Category: vRealize Automation

In part 1 of this blog post, I demonstrated the impact of configuring vRA Directories Management using IWA in a disjointed namespace. In this blog post, I will now cover the procedure to remediate and recover vRA to an operational state.

The high level steps required to remediate vRA are listed in order below:

1. Take a snapshot of all vRA nodes
2. Change the Master vRealize Automation Appliance Host Name – Change the Master vRA Appliance Host Name
3. Change a Replica vRealize Automation Appliance Host Name – (if applicable) (on all replica nodes) – Change a Replica vRA Appliance Host Name
4. Reset RabbitMQ cluster from the primary vRA appliance VAMI – Reset RabbitMQ
5. Re-install the vRA IaaS management agents on each vRA IaaS node

 

I will assume readers of this blog know how to take a snapshot of all the vRA nodes and detail from step 2 onwards.

Change the Master vRealize Automation Appliance Host Name

Ensure your DNS A and PTR records are updated if required. In my use case, I did not need to update any DNS records.

Go to the vRealize Automation master appliance management console by opening a connection using its FQDN:

Example: https://vratestlab01.testlab.com:5480/

Log in with the root username and password.

Select Network > Address and enter the required FQDN of the master vRA appliance in the hostname field

Click Save Settings

Logon to the console of the master vRA Appliance and run the following script:

/usr/lib/vcac/tools/change-hostname/change-hostname.sh old-master-FQDN new-master-FQDN

Example:
/usr/lib/vcac/tools/change-hostname/change-hostname.sh vratestlab01.offprem.cloud.test.group vratestlab01.testlab.com

Validate the hostname change by entering hostname -f after the script completes

Logon to the console of all replica vRA Appliance and run the following script:
Note: This script is only executed on all replica nodes and not the master/primary node.

sed -i “s/old-master-FQDN/new-master-FQDN/g” “/etc/haproxy/conf.d/10-psql.cfg” “/etc/haproxy/conf.d/20-vcac.cfg”

Example:
sed -i “s/vratestlab01.offprem.cloud.test.group/vratestlab01.testlab.com/g” “/etc/haproxy/conf.d/10-psql.cfg” “/etc/haproxy/conf.d/20-vcac.cfg”

Change a Replica vRealize Automation Appliance Host Name

Ensure your DNS A and PTR records are updated if required. In my use case, I did not need to update any DNS records.

Go to the vRealize Automation replica appliance management console by opening a connection using its FQDN:

Example: https://vratestlab02.testlab.com:5480/

Log in with the root username and password.

Select Network > Address and enter the required FQDN of the replica vRA appliance in the hostname field

Click Save Settings

Logon to the console of the replica vRA Appliance and run the following script:

/usr/lib/vcac/tools/change-hostname/change-hostname.sh old-replica-FQDN new-replica-FQDN

Example:
/usr/lib/vcac/tools/change-hostname/change-hostname.sh vratestlab02.offprem.cloud.test.group vratestlab02.testlab.com

Validate the hostname change by entering hostname -f after the script completes

Logon to the console of all other vRA Appliances in the cluster, including the master and run the following script:

sed -i “s/old-replica-FQDN/new-replica-FQDN/g” “/etc/haproxy/conf.d/10-psql.cfg” “/etc/haproxy/conf.d/20-vcac.cfg”

Example:
sed -i “s/vratestlab02.offprem.cloud.test.group/vratestlab02.testlab.com/g” “/etc/haproxy/conf.d/10-psql.cfg” “/etc/haproxy/conf.d/20-vcac.cfg”

Reset RabbitMQ Cluster

Go to the vRealize Automation master appliance management console by opening a connection using its FQDN:

Example: https://vratestlab01.testlab.com:5480/

Log in with the root username and password.

 

Select vRA Settings > Messaging

Click Reset RabbitMQ Cluster

Click OK to confirm

Restart the master vRealize Automation appliance.

Restart all replica vRealize Automation appliances, one at a time.

Re-install the vRA IaaS management agents on each vRA IaaS node

Logon to the first vRA IaaS node and open a browser.

Navigate to the vRealize Automation IaaS Installation page at https://<vra-appliance-fqdn&gt;:5480/installer

Click Management Agent Installer

Browse to the local directory where you saved the installer, on the IaaS node.
Note: You will need to uninstall the vRA IaaS Management Agent first.

Right click on the vCAC-IaaSManagementAgent-Setup.msi file and select Install.

When the setup wizard opens, click Next.

On the End-User License Agreement screen of the Management Agent Setup Wizard, check the box I accept the terms of this agreement.

Click Next.

On the Destination Folder screen, select a destination folder by clicking Change, or accept the default installation path.

Click Next.

On the Management Site Service screen:

In the vRA appliance load balancer address text box, specify the vRealize Automation appliance URL, for example: <https://vra-portal.testlab.com:5480&gt;

In the Root username text box, enter the vRealize Automation appliance username <root>.

In the Password text box, enter the vRealize Automation appliance <password>.

In the Management Site Service certificate SHA1 fingerprint text box, click Load.

Select the I confirm the fingerprint matches the Management Site SSL Certificate check box.

Click Next.

Enter the AD domain service account details for the vRA Management Agent, for example, testlab\svc_vra_mgr01

Enter the password for the AD service account

Click Next.

 Click Install

Once the installation has completed successfully, click Finish to exit the Management Agent installation wizard.

Verify the VMware vRealize Automation Management Agent is running on the primary IaaS Web Server in Server Manager by going to Tools > Computer Management > Services.

Verify the Logon as Service account is configured to use the vRealize Automation Service Account, for example, testlab\svc_vra_iaas01.

Verify the vRealize Automation Management agents config file is updated to the changed FQDN for the vRealize Automation appliance nodes in the deployment.

The file is located at: <install_path>\VMware\vCAC\Management Agent\VMware.IaaS.Management.Agent.exe.Config

Re-install the vRA IaaS Management agents on all remaining vRA IaaS nodes, verifying the endpoint addresses are updated to the required FQDN on each node.

Go to the vRealize Automation master appliance management console by opening a connection using its FQDN: https://vratestlab01.testlab.com:5480/

Log in with the root username and password.

Navigate to vRA Settings > Cluster and verify the configuration. Expand the Host / Node Name to validate the roles assigned to each node.

Verify all nodes now appear are in a healthy state by checking their Last Connected time from the VAMI of the primary vRA appliance

 

• Ensure the IaaS nodes have a last connected time of less than 30 seconds
• Ensure the vRA appliances have a last connected time of less than 10 minutes

Navigate to vRA Settings > Database and verify the configuration.

Ensure the replication mode is Asynchronous

Check the Connection Status is CONNECTED

Verify the primary vRA appliance is the MASTER node and the secondary vRA appliance is the REPLICA node.

Ensure both Postgres DB nodes have a status of Up

Navigate to Services and confirm all services have a status of REGISTERED.

Note: Verify the vRA Appliance services on all vRA nodes.

Navigate to vRA Settings > Messaging

Verify the Connection Status is CONNECTED

Verify the RabbitMQ Process is Running

Verify the status of the RabbitMQ Cluster and all nodes are Connected

Note: Reset the RabbitMQ Cluster from the master vRA Appliance if you have errors.

Login to the vRA portal, navigate to Administration > Directories Management > Directories

Verify directory synchronisation is now successful.

Verify you are now able to login to the vRA portal with an Active Directory account.

This concludes the blog post and whilst I appreciate this may be a corner case, hopefully, you have found this information useful. I’m expecting the public VMware documentation to updated for this use case, although, there are not any guarantees.

 

 

During a recent vRA 7.3 enterprise deployment at a customer site, I was required to configure vRA Directories Management to support AD user authentication. The customer had the following constraints, which impacted the expected outcome of this configuration.

• Non-Windows machines were not allowed to register their DNS A or PTR records in the Active Directory integrated DNS domain.
• Active Directory integration must be configured using Integrated Windows Authentication if the product supports IWA and LDAP is not permitted
• Computer objects will be pre-staged in the Active Directory domain
• vRA appliances and vRA IaaS nodes DNS records were located in different namespaces

This meant we needed to configure an Active Directory IWA to support user authentication using the Directory Management feature however, the AD domain name and DNS zone was a different namespace to the FQDN of the vRA appliances.

In this blog post, I will recreate this use case using the domains below to demonstrate the impact of configuring vRA Directories Management using IWA in a disjointed namespace. I will cover the procedure to remediate the configuration in a part 2.

For further information on disjointed namespaces, please refer to the Microsoft article: Disjoint Namespace

• vRealize Automation appliances and vRA IaaS nodes are using an AD domain named testlab.com. All these host are configured as <hostname>.testlab.com and name resolution is provided by AD integrated DNS. The vRA IaaS Windows servers are members of the testlab.com domain.
• vRA is required to support user authentication from an Active Directory domain named offprem.cloudtest.com, as such, considering the constraints, vRA Directories Management will be required to use offprem.cloudtest.com as an identity source for synchronisation

Configure a vRA Active Directory over IWA Connection for Directories Management

Login to the vRA default tenant as a local user with Tenant Administrator privileges

Select Administration > Directories Management > Directories

Click Add Directory and select Add Active Directory over LDAP/IWA.

On the Add Directory page, specify the following:

Enter a Directory Name for the AD domain in the Directory Name text box.

Select the Active Directory (Integrated Windows Authentication) radio button

Select the primary vRA appliance as the Sync Connector from the dropdown list

Do you want this Connector to also perform authentication? Select the Yes radio button

Select sAMAccountName  as the Directory Search Attribute

Enter the name of the AD domain to join and the domain admin credentials.

Enter the Bind User Details in UPN format

Click Save & Next

On the Select the Domains page, select the domains which should be associated with this AD connection.

Click Next

The Directories Management attributes are mapped to the Active Directory attributes. Review and update as required.

Click Next

Select the groups you would like to synchronise from Active Directory

Click Next

Select the users you would like to synchronise from Active Directory

Click Next

Review the page to see how many users and groups will be syncing to the directory.

Click Sync Directory

Symptoms of Configuring Active Directory IWA with a Disjointed Namespace

Configure Directories Management for High Availability

When configuring Directories Management for High Availability, you add the secondary connector to the identity provider, save the settings successfully but the configuration does not remain persistent.

Select Administration > Directories Management > Identity Providers

Click the Add a Connector drop-down list, and select the connector that corresponds to your secondary vRealize Automation appliance.

Enter the appropriate password in the Bind DN and Domain Admin Password fields.

Click Save.

The connector configuration is not saved. This could but just be a UI issue but is an observed symptom I have only witnessed in this use case.

vRA Appliance Hostname

The vRA Appliance hostname in the VAMI network tab has been updated to use the short name.

The hostname of the appliance in the OS has been updated with the FQDN of the IWA AD domain, which in my use case is not resolvable.

vRealize Automation VAMI Cluster

When viewing the vRA Cluster information in the VAMI, the node list is empty.

vRA IaaS Management Agents

The vRealize Automation Management agents config file is updated to the changed FQDN for the vRealize Automation appliance on every vRA IaaS node in the deployment.

The file is located at: <install_path>\VMware\vCAC\Management Agent\VMware.IaaS.Management.Agent.exe.Config

In part 2 of this blog, I will demonstrate how to remediate this use case, and complete the configuration of vRA Directories Management using Active Directory with Integrated Windows Authentication in a disjointed namespace.

Following on from the vRA 7 Enterprise Deployment Part 4, this blog continues the series with the installation of the vRealize Automation Deployment Wizard to complete the Enterprise Deployment vRealize Automation. Since vRA 7.0 release, the vRA deployment wizard was introduced to complete the pre-requisite configuration and automated deployment of the vRA IaaS components. It is initiated by default after the deployment of a vRealize Automation appliance and can be accessed from primary vRA virtual appliance Virtual Appliance Management Interface (VAMI) on port 5480. You will need to logon as the root account and then you are presented with the vRA Deployment Wizard.

Installation Steps using the Installation Wizard

Log in to the first IaaS Web Server host with the domain service account that will be used to perform the installation and will also run the Windows service for the vCAC Management Agent.
Example first Web Server: vratestlab03.testlab.com
Example Domain Service Account: (testlab\svc_vra_iaas01) ensure member of local admins and remote desktop users

Go to the first deployed vRealize Automation appliance management console by opening a connection using its FQDN: https://vratestlab01.testlab.com:5480/

Note: You need to perform these steps on the first Windows Server you will use as the primary IaaS Web Server host, ensuring that the server has full network access to all vRealize Automation and IaaS Web, Manager, DEM, and Proxy Agent servers to perform the Management Agent installation.

Click I Understand the Risks, and click Add Exception to accept the certificate.

Click Confirm Security Exception.

Log in using the user name root and the password you specified when you deployed the vRealize Automation appliance.

Click Login.

On the Welcome to the vRealize Automation Wizard page.

Click Next to continue.

On the End User License Agreement page, click I accept the terms of this agreement.

Click Next to continue.

On the Deployment Type page, select the Enterprise deployment option.

Click Next to continue.

Ensure Install Infrastructure as a Service is selected

On the Installation Prerequisites page:

Select one of the appropriate NTP time synchronization options to use among virtual appliances and IaaS servers. For the Virtual Appliance Time Sync. Mode, choose between the Use Host Time or Use Time Server radio button options.

Click Change Time Settings to save the time synchronization method.

Check that the list of IaaS Server host names matches those in the IaaS Management Agent Deployment Information table.

Note: If one of the Windows servers does not appear in the list of IaaS Host Name and does not show it is connected, do not proceed with the installation until the problem is identified and resolved with the IaaS Management Agent. When all Windows servers with IaaS Management Agents report as connected, proceed with the vRealize Automation Installation Wizard.

Click Next.

On the vRealize Appliances page:

Click the green  to add the second vRealize Automation Appliance:

Host: Example: vratestlab02.testlab.com

Admin User: root

Password: Enter your root password

 

Click Next to continue.

Click OK to proceed after the warning for untrusted host message is displayed.

On the Server Roles page, check off the following server roles applicable to the vRealize Automation high availability deployment:

Primary Web (with Model Manager data) Service:

<vratestlab03.testlab.com>

Other Webs:

<vratestlab04.testlab.com>

Manager Service:

• <vratestlab05.testlab.com>
• <vratestlab06.testlab.com>

DEM & Proxy Agent:

• <vratestlab07.testlab.com>
• <vratestlab08.testlab.com>

Click Next to continue.

On the Pre-requisite Checker page, click Run.

The prerequisite checker will check for installation prerequisites and display the validation results on the Pre-requisite Checker page.

Wait for the prerequisite checker Status to reflect the validation status by changing from pending to Ok.

After the prerequisites checker validation has completed, verify that the status is reported as OK for all IaaS hosts.

For any IaaS hosts that report prerequisites are not met, click Show Details to expand the view and show the Action required to fix the prerequisites

Click the Hide Details link to collapse the Show Details view.

Click Fix to allow the prerequisites checker to perform any required fixes.

A Loading message will be displayed while the background processes start to fix the reported prerequisite issues.

On the Prerequisites Checker page, wait for the prerequisites checker to complete the fix for each IaaS Host in the IaaS Host Name list.

After the prerequisites checker has completed all fixes to IaaS hosts, the Status column should report OK with all green check marks.

Click Next to continue.

On the next vRealize Automation Host page, enter the vRealize Address that is the DNS Alias or FQDN of the vRealize Automation Load Balancer.

DO NOT CLICK NEXT AT THIS POINT!

You must first create the DNS Alias (CNAME) in DNS (before proceeding) if the initial deployment is not already configured with a load balancer, but you plan to configure the load balancer after the installation is completed.

If, at this point in the deployment a load balancer is introduced, verify that the load balancer VIPs and monitors are configured correctly.

Ensure you have setup your load balancer as per the vRA Load Balancing guide and test resolution of your DNS records.

vRealize Automation Load Balancing

Click Next to continue.

On the Single Sign-On page, enter the following:

• Administrator password: <password>
• Confirm password: <password>

Click Next to continue.

On the IaaS Host page, enter the following:

IaaS Web Address: <web-service load balancer address FQDN>

For example: vra-web.testlab.com

Manager Service Address: <vra-manager service load balancer address FQDN>

For example: vra-mgr.testlab.com

Security Passphrase: <passphrase>

Confirm Passphrase: <passphrase>

Click Next to continue.

On the Microsoft SQL Server page, enter the following:

Server name: <sqlserver\instance>

For example: sqltestlab01\inst01

Database name: <dbname>

For example: IaaS01

Select the Windows Authentication check box.

Note: If your SQL server uses SSL certificates, deselect Default settings for further configuration options.

Click Validate to verify Microsoft SQL Server connectivity and permissions to create the database.

After the validation is successful, a green check mark will appear, indicating all parameters are valid.

Click Next to continue.

On the Web Role page, enter the following:

 

Website Name: <Default Web Site>

Example: Default Web Site

Port: <443>

Example default port: 443

In the IaaS Web Servers section of the page, enter the following information for all of the IaaS hosts listed:

 

Username: testlab\svc_vra_iaas01

Password: <password>

Installation Path: <optional>

Click Validate to validate the authentication to the IaaS Web Server hosts.

After the validation is successful, a green check mark will appear indicating that all parameters are valid.

Click Next to continue.

On the Manager Service Role page, enter the following:

Select the Active checkbox box for the Manager service role corresponding to an IaaS hostname,

Example:  vratestlab05.testlab.com

Username: testlab\svc_vra_mgr01

Password: <password>

Installation Path: <optional>

Click Validate to validate the authentication to the IaaS Manager Service Hosts.

After the validation is successful, a green check mark will appear indicating that all the parameters are valid.

Click Next to continue.

On the Distributed Execution Managers page, enter the following:

(Optional) Select the Green   plus sign to add more Distributed Execution Manager hosts.

Select the IaaS host name service role from the drop-down,

Example: vratestlab07.testlab.com

Username: testlab\svc_vra_demw01

Password: <password>

Installation Description: <optional>

Installation Path: <optional>

Click Validate to validate the authentication to the IaaS DEM hosts.

After the validation is successful, a green check mark will appear indicating that all parameters are valid.

Click Next to continue.

On the Agents page, enter the following:

(Optional) Select the Green  plus sign to add more Agent hosts.

Select the IaaS Host Name service role from the drop-down,

Example: vratestlab07.testlab.com

Select the Agent Type from the drop-down, for example: vSphere

Agent Name: vmatestlab02

Endpoint:  vmatestlab02

Installation Description: <optional>

Username: testlab\svc_vra_vc01

Installation Path: <optional>

Note: Ensure the Agent Name and Endpoint name match.

Click Validate to validate the authentication to the IaaS DEM hosts.

After the validation is successful, a green check mark will appear indicating that all parameters are valid.

Click Next to continue.

On the vRealize Appliance Certificate page, select Import for the PEM-encoded certificate generated from a certificate authority for the vRealize Automation Appliance.

Open the vra-portal.key file for your vRealize Automation appliances in a text editor and paste the contents of the file into the RSA Private Key text box.

Open the vra-portal.pem file for your vRealize Automation appliances in a text editor and paste the contents into the Certificate Chain text box.

Enter the password used when generating the certificates into the Pass Phrase text box.

Click Save Imported Certificate.

Click Next to continue.

On the Web Certificate page, select Import Certificate for the PEM-encoded certificate generated from a certificate authority for the vRealize Automation IaaS Web Server hosts.

Open the vra-web.key file for your IaaS Web Server hosts in a text editor and paste the contents of the file into the RSA Private Key text box.

Open the vra-web.pem file for your IaaS Web Server hosts in a text editor and paste the contents into the Certificate Chain text box.

Enter the password used when generating the certificates into the Pass Phrase text box.

Click Save Imported Certificate.

Click Next to continue.

On the Manager Service Certificate page, select Import Certificate for the PEM-encoded certificate generated from a certificate authority for the vRealize Automation IaaS Manager Server hosts.

Open the vra-mgr.key file for your IaaS Manager Server hosts in a text editor and paste the contents of the file into the RSA Private Key text box.

Open the vra-mgr.pem file for your IaaS Manager Server hosts in a text editor and paste the contents into the Certificate Chain text box.

Enter the password used when generating the certificates into the Pass Phrase.

Click Save Imported Certificate.

Click Next to continue.

On the Load Balancers page, review the configuration of vRealize Automation components.

Verify the entries for Load Balancer Address and the Load Balancer members are correct.

Example load balancer addresses:

• vra-portal.testlab.com
• vra-web.testlab.com
• vra-mgr.testlab.com

Click Next to continue.

On the Validation page, click Validation.

On the Validation page, the status is updated to reflect Validation is in progress.

Wait for the validation to report status on each Host Name\Instance and change from Pending to Succeeded in the Command Status column.

Wait for all validation tests to report 100% with validation completed.

Note: If any of the Validation tasks fail, do not click Next until every problem is resolved. The validation can be run again after problems are corrected with each hostname or instance.

Click Next to continue.

 

Next, within vCenter, create VM snapshots of all vRealize Automation appliances and IaaS Server hosts. Wait for the VM snapshots to complete before proceeding.

On the Create Snapshots page, click Next to continue.

On the Installation Details page, click Install.

As the installation continues, the Installation Details page reports the status of the Installation in progress with the percentage complete.

After the installation is finished, click Next to continue.

On the Licensing page:

Enter the New License Key: <license key>

Click Submit Key.

Click Next to continue.

On the Telemetry page, select your option then click Next to continue.

On the Initial Content Configuration page, click Next to continue.

After the Installation Wizard reports that installation was successful, click Finish to complete the installation.

 

vRA 7 Deployment Validation

Once the installation has completed, connect to the primary vRA appliance VAMI to validate the configuration.

Log in using the user name  root and the password you specified when you deployed the vRealize Automation appliance.

Click Login.

Navigate to vRA Settings > Host Settings and verify the configuration.

Verify the Host Name is set to the FQDN of the ViP DNS name.

Verify the SSL Configuration is using the imported certificate

Navigate to vRA Settings > Cluster and verify the configuration. Expand the Host / Node Name to validate the roles assigned to each node.

Verify all nodes are in a healthy state by checking their Last Connected time from the VAMI of the primary vRA appliance

• Ensure the IaaS nodes have a last connected time of less than 30 seconds
• Ensure the vRA appliances have a last connected time of less than 10 minutes
  • Note: The screenshot is from my vRA 7.3 environment

Navigate to vRA Settings > Database and verify the configuration.

Ensure the replication mode is Asynchronous

Check the Connection Status is CONNECTED

Verify the primary vRA appliance is the MASTER node and the secondary vRA appliance is the REPLICA node.

Ensure both Postgres DB nodes have a status of Up

Navigate to Services and confirm all services have a status of REGISTERED.

This concludes part 5 of this vRealize Automation Enterprise installation series and vRealize Automation is now installed. I will continue with the vRA 7 series, where we can now start configuring the post vRA 7 deployment elements.

 

 

 

 

 

 

Following on from the vRA 7 Enterprise Deployment Part 3, this blog continues the series with the installation of the vRealize Automation IaaS management agent on the IaaS nodes.

Since vRA 7.0 release, the vRA deployment wizard was introduced to complete the pre-requisite configuration and automated deployment of the vRA IaaS components. This is a massive improvement over the vRA 6.x procedure and more reliable. Before proceeding with the vRA Deployment Wizard, each vRA IaaS node requires the vRA Management Agent to be installed. Once installed, the host is registered with the primary vRA appliance.

Exception:  Java 64-bit is required on the IaaS Web servers and cannot be pushed by the deployment wizard. You must install a supported 64-bit version of Java and add the “JAVA_HOME” system variable on each IaaS Web server you plan to use prior to commencing with the vRA Deployment Wizard.

Further information can be found in the VMware documentation here: IaaS Web Service and Model Manager Server Requirements

As per the vRealize Automation Reference Architecture document, vRealize Automation 7 Reference Architecture, as per the Enterprise (previously known as Large) deployment model, you need to prepare 8 Windows Server VMs ensuring you meet the prerequisites for the vRA deployment wizard. This deployment guide assumes you have a Microsoft SQL Server already deployed which can be used to host the vRA IaaS database.

Ensure you adhere to the vRealize Automation Support Matrix and the Interoperability Guides.

Once you have prepared the following, you can continue with the vRealize Automation installation:

• 8 x Windows Server VMs
• Installed a supported version of JRE x64
• Configure the JAVA_HOME system variable
• Ensure you have a supported Load Balancer configured with only the primary nodes enabled in the LB pools
• Created and validated DNS Alias addressed to use for the vRA installation

vRealize Automation Load Balancing

vRealize Automation IaaS Management Agent Installation

Download and Install IaaS Management Agents on the First IaaS Web Server host

Log in to the first IaaS Web Server host with the domain service account that will be used to perform the installation and will also run the Windows service for the vCAC Management Agent.

Note: Ensure the accounts have been setup as per Part 1 of this series.

Example first Web Server: vratestlab03.testlab.com

Example Domain Service Account: (testlab\svc_vra_iaas01) ensure member of local admins and remote desktop users

Go to the first deployed vRealize Automation appliance management console by opening a connection using its FQDN:

https://vratestlab01.testlab.com:5480/

Note: You need to perform these steps on the first Windows Server you will use as the primary IaaS Web Server host, ensuring that the server has full network access to all vRealize Automation and IaaS Web, Manager, DEM, and Proxy Agent servers to perform the Management Agent installation.

Click I Understand the Risks, and click Add Exception to accept the certificate.

Click Confirm Security Exception.

Log in using the user name root and the password you specified when you deployed the vRealize Automation appliance.

Click Login.

On the Welcome to the vRealize Automation Wizard page.

Click Next to continue.

On the End User License Agreement page, click I accept the terms of this agreement.

Click Next to continue.

On the Deployment Type page, select the Enterprise deployment option.

Click Next to continue.

Ensure Install Infrastructure as a Service is selected

On the Installation Prerequisites page:

Click on the vCAC-IaaSManagmentAgent-Setup.msi hyperlink to begin the download the Management Agent installer.

Click Save File to save the installer to a local folder on the primary IaaS Web Server host where you are performing the Management Agent installation from.

 

Browse to the local directory where you saved the installer, on the primary IaaS Web Server host.

Right click on the vCAC-IaaSManagementAgent-Setup.msi file and select Install.

When the setup wizard opens, click Next.

On the End-User License Agreement screen of the Management Agent Setup Wizard, check the box I accept the terms of this agreement.

Click Next.

On the Destination Folder screen, select a destination folder by clicking Change, or accept the default installation path.

Click Next.

On the Management Site Service screen:

In the vRA appliance load balancer address text box, specify the vRealize Automation appliance URL, for example: <https://vra-portal.testlab.com:5480>

In the Root username text box, enter the vRealize Automation appliance username <root>.

In the Password text box, enter the vRealize Automation appliance <password>.

In the Management Site Service certificate SHA1 fingerprint text box, click Load.

Select the I confirm the fingerprint matches the Management Site SSL Certificate check box.

Click Next.

Enter the AD domain service account details for the

vRA Management Agent, for example: testlab\svc_vra_mgr01

Enter the password for the AD service account

Click Next.

Click Install

Once the installation has completed successfully, click Finish to exit the Management Agent installation wizard.

Verify the VMware vRealize Automation Management Agent is running on the primary IaaS Web Server in Server Manager by going to Tools > Computer Management > Services.

Verify the Logon as Service account is configured to use the vRealize Automation Service Account, for example, testlab\svc_vra_iaas01.

Download and Install IaaS Management Agents on all remaining IaaS Web, Manager, DEM, and Agent Servers

The following table lists the host name information for the vRA IaaS nodes in my homelab, where the IaaS Management Agent for each IaaS Server component will be installed. You can use this table as a reference to complete the vRealize Automation Management Agent on all of the vRA IaaS Nodes.

IaaS Management Agent Deployment Information

 

This concludes part 4 of this vRealize Automation Enterprise installation series. I will continue with the vRA 7 deployment in part 5 of this series, where we can now start deploying vRA using the Deployment Wizard.

 

 

Following on from vRA 7 Enterprise Deployment Part 1, this blog continues the series with some further planning and preparation before starting with the initial vRA Appliances deployment.

Generating Certificates

A production, distributed vRealize Automation deployment utilises Certificate Authority (CA) signed security certificates as each component communicates exclusively over SSL. While it is possible to import self-signed certificates on necessary components, this is not recommended in a production environment.

In my home lab, I have installed a Microsoft Certificate Authority. I followed this blog article to setup my Microsoft CA:

How to setup Microsoft Active Directory Certificate Services [AD CS]

I then referenced the VMware KB article for creating a CA template to use for my vRA deployment:

Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.0 (2112009)

Creating and Publishing a Certificate Template

Referencing the KB article, I created the certificate template using the following steps.

Open the MMC console for Certificate Templates:

• Click File and select Add/Remove Snap-in
• Select Certificate Templates in Available Snap-Ins and click Add
• Click OK
• From the right pane, right-click Web Server template
• Click Duplicate Template

 

In the Properties of New Template dialog box:

• Click the General tab
• Type the name of the template in Template name text box

In the Properties of New Template dialog box:

• Click the Subject Name tab
• Select the Supply in the request radio button

In the Properties of New Template dialog box:

• Click the Security tab
• Assign Full Control privileges to the domain administrator
• Assign Full Control privileges to the computer issuing this certificate
• Click OK

Open the MMC console for Certification Authority for the domain:

• Right-click Certificate Templates
• Select New > Certificate Template to Issue

In the Enable Certificate Templates dialog box:

• Select the certificate created in the above steps
• Click OK

Now the certificate template is published and ready to use. The table below details the certificates which are required for an enterprise large deployment with HA using embedded vRO instances.

vRealize Automation Certificate Requirements for High Availability

Certificate Common Name	Application Role	Encoding Needed
vra-portal.testlab.com	vRealize Automation Appliances	PEM and unencrypted key
vra-web.testlab.com	IaaS Web Servers	PKCS12
vra-mgr.testlab.com	IaaS Manager Services	PKCS12

 

Generating SSL Certificates

Now we will create the PKCS12 formatted certificates for the vRA IaaS Windows components and the PEM encoded certificate for the vRA appliances. You will need a machine with OpenSSL installed to generate the Certificate Signing Requests and format conversions plus access to the Certificate Services server to generate the signed certificates. The process shown below uses a Microsoft Active Directory Certificate Services.

Prepare for certificate generation using the following procedure:

• Install OpenSSL on the machine where you will generate the certificates.
• Create a base folder (D:\Certs in this example) with separate sub-folders for each vRealize Automation component.
• Within the base folder, create three subfolders named as follows:
  • vrava
  • IaaSWeb
  • IaaSMgr

Log in to the Microsoft Certificate Authority web interface, for example:

• http://dctestlab001.testlab.com/certsrv
• Click Download a CA certificate, certificate chain, or CRL.

From the Download a CA Certificate, Certificate Chain, or CRL page:

• Click Base 64
• Click the Download CA certificate chain link
• Save the certificate chain as cachain.p7b in the D:\Certs folder
• Click the Download CA certificate link
• Save the CA certificate as RootCA.crt in the D:\Certs folder

Create a configuration file for the vRealize Automation appliances using the format shown below:

• Use the configuration details (shown in the sample code block below) and alter items highlighted in red.
• Save the configuration file to D:\Certs\vRAva\vra-portal.cfg

[ req ]

default_bits = 2048

default_keyfile = rui.key

distinguished_name = req_distinguished_name

encrypt_key = no

prompt = no

string_mask = nombstr

req_extensions = v3_req

 

[ v3_req ]

basicConstraints = CA:FALSE

keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation

extendedKeyUsage = serverAuth, clientAuth

subjectAltName = DNS: vra-portal, DNS: vra-portal.testlab.com, DNS: vratestlab01, DNS: vratestlab01.testlab.com, DNS: vratestlab02, DNS: vratestlab02.testlab.com

 

[ req_distinguished_name ]

countryName = UK

stateOrProvinceName = Kent

localityName = Staplehurst

0.organizationName = Testlab

organizationalUnitName = vRealizeAutomation

commonName = vra-portal.testlab.com

 

Run the following OpenSSL command to generate the certificate request and the private key for this certificate:

openssl req -new -nodes -out D:\Certs\vRAva\vra-portal.csr -keyout D:\Certs\vRAva\vra-portal.key -config D:\Certs\vRAva\vra-portal.cfg

NOTE: Remember to replace the path and file names as required.

Run the following OpenSSL command to convert the keys to the RSA format required by the vRA appliances:

openssl rsa -in D:\Certs\vRAva\vra-portal.key -out D:\Certs\vRAva\vra-portal.key

 

Go back to the home page of the Certificate Server.

Click Request a certificate.

Click advanced certificate request.

Click Submit a certificate Request by using a base- 64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

On the Submit a Certificate Request or Renewal Request page:

• Open the vra-portal.csr file, generated in the step above, in notepad or notepad++
• Copy and paste the contents into the Base-64-encoded certificate request text box
• Select the template created using the Certificate Template process, VRA
• Click Submit

Click the Base-64 encoded radio button on the certificate-issued screen. Click the Download Certificate link.

Save the certificate as vra-portal in the folder D:\Certs\vRAva\vra-portal.cer

Click the Download Certificate chain link.

Save the certificate chain as cachain.p7b file and navigate to D:\Certs\vRAva\cachain.p7b.

Go to D:\Certs\vRAva and double-click the cachain.p7b file.

Right-click the root certificate, select All Actions > Export, and click Next.

Select Base64-encoded X.509 (.CER) and click Next.

 

Save the export to your D:\Certs\Root64.cer

Click Next

Click Finish then OK

Run the following OpenSSL command to convert the certificates to PKCS12 format:

openssl pkcs12 -export -in D:\Certs\vRAva\vra-portal.cer -inkey D:\Certs\vRAva\vra-portal.key -certfile D:\Certs\Root64.cer -name vra-portal -passout pass:VMware1! -out D:\Certs\vRAva\vra-portal.pfx

 

Run the following OpenSSL command to convert the certificates to PEM format:

openssl pkcs12 -nokeys -in D:\Certs\vRAva\vra-portal.pfx -inkey D:\Certs\vRAva\vra-portal.key -out D:\Certs\vRAva\vra-portal.pem -nodes -passin pass:VMware1!

 

Once this has completed, you now have the CA signed SSL certificates for the vRA appliances.

Repeat the above steps to generate the certificate for the vRealize Automation IaaS Web servers, remembering you do not need to complete the last step converting the certificates to PEM format.

Create a configuration file for the vRealize Automation IaaS Web servers using the format shown below:

• Use the configuration details (shown in the sample code block below) and alter items highlighted in red.
• Save the configuration file to D:\Certs\IaaSWeb\vra-web.cfg

 

[ req ]

default_bits = 2048

default_keyfile = rui.key

distinguished_name = req_distinguished_name

encrypt_key = no

prompt = no

string_mask = nombstr

req_extensions = v3_req

 

[ v3_req ]

basicConstraints = CA:FALSE

keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation

extendedKeyUsage = serverAuth, clientAuth

subjectAltName = DNS: vratestlab03, DNS:vratestlab03.testlab.com, DNS: vratestlab04, DNS:vratestlab04.testlab.com, DNS: vra-web, DNS: vra-web.testlab.com

 

[ req_distinguished_name ]

countryName = UK

stateOrProvinceName = Kent

localityName = Staplehurst

0.organizationName = Testlab

organizationalUnitName = vRealizeAutomationIaaSWeb

commonName = vra-web.testlab.com

 

Repeat the above steps to generate the certificate for the vRealize Automation IaaS Manager servers, remembering you do not need to complete the last step converting the certificates to PEM format.

Create a configuration file for the vRealize Automation IaaS Web servers using the format shown below:

• Use the configuration details (shown in the sample code block below) and alter items highlighted in red.
• Save the configuration file to D:\Certs\IaaSMgr\vra-mgr.cfg

 

[ req ]

default_bits = 2048

default_keyfile = rui.key

distinguished_name = req_distinguished_name

encrypt_key = no

prompt = no

string_mask = nombstr

req_extensions = v3_req

 

[ v3_req ]

basicConstraints = CA:FALSE

keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation

extendedKeyUsage = serverAuth, clientAuth

subjectAltName = DNS: vratestlab05, DNS: vratestlab05.testlab.com, DNS: vratestlab06, DNS: vratestlab06.testlab.com, DNS: vra-mgr, DNS: vra-mgr.testlab.com

 

[ req_distinguished_name ]

countryName = UK

stateOrProvinceName = Kent

localityName = Staplehurst

0.organizationName = Testlab

organizationalUnitName = vRealizeAutomationIaaSMgr

commonName = vra-mgr.testlab.com

 

I will continue with the vRA 7 deployment in part 3 of this series, where we can now start deploying the vRA Appliances.

This post will be part of a series detailing the steps required to deploy a vRealize Automation 7 large deployment implementation from the reference architecture. I would recommend reading the reference architecture before commencing with any vRA 7 install.

The vRealize Automation Reference Architecture document can be found here:

vRealize Automation 7 Reference Architecture

vRealize Automation Overview

Just in case you are not aware of VMware’s Automation product, here’s a brief introduction – VMware vRealize Automation provides a secure portal where authorised administrators, developers, or business users can request new IT services. In addition, they can manage specific cloud and IT resources that enable IT organisations to deliver services that can be configured to their lines of business in a self- service catalog.

vRealize Automation provides a secure portal where authorised administrators, developers or business users can request new IT services and manage specific cloud and IT resources, while ensuring compliance with business policies. Requests for IT service, including infrastructure, applications, desktops, and many others, are processed through a common service catalog to provide a consistent user experience.

You can improve cost control by using vRealize Automation to monitor resource and capacity usage. For further cost control management, you can integrate vRealize Business Advanced or Enterprise Edition with your vRealize Automation instance to expose the cost of cloud and virtual machine resources, and help you better manage capacity, cost, and efficiency.

The vRealize Automation documentation can be found at the VMware vRealize Automation Information Center:

VMware vRealize Automation Information Center

New Features in vRealize Automation 7 since 6.2 release

vRealize Automation 7 includes several architectural changes that simplify configuration and deployment. The deployment wizard is a major improvement over the vRA 6.x release providing a more reliable and robust deployment method. The previous release was very sensitive, especially with the IaaS components.

Architectural Changes

• The appliance database is now clustered automatically within the appliance. There is no longer any need for an external database load balancer or DNS entry.
• The instance of vRealize Orchestrator is now clustered automatically within the vRA appliance.
• Authentication is now handled by an embedded instance of VMware Identity Manager, known as Directories Management, within vRealize Automation.
• vRealize Application Services functionality has been merged into vRealize Automation.

Deployment Changes

• vRealize Automation deployments require two less load balanced endpoints as there is no need to balance the appliance database and an external SSO provider.
• Four virtual machines can potentially be removed from the footprint for most deployments, though an external vRealize Orchestrator instance is still recommended for some situations.
• A new deployment wizard which offers two types of installs, simple and enterprise. Simple is for installing vRA in a monolithic (non-distributed) fashion, enterprise assumes a fully distributed install

Deployment Recommendations

• Keep the vRealize Automation, vRealize Business and vRealize Orchestrator appliances in the same time zone with their clocks synchronised. Otherwise, data synchronisation might be delayed.
• Install vRealize Automation, vRealize Business Standard Edition, and vRealize Orchestrator on the same management cluster. Provision machines to a cluster that is separate from the management cluster so that user workload and server workload can be isolated.
• Deploy Proxy Agents in the same data center as the Endpoint with which they communicate. VMware does not recommended placing DEM Workers in Remote Data Centers unless there is an express workflow skill based use case that requires it. All components except the Proxy Agents and DEM Workers must be deployed in the same Data Center or Data Centers within a Metro Area Network. Latency must be less than 5 milliseconds, and bandwidth must not be less than 1 GB/s between the Data Centers in the Metro Area Network.
• For more information including a support statement, see the VMware Knowledge Base article Installing VMware vRealize Automation on a distributed multi-site instance

Support

A large deployment can support the following items:

• 50,000 managed machines
• 2500 catalog items
• 100 concurrent machine provisions

Components

An installation consists of the following components:

• vRealize Automation appliance, which deploys the management console, manages Single Sign-On (SSO) capabilities for authorization and authentication, and includes an instance of vRealize Orchestrator.
• Infrastructure as a Service (IaaS) components, which are installed on a Windows machine (virtual or physical), and appear largely under the Infrastructure tab on the console.

• An MS SQL Server Database, which is deployed during the IaaS installation.

Requirements

A large enterprise HA deployment requires the following systems:

Virtual Appliances

• vRealize Automation Appliance x 2
• vRealize Orchestrator Appliance x 2 (or use the embedded vRO instances on the vRealize Automation Appliances)

Windows Server Virtual Machines

• Infrastructure Web Server x 2
• Infrastructure Manager Server x 2
• Infrastructure DEM Server x 2
• Infrastructure Agent Server x 2
• Cluster Microsoft SQL Database

Load Balancer

• vRealize Automation Appliance nodes
• Infrastructure Web Server nodes
• Infrastructure Manager Server nodes
• vRealize Orchestrator Appliance (optional if using external vRO Appliances)

The following illustration outlines the vRA architecture for an enterprise deployment

The following table outlines the hardware specifications for the vRA components using the large deployment model in the reference architecture:

Server Role	Components	Required Hardware Specifications	Recommended Hardware Specifications
vRealize Automation Appliance	vRealize Automation Services, vRealize Orchestrator, vRealize Automation Appliance Database	CPU: 4 vCPU RAM: 18 GB (this may need to be increased for Directories Management  sync) Disk: 108 GB Network: 1 GB/s	Same as required hardware specifications.
Infrastructure Web Server	Web site	CPU: 2 vCPU RAM: 2 GB Disk: 40 GB Network: 1 GB/s	CPU: 2 vCPU RAM: 4 GB Disk: 40 GB Network: 1 GB/s
Infrastructure Manager Server	Manager Service, DEM Orchestrator	CPU: 2 vCPU RAM: 2 GB Disk: 40 GB Network: 1 GB/s	CPU: 2 vCPU RAM: 4 GB Disk: 40 GB Network: 1 GB/s
Infrastructure DEM Server	(One or more) DEM Workers	CPU: 2 vCPU RAM: 2 GB Disk: 40 GB Network: 1 GB/s (Per DEM Worker)	CPU: 2 vCPU RAM: 6 GB Disk: 40 GB Network: 1 GB/s (Per DEM Worker)
Infrastructure Agent Server	(One or more) Proxy Agent	CPU: 2 vCPU RAM: 4 GB Disk: 40 GB Network: 1 GB/s	Same as required hardware specifications
MSSQL Database Server	Infrastructure Database	CPU: 2 vCPU RAM: 8 GB Disk: 40 GB Network: 1 GB/s	CPU: 8 vCPU RAM: 16 GB Disk: 80 GB Network: 1 GB/s

Note: Typically disk sizes for vRA components host on Windows Servers are driven by customer standard build specifications. These need to be considered with the above table.

DNS and Host Name Resolution

• All vRA components must be able to resolve each other by using a fully qualified domain name (FQDN).
• The Model Manager Web service, Manager Service and Microsoft SQL Server database must also be able to resolve each other by their Windows Internet Name Service (WINS) name.

Note: vRA does not allow the use of an underscore (_) in host names.

Password Considerations

The vRealize Automation administrator password that you define during installation must not contain special characters.

In vRA 7.0.1, the following special characters are known to cause errors:

• Double quote marks (“)
• Commas (,)
• A trailing equal sign (=)
• Blank spaces
• Non-ASCII or extended ASCII characters

Note: Passwords that contain special characters might be accepted when you enter them, but cause failures when you perform operations later.

Time Synchronisation

All systems must synchronise their clocks from an accurate time source. Installation will fail if system clocks are not synchronised.

Installation Accounts

The following table outlines the accounts required for a distributed installation, I used separate accounts for the IaaS components but you can consolidate the account requirements if your setup allows this:

Component	Account	Access
vRealize Automation Appliance (VMware Identity Manager)	root
Default Tenant	administrator@vsphere.local
Website and Model Manager	testlab\svc_vra_iaas01	Access to IaaS SQL DB Local Administrator on IaaS Web Servers
Manager Service and DEM Orchestrator	testlab\svc_vra_mgr01	Access to IaaS SQL DB Local Administrator on IaaS Manager Web Servers
DEM Worker	testlab\svc_vra_pxy01	Local Administrator on IaaS DEM-W/Agent Servers
Proxy Agent	testlab\svc_vra_pxy01	Local Administrator on IaaS DEM-W/Agent Servers
vRA to vCenter	testlab\svc_vra_vc01
vRA to AD	testlab\svc_vra_ad01
vRO to AD	testlab\svc_vro_ad01
vRA to vRO	testlab\svc_vra_vro01

Load Balancer

The following table outlines the load balanced components required for a distributed installation:

Component	Load Balancer	Server FQDN and IP Address
vRealize Automation Appliance	vra-portal.testlab.com <192.168.140.24>	vratestlab01.testlab.com <192.168.140.10> vratestlab02.testlab.com <192.168.140.11>
Website and Model Manager Data	vra-web.testlab.com <192.168.140.25>	vratestlab03.testlab.com <192.168.140.13> vratestlab04.testlab.com <192.168.140.14>
Manager Service DEM Orchestrator	vra-mgr.testlab.com <192.168.140.26>	vratestlab05.testlab.com <192.168.140.15> vratestlab06.testlab.com <192.168.140.16>
DEM Workers and Agents	N/A	vratestlab07.testlab.com <192.168.140.17> vratestlab08.testlab.com <192.168.140.18>

 

I will continue with the vRA 7 deployment in part 2 of this series.