Configuring vRealize Automation vRealize Automation 7.
You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/
If you have comments about this documentation, submit your feedback to docfeedback@vmware.com
VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com
Copyright © 2015–2018 VMware, Inc. All rights reserved. Copyright and trademark information.
Configuring vRealize Automation provides information about configuring vRealize Automation and your external environments to prepare for vRealize Automation provisioning and catalog management. For information about supported integrations, see https://www.vmware.com/pdf/vrealize-automation-70support-matrix.pdf.
Updated Information
This Configuring vRealize Automation is updated with each release of the product or when necessary. This table provides the update history of Configuring vRealize Automation.
Revision 001836-06
- Updated Prepare a Windows Reference Machine to Support Software.
- Updated Prepare a Linux Reference Machine to Support Software.
Revision 001836-05
- Added note to Specify Tenant Information to indicate that tenant URLs must use only lowercase characters.
1 External Preparations for Provisioning
You may need to create or prepare some elements outside of vRealize Automation to support catalog item provisioning. For example, if you want to provide a catalog item for provisioning a clone machine, you need to create a template on your hypervisor to clone from.
Table 1‑1. Preparing Your Environment for vRealize Automation Integration (Continued)
Environment (rows): vCloud Air; Amazon AWS; Red Hat OpenStack; SCVMM; All other environments
Preparations: Register for your vCloud Air account, set up your vCloud Air environment, and identify or create appropriate credentials to provide vRealize Automation with access to your environment. See Preparing for vCloud Air and vCloud Director Provisioning.
Table 1‑2. Preparing NSX Networking and Security Checklist
Task: Install and configure the NSX plug-in.
Location: Install the NSX plug-in in vRealize Orchestrator.
Details: See Install the NSX Plug-In on vRealize Orchestrator and the NSX Administration Guide.

Task: Configure NSX network settings, including gateway and transport zone settings.
Location: Configure network settings in NSX.
Details: See the NSX Administration Guide.

Task: Create NSX security policies, tags, and groups.
Procedure
1. Download the plug-in file to a location accessible from the vRealize Orchestrator server. The plug-in installer file name format, with appropriate version values, is o11npluginnsx-1.n.n.vmoapp. Plug-in installation files for the VMware NSX™ networking and security product are available from the VMware product download site at http://vmware.com/web/vmware/downloads. The vCloud Networking and Security plug-in is also available at this site.
Procedure
1. Click the Workflow tab and select NSX > NSX workflows for VCAC.
2. Run the Create NSX endpoint workflow and respond to prompts.
3. Run the Enable security policy support for overlapping subnets workflow.
4. Select the NSX endpoint as the input parameter for the workflow. Use the IP address you specified when you created the vSphere endpoint to register an NSX instance.
Preparing Your vCloud Air Environment for vRealize Automation
Before you integrate vCloud Air with vRealize Automation, you must register for your vCloud Air account, set up your vCloud Air environment, and identify or create appropriate credentials to provide vRealize Automation with access to your environment.
Configure Your Environment
Configure your environment as instructed in the vCloud Air documentation.
The AWS Power User role does not allow management of AWS Identity and Access Management (IAM) users and groups. For management of IAM users and groups, you must be configured with AWS Full Access Administrator credentials. vRealize Automation requires access keys for endpoint credentials and does not support user names and passwords.
Understanding Amazon Web Service Regions
Each Amazon Web Services account is represented by a cloud endpoint. When you create an Amazon Elastic Cloud Computing endpoint in vRealize Automation, regions are collected as compute resources. After the IaaS administrator selects compute resources for a business group, inventory and state data collections occur automatically.
- A machine owner can assign an Amazon machine instance to an Amazon VPC. For more information about creating an Amazon VPC, see Amazon Web Services documentation.
Using Elastic Load Balancers for Amazon Web Services
Elastic load balancers distribute incoming application traffic across Amazon Web Services instances. Amazon load balancing enables improved fault tolerance and performance.
Using Elastic Block Storage for Amazon Web Services
Amazon elastic block storage provides block level storage volumes to use with an Amazon machine instance and Amazon Virtual Private Cloud. The storage volume can persist past the life of its associated Amazon machine instance in the Amazon Web Services cloud environment.
- Public IP address.
- Private IP address.
- Create or identify a CentOS machine on the same local network as your vRealize Automation installation.
- Install OpenSSH SSHD Server on both tunnel machines.
Procedure
1. Log in to your Amazon AWS tunnel machine as the root user or similar.
2. Disable iptables.
    # service iptables save
    # service iptables stop
    # chkconfig iptables off
3. Edit /etc/ssh/sshd_config to enable AllowTCPForwarding and GatewayPorts.
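A way to confirm that the sshd_config edit in step 3 is the setting sshd will actually use. This is an added example, not part of the VMware documentation; the function names and the sample file are constructed for illustration, and Include directives are assumed not to be in use.

```shell
# Added example (not from the VMware documentation).
# sshd keeps the FIRST value it reads for a keyword, keyword names are
# case-insensitive, and a "Match" line ends the global section. A later
# duplicate line or a Match block therefore does not change the global value.
# Assumption: Include directives are not followed.

sshd_global_value() {
    # $1 = path to an sshd_config file, $2 = keyword
    # Prints the effective global value in lowercase, or "unset".
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" '
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            if (line == "" || substr(line, 1, 1) == "#") next
            split(line, f, /[ \t=]+/)        # "Key value" or "Key=value"
            key = tolower(f[1])
            if (key == "match") exit         # global section is over
            if (key == want) { print tolower(f[2]); found = 1; exit }
        }
        END { if (!found) print "unset" }
    ' "$1"
}

check_tunnel_sshd() {
    # Returns 0 only when both tunnel settings from step 3 are in effect.
    ct_fwd=$(sshd_global_value "$1" AllowTcpForwarding)
    ct_gw=$(sshd_global_value "$1" GatewayPorts)
    printf 'AllowTcpForwarding=%s GatewayPorts=%s\n' "$ct_fwd" "$ct_gw"
    # AllowTcpForwarding defaults to yes, so "unset" is acceptable.
    case $ct_fwd in yes|all|unset) ;; *) return 1 ;; esac
    # GatewayPorts defaults to no, so it must be set explicitly.
    case $ct_gw in yes|clientspecified) ;; *) return 1 ;; esac
}

# Constructed sample: the second GatewayPorts line and the Match block
# do not affect the global values.
sample_cfg=$(mktemp)
cat > "$sample_cfg" <<'EOF'
# constructed sshd_config fragment
Port 22
allowtcpforwarding yes
GatewayPorts clientspecified
GatewayPorts no
Match User backup
    AllowTcpForwarding no
EOF
check_tunnel_sshd "$sample_cfg"
```

With iptables disabled in step 2 and GatewayPorts set to yes, remote-forwarded ports listen on all interfaces of the tunnel machine, so access to them has to be limited elsewhere, for example in the AWS security group.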
Preparing Red Hat OpenStack Network and Security Features
vRealize Automation supports several features in OpenStack including security groups and floating IP addresses. Understand how these features work with vRealize Automation and configure them in your environment.
Using OpenStack Security Groups
Security groups allow you to specify rules to control network traffic over specific ports.
- TemporaryProfile
- Temporary Profile
- Profile
Required Network Configuration for SCVMM Clusters
SCVMM clusters only expose virtual networks to vRealize Automation, so you must have a 1:1 relationship between your virtual and logical networks. Using the SCVMM console, map each logical network to a virtual network and configure your SCVMM cluster to access machines through the virtual network.
Table 1‑3. Choosing a Machine Provisioning Method to Prepare
Columns: Scenario, Supported Endpoint, Agent Support, Provisioning Method, Pre-provisioning Preparations
Depends on the provisioning method you choose. Supported as an additional step in any provisioning method, but you cannot use Visual Basic scripts with Amazon AWS machines.
Table 1‑3. Choosing a Machine Provisioning Method to Prepare (Continued)
Scenario: Provision a space-efficient copy of a virtual machine by using NetApp FlexClone technology.
Scenario: Provision machines by cloning from a template object created from an existing Windows or Linux machine, called the reference machine, and a customization object.
Scenario: Provision vCloud Air or vCloud Director machines by cloning from a template and customization object.
Table 1‑3. Choosing a Machine Provisioning Method to Prepare (Continued)
Columns: Scenario, Supported Endpoint, Agent Support, Provisioning Method, Pre-provisioning Preparations
Guest agent is required. You can use PEBuilder to create a WinPE image that includes the guest agent. You can create the WinPE image by using another method, but you must manually insert the guest agent.
Table 1‑4. Running Visual Basic Scripts During Provisioning Checklist
Task: Install and configure the EPI agent for Visual Basic scripts.
Location: Typically the Manager Service host
Details: See Installing vRealize Automation 7.0.

Task: Create your visual basic scripts.
Location: Machine where EPI agent is installed
Details: vRealize Automation includes a sample Visual Basic script PrePostProvisioningExample.vbs in the Scripts subdirectory of the EPI agent installation directory.
You can write your own custom scripts for the guest agent to run on deployed machines, and use custom properties on the machine blueprint to specify the location of those scripts and the order in which to run them. You can also use custom properties on the machine blueprint to pass custom property values to your scripts as parameters.
Install the Guest Agent on a Linux Reference Machine
Install the Linux guest agent on your reference machines to further customize machines after deployment.
Prerequisites
- Identify or create the reference machine.
- The guest agent files you download contain both tar.gz and RPM package formats. If your operating system cannot install tar.gz or RPM files, use a conversion tool to convert the installation files to your preferred package format.
6. If deployed machines are not already configured to trust the Manager Service SSL certificate, you must install the cert.pem file on your reference machine to establish trust.
   - For the most secure approach, obtain the cert.pem certificate and manually install the file on the reference machine.
   - For a more convenient approach, you can connect to the manager service load balancer or manager service machine and download the cert.pem certificate.
Procedure
1. Navigate to the vCloud Automation Center Appliance management console installation page. For example: https://vcac-hostname.domain.name:5480/installer/.
2. Download and save the Windows guest agent installation file to the C drive of your reference machine.
   - Windows guest agent files (32-bit.)
   - Windows guest agent files (64-bit.)
3. Install the guest agent on the reference machine.
   a. Right-click the file and select Properties.
   b. Click General.
What to do next
Convert your reference machine into a template for cloning, an Amazon machine image, or a snapshot so your IaaS architects can use your template when creating blueprints.
Configuring the Windows Guest Agent to Trust a Server
The most secure approach is to install the trusted PEM file manually on each template that uses the guest agent, but you can also allow the guest agent to trust the first machine to which it connects.
[Flowchart. Steps: Identify or create a reference machine; Install VMware Tools; Install the guest agent and the software bootstrap agent; Install the guest agent; Convert your reference machine to a template. Decisions (Yes/No): Are you working in vCenter Server? Do you want to support software components in your blueprints? Do you want the ability to customize machines after deployment?]
Table 1‑6. Checklist for Preparing to Provision by Cloning
Columns: Task, Location, Details

Location: Hypervisor
Details: See the documentation provided by your hypervisor.

Task: (Optional) If you want your clone template to support Software components, install the vRealize Automation guest agent and software bootstrap agent on your reference machine.
Location: Reference machine
Details: For Windows reference machines, see Prepare a Windows Reference Machine to Support Software.
Required Template and Reservation Information
Table 1‑7. Template and Reservation Information Worksheet
Columns: Required Information, My Value, Details

Required Information: Template name

Required Information: Reservations on which the template is available, or reservation policy to apply
Details: To avoid errors during provisioning, ensure that the template is available on all reservations or create reservation policies that architects can use to restrict the blueprint to reservations where the template is available.
Visual Basic Script Information
If you configured vRealize Automation to run your custom Visual Basic scripts as additional steps in the machine life cycle, you must include information about the scripts in the blueprint.
Note A fabric administrator can create a property group by using the property sets ExternalPreProvisioningVbScript and ExternalPostProvisioningVbScript to provide this required information.
Table 1‑10. Linux Guest Agent Customization Script Information Worksheet
Custom Property: Linux.ExternalScript.Name
My Value:
Description: Specifies the name of an optional customization script, for example config.sh, that the Linux guest agent runs after the operating system is installed. This property is available for Linux machines cloned from templates on which the Linux agent is installed.
Table 1‑11. Custom Properties for Customizing Cloned Machines with a Guest Agent Worksheet
Custom Property: VirtualMachine.Admin.AddOwnerToAdmins
My Value:
Description: Set to True (default) to add the machine’s owner, as specified by the VirtualMachine.Admin.Owner property, to the local administrators group on the machine.

Custom Property: VirtualMachine.Admin.
Table 1‑11. Custom Properties for Customizing Cloned Machines with a Guest Agent Worksheet (Continued)
Custom Property: VirtualMachine.DiskN.Size
My Value:
Description: Defines the size in GB of disk N. For example, to give a size of 150 GB to a disk G, define the custom property VirtualMachine.Disk0.Size and enter a value of 150. Disk numbering must be sequential. By default a machine has one disk referred to by VirtualMachine.Disk0.
Table 1‑11. Custom Properties for Customizing Cloned Machines with a Guest Agent Worksheet (Continued)
Custom Property: VirtualMachine.Admin.CustomizeGuestOSDelay
My Value:
Description: Specifies the time to wait after customization is complete and before starting the guest operating system customization. The value must be in HH:MM:SS format. If the value is not set, the default value is one minute (00:01:00).
Table 1‑11. Custom Properties for Customizing Cloned Machines with a Guest Agent Worksheet (Continued)
Custom Property: VirtualMachine.SoftwareN.ISOName
My Value:
Description: Specifies the path and file name of the ISO file relative to the data store root. The format is /folder_name/subfolder_name/file_name.iso. If a value is not specified, the ISO is not mounted.

Custom Property: VirtualMachine.SoftwareN.
Table 1‑12. Custom Properties for Networking Configuration (Continued)
Custom Property: VirtualMachine.NetworkN.MacAddress
My Value:
Description: Specifies the MAC address of a network device N. This property is available for cloning. If the value of VirtualMachine.NetworkN.MacAddressType is generated, this property contains the generated address. If the value of VirtualMachine.NetworkN.MacAddressType is static, this property specifies the MAC address.
Table 1‑12. Custom Properties for Networking Configuration (Continued)
Custom Property: VirtualMachine.NetworkN.Name
My Value:
Description: Specifies the name of the network to connect to, for example the network device N to which a machine is attached. This is equivalent to a network interface card (NIC). By default, a network is assigned from the network paths available on the reservation on which the machine is provisioned. Also see VirtualMachine.NetworkN.AddressType.
Table 1‑12. Custom Properties for Networking Configuration (Continued)
Custom Property: VirtualMachine.NetworkN.ProfileName
My Value:
Description: Specifies the name of a network profile from which to assign a static IP address to network device N or from which to obtain the range of static IP addresses that can be assigned to network device N of a cloned machine, where N=0 for the first device, 1 for the second, and so on.
Table 1‑12. Custom Properties for Networking Configuration (Continued)
Custom Property: VCNS.LoadBalancerEdgePool.Names.name
My Value:
Description: Specifies the vCloud Networking and Security load balancing pools to which the virtual machine is assigned during provisioning. The virtual machine is assigned to all service ports of all specified pools. The value is an edge/pool name or a list of edge/pool names separated by commas. Names are case-sensitive.
Table 1‑12. Custom Properties for Networking Configuration (Continued)
Custom Property: VCNS.SecurityGroup.Names.name
My Value:
Description: Specifies the vCloud Networking and Security security group or groups to which the virtual machine is assigned during provisioning. The value is a security group name or a list of names separated by commas. Names are case-sensitive.
Templates that are to be shared across organizations must be public. Only reserved templates are available to vRealize Automation as a cloning source.
Note When you create a blueprint by cloning from a template, that template's unique identifier becomes associated with the blueprint. When the blueprint is published to the vRealize Automation catalog and used in the provisioning and data collection processes, the associated template is recognized.
3. Edit the isolinux/isolinux.cfg or loader/isolinux.cfg to specify the name and location of the configuration file and the appropriate Linux distribution source.
4. Create the boot ISO image and save it to the location required by your virtualization platform. See the documentation provided by your hypervisor for information about the required location.
5. (Optional) Add customization scripts.
7. Locate each instance of gugent.rpm or gugent.tar.gz and replace the URL rpm.example.net with the location of the guest agent package. For example:
    rpm -i nfs:172.20.9.59/suseagent/gugent.rpm
8. Save the file to a location accessible to newly provisioned machines.
Specify Custom Scripts in a kickstart/autoYaST Configuration File
You can modify the configuration file to copy or install custom scripts onto newly provisioned machines.
Preparing for SCCM Provisioning
vRealize Automation boots a newly provisioned machine from an ISO image, and then passes control to the specified SCCM task sequence. SCCM provisioning is supported for the deployment of Windows operating systems. Linux is not supported. Software distribution and updates are not supported.
Create a Software Package for SCCM Provisioning
The final step in your SCCM task sequence must be to install a software package that includes the vRealize Automation guest agent.
Procedure
1. Navigate to the vCloud Automation Center Appliance management console installation page. For example: https://vcac-hostname.domain.name:5480/installer/.
2. Download and save the Windows guest agent files.
   - Windows guest agent files (32-bit.)
   - Windows guest agent files (64-bit.
- (Optional) Create any custom scripts you want to use to customize provisioned machines and place them in the appropriate work item directory of your PEBuilder installation. See Specify Custom Scripts in a PEBuilder WinPE.
- If you are using VirtIO for network or storage interfaces, you must ensure that the necessary drivers are included in your WinPE image and WIM image. See Preparing for WIM Provisioning with VirtIO Drivers.
- Create a WinPE Image by Using PEBuilder.
3. If the reference machine operating system is Windows Server 2003 or Windows XP, reset the administrator password to be blank. (There is no password.)
4. (Optional) If you want to enable XenDesktop integration, install and configure a Citrix Virtual Desktop Agent.
Table 1‑14. Required SysPrep Settings for reference machine that are not using Windows Server 2003 or Windows XP: (Continued)
Columns: AutoLogon Settings, Value
AutoLogon Setting: Username
Value: username (username and password are the credentials used for auto logon when the newly provisioned machine boots into the guest operating system. Administrator is typically used.
You can use PEBuilder to create a WinPE for use in WIM provisioning.
Specify Custom Scripts in a PEBuilder WinPE
You can use PEBuilder to customize machines by running custom bat scripts at specified points in the provisioning workflow.
Prerequisites
Install PEBuilder.
Procedure
1. Create or identify the bat script you want to use. Your script must return a non-zero value on failure to prevent machine provisioning failure.
2. Save the script as NN_scriptname.
4. Create a KVM (RHEV) blueprint for WIM provisioning and select the WinPE ISO option. The custom property VirtualMachine.Admin.DiskInterfaceType must be included with the value VirtIO. A fabric administrator can include this information in a property group for inclusion on blueprints. The custom properties Image.ISO.Location and Image.ISO.Name are not used for KVM (RHEV) blueprints.
5. Click File > Advanced.
   Note Do not change the WinPE Architecture or Protocol settings.
6. Select the Include vCAC Guest Agent in WinPE ISO check box.
7. Click OK.
8. Click Build.
What to do next
Place the WinPE image in the location required by your integration platform. If you do not know the location, please see the documentation provided by your platform. If you are provisioning HP iLO machines, place the WinPE image in a web-accessible location.
PEBuilder has a 32-bit guest agent. If you need to run commands specific to 64-bit, install PEBuilder and then get the 64-bit files from the GugentZipx64.zip file.
Prerequisites
- Select a Windows system from which the staging area you prepared is accessible and on which .NET 4.5 and Windows Automated Installation Kit (AIK) for Windows 7 (including WinPE 3.0) are installed.
- Create a WinPE.
3. Open doagent.bat in a text editor.
4. Replace all instances of the string #Dcac Hostname# with the fully qualified domain name and port number of the IaaS Manager Service host.
   Option: If you are using a load balancer
   Description: Enter the fully qualified domain name and port of the load balancer for the IaaS Manager Service. For example, manager_service_LB.mycompany.
5. Replace all instances of the string #Dcac Hostname# with the fully qualified domain name and port number of the Manager Service host. The default port for the Manager Service is 443.
   Option: If you are using a load balancer
   Description: Enter the fully qualified domain name and port of the load balancer for the Manager Service. For example, load_balancer_manager_service.mycompany.
Preparing for Virtual Machine Image Provisioning
Before you provision instances with OpenStack, you must have virtual machine images and flavors configured in the OpenStack provider.
Virtual Machine Images
You can select a virtual machine image from a list of available images when creating blueprints for OpenStack resources. A virtual machine image is a template that contains a software configuration, including an operating system.
The following considerations apply to Amazon machine images in the Amazon Web Services accounts from which you provision cloud machines:
- Each blueprint must specify an Amazon machine image. A private Amazon machine image is available to a specific account and all its regions. A public Amazon machine image is available to all accounts, but only to a specific region in each account.
To provision a machine in an Amazon Web Services account, an instance type is applied to the specified Amazon machine image. The available instance types are listed when architects create the Amazon EC2 blueprint. Architects select one or more instance types, and those instance types become choices available to the user when they request to provision a machine. The instance types must be supported in the designated region.
What to do next
Add the compute resources from your endpoint to a fabric group. See Create a Fabric Group.
Scenario: Prepare vSphere Resources for Machine Provisioning in Rainpole
As the vSphere administrator creating templates for vRealize Automation, you want to use the vSphere Web Client to prepare for cloning CentOS machines in vRealize Automation.
Procedure
1. Log in to your reference machine as the root user and prepare the machine for conversion.
   a. Remove udev persistence rules.
       /bin/rm -f /etc/udev/rules.d/70*
   b. Enable machines cloned from this template to have their own unique identifiers.
       /bin/sed -i '/^\(HWADDR\|UUID\)=/d' /etc/sysconfig/network-scripts/ifcfg-eth0
   c. Power down the machine.
       shutdown -h now
2. Log in to the vSphere Web Client as an administrator.
3. Click the VM Options tab.
3. Specify properties.
   a. Select Linux from the Target VM Operating System drop-down menu.
   b. Enter Linux in the Customization Spec Name text box.
   c. Enter Rainpole Linux cloning with vRealize Automation in the Description text box.
   d. Click Next.
4. Set computer name.
   a. Select Use the virtual machine name.
   b. Enter the domain on which cloned machines are going to be provisioned in the Domain name text box. For example, rainpole.local.
   c. Click Next.
Table 1‑15. Provisioning Methods that Support Software
Machine Type: vSphere
Provisioning Method: Clone
A clone blueprint provisions a complete and independent virtual machine based on a vCenter Server virtual machine template. If you want your templates for cloning to support Software components, install the guest agent and software bootstrap agent on your reference machine as you prepare a template for cloning. See Checklist for Preparing to Provision by Cloning.
Software supports scripting with Windows CMD, PowerShell 2.0.
Important Because the boot process must not be interrupted, configure the virtual machine so that nothing causes the virtual machine's boot process to pause before reaching the final operating system login prompt. For example, verify that no processes or scripts prompt for user interaction when the virtual machine starts.
Prerequisites
- Identify or create a reference machine.
   d. Click Unblock.
   e. Extract the files.
   f. Unzip the installation file to C:\. This produces the directory C:\VRMGuestAgent. Do not rename this directory.
4. Configure the guest agent to communicate with the Manager Service.
   a. Open an elevated command prompt.
   b. Navigate to C:\VRMGuestAgent.
   c. Configure the guest agent to trust your Manager Service machine.
      Option: Allow the guest agent to trust the first machine to which it connects.
6. Install the Software bootstrap agent.
   a. Open a Windows CMD console and navigate to the \temp folder.
   b. Enter the command to install the agent bootstrap.
       install.bat password=Password managerServiceHost=manager_service_machine.mycompany.com managerServicePort=443 httpsMode=true cloudProvider=ec2|vca|vcd|vsphere
      The default port number for the Manager Service is 443. Accepted values for cloudprovider are ec2, vca, vcd, and vsphere. The install.
   - grep
   - sed
   - setsid
   - awk
   - ifconfig
   - apt-get
   - yum
   - chkconfig
   - dmidecode
   - perl
- If you plan to remotely access the virtual machine using Linux ssh logging for troubleshooting or for other reasons, install the OpenSSH server and client for Linux.
- Remove network configuration artifacts from the network configuration files.
Procedure
1. Log in to your reference machine as the root user.
6. Shut down the Linux virtual machine.
The script removes any previous installations of the Software bootstrap agent and installs the supported versions of the Java Runtime Environment, the guest agent, and the Software bootstrap agent.
What to do next
On your hypervisor or cloud provider, turn your reference machine into a template, snapshot, or Amazon Machine Image that your infrastructure architects can use when creating blueprints.
- You must be connected to a vCenter Server to convert a virtual machine to a template. You cannot create templates if you connect the vSphere Client directly to a vSphere ESXi host.
Procedure
1. Scenario: Prepare Your Reference Machine for Guest Agent Customizations and Software Components
   You want your template to support software components, so you must install both the guest agent and the software bootstrap agent on your reference machine.
2. Download the installation script from your vRealize Automation appliance.
    wget https://vRealize_VA_Hostname_fqdn:5480/service/software/download/prepare_vra_template.sh
   If your environment is using self-signed certificates, you might have to use the wget option --no-check-certificate. For example:
    wget --no-check-certificate https://vRealize_VA_Hostname_fqdn:5480/service/software/download/prepare_vra_template.sh
3. Make the prepare_vra_template.
Procedure
1. Log in to your reference machine as the root user and prepare the machine for conversion.
   a. Remove udev persistence rules.
       /bin/rm -f /etc/udev/rules.d/70*
   b. Enable machines cloned from this template to have their own unique identifiers.
       /bin/sed -i '/^\(HWADDR\|UUID\)=/d' /etc/sysconfig/network-scripts/ifcfg-eth0
   c. If you rebooted or reconfigured the reference machine after installing the software bootstrap agent, reset the agent.
3 Click the New icon.
4 Click the New icon.
5 Specify properties.
  a Select Linux from the Target VM Operating System drop-down menu.
  b Enter Customspecs in the Customization Spec Name text box.
  c Enter cpb_centos_63_x84 cloning with vRealize Automation in the Description text box.
  d Click Next.
6 Set computer name.
  a Select Use the virtual machine name.
  b Enter the domain on which cloned machines are going to be provisioned in the Domain name text box.
- Identify or create a CentOS 6.x Linux reference machine with VMware Tools installed. For information about creating virtual machines, see the vSphere documentation.
- You must be connected to a vCenter Server to convert a virtual machine to a template. You cannot create templates if you connect the vSphere Client directly to a vSphere ESXi host.
3 Make the prepare_vra_template.sh script executable.
    chmod +x prepare_vra_template.sh
4 Run the prepare_vra_template.sh installer script.
    ./prepare_vra_template.sh
  You can run the help command ./prepare_vra_template.sh --help for information about noninteractive options and expected values.
5 Follow the prompts to complete the installation.
  You see a confirmation message when the installation is successfully completed.
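An added example, not part of the VMware documentation: instead of turning off certificate validation with --no-check-certificate, the script below trusts only the appliance's own self-signed certificate for the download step above. It assumes the certificate was exported to a PEM file over a trusted channel and that its SHA-256 fingerprint was recorded at that time; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not VMware code): download prepare_vra_template.sh with the
# appliance's self-signed certificate pinned, instead of --no-check-certificate.
# Assumptions: the PEM file was exported from the appliance over a trusted
# channel, and the expected value is its SHA-256 fingerprint recorded then.

# Print the SHA-256 fingerprint of a PEM certificate as bare uppercase hex.
pem_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed -e 's/^.*=//' -e 's/://g'
}

# Succeed only if the certificate file matches the expected fingerprint.
# Colons and letter case in the expected value are ignored.
pin_matches() {
    want=$(printf '%s' "$2" | tr -d ':' | tr 'a-f' 'A-F')
    have=$(pem_fingerprint "$1") || return 1
    [ -n "$have" ] && [ "$have" = "$want" ]
}

# Fetch the installer, trusting only the pinned certificate.
# Usage: download_prepare_script HOST PEM_FILE EXPECTED_FP [OUTPUT_FILE]
download_prepare_script() {
    host="$1"; pem="$2"; fp="$3"; out="${4:-prepare_vra_template.sh}"
    if ! pin_matches "$pem" "$fp"; then
        echo "certificate fingerprint mismatch, not downloading" >&2
        return 1
    fi
    # --ca-certificate makes wget validate the server against this file only.
    wget --ca-certificate="$pem" -O "$out" \
        "https://$host:5480/service/software/download/prepare_vra_template.sh"
}

# Stand-alone use: ./script HOST PEM_FILE EXPECTED_FP
if [ "$#" -ge 3 ]; then
    download_prepare_script "$@"
fi
```

The host name passed to the function must match the name in the pinned certificate, because wget still checks the certificate's subject against the URL.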
  c Enable machines cloned from this template to have their own unique identifiers.
      /bin/sed -i '/^\(HWADDR\|UUID\)=/d' /etc/sysconfig/network-scripts/ifcfg-eth0
  d If you rebooted or reconfigured the reference machine after installing the software bootstrap agent, reset the agent.
      /opt/vmware-appdirector/agent-bootstrap/agent_reset.sh
  e Power down the machine.
      shutdown -h now
2 Log in to the vSphere Web Client as an administrator.
  c Enter Dukes Bank customization spec in the Description text box.
  d Click Next.
5 Set computer name.
  a Select Use the virtual machine name.
  b Enter the domain on which you want to provision the Dukes Bank sample application in the Domain name text box.
  c Click Next.
6 Configure time zone settings.
7 Click Next.
8 Select Use standard network settings for the guest operating system, including enabling DHCP on all network interfaces.
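An added example, not part of the VMware documentation: before converting the reference machine to a template, the script below checks for the artifacts that the preparation steps remove (udev persistence rules and HWADDR/UUID lines) and can apply the same removals. The function names, the optional root-directory argument, and the extension from ifcfg-eth0 to every ifcfg-* file are this example's assumptions.

```shell
#!/bin/sh
# Added example (not VMware code): check a reference machine, or a mounted
# copy of its root filesystem, for the clone-unsafe artifacts that the
# preparation steps remove. ROOT defaults to / ; names are hypothetical.

# Print one finding per line; no output means nothing was found.
audit_template() {
    root="${1:-/}"; root="${root%/}"
    # udev persistence rules (the procedure deletes /etc/udev/rules.d/70*)
    for f in "$root"/etc/udev/rules.d/70*; do
        if [ -e "$f" ]; then
            rel=${f#"$root"}
            echo "udev-rule: $rel"
        fi
    done
    # HWADDR= and UUID= lines tie an interface file to the reference NIC.
    # The procedure edits ifcfg-eth0; checking every ifcfg-* file is a
    # generalization made by this example.
    for f in "$root"/etc/sysconfig/network-scripts/ifcfg-*; do
        if [ -f "$f" ]; then
            rel=${f#"$root"}
            awk -v name="$rel" \
                '/^(HWADDR|UUID)=/ { print "nic-id: " name ":" FNR ": " $0 }' "$f"
        fi
    done
}

# Number of findings under ROOT.
count_findings() {
    audit_template "$1" | wc -l | tr -d ' '
}

# Apply the same removals as the documented commands, under ROOT.
fix_template() {
    root="${1:-/}"; root="${root%/}"
    rm -f "$root"/etc/udev/rules.d/70*
    for f in "$root"/etc/sysconfig/network-scripts/ifcfg-*; do
        if [ -f "$f" ]; then
            sed -i -e '/^HWADDR=/d' -e '/^UUID=/d' "$f"
        fi
    done
}

# Build a constructed sample tree, audit it, fix it, audit again.
# Prints "<findings before> <findings after>".
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/etc/udev/rules.d" "$t/etc/sysconfig/network-scripts"
    # Constructed sample files, not taken from a real machine.
    printf 'SUBSYSTEM=="net", ATTR{address}=="00:50:56:aa:bb:cc", NAME="eth0"\n' \
        > "$t/etc/udev/rules.d/70-persistent-net.rules"
    printf 'DEVICE=eth0\nHWADDR=00:50:56:AA:BB:CC\nUUID=5fb06bd0-0bb0-7ffb-45f1-d6edd65f3e03\nBOOTPROTO=dhcp\n' \
        > "$t/etc/sysconfig/network-scripts/ifcfg-eth0"
    before=$(count_findings "$t")
    fix_template "$t"
    after=$(count_findings "$t")
    rm -rf "$t"
    echo "$before $after"
}

# Stand-alone use: ./script demo   or   ./script audit [ROOT]
case "${1:-}" in
    demo)  demo ;;
    audit) audit_template "${2:-/}" ;;
esac
```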
2 Configuring Tenant Settings

Tenant administrators configure tenant settings such as user authentication, and manage user roles and business groups. System administrators and tenant administrators configure options such as email servers to handle notifications, and branding for the vRealize Automation console.

You can use the Configuring Tenant Settings Checklist to see a high-level overview of the sequence of steps required to configure tenant settings.

Table 2‑1.
Table 2‑1. Checklist for Configuring Tenant Settings (Continued)
vRealize Automation Role | Details
(Optional) Create a custom remote desktop protocol file that IaaS architects use in blueprints to configure RDP settings.
Table 2‑2. Choosing Directories Management Configuration Options (Continued)
Configuration Option | Procedure
(Optional) Edit the default policy to apply custom rules for an Active Directory link. | Manage the User Access Policy
(Optional) Configure network ranges to restrict the IP addresses through which users can log in to the system, manage login restrictions (timeout, number of login attempts before lock-out).
Important Concepts Related to Active Directory
Several concepts related to Active Directory are integral to understanding how Directories Management integrates with your Active Directory environments.

Connector
The connector, a component of the service, performs the following functions.
- Syncs user and group data between Active Directory and the service.
- When being used as an identity provider, authenticates users to the service.
The connector syncs user and group data between Active Directory and the service through one or more workers. You cannot have two workers of the Integrated Windows Authentication type on the same connector instance.
Using Directories Management to Create an Active Directory Link
After you create vRealize Automation tenants, you must log in to the system console as a tenant administrator and create an Active Directory link to support user authentication.
4 Select the appropriate Active Directory communication protocol using the radio buttons under the Directory Name text box.
  Option | Description
  Windows Authentication | Select Active Directory (Integrated Windows Authentication)
  LDAP | Select Active Directory over LDAP.
5 Configure the connector that synchronizes users from the Active Directory to the VMware Directories Management directory in the Directory Sync and Authentication section.
7 In the Bind User Details section, enter the appropriate credentials to facilitate directory synchronization.
  For Active Directory over LDAP:
  Option | Description
  Base DN | Enter the search base distinguished name. For example, cn=users,dc=corp,dc=local.
  Bind DN | Enter the bind distinguished name.
14 Click to select the groups you want to sync from Active Directory to the directory.
  When you add a group from Active Directory, if members of that group are not in the Users list, they are added.
  Note The Directories Management user authentication system imports data from Active Directory when adding groups and users, and the speed of the system is limited by Active Directory capabilities.
Configure Directories Management for High Availability
You can use Directories Management to configure a high availability Active Directory connection in vRealize Automation.

Each vRealize Automation appliance includes a connector that supports user authentication, although only one connector is typically configured to perform directory synchronization. It does not matter which connector you choose to serve as the sync connector.
7 The main connector appears in the IdP Hostname text box by default. Change the host name to point to the load balancer.

Configure a Bi Directional Trust Relationship Between vRealize Automation and Active Directory
You can enhance system security of a basic vRealize Automation Active Directory connection by configuring a bi-directional trust relationship between your identity provider and Active Directory Federated Services.
4 Create a new Identity Provider for your deployment.
  a Select Administration > Directories Management > Identity Providers.
  b Click Add Identity Provider and complete the fields as appropriate.
  Option | Description
  Identity Provider Name | Enter a name for the new identity provider.
  Identity Provider Metadata (URI or XML) | Paste the contents of your Active Directory Federated Services metadata file here.
5 Using the Active Directory Federated Services management console, or another appropriate tool, set up a relying party trust relationship with the vRealize Automation identity provider. To set up this trust, you must import the Directories Management metadata that you previously downloaded. See the Microsoft Active Directory documentation for more information about configuring Active Directory Federated Services for bi-directional trust relationships.
Table 2‑4. SAML Federation Component Configuration
Component | Configuration
Directories Management | Configure SSO2 as a third-party Identity Provider on Directories Management and update the default authentication policy. You can create an automated script to set up Directories Management.
SSO2 component | Configure Directories Management as a service provider by importing the Directories Management sp.xml file.
  i Select the network ranges from which you want users to have access privileges to this identity provider in the Network text box. If you want to authenticate users from any IP address, select All Ranges.
  j Enter a name for the authentication method in the Authentication Methods text box.
  k Use the SAML Context drop-down menu to the right of the Authentication Methods text box to map the authentication method to urn:oasis:names:tc:SAML:2.0:ac:classes:Password.
When running a synchronize operation for a vRealize Automation deployment with many users and groups, there may be a delay after the Sync is in progress message disappears before the Sync Log details are displayed. Also, the time stamp on the log file may differ from the time that the user interface indicates that the synchronize operation completed.

Note You cannot cancel a synchronize operation after it has been initiated.
Select Attributes to Sync with Directory
When you set up the Directories Management directory to sync with Active Directory, you specify the user attributes that sync to the directory. Before you set up the directory, you can specify on the User Attributes page which default attributes are required and, if you want, add additional attributes that you want to map to Active Directory attributes.
By default, 4 GB of memory is allocated to the Directories Management service. This is sufficient for many small to medium sized deployments. If you have an Active Directory connection that uses a large number of users or groups, you may need to increase this memory allocation. Increased memory allocation is appropriate for systems with more than 100,000 users, each in 30 groups and 750 groups overall.
3 Edit the domain_krb.properties file to add the list of the domain to host values.
  Add the information as domain=host:port,host2:port,host3:port. For example, enter the list as
    example.com=examplehost.com:636, examplehost2.example.com:389
4 Change the owner of the domain_krb.properties file to horizon and group to www. Enter
    chown horizon:www /usr/local/horizon/conf/domain_krb.properties
5 Restart the service. Enter
    service horizon-workspace restart
Table 2‑7. Default Active Directory Attributes to Sync to Directory
Directory Attribute Name | Default Mapping to Active Directory Attribute
userPrincipalName | userPrincipalName
distinguishedName | distinguishedName
employeeId | employeeID
domain | canonicalName. Adds the fully qualified domain name of object.
disabled (external user disabled) | userAccountControl.
- Click Join Domain to join the connector to a specific Active Directory domain. For example, when you configure Kerberos authentication, you must join the Active Directory domain either containing users or having trust relationship with the domains containing users.
- When you configure a directory with an Integrated Windows Authentication Active Directory, the connector joins the domain according to the configuration details.
- Active Directory (Integrated Windows Authentication), which always has DNS Service Location lookup enabled

When you first create a directory that has DNS Service Location lookup enabled, a domain_krb.properties file is created automatically in the /usr/local/horizon/conf directory of the virtual machine and is auto-populated with domain controllers for each domain.
How Domain Controllers are Selected to Auto-Populate the domain_krb.properties File
To auto-populate the domain_krb.
To find the site, the connector determines the subnet on which it resides, based on its IP address and netmask, then uses the Active Directory configuration to identify the site for that subnet. If the subnet of the virtual machine is not in Active Directory, or if you want to override the automatic subnet selection, you can specify a subnet in the runtime-config.properties file.

Procedure
1 Log in to the Directories Management virtual machine as the root user.
3 Edit the domain_krb.properties file to add or edit the list of domain to host values. Use the following format:
    domain=host:port,host2:port,host3:port
  For example:
    example.com=examplehost1.example.com:389,examplehost2.example.com:389
  List the domain controllers in order of priority. To connect to Active Directory, the connector tries the first domain controller in the list. If it is not reachable, it tries the second one in the list, and so on.
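An added example, not part of the VMware documentation: a lint pass for a hand-edited domain_krb.properties file that checks each line against the format above and prints the controllers in the priority order the connector would try them. The function names, the sample file, and the choices to report whitespace as a warning and a repeated domain as an error are this example's assumptions.

```shell
#!/bin/sh
# Added example (not VMware code): lint a domain_krb.properties file against
# the documented format  domain=host:port,host2:port,host3:port
# Function names and the constructed sample below are hypothetical.

# Print "ok <domain> priority=<n> <host:port>" for each valid entry, plus
# "warning:" and "error:" lines. Return 1 if any error was found.
lint_domain_krb() {
    awk '
    function err(msg) { printf "error: line %d: %s\n", NR, msg; bad++ }
    /^[ \t]*#/ { next }     # comment
    /^[ \t]*$/ { next }     # blank line
    {
        if ($0 ~ /[ \t]/) {
            # Assumption: the documented format shows no spaces, so report
            # them, then strip them and keep checking.
            printf "warning: line %d: whitespace in entry\n", NR
            gsub(/[ \t]/, "")
        }
        eq = index($0, "=")
        if (eq < 2) { err("expected domain=host:port[,host:port...]"); next }
        domain = substr($0, 1, eq - 1)
        list = substr($0, eq + 1)
        if (list == "") { err("no domain controllers for " domain); next }
        # Assumption: a repeated domain is treated as an editing mistake.
        if (domain in seen) { err("duplicate entry for " domain); next }
        seen[domain] = 1
        n = split(list, dc, ",")
        for (i = 1; i <= n; i++) {
            if (dc[i] !~ /^[A-Za-z0-9._-]+:[0-9]+$/) {
                err("bad host:port \"" dc[i] "\""); continue
            }
            port = dc[i]; sub(/^.*:/, "", port)
            if (port + 0 < 1 || port + 0 > 65535) {
                err("port out of range in " dc[i]); continue
            }
            printf "ok %s priority=%d %s\n", domain, i, dc[i]
        }
    }
    END { exit (bad > 0) }
    ' "$1"
}

# Print the first (highest-priority) controller listed for DOMAIN in FILE.
first_dc() {
    lint_domain_krb "$2" \
        | awk -v d="$1" '$1 == "ok" && $2 == d && $3 == "priority=1" { print $4 }'
}

# Write a constructed sample file (one valid line, three problem lines).
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not from a real deployment
example.com=examplehost1.example.com:389,examplehost2.example.com:389
corp.example.com=dc1.corp.example.com:636, dc2.corp.example.com:389
lab.example.com=dc1.lab.example.com:ldap,dc2.lab.example.com:70000
example.com=examplehost3.example.com:389
EOF
}

# Stand-alone use: ./script /usr/local/horizon/conf/domain_krb.properties
if [ "$#" -gt 0 ]; then
    lint_domain_krb "$1"
fi
```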
- The number of hours the authentication is valid.

Note The policies do not control the length of time that a Web application session lasts. They control the amount of time that users have to launch a Web application.

The Directories Management service includes a default policy that you can edit. This policy controls access to the service as a whole. See Applying the Default Access Policy. To control access to specific Web applications, you can create additional policies.
- In the second scenario, the access policy rule is configured to require users to authenticate with their password and their Kerberos credential. Fallback authentication is set up to require RSA SecurID and RADIUS for authentication. A user enters the password correctly but fails to enter the correct Kerberos authentication credential. The fallback authentication request is for both the RSA SecurID credential and the RADIUS credential for authentication.
2 When a user attempts to access a resource, except for Web applications covered by a Web-application-specific policy, the default portal access policy applies.
  For example, the re-authentication time for such resources matches the re-authentication time of the default access policy rule.
3 The service checks the rules in the policy and applies the policy with the ALL RANGES network range since the user request is coming from a Web browser and from the ALL RANGES network range.
  The user logs in using the RSA SecurID authentication method, but the session just expired. The user is redirected for reauthentication. The reauthentication provides the user with another four hour session and the ability to launch the application.
- Log in to the vRealize Automation console as a tenant administrator.

Procedure
1 Select Administration > Directories Management > Policies.
2 Click Edit Policy to add a new policy.
3 Add a policy name and description in the respective text boxes.
4 In the Applies To section, click Select and in the page that appears, select the Web applications that are associated with this policy.
5 In the Policy Rules section, click + to add a rule.
Table 2‑8. User Authentication Types Supported by Directories Management
Authentication Types | Description
Kerberos | Kerberos authentication provides domain users with single sign-on access to their apps portal, eliminating the requirement for domain users to sign in to their apps portal again after they log in to the enterprise network. Directories Management validates user desktop credentials using Kerberos tickets distributed by the key distribution center (KDC).
- Configure RSA SecurID Authentication
  After Directories Management is configured as the authentication agent in the RSA SecurID server, you must add the RSA SecurID configuration information to the connector.

Prepare the RSA SecurID Server
The RSA SecurID server must be configured with information about the Directories Management appliance as the authentication agent. The information required is the host name and the IP addresses for network interfaces.
Procedure
1 As a tenant administrator, navigate to Administration > Directories Management > Connectors.
2 On the Connectors page, select the Worker link for the connector that is being configured with RSA SecurID.
3 Click Auth Adapters and then click SecurIDldpAdapter.
  You are redirected to the identity manager sign in page.
4 In the Authentication Adapters page SecurIDldpAdapter row, click Edit.
5 Configure the SecurID Authentication Adapter page.
RADIUS support offers a wide range of alternative two-factor token-based authentication options. Because two-factor authentication solutions, such as RADIUS, work with authentication managers installed on separate servers, you must have the RADIUS server configured and accessible to the identity manager service.

When users sign in to their My Apps portal and RADIUS authentication is enabled, a special login dialog box appears in the browser.
- RADIUS shared secret that is used for encryption and decryption in RADIUS protocol messages.
- Specific timeout and retry values needed for RADIUS authentication.
- Log in to the vRealize Automation console as a tenant administrator.

Procedure
1 Select Administration > Directories Management > Connectors.
2 On the Connectors page, select the Worker link for the connector that is being configured for RADIUS authentication.
Option | Action
Realm Suffix | (Optional) If you specify a realm suffix, the string is placed at the end of the user name. For example, if the suffix is @myco.com, the username jdoe@myco.com is sent to the RADIUS server.
Login page passphrase hint | Enter the text string to display in the message on the user login page to direct users to enter the correct RADIUS passcode.
The certificates are copied to the local certificate store on the user's computer. The certificates in the local certificate store are available to all the browsers running on this user's computer, with some exceptions, and therefore, are available to a Directories Management instance in the browser.
If the certificate is revoked, authentication fails. You can configure authentication to fall back to CRL checking if it does not receive a response from the OCSP responder or if the response is invalid.

Configure Certificate Authentication for Directories Management
You enable and configure certificate authentication from the vRealize Automation administration console Directories Management feature.
Option | Description
Use email if no UPN in certificate | If the user principal name (UPN) does not exist in the certificate, select this checkbox to use the emailAddress attribute as the Subject Alternative Name extension to validate user accounts.
Certificate policies accepted | Create a list of object identifiers that are accepted in the certificate policies extensions. Enter the object ID numbers (OID) for the Certificate Issuing Policy.
Complete the following tasks prior to using the administration console to add the third-party identity provider instance.
- Verify that the third-party instances are SAML 2.0 compliant and that the service can reach the third-party instance.
- Obtain the appropriate third-party metadata information to add when you configure the identity provider in the administration console.
Form Item | Description
Network | The existing network ranges configured in the service are listed. Select the network ranges for the users, based on their IP addresses, that you want to direct to this identity provider instance for authentication.
Authentication Methods | Add the authentication methods supported by the third-party identity provider. Select the SAML authentication context class that supports the authentication method.
Define network ranges for your Directories Management deployment based on your network topology. One network range, called ALL RANGES, is created as the default. This network range includes every IP address available on the Internet, 0.0.0.0 to 255.255.255.255. Even if your deployment has a single identity provider instance, you can change the IP address range and add other ranges to exclude or include specific IP addresses to the default network range.
Each rule in the default access policy requires that a set of criteria be met in order to allow user access to the apps portal. You apply a network range, select which type of user can access content and select the authentication methods to use. See Managing Access Policies.

The number of attempts the service makes to log in a user using a given authentication method varies. The service makes only one attempt at authentication for Kerberos or certificate authentication.
Configuring Kerberos for Directories Management
Kerberos authentication allows users who are successfully signed in to their Active Directory domain to access their apps portal without additional credential prompts. You enable Windows authentication to allow the Kerberos protocol to secure interactions between users' browsers and the Directories Management service. You do not need to directly configure Active Directory to make Kerberos function with your deployment.
3 On the Join Domain page, enter the information for the Active Directory domain.
  Option | Description
  Domain | Enter the fully qualified domain name of the Active Directory. The domain name you enter must be the same Windows domain as the connector server.
  Domain User | Enter the user name of an account in the Active Directory that has permissions to join systems to that Active Directory domain.
  Domain Password | Enter the password associated with the AD Username.
Kerberos authentication works in conjunction with Directories Management on Windows operating systems.

Note Do not implement these Kerberos-related steps on other operating systems.

Prerequisites
Configure the Internet Explorer browser for each user or provide users with the instructions after you configure Kerberos.

Procedure
1 Verify that you are logged into Windows as a user in the domain.
2 In Internet Explorer, enable automatic log in.
5 Verify that Internet Explorer is allowed to pass the Windows authentication to the trusted site.
  a In the Internet Options dialog box, click the Advanced tab.
  b Select Enable Integrated Windows Authentication.
    This option takes effect only after you restart Internet Explorer.
  c Click OK.
6 Log in to the Web interface to check access.
  If Kerberos authentication is successful, the test URL goes to the Web interface.
The Kerberos protocol secures all interactions between this Firefox browser instance and Directories Management. Now, users can use single sign-on to access their My Apps portal.

Configure the Chrome Browser to Access the Web Interface
You must configure the Chrome browser if Kerberos is configured for your deployment and if you want to grant users access to the Web interface using the Chrome browser.
In a high availability environment, all nodes must serve the same set of Active Directories, users, authentication methods, etc. The most direct method to accomplish this is to promote the Identity Provider to the cluster by setting the load balancer host as the Identity Provider host. With this configuration, all authentication requests are directed to the load balancer, which forwards the request to either connector as appropriate.
  c Select the Select All check box.
  d Click Select.
  e Click Next.
  f Click to add additional users. For example, enter as CN-username,CN=Users,OU-myUnit,DC=myCorp,DC=com.
    To exclude users, click + to create a filter to exclude some types of users. You select the user attribute to filter by, the query rule, and the value.
  g Click Next.
9 Review the page to see how many users and groups are syncing to the directory and click Sync Directory.
Scenario: Configure Smart Card Authentication for vRealize Automation
As a system administrator, you must configure smart card authentication for your vRealize Automation deployment using Directories Management.

Directories Management supports multiple identity providers and connector clusters for each configured Active Directory.
Generate a Connector Activation Token
Before you deploy the connector virtual appliance to use for smart card authentication, generate an activation code for the new connector from the vRealize Automation console. The activation code is used to establish communication between Directories Management and the connector.

You can configure a single connector or a connector cluster. If you want to use a connector cluster, repeat this procedure for each connector that you need.
Page | Description
Name and Location | Enter a name for the virtual appliance. The name must be unique within the inventory folder and can contain up to 80 characters. Names are case sensitive. Select a location for the virtual appliance.
Host / Cluster | Select the host or cluster to run the deployed template.
Resource Pool | Select the resource pool.
Storage | Select the location to store the virtual machine files.
Disk Format | Select the disk format for the files.
Procedure
1 To run the Setup wizard, enter the connector URL that was displayed in the Console tab after the OVA was deployed.
2 On the Welcome Page, click Continue.
3 Create strong passwords for the following connector virtual appliance administrator accounts.
  Strong passwords should be at least eight characters long and include uppercase and lowercase characters and at least one digit or special character.
Prerequisites
Generate a Certificate Signing Request (CSR) and obtain a valid, signed certificate from a CA. If your organization provides SSL certificates that are signed by a CA, you can use these certificates. The certificate must be in the PEM format.

Procedure
1 Log in to the connector appliance administrative page as an admin user at the following location:
    Https://myconnector.mycompany:8443/cfg
2 In the administration console, click Appliance Settings.
Certificate Chain Example
WdR9Vpg3WQT5+C3HU17bUOwvhp/rjlQvt90+
...
...
...
O05j5xsxzDJfWr1lqBlFF/OkIYCPW53+cyK1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
dR9Vpg3WQTjlQvt9W5+C3HU17bUOwvhp/r0+
...
...
...
5j5xsxzDJfWr1lqW53+O0BlFF/OkIYCPcyK1
-----END CERTIFICATE-----

Private Key Example
-----BEGIN RSA PRIVATE KEY-----
jlQvtg3WQT5+C3HU17bU9WdR9VpOwvhp/r0+
...
...
...
6 Select the external connector or connectors that you configured for smart card authentication.
  Note If the deployment is located behind a load balancer, enter the load balancer URL.
7 Select the network for access to this identity provider.
8 Click Add.

Configure Certificate Authentication and Configure Default Access Policy Rules
You must configure your external connection for use with your vRealize Automation Active Directory and domain.
Prerequisites
Log in to the vRealize Automation console as a tenant administrator.

Procedure
1 Select Administration > Users & Groups > Directory Users & Groups.
2 Enter a user or group name in the Search box and press Enter.
  Do not use an at sign (@), backslash (\), or slash (/) in a name. You can optimize your search by typing the entire user or group name in the form user@domain.
3 Click the name of the user or group to which you want to assign roles.
4 (Optional) Enter a description in the New Group Description text box.
5 Select one or more roles from the Add Roles to this Group list.
  The Authorities Granted by Selected Roles list indicates the specific authorities you are granting.
6 Click Next.
7 Add users and groups to create your custom group.
  a Enter a user or group name in the Search box and press Enter.
    Do not use an at sign (@), backslash (\), or slash (/) in a name.
Procedure
1 Select Administration > Users and Groups > Business Groups.
2 Click the Add icon.
3 Configure the business group details.
  a Enter a name in the Name text box.
  b Enter a description in the Description text box.
  c Type one or more user names or group names in the Send manager emails to text box and press Enter.
    Multiple entries must be separated with commas. For example, JoeAdmin@mycompany.com,WeiMgr@mycompany.com.
  d Add custom properties.
Fabric administrators can allocate resources to your business group by creating a reservation. Business group managers can create entitlements for members of the business group.

What to do next
- Create a reservation for your business group based on where the business group provisions machines. See Choosing a Reservation Scenario.
- If the catalog items are published and the services exist, you can create an entitlement for the business group members.
Problem
When you view user information in environments with a large number of users, the user names are slow to load in the user interface.

Cause
The extended time required to load the names occurs in environments with a large Active Directory environment.

Solution
- To reduce the retrieval workload, use Active Directory groups or custom groups whenever possible rather than adding hundreds of individual members by name.
4 Scenario: Create a Custom Group for Your Rainpole Architects
  Using your tenant administrator privileges, you create a custom group for members of your IT organization who need highly privileged access to vRealize Automation. You assign roles to this custom group as you configure vRealize Automation.
Option | Input
Email | Enter an email address or use the placeholder test_user@rainpole.com.
Username | test_user
Password | VMware1!

11 Click OK.
12 Click the Administrators tab.
13 Enter Rainpole in the Tenant administrators search box and press Enter.
  Select your Rainpole tenant admin user. The tenant administrator role is assigned to your Rainpole tenant admin user.
14 Click Finish.
15 Log out of the console.
Option | Sample Input
Bind DN | Enter the full distinguished name (DN), including common name (CN), of an Active Directory user account that has privileges to search for users. For example, cn=config_admin infra,cn=users,dc=rainpole,dc=local.
Bind DN Password | Enter the Active Directory password for the account that can search for users.

6 Click the Test Connection button to test the connection to the configured directory.
7 Click Save & Next.
2 Deselect the Use default check box.
3 Follow the prompts to create a header.
4 Click Next.
5 Follow the prompts to create a footer.
6 Click Finish.
  The console is updated with your changes.
7 Select Administration > Branding > Login Screen Branding.
8 Follow the prompts to customize the login screen branding.
9 Click Save.
  The console is updated with your changes.

You updated the look and feel of the console for the default tenant.
Option | Description
XaaS architect | For Advanced and Enterprise licensed users, create and manage XaaS blueprints.
Software architect | For Enterprise licensed users, create and manage software components and application blueprints.

5 Click Next.
6 Search for corporate active directory users and select users to add to your custom group.
What to do next
Using the IaaS administrator privileges you granted your custom group, you can configure your IaaS resources.
Create Additional Tenants
As a system administrator, you can create additional vRealize Automation tenants so that users can access the appropriate applications and resources that they need to complete their work assignments. A tenant is a group of users with specific privileges who work within a software instance.
2 Click the Add icon.
3 Enter a name in the Name text box.
4 (Optional) Enter a description in the Description text box.
5 Enter a unique identifier for the tenant in the URL Name text box. This URL token is used to append a tenant-specific identifier to the vRealize Automation console URL. For example, enter mytenant to create the URL https://vrealize-appliancehostname.domain.name/vcac/org/mytenant.
Appoint Administrators
You can appoint one or more tenant administrators and IaaS administrators from the identity stores you configured for a tenant. Tenant administrators are responsible for configuring tenant-specific branding, as well as managing identity stores, users, groups, entitlements, and shared blueprints within the context of their tenant.
The Login Screen Branding page displays the currently implemented tenant login branding in the Preview pane.
Note: After saving new tenant login page branding, there may be a delay of up to five minutes before it becomes visible on all login pages.
Prerequisites
To use a custom logo or other image with your branding, you must have the appropriate files available.
Procedure
1 Log in to vRealize Automation as a system or tenant administrator.
Procedure
1 Log in to vRealize Automation as a system or tenant administrator.
2 Click the Administration tab.
3 Select Branding > Application Branding.
4 Click the Header tab if it is not already active.
5 If you want to use the default vRealize Automation branding, click the Use Default check box.
6 To implement custom branding, make the appropriate selections in the fields on the Header and Footer tabs.
Configure an outbound mail server to send notifications.
Do you want users to be able to respond to notifications? If yes, configure an inbound mail server to receive notifications.
Enable notifications for any events you want to allow users to receive updates for.
Do you want to customize the templates for IaaS notifications? If yes, edit the configuration files that control IaaS notifications.
Table 2‑9. Checklist for Configuring Notifications
Task | Required Role
Configure an outbound email server to send notifications. | System administrators configure default global servers. Tenant administrators configure servers for their tenants.
(Optional) Configure an inbound email server so that users can complete tasks by responding to notifications. | System administrators configure default global servers.
Configuring Global Email Servers for Notifications
Tenant administrators can add email servers as part of configuring notifications for their own tenants. As a system administrator, you can set up global inbound and outbound email servers that appear to all tenants as the system defaults. If tenant administrators do not override these settings before enabling notifications, vRealize Automation uses the globally configured email servers.
18 Click Add.
Create a Global Outbound Email Server
System administrators create a global outbound email server to handle outbound email notifications. You can create only one outbound server, which appears as the default for all tenants. If tenant administrators do not override these settings before enabling notifications, vRealize Automation uses the globally configured email server.
Prerequisites
Log in to the vRealize Automation console as a system administrator.
Add a Tenant-Specific Outbound Email Server
Tenant administrators can add an outbound email server to send notifications for completing work items, such as approvals. Each tenant can have only one outbound email server. If your system administrator has already configured a global outbound email server, see Override a System Default Outbound Email Server.
Prerequisites
• Log in to the vRealize Automation console as a tenant administrator.
12 Choose whether vRealize Automation can accept self-signed certificates from the email server. This option is available only if you enabled encryption.
• Click Yes to accept self-signed certificates.
• Click No to reject self-signed certificates.
13 Click Test Connection.
14 Click Add.
Add a Tenant-Specific Inbound Email Server
Tenant administrators can add an inbound email server so that users can respond to notifications for completing work items, such as approvals.
9 (Optional) Select Delete From Server to delete from the server all processed emails that are retrieved by the notification service.
10 Choose whether vRealize Automation can accept self-signed certificates from the email server. This option is available only if you enabled encryption.
• Click Yes to accept self-signed certificates.
• Click No to reject self-signed certificates.
11 Click Test Connection.
12 Click Add.
11 Choose whether vRealize Automation can accept self-signed certificates from the email server. This option is available only if you enabled encryption.
• Click Yes to accept self-signed certificates.
• Click No to reject self-signed certificates.
12 Click Test Connection.
13 Click Add.
Override a System Default Inbound Email Server
If the system administrator has configured a system default inbound email server, tenant administrators can override this global setting.
10 Choose whether vRealize Automation can accept self-signed certificates from the email server. This option is available only if you enabled encryption.
• Click Yes to accept self-signed certificates.
• Click No to reject self-signed certificates.
11 Click Test Connection.
12 Click Add.
Revert to System Default Email Servers
Tenant administrators who override system default servers can revert the settings back to the global settings.
Configuring Templates for Automatic IaaS Emails
You can configure the templates for automatic notification emails sent to machine owners by the IaaS service about events involving their machines. The events that trigger these notifications include, for example, the expiration or approaching expiration of archive periods and virtual machine leases.
The WebsiteURIInbox object returns the URL of the Inbox tab on the vRealize Automation console, for example https://vcac.mycompany.com/shell-ui-app/org/mytenant/#cafe.work.items.list. To use this object to provide a link to the My Inbox page in the console, consider the following sample lines. Click here for your assigned tasks.
If the machine does not have the Image.WIM.Name property, nothing is returned. The VirtualMachineTemplateEx object returns a specific item of information about the source blueprint of the machine associated with the event triggering the email. The information is determined by the attribute provided with the object; see the table Selected Attributes of the VirtualMachineTemplateEx Email Object for more information.
• LeaseAboutToExpire
• LeaseExpired
• LeaseExpiredPowerOff
• ManagerLeaseAboutToExpire
• ManagerLeaseExpired
• ManagerReclamationExpiredLeaseModified
• ManagerReclamationForcedLeaseModified
• ReclamationExpiredLeaseModified
• ReclamationForcedLeaseModified
• VdiRegister
• VdiUnregister
Prerequisites
Log in to the IaaS Manager Service host using administrator credentials.
Procedure
1 Change to the directory \Templates.
What to do next
If you are working in a high availability load balancer environment, repeat this procedure for all the virtual appliances in the HA environment.
Subscribe to Notifications
If your administrators have configured notifications, you can subscribe to receive notifications from vRealize Automation. Notification events can include the successful completion of a catalog request or a required approval.
Prerequisites
Log in to the vRealize Automation console.
6 Copy the Console.rdp file to the directory vRA_installation_dir\Website\Rdp.
Your IaaS architects can add the RDP custom properties to Windows machine blueprints, and then catalog administrators can entitle users to the Connect Using RDP action. See Add RDP Connection Support to Your Windows Machine Blueprints.
Your fabric administrator can apply the appropriate location to compute resources located in each datacenter. See Scenario: Apply a Location to a Compute Resource for Cross Region Deployments.
Configuring vRealize Orchestrator and Plug-Ins
VMware vRealize™ Orchestrator™ is an automation and management engine that extends vRealize Automation to support XaaS and other extensibility.
What to do next
Repeat the procedure for all of the tenants for which you want to define a default workflow folder.
Configure an External vRealize Orchestrator Server
You can set up vRealize Automation to use an external vRealize Orchestrator server. System administrators can configure the default vRealize Orchestrator server globally for all tenants. Tenant administrators can configure the vRealize Orchestrator server only for their tenants.
8 Click Update.
You configured the connection to the external vRealize Orchestrator server, and the vCAC workflows folder and the related utility actions are automatically imported. The vCAC > ASD workflows folder contains workflows for configuring endpoints and creating resource mappings.
What to do next
Configure the vRealize Orchestrator plug-ins as endpoints. See Configuring XaaS Resources.
Procedure
1 Navigate to the vRealize Automation appliance management console by using its fully qualified domain name, https://vra-va-hostname.domain.name.
2 Click vRealize Orchestrator Client. The client file is downloaded.
3 Click the download and follow the prompts.
4 On the vRealize Orchestrator log in page, enter the IP or the domain name of the vRealize Automation appliance in the Host name text box, and 443 as the default port number.
3 Configuring Resources
You can configure resources such as endpoints, reservations, and network profiles to support vRealize Automation blueprint definition and machine provisioning.
Table 3‑1. Checklist for Configuring IaaS Resources
Task | vRealize Automation Role | Details
Store administrator-level credentials to your infrastructure. | IaaS administrator | Store User Credentials.
5 Enter the user name in the User name text box.
Platform Format and Details vSphere domain\username Provide credentials with permission to modify custom attributes. username as specified in the endpoint user interface vCloud Air Provide credentials for an organization administrator with rights to connect by using VMware Remote Console.
What to do next
Now that your credentials are stored, you are ready to create an endpoint. See Choosing an Endpoint Scenario.
Choosing an Endpoint Scenario
You create the endpoints that allow vRealize Automation to communicate with your infrastructure. Depending on your machine provisioning needs, the procedure to create an endpoint differs. Choose an endpoint scenario based on the target endpoint type.
Table 3‑2.
Procedure
1 Select Infrastructure > Endpoints > Endpoints.
2 Select New Endpoint > Cloud > Amazon EC2.
3 Enter a name and, optionally, a description. Typically this name indicates the Amazon Web Services account that corresponds to this endpoint.
4 Select the Credentials for the endpoint. Only one endpoint can be associated with an Amazon access key ID.
3 Add a new instance type, specifying the following parameters. Information about the available Amazon instance types and the setting values that you can specify for these parameters is available from Amazon Web Services documentation in EC2 Instance Types Amazon Web Services (AWS) at aws.amazon.com/ec2 and Instance Types at docs.aws.amazon.com.
4 Enter the URL for the endpoint in the Address text box. This specifies the fully qualified host name or IP address of the OpenStack keystone identity server. The URL must be of the format FQDN:5000 or IP_address:5000. For example: http://openstack.mycompany.com:5000.
Note: Do not include the /v2.0 suffix in the endpoint address.
5 Select the Credentials for the endpoint.
4 Accept the default vCloud Air endpoint address in the Address text box or enter a new one. The default vCloud Air endpoint address is https://vca.vmware.com, as specified in the Default URL for vCloud Air endpoint global property.
5 Select the Credentials for the endpoint. The credentials must be those of the vCloud Air subscription service or OnDemand account administrator.
2 Select New Endpoint > Cloud > vCloud Director.
3 Enter a name and, optionally, a description.
4 Enter the URL of the vCloud Director server in the Address text box. The URL must be of the type FQDN or IP_address. For example, https://mycompany.com.
5
6 Select the Credentials for the endpoint.
• To connect to the vCloud Director server and specify the organization for which the user has the administrator role, use organization administrator credentials.
What to do next
Create a Fabric Group.
Create a vRealize Orchestrator Endpoint
You can configure multiple endpoints to connect to different vRealize Orchestrator servers, but you must configure a priority for each endpoint. When executing vRealize Orchestrator workflows, vRealize Automation tries the highest priority vRealize Orchestrator endpoint first.
You can associate a vRealize Orchestrator endpoint with a machine blueprint to make sure that all of the vRealize Orchestrator workflows for machines provisioned from that blueprint are run using that endpoint. vRealize Automation by default includes an embedded vRealize Orchestrator instance. It is recommended that you use this as your vRealize Orchestrator endpoint for running vRealize Automation workflows in a test environment or creating a proof of concept.
Create a Hyper-V (SCVMM) Endpoint
IaaS administrators create endpoints to allow vRealize Automation to communicate with your SCVMM environment and discover compute resources, collect data, and provision machines.
Prerequisites
• Log in to the vRealize Automation console as an IaaS administrator.
• Store User Credentials.
Procedure
1 Select Infrastructure > Endpoints > Endpoints.
2 Select New Endpoint > Virtual > Hyper-V (SCVMM).
3 Enter a name in the Name text box.
2 Enter the fully qualified DNS name of your Hyper-V server in the Compute resource text box.
3 Select the proxy agent that your system administrator installed for this endpoint from the Proxy agent name drop-down menu.
4 (Optional) Enter a description in the Description text box.
5 Click OK.
vRealize Automation can now discover your compute resources.
What to do next
Add the compute resources from your endpoint to a fabric group. See Create a Fabric Group.
Create a vSphere Endpoint
You can create endpoints that allow vRealize Automation to communicate with the vSphere environment and discover compute resources, collect data, and provision machines. For configurations that support vCloud Networking and Security or NSX, see Create a vSphere Endpoint with Network and Security Integration.
Prerequisites
• Log in to the vRealize Automation console as an IaaS administrator.
vRealize Automation can now discover your compute resources.
Important: Renaming vSphere assets after discovery can cause provisioning to fail.
What to do next
Add the compute resources from your endpoint to a fabric group. See Create a Fabric Group.
Create a vSphere Endpoint with Network and Security Integration
You can create endpoints that allow vRealize Automation to communicate with the vSphere environment, and a vCloud Networking and Security or NSX instance.
7 Configure a networking solution platform. This step is required for enabling NSX networking and security features.
a Select Specify manager for network and security platform.
b Enter the URL for the vCloud Networking and Security or NSX instance in the Address text box. The URL must be of the type: https://hostname or https://IP_address. For example, https://nsx-manager.
c Select the Credentials for the endpoint.
8 (Optional) Add any custom properties.
5 Click OK.
vRealize Automation can now discover your compute resources.
What to do next
Add the compute resources from your endpoint to a fabric group. See Create a Fabric Group.
Create a XenServer Endpoint
You can create endpoints to allow vRealize Automation to communicate with the XenServer environment and discover compute resources, collect data, and provision machines.
Prerequisites
• Log in to the vRealize Automation console as an IaaS administrator.
Table 3‑3. CSV File Fields and Their Order for Importing Endpoints
Field | Description
InterfaceType | (Required) You can upload multiple types of endpoints in a single file.
• vCloud Air
• vCloud Director
• vRealize Orchestrator
• vSphere
• Amazon EC2
• OpenStack
• NetAppOnTap
• SCVMM
• KVM
Address | (Required for all interface types except Amazon) URL for the endpoint.
5 Click Open. A CSV file opens that contains a list of endpoints in the following format:
InterfaceType,Address,Credentials,Name,Description
vCloud,https://abxpoint2vco,svc-admin,abxpoint2vco,abxpoint
6 Click Import.
You can edit and manage your endpoints through the vRealize Automation console.
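A pre-import check for the endpoint CSV described above, as an added example that is not part of the VMware documentation. It assumes the file carries the header line shown in the format sample; the cleartext-HTTP warning and the rejection of credentials embedded in the Address URL are checks added here, not product rules, and every sample row except the first is constructed.

```python
import csv
import io
from urllib.parse import urlsplit

# Field order taken from the format line shown on the page.
EXPECTED_HEADER = ["InterfaceType", "Address", "Credentials", "Name", "Description"]

# Constructed sample. Row 2 is the page's own row; row 3 reuses the page's
# OpenStack example URL; the remaining rows and credential names are invented.
SAMPLE = "\n".join([
    "InterfaceType,Address,Credentials,Name,Description",
    "vCloud,https://abxpoint2vco,svc-admin,abxpoint2vco,abxpoint",
    "OpenStack,http://openstack.mycompany.com:5000,os-admin,openstack1,lab",
    "vSphere,,vc-admin,vcenter1,address left out",
    "Amazon EC2,,aws-key,aws-east,no address needed",
    "vSphere,https://admin:secret@vcenter2.example,vc-admin,vcenter2,password in URL",
])


def check_address(address):
    """Return (severity, message) pairs for one Address value."""
    try:
        parts = urlsplit(address)
    except ValueError:
        return [("error", "Address cannot be parsed as a URL")]
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return [("error", "Address is not an http(s) URL")]
    issues = []
    if parts.username or parts.password:
        # Credentials belong in the stored credential named in column 3.
        issues.append(("error", "Address embeds a user name or password"))
    if parts.scheme == "http":
        issues.append(("warning", "Address uses cleartext HTTP"))
    return issues


def lint_endpoint_csv(text):
    """Return a list of (line_number, severity, message) findings."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader, None)
    if header is None or [h.strip() for h in header] != EXPECTED_HEADER:
        return [(1, "error", "header must be " + ",".join(EXPECTED_HEADER))]
    findings = []
    for row in reader:
        line_no = reader.line_num
        if not any(cell.strip() for cell in row):
            continue  # ignore blank lines
        if len(row) != len(EXPECTED_HEADER):
            findings.append((line_no, "error",
                             f"expected {len(EXPECTED_HEADER)} fields, found {len(row)}"))
            continue
        interface_type, address, _creds, _name, _desc = (c.strip() for c in row)
        if not interface_type:
            findings.append((line_no, "error", "InterfaceType is required"))
        if not address:
            # The page: Address is required for all interface types except Amazon.
            if "amazon" not in interface_type.lower():
                findings.append((line_no, "error", "Address is required"))
            continue
        for severity, message in check_address(address):
            findings.append((line_no, severity, message))
    return findings


if __name__ == "__main__":
    for line_no, severity, message in lint_endpoint_csv(SAMPLE):
        print(f"line {line_no}: {severity}: {message}")
```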
c Enter the expected endpoint name in the Name text box.
d Click OK.
The proxy agent can communicate with the endpoint and data collection is successful.
Troubleshooting Locate the vCloud Air Management URL for an Organization Virtual Data Center
To create a vCloud Air endpoint, you must provide vRealize Automation with the required vCloud Air region and the management URL.
3 Enter a name in the Name text box.
4 (Optional) Enter a description in the Description text box.
5 Enter a user name or group name in the Fabric administrators text box and press Enter. Repeat this step to add multiple users or groups to the role.
6 Click one or more Compute resources to include in your fabric group. Only resources that exist on the clusters you select for your fabric group are discovered during data collection.
Procedure
1 Click Infrastructure > Administration > Machine Prefixes.
2 Click New.
3 Enter the machine prefix in the Name text box.
4 Enter the number of counter digits in the Number of Digits text box.
5 Enter the counter start number in the Next Number text box.
6 Click the Save icon.
Tenant administrators can create business groups so that users can access vRealize Automation to request machines.
Procedure
1 Select Infrastructure > Reservations > Key Pairs.
2 Click New.
3 Enter a name in the Name text box.
4 Select a cloud region from the Compute resource drop-down menu.
5 Click the Save icon.
The key pair is ready to use when the Secret Key column has the value ************.
Upload the Private Key for a Key Pair
You can upload the private key for a key pair in PEM format.
3 Click the Export icon.
4 Browse to the location that you want to save the file and click Save.
Creating a Network Profile
You can use network profiles to specify network settings in reservations, relative to a network path. With some machine types, you can specify a network profile when you work with blueprints in the design canvas. You specify an external network profile when you create reservations and blueprints.
Table 3‑4. Available Network Types for a vRealize Automation Network Profile
Network Type | Description
External | Existing physical or logical networks configured on the vSphere server. They are the external part of the NAT and routed networks types. An external network profile can define a range of static IP addresses available on the external network. An external network profile with a static IP range is a prerequisite for NAT and routed networks.
If a network profile is specified in the blueprint (by using the VirtualMachine.NetworkN.ProfileName custom property) and by a reservation that is used by the blueprint, the network profile specified in the blueprint takes precedence. However, if the custom property is not used in the blueprint, and you select a network profile for a machine NIC, vRealize Automation uses a reservation network path for the machine NIC for which the network profile is specified.
5 (Optional) Enter the default IP gateway address in the Gateway text box. The gateway address is required for a one-to-one NAT network profile.
6 (Optional) In the DNS/WINS group, enter values as needed. The external network profile provides these values.
Configure a Static IP Range in a Network Profile
You can define one or more ranges of static IP addresses in the network profile for use in provisioning a machine.
8 (Optional) Filter IP address entries to only those that match.
a Click in the Defined IP Addresses text boxes.
b Enter a partial IP address or machine name, or select a date from the Last Modified drop-down calendar. The IP addresses that match the filter criteria appear.
9 Click OK.
What to do next
You can assign a network profile to a network path in a reservation or a blueprint creator can specify the network profile in a blueprint.
6 In the DNS/WINS group, enter values as needed.
What to do next
You can configure IP ranges for static IP addresses. See Configure External Network Profile IP Ranges.
Configure External Network Profile IP Ranges
You can define zero or more ranges of static IP addresses for use in provisioning a network. An external network profile must have at least one static IP range for use with routed and NAT network profiles.
8 (Optional) Filter IP address entries to only those that match.
a Click in the Defined IP Addresses text boxes.
b Enter a partial IP address or machine name, or select a date from the Last Modified drop-down calendar. The IP addresses that match the filter criteria appear.
9 Click OK.
Create a NAT Network Profile
You can create a NAT network profile template to define a NAT network and assign ranges of static IP and DHCP addresses to it.
5
6 Select a NAT type from the drop-down menu.
Option | Description
One-to-One | Assign an external static IP address to each network adapter. Every machine can access the external network and is accessible from the external network.
One-to-Many | One external IP address is shared among all machines on the network. An internal machine can have either DHCP or static IP addresses.
6 Click OK. The newly defined IP address range appears in the Defined Ranges list. The IP addresses in the range appear in the Defined IP Addresses list.
7 (Optional) Upload one or more IP addresses from a CSV file. A row in the CSV file has the format ip_address,mname,status.
CSV Field | Description
ip_address | An IP address
mname | Name of a managed machine in vRealize Automation. If the field is empty, defaults to no name.
Prerequisites
• Log in to the vRealize Automation console as a fabric administrator.
• Create an External Network Profile.
• Verify that the NSX logical router is configured in the vSphere Client to use the routed network profile. See NSX Administration Guide.
Procedure
1 Select Infrastructure > Reservations > Network Profiles.
2 Select New Network Profile > Routed.
3 Enter a name and, optionally, a description.
2 Click Generate Ranges. You must enter the subnet mask, range subnet mask, and base IP addresses on the Network Profile Information tab before you can generate IP ranges. Starting with the base IP address, vRealize Automation generates ranges based on the range subnet mask. For example, vRealize Automation generates ranges of 254 IP addresses if the subnet mask is 255.255.0.0 and the range subnet mask is 255.255.255.0.
3 Click New Network Range.
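The range arithmetic in the Generate Ranges example, worked through as an added example that is not VMware's implementation. It assumes each generated range excludes the network and broadcast address of its block (which is what yields 254 addresses per 255.255.255.0 block) and that the first range begins at the base IP address; the base address 10.10.0.1 and the existing range used for the overlap check are constructed values.

```python
import ipaddress


def generate_ranges(base_ip, subnet_mask, range_subnet_mask):
    """Split the profile subnet into usable ranges sized by the range subnet mask.

    Returns a list of (first_address, last_address) tuples, starting at base_ip.
    """
    network = ipaddress.ip_network(f"{base_ip}/{subnet_mask}", strict=False)
    range_prefix = ipaddress.ip_network(f"0.0.0.0/{range_subnet_mask}").prefixlen
    if range_prefix < network.prefixlen:
        raise ValueError("range subnet mask is wider than the subnet mask")
    if range_prefix > 30:
        raise ValueError("range subnet mask leaves no usable host addresses")
    base = ipaddress.ip_address(base_ip)
    ranges = []
    for block in network.subnets(new_prefix=range_prefix):
        # Assumption: skip the block's network and broadcast addresses,
        # and never hand out anything below the base IP address.
        first = max(block.network_address + 1, base)
        last = block.broadcast_address - 1
        if first <= last:
            ranges.append((first, last))
    return ranges


def find_overlaps(ranges, existing):
    """Report generated ranges that intersect ranges already defined elsewhere.

    existing is a list of (start, end) strings, for example static ranges
    exported from another network profile.
    """
    hits = []
    for start, end in existing:
        low, high = ipaddress.ip_address(start), ipaddress.ip_address(end)
        for first, last in ranges:
            if first <= high and low <= last:
                hits.append((str(first), str(last), start, end))
    return hits


if __name__ == "__main__":
    # Masks from the page's example; the base address is constructed.
    generated = generate_ranges("10.10.0.1", "255.255.0.0", "255.255.255.0")
    print(len(generated), "ranges, first:", generated[0][0], "-", generated[0][1])
    # Constructed static range that is already in use by another profile.
    for hit in find_overlaps(generated, [("10.10.3.200", "10.10.4.20")]):
        print("overlap: generated %s-%s with existing %s-%s" % hit)
```

Running the overlap check before saving generated ranges catches address conflicts with static ranges that another profile already hands out.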
• OpenStack
• SCVMM
• XenServer
Choosing a Reservation Scenario
You can create reservations to allocate resources to business groups. Depending on your scenario, the procedure to create a reservation differs. Choose a reservation scenario based on the target endpoint type. Each business group must have at least one reservation for its members to provision machines of that type.
A business group can have multiple reservations on one endpoint or reservations on multiple endpoints. The allocation model for a reservation depends on the allocation model in the associated datacenter. Available allocation models are Allocation Pool, Pay As You Go, and Reservation Pool. For information about allocation models, see the vCloud Director or vCloud Air documentation.
• If the request specifies an allocation model, the allocation model in the reservation must match the allocation model in the request.
• If the blueprint specifies a reservation policy, the reservation must belong to that reservation policy.
Reservation policies are a way to guarantee that the selected reservation satisfies any additional requirements for provisioning machines from a specific blueprint.
When you create an Amazon reservation or configure a machine component in the blueprint, you can choose from the list of security groups that are available to the specified Amazon account region. Security groups are imported during data collection. For information about creating and using security groups in Amazon Web Services, see Amazon documentation.
Prerequisites
• Log in to the vRealize Automation console as a fabric administrator.
• Verify that a tenant administrator created at least one business group.
• Verify that a compute resource exists.
• Configure network settings.
• (Optional) Configure network profile information.
• Verify that you have access to a desired Amazon network. For example, if you want to use VPC, verify that you have access to an Amazon Virtual Private Cloud (VPC) network.
For related information about load balancers, see Configuring vRealize Automation.
Prerequisites
Specify Amazon Reservation Information.
Procedure
1 Click the Resources tab.
2 Select a compute resource on which to provision machines from the Compute resource drop-down menu. Available Amazon regions are listed.
3 (Optional) Enter a number in the Machine quota text box to set the maximum number of machines that can be provisioned on this reservation.
9 Select one or more available load balancers from the Load balancers list. If you are using the elastic load balancer feature, select one or more available load balancers that apply to the selected locations or subnets.
You can save the reservation now by clicking Save. Or you can add custom properties to further control reservation specifications. You can also configure email alerts to send notifications when resources allocated to this reservation become low.
The reservation is saved and appears in the Reservations list.
What to do next
You can configure optional reservation policies or begin preparing for provisioning. Users who are authorized to create blueprints can create them now.
Create an OpenStack Reservation
You must allocate resources to machines by creating a reservation before members of a business group can request machine provisioning. Create an OpenStack reservation.
• Configure network settings.
Procedure
1 Select Infrastructure > Reservations > Reservations.
2 Click the New icon and select the type of reservation to create. Select OpenStack.
3 (Optional) Select an existing reservation from the Copy from existing reservation drop-down menu. Data from the selected reservation appears. You can make changes as required for your new reservation.
4 Enter a name in the Name text box.
3 (Optional) Enter a number in the Machine quota text box to set the maximum number of machines that can be provisioned on this reservation. Only machines that are powered on are counted towards the quota. Leave blank to make the reservation unlimited.
4 Select a method of assigning key pairs to compute instances from the Key pair drop-down menu.
Option | Description
Not Specified | Controls key pair behavior at the blueprint level rather than the reservation level.
Specify Custom Properties and Alerts for OpenStack Reservations
You can associate custom properties with a vRealize Automation reservation. You can also configure alerts to send email notifications when reservation resources are low. Custom properties and email alerts are optional configurations for the reservation. If you do not want to associate custom properties or set alerts, click Save to finish creating the reservation.
Create a vCloud Air Reservation
You must allocate resources to machines by creating a vRealize Automation reservation before members of a business group can request machine provisioning. Each business group must have at least one reservation for its members to provision machines of that type.
Procedure
1 Specify vCloud Air Reservation Information
You can create a reservation for each vCloud Air machine subscription or OnDemand resource.
Procedure
1 Select Infrastructure > Reservations > Reservations.
2 Click the New icon and select the type of reservation to create. The available cloud reservation types are Amazon, OpenStack, vCloud Air, and vCloud Director. Select vCloud Air.
3 (Optional) Select an existing reservation from the Copy from existing reservation drop-down menu. Data from the selected reservation appears. You can make changes as required for your new reservation.
For integrations that use Storage Distributed Resource Scheduler (SDRS) storage, you can select a storage cluster to allow SDRS to automatically handle storage placement and load balancing for machines provisioned from this reservation. The SDRS automation mode must be set to Automatic. Otherwise, select a datastore within the cluster for standalone datastore behavior. SDRS is not supported for FlexClone storage devices.
8 Configure a network path for machines provisioned by using this reservation.
a (Optional) If the option is available, select a storage endpoint from the Endpoint drop-down menu. The FlexClone option is visible in the endpoint column if a NetApp ONTAP endpoint exists and if the host is virtual. If there is a NetApp ONTAP endpoint, the reservation page displays the endpoint assigned to the storage path.
5 (Optional) Check the Encrypted check box to encrypt the property value.
6 (Optional) Check the Prompt User check box to require that the user enter a value. This option cannot be overridden when provisioning.
7 Click Save.
8 (Optional) Add any additional custom properties.
9 Click the Alerts tab.
10 Enable the Capacity Alerts check box to configure alerts to be sent.
11 Use the slider to set thresholds for available resource allocation.
Specify vCloud Director Reservation Information
You can create a reservation for each vCloud Director organization virtual datacenter (VDC). Each reservation is configured for a specific business group to grant them access to request machines on a specified compute resource.
You can control the display of reservations when adding, editing, or deleting by using the Filter By Category option on the Reservations page.
8 Enter a number in the Priority text box to set the priority for the reservation. The priority is used when a business group has more than one reservation. A reservation with priority 1 is used for provisioning over a reservation with priority 2.
9 (Optional) Deselect the Enable this reservation check box if you do not want this reservation active.
Do not navigate away from this page. Your reservation is not complete.
6 Select one or more listed storage paths. The available storage path options are derived from your compute resource selection.
  a Enter a value in the This Reservation Reserved text box to specify how much storage to allocate to this reservation.
  b Enter a value in the Priority text box to specify the priority value for the storage path relative to other storage paths that pertain to this reservation. The priority is used for multiple storage paths.
If configured, alerts are generated daily, rather than when the specified thresholds are reached.
Important: Notifications are only sent if email alerts are configured and notifications are enabled.
Alerts are not available for Pay As You Go reservations that were created with no specified limits.
Prerequisites
Specify Resources and Network Settings for a vCloud Director Reservation.
Procedure
1 Click the Properties tab.
2 Click New.
Network-to-Amazon VPC connectivity is only required if you want to use the guest agent to customize provisioned machines, or if you want to include Software components in your blueprints. For a production environment, you would configure this connectivity officially through Amazon Web Services, but because you are working in a proof of concept environment, you configured a temporary SSH tunnel instead.
2 Click the New icon and select the type of reservation to create. Select Amazon.
3 Enter Amazon Tunnel POC in the Name text box.
4 Select the business group you created for your blueprint architects from the Business Group drop-down menu.
5 Enter 1 in the Priority text box to set this reservation as the highest priority.
Procedure
1 Click the Properties tab.
2 Click New.
3 Configure the tunnel custom properties. Use the private IP address of your Amazon AWS tunnel machine and port 1443, which you assigned for vRealize_automation_appliance_fqdn when you invoked the SSH tunnel.
  Option | Value
  software.ebs.url | https://Private_IP:1443/event-broker-service/api
  software.agent.service.url | https://Private_IP:1443/software-service/api
  agent.download.
The reservation for which a machine is provisioned must satisfy the following criteria:
- The reservation must be of the same platform type as the blueprint from which the machine was requested. A generic virtual blueprint can be provisioned on any type of virtual reservation.
- The reservation must be enabled.
- The compute resource must be accessible and not in maintenance mode.
If multiple reservations meet all of the criteria, the reservation from which to provision a requested machine is determined by the following logic:
- Reservations with higher priority are selected over reservations with lower priority.
- If multiple reservations have the same priority, the reservation with the lowest percentage of its machine quota allocated is selected.
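The selection rules listed above, as an added Python example (not VMware code): it applies the eligibility criteria visible on this page, then orders the remaining reservations by priority and by percentage of machine quota allocated, and reports why a reservation was skipped. The record fields, the GENERIC_VIRTUAL marker, the handling of a missing quota, and the sample reservations are assumptions constructed for illustration; criteria or tie-breakers not shown on this page are not modelled.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence

# Marker for a generic virtual blueprint (name assumed for this example).
GENERIC_VIRTUAL = "generic-virtual"


@dataclass(frozen=True)
class Reservation:
    """Hypothetical record; field names are not vRealize Automation API names."""
    name: str
    platform: str                  # reservation platform type, e.g. "vSphere"
    is_virtual: bool               # True for virtual (not cloud) reservation types
    priority: int                  # priority 1 is used ahead of priority 2
    machine_quota: Optional[int]   # None = no quota set (assumption)
    machines_allocated: int
    enabled: bool = True
    compute_accessible: bool = True
    in_maintenance: bool = False


def rejection_reasons(res: Reservation, blueprint_platform: str) -> List[str]:
    """Return every criterion from the list above that the reservation fails."""
    reasons = []
    same_platform = res.platform == blueprint_platform
    generic_ok = blueprint_platform == GENERIC_VIRTUAL and res.is_virtual
    if not (same_platform or generic_ok):
        reasons.append("platform type does not match the blueprint")
    if not res.enabled:
        reasons.append("reservation is disabled")
    if not res.compute_accessible:
        reasons.append("compute resource is not accessible")
    if res.in_maintenance:
        reasons.append("compute resource is in maintenance mode")
    return reasons


def quota_used_pct(res: Reservation) -> float:
    """Percentage of the machine quota already allocated."""
    if not res.machine_quota:      # None or 0: treated as 0% used (assumption)
        return 0.0
    return 100.0 * res.machines_allocated / res.machine_quota


def select_reservation(reservations: Sequence[Reservation],
                       blueprint_platform: str) -> Optional[Reservation]:
    """Pick the reservation a request would land on, or None if none qualifies."""
    eligible = [r for r in reservations
                if not rejection_reasons(r, blueprint_platform)]
    if not eligible:
        return None
    # Lower priority number wins; equal priority falls back to the lowest
    # percentage of machine quota allocated. Remaining ties keep input order,
    # which is a property of this example only.
    return min(eligible, key=lambda r: (r.priority, quota_used_pct(r)))


# Constructed sample data, not taken from a real deployment.
SAMPLE = [
    Reservation("vs-prod-a", "vSphere", True, 1, 20, 15),            # 75% used
    Reservation("vs-prod-b", "vSphere", True, 1, 40, 10),            # 25% used
    Reservation("vs-cheap", "vSphere", True, 2, 10, 0),              # 0% used, priority 2
    Reservation("vs-disabled", "vSphere", True, 1, 10, 0, enabled=False),
    Reservation("vs-maint", "vSphere", True, 1, 10, 0, in_maintenance=True),
    Reservation("aws-poc", "Amazon", False, 1, 5, 0),
]

if __name__ == "__main__":
    for platform in ("vSphere", GENERIC_VIRTUAL, "Amazon", "OpenStack"):
        chosen = select_reservation(SAMPLE, platform)
        print(platform, "->", chosen.name if chosen else "no eligible reservation")
    for res in SAMPLE:
        why = rejection_reasons(res, "vSphere")
        if why:
            print(res.name, "skipped for vSphere:", "; ".join(why))
```

Running the same check against an export of your own reservations helps explain why requests keep landing on an unexpected reservation, for example one that lacks the security groups you intended as a baseline.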
You select one or more security groups in the reservation to enforce baseline security policy for all component machines provisioned with that reservation in vRealize Automation. Every provisioned machine is added to these specified security groups.
Successful provisioning requires the transport zone of the reservation to match the transport zone of a machine blueprint when that blueprint defines machine networks.
You can control the display of reservations when adding, editing, or deleting by using the Filter By Category option on the Reservations page. Note that test agent reservations do not appear in the reservations list when filtering by category.
Note: After you create a reservation, you cannot change the business group or compute resource associations.
Prerequisites
- Log in to the vRealize Automation console as a fabric administrator.
Specify Resource and Networking Settings for a Virtual Reservation
Specify resource and network settings for provisioning machines from this vRealize Automation reservation.
You can select a FlexClone datastore in your reservation if you have a vSphere environment and storage devices that use NetApp FlexClone technology. SDRS is not supported for FlexClone storage devices.
Prerequisites
Specify Virtual Reservation Information.
Procedure
1 Click the Resources tab.
8 Configure a network path for machines provisioned by using this reservation.
  a (Optional) If the option is available, select a storage endpoint from the Endpoint drop-down menu. The FlexClone option is visible in the endpoint column if a NetApp ONTAP endpoint exists and if the host is virtual. If there is a NetApp ONTAP endpoint, the reservation page displays the endpoint assigned to the storage path.
6 (Optional) Check the Prompt User check box to require that the user enter a value. This option cannot be overridden when provisioning.
7 (Optional) Add any additional custom properties.
8 Click the Alerts tab.
9 Enable the Capacity Alerts check box to configure alerts to be sent.
10 Use the slider to set thresholds for available resource allocation.
11 Enter one or more user email addresses or group names to receive alert notifications in the Recipients text box.
Procedure
1 Select Infrastructure > Reservations > Reservations.
2 Point to a reservation and click Edit.
3 Click the Network tab.
4 Assign a network profile to a network path.
  a Select a network path on which to enable static IP addresses. The network path options are derived from settings on the Resources tab.
  b Map an available network profile to the path by selecting a profile from the Network Profile drop-down menu.
You can add multiple reservations to a reservation policy, but a reservation can belong to only one policy. You can assign a single reservation policy to more than one blueprint. A blueprint can have only one reservation policy.
Note: If you have SDRS enabled on your platform, you can allow SDRS to load balance storage for individual virtual machine disks, or all storage for the virtual machine.
Procedure
1 Select Infrastructure > Reservations > Reservation Policies.
2 Click Add.
3 Enter a name in the Name text box.
4 Select Reservation Policy from the Type drop-down menu.
5 Enter a description in the Description text box.
6 Click Update to save the policy.
Assign a Reservation Policy to a Reservation
You can assign a reservation policy to a reservation when you create the reservation.
A storage reservation policy is essentially a tag applied to one or more datastores or storage profiles by a fabric administrator to group datastores or storage profiles that have similar characteristics, such as speed or price. A datastore or storage profile can be assigned to only one storage reservation policy at a time, but a storage reservation policy can have many different datastores or storage profiles.
Procedure
1 Select Infrastructure > Reservations > Reservation Policies.
2 Click Add.
3 Enter a name in the Name text box.
4 Select Storage Reservation Policy from the Type drop-down menu.
5 Enter a description in the Description text box.
6 Click Update to save the policy.
Assign a Storage Reservation Policy to a Datastore
You can associate a storage reservation policy to a compute resource.
[Figure: workflow overview with the stages Configure Tenant, Configure IaaS Resources, and Design OnDemand Services, with a "You are here" marker.]
Procedure
1 Scenario: Create a Fabric Group for Rainpole
  Using your IaaS administrator privileges, you create a fabric group that contains the compute resources discovered when you created the vSphere endpoint. Assign your custom group of vRealize Automation architects and developers to the fabric administrator role for this group.
What to do next
Using your fabric administrator privileges, you create a machine prefix for your Rainpole architects to use so any machines they provision during development and testing are easily identified.
Scenario: Configure Machine Prefixes for Rainpole
Using your fabric administrator privileges, you create a prefix that you can configure to prepend to machines provisioned by your vRealize Automation architects and developers during development and testing.
  c Enter true in the Value text box.
  d Select Prompt User to allow your architects to turn this feature on or off when they request a catalog item.
Typically, if one component of a catalog item fails to provision, vRealize Automation rolls back all resources for the whole catalog item. You use this custom property to override that behavior so your architects can pinpoint where their blueprints are failing.
5 Select the Resources tab.
6 Enter the resources information from your deployment environment.
  Option | Input
  Compute resources | Select a resource cluster from the drop-down menu.
  Machine quota | Specify the maximum number of powered on machines for this reservation.
  Memory | Specify the maximum amount of memory (MB) this reservation can consume.
  Storage | Select one or more storage paths and reserve space (GB) for this reservation.
- As a system administrator, define the datacenter locations. See Scenario: Add Datacenter Locations for Cross Region Deployments.
Procedure
1 Select Infrastructure > Compute Resources > Compute Resources.
2 Point to the compute resource located in your Boston datacenter and click Edit.
3 Select Boston from the Locations drop-down menu.
4 Click OK.
5 Repeat this procedure as necessary to associate your compute resources to your Boston and London locations.
Prerequisites
- Verify that you have access to a Microsoft Active Directory instance. See the Microsoft Active Directory documentation.
- Log in to the vRealize Automation console as a tenant administrator.
Procedure
1 Select Administration > vRO Configuration > Endpoints.
2 Click the New icon.
3 Select Active Directory from the Plug-in drop-down menu.
4 Click Next.
5 Enter a name and, optionally, a description.
6 Click Next.
8 Configure the shared session settings.
  a Enter the user name for the shared session in the User name for the shared session text box.
  b Enter the password for the shared session in the Password for the shared session text box.
9 Click Finish.
You added an Active Directory instance as an endpoint. XaaS architects can use XaaS to publish Active Directory plug-in workflows as catalog items and resource actions.
8 (Optional) Configure proxy settings.
  a Select Yes to use a proxy from the Use Proxy drop-down menu.
  b Enter the IP of the proxy server in the Proxy address text box.
  c Enter the port number to communicate with the proxy server in the Proxy port text box.
9 Click Next.
10 Select the authentication type.
  Option | Action
  None | No authentication is required.
  OAuth 1.0 | Uses OAuth 1.0 protocol. You must provide the required authentication parameters under OAuth 1.0.
  Option | Action
  NTLM | Provides NT LAN Manager (NTLM) access authentication within the Windows Security Support Provider (SSP) framework. The communication with the host is in shared session mode.
    a Provide the user credentials for the shared session.
      - Enter the user name for the shared session in the Authentication user name text box.
      - Enter the password for the shared session in the Authentication password text box.
  Kerberos
7 Specify the PowerShell host details.
  a Enter the name of the host in the Name text box.
  b Enter the IP address or the FQDN of the host in the Host/IP text box.
8 Select the PowerShell host type to which the plug-in connects.
  Option | Action
  WinRM | a Enter the port number to use for communication with the host in the Port text box under the PowerShell host details.
        | b Select a transport protocol from the Transport protocol drop-down menu.
7 Provide the details about the SOAP host.
  a Enter the name of the host in the Name text box.
  b Select whether to provide the WSDL content as text from the Provide WSDL content drop-down menu.
    Option | Action
    Yes | Enter the WSDL text in the WSDL content text box.
    No | Enter the correct path in the WSDL URL text box.
  c (Optional) Enter the number of seconds before a connection times out in the Connection timeout (in seconds) text box. The default value is 30 seconds.
  Option | Action
  NTLM | Provides NT LAN Manager (NTLM) access authentication in the Windows Security Support Provider (SSP) framework. The communication with the host is in shared session mode.
    a Provide the user credentials.
      - Enter the user name for the shared session in the User name text box.
      - Enter the password for the shared session in the Password text box.
    b Provide the NTLM settings.
      - Enter the domain name in the NTLM domain text box.
  Negotiate
7 Provide information about the vCenter Server instance.
  a Enter the IP address or the DNS name of the machine in the IP or host name of the vCenter Server instance to add text box. This is the IP address or DNS name of the machine on which the vCenter Server instance you want to add is installed.
  b Enter the port to communicate with the vCenter Server instance in the Port of the vCenter Server instance text box. The default port is 443.
4 Providing On-Demand Services to Users
You deliver on-demand services to users by creating catalog items and actions, then carefully controlling who can request those services by using entitlements and approvals.
Software Components
You can create and publish software components to install software during the machine provisioning process and support the software life cycle. For example, you can create a blueprint for developers to request a machine with their development environment already installed and configured. Software components are not catalog items by themselves, and you must combine them with a machine component to create a catalog item blueprint.
XaaS Blueprints
You can publish your vRealize Orchestrator workflows as XaaS blueprints. For example, you can create a custom resource for Active Directory users, and design an XaaS blueprint to allow managers to provision new users in their Active Directory group. You create and manage XaaS components outside of the design tab. You can reuse published XaaS blueprints to create application blueprints, but only in combination with at least one machine component.
Table 4‑1. Choosing Your Import and Export Tool
Tool | More information
vRealize CloudClient | https://developercenter.vmware.com/tools
vRealize Automation REST API | See Programming Guide and REST API Reference in the vRealize Automation documentation at https://www.vmware.com/support/pubs/vcac-pubs.html.
Procedure
1 Scenario: Import the Dukes Bank for vSphere Sample Application
  You download the Dukes Bank for vSphere application from your vRealize Automation appliance. You import the sample application into your vRealize Automation tenant to view a working sample of a multi-tiered vRealize Automation blueprint that includes multiple machine components with networking and software components.
8 When prompted, enter your login password.
9 Validate that the DukesBankAppForvSphere.zip content is available.
    vra content import --path //DukesBankAppForvSphere.zip --dry-run true --resolution overwrite
  By configuring the resolution to overwrite instead of skip, you allow vRealize Automation to correct conflicts when possible.
10 Import the Dukes Bank sample application.
    vra content import --path //DukesBankAppForvSphere.
  c Configure your blueprint to provision at least two instances of this node by selecting a minimum of 2 instances and a maximum of 10. On the request form, users are able to select to provision at least two and up to ten appserver nodes.
  d Click the Build Information tab.
  e Select Cloneworkflow from the Provisioning workflow drop-down menu.
  f Select your dukes_bank_template from the Clone from dialog.
After you configure your Dukes Bank blueprint to display in the catalog, you can request to provision the sample application. See Scenario: Test the Dukes Bank Sample Application.
Scenario: Test the Dukes Bank Sample Application
You request the Dukes Bank catalog item, and log in to the sample application to verify your work and view vRealize Automation blueprint functionality.
  d Select the Network tab.
  e Make a note of the IP address.
7 Log in to the Dukes Bank sample application.
  a Navigate to your load balancer server at http://IP_Apache_Load_Balancer:8081/bank/main.faces. If you want to access the application servers directly, you can navigate to http://IP_AppServer:8080/bank/main.faces.
  b Enter 200 in the Username text box.
  c Enter foobar in the Password text box.
Table 4‑2. Building Your Design Library
Catalog Item | Role | Components | Description | Details
Machines | Infrastructure architect | Create machine blueprints on the Blueprints tab. | You can create machine blueprints to rapidly deliver virtual, private and public, or hybrid cloud machines to your users.
Table 4‑2. Building Your Design Library (Continued)
Catalog Item | Role | Components | Description | Details
Custom IT Services | XaaS architects | Create and publish XaaS blueprints on the XaaS tab. | You can create XaaS catalog items that extend vRealize Automation functionality beyond machine, networking, security, and software provisioning.
Thin Provisioning
Thin provisioning is supported for all virtual provisioning methods. Depending on your virtualization platform, storage type, and default storage configuration, thin provisioning might always be used during machine provisioning. For example, for vSphere ESX Server integrations using NFS storage, thin provisioning is always employed.
Procedure
1 Select Design > Blueprints.
2 Click the New icon.
3 Follow the prompts on the New Blueprint dialog box to configure general settings.
4 Click OK.
5 Click Machine Types in the Categories area to display a list of available machine types.
6 Drag the type of machine you want to provision onto the design canvas.
7 Follow the prompts on each of the tabs to configure machine provisioning details.
8 Click Finish.
Table 4‑3. General Tab Settings (Continued)
Setting | Description
Archive days | You can specify an archival period to temporarily retain deployments instead of destroying deployments as soon as their lease expires. Specify 0 (default) to destroy the deployment when its lease expires. The archival period begins on the day the lease expires. When the archive period ends, the deployment is destroyed.
Table 4‑4. Properties Tab Settings (Continued)
Tab | Setting | Description
 | Name | For a list of custom property names and behaviors, see Custom Properties Reference.
 | Value | Enter the value for the custom property.
 | Encrypted | You can choose to encrypt the property value, for example, if the value is a password.
 | Overridable | You can specify that the property value can be overridden by the next or subsequent person who uses the property.
Table 4‑5. General Tab Settings (Continued)
Setting | Description
Reservation policy | Apply a reservation policy to a blueprint to restrict the machines provisioned from that blueprint to a subset of available reservations.
Table 4‑6. Build Information Tab
Setting | Description
Blueprint type | For record-keeping and licensing purposes, select whether machines provisioned from this blueprint are classified as Desktop or Server.
Action | The options you see in the action drop-down menu depend on the type of machine you select. The following actions are available:
  - Create: Create the machine component specification without use of a cloning option.
Table 4‑6. Build Information Tab (Continued)
Setting | Description
Clone from | For clone or NetApp FlexClone, select a machine template to clone from. For linked clones, select a machine from the list of machines. You only see machines that have available snapshots to clone from, that you manage as a tenant administrator or business group manager.
Clone from snapshot | For linked clones, select an existing snapshot to clone from based on the selected machine template.
Table 4‑8. Storage Tab Settings
Setting | Description
ID | Enter an ID or name for the storage volume.
Capacity (GB) | Enter the storage capacity for the storage volume.
Drive Letter/Mount Path | Enter a drive letter or mount path for the storage volume.
Label | Enter a label for the drive letter and mount path for the storage volume.
Storage Reservation Policy | Enter the existing storage reservation policy to use with this storage volume.
Table 4‑9. Network Tab Settings (Continued)
Setting | Description
Custom Properties | Display custom properties that are configured for the selected network component or network profile.
Maximum network adapters | Specify the maximum number of network adapters, or NICs, to allow for this machine component. The default is unlimited. Set to 0 to disable adding NICs for the machine components.
Table 4‑11. Properties > Custom Properties Tab Settings
Setting | Description
Name | Enter the name of a custom property or select an available custom property from the drop-down menu. For example, enter the custom property name Machine.SSH to specify whether machines provisioned by using this blueprint allow SSH connections. Properties only appear in the drop-down menu if your tenant administrator or fabric administrator created property definitions.
General Tab
Configure general settings for a vCloud Air machine component.
Table 4‑13. General Tab Settings
Setting | Description
ID | Enter a name for your machine component, or accept the default.
Description | Summarize your machine component for the benefit of other architects.
Display location on request | In a cloud environment, such as vCloud Air, this allows users to select a region for their provisioned machines.
Table 4‑14. Build Information Tab
Setting | Description
Blueprint type | For record-keeping and licensing purposes, select whether machines provisioned from this blueprint are classified as Desktop or Server.
Action | The options you see in the action drop-down menu depend on the type of machine you select. The following actions are available:
  - Clone: Make copies of a virtual machine from a template and customization object.
Table 4‑16. Storage Tab Settings
Setting | Description
ID | Enter an ID or name for the storage volume.
Capacity (GB) | Enter the storage capacity for the storage volume.
Drive Letter/Mount Path | Enter a drive letter or mount path for the storage volume.
Label | Enter a label for the drive letter and mount path for the storage volume.
Storage Reservation Policy | Enter the existing storage reservation policy to use with this storage volume.
Table 4‑17. Properties > Custom Properties Tab Settings (Continued)
Setting | Description
Overridable | You can specify that the property value can be overridden by the next or subsequent person who uses the property. Typically, this is another architect, but if you select Show in request, your business users are able to see and edit property values when they request catalog items.
Table 4‑19. General Tab Settings (Continued)
Setting | Description
Reservation policy | Apply a reservation policy to a blueprint to restrict the machines provisioned from that blueprint to a subset of available reservations.
Table 4‑20. Build Information Tab (Continued)
Setting | Description
Key Pair | Key pairs are required for provisioning with Amazon Web Services. Key pairs are used to provision and connect to a cloud instance. They are also used to decrypt Windows passwords and to log in to a Linux machine. The following key pair options are available:
  - Not specified: Controls key pair behavior at the blueprint level rather than at the reservation level.
Table 4‑21. Machine Resources Tab (Continued)
Setting | Description
Storage (GB): Minimum and Maximum | Enter a minimum and maximum amount of storage that can be consumed by machines that are provisioned by this machine component. For vSphere, KVM (RHEV), SCVMM, vCloud Air, and vCloud Director, minimum storage is set based on what you enter on the Storage tab.
Table 4‑22. Properties > Custom Properties Tab Settings (Continued)
Setting | Description
Overridable | You can specify that the property value can be overridden by the next or subsequent person who uses the property. Typically, this is another architect, but if you select Show in request, your business users are able to see and edit property values when they request catalog items.
Table 4‑24. General Tab Settings (Continued)
Setting | Description
Reservation policy | Apply a reservation policy to a blueprint to restrict the machines provisioned from that blueprint to a subset of available reservations.
Table 4‑25. Build Information Tab
Setting | Description
Blueprint type | For record-keeping and licensing purposes, select whether machines provisioned from this blueprint are classified as Desktop or Server.
Table 4‑25. Build Information Tab (Continued)
Setting | Description
Key Pair | Key pairs are optional for provisioning with OpenStack. Key pairs are used to provision and connect to a cloud instance. They are also used to decrypt Windows passwords and to log in to a Linux machine. The following key pair options are available:
  - Not specified: Controls key pair behavior at the blueprint level rather than at the reservation level.
Table 4‑26. Machine Resources Tab
Setting | Description
CPUs: Minimum and Maximum | Enter a minimum and maximum number of CPUs that can be provisioned by this machine component.
Memory (MB): Minimum and Maximum | Enter a minimum and maximum amount of memory that can be consumed by machines that are provisioned by this machine component.
Table 4‑27. Properties > Custom Properties Tab Settings (Continued)
Setting | Description
Overridable | You can specify that the property value can be overridden by the next or subsequent person who uses the property. Typically, this is another architect, but if you select Show in request, your business users are able to see and edit property values when they request catalog items.
Table 4‑29. Causes for Common Clone and Linked Clone Blueprints Problems
Problem | Cause | Solution
Machines missing | You can only create linked clone blueprints by using machines you manage as a tenant administrator or business group manager. | A user in your tenant or business group must request a vSphere machine. If you have the appropriate roles, you can do this yourself.
For machine components that do not have a Network or Security tab, you can add network and security custom properties, such as VirtualMachine.Network0.Name, to their Properties tab in the blueprint canvas. However, NSX load balancer properties are only applicable to vSphere machines.
You can define custom properties individually or as part of an existing property group by using the Properties tab when configuring a machine component in the design canvas.
Scenario: Create a Blueprint for Your Rainpole Machine Component
Using your IaaS architect privileges, create a blueprint and configure the name and description for your vSphere CentOS machine blueprint. A unique identifier is applied to the blueprint, so you can programmatically interact with blueprints or create property bindings if you need to.
4 Select Use group default from the Machine prefix drop-down menu.
  If you plan to import these blueprints into your other environments, selecting the group default instead of the specific Rainpole prefix prevents you from configuring your blueprint to work with a machine prefix that might not be available.
What to do next
You configure the machine component to clone machines from the CentOS template you created.
Software architects and application architects are not allowed to configure machine components, but they can reuse blueprints that contain machine components.
When you finish editing your machine component, you publish your blueprint so other architects can reuse your machine blueprint to design their own catalog items. Your published blueprint is also available to catalog administrators and tenant administrators to include in the service catalog.
[Figure: workflow overview with the stages Configure Tenant, Configure IaaS Resources, and Design OnDemand Services, with a "You are here" marker.]
Procedure
1 Scenario: Install the Guest Agent and Software Bootstrap Agent on Your Rainpole Machine
  Using your business group manager privileges, you log in to the Rainpole001 machine you provisioned as the test user. You install the guest agent and the Software bootstrap agent on your machine to prepare for Software provisioning.
7 Run the prepare_vra_template.sh installer script.
    ./prepare_vra_template.sh
  You can run the help command ./prepare_vra_template.sh --help for information about noninteractive options and expected values.
8 Follow the prompts to complete the installation.
  You see a confirmation message when the installation is successfully completed. If you see an error message and logs in the console, resolve the errors and run the installer script again.
12 Click Finish.
13 Select the row that contains CentOS for Software Testing and click Publish.
You created a linked clone blueprint that you and your architects can use to deliver software on CentOS machines.
What to do next
Use your software architect privileges to create a Software component for installing MySQL.
6 Configure RDP settings.
a Click New Property.
b Enter the RDP custom property names in the Name text box and the corresponding values in the Value text box.

Option | Description and Value
(Required) RDP.File.Name | Specifies an RDP file from which to obtain settings, for example My_RDP_Settings.rdp. The file must reside in the Website\Rdp subdirectory of the vRealize Automation installation directory.
(Required) VirtualMachine.Rdp.
- Gather the following information about your Active Directory environment:
- An Active Directory account user name and password with sufficient rights to delete, disable, rename, or move AD accounts. The user name must be in domain\username format.
- (Optional) The name of the OU to which to move destroyed machines.
- (Optional) The prefix to attach to destroyed machines.
Create a machine blueprint.
Scenario: Allow Requesters to Specify Machine Host Name
As a blueprint architect, you want to allow your users to choose their own machine names when they request your blueprints, so you edit your existing CentOS vSphere blueprint to add the Hostname custom property and configure it to prompt users for a value during their requests.
Scenario: Enable Users to Select Datacenter Locations for Cross Region Deployments
As a blueprint architect, you want to allow your users to choose whether to provision machines on your Boston or London infrastructure, so you edit your existing vSphere CentOS blueprint to enable the locations feature. You have a datacenter in London, and a datacenter in Boston, and you don't want users in Boston provisioning machines on your London infrastructure or vice versa.
Designing Machine Blueprints with NSX Networking and Security
If you have an NSX instance integrated with vRealize Automation, you can configure your vSphere blueprints to leverage NSX for network and security virtualization.
If you have configured vRealize Automation integration with NSX, you can use network, security, and load balancer components in the design canvas to configure your blueprint for machine provisioning.
NSX Settings Tab
If you have configured VMware NSX, and installed the NSX plug-in for vRealize Automation, you can specify NSX transport zone, gateway reservation policy, and app isolation settings when you create or edit a blueprint. These settings are available on the NSX Settings tab on the New Blueprint and Blueprint Properties pages.
For information about configuring NSX, see NSX Administration Guide.
Table 4‑31.
Table 4‑32. Properties Tab Settings
Tab | Setting
Property Groups | Property groups are reusable groups of properties that are designed to simplify the process of adding custom properties to blueprints. Your tenant administrators and fabric administrators can group properties that are often used together so you can add the property group to a blueprint instead of individually inserting custom properties.
Applying an NSX Routed Gateway Reservation Policy to a Blueprint
You can specify a reservation policy to manage the network communications for machines provisioned by the blueprint.
When requesting machine provisioning, the reservation policy is used to group the reservations that can be considered for the deployment. The routed gateway reservation policy is also referred to as an Edge reservation policy. Networking information is contained in each reservation.
The app isolation policy has a lower precedence compared to other security policies in NSX. For example, if the provisioned deployment contains a Web component machine and an App component machine and the Web component machine hosts a Web service, then the service must allow inbound traffic on ports 80 and 443. In this case, users must create a Web security policy in NSX with firewall rules defined to allow incoming traffic to these ports.
Depending on the compute resource, you can select a transport zone that identifies a vSphere endpoint. A transport zone specifies the hosts and clusters that can be associated with logical switches created within the zone. A transport zone can span multiple vSphere clusters. The blueprint and the reservations used in the provisioning must have the same transport zone setting. Transport zones are defined in the NSX and vCloud Networking and Security environments.
Security Policy
A security policy is a set of endpoint, firewall, and network introspection services that can be applied to a security group. You can add security policies to a vSphere virtual machine by using an on-demand security group in a blueprint. You cannot add a security policy directly to a reservation. After data collection, the security policies that have been defined in NSX for a compute resource are available for selection in a blueprint.
You can continue configuring security settings by adding additional security components and by selecting settings in the Security tab of a vSphere machine component in the blueprint canvas.

Add an On-Demand Security Group Component
You can add an on-demand security group component to the design canvas in preparation for associating its settings to one or more vSphere machine components or other available component types in the blueprint.
- Verify that the NSX plug-in for vRealize Automation is installed and that the NSX inventory has executed successfully for your cluster.
To use NSX configurations in vRealize Automation, you must install the NSX plug-in and run data collection.
When you associate an existing network component or on-demand network component with a machine component, the NIC information is stored with the machine component. The network profile information that you specify is stored with the network component. You can add multiple network and security components to the blueprint design canvas. For machine components that do not have a Network or Security tab, you can add network and security custom properties, such as VirtualMachine.
6 (Optional) Click the IP Ranges tab.
The IP range or ranges specified in the network profile are displayed. You can change the sort order or column display. For NAT networks, you can also change IP range values.
7 Click Finish to save the blueprint as draft or continue configuring the blueprint.
3 Enter a name and, optionally, a description.
4 Select an appropriate network profile from the Network Profile drop-down menu.
For example, if you are adding an On-Demand NAT Network component, select a NAT network profile. The following network settings are populated based on your network profile selection.
12 Click Finish to save the blueprint as draft or continue configuring the blueprint.

What to do next
You can continue configuring network settings by adding additional network components and by selecting settings in the Network tab of a vSphere machine component in the blueprint canvas.
- Verify that at least one vSphere machine component exists in the blueprint design canvas.

Procedure
1 Click Network & Security in the Categories section to display the list of available network and security components.
2 Drag an On-Demand Load Balancer component onto the design canvas.
3 Enter a name in the Name text box.
4 Select a machine name from the Machine drop-down menu.
The list contains only vSphere machine components in the active blueprint.
The network and security component settings that you add to the blueprint design canvas are derived from your NSX configuration and require that you have installed the NSX plug-in and run data collection for the NSX inventory for vSphere clusters. Network and security components are specific to NSX and are available for use with vSphere machine components only. For information about configuring NSX, see NSX Administration Guide.
Standardization in Software
With Software, you can create reusable services using standardized configuration properties to meet strict requirements for IT compliance. Software includes the following standardized configuration properties:
- Model-driven architecture that enables adding IT certified machine blueprints and middleware services within the application blueprint.
Table 4‑33. Scripting Examples for the Computed Property Option
Sample String Property: my_unique_id = ""
Script Syntax | Sample Usage
Bash - $my_unique_id | export my_unique_id="0123456789"
Windows CMD - %my_unique_id% | set my_unique_id=0123456789
Windows PowerShell - $my_unique_id | $my_unique_id = "0123456789"

String Property
The string property value can be a string or the value bound to another string property. A string value can contain any ASCII characters.
Sample Array Property: operating_systems = ["Red Hat","Windows","Ubuntu"]
Script Syntax
Bash - ${operating_systems[@]} for the entire array of strings, ${operating_systems[N]} for the individual array element
Windows CMD - %operating_systems_N% where N represents the position of the element in the array
Windows PowerShell - $operating_systems for the entire array of strings, $operating_systems[N]
Sample Usage
for (( i = 0 ; i < ${#operating_systems[@]}; i++ )); do echo $
Binding Software Properties to Other Properties
In several deployment scenarios, a component needs the property value of another component to customize itself. In vRealize Automation, this process is called binding to other properties. You can design your components for property bindings, but you configure the binding when you assemble the blueprint.
Follow these best practices when developing Software components.
- For a script to run without any interruptions, the return value must be set to zero (0). This setting allows the agent to capture all of the properties and send them to the Software server.
- Some installers might need access to the tty console. Redirect the input from /dev/console. For example, a RabbitMQ Software component might use the ./rabbitmq_rhel.
4 (Optional) If you want to control how your Software component is included in blueprints, select a container type from the Container drop-down menu.
Option | Description
Machines | Your Software component must be placed directly on a machine.
One of your published Software components | If you are designing a Software component specifically to install on top of another Software component that you created, select that Software component from the list.
Script Type | Success Status | Error Status | Unsupported Commands
Bash | return 0, exit 0 | return non-zero, exit non-zero | None
Windows CMD | exit /b 0 | exit /b non-zero | Do not use exit 0 or exit non-zero codes.
PowerShell | exit 0 | exit non-zero; | Do not use warning, verbose, debug, or host calls.
8 Select the Reboot checkbox for any script that requires you to reboot the machine.
8 Click New and add and configure each of the following properties for the installation script. Click OK to save each property.
Architects can configure your Software properties to show to users in the request form. Architects can use the Show in Request option to require or request that users fill in values for properties that you mark as overridable.
c Paste the following script.
echo ""
fi
export PATH=$PATH:$JAVA_HOME/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
set -e
# Tested on CentOS
if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
    # SELinux can be disabled by setting "/usr/sbin/setenforce Permissive"
    echo 'SELinux in enabled on this VM template.
c Paste the following script.
echo ""
fi
export PATH=$PATH:$JAVA_HOME/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
set -e
# Locate the my.cnf file
my_cnf_file=
if [ -f /etc/my.cnf ]; then
    my_cnf_file=/etc/my.cnf
elif [ -f /etc/mysql/my.cnf ]; then
    my_cnf_file=/etc/mysql/my.cnf
fi
if [ "x$my_cnf_file" = "x" ]; then
    echo "Neither /etc/my.cnf nor /etc/mysql/my.cnf can be found, stopping configuration"
    exit 1
fi
# update mysql configuration to handle big packets
sed -ie "s/\[mysqld\]/\[my
c Paste the following script.
    #!/bin/sh
    echo "The maximum allowed packet size is: "
d Place the cursor between the colon and the quote mark.
e Select max_allowed_packet_size from the Select a property to insert drop-down menu.
The script now includes the property.
    #!/bin/sh
    echo "The maximum allowed packet size is: $max_allowed_packet_size"
f Click OK.
13 Click Next.
14 Click Finish.
15 Select the row that contains MySQL for Linux Virtual Machines and click Publish.
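The scripts in this scenario receive max_allowed_packet_size as a shell variable, and an overridable property shown in the request form carries whatever the requester typed. The following is an added example, not VMware's script: it checks the value and passes it to awk as data before a life cycle script writes it under [mysqld]. The function names and the accepted format (digits with an optional K, M or G suffix) are assumptions.

```sh
#!/bin/sh
# Added example, not VMware's script. Function names and the accepted value
# format are assumptions made for this illustration.

# Accept only a size literal: digits with an optional K, M or G suffix.
valid_packet_size() {
    case "$1" in
        '' | *[!0-9KMG]*) return 1 ;;   # empty, or any other character (space, quote, slash, newline)
    esac
    printf '%s\n' "$1" | grep -Eq '^[1-9][0-9]{0,9}[KMG]?$'
}

# Set max_allowed_packet in the [mysqld] section of the file named by $2.
# The value is handed to awk as data (-v), never pasted into program text.
set_max_allowed_packet() {
    size=$1
    cnf=$2
    if ! valid_packet_size "$size"; then
        echo "max_allowed_packet_size rejected: expected digits with optional K, M or G" >&2
        return 1
    fi
    if [ ! -f "$cnf" ] || ! grep -Eq '^\[mysqld\][[:blank:]]*$' "$cnf"; then
        echo "no [mysqld] section found in $cnf" >&2
        return 1
    fi
    new=$(awk -v size="$size" '
        /^\[/ {
            in_mysqld = ($0 ~ /^\[mysqld\][ \t]*$/)
            print
            if (in_mysqld) print "max_allowed_packet=" size
            next
        }
        in_mysqld && /^[ \t]*max[_-]allowed[_-]packet[ \t]*=/ { next }   # drop the old setting
        { print }
    ' "$cnf") || return 1
    printf '%s\n' "$new" > "$cnf"
}

# In a life cycle script, where the property arrives as $max_allowed_packet_size
# and $my_cnf_file has been located as in the scenario's script:
#   set_max_allowed_packet "$max_allowed_packet_size" "$my_cnf_file" || exit 1
#   exit 0

# Demonstration on a constructed file; run with: sh thisfile.sh demo
demo() {
    cnf="${TMPDIR:-/tmp}/my.cnf.demo.$$"
    printf '%s\n' '[mysqld]' 'datadir=/var/lib/mysql' 'max_allowed_packet=1M' > "$cnf"
    for v in 16M 1048576 '16 M' '16M/'; do
        if set_max_allowed_packet "$v" "$cnf" 2>/dev/null; then
            echo "accepted: $v"
        else
            echo "rejected: $v"
        fi
    done
    cat "$cnf"
    rm -f "$cnf"
}

if [ "${1:-}" = "demo" ]; then
    demo
fi
```

A rejected value leaves the file untouched and returns non-zero, which the calling script turns into the non-zero exit status that marks the step as failed.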
Table 4‑34. New Software General Settings
Setting | Description
Name | Enter a name for your Software component.
ID | Using the name you specified for your Software component, vRealize Automation creates an ID for the Software component that is unique within your tenant. You can edit this field now, but after you save the blueprint you can never change it.
Table 4‑35. New Software Properties (Continued)
Setting | Description
Overridable | Allow architects to edit the value of this property when they are assembling an application blueprint. If you enter a value, it displays as a default.
Required | Require architects to provide a value for this property, or to accept the default value you supply.
Computed | Values for computed properties are assigned by the INSTALL, CONFIGURE, or START life cycle scripts.
Creating XaaS Blueprints and Resource Actions
The XaaS blueprints can be published as catalog items or used in the blueprint designer. The resource actions are actions that you run on provisioned items.
XaaS uses vRealize Orchestrator to run workflows that provision items or run actions. For example, you can configure the workflows to create vSphere virtual machines, Active Directory users in groups, or PowerShell scripts.
Figure 4‑2.
System administrators can install vRealize Orchestrator or deploy the VMware vRealize™ Orchestrator Appliance™ separately to set up an external vRealize Orchestrator instance and configure vRealize Automation to work with that external vRealize Orchestrator instance. System administrators can also configure vRealize Orchestrator workflow categories per tenant and define which workflows are available to each tenant.
Table 4‑38. Plug-Ins Included by Default in vRealize Orchestrator (Continued)
Plug-In | Purpose
XML | A complete Document Object Model (DOM) XML parser that you can implement in workflows. Alternatively, you can use the ECMAScript for XML (E4X) implementation in the vRealize Orchestrator JavaScript API.
Mail | Uses Simple Mail Transfer Protocol (SMTP) to send email from workflows.
Net | Wraps the Jakarta Apache Commons Net Library.
Add a Custom Resource
You create a custom resource to define the XaaS item for provisioning.
By creating a custom resource, you map an object type exposed through the API of a vRealize Orchestrator plug-in as a resource. You create a custom resource to define the output parameter of an XaaS blueprint for provisioning and to define an input parameter of a resource action.
Option | Description
Delete an element | Click the Delete icon next to the element to delete, and in the confirmation dialog box click OK.
Delete a form | Click the Delete icon next to the form name, and in the confirmation dialog box click OK.
8 Click Finish.

You created a custom resource and you can see it on the Custom Resources page.

What to do next
Create an XaaS blueprint. See Create an XaaS Blueprint.
If you create a service blueprint for provisioning without specifying the output parameter, when the consumers request this catalog item, the blueprint does the provisioning but the provisioned items are not added on the Items tab. You cannot perform post-provisioning operations on this type of provisioned resource. You can also create service blueprints for requesting that do not have output parameters and do not result in provisioning.
9 (Optional) Edit the form of the service blueprint on the Blueprint Form page.
By default, the service blueprint form is mapped to the vRealize Orchestrator workflow presentation. You can edit the blueprint form by deleting, editing, and rearranging the elements in the form. You can also add a new form and form pages and drag elements to the new form and form page.
Prerequisites
Log in to the vRealize Automation console as an XaaS architect.

Procedure
1 Select Design > XaaS > XaaS Blueprints.
2 Select the row of the XaaS blueprint to publish, and click Publish.

The status of the XaaS blueprint changes to Published. If you select Administration > Catalog Management > Catalog Items, you can see that the blueprint is published as a catalog item.
By creating a resource action, you associate a vRealize Orchestrator workflow as a post-provisioning operation. During this process, you can edit the default submission and read-only forms. See Designing a Resource Action Form.

Prerequisites
- Log in to the vRealize Automation console as an XaaS architect.
- Create a custom resource corresponding to the input parameter of the resource action.

Procedure
1 Select Design > XaaS > Resource Actions.
11 (Optional) Select the type of the action.
Option | Description
Disposal | The input parameter of the resource action workflow is disposed and the item is removed from the Items tab. For example, the resource action is for deleting a provisioned machine.
Provisioning | The resource action is for provisioning. For example, the resource action is for copying a catalog item. From the drop-down menu, select an output parameter.
You created a resource action and you can see it listed on the Resource Actions page.

What to do next
Publish the resource action. See Publish a Resource Action.

Publish a Resource Action
The newly created resource action is in draft state, and you must publish the resource action.

Prerequisites
Log in to the vRealize Automation console as an XaaS architect.

Procedure
1 Select Design > XaaS > Resource Actions.
Create a Resource Mapping
vRealize Automation provides resource mappings for vSphere, vCloud Director, and vCloud Air machines. You can create additional resource mappings for other types of catalog resources.

Prerequisites
- Log in to the vRealize Automation console as an XaaS architect.
- Verify that the mapping script or workflow is available in vRealize Orchestrator.
Resource Mapping Script Actions and Workflows
You can use the provided resource mappings for vSphere, vCloud Director, or vCloud Air machines or you can create custom vRealize Orchestrator script actions or workflows to map additional vRealize Automation catalog resource types to vRealize Orchestrator inventory types.
Table 4‑39. XaaS Object Types and Associated Forms
Object Type | Default Form | Additional Forms
Custom resource | Resource details form based on the attributes of the vRealize Orchestrator plug-in inventory type (read-only). | None
XaaS blueprint | Request submission form based on the presentation of the selected workflow.
you also want to restrict the options to ports that are open. You can add an external value definition to a dual list field and select a custom vRealize Orchestrator script action that queries for open ports. When the request form loads, the script action runs, and the open ports are presented as options to the user.
Table 4‑40. New Fields in the Resource Action or XaaS Blueprint Form (Continued)
Field | Description
Tree | Tree that consumers use to browse and select available objects
Map | Map table that consumers use to define key-value pairs for properties

You can also use the Section header form field to split form pages in sections with separate headings and the Text form field to add read-only informational texts.
Table 4‑41. Constraints in the forms designer (Continued)
Constraint | Description
Maximum value | Allows you to set a maximum value of the number input element.
Increment | Allows you to set an increment for an element such as a Decimal or Integer field. For example, when you want an Integer field to be rendered as a Slider, you can use the value of the step.
Minimum count | Allows you to set a minimum count of items of the element that can be selected.
You can use external value definitions to supply default or read-only values, to build boolean expressions, to define constraints, or to provide options for consumers to select from lists, check boxes, and so on.

Working With the Form Designer
When you create XaaS blueprints, custom resource actions, and custom resources, you can edit the forms of the blueprints, actions, and resources by using the form designer.
You can edit how an object is represented in the form designer. For example, you can edit the default VC:VirtualMachine representation and make it a tree instead of a search box. You can also add new fields such as check boxes, drop-down menus, and so on, and apply various constraints.
Edit a Custom Resource Element
You can edit some of the characteristics of an element on the custom resource Details Form page. Each default field on the page represents a property of the custom resource. You cannot change the type of a property or the default values, but you can edit the name, size, and description.

Prerequisites
- Log in to the vRealize Automation console as a tenant administrator or XaaS architect.
- Add a Custom Resource.
7 Configure the form.
8 Click Finish.

You can delete some of the elements from the original form page and insert them in the new form page, or you can add new fields that use external value definitions to provide information to consumers that is not directly exposed by the vRealize Orchestrator workflow.

Insert a Section Header in a Custom Resource Form
You can insert a section header to split the form into sections.
Insert an Externally Defined Field in a Custom Resource Form
You can insert a new field and assign it an external value definition to dynamically provide read-only information that consumers can see on the item details page when they provision a custom resource.

Prerequisites
- Log in to the vRealize Automation console as a tenant administrator or XaaS architect.
- Add a Custom Resource.
- Add a New XaaS Blueprint Form
When you edit the default generated form of a workflow that you want to publish as a XaaS blueprint, you can add a new XaaS blueprint form.
- Edit an XaaS Blueprint Element
You can edit some of the characteristics of an element on the Blueprint Form page of a XaaS blueprint. You can change the type of an element, its default values, and apply various constraints and values.
6 Select the screen type from the Screen type menu.
Option | Description
Catalog item details | A catalog item details page that consumers see when they click a catalog item.
Request form | The default XaaS blueprint form. The consumers see the request form when they request the catalog item.
Submitted request details | A request details page that consumers see after they request the item and want to view the request details on the Request tab.
7 Click Submit.
11 Edit the default value of the element.
Option | Description
Not set | Gets the value of the element you are editing from the vRealize Orchestrator workflow presentation.
Constant | Sets the default value of the element you are editing to a constant value that you specify.
Field | Binds the default value of the element to a parameter of another element from the representation.
Conditional | Applies a condition.
14 Click Submit.
15 Click Finish.

Add a New Element
When you edit the default generated form of a XaaS blueprint, you can add a predefined new element to the form. For example, if you do not want to use a default generated field, you can delete it and replace it with a new one.

Prerequisites
- Log in to the vRealize Automation console as a tenant administrator or XaaS architect.
- Create an XaaS Blueprint.

Procedure
1 Select Design > XaaS > XaaS Blueprints.
What to do next
You can edit the element to change the default settings and apply various constraints or values.

Insert a Section Header in a XaaS Blueprint Form
You can insert a section header to split the form into sections.

Prerequisites
- Log in to the vRealize Automation console as a tenant administrator or XaaS architect.
- Create an XaaS Blueprint.

Procedure
1 Select Design > XaaS > XaaS Blueprints.
2 Click the XaaS blueprint you want to edit.
Designing a Resource Action Form
When you create a resource action, you can edit the form of the action by adding new fields to the form, modifying the existing fields, deleting, or rearranging fields. You can also create new forms and form pages, and drag and drop new fields to them.

Add a New Resource Action Form
When you edit the default generated form of a workflow you want to publish as a resource action, you can add a new resource action form.
- Create a Resource Action.

Procedure
1 Select Design > XaaS > Resource Actions.
2 Click the resource action you want to edit.
3 Click the Form tab.
4 Drag an element from the New Fields pane and drop it to the Form page pane.
5 Enter the ID of a workflow input parameter in the ID text box.
6 Enter a label in the Label text box.
Labels appear to consumers on the forms.
7 (Optional) Select a type for the field from the Type drop-down menu.
Procedure
1 Select Design > XaaS > Resource Actions.
2 Click the resource action you want to edit.
3 Click the Form tab.
4 Locate the element you want to edit.
5 Click the Edit icon.
6 Enter a new name for the field in the Label text box to change the label that consumers see.
7 Edit the description in the Description text box.
8 Select an option from the Type drop-down menu to change the display type of the element.
13 Add one or more values for the element on the Values tab.
The options available depend on the type of element you are editing.
Option | Description
Not set | Gets the value of the element you are editing from the vRealize Orchestrator workflow presentation.
Predefined values | Select values from a list of related objects from the vRealize Orchestrator inventory.
Value a Enter a value in the Predefined values search box to search the vRealize Orchestrator inventory.
Prerequisites
- Log in to the vRealize Automation console as a tenant administrator or XaaS architect.
- Create a Resource Action.

Procedure
1 Select Design > XaaS > Resource Actions.
2 Click the resource action you want to edit.
3 Click the Form tab.
4 Drag the Text element from the New Fields pane to the Form page pane.
5 Enter the text you want to add.
6 Click outside of the element to save the changes.
7 Click Finish.
3 Publish the Create a User Blueprint as a Catalog Item
After you create the Create a test user XaaS blueprint, you can publish it as a catalog item.
4 Create a Resource Action to Change a User Password
You can create a resource action to allow the consumers of the XaaS create a user blueprint to change the password of the user after they provision the user.
7 Click Next.
8 Leave the form as is.
9 Click Finish.

You created a Test User custom resource and you can see it on the Custom Resources page.

What to do next
Create an XaaS blueprint.

Create an XaaS Blueprint for Creating a User
After you created the custom resource, you can create the XaaS blueprint to publish the Create a user in a group workflow as a catalog item.

Prerequisites
Log in to the vRealize Automation console as an XaaS architect.
You created a blueprint for creating a test user and you can see it on the XaaS blueprints page.

What to do next
Publish the Create a test user blueprint to make it an active catalog item.

Publish the Create a User Blueprint as a Catalog Item
After you create the Create a test user XaaS blueprint, you can publish it as a catalog item.

Prerequisites
Log in to the vRealize Automation console as an XaaS architect.

Procedure
1 Select Design > XaaS > XaaS Blueprints.
10 (Optional) Leave the form as is.
11 Click Add.

You created a resource action for changing the password of a user and you can see it listed on the Resource Actions page.

What to do next
Publish the Change the password of the Test User resource action.

Publish the Change a Password Resource Action
To use the Change the password of the Test User resource action as a post-provisioning operation, you must publish it.
What to do next
Edit the Create a test user catalog item to include it in the service.

Associate the Catalog Item with the Create a Test User Service
To include the Create a test user catalog item in the Create a Test User service, you must associate it with this service.

Prerequisites
Log in to the vRealize Automation console as a tenant administrator or catalog administrator.

Procedure
1 Select Administration > Catalog Management > Catalog Items.
7 Enter a user name in the Users & Groups text box and press Enter.
The person you select can see the service and the catalog items included in the service in the catalog.
8 Click Next.
9 Enter Create a Test User in the Entitled Services text box and press Enter.
10 Enter Change the password of the Test User in the Entitled Actions text box and press Enter.
11 Click Add.

You created an active entitlement and exposed the service to the catalog of the consumers.
4 Click Next.
5 Select IaaS VC VirtualMachine from the Resource type drop-down menu.
6 Select vm from the Input parameter drop-down menu.
7 Click Next.
8 Leave the name of the resource action and the description as they appear on the Details tab.
9 Click Next.
10 Leave the form as is.
11 Click Finish.

You created a resource action for migrating a virtual machine and you can see it listed on the Resource Actions page.
Procedure
1 Create an Action to Migrate a vSphere Virtual Machine With vMotion
You can create a custom resource action to allow the service catalog users to migrate a vSphere virtual machine with vMotion after they provision the machine with IaaS.
2 Edit the Resource Action Form
The resource action form maps the vRealize Orchestrator workflow presentation.
Procedure
1 Click the Delete icon to delete the pool element.
2 Edit the host element.
   a Click the Edit icon next to the host field.
   b Type Target host in the Label text box.
   c Select Search from the Type drop-down menu.
   d Click the Constraints tab.
   e Select Constant from the Required drop-down menu and select Yes.
     You made the host field always required.
   f Click Submit.
3 Edit the priority element.
When the consumers request the resource action, they see a drop-down menu with three options: poweredOff, poweredOn, and suspended.

You edited the workflow presentation of the Migrate a virtual machine with vMotion workflow.

What to do next
Add a Submitted Action Details Form and Save the Action.
Procedure
1 Select Design > XaaS > Resource Actions.
2 Select the row of the Migrate a virtual machine with vMotion action, and click the Publish button.

You created and published a vRealize Orchestrator workflow as a resource action. You can navigate to Administration > Catalog Management > Actions and see the Migrate virtual machine with vMotion resource action in the list of actions. You can assign an icon to the resource action.
4 Click Next.
5 Select IaaS VC VirtualMachine from the Resource type drop-down menu.
6 Select vm from the Input parameter drop-down menu.
7 Click Next.
8 Leave the name of the resource action and the description as they appear on the Details tab.
9 Click Next.
10 Leave the form as is.
11 Click Add.

You created a resource action for taking a snapshot of a virtual machine and you can see it listed on the Resource Actions page.
Procedure
1 Create a Resource Mapping for Amazon Instances
   You can create a resource mapping to associate Amazon instances provisioned by using IaaS with the vRealize Orchestrator type AWS:EC2Instance exposed by the Amazon Web Services plug-in.
2 Create a Resource Action to Start an Amazon Virtual Machine
   You can create a resource action so that the consumers can start provisioned Amazon virtual machines.
Prerequisites
Log in to the vRealize Automation console as an XaaS architect.

Procedure
1 Select Design > XaaS > Resource Actions.
2 Click Add.
3 Select Orchestrator > Library > Amazon Web Services > Elastic Cloud > Instances and select the Start Instances workflow in the workflows folder.
4 Click Next.
5 Select EC2 Instance from the Resource type drop-down menu.
   This is the name of the resource mapping you previously created.
What to do next
Add the start instances action to the entitlement that includes the Amazon catalog item. See Entitle Users to Services, Catalog Items, and Actions.

Troubleshooting Incorrect Accents and Special Characters in XaaS Blueprints
When you create XaaS blueprints for languages that use non-ASCII strings, the accents and special characters are displayed as unusable strings.
2 Click Blueprints.
3 Point to the blueprint to publish and click Publish.
4 Click OK.

The blueprint is published as a catalog item but you must first entitle it to make it available to users in the service catalog.

What to do next
Add the blueprint to the catalog service and entitle users to request the catalog item for machine provisioning as defined in the blueprint.
Blueprints can consume other blueprints as components. A blueprint that contains one or more nested blueprints is referred to as an outer blueprint. Stated another way, when you add a blueprint as a component to the design canvas while creating or editing another blueprint, the blueprint component is referred to as a nested blueprint and the container blueprint to which it is added is referred to as the outer blueprint.
- To ensure that NSX network and security components in nested blueprints are uniquely named in a composite blueprint, vRealize Automation prefixes the nested blueprint ID to network and security component names that are not already unique.
Table 4‑43. Provisioning Methods that Support Software (Continued)
Machine Type | Provisioning Method
vCloud Air | Clone
Amazon AWS | Amazon Machine Image

Binding Properties to Other Properties in a Blueprint
You can bind properties of XaaS, machines, Software, and custom properties to other properties in an application blueprint. For example, your software architect might modify property definitions in the life cycle scripts of a WAR component.
Table 4‑45. Examples of Array Property Bindings
Sample Property Type | Property Type to Bind | Binding Outcome (A binds to B)
Array (property A) | String (property B="Hi") | A="Hi"
Array (property A) | Content (property B="http://my.com/content") | A="http://my.
Prerequisites
- Create a Software component to install MySQL on Linux machines. See Scenario: Create a MySQL Software Component for Rainpole.
- Log in to the vRealize Automation console as a member of the Rainpole architects custom group. See Scenario: Create a Custom Group for Your Rainpole Architects.
4 Review the generated unique identifier.
   The identifier field automatically populates based on the name you entered. You can edit this field now, but after you save the blueprint you can never change it. Because identifiers are permanent and unique within your tenant, you can use them to programmatically interact with blueprints and to create property bindings.
5 Enter MySQL Software on vSphere CentOS Machine in the Description text box.
You published a blueprint that includes the CentOS machine and MySQL software component.

Scenario: Add Your CentOS with MySQL Catalog Item to the Rainpole Service
Using your tenant administrator privileges, add your new blueprint to the Rainpole catalog service so you can verify your work.

Procedure
1 Select Administration > Catalog Management > Services.
2 Select the Rainpole catalog service row in the Services list and click Manage Catalog Items.
What to do next
- Plan for installing a production environment. See Reference Architecture.
- Learn about more options for configuring vRealize Automation, designing and exporting blueprints, and governing your service catalog. See Configuring vRealize Automation.

Managing the Service Catalog
The service catalog is where your customers request machines and other items to provision for their use.
[Flowchart: service catalog configuration. Blueprints and actions are published as catalog items and actions; create a service; add a catalog item to a service; decide whether to apply approval policies to catalog items in the service; create an approval policy now or later; create an entitlement with or without approval policies.]
Table 4‑46. Configuring the Service Catalog Checklist
Task | Required Role | Details
Add a service. | tenant administrator or catalog administrator | See Add a Service.
Add a catalog item to a service. | tenant administrator or catalog administrator | See Add Catalog Items to a Service.
Configure the catalog item in the service. | tenant administrator or catalog administrator | See Configure a Catalog Item.
Create and apply entitlements to the catalog item.
Prerequisites
Log in to the vRealize Automation console as a tenant administrator or catalog administrator.

Procedure
1 Select Administration > Catalog Management > Services.
2 Click the New icon.
3 Enter a name and description.
   These values appear in the service catalog for the catalog users.
4 To add a specific icon for the service in the service catalog, click Browse and select an image.
   The supported image file types are GIF, JPG, and PNG.
7 Click Add.

What to do next
Associate catalog items with a service so that you can entitle users to the items. See Add Catalog Items to a Service.

Add Catalog Items to a Service
Add catalog items to services so that you can entitle users to request the items in the service catalog. A catalog item can be associated with only one service.

Prerequisites
- Log in to the vRealize Automation console as a tenant administrator or catalog administrator.
Published Catalog Items
A catalog item is a published blueprint. Published blueprints can also be used in other blueprints. The reuse of blueprints in other blueprints is not displayed in the catalog items list. The published catalog items can also include items that are only components of blueprints. For example, published software components are listed as catalog items, but they are available only as part of a deployment.
3 Configure the catalog item settings.
Option | Description
Icon | Browse for an image. The supported image file types are GIF, JPG, and PNG. The displayed image is 40 x 40 pixels. If you do not select a custom image, the default catalog icon appears in the service catalog.
Status | Possible values include Active, Inactive, and Staging.
   - Active. The catalog item appears in the service catalog and entitled users can use it to provision resources.
Procedure
1 Select Administration > Catalog Management > Actions.
2 Select the shared action and click View Details.
3 Browse for an image.
4 To view the entitlements where the action is made available to users, click the Entitlements tab.
5 Click Update.

What to do next
Entitle Users to Services, Catalog Items, and Actions.
For example, as a business group manager, you entitle your development team to a service that includes three virtual machine catalog items. You apply an approval policy that requires the approval of the virtual infrastructure administrator for machines with more than four CPUs. One of the virtual machines is used for performance testing, so you add it as a catalog item and apply a less restrictive approval policy for the same group of users.
Best Practices When Entitling Users to Actions
Blueprints are complex and entitling actions to run on provisioned blueprints can result in unexpected behavior. Use the following best practices when entitling service catalog users to run actions on their provisioned items.
- When you entitle users to the Destroy Machine action, entitle them to Destroy Deployment. A provisioned blueprint is a deployment. A deployment can contain a machine.
- Verify that the approval policies exist if you plan to add approvals when you create this entitlement. See Create an Approval Policy.
  If you want to entitle users to the items in the service catalog without approvals, you can modify the entitlement later to add approvals to one or more services, catalog items, and actions.

Procedure
1 Select Administration > Catalog Management > Entitlements.
2 Click the New icon.
3 Configure the Details options.
5 Click a New icon to entitle users to services, catalog items, or actions with this entitlement.
   You can create an entitlement with various combinations of the services, items, and actions.
Option | Description
Entitled Services | Add a service when you want to allow entitled users access to all the published catalog items associated with the service. An entitled service is a dynamic entitlement.
What to do next
Verify that the entitled services and catalog items appear in the service catalog for the entitled users and that the requested items provision the target objects as expected. You can request the item on behalf of the selected users.
Procedure
1 Select Administration > Catalog Management > Entitlements.
2 Click the Prioritize icon.
3 Select a business group from the Business Group drop-down list.
4 Drag an entitlement to a new location in the list to change its priority.
5 Select an update method.
Option | Description
Update | Saves your changes.
Update & Close | Saves your changes and closes the Prioritize Elements window.
Examples of Approval Policies Based on the Virtual Machine Policy Type
You can create an approval policy that you can apply to the same catalog item type, but it produces different results when an item is requested in the service catalog. Depending on how the approval policy is defined and applied, the effect on the service catalog user and the approver varies.
Table 4‑49. Examples of Approval Policies and Results (Continued)
Governance Goals: To manage virtual infrastructure resources and to control costs, you add two preapproval levels because one approval is for machine resources and the other is for cost of machine per day.
Selected Policy Type: Service Catalog - Catalog Item Request Virtual Machine
Pre or Post Approval: Add To Pre Approval tab
When is Approval Required: Level 1 Select Required based on conditions.
This example uses specific details to build the blueprint and then apply approval policies to actions that you can run from the service catalog on the provisioned blueprint in different entitlements. The blueprint is a composite blueprint that includes another blueprint. The actions used destroy the provisioned items: destroy a deployment for the blueprints and destroy a virtual machine for the machine.
User Action in the Service Catalog | Selected Action | Destroyed Blueprints or Machines
Action 1 | Destroy - Deployment action runs on Blueprint 1 - Continuous Integration Blueprint | Blueprint 1, Blueprint 2, and Virtual Machine 1
Action 2 | Destroy - Deployment action runs on the nested Blueprint 2 - Preproduction Blueprint | Blueprint 2 and Virtual Machine 1
Action 3 | Destroy - Virtual Machine action runs on the machine that is inside a deployment, Virtual Machine 1 - TestAs
Entitlement Name | Approval Policy on Actions | User Action | Approval Request Triggered | If Approved, Destroyed Blueprints or Machines
 | | Action 2 (Run Destroy Deployment action on the Blueprint 2) | Approval requests are triggered for Blueprint 2 only | Blueprint 2 and Virtual Machine 1
 | | Action 3 (Destroy - Virtual Machine action runs on Virtual Machine 1) | Approval requests are triggered for Virtual Machine 1 only | Virtual Machine 1

Example of an Approval Policy in Multiple Ent
Processing Approval Policies in the Service Catalog
When a user requests an item in the service catalog that has an approval policy applied, the request is processed by the approver and the requesting user similar to the following workflow.

[Flowchart: request item in the service catalog; if approval is required on the item or component, an approval request is sent to the approver's Inbox tab; if the approver does not approve the request, the requestor is notified of the rejection on the Requests tab.]
Procedure
1 Specify Approval Policy Information
   When you create an approval policy, define the approval policy type, name, description, and status.
2 Create an Approval Level
   When you create an approval policy, you can add pre-approval and post-approval levels.
3 Configure the Approval Form to Include System and Custom Properties
   You can add system and custom properties that appear on an approval form.
3 Select a policy type or software component.
Option | Description
Select an approval policy type | Create an approval policy based on the policy request type. Select this option to define an approval policy that is applicable to all catalog items of that type. The request type can be a generic request, a catalog item request, or a resource action request. The available condition configuration options vary depending on the type.
Procedure
1 On the Pre Approval or Post Approval tab, click the New icon.
2 Enter a name and, optionally, a description.
3 Select an approval requirement.
Option | Description
Always Required | The approval policy is triggered for every request.
Required based on conditions | The approval policy is based on one or more condition clauses. If you select this option, you must create the conditions.
What to do next
To add properties to the approval form, see Configure the Approval Form to Include System and Custom Properties.

Configure the Approval Form to Include System and Custom Properties
You can add system and custom properties that appear on an approval form.
   d Click Save.
   e To delete multiple custom properties, select the rows and click Delete.
5 Click OK.

What to do next
- Add additional pre-approval or post-approval levels.
- Save the approval policy. The policy must be active to apply to services, items, or actions in the Entitlements.

Approval Policy Settings
When you create an approval policy, you configure various options that determine when an item requested by a service catalog user must be approved.
Table 4‑51. Approval Policy Type Options
Option | Description
Select an approval policy type | Create an approval policy based on the policy request type. Select this option to define an approval policy that is applicable to all catalog items of that type. The request type can be a generic request, a catalog item request, or a resource action request. The available condition configuration options vary depending on the type.
Table 4‑52. Approval Policy Options (Continued)
Option | Description
Status | Possible values include:
   - Draft. The approval policy is not available to apply in entitlements. After you make a policy active, you can never return it to draft.
   - Active. The approval policy is available to apply in entitlements.
   - Inactive. The approval policy is not available to apply in entitlements.
Policy Type |
To define the basic approval policy information, select Administration > Approval Policies. Click New. Select the policy type and click OK. On the Pre Approval or Post Approval tab, click the New icon.

You prioritize levels based on the order that you want them processed. When the approval policy is triggered, if the first level of approval is rejected, the request is rejected.

Table 4‑53. Level Information Options
Option | Description
Name | Enter a name.
Table 4‑53. Level Information Options (Continued)
Option | Description
Specific Users and Groups | Sends the approval request to the selected users. Select the users or user groups that must approve the service catalog request before it is provisioned or an action runs. For example, the request goes to the virtual infrastructure administrator group with Anyone can approve selected.
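The level processing described above can be modeled in a few lines. This is an added example, not VMware code and not a vRealize Automation API: the class and function names, the request keys, the approver names, and the cost threshold are assumptions made for illustration, and the four-CPU condition is borrowed from the entitlement example earlier in this guide.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class ApprovalLevel:
    """One approval level (hypothetical model class, not a product object)."""
    name: str
    # "Specific Users and Groups" with "Anyone can approve": one response
    # from any listed approver decides the level.
    approvers: frozenset
    # None models "Always Required"; a callable models
    # "Required based on conditions".
    condition: Optional[Callable[[dict], bool]] = None

    def applies_to(self, request: dict) -> bool:
        return self.condition is None or self.condition(request)


def process_request(levels, request, verdicts):
    """Walk the levels in priority order and return (outcome, trail).

    levels   -- approval levels, highest priority first
    request  -- constructed request properties, e.g. {"cpus": 8}
    verdicts -- {level name: (approver, approved)} responses received so far
    """
    trail = []  # (level, approver, result) entries for later review
    for level in levels:
        if not level.applies_to(request):
            trail.append((level.name, None, "skipped"))
            continue
        approver, approved = verdicts.get(level.name, (None, None))
        if approver not in level.approvers:
            # No response yet, or a response from someone who is not a
            # designated approver for this level: it does not count.
            trail.append((level.name, approver, "pending"))
            return "pending", trail
        if not approved:
            # A rejection ends processing; later levels are never consulted.
            trail.append((level.name, approver, "rejected"))
            return "rejected", trail
        trail.append((level.name, approver, "approved"))
    return "approved", trail


# Constructed sample policy with two pre-approval levels: one for machine
# resources, one for cost per day. The 10.0 cost threshold is made up.
LEVELS = [
    ApprovalLevel("CPU check", frozenset({"vi-admins"}),
                  condition=lambda r: r["cpus"] > 4),
    ApprovalLevel("Cost check", frozenset({"finance-mgr"}),
                  condition=lambda r: r["daily_cost"] > 10.0),
]

if __name__ == "__main__":
    big = {"cpus": 8, "daily_cost": 20.0}      # constructed request
    responses = {"CPU check": ("vi-admins", False),
                 "Cost check": ("finance-mgr", True)}
    outcome, trail = process_request(LEVELS, big, responses)
    print(outcome)
    for entry in trail:
        print(entry)
```

The trail makes two review points visible: a request that matches no condition is provisioned without any approver seeing it, and a response from anyone outside the level's approver list leaves the request pending.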
To select system properties, select Administration > Approval Policies. Click New. Select the policy type and click OK. On the Pre Approval or Post Approval tab, click the New icon and click the System Properties tab.

Table 4‑54. System Properties Options
Option | Description
Properties | The list of available system properties depends on the selected request type or catalog item, and whether system properties exist for the item.
Prerequisites
Log in to the vRealize Automation console as a tenant administrator or approval administrator.

Procedure
1 Select Administration > Approval Policies.
2 Select the row of the approval policy to copy.
3 Click the Copy icon.
   A copy of the approval policy is created.
4 Select the new approval policy to edit.
5 Enter a name in the Name text box.
6 (Optional) Enter a description in the Description text box.
2 Click the approval policy name.
3 Click View Linked Entitlements.
   a In the Replace All With drop-down menu, select the new approval policy.
     If the list includes more than one entitlement, the new approval policy is applied to all the listed entitlements.
   b Click OK.
4 After you verify that no entitlements are linked to the approval policy, select Inactive from the Status drop-down menu.
5 Click OK.
Scenario: Configure the Catalog for Rainpole Architects to Test Blueprints
Using your tenant administrator privileges, you create a special catalog service that contains very little governance, where your Rainpole architects can efficiently test their work before exporting blueprints into your production environment.
5 As the tenant administrator who is creating the service, use the search option to add yourself as the Owner and Support Team.
6 Click OK.

What to do next
Using your tenant administrator privileges, add the published vSphere CentOS machine blueprint to your Rainpole service.

Scenario: Add Your vSphere CentOS Catalog Item to the Rainpole Service
Using your tenant administrator privileges, you add the published vSphere CentOS machine blueprint to your Rainpole service.
Procedure
1 Select Administration > Catalog Management > Entitlements.
2 Click the New icon.
3 Configure the details.
   a Enter the name Rainpole architect entitlement.
   b Select Active from the Status drop-down menu.
   c Select your Rainpole business group from the Business Group drop-down menu.
   d Add your Rainpole architects by using the Users & Groups search box.
   e Click Next.
4 Entitle the Rainpole catalog service.
Scenario: Test Your Rainpole CentOS Machine
Using the local test user account you created, you request to provision your vSphere CentOS machine. You log in to the provisioned machine and verify that it is working as expected.
Procedure
1 Select Items > Machines.
2 Select the arrow next to the CentOS on vSphere item.
   The provisioned machine appears under the expanded item.
3 Click the provisioned machine.
4 Click Remote Log in to Machine on the right-hand panel.
5 Log in to the machine.

You installed vRealize Automation in a minimal deployment, set up a proof of concept, and configured your environment for ongoing development of blueprints.
Procedure
1 Scenario: Create a Development and Quality Engineering Catalog Service
   As the tenant administrator, you want to create a separate catalog service for your development and quality engineering group so your other groups, such as finance and human resources, don't see the specialized catalog items. You create a catalog service called Dev and QE Service to publish all the catalog items development and engineering need to run their test cases.
Scenario: Add CentOS with MySQL to Your Dev and QE Service
As the tenant administrator, you want to add the CentOS with MySQL catalog item to the Dev and QE service.

Procedure
1 Select Administration > Catalog Management > Services.
2 Select the Dev and QE Service row in the Services list and click Manage Catalog Items.
3 Click the New icon.
4 Select CentOS with MySQL.
   d In the Users and Groups area, add one or more users.
     Add yourself only, unless you are certain that the blueprint is working as intended. If it is, you can add individual users and you can add custom user groups.
   e Click Next.
4 Add the service.
What to do next
After you verify your work by provisioning the CentOS with MySQL catalog item, you can add additional users to the entitlement to make the catalog item publicly available to your development and quality engineering users. If you want to further govern the provisioning of resources in your environment, you can create approval policies for the MySQL Software component and the CentOS for Software Testing machine.
Scenario: Create a CentOS with MySQL Virtual Machine Approval Policy
As the tenant administrator, you want to ensure that the development and quality engineering group receives virtual machines that are properly provisioned in your environment, so you create an approval policy that requires pre-approval for certain types of requests.
   i Select the user or group.
   j Select Anyone can approve.
     The request only needs one virtual infrastructure administrator to verify the resources and approve the request.
5 Click the System Properties tab and select the properties that allow the approver to modify the requested CPU and Memory values before approving a request.
   a Select the CPUs and Memory (MB) check boxes.
   b Click OK.
6 Click OK.
4 Configure the Level Information tab with the triggering criteria and the approval actions.
   a In the Name text box, enter MySQL software deployment notice.
   b In the Description text box, enter Software mgr approval of software installation.
   c Select Always required.
   d Select Specific Users and Groups.
   e Enter the name of the software manager in the search text box, click the search icon, and select the user.
   f Select Anyone can approve.
4 Add the CentOS with MySQL machine and apply the approval policy.
   a Click the Add Items icon beside the Entitled Items heading.
   b Select the CentOS with MySQL check box.
   c Click the Apply this policy to selected items drop-down arrow.
     The CentOS on vSphere CPU and Memory policy is not in the list.
   d Click Show all and click the down-arrow to view all approval policies.
6 Add actions that the users can run on the provisioned machine.
   Approval policies are not applied to actions in this scenario.
   a Click the Add Items icon beside the Entitled Actions heading.
   b Select the following actions.
Name / Type | Description
Create Snapshot / Virtual Machine | Creates a snapshot of the virtual machine, including the installed software. Allows the developers to create snapshots to which they can revert during development.