vRA 7 Enterprise Deployment – Part 2 – Generating Certificates

Following on from vRA 7 Enterprise Deployment Part 1, this blog continues the series with some further planning and preparation before starting with the initial vRA Appliances deployment.

Generating Certificates

A production, distributed vRealize Automation deployment utilises Certificate Authority (CA) signed security certificates as each component communicates exclusively over SSL. While it is possible to import self-signed certificates on necessary components, this is not recommended in a production environment.

In my home lab, I have installed a Microsoft Certificate Authority. I followed this blog article to setup my Microsoft CA:

How to setup Microsoft Active Directory Certificate Services [AD CS]

I then referenced the VMware KB article for creating a CA template to use for my vRA deployment:

Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.0 (2112009)

Creating and Publishing a Certificate Template

Referencing the KB article, I created the certificate template using the following steps.

Open the MMC console for Certificate Templates:

  • Click File and select Add/Remove Snap-in
  • Select Certificate Templates in Available Snap-Ins and click Add
  • Click OK
  • From the right pane, right-click Web Server template
  • Click Duplicate Template

 

1.2.1

In the Properties of New Template dialog box:

  • Click the General tab
  • Type the name of the template in Template name text box

1.2.2

1.2.3

In the Properties of New Template dialog box:

  • Click the Subject Name tab
  • Select the Supply in the request radio button

1.2.4

In the Properties of New Template dialog box:

  • Click the Security tab
  • Assign Full Control privileges to the domain administrator
  • Assign Full Control privileges to the computer issuing this certificate
  • Click OK

1.2.5

Open the MMC console for Certification Authority for the domain:

  • Right-click Certificate Templates
  • Select New > Certificate Template to Issue

1.2.6

In the Enable Certificate Templates dialog box:

  • Select the certificate created in the above steps
  • Click OK

1.2.7

1.2.8

Now the certificate template is published and ready to use. The table below details the certificates which are required for an enterprise large deployment with HA using embedded vRO instances.

vRealize Automation Certificate Requirements for High Availability

Certificate Common Name Application Role Encoding Needed
vra-portal.testlab.com vRealize Automation Appliances PEM and unencrypted key
vra-web.testlab.com IaaS Web Servers PKCS12
vra-mgr.testlab.com IaaS Manager Services PKCS12

 

Generating SSL Certificates

Now we will create the PKCS12 formatted certificates for the vRA IaaS Windows components and the PEM encoded certificate for the vRA appliances. You will need a machine with OpenSSL installed to generate the Certificate Signing Requests and format conversions plus access to the Certificate Services server to generate the signed certificates. The process shown below uses a Microsoft Active Directory Certificate Services.

Prepare for certificate generation using the following procedure:

  • Install OpenSSL on the machine where you will generate the certificates.
  • Create a base folder (D:\Certs in this example) with separate sub-folders for each vRealize Automation component.
  • Within the base folder, create three subfolders named as follows:
    • vrava
    • IaaSWeb
    • IaaSMgr

1.2.9

Log in to the Microsoft Certificate Authority web interface, for example:

1.2.10

From the Download a CA Certificate, Certificate Chain, or CRL page:

  • Click Base 64
  • Click the Download CA certificate chain link
  • Save the certificate chain as cachain.p7b in the D:\Certs folder
  • Click the Download CA certificate link
  • Save the CA certificate as RootCA.crt in the D:\Certs folder

1.2.11

1.2.12

1.2.13

1.2.14

Create a configuration file for the vRealize Automation appliances using the format shown below:

  • Use the configuration details (shown in the sample code block below) and alter items highlighted in red.
  • Save the configuration file to D:\Certs\vRAva\vra-portal.cfg

[ req ]

default_bits = 2048

default_keyfile = rui.key

distinguished_name = req_distinguished_name

encrypt_key = no

prompt = no

string_mask = nombstr

req_extensions = v3_req

 

[ v3_req ]

basicConstraints = CA:FALSE

keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation

extendedKeyUsage = serverAuth, clientAuth

subjectAltName = DNS: vra-portal, DNS: vra-portal.testlab.com, DNS: vratestlab01, DNS: vratestlab01.testlab.com, DNS: vratestlab02, DNS: vratestlab02.testlab.com

 

[ req_distinguished_name ]

countryName = UK

stateOrProvinceName = Kent

localityName = Staplehurst

0.organizationName = Testlab

organizationalUnitName = vRealizeAutomation

commonName = vra-portal.testlab.com

 

Run the following OpenSSL command to generate the certificate request and the private key for this certificate:

openssl req -new -nodes -out D:\Certs\vRAva\vra-portal.csr -keyout D:\Certs\vRAva\vra-portal.key -config D:\Certs\vRAva\vra-portal.cfg

NOTE: Remember to replace the path and file names as required.

1.2.15

1.2.16

Run the following OpenSSL command to convert the keys to the RSA format required by the vRA appliances:

openssl rsa -in D:\Certs\vRAva\vra-portal.key -out D:\Certs\vRAva\vra-portal.key

 

1.2.17

Go back to the home page of the Certificate Server.

Click Request a certificate.

1.2.18

Click advanced certificate request.

1.2.19

Click Submit a certificate Request by using a base- 64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

1.2.20

On the Submit a Certificate Request or Renewal Request page:

  • Open the vra-portal.csr file, generated in the step above, in notepad or notepad++
  • Copy and paste the contents into the Base-64-encoded certificate request text box
  • Select the template created using the Certificate Template process, VRA
  • Click Submit

1.2.21

Click the Base-64 encoded radio button on the certificate-issued screen. Click the Download Certificate link.

Save the certificate as vra-portal in the folder D:\Certs\vRAva\vra-portal.cer

1.2.22

Click the Download Certificate chain link.

Save the certificate chain as cachain.p7b file and navigate to D:\Certs\vRAva\cachain.p7b.

Go to D:\Certs\vRAva and double-click the cachain.p7b file.

Right-click the root certificate, select All Actions > Export, and click Next.

1.2.23

Select Base64-encoded X.509 (.CER) and click Next.

 

1.2.24

Save the export to your D:\Certs\Root64.cer

Click Next

1.2.25

Click Finish then OK

1.2.26

1.2.27

Run the following OpenSSL command to convert the certificates to PKCS12 format:

openssl pkcs12 -export -in D:\Certs\vRAva\vra-portal.cer -inkey D:\Certs\vRAva\vra-portal.key -certfile D:\Certs\Root64.cer -name vra-portal -passout pass:VMware1! -out D:\Certs\vRAva\vra-portal.pfx

 

1.2.28

Run the following OpenSSL command to convert the certificates to PEM format:

openssl pkcs12 -nokeys -in D:\Certs\vRAva\vra-portal.pfx -inkey D:\Certs\vRAva\vra-portal.key -out D:\Certs\vRAva\vra-portal.pem -nodes -passin pass:VMware1!

 

1.2.29

Once this has completed, you now have the CA signed SSL certificates for the vRA appliances.

Repeat the above steps to generate the certificate for the vRealize Automation IaaS Web servers, remembering you do not need to complete the last step converting the certificates to PEM format.

Create a configuration file for the vRealize Automation IaaS Web servers using the format shown below:

  • Use the configuration details (shown in the sample code block below) and alter items highlighted in red.
  • Save the configuration file to D:\Certs\IaaSWeb\vra-web.cfg

 

[ req ]

default_bits = 2048

default_keyfile = rui.key

distinguished_name = req_distinguished_name

encrypt_key = no

prompt = no

string_mask = nombstr

req_extensions = v3_req

 

[ v3_req ]

basicConstraints = CA:FALSE

keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation

extendedKeyUsage = serverAuth, clientAuth

subjectAltName = DNS: vratestlab03, DNS:vratestlab03.testlab.com, DNS: vratestlab04, DNS:vratestlab04.testlab.com, DNS: vra-web, DNS: vra-web.testlab.com

 

[ req_distinguished_name ]

countryName = UK

stateOrProvinceName = Kent

localityName = Staplehurst

0.organizationName = Testlab

organizationalUnitName = vRealizeAutomationIaaSWeb

commonName = vra-web.testlab.com

 

Repeat the above steps to generate the certificate for the vRealize Automation IaaS Manager servers, remembering you do not need to complete the last step converting the certificates to PEM format.

Create a configuration file for the vRealize Automation IaaS Web servers using the format shown below:

  • Use the configuration details (shown in the sample code block below) and alter items highlighted in red.
  • Save the configuration file to D:\Certs\IaaSMgr\vra-mgr.cfg

 

[ req ]

default_bits = 2048

default_keyfile = rui.key

distinguished_name = req_distinguished_name

encrypt_key = no

prompt = no

string_mask = nombstr

req_extensions = v3_req

 

[ v3_req ]

basicConstraints = CA:FALSE

keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation

extendedKeyUsage = serverAuth, clientAuth

subjectAltName = DNS: vratestlab05, DNS: vratestlab05.testlab.com, DNS: vratestlab06, DNS: vratestlab06.testlab.com, DNS: vra-mgr, DNS: vra-mgr.testlab.com

 

[ req_distinguished_name ]

countryName = UK

stateOrProvinceName = Kent

localityName = Staplehurst

0.organizationName = Testlab

organizationalUnitName = vRealizeAutomationIaaSMgr

commonName = vra-mgr.testlab.com

 

I will continue with the vRA 7 deployment in part 3 of this series, where we can now start deploying the vRA Appliances.

vRA 7 Enterprise Deployment – Part 1 – Planning and Pre-requisites

This post will be part of a series detailing the steps required to deploy a vRealize Automation 7 large deployment implementation from the reference architecture. I would recommend reading the reference architecture before commencing with any vRA 7 install.

The vRealize Automation Reference Architecture document can be found here:

vRealize Automation 7 Reference Architecture

vRealize Automation Overview

Just in case you are not aware of VMware’s Automation product, here’s a brief introduction – VMware vRealize Automation provides a secure portal where authorised administrators, developers, or business users can request new IT services. In addition, they can manage specific cloud and IT resources that enable IT organisations to deliver services that can be configured to their lines of business in a self- service catalog.

vRealize Automation provides a secure portal where authorised administrators, developers or business users can request new IT services and manage specific cloud and IT resources, while ensuring compliance with business policies. Requests for IT service, including infrastructure, applications, desktops, and many others, are processed through a common service catalog to provide a consistent user experience.

You can improve cost control by using vRealize Automation to monitor resource and capacity usage. For further cost control management, you can integrate vRealize Business Advanced or Enterprise Edition with your vRealize Automation instance to expose the cost of cloud and virtual machine resources, and help you better manage capacity, cost, and efficiency.

The vRealize Automation documentation can be found at the VMware vRealize Automation Information Center:

VMware vRealize Automation Information Center

New Features in vRealize Automation 7 since 6.2 release

vRealize Automation 7 includes several architectural changes that simplify configuration and deployment. The deployment wizard is a major improvement over the vRA 6.x release providing a more reliable and robust deployment method. The previous release was very sensitive, especially with the IaaS components.

Architectural Changes
  • The appliance database is now clustered automatically within the appliance. There is no longer any need for an external database load balancer or DNS entry.
  • The instance of vRealize Orchestrator is now clustered automatically within the vRA appliance.
  • Authentication is now handled by an embedded instance of VMware Identity Manager, known as Directories Management, within vRealize Automation.
  • vRealize Application Services functionality has been merged into vRealize Automation.
Deployment Changes
  • vRealize Automation deployments require two less load balanced endpoints as there is no need to balance the appliance database and an external SSO provider.
  • Four virtual machines can potentially be removed from the footprint for most deployments, though an external vRealize Orchestrator instance is still recommended for some situations.
  • A new deployment wizard which offers two types of installs, simple and enterprise. Simple is for installing vRA in a monolithic (non-distributed) fashion, enterprise assumes a fully distributed install
Deployment Recommendations
  • Keep the vRealize Automation, vRealize Business and vRealize Orchestrator appliances in the same time zone with their clocks synchronised. Otherwise, data synchronisation might be delayed.
  • Install vRealize Automation, vRealize Business Standard Edition, and vRealize Orchestrator on the same management cluster. Provision machines to a cluster that is separate from the management cluster so that user workload and server workload can be isolated.
  • Deploy Proxy Agents in the same data center as the Endpoint with which they communicate. VMware does not recommended placing DEM Workers in Remote Data Centers unless there is an express workflow skill based use case that requires it. All components except the Proxy Agents and DEM Workers must be deployed in the same Data Center or Data Centers within a Metro Area Network. Latency must be less than 5 milliseconds, and bandwidth must not be less than 1 GB/s between the Data Centers in the Metro Area Network.
  • For more information including a support statement, see the VMware Knowledge Base article Installing VMware vRealize Automation on a distributed multi-site instance

Support

A large deployment can support the following items:

  • 50,000 managed machines
  • 2500 catalog items
  • 100 concurrent machine provisions

Components

An installation consists of the following components:

  • vRealize Automation appliance, which deploys the management console, manages Single Sign-On (SSO) capabilities for authorization and authentication, and includes an instance of vRealize Orchestrator.
  • Infrastructure as a Service (IaaS) components, which are installed on a Windows machine (virtual or physical), and appear largely under the Infrastructure tab on the console.
  • An MS SQL Server Database, which is deployed during the IaaS installation.

Requirements

A large enterprise HA deployment requires the following systems:

Virtual Appliances
  • vRealize Automation Appliance x 2
  • vRealize Orchestrator Appliance x 2 (or use the embedded vRO instances on the vRealize Automation Appliances)
Windows Server Virtual Machines
  • Infrastructure Web Server x 2
  • Infrastructure Manager Server x 2
  • Infrastructure DEM Server x 2
  • Infrastructure Agent Server x 2
  • Cluster Microsoft SQL Database
Load Balancer
  • vRealize Automation Appliance nodes
  • Infrastructure Web Server nodes
  • Infrastructure Manager Server nodes
  • vRealize Orchestrator Appliance (optional if using external vRO Appliances)

The following illustration outlines the vRA architecture for an enterprise deployment

vRA 7 Architecture

The following table outlines the hardware specifications for the vRA components using the large deployment model in the reference architecture:

Server Role Components Required Hardware Specifications Recommended Hardware Specifications
vRealize Automation Appliance vRealize Automation Services,

vRealize Orchestrator, vRealize Automation Appliance Database

CPU: 4 vCPU

RAM: 18 GB (this may need to be increased for Directories Management  sync)

Disk: 108 GB

Network: 1 GB/s

Same as required hardware specifications.
Infrastructure Web Server Web site CPU: 2 vCPU

RAM: 2 GB

Disk: 40 GB

Network: 1 GB/s

CPU: 2 vCPU

RAM: 4 GB

Disk: 40 GB

Network: 1 GB/s

Infrastructure Manager Server Manager Service, DEM Orchestrator CPU: 2 vCPU

RAM: 2 GB

Disk: 40 GB

Network: 1 GB/s

CPU: 2 vCPU

RAM: 4 GB

Disk: 40 GB

Network: 1 GB/s

Infrastructure DEM Server (One or more) DEM Workers CPU: 2 vCPU

RAM: 2 GB

Disk: 40 GB

Network: 1 GB/s (Per DEM Worker)

CPU: 2 vCPU

RAM: 6 GB

Disk: 40 GB

Network: 1 GB/s (Per DEM Worker)

Infrastructure Agent Server (One or more) Proxy Agent CPU: 2 vCPU

RAM: 4 GB

Disk: 40 GB

Network: 1 GB/s

Same as required hardware specifications
MSSQL Database Server Infrastructure Database CPU: 2 vCPU

RAM: 8 GB

Disk: 40 GB

Network: 1 GB/s

CPU: 8 vCPU

RAM: 16 GB

Disk: 80 GB

Network: 1 GB/s

Note: Typically disk sizes for vRA components host on Windows Servers are driven by customer standard build specifications. These need to be considered with the above table.

DNS and Host Name Resolution

  • All vRA components must be able to resolve each other by using a fully qualified domain name (FQDN).
  • The Model Manager Web service, Manager Service and Microsoft SQL Server database must also be able to resolve each other by their Windows Internet Name Service (WINS) name.

Note: vRA does not allow the use of an underscore (_) in host names.

Password Considerations

The vRealize Automation administrator password that you define during installation must not contain special characters.

In vRA 7.0.1, the following special characters are known to cause errors:

  • Double quote marks (“)
  • Commas (,)
  • A trailing equal sign (=)
  • Blank spaces
  • Non-ASCII or extended ASCII characters

Note: Passwords that contain special characters might be accepted when you enter them, but cause failures when you perform operations later.

Time Synchronisation

All systems must synchronise their clocks from an accurate time source. Installation will fail if system clocks are not synchronised.

Installation Accounts

The following table outlines the accounts required for a distributed installation, I used separate accounts for the IaaS components but you can consolidate the account requirements if your setup allows this:

Component Account Access
vRealize Automation Appliance

(VMware Identity Manager)

root
Default Tenant administrator@vsphere.local
Website and Model Manager testlab\svc_vra_iaas01 Access to IaaS SQL DB

Local Administrator on IaaS Web Servers

Manager Service and DEM Orchestrator testlab\svc_vra_mgr01 Access to IaaS SQL DB

Local Administrator on IaaS Manager Web Servers

DEM Worker testlab\svc_vra_pxy01 Local Administrator on IaaS DEM-W/Agent Servers
Proxy Agent testlab\svc_vra_pxy01 Local Administrator on IaaS DEM-W/Agent Servers
vRA to vCenter testlab\svc_vra_vc01
vRA to AD testlab\svc_vra_ad01
vRO to AD testlab\svc_vro_ad01
vRA to vRO testlab\svc_vra_vro01

Load Balancer

The following table outlines the load balanced components required for a distributed installation:

Component Load Balancer Server FQDN and IP Address
vRealize Automation Appliance vra-portal.testlab.com <192.168.140.24> vratestlab01.testlab.com <192.168.140.10>

vratestlab02.testlab.com <192.168.140.11>

Website and Model Manager Data vra-web.testlab.com <192.168.140.25> vratestlab03.testlab.com <192.168.140.13>

vratestlab04.testlab.com <192.168.140.14>

Manager Service

DEM Orchestrator

vra-mgr.testlab.com <192.168.140.26> vratestlab05.testlab.com <192.168.140.15>

vratestlab06.testlab.com <192.168.140.16>

DEM Workers and Agents N/A vratestlab07.testlab.com <192.168.140.17>

vratestlab08.testlab.com <192.168.140.18>

 

I will continue with the vRA 7 deployment in part 2 of this series.