• If using an external PostgreSQL database, ensure that it is installed and running in your environment.
Note
While setting up Docker in an internet-enabled or an air-gapped environment, the location where Docker is to be
installed must have at least 50 GB storage space.
To set up Docker CE on a CentOS computer
1. Add a Docker repository to your system required to install Docker:
Important
After you download Docker compose, ensure that /usr/local/bin/ is added to the PATH variable.
docker run -d \
-p 5000:5000 \
--restart=always \
--name registry \
-v <Directory>:/var/lib/registry \
registry:2
For example,
docker run -d \
-p 5000:5000 \
--restart=always \
--name registry \
-v /opt/tsac/dockerrepo:/var/lib/registry \
registry:2
curl http://localhost:5000/v2/_catalog
Alternatively, you can verify by using the http://localhost:5000/v2/_catalog URL in a browser.
If successful, the command returns the following output:
To set up Docker EE on an RHEL computer
1. To install Docker EE, you need the URL of the Docker EE repository associated with your trial or subscription, as
follows:
a. Go to https://store.docker.com/my-content. All of your subscriptions and trials are listed.
b. Click the Setup button for Docker Enterprise Edition for Red Hat Enterprise Linux.
c. Copy the URL from Copy and paste this URL to download your Edition and save it for later use.
2. Export the Docker URL:
4. Store your OS version string in /etc/yum/vars/dockerosversion. If you are using version 7.2, type the exact
version.
5. Install the required packages. The yum-utils package provides the yum-config-manager utility. The device-
mapper-persistent-data and lvm2 packages are required by the devicemapper storage driver:
6. Enable the extras RHEL repository. This ensures access to the container-selinux package required by docker-ee.
7. Add the Docker repository to your system required to install Docker EE:
12. After you download docker compose, add /usr/local/bin/ to the PATH variable.
13. Grant the required permissions to docker compose:
docker run -d \
-p 5000:5000 \
--restart=always \
--name registry \
-v <Directory>:/var/lib/registry \
registry:2
For example,
docker run -d \
-p 5000:5000 \
--restart=always \
--name registry \
-v /opt/tsac/dockerrepo:/var/lib/registry \
registry:2
15. Verify that Docker images have been pulled successfully by running the following command:
curl http://localhost:5000/v2/_catalog
{"repositories":["bmcsoftware/truesight-app-vulnerability-management-drm","bmcsoftware/truesight-app-
vulnerability-management-drw","bmcsoftware/truesight-app-vulnerability-management-portal","bmcsoftware/
truesight-common-discovery-connector","bmcsoftware/truesight-common-exception-management","bmcsoftware/
truesight-common-orchestration-connector","bmcsoftware/truesight-common-tagging","bmcsoftware/
truesight-common-tsna-connector","bmcsoftware/truesight-common-tssa-connector","bmcsoftware/truesight-
common-workmanager","bmcsoftware/truesight-config-configurator","bmcsoftware/truesight-infra-ext-
consul","bmcsoftware/truesight-infra-ext-redis"]}
4. Switch to the computer that has internet access and download docker compose using the following command:
5. Copy the downloaded file to the /usr/local/bin directory on the computer where you want to install the
application:
Important
After you download docker compose, ensure that /usr/local/bin/ is added to the PATH variable.
mkdir -p /opt/tsac/dockerrepo
unzip TSAC-<version>-IMAGES-LIN64.zip -d /opt/tsac/dockerrepo
g. Run the following command to create the local Docker registry. In the following command, replace <Direc
tory> with the directory with its complete path that you created in step f. If there are multiple hosts,
repeat this step on all the Docker hosts.
docker run -d \
-p 5000:5000 \
--restart=always \
--name registry \
-v <Directory>:/var/lib/registry \
registry:2
Example:
docker run -d \
-p 5000:5000 \
--restart=always \
--name registry \
-v /opt/tsac/dockerrepo:/var/lib/registry \
registry:2
curl http://localhost:5000/v2/_catalog
{"repositories":["bmcsoftware/truesight-app-utilities","bmcsoftware/truesight-app-vulnerability-
management-drm","bmcsoftware/truesight-app-vulnerability-management-drw","bmcsoftware/truesight-app-
vulnerability-management-portal","bmcsoftware/truesight-common-discovery-connector","bmcsoftware/
truesight-common-exception-management","bmcsoftware/truesight-common-itil","bmcsoftware/truesight-
common-orchestration-connector","bmcsoftware/truesight-common-tagging","bmcsoftware/truesight-common-
tsna-connector","bmcsoftware/truesight-common-tssa-connector","bmcsoftware/truesight-common-
workmanager","bmcsoftware/truesight-config-configurator","bmcsoftware/truesight-infra-ext-consul","bmcs
oftware/truesight-infra-ext-redis"]}
4. Connect to the computer that has internet access and download docker compose using this command:
5. Copy the downloaded file to the /usr/local/bin directory on the computer where you want to install the
application:
Important
After you download docker compose, ensure that /usr/local/bin/ is added to the PATH variable.
mkdir -p /opt/tsac/dockerrepo
unzip TSAC-<version>-IMAGES-LIN64.zip -d /opt/tsac/dockerrep
g. Create the local Docker registry. Replace <Directory> with the complete path of the directory that you
created in step f. If there are multiple Docker hosts, repeat this step on all hosts.
docker run -d \
-p 5000:5000 \
--restart=always \
--name registry \
-v <Directory>:/var/lib/registry \
registry:2
Example:
curl http://localhost:5000/v2/_catalog
{"repositories":["bmcsoftware/truesight-app-utilities","bmcsoftware/truesight-app-vulnerability-
management-drm","bmcsoftware/truesight-app-vulnerability-management-drw","bmcsoftware/truesight-app-
vulnerability-management-portal","bmcsoftware/truesight-common-discovery-connector","bmcsoftware/
truesight-common-exception-management","bmcsoftware/truesight-common-itil","bmcsoftware/truesight-
common-orchestration-connector","bmcsoftware/truesight-common-tagging","bmcsoftware/truesight-common-
tsna-connector","bmcsoftware/truesight-common-tssa-connector","bmcsoftware/truesight-common-
workmanager","bmcsoftware/truesight-config-configurator","bmcsoftware/truesight-infra-ext-consul","bmcs
oftware/truesight-infra-ext-redis"]}
1. Open these ports on the firewall using the following command for each of the ports:
500 TCP Host containing the Yes (at the time of Yes Port used for
0 Automation Console installation) communication with the
application installation Docker repository
543 TCP Host containing the No Yes Port used by the database
2 database installation (PostgreSQL) for
communication
2. Restart the firewall by running the following command:
3. Stop the Docker service by running the following command:
4. Reset the Docker network adapter by running the following commands:
iptables -t nat -F
ifconfig docker0 down
brctl delbr docker0
Note
This topic is applicable only for a TrueSight Automation Console (on-premises) deployment.
BMC Helix Automation Console (SaaS) is not available for on-premises installation. For details about subscribing
to this service, see BMC Helix subscriber information.
Installation files
The following table provides links to the page in the EPD website that contains the installation files for this product. From
the EPD page, you can select and download the installation files for your platform. Access to the EPD website requires that
you provide your BMC Support credentials. You might also be prompted to complete the Export Compliance Form.
Tip
You can use any SHA checksum tool to verify the checksum results.
TSAC-2002-IMAGES-LIN64.zip 8900be1c5423f251337ce530f3ca5f4489706d60334ddea49cb7dfa0f61
9d01b
TPS_TSAC2002.zip 6759b8dcccd9e934ec0e4e1b974ac7b238875168ec3b9d45c854eb839e
112386
Note
This topic is applicable only for a TrueSight Automation Console (on-premises) deployment.
BMC Helix Automation Console (SaaS) is not available for on-premises installation. For details about subscribing
to this service, see BMC Helix subscriber information.
This topic provides the instructions to install the TrueSight Automation Console database and the application components
using the Stack Manager tool.
Warning
TrueSight Automation Console is delivered to customers bundled as a set of Docker Containers. The Docker
Containers and the software installed on them should not be taken out of Automation Console or used
separately. Installing additional third-party software or updating existing software packages in the Docker
Containers is not permitted, unless explicitly authorized by BMC Software.
Here, 127.0.0.1:5000 is the host:port of the local registry that contains the BMC Helix Automation
Console images.
You are prompted to specify a location to install the product.
2. Enter a location or continue with the default /opt/bmc location.
3. Enter a username and password.
You can use a root or a non-root user. If using a non-root user, ensure that the user has read and write permissions
to the installation directory and is a part of the docker user group on the host. The Stack Manager tool is installed
at the specified location. You can now continue with installing the database and the application.
Tip
To see the commands typically used during installation and other help, run this command:
./stackmanager –-help
1. On the host where the Stack Manager tool is installed, run any of the following commands to start installing the
database.
or
2. Verify whether the default Docker registry details are accurate and press Enter to continue.
The End User License Agreement is displayed.
3. Read, and type y to continue with the installation.
4. After accepting the license agreement, you must provide the values that match your environment or accept the
default values:
Note
You have to avoid the subnet/IP of the
network, the host is connected to.
Port number for PostgreSQL 5432 Do not change the default port number.
server
PostgreSQL database installation is complete.
5. To verify whether the installation is successful, run the following command:
Now that you have successfully installed the database, you can begin installing the application.
Note
BMC recommends to install TrueSight Automation Console Application Server and the database on different host
servers. However, for a proof-of-concept or a test environment, both the TrueSight Automation Console
application and database can be installed on the same host.
Installing the Automation Console application
Install the application after successfully installing the database.
1. On the host where the Stack Manager tool is installed, run any of the following commands to start installing the
application.
or
The installer confirms whether the database is already installed. The following message is displayed.
The End User License Agreement is displayed.
2. Read, and type y to continue with the installation.
3. After accepting the license agreement, you must provide the values that match your environment or accept the
default values:
Note
You have to avoid the subnet/IP of the network,
the host is connected to.
Fully-qualified domain name or IP address of the BMC recommends that you do not use the containerized
PostgreSQL server installed in the previous step DB for your production environments. Use an
external PostgreSQL database instead.
Port number of the PostgreSQL server 5432 This field is required when you install the database
and application on separate hosts.
Automation Console port number 10443
TrueSight Server Automation hostname
TrueSight Server Automation port number 9843
TrueSight Server Automation protocol https
TrueSight Server Automation admin role name BLAdmins
TrueSight Server Automation Service Account BLAdmin
username
TrueSight Server Automation password for the
Service Account user
TrueSight Server Automation role name for the BLAdmins
Service Account user
TrueSight Server Automation login authentication SRP Valid values: SRP, Domain
type for the Service Account user
Automation Console application is installation is complete.
Where to go next?
Now that you have installed the product successfully, administrators can start setting up the application for your patch and
vulnerability management needs. You can start using its features based on your role and requirements.
If you want to integrate with BMC Discovery to identify discovered assets, and TrueSight Orchestration to enable change
automation, configure the connectors.
For details, see Configuring connectors.
Installing silently
Note
This topic is applicable only for a TrueSight Automation Console (on-premises) deployment.
BMC Helix Automation Console (SaaS) is not available for on-premises installation. For details about subscribing
to this service, see BMC Helix subscriber information.
This topic provides instructions to create an input file and install the TrueSight Automation Console components silently.
Here, 127.0.0.1:5000 is the host:port of the local registry that contains the TrueSight Automation Console images.
You are prompted to specify a location to install the product.
2. Enter a location or continue with the default /opt/bmc location.
3. Enter a username with root level permissions and the password.
The Stack Manager tool is installed at the specified location. You can now continue with installing the database and
the application.
Installing silently
You use the Stack Manager tool to create an inputs file, then install the database, and then the application.
1. Open a terminal and SSH into the host where you have installed the Stack Manager tool and run the following
command to create the input file.
You are asked for the inputs required for the installation.
2. To create an inputs file, provide the following information required for installing the Automation Console.
Input file for the Automation Console
Hostname or IP address of the Specifies the fully qualified domain name No default value. User must
PostgreSQL database server (FQDN) or IP address of the host where the specify a value.
default PostgreSQL database will be
installed. For production environment, use
an external PostgreSQL database.
PostgreSQL database port Specifies the port number for the 5432
number PostgreSQL database
Server Automation port number Specifies the port number where Server -
Automation is installed.
Service Account user name Specifies the username with permissions to BLAdmin
of TrueSight Server access Server Automation
Automation user
Login authentication type for Specifies the authentication method. Valid SRP
the TrueSight Server values: SRP, Domain Authentication
Automation Service Account user
Currently, only Secure Remote Password
(SRP) and Domain Authentication methods
are supported.
3. To verify whether the inputs file is created successfully, run the following command:
Enter the location where the file is created. Default location is /opt/bmc/truesight.
The following figure shows a sample inputs_file.yml file.
Sample inputs_file.yml for the database
4. To install the database silently, run the following command:
Stack Manager uses the inputs provided in the inputs file and installs the database.
5. To verify whether the database is installed successfully, run the following command:
Stack Manager uses the inputs provided in the inputs file, verifies whether the database is installed, and installs
the application.
7. To verify whether the application is installed successfully, run the following command:
Where to go next?
Now that you have installed the product successfully, administrators can start setting up the application for your patch
management needs. You can start using the features based on your role and requirements.
Note
This topic is applicable only for a TrueSight Automation Console (on-premises) deployment.
BMC Helix Automation Console (SaaS) is not available for on-premises installation. For details about subscribing
to this service, see BMC Helix subscriber information.
For a medium or large sized deployment, an administrator deploys multiple instances of the TrueSight Automation
Console application server component and creates an application cluster. You must configure a cluster of application
servers to replicate information so if one fails, other members of the cluster have access to the same information.
You can use any proxy solution to configure application clusters. This topic provides instructions on how to share data in
a TrueSight Automation Console (on-premises) application cluster using the High Availability Proxy (HA Proxy) solution.
A configuration file, haproxy.cfg gets created in the /etc/haproxy directory.
2. Navigate to the /etc/haproxy directory and replace the content in the default haproxy.cfg file with the following
content.
Sample haproxy.cfg file
3. Open the file in a text editor, and locate the frontend localnodes section and replace <portNumber> with
the secure port used to access the Automation Console application.
Example
frontend localnodes
bind *:10443
mode tcp
default_backend http_1
4. At the end of the file, replace <IPAddress_hostA>/<FQDN_hostA> with the Fully Qualified Domain Name or IP
Address of the application server host and port number with the secure port used to access Automation
Console application.
Increase the number of entries based on the number of applications you have installed. For example, if you have
four instances of application, add four server counter entries.
Note
You must specify the same port number for all the application servers.
5. Save changes and run the service haproxy restart command to restart the HA Proxy service.
Related topic
Deployment scenarios.
Uninstalling
Note
This topic is applicable only for a TrueSight Automation Console (on-premises) deployment.
BMC Helix Automation Console (SaaS) is not available for on-premises installation. For details about subscribing
to this service, see BMC Helix subscriber information.
To uninstall the application, do the following:
1. Navigate to the directory where the Stack Manager launcher is installed.
Default value: /opt/bmc
2. Run the following command:
Note
This command only deletes the application directory from the installation directory.
The following directories are not deleted:
/var/bmc/truesight/postgresql/data
<InstallationDirectory>/sm/registry/inputs_file.yml
Ensure that you delete the /var/bmc/truesight/postgresql/data directory before installing the
application again on the same host.
1. Navigate to the directory where the Stack Manager launcher is installed.
Default value: /opt/bmc
2. Run the following command:
Note that this command only cleans up the database. It does not delete the /var/bmc/truesight/postgresql/
data and <InstallationDirectory>/sm/registry/inputs_file.yml directories.
Complete the steps required to prepare for an upgrade and then upgrade to this version.
19.1 20.02
TrueSight Automation Console upgrade process
Description Procedure
Download the installation file and complete the pre- Preparing for upgrade
upgrade tasks.
When you upgrade, TrueSight Automation Console application is updated.
Description Procedure
Upgrade the Stack Manager tool and then using a single script Performing the upgrade
in the Stack Manager tool, upgrade the application server.
Where to go next?
After a successful upgrade, the TrueSight Server Automation connector does not need any configuration. If you had
configured the optional TrueSight Orchestration and Discovery connectors before the upgrade, no change is required.
If you had not configured the optional connectors, you can choose to configure them based on your requirements. For
details, see Configuring connectors.
Note
This topic is applicable only for a TrueSight Automation Console (on-premises) deployment.
BMC Helix Automation Console (SaaS) is not available for on-premises installation. For details about subscribing
to this service, see BMC Helix subscriber information.
Preparing to upgrade TrueSight Automation Console
You first extract the latest images and then recreate a local registry with the latest Docker images.
docker rm registry
After removing the registry, manually delete the mapped location from the host.
2. To recreate a local Docker registry, do these:
a. Download the TSAC<versionNo>-IMAGES-LIN64.zip file from the BMC Electronic Products Distribution
(EPD).
b. Create a directory on the Docker host (for example, /opt/tsac_<version>/dockerrepo) and extract
the TSAC<versionNo>-IMAGES-LIN64.zip into the directory.
c. Run the following command to create the local Docker registry.
In the following command, replace <Directory> with the directory and its complete path that you
created in step b. If there are multiple hosts, repeat this step on all the Docker hosts.
docker run -d \
-p 5000:5000 \
--restart=always \
--name registry \
-v <Directory>:/var/lib/registry \
registry:2
For example,
docker run -d \
-p 5000:5000 \
--restart=always \
--name registry \
-v /opt/tsac/dockerrepo:/var/lib/registry \
registry:2
To recreate the repository on an RHEL computer
1. To remove the local registry, if it exists, run the following commands:
docker rm registry
docker run -d \
-p 5000:5000 \
--restart=always \
--name registry \
-v <Directory>:/var/lib/registry \
registry:2
For example,
docker run -d \
-p 5000:5000 \
--restart=always \
--name registry \
-v /opt/tsac/dockerrepo:/var/lib/registry \
registry:2
Note
This topic is applicable only for a TrueSight Automation Console (on-premises) deployment.
BMC Helix Automation Console (SaaS) is not available for on-premises installation. For details about subscribing
to this service, see BMC Helix subscriber information.
This topic provides the instructions to upgrade TrueSight Automation Console to the current version. During an upgrade,
you only upgrade the application, which also upgrade the underlying database schema.
Build numbers
You must provide the build number depending on the version that you want to upgrade to.
20.02 20.02.00.305
To upgrade TrueSight Automation Console
1. Open a terminal and SSH into the host where you have set up the local registry, and run the following command to
update the Stack Manager tool.
Example
Here, 127.0.0.1:5000 is the host:port of the local registry that contains the BMC Helix Automation
Console images.
You are prompted to specify a location to install the product.
2. Enter the location where the previous version is installed.
3. Enter a username with root permissions and a password.
The Stack Manager tool is updated at the specified location.
4. Run the following command to verify whether the Stack Manager tool is updated.
./stackmanager version
Service Version
------- -------
Catalog service 20.02.00.455
Consul 20.02.00.45
Discovery OnPrem Connector 20.02.00.52
ITIL Service 20.02.00.184
Login service 20.02.00.543
Nginx 20.02.00.601
Patch Manager portal 20.02.00.881
Patch Manager service 20.02.00.756
Policy service 20.02.00.706
PostgreSQL 11.2-alpine
Redis 20.02.00.72
Redis-common 20.02.00.72
Resource service 20.02.00.493
TSO Connector 20.02.00.207
TSSA Connector 20.02.00.441
TSVM Data Refresh Manager 20.02.00.3345
TSVM Data Refresh Worker 20.02.00.3345
TSVM Portal 20.02.00.2241
WorkManager 20.02.00.429
You can now continue with upgrading the application.
Tip
To see the commands typically used during installation and other help, run this command:
./stackmanager --help
5. On the host where the Stack Manager tool is installed, run any of the following commands to start upgrading the
application.
This command also upgrades the database schema.
The existing installation and the END USER LICENSE AGREEMENT is displayed.
6. Read, and type y to continue with the upgrade.
TrueSight Automation Console upgrade is complete and the following status is displayed.
7. To verify whether the upgrade is successful, run the following command:
The updated services, container names, versions, and their status is displayed. The following figure shows details
after successfully upgrading to version 20.02.01.
./stackmanager version
The following figure shows the sample version.
Service Version
------- -------
Catalog service 20.02.00.455
Consul 20.02.00.45
Discovery OnPrem Connector 20.02.00.52
ITIL Service 20.02.00.184
Login service 20.02.00.543
Nginx 20.02.00.601
Patch Manager portal 20.02.00.881
Patch Manager service 20.02.00.756
Policy service 20.02.00.706
PostgreSQL 11.2-alpine
Redis 20.02.00.72
Redis-common 20.02.00.72
Resource service 20.02.00.493
TSO Connector 20.02.00.207
TSSA Connector 20.02.00.441
TSVM Data Refresh Manager 20.02.00.3345
TSVM Data Refresh Worker 20.02.00.3345
WorkManager 20.02.00.429
Where to go next?
After a successful upgrade, the TrueSight Server Automation connector does not need any configuration. If you had
configured the optional TrueSight Orchestration and Discovery connectors before the upgrade, no change is required. If
you had not configured the optional connectors, you can choose to configure them based on your requirements. For
details, see Configuring connectors.
Note
The TrueSight Server Automation connector is required only for BMC Helix Automation Console (SaaS).
For TrueSight Automation Console (on-premises), integration with TrueSight Server Automation is configured
during installation.
This topic provides an overview of and instructions to install and configure the TrueSight Server Automation connector.
Overview
TrueSight Server Automation connector is used to establish connection between BMC Helix Automation Console with the
TrueSight Server Automation Application Server. Automation Console sends notifications for jobs such as updating
catalogs, and running patching jobs to the connector, which sends it to the TrueSight Server Automation. The connector
ensures that even if the application server is in an air-gapped environment, communication between Automation
Console and the application server is uninterrupted.
By default, the connector establishes a connection over the HTTPS protocol using out-of-the-box self-signed certificates. To
ensure seamless communication, you must provide the connector information in the hosts file on Server Automation.
Installing the Server Automation connector
If there is no earlier instance of Server Automation connector in your environment, do these steps:
1. Download the connector file from the location provided in the email message when you complete the activation.
2. Extract the tssa_connector.zip file on an internet-enabled server (inbound and outbound).
The host where the connector is installed must be accessible to the Server Automation application server.
3. Go to /config/creds.json file and add the connector token provided by BMC.
The workerId value in the creds.json file must match the workerId value in the /config/application.properties
file.
"connectorToken":<connector-token-value>
{
"user": "<worker-id-value>",
"password": "",
"deployment": "private",
"connectorToken": "<connector-token-value>",
"workerId": "<worker-id-value>",
endpoints": {
"pls": "POLICY_ENDPOINT",
"ifi": "",
"ifm": "",
"wmw": "https://tenant-app-url.bmc.com"
}
}
4. On the Server Automation application server, go to the hosts file and add the following:
<connector-ip> tssa.connector.bmc.com
5. On the server where the connector.zip is extracted, go to the connector location, and run the following command
to install and start the connector:
• Windows: run.bat
• Linux: run.sh
The Server Automation connector starts running successfully.
Updating the TrueSight Server Automation connector
If you already have a running instance of TrueSight Server Automation connector, do these steps:
1. Download the connector file from the location provided in the email message.
2. Back up the directory where the existing connector is configured and extract the updated tssa_connector.zip file in
a new directory on an internet-enabled server (inbound and outbound).
The host where the connector is installed must be accessible to the TrueSight Server Automation application
server.
3. From the existing connector /config directory, copy the creds.json and application.properties files to the /config
directory where the updated connector file is extracted.
If you have received a connector token in the email message, update the connector token in the creds.json file.
4. Verify whether the workerId value in the /config/creds.json file matches the workerId value in the /config/
application.properties file.
5. On the server where the connector zip is extracted, go to the connector location, and run the following command
to install and start the connector:
• Windows: run.bat
• Linux: run.sh
The TrueSight Server Automation connector starts running successfully.
Do this:
Where to go next?
Overview
As an administrator, you configure a connector to enable integration with TrueSight Orchestration for change
management. For a vulnerability operation, you can now create a change ticket with an approval process in BMC Remedy
IT Service Management. TrueSight Orchestration connector establishes a connection and enables communication
between TrueSight Orchestration and BMC Helix Automation Console (SaaS) and TrueSight Automation Console (on-
premises). For more details, see Change automation.
In version 20.02, you can configure the connector using REST APIs only.
This topic describes the URL, method, and sample configuration for only configuring the connector. For more information
about the supported connector API calls see, Using REST API.
Configuring connector for TrueSight Automation Console
For TrueSight Automation Console (on-premises), the connector is available as a container after the installation is
complete.
To use this REST API, you must first create an authorized session with administrator credentials. For more information,
see, Using REST API.
POST /api/v1/connectors
Request body parameters
host Specifies the host where TrueSight Orchestration server is installed. Yes
properties Contains the properties to connect to the TrueSight Orchestration Grid Yes
Manager.
username Specifies the username required to login to the Grid Manager. Yes
If true, change request creation and approval is mandatory when you create
a vulnerability remediation operation in Automation Console.
If false, you can skip change creation and approval while creating a
vulnerability operation.
{
"connector_id": "fe11975a-08b8-4184-b497-391f136aa746",
"name": "TSO CONF",
"description": "TSAC AO configuration",
"admin_role": "",
"host": "tso.bmc.com",
"port": 38080,
"protocol": "https",
"type": "TSO",
"properties": {
"username": "aoadmin",
"password": "RKy3Q6NHz05RFC7CCzzKRQ==",
"grid": "MyGrid",
"change_approval_required": "false"
},
"worker_id": "tso-connector"
}
Responses
Code Description
200 OK
401 Unauthorized
Configuring connector for BMC Helix Automation Console
In a BMC Helix Automation Console environment, you must first configure the connector, then download the connector
file, and run it in your environment.
1. Create an authorized session with administrator credentials by using the POST /api/v1/sessions API call.
See Using REST API.
<connector-ip> tso.connector.bmc.com
Note
If you choose to use DNS, you must register the connector server in the DNS as tso.connector.bmc.c
om. No other name is currently supported.
6. On the server where the connector file is extracted, go to the connector location, and run the following command
to install and start the connector:
• Windows: run.bat
• Linux: run.sh
TrueSight Orchestration connector starts running successfully.
Where to go next?
After successfully configuring the connector, you can now complete the tasks required to enable change automation. See E
nabling change automation.
Overview
BMC Discovery connector establishes connection with BMC Discovery (on-premises only) to find all the assets in a
network. BMC discovery obtains information about the assets even if they are not enrolled in the endpoint manager,
TrueSight Server Automation. As an administrator, when you integrate BMC Helix Automation Console and TrueSight
Automation Console with BMC Discovery, you can identify which assets in your environment are not included in
vulnerability scans. These are blind spots, and they represent potential security risks. The blind spot assets appear on the
Discovered Assets page. You must ensure that the discovered assets are scanned for missing patches and vulnerabilities.
In BMC Helix Automation Console (SaaS) and TrueSight Automation Console (on-premises) version 20.02, you can
configure the connector and create a service account for BMC Discovery by using REST APIs only.
Configuring connector for TrueSight Automation Console
For TrueSight Automation Console (on-premises), the connector is available as a container after the installation is
complete.
To use this REST API, you must first create an authorized session with administrator credentials. For more information,
see, Using REST API.
POST /api/v1/connectors
Request body parameters
host Specifies the host name or IP address of the host where BMC Discovery server is installed. Yes
port Specifies the port where BMC Discovery server is installed. Yes
properties Contains the properties to connect to the BMC Discovery server Yes
username Specifies the username required to login to the BMC Discovery server. Yes
{
"connector_id": "8a5aafe3-fa9b-4d73-8c94-6ee477a28103",
"name": "Discovery-Connector",
"description": "connector for Discovery",
"admin_role": "admin",
"host": "<hostname>",
"port": 443,
"protocol": "https",
"type": "DISCOVERY",
"properties": {
"username": "discovery-user",
"password": "VSVu1gc+EpJ7SI5NI33o87OhklK+O2KhSGMPP+2xmXTIP926zdL7W5+XpA=="
},
"worker_id": "discovery-connector"
}
Responses
Code Description
200 OK
401 Unauthorized
1. Create an authorized session with administrator credentials by using the POST /api/v1/sessions API call.
See Using REST API.
<connector-ip> discovery.connector.bmc.com
Note
If you choose to use DNS, you must register the connector server in the DNS as discovery.connector
.bmc.com. No other name is currently supported.
6. On the server where the connector.zip is extracted, go to the connector location, and run the following command
to install and start the connector:
• Windows: run.bat
• Linux: run.sh
BMC Discovery connector starts running successfully.
POST /api/v1/config/service-accounts
Request body parameters
delay_in_refresh_cycles Specifies the time interval, in minutes, after which the data should be Yes
refreshed.
Default is 60 minutes.
user_name Specifies the user name to be used to connect with BMC Discovery. Yes
{
"connector_name": "<connector-name>",
"connector_type": "DISCOVERY",
"delay_in_refresh_cycles": 6,
"profiles": [
{
"credential_type": "DATA_REFRESH",
"user_name": "discovery-user",
"password": "<password>"
}
]
}
Responses
Code Description
200 OK
401 Unauthorized
• Logging in
• Using Dashboards
• Patch policies
• Scans
• Assets
• Risks
• Operations
Logging in
This topic provides instructions on logging in to the BMC Helix Automation Console and TrueSight Automation Console.
Accessing the Automation Console
1. From a supported browser, enter the following URL to access the console:
You will define the <customerprefix> when registering your service in the BMC SaaS registration portal. This prefix
must be unique and may not contain any special characters.
Overview of the Automation Console user interface
The Automation Console offers role-based access to the application. An administrator has access to all the pages on the
UI. An operator can access all the pages except the Administration page.
The Dashboard page contains a Patch Dashboard, which provides graphical information about missing patches on assets
in your environment. Widgets on the dashboard show specific metrics around patch compliance, remediation trends,
missing patches by age, impacted targets by severity, and Service Level Agreements. The Vulnerability Dashboard
provides information about identified vulnerabilities on the assets imported from a scan file. Widgets on the dashboard
show mapped and actionable vulnerabilities, assets by severity and SLA, vulnerabilities by stage, remediation trends, and
top 10 identified vulnerabilities.
The Assets page shows a list of assets with the missing patches. It also shows assets that are imported from a vulnerability
scan, and assets discovered by integrating with BMC Discovery.
The Risks page shows the list of missing patches and impacted assets for each missing patch. It also shows the
vulnerabilities imported from a scan.
The Operations page shows a list of operations, which perform remediation actions to install missing patches or
vulnerabilities on assets.
The Manage page shows a list of patch policies, which scan the assets in your environment to identify missing patches. It
also shows the list of scan files imported in the product.
Administrators use the Administration menu to perform configuration activities such as adding catalogs, defining Service
Level Agreements (SLAs), and adding security groups to determine access to the Automation Console.
Common Automation Console UI elements
Use this section to know more about the common user interface elements.
• Click the help icon to launch the context-sensitive help topic.
• Click Security Group > About to view the product version and the connector name.
Using Dashboards
This section provides information about the Patch Dashboard and the Vulnerability Dashboard, and instructions to view
details for each widget.
The Patch Dashboard offers a consolidated graphical view of the assets and missing patches in your environment, and
allows you to view the patch compliance health. The Vulnerability Dashboard shows the vulnerabilities identified on
assets, and the vulnerability remediation status.
To view metrics based on any of the following options, select a filter, and click Apply:
• Operating System
• Severity
• Patch Policy: The metrics from the latest policy scan are displayed.
Tip
Click PDF to download the current dashboard metrics as a PDF file.
Patch Compliance
This widget shows the percentage of installed and missing patches on all assets in your environment.
To drill down for more information, click the bar graph on the widget.
In the following image, the number of installed and missing patches and the total number of assets scanned by the policy
are displayed for each policy.
To view the total number of missing patches on each asset according to the SLA level, do the following:
1. Click the bar graph on the widget.
For example, out of 100 assets, if 10 assets have patches with a Critical, High, and Medium severity, those 10 assets
appear in the Critical bracket. If 20 assets have missing patches with a High and Low severity, those assets appear in
the High bracket.
In this figure, 6 assets contain patches with a Critical severity and appear in the Critical bracket.
1. Click the bar graph to see additional information such as the assets and the missing patches according to severity.
1. Click the bar graph to view additional information such as the patch name, number of impacted assets, the exact
patch age, and the classification, and CVE IDs.
Remediation trend
This widget shows a cumulative patch remediation trend for the last six weeks, which includes the number of missing and
installed patches on the assets.
This graph also shows:
• Average Days Awaiting Attention: Average number of days since patches are identified as missing and not yet
remediated.
• Average Days Awaiting Execution: Average number of days in which a remediation operation is scheduled for the
missing patches but not executed yet.
• Average Days to Close: Average number of days it takes from identifying a patch as missing to successfully
remediating it.
To view more information, do the following:
Click the Impacted Assets link to see the asset names for each missing patch.
To view metrics based on any of the following options, select a filter, and click Apply:
• Operating System
• Severity
• Scan File: Lists the scan files imported in BMC Helix Automation Console and TrueSight Automation Console.
Tip
Click PDF to download the current dashboard metrics as a PDF file.
Vulnerabilities
This widget shows the total number of vulnerabilities imported from a scan file in the Automation Console and their
distribution. Vulnerabilities mapped to remediation content are displayed in the Mapped Vulnerabilities graph.
Vulnerabilities mapped to remediation content and assets are displayed in the Actionable Vulnerabilities graph.
To drill down for more information about the mapped vulnerabilities, click the bar graph. In the following image, the
vulnerability names, CVE IDs, severity, and the number of impacted assets for mapped and unmapped vulnerabilities are
displayed.
To drill down for more information about the actionable vulnerabilities, click the bar graph. In the following image, the
vulnerability names, CVE IDs, severity, and the number of impacted assets for actionable and non-
actionable vulnerabilities are displayed.
To view vulnerabilities as per the service level agreements, use the Vulnerabilities toggle button. Using this data, you can
plan remediation steps based on your organizational standards.
To view the number of vulnerabilities for assets based on their SLA, click the bar graph, and then click any SLA level.
In the following image, 10 assets are in the Within SLA bracket.
Note
Assets and vulnerabilities with different severity levels are counted as belonging to the highest level.
For example, out of 100 assets, if 10 assets have vulnerabilities with a Critical, High, and Medium severity, those
10 assets appear in the Critical bracket. If 20 assets have vulnerabilities with a High and Low severity, those
assets appear in the High bracket.
To view more information about assets or vulnerabilities based on their severity, click the bar graph and then click each
severity level.
For vulnerabilities, use the toggle button, and then click the bar graph to view more information about the severity level.
In the following image, 5 assets are in the Critical state.
To view more information, click the bar graph. Vulnerability name, CVE IDs, severity, and the number of impacted assets
are displayed.
Remediation trend
This widget shows a cumulative vulnerability remediation trend for the last six weeks, which includes the total number of
vulnerabilities against the vulnerabilities remediated on the assets.
• Average Days Awaiting Attention: Average number of days since vulnerabilities are identified and not yet
remediated.
• Average Days Awaiting Approval: Average number of days in which a remediation operation is created with a
change integration, and the change request is not yet approved.
• Average Days Awaiting Execution: Average number of days in which a remediation operation is scheduled but not
yet executed.
• Average Days to Close: Average number of days it takes from identifying a vulnerability to successfully remediating
it.
To view more information, click the bar graph. The total number of vulnerabilities identified and remediated is displayed.
You can also view these details:
• Vulnerability name
• Impacted assets
• Scan Age: Number of days since the vulnerability is identified in the scan file by a vulnerability management tool.
• Severity
• CVE IDs
Click the Impacted Assets link to see the assets and their operating system for each vulnerability.
BMC Discovery sends data about business services at risk to Automation Console.
Patch policies
Patch policies identify missing patches on assets.
Typically, a patch administrator analyzes assets to identify the missing patches and determine the patches to be acquired
to comply with the organizational standards. Using BMC Helix Automation Console and TrueSight Automation Console,
you create a policy that scans all assets. When you create a policy, a Patching Job gets created in TrueSight Server
Automation. During a policy scan, Automation Console analyzes patches installed or missing on the assets based on the
catalog selected in the policy.
Automation Console enables you to create a policy using multiple options:
• Patch Policy Filters:
• Patch Classifications (applicable for Windows only): Enables you to filter the scan based on the patch
classifications such as for security patches, non-security patches, and security tools. You can also choose to
skip scanning the assets for service packs.
To understand the concept of patch policies, see Patch policies.
1. Enter a unique name for the policy.
2. Click Browse to select a catalog.
Catalogs are created in TrueSight Server Automation.
3. Click and choose one of the policy filters:
• Patch Classifications (only for Windows). Select this filter to scan assets based on classifications such as
Security Patches, Security Tools, and Non-Security Patches.
To skip service packs while scanning assets, select Exclude Service Packs.
• Include Patch Groups. Select this filter to scan assets based on the patch groups that exist in Server
Automation.
To exclude a specific set of patches, select one or more patch groups and save your options.
4. To specify targets, do one of the following:
• Select all assets enrolled in the endpoint manager.
• Select Asset Groups (server smart groups in Server Automation) and then select one or more groups.
5. In the Patch Schedule section, specify a schedule for the policy:
• Daily: Click the clock icon in the Time field, and specify the time.
• Weekly:
i. From the Recur Every list, select the number of weeks after which the policy should run again.
ii. Click the clock icon in the Time field, and specify the time.
iii. Specify the days of the week when the schedule should run.
• Monthly: Click the clock icon in the Time field, specify the time, and then specify one of these options:
• Specify the frequency (first, second, third, or fourth) and the day of the week for the schedule.
• Specify the day in every month when the schedule should run.
• Select the last day of every month.
The schedule summary is displayed.
After you save the patch policy, it is enabled and appears on the Manage Policies page. When you create a policy, in
Server Automation, the policy is saved at the Jobs/<username>_<user_role>/<Policy_Name> location.
On the Manage > Patch Policies page, do the following:
After a policy runs on the selected assets according to the schedule, the results are displayed on the Manage Patch
Policies page.
You can see the policies available in the product and additional information such as name, scope of the policy scan
according to the assets, the date and time of the last run, and the status.
You can see each installed and missing patch identified on the selected asset.
Warning
When you edit, disable, or remove a policy, all missing patches displayed after the last scan are removed from
the Automation Console.
On the Manage > Patch Policies page, do these steps:
When you remove a policy from the Automation Console it continues to exists in TrueSight Server Automation.
On the Manage > Patch Policies page, do the following:
1. Select a policy and click Actions >Remove.
2. Click Continue.
Scans
Scans enable you to discover potential issues on the assets in your environment. You can use various vulnerability
management systems such as Qualys, Nessus, and Rapid7 to scan the assets. After scanning, you can export scan results
from these systems and then import them into BMC Helix Automation Console and TrueSight Automation Console. An
exported scan file collects information about assets (such as servers) and the vulnerabilities associated with those assets.
When a vulnerability scan is imported into Automation Console, assets included in the scan are automatically mapped to
endpoints managed by the underlying endpoint manager, TrueSight Server Automation. The automatic asset mapping
process matches the Domain Name Server (DNS) and then the IP address of an asset in a vulnerability scan to an endpoint
managed in TrueSight Server Automation.
You can remediate these assets against the vulnerabilities using Automation Console.
This topic describes prerequisites for importing scans, validate the scans before importing them, and a few considerations
that you need to keep in mind before you import.
Nessus scan file requirements
• The scan file exported from Nessus can be based on different types of scans (such as OS or network scans) but at a
minimum, it must include the following details:
• Server name
• Server IP address
• Server operating system
• Associated plugin IDs (a plugin is a check for a vulnerability)
• The scan file must be in XML format, and the file must end with the .nessus extension.
Validating scans
BMC provides a utility that allows you to check the validity of scans that you want to import. The utility counts the number
of servers and vulnerabilities found, checks for any required fields that are missing, and determines whether you can
successfully import the scans. The utility is available as a ZIP file, bmcScanFileProfiler-V4.zip, which you can download
from BMC Communities (login required).
After downloading the ZIP file, do the following to check the validity of the scan file:
1. Set the JAVA_HOME environment variable to the location where Java is installed, as follows:
Search for java.exe. JAVA_HOME should point to the directory that contains the bin directory. For
example, JAVA_HOME=C:\Program Files\Java\jdk1.7.0_75.
2. Extract bmcScanFileProfiler-V4.zip to a temporary directory.
3. From the command line, navigate to the directory, where the ZIP file was extracted.
4. Run the following command to profile the scan file:
bmcScanFileProfiler.bat <pathToScanFile>
• A record is one asset with one vulnerability. For example, two assets with 10 vulnerabilities each equals 20 records.
To obtain scans from a vulnerability management system and validate them before importing, see Scans.
Importing a scan
On the Manage > Import page, click Import Scan, and do the following:
3. To apply filters while importing data from a scan file, do the following:
a. Select the operating systems. If importing data for SuSE devices, select both Linux and Others.
b. Choose one or more vulnerability severity options.
Severity levels
Qualys, Nessus, and Rapid7 use different scoring for severity levels. Qualys uses scores of 1-5.
Nessus uses scores of 0-4. Rapid7 uses scores of 1-10. To maintain consistency, BMC increases the
Nessus severity levels by one (so they become 1-5) and maps the ten Rapid7 severity levels to five
levels.
c. Specify the IP addresses in the Classless Inter-Domain Routing (CIDR) format.
Data is imported from the scan file only for the servers that belong to the specified IP address range.
Default value is 0.0.0.0/0, which imports data for all the servers from the scan file.
You can specify one of the following values:
• Single IP address. Example: 168.19.13.12/24
• Comma-separated multiple IP addresses. Example: 168.19.13.12/24,10.25.24.12/12
• A combination of the above formats. Example: 168.19.13.12/24, 168.19.13.12/32,10.25.24.12/12
4. Click Import.
After the import is complete, a message confirms that the scan was imported and informs how many assets were
If you import multiple scan files one after another, the Scanned Assets page and Import page show all the data that
you import, not just the results of the most recent import. When you import a scan, asset and vulnerability
information is added to any information that is already imported.
Importing the same scan file more than once
If you need to import the same scan file more than once, do the following:
• For Qualys and Rapid7, scan files are identified by a unique <SCAN> tag within the XML file. If you are using
those vulnerability management tools and you want to import the same scan more than once, you must
modify the value of the <SCAN> tag. BMC recommends that you change the name of each scan to avoid
confusion.
• For Nessus, you must edit the existing .nessus file and provide a new name value for the <Report> tag. For
example, in a tag such as <Report name="ProdAdmins_Linux" xmlns:cm="http://www.nessus.org/cm">,
the new name value could be, name="NewProdAdmins_Linux"
If the imported scans do not include a time zone, which time zone is considered?
If no time zone is specified, it is browser's time zone.
When you delete a scan file, depending on the file size, it may take a while before the process is complete.
On the Manage > Import page, click Action > Remove for the required file.
Assets
The Assets page in the application lists the managed, scanned, and discovered assets.
The Managed Assets tab shows a list of assets that are available in TrueSight Server Automation. When patch policies
identify missing patches on assets, the assets with missing patches and other details appear on the Managed Assets page.
Missing patches are identified only for assets with Windows or Linux operating systems.
The Scanned Assets tab shows a list of assets imported from a vulnerability scan file, their mapping to endpoints in an
endpoint manager, and the number of vulnerabilities identified for each asset.
Automation Console may not always correctly auto-map all the endpoints because the firewalls, load balancers, and
proxies can cause discrepancies in mapping. You can manually map each unmapped asset to a single endpoint only. If you
In BMC Helix Automation Console (SaaS) only, on the Scanned Assets page, you can add tags to the assets. To enter tag
information, you export the assets data to a CSV file or in Advanced Search, you can download a CSV template. Later, you
upload the updated CSV file back in Automation Console. In addition to the existing filters, tags provide another criterion
to select a particular asset or a group of assets while creating a vulnerability remediation operation.
The Discovered Assets tab shows the assets that are discovered by BMC Discovery. You configure the BMC Discovery
connector to ensure that unmanaged, unscanned, and total number of discovered assets are sent to Automation Console.
The total number of assets for each category appears at the top of the page. You can perform a basic or advanced search
using filters to look for specific data.
To learn more about assets, see Assets.
• The total number of impacted assets appears near the tab title.
• Host name, IP address, operating system, and number of unique missing patches for an asset.
• To search for an asset, enter a search term, and click Search.
You can search using the host name, IP address, or operating system.
To view the list of unique missing patches for any asset, do the following:
1. Click the link against any asset in the Missing Patches column.
The Risks > Missing Patches page shows the unique missing patches, patch age, severity, classification, and CVE IDs
for each missing patch for the particular asset.
2. Click Clear Filters to view all unique missing patches across all assets.
To view more information about the missing patches, see Working with risks.
• Total number of assets imported from a scan appears near the tab title.
• Host name, IP address, status, source, operating system, and vulnerabilities identified for each asset.
To view a list of vulnerabilities identified for an asset, do the following:
Adding tags to assets
In BMC Helix Automation Console (SaaS), you can add tags. In TrueSight Automation Console (on-premises), you must
upgrade to 20.02.01: Patch 1 for TrueSight Automation Console 20.02 to use tags.
On the Assets > Scanned Assets page, do the following:
1. Click Export to get the assets data into a CSV file.
OR
Go to Advanced Search option, select Upload tags metadata, and download the CSV template.
2. In the CSV file, add tag keys and values to be associated with the assets in the new Tags column, in a key:value
format.
OR
If using a template, provide data for assets, and add tag keys and values in the Tags column, in a key:value format.
For example, the CSV template is in the following format, in which you provide the asset data and tags:
Removing tags
To remove tags, delete the single or multiple key:value pair(s) in the exported CSV file, and then upload the same file back
in Automation Console.
You can remove tags in BMC Helix Automation Console (SaaS) and TrueSight Automation Console (on-premises) version
20.02.01 only.
• The key performance indicators (KPIs) show the following information:
• Total Discovered Assets: Total number of discovered assets by BMC Discovery.
• Unmanaged Assets: Total number of assets that are found by BMC Discovery, but are not mapped to
endpoints in TrueSight Server Automation.
• Unscanned Assets: Total number of assets, either discovered, or mapped in Server Automation, but not yet
scanned for vulnerabilities. For BMC Helix Automation Console, If an auto-mapped asset is unmapped from
the Scanned Assets page, it gets counted in the Unscanned Assets.
• To view all assets for a category, click the KPI link.
For example, if you click Total Discovered Assets, all assets discovered by BMC Discovery appear in the list.
• Host name, IP address, and the operating system for the assets.
• To search for an asset, enter a search term, and click Search.
You can search using the host name, IP address, or operating system of the asset.
• If you want to remove an asset, remove it first from TrueSight Server Automation and then from BMC Discovery.
This change gets reflected in Automation Console based on the Data Refresh Cycle configured on the
Administration > Service Account page.
Why do I not see any data on the Discovered Assets page after installing Automation Console?
To view discovered assets, you must ensure that the BMC Discovery connector is configured after the
installation. For more information, see Configuring the BMC Discovery connector.
1. Click Advanced Search and choose one or more of the following options:
• Unique Missing Patch
• Operating System
• Asset
2. Click Clear Filters to go back and view unfiltered data.
On the Assets > Scanned Assets page, do the following:
1. Click Advanced Search and choose one or more of the following options:
• Asset
• Operating System
2. Click Clear Filters to go back and view unfiltered data.
Risks
Risks refer to missing patches and vulnerabilities that are identified on assets.
Missing patches
When patch policies identify missing patches on assets, details about the missing patches are displayed on the Missing
Patches page under Risks. Missing patches are identified only for assets with Windows or Linux operating systems.
Vulnerabilities
You can import scan results for vulnerabilities that are scanned by the vulnerability management systems such as Nessus,
Qualys, and Rapid7. When you import the results in BMC Helix Automation Console (SaaS) or TrueSight Automation
Console (on-premises), vulnerabilities get mapped to the remediation content automatically, or you may need to map
them manually. Imported vulnerabilities are displayed on the Vulnerabilities page under Risks.
Operations to remediate vulnerabilities can only be created if vulnerabilities are mapped to appropriate remediation
content.
Auto-mapping process
When you import a scan file, vulnerabilities get automatically mapped to remediation content (patches only) if both of
these conditions are fulfilled:
• Assets in the scan file are either automatically or manually mapped to endpoints in the endpoint
manager, TrueSight Server Automation.
• Patch catalogs that contain remediation for Common Vulnerability and Exposure (CVE) numbers associated with
the vulnerabilities are already imported in Automation Console.
If you import a patch catalog after importing the scan file, vulnerabilities are not automatically mapped.
On the Risks > Vulnerabilities page, the vulnerability status shows the remediation content mapping status. Consult the
following table to understand the scenarios for each status.
Partially Mapped (Action One CVE ID is mapped to more than one Yes.
Required) remediation content.
Remove the current mapping and
manually map the vulnerability to the
appropriate remediation content. After
mapping the status changes to Mapped.
When mapping manually, the remediation content can be of the following types:
• BLPackages
• Network Shell (NSH) scripts
• Patches
• Installshield packages
• Microsoft Installer (MSI) packages
• Operating system service packs
• Red Hat packages
• Custom software
To know about the missing patches, and the automatic and manual mapping processes, see Risks.
• Missing Patches contains the following information for each unique missing patch:
• Patch name
• Impacted Assets. Click the link to view a list of impacted assets for the particular patch.
• Patch Age, in days
• Severity
• Classification
• CVE IDs: CVE Identification numbers specified in the patch catalog.
Patch Age, Severity, and CVE IDs are provided by the patch vendor.
• You can either search by patch name, classification, and CVE ID (basic search) or by severity, asset, operating
system, CVE IDs, classification, and patch age (advanced search).
• To view the list of impacted assets for a unique missing patch, do the following:
a. Click the link in the Impacted Assets column.
The Managed Assets page shows the host name, IP address, operating system, and the total number of
unique missing patches for each asset.
b. Click Clear Filters to view all assets and unique missing patches in your environment.
If you filter data using advanced search options and then export, filtered data appears in the CSV file.
• The Vulnerabilities page contains the following information for each unique vulnerability:
• CVE IDs
• Severity level
• Status (Mapped, Automapped, or Unmapped)
• Source: Expand the vulnerability to view the vulnerability management system that identified the
vulnerability
• Remediation and remediation type for the vulnerability: To view complete remediation details, click the
link.
• Impacted Assets: To view the list of impacted assets by that vulnerability, click the link.
• You can either search by vulnerability name and CVE ID (basic search) or by severity, asset, operating system, CVE
IDs, scan file, and status (advanced search). You can filter by Status in BMC Helix Automation Console (SaaS)
and TrueSight Automation Console (on-premises) version 20.02.01 only.
Click Clear Filters to view unfiltered data.
• To view the list of impacted assets by a vulnerability, do the following:
a. Click the link in the Impacted Assets column.
The Scanned Assets page shows the host name, IP address, mapping status, source, and operating system
that are impacted by the vulnerability.
b. Click Clear Filters to view all assets and the number of vulnerabilities impacting those assets.
The following panel shows the details of the Microsoft SChannel Remote Code Execution vulnerability.
Exporting vulnerabilities
On the Risks > Vulnerabilities page, click Export and enter a name to save the results in a CSV file.
If you filter data using the advanced search options and then export, filtered data appears in the CSV file.
1. (Optional) Use the search feature to limit the number of vulnerabilities. For example, you might want to search by
severity level so you can map vulnerabilities with the highest severity first.
2. Click Automap New on the top of the page.
Vulnerabilities that are auto-mapped are marked with a icon in the Status column.
1. (Optional) Use the search feature to limit the number of vulnerabilities. For example, you might want to search by
severity level so you can map vulnerabilities with the highest severity first.
2. From Actions, select Map for the vulnerability.
The Vulnerability Mapping page shows the existing mappings, if any.
3. Click + Map Remediation Content.
The Map Content section displays the remediation content.
4. Search for the remediation content that you want to map to the selected vulnerabilities:
a. Choose the remediation content type, NSH Script or Package.
b. Enter a text string in the Search text box.
Your text is matched against the names of any remediation content.
5. Select the remediation package that should be deployed to the targets.
6. If you need to map multiple remediation packages to the same vulnerability, define the target scope that
determines the types of targets where the package should be deployed.
Typically, target scope specifies different packages for different operating systems and architectures.
• Use the default option, All, if you want to map remediation packages to all the targets.
• Click Specify Target Scope if you want to map remediation packages to specific targets.
A set of options appears that establish the scope for deploying the package.
i. In the row defining the scope, for the first field, select any of the following:
• OS–For example, Windows.
• OS Platform–For example, x86_64.
• OS Version–For example, 2008 R2.
• OS Patch Level–For example, SP1, SP2.
• OS Release–For example, 6.1
• OS Vendor–For example, Microsoft.
ii. In the last field of the first row, enter a text string as the search criteria. Evaluation is based on
whether a field contains the string you entered. For example, if you are specifying the Windows
operating system, enter a string such as win. When evaluating targets, if the OS name contains the
string win, the package is deployed there.
iii. In the next row defining the scope, select whether the target must satisfy all or any of the values
you provided in the first row.
iv. To add another rule defining the scope, click Add Criteria. A new row appears. Use its fields to
define an additional rule.
7. To define another set of target scope and rules for another remediation package, click + Map Remediation
Content.
8. Click Save. The selected remediation content items are mapped to the selected vulnerabilities. The Vulnerabilities
page shows the mapped remediation content against the vulnerability when you expand it.
If the mapping is unsuccessful, a message indicating the same is displayed on the GUI.
To unmap a vulnerability, from Actions, select Remove Mapping for the vulnerability.
Operations
Operations perform corrective actions on assets in your environment to remediate missing patches and vulnerabilities.
Patch operation
When you create a patch policy in BMC Helix Automation Console and TrueSight Automation Console, a Patch Analysis Job
is created in TrueSight Server Automation. This job scans the servers in your environment and finds missing patches, which
are reported on the Risks > Missing Patches page. You can then create a patch remediation operation in the Automation
Console that creates a Patch Analysis Remediation Job in Server Automation. This job installs missing patches on the
selected assets.
Vulnerability operation
When you import a vulnerability scan file in the Automation Console, assets and vulnerabilities appears on the Assets >
Scanned Assets and Risks> Vulnerabilities page respectively. To remediate vulnerabilities, assets must be mapped to an
endpoint in the endpoint manager, and vulnerabilities must be mapped to remediation content. When you import a scan
file, assets and vulnerabilities are usually automatically mapped depending on the catalogs imported in Automation
Console. If they are not automatically mapped, you must manually map assets, and vulnerabilities.
You can then create a vulnerability remediation operation, which performs the action as per the remediation content
mapped for the vulnerabilities. When you create an operation, depending on the remediation content mapped to the
vulnerabilities, a Patch, NSH, or a Deploy type of jobs are created in Server Automation.
When you create a vulnerability operation, all vulnerabilities that are mapped to a common remediation content
impacting the same asset are resolved. After the operation is successful, these vulnerabilities are closed and no longer
appear in the Risks > Vulnerabilities list. If vulnerabilities mapped to the same remediation content are a part of a
different operation, scheduled at a later period, those vulnerabilities are also remediated and closed.
For a vulnerability, when you create another remediation content under a different security group, then the latest
remediation content overwrites the existing content.
When you create an operation, a pre-analysis, deploy, and post-analysis job is executed in Server Automation.
Note
You can create an operation using all the available options. However, to configure notification options, you must
configure a mail server in Server Automation. See Configuring a mail server in TrueSight Server Automation .
In BMC Helix Automation Console (SaaS), you can create a change request for a patch remediation operation too. This
capability is not available in TrueSight Automation Console (on-premises).
After the change request is approved, the operation runs as per the defined schedule. After the operation is successful,
the change request is updated and closed. You can view the status of the change request on the Operations page.
Based on your organization's needs, administrator can make change request creation mandatory, or optional. If it is
mandatory, you must select the change request values to create a change for this operation. If optional, you can skip
change creation and create an operation without a change tracking process.
For more information, see Change automation.
To understand the concept of operations, see Operations.
1. Enter a unique operation name, and an optional description, and then click Next.
Is the Create Change Ticket option is mandatory? How can I disable the change request
creation?
You can enable or disable change ticket creation depending on how administrators have
configured the TrueSight Orchestration connector configuration. If the connector is configured
with Change Approval as required, you cannot disable the option or skip this step.
If already selected, continue to select values in other fields for creating a change request.
b. Change Template Name: Templates available in TrueSight Orchestration appear.
c. Urgency
d. Impact
e. Reason for Change
f. ChangeClass
5. To specify a schedule for the operation, select one of the following options:
a. I will do it later: Change approval is not applicable.
b. Set a schedule:
i. Click the calendar icon in the Date and Time field, and specify the date and time.
ii. Select the hours or minutes in the Staging field to specify a staging window.
A staging window determines the time before which the patches and payload data must be
downloaded on the assets before running the remediation operation. Maximum limit is 999 hours.
c. Execute now
6. To configure notifications, select any of the following options:
• Send email to: Specify a comma-separated list of email addresses, and then select one or more of the
following options:
• Select the status to send an email based on the operation status.
• Select Attach patch analysis results to the email, and then specify the email attachment size limit.
• Specify whether to send a list of assets where the operation failed.
• Send SNMP trap to: Specify a hostname or IP address of the server to notify the operation results and then
select one or more status options when a notification should be sent.
1. Enter a unique operation name, and an optional description, and then click Next.
2. Select Vulnerability Selections and do these steps:
• Enter a violation name, asset hostname or IP address, or a CVE ID, and click Search.
Assets with vulnerabilities that are mapped to remediation content are displayed.
3. To configure additional remediation options based on the remediation content, do these steps:
• If there are no configuration options, click Next.
• For a Patch type of operation, select one of the following options:
• Honor Patch Reboot Settings: Adheres to the reboot settings defined for the patch in the patch
catalog
• Do Not Reboot: Does not reboot automatically after installing the required patches
• Reboot at the End: Reboots all assets after the operation is complete
4. To specify a schedule for the operation, select one of the following options:
• I will do it later: Change approval is not applicable.
Is the Create Change Ticket option is mandatory? How can I disable the change request
creation?
You can enable or disable change ticket creation depending on how administrators have
configured the TrueSight Orchestration connector configuration. If the connector is configured
with Change Approval as required, you cannot disable the option or skip this step.
If already selected, continue to select values in other fields for creating a change request.
b. Change Template Name: Templates available in TrueSight Orchestration appear.
c. Urgency
d. Impact
e. Reason for Change
f. ChangeClass
6. To configure notifications, select any of the following options:
• Send email to: Specify a comma-separated list of email addresses, and then select one or more of the
following options:
• Select the status to send an email based on the operation status.
• Select Attach patch analysis results to the email, and then specify the email attachment size limit.
• Specify whether to send a list of assets where the operation failed.
• Send SNMP trap to: Specify a hostname or IP address of the server to notify the operation results and then
select one or more status options when a notification should be sent.
7. View the summary of options selected for the operation and save changes.
A draft operation is created, which creates sub-operations based on the remediation type. Depending on the
remediation type such as NSH script, patch, or a deploy type, separate jobs are created in TrueSight Server
Automation. For example, if the vulnerabilities require only an NSH script, and a deploy job, two separate jobs are
created in TrueSight Server Automation and two operations are displayed on the Operations page.
If change approval is configured, after a change request is created, the change request ID appears on the
Operations page for all type of operations. Click the ID to view the status and other details.
3. To view the list of patches installed for each asset, click the asset name (for a patch operation only).
The patch name and the status is displayed. You can view the patch severity for each patch.
4. To view detailed logs for an operation, click logs.
Detailed log messages with a timeline are displayed for each asset.
Removing an operation
An operation can only be run once. You may want to remove operations periodically to ensure that your application does
not contain irrelevant data.
When you delete a vulnerability remediation draft operation, its sub-operations are also removed. This is available in BMC
Helix Automation Console (SaaS) and TrueSight Automation Console (on-premises) version 20.02.01 only.
For a patch remediation operation, no draft operations get created.
• Service Account
• Security groups
• Service Level Agreements
• Catalogs
• Change automation
Service Account
A service account is used to enable the Data Refresh capability in TrueSight Server Automation. In TrueSight Server
Automation, the Data Refresh capability monitors jobs that affect the status of the missing patches and managed assets
and regularly updates the job data in BMC Helix Automation Console and TrueSight Automation Console.
This service account is also used for change automation while obtaining approvals from BMC Remedy IT Service
Management.
The user that you specify in the service account must be assigned to roles with permissions to read information from
the Server Automation application server. The service account user is specified during installation. If the user does not
exist in the endpoint manager or invalid credentials are specified, you are asked to add the account when you log in to
the Automation Console user interface for the first time.
In this release, a single service account is used for a single instance of Automation Console.
To understand the concept of a service account, see Service Account.
1. Enter a time interval (in minutes) after which you want the data to be refreshed.
By default, the time interval is 60 minutes. Minimum acceptable is 5 minutes and maximum is 10080 minutes.
1. In the Actions column, click Edit.
2. Update the data refresh interval or connecting profile details, and click Update.
Click the link under Host Name to view the service connector host, and the user profile specified for the account.
Security groups
Security groups contain users that inherit a set of permissions based on a role defined in the endpoint manager. In this
release, the BMC Helix Automation Console and TrueSight Automation Console is supported as an endpoint manager.
Security groups in Automation Console must map exactly to the TrueSight Server Automation roles. When you add a
security group in Automation Console, all users assigned to that role in Server Automation can log on to the Automation
Console.
Users belonging to roles with administrative permissions can access all Automation Console tabs. All other users can
access all pages except the Administration page. For example, users belonging to the BLAdmins role in Server
Automation can access and perform all tasks in Automation Console.
To understand the concept of security groups, see Security groups.
While configuring SLAs, you specify a deadline (period in days before which the
missing patches or vulnerabilities must be remediated) and a warning threshold
(period in days after which the missing patches or vulnerabilities run into the risk
of missing the deadline). SLAs for all severity levels are preconfigured with default
values.
By default, warning thresholds are set to 80% of the deadline period. For
example, for a severity level of 5 - Critical, if the Deadline is set as 30 days,
the Warning Threshold is at 24 days.
On the Automation Console Dashboard, the total number of assets in your
environment and the number of assets according to their Service Level Agreement
(SLA) levels appears. For more information, see Using Dashboards.
The following figure shows the out-of-the-box SLAs defined in the product.
The following table describes the mapping between the vendor severity levels and the patch severity levels in BMC Helix
Automation Console and TrueSight Automation Console.
1 - Information - -
Click Reset Defaults to restore the default values.
Catalogs
Vendors release patches and metadata for their applications periodically. These patches are stored in a repository using
which an administrator creates patch catalogs in TrueSight Server Automation. A patch catalog contains a list of patches
As an administrator, you add catalogs in the Automation Console and set up a schedule to update the patch catalog with
the latest patches pushed by the vendor. The schedule set in the Automation Console overwrites the patch catalog
schedule configured in TrueSight Server Automation. You must add catalogs after adding security groups in Server
Automation. Security groups added after importing catalogs may not be able to access the catalog. If you add a security
group after adding a catalog, update the catalog. Users in the new security group can now access the catalog.
To know more about patch catalogs, see Setting up the patch catalogs in TrueSight Server Automation documentation.
To understand the concept of patch catalogs, see Catalogs.
Adding catalogs
On the Administration > Manage Catalogs page, click Add and do the following:
1. Click Browse to select a catalog.
The list shows all catalogs available in Server Automation.
2. In the Catalog Schedule section, specify a schedule for the catalog.
• Daily: Click the clock icon in the Time field, and specify the time.
• Weekly:
i. From the Recur Every list, select the number of weeks after which the catalog should be updated.
ii. Click the clock icon in the Time field, and specify the time.
iii. Specify the days of the week when the schedule should run.
• Monthly: Click the clock icon in the Time field, specify the time, and then specify one of these options:
• Select a frequency (first, second, third, or fourth) and the day of the week.
• Specify the day in every month when the schedule should run.
• Select the last day of every month.
The schedule summary is displayed. Any schedule set in Automation Console overwrites the schedule set
in TrueSight Server Automation.
After you save the catalog, it is enabled, and appears on the Manage Catalogs page.
Editing catalogs
You can only edit the schedule of a catalog.
On the Administration > Manage Catalogs page, do the following:
1. Select the catalog, and click Actions > Edit.
2. In the Catalog Schedule section, update the schedule.
The catalog is updated with the new schedule. Any schedule set in Automation Console overwrites the schedule
set in TrueSight Server Automation.
On the Administration > Manage Catalogs page, do any of the following:
• Select a catalog and click Action > Disable.
Disabled catalogs remain in the Automation Console, but are not updated according to the schedule.
• Select a catalog and click Action > Enable.
• Select a catalog and click Action > Remove.
A catalog is removed only from the Automation Console. It continues to exist in TrueSight Server Automation
Change automation
This section provides an overview and process flow to enable creating and approving change requests in BMC Remedy IT
Service Management for remediation operations.
Overview
In this release, BMC Helix Automation Console (SaaS) and TrueSight Automation Console (on-premises) support creating
and approving change requests in a change management system, called BMC Remedy IT Service Management.
When operational changes such as installing patches are implemented, administrators need to keep a track of these
changes in a change management system. Organizations may use an approval process, where a change is not
implemented unless it is approved. To automate the process of creating a change request, approving it, and then ensuring
that the change is implemented, change automation is enabled.
This is done by integrating with TrueSight Orchestration – ITSM Automation runbook.
When you create an operation in Automation Console, you can create a change request, with approval settings as
configured in BMC Remedy IT Service Management. The change request ID appears against the operation on the
Operations page. After a change is approved, based on the schedule, the operation runs and remediates the
vulnerabilities.
Change automation ensures continuous compliance to the change process without introducing labor intensive activities.
The integration reduces the risk of unauthorized and unplanned changes through enforced change tracking.
Consult the following table to understand the correlation between the change request status and the operation status and
the impact on the vulnerabilities and assets state.
Success (After the operation completes Closed (After the operation completes
successfully) successfully)
To understand the concept of change automation, see Change automation.
2. Configure the ITSM Automation runbook as described in Configuring the ITSM Automation runbook. .
3. Ensure that a connection is established between Automation Console and TrueSight Orchestration.
For more information, see Configuring the TrueSight Orchestration connector.
4. Ensure that permissions are appropriately configured in TrueSight Server Automation.
See User roles and permissions.
BMC Helix Automation Console (SaaS) or TrueSight Automation Console (on-premises) provides REST API endpoints to
perform all tasks currently supported by the application. These REST API endpoints are documented in the Swagger UI.
The API follows the REST architectural style and uses resources, HTTP verbs, and status codes. JavaScript Object Notation
(JSON) is used to represent data structures in request and response bodies. All endpoints (except the Login API) use the
OAuth 2.0 protocol for authentication.
On the Swagger UI, you can see the APIs supported by the Automation Console.
2. To try the APIs, first obtain an authorization token for the session:
Go to the login-service > post/api/v1/sessions API call, provide the following credentials, and click Execute:
a. Username to log in to the Automation Console
b. Password, encoded in the Base64 format
3. Copy the token returned by the API call.
Example response
{
"token": "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJCTEFkbWluQGRlZmF1bHR0ZW5hbnQudHNzYSIsIkF1dGhvcml0aWVzIjo
iUk9MRV9BRE1JTiIsImlhdCI6MTU0NTA0NDY0NSwiaXNzIjoid3d3LmJtYy5jb20iLCJleHAiOjE1NDUwNjI2NDV9.
NBWTXJpHeIDcEyIDIJ3iq6jbWgXIvxBqtvzB1z_s0vE"
}
Note
If you intend to use a REST API client, such as Postman, you must pass the authorization token in the
request header for any REST API call.
4. On the Login and Administration Service APIs page, click Authorize and provide the token in the authorizations
window.
You can now access, try out, and execute any API calls using the Swagger UI.
Sessions API
GET /api/v1/sessions Gets user and site details of the current session.
SLAs API
PUT /api/v1/config/slas Updates the deadline and warning threshold for SLA severity levels.
GET /api/v1/config/securitygroups Gets a list of security groups with details such as the group ID, role,
name, description, creation date, and default job path, default
depot path, and site details.
GET /api/v1/config/securitygroups/{id} Gets details of a security group as per the specified group ID.
PUT /api/v1/config/securitygroups/{id} Updates a specified security group by using the group ID.
GET /api/v1/config/service-accounts Gets the service account profile specified for this instance of
the Automation Console.
GET /api/v1/config/service-accounts/{type} Gets the service account profile based on the site type, such
as TrueSight Server Automation.
DELETE /api/v1/config/service-accounts/ Deletes service account profile by type (supported only for
DISCOVERY).
{type}
Connectors API
Dashboard API
POST /api/v1/violations/reports/sla/detail Generates details for the assets and missing patches based on
their SLA levels.
POST /api/v1/violations/reports/trends/weeks/ Generates details such as the missing and remediated patches
detail in the Remediation Trend graph.
POST/api/v1/violations/reports/states/average- Gets the average time for a state change in the current week.
days/weeks
POST /api/v1/violations/reports/rank/violations Generates data for the Top 10 Missing Patches widget.
POST /api/v1/violations/reports/rank/violations/ Generates asset details for the Top 10 Missing Patches widget.
detail
GET /api/v1/violations/{id} Gets details of the missing patches as per the patch ID.
POST /api/v1/violations/search Searches for missing patches based on the provided filters and
updates details for the Unique Missing Patches by Age widget
on the dashboard.
GET /api/v1/violations/metadata/cveid Gets all distinct CVE IDs identified against the missing patches.
Assets API
Vulnerabilities API
POST /api/v1/violations/auto-map Maps vulnerabilities with remediation content for all the given
CVE IDs.
Summary
/api/v1/violations/reports/targets/sources/
POST
Gets summary of sources.
summary
Catalog-controller API
Patch-controller API
PUT /api/v1/catalogs/patch Retrieves all the patches based on the patch ID's (part of the
input payload).
PUT /api/v1/catalogs/{catalogId}/patch/search Retrieves all patches from Truesight Automation Console based
on the filter properties.
Job-run API
GET /api/v1/policies/job/{jobRunId}/summary Retrieves summary for the specified job run ID.
GET /api/v1/policies/job/{jobRunId}/target Retrieves summary for the specified job run ID and target.
GET /api/v1/policies/job/{jobRunId}/target/ Retrieves summary for the specified job run ID and target
ID.
{targetId}
GET /api/v1/policies/policy/{policyId}/jobRuns Retrieves job runs for the specified policy ID.
GET /api/v1/policies/{policyId}/runs/{runId}/logs Retrieves event logs for a specified policy scan run.
PUT /api/v1/policies/{policy_id} Updates the policy that matches the specified ID.
DELETE /api/v1/policies/{policy_id} Deletes the policy that matches the specified ID.
TSSA API
Operations API
ITIL API
Note
This topic is applicable only for a TrueSight Automation Console (on-premises) deployment.
BMC Helix Automation Console (SaaS) is not available for on-premises installation. For details about subscribing
to this service, see BMC Helix subscriber information.
This topic provides information about the relationship between the product area on the user interface, and the services. It
also lists the log file names and locations.
If a problem occurs in a product area, the following table helps you to identify the services to troubleshoot:
UI area Services
Administration > Service Account Login Service, Data Refresh Manager, Data Refresh Worker
Manage > Import Policy Service, Resource Service, Patch Manager Core
The following table provides information about the TrueSight Automation Console log file names, location, and
description.
Catalog Service catalog_service. <InstallationDirectory>/ Contains logs for all catalog operations such
log application/app/ as adding and editing catalogs.
catalog-service/logs
Policy Service policy_service.l <InstallationDirectory>/ Contains logs for all policy operations such
og application/app/ as adding, editing, and running patch
policy_service/logs policies.
Access Service access.log <InstallationDirectory>/ Contains logs for systems from where the
application/app/ application is accessed.
tssp_nginx/logs/
Error Service error.log <InstallationDirectory>/ Contains logs for all errors encountered
application/app/ while using the application.
tssp_nginx/logs
Data Refresh drw.log <InstallationDirectory>/ Contains logs for all data refresh operations.
Worker application/app/
vulnerability-management-drw/
logs
Login Service login-service.log <InstallationDirectory>/ Contains logs for all login and session-
application/common/ related activities.
login/logs
TSSA connector tssa_connector.l <InstallationDirectory>/ Contains logs for all requests and responses
og application/common/ between Automation Console server and
tssa_connector/logs workmanager.
TSO connector tso_connector.l <InstallationDirectory>/ Contains logs for all requests and responses
og application/common/ between Automation Console and
tso_connector/logs TrueSight Orchestration.
Discovery discover_conne <InstallationDirectory>/ Contains logs for all requests and responses
connector ctor.log application/common/ between Automation Console and BMC
discovery_connector/logs Discovery
Works Manager dem.log <InstallationDirectory>/ Contains logs for all requests initiated from
application/common/ the Automation Console and the responses
work-manager/logs sent back with the worker ID and
transaction ID.
Truesight Stack truesight-sm.log <InstallationDirectory>/sm/log Contains logs for installation that includes
Manager application, database, and stack manager
logs.
• Change templates not displayed when configuring change approval for an operation
• Operation is configured to create a change request, however, change is not created in BMC Remedy IT Service
Management
• Change request is created in BMC Remedy ITSM, however, the request ID and status is not displayed on the
Operations page
Change templates not displayed when configuring change approval for an operation
When adding an operation for remediating vulnerabilities, if you are on the Change Approval Management page, the
templates are not displayed in the Change Template Names list.
To troubleshoot, administrators must verify the logs for the following services:
• Policy Service
• ITIL Service
• TrueSight Orchestration connector
If any of these messages appear in the ITIL Service log file, it indicates that the TrueSight Orchestration connector is not
configured or is configured incorrectly.
• ConfigMgmtService::Submitting get config request to workmanager
• ConfigMgmtService::Got response of Get ITSM config
• ConfigMgmtService:: Error message returned for Get ITSM config call
• {statusCode : 500, errorCode : 2220, message : "Error while getting ITSM configuration data."}
Resolution
To resolve this issue, administrators must configure the TrueSight Orchestration connector. For details, see Configuring the
TrueSight Orchestration connector.
Operation is configured to create a change request, however, change is not created in BMC Remedy IT
Service Management
If you have selected the Create Change Ticket option while creating an operation, and provided all the required details, a
change request must be created in BMC Remedy ITSM.
If a change request is not created, administrators must verify the logs for the following services:
• Policy Service
• ITIL Service
• TrueSight Orchestration connector
If any of these error messages appear in the ITIL Service log file, it indicates that there are problems in the internal
services communication:
Resolution
To resolve this issue, administrators must do these:
• Verify whether the connector is configured with correct TrueSight Orchestration credentials using the GET /api/v1/
connectors REST API.
See Using REST API.
• Verify whether change automation is enabled correctly.
See Enabling change automation.
• Verify whether the permissions are appropriately configured in Automation Console.
See User roles and permissions.
Change request is created in BMC Remedy ITSM, however, the request ID and status is not displayed on
the Operations page
While creating a vulnerability operation, change request is created and approved in BMC Remedy ITSM, but the status is
not updated in Automation Console.
If a change request status is not updated, administrators must verify the logs for the following services:
• Policy Service
• ITIL Service
• TrueSight Orchestration connector
• Data Refresh Worker
If any of these error messages appear in the ITIL Service log file, it indicates that the data refresh cycle is not run and the
status is not yet updated.
• Requested changeIds
• Error while reading ids
• ChangeMgmtService::Got response of GET_CHANGE_STATUS_CI
• ChangeMgmtService:: Error message returned while Get Change Ticket status
• {statusCode : 500, errorCode : 2400, message : "Error while getting change ticket status from ITSM."}
Resolution
To resolve this issue, administrators must do these:
1. On Automation Console, go to Administration > Service Account page and verify the duration specified for a data
refresh cycle.
By default, the time interval is 60 minutes.
2. If the change request status is not updated after the data refresh time interval has passed, verify the drw.log file to
see if the connection with ITIL service is established correctly.
Resolution
To resolve this issue, administrators must do this:
1. Verify whether the BMC Discovery Connector is configured.
2. Ensure that the service account required for BMC Discovery is created in Automation Console.
See Configuring the BMC Discovery connector.
No data in the Top 10 Business Services at Risk widget on the Vulnerability Dashboard
On the Vulnerability Dashboard, there is no data in the Top 10 Business Services at Risk widget.
Resolution
To resolve this issue, administrators must do this:
1. Verify whether the BMC Discovery Connector is configured.
2. Ensure that the service account required for BMC Discovery is created in Automation Console.
See Configuring the BMC Discovery connector.
• Catalog time is not updated in Automation Console even after the catalog is updated
• Managed Assets page has no asset data
• Policy run results do not appear in Automation Console
To troubleshoot, administrators must verify the logs for the following services:
• Work Manager
• Catalog Service
If this error message appears in the Catalog Service logs, it indicates that there is a failure in receiving notifications from
TrueSight Server Automation.
Updating BSA schedule, creating TSSA request..., Executing request with txID : TID_<ID>, W
orkManager response status : failed
Resolution
To resolve this issue, administrators must do this:
To troubleshoot, verify whether the Data Refresh Worker logs shows the next scheduled refresh.
Sample status
Update Status received from DataRefreshWorker-8080 for:tsac_BSA_DEFAULT Status:SUCCESS Next Scheduled:Wed Nov
06 11:58:31 GMT YYYY
If the next scheduled refresh does not show a future time, there may be a problem with the data refresh cycle.
Resolution
To resolve this issue, administrators must do this:
1. Run the command on the host where the Automation Console application is installed to verify whether
the TrueSight Server Automation connector is running.
If the status of the truesight-common-tssa-connector service is shown as running, perform the next step.
2. Verify whether the hosts file on the TrueSight Server Automation Application Server contains the connector name.
3. If the entry exists in the hosts file, verify whether the server where the connector is installed is up and running.
Related topic
Working with logs
If you do not have access to the web and you are in the United States or Canada, contact Customer Support at 800 537
1813. Outside the United States or Canada, select your country at Contact BMC to view local Support Contacts.
Support status
As stated in the current BMC Product Support Policy, BMC provides technical support for a product based on time rather
than number of releases. For subscription-based product support, see the BMC Software Subscription Services Support
policy.
Date: 2020-04-21 0:44
URL: https://docs.bmc.com/docs/x/i4c3Ng
BMC, BMC Software, and the BMC Software logo are the exclusive properties of BMC Software, Inc., are registered with
the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other BMC
trademarks, service marks, and logos may be registered or pending registration in the U.S. or in other countries. All other
trademarks or registered trademarks are the property of their respective owners.
BladeLogic and the BladeLogic logo are the exclusive properties of BladeLogic, Inc. The BladeLogic trademark is registered
with the U.S. Patent and Trademark Office, and may be registered or pending registration in other countries. All other
BladeLogic trademarks, service marks, and logos may be registered or pending registration in the U.S. or in other
countries. All other trademarks or registered trademarks are the property of their respective owners.
AIX and IBM are trademarks or registered trademarks of International Business Machines Corporation in the United
States, other countries, or both.
Oracle and Java are registered trademarks of Oracle and/or its affiliates. Other names may be trademarks of their
respective owners.
UNIX is the registered trademark of The Open Group in the US and other countries.
The information included in this documentation is the proprietary and confidential information of BMC Software, Inc., its
affiliates, or licensors. Your use of this information is subject to the terms and conditions of the applicable End User
License agreement for the product and to the proprietary and restricted rights notices included in the product
documentation.
Click here for the provisions described in the BMC License Agreement and Order related to third party products or
technologies included in the BMC product.