Month: June 2017

Following on from vRA 7 Enterprise Deployment Part 1, this blog continues the series with some further planning and preparation before starting with the initial vRA Appliances deployment.

Generating Certificates

A production, distributed vRealize Automation deployment utilises Certificate Authority (CA) signed security certificates as each component communicates exclusively over SSL. While it is possible to import self-signed certificates on necessary components, this is not recommended in a production environment.

In my home lab, I have installed a Microsoft Certificate Authority. I followed this blog article to setup my Microsoft CA:

How to setup Microsoft Active Directory Certificate Services [AD CS]

I then referenced the VMware KB article for creating a CA template to use for my vRA deployment:

Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.0 (2112009)

Creating and Publishing a Certificate Template

Referencing the KB article, I created the certificate template using the following steps.

Open the MMC console for Certificate Templates:

• Click File and select Add/Remove Snap-in
• Select Certificate Templates in Available Snap-Ins and click Add
• Click OK
• From the right pane, right-click Web Server template
• Click Duplicate Template

 

In the Properties of New Template dialog box:

• Click the General tab
• Type the name of the template in Template name text box

In the Properties of New Template dialog box:

• Click the Subject Name tab
• Select the Supply in the request radio button

In the Properties of New Template dialog box:

• Click the Security tab
• Assign Full Control privileges to the domain administrator
• Assign Full Control privileges to the computer issuing this certificate
• Click OK

Open the MMC console for Certification Authority for the domain:

• Right-click Certificate Templates
• Select New > Certificate Template to Issue

In the Enable Certificate Templates dialog box:

• Select the certificate created in the above steps
• Click OK

Now the certificate template is published and ready to use. The table below details the certificates which are required for an enterprise large deployment with HA using embedded vRO instances.

vRealize Automation Certificate Requirements for High Availability

Certificate Common Name	Application Role	Encoding Needed
vra-portal.testlab.com	vRealize Automation Appliances	PEM and unencrypted key
vra-web.testlab.com	IaaS Web Servers	PKCS12
vra-mgr.testlab.com	IaaS Manager Services	PKCS12

 

Generating SSL Certificates

Now we will create the PKCS12 formatted certificates for the vRA IaaS Windows components and the PEM encoded certificate for the vRA appliances. You will need a machine with OpenSSL installed to generate the Certificate Signing Requests and format conversions plus access to the Certificate Services server to generate the signed certificates. The process shown below uses a Microsoft Active Directory Certificate Services.

Prepare for certificate generation using the following procedure:

• Install OpenSSL on the machine where you will generate the certificates.
• Create a base folder (D:\Certs in this example) with separate sub-folders for each vRealize Automation component.
• Within the base folder, create three subfolders named as follows:
  • vrava
  • IaaSWeb
  • IaaSMgr

Log in to the Microsoft Certificate Authority web interface, for example:

• http://dctestlab001.testlab.com/certsrv
• Click Download a CA certificate, certificate chain, or CRL.

From the Download a CA Certificate, Certificate Chain, or CRL page:

• Click Base 64
• Click the Download CA certificate chain link
• Save the certificate chain as cachain.p7b in the D:\Certs folder
• Click the Download CA certificate link
• Save the CA certificate as RootCA.crt in the D:\Certs folder

Create a configuration file for the vRealize Automation appliances using the format shown below:

• Use the configuration details (shown in the sample code block below) and alter items highlighted in red.
• Save the configuration file to D:\Certs\vRAva\vra-portal.cfg

[ req ]

default_bits = 2048

default_keyfile = rui.key

distinguished_name = req_distinguished_name

encrypt_key = no

prompt = no

string_mask = nombstr

req_extensions = v3_req

 

[ v3_req ]

basicConstraints = CA:FALSE

keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation

extendedKeyUsage = serverAuth, clientAuth

subjectAltName = DNS: vra-portal, DNS: vra-portal.testlab.com, DNS: vratestlab01, DNS: vratestlab01.testlab.com, DNS: vratestlab02, DNS: vratestlab02.testlab.com

 

[ req_distinguished_name ]

countryName = UK

stateOrProvinceName = Kent

localityName = Staplehurst

0.organizationName = Testlab

organizationalUnitName = vRealizeAutomation

commonName = vra-portal.testlab.com

 

Run the following OpenSSL command to generate the certificate request and the private key for this certificate:

openssl req -new -nodes -out D:\Certs\vRAva\vra-portal.csr -keyout D:\Certs\vRAva\vra-portal.key -config D:\Certs\vRAva\vra-portal.cfg

NOTE: Remember to replace the path and file names as required.

Run the following OpenSSL command to convert the keys to the RSA format required by the vRA appliances:

openssl rsa -in D:\Certs\vRAva\vra-portal.key -out D:\Certs\vRAva\vra-portal.key

 

Go back to the home page of the Certificate Server.

Click Request a certificate.

Click advanced certificate request.

Click Submit a certificate Request by using a base- 64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

On the Submit a Certificate Request or Renewal Request page:

• Open the vra-portal.csr file, generated in the step above, in notepad or notepad++
• Copy and paste the contents into the Base-64-encoded certificate request text box
• Select the template created using the Certificate Template process, VRA
• Click Submit

Click the Base-64 encoded radio button on the certificate-issued screen. Click the Download Certificate link.

Save the certificate as vra-portal in the folder D:\Certs\vRAva\vra-portal.cer

Click the Download Certificate chain link.

Save the certificate chain as cachain.p7b file and navigate to D:\Certs\vRAva\cachain.p7b.

Go to D:\Certs\vRAva and double-click the cachain.p7b file.

Right-click the root certificate, select All Actions > Export, and click Next.

Select Base64-encoded X.509 (.CER) and click Next.

 

Save the export to your D:\Certs\Root64.cer

Click Next

Click Finish then OK

Run the following OpenSSL command to convert the certificates to PKCS12 format:

openssl pkcs12 -export -in D:\Certs\vRAva\vra-portal.cer -inkey D:\Certs\vRAva\vra-portal.key -certfile D:\Certs\Root64.cer -name vra-portal -passout pass:VMware1! -out D:\Certs\vRAva\vra-portal.pfx

 

Run the following OpenSSL command to convert the certificates to PEM format:

openssl pkcs12 -nokeys -in D:\Certs\vRAva\vra-portal.pfx -inkey D:\Certs\vRAva\vra-portal.key -out D:\Certs\vRAva\vra-portal.pem -nodes -passin pass:VMware1!

 

Once this has completed, you now have the CA signed SSL certificates for the vRA appliances.

Repeat the above steps to generate the certificate for the vRealize Automation IaaS Web servers, remembering you do not need to complete the last step converting the certificates to PEM format.

Create a configuration file for the vRealize Automation IaaS Web servers using the format shown below:

• Use the configuration details (shown in the sample code block below) and alter items highlighted in red.
• Save the configuration file to D:\Certs\IaaSWeb\vra-web.cfg

 

[ req ]

default_bits = 2048

default_keyfile = rui.key

distinguished_name = req_distinguished_name

encrypt_key = no

prompt = no

string_mask = nombstr

req_extensions = v3_req

 

[ v3_req ]

basicConstraints = CA:FALSE

keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation

extendedKeyUsage = serverAuth, clientAuth

subjectAltName = DNS: vratestlab03, DNS:vratestlab03.testlab.com, DNS: vratestlab04, DNS:vratestlab04.testlab.com, DNS: vra-web, DNS: vra-web.testlab.com

 

[ req_distinguished_name ]

countryName = UK

stateOrProvinceName = Kent

localityName = Staplehurst

0.organizationName = Testlab

organizationalUnitName = vRealizeAutomationIaaSWeb

commonName = vra-web.testlab.com

 

Repeat the above steps to generate the certificate for the vRealize Automation IaaS Manager servers, remembering you do not need to complete the last step converting the certificates to PEM format.

Create a configuration file for the vRealize Automation IaaS Web servers using the format shown below:

• Use the configuration details (shown in the sample code block below) and alter items highlighted in red.
• Save the configuration file to D:\Certs\IaaSMgr\vra-mgr.cfg

 

[ req ]

default_bits = 2048

default_keyfile = rui.key

distinguished_name = req_distinguished_name

encrypt_key = no

prompt = no

string_mask = nombstr

req_extensions = v3_req

 

[ v3_req ]

basicConstraints = CA:FALSE

keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation

extendedKeyUsage = serverAuth, clientAuth

subjectAltName = DNS: vratestlab05, DNS: vratestlab05.testlab.com, DNS: vratestlab06, DNS: vratestlab06.testlab.com, DNS: vra-mgr, DNS: vra-mgr.testlab.com

 

[ req_distinguished_name ]

countryName = UK

stateOrProvinceName = Kent

localityName = Staplehurst

0.organizationName = Testlab

organizationalUnitName = vRealizeAutomationIaaSMgr

commonName = vra-mgr.testlab.com

 

I will continue with the vRA 7 deployment in part 3 of this series, where we can now start deploying the vRA Appliances.

This post will be part of a series detailing the steps required to deploy a vRealize Automation 7 large deployment implementation from the reference architecture. I would recommend reading the reference architecture before commencing with any vRA 7 install.

The vRealize Automation Reference Architecture document can be found here:

vRealize Automation 7 Reference Architecture

vRealize Automation Overview

Just in case you are not aware of VMware’s Automation product, here’s a brief introduction – VMware vRealize Automation provides a secure portal where authorised administrators, developers, or business users can request new IT services. In addition, they can manage specific cloud and IT resources that enable IT organisations to deliver services that can be configured to their lines of business in a self- service catalog.

vRealize Automation provides a secure portal where authorised administrators, developers or business users can request new IT services and manage specific cloud and IT resources, while ensuring compliance with business policies. Requests for IT service, including infrastructure, applications, desktops, and many others, are processed through a common service catalog to provide a consistent user experience.

You can improve cost control by using vRealize Automation to monitor resource and capacity usage. For further cost control management, you can integrate vRealize Business Advanced or Enterprise Edition with your vRealize Automation instance to expose the cost of cloud and virtual machine resources, and help you better manage capacity, cost, and efficiency.

The vRealize Automation documentation can be found at the VMware vRealize Automation Information Center:

VMware vRealize Automation Information Center

New Features in vRealize Automation 7 since 6.2 release

vRealize Automation 7 includes several architectural changes that simplify configuration and deployment. The deployment wizard is a major improvement over the vRA 6.x release providing a more reliable and robust deployment method. The previous release was very sensitive, especially with the IaaS components.

Architectural Changes

• The appliance database is now clustered automatically within the appliance. There is no longer any need for an external database load balancer or DNS entry.
• The instance of vRealize Orchestrator is now clustered automatically within the vRA appliance.
• Authentication is now handled by an embedded instance of VMware Identity Manager, known as Directories Management, within vRealize Automation.
• vRealize Application Services functionality has been merged into vRealize Automation.

Deployment Changes

• vRealize Automation deployments require two less load balanced endpoints as there is no need to balance the appliance database and an external SSO provider.
• Four virtual machines can potentially be removed from the footprint for most deployments, though an external vRealize Orchestrator instance is still recommended for some situations.
• A new deployment wizard which offers two types of installs, simple and enterprise. Simple is for installing vRA in a monolithic (non-distributed) fashion, enterprise assumes a fully distributed install

Deployment Recommendations

• Keep the vRealize Automation, vRealize Business and vRealize Orchestrator appliances in the same time zone with their clocks synchronised. Otherwise, data synchronisation might be delayed.
• Install vRealize Automation, vRealize Business Standard Edition, and vRealize Orchestrator on the same management cluster. Provision machines to a cluster that is separate from the management cluster so that user workload and server workload can be isolated.
• Deploy Proxy Agents in the same data center as the Endpoint with which they communicate. VMware does not recommended placing DEM Workers in Remote Data Centers unless there is an express workflow skill based use case that requires it. All components except the Proxy Agents and DEM Workers must be deployed in the same Data Center or Data Centers within a Metro Area Network. Latency must be less than 5 milliseconds, and bandwidth must not be less than 1 GB/s between the Data Centers in the Metro Area Network.
• For more information including a support statement, see the VMware Knowledge Base article Installing VMware vRealize Automation on a distributed multi-site instance

Support

A large deployment can support the following items:

• 50,000 managed machines
• 2500 catalog items
• 100 concurrent machine provisions

Components

An installation consists of the following components:

• vRealize Automation appliance, which deploys the management console, manages Single Sign-On (SSO) capabilities for authorization and authentication, and includes an instance of vRealize Orchestrator.
• Infrastructure as a Service (IaaS) components, which are installed on a Windows machine (virtual or physical), and appear largely under the Infrastructure tab on the console.

• An MS SQL Server Database, which is deployed during the IaaS installation.

Requirements

A large enterprise HA deployment requires the following systems:

Virtual Appliances

• vRealize Automation Appliance x 2
• vRealize Orchestrator Appliance x 2 (or use the embedded vRO instances on the vRealize Automation Appliances)

Windows Server Virtual Machines

• Infrastructure Web Server x 2
• Infrastructure Manager Server x 2
• Infrastructure DEM Server x 2
• Infrastructure Agent Server x 2
• Cluster Microsoft SQL Database

Load Balancer

• vRealize Automation Appliance nodes
• Infrastructure Web Server nodes
• Infrastructure Manager Server nodes
• vRealize Orchestrator Appliance (optional if using external vRO Appliances)

The following illustration outlines the vRA architecture for an enterprise deployment

The following table outlines the hardware specifications for the vRA components using the large deployment model in the reference architecture:

Server Role	Components	Required Hardware Specifications	Recommended Hardware Specifications
vRealize Automation Appliance	vRealize Automation Services, vRealize Orchestrator, vRealize Automation Appliance Database	CPU: 4 vCPU RAM: 18 GB (this may need to be increased for Directories Management  sync) Disk: 108 GB Network: 1 GB/s	Same as required hardware specifications.
Infrastructure Web Server	Web site	CPU: 2 vCPU RAM: 2 GB Disk: 40 GB Network: 1 GB/s	CPU: 2 vCPU RAM: 4 GB Disk: 40 GB Network: 1 GB/s
Infrastructure Manager Server	Manager Service, DEM Orchestrator	CPU: 2 vCPU RAM: 2 GB Disk: 40 GB Network: 1 GB/s	CPU: 2 vCPU RAM: 4 GB Disk: 40 GB Network: 1 GB/s
Infrastructure DEM Server	(One or more) DEM Workers	CPU: 2 vCPU RAM: 2 GB Disk: 40 GB Network: 1 GB/s (Per DEM Worker)	CPU: 2 vCPU RAM: 6 GB Disk: 40 GB Network: 1 GB/s (Per DEM Worker)
Infrastructure Agent Server	(One or more) Proxy Agent	CPU: 2 vCPU RAM: 4 GB Disk: 40 GB Network: 1 GB/s	Same as required hardware specifications
MSSQL Database Server	Infrastructure Database	CPU: 2 vCPU RAM: 8 GB Disk: 40 GB Network: 1 GB/s	CPU: 8 vCPU RAM: 16 GB Disk: 80 GB Network: 1 GB/s

Note: Typically disk sizes for vRA components host on Windows Servers are driven by customer standard build specifications. These need to be considered with the above table.

DNS and Host Name Resolution

• All vRA components must be able to resolve each other by using a fully qualified domain name (FQDN).
• The Model Manager Web service, Manager Service and Microsoft SQL Server database must also be able to resolve each other by their Windows Internet Name Service (WINS) name.

Note: vRA does not allow the use of an underscore (_) in host names.

Password Considerations

The vRealize Automation administrator password that you define during installation must not contain special characters.

In vRA 7.0.1, the following special characters are known to cause errors:

• Double quote marks (“)
• Commas (,)
• A trailing equal sign (=)
• Blank spaces
• Non-ASCII or extended ASCII characters

Note: Passwords that contain special characters might be accepted when you enter them, but cause failures when you perform operations later.

Time Synchronisation

All systems must synchronise their clocks from an accurate time source. Installation will fail if system clocks are not synchronised.

Installation Accounts

The following table outlines the accounts required for a distributed installation, I used separate accounts for the IaaS components but you can consolidate the account requirements if your setup allows this:

Component	Account	Access
vRealize Automation Appliance (VMware Identity Manager)	root
Default Tenant	administrator@vsphere.local
Website and Model Manager	testlab\svc_vra_iaas01	Access to IaaS SQL DB Local Administrator on IaaS Web Servers
Manager Service and DEM Orchestrator	testlab\svc_vra_mgr01	Access to IaaS SQL DB Local Administrator on IaaS Manager Web Servers
DEM Worker	testlab\svc_vra_pxy01	Local Administrator on IaaS DEM-W/Agent Servers
Proxy Agent	testlab\svc_vra_pxy01	Local Administrator on IaaS DEM-W/Agent Servers
vRA to vCenter	testlab\svc_vra_vc01
vRA to AD	testlab\svc_vra_ad01
vRO to AD	testlab\svc_vro_ad01
vRA to vRO	testlab\svc_vra_vro01

Load Balancer

The following table outlines the load balanced components required for a distributed installation:

Component	Load Balancer	Server FQDN and IP Address
vRealize Automation Appliance	vra-portal.testlab.com <192.168.140.24>	vratestlab01.testlab.com <192.168.140.10> vratestlab02.testlab.com <192.168.140.11>
Website and Model Manager Data	vra-web.testlab.com <192.168.140.25>	vratestlab03.testlab.com <192.168.140.13> vratestlab04.testlab.com <192.168.140.14>
Manager Service DEM Orchestrator	vra-mgr.testlab.com <192.168.140.26>	vratestlab05.testlab.com <192.168.140.15> vratestlab06.testlab.com <192.168.140.16>
DEM Workers and Agents	N/A	vratestlab07.testlab.com <192.168.140.17> vratestlab08.testlab.com <192.168.140.18>

 

I will continue with the vRA 7 deployment in part 2 of this series.