Retiring Certifications and Exams

VMware has recently announced the following VMware Certified Advanced Professional exams are due to expire at the end of September 2018. If you are currently studying for one of these exams, you may want to accelerate your study and schedule the exam soon before availability reduces.

2.3.1

All available exams and certification are detailed on VMware’s certification site and announcements are made in the Education Services blog. For a list of retired or retiring certification exams, you can find information in the Retired Certifications and Exams document.

 

vRA 7.3 AD Integration with a Disjointed Namespace – Part 2

In part 1 of this blog post, I demonstrated the impact of configuring vRA Directories Management using IWA in a disjointed namespace. In this blog post, I will now cover the procedure to remediate and recover vRA to an operational state.

The high level steps required to remediate vRA are listed in order below:

  1. Take a snapshot of all vRA nodes
  2. Change the Master vRealize Automation Appliance Host Name – Change the Master vRA Appliance Host Name
  3. Change a Replica vRealize Automation Appliance Host Name – (if applicable) (on all replica nodes) – Change a Replica vRA Appliance Host Name
  4. Reset RabbitMQ cluster from the primary vRA appliance VAMI – Reset RabbitMQ
  5. Re-install the vRA IaaS management agents on each vRA IaaS node

 

I will assume readers of this blog know how to take a snapshot of all the vRA nodes and detail from step 2 onwards.

Change the Master vRealize Automation Appliance Host Name

Ensure your DNS A and PTR records are updated if required. In my use case, I did not need to update any DNS records.

Go to the vRealize Automation master appliance management console by opening a connection using its FQDN:

Example: https://vratestlab01.testlab.com:5480/

Log in with the root username and password.

2.0.1

Select Network > Address and enter the required FQDN of the master vRA appliance in the hostname field

Click Save Settings

2.0.2

Logon to the console of the master vRA Appliance and run the following script:

/usr/lib/vcac/tools/change-hostname/change-hostname.sh old-master-FQDN new-master-FQDN

Example:
/usr/lib/vcac/tools/change-hostname/change-hostname.sh vratestlab01.offprem.cloud.test.group vratestlab01.testlab.com

Validate the hostname change by entering hostname -f after the script completes

2.0.3

Logon to the console of all replica vRA Appliance and run the following script:
Note: This script is only executed on all replica nodes and not the master/primary node.

sed -i “s/old-master-FQDN/new-master-FQDN/g” “/etc/haproxy/conf.d/10-psql.cfg” “/etc/haproxy/conf.d/20-vcac.cfg”

Example:
sed -i “s/vratestlab01.offprem.cloud.test.group/vratestlab01.testlab.com/g” “/etc/haproxy/conf.d/10-psql.cfg” “/etc/haproxy/conf.d/20-vcac.cfg”

2.0.4

Change a Replica vRealize Automation Appliance Host Name

Ensure your DNS A and PTR records are updated if required. In my use case, I did not need to update any DNS records.

Go to the vRealize Automation replica appliance management console by opening a connection using its FQDN:

Example: https://vratestlab02.testlab.com:5480/

Log in with the root username and password.

2.0.5

Select Network > Address and enter the required FQDN of the replica vRA appliance in the hostname field

Click Save Settings

2.0.6

Logon to the console of the replica vRA Appliance and run the following script:

/usr/lib/vcac/tools/change-hostname/change-hostname.sh old-replica-FQDN new-replica-FQDN

Example:
/usr/lib/vcac/tools/change-hostname/change-hostname.sh vratestlab02.offprem.cloud.test.group vratestlab02.testlab.com

Validate the hostname change by entering hostname -f after the script completes

2.0.7

Logon to the console of all other vRA Appliances in the cluster, including the master and run the following script:

sed -i “s/old-replica-FQDN/new-replica-FQDN/g” “/etc/haproxy/conf.d/10-psql.cfg” “/etc/haproxy/conf.d/20-vcac.cfg”

Example:
sed -i “s/vratestlab02.offprem.cloud.test.group/vratestlab02.testlab.com/g” “/etc/haproxy/conf.d/10-psql.cfg” “/etc/haproxy/conf.d/20-vcac.cfg”

2.0.8

Reset RabbitMQ Cluster

Go to the vRealize Automation master appliance management console by opening a connection using its FQDN:

Example: https://vratestlab01.testlab.com:5480/

Log in with the root username and password.

2.0.9

 

Select vRA Settings > Messaging

Click Reset RabbitMQ Cluster

Click OK to confirm

2.0.10

2.0.11

Restart the master vRealize Automation appliance.

Restart all replica vRealize Automation appliances, one at a time.

Re-install the vRA IaaS management agents on each vRA IaaS node

Logon to the first vRA IaaS node and open a browser.

Navigate to the vRealize Automation IaaS Installation page at https://<vra-appliance-fqdn&gt;:5480/installer

Click Management Agent Installer

2.0.12

Browse to the local directory where you saved the installer, on the IaaS node.
Note: You will need to uninstall the vRA IaaS Management Agent first.

Right click on the vCAC-IaaSManagementAgent-Setup.msi file and select Install.

When the setup wizard opens, click Next.

2.0.13

On the End-User License Agreement screen of the Management Agent Setup Wizard, check the box I accept the terms of this agreement.

Click Next.

2.0.14

On the Destination Folder screen, select a destination folder by clicking Change, or accept the default installation path.

Click Next.

2.0.15

On the Management Site Service screen:

In the vRA appliance load balancer address text box, specify the vRealize Automation appliance URL, for example: <https://vra-portal.testlab.com:5480&gt;

In the Root username text box, enter the vRealize Automation appliance username <root>.

In the Password text box, enter the vRealize Automation appliance <password>.

In the Management Site Service certificate SHA1 fingerprint text box, click Load.

Select the I confirm the fingerprint matches the Management Site SSL Certificate check box.

Click Next.

2.0.16

Enter the AD domain service account details for the vRA Management Agent, for example, testlab\svc_vra_mgr01

Enter the password for the AD service account

Click Next.

2.0.17

 Click Install

2.0.18

Once the installation has completed successfully, click Finish to exit the Management Agent installation wizard.

2.0.19

Verify the VMware vRealize Automation Management Agent is running on the primary IaaS Web Server in Server Manager by going to Tools > Computer Management > Services.

Verify the Logon as Service account is configured to use the vRealize Automation Service Account, for example, testlab\svc_vra_iaas01.

2.0.20

Verify the vRealize Automation Management agents config file is updated to the changed FQDN for the vRealize Automation appliance nodes in the deployment.

The file is located at: <install_path>\VMware\vCAC\Management Agent\VMware.IaaS.Management.Agent.exe.Config

2.0.21

Re-install the vRA IaaS Management agents on all remaining vRA IaaS nodes, verifying the endpoint addresses are updated to the required FQDN on each node.

Go to the vRealize Automation master appliance management console by opening a connection using its FQDN: https://vratestlab01.testlab.com:5480/

Log in with the root username and password.

Navigate to vRA Settings > Cluster and verify the configuration. Expand the Host / Node Name to validate the roles assigned to each node.

Verify all nodes now appear are in a healthy state by checking their Last Connected time from the VAMI of the primary vRA appliance

 

  • Ensure the IaaS nodes have a last connected time of less than 30 seconds
  • Ensure the vRA appliances have a last connected time of less than 10 minutes

2.0.23

Navigate to vRA Settings > Database and verify the configuration.

Ensure the replication mode is Asynchronous

Check the Connection Status is CONNECTED

Verify the primary vRA appliance is the MASTER node and the secondary vRA appliance is the REPLICA node.

Ensure both Postgres DB nodes have a status of Up

2.0.24

Navigate to Services and confirm all services have a status of REGISTERED.

Note: Verify the vRA Appliance services on all vRA nodes.

Navigate to vRA Settings > Messaging

Verify the Connection Status is CONNECTED

Verify the RabbitMQ Process is Running

Verify the status of the RabbitMQ Cluster and all nodes are Connected

Note: Reset the RabbitMQ Cluster from the master vRA Appliance if you have errors.

2.0.26

Login to the vRA portal, navigate to Administration > Directories Management > Directories

Verify directory synchronisation is now successful.

Verify you are now able to login to the vRA portal with an Active Directory account.

2.0.27

This concludes the blog post and whilst I appreciate this may be a corner case, hopefully, you have found this information useful. I’m expecting the public VMware documentation to updated for this use case, although, there are not any guarantees.

 

 

vRA 7.3 AD Integration with a Disjointed Namespace – Part 1

During a recent vRA 7.3 enterprise deployment at a customer site, I was required to configure vRA Directories Management to support AD user authentication. The customer had the following constraints, which impacted the expected outcome of this configuration.

  • Non-Windows machines were not allowed to register their DNS A or PTR records in the Active Directory integrated DNS domain.
  • Active Directory integration must be configured using Integrated Windows Authentication if the product supports IWA and LDAP is not permitted
  • Computer objects will be pre-staged in the Active Directory domain
  • vRA appliances and vRA IaaS nodes DNS records were located in different namespaces

This meant we needed to configure an Active Directory IWA to support user authentication using the Directory Management feature however, the AD domain name and DNS zone was a different namespace to the FQDN of the vRA appliances.

In this blog post, I will recreate this use case using the domains below to demonstrate the impact of configuring vRA Directories Management using IWA in a disjointed namespace. I will cover the procedure to remediate the configuration in a part 2.

For further information on disjointed namespaces, please refer to the Microsoft article: Disjoint Namespace

  • vRealize Automation appliances and vRA IaaS nodes are using an AD domain named testlab.com. All these host are configured as <hostname>.testlab.com and name resolution is provided by AD integrated DNS. The vRA IaaS Windows servers are members of the testlab.com domain.
  • vRA is required to support user authentication from an Active Directory domain named offprem.cloudtest.com, as such, considering the constraints, vRA Directories Management will be required to use offprem.cloudtest.com as an identity source for synchronisation

Configure a vRA Active Directory over IWA Connection for Directories Management

Login to the vRA default tenant as a local user with Tenant Administrator privileges

1.9.1

Select Administration > Directories Management > Directories

1.9.2

Click Add Directory and select Add Active Directory over LDAP/IWA.

1.9.3

On the Add Directory page, specify the following:

Enter a Directory Name for the AD domain in the Directory Name text box.

Select the Active Directory (Integrated Windows Authentication) radio button

Select the primary vRA appliance as the Sync Connector from the dropdown list

Do you want this Connector to also perform authentication? Select the Yes radio button

Select sAMAccountName  as the Directory Search Attribute

Enter the name of the AD domain to join and the domain admin credentials.

Enter the Bind User Details in UPN format

Click Save & Next

1.9.4

1.9.5

On the Select the Domains page, select the domains which should be associated with this AD connection.

Click Next

1.9.6

The Directories Management attributes are mapped to the Active Directory attributes. Review and update as required.

Click Next

1.9.7

Select the groups you would like to synchronise from Active Directory

Click Next

1.9.8

Select the users you would like to synchronise from Active Directory

Click Next

1.9.9

Review the page to see how many users and groups will be syncing to the directory.

Click Sync Directory

1.9.10

1.9.11

1.9.12

Symptoms of Configuring Active Directory IWA with a Disjointed Namespace

Configure Directories Management for High Availability

When configuring Directories Management for High Availability, you add the secondary connector to the identity provider, save the settings successfully but the configuration does not remain persistent.

Select Administration > Directories Management > Identity Providers

1.9.13

Click the Add a Connector drop-down list, and select the connector that corresponds to your secondary vRealize Automation appliance.

Enter the appropriate password in the Bind DN and Domain Admin Password fields.

Click Save.

1.9.14

1.9.15

The connector configuration is not saved. This could but just be a UI issue but is an observed symptom I have only witnessed in this use case.

vRA Appliance Hostname

The vRA Appliance hostname in the VAMI network tab has been updated to use the short name.

1.9.17

The hostname of the appliance in the OS has been updated with the FQDN of the IWA AD domain, which in my use case is not resolvable.

1.9.18

vRealize Automation VAMI Cluster

When viewing the vRA Cluster information in the VAMI, the node list is empty.

1.9.19

vRA IaaS Management Agents

The vRealize Automation Management agents config file is updated to the changed FQDN for the vRealize Automation appliance on every vRA IaaS node in the deployment.

The file is located at: <install_path>\VMware\vCAC\Management Agent\VMware.IaaS.Management.Agent.exe.Config

1.9.20

In part 2 of this blog, I will demonstrate how to remediate this use case, and complete the configuration of vRA Directories Management using Active Directory with Integrated Windows Authentication in a disjointed namespace.

vRA 7 Enterprise Deployment – Part 5 – vRealize Automation Deployment Wizard

Following on from the vRA 7 Enterprise Deployment Part 4, this blog continues the series with the installation of the vRealize Automation Deployment Wizard to complete the Enterprise Deployment vRealize Automation. Since vRA 7.0 release, the vRA deployment wizard was introduced to complete the pre-requisite configuration and automated deployment of the vRA IaaS components. It is initiated by default after the deployment of a vRealize Automation appliance and can be accessed from primary vRA virtual appliance Virtual Appliance Management Interface (VAMI) on port 5480. You will need to logon as the root account and then you are presented with the vRA Deployment Wizard.

Installation Steps using the Installation Wizard

Log in to the first IaaS Web Server host with the domain service account that will be used to perform the installation and will also run the Windows service for the vCAC Management Agent.
Example first Web Server: vratestlab03.testlab.com
Example Domain Service Account: (testlab\svc_vra_iaas01) ensure member of local admins and remote desktop users

Go to the first deployed vRealize Automation appliance management console by opening a connection using its FQDN: https://vratestlab01.testlab.com:5480/

Note: You need to perform these steps on the first Windows Server you will use as the primary IaaS Web Server host, ensuring that the server has full network access to all vRealize Automation and IaaS Web, Manager, DEM, and Proxy Agent servers to perform the Management Agent installation.

Click I Understand the Risks, and click Add Exception to accept the certificate.

Click Confirm Security Exception.

1.8.1

Log in using the user name root and the password you specified when you deployed the vRealize Automation appliance.

Click Login.

1.8.2

On the Welcome to the vRealize Automation Wizard page.

Click Next to continue.

1.8.3

On the End User License Agreement page, click I accept the terms of this agreement.

Click Next to continue.

1.8.4

On the Deployment Type page, select the Enterprise deployment option.

Click Next to continue.

Ensure Install Infrastructure as a Service is selected

1.8.5

On the Installation Prerequisites page:

Select one of the appropriate NTP time synchronization options to use among virtual appliances and IaaS servers. For the Virtual Appliance Time Sync. Mode, choose between the Use Host Time or Use Time Server radio button options.

Click Change Time Settings to save the time synchronization method.

Check that the list of IaaS Server host names matches those in the IaaS Management Agent Deployment Information table.

Note: If one of the Windows servers does not appear in the list of IaaS Host Name and does not show it is connected, do not proceed with the installation until the problem is identified and resolved with the IaaS Management Agent. When all Windows servers with IaaS Management Agents report as connected, proceed with the vRealize Automation Installation Wizard.

Click Next.

1.8.6

On the vRealize Appliances page:

Click the green 1.8.0 to add the second vRealize Automation Appliance:

Host: Example: vratestlab02.testlab.com

Admin User: root

Password: Enter your root password

 

Click Next to continue.

Click OK to proceed after the warning for untrusted host message is displayed.

1.8.7

1.8.8

On the Server Roles page, check off the following server roles applicable to the vRealize Automation high availability deployment:

Primary Web (with Model Manager data) Service:

<vratestlab03.testlab.com>

Other Webs:

<vratestlab04.testlab.com>

Manager Service:

  • <vratestlab05.testlab.com>
  • <vratestlab06.testlab.com>

DEM & Proxy Agent:

  • <vratestlab07.testlab.com>
  • <vratestlab08.testlab.com>

Click Next to continue.

1.8.9

1.8.10

On the Pre-requisite Checker page, click Run.

1.8.11

The prerequisite checker will check for installation prerequisites and display the validation results on the Pre-requisite Checker page.

Wait for the prerequisite checker Status to reflect the validation status by changing from pending to Ok.

After the prerequisites checker validation has completed, verify that the status is reported as OK for all IaaS hosts.

For any IaaS hosts that report prerequisites are not met, click Show Details to expand the view and show the Action required to fix the prerequisites

1.8.12

1.8.13

Click the Hide Details link to collapse the Show Details view.

Click Fix to allow the prerequisites checker to perform any required fixes.

A Loading message will be displayed while the background processes start to fix the reported prerequisite issues.

On the Prerequisites Checker page, wait for the prerequisites checker to complete the fix for each IaaS Host in the IaaS Host Name list.

After the prerequisites checker has completed all fixes to IaaS hosts, the Status column should report OK with all green check marks.

Click Next to continue.

1.8.14

On the next vRealize Automation Host page, enter the vRealize Address that is the DNS Alias or FQDN of the vRealize Automation Load Balancer.

DO NOT CLICK NEXT AT THIS POINT!

You must first create the DNS Alias (CNAME) in DNS (before proceeding) if the initial deployment is not already configured with a load balancer, but you plan to configure the load balancer after the installation is completed.

If, at this point in the deployment a load balancer is introduced, verify that the load balancer VIPs and monitors are configured correctly.

Ensure you have setup your load balancer as per the vRA Load Balancing guide and test resolution of your DNS records.

vRealize Automation Load Balancing

Click Next to continue.

1.8.15

On the Single Sign-On page, enter the following:

  • Administrator password: <password>
  • Confirm password: <password>

Click Next to continue.

1.8.16

On the IaaS Host page, enter the following:

IaaS Web Address: <web-service load balancer address FQDN>

For example: vra-web.testlab.com

Manager Service Address: <vra-manager service load balancer address FQDN>

For example: vra-mgr.testlab.com

Security Passphrase: <passphrase>

Confirm Passphrase: <passphrase>

Click Next to continue.

1.8.17

On the Microsoft SQL Server page, enter the following:

Server name: <sqlserver\instance>

For example: sqltestlab01\inst01

Database name: <dbname>

For example: IaaS01

Select the Windows Authentication check box.

Note: If your SQL server uses SSL certificates, deselect Default settings for further configuration options.

Click Validate to verify Microsoft SQL Server connectivity and permissions to create the database.

1.8.19

After the validation is successful, a green check mark will appear, indicating all parameters are valid.

Click Next to continue.

1.8.20

On the Web Role page, enter the following:

 

Website Name: <Default Web Site>

Example: Default Web Site

Port: <443>

Example default port: 443

In the IaaS Web Servers section of the page, enter the following information for all of the IaaS hosts listed:

 

Username: testlab\svc_vra_iaas01

Password: <password>

Installation Path: <optional>

Click Validate to validate the authentication to the IaaS Web Server hosts.

1.8.21

After the validation is successful, a green check mark will appear indicating that all parameters are valid.

Click Next to continue.

1.8.22

On the Manager Service Role page, enter the following:

Select the Active checkbox box for the Manager service role corresponding to an IaaS hostname,

Example:  vratestlab05.testlab.com

Username: testlab\svc_vra_mgr01

Password: <password>

Installation Path: <optional>

Click Validate to validate the authentication to the IaaS Manager Service Hosts.

1.8.23

After the validation is successful, a green check mark will appear indicating that all the parameters are valid.

Click Next to continue.

1.8.24

On the Distributed Execution Managers page, enter the following:

(Optional) Select the Green 1.8.0  plus sign to add more Distributed Execution Manager hosts.

Select the IaaS host name service role from the drop-down,

Example: vratestlab07.testlab.com

Username: testlab\svc_vra_demw01

Password: <password>

Installation Description: <optional>

Installation Path: <optional>

Click Validate to validate the authentication to the IaaS DEM hosts.

1.8.25

After the validation is successful, a green check mark will appear indicating that all parameters are valid.

Click Next to continue.

1.8.26

On the Agents page, enter the following:

(Optional) Select the Green 1.8.0 plus sign to add more Agent hosts.

Select the IaaS Host Name service role from the drop-down,

Example: vratestlab07.testlab.com

Select the Agent Type from the drop-down, for example: vSphere

Agent Name: vmatestlab02

Endpoint:  vmatestlab02

Installation Description: <optional>

Username: testlab\svc_vra_vc01

Installation Path: <optional>

Note: Ensure the Agent Name and Endpoint name match.

Click Validate to validate the authentication to the IaaS DEM hosts.

1.8.27

After the validation is successful, a green check mark will appear indicating that all parameters are valid.

Click Next to continue.

1.8.28

On the vRealize Appliance Certificate page, select Import for the PEM-encoded certificate generated from a certificate authority for the vRealize Automation Appliance.

Open the vra-portal.key file for your vRealize Automation appliances in a text editor and paste the contents of the file into the RSA Private Key text box.

Open the vra-portal.pem file for your vRealize Automation appliances in a text editor and paste the contents into the Certificate Chain text box.

Enter the password used when generating the certificates into the Pass Phrase text box.

Click Save Imported Certificate.

Click Next to continue.

1.8.29

1.8.30

On the Web Certificate page, select Import Certificate for the PEM-encoded certificate generated from a certificate authority for the vRealize Automation IaaS Web Server hosts.

Open the vra-web.key file for your IaaS Web Server hosts in a text editor and paste the contents of the file into the RSA Private Key text box.

Open the vra-web.pem file for your IaaS Web Server hosts in a text editor and paste the contents into the Certificate Chain text box.

Enter the password used when generating the certificates into the Pass Phrase text box.

Click Save Imported Certificate.

Click Next to continue.

1.8.31

1.8.32

On the Manager Service Certificate page, select Import Certificate for the PEM-encoded certificate generated from a certificate authority for the vRealize Automation IaaS Manager Server hosts.

Open the vra-mgr.key file for your IaaS Manager Server hosts in a text editor and paste the contents of the file into the RSA Private Key text box.

Open the vra-mgr.pem file for your IaaS Manager Server hosts in a text editor and paste the contents into the Certificate Chain text box.

Enter the password used when generating the certificates into the Pass Phrase.

Click Save Imported Certificate.

Click Next to continue.

1.8.33

1.8.34

On the Load Balancers page, review the configuration of vRealize Automation components.

Verify the entries for Load Balancer Address and the Load Balancer members are correct.

Example load balancer addresses:

  • vra-portal.testlab.com
  • vra-web.testlab.com
  • vra-mgr.testlab.com

Click Next to continue.

1.8.35

On the Validation page, click Validation.

1.8.36

On the Validation page, the status is updated to reflect Validation is in progress.

Wait for the validation to report status on each Host Name\Instance and change from Pending to Succeeded in the Command Status column.

Wait for all validation tests to report 100% with validation completed.

Note: If any of the Validation tasks fail, do not click Next until every problem is resolved. The validation can be run again after problems are corrected with each hostname or instance.

Click Next to continue.

1.8.37

 

Next, within vCenter, create VM snapshots of all vRealize Automation appliances and IaaS Server hosts. Wait for the VM snapshots to complete before proceeding.

On the Create Snapshots page, click Next to continue.

1.8.39

On the Installation Details page, click Install.

1.8.40

As the installation continues, the Installation Details page reports the status of the Installation in progress with the percentage complete.

After the installation is finished, click Next to continue.

1.8.42

1.8.43

On the Licensing page:

Enter the New License Key: <license key>

Click Submit Key.

Click Next to continue.

1.8.46

1.8.47

On the Telemetry page, select your option then click Next to continue.

1.8.48

On the Initial Content Configuration page, click Next to continue.

After the Installation Wizard reports that installation was successful, click Finish to complete the installation.

1.8.52

 

vRA 7 Deployment Validation

Once the installation has completed, connect to the primary vRA appliance VAMI to validate the configuration.

Log in using the user name  root and the password you specified when you deployed the vRealize Automation appliance.

Click Login.

1.8.54

Navigate to vRA Settings > Host Settings and verify the configuration.

Verify the Host Name is set to the FQDN of the ViP DNS name.

Verify the SSL Configuration is using the imported certificate

1.8.55

Navigate to vRA Settings > Cluster and verify the configuration. Expand the Host / Node Name to validate the roles assigned to each node.

Verify all nodes are in a healthy state by checking their Last Connected time from the VAMI of the primary vRA appliance

  • Ensure the IaaS nodes have a last connected time of less than 30 seconds
  • Ensure the vRA appliances have a last connected time of less than 10 minutes
    • Note: The screenshot is from my vRA 7.3 environment

1.8.56

Navigate to vRA Settings > Database and verify the configuration.

Ensure the replication mode is Asynchronous

Check the Connection Status is CONNECTED

Verify the primary vRA appliance is the MASTER node and the secondary vRA appliance is the REPLICA node.

Ensure both Postgres DB nodes have a status of Up

1.8.57

Navigate to Services and confirm all services have a status of REGISTERED.

1.8.58

This concludes part 5 of this vRealize Automation Enterprise installation series and vRealize Automation is now installed. I will continue with the vRA 7 series, where we can now start configuring the post vRA 7 deployment elements.

 

 

 

 

 

 

vRA 7 Enterprise Deployment – Part 4 – vRealize Automation IaaS Management Agent Installation

Following on from the vRA 7 Enterprise Deployment Part 3, this blog continues the series with the installation of the vRealize Automation IaaS management agent on the IaaS nodes.

Since vRA 7.0 release, the vRA deployment wizard was introduced to complete the pre-requisite configuration and automated deployment of the vRA IaaS components. This is a massive improvement over the vRA 6.x procedure and more reliable. Before proceeding with the vRA Deployment Wizard, each vRA IaaS node requires the vRA Management Agent to be installed. Once installed, the host is registered with the primary vRA appliance.

Exception:  Java 64-bit is required on the IaaS Web servers and cannot be pushed by the deployment wizard. You must install a supported 64-bit version of Java and add the “JAVA_HOME” system variable on each IaaS Web server you plan to use prior to commencing with the vRA Deployment Wizard.

Further information can be found in the VMware documentation here: IaaS Web Service and Model Manager Server Requirements

As per the vRealize Automation Reference Architecture document, vRealize Automation 7 Reference Architecture, as per the Enterprise (previously known as Large) deployment model, you need to prepare 8 Windows Server VMs ensuring you meet the prerequisites for the vRA deployment wizard. This deployment guide assumes you have a Microsoft SQL Server already deployed which can be used to host the vRA IaaS database.

Ensure you adhere to the vRealize Automation Support Matrix and the Interoperability Guides.

Once you have prepared the following, you can continue with the vRealize Automation installation:

  • 8 x Windows Server VMs
  • Installed a supported version of JRE x64
  • Configure the JAVA_HOME system variable
  • Ensure you have a supported Load Balancer configured with only the primary nodes enabled in the LB pools
  • Created and validated DNS Alias addressed to use for the vRA installation

vRealize Automation Load Balancing

vRealize Automation IaaS Management Agent Installation

Download and Install IaaS Management Agents on the First IaaS Web Server host

Log in to the first IaaS Web Server host with the domain service account that will be used to perform the installation and will also run the Windows service for the vCAC Management Agent.

Note: Ensure the accounts have been setup as per Part 1 of this series.

Example first Web Server: vratestlab03.testlab.com

Example Domain Service Account: (testlab\svc_vra_iaas01) ensure member of local admins and remote desktop users

Go to the first deployed vRealize Automation appliance management console by opening a connection using its FQDN:

https://vratestlab01.testlab.com:5480/

Note: You need to perform these steps on the first Windows Server you will use as the primary IaaS Web Server host, ensuring that the server has full network access to all vRealize Automation and IaaS Web, Manager, DEM, and Proxy Agent servers to perform the Management Agent installation.

Click I Understand the Risks, and click Add Exception to accept the certificate.

Click Confirm Security Exception.

1.7.1

Log in using the user name root and the password you specified when you deployed the vRealize Automation appliance.

Click Login.

1.7.2

On the Welcome to the vRealize Automation Wizard page.

Click Next to continue.

1.7.3

On the End User License Agreement page, click I accept the terms of this agreement.

Click Next to continue.

1.7.4

On the Deployment Type page, select the Enterprise deployment option.

Click Next to continue.

Ensure Install Infrastructure as a Service is selected

1.7.5

1.7.6

On the Installation Prerequisites page:

Click on the vCAC-IaaSManagmentAgent-Setup.msi hyperlink to begin the download the Management Agent installer.

Click Save File to save the installer to a local folder on the primary IaaS Web Server host where you are performing the Management Agent installation from.

1.7.7

 

Browse to the local directory where you saved the installer, on the primary IaaS Web Server host.

Right click on the vCAC-IaaSManagementAgent-Setup.msi file and select Install.

When the setup wizard opens, click Next.

1.7.8

On the End-User License Agreement screen of the Management Agent Setup Wizard, check the box I accept the terms of this agreement.

Click Next.

1.7.9

On the Destination Folder screen, select a destination folder by clicking Change, or accept the default installation path.

Click Next.

1.7.10

On the Management Site Service screen:

In the vRA appliance load balancer address text box, specify the vRealize Automation appliance URL, for example: <https://vra-portal.testlab.com:5480>

In the Root username text box, enter the vRealize Automation appliance username <root>.

In the Password text box, enter the vRealize Automation appliance <password>.

In the Management Site Service certificate SHA1 fingerprint text box, click Load.

Select the I confirm the fingerprint matches the Management Site SSL Certificate check box.

Click Next.

1.7.11

Enter the AD domain service account details for the

vRA Management Agent, for example: testlab\svc_vra_mgr01

Enter the password for the AD service account

Click Next.

1.7.12

Click Install

1.7.13

Once the installation has completed successfully, click Finish to exit the Management Agent installation wizard.

1.7.14

Verify the VMware vRealize Automation Management Agent is running on the primary IaaS Web Server in Server Manager by going to Tools > Computer Management > Services.

Verify the Logon as Service account is configured to use the vRealize Automation Service Account, for example, testlab\svc_vra_iaas01.

1.7.15

Download and Install IaaS Management Agents on all remaining IaaS Web, Manager, DEM, and Agent Servers

The following table lists the host name information for the vRA IaaS nodes in my homelab, where the IaaS Management Agent for each IaaS Server component will be installed. You can use this table as a reference to complete the vRealize Automation Management Agent on all of the vRA IaaS Nodes.

IaaS Management Agent Deployment Information

Component

IaaS Management Agent

Required or N/A

Server FQDN

vRealize Automation Appliances

Appliance

(Management Agent N/A)

vratestlab01.testlab.com

vratestlab02.testlab.com

vRealize Automation Websites

IaaS Web Servers

(Management Agents Required)

vratestlab03.testlab.com

vratestlab04.testlab.com

Manager Service and DEM Orchestrator

IaaS Manager Servers

(Management Agents Required)

vratestlab05.testlab.com

vratestlab06.testlab.com

DEM Workers and Agents

IaaS Agent Servers

(Management Agents Required)

vratestlab07.testlab.com

vratestlab08.testlab.com

Microsoft SQL Server 2012

vRealize Automation IaaS Database

(Management Agent N/A)

sqltestlab01.testlab.com

 

This concludes part 4 of this vRealize Automation Enterprise installation series. I will continue with the vRA 7 deployment in part 5 of this series, where we can now start deploying vRA using the Deployment Wizard.

 

 

vRA 7 Enterprise Deployment – Part 3 – Deploy vRealize Automation Appliances

Following on from the vRA 7 Enterprise Deployment Part 2, this blog continues the series with the initial vRA Appliances deployment.

Deploy the First vRealize Automation Appliance

In the vSphere Web Client, select Actions > Deploy OVF Template

1.6.1

On the Select source page:

  1. Select the Local file option and click Browse.
  2. Go to the location of the identity appliance file having an .ova or .ovf extension, select the file, and click Open.
  3. Click Next to continue.

1.6.2

On the Review details page, review the summary details.

Click Next to continue.

1.6.3

Click Accept on the Accept EULAs page to accept the license agreement.

Click Next to continue.

1.6.4

On the Select name and folder page:

  1. Enter a unique name for the virtual appliance in the Name text box, following the required naming convention. For example: vratestlab01
  2. Select the datacenter and folder location where you want to deploy the virtual appliance.
  3. Click Next to continue.

1.6.5

On the Select a resource page, select the cluster where you want to deploy the virtual appliance.

Click Next to continue.

1.6.6

On the Select storage page, select a datastore with sufficient space.

Click Next to continue.

1.6.7

On the Setup networks page, select the network you want to connect the virtual appliance to, using the Destination drop-down menu.

Click Next.

1.6.8

On the Customize Template page:

  1. Expand Application.
  2. For the Initial root password, provide entries for the Enter password, and Confirm password fields.
  3. Select the Enable SSH service in the appliance check box to enable SSH service.
  4. For Hostname, enter the appliance hostname FQDN, for example: vratestlab01.testlab.com

1.6.9

In the Customize Template dialog box, expand Network Properties and enter the following network properties:

In the Default Gateway text box, enter the default gateway address for the VM, for example: 192.168.140.1

In the Domain Name text box, enter the domain name of this VM, for example: testlab.com

In the Domain Search Path text box, enter the domain search path for this VM, for example: testlab.com

In the Domain Name Servers text box, enter the DNS servers, for example: 192.168.140.4

In the Network 1 IP Address text box, enter the appliance IP Address, for example: 192.168.140.10

In the Network 1 Netmask, enter the appliance Netmask, for example: 255.255.255.0

Click Next to continue.

1.6.10

On the Ready to Complete page, select the Power on after deployment check box.

Click Finish.

1.6.11

Within the vCenter Web Client, verify vRealize Automation has deployed successfully.

Log in to the first Realize Automation Appliance, for example: vratestlab01.testlab.com

1.6.12

Deploy the Second vRealize Automation Appliance

In the vSphere Web Client, select Actions > Deploy OVF Template.

1.6.13

In the Select source dialog box, click Local file and click Browse.

Go to the location of the identity appliance file, having an .ova or .ovf extension, and click Open.

Click Next.

1.6.14

On the Review details page, review the summary details.

Click Next.

1.6.15

Click Accept on the Accept EULAs page to accept the license agreement.

Click Next.

1.6.16

On the Select name and folder page, enter a unique name for the virtual appliance in the Name text box, following the required naming convention.

For example: vratestlab02

Select the datacenter and folder location where you want to deploy the virtual appliance.
Click Next.

 

1.6.17

On the Select a resource page, select the cluster where you want to deploy the virtual appliance.

Click Next.

1.6.18

In the Select storage dialog box, select a datastore with sufficient space.

Click Next.

1.6.19

On the Setup networks page, select the network to which you want to connect the virtual appliance, using the Destination drop-down menu.

Click Next.

1.6.20

In the Customize Template dialog box, expand Application and enter the following application settings:

Specify entries for the Active Directory domain name In the Initial root password, Enter password, and Confirm password text boxes.

Select the Enable SSH service in the appliance check box, to enable SSH service.

In the Hostname text box, enter the appliance hostname FQDN, for example: vratestlab02.testlab.com

1.6.21

On the Customize Template page, expand Network Properties and enter the following properties:

In the Default Gateway text box, enter the default gateway address for the VM. For example: 192.168.140.1

In the Domain Name text box, enter the domain name of this VM. For example: vratestlab02

In the Domain Search Path text box, enter the domain search path for this VM. For example: testlab.com

In the Domain Name Servers text box, enter the DNS servers. For example: 192.168.140.4

In the Network 1 IP Address text box, enter the appliance IP Address: For example: 192.168.140.11

In the Network 1 Netmask, enter the appliance Netmask: For example: 255.255.255.0

Click Next to continue.

1.6.22

On the Ready to Complete page, select the Power on after deployment check box.

Click Finish.

1.6.23

In vCenter Web Client verify vRealize Automation has deployed successfully on the second vRealize Automation Appliance: vratestlab02.testlab.com

1.6.24

vRealize Automation Appliance Deployment Verification

Verify the Deployment of the First vRealize Automation Appliance

Go to the vRealize Automation appliance management console by opening a connection using its FQDN: https://vratestlab01.testlab.com:5480/

1.6.26

Accept the certificate by clicking I Understand the Risks and then clicking Add Exception.

Click Confirm Security Exception.

Log in with the user name root and the password you specified when deploying the vRealize Automation appliance.

1.6.28

The vRealize Automation Installation Wizard is displayed.

Caution – Stop Here and Do NOT Click Next. Verify that all other vRealize Automation appliances have been deployed and are running before proceeding to the next step

Do not cancel or exit out of the wizard at any time. If you exit the wizard, the tool assumes that you will be going through a manual installation and will not let you restart the wizard. Leave this page open and continue on to the next section.

1.6.29

Verify the Deployment of the Second vRealize Automation Appliance

Go to the vRealize Automation appliance management console by opening a connection using its FQDN. For example: https://vratestlab02.testlab.com:5480/

1.6.30

Accept the certificate exception by clicking I Understand the Risks, and clicking Add Exception.

Click Confirm Security Exception.

Log in using the user name root and the password you specified when deploying the vRealize Automation appliance.

1.6.31

The vRealize Automation Installation Wizard is displayed.

Caution – Stop Here and Do NOT Click Next. Verify that all other vRealize Automation appliances have been deployed and are running before proceeding to the next step

Do not cancel or exit out of the wizard at any time. If you exit the wizard, the tool assumes that you will be going through a manual installation and will not let you restart the wizard. Leave this page open and continue on to the next section.

1.6.32

I will continue with the vRA 7 deployment in part 4 of this series, where we can now start deploying the vRA IaaS nodes.

 

 

vRA 7 Enterprise Deployment – Part 2 – Generating Certificates

Following on from vRA 7 Enterprise Deployment Part 1, this blog continues the series with some further planning and preparation before starting with the initial vRA Appliances deployment.

Generating Certificates

A production, distributed vRealize Automation deployment utilises Certificate Authority (CA) signed security certificates as each component communicates exclusively over SSL. While it is possible to import self-signed certificates on necessary components, this is not recommended in a production environment.

In my home lab, I have installed a Microsoft Certificate Authority. I followed this blog article to setup my Microsoft CA:

How to setup Microsoft Active Directory Certificate Services [AD CS]

I then referenced the VMware KB article for creating a CA template to use for my vRA deployment:

Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.0 (2112009)

Creating and Publishing a Certificate Template

Referencing the KB article, I created the certificate template using the following steps.

Open the MMC console for Certificate Templates:

  • Click File and select Add/Remove Snap-in
  • Select Certificate Templates in Available Snap-Ins and click Add
  • Click OK
  • From the right pane, right-click Web Server template
  • Click Duplicate Template

 

1.2.1

In the Properties of New Template dialog box:

  • Click the General tab
  • Type the name of the template in Template name text box

1.2.2

1.2.3

In the Properties of New Template dialog box:

  • Click the Subject Name tab
  • Select the Supply in the request radio button

1.2.4

In the Properties of New Template dialog box:

  • Click the Security tab
  • Assign Full Control privileges to the domain administrator
  • Assign Full Control privileges to the computer issuing this certificate
  • Click OK

1.2.5

Open the MMC console for Certification Authority for the domain:

  • Right-click Certificate Templates
  • Select New > Certificate Template to Issue

1.2.6

In the Enable Certificate Templates dialog box:

  • Select the certificate created in the above steps
  • Click OK

1.2.7

1.2.8

Now the certificate template is published and ready to use. The table below details the certificates which are required for an enterprise large deployment with HA using embedded vRO instances.

vRealize Automation Certificate Requirements for High Availability

Certificate Common Name Application Role Encoding Needed
vra-portal.testlab.com vRealize Automation Appliances PEM and unencrypted key
vra-web.testlab.com IaaS Web Servers PKCS12
vra-mgr.testlab.com IaaS Manager Services PKCS12

 

Generating SSL Certificates

Now we will create the PKCS12 formatted certificates for the vRA IaaS Windows components and the PEM encoded certificate for the vRA appliances. You will need a machine with OpenSSL installed to generate the Certificate Signing Requests and format conversions plus access to the Certificate Services server to generate the signed certificates. The process shown below uses a Microsoft Active Directory Certificate Services.

Prepare for certificate generation using the following procedure:

  • Install OpenSSL on the machine where you will generate the certificates.
  • Create a base folder (D:\Certs in this example) with separate sub-folders for each vRealize Automation component.
  • Within the base folder, create three subfolders named as follows:
    • vrava
    • IaaSWeb
    • IaaSMgr

1.2.9

Log in to the Microsoft Certificate Authority web interface, for example:

1.2.10

From the Download a CA Certificate, Certificate Chain, or CRL page:

  • Click Base 64
  • Click the Download CA certificate chain link
  • Save the certificate chain as cachain.p7b in the D:\Certs folder
  • Click the Download CA certificate link
  • Save the CA certificate as RootCA.crt in the D:\Certs folder

1.2.11

1.2.12

1.2.13

1.2.14

Create a configuration file for the vRealize Automation appliances using the format shown below:

  • Use the configuration details (shown in the sample code block below) and alter items highlighted in red.
  • Save the configuration file to D:\Certs\vRAva\vra-portal.cfg

[ req ]

default_bits = 2048

default_keyfile = rui.key

distinguished_name = req_distinguished_name

encrypt_key = no

prompt = no

string_mask = nombstr

req_extensions = v3_req

 

[ v3_req ]

basicConstraints = CA:FALSE

keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation

extendedKeyUsage = serverAuth, clientAuth

subjectAltName = DNS: vra-portal, DNS: vra-portal.testlab.com, DNS: vratestlab01, DNS: vratestlab01.testlab.com, DNS: vratestlab02, DNS: vratestlab02.testlab.com

 

[ req_distinguished_name ]

countryName = UK

stateOrProvinceName = Kent

localityName = Staplehurst

0.organizationName = Testlab

organizationalUnitName = vRealizeAutomation

commonName = vra-portal.testlab.com

 

Run the following OpenSSL command to generate the certificate request and the private key for this certificate:

openssl req -new -nodes -out D:\Certs\vRAva\vra-portal.csr -keyout D:\Certs\vRAva\vra-portal.key -config D:\Certs\vRAva\vra-portal.cfg

NOTE: Remember to replace the path and file names as required.

1.2.15

1.2.16

Run the following OpenSSL command to convert the keys to the RSA format required by the vRA appliances:

openssl rsa -in D:\Certs\vRAva\vra-portal.key -out D:\Certs\vRAva\vra-portal.key

 

1.2.17

Go back to the home page of the Certificate Server.

Click Request a certificate.

1.2.18

Click advanced certificate request.

1.2.19

Click Submit a certificate Request by using a base- 64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

1.2.20

On the Submit a Certificate Request or Renewal Request page:

  • Open the vra-portal.csr file, generated in the step above, in notepad or notepad++
  • Copy and paste the contents into the Base-64-encoded certificate request text box
  • Select the template created using the Certificate Template process, VRA
  • Click Submit

1.2.21

Click the Base-64 encoded radio button on the certificate-issued screen. Click the Download Certificate link.

Save the certificate as vra-portal in the folder D:\Certs\vRAva\vra-portal.cer

1.2.22

Click the Download Certificate chain link.

Save the certificate chain as cachain.p7b file and navigate to D:\Certs\vRAva\cachain.p7b.

Go to D:\Certs\vRAva and double-click the cachain.p7b file.

Right-click the root certificate, select All Actions > Export, and click Next.

1.2.23

Select Base64-encoded X.509 (.CER) and click Next.

 

1.2.24

Save the export to your D:\Certs\Root64.cer

Click Next

1.2.25

Click Finish then OK

1.2.26

1.2.27

Run the following OpenSSL command to convert the certificates to PKCS12 format:

openssl pkcs12 -export -in D:\Certs\vRAva\vra-portal.cer -inkey D:\Certs\vRAva\vra-portal.key -certfile D:\Certs\Root64.cer -name vra-portal -passout pass:VMware1! -out D:\Certs\vRAva\vra-portal.pfx

 

1.2.28

Run the following OpenSSL command to convert the certificates to PEM format:

openssl pkcs12 -nokeys -in D:\Certs\vRAva\vra-portal.pfx -inkey D:\Certs\vRAva\vra-portal.key -out D:\Certs\vRAva\vra-portal.pem -nodes -passin pass:VMware1!

 

1.2.29

Once this has completed, you now have the CA signed SSL certificates for the vRA appliances.

Repeat the above steps to generate the certificate for the vRealize Automation IaaS Web servers, remembering you do not need to complete the last step converting the certificates to PEM format.

Create a configuration file for the vRealize Automation IaaS Web servers using the format shown below:

  • Use the configuration details (shown in the sample code block below) and alter items highlighted in red.
  • Save the configuration file to D:\Certs\IaaSWeb\vra-web.cfg

 

[ req ]

default_bits = 2048

default_keyfile = rui.key

distinguished_name = req_distinguished_name

encrypt_key = no

prompt = no

string_mask = nombstr

req_extensions = v3_req

 

[ v3_req ]

basicConstraints = CA:FALSE

keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation

extendedKeyUsage = serverAuth, clientAuth

subjectAltName = DNS: vratestlab03, DNS:vratestlab03.testlab.com, DNS: vratestlab04, DNS:vratestlab04.testlab.com, DNS: vra-web, DNS: vra-web.testlab.com

 

[ req_distinguished_name ]

countryName = UK

stateOrProvinceName = Kent

localityName = Staplehurst

0.organizationName = Testlab

organizationalUnitName = vRealizeAutomationIaaSWeb

commonName = vra-web.testlab.com

 

Repeat the above steps to generate the certificate for the vRealize Automation IaaS Manager servers, remembering you do not need to complete the last step converting the certificates to PEM format.

Create a configuration file for the vRealize Automation IaaS Web servers using the format shown below:

  • Use the configuration details (shown in the sample code block below) and alter items highlighted in red.
  • Save the configuration file to D:\Certs\IaaSMgr\vra-mgr.cfg

 

[ req ]

default_bits = 2048

default_keyfile = rui.key

distinguished_name = req_distinguished_name

encrypt_key = no

prompt = no

string_mask = nombstr

req_extensions = v3_req

 

[ v3_req ]

basicConstraints = CA:FALSE

keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation

extendedKeyUsage = serverAuth, clientAuth

subjectAltName = DNS: vratestlab05, DNS: vratestlab05.testlab.com, DNS: vratestlab06, DNS: vratestlab06.testlab.com, DNS: vra-mgr, DNS: vra-mgr.testlab.com

 

[ req_distinguished_name ]

countryName = UK

stateOrProvinceName = Kent

localityName = Staplehurst

0.organizationName = Testlab

organizationalUnitName = vRealizeAutomationIaaSMgr

commonName = vra-mgr.testlab.com

 

I will continue with the vRA 7 deployment in part 3 of this series, where we can now start deploying the vRA Appliances.