Configuring vRealize Automation 15 March 2018 vRealize Automation 7.
You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

If you have comments about this documentation, submit your feedback to docfeedback@vmware.com

VMware, Inc., 3401 Hillview Ave., Palo Alto, CA 94304, www.vmware.com

Copyright © 2015–2018 VMware, Inc. All rights reserved. Copyright and trademark information.
Configuring vRealize Automation provides information about configuring vRealize Automation and your external environments to prepare for vRealize Automation provisioning and catalog management.
Updated Information

The following table lists the changes to Configuring vRealize Automation for this product release.

Revision: 15 MAR 2018
Description:
- Updated Troubleshooting Workload Placement to include the log file name.
- Updated downloadable scripts in Prepare a Windows Reference Machine to Support Software and Prepare a Linux Reference Machine to Support Software.
- Updated Force Destroy a Deployment After a Failed Destroy Request.
1 External Preparations for Blueprint Provisioning

You may need to create or prepare some elements outside of vRealize Automation to support catalog item provisioning. For example, if you want to provide a catalog item for provisioning a clone machine, you need to create a template on your hypervisor to clone from.
Table 1‑1. Preparing Your Environment for vRealize Automation Integration (Continued)

Environment: vCloud Air
Preparations: Register for your vCloud Air account, set up your vCloud Air environment, and identify or create appropriate credentials to provide vRealize Automation with access to your environment. See Preparing for vCloud Air and vCloud Director Provisioning.

Other environments in this part of the table: Amazon AWS, Microsoft Azure, Red Hat OpenStack, SCVMM
Beginning in vRealize Automation 7.3, you no longer need to install the NSX plug-in to obtain integrated NSX functionality. All integrated NSX functionality is now sourced directly from the NSX APIs, rather than from the NSX plug-in. However, if you want to use XaaS to extend your vRealize Automation and NSX integration, you must install the NSX plug-in in vRealize Orchestrator as described here.
Prerequisites

Beginning in vRealize Automation 7.3, you no longer need to install the NSX plug-in to obtain integrated NSX functionality. All integrated NSX functionality is now sourced directly from the NSX APIs, rather than from the NSX plug-in. However, if you want to use XaaS to extend your vRealize Automation and NSX integration, you must install the NSX plug-in in vRealize Orchestrator as described here.
10 Start the vRealize Orchestrator client application, log in, and use the Workflow tab to navigate through the library to the NSX folder. You can browse through the workflows that the NSX plug-in provides.

What to do next

Create a vRealize Orchestrator endpoint in vRealize Automation to use for running workflows. See Create a vRealize Orchestrator Endpoint.
The primary NSX manager can create universal objects, such as universal logical switches. These objects are synchronized to the secondary NSX managers. You can view these objects from the secondary NSX managers, but you cannot edit them there. You must use the primary NSX manager to manage universal objects. The primary NSX manager can be used to configure any of the secondary NSX managers in the environment.
For an overview of the provisioning process for using an external IPAM provider to supply a range of possible IP addresses, see Provisioning a vRealize Automation Deployment Using a Third-Party IPAM Provider.

Table 1‑3. Preparing for External IPAM Provider Support Checklist

Columns: Task, Description, Details

Task: Obtain and import the supported external IPAM Provider vRealize Orchestrator plugin.
- Create your own third-party IPAM solution by obtaining and using a third-party IPAM Solution Provider SDK, supporting documentation, and an associated starter package for vRealize Orchestrator and vRealize Automation from code.vmware.com/web/sdk on the vRealize Automation Third-Party IPAM Integration SDK 7.3 page.
Run Workflow to Register Third-Party IPAM Endpoint Type in vRealize Orchestrator

Run the registration workflow in vRealize Orchestrator to support vRealize Automation use of the third-party IPAM provider and register the IPAM endpoint type for use in vRealize Automation. To register IPAM endpoint types in vRealize Orchestrator, you are prompted to supply vRealize Automation vRA Administrator credentials.
What to do next

You can now create an IPAM Infoblox type endpoint, or an endpoint for whatever third-party package or plug-in you have just registered, in vRealize Automation. See Create a Third-Party IPAM Provider Endpoint.

Checklist for Configuring Containers for vRealize Automation

To get started with Containers, you must configure the feature to support vRealize Automation user roles.
Clustering Containers

You can use the Xenon service in conjunction with Containers for vRealize Automation to join nodes to a cluster. If the nodes are clustered, the Xenon service connects other nodes automatically when it starts. You can monitor the cluster status on the Xenon tab in the vRealize Automation appliance or by running the following command in a CLI:

    service xenon-service status_cluster

Xenon works on quorum-based clustering.
Configure Your Environment

Configure your environment as instructed in the vCloud Air documentation.

Required Credentials for Integration

Create or identify either virtual infrastructure administrator or account administrator credentials that your vRealize Automation IaaS administrators can use to bring your vCloud Air environment under vRealize Automation management as an endpoint.
    "ec2:DescribeAvailabilityZones",
    "ec2:DescribeImageAttribute",
    "ec2:DescribeInstanceAttribute",
    "ec2:DescribeVolumeStatus",
    "ec2:DescribeVpnConnections",
    "ec2:DescribeRegions",
    "ec2:DescribeTags",
    "ec2:DescribeVolumeAttribute",
    "ec2:DescribeNetworkInterfaces",
    "ec2:DescribeNetworkInterfaceAttribute",
    "ec2:DisassociateAddress",
    "ec2:GetPasswordData",
    "ec2:ImportKeyPair",
    "ec2:ImportVolume",
    "ec2:CreateVolume",
    "ec2:DeleteVolume",
    "ec2:AttachVolume",
    "ec2:ModifyVolumeAttribute
When you create an AWS endpoint in vRA, you're prompted to enter a key and secret key. To obtain the access key needed to create the Amazon endpoint, the administrator must either request a key from a user who has AWS Full Access Administrator credentials or be additionally configured with the AWS Full Access Administrator policy. See Create an Amazon Endpoint.
Inventory data collection, which occurs automatically once a day, collects data about what is on a compute resource, such as the following data:
- Elastic IP addresses
- Elastic load balancers
- Elastic block storage volumes

State data collection occurs automatically every 15 minutes by default. It gathers information about the state of managed instances, which are instances that vRealize Automation creates.
Using Elastic Load Balancers for Amazon Web Services

Elastic load balancers distribute incoming application traffic across Amazon Web Services instances. Amazon load balancing enables improved fault tolerance and performance. Amazon makes elastic load balancing available for machines provisioned using Amazon EC2 blueprints. The elastic load balancer must be available in the Amazon Web Services, Amazon Virtual Private Network and at the provisioning location.
When you use an Amazon elastic block storage volume in conjunction with vRealize Automation, the following caveats apply:
- You cannot attach an existing elastic block storage volume when you provision a machine instance. However, if you create a new volume and request more than one machine at a time, the volume is created and attached to each instance. For example, if you create one volume named volume_1 and request three machines, a volume is created for each machine.
- Install OpenSSH SSHD Server on both tunnel machines.

Procedure

1 Log in to your Amazon AWS tunnel machine as the root user or similar.
2 Disable iptables.
    # service iptables save
    # service iptables stop
    # chkconfig iptables off
3 Edit /etc/ssh/sshd_config to enable AllowTCPForwarding and GatewayPorts.
4 Restart the service.
    /etc/init.
You can specify security groups in a reservation when requesting a machine. You can also specify an existing or on-demand NSX security group in the design canvas. Security groups are imported during data collection. Each available region requires at least one specified security group. When you create a reservation, the security groups that are available to you in that region are displayed. Every region includes at least the default security group.
- Temporary Profile
- Profile

Required Network Configuration for SCVMM Clusters

SCVMM clusters only expose virtual networks to vRealize Automation, so you must have a 1:1 relationship between your virtual and logical networks. Using the SCVMM console, map each logical network to a virtual network and configure your SCVMM cluster to access machines through the virtual network.
2 Disable iptables.
    # service iptables save
    # service iptables stop
    # chkconfig iptables off
3 Edit /etc/ssh/sshd_config to enable AllowTCPForwarding and GatewayPorts.
4 Restart the service.
    /etc/init.d/sshd restart
5 Log in to the CentOS machine on the same local network as your vRealize Automation installation as the root user.
6 Invoke the SSH Tunnel from the local network machine to the Azure tunnel machine.
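Step 3 of this procedure, and of the matching Amazon AWS tunnel procedure, only takes effect if the edited lines are the ones sshd actually uses. The following is an added example, not part of the VMware documentation: it reports the effective global values of the two keywords in a config file. The function names and the sample file are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example, not VMware code. Checks the sshd_config edit from step 3.
# sshd matches keywords case-insensitively and keeps the FIRST value it reads
# for each keyword, so appending "GatewayPorts yes" below an existing
# "GatewayPorts no" changes nothing.

# sshd_effective FILE KEYWORD
# Prints the first global-scope value of KEYWORD (lowercased), or nothing.
sshd_effective() {
    awk -v want="$2" '
        BEGIN { want = tolower(want) }
        NF == 0 || $1 ~ /^#/ { next }          # blank lines and comments
        tolower($1) == "match" { exit }        # Match blocks are conditional
        {
            key = $1; val = $2
            eq = index(key, "=")               # "Keyword=value" form
            if (eq > 0) { val = substr(key, eq + 1); key = substr(key, 1, eq - 1) }
            if (tolower(key) == want) { print tolower(val); exit }
        }
    ' "$1"
}

# check_tunnel_sshd FILE
# Prints one line per keyword and returns 0 only if both settings are
# effectively enabled. GatewayPorts only affects remote forwards, so
# AllowTcpForwarding values that permit remote forwarding are accepted.
check_tunnel_sshd() {
    rc=0
    for kw in AllowTcpForwarding GatewayPorts; do
        val=$(sshd_effective "$1" "$kw")
        if [ -z "$val" ]; then
            # OpenSSH compiled-in defaults when the keyword is unset
            case $kw in
                AllowTcpForwarding) val=yes ;;
                GatewayPorts)       val=no ;;
            esac
            src=default
        else
            src=file
        fi
        echo "$kw=$val ($src)"
        case "$kw:$val" in
            AllowTcpForwarding:yes|AllowTcpForwarding:all|AllowTcpForwarding:remote) ;;
            GatewayPorts:yes|GatewayPorts:clientspecified) ;;
            *) rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: the two settings were appended to a file that already
# disabled GatewayPorts near the top, so the edit has no effect.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sshd_config excerpt
Port 22
gatewayports no
#AllowTcpForwarding no
AllowTCPForwarding yes
GatewayPorts yes
EOF
check_tunnel_sshd "$sample" || echo "FAIL: forwarding settings are not effective"
rm -f "$sample"
```

On a host with OpenSSH installed, `sshd -T` prints the configuration the daemon itself resolves and can confirm the result.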
Choosing a Machine Provisioning Method to Prepare

For most machine provisioning methods, you must prepare some elements outside of vRealize Automation.

Table 1‑5. Choosing a Machine Provisioning Method to Prepare

Columns: Scenario, Supported Endpoint, Agent Support, Provisioning Method, Pre-provisioning Preparations

Depends on the provisioning method you choose.
Table 1‑5. Choosing a Machine Provisioning Method to Prepare (Continued)

Columns: Supported Endpoint, Agent Support

Provision a space-efficient copy of a virtual machine called a linked clone. Linked clones are based on a snapshot of a VM and use a chain of delta disks to track differences from a parent machine.
Table 1‑5. Choosing a Machine Provisioning Method to Prepare (Continued)

Columns: Scenario, Supported Endpoint, Agent Support, Provisioning Method, Pre-provisioning Preparations

Guest agent is installed as part of the preparation instructions.

Provisioning Method: SCCM
Pre-provisioning Preparations: Preparing for SCCM Provisioning
Agent Support: Guest agent is required. When you create the WinPE image, you must manually insert the guest agent.
Table 1‑6. Running Visual Basic Scripts During Provisioning Checklist

Task: Install and configure the EPI agent for Visual Basic scripts.
Location: Typically the Manager Service host
Details: See Installing vRealize Automation 7.3.

Task: Create your visual basic scripts.
Location: Machine where EPI agent is installed
Details: vRealize Automation includes a sample Visual Basic script PrePostProvisioningExample.vbs in the Scripts subdirectory of the EPI agent installation directory.
You can write your own custom scripts for the guest agent to run on deployed machines, and use custom properties on the machine blueprint to specify the location of those scripts and the order in which to run them. You can also use custom properties on the machine blueprint to pass custom property values to your scripts as parameters.
Table 1‑7. Custom Properties for Changing IP Address of a Provisioned Machine with a Guest Agent

Custom Property: VirtualMachine.Admin.UseGuestAgent
Description: Set to true to initialize the guest agent when the provisioned machine is started.

Custom Property: VirtualMachine.Customize.WaitComplete
Description: Set to True to prevent the provisioning workflow from sending work items to the guest agent until all customizations are complete.
Table 1‑7. Custom Properties for Changing IP Address of a Provisioned Machine with a Guest Agent (Continued)

Custom Property: VirtualMachine.SoftwareN.ScriptPath
Description: Specifies the full path to an application's install script. The path must be a valid absolute path as seen by the guest operating system and must include the name of the script filename.
Table 1‑7. Custom Properties for Changing IP Address of a Provisioned Machine with a Guest Agent (Continued)

- Set custom property VirtualMachine.Software0.ScriptPath as VirtualMachine.Software0.ScriptPath = c:\dosomething.bat [MyPassword].

If you set VirtualMachine.ScriptPath.Decrypt to false, or do not create the VirtualMachine.ScriptPath.Decrypt custom property, then the string inside the square brackets ([ and ]) is not decrypted.
- For Linux vSphere installs, the cert.pem file must reside in the /usr/share/gugent folder.

Note: You can optionally install software and guest agents together by downloading the following script from https://APPLIANCE/software/index.html. The script allows you to handle acceptance of SSL certificate fingerprints as you create the templates.
- Linux prepare_vra_template.sh
- Windows prepare_vra_template.
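When cert.pem is placed by hand rather than through the script's fingerprint prompt, the same check can be made explicitly. The following is an added example, not VMware code: it compares the SHA-256 fingerprint of a PEM file against a value obtained out of band and only then copies it into place. The function names, file names and the placeholder certificate body are assumptions constructed for illustration, and `base64` and `sha256sum` from GNU coreutils are assumed to be available.

```sh
#!/bin/sh
# Added example, not VMware code: pin the Manager Service certificate by its
# SHA-256 fingerprint before the guest agent is told to trust it.
# A certificate fingerprint is the hash of the DER bytes, which are the
# base64-decoded body of the PEM file.

# pem_sha256 FILE -> lowercase hex SHA-256 of the first certificate in FILE
pem_sha256() {
    body=$(awk '
        /-----BEGIN CERTIFICATE-----/ { inside = 1; next }
        /-----END CERTIFICATE-----/   { exit }
        inside { print }
    ' "$1") || return 2
    [ -n "$body" ] || { echo "no certificate found in $1" >&2; return 2; }
    # tr strips CR so files saved with Windows line endings still decode
    printf '%s\n' "$body" | tr -d '\r' | base64 -d | sha256sum | awk '{ print $1 }'
}

# normalize_fp STRING -> drop colons and spaces, lowercase ("AB:CD" -> "abcd")
normalize_fp() {
    printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f'
}

# install_pinned_cert PEM EXPECTED_FINGERPRINT DEST_DIR
# Copies PEM to DEST_DIR/cert.pem only when the fingerprint matches.
# Returns 0 on install, 1 on mismatch, 2 on unusable input.
install_pinned_cert() {
    expected=$(normalize_fp "$2")
    case $expected in
        *[!0-9a-f]*) echo "expected fingerprint is not hex" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "expected fingerprint is not SHA-256 length" >&2; return 2; }
    actual=$(pem_sha256 "$1") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch for $1: got $actual" >&2
        return 1
    fi
    cp "$1" "$3/cert.pem"
}

# Constructed demo. The "certificate" body is placeholder bytes, not real
# ASN.1; the hashing path is the same for a real cert.pem. In practice the
# expected value comes from the Manager Service administrator, not from the
# downloaded file itself.
demo() {
    dir=$(mktemp -d)
    {
        echo '-----BEGIN CERTIFICATE-----'
        printf 'constructed placeholder, not a real certificate' | base64
        echo '-----END CERTIFICATE-----'
    } > "$dir/manager-service.pem"
    mkdir "$dir/gugent"                      # stands in for /usr/share/gugent
    wrong=$(printf '%064d' 0)                # constructed non-matching pin
    install_pinned_cert "$dir/manager-service.pem" "$wrong" "$dir/gugent" \
        || echo "refused: cert.pem not installed"
    rm -rf "$dir"
}
demo
```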
5 Install the guest agent package that corresponds to the guest operating system you are deploying during provisioning.
   a Navigate to the VraLinuxGuestAgent subdirectory that corresponds to the guest operating system to deploy during provisioning, for example rhel32.
   b Locate your preferred package format or convert a package to your preferred package format.
   c Install the guest agent package on your reference machine.
8 If you are installing the guest agent on an Ubuntu operating system, create symbolic links for shared objects by running one of the following command sets.

Option: 64-bit systems
    cd /lib/x86_64-linux-gnu
    sudo ln -s libssl.so.1.0.0 libssl.so.10
    sudo ln -s libcrypto.so.1.0.0 libcrypto.so.10

Option: 32-bit systems
    cd /lib/i386-linux-gnu
    sudo ln -s libssl.so.1.0.0 libssl.so.10
    sudo ln -s libcrypto.so.1.0.0 libcrypto.so.
4 Configure the guest agent to communicate with the Manager Service.
   a Open an elevated command prompt.
   b Navigate to C:\VRMGuestAgent.
   c Put the trusted Manager Service PEM file in the C:\VRMGuestAgent\ directory to configure the guest agent to trust your Manager Service machine.
   d Run winservice -i -h Manager_Service_Hostname_fqdn:portnumber -p ssl. The default port number for the Manager Service is 443.
[Figure: flowchart for preparing a reference machine for cloning. Start: Identify or create a reference machine. Decision points: Are you working in vCenter Server? Do you want to support software components in your blueprints? Do you want the ability to customize machines after deployment? Actions: Install VMware Tools. Install the guest agent and the software bootstrap agent. Install the guest agent. End: Convert your reference machine to a template.]
Table 1‑8. Checklist for Preparing to Provision by Cloning

Columns: Task, Location, Details

Location: Hypervisor
Details: See the documentation provided by your hypervisor.

Task: (Optional) If you want your clone template to support Software components, install the vRealize Automation guest agent and software bootstrap agent on your reference machine.
Location: Reference machine
Details: For Windows reference machines, see Prepare a Windows Reference Machine to Support Software.
Required Template and Reservation Information

Table 1‑9. Template and Reservation Information Worksheet

Columns: Required Information, My Value, Details

Required Information: Template name

Required Information: Reservations on which the template is available, or reservation policy to apply
Details: To avoid errors during provisioning, ensure that the template is available on all reservations or create reservation policies that architects can use to restrict the blueprint to reservations where the template is available.
Visual Basic Script Information

If you configured vRealize Automation to run your custom Visual Basic scripts as additional steps in the machine life cycle, you must include information about the scripts in the blueprint.

Note: A fabric administrator can create a property group by using the property sets ExternalPreProvisioningVbScript and ExternalPostProvisioningVbScript to provide this required information.
Table 1‑12. Linux Guest Agent Customization Script Information Worksheet

Columns: Custom Property, My Value, Description

Custom Property: Linux.ExternalScript.Name
Description: Specifies the name of an optional customization script, for example config.sh, that the Linux guest agent runs after the operating system is installed. This property is available for Linux machines cloned from templates on which the Linux agent is installed.
Table 1‑13. Custom Properties for Customizing Cloned Machines with a Guest Agent Worksheet

Columns: Custom Property, My Value, Description

Custom Property: VirtualMachine.Admin.AddOwnerToAdmins
Description: Set to True (default) to add the machine’s owner, as specified by the VirtualMachine.Admin.Owner property, to the local administrators group on the machine.

Custom Property: VirtualMachine.Admin.
Table 1‑13. Custom Properties for Customizing Cloned Machines with a Guest Agent Worksheet (Continued)

Custom Property: VirtualMachine.DiskN.Size
Description: Defines the size in GB of disk N. For example, to give a size of 150 GB to a disk G, define the custom property VirtualMachine.Disk0.Size and enter a value of 150. Disk numbering must be sequential. By default a machine has one disk referred to by VirtualMachine.Disk0.
Table 1‑13. Custom Properties for Customizing Cloned Machines with a Guest Agent Worksheet (Continued)

Custom Property: VirtualMachine.Admin.CustomizeGuestOSDelay
Description: Specifies the time to wait after customization is complete and before starting the guest operating system customization. The value must be in HH:MM:SS format. If the value is not set, the default value is one minute (00:01:00).
Table 1‑13. Custom Properties for Customizing Cloned Machines with a Guest Agent Worksheet (Continued)

Custom Property: VirtualMachine.SoftwareN.ISOName
Description: Specifies the path and filename of the ISO file relative to the datastore root. The format is /folder_name/subfolder_name/file_name.iso. If a value is not specified, the ISO is not mounted.

Custom Property: VirtualMachine.SoftwareN.
Table 1‑14. Custom Properties for Networking Configuration (Continued)

Custom Property: VirtualMachine.NetworkN.MacAddress
Description: Specifies the MAC address of a network device N. This property is available for cloning. If the value of VirtualMachine.NetworkN.MacAddressType is generated, this property contains the generated address. If the value of VirtualMachine.NetworkN.MacAddressType is static, this property specifies the MAC address.
Table 1‑14. Custom Properties for Networking Configuration (Continued)

Custom Property: VirtualMachine.NetworkN.Name
Description: Specifies the name of the network to connect to, for example the network device N to which a machine is attached. This is equivalent to a network interface card (NIC). By default, a network is assigned from the network paths available on the reservation on which the machine is provisioned. Also see VirtualMachine.NetworkN.
Table 1‑14. Custom Properties for Networking Configuration (Continued)

Custom Property: VirtualMachine.NetworkN.PortID
Description: Specifies the port ID to use for network device N when using a dvPort group with a vSphere distributed switch. VirtualMachine.NetworkN custom properties are specific to individual blueprints and machines. When a machine is requested, network and IP address allocation is performed before the machine is assigned to a reservation.
Table 1‑14. Custom Properties for Networking Configuration (Continued)

Custom Property:
- VirtualMachine.NetworkN.SubnetMask
- VirtualMachine.NetworkN.Gateway
- VirtualMachine.NetworkN.PrimaryDns
- VirtualMachine.NetworkN.SecondaryDns
Description: Appending a name allows you to create multiple versions of a custom property.
Table 1‑14. Custom Properties for Networking Configuration (Continued)

Custom Property: VCNS.SecurityGroup.Names.name
Description: Specifies the NSX security group or groups to which the virtual machine is assigned during provisioning. The value is a security group name or a list of names separated by commas. Names are case-sensitive. Appending a name allows you to create multiple versions of the property, which can be used separately or in combination.
Templates that are to be shared across organizations must be public. Only reserved templates are available to vRealize Automation as a cloning source.

Note: When you create a blueprint by cloning from a template, that template's unique identifier becomes associated with the blueprint. When the blueprint is published to the vRealize Automation catalog and used in the provisioning and data collection processes, the associated template is recognized.
3 Edit the isolinux/isolinux.cfg or loader/isolinux.cfg to specify the name and location of the configuration file and the appropriate Linux distribution source.
4 Create the boot ISO image and save it to the location required by your virtualization platform. See the documentation provided by your hypervisor for information about the required location.
5 (Optional) Add customization scripts.
7 Replace all instances of the string host=dcac.example.net with the IP address or fully qualified domain name and port number for the Manager Service or the load balancer for the Manager Service.

   Platform: vSphere ESXi
   Required Format: IP Address, for example: --host=172.20.9.59

   Platform: vSphere ESX
   Required Format: IP Address, for example: --host=172.20.9.58

   Platform: SUSE 10
   Required Format: IP Address, for example: --host=172.20.9.57

   Platform: All others
   Required Format: FQDN, for example: --host=mycompany-host1.mycompany.
5 Modify the post-installation section of the configuration file to copy or install your script into the /usr/share/gugent/site/workitem directory of your choice. Custom scripts are most commonly run for virtual kickstart/autoYaST with the work items SetupOS (for create provisioning) and CustomizeOS (for clone provisioning), but you can run scripts at any point in the workflow. For example, you can modify the configuration file to copy the script 11_addusers.
   b The fully qualified domain name of the SCCM server on which the collection containing the sequence resides.
   c The site code of the SCCM server.
   d Administrator-level credentials for the SCCM server.
   e (Optional) For SCVMM integrations, the ISO, virtual hard disk, or hardware profile to attach to provisioned machines.
2 Ensure that the network has a DHCP server. vRealize Automation cannot provision machines with a WIM image unless DHCP is available.
3 Identify or create the reference machine in the virtualization platform you intend to use for provisioning. For vRealize Automation requirements, see Reference Machine Requirements for WIM Provisioning. For information about creating a reference machine, see the documentation provided by your hypervisor.
2 SysPrep Requirements for the Reference Machine
   A SysPrep answer file contains several required settings that are used for WIM provisioning.
3 Preparing for WIM Provisioning with VirtIO Drivers
   If you are using VirtIO for network or storage interfaces, you must ensure that the necessary drivers are included in your WinPE image and WIM image. VirtIO generally offers better performance when provisioning with KVM (RHEV).
Table 1‑15. Windows Server or Windows XP reference machine SysPrep required settings (Continued)

GuiUnattended Settings: AutoLogonUsername
Value: username (username and password are the credentials used for auto logon when the newly provisioned machine boots into the guest operating system. Administrator is typically used.)

GuiUnattended Settings: AutoLogonPassword
Value: password corresponding to the AutoLogonUsername.

Table 1‑16.
3 Upload the WinPE image ISO to the Red Hat Enterprise Virtualization ISO storage domains using the rhevm-iso-uploader command. For more information about managing ISO images in RHEV refer to the Red Hat documentation.
4 Create a KVM (RHEV) blueprint for WIM provisioning and select the WinPE ISO option. The custom property VirtualMachine.Admin.DiskInterfaceType must be included with the value VirtIO.
- Create a WinPE.

Procedure

- Download and install the vRealize Automation guest agent from https://vRealize_VA_Hostname_fqdn/software/index.html.
   a Download GugentZip_version to the C drive on the reference machine. Select either GuestAgentInstaller.exe (32-bit) or GuestAgentInstaller_x64.exe (64-bit) depending on which is appropriate for your operating system.
   b Right-click the file and select Properties.
   c Click General.
   d Click Unblock.
5 Replace all instances of the string #Protocol# with the string /ssl.
6 Replace all instances of the string #Comment# with REM (REM must be followed by a trailing space).
7 (Optional) If you are using self-signed certificates, uncomment the openSSL command.
    echo QUIT | c:\VRMGuestAgent\bin\openssl s_client -connect
8 Save and close the file.
9 Edit the Startnet.cmd script for your WinPE to include the doagent.bat as a custom script.
What to do next

Configure the Guest Agent Properties Files.

Configure the Guest Agent Properties Files

You must manually configure the guest agent properties files.

Prerequisites

Configure the doagentc.bat File.

Procedure

1 Navigate to the VRMGuestAgent directory within your WinPE Image. For example: C:\Program Files (x86)\VMware\Plugins\VRM Agent\VRMGuestAgent.
2 Make a copy of the file gugent.properties and name it gugent.properties.template.
OpenStack Flavors

You can select one or more flavors when creating OpenStack blueprints. OpenStack flavors are virtual hardware templates that define the machine resource specifications for instances provisioned in OpenStack. Flavors are managed by the OpenStack provider and are imported during data collection. vRealize Automation supports several flavors of OpenStack.
- vRealize Automation cannot create user accounts on a cloud machine. The first time a machine owner connects to a cloud machine, she must log in as an administrator and add her vRealize Automation user credentials or an administrator must do that for her. She can then log in using her vRealize Automation user credentials. If the Amazon machine image generates the administrator password on every boot, the Edit Machine Record page displays the password.
Procedure

1 Click Infrastructure > Administration > Instance Types.
2 Click New.
3 Add a new instance type, specifying the following parameters. Information about the available Amazon instances types and the setting values that you can specify for these parameters is available from Amazon Web Services documentation in EC2 Instance Types Amazon Web Services (AWS) at aws.amazon.com/ec2 and Instance Types at docs.aws.amazon.com.
You want to convert an existing CentOS reference machine into a vSphere template so you and your Rainpole architects can create blueprints for cloning CentOS machines in vRealize Automation. To prevent any conflicts that might arise from deploying multiple virtual machines with identical settings, you also want to create a general customization specification that you and your architects can use to create clone blueprints for Linux templates.
7 Right-click your Rainpole_centos_63_x86 reference machine in the vSphere Web Client and select Template > Convert to Template.
   vCenter Server marks your Rainpole_centos_63_x86 reference machine as a template and displays the task in the Recent Tasks pane.
You have a general customization specification that you can use to create blueprints for cloning Linux machines.

What to do next

Log in to the vRealize Automation console as the configuration administrator you created during the installation and request the catalog items that quickly set up your proof of concept.
Table 1‑17. Provisioning Methods that Support Software (Continued)

Machine Type: vCloud Air
Provisioning Method: Clone
A clone blueprint provisions a complete and independent virtual machine based on a vCenter Server virtual machine template. If you want your templates for cloning to support Software components, install the guest agent and software bootstrap agent on your reference machine as you prepare a template for cloning.
Procedure

1 Log in to the Windows reference server as an administrator.
2 Open a browser to the software download page on the vRealize Automation appliance.
    https://vrealize-automation-appliance-FQDN/software
3 Save the template ZIP to the Windows server.
    prepare_vra_template_windows.zip
4 Extract the ZIP contents to a folder, and run the prepare_vra_template.ps1 script using either of the following commands.
   - PowerShell -NoProfile -ExecutionPolicy Bypass Command .
- dmidecode as required by cloud providers
- Common requirements such as sed, awk, perl, chkconfig, unzip, and grep depending on your Linux distribution
  You might also use an editor to inspect the downloaded prepare_vra_template.sh script, which exposes the commands that it uses.
- If you plan to remotely access the machine for troubleshooting or other reasons, install OpenSSH.
- Remove network configuration artifacts from the network configuration files.
Updating Existing Virtual Machine Templates in vRealize Automation
If you are updating your templates, Amazon Machine Images, or snapshots for the latest version of the Windows Software bootstrap agent, or if you are manually updating to the latest Linux Software bootstrap agent instead of using the prepare_vra_template.sh script, you need to remove any existing versions and delete any logs.
Linux
For Linux reference machines, running the prepare_vra_template.
Procedure
1 Scenario: Prepare Your Reference Machine for Guest Agent Customizations and Software Components
So that your template can support software components, you install the software bootstrap agent and its prerequisite, the guest agent, on your reference machine. The agents ensure that vRealize Automation architects who use your template can include software components in their blueprints.
Procedure
1 In your Web browser, open the following URL.
    https://vrealize-automation-appliance-FQDN/software/index.html
2 Save the prepare_vra_template.sh script to your reference machine.
3 On the reference machine, make prepare_vra_template.sh executable.
    chmod +x prepare_vra_template.sh
4 Run prepare_vra_template.sh.
    ./prepare_vra_template.sh
5 Follow the prompts. If you need non-interactive information about options and values, enter ./prepare_vra_template.
c If you rebooted or reconfigured the reference machine after installing the software bootstrap agent, reset the agent.
    /opt/vmware-appdirector/agent-bootstrap/agent_reset.sh
d Power down the machine.
    shutdown -h now
2 Log in to the vSphere Web Client as an administrator.
3 Right-click your reference machine and select Edit Settings.
4 Enter cpb_centos_63_x84 in the VM Name text box.
6 Set computer name.
    a Select Use the virtual machine name.
    b Enter the domain on which cloned machines are going to be provisioned in the Domain name text box.
    c Click Next.
7 Configure time zone settings.
8 Click Next.
9 Select Use standard network settings for the guest operating system, including enabling DHCP on all network interfaces.
Procedure
1 Scenario: Prepare Your Reference Machine for the Dukes Bank vSphere Sample Application
You want your template to support the Dukes Bank sample application, so you must install both the guest agent and the software bootstrap agent on your reference machine so vRealize Automation can provision the software components.
4 Run the prepare_vra_template.sh installer script.
    ./prepare_vra_template.sh
  You can run the help command ./prepare_vra_template.sh --help for information about noninteractive options and expected values.
5 Follow the prompts to complete the installation.
  You see a confirmation message when the installation is successfully completed. If you see an error message and logs in the console, resolve the errors and run the installer script again.
d If you rebooted or reconfigured the reference machine after installing the software bootstrap agent, reset the agent.
    /opt/vmware-appdirector/agent-bootstrap/agent_reset.sh
e Power down the machine.
    shutdown -h now
2 Log in to the vSphere Web Client as an administrator.
3 Right-click your reference machine and select Edit Settings.
4 Enter dukes_bank_template in the VM Name text box.
5 Set computer name.
    a Select Use the virtual machine name.
    b Enter the domain on which you want to provision the Dukes Bank sample application in the Domain name text box.
    c Click Next.
6 Configure time zone settings.
7 Click Next.
8 Select Use standard network settings for the guest operating system, including enabling DHCP on all network interfaces.
2 Tenant and Resource Preparations for Blueprint Provisioning
You can configure multiple tenant environments, each with their own groups of users and unique access to resources that you bring under vRealize Automation management.
This chapter includes the following topics:
- Configuring Tenant Settings
- Configuring Resources
Configuring Tenant Settings
Tenant administrators configure tenant settings such as user authentication, and manage user roles and business groups.
Table 2‑1. Checklist for Configuring Tenant Settings (Continued)
Task
(Optional) Configure vRealize Automation to send users notifications when specific events occur.
(Optional) Configure vRealize Orchestrator to support XaaS and other extensibility.
You can manage the following settings from the Administration > Directories Management tab.
Table 2‑3. Directories Management Settings
Setting | Description
Directories | The Directories page enables you to create and manage Active Directory links to support vRealize Automation tenant user authentication and authorization. You create one or more directories and then sync those directories with your Active Directory deployment.
The connector is the default identity provider. For the authentication methods the connector supports, see VMware Identity Manager Administration. You can also use third-party identity providers that support the SAML 2.0 protocol. Use a third-party identity provider for an authentication type the connector does not support or for an authentication type the connector does support, if the third-party identity provider is preferable based on your enterprise security policy.
Single Active Directory Domain Environment
A single Active Directory deployment allows you to sync users and groups from a single Active Directory domain. See Configure an Active Directory over LDAP/IWA Link. For this environment, when you add a directory to the service, select the Active Directory over LDAP option.
- Active Directory (Integrated Windows Authentication) - With Active Directory (Integrated Windows Authentication), you configure the domain to join. Active Directory over LDAP is appropriate for single domain deployments. Use Active Directory (Integrated Windows Authentication) for all multi-domain and multi-forest deployments.
- OpenLDAP - You can use the open source version of LDAP to support Directories Management user authentication.
4 5 Select the appropriate Active Directory communication protocol using the radio buttons under the Directory Name text box.
Option | Description
Windows Authentication | Select Active Directory (Integrated Windows Authentication). For Active Directory Integrated Windows Authentication, required information includes the domain's Bind user UPN address and password.
LDAP | Select Active Directory over LDAP.
6 Enter the appropriate information in the Server Location text box if you selected Active Directory over LDAP, or enter information in the Join Domain Details text boxes if you selected Active Directory (Integrated Windows Authentication).
7 In the Bind User Details section, enter the appropriate credentials to facilitate directory synchronization.
For Active Directory over LDAP:
Option | Description
Base DN | Enter the search base distinguished name. For example, cn=users,dc=corp,dc=local.
Bind DN | Enter the bind distinguished name.
14 Click to select the groups you want to sync from Active Directory to the directory.
When you add a group from Active Directory, if members of that group are not in the Users list, they are added. When you sync a group, any users that lack Domain Users as their primary group in Active Directory are not synced.
What to do next
If your vRealize Automation environment is configured for high availability, you must specifically configure Directories Management for high availability. See Configure Directories Management for High Availability.
- Set up authentication methods. After users and groups sync to the directory, if the connector is also used for authentication, you can set up additional authentication methods on the connector.
- A Bind DN user account. Using a Bind DN user account with a non-expiring password is recommended.
- In your LDAP directory, the UUID of users and groups must be in plain text format.
- In your LDAP directory, a domain attribute must exist for all users and groups. You map this attribute to the Directories Management domain attribute when you create the Directories Management directory.
- User names must not contain spaces.
Option | Description
LDAP Configuration | Specify the LDAP search filters and attributes that Directories Management can use to query your LDAP directory. Default values are provided based on the core LDAP schema.
Filter Queries
- Groups: The search filter for obtaining group objects. For example: (objectClass=group)
- Bind user: The search filter for obtaining the bind user object, that is, the user that can bind to the directory.
7 In the Map Attributes page, verify that the Directories Management attributes are mapped to the correct LDAP attributes. These attributes will be synced for users.
  Important You must specify a mapping for the domain attribute. You can add attributes to the list from the User Attributes page.
8 Click Next.
9 Click + to select the groups you want to sync from the LDAP directory to the Directories Management directory on the Select the groups (users) you want to sync page.
11 Click + to add additional users. For example, enter CN=username,CN=Users,OU=myUnit,DC=myCorp,DC=com.
  You can add organizational units as well as individual users here. You can create a filter to exclude some types of users. Select the user attribute to filter by, the query rule, and the value.
12 Click Next.
13 Review the page to see how many users and groups will sync to the directory and to view the default sync schedule.
- If you plan to add both Active Directory and LDAP directories, ensure that you do not mark any attributes required in the User Attributes page, except for userName, which can be marked required. The settings in the User Attributes page apply to all directories in the service. If an attribute is marked required, users without that attribute are not synced to the Directories Management service.
3 Click the Identity Provider that is currently in use for your system.
  The existing directory and connector that provide basic identity management for your system appear.
4 On the Identity Provider properties page, click the Add a Connector drop-down list, and select the connector that corresponds to your secondary vRealize Automation appliance.
5 Enter the appropriate password in the Bind DN Password text box that appears when you select the connector.
2 Search for the word logout, and edit the location of each instance to point to https://servername.domain/adfs/ls/logout.aspx
  For example, the following:
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://servername.domain/adfs/ls/ "/>
  Should be changed to:
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://servername.domain/adfs/ls/logout.
c Click the + icon under the Policy Rules heading to add a new rule.
  Use the fields on the Add a Policy Rule page to create a rule that specifies the appropriate primary and secondary authentication methods to use for a specific network range and device.
  For example, if your network range is My Machine, and you need to access content from All Device Types then, for a typical deployment, you must authenticate by using the following method: ADFS Username and Password.
Setting up SAML between SSO2 and Directories Management involves configuration on the Directories Management and SSO components.
Table 2‑4. SAML Federation Component Configuration
Component | Configuration
Directories Management | Configure SSO2 as a third-party Identity Provider on Directories Management and update the default authentication policy. You can create an automated script to set up Directories Management.
c Click Add Identity Provider and provide the configuration information.
Option | Action
Identity Provider Name | Enter a name for the new Identity Provider.
Identity Provider Metadata (URI or XML) text box | Paste the contents of your SSO2 idp.xml metadata file in the text box and
Name ID Policy in SAML Request (Optional) | Enter http://schemas.xmlsoap.org/claims/UPN.
Users | Select the domains to which you want users to have access privileges.
action. If problems occur, close unneeded applications and verify that your deployment has appropriate memory allocated to Active Directory. If problems continue, increase the Active Directory memory allocation. For deployments with large numbers of users and groups, you might need to increase the Active Directory memory allocation to as much as 24 GB.
To edit the user configuration:
- To add users, click the + icon to add a line for a user DN definition and enter the appropriate user DN. If you want to delete a user DN definition, click the x icon for the desired user DN.
5 Click Save to save your changes without synchronizing your updates immediately. Click Save & Sync to save your changes and synchronize your updates immediately.
Add Memory to Directories Management
You may need to allocate additional memory to Directories Management if you have Active Directory connections that contain a large number of users or groups.
By default, 4 GB of memory is allocated to the Directories Management service. This is sufficient for many small to medium sized deployments. If you have an Active Directory connection that uses a large number of users or groups, you may need to increase this memory allocation.
2 Change directories to /usr/local/horizon/conf and create a file called domain_krb.properties.
3 Edit the domain_krb.properties file to add the list of the domain to host values. Add the information as =, , .
  For example, enter the list as
    example.com=examplehost.com:636, examplehost2.example.com:389
4 Change the owner of the domain_krb.properties file to horizon and group to www.
The User Attributes page lists the default directory attributes that you can map to Active Directory attributes. You select the attributes that are required, and you can add other Active Directory attributes to sync to the directory.
Table 2‑7.
- In the Identity Provider column, select the IdP to view, edit or disable. See Configure a Third Party Identity Provider Connection.
- In the Associated Directory column, access the directory associated with this worker.
- Click Join Domain to join the connector to a specific Active Directory domain.
If you do not have the rights to join a domain, or if your company policy requires a custom location for the computer object, you must ask your administrator to create the object and then join the connector machine to the domain.
Procedure
1 Ask your Active Directory administrator to create the computer object in Active Directory in a location determined by your company policy. You must provide the host name of the connector.
You must also update the file manually for any other changes. The following rules apply.
- The domain_krb.properties file is created in the virtual machine that contains the connector. In a typical deployment, with no additional connectors deployed, the file is created in the Directories Management service virtual machine. If you are using an additional connector for the directory, the file is created in the connector virtual machine.
Sample domain_krb.properties File
    example.com=host1.example.com:389,host2.example.com:389
- Override the Default Subnet Selection
  To auto-populate the domain_krb.properties file, the connector attempts to find domain controllers that are at the same site so there is minimal latency between the connector and Active Directory.
- Edit the domain_krb.properties file
  The /usr/local/horizon/conf/domain_krb.
Edit the domain_krb.properties file
The /usr/local/horizon/conf/domain_krb.properties file determines the domain controllers to use for directories that have DNS Service Location lookup enabled. You can edit the file at any time to modify the list of domain controllers for a domain, or to add or delete domain entries. Your changes will not be overridden.
The file is initially created and auto-populated by the connector. You need to update it manually in some scenarios.
"Error resolving domain" error
If the domain_krb.properties file already includes an entry for a domain, and you try to create a new directory of a different type for the same domain, an "Error resolving domain" error occurs. You must edit the domain_krb.properties file and manually remove the domain entry before creating the new directory.
Domain controllers are unreachable
Once a domain entry is added to the domain_krb.properties file, it is not updated automatically.
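Because the connector does not rewrite manual edits to domain_krb.properties, a malformed or duplicated entry stays in place until someone notices it. The following linter is an added example, not VMware code: it checks the domain=host:port,host:port format and the horizon:www ownership described above. The function names, the handling of # comment lines, and the case-insensitive duplicate check are assumptions of this example, and the sample input is constructed.

```python
import os
import re

try:                      # pwd/grp exist only on POSIX systems
    import grp
    import pwd
except ImportError:
    grp = pwd = None

# Constructed sample: line 1 uses the page's format, the rest are typical mistakes.
SAMPLE = """\
example.com=host1.example.com:389,host2.example.com:389
corp.local=dc1.corp.local:636, dc2.corp.local
EXAMPLE.com=host3.example.com:389
lab.local=
broken line without separator
ops.local=dc1.ops.local:70000
"""

LABEL_RE = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def _valid_name(name):
    """True for a syntactically valid DNS name (letters, digits, hyphens, dots)."""
    return 0 < len(name) <= 253 and all(LABEL_RE.match(p) for p in name.split("."))


def lint_domain_krb(text):
    """Return (entries, problems).

    entries maps the lowercased domain to a list of (host, port) tuples;
    problems is a list of (line_number, message) tuples.
    """
    entries, problems, seen = {}, [], {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # assumption: '#' starts a comment
            continue
        domain, sep, value = line.partition("=")
        domain = domain.strip()
        if not sep:
            problems.append((lineno, "missing '=' between domain and host list"))
            continue
        if not _valid_name(domain):
            problems.append((lineno, f"invalid domain name {domain!r}"))
            continue
        key = domain.lower()
        if key in seen:
            # A second entry for the same domain is the stale-entry case to clean up.
            problems.append((lineno, f"duplicate entry for {domain!r} "
                                     f"(first on line {seen[key]})"))
            continue
        seen[key] = lineno
        hosts = []
        for item in (part.strip() for part in value.split(",")):
            if not item:
                continue
            host, colon, port = item.rpartition(":")
            if not colon:
                problems.append((lineno, f"{item!r} has no port (expected host:port)"))
            elif not _valid_name(host):
                problems.append((lineno, f"{item!r} has an invalid host name"))
            elif not (port.isascii() and port.isdigit() and 1 <= int(port) <= 65535):
                problems.append((lineno, f"{item!r} has an invalid port"))
            else:
                hosts.append((host, int(port)))
        if not hosts:
            problems.append((lineno, f"no usable domain controller listed for {domain!r}"))
        entries[key] = hosts
    return entries, problems


def check_owner(path, owner="horizon", group="www"):
    """Compare a file's owner and group with the ones the procedure sets."""
    if pwd is None:
        return ["ownership check needs a POSIX system"]
    st = os.stat(path)
    try:
        user = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:                      # uid without a passwd entry
        user = str(st.st_uid)
    try:
        group_name = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group_name = str(st.st_gid)
    if (user, group_name) != (owner, group):
        return [f"{path} is owned by {user}:{group_name}, expected {owner}:{group}"]
    return []


if __name__ == "__main__":
    _, found = lint_domain_krb(SAMPLE)
    for lineno, message in found:
        print(f"line {lineno}: {message}")
```

On the connector appliance, pass the contents of /usr/local/horizon/conf/domain_krb.properties to lint_domain_krb and the path itself to check_owner.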
Authentication Methods
Set the priority of the authentication methods for the policy rule. The authentication methods are applied in the order they are listed. The first identity provider instance that meets the authentication method and network range configuration in the policy is selected, and the user authentication request is forwarded to the identity provider instance for authentication. If authentication fails, the next authentication method in the list is selected.
Example Default Policy
The following policy serves as an example of how you can configure the default policy to control access to the apps portal. See Manage the User Access Policy.
The policy rules are evaluated in the order listed. You can change the order of the policy by dragging and dropping the rule in the Policy Rules section.
In the following use case, this policy example applies to all applications.
The following Web-application-specific policy provides an example of a policy you can create to control access to specified Web applications.
Example 1 Strict Web-Application-Specific Policy
In this example, a new policy is created and applied to a sensitive Web application.
1 To access the service from outside the enterprise network, the user is required to log in with RSA SecurID.
2 The user immediately tries to launch a Web application with the Example 2 policy rule applied, which requires RSA SecurID authentication.
3 The user is redirected to an identity provider that provides RSA SecurID authentication.
4 After the user successfully logs in, the service launches the application and saves the authentication event.
d Specify the number of hours a Web application session remains open.
e Click Save.
6 Configure additional rules as appropriate.
7 Click Save.
Configuring Additional Identity Provider Connections
You can configure additional identity provider connections as needed to support different identity management scenarios, including additional built-in identity providers and third-party identity providers.
vRealize Automation is supplied with a default identity provider. In most cases, the default provider is sufficient for customer needs. If you use an existing enterprise identity management solution, you can set up a custom identity provider to redirect users to your existing identity solution.
When using a custom identity provider, Directories Management uses SAML metadata from that provider to establish a trust relationship with the provider.
Option | Description
Network | The existing network ranges configured in the service are listed. Select the network ranges for the users, based on their IP addresses, that you want to direct to this identity provider instance for authentication.
5 Authentication Methods | Add the authentication methods supported by the third-party identity provider. Select the SAML authentication context class that supports the authentication method.
Option | Description
Users | Select the group of users who can authenticate using this Workspace identity provider.
Network | The existing network ranges configured in the service are listed. Select the network range for the users based on the IP addresses that you want to direct to this identity provider instance for authentication.
Authentication Methods | Authentication methods that are configured for the service are displayed.
Integrating Alternative User Authentication Products with Directories Management
Typically, when you initially configure Directories Management, you use the connectors supplied with your existing vRealize Automation infrastructure to create an Active Directory connection for user ID and password based authentication and management. Alternatively, you can integrate Directories Management with other authentication solutions such as Kerberos or RSA SecurID.
Table 2‑8. User Authentication Types Supported by Directories Management (Continued)
Authentication Types | Description
Mobile SSO (for iOS) | Mobile SSO for iOS authentication is used for single sign-on authentication for AirWatch-managed iOS devices. Mobile SSO (for iOS) authentication uses a Key Distribution Center (KDC) that is part of the Directories Management service.
Prerequisites
- Verify that one of the following RSA Authentication Manager versions is installed and functioning on the enterprise network: RSA AM 6.1.2, 7.1 SP2 and later, and 8.0 and later. The Directories Management server uses AuthSDK_Java_v8.1.1.312.06_03_11_03_16_51 (Agent API 8.1 SP1), which only supports the preceding versions of RSA Authentication Manager (the RSA SecurID server).
4 In the Authentication Adapters page SecurIDldpAdapter row, click Edit.
5 Configure the SecurID Authentication Adapter page.
  Information used and files generated on the RSA SecurID server are required when you configure the SecurID page.
6
Option | Action
Name | A name is required. The default name is SecurIDldpAdapter. You can change this.
Enable SecurID | Select this box to enable SecurID authentication.
When users sign in to their My Apps portal and RADIUS authentication is enabled, a special login dialog box appears in the browser. Users enter their RADIUS authentication user name and passcode in the login dialog box. If the RADIUS server issues an access challenge, the identity manager service displays a dialog box prompting for a second passcode. Currently support for RADIUS challenges is limited to prompting for text input.
Procedure
1 Select Administration > Directories Management > Connectors.
2 On the Connectors page, select the Worker link for the connector that is being configured for RADIUS authentication.
3 Click Auth Adapters and then click RadiusAuthAdapter.
  You are redirected to the identity manager sign-in page.
4 Click Edit to configure these fields on the Authentication Adapter page.
Option | Action
Name | A name is required. The default name is RadiusAuthAdapter.
5 You can enable a secondary RADIUS server for high availability.
  Configure the secondary server as described in step 4.
6 Click Save.
What to do next
Add the RADIUS authentication method to the default access policy. Select Administration > Directories Management > Policies and click Edit Default Policy to edit the default policy rules to add the RADIUS authentication method to the rule in the correct authentication order.
You can configure the Directories Management to use an email address to validate the user account if the UPN does not exist in the certificate. You can also enable an alternate UPN type to be used.
Certificate Authority Required for Authentication
To enable logging in using certificate authentication, root certificates and intermediate certificates must be uploaded to the Directories Management.
Logging in with OCSP Certificate Checking
When you configure Online Certificate Status Protocol (OCSP) revocation checking, Directories Management sends a request to an OCSP responder to determine the revocation status of a specific user certificate. The Directories Management server uses the OCSP signing certificate to verify that the responses it receives from the OCSP responder are genuine.
If the certificate is revoked, authentication fails.
Option | Description
Uploaded CA certificates | The uploaded certificate files are listed in the Uploaded Ca Certificates section of the form. You must restart the service before the new certificates are made available. Click Restart Web Service to restart the service and add the certificates to the trusted service.
  Note Restarting the service does not enable certificate authentication. After the service is restarted, continue configuring this page.
- When Certificate Authentication is configured, and the service appliance is set up behind a load balancer, make sure that the Directories Management connector is configured with SSL pass-through at the load balancer and not configured to terminate SSL at the load balancer. This configuration ensures that the SSL handshake is between the connector and the client in order to pass the certificate to the connector.
2 Click Add Identity Provider.
  A menu appears with Identity Provider options.
3 Select Create Third Party IDP.
4 Enter the appropriate information to configure the identity provider.
Option | Description
Identity Provider Name | Enter a name for this identity provider instance.
SAML Metadata | Add the third-party IdP's XML-based metadata document to establish trust with the identity provider.
  1 Enter the SAML metadata URL or the XML content into the text box.
Managing Authentication Methods to Apply to Users
The Directories Management service attempts to authenticate users based on the authentication methods, the default access policy, network ranges, and the identity provider instances you configure.
When users attempt to log in, the service evaluates the default access policy rules to select which rule in the policy to apply. The authentication methods are applied in the order they are listed in the rule.
2 3 Edit an existing network range or add a new network range.
Option | Description
Edit an existing range | Click the network range name to edit.
Add a range | Click Add Network Range to add a new range.
Complete the form.
Form Item | Description
Name | Enter a name for the network range.
Description | Enter a description for the Network Range.
View Pods | The View Pods option only appears when the View module is enabled.
Client Access URL Host.
5 In the Attributes section, add the Directories Management directory attribute name to the list.
6 Click Save.
  The default attribute status is updated and attributes you added are added on the directory's Mapped Attributes list.
7 After the directory is created, go to the Identity Stores page and select the directory.
8 Click Sync Settings > Mapped Attributes.
3 To edit a policy rule, click the authentication method to edit in the Policy Rules, Authentication Method column. To add a new policy rule, click the + icon.
4 Click Save and click Save again on the Policy page.
5 Click Save and click Save again on the Policy page.
Configure Kerberos Authentication
To configure the Directories Management service to provide Kerberos authentication, you must join to the domain and enable Kerberos authentication on the Directories Management connector.
Procedure
1 As a tenant administrator, navigate to Administration > Directories Management > Connectors
2 On the Connectors page, for the connector that is being configured for Kerberos authentication, click Join Domain.
What to do next
Add the authentication method to the default access policy. Navigate to Administration > Directories Management > Policies and click Edit Default Policy to edit the default policy rules to add the Kerberos authentication method to the rule in the correct authentication order.
d In the Local Intranet dialog box, click Advanced.
  A second dialog box named Local intranet appears.
e Enter the Directories Management URL in the Add this Web site to the zone text box.
    https://myconnectorhost.domain/authenticate/
f Click Add > Close > OK.
5 Verify that Internet Explorer is allowed to pass the Windows authentication to the trusted site.
    a In the Internet Options dialog box, click the Advanced tab.
    b Select Enable Integrated Windows Authentication.
8 Click OK.
9 Test Kerberos functionality by using the Firefox browser to log in to the login URL. For example, https://myconnectorhost.domain.com/authenticate/.
If the Kerberos authentication is successful, the test URL goes to the Web interface.
The Kerberos protocol secures all interactions between this Firefox browser instance and Directories Management. Now, users can use single sign-on to access their My Apps portal.
By default, the connector uses the VMware Web site for the upgrade procedure, which requires the connector appliance to have Internet connectivity. You must also configure proxy server settings for the connector appliance, if applicable.
If your connector instance does not have an Internet connection, you can perform the upgrade offline. For an offline upgrade, you download the upgrade package and set up a local Web server to host the upgrade file.
Enable your proxy to handle only Internet traffic. To ensure that the proxy is set up correctly, set the parameter for internal traffic to no-proxy within the domain.
Note Proxy servers that require authentication are not supported.
Prerequisites
- Verify that you have the root password for the connector appliance.
- Verify that you have the proxy server information.
Procedure
1 Log in to the connector appliance as the root user.
Procedure
1 Log in to the connector appliance as the root user.
2 Run the following command.
    /usr/local/horizon/update/updatemgr.hzn updateinstaller
3 Run the following command to check that an online upgrade exists.
    /usr/local/horizon/update/updatemgr.hzn check
4 Run the following command to update the appliance.
    /usr/local/horizon/update/updatemgr.hzn update
  Messages that occur during the upgrade are saved to the update.log file at /opt/vmware/var/log/update.log.
- Configure the connector appliance to use a local Web server to host the upgrade file. See Prepare a Local Web Server for Offline Upgrade.
Procedure
1 Prepare a Local Web Server for Offline Upgrade
  Before you start the offline connector upgrade, prepare the local Web server by creating a directory structure that includes a subdirectory for the connector appliance.
Prerequisites
Prepare a local Web server for offline upgrade.
Procedure
1 Log in to the connector appliance as the root user.
2 Run the following command to configure an upgrade repository that uses a local Web server.
    /usr/local/horizon/update/updatelocal.hzn seturl http://YourWebServer/VM/
Note: To undo the configuration and restore the ability to perform an online upgrade, you can run the following command.
    /usr/local/horizon/update/updatelocal.
The connector upgrade is complete.
Configuring Settings After Upgrading an External Connector
After upgrading to connector 2016.3.1.0 or later, you may need to configure some settings.
Rejoin Domain with Kerberos Authentication
If you use Kerberos authentication or Active Directory (Integrated Windows Authentication) directories, you must leave the domain and then rejoin it. This is required for all the connector virtual appliances in your deployment.
Troubleshooting External Connector Upgrade Errors
You can troubleshoot vRA Directories Management external connector upgrade problems by reviewing the error logs. If the connector does not start, you can revert to a previous instance by rolling back to a snapshot.
- Checking the Upgrade Error Logs
Resolve errors that occur during upgrade by reviewing the error logs. Upgrade log files are in the /opt/vmware/var/log directory.
Collecting a Log File Bundle
You can collect a bundle of log files to send to VMware support. You obtain the bundle from the connector configuration page. The following log files are collected in the bundle.
Table 2‑9. Log Files
Component | Location of Log File | Description
Apache Tomcat Logs (catalina.log) | /opt/vmware/horizon/workspace/logs/catalina.log | Apache Tomcat records messages that are not recorded in other log files.
Configurator Logs (configurator.
- Log in to the vRealize Automation console as a tenant administrator.
Procedure
1 Select Administration > Directories Management > Directories.
2 Click Add Directory.
3 Enter your specific Active Directory account settings, and accept the default options.
Option | Sample Input
Directory Name | Add the IP address of your active directory domain name.
Sync Connector | Every vRealize Automation appliance contains a connector. Use any of the available connectors.
4
f Click to add additional users. For example, enter as CN=username,CN=Users,OU=myUnit,DC=myCorp,DC=com.
To exclude users, click + to create a filter to exclude some types of users. You select the user attribute to filter by, the query rule, and the value.
g Click Next.
9 Review the page to see how many users and groups are syncing to the directory and click Sync Directory.
Directories Management supports multiple identity providers and connector clusters for each configured Active Directory. To use a third-party identity provider or smart card authentication, you can set up either a single external connector or a connector cluster with an appropriate identity provider behind a load balancer that permits SSL passthrough. See Managing Connectors and Connector Clusters for more information.
Generate a Connector Activation Token
Before you deploy the connector virtual appliance to use for smart card authentication, generate an activation code for the new connector from the vRealize Automation console. The activation code is used to establish communication between Directories Management and the connector. You can configure a single connector or a connector cluster. If you want to use a connector cluster, repeat this procedure for each connector that you need.
Page | Description
Name and Location | Enter a name for the virtual appliance. The name must be unique within the inventory folder and can contain up to 80 characters. Names are case sensitive. Select a location for the virtual appliance.
Host / Cluster | Select the host or cluster to run the deployed template.
Resource Pool | Select the resource pool.
Storage | Select the location to store the virtual machine files.
Disk Format | Select the disk format for the files.
Procedure
1 To run the Setup wizard, enter the connector URL that was displayed in the Console tab after the OVA was deployed.
2 On the Welcome Page, click Continue.
3 Create strong passwords for the following connector virtual appliance administrator accounts.
Strong passwords should be at least eight characters long and include uppercase and lowercase characters and at least one digit or special character.
You only need to specify the CN, or certificate authority's site domain name, if you are generating a CSR for a custom certificate.
Prerequisites
Generate a Certificate Signing Request (CSR) and obtain a valid, signed certificate from a CA. If your organization provides SSL certificates that are signed by a CA, you can use these certificates. The certificate must be in the PEM format.
Certificate Chain Example
WdR9Vpg3WQT5+C3HU17bUOwvhp/rjlQvt90+
... ... ...
O05j5xsxzDJfWr1lqBlFF/OkIYCPW53+cyK1
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
dR9Vpg3WQTjlQvt9W5+C3HU17bUOwvhp/r0+
... ... ...
5j5xsxzDJfWr1lqW53+O0BlFF/OkIYCPcyK1
-----END CERTIFICATE-----
Private Key Example
-----BEGIN RSA PRIVATE KEY-----
jlQvtg3WQT5+C3HU17bU9WdR9VpOwvhp/r0+
... ... ...
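The following Python lint is an added example, not part of the VMware documentation: it checks certificate chain and private key text in the PEM format required above for structural damage that commonly appears after copy and paste, such as END and BEGIN lines fused together, wrong dash counts, and truncated blocks. The function names, the accepted label characters, and the sample blocks are assumptions made for illustration; the checks are structural only and do not verify signatures or that the key belongs to the certificate.

```python
import base64
import binascii
import re
import textwrap

# A PEM boundary line (RFC 7468 style): five dashes on each side, alone on its line.
# The label character set is an assumption that covers CERTIFICATE and * PRIVATE KEY.
BOUNDARY = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+)-----$")


def is_single_der_sequence(der: bytes) -> bool:
    """True if `der` is exactly one DER SEQUENCE (tag 0x30), nothing missing or left over."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                       # short-form length
        header, length = 2, der[1]
    else:                                   # long form: the next n bytes hold the length
        n = der[1] & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)


def lint_pem(text: str):
    """Return (labels, problems) for the BEGIN/END blocks found in `text`."""
    labels, problems = [], []
    label, body, start = None, [], 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = BOUNDARY.match(line)
        if m is None:
            if "BEGIN " in line or "END " in line:
                problems.append(f"line {lineno}: malformed or fused boundary line")
            elif label is None:
                problems.append(f"line {lineno}: data outside a BEGIN/END block")
            else:
                body.append(line)
            continue
        kind, name = m.groups()
        if kind == "BEGIN":
            if label is not None:
                problems.append(f"line {lineno}: BEGIN before END of block at line {start}")
            label, body, start = name, [], lineno
            continue
        if label is None:
            problems.append(f"line {lineno}: END {name} without a matching BEGIN")
            continue
        if name != label:
            problems.append(f"line {lineno}: END {name} closes BEGIN {label}")
        try:
            der = base64.b64decode("".join(body), validate=True)
        except (binascii.Error, ValueError):
            problems.append(f"block at line {start}: body is not valid base64")
        else:
            if not is_single_der_sequence(der):
                problems.append(f"block at line {start}: body is not one complete DER structure")
        labels.append(label)
        label = None
    if label is not None:
        problems.append(f"block at line {start}: BEGIN {label} has no END")
    return labels, problems


def check_connector_input(chain_text: str, key_text: str):
    """Lint both pasted texts; an empty list means they are structurally sound."""
    chain_labels, chain_problems = lint_pem(chain_text)
    key_labels, key_problems = lint_pem(key_text)
    problems = [f"chain: {p}" for p in chain_problems] + [f"key: {p}" for p in key_problems]
    if not chain_labels or any(lab != "CERTIFICATE" for lab in chain_labels):
        problems.append("chain: expected one or more CERTIFICATE blocks and nothing else")
    if len(key_labels) != 1 or not key_labels[0].endswith("PRIVATE KEY"):
        problems.append("key: expected exactly one PRIVATE KEY block")
    return problems


def sample_block(label: str, payload_len: int) -> str:
    """Constructed placeholder: a DER SEQUENCE of zero bytes, not a real certificate or key."""
    der = b"\x30\x82" + payload_len.to_bytes(2, "big") + bytes(payload_len)
    b64 = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"


# Constructed sample input (placeholder bytes only).
GOOD_CHAIN = sample_block("CERTIFICATE", 300) + sample_block("CERTIFICATE", 280)
GOOD_KEY = sample_block("RSA PRIVATE KEY", 600)
# The same chain with the newline between the two blocks lost during copy and paste.
FUSED_CHAIN = GOOD_CHAIN.replace("-----\n-----BEGIN", "----------BEGIN")

if __name__ == "__main__":
    for name, chain in (("good", GOOD_CHAIN), ("fused", FUSED_CHAIN)):
        print(name, check_connector_input(chain, GOOD_KEY) or "ok")
```

Run it against the exact text you intend to paste; a clean result only means the PEM framing is intact, so certificate validity and key matching still need a separate check.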
6 Select the external connector or connectors that you configured for smart card authentication.
Note: If the deployment is located behind a load balancer, enter the load balancer URL.
7 Select the network for access to this identity provider.
8 Click Add.
Configure Certificate Authentication and Configure Default Access Policy Rules
You must configure your external connection for use with your vRealize Automation Active Directory and domain.
Prerequisites
- Install a distributed vRealize Automation deployment with appropriate load balancers. See Installing vRealize Automation 7.3.
- Log in to the vRealize Automation console as a tenant administrator.
- Configure the appropriate domains and Active Directory forests for your deployment.
Procedure
1 Select Administration > Directories Management > Directories.
2 Click Add Directory.
11 Verify that the Directories Management directory attribute names are mapped to the correct Active Directory attributes. If the directory attribute names are mapped incorrectly, select the correct Active Directory attribute from the drop-down menu.
12 Click Next.
13 Click to select the groups you want to sync from Active Directory to the directory. When you add an Active Directory group, if members of that group are not in the Users list, they are added.
To allow users or groups to modify and trigger a pipeline, you must assign permissions to those users and groups. When you assign users and groups the role of Release Manager, they can modify and trigger the pipeline. When you assign users and groups the role of Release Engineer, they can trigger the pipeline. For more information, see the Using vRealize Code Stream guide.
Prerequisites
Log in to the vRealize Automation console as a tenant administrator.
You can assign roles to your custom group, but it is not necessary in all cases. For example, you can create a custom group called Machine Specification Approvers, to use for all machine pre-approvals. You can also create custom groups to map to your business groups so that you can manage all groups in one place. In those cases, you do not need to assign roles.
Prerequisites
Log in to the vRealize Automation console as a tenant administrator.
To support vCloud Director integration, the same business group members in the vRealize Automation business group must also be members of the vCloud Director organization. After a tenant administrator creates the business group, the business group manager has permission to modify the manager email address and the members. The tenant administrator can modify all the options. This procedure assumes that IaaS is installed and configured.
Option | Description
Shared access role | Can use and run actions on the resources that other business group members deploy.
User role | Can request service catalog items to which they are entitled.
6 Click Next.
7 Configure default infrastructure options.
Option | Description
Default machine prefix | Select a preconfigured machine prefix for the business group. This prefix is used by machine blueprints.
Solution
To reduce the retrieval workload, use Active Directory groups or custom groups whenever possible rather than adding hundreds of individual members by name.
Create Additional Tenants
As a system administrator, you can create additional vRealize Automation tenants so that users can access the appropriate applications and resources that they need to complete their work assignments.
2 Click the New icon.
3 Enter a name in the Name text box.
4 (Optional) Enter a description in the Description text box.
5 Enter a unique identifier for the tenant in the URL Name text box.
This URL token is used to append a tenant-specific identifier to the vRealize Automation console URL. For example, enter mytenant to create the URL https://vrealize-appliancehostname.domain.name/vcac/org/mytenant.
Tenant administrators are responsible for configuring tenant-specific branding, as well as managing identity stores, users, groups, entitlements, and shared blueprints within the context of their tenant. IaaS Administrators are responsible for configuring infrastructure source endpoints in IaaS, appointing fabric administrators, and monitoring IaaS logs.
Prerequisites
- Before you appoint IaaS administrators, you must install IaaS.
Custom branding can include text and background colors, business logos, company name, privacy policies, copyright statements and other relevant information that you want to appear on tenant login or application pages.
Custom Branding for Tenant Login Page
Use the Login Screen Branding page to apply custom branding to your vRealize Automation tenant login pages.
You can use default vRealize Automation branding on your user applications, or you can configure custom branding using the Application Branding page. This page enables you to configure branding on the header and footer of application pages. Note that custom branding applies in the same manner to all of your user applications. The Application Branding page displays the currently implemented header or footer branding at the bottom of the page.
(Optional) Checklist for Configuring Notifications
You can configure vRealize Automation to send users notifications when specific events occur. Users can choose which notifications to subscribe to, but they can only select from events you enable as notification triggers.
Figure: Workflow for configuring notifications. Configure an outbound mail server to send notifications. If you want users to be able to respond to notifications, configure an inbound mail server to receive notifications. Enable notifications for any events you want to allow users to receive updates for. If you want to customize the templates for IaaS notifications, edit the configuration files that control IaaS notifications.
Table 2‑10. Checklist for Configuring Notifications
Task: Configure an outbound email server to send notifications.
Required Role:
- System administrators configure default global servers.
- Tenant administrators configure servers for their tenants.
Task: (Optional) Configure an inbound email server so that users can complete tasks by responding to notifications.
Required Role:
- System administrators configure default global servers.
Configuring Global Email Servers for Notifications
Tenant administrators can add email servers as part of configuring notifications for their own tenants. As a system administrator, you can set up global inbound and outbound email servers that appear to all tenants as the system defaults. If tenant administrators do not override these settings before enabling notifications, vRealize Automation uses the globally configured email servers.
18 Click Add.
Create a Global Outbound Email Server
System administrators create a global outbound email server to handle outbound email notifications. You can create only one outbound server, which appears as the default for all tenants. If tenant administrators do not override these settings before enabling notifications, vRealize Automation uses the globally configured email server.
Prerequisites
Log in to the vRealize Automation console as a system administrator.
Add a Tenant-Specific Outbound Email Server
Tenant administrators can add an outbound email server to send notifications for completing work items, such as approvals. Each tenant can have only one outbound email server. If your system administrator has already configured a global outbound email server, see Override a System Default Outbound Email Server.
Prerequisites
- Log in to the vRealize Automation console as a tenant administrator.
12 Choose whether vRealize Automation can accept self-signed certificates from the email server. This option is available only if you enabled encryption.
- Click Yes to accept self-signed certificates.
- Click No to reject self-signed certificates.
13 Click Test Connection.
14 Click Add.
Add a Tenant-Specific Inbound Email Server
Tenant administrators can add an inbound email server so that users can respond to notifications for completing work items, such as approvals.
9 (Optional) Select Delete From Server to delete from the server all processed emails that are retrieved by the notification service.
10 Choose whether vRealize Automation can accept self-signed certificates from the email server. This option is available only if you enabled encryption.
- Click Yes to accept self-signed certificates.
- Click No to reject self-signed certificates.
11 Click Test Connection.
12 Click Add.
11 Choose whether vRealize Automation can accept self-signed certificates from the email server. This option is available only if you enabled encryption.
- Click Yes to accept self-signed certificates.
- Click No to reject self-signed certificates.
12 Click Test Connection.
13 Click Add.
Override a System Default Inbound Email Server
If the system administrator has configured a system default inbound email server, tenant administrators can override this global setting.
10 Choose whether vRealize Automation can accept self-signed certificates from the email server. This option is available only if you enabled encryption.
- Click Yes to accept self-signed certificates.
- Click No to reject self-signed certificates.
11 Click Test Connection.
12 Click Add.
Revert to System Default Email Servers
Tenant administrators who override system default servers can revert the settings back to the global settings.
You can change the setting that defines the number of days before a machine's expiration date that vRealize Automation sends an expiration notification email. The email notifies users of a machine's expiration date. By default, the setting is 7 days prior to machine expiration.
Procedure
1 Log in to the vRealize Automation server by using credentials with administrative access.
2 Navigate to and open the /etc/vcac/setenv-user file.
2 Select the Enabled check box for the Email protocol in the Notifications table.
3 Click Apply.
4 Click Close.
(Optional) Create a Custom RDP File to Support RDP Connections for Provisioned Machines
System administrators create a custom remote desktop protocol file that IaaS architects use in blueprints to configure RDP settings.
You have a datacenter in London, and a datacenter in Boston, and you do not want users in Boston provisioning machines on your London infrastructure or vice versa. To ensure that Boston users provision on your Boston infrastructure, and London users provision on your London infrastructure, you want to allow users to select an appropriate location for provisioning when they request machines.
Configuring vRealize Orchestrator
vRealize Orchestrator is an automation and management engine that extends vRealize Automation to support XaaS and other extensibility. You can configure and use the vRealize Orchestrator server that is preconfigured in the vRealize Automation appliance, or you can deploy vRealize Orchestrator as an external server instance and associate that external instance with vRealize Automation.
3 Click Use the default Orchestrator server.
Connections to the embedded vRealize Orchestrator server are now configured. The vCAC workflows folder and the related utility actions are automatically imported. The vCAC > ASD workflows folder contains workflows for configuring endpoints and creating resource mappings.
4 Log in to the vRealize Orchestrator Control Center. The user name is configured by the vRealize Automation appliance administrator.
Log in to the vRealize Orchestrator Client
To perform general administration tasks or to edit and create workflows in the default vRealize Orchestrator instance, you must log in to the vRealize Orchestrator client.
Configure an External vRealize Orchestrator Server
You can set up vRealize Automation to use an external vRealize Orchestrator server. System administrators can configure the default vRealize Orchestrator server globally for all tenants. Tenant administrators can configure the vRealize Orchestrator server only for their tenants.
6 Select the authentication type.
Option | Description
Single Sign-On | Connects to the vRealize Orchestrator server by using vCenter Single Sign-On. This option is applicable only if you configured the vRealize Orchestrator and vRealize Automation to use a common vCenter Single Sign-On instance.
Basic | Connects to the vRealize Orchestrator server with the user name and password that you enter in the User name and Password text boxes.
Table 2‑11. Checklist for Configuring IaaS Resources
- Create endpoints for your infrastructure to bring resources under vRealize Automation management. vRealize Automation Role: IaaS administrator. Details: Choosing an Endpoint Scenario.
- Create a fabric group to organize infrastructure resources into groups and assign one or more administrators to manage those resources as your vRealize Automation fabric administrators. vRealize Automation Role: IaaS administrator. Details: Create a Fabric Group.
- IPAM: This category is only visible if you have registered a third-party IPAM endpoint type such as Infoblox IPAM in a vRealize Orchestrator workflow.
- Management: This category contains the vRealize Operations Manager endpoint only.
- Network and Security: This category contains the Proxy and NSX endpoint types. A Proxy endpoint can be associated to an Amazon, vCloud Air, or vCloud Director endpoint. An NSX endpoint can be associated to a vSphere endpoint.
Table 2‑12.
Table 2‑13. General Tab Settings (Continued)
Setting | Description
Address | Enter the endpoint address using the endpoint-specific address format.
- For a KVM (RHEV) or NetApp ONTAP endpoint, the address must be of one of the following formats:
  - https://FQDN
  - https://IP_address
  For example: https://mycompany-kvmrhev1.mycompany.local or netapp-1.mycompany.local.
- For an OpenStack endpoint, the address must be of the format https://FQDN/powervc/openstack/service.
Table 2‑13. General Tab Settings (Continued)
Setting | Description
Port | Enter the port value to connect to on the proxy endpoint address. This setting applies to Proxy endpoints only.
Priority | Enter a priority value as an integer greater than or equal to 1. The lower value specifies a higher priority. The priority value is associated to the embedded VMware.VCenterOrchestrator.Priority custom property. This setting applies to vRealize Orchestrator endpoints only.
- If you want to configure additional NSX network and security settings for the vSphere endpoint, create an NSX endpoint. You can associate to the NSX endpoint as you create the vSphere endpoint. See Create an NSX Endpoint and Associate to a vSphere Endpoint.
Procedure
1 Select Infrastructure > Endpoints > Endpoints.
2 Select New > Virtual > vSphere.
3 Enter a name in the Name text box.
- Agent error: The associated vSphere agent is not found. The agent must be running for the test to succeed.
- Host error: The specified endpoint address is not reachable or the associated manager service is not running. The manager service must be running for the test to succeed.
- Credentials error: The specified user name and password combination is invalid for the endpoint at the specified address.
- You must install a vSphere proxy agent to manage your vSphere endpoint, and you must use the same exact name for your endpoint and agent. For information about installing the agent, see Installing vRealize Automation 7.3.
- Configure your NSX network settings. See Configuring Network and Security Component Settings.
- Create a vSphere Endpoint.
- Host error: The specified endpoint address is not reachable or the associated manager service is not running. The manager service must be running for the test to succeed.
- Credentials error: The specified user name and password combination is invalid for the endpoint at the specified address.
- Timeout: The test action could not complete in the allowed two-minute time period.
- If you want to configure additional security and force connections to pass through a proxy server, create a Proxy endpoint. You can associate to the Proxy endpoint as you create the vCloud Director endpoint. See Create a Proxy Endpoint and Associate to a Cloud Endpoint.
Procedure
1 Select Infrastructure > Endpoints > Endpoints.
2 Select New > Cloud > vCloud Air.
3 Enter a name and, optionally, a description.
vRealize Automation uses a proxy agent to manage vSphere resources.
Note: Reservations defined for vCloud Air endpoints and vCloud Director endpoints do not support the use of network profiles for provisioning machines.
For information about associating proxy settings to your endpoint, see Create a Proxy Endpoint and Associate to a Cloud Endpoint.
Prerequisites
- Log in to the vRealize Automation console as an IaaS administrator.
6 If you are an organization administrator, you can enter a vCloud Director organization name in the Organization text box.
Option | Description
Discover all Organization vCDs | If you have implemented vCloud Director in a private cloud, you can leave the Organization text box blank to allow the application to discover all the available Organization vDCs.
Separate endpoints for each Organization vCD | Enter a vCloud Director organization name in the Organization text box.
For information about associating proxy settings to your endpoint, see Create a Proxy Endpoint and Associate to a Cloud Endpoint.
Prerequisites
- Log in to the vRealize Automation console as an IaaS administrator.
- If you want to configure additional security and force connections to pass through a proxy server, create a Proxy endpoint. You can associate to the Proxy endpoint as you create the Amazon endpoint.
Prerequisites
Log in to the vRealize Automation console as an IaaS administrator.
Procedure
1 Click Infrastructure > Administration > Instance Types.
2 Click New.
3 Add a new instance type, specifying the following parameters.
Information about the available Amazon instances types and the setting values that you can specify for these parameters is available from Amazon Web Services documentation in EC2 Instance Types Amazon Web Services (AWS) at aws.amazon.
- Create an Amazon Endpoint
- Create a vCloud Director Endpoint
You must have at least one vCloud Air, vCloud Director, or Amazon endpoint to create an association from the Proxy endpoint.
Procedure
1 Select Infrastructure > Endpoints > Endpoints.
2 Select New > Network and Security > Proxy.
3 Enter a name in the Name text box.
4 (Optional) Enter a description in the Description text box.
5 Enter the URL for the installed proxy agent in the Address text box.
Procedure
1 Select Infrastructure > Endpoints > Endpoints.
2 Select New > Orchestration > vRealize Orchestrator.
3 Enter a name and, optionally, a description.
4 Enter a URL with the fully qualified name or IP address of the vRealize Orchestrator server and the vRealize Orchestrator port number.
The transport protocol must be HTTPS. If no port is specified, the default port 443 is used.
Create a vRealize Operations Manager Endpoint
You can create a vRealize Operations Manager endpoint to connect to a vRealize Operations Manager host suite API. For information about validating the vRealize Operations Manager connection and certificate trust, see Considerations When Using Test Connection.
Prerequisites
- Log in to the vRealize Automation console as an IaaS administrator.
Procedure
1 Select Infrastructure > Endpoints > Endpoints.
If the Test Connection action fails, you can still save the endpoint but machine provisioning might fail. If there is a trusted certificate issue, for example the certificate has expired, you are prompted to accept a certificate thumbprint.
8 Click OK.
Create a Third-Party IPAM Provider Endpoint
If you registered and configured a third-party IPAM endpoint type in vRealize Orchestrator, you can create an endpoint for that IPAM solution provider in vRealize Automation.
4 Enter the location of the registered IPAM endpoint in the Address text box using the provider-specific URL format, for example https://host_name/name.
For example, you might create several IPAM endpoints, such as https://nsx62-scale-infoblox and https://nsx62-scale-infoblox2, when you registered the IPAM endpoint type in vRealize Orchestrator. Enter a primary registered endpoint type.
Prerequisites
- Configure a Microsoft Azure instance and obtain a valid Microsoft Azure subscription from which you can use the subscription ID. See http://www.vaficionado.com/2016/11/using-new-microsoft-azure-endpoint-vrealize-automation-7-2/ for more information about configuring Azure and obtaining a subscription ID.
- Your vRealize Automation deployment must have at least one tenant and one business group.
Parameter | Description
Azure subscription id | The identifier for your Azure subscription. The ID defines the storage accounts, virtual machines and other Azure resources to which you have access.
Resource manager settings
Azure service URI | The URI through which you gain access to your Azure instance. The default value of https://management.azure.com/ is appropriate for many typical implementations.
Tenant Id | The Azure tenant ID that you want the endpoint to use.
Action | Options
Create an Azure resource group |
- Create the resource group using the Azure portal. See the Azure documentation for specific instructions.
- Use the appropriate vRealize Orchestrator workflow found under the Library/Azure/Resource/Create resource group.
Create an Azure storage account |
- In vRealize Automation, create and publish an XaaS blueprint that contains the vRealize Orchestrator workflow.
Procedure
1 Select Administration > Endpoints > OrchestratorEndpoints.
2 Click the New icon.
3 On the Plug-in tab, click the Plug-in drop-down menu and select Puppet Plug-in.
4 Click Next.
5 Enter a name and, optionally, a description.
6 Click Next.
7 Populate the text boxes on the Details tab as appropriate for the endpoint.
8
Procedure
1 Select Infrastructure > Endpoints > Endpoints.
2 Select New > Virtual > Hyper-V (SCVMM).
3 Enter a name in the Name text box.
4 (Optional) Enter a description in the Description text box.
5 Enter the URL for the endpoint in the Address text box.
The URL must be of the type: FQDN or IP_address. For example: mycompany-scvmm1.mycompany.local.
6 Enter the administrative-level user name and password that you stored for this endpoint.
4 Enter the URL for the endpoint in the Address text box.
Option | Description
PowerVC | The URL must be of the format http://myPowerVC.com:5000 or http://FQDN:5000.
Openstack | The URL must be of the format FQDN:5000 or IP_address:5000. Do not include the /v2.0 suffix in the endpoint address.
5 Enter your administrative-level user name and password.
The credentials you provide must have the administrator role in the OpenStack tenant associated with the endpoint.
2 Enter the fully qualified DNS name of your Hyper-V server, Xen server, or Xen pool master in the Compute resource text box.
Note: For a Xen pool endpoint, you must enter the name of the pool master. To avoid duplicate entries in the vRealize Automation compute resource table, specify an address that matches the configured Xen pool master address. For example, if the Xen pool master address uses the host name, enter the host name and not the FQDN.
If you receive errors when running Test Connection on upgraded or migrated endpoints, see Considerations When Working With Upgraded or Migrated Endpoints for steps needed to establish certificate trust.
Import or Export Endpoints Programmatically
To programmatically import and export endpoints in vRealize Automation 7.3 or later you must use either new vRealize Automation endpoint-configuration-service REST APIs or use vRealize CloudClient.
After upgrade or migration, the new Proxy endpoint name is Proxy_YYYYY where YYYYY is a hash of the proxy's URL, port, and credentials. If you used the same proxy settings (for example the same URL, port, and credentials) for a different endpoint (for example, a vCloud Air or Amazon endpoint), after upgrade or migration there is only one Proxy endpoint and an association between the vCloud Air and Amazon endpoint and the new Proxy endpoint.
If the Test Connection action is successful but some data collection or provisioning operations fail, you can install the same certificate on all the agent machines that serve the endpoint and on all DEM machines. Alternatively, you can uninstall the certificate from existing machines and repeat the preceding procedure for the failing endpoint.
- The vRealize Automation REST APIs that were used to programmatically create, edit, and delete endpoints in vRealize Automation 7.
- You can delete endpoints programmatically by using either the new CREATE, EDIT, and DELETE vRealize Automation endpoint-configuration-service REST APIs introduced in vRealize Automation 7.3 or by using vRealize CloudClient. You cannot delete endpoints by using the pre-vRealize Automation 7.3 endpoint-configuration-service REST APIs.
Create a Fabric Group
You can organize infrastructure resources into fabric groups and assign one or more fabric administrators to manage the resources in the fabric group. Fabric groups are required for virtual and cloud endpoints. You can grant the fabric administrator role to multiple users by either adding multiple users one at a time or by choosing an identity store group or custom group as your fabric administrator.
- Not begin with a hyphen.
- No other symbols, punctuation characters, or blank spaces can be used.
- No longer than 15 characters, including the digits, to conform to the Windows limit of 15 characters in host names. Longer host names are truncated when a machine is provisioned, and updated the next time data collection is run. However, for WIM provisioning names are not truncated and provisioning fails when the specified name is longer than 15 characters.
Network profiles are used to configure network settings when machines are provisioned. Network profiles also specify the configuration of NSX Edge devices that are created when you provision machines. You identify a network profile when you create reservations and blueprints. In a reservation, you can assign a network profile to a network path and specify any one of those paths for a machine component in a blueprint.
Table 2‑14. Available Network Types for a vRealize Automation Network Profile
Network Type | Description
External | Existing network configured on the vSphere server. External networks are the external part of the NAT and routed network types. An external network profile can define a range of static IP addresses available on the external network.
You can assign a network profile to a vSphere machine component in a blueprint by adding an existing, on-demand NAT, or on-demand routed network component to the design canvas and selecting a network profile to which to connect the vSphere machine component. You can also assign network profiles to blueprints by using the custom property VirtualMachine.NetworkN.ProfileName, where N is the network identifier.
You can add or change the IP addresses in a network profile range by importing from a CSV file or by entering values manually. Alternatively, you can allow a third-party IPAM provider to supply IP addresses.
- Import an initial range of IP addresses into a vRealize Automation network profile.
- Apply the imported values to create our first named network range in the network profile.
- Delete one or more IP addresses from the network range vRealize Automation.
  d. Enter the end IP address of the range.
- Click Import from CSV.
  a. Browse to and select the CSV file or drag the CSV file into the Import from CSV dialog box.
     A row in the CSV file has the format ip_address, machine_name, status, NIC offset. For example:
     100.10.100.1,mymachine01,Allocated
CSV Field | Description
ip_address | An IP address in IPv4 format.
machine_name | Name of a managed machine in vRealize Automation. If the field is empty, the default is no name.
Create an External Network Profile By Using the Supplied IPAM Endpoint
You can create an external network profile to define network properties and a range of static IP addresses for use when provisioning machines on an existing network. You can define one or more network ranges of static IP addresses in the network profile for use in provisioning a machine.
5. Enter an IP subnet mask in the Subnet mask text box. The subnet mask specifies the size of the entire routable address space that you want to define for your network profile. For example, enter 255.255.0.0.
6. Enter an Edge or routed gateway address in the Gateway text box. Use a standard IPv4 address format. For example, enter 10.10.110.1. The gateway IP address defined in the network profile is assigned to the NIC during allocation.
Procedure
1. Click the Network Ranges tab.
2. Click New to enter a new network range name and IP address range manually or click Import from CSV to import the IP address information from a properly formatted CSV file.
- Click New.
  a. Enter a network range name.
  b. Enter a network range description.
  c. Enter the start IP address of the range.
  d. Enter the end IP address of the range.
- Click Import from CSV.
6. (Optional) Select a status type from the IP status drop-down menu to filter IP address entries to only those that match the selected IP status. Status settings are allocated, unallocated, destroyed, and expired. For IP addresses that are in an expired or destroyed state, you can click Reclaim to make those IP address ranges available for allocation. You must save the profile for the reclamation to take effect.
Specify External Network Profile Information By Using a Third-Party IPAM Endpoint
An external network profile identifies network properties and settings for an existing network. An external network profile is a requirement of NAT and routed network profiles. If you registered and configured an IPAM endpoint in vRealize Orchestrator, you can specify that IP address information be supplied by an IPAM provider.
vRealize Automation only saves external IPAM range IDs in the database, not range details. If you edit a network profile on this page or on a blueprint, vRealize Automation calls the IPAM service to get range details based on the selected range IDs.
Note: There is a known issue with some third-party IPAM providers in which a query can time out when returning network ranges, resulting in an empty list.
4. Click OK. The IP range name appears in the defined ranges list. The IP addresses in the range appear in the defined IP addresses list. The uploaded IP addresses appear on the IP Addresses page when you click Apply or after you save and then edit the network profile.
5. Click OK to complete the network profile.
What to do next
You can assign a network profile to a network path in a reservation or a blueprint architect can specify the network profile in a blueprint.
2. Configure Routed Network Profile IP Ranges with the vRealize Automation IPAM Endpoint
   You can define one or more ranges of static IP addresses for use in provisioning a network.
Specify Routed Network Profile Information with the vRealize Automation IPAM Endpoint
The network profile information identifies the routed network properties, its underlying external network profile, and other values used in provisioning the network when using the supplied IPAM endpoint.
9. Click the DNS tab.
10. Enter DNS and WINS values as needed. DNS values are used for DNS name registration and resolution. The DNS and WINS fields are optional if you are using an internal IPAM endpoint. If you are using an external IPAM endpoint, the DNS and WINS values are provided by the third-party IPAM provider.
  a. (Optional) Enter a Primary DNS server value.
  b. (Optional) Enter a Secondary DNS server value.
  c. (Optional) Enter a DNS suffixes value.
When you use a third-party IPAM endpoint in your routed network profile, the provider creates new IP ranges for each instance of the on-demand network. You can use IP ranges obtained from the supplied VMware IPAM endpoint or from a third-party IPAM service provider endpoint that you have registered and configured in vRealize Orchestrator, such as Infoblox IPAM. An IP range is created from an IP block during allocation.
6. Select a value in the Range subnet mask text box drop-down menu to determine how many network subnets are created for provisioning. For example, enter 255.255.255.0. The range subnet mask defines how you want to partition that space into individual address blocks that are allocated to every deployment instance of that network profile. When choosing a value for the range subnet mask, consider the number of deployments that you expect to use the routed network.
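The following added example (not part of the VMware documentation) works through the sizing question above: how many per-deployment address blocks a range subnet mask yields inside the profile's subnet mask, and whether that covers the expected number of deployments. The function name, the base address 10.10.0.0, and the deployment counts are constructed for illustration.

```python
import ipaddress
from itertools import islice


def plan_routed_ranges(base_ip, subnet_mask, range_subnet_mask, expected_deployments):
    """Partition the profile address space into per-deployment blocks.

    base_ip / subnet_mask  -> the whole routable space of the network profile
    range_subnet_mask      -> size of the block handed to each deployment
    Raises ValueError when the masks are malformed, when base_ip has host bits
    set for subnet_mask, or when the range mask is wider than the space itself.
    """
    # strict=True rejects a base address that is not on the network boundary.
    space = ipaddress.IPv4Network("%s/%s" % (base_ip, subnet_mask), strict=True)
    range_prefix = ipaddress.IPv4Network("0.0.0.0/%s" % range_subnet_mask).prefixlen
    if range_prefix < space.prefixlen:
        raise ValueError("range subnet mask must not be shorter than the subnet mask")

    block_count = 2 ** (range_prefix - space.prefixlen)
    block_size = 2 ** (32 - range_prefix)
    # Assumption: network and broadcast addresses are not assignable to machines.
    usable = block_size - 2 if range_prefix <= 30 else block_size

    first_blocks = [str(b) for b in islice(space.subnets(new_prefix=range_prefix), 3)]
    return {
        "space": str(space),
        "block_count": block_count,
        "usable_per_block": usable,
        "first_blocks": first_blocks,
        "fits": expected_deployments <= block_count,
    }


if __name__ == "__main__":
    # Masks are the ones used as examples on this page; the base address is constructed.
    for deployments in (200, 300):
        plan = plan_routed_ranges("10.10.0.0", "255.255.0.0", "255.255.255.0", deployments)
        print(deployments, "deployments:", plan)
```

With the page's example masks, the /16 space splits into 256 blocks of 254 usable addresses, so 200 expected deployments fit and 300 do not.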
2. Add one or more IP blocks, or IPAM provider ranges, by using the provider-specific search syntax or selecting from the Search drop-down menu. The IP blocks are retrieved from the third-party IPAM provider. Selecting a network range may result in an empty list when using a third-party IPAM provider. For details, see Knowledge Base article 2148656 at http://kb.vmware.com/kb/2148656.
  a. Click Add.
  b. Click Search.
Specify NAT Network Profile Information with the vRealize Automation IPAM Endpoint
The network profile identifies the NAT network properties, underlying external network profile, NAT type, and other values used to provision the network by using the embedded vRealize Automation IPAM. If you want to create a NAT network profile that uses a third-party IPAM endpoint, see Specify NAT Network Profile Information with a Third-Party IPAM Endpoint.
8. Enter an Edge or routed gateway address in the Gateway text box. Use a standard IPv4 address format. For example, enter 10.10.110.1. The gateway IP address defined in the network profile is assigned to the NIC during allocation. If no value is assigned in the Gateway text box in the network profile, then you must use the VirtualMachine.Network0.Gateway custom property when provisioning the Edge machine.
2. Click New to enter a new network range name and IP address range manually or click Import from CSV to import the IP address information from a properly formatted CSV file.
- Click New.
  a. Enter a network range name.
  b. Enter a network range description.
  c. Enter the start IP address of the range.
  d. Enter the end IP address of the range.
- Click Import from CSV.
  a. Browse to and select the CSV file or drag the CSV file into the Import from CSV dialog box.
6. (Optional) Select a status type from the IP status drop-down menu to filter IP address entries to only those that match the selected IP status. Status settings are allocated, unallocated, destroyed, and expired. For IP addresses that are in an expired or destroyed state, you can click Reclaim to make those IP address ranges available for allocation. You must save the profile for the reclamation to take effect.
- Create an external network profile. See Create an External Network Profile By Using the Supplied IPAM Endpoint or Create an External Network Profile by Using A Third-Party IPAM Provider.
- Create and configure a third-party IPAM endpoint. See Create a Third-Party IPAM Provider Endpoint.
Procedure
1. Select Infrastructure > Reservations > Network Profiles.
2. Click New and select NAT from the drop-down menu.
3. Enter a name and, optionally, a description.
8. Enter an Edge or routed gateway address in the Gateway text box. Use a standard IPv4 address format. For example, enter 10.10.110.1. The gateway IP address defined in the network profile is assigned to the NIC during allocation. If no value is assigned in the Gateway text box in the network profile, then you must use the VirtualMachine.Network0.Gateway custom property when provisioning the Edge machine.
9. Click the DNS tab.
10. Enter DNS and WINS values as needed.
  d. Enter the end IP address of the range.
- Click Import from CSV.
  a. Browse to and select the CSV file or drag the CSV file into the Import from CSV dialog box.
     A row in the CSV file has the format ip_address, machine_name, status, NIC offset. For example:
     100.10.100.1,mymachine01,Allocated
CSV Field | Description
ip_address | An IP address in IPv4 format.
machine_name | Name of a managed machine in vRealize Automation. If the field is empty, the default is no name.
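A pre-import check for the CSV layout described in both Import from CSV procedures above, given here as an added example that is not part of the VMware documentation. It assumes that trailing fields may be omitted (as in the page's three-field example row), that the accepted status names are the four listed for the IP status filter, and that NIC offset is a non-negative integer; the function name and sample rows are constructed.

```python
import csv
import io
import ipaddress

# Status names listed for the IP status filter on this page.
KNOWN_STATUSES = {"allocated", "unallocated", "destroyed", "expired"}

# Constructed sample file: rows 3, 4, 5, 6 and 8 each contain one defect.
SAMPLE_CSV = """\
100.10.100.1,mymachine01,Allocated
100.10.100.2,,Unallocated
100.10.100.2,mymachine02,Allocated
100.10.300.7,mymachine03,Allocated
192.168.5.9,mymachine04,Allocated
100.10.100.3,mymachine05,Reserved
100.10.100.4,mymachine06,Allocated,1
100.10.100.5,mymachine07,Allocated,eth0
"""


def validate_ip_csv(text, network=None):
    """Check CSV text laid out as ip_address,machine_name,status,NIC offset.

    Returns (rows, errors): rows holds a dict for every line that passed,
    errors holds (line_number, message) for every line that did not.
    network is an optional CIDR string; addresses outside it are rejected.
    """
    net = ipaddress.IPv4Network(network) if network else None
    rows, errors, first_seen = [], [], {}

    for lineno, fields in enumerate(csv.reader(io.StringIO(text)), start=1):
        fields = [f.strip() for f in fields]
        if not any(fields):
            continue  # blank line
        if len(fields) > 4:
            errors.append((lineno, "expected at most 4 fields, got %d" % len(fields)))
            continue
        # Assumption: trailing fields may be left out, as in the 3-field example row.
        ip_raw, name, status, offset = fields + [""] * (4 - len(fields))

        try:
            ip = ipaddress.IPv4Address(ip_raw)
        except ipaddress.AddressValueError:
            errors.append((lineno, "not a valid IPv4 address: %r" % ip_raw))
            continue
        if net is not None:
            if ip not in net:
                errors.append((lineno, "%s is outside %s" % (ip, net)))
                continue
            if net.prefixlen < 31 and ip in (net.network_address, net.broadcast_address):
                errors.append((lineno, "%s is the network or broadcast address" % ip))
                continue
        if ip in first_seen:
            errors.append((lineno, "%s duplicates line %d" % (ip, first_seen[ip])))
            continue
        first_seen[ip] = lineno

        if status and status.lower() not in KNOWN_STATUSES:
            errors.append((lineno, "unknown status: %r" % status))
            continue
        # Assumption: NIC offset, when present, is a non-negative integer.
        if offset and not (offset.isascii() and offset.isdigit()):
            errors.append((lineno, "NIC offset is not a non-negative integer: %r" % offset))
            continue

        rows.append({
            "ip": str(ip),
            "machine_name": name,          # empty string means no name
            "status": status.lower(),
            "nic_offset": int(offset) if offset else None,
        })
    return rows, errors


if __name__ == "__main__":
    good, bad = validate_ip_csv(SAMPLE_CSV, network="100.10.0.0/16")
    print("accepted:", [r["ip"] for r in good])
    for lineno, message in bad:
        print("line %d: %s" % (lineno, message))
```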
When you destroy a machine that has a static IP address, its IP address is made available for other machines to use. Unused addresses might not be available immediately because the process to reclaim static IP addresses runs every 30 minutes. If you are using a third-party IPAM provider, vRealize Automation deletes the associated IP addresses by using the vRealize Orchestrator workflow in the third-party IPAM provider plug-in or package.
- Azure
- Hyper-V (SCVMM)
- Hyper-V Stand-alone
- KVM (RHEV)
- OpenStack
- XenServer
You can configure security settings for the virtual machines to be provisioned by specifying information in a reservation, blueprint, or guest agent script. If the machines to be provisioned require a guest agent, you must add a security rule that contains that requirement to the reservation or the blueprint.
Table 2‑15. Choosing a Reservation Scenario (Continued)
Scenario | Procedure
Create a reservation to allocate resources on an OpenStack resource. | Create an OpenStack Reservation
Create a reservation to allocate resources for SCVMM. | Create a Reservation for Hyper-V, KVM, SCVMM, vSphere, or XenServer
Create a reservation to allocate resources for XenServer.
The reservation for which a machine is provisioned must satisfy the following criteria:
- The reservation must be of the same platform type as the blueprint from which the machine was requested.
- The reservation must be enabled.
- The reservation must have capacity remaining in its machine quota or have an unlimited quota. The allocated machine quota includes only machines that are powered on.
If multiple reservations meet all of the criteria, the reservation from which to provision a requested machine is determined by the following logic:
- A reservation with a lower priority value is selected before a reservation with a higher priority value.
- If multiple reservations have the same priority, the reservation with the lowest percentage of its machine quota allocated is selected.
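The selection rules above, modelled as an added example (not VMware code, and not the product's implementation) that also reports why each rejected reservation was skipped. It covers only the criteria and ordering rules visible on this page; the class, function names, and sample reservations are constructed, and treating an unlimited quota as 0% allocated is an assumption of the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Reservation:
    name: str
    platform: str                 # platform type, e.g. "vSphere" or "Amazon"
    enabled: bool
    priority: int                 # a lower value is selected first
    machine_quota: Optional[int]  # None means unlimited
    powered_on: int               # only powered-on machines count against the quota

    def quota_used_pct(self) -> float:
        # Assumption of this example: an unlimited quota counts as 0% allocated.
        if not self.machine_quota:
            return 0.0
        return 100.0 * self.powered_on / self.machine_quota


def rejection_reason(res: Reservation, blueprint_platform: str) -> Optional[str]:
    """Return why a reservation fails the listed criteria, or None if it passes."""
    if res.platform != blueprint_platform:
        return "platform type differs from blueprint"
    if not res.enabled:
        return "reservation is disabled"
    if res.machine_quota is not None and res.powered_on >= res.machine_quota:
        return "machine quota exhausted"
    return None


def select_reservation(
    reservations: List[Reservation], blueprint_platform: str
) -> Tuple[Optional[Reservation], Dict[str, str]]:
    """Pick a reservation by priority, then by lowest percentage of quota allocated."""
    rejected: Dict[str, str] = {}
    eligible: List[Reservation] = []
    for res in reservations:
        reason = rejection_reason(res, blueprint_platform)
        if reason:
            rejected[res.name] = reason
        else:
            eligible.append(res)
    # sort() is stable: reservations equal on both keys keep their input order,
    # because any further tie-breaking is not shown on this page.
    eligible.sort(key=lambda r: (r.priority, r.quota_used_pct()))
    return (eligible[0] if eligible else None), rejected


# Constructed sample data.
SAMPLE_RESERVATIONS = [
    Reservation("res-a", "vSphere", True, 2, 10, 1),
    Reservation("res-b", "vSphere", True, 1, 10, 8),   # 80% allocated
    Reservation("res-c", "vSphere", True, 1, 20, 5),   # 25% allocated
    Reservation("res-d", "vSphere", False, 0, None, 0),
    Reservation("res-e", "Amazon", True, 0, None, 0),
    Reservation("res-f", "vSphere", True, 1, 4, 4),    # quota full
]

if __name__ == "__main__":
    chosen, skipped = select_reservation(SAMPLE_RESERVATIONS, "vSphere")
    print("selected:", chosen.name if chosen else None)
    for name, reason in skipped.items():
        print("skipped %s: %s" % (name, reason))
```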
Procedure
1. Specify Amazon Reservation Information
   Each reservation is configured for a specific business group to grant them access to request machines on a specified compute resource.
2. Specify Resource and Network Settings for Amazon Reservations
   Specify resource and network settings for provisioning machines from this vRealize Automation reservation.
4. Enter a name in the Name text box.
5. Select a tenant from the Tenant drop-down menu.
6. Select a business group from the Business group drop-down menu. Only users in this business group can provision machines by using this reservation.
7. (Optional) Select a reservation policy from the Reservation policy drop-down menu. This option requires that one or more reservation policies exist. You can edit the reservation later to specify a reservation policy.
3. (Optional) Enter a number in the Machine quota text box to set the maximum number of machines that can be provisioned on this reservation. Only machines that are powered on are counted towards the quota. Leave blank to make the reservation unlimited.
4. Select a method of assigning key pairs to compute instances from the Key pair drop-down menu.
Option | Description
Not Specified | Controls key pair behavior at the blueprint level rather than the reservation level.
You can associate custom properties with a vRealize Automation reservation. You can also configure alerts to send email notifications when reservation resources are low. Custom properties and email alerts are optional configurations for the reservation. If you do not want to associate custom properties or set alerts, click Save to finish creating the reservation. You can add as many custom properties as apply to your needs.
Create an OpenStack Reservation
You must allocate resources to machines by creating a reservation before members of a business group can request machine provisioning. Create an OpenStack reservation.
Procedure
1. Specify OpenStack Reservation Information
   Each reservation is configured for a specific business group to grant them access to request machines on a specified compute resource.
3. (Optional) Select an existing reservation from the Copy from existing reservation drop-down menu. Data from the selected reservation appears. You can make changes as required for your new reservation.
4. Enter a name in the Name text box.
5. Select a tenant from the Tenant drop-down menu.
6. Select a business group from the Business group drop-down menu. Only users in this business group can provision machines by using this reservation.
3. (Optional) Enter a number in the Machine quota text box to set the maximum number of machines that can be provisioned on this reservation. Only machines that are powered on are counted towards the quota. Leave blank to make the reservation unlimited.
4. Select a method of assigning key pairs to compute instances from the Key pair drop-down menu.
Option | Description
Not Specified | Controls key pair behavior at the blueprint level rather than the reservation level.
Specify Custom Properties and Alerts for OpenStack Reservations
You can associate custom properties with a vRealize Automation reservation. You can also configure alerts to send email notifications when reservation resources are low. Custom properties and email alerts are optional configurations for the reservation. If you do not want to associate custom properties or set alerts, click Save to finish creating the reservation.
Create a vCloud Air Reservation
You must allocate resources to machines by creating a vRealize Automation reservation before members of a business group can request machine provisioning. Each business group must have at least one reservation for its members to provision machines of that type.
Procedure
1. Specify vCloud Air Reservation Information
   You can create a reservation for each vCloud Air machine subscription or OnDemand resource.
Procedure
1. Select Infrastructure > Reservations > Reservations.
2. Click the New icon and select the type of reservation to create. The available cloud reservation types are Amazon, OpenStack, vCloud Air, and vCloud Director. Select vCloud Air.
3. (Optional) Select an existing reservation from the Copy from existing reservation drop-down menu. Data from the selected reservation appears. You can make changes as required for your new reservation.
For integrations that use Storage Distributed Resource Scheduler (SDRS) storage, you can select a storage cluster to allow SDRS to automatically handle storage placement and load balancing for machines provisioned from this reservation. The SDRS automation mode must be set to Automatic. Otherwise, select a datastore within the cluster for standalone datastore behavior. SDRS is not supported for FlexClone storage devices.
8. Configure a network path for machines provisioned by using this reservation.
  a. (Optional) If the option is available, select a storage endpoint from the Endpoint drop-down menu. The FlexClone option is visible in the endpoint column if a NetApp ONTAP endpoint exists and if the host is virtual. If there is a NetApp ONTAP endpoint, the reservation page displays the endpoint assigned to the storage path.
5. (Optional) Check the Encrypted check box to encrypt the property value.
6. (Optional) Check the Prompt User check box to require that the user enter a value. This option cannot be overridden when provisioning.
7. Click Save.
8. (Optional) Add any additional custom properties.
9. Click the Alerts tab.
10. Enable the Capacity Alerts check box to configure alerts to be sent.
11. Use the slider to set thresholds for available resource allocation.
What to do next
You can configure optional reservation policies or begin preparing for provisioning. Users who are authorized to create blueprints can create them now.
Specify vCloud Director Reservation Information
You can create a reservation for each vCloud Director organization virtual datacenter (VDC). Each reservation is configured for a specific business group to grant them access to request machines on a specified compute resource.
7. (Optional) Select a reservation policy from the Reservation policy drop-down menu. This option requires that one or more reservation policies exist. You can edit the reservation later to specify a reservation policy. You use a reservation policy to restrict provisioning to specific reservations.
8. Enter a number in the Priority text box to set the priority for the reservation. The priority is used when a business group has more than one reservation.
4. (Optional) Enter a number in the Machine quota text box to set the maximum number of machines that can be provisioned on this reservation. Only machines that are powered on are counted towards the quota. Leave blank to make the reservation unlimited.
5. Specify the amount of memory, in GB, to be allocated to this reservation from the Memory table. The overall memory value for the reservation is derived from your compute resource selection.
You can associate custom properties with a vRealize Automation reservation. You can also configure alerts to send email notifications when reservation resources are low. Custom properties and email alerts are optional configurations for the reservation. If you do not want to associate custom properties or set alerts, click Save to finish creating the reservation. You can add as many custom properties as apply to your needs.
Create a Reservation for Microsoft Azure
Create an Azure reservation for a specific business group to grant users in that group the ability to request Azure virtual machines on a specified compute resource. If your deployment supports single sign-on through a VPN tunnel, you can configure support for this functionality with Azure virtual machines using the settings on the Properties tab.
Note: Ignore the Alerts tab when creating an Azure reservation as it does not apply.
5. Select a business group from the Business group drop-down menu. Only users in this business group can provision machines by using this reservation.
6. Ignore the Reservation policy text box, as it does not apply to Azure reservations.
7. Enter a number in the Priority text box to set the priority for the reservation. The priority is used when a business group has more than one reservation.
4. Click New in the Storage Accounts table.
  a. Paste the appropriate Storage Account name information from your Azure instance in the Name text box.
     Note: The Name box cannot be left empty.
  b. Assign a numerical priority value in the Priority text box.
  c. Click Save to add the Storage Account to the reservation.
This assignment determines priority when a reservation has more than one Storage Account, with lower numbers taking precedence.
These scripts install Azure extensions required to support VPN tunneling. There are two scripts: script.ps1 and script.sh. The .ps1 file is for Windows systems, and the .sh file is for Linux systems.
  a. Run https://vrealize-automation-appliance-fqdn/software to open the VMware vRealize Automation Appliance page.
  b. Click the Guest and software agents link under the To install vRealize Automation components (IaaS, Guest and Software Agents, Tools) heading.
Procedure
1. Click New in the Networks table to configure the appropriate Azure virtual network to use with your virtual machine.
  a. Paste the appropriate vNet name information from your Azure instance into the vNet text box.
  b. Paste the appropriate Subnet name information from your Azure instance into the Subnet text box. The Subnet specification is optional. If you leave this box empty, the subnet of the specified vNet is used by default.
Scenario: Create an Amazon Reservation for a Proof of Concept Environment
Because you used an SSH tunnel to temporarily establish network-to-Amazon VPC connectivity for your proof of concept environment, you have to add custom properties to your Amazon reservations to ensure the Software bootstrap agent and guest agent run communications through the tunnel.
Procedure
1. Select Infrastructure > Reservations > Reservations.
2. Click the New icon and select the type of reservation to create. Select Amazon.
3. Enter Amazon Tunnel POC in the Name text box.
4. Select the business group you created for your blueprint architects from the Business Group drop-down menu.
5. Enter a 1 in the Priority text box to set this reservation as the highest priority.
You need to add tunnel custom properties on the reservation to configure the agents to access those ports.
Note: If you are using a PAT or NAT system network between your organization's network and the vRealize Automation network, you can use these properties to access your private IP address and port.
Procedure
1. Click the Properties tab.
2. Click New.
3. Configure the tunnel custom properties.
To provision successfully, the reservation must have sufficient available storage. The reservation's storage availability depends on:
- How much storage is available on the datastore/cluster.
- How much of that storage is reserved for that datastore/cluster.
If the value of the custom property VRM.Datacenter.Policy is Exact and there is no reservation for a compute resource associated with that location that satisfies all the other criteria, then provisioning fails. If the value of VRM.Datacenter.Policy is NotExact and there is no reservation for a compute resource associated with that location that satisfies all the other criteria, provisioning can proceed on another reservation regardless of location.
If you have configured NSX you can specify NSX transport zone, Edge and routed gateway reservation policy, and app isolation settings when you create or edit a blueprint. These settings are available on the NSX Settings tab on the Blueprint and Blueprint Properties pages.
Each business group must have at least one reservation for its members to provision machines of that type. For example, a business group with a vSphere reservation, but not a KVM (RHEV) reservation, cannot request a KVM (RHEV) virtual machine. In this example, the business group must be allocated a reservation specifically for KVM (RHEV) resources.
3. (Optional) Select an existing reservation from the Copy from existing reservation drop-down menu. Data from the selected reservation appears. You can make changes as required for your new reservation.
4. Enter a name in the Name text box.
5. Select a tenant from the Tenant drop-down menu.
6. Select a business group from the Business group drop-down menu. Only users in this business group can provision machines by using this reservation.
Procedure
1. Click the Resources tab.
2. Select a compute resource on which to provision machines from the Compute resource drop-down menu. Only templates located on the cluster you select are available for cloning with this reservation. During provisioning, machines are placed on a host that is connected to the local storage.
8. Configure a network path for machines provisioned by using this reservation.
  a. (Optional) If the option is available, select a storage endpoint from the Endpoint drop-down menu. The FlexClone option is visible in the endpoint column if a NetApp ONTAP endpoint exists and if the host is virtual. If there is a NetApp ONTAP endpoint, the reservation page displays the endpoint assigned to the storage path.
6. (Optional) Check the Prompt User check box to require that the user enter a value. This option cannot be overridden when provisioning.
7. (Optional) Add any additional custom properties.
8. Click the Alerts tab.
9. Enable the Capacity Alerts check box to configure alerts to be sent.
10. Use the slider to set thresholds for available resource allocation.
11. Enter the AD user or group names (not email addresses) to receive alert notifications in the Recipients text box.
Procedure
1. Select Infrastructure > Reservations > Reservations.
2. Point to a reservation and click Edit.
3. Click the Network tab.
4. Assign a network profile to a network path.
  a. Select a network path on which to enable static IP addresses. The network path options are derived from settings on the Resources tab.
  b. Map an available network profile to the path by selecting a profile from the Network Profile drop-down menu.
You can add multiple reservations to a reservation policy, but a reservation can belong to only one policy. You can assign a single reservation policy to more than one blueprint. A blueprint can have only one reservation policy.
Note: Reservations defined for vCloud Air endpoints and vCloud Director endpoints do not support the use of network profiles for provisioning machines.
Procedure
1. Select Infrastructure > Reservations > Reservation Policies.
2. Click Add.
3. Enter a name in the Name text box.
4. Select Reservation Policy from the Type drop-down menu.
5. Enter a description in the Description text box.
6. Click Update to save the policy.
Assign a Reservation Policy to a Reservation
You can assign a reservation policy to a reservation when you create the reservation.
A storage reservation policy is essentially a tag applied to one or more datastores or storage profiles by a fabric administrator to group datastores or storage profiles that have similar characteristics, such as speed or price. A datastore or storage profile can be assigned to only one storage reservation policy at a time, but a storage reservation policy can have many different datastores or storage profiles.
You can control the display of reservation policies when adding, editing, or deleting by using the Filter By Type option on the Reservation Policies page.
Prerequisites
Log in to the vRealize Automation console as a fabric administrator.
Procedure
1. Select Infrastructure > Reservations > Reservation Policies.
2. Click Add.
3. Enter a name in the Name text box.
4. Select Storage Reservation Policy from the Type drop-down menu.
Workload Placement
When you deploy a blueprint, workload placement uses collected data to recommend where to deploy the blueprint based on available resources. vRealize Automation and vRealize Operations Manager work together to provide placement recommendations for workloads in the deployment of new blueprints.
Table 2‑16. Considerations to Provision Virtual Machines
Consideration | Effect
Policies | The vRealize Automation reservation policy might indicate more than one reservation.
Reservations | vRealize Automation evaluates the request, and determines which reservations can satisfy the constraints made in the request.
Table 2‑18. Users and Roles to Provision Blueprints
Step | User | Action | Role Required
1 | Cloud Administrator or Virtual Infrastructure (VI) Administrator | Ensures that the initial placement of virtual machines meets organizational policies, and that they are optimized according to the operational analytics data. | IaaS Admin role
1 | Fabric Administrator | Defines the reservations, reservation policies, and placement policy in vRealize Automation.
Table 2‑18. Users and Roles to Provision Blueprints (Continued)

Step | User | Action | Role Required
6 | Fabric Administrator | Selects the placement policy in vRealize Automation. Use the workload placement policy to have vRealize Automation determine where to place machines when you deploy new blueprints. The placement policy requires input from vRealize Operations Manager. | Fabric Administrator role
7 | Developer | Requests a blueprint to provision virtual machines.
- vRealize Operations Manager does not support workload placement on resource pools in vCenter Server.
- vRealize Operations Manager does not support vSAN in the current release.

Permissions to Configure Workload Placement

You must have permissions in vRealize Automation and vRealize Operations Manager to configure workload placement and the placement policy. In vRealize Automation, you must have the Fabric Administrator role to configure workload placement.
To use the workload placement analytics that vRealize Operations Manager provides, select Use vRealize Operations Manager for placement recommendations. If you do not use the workload placement policy, vRealize Automation uses the default placement method.

Configuring Workload Placement

To use the placement policy to place machines when you deploy new blueprints, you configure vRealize Automation to use the analytics that vRealize Operations Manager provides.
2 Configure vRealize Operations Manager for Workload Placement in vRealize Automation
To provide workload placement analytics to vRealize Automation to place machines when you deploy new blueprints, you must prepare the vRealize Operations Manager instance.

You configured vRealize Automation and vRealize Operations Manager to use workload placement analytics to suggest placement destinations for new blueprints.
[Flowchart: Does an endpoint exist for the vRealize Operations Manager instance? No: Create a vRealize Operations Manager endpoint (Infrastructure > Endpoints > Endpoints). Does an endpoint exist for the vCenter Server in the vRealize Automation instance used for workload placement? No: Create a vSphere endpoint (Infrastructure > Endpoints > Endpoints). Add reservations to the vCenter Server endpoint.]
Procedure
1 In your vRealize Automation instance, add an endpoint for the vRealize Operations Manager instance, and click OK.
  a Select Infrastructure > Endpoint > Endpoints.
  b Select New > Management > vRealize Operations Manager.
  c Enter the general information for the vRealize Operations Manager endpoint. You do not need to specify properties for the endpoint.
2 In your vRealize Automation instance, add an endpoint for the vCenter Server instance, and click OK.
4 5 Create reservations for the compute resources in the vCenter Server instance.
  a Select Infrastructure > Reservations > Reservations.
  b Select New > vSphere (vCenter).
  c On each tab, enter the information for the reservation.

Option | Action
General | Select a reservation policy, the priority for the policy, and click Enable this reservation.
Resources | Select the machine quota, memory, and storage. You do not have to select a resource pool.
To allow workload placement to move virtual machines, those virtual machines must reside in a data center or custom data center.

[Flowchart: Is the vRealize Automation Solution installed and configured in the vRealize Operations Manager instance? No: Install and configure the vRealize Automation Solution in the vRealize Operations Manager instance. Are one or more policies configured to consolidate and balance workloads?]
- Verify that the vRealize Automation Solution is installed and configured in the vRealize Operations Manager instance that is being used for workload placement. For details about this solution, see the Management Pack for vRealize Automation on Solution Exchange.

For information about how workload placement works in vRealize Operations Manager, see Workload Automation Details and related topics in the vRealize Operations Manager documentation.
3 Configure a policy to consolidate and balance workloads on your clusters, and apply that policy to the custom group. You configure a policy in vRealize Operations Manager to establish the settings for consolidation, balance, fill, CPU, memory, and disk space. For example, you modify the setting named Consolidate Workloads to determine the best placement for new managed workloads based on the cluster status and capacity.
The vRealize Automation Solution Is Required for Workload Placement to Operate Properly

Workload placement is based on individual machines, and placement is done at the machine level. When vRealize Automation and vRealize Operations Manager are installed together, the vRealize Automation Solution must also be installed. The solution, which includes the management pack and adapter, identifies the clusters on which the rebalance container or move VM actions are disabled.
If the vRealize Automation solution, which includes the management pack and adapter, is not available in the vRealize Operations Manager, the move VM and rebalance container actions are available.

Managing Key Pairs

Key pairs are used to provision and connect to a cloud instance. A key pair is used to decrypt Windows passwords or to log in to a Linux machine. Key pairs are required for provisioning with Amazon AWS. For Red Hat OpenStack, key pairs are optional.
Upload the Private Key for a Key Pair

You can upload the private key for a key pair in PEM format.

Prerequisites
- Log in to the vRealize Automation console as a fabric administrator.
- You must already have a key pair. See Create a Key Pair.

Procedure
1 Select Infrastructure > Reservations > Key Pairs.
2 Locate the key pair for which you want to upload a private key.
3 Click the Edit icon.
4 Use one of the following methods to upload the key.
You have a datacenter in London, and a datacenter in Boston, and you don't want users in Boston provisioning machines on your London infrastructure or vice versa. To ensure that Boston users provision on your Boston infrastructure, and London users provision on your London infrastructure, you want to allow users to select an appropriate location for provisioning when they request machines.

Prerequisites
- Log in to the vRealize Automation console as a fabric administrator.
Table 2‑19. Preparing for Provisioning a vRealize Automation Deployment Using Infoblox IPAM Checklist

Task | Description | Details
Obtain, import, and configure the third-party IPAM solution provider plug-in or package. | Obtain and import the vRealize Orchestrator plug-in, run the vRealize Orchestrator configuration workflows, and register the IPAM provider endpoint type in vRealize Orchestrator. | See Checklist For Providing Third-Party IPAM Provider Support.
When you add a vRealize Orchestrator plug-in as an endpoint by using the vRealize Automation UI, you run a configuration workflow in the default vRealize Orchestrator server. The configuration workflows are located in the vRealize Automation > XaaS > Endpoint Configuration workflows folder.

Important: Configuring a single plug-in in vRealize Orchestrator and in the vRealize Automation console is not supported and results in errors.
c Enter the root element of the Active Directory service in the Root text box. For example, if your domain name is mycompany.com, then your root Active Directory is dc=mycompany,dc=com. This node is used for browsing your service directory after entering the appropriate credentials. For large service directories, specifying a node in the tree narrows the search and improves performance.
Procedure
1 Select Administration > Endpoints > OrchestratorEndpoints.
2 Click the New icon.
3 Select HTTP-REST from the Plug-in drop-down menu.
4 Click Next.
5 Enter a name and, optionally, a description.
6 Click Next.
7 Provide information about the REST host.
  a Enter the name of the host in the Name text box.
  b Enter the address of the host in the URL text box.
10 Select the authentication type.

Option | Action
None | No authentication is required.
OAuth 1.0 | Uses OAuth 1.0 protocol. You must provide the required authentication parameters under OAuth 1.0.
OAuth 2.0 |
  a Enter the key used to identify the consumer as a service provider in the Consumer key text box.
  b Enter the secret to establish ownership of the consumer key in the Consumer secret text box.
You configured the endpoint and added a REST host. XaaS architects can use XaaS to publish HTTP-REST plug-in workflows as catalog items and resource actions.

Configure the PowerShell Plug-In as an Endpoint

You can add an endpoint and configure the PowerShell plug-in to connect to a running PowerShell host, so that you can call PowerShell scripts and cmdlets from vRealize Orchestrator actions and workflows, and work with the result.
10 Click Finish.

You added a Windows PowerShell host as an endpoint. XaaS architects can use XaaS to publish PowerShell plug-in workflows as catalog items and resource actions.

Configure the SOAP Plug-In as an Endpoint

You can add an endpoint and configure the SOAP plug-in to define a SOAP service as an inventory object, and perform SOAP operations on the defined objects.

Prerequisites
- Verify that you have access to a SOAP host. The plug-in supports SOAP Version 1.
8 (Optional) Specify the proxy settings.
  a To use a proxy, select Yes from the Proxy drop-down menu.
  b Enter the IP of the proxy server in the Address text box.
  c Enter the port number to communicate with the proxy server in the Port text box.
9 Click Next.
10 Select the authentication type.

Option | Action
None | No authentication is required.
Basic | Provides basic access authentication. The communication with the host is in shared session mode.
- Log in to the vRealize Automation console as a tenant administrator.

Procedure
1 Select Administration > Endpoints > OrchestratorEndpoints.
2 Click the New icon.
3 Select vCenter Server from the Plug-in drop-down menu.
4 Click Next.
5 Enter a name and, optionally, a description.
6 Click Next.
7 Provide information about the vCenter Server instance.
  a
Create a Microsoft Azure Endpoint

You can create a Microsoft Azure endpoint to facilitate a credentialed connection between vRealize Automation and an Azure deployment. An endpoint establishes a connection to a resource, in this case an Azure instance, that you can use to create virtual machine blueprints. You must have an Azure endpoint to use as the basis of blueprints for provisioning Azure virtual machines.
- Log in to the vRealize Automation console as a tenant administrator.

Procedure
1 Select Administration > Endpoints > OrchestratorEndpoints.
2 Click the New icon.
3 On the Plug-in tab, click the Plug-in drop-down menu and select Azure Plug-in.
4 Click Next.
5 Enter a name and, optionally, a description.
6 Click Next.
7 Populate the text boxes on the Details tab as appropriate for the endpoint.

Parameter
What to do next
Create appropriate resource groups, storage accounts, and network security groups in Azure. You should also create load balancers if appropriate for your implementation.

Action | Options
Create an Azure resource group |
  - Create the resource group using the Azure portal. See the Azure documentation for specific instructions.
  - Use the appropriate vRealize Orchestrator workflow found under the Library/Azure/Resource/Create resource group.
The Hosts tab contains the controls for adding new hosts, monitoring the state of the provision requests of existing hosts, viewing event logs for your containers, and performing data collection on hosts. The Requests and Event Log panels are located on the right side of the page.

Add a Container Host

You must add a host to deploy containers.
Using Container Deployment Policies

You can link deployment policies to hosts and container definitions. You use deployment policies in Containers for vRealize Automation to set a preference for the specific host and quotas for when you deploy a container. Deployment policies that are applied to a container have a higher priority than placements that are applied to container hosts.
10 Select the maximum amount of memory that can be used. Select a number between 0 and the amount of memory available in the placement zone. This is the total memory available for resources in this placement. Enter 0 to specify no limit.
11 Click Save.

Set a Deployment Policy on a Host

Set a preference for the specific host and quotas for when you deploy a container.

Procedure
1 Create or edit a container host.
[Figure: Placement 1 (60 GB RAM), Placement 2 (50 GB RAM), Placement 3 (10 GB RAM); Placement Zone 120 GB RAM (= 16 + 32 + 8 + 64); Host 1 (16 GB RAM), Host 2 (32 GB RAM), Host 3 (8 GB RAM), Host 4 (64 GB RAM).]

When a container is provisioned, the placements are filtered based on the business group, available resources, and priority.
4 Edit the template or image.

Option | Description
To edit a template |
  - Click Edit in the upper-right section of the template that you want to open.
  - If the template contains multiple templates, point to the template that you want to edit, and click Edit in the upper-right section of the template that you want to open.
To edit an image. |

5 Click the Health Config tab.
6 Select a health mode.
Configure Links in Containers

Links and exposed services address communication across container services and load balancing across hosts. You can configure link settings for your containers in Containers. You can use links to enable communication between multiple services in your application. Links in Containers are similar to Docker links, but connect containers across hosts. A link consists of two parts: a service name and an alias.
4 Edit the template or image.

Option | Description
To edit a template |
  - Click Edit in the upper-right section of the template that you want to open.
  - If the template contains multiple templates, point to the template that you want to edit, and click Edit in the upper-right section of the template that you want to open.
To edit an image. |

5 6 Click the arrow next to the image's Provision button, and click Enter additional info.
- Verify that you have container administrator or container architect role privileges.

Procedure
1 Log in to vRealize Automation.
2 Click the Containers tab.
3 Click Templates in the left pane.
4 Edit the template or image.

Option | Description
To edit a template |
  - Click Edit in the upper-right section of the template that you want to open.
2 Click the Containers tab.
3 Click Templates in the left pane.
4 Edit the template or image.

Option | Description
To edit a template |
  - Click Edit in the upper-right section of the template that you want to open.
  - If the template contains multiple templates, point to the template that you want to edit, and click Edit in the upper-right section of the template that you want to open.
To edit an image. |

5 Click the Policy tab.
6 Set the container cluster size.
Prerequisites
- Verify that you have container administrator role privileges.

Procedure
1 Log in to the vRealize Automation console as a container administrator.
2 Click the Containers tab.
3 Click Templates in the left pane.
  A list displays the templates and images that are available for provisioning.
  - Configured templates in the Images view.
  - Existing or custom templates in the Template view.
Procedure
1 Click the Containers tab.
2 Click Templates in the left pane.
  A list displays the templates and images that are available for provisioning.
  - Configured templates in the Images view.
  - Existing or custom templates in the Template view.
  - All available templates and images based on your specified registries in the All view.
  The Import and Export options are also available to import or export templates and images.
2 Click Templates in the left pane.
  A list displays the templates and images that are available for provisioning.
  - Configured templates in the Images view.
  - Existing or custom templates in the Template view.
  - All available templates and images based on your specified registries in the All view.
  The Import and Export options are also available to import or export templates and images.
2 Click Templates in the left pane.
  A list displays the templates and images that are available for provisioning.
  - Configured templates in the Images view.
  - Existing or custom templates in the Template view.
  - All available templates and images based on your specified registries in the All view.
  The Import and Export options are also available to import or export templates and images.
3 Point to a template and click its Export icon.
Containers can interact with both Docker Registry HTTP API V1 and V2 in the following manner:

V1 over HTTP (unsecured, plain HTTP registry)
  You can freely search this kind of registry, but you must manually configure each Docker host with the --insecure-registry flag to provision containers based on images from insecure registries. You must restart the Docker daemon after setting the property.

V1 over HTTPS
  Use behind a reverse proxy, such as NGINX.
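Because the --insecure-registry setting is applied by hand on each Docker host, it is worth inventorying afterwards. The following Python script is an added example, not part of the VMware documentation or product: it collects the entries set either with the --insecure-registry flag or with the equivalent insecure-registries key in daemon.json, and marks each one as approved, unapproved, or an address range. The host names, registry addresses, and approved list are constructed sample data.

```python
"""Inventory Docker hosts for registries that are exempt from TLS verification.

Added example. Host names, registry addresses and the approved list below
are constructed sample data, not values from the product documentation.
"""
import ipaddress
import json
import shlex


def registries_from_daemon_json(text):
    """Return the "insecure-registries" entries of a daemon.json document."""
    if not text.strip():
        return []
    config = json.loads(text)
    return [str(entry) for entry in config.get("insecure-registries", [])]


def registries_from_command_line(cmdline):
    """Return the values passed with --insecure-registry to dockerd."""
    found = []
    args = shlex.split(cmdline)
    for i, arg in enumerate(args):
        if arg.startswith("--insecure-registry="):
            found.append(arg.split("=", 1)[1])
        elif arg == "--insecure-registry" and i + 1 < len(args):
            found.append(args[i + 1])
    return found


def classify(entry, approved):
    """Return 'range', 'approved' or 'unapproved' for one entry.

    A CIDR entry exempts every registry whose address falls inside it,
    so it is reported separately from single host[:port] entries.
    """
    try:
        network = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        network = None  # host[:port] form, not an IP address or CIDR
    if network is not None and network.num_addresses > 1:
        return "range"
    return "approved" if entry.lower() in approved else "unapproved"


def audit_host(name, daemon_json, cmdline, approved):
    """Return sorted (host, entry, verdict) tuples for one Docker host."""
    entries = set(registries_from_daemon_json(daemon_json))
    entries.update(registries_from_command_line(cmdline))
    approved = {item.lower() for item in approved}
    return [(name, e, classify(e, approved)) for e in sorted(entries)]


def audit_all(hosts, approved):
    """Audit every host in the mapping, in host-name order."""
    findings = []
    for name in sorted(hosts):
        host = hosts[name]
        findings.extend(
            audit_host(name, host["daemon_json"], host["cmdline"], approved)
        )
    return findings


# Constructed sample input: daemon.json text and dockerd command line per host.
SAMPLE_HOSTS = {
    "docker-host-01": {
        "daemon_json": '{"insecure-registries": ["registry.lab.example:5000"]}',
        "cmdline": "/usr/bin/dockerd -H fd://",
    },
    "docker-host-02": {
        "daemon_json": "",
        "cmdline": "/usr/bin/dockerd --insecure-registry 10.0.0.0/8 "
                   "--insecure-registry=old-registry.lab.example:5000",
    },
}
APPROVED = ["registry.lab.example:5000"]  # constructed allow list

if __name__ == "__main__":
    for host, entry, verdict in audit_all(SAMPLE_HOSTS, APPROVED):
        print(f"{host}: {entry} -> {verdict}")
```

Entries reported as unapproved or range are the ones to review and, where possible, replace with a registry served over HTTPS.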
4 Click Add.
5 Enter the registry address.
6 Enter a name for the registry.
7 Select your login credentials from the drop-down list.
8 (Optional) Click Verify to confirm that the configured parameters are valid.
9 Click Save to add the registry.

Configuring Network Resources for Containers

You can create, modify, and attach network configurations to containers and container templates in the Containers for vRealize Automation application.
7 Configure the advanced network configuration settings.

Option IPAM configuration Custom properties Description Subnet Provide subnet and gateway addresses that are unique to this network configuration. They must not overlap with any other networks on the same container host. Optionally, specify custom properties for the new network configuration. containers.ipam.driver For use with containers only.
Prerequisites
- Verify that you have a template available. If not, you must first create one.
- Verify that you have container administrator, container architect, or IaaS administrator role privileges.
- Verify that at least one host is configured and available for container network configuration.

Procedure
1 Log in to vRealize Automation.
2 Click the Containers tab.
3 Click Templates in the left pane.
Containers for vRealize Automation uses Docker volumes for persistent data management. With volumes you can perform the following tasks:
- Share volumes between different containers within the same host.
- Update data instantly.
- Save the volume data after the container is deleted.

Create a New Volume for Containers

To extend your container storage, you must first create a data volume.
10 Click Create.

The Create Volume panel disappears and the added volume appears in the Volumes tab.

What to do next
Add a Volume to a Container Template

Add a Volume to a Container Template

Connect a volume to a container by adding it to a template.

Prerequisites
- Verify that you have a template available. If not, you must first create one.
- Verify that you have container administrator, container architect, or IaaS administrator role privileges.
The Add Volume panel disappears and the added volume appears as a horizontal icon below the container icons in the Edit Template page. A volume icon also displays on the bottom border of the container icons.
9 Connect the volume to a container, by dragging the volume connector icon from the container to any point on the horizontal icon representing the volume.
10 (Optional) Click on the container path to change the location where the volume is mounted.
The list of the provided Active Directory custom properties is included in the Custom Properties Reference. The custom property prefix is ext.policy.activedirectory. In addition to the provided properties, you can create your own custom properties. You must prefix your custom properties with ext.policy.activedirectory. For example, ext.policy.activedirectory.domain.extension or ext.policy.activedirectory.yourproperty.
- If you use an external vRealize Orchestrator server, verify that it is set up correctly. See Configure an External vRealize Orchestrator Server.
- Log in to the vRealize Automation console as a tenant administrator.

Procedure
1 Select Administration > AD Policies.
2 Click the New icon.
3 Configure the Active Directory policy details.

Option | Description
ID | Enter the permanent value. The value cannot include any spaces or special characters.
You have an existing policy that is applied to the development business group. The policy adds machine records to ou=development,dc=corp,dc=domain,dc=com. You want all database machines to be added to ou=databases,dc=corp,dc=domain,dc=com. In a blueprint that includes a database server, you override the Active Directory organizational unit to add the database machine record to ou=databases,dc=corp,dc=domain,dc=com.
What to do next
Request your test blueprint. Verify that the record for the database machine was added to the database organizational unit, and that the record for the application machine is added to the development organizational unit. When you are satisfied with the results, you can add the custom property to your production blueprints.
3 Providing Service Blueprints to Users

You deliver on-demand services to users by creating catalog items and actions, then carefully controlling who can request those services by using entitlements and approvals.
Software Components

You can create and publish software components to install software during the machine provisioning process and support the software life cycle. For example, you can create a blueprint for developers to request a machine with their development environment already installed and configured. Software components are not catalog items by themselves, and you must combine them with a machine component to create a catalog item blueprint.
Machine Blueprints

You can create and publish simple blueprints to provision single machines or you can create more complex blueprints that contain additional machine components and optionally any combination of the following component types:
- Software components
- Existing blueprints
- NSX network and security components
- XaaS components
- Containers components
- Custom or other components

XaaS Blueprints

You can publish your vRealize Orchestrator workflows as
- IaaS machine blueprints
- Software components
- XaaS blueprints
- Component profiles
- Property groups
  Property group information is tenant-specific and is only imported with the blueprint if the property group already exists in the target vRealize Automation instance.
Scenario: Importing the Dukes Bank for vSphere Sample Application and Configuring for Your Environment

As an IT professional evaluating or learning vRealize Automation, you want to import a robust sample application into your vRealize Automation instance so you can quickly explore the available functionality and determine how you might build vRealize Automation blueprints that suit the needs of your organization.

Prerequisites
- Prepare a CentOS 6.
Procedure
1 Log in to your vRealize Automation appliance as root by using SSH.
2 Download the Dukes Bank for vSphere sample application from your vRealize Automation appliance to /tmp.

    wget --no-check-certificate https://vRealize_VA_Hostname_fqdn:5480/blueprints/DukesBankAppForvSphere.zip

  Do not unzip the package.
3 Download vRealize CloudClient from http://developercenter.vmware.com/tool/cloudclient to /tmp.
4 Unzip the cloudclient-4x-dist.zip package.
Scenario: Configure Dukes Bank vSphere Sample Components for Your Environment

Using your infrastructure architect privileges, you configure each of the Dukes Bank machine components to use the customization specification, template, and machine prefixes that you created for your environment. This scenario configures the machine components to clone machines from the template you created in the vSphere Web Client.
  h Click the Machine Resources tab.
  i Verify that memory settings are at least 2048 MB.
5 Edit the loadbalancer-node so vRealize Automation can provision this machine component in your environment.
  a Click the loadbalancer-node component on the design canvas.
  b Select your machine prefix from the Machine prefix drop-down menu.
  c Click the Build Information tab.
  d Select Cloneworkflow from the Provisioning workflow drop-down menu.
- Configure the service catalog and make your published Dukes Bank blueprint available for users to request. See Checklist for Configuring the Service Catalog.
- Verify that virtual machines you provision can reach the yum repository.

Procedure
1 Log in to the vRealize Automation console as a user who is entitled to the Dukes Bank catalog item.
2 Click the Catalog tab.
3 Locate the Dukes Bank sample application catalog item and click Request.
You have a working Dukes Bank sample application to use as a starting point for developing your own blueprints, as a tool to evaluate vRealize Automation, or as a learning resource to assist you in understanding vRealize Automation functionality and components.

Building Your Design Library

You can build out a library of reusable blueprint components that your architects can assemble into application blueprints for delivering elaborate on-demand services to your users.
Table 3‑2. Building Your Design Library (Continued)

Catalog Item | Role | Components | Description | Details
Software on machines | Software architect | Create and publish Software Components on the Software tab, then combine them with machine blueprints on the Blueprints tab. | Add Software components to your machine blueprints to standardize, deploy, configure, update, and scale complex applications in cloud environments.
Space-Efficient Storage for Virtual Provisioning

Space-efficient storage technology eliminates the inefficiencies of traditional storage methods by using only the storage actually required for a machine's operations. Typically, this is only a fraction of the storage actually allocated to machines. vRealize Automation supports two methods of provisioning with space-efficient technology, thin provisioning and FlexClone provisioning.
Understanding and Using Blueprint Parameterization

You can use component profiles to parameterize blueprints. Rather than create a separate small, medium, and large blueprint for a particular deployment type, you can create a single blueprint with a choice of small, medium, or large size virtual machine. Users can select one of these sizes when they deploy the catalog item. Component profiles minimize blueprint sprawl and simplify your catalog offerings.
Configure a Machine Blueprint

Configure and publish a machine component as a standalone blueprint that other architects can reuse as a component in application blueprints, and catalog administrators can include in catalog services.

Prerequisites
- Log in to the vRealize Automation console as an infrastructure architect.
Blueprint Properties Settings

You can specify settings that apply to the entire blueprint by using the New Blueprint page when you create the blueprint. After you create the blueprint, you can edit these settings on the Blueprint Properties page.

General Tab

Apply settings across your entire blueprint, including all components you intend to add now or later.

Table 3‑3. General Tab Settings

Setting | Description
Name | Enter a name for your blueprint.
Table 3‑4. Properties Tab Settings Tab Setting Property Groups Property groups are reusable groups of properties that are designed to simplify the process of adding custom properties to blueprints. Your tenant administrators and fabric administrators can group properties that are often used together so you can add the property group to a blueprint instead of individually inserting custom properties.
Table 3‑4. Properties Tab Settings (Continued) Tab Setting Description Overridable You can specify that the property value can be overridden by the next or subsequent person who uses the property. Typically, this is another architect, but if you select Show in request, your business users are able to see and edit property values when they request catalog items.
Table 3‑5. General Tab Settings (Continued)

Setting | Description
Machine prefix | Machine prefixes are created by fabric administrators and are used to create the names of provisioned machines. If you select Use group default, machines provisioned from your blueprint are named according to the machine prefix configured as the default for the user's business group. If no machine prefix is configured, one is generated for you based on the name of the business group.
Table 3‑6. Build Information Tab

Setting | Description
Blueprint type | For record-keeping and licensing purposes, select whether machines provisioned from this blueprint are classified as Desktop or Server.
Action | The options you see in the action drop-down menu depend on the type of machine you select. The following actions are available:
  - Create: Create the machine component specification without use of a cloning option.
Table 3‑6. Build Information Tab (Continued)

Setting | Description
Provisioning workflow | The options you see in the provisioning workflow drop-down menu depend on the type of machine you select, and the action you select.
  - BasicVmWorkflow: Provision a machine with no guest operating system.
  - ExternalProvisioningWorkflow: Create a machine by starting from either a virtual machine instance or cloud-based image.
Table 3‑6. Build Information Tab (Continued)

Setting | Description
Clone from snapshot | For Linked Clone, select an existing snapshot to clone from based on the selected machine template. Machines only appear in the list if they already have an existing snapshot, and if you manage that machine as a tenant administrator or business group manager. If you select Use current snapshot, the clone is defined with the same characteristics as the latest state of the virtual machine.
Table 3‑7. Machine Resources Tab
CPUs: Minimum and Maximum: Enter a minimum and maximum number of CPUs that can be provisioned by this machine component.
Memory (MB): Minimum and Maximum: Enter a minimum and maximum amount of memory that can be consumed by machines that are provisioned by this machine component.
Network Tab
You can configure network settings for a vSphere machine component based on NSX network and load balancer settings that are configured outside vRealize Automation. You can use settings from one or more existing and on-demand NSX network components in the design canvas.
Table 3‑10. Security Tab Settings
Name: Display the name of an NSX security group or tag. The names are derived from security components in the design canvas. Select the check box next to a listed security group or tag to use that group or tag for provisioning from this machine component.
Type: Indicate if the security element is an on-demand security group, an existing security group, or a security tag.
You can use the Property Groups tab to add and configure settings for existing custom property groups. You can create your own property groups or use property groups that have been created for you.
Table 3‑12. Properties > Property Groups Tab Settings
Name: Select an available property group from the drop-down menu.
Move Up and Move Down: Control the precedence level of listed property groups in descending order.
Table 3‑13. Profiles Tab Settings
Add: Add the Size or Image component profile.
Edit Value Sets: Assign one or more value sets for the selected component profile by selecting from a list of defined value sets. You can select one of the value sets as the default.
Remove: Remove the Size or Image component profile.
Table 3‑14. General Tab Settings (Continued)
Machine prefix: Machine prefixes are created by fabric administrators and are used to create the names of provisioned machines. If you select Use group default, machines provisioned from your blueprint are named according to the machine prefix configured as the default for the user's business group. If no machine prefix is configured, one is generated for you based on the name of the business group.
Table 3‑15. Build Information Tab (Continued)
Provisioning workflow: The options you see in the provisioning workflow drop-down menu depend on the type of machine you select, and the action you select. The only provisioning action available for a vCloud Air machine component is CloneWorkflow.
- CloneWorkflow: Make copies of a virtual machine, either by Clone, Linked Clone, or NetApp Flexclone.
Clone from: Select a machine template to clone from.
Table 3‑17. Storage Tab Settings (Continued)
Drive Letter/Mount Path: Enter a drive letter or mount path for the storage volume.
Label: Enter a label for the drive letter and mount path for the storage volume.
Storage Reservation Policy: Enter the existing storage reservation policy to use with this storage volume.
Custom Properties: Enter any custom properties to use with this storage volume.
Table 3‑18. Properties > Custom Properties Tab Settings (Continued)
Overridable: You can specify that the property value can be overridden by the next or subsequent person who uses the property. Typically, this is another architect, but if you select Show in request, your business users are able to see and edit property values when they request catalog items.
Table 3‑20. General Tab Settings (Continued)
Reservation policy: Apply a reservation policy to a blueprint to restrict the machines provisioned from that blueprint to a subset of available reservations.
Table 3‑21. Build Information Tab (Continued)
Amazon machine image: Select an available Amazon machine image. An Amazon machine image is a template that contains a software configuration, including an operating system. Machine images are managed by Amazon Web Services accounts. You can refine the list of Amazon machine image names in the display by using the Filters option in the AMI ID column drop-down menu.
Table 3‑22. Machine Resources Tab
CPUs: Minimum and Maximum: Enter a minimum and maximum number of CPUs that can be provisioned by this machine component.
Memory (MB): Minimum and Maximum: Enter a minimum and maximum amount of memory that can be consumed by machines that are provisioned by this machine component.
Table 3‑23. Properties > Custom Properties Tab Settings (Continued)
Overridable: You can specify that the property value can be overridden by the next or subsequent person who uses the property. Typically, this is another architect, but if you select Show in request, your business users are able to see and edit property values when they request catalog items.
Table 3‑25. General Tab Settings (Continued)
Reservation policy: Apply a reservation policy to a blueprint to restrict the machines provisioned from that blueprint to a subset of available reservations.
Table 3‑26. Build Information Tab
Blueprint type: For record-keeping and licensing purposes, select whether machines provisioned from this blueprint are classified as Desktop or Server.
Table 3‑26. Build Information Tab (Continued)
Key pair: Key pairs are optional for provisioning with OpenStack. Key pairs are used to provision and connect to a cloud instance. They are also used to decrypt Windows passwords and to log in to a Linux machine. The following key pair options are available:
- Not specified: Controls key pair behavior at the blueprint level rather than at the reservation level.
Table 3‑27. Machine Resources Tab
CPUs: Minimum and Maximum: Enter a minimum and maximum number of CPUs that can be provisioned by this machine component.
Memory (MB): Minimum and Maximum: Enter a minimum and maximum amount of memory that can be consumed by machines that are provisioned by this machine component.
Table 3‑28. Properties > Custom Properties Tab Settings (Continued)
Overridable: You can specify that the property value can be overridden by the next or subsequent person who uses the property. Typically, this is another architect, but if you select Show in request, your business users are able to see and edit property values when they request catalog items.
Troubleshooting Blueprints for Clone and Linked Clone
When creating a linked clone or clone blueprint, machines or templates are missing. Using your shared clone blueprint to request machines fails to provision machines.
Problem
When working with clone or linked clone blueprints, you might encounter one of the following problems:
- When you create a linked clone blueprint, no machines appear in the list to clone, or the machine you want to clone does not appear.
Table 3‑30. Causes for Common Clone and Linked Clone Blueprints Problems (Continued)
Problem: Provisioning failure with a shared blueprint
Cause: For blueprints, no validation is available to ensure that the template you select exists in the reservation used to provision a machine from your shared clone blueprint.
Solution: Consider using entitlements to restrict the blueprint to users who have a reservation on the compute resource where the template exists.
New Blueprint and Blueprint Properties Page Settings with NSX
You can specify settings that apply to the entire blueprint, including some NSX settings, by using the New Blueprint page when you create the blueprint. After you create the blueprint, you can edit these settings on the Blueprint Properties page.
General Tab
Apply settings across your entire blueprint, including all components you intend to add now or later.
Table 3‑31.
Table 3‑32. NSX Settings Tab Settings
Transport zone: Select an existing NSX transport zone to contain the network or networks that the provisioned machine deployment can use. A transport zone defines which clusters the networks can span. When provisioning machines, if a transport zone is specified in a reservation and in a blueprint, the transport zone values must match. A transport zone is only required for blueprints that have an on-demand network.
Table 3‑33. Properties Tab Settings
Tab: Property Groups
Setting: Property groups are reusable groups of properties that are designed to simplify the process of adding custom properties to blueprints. Your tenant administrators and fabric administrators can group properties that are often used together so you can add the property group to a blueprint instead of individually inserting custom properties.
Table 3‑33. Properties Tab Settings (Continued)
Overridable: You can specify that the property value can be overridden by the next or subsequent person who uses the property. Typically, this is another architect, but if you select Show in request, your business users are able to see and edit property values when they request catalog items.
A NAT network profile and load balancer enable vRealize Automation to deploy an NSX edge services gateway. A routed network profile uses an NSX logical distributed router (DLR). The DLR must be created in NSX before it can be consumed by vRealize Automation. vRealize Automation cannot create DLRs. After data collection, vRealize Automation can use the DLR for virtual machine provisioning.
If the web component machine needs access to the app component machine using a load balancer on ports 8080 and 8443, the web security policy should also include firewall rules to allow outbound traffic to these ports in addition to the existing firewall rules that allow inbound traffic to ports 80 and 443. For information about security features that can be applied to a machine component in a blueprint, see Using Security Components in the Design Canvas.
on a separate security policy to allow communication between specific machines, the guest agent might be unable to communicate with vRealize Automation during the customization phase. To avoid this problem during machine provisioning, use a default security policy that allows communication during the customization phase. You can also add a Containers network component to a blueprint.
Procedure
1 Click Network & Security in the Categories section to display the list of available network and security components.
2 Drag an Existing Network component onto the design canvas.
3 Click in the Existing network text box and select an existing network profile. The description, subnet mask and gateway values are populated based on the selected network profile.
4 (Optional) Click the DNS/WINS tab.
- NSX Load Balancer Component
  You can create NAT rules for a NAT one-to-many network component that is associated to the VIP network of an NSX load balancer component. For example, if the NAT network component is associated to a load balancer component that is load balancing three machines, you can define a NAT rule that allows port 90 on the external IP to connect to the load balancer VIP through port 80 on the NAT network using UDP protocol.
- Log in to the vRealize Automation console as an infrastructure architect.
- Open a new or existing blueprint in the design canvas by using the Design tab.
- If you want to specify NAT rules for a NAT network component, you must use a NAT one-to-many network profile. See Create a NAT Network Profile By Using the Supplied IPAM Endpoint or Create a NAT Network Profile By Using a Third-Party IPAM Endpoint. For information about NAT rules, see Creating and Using NAT Rules.
8 Click the IP Ranges tab. The IP range or ranges specified in the network profile are displayed. You can change the sort order or column display. For NAT networks, you can also change IP range values.
9
  a Enter a start IP address value in the IP range start text box.
  b Enter a start IP address value in the IP range start text box.
- If the pool network profile is routed, the VIP network profile can only be on the same routed network.
- If the pool network profile is external, the VIP network profile can only be the same external network profile.
Each load balancer component can have multiple virtual servers, which are also referred to as load balancer services. Each virtual server in the load balancer component has one port and protocol.
Add an On-Demand Load Balancer Component
You can drag an NSX on-demand load balancer component onto the design canvas and configure its settings for use with vSphere machine components and container components in the blueprint. For related information about creating NSX application profiles to define the behavior of a particular type of network traffic, see the NSX Administration Guide for your release at https://www.vmware.com/support/pubs/nsx_pubs.html.
If the load balancer is provisioned with an external network, the VIP (specified with VIP Network) and member pool (specified with Member Network) must be on the same existing network. If the VIP and pool are not on the same external network, an error occurs during provisioning.
Prerequisites
- Create and configure load balancer settings for NSX. See Configuring vRealize Automation and NSX Administration Guide.
8 To create a virtual server definition, click New and see Define Virtual Server General Settings. Each load balancer component requires at least one virtual server.
To specify logging options, see Define Load Balancer Logging Options.
Define Virtual Server General Settings
You can define a single virtual server protocol and port for your load balancer or you can add additional virtual servers to customize additional NSX load balancer options.
Configure the load balancer component with additional settings, for example to define a different protocol for health monitoring or a different port for monitoring member traffic. Additional tabs appear that allow you to add customized settings. If you selected Use default value for all other settings and clicked OK you are done and can continue to define or edit your blueprint in the design canvas. If you selected Customize, continue to the step.
3 (Optional) Select the algorithm balancing method for this pool. The algorithm options and the algorithm parameters for the options that require them are described in the following table.
Option: ROUND_ROBIN
Description and algorithm parameters: Each server is used in turn according to the weight assigned to it. If the load balancer was created in vRealize Automation, the weight is the same for all members.
Option: HTTPHEADER
Description and algorithm parameters: The HTTP header name is looked up in each HTTP request. The header name in parentheses is not case sensitive, which is similar to the ACL 'hdr()' function. The HTTPHEADER algorithm parameter has one option headerName=. For example, you can use host as the HTTPHEADER algorithm parameter. If the header is absent or does not contain any value, the round robin algorithm is applied.
- Select MSRDP to maintain persistent sessions between Windows clients and servers that are running the Microsoft Remote Desktop Protocol (RDP) service. The recommended scenario for enabling MSRDP persistence is to create a load balancing pool that consists of members running the supported Windows Server, where all members belong to a Windows cluster and participate in a Windows session directory.
Procedure
1 (Optional) Select a health check protocol in the Health check protocol drop-down menu to specify how the pool member is accessed when the load balancer listens to determine the health of the pool member. The protocol options are HTTP, HTTPS, TCP, ICMP, UDP, and None. You can also accept the default protocol as specified on the General tab.
Prerequisites
Define Virtual Server General Settings.
Procedure
1 Enter a value in the Connection limit text box to specify the maximum concurrent connections in NSX that the virtual server can process. This setting considers the number of all member connections. Enter a value of 0 to specify no limit.
2 Enter a value in the Connection rate limit text box to specify the maximum number of incoming connection requests in NSX that can be accepted per second.
Logging levels include debug, info, warning, error, and critical. Debug and info options log user requests, while warning, error, and critical options do not log user requests. For additional information about NSX load balancer logging, see the NSX Administration Guide.
Prerequisites
Define Load Balancer Member Settings.
Procedure
1 Select the Global tab on the load balancer component in the design canvas.
Using Security Components in the Design Canvas
You can add NSX security components to the design canvas to make their configured settings available to one or more vSphere machine components in the blueprint. Security groups, tags, and policies are configured outside of vRealize Automation in the NSX application.
Security Policy
A security policy is a set of endpoint, firewall, and network introspection services that can be applied to a security group. You can add security policies to a vSphere virtual machine by using an on-demand security group in a blueprint. You cannot add a security policy directly to a reservation. After data collection, the security policies that have been defined in NSX for a compute resource are available for selection in a blueprint.
You can continue configuring security settings by adding additional security components and by selecting settings in the Security tab of a vSphere machine component in the design canvas.
Add an On-Demand Security Group Component
You can add an on-demand NSX security group component to the design canvas in preparation for associating its settings to one or more vSphere machine components or other available component types in the blueprint.
- Verify that the NSX inventory has executed successfully for your cluster. To use NSX configurations in vRealize Automation, you must run data collection.
- Log in to the vRealize Automation console as an infrastructure architect.
- Open a new or existing blueprint in the design canvas by using the Design tab.
Procedure
1 Click Network & Security in the Categories section to display the list of available network and security components.
Using Container Components in Blueprints
You can configure and use container components in the blueprint. After a container administrator has created container definitions in Containers for vRealize Automation, a container architect can add and configure container components for vRealize Automation blueprints in the design canvas.
Table 3‑35. Network Tab Settings (Continued)
Publish All Ports: Select the check mark box to expose the ports that are used in the container image to all users.
Host name: Specify the container host name. If no name is specified, the value defaults to the name of the container component in the blueprint.
Network mode: Specify the networking stack of the container. If no value is specified, the container is configured in Bridge network mode.
Table 3‑37. Policy Tab Settings (Continued)
Memory swap: Total memory limit.
Affinity constraints: Defines rules for provisioning of containers on the same or different hosts.
- Affinity type: For anti-affinity, the containers are placed on different hosts; otherwise they are placed on the same host.
Table 3‑39. Properties Tab Settings for Custom Properties
Name: Enter the name of a custom property or select an available custom property from the drop-down menu.
Value: Enter or edit a value to associate with the custom property name.
Encrypted: You can choose to encrypt the property value, for example, if the value is a password.
Table 3‑40. Health Config Tab Settings (Continued)
Ignore health check on provision: Uncheck this option to force health check on provision. By forcing it, a container is not considered provisioned until one successful health check passes.
Autodeploy: Automatic redeployment of containers when they are in ERROR state.
Log Config Tab
Specify a logging mode, and optional logging options, for the blueprint container component in the design canvas.
Table 3‑42. Containers Custom Properties
containers.ipam.driver: For use with containers only. Specifies the IPAM driver to be used when adding a Containers network component to a blueprint. The supported values depend on the drivers installed in the container host environment in which they are used. For example, a supported value might be infoblox or calico depending on the IPAM plug-ins that are installed on the container host.
containers.network.
Using Containers Network Components in the Design Canvas
You can add one or more Containers network components to the design canvas and configure their settings for vSphere machine components in the blueprint. You can add the containers.ipam.driver and containers.network.driver to the component when you add it to the blueprint.
Add a Container Network Component
You can add container network information to a vRealize Automation blueprint that contains container components.
If you select the Custom Properties tab and click Add you can add individual custom properties to the container component.
Table 3‑43. Properties Tab Settings for Custom Properties
Name: Enter the name of a custom property or select an available custom property from the drop-down menu.
Value: Enter or edit a value to associate with the custom property name.
- XaaS components
- Custom components
You can push a template from Containers to vRealize Automation. Changes that you make to the vRealize Automation blueprint have no effect on the Containers template. You can make subsequent changes in the Containers template and push again to overwrite the blueprint in vRealize Automation.
Create a Blueprint for Microsoft Azure
You can create Microsoft Azure virtual machine blueprints that provide access to Azure virtual machine resources. A default Azure Machine template appears in the Machine Types category on the vRealize Automation Edit Blueprint page. You can use this virtual machine template as the basis of an Azure blueprint as described in the following procedure.
7 Enter the required information for the Azure virtual machine in the text boxes on the tabbed pages located on the bottom half of the Design Canvas that appear when you drag the Azure Machine template to the Design Canvas.
Available selections for text boxes and other parameters on all of these tabs are determined primarily by the Azure endpoint that was configured as a basis for blueprints.
Tab: General
Description: Select basic connection information for the Azure virtual machine such as the endpoint to be used.
Important Parameters:
- ID - Identifies the Azure virtual machine you are creating. If you change this name, the Azure virtual machine image on the Design Canvas is also updated automatically.
- Description - Identifies the virtual machine you are creating and whether or not it is required.
Important Parameters (continued):
- Size - Defines the specific virtual machine instance size within a series. Size is related to the selected Series. If you have a valid connection to an Azure instance, the available sizes are populated dynamically based on the subscription and selected location and series. See the Azure documentation for size information.
- Instance Size Details - Optional information about the virtual machine instance series and size.
Tab: Storage
Description: Enables you to organize Azure storage accounts. A storage account provides access to the different types of Azure storage, such as Azure Blob, Queue Table, and File storage. For most blueprints, you can accept the defaults.
Important Parameters:
- Storage account - Enter the storage account name for the virtual machine if appropriate. The Azure virtual machine operating system disk is deployed to this storage account.
Important Parameters (continued):
- subNet Name - The domain name of the Azure subnet.
Note: You can set the public IP address for Azure during day 2 operations.
- If you select Use Network Profile, the network configuration is detached from underlying Azure constructs and is instead coupled with the vRealize Automation networking profile.
You can work with Azure resource actions just as with any other XaaS resource actions in vRealize Automation. See Creating XaaS Blueprints and Resource Actions and vRealize Orchestrator Integration in vRealize Automation in Configuring vRealize Automation for more information about XaaS resource actions.
Prerequisites
Configure a valid Azure Endpoint for your vRealize Automation deployment.
Procedure
1 Select Design > XaaS > Resource Actions.
2 Click New.
- Specify a Puppet environment and leave the Puppet role box empty. Users must specify the role at request time.
Prerequisites
Create an appropriate vSphere blueprint. See vSphere Machine Component Settings for more information.
Procedure
1 Select Design > Blueprints.
2 Select Configuration Management from the Categories menu on the Design page for blueprints.
3 Select the Puppet component and drag it to the vSphere component on the Design Canvas.
- Create at least one Windows machine blueprint.
Procedure
1 Select Design > Blueprints.
2 Point to the blueprint to update and click Edit.
3 Select the machine component on your canvas to edit the details.
4 Click the Properties tab.
5 Click the Custom Properties tab.
6 Configure RDP settings.
  a Click New Property.
  b Enter the RDP custom property names in the Name text box and the corresponding values in the Value text box.
Using the Active Directory Cleanup Plugin, you can specify the following Active Directory account actions to occur when a machine is deleted from a hypervisor:
- Delete the AD account
- Disable the AD account
- Rename the AD account
- Move the AD account to another AD organizational unit (OU)
Prerequisites
Note: This information does not apply to Amazon Web Services.
- Log in to the vRealize Automation console as an infrastructure architect.
Option: Plugin.AdMachineCleanup.Delete
Description and Value: Set to True to delete the accounts of destroyed machines, instead of disabling them.
Option: Plugin.AdMachineCleanup.MoveToOu
Description and Value: Moves the account of destroyed machines to a new Active Directory organizational unit. The value is the organizational unit to which you are moving the account. This value must be in ou=OU, dc=dc format, for example ou=trash,cn=computers,dc=lab,dc=local.
Plugin.AdMachineCleanup.
8 Configure vRealize Automation to prompt users for a hostname value during request.
  a Select Overridable.
  b Select Show in Request.
  Because host names must be unique, users can only request one machine at a time from this blueprint.
9 Click the Save icon.
10 Click OK.
Users who request a machine from your blueprint are required to specify a host name for their machine. vRealize Automation validates that the specified host name is unique.
2 Point to your Centos on vSphere blueprint and click Edit.
3 Select the machine component on your canvas to bring up the General details tab.
4 Select the Display location on request check box.
5 Click Finish.
6 Point to your Centos on vSphere blueprint and click Publish.
Business group users are now prompted to select a datacenter location when they request a machine to be provisioned from your blueprint.
You can download predefined Software components for a variety of middleware services and applications from the VMware Solution Exchange. Using either the vRealize CloudClient or vRealize Automation REST API, you can programmatically import predefined Software components into your vRealize Automation instance.
- To visit the VMware Solution Exchange, see https://solutionexchange.vmware.com/store/category_groups/cloud-management.
If you select the computed property option, leave the value for your custom property blank. Design your scripts for the computed values.
Table 3‑45.
When you pass large numbers into an array, do not use the grouping format. For example: do not use 4444 444.000 (French), 4.444.444,000 (Italian), or 4,444,444.000 (English), because data files that contain locale-specific formats might be misinterpreted when they are transferred to a machine that has a different locale. The grouping format is not allowed, because a number such as 4,444,444.000 would be considered as three separate numbers. Instead, just enter 4444444.000.
Sample String Property:
cheetah_tgz_url = "http://app_content_server_ip:port/artifacts/software/jboss/cheetah-2.4.4.tar.gz"

Script Syntax:
Bash - $cheetah_tgz_url
Windows CMD - %cheetah_tgz_url%
Windows PowerShell - $cheetah_tgz_url

Sample Usage:
Bash - tar -zxvf $cheetah_tgz_url
Windows CMD - start /wait c:\unzip.exe %cheetah_tgz_url%
Windows PowerShell - & c:\unzip.exe $cheetah_tgz_url

Boolean Property
Use the boolean property type to provide True and False choices in the Value drop-down menu.
the cluster, but in no particular order. If your users scale the deployment, the order of values could be different for each operation. To make sure you never lose values for clustered components, you can use the array type for any software properties. However, you must design your software components so they don't expect a value array in any specific order.
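The two array cautions in this section (no locale grouping in numbers, and no reliance on the order of values from clustered components) can be enforced inside an action script. The following is an added example, not VMware's code: the function names and sample addresses are constructed, and it assumes the array property reaches a Bash script as an array expanded with "${node_ips[@]}" (node_ips is a hypothetical property name).

```shell
#!/bin/sh
# Added example, not part of the vRealize Automation documentation.
# Function names and sample values are constructed for illustration.
# In a Bash action script, pass the array property as "${node_ips[@]}"
# (node_ips is a hypothetical property name).

# is_plain_number VALUE
# Succeeds only for an optional sign, digits, and at most one "." as the
# decimal point. Grouped forms such as 4,444,444.000 or 4.444.444,000 fail,
# so a value can be rejected before it is split into several numbers.
is_plain_number() {
    case "$1" in
        ''|*[!0-9.+-]*) return 1 ;;   # empty, or a character outside digits . + -
    esac
    n=${1#[+-]}                       # drop one leading sign, if present
    case "$n" in
        ''|.) return 1 ;;             # nothing left, or a lone dot
        *[+-]*) return 1 ;;           # sign anywhere except the front
        *.*.*) return 1 ;;            # more than one dot means grouping
    esac
    return 0
}

# canonical_members VALUE...
# Prints the values sorted, de-duplicated and comma-joined. Sorting under
# LC_ALL=C makes the result identical on every node, whatever order the
# array arrived in and whatever locale the machine uses.
canonical_members() {
    [ "$#" -gt 0 ] || return 1
    printf '%s\n' "$@" | LC_ALL=C sort -u | paste -sd, -
}

# member_index SELF VALUE...
# Prints the 0-based position of SELF in the canonical list, so a node can
# derive its role from the sorted membership instead of from arrival order.
# Fails if SELF is not in the list. Values must not contain whitespace.
member_index() {
    self=$1
    shift
    i=0
    for m in $(printf '%s\n' "$@" | LC_ALL=C sort -u); do
        if [ "$m" = "$self" ]; then
            echo "$i"
            return 0
        fi
        i=$((i + 1))
    done
    return 1
}

# Constructed sample: the same three node addresses in two arrival orders
# produce the same membership string.
canonical_members 10.0.0.7 10.0.0.5 10.0.0.12
canonical_members 10.0.0.12 10.0.0.7 10.0.0.5
```

The index changes when members are added or removed, so treat it as a function of the current membership, not as a permanent identifier.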
- Windows PowerShell
  $progress_status="completed"
Note: Array and content property do not support passing modified property values between action scripts of life cycle stages.
Best Practices for Developing Components
To familiarize yourself with best practices for defining properties and action scripts, you can download and import Software components and application blueprints from the VMware Solution Exchange.
Configuring vRealize Automation 3 Enter a name and, optionally, a description. Using the name you specified for your Software component, vRealize Automation creates an ID for the Software component that is unique within your tenant. You can edit this field now, but after you save the blueprint you can never change it. Because IDs are permanent and unique within your tenant, you can use them to programmatically interact with blueprints and to create property bindings.
d Select the expected type for the value of your property.
e Define the value for your property.

Option: Use the value you supply now
- Enter a value.
- Deselect Overridable.
- Select Required.

Option: Require architects to supply a value
- To provide a default, enter a value.
- Select Overridable.
- Select Required.

Option: Allow architects to supply a value if they choose
- To provide a default, enter a value.
- Select Overridable.
- Deselect Required.
8 Select the Reboot checkbox for any script that requires you to reboot the machine. After the script runs, the machine reboots before starting the next life cycle script.
9 Click Finish.
10 Select your Software component and click Publish.

You configured and published a Software component. Other software architects, IaaS architects, and application architects can use this Software component to add software to application blueprints.
Configuring vRealize Automation Table 3‑49. New Software General Settings (Continued) Setting Description Description Summarize your Software component for the benefit of other architects. Container On the design canvas, blueprint architects can only place your Software component inside the container type you select. n Select Machines to require architects to place your Software component directly on a machine component in the design canvas.
Table 3‑50. New Software Properties (Continued)
Setting: Value

To use the value you supply:
- Enter a Value.
- Select Required.
- Deselect Overridable.

To require architects to supply a value:
- (Optional) Enter a Value to provide a default.
- Select Overridable.
- Select Required.

Allow architects to supply a value or leave the value blank:
- (Optional) Enter a Value to provide a default.
- Select Overridable.

Setting: Encrypted
Configuring vRealize Automation Table 3‑51. Life Cycle Actions (Continued) Life Cycle Actions Description Start Start your software. For example, you might start the Tomcat service using the start command in the Tomcat server. Start scripts run after the configure action completes. Update If you are designing your software component to support scalable blueprints, handle any updates that are required after a scale in or scale out operation.
Configuring vRealize Automation The vRealize Orchestrator server distributed with vRealize Automation is preconfigured, and therefore when your system administrator deploys the vRealize Automation Appliance, the vRealize Orchestrator server is up and running. Figure 3‑2.
Configuring vRealize Automation Figure 3‑3.
System administrators can install vRealize Orchestrator or deploy the vRealize Orchestrator Appliance separately to set up an external vRealize Orchestrator instance and configure vRealize Automation to work with that external vRealize Orchestrator instance. System administrators can also configure vRealize Orchestrator workflow categories per tenant and define which workflows are available to each tenant.
Configuring vRealize Automation Table 3‑53. Plug-Ins Included by Default in vRealize Orchestrator (Continued) Plug-In Purpose XML A complete Document Object Model (DOM) XML parser that you can implement in workflows. Alternatively, you can use the ECMAScript for XML (E4X) implementation in the vRealize Orchestrator JavaScript API. Mail Uses Simple Mail Transfer Protocol (SMTP) to send email from workflows. Net Wraps the Jakarta Apache Commons Net Library.
XaaS Blueprint Workflow
The workflow that you follow to create an XaaS blueprint and any optional resource actions varies depending on how you intend to use the blueprint. The following workflow provides the basic process.
Does your XaaS blueprint provision a resource?
- Yes: Create a custom resource type (Design > XaaS > Custom Resources > New), then create a blueprint to provision a resource (Design > XaaS > XaaS Blueprints > New).
- No: Create a blueprint that runs a workflow but does not provision resources (Design > XaaS > XaaS Blueprints > New).
Publish the blueprint.
Configuring vRealize Automation XaaS Blueprint Terminology XaaS blueprints are vRealize Orchestrator workflows that can provision resources, make changes to provisioned resources, or behave as a service that performs a task in your environment. The blueprints and the resource actions have several nuances that you must understand when you design blueprints for your service catalog users. The following definitions help you understand the terms used when working with XaaS blueprints.
Configuring vRealize Automation entitlement to make it available to the service catalog users, it is listed as a Composite Blueprint. A composite blueprint can have one blueprint component, or it can include an entire application with multiple machines, software, and networking. Resource action A workflow that you can run on a deployed provisioning blueprint.
Configuring vRealize Automation Add an XaaS Custom Resource You create a custom resource to define the XaaS item for provisioning. Before you can create an XaaS blueprint or action, you must have a custom resource that is compatible with the object type of the blueprint or action workflow. By creating a custom resource, you map an object type exposed through the API of a vRealize Orchestrator plug-in as a resource.
Configuring vRealize Automation n Create an XaaS resource action. See Create an XaaS Resource Action. XaaS Custom Resource Wizard Options You use these custom resource options to create or modify a custom resource so that you can run XaaS blueprint and resource action workflows that provision resources or modify provisioned resources. You can create only one custom resource for an object type. You can use the custom resource for multiple blueprints and resource actions.
Configuring vRealize Automation Table 3‑56. Where Used Options Option Description XaaS Blueprints A list of the blueprints that are configured to use this custom resource. From this page you can perform the following actions: Resource Actions n Edit. Opens the blueprint so that you can see how it is configured or to modify it. n Publish/Unpublish. Change the state of the blueprint by making it available to use in a composite blueprint or to add to a service.
Configuring vRealize Automation Add an XaaS Blueprint An XaaS blueprint is a specification to run a vRealize Orchestrator workflow that makes a change to a target system in your environment. The blueprint includes the workflow, and it can include the input parameters, submission and read-only forms, sequence of actions, and the provisioning or nonprovisioning operation. You can create XaaS blueprints that you use in one or more of the following ways: n Create an XaaS blueprint component.
Configuring vRealize Automation 4 On the General tab, configure the options and click Next. a In the Name text box, enter a name that differentiates this blueprint from similar blueprints. b If you do not want to use this blueprint as a component in a composite blueprint, deselect the Make available as a component in the design canvas check box. 5 On the Blueprint Form tab, edit the form as needed and click Next. 6 On the Provisioned Resource page, select a value and click Next.
Configuring vRealize Automation Figure 3‑4. Workflow Tab in the XaaS Blueprint Wizard Review the input and output parameters to ensure that you or your service catalog users can provide the correct values under the following circumstances: n If you customize the blueprint form in this wizard or in the blueprint design canvas. n If you leave all the input parameters blank, the service catalog users can set the values. General Tab Configure the metadata about and the behavior of the blueprint.
Configuring vRealize Automation Table 3‑57. General Tab Options (Continued) Option Description Version The supported format extends to major.minor.micro-revision. Make available as a component in the design canvas If you plan to use the blueprint as a component in a design canvas blueprint, select this option. When it is published, the blueprint is available in the category you selected when you configured the custom resource.
Configuring vRealize Automation Table 3‑58. Provisioned Resource Options Option Description A custom resource that you previously created Select the custom resource that defines the vRealize Orchestrator resource type required to run the provisioning blueprint. A provisioning blueprint runs a vRealize Orchestrator workflow to provision resources on the target endpoint using the vRealize Orchestrator plug-in API for the endpoint. For example, add virtual NICs to a network device in vSphere.
Configuring vRealize Automation Table 3‑59. Component Lifecycle Options Option Description Scalable Select the option to allow the service catalog user to change the number of instances of this blueprint component after it is deployed as part of a scale-in or scale-out operation. This option is available if you selected a custom resource on the Provisioned Resource tab. It is not available if you selected the No provisioning option.
Configuring vRealize Automation Table 3‑59. Component Lifecycle Options (Continued) Option Description Update workflow Select the workflow that runs during update operations, including scale-in or scale out where a component is not scalable, but it can be updated. For example, a load balancer is updated with the new configuration created with the scale-in or scale-out operation for any of the components in the composite blueprint.
Table 3‑59. Component Lifecycle Options (Continued)
Option: Deallocation workflow
Description: Select the workflow that runs after any destroy or scale-in operation. If the deallocation fails during the operation, the destroy workflow still runs as expected. Deallocation is the final process when you scale in or destroy a composite blueprint. It runs after the destroy operation, releasing resources. This life cycle workflow type is available for Azure allocations.
3 In the Categories list, locate the blueprint.
4 Drag your blueprint to the canvas.
5 Configure the default values on the General and Create tabs. These are the default values that appear in the service catalog form when a user requests the item.
6 Click Finish.
7 Select the blueprint and click Publish.

The XaaS blueprint is now part of the composite blueprint.

What to do next
Add the composite blueprint to a service. See Managing the Service Catalog.
Prerequisites
- Log in to the vRealize Automation console as an XaaS architect.
- Create a custom resource corresponding to the input parameter of the resource action.

Procedure
1 Select Design > XaaS > Resource Actions.
2 Click the New icon.
3 Navigate through the vRealize Orchestrator workflow library and select a workflow relevant to your custom resource.
13 (Optional) Edit the form of the resource action on the Form tab.
The form of the resource action maps the vRealize Orchestrator workflow presentation. You can change the form by deleting, editing, and rearranging the elements. You can also add a new form and form pages and drag the necessary elements to the new form and form page.

Option: Add a form
Action: Click the New Form icon next to the form name, provide the required information, and click Submit.

Option: Edit a form
Configuring vRealize Automation The status of the resource action changes to Published. What to do next Assign an icon to the resource action. See Assign an Icon to an XaaS Resource Action. Business group managers and tenant administrators can then use the action when they create an entitlement. Assign an Icon to an XaaS Resource Action After you create and publish a resource action, you can edit it and assign an icon to the action.
Configuring vRealize Automation When you create a resource action that runs on a deployed composite blueprint that uses a vRealize Orchestrator workflow with vCACAFE:CatalogResource as an input parameter, the Deployment mapping is applied as the input resource type. The Deployment mapping is applied only if the selected workflow includes vCACAFE:CatalogResource as an input parameter.
Configuring vRealize Automation 5 Enter the type of the catalog resource in the Catalog Resource Type text box and press enter. The type of catalog resource appears on the details view of the provisioned item. 6 Enter the vRealize Orchestrator object type in the Orchestrator Type text box and press enter. This is the output parameter of the resource mapping workflow. 7 (Optional) Add target criteria to restrict the availability of resource actions created by using this resource mapping.
Configuring vRealize Automation Table 3‑60. XaaS Object Types and Associated Forms Object Type Default Form Additional Forms Custom resource Resource details form based on the attributes of the vRealize Orchestrator plug-in inventory type (read-only). n None XaaS blueprint Request submission form based on the presentation of the selected workflow.
you also want to restrict the options to ports that are open. You can add an external value definition to a dual list field and select a custom vRealize Orchestrator script action that queries for open ports. When the request form loads, the script action runs, and the open ports are presented as options to the user.
Configuring vRealize Automation Table 3‑61. New Fields in the Resource Action or XaaS Blueprint Form (Continued) Field Description Tree Tree that consumers use to browse and select available objects Map Map table that consumers use to define key-value pairs for properties You can also use the Section header form field to split form pages in sections with separate headings and the Text form field to add read-only informational texts.
Configuring vRealize Automation Table 3‑62. Constraints in the Forms Designer (Continued) Constraint Description Visible Indicates whether the consumer can see the element. If you apply a visibility constraint on a display group in the vRealize Orchestrator workflow, the constraint is ignored in the XaaS Submitted Request Details form and the fields that you want hidden appear in the form.
Configuring vRealize Automation For instance, you might want to publish a resource action to install software on a provisioned machine. Instead of providing the consumer with a static list of all software available for download, you can dynamically populate that list with software that is relevant for the machine's operating system, software that the user has not previously installed on the machine, or software that is out of date on the machine and requires an update.
Configuring vRealize Automation The steps in the vRealize Orchestrator presentation are represented as form pages and the vRealize Orchestrator presentation groups are represented as separate sections. The input types of the selected workflow are displayed as various fields in the form. For example, the vRealize Orchestrator type string is represented by a text box.
Configuring vRealize Automation n Insert a Text Element in a Custom Resource Form You can insert a text box to add some descriptive text to the form. n Insert an Externally Defined Field in a Custom Resource Form You can insert a new field and assign it an external value definition to dynamically provide read-only information that consumers can see on the item details page when they provision a custom resource.
3 Click the Details Form tab.
4 Click the New Page icon next to the Form page name.
5 Select the unused screen type and click Submit.
If you already have a resource details or resource list view, you cannot create two of the same type.
6 Click Submit.
7 Configure the form.
8 Click Finish.
3 Click the Details Form tab.
4 Drag the Text element from the Form pane to the Form page pane.
5 Enter the text you want to add.
6 Click outside of the element to save the changes.
7 Click Finish.

Insert an Externally Defined Field in a Custom Resource Form
You can insert a new field and assign it an external value definition to dynamically provide read-only information that consumers can see on the item details page when they provision a custom resource.
Configuring vRealize Automation When the form is presented to your consumers, the script action retrieves your custom information and displays it to your consumer. Designing an XaaS Blueprint Form When you create an XaaS blueprint, you can edit the form of the blueprint by adding new fields to the form, modifying the existing fields, deleting, or rearranging fields. You can also create new forms and form pages, and drag and drop new fields to them.
5 Enter a name and, optionally, a description.
6 Select the screen type from the Screen type menu.

Option: Catalog item details
Description: A catalog item details page that consumers see when they click a catalog item.

Option: Request form
Description: The default XaaS blueprint form. The consumers see the request form when they request the catalog item.

7
Configuring vRealize Automation 11 Edit the default value of the element. Option Description Not set Gets the value of the element you are editing from the vRealize Orchestrator workflow presentation. Constant Sets the default value of the element you are editing to a constant value that you specify. Field Binds the default value of the element to a parameter of another element from the representation. Conditional Applies a condition.
Configuring vRealize Automation 14 Click Submit. 15 Click Finish. Add a New Element When you edit the default generated form of a XaaS blueprint, you can add a predefined new element to the form. For example, if you do not want to use a default generated field, you can delete it and replace it with a new one. Prerequisites n Log in to the vRealize Automation console as a tenant administrator or XaaS architect. n Add an XaaS Blueprint. Procedure 1 Select Design > XaaS > XaaS Blueprints.
Configuring vRealize Automation What to do next You can edit the element to change the default settings and apply various constraints or values. Insert a Section Header in a XaaS Blueprint Form You can insert a section header to split the form into sections. Prerequisites n Log in to the vRealize Automation console as a tenant administrator or XaaS architect. n Add an XaaS Blueprint. Procedure 1 Select Design > XaaS > XaaS Blueprints. 2 Click the XaaS blueprint you want to edit.
Configuring vRealize Automation Designing a Resource Action Form When you create a resource action, you can edit the form of the action by adding new fields to the form, modifying the existing fields, deleting, or rearranging fields. You can also create new forms and form pages, and drag and drop new fields to them. Add a New Resource Action Form When you edit the default generated form of a workflow you want to publish as a resource action, you can add a new resource action form.
Configuring vRealize Automation n Create a Resource Action. Procedure 1 Select Design > XaaS > Resource Actions. 2 Click the resource action you want to edit. 3 Click the Form tab. 4 Drag an element from the New Fields pane and drop it to the Form page pane. 5 Enter the ID of a workflow input parameter in the ID text box. 6 Enter a label in the Label text box. Labels appear to consumers on the forms. 7 (Optional) Select a type for the field from the Type drop-down menu.
Procedure
1 Select Design > XaaS > Resource Actions.
2 Click the resource action you want to edit.
3 Click the Form tab.
4 Locate the element you want to edit.
5 Click the Edit icon.
6 Enter a new name for the field in the Label text box to change the label that consumers see.
7 Edit the description in the Description text box.
8 Select an option from the Type drop-down menu to change the display type of the element.
Configuring vRealize Automation 13 Add one or more values for the element on the Values tab. The options available depend on the type of element you are editing. Option Description Not set Gets the value of the element you are editing from the vRealize Orchestrator workflow presentation. Predefined values Select values from a list of related objects from the vRealize Orchestrator inventory. Value a Enter a value in the Predefined values search box to search the vRealize Orchestrator inventory.
Prerequisites
- Log in to the vRealize Automation console as a tenant administrator or XaaS architect.
- Create a Resource Action.

Procedure
1 Select Design > XaaS > Resource Actions.
2 Click the resource action you want to edit.
3 Click the Form tab.
4 Drag the Text element from the New Fields pane to the Form page pane.
5 Enter the text you want to add.
6 Click outside of the element to save the changes.
7 Click Finish.
Configuring vRealize Automation 2 Create an XaaS Blueprint for Creating a User You create the Create a user in a group XaaS blueprint so that you can run the workflow that adds an Active Directory user and assigns the user to an Active Directory group. You can create the blueprint as a standalone XaaS blueprint or as a blueprint component. In this scenario, you are creating a standalone blueprint.
Configuring vRealize Automation What to do next Create an XaaS blueprint. Create an XaaS Blueprint for Creating a User You create the Create a user in a group XaaS blueprint so that you can run the workflow that adds an Active Directory user and assigns the user to an Active Directory group. You can create the blueprint as a standalone XaaS blueprint or as a blueprint component. In this scenario, you are creating a standalone blueprint.
d Click the Visible drop-down arrow, select Constant in the drop-down menu, and select No in the drop-down menu.
You made the domain name invisible to the consumer of the catalog item.
e Click Apply to save the changes.
8 Click Next.
9 Select newUser [Test User] as an output parameter to be provisioned.
10 Click Next.
11 Click Finish.
12 On the XaaS Blueprints page, select the Create a test user row and click Publish.
9 Click Next.
10 (Optional) Leave the form as is.
11 Click Finish.
12 On the Resource Actions page, select the Change the password of the Test User row and click Publish.

You created a resource action for changing the password of a user, and you made it available to add to an entitlement.

What to do next
Add the Create a test user blueprint to a service. See Create a Service and Add Creating a Test User Blueprint to the Service.
What to do next
You can entitle users to request the blueprint and run the action. See Entitle the Service and the Resource Action to a Consumer.

Entitle the Service and the Resource Action to a Consumer
Business group managers and tenant administrators can entitle the service and the resource action to a user or a group of users.
What to do next
Log in as a user who is entitled to create an Active Directory user. On the Catalog tab, verify that the XaaS blueprint creates the user as expected. After the user is created, run the change password action from the Items tab.

Create and Publish an XaaS Action to Migrate a Virtual Machine
You can create and publish an XaaS resource action to extend the operations that consumers can perform on IaaS-provisioned vSphere virtual machines.
11 Click Finish.

You created a resource action for migrating a virtual machine and you can see it listed on the Resource Actions page.

What to do next
Publish the Action for Migrating a vSphere Virtual Machine.

Publish the Action for Migrating a vSphere Virtual Machine
To use the Quick migration of virtual machine resource action as a post-provisioning operation, you must publish it.

Procedure
1 Select Design > XaaS > Resource Actions.
Configuring vRealize Automation 3 Add a Submitted Action Details Form and Save the Action You can add a new form to the Migrate a virtual machine with vMotion resource action to define what the consumers see after they request to run the post-provisioning operation. 4 Publish the Action for Migrating a Virtual Machine with vMotion To use the Migrate a virtual machine with vMotion resource action as a post-provisioning operation, you must publish it.
d Click the Constraints tab.
e Select Constant from the Required drop-down menu and select Yes.
You made the host field always required.
f Click Submit.
3 Edit the priority element.
a Click the Edit icon.
b Type Priority of the task in the Label text box.
c Select Radio button group from the Type drop-down menu.
d Click the Values tab, and deselect the Not set check box.
e Enter lowPriority in the Predefined values search text box, and press Enter.
Add a Submitted Action Details Form and Save the Action
You can add a new form to the Migrate a virtual machine with vMotion resource action to define what the consumers see after they request to run the post-provisioning operation.

Procedure
1 Click the New Form icon.
2 Type Submitted action in the Name text box.
3 Leave the Description field blank.
4 Select Submitted action details from the Screen type menu.
5 Click Submit.
Configuring vRealize Automation You created and published a vRealize Orchestrator workflow as a resource action. You can navigate to Administration > Catalog Management > Actions and see the Migrate virtual machine with vMotion resource action in the list of actions. You can assign an icon to the resource action. See Assign an Icon to an XaaS Resource Action. You also edited the presentation of the workflow and defined the look and feel of the action.
7 Click Next.
8 Leave the name of the resource action and the description as they appear on the Details tab.
9 Click Next.
10 Leave the form as is.
11 Click Add.

You created a resource action for taking a snapshot of a virtual machine and you can see it listed on the Resource Actions page.

What to do next
Publish the Action for Taking a Snapshot.
Configuring vRealize Automation Procedure 1 Create a Resource Mapping for Amazon Instances You can create a resource mapping to associate Amazon instances provisioned by using IaaS with the vRealize Orchestrator type AWS:EC2Instance exposed by the Amazon Web Services plug-in. 2 Create a Resource Action to Start an Amazon Virtual Machine You can create a resource action so that the consumers can start provisioned Amazon virtual machines.
Prerequisites
Log in to the vRealize Automation console as an XaaS architect.

Procedure
1 Select Design > XaaS > Resource Actions.
2 Click Add.
3 Select Orchestrator > Library > Amazon Web Services > Elastic Cloud > Instances and select the Start Instances workflow in the workflows folder.
4 Click Next.
5 Select EC2 Instance from the Resource type drop-down menu.
This is the name of the resource mapping you previously created.
Configuring vRealize Automation What to do next Add the start instances action to the entitlement that includes the Amazon catalog item. See Entitle Users to Services, Catalog Items, and Actions. Troubleshooting Incorrect Accents and Special Characters in XaaS Blueprints When you create XaaS blueprints for languages that use non-ASCII strings, the accents and special characters are displayed as unusable strings.
2 Click Blueprints.
3 Point to the blueprint to publish and click Publish.
4 Click OK.

The blueprint is published as a catalog item but you must first entitle it to make it available to users in the service catalog.

What to do next
Add the blueprint to the catalog service and entitle users to request the catalog item for machine provisioning as defined in the blueprint.
Configuring vRealize Automation Figure 3‑5. Workflow for Assembling Composite Blueprints Blueprint architects create reusable blueprint components for the design library. Do you want to publish a vRealize Orchestrator workflow as an XaaS blueprint? Yes Identify (or create) a published XaaS blueprint. No Identify (or create) a published Software component.
Configuring vRealize Automation n Understanding Nested Blueprint Behavior You can reuse blueprints by nesting them in another blueprint as a component. You nest blueprints for reuse and modularity control in machine provisioning, but there are specific rules and considerations when you work with nested blueprints. n Selecting a Machine Component that Supports Software Components You deliver Software components by placing them on top of supported machine components when you assemble blueprints.
Configuring vRealize Automation n When you edit a published blueprint, you are not changing deployments that are already provisioned by using that blueprint. At the time of provisioning, the resulting deployment reads current values from the blueprint, including from its nested blueprints. The only changes you can pass on to provisioned deployments are edits to software components, for example edits to update or uninstall scripts.
Configuring vRealize Automation Networking and Security Rules and Considerations for Nesting Blueprints n Networking and security components in outer blueprints can be associated with machines that are defined in nested blueprints. n NSX network, security, and load balancer components and their settings are not supported in nested blueprints. n When app isolation is applied in the outer blueprint, it overrides app isolation settings specified in nested blueprints.
Configuring vRealize Automation Software Component Considerations for Nesting Blueprints For scalable blueprints, it is a best practice to create single layer blueprints that do not reuse other blueprints. Normally, update processes during scale operations are triggered by implicit dependencies such as dependencies you create when you bind a software property to a machine property. However, implicit dependencies in a nested blueprint do not always trigger update processes.
Configuring vRealize Automation Creating Property Bindings Between Blueprint Components In several deployment scenarios, a component needs the property value of another component to customize itself. You can bind properties of XaaS, machines, Software, and custom properties to other properties in a blueprint. For example, your software architect might modify property definitions in the life cycle scripts of a WAR component.
Configuring vRealize Automation Creating Explicit Dependencies and Controlling the Order of Provisioning If you need information from one of your blueprint components to complete the provisioning of another component, you can draw an explicit dependency on the design canvas to stagger provisioning so the dependent component is not provisioned prematurely. Explicit dependencies control the build order of a deployment and always trigger dependent updates during a scale in or scale out operation.
Configuring vRealize Automation Blueprints and Actions are published as Catalog Items and Actions Create a Service Add a Catalog Item to a Service Do you want to apply approval policies to one or more catalog items that are included in the Service? No Yes Do you have an approval policy applicable to the Catalog Items in Service? No Create an approval policy now or later? Now Yes Later Create an Approval Policy Create an Entitlement without approval policies Create an Entitlement with approval
Table 3‑65. Configuring the Service Catalog Checklist
Task | Required Role | Details
Add a service. | tenant administrator or catalog administrator | See Add a Service.
Add a catalog item to a service. | tenant administrator or catalog administrator | See Add Catalog Items to a Service.
Configure the catalog item in the service. | tenant administrator or catalog administrator | See Configure a Catalog Item.
Create and apply entitlements to the catalog item. | |
Prerequisites
Log in to the vRealize Automation console as a tenant administrator or catalog administrator.
Procedure
1 Select Administration > Catalog Management > Services.
2 Click the New icon.
3 Enter a name and description. These values appear in the service catalog for the catalog users.
4 To add a specific icon for the service in the service catalog, click Browse and select an image. The supported image file types are GIF, JPG, and PNG.
7 Click Add.
What to do next
Associate catalog items with a service so that you can entitle users to the items. See Add Catalog Items to a Service.

Add Catalog Items to a Service
Add catalog items to services so that you can entitle users to request the items in the service catalog. A catalog item can be associated with only one service.
Prerequisites
- Log in to the vRealize Automation console as a tenant administrator or catalog administrator.
Configuring vRealize Automation Published Catalog Items A catalog item is a published blueprint. Published blueprints can also be used in other blueprints. The reuse of blueprints in other blueprints is not displayed in the catalog items list. The published catalog items can also include items that are only components of blueprints. For example, published software components are listed as catalog items, but they are available only as part of a deployment.
2 Select the catalog item and click Configure.
3 Configure the catalog item settings.
Option | Description
Icon | Browse for an image. The supported image file types are GIF, JPG, and PNG. The displayed image is 40 x 40 pixels. If you do not select a custom image, the default catalog icon appears in the service catalog.
Status | Possible values include Active, Inactive, and Staging.
- Active.
- Verify that you have at least one published action. See Publish a Blueprint and Publish a Resource Action.
Procedure
1 Select Administration > Catalog Management > Actions.
2 Select the shared action and click View Details.
3 Browse for an image.
4 To view the entitlements where the action is made available to users, click the Entitlements tab.
5 Click Update.
What to do next
Entitle Users to Services, Catalog Items, and Actions.
- Actions in Entitlements
  Actions run on deployed catalog items. Provisioned catalog items, and the actions you are entitled to run on them, appear in your Items tab. To run actions on a deployed item, the action must be included in the same entitlement as the catalog item that provisioned the item from the service catalog.
- Approval Policies in Entitlements
  Approval policies are applied in entitlements so that you can manage resources in your environment.
Configuring vRealize Automation For example, an item includes a machine and software. The machine is available as a provisionable item and has an approval policy that requires site manager approval. The software is not available as a standalone, provisionable item, only as part of a machine request, but the approval policy for the software requires approval from your organization's software licensing administrator.
- When you entitle service catalog users to the Change Lease, Change Owner, Expire, Reconfigure and other actions that can apply to machines and to deployments, entitle them to both actions.

Approval Policies in Entitlements
Approval policies are applied in entitlements so that you can manage resources in your environment. To apply an approval policy when you create the entitlement, the policy must already exist.
3 Configure the Details options. Details determine how the entitlement appears in the entitlement list and which users have access to the items in the service catalog.
Option | Description
Name and Description | Information about the entitlement that appears in the entitlements list.
Expiration Date | Set the date and time if you want the entitlement to become inactive on a particular date.
Status | Possible values include Active, Inactive, and Deleted.
5 Click a New icon to entitle users to services, catalog items, or actions with this entitlement. You can create an entitlement with various combinations of the services, items, and actions.
Option | Description
Entitled Services | Add a service when you want to allow entitled users access to all the published catalog items associated with the service. An entitled service is a dynamic entitlement.
9 Click OK. The service, item, or action is added to the entitlement.
10 Click Finish to save the entitlement. If entitlement status is active, the service and items are added to the service catalog.
What to do next
Verify that the entitled services and catalog items appear in the service catalog for the entitled users and that the requested items provision the target objects as expected. You can request the item on behalf of the selected users.
Prerequisites
Log in to the vRealize Automation console as a tenant administrator or catalog administrator.
Procedure
1 Select Administration > Catalog Management > Entitlements.
2 Click the Prioritize icon.
3 Select a business group from the Business Group drop-down list.
4 Drag an entitlement to a new location in the list to change its priority.
5 Select an update method.
Option | Description
Update | Saves your changes.
Finally, when a service catalog user requests an item to which an approval policy is applied, the approvers approve or reject the request on their Inbox tab, on the Approvals page. The requesting user can track the approval status for a specific request on their Requests tab.
Table 3‑68. Examples of Approval Policies and Results (Continued)
Governance Goals | Selected Policy Type | Pre or Post Approval
To manage virtual infrastructure resources and to control prices, you add two preapproval levels because one approval is for machine resources and the other is for price of machine per day. | Service Catalog - Catalog Item Request Virtual Machine | Add To Pre Approval tab
Configuring vRealize Automation Table 3‑68. Examples of Approval Policies and Results (Continued) Governance Goals Selected Policy Type Pre or Post Approval When is Approval Required Level 2 Select Required based on conditions. Configure the condition Price > 15.00 per day. For parameterized blueprint catalog items, a cloud administrator must approve deployment requests in which a vSphere machine component profile of size is set to large.
Configuring vRealize Automation Example Blueprint In this example, you configure a blueprint that includes a nested blueprint with a virtual machine. n Blueprint 1 - Continuous Integration Blueprint n Blueprint 2 - Pre-Production Blueprint n Virtual Machine 1 - TestAsAService vSphere VM Approval Policies for Destroy Actions You configure the two approval policies to destroy provisioned items. A Destroy - Deployment action can run on Blueprint 1 or Blueprint 2 in this example.
Entitlement Name | Approval Policy on Actions
Entitlement 1 | Policy A (Destroy Deployment Approval Policy) on Destroy Deployment action only
Entitlement 2 | Policy B (Destroy Virtual Machine Policy) on Destroy - Virtual Machine action only
Entitlement 3 | Policy A (Destroy Deployment Approval Policy) on Destroy Deployment action and Policy B (Destroy Virtual Machine Policy) on Destroy - Virtual Machine action

User Action Approval Request
- QE Testing includes RHEL vSphere virtual machine
- QE Training includes RHEL vSphere virtual machine
Services
- The QE Testing blueprint is associated with the Testing service
- The QE Training blueprint is associated with the Training service
Entitlements
- Entitlement 1
- Entitlement 2
Table 3‑69.
[Figure: approval request flow. A user requests an item in the service catalog. If approval is required on the item or a component, the approval request is sent to the approver's Inbox tab. If the approver rejects the request, the requester is notified of the rejection on the Requests tab. If the approver approves the request, or no approval is required, the item is provisioned; it appears on the requester's Request tab while in progress and on the requester's Item tab when provisioned.]

Create an Approval Policy
Tenant administrators and approval administrators can define approval policies and use them in entitlements.
Configuring vRealize Automation 3 Configure the Approval Form to Include System and Custom Properties You can add system and custom properties that appear on an approval form. You add these properties so that the approvers can change the values of system properties for machine resource settings such as CPU, lease, or memory, and custom properties before they complete an approval request.
Configuring vRealize Automation 5 Enter a name and, optionally, a description. 6 Select the state of the policy from the Status drop-down menu. Option Description Draft Saves the approval policy in an editable state. Active Saves the approval policy in a read-only state that you can use in an entitlement. Inactive Saves the approval policy in a read-only state that you cannot use in an entitlement until you activate the policy. What to do next Create the pre-approval and post-approval levels.
4 Select the approvers.
Option | Action
Specific Users and Groups | Sends the approval request to the selected users.
Determine approvers from the request | Sends the approval request to the users based on the defined condition.
Use event subscription | Processes the approval request based on defined event subscriptions. The workflow subscription must be defined in Administration > Events > Subscriptions. The applicable workflow subscriptions are pre-approval and post-approval.
Procedure
1 On the Pre Approval or Post Approval tab, click the New icon.
2 Click the System Properties tab.
3 Select the check box for each system property that you want the approver to configure during the approval process.
4 Configure the custom properties. Add one or more custom properties that you want the approver to configure during the approval process.
a Click the Custom Properties tab.
b Click the New icon.
c Enter the custom property values.
- Add Approval Policy Settings
  You configure the basic information about the approval policy, including the state of the policy, so that you can manage the policy.
- Add Level Information to Approval Policy Settings
  An approval level includes the conditions that trigger an approval process when the service catalog user requests the item, and any system properties and custom properties that you want to include.
Configuring vRealize Automation Table 3‑70. Approval Policy Type Options Option Description Select an approval policy type Create an approval policy based on the policy request type. Select this option to define an approval policy that is applicable to all catalog items of that type. The request type can be a generic request, a catalog item request, or a resource action request. The available condition configuration options vary depending on the type.
Table 3‑71. Approval Policy Options (Continued)
Option | Description
Status | Possible values include:
- Draft. The approval policy is not available to apply in entitlements. After you make a policy active, you can never return it to draft.
- Active. The approval policy is available to apply in entitlements.
- Inactive. The approval policy is not available to apply in entitlements.
Policy Type |
To define the basic approval policy information, select Administration > Approval Policies. Click New. Select the policy type and click OK. On the Pre Approval or Post Approval tab, click the New icon.
You prioritize levels based on the order that you want them processed. When the approval policy is triggered, if the first level of approval is rejected, the request is rejected.
Table 3‑72. Level Information Options
Option | Description
Name | Enter a name.
Configuring vRealize Automation Table 3‑72. Level Information Options (Continued) Option Description Specific Users and Groups Sends the approval request to the selected users. Select the users or user groups that must approve the service catalog request before it is provisioned or an action runs. For example, the request goes to the virtual infrastructure administrator group with Anyone can approve selected.
To select system properties, select Administration > Approval Policies. Click New. Select the policy type and click OK. On the Pre Approval or Post Approval tab, click the New icon and click the System Properties tab.
Table 3‑73. System Properties Options
Option | Description
Properties | The list of available system properties depends on the selected request type or catalog item, and whether system properties exist for the item.
Configuring vRealize Automation Prerequisites Log in to the vRealize Automation console as a tenant administrator or approval administrator. Procedure 1 Select Administration > Approval Policies. 2 Select the row of the approval policy to copy. 3 Click the Copy icon ( ). A copy of the approval policy is created. 4 Select the new approval policy to edit. 5 Enter a name in the Name text box. 6 (Optional) Enter a description in the Description text box.
2 Click the approval policy name.
3 Click View Linked Entitlements.
a In the Replace All With drop-down menu, select the new approval policy. If the list includes more than one entitlement, the new approval policy is applied to all the listed entitlements.
b Click OK.
4 After you verify that no entitlements are linked to the approval policy, select Inactive from the Status drop-down menu.
5 Click OK.
Configuring vRealize Automation Scenario: Create and Apply CentOS with MySQL Approval Policies As the tenant administrator for the development and quality engineering business group, you want to apply strict governance to catalog item requests. Before your users can provision the CentOS with MySQL catalog item, you want your vSphere virtual infrastructure administrator to approve the machine request and you want your software manager to approve the software request.
d Click OK.
e Configure the following options:
Option | Configuration
Name | Enter CentOS on vSphere CPU or Memory VM.
Description | Enter Requires VI Admin approval for CPU>2 or Memory>2048.
Status | Select Active.
3 On the Pre Approval tab, click the Add icon.
4 Configure the Level Information tab with the triggering criteria and the approval actions.
a In the Name text box, enter CPU>2 or Memory>2048 - VI Admin.
Configuring vRealize Automation In some environments you might need this type of approval because license keys must be provided by the software manager. In this scenario, you only need the software manager to track and approve the request. After you create the approval policy, you apply the policy to the MySQL for Linux Virtual Machines catalog item. This approval policy is very specific and can only be applied to the MySQL for Linux Virtual Machines Software component in the entitlements.
Configuring vRealize Automation Scenario: Apply Approval Policies to CentOS with MySQL Components As the tenant administrator, you can create approval policies and entitlements. You modify the Dev and QE entitlement to apply the approval policies that you created so that approvals are triggered when a service catalog user requests the item.
5 Add the MySQL for Linux Virtual Machine software component as an item and apply an approval policy to the MySQL item.
a Click the Add Catalog Items and Components icon beside the Entitled Catalog Items and Components heading.
b In the Catalog Items and Components drop-down menu, select No. Software components are always associated with a machine. They are not available to individually request in the service catalog.
Request Machine Provisioning By Using a Parameterized Blueprint
When you request machine provisioning for a vSphere machine blueprint that has been designed to include the size or image component profiles, you specify provisioning settings by selecting an available value set. When you request provisioning from the catalog, you can select from available value set choices for the Size and Image component profiles.
Configuring vRealize Automation 4 Select an image value set option from the Image drop-down menu. 5 Select a size value set option from the Size drop-down menu. 6 Click Submit. What to do next The value sets that you defined for the Size and Image component profiles are now available on the Image and Size drop-down menus on the Catalog tab in the catalog provisioning request form.
Configuring vRealize Automation Procedure 1 Scenario: Create a Development and Quality Engineering Catalog Service As the tenant administrator, you want to create a separate catalog service for your development and quality engineering group so your other groups, such as finance and human resources, don't see the specialized catalog items. You create a catalog service called Dev and QE Service to publish all the catalog items development and engineering need to run their test cases.
Scenario: Add CentOS with MySQL to Your Dev and QE Service
As the tenant administrator, you want to add the CentOS with MySQL catalog item to the Dev and QE service.
Procedure
1 Select Administration > Catalog Management > Services.
2 Select the Dev and QE Service row in the Services list and click Manage Catalog Items.
3 Click the New icon.
4 Select CentOS with MySQL.
d In the Users and Groups area, add one or more users. Add yourself only, unless you are certain that the blueprint is working as intended. If it is, you can add individual users and you can add custom user groups.
e Click Next.
4 Add the service.
Configuring vRealize Automation What to do next After you verify your work by provisioning the CentOS with MySQL catalog item, you can add additional users to the entitlement to make the catalog item publicly available to your development and quality engineering users. If you want to further govern the provisioning of resources in your environment, you can create approval policies for the MySQL Software component and the CentOS for Software Testing machine.
Configuring vRealize Automation Table 3‑75. Action Menu Commands Action Resource Type Description Associate Floating IP Machine (OpenStack) Associate a floating IP address with an OpenStack machine. Cancel Reconfigure Machine Cancel a running reconfiguration action. Change Lease Deployment and Machine Change the number of days remaining in the lease for either a specific machine or for all resources included in a deployment. If you do not provide a value, the lease does not expire.
Configuring vRealize Automation Table 3‑75. Action Menu Commands (Continued) Action Resource Type Description Connect using ICA Machine (Citrix) Connect to the Citrix machine using the Independent Computing Architecture. Connect using RDP Machine Connect to the machine by using Microsoft Remote Desktop Protocol. Connect using SSH Machine Connect to the selected machine by using SSH.
Configuring vRealize Automation Table 3‑75. Action Menu Commands (Continued) Action Resource Type Description Destroy Cloud Machine, Deployment, Virtual Machine, and NSX Edge Immediately destroy a provisioned resource. You must run this action to destroy XaaS resources, even if they are part of a deployment you are destroying. Other resources are destroyed when their lease or their archival period ends. Except for XaaS, destroying components of a deployment is not a best practice.
Configuring vRealize Automation Table 3‑75. Action Menu Commands (Continued) Action Resource Type Description deployment. For more information on using force destroy, see Force Destroy a Deployment After a Failed Destroy Request. Note Storage and memory that are assigned to a provisioned machine by a reservation are released when the machine to which they are assigned is deleted in vRealize Automation by the Destroy action.
Configuring vRealize Automation Table 3‑75. Action Menu Commands (Continued) Action Resource Type Description Power Cycle Machine Power off the machine, then power it back on. Power Off Machine Power off the machine without shutting down the guest operating system. Power On Machine Power on the machine. If the machine was suspended, normal operation resumes from the point at which the machine was suspended. Reboot Machine Reboot the guest operating system on a vSphere virtual machine.
Configuring vRealize Automation Table 3‑75. Action Menu Commands (Continued) Action Resource Type Description Register VDI Virtual Machine (XenServer) Register the virtual disk image on XenServer items. Reprovision Machine Destroys the machine, then initiates the provisioning workflow to create a machine with the same name.
Configuring vRealize Automation Table 3‑75. Action Menu Commands (Continued) Action Resource Type Description Scale In Deployment Destroy unneeded instances of machines in your deployment to adjust to reduced capacity requirements. Machine components and any software components installed on them are destroyed. Dependent software components and networking and security components are updated for the new deployment configuration.
Configuring vRealize Automation Table 3‑75. Action Menu Commands (Continued) Action Resource Type Description Scale Out Deployment Provision additional instances of machines in your deployment to adjust to expanding capacity requirements. Machine components and any software components installed on them are provisioned. Dependent software components and networking and security components are updated for the new deployment configuration.
Configure a Metrics Provider
You can configure vRealize Automation to use vRealize Operations Manager health and resource metrics for vSphere virtual machines. For more information about vRealize Operations Manager health badges and metrics, see the vRealize Operations Manager documentation.
Prerequisites
- Log in to the vRealize Automation console as a tenant administrator, business group manager, or machine owner.
Prerequisites
- Log in to the vRealize Automation console as a tenant administrator.
- (Optional) To see health badges or view metrics provided by vRealize Operations Manager, see Configure a Metrics Provider.
Procedure
1 Select Administration > Reclamation > Deployments.
Configuring vRealize Automation 2 Find virtual machine deployments that match your search criteria. You must select platform type vSphere to view metrics provided by vRealize Operations Manager. a Click the Advanced Search down arrow to open the search box. b Enter or select one or more search values. Option Action Virtual Machine name contains Enter one or more characters in the text box to find virtual machine names that match.
Configuring vRealize Automation 4 Click Reclaim. The deployments that contain virtual machines that are selected on the current page are included in the request. Note The Reclaim Deployment page can list machines that are not available for reclamation, such as machines for which the lease has expired. If you specify a machine that is not available for reclamation, you receive the following error: Selection Error: Virtual machine name is not in valid state for reclamation.
Configuring vRealize Automation Procedure 1 Select Administration > Reclamation > Reclamation Requests. 2 Find the virtual machines that match your search criteria. 3 a Click the Advanced Search down arrow to open the search box. b Type or select one or more search values. Option Action Virtual Machine name contains Type one or more characters in the text box to find virtual machine names that match.
Configuring vRealize Automation Prerequisites Log in to the vRealize Automation console as a fabric administrator. Procedure 1 Select Infrastructure > Managed Machines. 2 Locate the machine with the reservation to change. 3 Click Change Reservation in the drop-down menu. You can view information about the managed machine, such as its associated blueprint and compute resource, by clicking View in the drop-down menu. 4 (Optional) Select a business group from the Business group drop-down menu.
5 Enter a name and, optionally, a description.
6 If you want to capture the memory and power settings of the machine, select Include memory.
7 Click Submit.

Connect Remotely to a Machine
You can connect remotely to a machine from the vRealize Automation console.
Prerequisites
- Log in to the vRealize Automation console as a machine owner, tenant administrator, or business group manager.
- Verify that VMware Tools is installed.
Configuring vRealize Automation Remote connections using VMware Remote Console for machines provisioned on vSphere are secured by vRealize Automation appliance certificates through a proxy console. VMware Remote Console requires WebSockets support in the browser and browsers must trust the vRealize Automation appliance certificate. The certificate can be obtained by going to the root-level virtual appliance at an address of the form https://vra-va.eng.mycompany.com/.
Configuring vRealize Automation 8 9 Click the Authorities tab in the Certificate Management text box. Option Action Windows Select Preference > Advanced > Certificates from the Firefox menu. iOS Select Preference > Advanced > Certificates from the Firefox menu and click View Certificates. Click the Authorities tab and click Import. 10 Select the certificate file you saved earlier and click Open in the text box. 11 Edit the trust settings.
Configuring vRealize Automation 9 Click Yes in the Security Warning dialog box to install the certificate. 10 Restart the browser. You can connect to the remote console without certificate errors. Configure Chrome to Trust a Certificate for vRealize Automation Appliance Untrusted vRealize Automation appliance certificates must be manually imported to client browsers to support VMware Remote Console on clients provisioned on vSphere.
Configuring vRealize Automation When vRealize Automation fails to destroy a deployment resource during a destroy deployment operation, the destroy operation stops immediately without destroying the remaining deployment resources. This failure leaves the deployment in an inconsistent state, using up resources with no obvious way of destroying the deployment. Business group administrators can force destroy deployments that are left in this inconsistent state.
- The action is not applicable to the selected item type. If the item does not support the action, it does not appear in the list. For example, the Create Snapshot action is not available for a physical machine, and the Connect by Using RDP action is not available if the selected item is a Linux machine.
- The action is applicable for the provisioned resource type, but the action is disabled in the Infrastructure blueprint.
2 Locate the workflow logs in vRealize Orchestrator using the Control Center.
a Enter the base URL for vRealize Automation in a browser search box. The VMware vRealize Automation Appliance page appears.
b Click vRealize Orchestrator Control Center.
c Log in as a user with root privileges.
d Click Inspect Workflows.
e Click Finished Workflows.
f Paste the workflow token in the Token ID text box. The list displays only the workflow that matches the token ID.
Prerequisites
- Log in to the vRealize Automation console as a machine owner, support user, business group user with a shared access role, or business group manager.
- The machine you want to reconfigure must have the status On or Off with no active reconfigure status.
- The machine type must be vSphere, vCloud Air, or vCloud Director, although the NSX settings apply only to vSphere.
- Verify that you are entitled to reconfigure a machine.
Configuring vRealize Automation Prerequisites Specify Machine Reconfiguration Settings and Considerations for Reconfiguration. Procedure 1 Click the General tab. 2 Enter the number of CPUs in the # CPUs text box. 3 Enter the amount of memory in the Memory (MB) text box. 4 Enter the amount of storage in the Storage (GB) text box. What to do next Specify additional machine reconfiguration settings. If you have finished changing machine settings, start the machine reconfiguration request.
3 Delete a volume.
a Locate the volume.
b Click the Delete icon. An unselectable icon indicates an undeletable volume such as one from a linked clone.
4 Increase the size of a volume. You cannot reduce the size of existing volumes. Volume size is limited by the total amount of storage specified in the blueprint, less the amount allocated to other volumes.
a Locate the volume.
b Click the Edit icon.
c Type the new size in the Capacity (GB) text box.
Configuring vRealize Automation Changing NSX network settings is not supported for deployments that were upgraded or migrated from vRealize Automation 6.2.x to this vRealize Automation release. Prerequisites Specify Machine Reconfiguration Settings and Considerations for Reconfiguration. Procedure 1 Click the Network tab. 2 (Optional) Add a network adapter. a Click New Network Adapter. b Select a network from the Network Path drop-down menu.
Configuring vRealize Automation Prerequisites Specify Machine Reconfiguration Settings and Considerations for Reconfiguration. Procedure 1 Click the Properties tab. 2 To add a property, click New Property. 3 Enter the property name in the Name text box. 4 Enter the property value in the Value text box. 5 Select the Encrypted check box to encrypt the value. 6 Select the Prompt user check box to prompt users for the value when they request the machine.
Configuring vRealize Automation 4 (Optional) Select a power action from the Power action drop-down menu. Option Description Reboot if required (Default) If required, reboot the machine before reconfiguring it. Reboot Reboot the machine before reconfiguring it, regardless of whether reboot is required. Do not reboot Do not reboot the machine before reconfiguring it, even if reboot is required.
Reconfigure a Load Balancer in a Deployment
You can add, edit, or delete a virtual server in a deployed NSX load balancer.
The following considerations apply to deployments that originated in vRealize Automation 7.2 or earlier:
- Load balancer reconfiguration is limited to deployments that contain a single load balancer.
- The Items detail page for any load balancer in a deployment displays the virtual servers that are used by all the load balancers in the deployment.
Configuring vRealize Automation Procedure 1 Select Items > Deployment. 2 Locate the deployment and display its children components. 3 Select the NSX load balancer to edit. 4 Select Reconfigure from the Actions menu. 5 Add, edit, or remove virtual servers. 6 When you have finished adding, editing, or deleting virtual servers click Submit to submit the reconfiguration request.
Configuring vRealize Automation 2 Locate the deployment and display its children components. 3 Select the NAT network component to edit. 4 Click Change NAT Rules from the Actions menu. 5 Add new NAT port forwarding rules, reorder rules, edit existing rules, or delete rules. 6 When you have finished making changes, click Save or Submit to submit the reconfiguration request.
Configuring vRealize Automation 4 Select the deployed machine component or cluster in which to add or remove security items. 5 Add or remove existing security groups and security tags for each machine component or cluster in the deployment as required. 6 Remove on-demand security groups for each machine component or cluster in the deployment as required. 7 (Optional) Click the Reason tab and enter a reason for the request.