Configuring vRealize Automation
vRealize Automation 7
You can find the most up-to-date technical documentation on the VMware Web site at https://docs.vmware.com/. The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to docfeedback@vmware.com.
Copyright © 2015, 2016 VMware, Inc. All rights reserved. Copyright and trademark information.
VMware, Inc., 3401 Hillview Ave., Palo Alto, CA 94304, www.vmware.com
Contents
Configuring vRealize Automation 7
Updated Information 9
1 External Preparations for Provisioning 11
   Preparing Your Environment for vRealize Automation Management 11
   Checklist for Preparing NSX Network and Security Configuration 12
   Checklist for Preparing External IPAM Provider Support 14
   Preparing Your vCloud Director Environment for vRealize Automation 16
   Preparing Your vCloud Air Environment for vRealize Automation 17
   Preparing Your Amazon AWS Environment 17
   Preparing Red Hat OpenStack Netwo
   Configure Smart Card Authentication for vRealize Automation 120
   Generate a Connector Activation Token 121
   Deploy the Connector OVA File 121
   Configure Connector Settings 122
   Apply Public Certificate Authority 123
   Create a Workspace Identity Provider 125
   Configure Certificate Authentication and Configure Default Access Policy Rules 125
   Create a Multi Domain or Multi Forest Active Directory Link 126
   Configuring Groups and User Roles 127
   Assign Roles to Directory Users or Grou
   Choosing an Endpoint Scenario 160
   Create a Fabric Group 175
   Configure Machine Prefixes 176
   Managing Key Pairs 176
   Creating a Network Profile 178
   Configuring Reservations and Reservation Policies 191
   Scenario: Configure IaaS Resources for Rainpole 221
   Scenario: Apply a Location to a Compute Resource for Cross Region Deployments 225
   Checklist for Provisioning a vRealize Automation Deployment Using an External IPAM Provider 225
   Configuring XaaS Resources 226
   Configure the Active Directory Plug-In as
Index 399
Configuring vRealize Automation
Configuring vRealize Automation provides information about configuring vRealize Automation and your external environments to prepare for vRealize Automation provisioning and catalog management. For information about supported integrations, see https://www.vmware.com/pdf/vrealize-automation-71support-matrix.pdf.
Updated Information
Configuring vRealize Automation is updated with each release of the product or when necessary. The following revisions of this guide have been published:
EN-002076-04
EN-002076-03
EN-002076-02 Added a note to "Specify Tenant Information," on page 137 indicating that tenant URLs must use only lowercase characters.
EN-002076-01
EN-002076-00
1 External Preparations for Provisioning
You may need to create or prepare some elements outside of vRealize Automation to support catalog item provisioning. For example, if you want to provide a catalog item for provisioning a clone machine, you need to create a template on your hypervisor to clone from.
Table 1‑1. Preparing Your Environment for vRealize Automation Integration (Continued)
Amazon AWS: Prepare elements and user roles in your Amazon AWS environment for use in vRealize Automation, and understand how Amazon AWS features map to vRealize Automation features. See "Preparing Your Amazon AWS Environment," on page 17.
Table 1‑2. Preparing NSX Networking and Security Checklist (Continued)
Task: Create NSX security policies, tags, and groups. Location: Configure security settings in NSX. Details: See the NSX Administration Guide.
Task: Configure NSX load balancer settings. Location: Configure an NSX load balancer to work with vRealize Automation. Details: See the NSX Administration Guide. Also see Custom Properties for Networking in Custom Properties Reference.
7 Restart the vRealize Orchestrator server service.
8 Restart the vRealize Orchestrator configuration interface.
9 Click Plug-Ins and verify that the status changed to Installation OK.
10 Start the vRealize Orchestrator client application, log in, and use the Workflow tab to navigate through the library to the NSX folder. You can browse through the workflows that the NSX plug-in provides.
Table 1‑3. Preparing for External IPAM Provider Support Checklist
Task: Obtain and import the supported external IPAM Provider vRealize Orchestrator plug-in. Details: Download the IPAM provider package, for example Infoblox IPAM, from the VMware Solution Exchange and import the package to vRealize Orchestrator. If the VMware Solution Exchange (https://solutionexchange.vmware.
Run the Workflow to Register the Infoblox IPAM Endpoint Type in vRealize Orchestrator
Run the registration workflow in vRealize Orchestrator to support vRealize Automation use of the external IPAM provider and register the Infoblox IPAM endpoint type for use in vRealize Automation. To register IPAM endpoint types in vRealize Orchestrator, you are prompted to supply vRealize Automation (vRA) administrator credentials.
User Role Considerations
vCloud Director user roles in an organization do not need to correspond with roles in vRealize Automation business groups. If the user account does not exist in vCloud Director, vCloud Director performs a lookup in the associated LDAP or Active Directory and creates the user account if the user exists in the identity store. If it cannot create the user account, it logs a warning but does not fail the provisioning process.
The AWS Power User role does not allow management of AWS Identity and Access Management (IAM) users and groups. To manage IAM users and groups, you must be configured with AWS Full Access Administrator credentials. vRealize Automation requires access keys for endpoint credentials and does not support user names and passwords. Because those access keys are long-lived and are stored with the endpoint, create them for a dedicated IAM user that holds only the Power User permissions vRealize Automation needs, and rotate them on the schedule your AWS account policy requires.
   Elastic block storage volumes
State data collection occurs automatically every 15 minutes by default. It gathers information about the state of managed instances, which are instances that vRealize Automation creates.
Using Elastic IP Addresses for Amazon Web Services
Using an elastic IP address allows you to rapidly fail over to another machine in a dynamic Amazon Web Services cloud environment. In vRealize Automation, the elastic IP address is available to all business groups that have rights to the region. An administrator can allocate elastic IP addresses to your Amazon Web Services account by using the AWS Management Console.
Scenario: Configure Network-to-Amazon VPC Connectivity for a Proof of Concept Environment
As the IT professional setting up a proof of concept environment to evaluate vRealize Automation, you want to temporarily configure network-to-Amazon VPC connectivity to support the vRealize Automation Software feature.
6 Invoke the SSH tunnel from the local network machine to the Amazon AWS tunnel machine.

    ssh -N -v -o "ServerAliveInterval 30" -o "ServerAliveCountMax 40" -o "TCPKeepAlive yes" \
      -R 1442:vRealize_automation_appliance_fqdn:5480 \
      -R 1443:vRealize_automation_appliance_fqdn:443 \
      -R 1444:manager_service_fqdn:443 \
      tunnel_user@tunnel_machine_public_ip

Replace tunnel_user and tunnel_machine_public_ip with the user of the Amazon tunnel machine and its public IP address. Each -R option opens a listener on the tunnel machine and forwards it back through the tunnel, so the appliance management console (port 5480) and the Manager Service become reachable from the tunnel machine. By default OpenSSH binds these listeners to the tunnel machine's loopback interface unless the GatewayPorts setting of its sshd allows otherwise. Keep this tunnel for the proof of concept only and close it when you are done. You configured port forwarding to allow your Amazon AWS tunnel machine to access vRealize A
Preparing Your SCVMM Environment
Before you begin creating SCVMM templates and hardware profiles for use in vRealize Automation machine provisioning, you must understand the naming restrictions on template and hardware profile names, and configure SCVMM network and storage settings.
Preparing for Machine Provisioning
Depending on your environment and your method of machine provisioning, you might need to configure elements outside of vRealize Automation. For example, you might need to configure machine templates or machine images. You might also need to configure NSX settings or run vRealize Orchestrator workflows.
Table 1‑4. Choosing a Machine Provisioning Method to Prepare (Continued)
Scenario: Provision a space-efficient copy of a virtual machine called a linked clone. Linked clones are based on a snapshot of a VM and use a chain of delta disks to track differences from a parent machine. Supported endpoint: vSphere.
Scenario: Provision a space-efficient copy of a virtual machine by using NetApp FlexClone technology.
Scenario: Provision a machine by booting into a WinPE environment and installing an operating system using a Windows Imaging File Format (WIM) image of an existing Windows reference machine. Pre-provisioning preparations: Guest agent is required.
Scenario: Launch an instance from a virtual machine image.
Scenario: Launch an instance from an Amazon Machine Image.
Checklist for Running Visual Basic Scripts During Provisioning
You can configure vRealize Automation to run your custom Visual Basic scripts as additional steps in the machine life cycle, either before or after machine provisioning. For example, you could use a pre-provisioning script to generate certificates or security tokens before provisioning, and then a post-provisioning script to use the certificates and tokens after machine provisioning.
Using vRealize Automation Guest Agent in Provisioning
You can install the guest agent on reference machines to further customize a machine after deployment. You can use the reserved guest agent custom properties to perform basic customizations such as adding and formatting disks, or you can create your own custom scripts for the guest agent to run within the guest operating system of a provisioned machine.
Table 1‑6. Custom Properties for Changing IP Address of a Provisioned Machine with a Guest Agent (Continued)
VirtualMachine.SoftwareN.ScriptPath: Specifies the full path to an application's install script. The path must be a valid absolute path as seen by the guest operating system and must include the name of the script file.
If you set VirtualMachine.ScriptPath.Decrypt to false, or do not create the VirtualMachine.ScriptPath.Decrypt custom property, then the string inside the square brackets ([ and ]) is not decrypted. For more information about custom properties you can use with the guest agent, see Custom Properties Reference.
7 If deployed machines are not already configured to trust the Manager Service SSL certificate, you must install the cert.pem file on your reference machine to establish trust.
   For the most secure approach, obtain the cert.pem certificate and manually install the file on the reference machine.
   For a more convenient approach, you can connect to the manager service load balancer or manager service machine and download the cert.pem certificate. A file downloaded this way is only as trustworthy as the connection it came over, so compare its fingerprint with the certificate on the Manager Service host before you install it on the template.
3 Download and save the Windows guest agent installation file to the C drive of your reference machine.
   Windows guest agent files (32-bit)
   Windows guest agent files (64-bit)
4 Install the guest agent on the reference machine.
   a Right-click the file and select Properties.
   b Click General.
   c Click Unblock.
   d Extract the files. This produces the directory C:\VRMGuestAgent. Do not rename this directory.
You can also configure the guest agent to populate the trusted PEM file on first use. This is less secure than manually installing the PEM files on each template, because whichever host answers a newly provisioned machine's first agent connection is trusted without verification, but it is more flexible for environments where you might use a single template for multiple servers. To allow the guest agent to trust the first server it connects to, you create a template with no PEM files in the VRMGuestAgent directory.
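An added example, not part of the VMware documentation, that applies to both the manual cert.pem installation and the trust-on-first-use alternative: before you copy a cert.pem into VRMGuestAgent, compare its SHA-256 fingerprint with the fingerprint of the Manager Service certificate obtained some other way (for example, read from the certificate store on the Manager Service host) and reject the file on any mismatch. The functions use the openssl command-line tool; the self-signed certificate the demo generates stands in for a downloaded cert.pem and is constructed for this example.

```sh
#!/bin/sh
# Added example (not VMware code): pin-check a downloaded cert.pem before
# installing it into the guest agent's VRMGuestAgent directory.

# cert_sha256_fingerprint CERT.pem
# Prints the SHA-256 fingerprint of the certificate as uppercase hex with
# the colons removed, so it compares cleanly with a value copied from
# another tool regardless of how that tool formats it.
cert_sha256_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null \
        | sed 's/^.*=//' | tr -d ':' | tr 'a-f' 'A-F'
}

# verify_manager_cert CERT.pem EXPECTED
# EXPECTED is the SHA-256 fingerprint of the IaaS Manager Service
# certificate obtained out of band (colons and case do not matter).
# Returns 0 only on an exact match; a missing or unreadable file, or any
# mismatch, returns 1 so the file is not copied into the template.
verify_manager_cert() {
    actual=$(cert_sha256_fingerprint "$1")
    expected=$(printf '%s' "$2" | tr -d ':' | tr 'a-f' 'A-F')
    if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
        echo "REJECT: $1 has fingerprint '${actual:-none}', expected '$expected'" >&2
        return 1
    fi
    echo "OK: $1 matches $actual"
    return 0
}

# Demo: a throwaway self-signed certificate stands in for cert.pem
# (constructed for this example; a real check uses the file downloaded
# from the Manager Service and a fingerprint obtained elsewhere).
demo_dir=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=manager_service_fqdn" \
    -keyout "$demo_dir/key.pem" -out "$demo_dir/cert.pem" >/dev/null 2>&1
known_good=$(cert_sha256_fingerprint "$demo_dir/cert.pem")
verify_manager_cert "$demo_dir/cert.pem" "$known_good"
verify_manager_cert "$demo_dir/cert.pem" "00:11:22:33" || echo "mismatch rejected as expected"
rm -rf "$demo_dir"
```

Run the check on the reference machine after downloading cert.pem and before copying it into C:\VRMGuestAgent (or the Linux equivalent); a template that ships without PEM files skips this check entirely, which is exactly what the first-use option trades away.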
Identify or create a reference machine.
Are you working in vCenter Server? If yes, install VMware Tools.
Do you want to support software components in your blueprints? If yes, install the guest agent and the software bootstrap agent.
If no, do you want the ability to customize machines after deployment? If yes, install the guest agent.
Convert your reference machine to a template.
Table 1‑7. Checklist for Preparing to Provision by Cloning
Location: Hypervisor. Details: See the documentation provided by your hypervisor.
Task: (Optional) If you want your clone template to support Software components, install the vRealize Automation guest agent and software bootstrap agent on your reference machine. Location: Reference machine. Details: For Windows reference machines, see "Prepare a Windows Reference Machine to Support Software," on page 63.
Table 1‑8. Template and Reservation Information Worksheet (Continued)
Type of cloning requested for this template (vSphere only): Clone, Linked Clone, or NetApp FlexClone.
Customization specification name (required for cloning with static IP addresses): You cannot perform customizations of Windows machines without a customization specification object.
Table 1‑10. Visual Basic Script Information
ExternalPreProvisioningVbScript: Run a script before provisioning. Enter the complete path to the script including the filename and extension, for example %SystemDrive%\Program Files (x86)\VMware\vCAC Agents\EPI_Agents\Scripts\SendEmail.vbs.
ExternalPostProvisioningVbScript: Run a script after provisioning. Enter the complete path to the script including the filename and extension.
Table 1‑11. Linux Guest Agent Customization Script Information Worksheet (Continued)
Linux.ExternalScript.Server: Specifies the name of the NFS server, for example lab-ad.lab.local, on which the Linux external customization script named in Linux.ExternalScript.Name is located.
Linux.ExternalScript.Path: Specifies the local path to the Linux customization script or the export path to the Linux customization script on the NFS server.
Table 1‑12. Custom Properties for Customizing Cloned Machines with a Guest Agent Worksheet (Continued)
VirtualMachine.DiskN.Size: Defines the size in GB of disk N. For example, to give a disk a size of 150 GB, define the custom property VirtualMachine.Disk0.Size and enter a value of 150. Disk numbering must be sequential. By default a machine has one disk, referred to by VirtualMachine.Disk0.
Table 1‑12. Custom Properties for Customizing Cloned Machines with a Guest Agent Worksheet (Continued)
VirtualMachine.Customize.WaitComplete: Set to True to prevent the provisioning workflow from sending work items to the guest agent until all customizations are complete.
VirtualMachine.SoftwareN.Name: Specifies the descriptive name of a software application N or script to install or run during provisioning.
Table 1‑13. Custom Properties for Networking Configuration
VirtualMachine.NetworkN.Address: Specifies the IP address of network device N in a machine provisioned with a static IP address.
VirtualMachine.NetworkN.MacAddressType: Indicates whether the MAC address of network device N is generated or user-defined (static). This property is available for cloning. The default value is generated.
Table 1‑13. Custom Properties for Networking Configuration (Continued)
VirtualMachine.NetworkN.Name: Specifies the name of the network to connect to, for example the network device N to which a machine is attached. This is equivalent to a network interface card (NIC). By default, a network is assigned from the network paths available on the reservation on which the machine is provisioned. Also see VirtualMachine.NetworkN.AddressType.
Table 1‑13. Custom Properties for Networking Configuration (Continued)
VirtualMachine.NetworkN.ProfileName
   VirtualMachine.NetworkN.SubnetMask
   VirtualMachine.NetworkN.Gateway
   VirtualMachine.NetworkN.PrimaryDns
   VirtualMachine.NetworkN.SecondaryDns
   VirtualMachine.NetworkN.PrimaryWins
   VirtualMachine.NetworkN.SecondaryWins
   VirtualMachine.NetworkN.DnsSuffix
   VirtualMachine.NetworkN.
Table 1‑13. Custom Properties for Networking Configuration (Continued)
VCNS.LoadBalancerEdgePool.Names.name: Specifies the vCloud Networking and Security load balancing pools to which the virtual machine is assigned during provisioning. The virtual machine is assigned to all service ports of all specified pools. The value is an edge/pool name or a list of edge/pool names separated by commas. Names are case-sensitive.
Table 1‑13. Custom Properties for Networking Configuration (Continued)
VCNS.SecurityGroup.Names.name: Specifies the vCloud Networking and Security security group or groups to which the virtual machine is assigned during provisioning. The value is a security group name or a list of names separated by commas. Names are case-sensitive.
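The numbering and value rules in Table 1‑12 and Table 1‑13 are easy to get wrong when properties are typed by hand, and a bad value surfaces only as a failed provisioning request. The following POSIX shell function is an added example, not part of the VMware documentation or product: it reads a file of Name=Value custom properties (a format constructed for this example, not a blueprint export) and reports disk numbers that are not sequential from Disk0, disk sizes that are not a positive number of GB, static IP addresses that are not well-formed IPv4 addresses, and MacAddressType values other than generated or static (the two values assumed here from the property description).

```sh
#!/bin/sh
# Added example (not VMware code): lint custom properties before they go
# onto a blueprint. Input is one Name=Value property per line.

# _sequential N... : succeed only if the numbers are exactly 0,1,2,...
_sequential() {
    expected=0
    for n in $(printf '%s\n' "$@" | sort -n | uniq); do
        [ "$n" -eq "$expected" ] || return 1
        expected=$((expected + 1))
    done
    return 0
}

# lint_custom_props FILE
# Prints one line per problem found and returns the number of problems
# (0 means the file passed every check).
lint_custom_props() {
    file=$1
    problems=0

    # VirtualMachine.DiskN.Size: N must run 0,1,2,... because Disk0 is the
    # default system disk and disk numbering must be sequential.
    disks=$(sed -n 's/^VirtualMachine\.Disk\([0-9][0-9]*\)\.Size=.*/\1/p' "$file")
    if [ -n "$disks" ] && ! _sequential $disks; then
        echo "disk numbering is not sequential from Disk0: $(echo $disks)"
        problems=$((problems + 1))
    fi

    while IFS== read -r key val; do
        case $key in
            VirtualMachine.Disk[0-9]*.Size)
                # size is in GB and must be a positive integer
                case $val in
                    ''|*[!0-9]*|0)
                        echo "$key: size must be a positive integer of GB, got '$val'"
                        problems=$((problems + 1));;
                esac;;
            VirtualMachine.Network[0-9]*.Address)
                # static IP: four dotted decimal octets, each 0-255
                if ! printf '%s\n' "$val" | awk -F. \
                    'NF != 4 { exit 1 } { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'; then
                    echo "$key: '$val' is not a valid IPv4 address"
                    problems=$((problems + 1))
                fi;;
            VirtualMachine.Network[0-9]*.MacAddressType)
                case $val in
                    generated|static) ;;
                    *) echo "$key: expected generated or static, got '$val'"
                       problems=$((problems + 1));;
                esac;;
        esac
    done < "$file"
    return $problems
}

# Demo with a constructed property file (not a real blueprint export):
# Disk2 without Disk1, an octet above 255, and an unknown MAC address type.
demo=$(mktemp)
cat > "$demo" <<'EOF'
VirtualMachine.Disk0.Size=60
VirtualMachine.Disk2.Size=150
VirtualMachine.Network0.Address=10.20.30.400
VirtualMachine.Network0.MacAddressType=random
EOF
lint_custom_props "$demo" || echo "problems found: $?"
rm -f "$demo"
```

The checks stop at syntax; whether an address actually belongs to the reservation's network path is something only the network profile on the reservation can tell you.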
Templates that are to be shared across organizations must be public. Only reserved templates are available to vRealize Automation as a cloning source.
Note: When you create a blueprint by cloning from a template, that template's unique identifier becomes associated with the blueprint. When the blueprint is published to the vRealize Automation catalog and used in the provisioning and data collection processes, the associated template is recognized.
6 (Optional) Add customization scripts.
   a To specify post-installation customization scripts in the configuration file, see "Specify Custom Scripts in a kickstart/autoYaST Configuration File," on page 47.
   b To call Visual Basic scripts in a blueprint, see "Checklist for Running Visual Basic Scripts During Provisioning," on page 27.
Prerequisites
   Prepare a kickstart or autoYaST configuration file. See "Prepare the Linux Kickstart Configuration Sample File," on page 47.
   Your script must return a non-zero value on failure. Only a non-zero exit status lets the failure be detected; a script that fails but exits 0 lets provisioning continue as if the customization had succeeded.
Procedure
1 Create or identify the script you want to use.
2 Save the script as NN_scriptname. NN is a two-digit number. Scripts are executed in order from lowest to highest.
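As an added example that is not part of the VMware documentation, the following POSIX shell function executes a directory of NN_scriptname scripts in the order described in the procedure above and stops at the first non-zero exit status, which is why the prerequisite that a script must exit non-zero on failure matters. The script names and contents in the demo are constructed for this example.

```sh
#!/bin/sh
# Added example (not VMware code): run post-install customization scripts
# the way the NN_scriptname convention orders them.

# run_custom_scripts DIR
# Executes every file in DIR named NN_scriptname (NN = two digits) in
# ascending NN order. Stops at the first script that exits non-zero and
# returns that exit code, so later scripts never run on a machine whose
# earlier customization failed. A script that swallows its own errors and
# exits 0 is invisible here. Returns 0 when every script succeeded.
run_custom_scripts() {
    dir=$1
    for name in $(ls "$dir" | grep '^[0-9][0-9]_' | sort); do
        echo "running $name"
        sh "$dir/$name"
        rc=$?
        if [ "$rc" -ne 0 ]; then
            echo "$name exited with $rc; stopping before later scripts run" >&2
            return "$rc"
        fi
    done
    return 0
}

# Demo with constructed scripts in a temporary directory: 05_ runs before
# 10_ even though it was written second, 20_ fails, so 30_ never runs.
demo_dir=$(mktemp -d)
echo 'echo "second: set hostname"' > "$demo_dir/10_hostname.sh"
echo 'echo "first: import CA certificate"' > "$demo_dir/05_trust_ca.sh"
echo 'echo "package install failed" >&2; exit 3' > "$demo_dir/20_packages.sh"
echo 'echo "never reached"' > "$demo_dir/30_register.sh"
run_custom_scripts "$demo_dir" || echo "provisioning step failed with exit code $?"
rm -rf "$demo_dir"
```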
5 Copy the ISO image to the location required by your virtualization platform. If you do not know the appropriate location, refer to the documentation provided by your hypervisor.
6 Gather the following information so that blueprint architects can include it on blueprints:
   a The name of the collection containing the task sequence.
   b The fully qualified domain name of the SCCM server on which the collection containing the sequence resides.
5 Create the WIM image of the reference machine. Do not include any spaces in the WIM image file name or provisioning fails.
6 Create a WinPE image that contains the vRealize Automation guest agent. You can use the vRealize Automation PEBuilder to create a WinPE image that includes the guest agent. See "Install PEBuilder," on page 51.
4 (Optional) If you want to enable XenDesktop integration, install and configure a Citrix Virtual Desktop Agent.
5 (Optional) A Windows Management Instrumentation (WMI) agent is required to collect certain data from a Windows machine managed by vRealize Automation, for example the Active Directory status of a machine's owner.
Prerequisites
   Install .NET Framework 4.5.
   Windows Automated Installation Kit (AIK) for Windows 7 (including WinPE 3.0) is installed.
Procedure
1 Navigate to the vCloud Automation Center Appliance management console installation page. For example: https://vcac-hostname.domain.name:5480/installer/.
2 Download the PEBuilder.
The high-level process for enabling WIM-based provisioning with VirtIO drivers is as follows:
1 Create a WIM image from a Windows reference machine with the VirtIO drivers installed, or insert the drivers into an existing WIM image.
2 Copy the VirtIO driver files to the Plugins subdirectory of your PEBuilder installation directory before creating a WinPE image, or insert the drivers into a WinPE image created using other means.
5 Click File > Advanced. Note: Do not change the WinPE Architecture or Protocol settings.
6 Select the Include vCAC Guest Agent in WinPE ISO check box.
7 Click OK.
8 Click Build.
What to do next
Place the WinPE image in the location required by your integration platform. If you do not know the location, see the documentation provided by your platform. If you are provisioning HP iLO machines, place the WinPE image in a web-accessible location.
Install the Guest Agent in a WinPE
If you choose not to use the vRealize Automation PEBuilder to create your WinPE, you must install PEBuilder to manually copy the guest agent files to your WinPE image. PEBuilder has a 32-bit guest agent. If you need to run commands specific to 64-bit, install PEBuilder and then get the 64-bit files from the GugentZipx64.zip file.
4 Replace all instances of the string #Dcac Hostname# with the fully qualified domain name and port number of the IaaS Manager Service host.
   If you are using a load balancer: Enter the fully qualified domain name and port of the load balancer for the IaaS Manager Service. For example, manager_service_LB.mycompany.com:443
   With no load balancer: Enter the fully qualified domain name and port of the machine on which the IaaS Manager Service is installed.
8 Save and close the file.
What to do next
"Configure the Guest Agent Properties Files," on page 57.
Configure the Guest Agent Properties Files
If you choose not to use the vRealize Automation PEBuilder, you must manually configure the guest agent properties files.
Prerequisites
"Configure the doagentc.bat File," on page 56.
Procedure
1 Navigate to the VRMGuestAgent directory within your WinPE Image. For example: C:\Program Files (x86)\VMware\PE Builder\P
Preparing for Amazon Machine Image Provisioning
Prepare your Amazon Machine Images and instance types for provisioning in vRealize Automation.
Understanding Amazon Machine Images
You can select an Amazon machine image from a list of available images when creating Amazon machine blueprints. An Amazon machine image is a template that contains a software configuration, including an operating system. Amazon machine images are managed by Amazon Web Services accounts.
Understanding Amazon Instance Types
An IaaS architect selects one or more Amazon instance types when creating Amazon EC2 blueprints. An IaaS administrator can add or remove instance types to control the choices available to the architects. An Amazon EC2 instance is a virtual server that can run applications in Amazon Web Services. Instances are created from an Amazon machine image and by choosing an appropriate instance type.
Scenario: Prepare vSphere Resources for Machine Provisioning in Rainpole
As the vSphere administrator creating templates for vRealize Automation, you want to use the vSphere Web Client to prepare for cloning CentOS machines in vRealize Automation.
6 Even though your reference machine has a CentOS guest operating system, select Red Hat Enterprise Linux 6 (64-bit) from the Guest OS Version drop-down menu. If you select CentOS, your template and customization specification might not work as expected.
7 Right-click your Rainpole_centos_63_x86 reference machine in the vSphere Web Client and select Template > Convert to Template.
What to do next
Log in to the vRealize Automation console as the configuration administrator you created during the installation and request the catalog items that quickly set up your proof of concept.
Preparing for Software Provisioning
Use Software to deploy applications and middleware as part of the vRealize Automation provisioning process for vSphere, vCloud Director, vCloud Air, and Amazon AWS machines.
Preparing to Provision Machines with Software
To support Software components, you must install the guest agent and Software bootstrap agent on your reference machine before you convert to a template for cloning, create an Amazon machine image, or take a snapshot.
3 Download and install the vRealize Automation guest agent from https://vRealize_VA_Hostname_fqdn/software/index.html.
   a Download GugentZip_version to the C drive on the reference machine. Select either GuestAgentInstaller.exe (32-bit) or GuestAgentInstaller_x64.exe (64-bit) depending on which is appropriate for your operating system.
   b Right-click the file and select Properties.
   c Click General.
   d Click Unblock.
   e Extract the files to C:\.
   d Click Unblock. Important: If you do not disable this Windows security feature, you cannot use the Software agent bootstrap file.
   e Unzip the vmware-vra-software-agent-bootstrap-windows_version.zip file to the c:\temp folder.
6 Install the Software bootstrap agent.
   a Open a Windows CMD console and navigate to the c:\temp folder.
   b Enter the command to install the agent bootstrap. install.
   dmidecode as required by cloud providers
   Common requirements such as sed, awk, perl, chkconfig, unzip, and grep depending on your Linux distribution
   For related information about Linux prerequisites, see the prepare_vra_template.sh script.
   If you plan to remotely access the virtual machine using Linux ssh logging for troubleshooting or for other reasons, install the OpenSSH server and client for Linux.
Windows
For Windows reference machines, you remove the existing Software agent bootstrap and vRealize Automation 6.0 or later guest agent, and delete any existing runtime log files. In a PowerShell command window, run the commands to remove the agent and artifacts.

    c:\opt\vmware-appdirector\agent-bootstrap\agent_bootstrap_removal.bat
    c:\opt\vmware-appdirector\agent-bootstrap\agent_reset.
Scenario: Prepare Your Reference Machine for Guest Agent Customizations and Software Components
So that your template can support software components, you install the software bootstrap agent and its prerequisite, the guest agent, on your reference machine. The agents ensure that vRealize Automation architects who use your template can include software components in their blueprints.
   c If you rebooted or reconfigured the reference machine after installing the software bootstrap agent, reset the agent.
       /opt/vmware-appdirector/agent-bootstrap/agent_reset.sh
   d Power down the machine.
       shutdown -h now
2 Log in to the vSphere Web Client as an administrator.
3 Right-click your reference machine and select Edit Settings.
4 Enter cpb_centos_63_x84 in the VM Name text box.
9 Select Use standard network settings for the guest operating system, including enabling DHCP on all network interfaces. Fabric administrators and infrastructure architects handle network settings for provisioned machines by creating and using network profiles in vRealize Automation.
10 Follow the prompts to enter the remaining required information.
11 On the Ready to complete page, review your selections and click Finish.
Scenario: Prepare Your Reference Machine for the Dukes Bank vSphere Sample Application
You want your template to support the Dukes Bank sample application, so you must install both the guest agent and the software bootstrap agent on your reference machine so vRealize Automation can provision the software components.
Procedure
1 Log in to your reference machine as the root user.
   a Edit your /etc/selinux/config file to disable SELinux.
       SELINUX=disabled
     If you do not disable SELinux, the MySQL software component of the Dukes Bank sample application might not work as expected. Disabling SELinux removes a layer of mandatory access control from every machine cloned from this template, so apply this setting only to the template you dedicate to the sample application, not to production templates.
   b Remove udev persistence rules.
       /bin/rm -f /etc/udev/rules.d/70*
   c Enable machines cloned from this template to have their own unique identifiers.
       /bin/sed -i '/^\(HWADDR\|UUID\)=/d' /etc/sysconfig/network-scr
   c Enter Dukes Bank customization spec in the Description text box.
   d Click Next.
5 Set the computer name.
   a Select Use the virtual machine name.
   b Enter the domain on which you want to provision the Dukes Bank sample application in the Domain name text box.
   c Click Next.
6 Configure time zone settings.
7 Click Next.
8 Select Use standard network settings for the guest operating system, including enabling DHCP on all network interfaces.
2 Configuring Tenant Settings
Tenant administrators configure tenant settings such as user authentication, and manage user roles and business groups. System administrators and tenant administrators configure options such as email servers to handle notifications, and branding for the vRealize Automation console. You can use the Configuring Tenant Settings Checklist to see a high-level overview of the sequence of steps required to configure tenant settings. Table 2‑1.
This chapter includes the following topics:
   "Choosing Directories Management Configuration Options," on page 76
   "Scenario: Configure an Active Directory Link for a Highly Available vRealize Automation," on page 118
   "Configure Smart Card Authentication for vRealize Automation," on page 120
   "Create a Multi Domain or Multi Forest Active Directory Link," on page 126
   "Configuring Groups and User Roles," on page 127
   "Scenario: Configure the Default Tenant fo
Table 2‑3. Directories Management Settings
Directories: The Directories page enables you to create and manage Active Directory links to support vRealize Automation tenant user authentication and authorization. You create one or more directories and then sync those directories with your Active Directory deployment. This page displays the number of groups and users that are synced to the directory and the last sync time.
The connector is the default identity provider. For the authentication methods the connector supports, see VMware Identity Manager Administration. You can also use third-party identity providers that support the SAML 2.0 protocol. Use a third-party identity provider for an authentication type the connector does not support, or for one the connector does support when your enterprise security policy makes the third-party identity provider preferable.
Multi-Domain, Single Forest Active Directory Environment
A multi-domain, single forest Active Directory deployment allows you to sync users and groups from multiple Active Directory domains within a single forest. You can configure the service for this Active Directory environment as a single Active Directory, Integrated Windows Authentication directory type or, alternatively, as an Active Directory over LDAP directory type configured with the global catalog option.
• For Active Directory over LDAP, required information includes the Base DN, Bind DN, and Bind DN password.
• For Active Directory Integrated Windows Authentication, required information includes the domain's Bind user UPN address and password.
• If Active Directory is accessed over SSL, a copy of the SSL certificate is required.
6 Enter the appropriate information in the Server Location text box if you selected Active Directory over LDAP, or in the Join Domain Details text boxes if you selected Active Directory (Integrated Windows Authentication).
Server Location: Displayed when Active Directory over LDAP is selected.
Join Domain Details: Displayed when Active Directory (Integrated Windows Authentication) is selected.
7 If you want to use DNS Service Location to
12 Verify that the Directories Management directory attribute names are mapped to the correct Active Directory attributes. If the directory attribute names are not mapped correctly, select the correct Active Directory attribute from the drop-down menu.
13 Click Next.
14 Click to select the groups you want to sync from Active Directory to the directory. When you add a group from Active Directory, if members of that group are not in the Users list, they are added.
Configure Directories Management for High Availability
You can use Directories Management to configure a high availability Active Directory connection in vRealize Automation. Each vRealize Automation appliance includes a connector that supports user authentication, although only one connector is typically configured to perform directory synchronization. It does not matter which connector you choose to serve as the sync connector.
Configure a Bi-Directional Trust Relationship Between vRealize Automation and Active Directory
You can enhance the security of a basic vRealize Automation Active Directory connection by configuring a bi-directional trust relationship between your identity provider and Active Directory Federated Services.
4 Create a new Identity Provider for your deployment.
a Select Administration > Directories Management > Identity Providers.
b Click Add Identity Provider and complete the fields as appropriate.
Identity Provider Name: Enter a name for the new identity provider.
Identity Provider Metadata (URI or XML): Paste the contents of your Active Directory Federated Services metadata file here.
• Create a claim rule that transforms the attributes retrieved from LDAP in the Get Attributes rule into the desired SAML format. After you create the rule, you must edit the rule by adding the following text:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.
d Click Download adjacent to the Metadata for your SAML service provider heading. The vsphere.local.xml file should begin downloading.
e Copy the contents of the vsphere.local.xml file.
2 On the vRealize Automation Directories Management Identity Providers page, create a new Identity Provider.
a Log in to vRealize Automation as a tenant administrator.
b Select Administration > Directories Management > Identity Providers.
Add Users or Groups to an Active Directory Connection
You can add users or groups to an existing Active Directory connection. The Directories Management user authentication system imports data from Active Directory when adding groups and users, and the speed of the system is limited by Active Directory capabilities. As a result, import operations may require a significant amount of time depending on the number of groups and users being added.
To edit the user configuration:
• To add users, click the + icon to add a new line for the user DN definition and enter the appropriate user DN. If you want to delete a user DN definition, click the x icon for that user DN.
5 Click Save to save your changes without synchronizing immediately, or click Save & Sync to save your changes and synchronize so that your updates take effect immediately.
Add Memory to Directories Management
You may need to allocate additional memory to Directories Management if you have Active Directory connections that contain a large number of users or groups. By default, 4 GB of memory is allocated to the Directories Management service. This is sufficient for many small to medium sized deployments. If you have an Active Directory connection that uses a large number of users or groups, you may need to increase this memory allocation.
5 Restart the service. Enter service horizon-workspace restart.
Managing User Attributes that Sync from Active Directory
The Directories Management User Attributes page lists the user attributes that sync to your Active Directory connection. Changes that are made and saved in the User Attributes page are added to the Mapped Attributes page in the Directories Management directory.
Table 2‑7. Default Active Directory Attributes to Sync to Directory (Continued)
Directory Attribute Name: lastName. Default Mapping to Active Directory Attribute: sn
Directory Attribute Name: firstName. Default Mapping to Active Directory Attribute: givenName
Directory Attribute Name: email. Default Mapping to Active Directory Attribute: mail
Directory Attribute Name: userName. Default Mapping to Active Directory Attribute: sAMAccountName
Managing Connectors
The Connectors page lists deployed connectors for your enterprise network.
If you do not have the rights to join a domain, or if your company policy requires a custom location for the computer object, you must ask your administrator to create the object and then join the connector machine to the domain.
Procedure
1 Ask your Active Directory administrator to create the computer object in Active Directory in a location determined by your company policy. You must provide the host name of the connector.
Note that if an entry for a domain already exists in the file, it is not updated. For example, if you created a directory, then deleted it, the original domain entry remains in the file and is not updated.
• The file is not updated automatically in any other scenario. For example, if you delete a directory, the domain entry is not deleted from the file.
• If a domain controller listed in the file is not reachable, edit the file and remove it.
Procedure
1 Log in to the Directories Management virtual machine as the root user.
Note If you are using an additional connector for the directory, log in to the connector virtual machine.
2 Edit the /usr/local/horizon/conf/runtime-config.properties file and add the following attribute.
siteaware.subnet.override=subnet
where subnet is a subnet for the site whose domain controllers you want to use. For example: siteaware.subnet.override=10.100.0.
4 Change the owner of the domain_krb.properties file to horizon and the group to www using the following command:
chown horizon:www /usr/local/horizon/conf/domain_krb.properties
5 Restart the service.
service horizon-workspace restart
Troubleshooting domain_krb.properties
Use this information to troubleshoot the domain_krb.properties file.
"Error resolving domain" error
If the domain_krb.
Device Type: Select the type of device that the rule manages. The client types are Web Browser, Identity Manager Client App, iOS, Android, and All device types.
Authentication Methods: Set the priority of the authentication methods for the policy rule. The authentication methods are applied in the order they are listed.
• For the internal network (Internal Network Range), two authentication methods are configured for the rule: Kerberos, and password authentication as the fallback method. To access the apps portal from an internal network, the service attempts to authenticate users with Kerberos authentication first, as it is the first authentication method listed in the rule. If that fails, users are prompted to enter their Active Directory password.
1 To access the service from outside the enterprise network, the user is required to log in with RSA SecurID. The user logs in using a browser and now has access to the apps portal for a four hour session as provided by the default access rule.
2 After four hours, the user tries to launch a Web application with the Sensitive Web Applications policy set applied.
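The policy evaluation described above, written out as an added illustration (not VMware code): the first rule whose network range and device type match the request is selected, its authentication methods are tried in the listed order with each later method acting as the fallback, and the session must be re-authenticated once the rule's interval elapses. The 10.0.0.0/8 internal range and its eight-hour session are constructed assumptions; the default rule's four-hour session and the Kerberos-then-password ordering come from the text.

```python
"""Model of Directories Management access policy evaluation (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

ALL_RANGES = ["0.0.0.0/0", "::/0"]   # stands in for the "ALL RANGES" network range
ALL_DEVICES = "All"                   # stands in for the "All device types" choice


@dataclass
class PolicyRule:
    name: str
    network_ranges: List[str]   # CIDR blocks; requests from other addresses skip this rule
    device_types: List[str]     # e.g. "Web Browser", "iOS", or ALL_DEVICES
    auth_methods: List[str]     # tried in this order; each later entry is the fallback
    reauth_after_hours: int     # session length before the user must authenticate again


# Constructed sample policy mirroring the scenario in the text. The internal range
# and its eight-hour session are assumptions; the four-hour default is from the text.
SAMPLE_POLICY = [
    PolicyRule("Internal Network Range", ["10.0.0.0/8"], [ALL_DEVICES],
               ["Kerberos", "Password"], 8),
    PolicyRule("Default", ALL_RANGES, [ALL_DEVICES], ["RSA SecurID"], 4),
]


def select_rule(policy: List[PolicyRule], client_ip: str,
                device_type: str) -> Optional[PolicyRule]:
    """Return the first rule matching the client's address and device type, or None."""
    addr = ipaddress.ip_address(client_ip)
    for rule in policy:
        # An address of the other IP version is simply "not in" an IPv4/IPv6 network.
        in_range = any(addr in ipaddress.ip_network(cidr) for cidr in rule.network_ranges)
        device_ok = ALL_DEVICES in rule.device_types or device_type in rule.device_types
        if in_range and device_ok:
            return rule
    return None


def authenticate(rule: PolicyRule,
                 authenticators: Dict[str, Callable[[], bool]]) -> Optional[str]:
    """Try the rule's methods in listed order; return the one that succeeded, or None.

    A method listed in the rule but not configured on the connector is skipped,
    so the next listed method becomes the fallback.
    """
    for method in rule.auth_methods:
        check = authenticators.get(method)
        if check is not None and check():
            return method
    return None


def session_valid(rule: PolicyRule, hours_since_login: float) -> bool:
    """True while the login is younger than the rule's re-authentication interval."""
    return hours_since_login < rule.reauth_after_hours


def validate_rule(rule: PolicyRule) -> List[str]:
    """Report the ordering problem the text warns about: if Certificate is present
    but not listed first, certificate authentication fails for that rule."""
    problems = []
    if not rule.auth_methods:
        problems.append(f"{rule.name}: no authentication methods configured")
    elif "Certificate" in rule.auth_methods and rule.auth_methods[0] != "Certificate":
        problems.append(f"{rule.name}: Certificate must be the first authentication method")
    return problems


if __name__ == "__main__":
    # Internal user whose Kerberos attempt fails: the password fallback is used.
    rule = select_rule(SAMPLE_POLICY, "10.20.30.40", "Web Browser")
    used = authenticate(rule, {"Kerberos": lambda: False, "Password": lambda: True})
    print(rule.name, "->", used)
    # External user lands on the default rule: valid for four hours, then re-auth.
    ext = select_rule(SAMPLE_POLICY, "203.0.113.7", "Web Browser")
    print(ext.name, session_valid(ext, 3.5), session_valid(ext, 4.0))
```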
Manage the User Access Policy
vRealize Automation is supplied with a default user access policy that you can use as is or edit as needed to manage tenant access to applications.
vRealize Automation is supplied with a default user access policy, and you cannot add new policies. You can edit the existing policy to add rules.
Prerequisites
• Select or configure the appropriate identity providers for your deployment. See “Configure an Identity Provider Instance,” on page 110.
Integrating Alternative User Authentication Products with Directories Management
Typically, when you initially configure Directories Management, you use the connectors supplied with your existing vRealize Automation infrastructure to create an Active Directory connection for user ID and password based authentication and management. Alternatively, you can integrate Directories Management with other authentication solutions such as Kerberos or RSA SecurID.
Table 2‑8. User Authentication Types Supported by Directories Management (Continued)
Authentication Type: Mobile SSO (for Android)
Description: Mobile SSO for Android authentication is used for single sign-on authentication for AirWatch-managed Android devices. A proxy service is set up between the Directories Management service and AirWatch to retrieve the certificate from AirWatch for authentication.
Procedure
1 On a supported version of the RSA SecurID server, add the Directories Management connector as an authentication agent. Enter the following information.
Hostname: The host name of Directories Management.
IP address: The IP address of Directories Management.
6 Connector Address: Enter the IP address of the connector instance. The value you enter must match the value you used when you added the connector appliance as an authentication agent to the RSA SecurID server. If your RSA SecurID server has a value assigned to the Alternate IP address prompt, enter that value as the connector IP address. If no alternate IP address is assigned, enter the value assigned to the IP address prompt.
You can set up a secondary RADIUS authentication server to be used for high availability. If the primary RADIUS server does not respond within the server timeout configured for RADIUS authentication, the request is routed to the secondary server. When the primary server does not respond, the secondary server receives all future authentication requests.
5 Authentication type: Enter the authentication protocol that is supported by the RADIUS server: PAP, CHAP, MSCHAP1, or MSCHAP2.
Shared secret: Enter the shared secret that is used between the RADIUS server and the VMware Identity Manager service.
Server timeout in seconds: Enter the RADIUS server timeout in seconds, after which a retry is sent if the RADIUS server does not respond.
• Using Certificate Revocation Checking on page 107
You can configure certificate revocation checking to prevent users whose user certificates have been revoked from authenticating. Certificates are often revoked when a user leaves an organization, loses a smart card, or moves from one department to another.
Logging in with CRL Checking
When you enable certificate revocation, the Directories Management server reads a CRL to determine the revocation status of a user certificate. If a certificate is revoked, authentication through the certificate fails.
5 Certificate policies accepted: Create a list of object identifiers that are accepted in the certificate policies extensions. Enter the object ID numbers (OID) for the Certificate Issuing Policy. Click Add another value to add more OIDs.
Enable cert revocation: Select the check box to enable certificate revocation checking. Certificate revocation checking prevents users who have revoked user certificates from authenticating.
Configure an Identity Provider Instance
vRealize Automation is supplied with a default identity provider instance. Users may want to create additional identity provider instances.
vRealize Automation is supplied with a default identity provider. In most cases, the default provider is sufficient for customer needs.
What to do next
• Copy and save the Directories Management service provider metadata that is required to configure the third-party identity provider instance. This metadata is available in the SAML Signing Certificate section of the Identity Provider page.
• Add the authentication method of the identity provider to the service's default policy.
2 Edit an existing network range or add a new network range.
Edit an existing range: Click the network range name to edit.
Add a range: Click Add Network Range to add a new range.
3 Complete the form.
Name: Enter a name for the network range.
Description: Enter a description for the Network Range.
View Pods: The View Pods option only appears when the View module is enabled.
Client Access URL Host.
8 Click Sync Settings > Mapped Attributes.
9 In the drop-down menu for the attributes that you added, select the Active Directory attribute to map to.
10 Click Save.
The directory is updated the next time the directory syncs to the Active Directory.
Applying the Default Access Policy
The Directories Management service includes a default access policy that controls user access to their apps portals. You can edit the policy to change the policy rules as necessary.
e In the Re-Authenticate after value text box, enter the number of hours after which users must authenticate again.
f (Optional) Create a custom access denied message that displays when user authentication fails. You can use up to 4000 characters, which is about 650 words. If you want to send users to another page, in the Link URL text box, add the URL link. In the Link text text box, enter the text that displays for the link.
Configure Kerberos Authentication
To configure the Directories Management service to provide Kerberos authentication, you must join the domain and enable Kerberos authentication on the Directories Management connector.
Procedure
1 As a tenant administrator, navigate to Administration > Directories Management > Connectors.
2 On the Connectors page, for the connector that is being configured for Kerberos authentication, click Join Domain.
Configure Internet Explorer to Access the Web Interface
You must configure the Internet Explorer browser if Kerberos is configured for your deployment and if you want to grant users access to the Web interface using Internet Explorer. Kerberos authentication works in conjunction with Directories Management on Windows operating systems.
Note Do not implement these Kerberos-related steps on other operating systems.
6 Log in to the Web interface to check access. If Kerberos authentication is successful, the test URL goes to the Web interface. The Kerberos protocol secures all interactions between this Internet Explorer browser instance and Directories Management. Now, users can use single sign-on to access their My Apps portal.
• Since Chrome uses the Internet Explorer configuration to enable Kerberos authentication, you must configure Internet Explorer to allow Chrome to use the Internet Explorer configuration. See Google documentation for information about how to configure Chrome for Kerberos authentication.
Procedure
1 Test Kerberos functionality by using the Chrome browser.
2 Log in to Directories Management at https://myconnectorhost.domain.com/authenticate/.
4 Bind DN: Enter the full distinguished name (DN), including common name (CN), of an Active Directory user account that has privileges to search for users. For example, cn=config_admin infra,cn=users,dc=corp,dc=local.
Bind DN Password: Enter the Active Directory password for the account that can search for users.
Click Test Connection to test the connection to the configured directory.
e Enter the appropriate password in the Bind DN Password text box that appears when you select the connector.
f Click Add Connector.
g Edit the host name to point to your load balancer.
You connected your corporate Active Directory to vRealize Automation and configured Directories Management for high availability.
What to do next
To provide enhanced security, you can configure bi-directional trust between your identity provider and your Active Directory.
6 Configure Certificate Authentication and Configure Default Access Policy Rules on page 125
You must configure your external connection for use with your vRealize Automation Active Directory and domain.
Generate a Connector Activation Token
Before you deploy the connector virtual appliance to use for smart card authentication, generate an activation code for the new connector from the vRealize Automation console.
Storage: Select the location to store the virtual machine files.
Disk Format: Select the disk format for the files. For production environments, select a Thick Provision format. Use the Thin Provision format for evaluation and testing.
Network Mapping: Map the networks in your environment to the networks in the OVF template.
Properties:
Ready to Complete: Review your selections and click Finish.
3 Create strong passwords for the following connector virtual appliance administrator accounts. Strong passwords should be at least eight characters long and include uppercase and lowercase characters and at least one digit or special character.
Appliance Administrator: Create the appliance administrator password. The user name is admin and cannot be changed.
5 Select Install Certificate.
6 In the Terminate SSL on Identity Manager Appliance tab, select Custom Certificate.
7 In the SSL Certificate Chain text box, paste the host, intermediate, and root certificates, in that order. The SSL certificate works only if you include the entire certificate chain in the correct order.
Create a Workspace Identity Provider
You must create a Workspace identity provider for use with an external connector.
Prerequisites
• Log in to the vRealize Automation console as a tenant administrator.
Procedure
1 Select Administration > Directories Management > Identity Providers.
2 Select Add Identity Provider.
3 Select Create Workspace IDP on the displayed menu.
4 Type a name for the identity provider in the Identity Provider Name field.
9 Add Certificate to the policy rules and make it the first authentication method. Certificate must be the first authentication method listed in the policy rule, otherwise certificate authentication fails.
Create a Multi Domain or Multi Forest Active Directory Link
As a system administrator, you need to configure a multi domain or multi forest Active Directory link. The procedure for configuring a multi domain or multi forest Active Directory link is essentially the same.
9 Click the appropriate check boxes to select the desired domains for your system deployment.
10 Click Next.
11 Verify that the Directories Management directory attribute names are mapped to the correct Active Directory attributes. If the directory attribute names are mapped incorrectly, select the correct Active Directory attribute from the drop-down menu.
12 Click Next.
13 Click to select the groups you want to sync from Active Directory to the directory.
2 Enter a user or group name in the Search box and press Enter. Do not use an at sign (@), backslash (\), or slash (/) in a name. You can optimize your search by typing the entire user or group name in the form user@domain.
3 Click the name of the user or group to which you want to assign roles.
4 Select one or more roles from the Add Roles to this User list. The Authorities Granted by Selected Roles list indicates the specific authorities you are granting.
Users who are currently logged in to the vRealize Automation console must log out and log back in to the vRealize Automation console before they can navigate to the pages to which they have been granted access.
Create a Business Group
Business groups are used to associate a set of services and resources to a set of users, often corresponding to a line of business, department, or other organizational unit.
5 Enter a user name or custom user group name and press Enter. You can add one or more individuals or custom user groups to the business group. You do not have to specify users at this time. You can create empty business groups to populate later.
Group Manager Role: Can create entitlements and assign approval policies for the group.
Support Role: Can request and manage service catalog items on behalf of the other members of the business group.
The problem can appear after you upgrade if the synchronization does not run as expected. It can also appear if you use the API to update the IaaS database with a new or modified business group.
Solution
Prerequisites
Ensure that you can run command line commands. See Programming Guide.
Procedure
• Enter the command string on the vcac-cli command line.
Procedure
1 Scenario: Create Local User Accounts for Rainpole on page 132
Using your default system administrator privileges, you create two local user accounts in the default tenant. Assign one of these accounts to the tenant administrator role so you can start configuring the default tenant. You can use the second account later as a shared login for your architects to test blueprint and catalog access.
8 Click OK.
9 Click the New icon.
10 Create a local user account that you and your architects can later configure for testing blueprints and catalog access.
First Name: test
Last Name: user
Email: Enter an email address or use the placeholder test_user@rainpole.com.
Username: test_user
Password: VMware1!
11 Click OK.
12 Click the Administrators tab.
13 Enter Rainpole in the Tenant administrators search box and press Enter.
Bind DN: Enter the full distinguished name (DN), including common name (CN), of an Active Directory user account that has privileges to search for users. For example, cn=config_admin infra,cn=users,dc=rainpole,dc=local.
Bind DN Password: Enter the Active Directory password for the account that can search for users.
6 Click the Test Connection button to test the connection to the configured directory.
7 Click Save & Next.
6 Click Finish. The console is updated with your changes.
7 Select Administration > Branding > Login Screen Branding.
8 Follow the prompts to customize the login screen branding.
9 Click Save. The console is updated with your changes.
You updated the look and feel of the console for the default tenant.
What to do next
Create a custom group for members of your IT organization who need highly privileged access to vRealize Automation.
What to do next
Assign your custom group to the IaaS administrator role.
Scenario: Assign IaaS Administrator Privileges to Your Custom Group of Rainpole Architects
Using your default system administrator privileges, you assign your custom group to the IaaS administrator role to allow the group to configure IaaS resources.
Procedure
1 Log out of the vRealize Automation console.
2 Select the vsphere.local domain and click Next.
2 Configure Local Users on page 137
The vRealize Automation system administrator must configure local users for each applicable tenant.
3 Appoint Administrators on page 138
You can appoint one or more tenant administrators and IaaS administrators from the identity stores you configured for a tenant.
Specify Tenant Information
The first step in configuring a tenant is to name the new tenant, add it to vRealize Automation, and create the tenant-specific access URL.
The specified local users are created for the tenant.
Appoint Administrators
You can appoint one or more tenant administrators and IaaS administrators from the identity stores you configured for a tenant. Tenant administrators are responsible for configuring tenant-specific branding, as well as managing identity stores, users, groups, entitlements, and shared blueprints within the context of their tenant.
(Optional) Configuring Custom Branding
vRealize Automation enables you to apply custom branding to tenant login and application pages. Custom branding can include text and background colors, business logos, company name, privacy policies, copyright statements and other relevant information that you want to appear on tenant login or application pages.
Custom Branding for Tenant Applications
Use the Application Branding page to apply custom branding to vRealize Automation tenant applications. You can use default vRealize Automation branding on your user applications, or you can configure custom branding using the Application Branding page. This page enables you to configure branding on the header and footer of application pages. Note that custom branding applies in the same manner to all of your user applications.
(Optional) Checklist for Configuring Notifications
You can configure vRealize Automation to send users notifications when specific events occur. Users can choose which notifications to subscribe to, but they can only select from events you enable as notification triggers.
Figure (decision flow for configuring notifications): Configure an outbound mail server to send notifications. If you want users to be able to respond to notifications, configure an inbound mail server to receive notifications. Enable notifications for any events you want to allow users to receive updates for. If you want to customize the templates for IaaS notifications, edit the configuration files that control IaaS notifications.
Table 2‑9. Checklist for Configuring Notifications
Task: Configure an outbound email server to send notifications.
Task: (Optional) Configure an inbound email server so that users can complete tasks by responding to notifications.
Required Role and Details: System administrators configure default global servers. Tenant administrators configure servers for their tenants.
Configuring Global Email Servers for Notifications
Tenant administrators can add email servers as part of configuring notifications for their own tenants. As a system administrator, you can set up global inbound and outbound email servers that appear to all tenants as the system defaults. If tenant administrators do not override these settings before enabling notifications, vRealize Automation uses the globally configured email servers.
Create a Global Outbound Email Server
System administrators create a global outbound email server to handle outbound email notifications. You can create only one outbound server, which appears as the default for all tenants. If tenant administrators do not override these settings before enabling notifications, vRealize Automation uses the globally configured email server.
Prerequisites
Log in to the vRealize Automation console as a system administrator.
• If the email server requires authentication, the specified user must be in an identity store and the business group.
Procedure
1 Select Administration > Notifications > Email Servers.
2 Click the Add icon.
3 Select Email – Outbound.
4 Click OK.
5 Enter a name in the Name text box.
6 (Optional) Enter a description in the Description text box.
7 Type the name of the server in the Server Name text box.
8 Choose an encryption method.
• Click Use SSL.
2 Click the Add icon.
3 Select Email - Inbound and click OK.
4 Configure the following inbound email server options.
Name: Enter a name for the inbound email server.
Description: Enter a description of the inbound email server.
Security: Select the Use SSL check box.
Protocol: Choose a server protocol.
Server Name: Enter the server name.
Server Port: Enter the server port number.
7 Choose an encryption method.
• Click Use SSL.
• Click Use TLS.
• Click None to send unencrypted communications.
8 Type the server port number in the Server Port text box.
9 (Optional) Select the Required check box if the server requires authentication.
10
a Type a user name in the User Name text box.
b Type a password in the Password text box.
7 Enter a password in the Password text box.
8 Type the email address that vRealize Automation users can reply to in the Email Address text box.
9 (Optional) Select Delete From Server to delete from the server all processed emails that are retrieved by the notification service.
10 Choose whether vRealize Automation can accept self-signed certificates from the email server. This option is available only if you enabled encryption.
Procedure
1 Log in to the vRealize Automation server by using credentials with administrative access.
2 Navigate to and open the /etc/vcac/setenv-user file.
3 Add the following line to the file to specify the number of days prior to machine expiration, where 3 in this example specifies 3 days prior to machine expiration.
VCAC_OPTS="$VCAC_OPTS -Dlease.enforcement.prearchive.notification.
Prerequisites
Log in to the IaaS Manager Service as an administrator.
Procedure
1 Set your current directory to \Rdp.
2 Copy the file Default.rdp and rename it to Console.rdp in the same directory.
3 Open the Console.rdp file in an editor.
4 Add RDP settings to the file. For example, connect to console:i:1.
3 Edit the CustomDataType section of the file to create Data Name entries for each location.
You defined the default vRealize Orchestrator workflow folder for a tenant.
What to do next
Repeat the procedure for all of the tenants for which you want to define a default workflow folder.
Configure an External vRealize Orchestrator Server
You can set up vRealize Automation to use an external vRealize Orchestrator server. System administrators can configure the default vRealize Orchestrator server globally for all tenants.
You configured the connection to the external vRealize Orchestrator server, and the vCAC workflows folder and the related utility actions are automatically imported. The vCAC > ASD workflows folder contains workflows for configuring endpoints and creating resource mappings.
What to do next
Configure the vRealize Orchestrator plug-ins as endpoints. See “Configuring XaaS Resources,” on page 226.
5 Log in by using the vRealize Orchestrator Client user name and password. The credentials are the default tenant administrator user name and password.
6 In the Certificate Warning window, select an option to handle the certificate warning. The vRealize Orchestrator client communicates with the vRealize Orchestrator server by using an SSL certificate. A trusted CA does not sign the certificate during installation.
3 Configuring Resources
You can configure resources such as endpoints, reservations, and network profiles to support vRealize Automation blueprint definition and machine provisioning.
Table 3‑1. Checklist for Configuring IaaS Resources
Task: Store administrator-level credentials to your infrastructure.
vRealize Automation Role: IaaS administrator. See “Store User Credentials,” on page 158.
Chapter 3 Configuring Resources

5 Enter the user name in the User name text box.
Platform: Format and Details
vSphere: domain\username. Provide credentials with permission to modify custom attributes.
vCloud Air: username as specified in the endpoint user interface. Provide credentials for an organization administrator with rights to connect by using VMware Remote Console.
Choosing an Endpoint Scenario
You create the endpoints that allow vRealize Automation to communicate with your infrastructure. Depending on your machine provisioning needs, the procedure to create an endpoint differs. Choose an endpoint scenario based on the target endpoint type.
Table 3‑2.
Procedure
1 Select Infrastructure > Endpoints > Endpoints.
2 Select New > Virtual > vSphere.
3 Enter a name in the Name text box. This must match the endpoint name provided to the vSphere proxy agent during installation, or data collection fails.
4 (Optional) Enter a description in the Description text box.
5 Enter the URL for the vCenter Server instance in the Address text box. The URL must be of the type https://hostname/sdk or https://IP_address/sdk.
2 Select New > Orchestration > vCenter Orchestrator.
3 Enter a name and, optionally, a description.
4 Enter a URL with the fully qualified name or IP address of the vRealize Orchestrator server and the vRealize Orchestrator port number. The transport protocol must be HTTPS. If no port is specified, the default port 443 is used.
The first IPAM endpoint for vRealize Automation is created when you register the endpoint type for the IPAM solution provider plug-in in vRealize Orchestrator.
Prerequisites
- “Obtain and Import the External IPAM Provider Package in vRealize Orchestrator,” on page 15.
- “Run the Workflow to Register the Infoblox IPAM Endpoint Type in vRealize Orchestrator,” on page 16.
- Log in to the vRealize Automation console as an IaaS administrator.
Create a vCloud Air Endpoint
You can create a vCloud Air endpoint for an OnDemand or subscription service. For information about the vCloud Air Management Console, see the vCloud Air documentation.
Note Reservations defined for vCloud Air endpoints and vCloud Director endpoints do not support the use of network profiles for provisioning machines.
Prerequisites
- Log in to the vRealize Automation console as an IaaS administrator.
vRealize Automation uses a proxy agent to manage vSphere resources.
Note Reservations defined for vCloud Air endpoints and vCloud Director endpoints do not support the use of network profiles for provisioning machines.
Prerequisites
- Log in to the vRealize Automation console as an IaaS administrator.
- “Store User Credentials,” on page 158.
Procedure
1 Select Infrastructure > Endpoints > Endpoints.
2 Select New > Cloud > vCloud Director.
7 (Optional) Select the Use proxy server check box to configure additional security and force connections to pass through a proxy server.
a Enter the host name of your proxy server in the Hostname text box.
b Enter the port number to use for connecting to the proxy server in the Port text box.
c (Optional) Click the Browse icon next to the Credentials text box.
Create a Standalone Endpoint for Hyper-V
You can create endpoints to allow vRealize Automation to communicate with the Hyper-V server environment and discover compute resources, collect data, and provision machines.
Prerequisites
- Log in to the vRealize Automation console as an IaaS administrator.
- A system administrator must install a proxy agent with stored credentials that correspond to your endpoint. See Installing vRealize Automation 7.1.
What to do next
Add the compute resources from your endpoint to a fabric group. See “Create a Fabric Group,” on page 175.
Create a KVM (RHEV) Endpoint
You can create endpoints to allow vRealize Automation to communicate with the KVM (RHEV) environment and discover compute resources, collect data, and provision machines.
Prerequisites
- Log in to the vRealize Automation console as an IaaS administrator.
- “Store User Credentials,” on page 158.
To avoid duplicate entries in the vRealize Automation compute resource table, specify an address that matches the configured Xen pool master address. For example, if the Xen pool master address uses the host name, enter the host name and not the FQDN. If the Xen pool master address uses the FQDN, enter the FQDN.
3 Select the proxy agent that your system administrator installed for this endpoint from the Proxy agent name drop-down menu.
3 Enter a name and, optionally, a description. Typically this name indicates the Amazon Web Services account that corresponds to this endpoint.
4 Click Credentials and select the administrative-level credentials you stored for this endpoint. Only one endpoint can be associated with an Amazon access key ID.
5 (Optional) Select the Use proxy server check box to configure additional security and force connections to Amazon Web Services to pass through a proxy server.
- Memory (GB)
- Storage (GB)
- Compute Units
4 Click the Save icon.
When IaaS architects create Amazon Web Services blueprints, they can use your custom instance types.
What to do next
Add the compute resources from your endpoint to a fabric group. See “Create a Fabric Group,” on page 175.
Create an OpenStack or PowerVC Endpoint
You create an endpoint to allow vRealize Automation to communicate with your OpenStack or PowerVC instance.
Import a List of Endpoints
Importing a CSV file of endpoints can be more efficient than adding endpoints one at a time by using the vRealize Automation console.
Prerequisites
- Log in to the vRealize Automation console as an IaaS administrator.
- Store the credentials for your endpoints.
- Prepare an Endpoint CSV file for import.
Procedure
1 Select Infrastructure > Endpoints > Endpoints.
2 Click Import Endpoints.
3 Click Browse.
Table 3‑3. CSV File Fields and Their Order for Importing Endpoints (Continued)
Field: Description
Credentials (Required): Name you gave the user credentials when you stored them in vRealize Automation.
Name (Required): Provide a name for the endpoint. For OpenStack, the address is used as the default name.
Description (Optional): Provide a description for the endpoint.
OpenstackProject (Required for OpenStack only): Provide the project name for the endpoint.
Troubleshooting
Locate the vCloud Air Management URL for an Organization Virtual Data Center
To create a vCloud Air endpoint, you must provide vRealize Automation with the required vCloud Air region and the management URL.
Solution
The vCloud Air management URL is also the URL of the vCloud Director server used to manage a specific virtual data center (vDC). You can use the region information and the management URL to configure your vCloud Air endpoint.
Fabric administrators can now configure machine prefixes. See “Configure Machine Prefixes,” on page 176.
Users who are currently logged in to the vRealize Automation console must log out and log back in to the vRealize Automation console before they can navigate to the pages to which they have been granted access.
Configure Machine Prefixes
You can create machine prefixes that are used to create names for machines provisioned through vRealize Automation.
Existing key pairs are imported as part of data collection when you add a cloud endpoint. A fabric administrator can also create and manage key pairs by using the vRealize Automation console. If you delete a key pair from the vRealize Automation console, it is also deleted from the cloud service account. In addition to managing key pairs manually, you can configure vRealize Automation to generate key pairs automatically per machine or per business group.
4 Use one of the following methods to upload the key.
- Browse for a PEM-encoded file and click Upload.
- Paste the text of the private key, beginning with -----BEGIN RSA PRIVATE KEY----- and ending with -----END RSA PRIVATE KEY-----.
5 Click the Save icon.
Export the Private Key from a Key Pair
You can export the private key from a key pair to a PEM-encoded file.
Prerequisites
- Log in to the vRealize Automation console as a fabric administrator.
When provisioning virtual machines by cloning or by using kickstart/autoYaST provisioning, the requesting machine owner can assign static IP addresses from a predetermined range. If you specify a network profile in a reservation and a blueprint, the blueprint value takes precedence. For example, if you specify a network profile in the blueprint by using the VirtualMachine.NetworkN.
When you select an external IPAM endpoint in a network profile, vRealize Automation retrieves IP ranges from the registered external IPAM provider endpoint, such as Infoblox. It then allocates IP values from that endpoint. If you specify a network profile in a reservation and a blueprint, the blueprint value takes precedence. For example, if you specify a network profile in the blueprint by using the VirtualMachine.NetworkN.
- Create a CSV file containing IP addresses for import to a network range. See “Create an External Network Profile by Using An External IPAM Provider,” on page 184 and “Understanding CSV File Format for Importing Network Profile IP Addresses,” on page 180.
Procedure
1 Select Infrastructure > Reservations > Network Profiles.
2 Click New and select a network profile type from the drop-down menu. For this example, select External.
11 Click the IP Addresses tab to display the IP address data for the specified range address space. If you imported the IP address information from a CSV file, the range name is generated as Imported from CSV.
12 (Optional) Select IP address information from the Network range drop-down menu to filter IP address entries. You can display information about all defined network ranges, the network ranges imported from a CSV file, or a named network range.
3 Enter a name and, optionally, a description.
4 (Optional) Accept the supplied internal VMware IPAM endpoint in the IPAM endpoint drop-down menu.
5 Enter an IP subnet mask in the Subnet mask text box. For example, enter 255.255.0.0.
6 Enter an Edge or routed gateway address in the Gateway text box.
7 Click the DNS tab.
8 Enter DNS and WINS values as needed. The DNS and WINS fields are optional if you are using an internal IPAM endpoint.
d Enter the end IP address of the range in the Ending IP address text box.
- Click Import from CSV.
a Browse to and select the CSV file or drag the CSV file into the Import from CSV dialog box. A row in the CSV file has the format ip_address, machine_name, status, NIC offset. For example:
100.10.100.1,mymachine01,Unallocated
CSV Field: Description
ip_address: An IP address in IPv4 format.
machine_name: Name of a managed machine in vRealize Automation.
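A pre-import check for a CSV file in the row format above, written as an added example rather than VMware's own import code. It assumes that every address must fall between the range's starting and ending IP addresses, that machine_name, status and NIC offset may be omitted, that the NIC offset is a non-negative integer, and that the status values are Allocated or Unallocated; the page itself shows only Unallocated, so the accepted set is an assumption.

```python
"""Validate a network-profile IP import CSV (ip_address, machine_name, status, NIC offset)."""
import csv
import io
import ipaddress

# Accepted status values: an assumption for this example; the page shows only Unallocated.
VALID_STATUS = {"Allocated", "Unallocated"}

# Constructed sample file: one row per condition the validator reports on.
SAMPLE_CSV = """100.10.100.1,mymachine01,Unallocated
100.10.100.2,mymachine02,Allocated,0
100.10.100.300,badip,Unallocated
100.10.200.5,outside,Unallocated
100.10.100.3,mymachine03,Pending
100.10.100.1,dup,Unallocated
"""


def parse_row(fields):
    """Return a dict for one CSV row, or raise ValueError describing the defect."""
    if not fields or not fields[0].strip():
        raise ValueError("missing ip_address")
    # IPv4Address raises AddressValueError (a ValueError) on a malformed address.
    addr = ipaddress.IPv4Address(fields[0].strip())
    name = fields[1].strip() if len(fields) > 1 else ""
    # Missing status is treated as Unallocated (assumption).
    status = fields[2].strip() if len(fields) > 2 else "Unallocated"
    if status not in VALID_STATUS:
        raise ValueError(f"unknown status {status!r}")
    nic_offset = 0
    if len(fields) > 3 and fields[3].strip():
        nic_offset = int(fields[3].strip())  # ValueError if not an integer
        if nic_offset < 0:
            raise ValueError("NIC offset must be non-negative")
    if status == "Allocated" and not name:
        raise ValueError("Allocated address needs a machine_name")
    return {"ip": addr, "machine_name": name, "status": status, "nic_offset": nic_offset}


def validate_import(text, start_ip, end_ip):
    """Parse CSV text; return (accepted_rows, [(line_number, reason), ...]).

    Rows outside [start_ip, end_ip] and duplicate addresses are rejected so the
    file matches the range it is imported into.
    """
    low = ipaddress.IPv4Address(start_ip)
    high = ipaddress.IPv4Address(end_ip)
    if low > high:
        raise ValueError("starting IP address is above ending IP address")
    accepted, errors, seen = [], [], set()
    for lineno, fields in enumerate(csv.reader(io.StringIO(text)), start=1):
        if not fields:
            continue  # blank line
        try:
            row = parse_row(fields)
        except ValueError as exc:
            errors.append((lineno, str(exc)))
            continue
        if not low <= row["ip"] <= high:
            errors.append((lineno, f"{row['ip']} outside range {low}-{high}"))
            continue
        if row["ip"] in seen:
            errors.append((lineno, f"duplicate address {row['ip']}"))
            continue
        seen.add(row["ip"])
        accepted.append(row)
    return accepted, errors


if __name__ == "__main__":
    ok, bad = validate_import(SAMPLE_CSV, "100.10.100.1", "100.10.100.254")
    print(f"{len(ok)} rows accepted, {len(bad)} rejected")
    for lineno, reason in bad:
        print(f"  line {lineno}: {reason}")
```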
You can define one or more network ranges of static IP addresses in the network profile for use in provisioning a machine. If you do not specify a range, you can use a network profile as a network reservation policy to select a reservation network path for a virtual machine network card (vNIC).
What to do next
You can now define network ranges for IP addresses to complete the network profile definition.
Configure External Network Profile IP Ranges For Registered IPAM Endpoint
You can define one or more network ranges of static IP addresses in the network profile for use in provisioning a machine.
Specify NAT Network Profile Information
The network profile identifies the NAT network properties, underlying external network profile, NAT type, and other values used to provision the network.
Prerequisites
- Log in to the vRealize Automation console as a fabric administrator.
- Create an external network profile. See “Create an External Network Profile,” on page 182 or “Create an External Network Profile by Using An External IPAM Provider,” on page 184.
c (Optional) Enter a DNS suffix value. The DNS suffix is used in DNS name registration and DNS name resolution.
d (Optional) Enter a DNS search suffix value.
e (Optional) Enter a Preferred WINS server value.
f (Optional) Enter an Alternate WINS server value.
What to do next
“Configure NAT Network Profile IP Ranges,” on page 188.
Configure NAT Network Profile IP Ranges
You can define one or more ranges of static IP addresses for use in provisioning a network.
3 Click OK.
The IP range name appears in the defined ranges list. The IP addresses in the range appear in the defined IP addresses list. The uploaded IP addresses appear on the IP Addresses page when you click Apply or after you save and then edit the network profile.
4 Click the IP Addresses tab to display the IP addresses for the named network range.
5 (Optional) Select IP address information from the Network range drop-down menu to filter IP address entries.
2 Click New and select Routed from the drop-down menu.
3 Enter a name and, optionally, a description.
4 Select an existing network profile from the External Network Profile drop-down menu.
5 Accept the default IPAM endpoint value for the supplied internal VMware IPAM provider or select another IPAM provider endpoint, such as Infoblox, that you have imported and registered in vRealize Orchestrator.
2 Click Generate Ranges to generate network ranges based on the subnet mask, range subnet mask, and base IP address information that you entered on the General tab.
Starting with the base IP address, vRealize Automation generates ranges based on the range subnet mask. For example, vRealize Automation generates ranges of 255 IP ranges if the subnet mask is 255.255.0.0 and the range subnet mask is 255.255.255.0, using the names Range1 through Rangen.
3 Click OK.
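An added example, not the vRealize Automation generator itself, of how the three General tab inputs (base IP address, subnet mask, range subnet mask) can be turned into named ranges. It assumes that each range is one block the size of the range subnet mask inside the subnet, that generation starts with the block containing the base IP address and proceeds in address order as Range1, Range2, and so on, and that a range spans the block's host addresses (network and broadcast addresses excluded).

```python
"""Generate Range1..RangeN for a routed network profile from base IP, subnet mask and range mask."""
import ipaddress


def _prefix_length(mask):
    """Convert a dotted subnet mask such as 255.255.255.0 into a prefix length (24)."""
    return ipaddress.IPv4Network(("0.0.0.0", mask)).prefixlen


def generate_ranges(base_ip, subnet_mask, range_subnet_mask):
    """Return [(name, first_ip, last_ip), ...], one tuple per generated range.

    The range subnet mask must be longer (more specific) than the subnet mask;
    otherwise no block fits inside the subnet and a ValueError is raised.
    """
    network = ipaddress.IPv4Network((base_ip, subnet_mask), strict=False)
    range_prefix = _prefix_length(range_subnet_mask)
    if range_prefix <= network.prefixlen:
        raise ValueError("range subnet mask must be longer than the subnet mask")
    base = ipaddress.IPv4Address(base_ip)
    ranges = []
    for block in network.subnets(new_prefix=range_prefix):
        if block.broadcast_address < base:
            continue  # block lies entirely below the base IP address (assumption)
        if block.prefixlen <= 30:
            # Usable span excludes the block's network and broadcast addresses.
            first = block.network_address + 1
            last = block.broadcast_address - 1
        else:
            # /31 and /32 blocks have no separate network/broadcast addresses.
            first, last = block.network_address, block.broadcast_address
        ranges.append((f"Range{len(ranges) + 1}", str(first), str(last)))
    return ranges


if __name__ == "__main__":
    # Constructed inputs matching the masks named in the procedure above.
    for name, first, last in generate_ranges("10.20.0.0", "255.255.0.0", "255.255.255.0")[:3]:
        print(f"{name}: {first} - {last}")
```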
Table 3‑5. Choosing a Reservation Scenario
Scenario: Procedure
Create a vSphere reservation: “Create a Reservation for Hyper-V, KVM, SCVMM, vSphere, or XenServer,” on page 213
Create a reservation to allocate resources for a vCloud Air endpoint: “Create a vCloud Air Reservation,” on page 201
Create a reservation to allocate resources for a vCloud Director endpoint.
The allocated machine quota includes only machines that are powered on. For example, if a reservation has a quota of 50, and 40 machines have been provisioned but only 20 of them are powered on, the reservation’s quota is 40 percent allocated, not 80 percent.
- The reservation must have the security groups specified in the machine request.
- The reservation must be associated with a region that has the machine image specified in the blueprint.
If the custom property VirtualMachine.DiskN.StorageReservationPolicyMode is set to Not Exact, and no storage path with sufficient capacity is available in the storage reservation policy, then provisioning proceeds with a storage path outside the specified storage reservation policy. The default value of VirtualMachine.DiskN.StorageReservationPolicyMode is Exact.
Specify Amazon Reservation Information
Each reservation is configured for a specific business group to grant them access to request machines on a specified compute resource.
Note After you create a reservation, you cannot change the business group or compute resource associations.
You can control the display of reservations when adding, editing, or deleting by using the Filter By Category option on the Reservations page.
Specify Resource and Network Settings for Amazon Reservations
Specify resource and network settings for provisioning machines from this vRealize Automation reservation. For related information about load balancers, see Configuring vRealize Automation.
Prerequisites
“Specify Amazon Reservation Information,” on page 195.
Procedure
1 Click the Resources tab.
2 Select a compute resource on which to provision machines from the Compute resource drop-down menu.
You can save the reservation now by clicking Save. Or you can add custom properties to further control reservation specifications. You can also configure email alerts to send notifications when resources allocated to this reservation become low.
Specify Custom Properties and Alerts for Amazon Reservations
You can associate custom properties with a vRealize Automation reservation. You can also configure alerts to send email notifications when reservation resources are low.
Procedure
1 Specify OpenStack Reservation Information on page 198
Each reservation is configured for a specific business group to grant them access to request machines on a specified compute resource.
2 Specify Resources and Network Settings for OpenStack Reservations on page 199
Specify resource and network settings available to machines that are provisioned from this vRealize Automation reservation.
7 (Optional) Select a reservation policy from the Reservation policy drop-down menu. This option requires that one or more reservation policies exist. You can edit the reservation later to specify a reservation policy. You use a reservation policy to restrict provisioning to specific reservations.
8 Enter a number in the Priority text box to set the priority for the reservation. The priority is used when a business group has more than one reservation.
5 If you selected Specific key pair in the Key pair drop-down menu, select a key pair value from the Specific key pair drop-down menu.
6 Select one or more security groups that can be assigned to a machine during provisioning from the Security groups list.
7 Click the Network tab.
8 Configure a network path for machines provisioned by using this reservation.
a (Optional) If the option is available, select a storage endpoint from the Endpoint drop-down menu.
8 Enable the Capacity Alerts check box to configure alerts to be sent.
9 Use the slider to set thresholds for available resource allocation.
10 Enter one or more user email addresses or group names to receive alert notifications in the Recipients text box. Press Enter to separate multiple entries.
11 Select Send alerts to group manager to include group managers in the email alerts.
12 Specify a reminder frequency (days).
13 Click Save.
- Verify that a tenant administrator created at least one business group.
- Verify that a compute resource exists.
- Configure network settings.
- (Optional) Configure network profile information.
Procedure
1 Select Infrastructure > Reservations > Reservations.
2 Click the New icon and select the type of reservation to create. The available cloud reservation types are Amazon, OpenStack, vCloud Air, and vCloud Director. Select vCloud Air.
For integrations that use Storage Distributed Resource Scheduler (SDRS) storage, you can select a storage cluster to allow SDRS to automatically handle storage placement and load balancing for machines provisioned from this reservation. The SDRS automation mode must be set to Automatic. Otherwise, select a datastore within the cluster for standalone datastore behavior. SDRS is not supported for FlexClone storage devices.
8 Configure a network path for machines provisioned by using this reservation.
a (Optional) If the option is available, select a storage endpoint from the Endpoint drop-down menu. The FlexClone option is visible in the endpoint column if a NetApp ONTAP endpoint exists and if the host is virtual. If there is a NetApp ONTAP endpoint, the reservation page displays the endpoint assigned to the storage path.
11 Use the slider to set thresholds for available resource allocation.
12 Enter one or more user email addresses or group names to receive alert notifications in the Recipients text box. Press Enter to separate multiple entries.
13 Select Send alerts to group manager to include group managers in the email alerts.
14 Specify a reminder frequency (days).
15 Click Save.
The reservation is saved and appears in the Reservations list.
- Configure network settings.
- (Optional) Configure network profile information.
Procedure
1 Select Infrastructure > Reservations > Reservations.
2 Click the New icon and select the type of reservation to create. The available cloud reservation types are Amazon, OpenStack, vCloud Air, and vCloud Director. Select vCloud Director.
3 (Optional) Select an existing reservation from the Copy from existing reservation drop-down menu.
Prerequisites
“Specify vCloud Director Reservation Information,” on page 205.
Procedure
1 Click the Resources tab.
2 Select a compute resource on which to provision machines from the Compute resource drop-down menu. Only templates located on the cluster you select are available for cloning with this reservation.
3 Select an allocation model.
Specify Custom Properties and Alerts for vCloud Director Reservations
You can associate custom properties with a vRealize Automation reservation. You can also configure alerts to send email notifications when reservation resources are low.
Custom properties and email alerts are optional configurations for the reservation. If you do not want to associate custom properties or set alerts, click Save to finish creating the reservation.
Scenario: Create an Amazon Reservation for a Proof of Concept Environment
Because you used an SSH tunnel to temporarily establish network-to-Amazon VPC connectivity for your proof of concept environment, you have to add custom properties to your Amazon reservations to ensure that the Software bootstrap agent and guest agent run communications through the tunnel.
3 Enter Amazon Tunnel POC in the Name text box.
4 Select the business group you created for your blueprint architects from the Business Group drop-down menu.
5 Enter 1 in the Priority text box to set this reservation as the highest priority.
You configured the business group and the priority for the reservation, but you still need to allocate resources and configure the custom properties for the SSH tunnel.
3 Configure the tunnel custom properties. Use the private IP address of your Amazon AWS tunnel machine and port 1443, which you assigned for vRealize_automation_appliance_fqdn when you invoked the SSH tunnel.
Option: Value
software.ebs.url: https://Private_IP:1443/event-broker-service/api
software.agent.service.url: https://Private_IP:1443/software-service/api
agent.download.url: https://Private_IP:1443/software-service/resources/nobelagent.jar
4 Click Save.
When a virtual reservation’s machine quota, memory, or storage is fully allocated, no further virtual machines can be provisioned from it. Resources may be reserved beyond the physical capacity of a virtualization compute resource (overcommitted), but when the physical capacity of a compute resource is 100% allocated, no further machines can be provisioned on any reservations with that compute resource until the resources are reclaimed.
Creating a vSphere Reservation for NSX Network and Security Virtualization
You can create a vSphere reservation to assign external networks and routed gateways to network profiles for networks, specify the transport zone, and assign security groups to machine components.
Procedure
1 Specify Virtual Reservation Information on page 214
Each reservation is configured for a specific business group to grant users access to request machines on a specified compute resource.
2 Specify Resource and Networking Settings for a Virtual Reservation on page 215
Specify resource and network settings for provisioning machines from this vRealize Automation reservation.
7 (Optional) Select a reservation policy from the Reservation policy drop-down menu. This option requires that one or more reservation policies exist. You can edit the reservation later to specify a reservation policy. You use a reservation policy to restrict provisioning to specific reservations.
8 Enter a number in the Priority text box to set the priority for the reservation. The priority is used when a business group has more than one reservation.
7 Click the Network tab.
8 Configure a network path for machines provisioned by using this reservation.
a (Optional) If the option is available, select a storage endpoint from the Endpoint drop-down menu. The FlexClone option is visible in the endpoint column if a NetApp ONTAP endpoint exists and if the host is virtual. If there is a NetApp ONTAP endpoint, the reservation page displays the endpoint assigned to the storage path.
11 Enter one or more user email addresses or group names to receive alert notifications in the Recipients text box. Press Enter to separate multiple entries.
12 Select Send alerts to group manager to include group managers in the email alerts.
13 Specify a reminder frequency (days).
14 Click Save.
The reservation is saved and appears in the Reservations list.
What to do next
You can configure optional reservation policies or begin preparing for provisioning.
Reservation Policies
You can use a reservation policy to control how reservation requests are processed. When you provision machines from the blueprint, provisioning is restricted to the resources specified in your reservation policy. Reservation policies provide an optional means of controlling how reservation requests are processed.
Create a Reservation Policy
You can use reservation policies to group similar reservations together. Create the reservation policy first, then add the policy to reservations to allow a blueprint creator to use the reservation policy in a blueprint. The policy is created as an empty container.
You can control the display of reservation policies when adding, editing, or deleting by using the Filter By Type option on the Reservation Policies page.
When you create a blueprint, you can assign a single datastore or a storage reservation policy that represents multiple datastores to a volume. When you assign a single datastore, or storage profile, to a volume, vRealize Automation uses that datastore or storage profile at provisioning time, if possible.
4 Select Storage Reservation Policy from the Type drop-down menu.
5 Enter a description in the Description text box.
6 Click Update to save the policy.
Assign a Storage Reservation Policy to a Datastore
You can associate a storage reservation policy with a compute resource. After the storage reservation policy is created, populate it with datastores. A datastore can belong to only one storage reservation policy.
2 Scenario: Configure Machine Prefixes for Rainpole on page 222
Using your fabric administrator privileges, you create a prefix that you can configure to prepend to machines provisioned by your vRealize Automation architects and developers during development and testing.
What to do next
Using your tenant administrator privileges, you create a business group for the IT team that is responsible for designing and testing your vRealize Automation blueprints.
Scenario: Create a Business Group for Your Rainpole Architects to Test Catalog Items
Using your tenant administrator privileges, you create a business group for the IT team responsible for designing and testing vRealize Automation blueprints.
Procedure
1 Select Infrastructure > Reservations > Reservations.
2 Click the New icon.
3 Select vSphere from the drop-down menu.
4 Enter the reservation information.
Option: Input
Name: Rainpole reservation
Tenant: vsphere.local
Business Group: Rainpole business group
Priority: 1
5 Select the Resources tab.
6 Enter the resources information from your deployment environment.
Option: Input
Compute resources: Select a resource cluster from the drop-down menu.
Scenario: Apply a Location to a Compute Resource for Cross Region Deployments As a fabric administrator, you want to label your compute resources as belonging to your Boston or London datacenter to support cross region deployments. When your blueprint architects enable the locations feature on their blueprints, users are able to choose whether to provision machines in your Boston or London datacenter.
Table 3‑6. Preparing for Provisioning a vRealize Automation Deployment Using Infoblox IPAM Checklist. Task: Obtain, import, and configure the external IPAM solution provider plug-in or package. Location / Details: Obtain and import the vRealize Orchestrator plug-in, run the vRealize Orchestrator configuration workflows, and register the IPAM provider endpoint type in vRealize Orchestrator. If the VMware Solution Exchange (https://solutionexchange.vmware.
Configure the Active Directory Plug-In as an Endpoint You add an endpoint and configure the Active Directory plug-in to connect to a running Active Directory instance and manage users and user groups, Active Directory computers, organizational units, and so on. After you add an Active Directory endpoint, you can update it at any time. Prerequisites
- Verify that you have access to a Microsoft Active Directory instance. See the Microsoft Active Directory documentation.
8 Configure the shared session settings. vRealize Orchestrator uses these credentials to run all the Active Directory workflows and actions, regardless of which user requested them, so grant the account only the Active Directory rights the workflows need. a Enter the user name for the shared session in the User name for the shared session text box. b Enter the password for the shared session in the Password for the shared session text box. 9 Click Finish. You added an Active Directory instance as an endpoint.
8 (Optional) Configure proxy settings. a Select Yes from the Use Proxy drop-down menu. b Enter the IP address of the proxy server in the Proxy address text box. c Enter the port number used to communicate with the proxy server in the Proxy port text box. 9 Click Next. 10 Select the authentication type. Option / Action: None: No authentication is required. OAuth 1.0: Uses the OAuth 1.0 protocol.
You configured the endpoint and added a REST host. XaaS architects can use XaaS to publish HTTP-REST plug-in workflows as catalog items and resource actions. Configure the PowerShell Plug-In as an Endpoint You can add an endpoint and configure the PowerShell plug-in to connect to a running PowerShell host, so that you can call PowerShell scripts and cmdlets from vRealize Orchestrator actions and workflows, and work with the result.
Configure the SOAP Plug-In as an Endpoint You can add an endpoint and configure the SOAP plug-in to define a SOAP service as an inventory object, and perform SOAP operations on the defined objects. Prerequisites
- Verify that you have access to a SOAP host. The plug-in supports SOAP versions 1.1 and 1.2, and WSDL 1.1 and 2.0.
- Log in to the vRealize Automation console as a tenant administrator.
Procedure 1 Select Administration > vRO Configuration > Endpoints.
11 Select the authentication type. Option / Action: None: No authentication is required. Basic: Provides basic access authentication. The communication with the host is in shared session mode. Basic authentication sends the credentials with every request, only base64-encoded, so use it only over HTTPS. a Enter the user name for the shared session in the User name text box. b Enter the password for the shared session in the Password text box. Digest: Provides digest access authentication, which sends a hash of the credentials instead of the password itself. The communication with the host is in shared session mode.
5 Enter a name and, optionally, a description. 6 Click Next. 7 Provide information about the vCenter Server instance. a In the IP or host name of the vCenter Server instance to add text box, enter the IP address or DNS name of the machine on which the vCenter Server instance you want to add is installed.
Working With Active Directory Policies Active Directory policies define the properties of a machine record, for example, domain, as well as the organizational unit in which the record is created using a vRealize Automation blueprint. If you apply a policy to a business group, all the machine requests from the business group members are added to the specified organizational unit.
Create an Active Directory Policy You create an Active Directory policy to define where records are added in an Active Directory instance when your users deploy machines. You can assign a policy to a business group so that all machines deployed by the business group members result in a record created in the specified organizational unit.
Scenario: Add a Custom Property to Blueprints to Override an Active Directory Policy As a blueprint architect for the development business group, you have a blueprint that includes an application machine and a database machine. You want the database machine record added to an organizational unit that is different from the applied Active Directory policy. You have an existing policy that is applied to the development business group.
4 Providing On-Demand Services to Users You deliver on-demand services to users by creating catalog items and actions, then carefully controlling who can request those services by using entitlements and approvals.
Software Components You can create and publish software components to install software during the machine provisioning process and support the software life cycle. For example, you can create a blueprint for developers to request a machine with their development environment already installed and configured. Software components are not catalog items by themselves, and you must combine them with a machine component to create a catalog item blueprint.
Chapter 4 Providing On-Demand Services to Users XaaS Blueprints You can publish your vRealize Orchestrator workflows as XaaS blueprints. For example, you can create a custom resource for Active Directory users, and design an XaaS blueprint to allow managers to provision new users in their Active Directory group. You create and manage XaaS components outside of the design tab.
Table 4‑1. Choosing Your Import and Export Tool. Tool: vRealize CloudClient. More information: See the VMware Developer site at https://developercenter.vmware.com/tool/cloudclient. Tool: vRealize Automation REST API. More information: See the Programming Guide in the vRealize Automation Information Center at https://www.vmware.com/support/pubs/vcac-pubs.html.
Scenario: Import the Dukes Bank for vSphere Sample Application You download the Dukes Bank for vSphere application from your vRealize Automation appliance. You import the sample application into your vRealize Automation tenant to view a working sample of a multitiered vRealize Automation blueprint that includes multiple machine components with networking and software components. Procedure 1 Log in to your vRealize Automation appliance as root by using SSH.
Scenario: Configure Dukes Bank vSphere Sample Components for Your Environment Using your infrastructure architect privileges, you configure each of the Dukes Bank machine components to use the customization specification, template, and machine prefixes that you created for your environment. This scenario configures the machine components to clone machines from the template you created in the vSphere Web Client.
d Select CloneWorkflow from the Provisioning workflow drop-down menu. e Select your dukes_bank_template in the Clone from dialog box. f Enter your Customspecs_sample in the Customization spec text box. This field is case sensitive. g Click the Machine Resources tab. h Verify that the memory setting is at least 2048 MB. 6 Repeat for the database-node machine component. 7 Click Save and Finish.
5 Click Submit. Depending on your network and your vCenter Server instance, it can take approximately 15-20 minutes for the Dukes Bank sample application to fully provision. You can monitor the status on the Requests tab, and after the application provisions you can view the catalog item details on the Items tab. 6 After the application provisions, locate the IP address of the load balancer server so you can access the Dukes Bank sample application.
Table 4‑2. Building Your Design Library. Catalog Item: Machines. Role: Infrastructure architect. Components: Create machine blueprints on the Blueprints tab. Description Details: You can create machine blueprints to rapidly deliver virtual, private and public, or hybrid cloud machines to your users.
Table 4‑2. Building Your Design Library (Continued). Catalog Item: Custom IT Services. Role: XaaS architects. Components: Create and publish XaaS blueprints on the XaaS tab. Description Details: You can create XaaS catalog items that extend vRealize Automation functionality beyond machine, networking, security, and software provisioning.
Thin Provisioning Thin provisioning is supported for all virtual provisioning methods. Depending on your virtualization platform, storage type, and default storage configuration, thin provisioning might always be used during machine provisioning. For example, for vSphere ESX Server integrations using NFS storage, thin provisioning is always employed.
6 Drag the type of machine you want to provision onto the design canvas. 7 Follow the prompts on each of the tabs to configure machine provisioning details. 8 Click Finish. 9 Select your blueprint and click Publish. You configured and published a machine component as a standalone blueprint. Catalog administrators can include this machine blueprint in catalog services and entitle users to request this blueprint.
Properties Tab Custom properties you add at the blueprint level apply to the entire blueprint, including all components. However, they can be overridden by custom properties assigned later in the precedence chain. For more information about order of precedence for custom properties, see Custom Properties Reference. Table 4‑4.
vSphere Machine Component Settings Understand the settings and options that you can configure for a vSphere machine component in the vRealize Automation blueprint design canvas. vSphere is the only machine component type that can use NSX network and security component settings in the design canvas. General Tab Configure general settings for a vSphere machine component. Table 4‑5.
Table 4‑6. Build Information Tab. Setting / Description: Blueprint type: For record-keeping and licensing purposes, select whether machines provisioned from this blueprint are classified as Desktop or Server. Action: The options you see in the action drop-down menu depend on the type of machine you select. The following actions are available:
- Create: Create the machine component specification without using a cloning option.
Table 4‑6. Build Information Tab (Continued). Setting / Description: Clone from: For clone or NetApp FlexClone, select a machine template to clone from. For linked clones, select a machine from the list of machines. You only see machines that have available snapshots to clone from and that you manage as a tenant administrator or business group manager. You can only clone from templates that exist on machines that you manage as a business group manager or tenant administrator.
Table 4‑8. Storage Tab Settings. Setting / Description: ID: Enter an ID or name for the storage volume. Capacity (GB): Enter the storage capacity for the storage volume. Drive Letter/Mount Path: Enter a drive letter or mount path for the storage volume. Label: Enter a label for the drive letter and mount path for the storage volume. Storage Reservation Policy: Enter the existing storage reservation policy to use with this storage volume.
Security Tab You can configure security settings for a vSphere machine component based on NSX settings that are configured outside vRealize Automation. You can optionally use settings from existing and on-demand NSX security components in the blueprint design canvas. The security settings from existing and on-demand security group and security tag components in the blueprint design canvas are automatically available.
Table 4‑11. Properties > Custom Properties Tab Settings (Continued). Setting / Description: Overridable: You can specify that the property value can be overridden by the next or subsequent person who uses the property. Typically, this is another architect, but if you select Show in request, your business users are able to see and edit property values when they request catalog items.
Table 4‑13. General Tab Settings (Continued). Setting / Description: Reservation policy: Apply a reservation policy to a blueprint to restrict the machines provisioned from that blueprint to a subset of available reservations.
Table 4‑14. Build Information Tab (Continued). Setting / Description: Provisioning workflow: The options you see in the provisioning workflow drop-down menu depend on the type of machine you select and the action you select. The following workflows are available:
- CloneWorkflow: Make copies of a virtual machine, either by clone, linked clone, or NetApp FlexClone.
Clone from: For clone or NetApp FlexClone, select a machine template to clone from.
Table 4‑16. Storage Tab Settings (Continued). Setting / Description: Maximum volumes: Enter the maximum number of allowed storage volumes that can be used when provisioning from the machine component. Enter 0 to prevent others from adding storage volumes. The default value is 60. Allow users to see and change storage reservation policies: Select the check box to allow users to remove an associated reservation policy or specify a different reservation policy when provisioning.
Table 4‑18. Properties > Property Groups Tab Settings. Setting / Description: Name: Select an available property group from the drop-down menu. Move Up and Move Down: Control the precedence level of listed property groups in descending order. The first-listed property group has precedence over the next-listed property group and so on. View Properties: Display the custom properties in the selected property group.
Table 4‑19. General Tab Settings (Continued). Setting / Description: Machine prefix: Machine prefixes are created by fabric administrators and are used to create the names of provisioned machines. If you select Use group default, machines provisioned from your blueprint are named according to the machine prefix configured as the default for the user's business group. If no machine prefix is configured, one is generated for you based on the name of the business group.
Table 4‑20. Build Information Tab (Continued). Setting / Description: Key Pair: Key pairs are required for provisioning with Amazon Web Services. Key pairs are used to provision and connect to a cloud instance. They are also used to decrypt Windows passwords and to log in to a Linux machine, so treat the private key of each pair as a credential: whoever holds it can recover the Windows administrator password and log in to the instance. The following key pair options are available:
- Not specified: Controls key pair behavior at the reservation level rather than at the blueprint level.
Table 4‑21. Machine Resources Tab (Continued). Setting / Description: Storage (GB): Minimum and Maximum: Enter a minimum and maximum amount of storage that can be consumed by machines that are provisioned by this machine component. For vSphere, KVM (RHEV), SCVMM, vCloud Air, and vCloud Director, minimum storage is set based on what you enter on the Storage tab.
Table 4‑23. Properties > Property Groups Tab Settings. Setting / Description: Name: Select an available property group from the drop-down menu. Move Up and Move Down: Control the precedence level of listed property groups in descending order. The first-listed property group has precedence over the next-listed property group and so on. View Properties: Display the custom properties in the selected property group.
Table 4‑24. General Tab Settings (Continued). Setting / Description: Machine prefix: Machine prefixes are created by fabric administrators and are used to create the names of provisioned machines. If you select Use group default, machines provisioned from your blueprint are named according to the machine prefix configured as the default for the user's business group. If no machine prefix is configured, one is generated for you based on the name of the business group.
Table 4‑25. Build Information Tab (Continued). Setting / Description: OpenStack Image: Select an available OpenStack machine image. An OpenStack machine image is a template that contains a software configuration, including an operating system. Machine images are managed by OpenStack accounts. Key Pair: Key pairs are optional for provisioning with OpenStack. Key pairs are used to provision and connect to a cloud instance.
Properties Tab Optionally specify custom property and property group information for your OpenStack machine component. You can add individual custom properties and groups of custom properties to the machine component by using the Properties tab. You can also add custom properties and property groups to the overall blueprint by using the Properties tab when you create or edit a blueprint on the New Blueprint or Blueprint Properties page, respectively.
Troubleshooting Blueprints for Clone and Linked Clone When creating a linked clone or clone blueprint, machines or templates are missing. Using your shared clone blueprint to request machines fails to provision machines.
Table 4‑29. Causes for Common Clone and Linked Clone Blueprint Problems (Continued). Problem: Provisioning failure with a guest agent. Cause: The virtual machine might be rebooting immediately after the guest operating system customization is completed, but before the guest agent work items are completed, causing provisioning to fail. Solution: You can use the custom property VirtualMachine.Admin.CustomizeGuestOSDelay to increase the time delay.
After you publish your blueprint, other architects can reuse it as a component in new blueprints. No one can see or request your blueprint from the catalog until you use your tenant administrator privileges to make it available for request.
Scenario: Configure General Details for Your Rainpole Machine Component Using your IaaS architect privileges, you drag a vSphere machine component onto the design canvas and configure the general details for machines provisioned by using your blueprint. Only IaaS architects are allowed to configure machine components. Application and Software architects are only allowed to use machine components by reusing the published machine blueprints that you create.
Scenario: Configure Machine Resources for Your Rainpole Machines Using your IaaS architect privileges, you give users minimum and maximum parameters for memory and the number of allowed CPUs. This conserves resources but also accommodates your users' needs. Software architects and application architects are not allowed to configure machine components, but they can reuse blueprints that contain machine components.
[Workflow figure: Configure Tenant, Configure IaaS Resources, Design On-Demand Services (you are here)]
Procedure 1 Scenario: Install the Guest Agent and Software Bootstrap Agent on Your Rainpole Machine on page 272 Using your business group manager privileges, you log in to the Rainpole001 machine you provisioned as the test user. You install the guest agent and the Software bootstrap agent on your machine to prepare for Software provisioning.
8 Follow the prompts to complete the installation. You see a confirmation message when the installation is successfully completed. If you see an error message and logs in the console, resolve the errors and run the installer script again. 9 Return to the vRealize Automation console and create the snapshot. a Click Create Snapshot from the Actions menu on the right and follow the prompts. b Click the Snapshots tab to monitor the process.
Add RDP Connection Support to Your Windows Machine Blueprints If you want to allow your catalog administrators to entitle users to the Connect using RDP action for your Windows blueprints, you must add the RDP custom properties to your machine blueprint, and reference the custom RDP file your system administrator prepared.
Scenario: Add Active Directory Cleanup to Your CentOS Blueprint As an IaaS architect, you want to configure vRealize Automation to clean up your Active Directory environment whenever provisioned machines are removed from your hypervisors. So you edit your existing vSphere CentOS blueprint to configure the Active Directory cleanup plug-in.
7 Option / Description and Value: Plugin.AdMachineCleanup.Delete: Set to True to delete the accounts of destroyed machines instead of disabling them. Plugin.AdMachineCleanup.MoveToOu: Moves the accounts of destroyed machines to a new Active Directory organizational unit. The value is the organizational unit to which you are moving the account. This value must be in ou=OU,dc=dc format, for example ou=trash,cn=computers,dc=lab,dc=local. Plugin.AdMachineCleanup.
Scenario: Enable Users to Select Datacenter Locations for Cross Region Deployments As a blueprint architect, you want to allow your users to choose whether to provision machines on your Boston or London infrastructure, so you edit your existing vSphere CentOS blueprint to enable the locations feature.
Designing Machine Blueprints with NSX Networking and Security If you have an NSX instance integrated with vRealize Automation, you can configure your vSphere blueprints to leverage NSX for network and security virtualization. If you have configured vRealize Automation integration with NSX, you can use network, security, and load balancer components in the design canvas to configure your blueprint for machine provisioning.
Table 4‑31. NSX Settings Tab Settings. Setting / Description: Transport zone: Select an existing NSX transport zone to contain the network or networks that the provisioned machine deployment can use. A transport zone defines which clusters the networks can span. When provisioning machines, if a transport zone is specified in a reservation and in a blueprint, the transport zone values must match.
Table 4‑32. Properties Tab Settings (Continued). Tab: Custom Properties. Setting / Description: View merged properties: If a custom property is included in more than one property group, the value included in the property group with the highest priority takes precedence. You can view these merged properties to assist you in prioritizing property groups. You can add individual custom properties instead of property groups.
vRealize Automation provisions a routed gateway, for example an edge services gateway (ESG), for NAT networks and for load balancers. For routed networks, vRealize Automation uses existing distributed routers. A NAT network profile and a load balancer enable vRealize Automation to deploy an NSX edge services gateway. A routed network profile uses an NSX distributed logical router (DLR).
To integrate network and security with vRealize Automation, an IaaS administrator must install the NSX plug-ins in vRealize Orchestrator and create vRealize Orchestrator and vSphere endpoints. For information about external preparation, see Configuring vRealize Automation. You can create network profiles that specify network settings in reservations and in the blueprint canvas. External network profiles define existing physical networks.
Security groups are managed in the source resource. For information about managing security groups for various resource types, see the vendor documentation. You can add an NSX existing or on-demand security group to the blueprint canvas. Security Tag A security tag is a qualifier object or categorizing entry that you can use as a grouping mechanism. You define the criteria that an object must meet to be added to the security group you are creating.
4 Click OK. 5 Click Finish to save the blueprint as a draft or continue configuring the blueprint. You can continue configuring security settings by adding additional security components and by selecting settings in the Security tab of a vSphere machine component in the blueprint canvas.
- Verify that the NSX plug-in for vRealize Automation is installed and that the NSX inventory data collection has run successfully for your cluster. To use NSX configurations in vRealize Automation, you must install the NSX plug-in and run data collection.
- Log in to the vRealize Automation console as an infrastructure architect.
- Open a new or existing blueprint in the design canvas by using the Design tab.
- Verify that the NSX plug-in for vRealize Automation is installed and that the NSX inventory data collection has run successfully for your cluster. To use NSX configurations in vRealize Automation, you must install the NSX plug-in and run data collection.
- Create a network profile.
- Log in to the vRealize Automation console as an infrastructure architect.
- Open a new or existing blueprint in the design canvas by using the Design tab.
Prerequisites
- Create and configure network settings for NSX. See Configuring vRealize Automation and the NSX Administration Guide.
- Verify that the NSX plug-in for vRealize Automation is installed and that the NSX inventory data collection has run successfully for your cluster. To use NSX configurations in vRealize Automation, you must install the NSX plug-in and run data collection.
- Create a network profile.
7 (Optional) For an on-demand NAT network component, click the DHCP tab to specify the IP address range and lease length values. You can edit the start and end IP address values for the DHCP range. When the virtual machine is provisioned with DHCP, the network adapter is assigned an IP address within this range. It is a static network adapter by default. The IP address values cannot be the network address or the broadcast address of the associated subnet.
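The range rule in step 7 is easy to get wrong by hand, and the DHCP tab does not say why a value is rejected. The following POSIX shell function is an added example, not part of the VMware documentation or product: it checks a proposed start and end address against the subnet of the network component (IPv4, CIDR notation) and rejects a range that leaves the subnet, includes the network or broadcast address, or runs backwards. The subnet and address values in the demo are constructed for the example.

```shell
#!/bin/sh
# Added example; not part of the VMware documentation or product. Checks a
# DHCP start/end range against the subnet of an on-demand NAT network
# component: both addresses must be inside the subnet and neither may be the
# network or the broadcast address. IPv4 only. Sample values are constructed.

# Dotted-quad IPv4 address -> 32-bit integer on stdout. Returns 1 when the
# input is malformed (wrong field count, non-digits, leading zeros, octet > 255).
# Runs in a subshell so the IFS change does not leak into the caller.
ip_to_int() (
    IFS=.
    set -- $1
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*|0[0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
)

# Validate START..END against SUBNET given in CIDR form (e.g. 192.168.10.0/24).
# Prints "ok" or the reason for rejection; returns 0 only for a usable range.
check_dhcp_range() {
    cidr=$1
    start=$2
    end=$3
    net_ip=${cidr%/*}
    prefix=${cidr#*/}
    case "$prefix" in ''|*[!0-9]*) echo "bad prefix"; return 1 ;; esac
    [ "$prefix" -ge 1 ] && [ "$prefix" -le 30 ] || { echo "bad prefix"; return 1; }
    n=$(ip_to_int "$net_ip") || { echo "bad network address"; return 1; }
    s=$(ip_to_int "$start")  || { echo "bad start address"; return 1; }
    e=$(ip_to_int "$end")    || { echo "bad end address"; return 1; }
    mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
    network=$(( n & mask ))
    broadcast=$(( network | (~mask & 0xFFFFFFFF) ))
    [ "$s" -le "$e" ] || { echo "start after end"; return 1; }
    [ $(( s & mask )) -eq "$network" ] && [ $(( e & mask )) -eq "$network" ] \
        || { echo "range outside subnet"; return 1; }
    [ "$s" -ne "$network" ]   || { echo "range includes network address"; return 1; }
    [ "$e" -ne "$broadcast" ] || { echo "range includes broadcast address"; return 1; }
    echo ok
}

# Stand-alone demo with constructed values.
check_dhcp_range 192.168.10.0/24 192.168.10.0   192.168.10.50    # range includes network address
check_dhcp_range 192.168.10.0/24 192.168.10.200 192.168.10.255   # range includes broadcast address
check_dhcp_range 192.168.10.0/24 192.168.10.100 192.168.10.200   # ok
```

The function deliberately refuses prefixes longer than /30, because a /31 or /32 has no usable host range for a DHCP pool, and it rejects octets with leading zeros so that a value such as 08 cannot be read as octal by a downstream tool.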
Prerequisites
- Create and configure load balancer settings for NSX. See Configuring vRealize Automation and the NSX Administration Guide.
- Verify that the NSX plug-in for vRealize Automation is installed and that the NSX inventory data collection has run successfully for your cluster. To use NSX configurations in vRealize Automation, you must install the NSX plug-in and run data collection.
- Create a network profile.
Associating Network and Security Components You can drag network and security components onto the design canvas to make their settings available for machine component configuration in the blueprint. After you have defined network and security settings for the machine, you can optionally associate settings from a load balancer component.
You can download predefined Software components for a variety of middleware services and applications from the VMware Solution Exchange. Using either the vRealize CloudClient or the vRealize Automation REST API, you can programmatically import predefined Software components into your vRealize Automation instance.
- To visit the VMware Solution Exchange, see https://solutionexchange.vmware.com/store/category_groups/cloud-management.
Table 4‑34. Scripting Examples for the Computed Property Option. Sample String Property: my_unique_id = "". Script Syntax / Sample Usage: Bash: $my_unique_id; export my_unique_id="0123456789". Windows CMD: %my_unique_id%; set my_unique_id=0123456789. Windows PowerShell: $my_unique_id; $my_unique_id = "0123456789". String Property String properties expect string values.
Sample Array Property. Script Syntax / Sample Usage: Windows PowerShell: $operating_systems for the entire array of strings; foreach ($os in $operating_systems) { write-output $os }; $operating_systems[N] for an individual array element. Content Property The content property value is a URL of a file from which the content is downloaded.
configure the WAR component to set the server_home property value to the Apache Tomcat server install_path property value in your script. As long as the architect who assembles the blueprint binds the server_home property to the Apache Tomcat server install_path property, then the server_home property value is set correctly. Your action scripts can only use properties that you define in those scripts, and you can only create property bindings with string and array values.
- Windows PowerShell: $progress_status="completed"
Note Array and content properties do not support passing modified property values between action scripts of life cycle stages. Best Practices for Developing Components To familiarize yourself with best practices for defining properties and action scripts, you can download and import Software components and application blueprints from the VMware Solution Exchange.
4 (Optional) If you want to control how your Software component is included in blueprints, select a container type from the Container drop-down menu. Option / Description: Machines: Your Software component must be placed directly on a machine. One of your published Software components: If you are designing a Software component specifically to install on top of another Software component that you created, select that Software component from the list.
Table 4‑37. Life Cycle Actions (Continued). Life Cycle Action / Description: Start: Start your software. For example, you might start the Tomcat service using the start command in the Tomcat server. Start scripts run after the configure action completes. Update: If you are designing your software component to support scalable blueprints, handle any updates that are required after a scale in or scale out operation.
6 Select Machine from the Container drop-down menu. Because you only want MySQL to install directly on a machine, you restrict architects from dropping your MySQL Software component on top of other Software components. 7 Click Next. 8 Click New and add and configure each of the following properties for the installation script. Click OK to save each property. Architects can configure your Software properties to show to users in the request form.
c Paste the following script.
fi
export PATH=$PATH:$JAVA_HOME/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
set -e
# Tested on CentOS
if [ -x /usr/sbin/selinuxenabled ] && /usr/sbin/selinuxenabled; then
    # SELinux can be disabled by setting "/usr/sbin/setenforce Permissive"
    echo 'SELinux is enabled on this VM template.
c Paste the following script.
fi
export PATH=$PATH:$JAVA_HOME/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
set -e
# Locate the my.cnf file
my_cnf_file=
if [ -f /etc/my.cnf ]; then
    my_cnf_file=/etc/my.cnf
elif [ -f /etc/mysql/my.cnf ]; then
    my_cnf_file=/etc/mysql/my.cnf
fi
if [ "x$my_cnf_file" = "x" ]; then
    echo "Neither /etc/my.cnf nor /etc/mysql/my.cnf can be found, stopping configuration"
    exit 1
fi
# update mysql configuration to handle big packets
sed -ie "s/\[mysqld\]/\[mysqld\]\
e Select max_allowed_packet_size from the Select a property to insert drop-down menu.
The script now includes the property.
#!/bin/sh
echo "The maximum allowed packet size is: $max_allowed_packet_size"
f Click OK.
13 Click Next.
14 Click Finish.
15 Select the row that contains MySQL for Linux Virtual Machines and click Publish.
Table 4‑38. New Software General Settings (Continued)
Setting | Description
Description | Summarize your Software component for the benefit of other architects.
Container | On the design canvas, blueprint architects can only place your Software component inside the container type you select.
- Select Machines to require architects to place your Software component directly on a machine component in the design canvas.
Table 4‑39. New Software Properties (Continued)
Setting | Description
Encrypted | Mark properties as encrypted to mask the value and display it as asterisks in vRealize Automation. If you change a property from encrypted to unencrypted, vRealize Automation resets the property value. For security, you must set a new value for the property.
Script Type | Success Status | Error Status | Unsupported Commands
Bash | return 0 or exit 0 | return non-zero or exit non-zero | None
Windows CMD | exit /b 0 | exit /b non-zero | Do not use exit 0 or exit non-zero codes.
PowerShell | exit 0 | exit non-zero | Do not use warning, verbose, debug, or host calls.
Creating XaaS Blueprints and Resource Actions
The XaaS blueprints can be published as catalog items or used in the blueprint design canvas.
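As an added example that is not from the VMware guide, the following POSIX shell script follows the pattern of the MySQL configure script above (locate my.cnf, apply the max_allowed_packet_size property) together with the Bash status conventions in the table (exit 0 on success, non-zero on failure). The function names locate_my_cnf, set_max_allowed_packet and configure_mysql are hypothetical, candidate config paths are passed as arguments, and the demo runs against a constructed temporary file rather than a real server.

```shell
#!/bin/sh
# Added example, not from the VMware guide. It mirrors the page's MySQL
# configure action: find my.cnf, set max_allowed_packet from the
# max_allowed_packet_size property, and report status with the exit codes
# vRealize Automation expects from Bash scripts (0 = success, non-zero = error).
# Candidate config paths are passed as arguments so the script can run
# against a constructed temporary file instead of a real server.

# Print the first candidate path that exists; return 1 if none does.
locate_my_cnf() {
    for candidate in "$@"; do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Write "max_allowed_packet=<size>" directly under the [mysqld] header.
# The value is validated as digits only so an unexpected property value
# cannot smuggle extra configuration lines into the server config, and any
# previous setting is removed so repeated runs (for example an update action
# after a scale-out) leave exactly one line.
set_max_allowed_packet() {
    cnf="$1"
    size="$2"
    case "$size" in
        ''|*[!0-9]*)
            echo "max_allowed_packet_size must be an integer, got '$size'" >&2
            return 2 ;;
    esac
    if ! grep -q '^\[mysqld\]$' "$cnf"; then
        echo "No [mysqld] section in $cnf, stopping configuration" >&2
        return 3
    fi
    tmp="$cnf.tmp.$$"
    awk -v s="$size" '
        /^max_allowed_packet=/ { next }
        { print }
        /^\[mysqld\]$/ { print "max_allowed_packet=" s }
    ' "$cnf" > "$tmp" && mv "$tmp" "$cnf"
}

# Action entry point. Any non-zero return marks the life cycle stage failed.
configure_mysql() {
    my_cnf_file=$(locate_my_cnf "$@") || {
        echo "No my.cnf found among: $*, stopping configuration" >&2
        return 1
    }
    set_max_allowed_packet "$my_cnf_file" "$max_allowed_packet_size"
}

# Demo on a constructed config file (no real MySQL server is touched).
demo_cnf=$(mktemp)
printf '[client]\nport=3306\n\n[mysqld]\ndatadir=/var/lib/mysql\n' > "$demo_cnf"
max_allowed_packet_size=16777216
if configure_mysql /nonexistent/my.cnf "$demo_cnf"; then
    echo "configured:"
    cat "$demo_cnf"
fi
rm -f "$demo_cnf"
```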
XaaS architects add custom resources related to the supported endpoints and provided workflows, and then create XaaS blueprints and actions based on those resources. Tenant administrators and business group managers can add the XaaS blueprints and actions to the service catalog. The XaaS blueprint can also be used in the blueprint designer.
The default vRealize Orchestrator server inventory is shared across all tenants and cannot be used per tenant. For example, if a service architect creates a service blueprint for creating a cluster compute resource, the consumers from different tenants have to browse through the inventory items of all vCenter Server instances although they might belong to a different tenant.
Table 4‑42. Plug-Ins Included by Default in vRealize Orchestrator (Continued)
Plug-In | Purpose
Net | Wraps the Jakarta Apache Commons Net Library. Provides implementations of Telnet, FTP, POP3, and IMAP. The POP3 and IMAP part is used for reading email. In combination with the Mail plug-in, the Net plug-in provides complete email send and receive capabilities in workflows.
Prerequisites
Log in to the vRealize Automation console as an XaaS architect.
Procedure
1 Select Design > XaaS > Custom Resources.
2 Click the New icon.
3 Enter the vRealize Orchestrator object type in the Orchestrator Type text box and press Enter.
For example, enter v to see all types containing the letter v. To see all types, enter a space and click Search.
4 Enter a name and, optionally, a description.
5 Enter a version. The version supports integers only.
Create an XaaS Blueprint as a Catalog Item
An XaaS blueprint is a provisioning blueprint. Some of the provided provisioning workflows include creating virtual machines, adding users to Active Directory, or taking virtual machine snapshots.
Prerequisites
- Log in to the vRealize Automation console as an XaaS architect.
- Create a custom resource for the target resource type. See “Add a Custom Resource,” on page 309.
5 Enter a name and, optionally, a description.
The Name and Description text boxes are prepopulated with the name and description of the workflow as they are defined in vRealize Orchestrator.
6 (Optional) If you do not want to prompt consumers to enter a description and reason for requesting this resource action, select the Hide catalog request information page check box.
7 Enter a version. The version supports integers only. The supported format extends to major.minor.
What to do next
Publish the blueprint as a catalog item. See “Publish an XaaS Blueprint as a Catalog Item,” on page 313.
Publish an XaaS Blueprint as a Catalog Item
After you create an XaaS blueprint, it is in a draft state and you can publish it as a catalog item.
Prerequisites
Log in to the vRealize Automation console as an XaaS architect.
Procedure
1 Select Design > XaaS > XaaS Blueprints.
5 Configure the default values for the general parameters and infrastructure options.
These default values appear in the service catalog form when a user requests the item.
6 Click Finish.
The XaaS blueprint is now part of the application blueprint.
What to do next
Verify that the application blueprint is added to a service and entitled to users. See “Managing the Service Catalog,” on page 357.
3 Navigate through the vRealize Orchestrator workflow library and select a workflow.
You can see the name and description of the selected workflow, and the input and output parameters as they are defined in vRealize Orchestrator.
4 Click Next.
5 Select the custom resource that you previously created from the Resource type drop-down menu.
6 Select the input parameter for the resource action from the Input parameter drop-down menu.
7 Click Next.
Option | Description
Edit a form page | Click the Edit icon next to the form page name, make the necessary changes, and click Submit.
Delete a form page | Click the Delete icon and, in the dialog box, click OK.
Add an element to the form page | Drag an element from the New Fields pane on the left to the pane on the right. You can then provide the required information and click Submit.
You assigned an icon to the resource action. Business group managers and tenant administrators can use the resource action in an entitlement.
Mapping Other Resources to Work with XaaS Resource Actions
You map items that were not provisioned using XaaS so that you can run resource actions on those items.
- Verify that the mapping script or workflow is available in vRealize Orchestrator. See “Resource Mapping Script Actions and Workflows,” on page 317.
Procedure
1 Select Design > XaaS > Resource Mappings.
2 Click the New icon.
3 Enter a name and, optionally, a description.
4 Enter a version. The version supports integers only. The supported format extends to major.minor.micro-revision.
Table 4‑43. XaaS Object Types and Associated Forms
Object Type | Default Form | Additional Forms
Custom resource | Resource details form based on the attributes of the vRealize Orchestrator plug-in inventory type (read-only). | None
XaaS blueprint | Request submission form based on the presentation of the selected workflow. |
Table 4‑44. New Fields in the Resource Action or XaaS Blueprint Form
Field | Description
Text field | Single-line text box
Text area | Multi-line text box
Link | Field in which consumers enter a URL
Email | Field in which consumers enter an email address
Password field | Field in which consumers enter a password
Integer field | Text box in which consumers enter an integer. You can make this field a slider with a minimum and maximum value, as well as an increment.
For each constraint you apply to an element, you can select one of the following options to define the constraint:
Not set | Gets the property from the vRealize Orchestrator workflow presentation.
Constant | Sets the element you are editing to required or optional.
Field | Binds the element to another element from the form. For example, you can set the element to be required only when another element, such as a check box, is selected.
Table 4‑46. Values in the Form Designer (Continued)
Value | Description
Value | Define static custom values with labels.
External Values | Select a vRealize Orchestrator script action to define your value with information not directly exposed by the workflow.
The steps in the vRealize Orchestrator presentation are represented as form pages and the vRealize Orchestrator presentation groups are represented as separate sections. The input types of the selected workflow are displayed as various fields in the form. For example, the vRealize Orchestrator type string is represented by a text box.
You can edit how an object is represented in the form designer. For example, you can edit the default VC:VirtualMachine representation and make it a tree instead of a search box. You can also add new fields such as check boxes, drop-down menus, and so on, and apply various constraints.
Add a New Custom Resource Form Page
You can add a new page to rearrange the form into multiple tabs.
Prerequisites
- Log in to the vRealize Automation console as a tenant administrator or XaaS architect.
- “Add a Custom Resource,” on page 309.
Procedure
1 Select Design > XaaS > Custom Resources.
2 Click the custom resource to edit.
3 Click the Details Form tab.
4 Click the New Page icon next to the Form page name.
Procedure
1 Select Design > XaaS > Custom Resources.
2 Click the custom resource to edit.
3 Click the Details Form tab.
4 Drag the Text element from the Form pane to the Form page pane.
5 Enter the text you want to add.
6 Click outside of the element to save the changes.
7 Click Finish.
Designing an XaaS Blueprint Form
When you create an XaaS blueprint, you can edit the form of the blueprint by adding new fields, modifying or deleting existing fields, or rearranging fields. You can also create new forms and form pages, and drag and drop new fields to them.
7 Click Submit.
What to do next
Add the fields you want by dragging them from the New fields pane to the Form page pane.
Edit an XaaS Blueprint Element
You can edit some of the characteristics of an element on the Blueprint Form page of an XaaS blueprint. You can change the type of an element and its default values, and apply various constraints and values.
Prerequisites
- Log in to the vRealize Automation console as a tenant administrator or XaaS architect.
Option | Description
Conditional | Applies a condition. By using conditions you can create various clauses and expressions and apply them to an element.
External | Select a vRealize Orchestrator script action to define the value.
13 Add one or more values for the element on the Values tab.
The options available depend on the type of element you are editing.
8 Enter a vRealize Orchestrator object in the Entity type text box and press Enter.
This step is not required for all field types.
9
Option | Description
Result Type | If you are using a script action to define an external value for the field, enter the result type of your vRealize Orchestrator script action.
3 Click the Blueprint Form tab.
4 Drag the Text element from the New Fields pane to the Form page pane.
5 Enter the text you want to add.
6 Click outside of the element to save the changes.
7 Click Update.
Designing a Resource Action Form
When you create a resource action, you can edit the form of the action by adding new fields, modifying or deleting existing fields, or rearranging fields.
- “Create a Resource Action,” on page 314.
Procedure
1 Select Design > XaaS > Resource Actions.
2 Click the resource action you want to edit.
3 Click the Form tab.
4 Drag an element from the New Fields pane and drop it on the Form page pane.
5 Enter the ID of a workflow input parameter in the ID text box.
6 Enter a label in the Label text box. Labels appear to consumers on the forms.
7 (Optional) Select a type for the field from the Type drop-down menu.
6 Enter a new name for the field in the Label text box to change the label that consumers see.
7 Edit the description in the Description text box.
8 Select an option from the Type drop-down menu to change the display type of the element. The options vary depending on the type of element you edit.
9 Select an option from the Size drop-down menu to change the size of the element.
Option | Description
Value | Define custom values with labels. a Enter a value in the Value text box. b Enter a label for the value in the Label text box. c Click the Add icon.
External Values | Select a vRealize Orchestrator script action to define your value with information not directly exposed by the workflow. Select Add External Value, select your vRealize Orchestrator script action, and click Submit.
14 Click Submit.
15 Click Update.
XaaS Examples and Scenarios
The examples and scenarios suggest ways that you can use vRealize Automation to accomplish common tasks using XaaS blueprints and resource actions.
Create an XaaS Blueprint and Action for Creating and Modifying a User
By using XaaS, you can create and publish a catalog item for provisioning a user in a group.
Create a Test User as a Custom Resource
You can create a custom resource and map it to the vRealize Orchestrator object type AD:User.
Prerequisites
Log in to the vRealize Automation console as an XaaS architect.
Procedure
1 Select Design > XaaS > Custom Resources.
2 Click the New icon.
3 In the Orchestrator Type text box, enter AD:User and press Enter.
4 Select AD:User in the list.
5 Type a name for the resource. For example, Test User.
7 Edit the blueprint form.
a Click The domain name in Win2000 form.
b Click the Constraints tab.
c Click the Value drop-down arrow, select Constant in the drop-down menu, and enter test.domain.
You set the domain name to a constant value.
d Click the Visible drop-down arrow, select Constant in the drop-down menu, and select No in the drop-down menu.
You made the domain name invisible to the consumer of the catalog item.
5 Select Test User from the Resource type drop-down menu.
This is the custom resource you created previously.
6 Select user from the Input parameter drop-down menu.
7 Click Next.
8 Change the name of the resource action to Change the password of the Test User, and leave the description as it appears on the Details tab.
9 Click Next.
10 (Optional) Leave the form as is.
11 Click Add.
6 Click OK.
You created the service called Create a Test User, and you can see it on the Services page.
What to do next
Edit the Create a test user catalog item to include it in the service.
Associate the Catalog Item with the Create a Test User Service
To include the Create a test user catalog item in the Create a Test User service, you must associate it with this service.
9 Enter Create a Test User in the Entitled Services text box and press Enter.
10 Enter Change the password of the Test User in the Entitled Actions text box and press Enter.
11 Click Add.
You created an active entitlement and exposed the service to the catalog of the consumers. When consumers of the service log in to their vRealize Automation consoles, they see the service you created, Create a test user, on the Catalog tab.
You created a resource action for migrating a virtual machine and you can see it listed on the Resource Actions page.
What to do next
“Publish the Action for Migrating a vSphere Virtual Machine,” on page 341.
Publish the Action for Migrating a vSphere Virtual Machine
To use the Quick migration of virtual machine resource action as a post-provisioning operation, you must publish it.
Procedure
1 Select Design > XaaS > Resource Actions.
Create an Action to Migrate a vSphere Virtual Machine With vMotion
You can create a custom resource action to allow the service catalog users to migrate a vSphere virtual machine with vMotion after they provision the machine with IaaS.
Procedure
1 Select Design > XaaS > Resource Actions.
2 Click Add.
f Enter defaultPriority in the Predefined values search text box, and press Enter.
g Enter highPriority in the Predefined values search text box, and press Enter.
h Click Submit.
When the consumers request the resource action, they see a radio button group with three radio buttons: lowPriority, defaultPriority, and highPriority.
4 Edit the state element.
a Click the Edit icon next to the state field.
13 Click Add.
You created a resource action to migrate a virtual machine with vMotion and you can see it listed on the Resource Actions page.
What to do next
“Publish the Action for Migrating a Virtual Machine with vMotion,” on page 344.
Publish the Action for Migrating a Virtual Machine with vMotion
To use the Migrate a virtual machine with vMotion resource action as a post-provisioning operation, you must publish it.
Procedure
1 Select Design > XaaS > Resource Actions.
2 Click Add.
3 Navigate to Orchestrator > Library > vCenter > Virtual Machine management > Snapshot in the vRealize Orchestrator workflow library and select the Create a snapshot workflow.
4 Click Next.
5 Select IaaS VC VirtualMachine from the Resource type drop-down menu.
6 Select vm from the Input parameter drop-down menu.
7 Click Next.
8 Leave the name of the resource action and the description as they appear on the Details tab.
Procedure
1 Create a Resource Mapping for Amazon Instances on page 346
You can create a resource mapping to associate Amazon instances provisioned by using IaaS with the vRealize Orchestrator type AWS:EC2Instance exposed by the Amazon Web Services plug-in.
2 Create a Resource Action to Start an Amazon Virtual Machine on page 346
You can create a resource action so that the consumers can start provisioned Amazon virtual machines.
3 Select Orchestrator > Library > Amazon Web Services > Elastic Cloud > Instances and select the Start Instances workflow in the workflows folder.
4 Click Next.
5 Select EC2 Instance from the Resource type drop-down menu.
This is the name of the resource mapping you previously created.
6 Select instance from the Input parameter drop-down menu.
This is the input parameter of the resource action workflow to match the resource mapping.
7 Click Next.
2 Open the vmo.properties configuration file in a text editor.
3 Verify that the following property is disabled.
com.vmware.o11n.webview.htmlescaping.disabled
4 Save the vmo.properties file.
5 Restart the vRealize Orchestrator server.
Publishing a Blueprint
Blueprints are saved in the draft state and must be manually published before you can configure them as catalog items or use them as blueprint components in the design canvas.
Assembling Composite Blueprints
You can reuse published blueprints and blueprint components, combining them in new ways to create IT service packages that deliver elaborate functionality to your users.
Figure 4‑3. Workflow for Assembling Composite Blueprints
Blueprint architects create reusable blueprint components for the design library.
- Understanding Nested Blueprint Behavior on page 350
You can reuse blueprints by nesting them in another blueprint as a component. You nest blueprints for reuse and modularity control in machine provisioning, but there are specific rules and considerations when you work with nested blueprints.
- Settings you define in the outer blueprint override settings configured in your nested blueprints, with the following exceptions:
  - You can change the name of a nested blueprint, but you cannot change the name of a machine component, or any other component, inside a nested blueprint.
  - You cannot add or delete custom properties for a machine component in a nested blueprint. However, you can edit those custom properties.
Software Component Considerations for Nesting Blueprints
For scalable blueprints, it is a best practice to create single layer blueprints that do not reuse other blueprints. Normally, update processes during scale operations are triggered by implicit dependencies such as dependencies you create when you bind a software property to a machine property. However, implicit dependencies in a nested blueprint do not always trigger update processes.
You set property bindings when you configure components in a blueprint. On the Blueprint page, you drag your component onto the canvas and click the Properties tab. To bind a property to another property in a blueprint, select the Bind checkbox. You can enter ComponentName~PropertyName in the value text box, or you can use the down arrow to generate a list of available binding options.
Figure 4‑5. Controlling the Build Order by Mapping Dependencies
If you are designing blueprints to be scalable, it is a best practice to create single layer blueprints that do not reuse other blueprints. Normally, update processes during scale operations are triggered by implicit dependencies such as dependencies you create when you bind a software property to a machine property. However, implicit dependencies in a nested blueprint do not always trigger update processes.
3 Scenario: Add Your CentOS with MySQL Catalog Item to the Rainpole Service on page 356
Using your tenant administrator privileges, add your new blueprint to the Rainpole catalog service so you can verify your work.
4 Scenario: Provision the CentOS with MySQL Catalog Item for Rainpole on page 356
Using the test user account, request the service catalog item to provision a CentOS machine with MySQL.
6 Update the db_port property for this blueprint.
a Select the db_port property and click Edit.
b Enter 3308 in the Value text box.
When a service catalog user requests the item, 3308 is the default value.
c Click OK.
7 Click Finish.
8 Select the row that contains CentOS with MySQL and click Publish.
You published a blueprint that includes the CentOS machine and MySQL software component.
What to do next
- Plan for installing a production environment. See Reference Architecture.
- Learn about more options for configuring vRealize Automation, designing and exporting blueprints, and governing your service catalog. See Configuring vRealize Automation.
Managing the Service Catalog
The service catalog is where your customers request machines and other items to provision for their use.
[Figure: Workflow for configuring the service catalog. Blueprints and actions are published as catalog items and actions. Create a service, then add a catalog item to the service. Decide whether to apply approval policies to one or more catalog items included in the service. If so, and no applicable approval policy exists for those catalog items, create an approval policy now or later. Then create an entitlement, with or without approval policies.]
Table 4‑48. Configuring the Service Catalog Checklist
Task | Required Role | Details
Add a service. | tenant administrator or catalog administrator | See “Add a Service,” on page 359.
Add a catalog item to a service. | tenant administrator or catalog administrator | See “Add Catalog Items to a Service,” on page 361.
Configure the catalog item in the service. | tenant administrator or catalog administrator | See “Configure a Catalog Item,” on page 362.
Procedure
1 Select Administration > Catalog Management > Services.
2 Click the New icon.
3 Enter a name and description.
These values appear in the service catalog for the catalog users.
4 To add a specific icon for the service in the service catalog, click Browse and select an image.
The supported image file types are GIF, JPG, and PNG. The displayed image is 40 x 40 pixels. If you do not select a custom image, the default icon appears in the service catalog.
Add Catalog Items to a Service
Add catalog items to services so that you can entitle users to request the items in the service catalog. A catalog item can be associated with only one service.
Prerequisites
- Log in to the vRealize Automation console as a tenant administrator or catalog administrator.
- Verify that a service exists. See “Add a Service,” on page 359.
- Verify that one or more catalog items are published.
Actions can include built-in actions or actions created using XaaS. Built-in actions are added when you add a machine or other provided blueprint. XaaS actions must be created and published. Actions are not associated with services. You must include an action in the entitlement that contains the catalog item on which the action runs. Actions that are entitled to users do not appear in the service catalog.
What to do next
- To make the catalog item available in the service catalog, you must entitle users to the service associated with the item or to the individual item. See “Creating Entitlements,” on page 363.
- To specify the entitlements processing order so that the approval policies for individual users are applied correctly, set the priority order for multiple entitlements for the same business group. See “Prioritize Entitlements,” on page 368.
- Services in Entitlements on page 364
An entitled service operates as a dynamic group of catalog items. If a catalog item is added to a service after it is entitled, the new catalog item is available to the specified users without any additional configuration.
- Catalog Items and Components in Entitlements on page 364
Entitled catalog items are blueprints that you can request in the service catalog.
For example, an item includes a machine and software. The machine is available as a provisionable item and has an approval policy that requires site manager approval. The software is not available as a standalone, provisionable item, only as part of a machine request, but the approval policy for the software requires approval from your organization's software licensing administrator.
Entitle Users to Services, Catalog Items, and Actions
When you add a service, catalog item, or action to an entitlement, you allow the users and groups identified in the entitlement to request the provisionable items in the service catalog. Actions are associated with items and appear on the Items tab for the requesting user. There are several user roles with permission to create entitlements for business groups.
4
Option | Description
Business Group | Select a business group. You can create entitlements for only one business group, and entitled users must be members of the business group. If you want an entitlement available to all users, you must either have an All Users business group and a custom user group that includes all users, or you must create entitlements for each business group.
7 Select the check boxes to include items in the entitlement.
8 To add an approval policy to the selected service, item, or action, select an approval policy from the Apply this Policy to selected Items drop-down menu.
If you apply an approval policy to a service, all the items in the service have the same approval policy. To apply a different policy to an item, add it as a catalog item and apply the appropriate policy.
9 Click OK.
Prerequisites
Log in to the vRealize Automation console as a tenant administrator or catalog administrator.
Procedure
1 Select Administration > Catalog Management > Entitlements.
2 Click the Prioritize icon.
3 Select a business group from the Business Group drop-down list.
4 Drag an entitlement to a new location in the list to change its priority.
5 Select an update method.
Option | Description
Update | Saves your changes.
Examples of Approval Policies Based on the Virtual Machine Policy Type
You can create an approval policy that you can apply to the same catalog item type, but it produces different results when an item is requested in the service catalog. Depending on how the approval policy is defined and applied, the effect on the service catalog user and the approver varies.
Table 4‑51. Examples of Approval Policies and Results (Continued)
Governance Goals | Selected Policy Type | Pre or Post Approval
To manage virtual infrastructure resources and to control costs, you add two pre-approval levels because one approval is for machine resources and the other is for the cost of the machine per day. | |
Example Blueprint
In this example, you configure a blueprint that includes a nested blueprint with a virtual machine.
- Blueprint 1 - Continuous Integration Blueprint
- Blueprint 2 - Pre-Production Blueprint
- Virtual Machine 1 - TestAsAService vSphere VM
Approval Policies for Destroy Actions
You configure the two approval policies to destroy provisioned items. A Destroy - Deployment action can run on Blueprint 1 or Blueprint 2 in this example.
Entitlement Name | Approval Policy on Actions
Entitlement 1 | Destroy Deployment Approval Policy: Policy A (Destroy Deployment Approval Policy) on Destroy Deployment action only
Entitlement 2 | Policy B (Destroy Virtual Machine Policy) on Destroy Virtual Machine action only
Entitlement 3 | Policy A (Destroy Deployment Approval Policy) on Destroy Deployment action and Policy B (Destroy - Virtual Machine Policy) on Destroy Virtual Machine action
User Action App
- QE Training includes RHEL vSphere virtual machine

Services
- The QE Testing blueprint is associated with the Testing service
- The QE Training blueprint is associated with the Training service

Entitlements
- Entitlement 1
- Entitlement 2

Table 4‑52.
Processing Approval Policies in the Service Catalog
When a user requests an item in the service catalog that has an approval policy applied, the approver and the requesting user process the request in a workflow similar to the following:
1 The user requests an item in the service catalog.
2 Is approval required on the item or component? If yes, the approval request is sent to the approver's Inbox tab.
3 Does the approver approve the request? If no, the requestor is notified of the rejection on the Requests tab.
2 Create an Approval Level on page 377
When you create an approval policy, you can add pre-approval and post-approval levels.
3 Configure the Approval Form to Include System and Custom Properties on page 378
You can add system and custom properties that appear on an approval form.
6 Select the state of the policy from the Status drop-down menu.

Option / Description
Draft: Saves the approval policy in an editable state.
Active: Saves the approval policy in a read-only state that you can use in an entitlement.
Inactive: Saves the approval policy in a read-only state that you cannot use in an entitlement until you activate the policy.

What to do next
Create the pre-approval and post-approval levels.
4 Select the approvers.

Option / Action
Specific Users and Groups: Sends the approval request to the selected users.
Determine approvers from the request: Sends the approval request to the users based on the defined condition.
Use event subscription: Processes the approval request based on defined event subscriptions. The workflow subscription must be defined in Administration > Events > Subscriptions.
3 Select the check box for each system property that you want the approver to configure during the approval process.
4 Configure the custom properties.
Add one or more custom properties that you want the approver to configure during the approval process.
a Click the Custom Properties tab.
b Click the New icon ( ).
c Enter the custom property values.

Option / Description
Name: Enter the property name.
- Add Custom Properties to Approval Policy Settings on page 384
You configure custom properties that you want to add to the approval form to allow the approver to modify the value.

Approval Policy Type Settings
The approval policy type determines how the approval policy is configured and to what items or actions you can apply it in the entitlement.
Table 4‑54. Approval Policy Options (Continued)
Option / Description
Status: Possible values include:
- Draft. The approval policy is not available to apply in entitlements. After you make a policy active, you can never return it to draft.
- Active. The approval policy is available to apply in entitlements.
- Inactive. The approval policy is not available to apply in entitlements.
Table 4‑55. Level Information Options
Option / Description
Name: Enter a name. The level name appears when you are reviewing requests with approval policies.
Description: Enter a level description. For example, CPU>4 to VI Admin.
When is approval required?: Select when the approval policy is triggered.
Always required: The approval policy is triggered for every request.
Table 4‑55. Level Information Options (Continued)
Option / Description
Use event subscription: Processes the approval request based on defined event subscriptions. The workflow subscription must be defined in Administration > Events > Subscriptions. The applicable workflow subscriptions are pre-approval and post-approval.
Anyone can approve: Only one of the approvers must approve before the request is processed.
Add Custom Properties to Approval Policy Settings
You configure custom properties that you want to add to the approval form to allow the approver to modify the value. For example, for a virtual machine approval, add VMware.VirtualCenter.Folder if you want to allow the approver to specify the folder to which the machine is added in vCenter Server. You can also add a custom property that is specific to this approval policy form.
7 Select the state of the policy from the Status drop-down menu.

Option / Description
Draft: Saves the approval policy in an editable state.
Active: Saves the approval policy in a read-only state that you can use in an entitlement.
Inactive: Saves the approval policy in a read-only state that you cannot use in an entitlement until you activate the policy.

8 Edit the pre-approval and post-approval levels.
9 Click OK.
Delete an Approval Policy
If you have approval policies that you deactivated and do not need, you can delete them from vRealize Automation.

Prerequisites
- Unlink and deactivate approval policies. See "Deactivate an Approval Policy," on page 385.
- Log in to the vRealize Automation console as a tenant administrator or approval administrator.

Procedure
1 Select Administration > Approval Policies.
2 Select the row containing the inactive policy.
3 Click Delete.
Scenario: Create a Catalog Service for Rainpole Blueprint Testing
Using your tenant administrator privileges, you create a catalog service called Rainpole service. You assign yourself as the owner and support contact for this service, so your Rainpole architects can contact you with any problems.

Procedure
1 Select Administration > Catalog Management > Services.
2 Click the New icon ( ).
3 Enter the name Rainpole service.
Scenario: Entitle Your Rainpole Architects to Request Catalog Items
Using your tenant administrator privileges, entitle your Rainpole architects to all actions and items that belong to the Rainpole service. By entitling your Rainpole architects to all actions and items in the service, you make it easier for them to add new catalog items to the service for testing. In a production environment, you might use entitlements differently and configure strict governance.
Scenario: Test Your Rainpole CentOS Machine
Using the local test user account you created, you request to provision your vSphere CentOS machine. You log in to the provisioned machine and verify that it is working as expected.
3 Click the provisioned machine.
4 Click Remote Log in to Machine on the right-hand panel.
5 Log in to the machine.
You installed vRealize Automation in a minimal deployment, set up a proof of concept, and configured your environment for ongoing development of blueprints.

What to do next
- If you purchased a vRealize Automation enterprise license, you can continue reading to learn about provisioning machines with software components.
Scenario: Create a Development and Quality Engineering Catalog Service
As the tenant administrator, you want to create a separate catalog service for your development and quality engineering group so your other groups, such as finance and human resources, don't see the specialized catalog items. You create a catalog service called Dev and QE Service to publish all the catalog items development and engineering need to run their test cases.
Scenario: Entitle Users to Request Dev and QE Service Items as a Catalog Item
As the tenant administrator, you create a Dev and QE entitlement and add the catalog items and some relevant actions so your development and quality engineering users can request the CentOS with MySQL catalog item, and run actions against the machine and the deployment.
5 Add actions.
a Click the Add Actions icon ( ) beside the Entitled Actions heading.
b Click the Type column header to sort the list.
Select the following actions based on type. These actions are useful to the development and quality engineering users working with their test case machines, and are the only actions that you want these business group members to use.
Procedure
1 Scenario: Create a CentOS with MySQL Virtual Machine Approval Policy on page 394
As the tenant administrator, you want to ensure that the development and quality engineering group receives virtual machines that are properly provisioned in your environment, so you create an approval policy that requires pre-approval for certain types of requests.
f Click Add expression and configure the clause with the values Memory (MB) > 2048.
g Select Specific Users and Groups.
h Enter the name of the vSphere virtual infrastructure administrator or administrator group in the search text box and click the search icon ( ).
i Select the user or group.
j Select Anyone can approve.
The request only needs one virtual infrastructure administrator to verify the resources and approve the request.
4 Configure the Level Information tab with the triggering criteria and the approval actions.
a In the Name text box, enter MySQL software deployment notice.
b In the Description text box, enter Software mgr approval of software installation.
c Select Always required.
d Select Specific Users and Groups.
e Enter the name of the software manager in the search text box, click the search icon ( ), and select the user.
f Select Anyone can approve.
e Select CentOS on vSphere CPU and Memory [Service Catalog - Catalog Item Request - Virtual Machine].
The vSphere CentOS machine is a machine blueprint in an application blueprint. Review the policy names so that you select the one that is appropriate to your catalog item type. If you apply the wrong policy, the approval policy fails or triggers approval requests based on incorrect conditions.
f 5 Click OK.