vRA 7 Enterprise Deployment – Part 5 – vRealize Automation Deployment Wizard

Following on from the vRA 7 Enterprise Deployment Part 4, this blog continues the series with the installation of the vRealize Automation Deployment Wizard to complete the Enterprise deployment of vRealize Automation. The vRA deployment wizard was introduced in the vRA 7.0 release to complete the pre-requisite configuration and automated deployment of the vRA IaaS components. It is initiated by default after the deployment of a vRealize Automation appliance and can be accessed from the primary vRA virtual appliance's Virtual Appliance Management Interface (VAMI) on port 5480. You will need to log on with the root account, after which you are presented with the vRA Deployment Wizard.

Installation Steps using the Installation Wizard

Log in to the first IaaS Web Server host with the domain service account that will be used to perform the installation and will also run the Windows service for the vCAC Management Agent.
Example first Web Server: vratestlab03.testlab.com
Example Domain Service Account: testlab\svc_vra_iaas01 (ensure it is a member of local admins and remote desktop users)

Go to the first deployed vRealize Automation appliance management console by opening a connection using its FQDN: https://vratestlab01.testlab.com:5480/

Note: You need to perform these steps on the first Windows Server you will use as the primary IaaS Web Server host, ensuring that the server has full network access to all vRealize Automation and IaaS Web, Manager, DEM, and Proxy Agent servers to perform the Management Agent installation.

Click I Understand the Risks, and click Add Exception to accept the certificate.

Click Confirm Security Exception.


Log in using the user name root and the password you specified when you deployed the vRealize Automation appliance.

Click Login.


On the Welcome to the vRealize Automation Wizard page, click Next to continue.


On the End User License Agreement page, click I accept the terms of this agreement.

Click Next to continue.


On the Deployment Type page, select the Enterprise deployment option.

Click Next to continue.

Ensure Install Infrastructure as a Service is selected


On the Installation Prerequisites page:

Select one of the appropriate NTP time synchronization options to use among virtual appliances and IaaS servers. For the Virtual Appliance Time Sync. Mode, choose between the Use Host Time or Use Time Server radio button options.

Click Change Time Settings to save the time synchronization method.

Check that the list of IaaS Server host names matches those in the IaaS Management Agent Deployment Information table.

Note: If one of the Windows servers does not appear in the list of IaaS Host Name and does not show it is connected, do not proceed with the installation until the problem is identified and resolved with the IaaS Management Agent. When all Windows servers with IaaS Management Agents report as connected, proceed with the vRealize Automation Installation Wizard.

Click Next.


On the vRealize Appliances page:

Click the green plus sign to add the second vRealize Automation Appliance:

Host: Example: vratestlab02.testlab.com

Admin User: root

Password: Enter your root password

 

Click Next to continue.

Click OK to proceed after the warning for untrusted host message is displayed.


On the Server Roles page, check off the following server roles applicable to the vRealize Automation high availability deployment:

Primary Web (with Model Manager data) Service:

<vratestlab03.testlab.com>

Other Webs:

<vratestlab04.testlab.com>

Manager Service:

  • <vratestlab05.testlab.com>
  • <vratestlab06.testlab.com>

DEM & Proxy Agent:

  • <vratestlab07.testlab.com>
  • <vratestlab08.testlab.com>

Click Next to continue.


On the Pre-requisite Checker page, click Run.


The prerequisite checker will check for installation prerequisites and display the validation results on the Pre-requisite Checker page.

Wait for the prerequisite checker Status to reflect the validation status by changing from Pending to OK.

After the prerequisites checker validation has completed, verify that the status is reported as OK for all IaaS hosts.

For any IaaS hosts that report prerequisites are not met, click Show Details to expand the view and show the Action required to fix the prerequisites


Click the Hide Details link to collapse the Show Details view.

Click Fix to allow the prerequisites checker to perform any required fixes.

A Loading message will be displayed while the background processes start to fix the reported prerequisite issues.

On the Prerequisites Checker page, wait for the prerequisites checker to complete the fix for each IaaS Host in the IaaS Host Name list.

After the prerequisites checker has completed all fixes to IaaS hosts, the Status column should report OK with all green check marks.

Click Next to continue.


On the next vRealize Automation Host page, enter the vRealize Address that is the DNS Alias or FQDN of the vRealize Automation Load Balancer.

DO NOT CLICK NEXT AT THIS POINT!

You must first create the DNS Alias (CNAME) in DNS (before proceeding) if the initial deployment is not already configured with a load balancer, but you plan to configure the load balancer after the installation is completed.

If a load balancer is introduced at this point in the deployment, verify that the load balancer VIPs and monitors are configured correctly.

Ensure you have set up your load balancer as per the vRA Load Balancing guide and test resolution of your DNS records.

vRealize Automation Load Balancing

Click Next to continue.


On the Single Sign-On page, enter the following:

  • Administrator password: <password>
  • Confirm password: <password>

Click Next to continue.


On the IaaS Host page, enter the following:

IaaS Web Address: <web-service load balancer address FQDN>

For example: vra-web.testlab.com

Manager Service Address: <vra-manager service load balancer address FQDN>

For example: vra-mgr.testlab.com

Security Passphrase: <passphrase>

Confirm Passphrase: <passphrase>

Click Next to continue.


On the Microsoft SQL Server page, enter the following:

Server name: <sqlserver\instance>

For example: sqltestlab01\inst01

Database name: <dbname>

For example: IaaS01

Select the Windows Authentication check box.

Note: If your SQL server uses SSL certificates, deselect Default settings for further configuration options.

Click Validate to verify Microsoft SQL Server connectivity and permissions to create the database.


After the validation is successful, a green check mark will appear, indicating all parameters are valid.

Click Next to continue.


On the Web Role page, enter the following:

 

Website Name: <Default Web Site>

Example: Default Web Site

Port: <443>

Example default port: 443

In the IaaS Web Servers section of the page, enter the following information for all of the IaaS hosts listed:

 

Username: testlab\svc_vra_iaas01

Password: <password>

Installation Path: <optional>

Click Validate to validate the authentication to the IaaS Web Server hosts.


After the validation is successful, a green check mark will appear indicating that all parameters are valid.

Click Next to continue.


On the Manager Service Role page, enter the following:

Select the Active check box for the Manager service role corresponding to an IaaS hostname.

Example:  vratestlab05.testlab.com

Username: testlab\svc_vra_mgr01

Password: <password>

Installation Path: <optional>

Click Validate to validate the authentication to the IaaS Manager Service Hosts.


After the validation is successful, a green check mark will appear indicating that all the parameters are valid.

Click Next to continue.


On the Distributed Execution Managers page, enter the following:

(Optional) Select the green plus sign to add more Distributed Execution Manager hosts.

Select the IaaS host name service role from the drop-down,

Example: vratestlab07.testlab.com

Username: testlab\svc_vra_demw01

Password: <password>

Installation Description: <optional>

Installation Path: <optional>

Click Validate to validate the authentication to the IaaS DEM hosts.


After the validation is successful, a green check mark will appear indicating that all parameters are valid.

Click Next to continue.


On the Agents page, enter the following:

(Optional) Select the green plus sign to add more Agent hosts.

Select the IaaS Host Name service role from the drop-down,

Example: vratestlab07.testlab.com

Select the Agent Type from the drop-down, for example: vSphere

Agent Name: vmatestlab02

Endpoint:  vmatestlab02

Installation Description: <optional>

Username: testlab\svc_vra_vc01

Installation Path: <optional>

Note: Ensure the Agent Name and Endpoint name match.

Click Validate to validate the authentication to the IaaS DEM hosts.


After the validation is successful, a green check mark will appear indicating that all parameters are valid.

Click Next to continue.


On the vRealize Appliance Certificate page, select Import for the PEM-encoded certificate generated from a certificate authority for the vRealize Automation Appliance.

Open the vra-portal.key file for your vRealize Automation appliances in a text editor and paste the contents of the file into the RSA Private Key text box.

Open the vra-portal.pem file for your vRealize Automation appliances in a text editor and paste the contents into the Certificate Chain text box.

Enter the password used when generating the certificates into the Pass Phrase text box.

Click Save Imported Certificate.

Click Next to continue.


On the Web Certificate page, select Import Certificate for the PEM-encoded certificate generated from a certificate authority for the vRealize Automation IaaS Web Server hosts.

Open the vra-web.key file for your IaaS Web Server hosts in a text editor and paste the contents of the file into the RSA Private Key text box.

Open the vra-web.pem file for your IaaS Web Server hosts in a text editor and paste the contents into the Certificate Chain text box.

Enter the password used when generating the certificates into the Pass Phrase text box.

Click Save Imported Certificate.

Click Next to continue.


On the Manager Service Certificate page, select Import Certificate for the PEM-encoded certificate generated from a certificate authority for the vRealize Automation IaaS Manager Server hosts.

Open the vra-mgr.key file for your IaaS Manager Server hosts in a text editor and paste the contents of the file into the RSA Private Key text box.

Open the vra-mgr.pem file for your IaaS Manager Server hosts in a text editor and paste the contents into the Certificate Chain text box.

Enter the password used when generating the certificates into the Pass Phrase text box.

Click Save Imported Certificate.

Click Next to continue.
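The three certificate pages above all take pasted PEM text, so the .key and .pem files can be checked offline before anything goes into the RSA Private Key and Certificate Chain text boxes. The following is an added example, not part of the original post or of vRealize Automation: a standard-library Python lint that flags a missing or truncated block, key material in the chain text, duplicate certificates and stray text, and reports whether the key is encrypted and therefore needs the Pass Phrase. The function names and the sample blocks (constructed placeholder bytes, not real keys or certificates) are assumptions made for illustration.

```python
import base64
import binascii
import re

# One PEM block: BEGIN line, body, matching END line (LF or CRLF endings).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)
KEY_LABELS = {"RSA PRIVATE KEY", "EC PRIVATE KEY", "PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}


def parse_pem(text):
    """Return [(label, encrypted, der_bytes), ...] for every PEM block in text."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        lines = [ln.strip() for ln in body.splitlines() if ln.strip()]
        # Legacy OpenSSL keys carry headers such as "Proc-Type: 4,ENCRYPTED";
        # base64 never contains ":", so that separates headers from payload.
        headers = [ln for ln in lines if ":" in ln]
        payload = "".join(ln for ln in lines if ":" not in ln)
        try:
            der = base64.b64decode(payload, validate=True)
        except binascii.Error:
            raise ValueError(f"{label}: body is not valid base64") from None
        encrypted = (label == "ENCRYPTED PRIVATE KEY"
                     or any("ENCRYPTED" in h for h in headers))
        blocks.append((label, encrypted, der))
    return blocks


def stray_text(text):
    """Anything left once complete PEM blocks are removed (notes, truncated blocks)."""
    return PEM_BLOCK.sub("", text).strip()


def lint_key_text(text):
    """Check text meant for the RSA Private Key box.

    Returns (problems, needs_pass_phrase).
    """
    blocks = parse_pem(text)
    keys = [b for b in blocks if b[0] in KEY_LABELS]
    problems = []
    if len(keys) != 1:
        problems.append(f"expected 1 private key block, found {len(keys)}")
    if any(label == "CERTIFICATE" for label, _, _ in blocks):
        problems.append("certificate pasted with the key")
    if stray_text(text):
        problems.append("text outside PEM blocks")
    return problems, any(enc for _, enc, _ in keys)


def lint_chain_text(text):
    """Check text meant for the Certificate Chain box; returns a problem list."""
    blocks = parse_pem(text)
    certs = [der for label, _, der in blocks if label == "CERTIFICATE"]
    problems = []
    if not certs:
        problems.append("no CERTIFICATE block found")
    if any(label in KEY_LABELS for label, _, _ in blocks):
        problems.append("private key material in chain text")
    if len(set(certs)) != len(certs):
        problems.append("duplicate certificate")
    if stray_text(text):
        problems.append("text outside PEM blocks")
    return problems


def make_pem(label, payload, headers=()):
    """Build a constructed PEM block for the demo (not a real key or cert)."""
    body = list(headers) + ([""] if headers else [])
    body.append(base64.b64encode(payload).decode())
    return (f"-----BEGIN {label}-----\n" + "\n".join(body)
            + f"\n-----END {label}-----\n")


# Constructed sample input: placeholder bytes wrapped in PEM armor.
SAMPLE_LEAF = make_pem("CERTIFICATE", b"constructed leaf certificate bytes")
SAMPLE_CA = make_pem("CERTIFICATE", b"constructed issuing CA bytes")
SAMPLE_KEY_PLAIN = make_pem("PRIVATE KEY", b"constructed key bytes")
SAMPLE_KEY_ENCRYPTED = make_pem(
    "RSA PRIVATE KEY", b"constructed encrypted key bytes",
    headers=("Proc-Type: 4,ENCRYPTED", "DEK-Info: AES-256-CBC,0011223344556677"))

if __name__ == "__main__":
    print(lint_key_text(SAMPLE_KEY_ENCRYPTED))              # clean, pass phrase needed
    print(lint_chain_text(SAMPLE_LEAF + SAMPLE_CA))         # clean
    print(lint_chain_text(SAMPLE_LEAF + SAMPLE_KEY_PLAIN))  # key in the wrong box
```

In practice the two functions are fed the contents of files such as vra-portal.key and vra-portal.pem read from disk, which also keeps the private key out of the clipboard until it is known to be the right one.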


On the Load Balancers page, review the configuration of vRealize Automation components.

Verify the entries for Load Balancer Address and the Load Balancer members are correct.

Example load balancer addresses:

  • vra-portal.testlab.com
  • vra-web.testlab.com
  • vra-mgr.testlab.com

Click Next to continue.


On the Validation page, click Validation.


On the Validation page, the status is updated to reflect Validation is in progress.

Wait for the validation to report status on each Host Name\Instance and change from Pending to Succeeded in the Command Status column.

Wait for all validation tests to report 100% with validation completed.

Note: If any of the Validation tasks fail, do not click Next until every problem is resolved. The validation can be run again after problems are corrected with each hostname or instance.

Click Next to continue.


Next, within vCenter, create VM snapshots of all vRealize Automation appliances and IaaS Server hosts. Wait for the VM snapshots to complete before proceeding.

On the Create Snapshots page, click Next to continue.


On the Installation Details page, click Install.


As the installation continues, the Installation Details page reports the status of the Installation in progress with the percentage complete.

After the installation is finished, click Next to continue.


On the Licensing page:

Enter the New License Key: <license key>

Click Submit Key.

Click Next to continue.


On the Telemetry page, select your option then click Next to continue.


On the Initial Content Configuration page, click Next to continue.

After the Installation Wizard reports that installation was successful, click Finish to complete the installation.


vRA 7 Deployment Validation

Once the installation has completed, connect to the primary vRA appliance VAMI to validate the configuration.

Log in using the user name root and the password you specified when you deployed the vRealize Automation appliance.

Click Login.


Navigate to vRA Settings > Host Settings and verify the configuration.

Verify the Host Name is set to the FQDN of the VIP DNS name.

Verify the SSL Configuration is using the imported certificate


Navigate to vRA Settings > Cluster and verify the configuration. Expand the Host / Node Name to validate the roles assigned to each node.

Verify all nodes are in a healthy state by checking their Last Connected time from the VAMI of the primary vRA appliance

  • Ensure the IaaS nodes have a last connected time of less than 30 seconds
  • Ensure the vRA appliances have a last connected time of less than 10 minutes
    • Note: The screenshot is from my vRA 7.3 environment


Navigate to vRA Settings > Database and verify the configuration.

Ensure the replication mode is Asynchronous

Check the Connection Status is CONNECTED

Verify the primary vRA appliance is the MASTER node and the secondary vRA appliance is the REPLICA node.

Ensure both Postgres DB nodes have a status of Up


Navigate to Services and confirm all services have a status of REGISTERED.


This concludes part 5 of this vRealize Automation Enterprise installation series and vRealize Automation is now installed. I will continue with the vRA 7 series, where we can now start configuring the post vRA 7 deployment elements.

 

 

 

 

 

 

vRA 7 Enterprise Deployment – Part 4 – vRealize Automation IaaS Management Agent Installation

Following on from the vRA 7 Enterprise Deployment Part 3, this blog continues the series with the installation of the vRealize Automation IaaS management agent on the IaaS nodes.

The vRA deployment wizard was introduced in the vRA 7.0 release to complete the pre-requisite configuration and automated deployment of the vRA IaaS components. This is a massive improvement over the vRA 6.x procedure and more reliable. Before proceeding with the vRA Deployment Wizard, each vRA IaaS node requires the vRA Management Agent to be installed. Once installed, the host is registered with the primary vRA appliance.

Exception: Java 64-bit is required on the IaaS Web servers and cannot be pushed by the deployment wizard. You must install a supported 64-bit version of Java and add the “JAVA_HOME” system variable on each IaaS Web server you plan to use prior to commencing with the vRA Deployment Wizard.

Further information can be found in the VMware documentation here: IaaS Web Service and Model Manager Server Requirements

As per the Enterprise (previously known as Large) deployment model in the vRealize Automation 7 Reference Architecture document, you need to prepare 8 Windows Server VMs, ensuring you meet the prerequisites for the vRA deployment wizard. This deployment guide assumes you already have a Microsoft SQL Server deployed, which can be used to host the vRA IaaS database.

Ensure you adhere to the vRealize Automation Support Matrix and the Interoperability Guides.

Once you have prepared the following, you can continue with the vRealize Automation installation:

  • 8 x Windows Server VMs
  • Installed a supported version of JRE x64
  • Configured the JAVA_HOME system variable
  • Configured a supported Load Balancer with only the primary nodes enabled in the LB pools
  • Created and validated the DNS Alias addresses to use for the vRA installation

vRealize Automation Load Balancing

vRealize Automation IaaS Management Agent Installation

Download and Install IaaS Management Agents on the First IaaS Web Server host

Log in to the first IaaS Web Server host with the domain service account that will be used to perform the installation and will also run the Windows service for the vCAC Management Agent.

Note: Ensure the accounts have been set up as per Part 1 of this series.

Example first Web Server: vratestlab03.testlab.com

Example Domain Service Account: testlab\svc_vra_iaas01 (ensure it is a member of local admins and remote desktop users)

Go to the first deployed vRealize Automation appliance management console by opening a connection using its FQDN:

https://vratestlab01.testlab.com:5480/

Note: You need to perform these steps on the first Windows Server you will use as the primary IaaS Web Server host, ensuring that the server has full network access to all vRealize Automation and IaaS Web, Manager, DEM, and Proxy Agent servers to perform the Management Agent installation.

Click I Understand the Risks, and click Add Exception to accept the certificate.

Click Confirm Security Exception.


Log in using the user name root and the password you specified when you deployed the vRealize Automation appliance.

Click Login.


On the Welcome to the vRealize Automation Wizard page, click Next to continue.


On the End User License Agreement page, click I accept the terms of this agreement.

Click Next to continue.


On the Deployment Type page, select the Enterprise deployment option.

Click Next to continue.

Ensure Install Infrastructure as a Service is selected


On the Installation Prerequisites page:

Click on the vCAC-IaaSManagementAgent-Setup.msi hyperlink to begin the download of the Management Agent installer.

Click Save File to save the installer to a local folder on the primary IaaS Web Server host where you are performing the Management Agent installation from.


Browse to the local directory where you saved the installer, on the primary IaaS Web Server host.

Right click on the vCAC-IaaSManagementAgent-Setup.msi file and select Install.

When the setup wizard opens, click Next.


On the End-User License Agreement screen of the Management Agent Setup Wizard, check the box I accept the terms of this agreement.

Click Next.


On the Destination Folder screen, select a destination folder by clicking Change, or accept the default installation path.

Click Next.


On the Management Site Service screen:

In the vRA appliance load balancer address text box, specify the vRealize Automation appliance URL, for example: <https://vra-portal.testlab.com:5480>

In the Root username text box, enter the vRealize Automation appliance username <root>.

In the Password text box, enter the vRealize Automation appliance <password>.

In the Management Site Service certificate SHA1 fingerprint text box, click Load.

Select the I confirm the fingerprint matches the Management Site SSL Certificate check box.

Click Next.


Enter the AD domain service account details for the vRA Management Agent, for example: testlab\svc_vra_mgr01

Enter the password for the AD service account

Click Next.


Click Install


Once the installation has completed successfully, click Finish to exit the Management Agent installation wizard.


Verify the VMware vRealize Automation Management Agent is running on the primary IaaS Web Server in Server Manager by going to Tools > Computer Management > Services.

Verify the Logon as Service account is configured to use the vRealize Automation Service Account, for example, testlab\svc_vra_iaas01.
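On the Management Site Service screen, Load retrieves the SHA1 fingerprint from the address just entered, so the confirmation check box only means something when that value is compared with one obtained independently, for example read on the appliance itself. The following is an added example, not from the original post or VMware tooling: Python that computes the SHA-1 fingerprint of a certificate, compares it with a reference regardless of separators and case, and lists which endpoints present a different certificate. The function names, the constructed sample certificates (placeholder bytes, not real certificates) and the idea of a separately obtained reference value are assumptions.

```python
import hashlib
import re
import ssl


def sha1_fingerprint(pem_cert):
    """SHA-1 over the DER encoding, formatted AA:BB:... like certificate viewers."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fingerprint):
    """Strip separators and case so differently formatted values compare equal."""
    value = re.sub(r"[\s:\-]", "", fingerprint).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", value):
        raise ValueError("not a SHA-1 fingerprint: expected 40 hex digits")
    return value


def fingerprints_match(shown, reference):
    """True when the value shown in the installer equals the trusted reference."""
    return normalize(shown) == normalize(reference)


def fetch_pem(host, port=5480):
    """Certificate the endpoint presents. It is not validated here: the result
    is evidence to compare against the reference, not something to trust."""
    return ssl.get_server_certificate((host, port))


def mismatched_hosts(presented, reference):
    """Hosts in {host: pem} whose certificate does not hash to the reference."""
    return sorted(host for host, pem in presented.items()
                  if not fingerprints_match(sha1_fingerprint(pem), reference))


# Constructed sample input: placeholder bytes in PEM armor, not real certificates.
SAMPLE_PRIMARY = ssl.DER_cert_to_PEM_cert(
    b"constructed certificate of the primary appliance")
SAMPLE_OTHER = ssl.DER_cert_to_PEM_cert(
    b"constructed certificate of some other endpoint")

if __name__ == "__main__":
    # Stands in for the fingerprint obtained over a trusted channel.
    reference = sha1_fingerprint(SAMPLE_PRIMARY)
    # Live use would build this with {h: fetch_pem(h) for h in hosts}.
    presented = {"vra-portal.testlab.com": SAMPLE_PRIMARY,
                 "vratestlab02.testlab.com": SAMPLE_OTHER}
    print(mismatched_hosts(presented, reference))
```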


Download and Install IaaS Management Agents on all remaining IaaS Web, Manager, DEM, and Agent Servers

The following table lists the host name information for the vRA IaaS nodes in my homelab, where the IaaS Management Agent for each IaaS Server component will be installed. You can use this table as a reference to complete the vRealize Automation Management Agent installation on all of the vRA IaaS nodes.

IaaS Management Agent Deployment Information

| Component | IaaS Management Agent Required or N/A | Server FQDN |
| --- | --- | --- |
| vRealize Automation Appliances | Appliance (Management Agent N/A) | vratestlab01.testlab.com, vratestlab02.testlab.com |
| vRealize Automation Websites | IaaS Web Servers (Management Agents Required) | vratestlab03.testlab.com, vratestlab04.testlab.com |
| Manager Service and DEM Orchestrator | IaaS Manager Servers (Management Agents Required) | vratestlab05.testlab.com, vratestlab06.testlab.com |
| DEM Workers and Agents | IaaS Agent Servers (Management Agents Required) | vratestlab07.testlab.com, vratestlab08.testlab.com |
| Microsoft SQL Server 2012 | vRealize Automation IaaS Database (Management Agent N/A) | sqltestlab01.testlab.com |

 

This concludes part 4 of this vRealize Automation Enterprise installation series. I will continue with the vRA 7 deployment in part 5 of this series, where we can now start deploying vRA using the Deployment Wizard.

 

 

vRA 7 Enterprise Deployment – Part 3 – Deploy vRealize Automation Appliances

Following on from the vRA 7 Enterprise Deployment Part 2, this blog continues the series with the initial vRA Appliances deployment.

Deploy the First vRealize Automation Appliance

In the vSphere Web Client, select Actions > Deploy OVF Template


On the Select source page:

  1. Select the Local file option and click Browse.
  2. Go to the location of the identity appliance file having an .ova or .ovf extension, select the file, and click Open.
  3. Click Next to continue.


On the Review details page, review the summary details.

Click Next to continue.


Click Accept on the Accept EULAs page to accept the license agreement.

Click Next to continue.


On the Select name and folder page:

  1. Enter a unique name for the virtual appliance in the Name text box, following the required naming convention. For example: vratestlab01
  2. Select the datacenter and folder location where you want to deploy the virtual appliance.
  3. Click Next to continue.


On the Select a resource page, select the cluster where you want to deploy the virtual appliance.

Click Next to continue.


On the Select storage page, select a datastore with sufficient space.

Click Next to continue.


On the Setup networks page, select the network you want to connect the virtual appliance to, using the Destination drop-down menu.

Click Next.


On the Customize Template page:

  1. Expand Application.
  2. For the Initial root password, provide entries for the Enter password, and Confirm password fields.
  3. Select the Enable SSH service in the appliance check box to enable SSH service.
  4. For Hostname, enter the appliance hostname FQDN, for example: vratestlab01.testlab.com


In the Customize Template dialog box, expand Network Properties and enter the following network properties:

In the Default Gateway text box, enter the default gateway address for the VM, for example: 192.168.140.1

In the Domain Name text box, enter the domain name of this VM, for example: testlab.com

In the Domain Search Path text box, enter the domain search path for this VM, for example: testlab.com

In the Domain Name Servers text box, enter the DNS servers, for example: 192.168.140.4

In the Network 1 IP Address text box, enter the appliance IP Address, for example: 192.168.140.10

In the Network 1 Netmask, enter the appliance Netmask, for example: 255.255.255.0

Click Next to continue.


On the Ready to Complete page, select the Power on after deployment check box.

Click Finish.


Within the vCenter Web Client, verify vRealize Automation has deployed successfully.

Log in to the first vRealize Automation Appliance, for example: vratestlab01.testlab.com


Deploy the Second vRealize Automation Appliance

In the vSphere Web Client, select Actions > Deploy OVF Template.


In the Select source dialog box, click Local file and click Browse.

Go to the location of the identity appliance file, having an .ova or .ovf extension, and click Open.

Click Next.


On the Review details page, review the summary details.

Click Next.


Click Accept on the Accept EULAs page to accept the license agreement.

Click Next.


On the Select name and folder page, enter a unique name for the virtual appliance in the Name text box, following the required naming convention.

For example: vratestlab02

Select the datacenter and folder location where you want to deploy the virtual appliance.
Click Next.

 


On the Select a resource page, select the cluster where you want to deploy the virtual appliance.

Click Next.


In the Select storage dialog box, select a datastore with sufficient space.

Click Next.


On the Setup networks page, select the network to which you want to connect the virtual appliance, using the Destination drop-down menu.

Click Next.


In the Customize Template dialog box, expand Application and enter the following application settings:

Specify entries for the Active Directory domain name in the Initial root password, Enter password, and Confirm password text boxes.

Select the Enable SSH service in the appliance check box, to enable SSH service.

In the Hostname text box, enter the appliance hostname FQDN, for example: vratestlab02.testlab.com


On the Customize Template page, expand Network Properties and enter the following properties:

In the Default Gateway text box, enter the default gateway address for the VM. For example: 192.168.140.1

In the Domain Name text box, enter the domain name of this VM. For example: vratestlab02

In the Domain Search Path text box, enter the domain search path for this VM. For example: testlab.com

In the Domain Name Servers text box, enter the DNS servers. For example: 192.168.140.4

In the Network 1 IP Address text box, enter the appliance IP Address. For example: 192.168.140.11

In the Network 1 Netmask, enter the appliance Netmask. For example: 255.255.255.0

Click Next to continue.


On the Ready to Complete page, select the Power on after deployment check box.

Click Finish.


In vCenter Web Client verify vRealize Automation has deployed successfully on the second vRealize Automation Appliance: vratestlab02.testlab.com


vRealize Automation Appliance Deployment Verification

Verify the Deployment of the First vRealize Automation Appliance

Go to the vRealize Automation appliance management console by opening a connection using its FQDN: https://vratestlab01.testlab.com:5480/


Accept the certificate by clicking I Understand the Risks and then clicking Add Exception.

Click Confirm Security Exception.

Log in with the user name root and the password you specified when deploying the vRealize Automation appliance.


The vRealize Automation Installation Wizard is displayed.

Caution – Stop Here and Do NOT Click Next. Verify that all other vRealize Automation appliances have been deployed and are running before proceeding to the next step

Do not cancel or exit out of the wizard at any time. If you exit the wizard, the tool assumes that you will be going through a manual installation and will not let you restart the wizard. Leave this page open and continue on to the next section.


Verify the Deployment of the Second vRealize Automation Appliance

Go to the vRealize Automation appliance management console by opening a connection using its FQDN. For example: https://vratestlab02.testlab.com:5480/


Accept the certificate exception by clicking I Understand the Risks, and clicking Add Exception.

Click Confirm Security Exception.

Log in using the user name root and the password you specified when deploying the vRealize Automation appliance.


The vRealize Automation Installation Wizard is displayed.

Caution – Stop Here and Do NOT Click Next. Verify that all other vRealize Automation appliances have been deployed and are running before proceeding to the next step

Do not cancel or exit out of the wizard at any time. If you exit the wizard, the tool assumes that you will be going through a manual installation and will not let you restart the wizard. Leave this page open and continue on to the next section.


I will continue with the vRA 7 deployment in part 4 of this series, where we can now start deploying the vRA IaaS nodes.

 

 

Upgrading vSphere 6.0 U2 to vSphere 6.5d – Part 2

Continuing on from Part 1, where I upgraded the external PSC appliances, Part 2 of this post continues the upgrade sequence and upgrades the vCenter Server Appliance 6.0 to the 6.5d release. As with the PSC appliance upgrade, the vCSA 6.5 upgrade follows the same two-stage approach. The first stage is to deploy a new appliance and the second stage is to copy the data from the 6.0 appliance to the new 6.5 appliance.

Stage 1 – Deploy the new vCenter Server Appliance

In stage 1, I will deploy the OVA file of the vCenter 6.5 appliance. Mount the ISO and navigate to the \vcsa-ui-installer\ directory and then to the required subdirectory for your OS:

  • For Windows OS, go to the win32 subdirectory, and run the installer.exe
  • For Linux OS, go to the lin64 subdirectory, and run the installer
  • For Mac OS, go to the mac subdirectory, and run the Installer.app

Ensure you have a full backup or snapshots of all the required machines before commencing.

I’m running my upgrade from a Windows machine so I will run \vcsa-ui-installer\win32\installer.exe


Select Upgrade from the vCenter Server Appliance 6.5 Installer


The introduction provides an overview of the stages required to complete the upgrade. Click Next.


Accept the End User License Agreement and click Next


Enter the FQDN of the existing vCenter Server Appliance (this is the first vCSA 6.0 I installed), along with the required credentials. Then enter the ESXi host for the source vCSA. Click Next.


Click Yes on the Certificate Warning to continue.


Enter the ESXi host FQDN where you would like the new vCSA 6.5 appliance deployed. Click Next


Click Yes on the Certificate Warning to continue.


Enter the name for the vCSA appliance VM and set a root password. Click Next.


Select the deployment size you would like for your environment. For my home lab, I selected Tiny


Select a datastore for the vCSA and if you would like to enable Thin Disk Mode. Click Next.


Now select a network with ephemeral port binding. This is temporary, and the new vCSA appliance can be moved to another network after the upgrade has completed.

Enter the temporary network identity in the required fields. It’s worth noting at this point that the temporary names and IP addresses used during the upgrade all need to be resolvable by DNS. Once the upgrade has completed, the appliance frees the temporary IP address and assumes the network settings of the source 6.0 appliance.


Review the summary on the Ready to complete stage 1 page, verify the settings and then click Finish


Once the deployment has completed, click Continue to progress to Stage 2. If you close, you can continue with Stage 2 by navigating to the VAMI of the newly deployed vCenter Server appliance, https://vma01tmp.testlab.com:5480


Stage 2 – Copy Data from source vCenter Server Appliance to the vCSA 6.5 appliance

After completing stage 1, you will be taken to stage 2 and the introduction page. Click Next.

1.5.15

Confirm the source vCenter Server and ESXi host information. This will be pre-populated from Stage 1 unless you closed the upgrade after Stage 1. If so, you will need to re-enter the information. Click Next

1.5.16

A pre-upgrade check will run and display its results. The check highlighted an internal error during the vSphere ESX Agent Manager upgrade checks. I managed to find a resolution to this error in the VMware communities

https://communities.vmware.com/thread/557876

1.5.17

Navigate to the source vCSA Managed Object Browser, https://vmatestlab01.testlab.com/mob – you will need to authenticate with SSO administrator credentials.

Click content

1.5.18

Click ExtensionManager

1.5.19

Click UnregisterExtension and a new window will appear for the UnregisterExtension

1.5.20

Enter com.vmware.vim.eam in the value field and click Invoke Method

1.5.21

This unregisters the plug-in and results in void  

1.5.22

Refresh the Managed Object Browser and verify the plug-in has been unregistered

1.5.23

Stop the vmware-eam service on the source vCSA appliance by running service-control --stop vmware-eam from the shell

Once the vmware-eam service is stopped, you can continue. Click Next

1.5.24

It’s likely you will be required to enter your password again due to the session expiring. Enter your password and click Log in

1.5.25

The pre-upgrade check will run again and display its results. This time, the check only highlighted that DRS should not be set to Fully Automated on the cluster where the ESXi host resides during the upgrade process. As in part 1, I configured the DRS Automation Level to manual.

1.5.26

You now need to select the data you would like to migrate from the source vCSA 6.0 appliance. I decided to take all of the data. Select the option for your environment and click Next

1.5.27

Review the summary information on the Ready to complete page, check I have backed up the source vCenter Server and all the required data from the database and click Finish

1.5.28

At this point, the installer will display a notice stating the source vCSA appliance will be shutdown once the network configuration has been enabled on the new vCSA 6.5 appliance. This is a useful option as the source vCSA configuration and data is left intact for easier rollback, if required. Click OK

1.5.29

If all goes well, the data should be copied and the source vCSA shutdown. The new vCSA 6.5 should be powered on and accessible with your source network identity. At this point I renamed the VMs in vCenter for convenience.

1.5.30

You now need to upgrade all vCSAs in your SSO domain before proceeding to upgrade the ESXi hosts. I will finish this blog series in Part 3 when I complete the upgrade of my ESXi hosts.

ESXi Preferred Domain Controllers

I was at a customer site recently where they had issues with ESXi hosts reverting to local authentication after joining an Active Directory domain. On further investigation, it transpired that the ESXi hosts can only communicate with some of the AD domain controllers as the majority are behind firewalls. As far as I’m aware, ESXi hosts are not AD site aware so when a query is made to the AD integrated DNS, any of the domain DCs could be returned, including those not accessible behind firewalls.

I was not provided with any further details on the ESXi hosts reverting to local authentication, but this appeared to be a good use case for setting preferred domain controllers in the ESXi host advanced settings. You can configure UserVars.ActiveDirectoryPreferredDomainControllers with preferred domain controllers, separated by commas, for the ESXi host to use for AD communication.

To specify the preferred domain controller(s):

  1. Select ESXi Server > Configuration > Advanced Settings > UserVars.ActiveDirectoryPreferredDomainControllers
  2. Enter the IP address or FQDN of the preferred domain controller ( I opted for IP Address as the domain controller is also the DNS server)
  3. Click OK to apply the changes

1.4.1

I recommend configuring values for more than one domain controller to avoid a single point of failure. If none of the configured domain controllers can be contacted, AD user authentication will fail.

Upgrading vSphere 6.0 U2 to vSphere 6.5d – Part 1

With vSphere 6.5 being GA in November 2016, I thought it’s finally time I upgraded my home lab to this version.

My home lab is currently at vSphere 6.0 U2, using externally load-balanced PSCs with Management and Payload vCenter appliances in the same SSO domain. The topology is shown below:

1.3.0

I do not have NSX or vSAN installed in my home lab yet, but there are some KBs worth noting before embarking on an upgrade, and you should also check the product interoperability matrix.

Important information before upgrading to vSphere 6.5 (2147548)

Best practices for upgrading to vCenter Server 6.5 (2147686)

Update sequence for vSphere 6.5 and its compatible VMware products (2147289)

VMware Product Interoperability Matrices

The PSC 6.5 appliance upgrade is broken into two stages, the first stage is to deploy a new appliance and the second stage is to copy the data from the 6.0 appliance to the new 6.5 appliance. Following the update sequence, I need to upgrade my PSCs first followed by my vCenter appliances then the ESXi hosts.

I’ll assume you know how to download the required ISOs from the VMware website.

Stage 1 – Deploy the new Platform Services Controller Appliance

In stage 1, I will deploy the OVA file of the Platform Services Controller 6.5 appliance. Mount the ISO and navigate to the \vcsa-ui-installer\ directory and then to the required subdirectory for your OS:

  • For Windows OS, go to the win32 subdirectory, and run the installer.exe
  • For Linux OS, go to the lin64 subdirectory, and run the installer
  • For Mac OS, go to the mac subdirectory, and run the Installer.app

Ensure you have a full backup or snapshots of all the required machines before commencing.

I’m running my upgrade from a Windows machine so I will run \vcsa-ui-installer\win32\installer.exe

1.3.1

Select Upgrade from the vCenter Server Appliance 6.5 Installer

1.3.2

The introduction provides an overview of the stages required to complete the upgrade. Click Next.

1.3.3

Accept the End User License Agreement and click Next

1.3.4

Enter the FQDN of the existing Platform Service Controller, this is the first PSC 6.0 I installed, along with the required credentials. Then enter the ESXi host for the source PSC. Click Next.

1.3.5

Click Yes on the Certificate Warning to continue.

1.3.6

Enter the ESXi host FQDN where you would like the new PSC 6.5 appliance deployed. Click Next.

1.3.7

Click Yes on the Certificate Warning to continue.

1.3.8

Enter the name for the PSC appliance VM and set a root password. Click Next.

1.3.9

Select a datastore for the PSC appliance and if you would like to enable Thin Disk Mode. Click Next.

1.3.10

Now select a network with ephemeral port binding, this is temporary and the new PSC appliance can be moved to another network after the upgrade has completed.

Enter the temporary network identity in the required fields. It’s worth noting at this point that the temporary names and IP addresses used during the upgrade all need to be resolvable by DNS. Once the upgrade has completed, the appliance frees the temporary IP address and assumes the network settings of the source 6.0 appliance.

1.3.11

Review the summary on the Ready to complete stage 1 page, verify the settings and then click Finish

1.3.12

Once the deployment has completed, click Continue to progress to Stage 2. If you close, you can continue with Stage 2 by navigating to the VAMI of the newly deployed PSC appliance, https://psc01tmp.testlab.com:5480

Stage 2 – Copy Data from source Platform Services Controller to the PSC 6.5 appliance

After completing stage 1, you will be taken to stage 2 and the introduction page. Click Next.

1.3.14

A pre-upgrade check will run and display its results. The check highlighted below that DRS should not be set to Fully Automated on the cluster where the ESXi host resides during the upgrade process. I configured the DRS Automation Level to manual.

1.3.15

Select whether you want to participate in VMware’s Customer Experience Improvement Program (CEIP) and click Next

1.3.16

Review the summary information on the “Ready to complete” page, check I have backed up the source Platform Services Controller and all the required data from the database and click Finish

1.3.17

At this point, the installer will display a notice stating the source PSC will be shutdown once the network configuration has been enabled on the new PSC 6.5 appliance. As this is my second upgrade attempt, due to upgrade issues with my first VCSA in part 2 and time constraints, this feature proved very useful to revert back to my vSphere 6.0  home lab for another day or so.

Click OK.

1.3.18

If all goes well, the data should be copied and the source PSC shutdown. The new PSC 6.5 should be powered on and accessible with your source network identity. At this point I rename the VMs in vCenter for convenience.

You now need to upgrade all PSCs in your environment before proceeding to upgrade the vCenter appliances. I followed the same procedure to upgrade my second PSC.

1.3.19

I will continue from here in Upgrading vSphere 6.0 U2 to vSphere 6.5d – Part 2 where I will upgrade my vCenter 6.0 appliances and ESXi 6.0 hosts.

 

vRA 7 Enterprise Deployment – Part 2 – Generating Certificates

Following on from vRA 7 Enterprise Deployment Part 1, this blog continues the series with some further planning and preparation before starting with the initial vRA Appliances deployment.

Generating Certificates

A production, distributed vRealize Automation deployment utilises Certificate Authority (CA) signed security certificates as each component communicates exclusively over SSL. While it is possible to import self-signed certificates on necessary components, this is not recommended in a production environment.

In my home lab, I have installed a Microsoft Certificate Authority. I followed this blog article to setup my Microsoft CA:

How to setup Microsoft Active Directory Certificate Services [AD CS]

I then referenced the VMware KB article for creating a CA template to use for my vRA deployment:

Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.0 (2112009)

Creating and Publishing a Certificate Template

Referencing the KB article, I created the certificate template using the following steps.

Open the MMC console for Certificate Templates:

  • Click File and select Add/Remove Snap-in
  • Select Certificate Templates in Available Snap-Ins and click Add
  • Click OK
  • From the right pane, right-click Web Server template
  • Click Duplicate Template

 

1.2.1

In the Properties of New Template dialog box:

  • Click the General tab
  • Type the name of the template in Template name text box

1.2.2

1.2.3

In the Properties of New Template dialog box:

  • Click the Subject Name tab
  • Select the Supply in the request radio button

1.2.4

In the Properties of New Template dialog box:

  • Click the Security tab
  • Assign Full Control privileges to the domain administrator
  • Assign Full Control privileges to the computer issuing this certificate
  • Click OK

1.2.5

Open the MMC console for Certification Authority for the domain:

  • Right-click Certificate Templates
  • Select New > Certificate Template to Issue

1.2.6

In the Enable Certificate Templates dialog box:

  • Select the certificate created in the above steps
  • Click OK

1.2.7

1.2.8

Now the certificate template is published and ready to use. The table below details the certificates which are required for an enterprise large deployment with HA using embedded vRO instances.

vRealize Automation Certificate Requirements for High Availability

| Certificate Common Name | Application Role | Encoding Needed |
|---|---|---|
| vra-portal.testlab.com | vRealize Automation Appliances | PEM and unencrypted key |
| vra-web.testlab.com | IaaS Web Servers | PKCS12 |
| vra-mgr.testlab.com | IaaS Manager Services | PKCS12 |

 

Generating SSL Certificates

Now we will create the PKCS12 formatted certificates for the vRA IaaS Windows components and the PEM encoded certificate for the vRA appliances. You will need a machine with OpenSSL installed to generate the Certificate Signing Requests and perform the format conversions, plus access to the Certificate Services server to generate the signed certificates. The process shown below uses Microsoft Active Directory Certificate Services.

Prepare for certificate generation using the following procedure:

  • Install OpenSSL on the machine where you will generate the certificates.
  • Create a base folder (D:\Certs in this example) with separate sub-folders for each vRealize Automation component.
  • Within the base folder, create three subfolders named as follows:
    • vrava
    • IaaSWeb
    • IaaSMgr

1.2.9

Log in to the Microsoft Certificate Authority web interface, for example:

1.2.10

From the Download a CA Certificate, Certificate Chain, or CRL page:

  • Click Base 64
  • Click the Download CA certificate chain link
  • Save the certificate chain as cachain.p7b in the D:\Certs folder
  • Click the Download CA certificate link
  • Save the CA certificate as RootCA.crt in the D:\Certs folder

1.2.11

1.2.12

1.2.13

1.2.14

Create a configuration file for the vRealize Automation appliances using the format shown below:

  • Use the configuration details (shown in the sample code block below) and alter items highlighted in red.
  • Save the configuration file to D:\Certs\vRAva\vra-portal.cfg

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS: vra-portal, DNS: vra-portal.testlab.com, DNS: vratestlab01, DNS: vratestlab01.testlab.com, DNS: vratestlab02, DNS: vratestlab02.testlab.com

[ req_distinguished_name ]
countryName = UK
stateOrProvinceName = Kent
localityName = Staplehurst
0.organizationName = Testlab
organizationalUnitName = vRealizeAutomation
commonName = vra-portal.testlab.com

 

Run the following OpenSSL command to generate the certificate request and the private key for this certificate:

openssl req -new -nodes -out D:\Certs\vRAva\vra-portal.csr -keyout D:\Certs\vRAva\vra-portal.key -config D:\Certs\vRAva\vra-portal.cfg

NOTE: Remember to replace the path and file names as required.

1.2.15

1.2.16

Run the following OpenSSL command to convert the keys to the RSA format required by the vRA appliances:

openssl rsa -in D:\Certs\vRAva\vra-portal.key -out D:\Certs\vRAva\vra-portal.key

 

1.2.17

Go back to the home page of the Certificate Server.

Click Request a certificate.

1.2.18

Click advanced certificate request.

1.2.19

Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

1.2.20

On the Submit a Certificate Request or Renewal Request page:

  • Open the vra-portal.csr file, generated in the step above, in notepad or notepad++
  • Copy and paste the contents into the Base-64-encoded certificate request text box
  • Select the template created using the Certificate Template process, VRA
  • Click Submit

1.2.21

Click the Base-64 encoded radio button on the certificate-issued screen. Click the Download Certificate link.

Save the certificate as D:\Certs\vRAva\vra-portal.cer

1.2.22

Click the Download Certificate chain link.

Save the certificate chain as D:\Certs\vRAva\cachain.p7b.

Go to D:\Certs\vRAva and double-click the cachain.p7b file.

Right-click the root certificate, select All Actions > Export, and click Next.

1.2.23

Select Base64-encoded X.509 (.CER) and click Next.

 

1.2.24

Save the export as D:\Certs\Root64.cer

Click Next

1.2.25

Click Finish then OK

1.2.26

1.2.27

Run the following OpenSSL command to convert the certificates to PKCS12 format:

openssl pkcs12 -export -in D:\Certs\vRAva\vra-portal.cer -inkey D:\Certs\vRAva\vra-portal.key -certfile D:\Certs\Root64.cer -name vra-portal -passout pass:VMware1! -out D:\Certs\vRAva\vra-portal.pfx

 

1.2.28

Run the following OpenSSL command to convert the certificates to PEM format:

openssl pkcs12 -nokeys -in D:\Certs\vRAva\vra-portal.pfx -inkey D:\Certs\vRAva\vra-portal.key -out D:\Certs\vRAva\vra-portal.pem -nodes -passin pass:VMware1!

 

1.2.29

Once this has completed, you now have the CA signed SSL certificates for the vRA appliances.

Repeat the above steps to generate the certificate for the vRealize Automation IaaS Web servers, remembering you do not need to complete the last step converting the certificates to PEM format.

Create a configuration file for the vRealize Automation IaaS Web servers using the format shown below:

  • Use the configuration details (shown in the sample code block below) and alter items highlighted in red.
  • Save the configuration file to D:\Certs\IaaSWeb\vra-web.cfg

 

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS: vratestlab03, DNS:vratestlab03.testlab.com, DNS: vratestlab04, DNS:vratestlab04.testlab.com, DNS: vra-web, DNS: vra-web.testlab.com

[ req_distinguished_name ]
countryName = UK
stateOrProvinceName = Kent
localityName = Staplehurst
0.organizationName = Testlab
organizationalUnitName = vRealizeAutomationIaaSWeb
commonName = vra-web.testlab.com

 

Repeat the above steps to generate the certificate for the vRealize Automation IaaS Manager servers, remembering you do not need to complete the last step converting the certificates to PEM format.

Create a configuration file for the vRealize Automation IaaS Manager servers using the format shown below:

  • Use the configuration details (shown in the sample code block below) and alter items highlighted in red.
  • Save the configuration file to D:\Certs\IaaSMgr\vra-mgr.cfg

 

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS: vratestlab05, DNS: vratestlab05.testlab.com, DNS: vratestlab06, DNS: vratestlab06.testlab.com, DNS: vra-mgr, DNS: vra-mgr.testlab.com

[ req_distinguished_name ]
countryName = UK
stateOrProvinceName = Kent
localityName = Staplehurst
0.organizationName = Testlab
organizationalUnitName = vRealizeAutomationIaaSMgr
commonName = vra-mgr.testlab.com
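
The following pre-flight check is an added example, not part of the original post: it parses a request configuration like the three above and reports problems before the CSR is submitted, chiefly a commonName or node name missing from subjectAltName, which is the field clients match hostnames against. The function names, the list of checks and the shortened sample (the vra-mgr.cfg values from this page) are choices made for this example.

```python
# IaaS Manager request configuration from this page, embedded so the check runs offline.
SAMPLE_CFG = """
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS: vratestlab05, DNS: vratestlab05.testlab.com, DNS: vratestlab06, DNS: vratestlab06.testlab.com, DNS: vra-mgr, DNS: vra-mgr.testlab.com

[ req_distinguished_name ]
commonName = vra-mgr.testlab.com
"""


def parse_openssl_cfg(text):
    """Parse the '[ section ]' / 'key = value' subset of OpenSSL config used here."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections


def san_dns_names(ext):
    """Return the lower-cased DNS entries of a subjectAltName value."""
    pairs = (e.partition(":") for e in ext.get("subjectAltName", "").split(","))
    return [v.strip().lower() for k, _, v in pairs if k.strip().upper() == "DNS" and v.strip()]


def lint_request(cfg_text, required_hosts=()):
    """Return a list of findings; an empty list means none of the checks fired."""
    cfg = parse_openssl_cfg(cfg_text)
    req = cfg.get("req", {})
    ext = cfg.get(req.get("req_extensions", ""), {})
    dn = cfg.get(req.get("distinguished_name", ""), {})
    sans = san_dns_names(ext)
    findings = []
    bits = req.get("default_bits", "")
    if not bits.isdigit() or int(bits) < 2048:
        findings.append("default_bits is missing or below 2048")
    if ext.get("basicConstraints", "").replace(" ", "").upper() != "CA:FALSE":
        findings.append("basicConstraints is not CA:FALSE")
    if "serverAuth" not in [e.strip() for e in ext.get("extendedKeyUsage", "").split(",")]:
        findings.append("extendedKeyUsage lacks serverAuth")
    cn = dn.get("commonName", "").lower()
    if cn not in sans:
        findings.append(f"commonName {cn!r} is not in subjectAltName")
    for host in required_hosts:
        if host.lower() not in sans:
            findings.append(f"required host {host!r} is not in subjectAltName")
    return findings


if __name__ == "__main__":
    nodes = ["vratestlab05.testlab.com", "vratestlab06.testlab.com"]
    print(lint_request(SAMPLE_CFG, nodes) or "no findings")
```

Pass the contents of vra-portal.cfg or vra-web.cfg to lint_request in the same way, with the node FQDNs behind that load-balanced name as required_hosts.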

 

I will continue with the vRA 7 deployment in part 3 of this series, where we can now start deploying the vRA Appliances.