Installation and Configuration vRealize Automation 6.
You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

If you have comments about this documentation, submit your feedback to docfeedback@vmware.com

VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com

Copyright © 2008–2016 VMware, Inc. All rights reserved. Copyright and trademark information.
Contents

vRealize Automation Installation and Configuration
Updated Information
1 vRealize Automation Installation Overview
  vRealize Automation Installation Components
    VMware Identity Appliance
    VMware vRealize Appliance
    vRealize Automation Infrastructure as a Service
  Choosing Your Deployment Path
    Upgrading vRealize Automation
    Migrating to vRealize Automation
  Minimal Deployment Overview
  Distributed Deployment Overview
2 Preparing for Installation
  DNS and

Deploy and Configure the Identity Appliance
  Deploy the Identity Appliance
  Enable Time Synchronization on the Identity Appliance
  Configure the Identity Appliance
Deploy and Configure the vRealize Appliance
  Deploy the vRealize Appliance
  Enable Time Synchronization on the vRealize Appliance
  Configure the vRealize Appliance
Installing IaaS Components
  Enable Time Synchronization on the Windows Server
  IaaS Certificates
  Install the In

Agent Installation Location and Requirements
Installing and Configuring the Proxy Agent for vSphere
  vSphere Agent Requirements
  Install the vSphere Agent
  Configure the vSphere Agent
Installing the Proxy Agent for Hyper-V or XenServer
  Hyper-V and XenServer Requirements
  Install the Hyper-V or XenServer Agent
  Configure the Hyper-V or XenServer Agent
Installing the VDI Agent for XenDesktop
  XenDesktop Requirements
  Set the XenS

Updating the Identity Appliance Certificate
  Replace a Certificate in the Identity Appliance
  Update the vRealize Appliance with the Identity Appliance Certificate
Updating the vRealize Appliance Certificate
  Replace a Certificate in the vRealize Appliance
  Update SSO Registration for the vRealize Appliance
  Update the IaaS Servers with the vRealize Appliance Certificate
Updating the IaaS Certificate
  Replace the Internet Information Se

Adding an Endpoint Causes an Internal Error
Error in Manager Service Communication
Machine Requests Fail When Remote Transactions Are Disabled
Credentials Error When Running the IaaS Installer
Attempts to Log In as the IaaS Administrator with Incorrect UPN Format Credentials Fails with No Explanation
Email Customization Behavior Has Changed
Changes Made to /etc/hosts Files Might Be Overwritten
Network Settings Were Not Successfully Applied
V
vRealize Automation Installation and Configuration

vRealize Automation Installation and Configuration explains how to install and configure VMware vRealize™ Automation.

Note: Not all features and capabilities of vRealize Automation are available in all editions. For a comparison of feature sets in each edition, see https://www.vmware.com/products/vrealize-automation/.
Updated Information

The following table provides update history for the Installation and Configuration guide.

Revision        Description
EN-001649-07    - Revisions for vRealize Automation 6.2.5 including minor updates and bug fixes.
                - Revised Specify Server and Account Settings
EN-001649-06    - Installation instructions for vRealize Automation 6.2.4 including minor updates and bug fixes.
EN-001649-05    - Enhanced Distributed Deployment procedures for appliance database configuration.
Revision        Description
EN-001649-01    - Updated IaaS Windows Server requirements to specify Java 1.7 and .NET 4.5.1 and later. See IaaS Web Service and Model Manager Server Requirements.
                - Various editorial changes and defect fixes.
                - Revised and updated documentation for Management Agents.
1 vRealize Automation Installation Overview

vRealize Automation can be deployed in a variety of configurations. To ensure a successful deployment, understand the deployment and configuration options and the sequence of tasks required.

After installation, system administrators can customize the installation environment and configure one or more tenants, which sets up access to self-service provisioning and life-cycle management of cloud services.
- vRealize Automation Infrastructure as a Service
  Infrastructure as a Service (IaaS) enables the rapid modeling and provisioning of servers and desktops across virtual and physical, private and public, or hybrid cloud infrastructures.

VMware Identity Appliance

Identity Appliance is a preconfigured virtual appliance that provides single sign-on (SSO) capabilities for the vRealize Automation environment.
IaaS Website

The IaaS Website component, also called the Model Manager Web, provides the infrastructure administration and service authoring capabilities to the vRealize Automation console. The Website component communicates with the Model Manager, which provides it with updates from the Distributed Execution Manager (DEM), proxy agents, and database.

Model Manager

vRealize Automation models facilitate integration with external systems and databases.
One DEM Orchestrator instance is designated as the active Orchestrator that performs these tasks. Because the DEM Orchestrator is essential to run workflows, install at least one additional Orchestrator instance on a separate machine for redundancy. The Orchestrator is automatically installed on the machine that also runs the Manager Service.
Choosing Your Deployment Path

You can upgrade from an earlier vCloud Automation Center 6.x version, migrate from a supported vCloud Automation Center 5.2.x version, or install vRealize Automation for the first time.

Table 1‑1. Choosing Your Deployment Path

Your Currently Installed Version    How to install the latest vRealize Automation
vCloud Automation Center 5.2.1      Migrate to vCloud Automation Center 6.
Table 1‑2. Supported Upgrade Paths

Your Currently Installed Version    Documentation for Incremental Upgrades
vCloud Automation Center 6.0        Perform upgrades in the following order:
                                    - Upgrading vCloud Automation Center 6.0 to 6.0.1
                                    - Upgrading to vCloud Automation Center 6.1
                                    - Upgrading to vRealize Automation 6.2 or Later
vCloud Automation Center 6.0.1      Perform upgrades in the following order:
                                    - Upgrading to vCloud Automation Center 6.
Minimal Deployment Overview

To complete a minimal deployment, the system administrator installs the Identity Appliance, the vRealize Appliance, and Infrastructure as a Service (IaaS).
- Identity Appliance, which supports single sign-on capabilities. It is installed as a virtual appliance.
- vRealize Appliance, which includes the Web console interface. It is installed as a virtual appliance.
The following figure shows the components of a distributed deployment. Each component is numbered to correspond to an entry in the Distributed Deployment Components table. The Distributed Deployment Components table describes each component and presents requirements and options for using each component.
Table 1‑3. Distributed Deployment Components

Columns: Diagram Number, Description, Requirements and Options

vRealize Appliance Load Balancer
  Requirements and Options: Only necessary if you are deploying more than one vRealize Appliance.

2 Single Sign-On Server Appliance
  Requirements and Options: One instance of a single sign-on server is required. You can use the vRealize Appliance, which is a product component, or some versions of vSphere SSO, which might be preferable for high-availability deployments.
2 Preparing for Installation

System Administrators install vRealize Automation into their existing virtualization environments. Before the installation begins, there are a number of preliminary steps that must be completed to prepare the deployment environment.
For operating system and high-level environment requirements, including information about supported browsers and operating systems, see the vRealize Automation Support Matrix.

The Hardware Requirements table shows the minimum configuration requirements for deployment of the virtual appliances and installation of IaaS components. The appliances are preconfigured virtual machines that you add to your vCenter Server or ESXi inventory.
IaaS Database Server Requirements

Your environment must meet these general requirements that support the installation of the IaaS Database (SQL Server).
- TCP/IP protocol enabled for MS SQL Server
- Microsoft Distributed Transaction Coordinator Service (MS DTC) enabled on all SQL nodes in the system. MS DTC is required to support database transactions and actions such as workflow creation.
Table 2‑2. IaaS Server Requirements

Area: Host Configuration
Requirements: The following components must be installed on the host before installing IaaS:
- Microsoft .NET Framework 4.5.1 or later
- Microsoft PowerShell 2.0 (included with Windows Server 2008 R2 SP1 and later) or Microsoft PowerShell 3.0 on Windows Server 2012 or Windows Server 2012 R2.
- Microsoft Internet Information Services 7.

Area: Microsoft SQL Database Requirements
IaaS Manager Service

Your environment must meet some general requirements that support the installation of the IaaS Manager Service.
- .NET Framework 4.5.1 or later is installed.
- Microsoft PowerShell 2.0 or Microsoft PowerShell 3.0. PowerShell 2.0 is included with Windows Server 2008 R2 SP1 and later. Microsoft PowerShell 3.0 runs on Windows Server 2012 or Windows Server 2012 R2.
- SecondaryLogOnService is running.
- If Internet access from the DEM host is through a proxy server, the DEM service must be running under credentials that can authenticate to the proxy server.

Openstack and PowerVC Requirements

The machines on which you install your DEMs must meet certain requirements to communicate with and collect data from your Openstack or PowerVC instance.

Table 2‑4. DEM Host Requirements

Your Installation    Requirements
All                  In Windows Registry, enable TLS v1.2 support for .
SCVMM Requirements

A DEM Worker that manages virtual machines through SCVMM must be installed on a host where the SCVMM console is already installed. A best practice is to install the SCVMM console on a separate DEM Worker machine. In addition, verify that the following requirements have been met.
- The DEM worker must have access to the SCVMM PowerShell module installed with the console.
- The PowerShell Execution Policy must be set to RemoteSigned or Unrestricted.
- To provision a Generation-2 machine on an SCVMM 2012 R2 resource, you must add the following properties in the blueprint.
  Scvmm.Generation2 = true
  Hyperv.Network.Type = synthetic
  Generation-2 blueprints should have an existing data-collected virtualHardDisk (vHDX) in the blueprint build information page. Having it blank causes Generation-2 provisioning to fail.

For more information, see Configure the DEM to Connect to SCVMM at a Different Installation Path.
Table 2‑7. Incoming Ports for the vRealize Appliance

Port        Protocol  Comments
22          TCP       Optional. SSH.
80          TCP       Optional. Redirects to 443.
111         TCP, UDP  RPC
443         TCP       Access to the vRealize Automation console and API calls.
5480        TCP       Access to virtual appliance Web management interface
5480        TCP       Used by Management Agent
5488, 5489  TCP       Internal. Used by vRealize Appliance for updates.
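The port table above can double as an allowlist when reviewing what an appliance actually exposes. The following is an added example, not part of the VMware guide: it compares listeners in `ss -tuln` layout against Table 2‑7, and the sample output, the function names and the three port categories are assumptions made for illustration.

```python
# Added example (not VMware code): audit listening ports against Table 2-7.

# Incoming ports for the vRealize Appliance as listed in Table 2-7.
# The "kind" labels are this example's own: "optional" and "internal" follow
# the table's Comments column, "listed" is everything else in the table.
DOCUMENTED = {
    22:   ({"tcp"}, "optional", "SSH"),
    80:   ({"tcp"}, "optional", "redirects to 443"),
    111:  ({"tcp", "udp"}, "listed", "RPC"),
    443:  ({"tcp"}, "listed", "console and API calls"),
    5480: ({"tcp"}, "listed", "management interface, Management Agent"),
    5488: ({"tcp"}, "internal", "appliance updates"),
    5489: ({"tcp"}, "internal", "appliance updates"),
}

# Listeners bound only to loopback are not reachable as incoming traffic.
LOOPBACK_PREFIXES = ("127.", "[::1]")

# Constructed sample in the layout printed by `ss -tuln`; not from a real host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:111        0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:111        0.0.0.0:*
tcp   LISTEN 0      128    [::]:443           [::]:*
tcp   LISTEN 0      128    0.0.0.0:5480       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:5488       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:5489       0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*
"""


def parse_listeners(ss_output):
    """Return the set of (protocol, port) pairs listening on non-loopback addresses."""
    found = set()
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header row or a line in another format
        address, _, port = fields[4].rpartition(":")
        if address.startswith(LOOPBACK_PREFIXES) or not port.isdigit():
            continue
        found.add((fields[0], int(port)))
    return found


def audit(ss_output):
    """Compare observed listeners with the documented incoming ports."""
    listeners = parse_listeners(ss_output)
    documented = set()
    optional = set()
    for port, (protocols, kind, _purpose) in DOCUMENTED.items():
        for protocol in protocols:
            documented.add((protocol, port))
            if kind == "optional":
                optional.add((protocol, port))
    return {
        # Exposed but absent from the table: investigate or close.
        "unexpected": sorted(listeners - documented),
        # Marked Optional in the table: confirm each is still needed.
        "optional_open": sorted(listeners & optional),
        # Documented, not optional, and not listening.
        "not_listening": sorted(documented - optional - listeners),
    }


if __name__ == "__main__":
    for finding, ports in audit(SAMPLE_SS_OUTPUT).items():
        print(finding, ports)
```
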
Table 2‑9. Incoming Ports for Infrastructure as a Service Components

Component            Port  Protocol  Comments
SQL Server instance  1433  TCP       MSSQL
Manager Service      443*  TCP       Communication with IaaS components and vRealize Appliance over HTTPS
vRealize Appliance   443   TCP       Communication with IaaS components and vRealize Appliance over HTTPS

* Any virtualization hosts managed by proxy agents must also have TCP port 443 open for incoming traffic.

Table 2‑10.
Virtual Appliance Installation

To deploy the Identity Appliance and the vRealize Appliance, you must have administrator privileges on the deployment platform (for example, vSphere administrator credentials). During the deployment process, you specify the passwords for the virtual appliance administrator accounts and the system administrator account.
The following requirements apply to the service user for IaaS services:
- The user must be a domain user.
- The user must have local Administrator privileges on all hosts on which the Manager Service or Web site component is installed. Do not do a workgroup installation.
- The user is configured with Log on as a service privileges. This privilege ensures that the Manager Service starts and generates log files.
- The user must have dbo privileges for the IaaS database.
You can update or replace certificates after deployment. For example, you may choose to use self-signed certificates during deployment, but then obtain certificates from a trusted authority before going live with your vRealize Automation implementation, or a certificate may expire.

Table 2‑11.
Third-Party Software

Some components of vRealize Automation depend on third-party software, including Microsoft Windows and SQL Server. To guard against security vulnerabilities in third-party products, ensure that your software is up-to-date with the latest patches from the vendor.

Time Synchronization

A system administrator must set up accurate timekeeping as part of the vRealize Automation installation. Installation fails if time synchronization is set up incorrectly.
3 Minimal Deployment Checklist

A system administrator can deploy a complete vRealize Automation in a minimal configuration. Minimal deployments are typically used in a development environment or as a proof of concept and require fewer steps to install.

The Minimal Deployment Checklist provides a high-level overview of the sequence of tasks you must perform to complete a minimal installation. Print out a copy of the checklist and use it to track your work as you complete the installation.
4 Minimal Deployment

You can install a standalone, minimal deployment for use in a development environment or as a proof of concept. Minimal deployments are not suitable for a production environment.
Table 4‑1. Minimal Deployment Checklist (Continued)

Task: Perform post-installation tasks such as configuring the default tenant and entering the IaaS license
Details: Chapter 7 Configuring Initial Access

Task: If needed, configure additional tenants to represent business units in an enterprise or companies that subscribe to cloud services from a service provider.
Prerequisites
- Download the Identity Appliance from the VMware Web site.
- Log in to the vSphere client as a user with system administrator privileges.

Procedure
1 In the vSphere client, select File > Deploy OVF Template.
2 Browse to the Identity Appliance file with the .ova or .ovf extension and click Open.
3 Click Next.
4 Click Next on the OVF Template Details page.
5 Accept the license agreement and click Next.
  c Wait for the machine to restart. This could take up to five minutes.
- If Power on after deployment is not available on the Ready to Complete page:
  a Click Close after the file finishes deploying into vCenter.
  b Power on the VM and wait for some time for the VM to start up.
  c Verify that you can ping the DNS of the VM. If you cannot ping the DNS, restart the VM.
  d Wait for the machine to start. This could take up to five minutes.
Configure the Identity Appliance

The Identity Appliance provides Single Sign-On (SSO) capability for vRealize Automation users. SSO is an authentication broker and security token exchange that interacts with the enterprise identity store (Active Directory or OpenLDAP) to authenticate users. A system administrator configures SSO settings to provide access to vRealize Automation.
9 (Optional) Click SSL. You can import a certificate or generate a self-signed certificate for the Identity Appliance. A self-signed certificate is also created for you when you deploy the Identity Appliance.
10 Select the certificate type from the Choose Action menu. If you are using a PEM-encoded certificate, for example for a distributed environment, select Import PEM Encoded Certificate.
   c Enter the credentials for the domain administrator in the Domain User and Password text boxes.
   d Click Join AD Domain.
13 Click the Admin tab.
14 Verify that the SSH settings are correct. When SSH service enabled is selected, SSH is enabled for all but the root user. Select or uncheck Administrator SSH login enabled to enable or disable SSH login for the root user.

The SSO host is initialized.
5 Accept the license agreement and click Next.
6 Type a unique virtual appliance name according to the IT naming convention of your organization in the Name text box, select the datacenter and location to which you want to deploy the virtual appliance, and click Next.
7 Follow the prompts until the Disk Format page appears.
8 Verify on the Disk Format page that enough space exists to deploy the virtual appliance and click Next.
Enable Time Synchronization on the vRealize Appliance

Clocks on the Identity Appliance server, vRealize Automation server, and Windows servers must be synchronized to ensure a successful installation. If you see certificate warnings during this process, continue past them to finish the installation.

Prerequisites
Deploy the vRealize Appliance.
Procedure
1 Navigate to the vRealize Appliance management console by using its fully qualified domain name, https://vra-va-hostname.domain.name:5480/.
2 Continue past the certificate warning.
3 Log in with user name root and the password you specified when you deployed vRealize Appliance.
4 Select vRA Settings > Host Settings.

   Option                 Action
   Resolve Automatically  Select Resolve Automatically to specify the name of the current host for the vRealize Appliance.
6 Select the certificate type from the Certificate Action menu. If you are using a PEM-encoded certificate, for example for a distributed environment, select Import. Certificates that you import must be trusted and must also be applicable to all instances of vRealize Appliance and any load balancer through the use of Subject Alternative Name (SAN) certificates.
10 Click the Telemetry tab. This product participates in VMware's Customer Experience Improvement Program (CEIP). Details regarding the data collected through CEIP and the purposes for which it is used by VMware are set forth at the Trust & Assurance Center at http://www.vmware.com/trustvmware/ceip.html.
   - Select Join the VMware Customer Experience Improvement Program to participate in the program.
Installing IaaS Components

The administrator installs a complete set of infrastructure (IaaS) components on a Windows machine (physical or virtual). Administrator rights are required to perform these tasks. A minimal installation installs all of the components on the same Windows server, except for the SQL database, which you can install on a separate server.
Prerequisites
- Verify that your installation machine meets the requirements described in IaaS Web Service and Model Manager Server Requirements.
- Enable Time Synchronization on the Windows Server.
- Verify that you have deployed and fully configured the vRealize Appliance, and that the necessary services are running (plugin-service, catalog-service, iaas-proxy-provider).
- If you are using Internet Explorer for the download, verify that Enhanced Security Configuration is not enabled. See res://iesetup.dll/SoftAdmin.htm.
- Log in to the Windows server as a local administrator.

Procedure
1 Log in to the Windows machine where you are about to perform the installation.
2 Open a Web browser.
3 Enter the URL of the VMware vRealize Automation IaaS Installation download page. For example, https://vra-va-hostname.domain.
7 Select Complete Install on the Installation Type page if you are creating a minimal deployment and click Next.

Check Prerequisites

The Prerequisite Checker verifies that your machine meets IaaS installation requirements.

Prerequisites
Select the Installation Type.

Procedure
1 2 Complete the Prerequisite Check.

   Option              Description
   No errors           Click Next.
   Noncritical errors  Click Bypass.
   Critical errors     Bypassing critical errors causes the installation to fail.
3 In the Microsoft SQL Server Database Installation Information panel, accept the default server to install the database instance on the same server with the IaaS components, or type a different server name if the database is on another machine. If you specify a different server, you must supply the server name and port number, using the form servername,portnumber[\NamedInstance].
4 Accept the default in the Database Name text box or type an appropriate name if applicable.
Procedure
1 Accept the default Server value, which is populated with the fully qualified domain name of the vRealize Appliance server from which you downloaded the installer. Verify that a fully qualified domain name is used to identify the server and not an IP address. If you have multiple virtual appliances and are using a load balancer, enter the load balancer virtual appliance path.
2 Click Load to populate the value of SSO Default Tenant (vsphere.local).
What to do next

Verify IaaS Services.
5 Distributed Deployment

In a distributed deployment, the system administrator installs components on multiple machines in the deployment environment.
Table 5‑1. Distributed Deployment Checklist (Continued)

Task: Configure your load balancer to handle vRealize Automation appliance traffic.
Details: Configuring Your Load Balancer

Task: Configure the Identity Appliance, lead vRealize Appliance server, and any additional appliances you deployed for redundancy and high availability.
Table 5‑2. Virtual Appliances and Appliance Database

Component: Single Sign-On Server
Description: Identity Appliance, a preconfigured virtual appliance that provides Single Sign-On capabilities. Alternatively, you can use some versions of the SSO provided with vSphere. For information on supported versions, see vRealize Automation Support Matrix.

Component: vRealize Appliance
Description: A preconfigured virtual appliance that deploys the vRealize Automation server.
For workload distribution and failover, you may place multiple vRealize Appliances behind a load balancer. In addition, you may place multiple IaaS Web servers and multiple IaaS Manager Service servers behind their respective load balancers.

When using load balancers, do not allow the load balancers to send health checks at any time during installation. Health checks might interfere with installation or cause the installation to behave unpredictably.
Figure 5‑1. Trust Requirements

The Certificate Importation and Registration table summarizes the registration requirements for various imported certificates.

Table 5‑4.
Table 5‑5. Identity Appliance Information

Variable                               Value                                  Example
Host Name (FQDN)                                                              vcac-sso.mycompany.com
SSO service over HTTPS Incoming Port   7444 (do not change)                   7444
IP                                                                            192.168.1.104
Username                               administrator@vsphere.local (default)  administrator@vsphere.local
Password                                                                      vmware

Table 5‑6. Leading cluster vRealize Appliance Information

Variable  Value
Host Name (FQDN)
SSO service over HTTPS Outgoing Port (default)
vcac-va.mycompany.
Table 5‑10. IaaS Model Manager Data

Variable                                        Value  Example
Host Name (FQDN)                                       iaas-model-man.mycompany.com
SSO service over HTTPS Outgoing Port (default)
IP                                                     192.168.1.107
Username
Password

Table 5‑11. IaaS Model Service

Variable                                        Value  Example
Host Name (FQDN)                                       iaas-model-service.mycompany.com
SSO service over HTTPS Outgoing Port (default)
IP                                                     192.168.1.108
Username
Password

Table 5‑12. Distributed Execution Managers

Unique Name  Orchestrator/Worker  ex.
What to do next

If you plan to use a load balancer in your environment, install and configure the load balancer for vRealize Automation traffic. See Configuring Your Load Balancer.

Deploy the Identity Appliance

The Identity Appliance is a preconfigured virtual appliance that provides single sign-on capabilities. It is delivered as an open virtualization format (OVF) template.
   c Type the fully qualified domain name of the virtual machine in the Hostname text box, even if you are using DHCP.
   d Configure the networking properties.
11 Click Next.
12 Depending on your vCenter and DNS configurations, it could take some time for the DNS to resolve. To expedite this process, perform the following steps.
   - If Power on after deployment is available on the Ready to Complete page:
     a Select Power on after deployment and click Finish.
7 Follow the prompts until the Disk Format page appears.
8 Verify on the Disk Format page that enough space exists to deploy the virtual appliance and click Next.
9 Follow the prompts to the Properties page. The options that appear depend on your vSphere configuration.
10 Enter properties for this vRealize Appliance.
   a Enter and confirm a password for the vRealize Appliance root account.
Configuring Your Load Balancer

After you deploy the appliances for vRealize Automation, you can set up a load balancer to distribute traffic among multiple instances of the vRealize Appliance.

The following list provides an overview of the general steps required to configure a load balancer for vRealize Automation traffic:
1 Install your load balancer.
2 Enable session affinity, also known as sticky sessions.
1 Enable Time Synchronization on the Identity Appliance
  Clocks on the Identity Appliance server, the vRealize Automation server, and Windows servers must be synchronized to ensure a successful installation.
2 Configure the Identity Appliance
  The Identity Appliance provides Single Sign-On (SSO) capability for vRealize Automation users.
Configure the Identity Appliance

The Identity Appliance provides Single Sign-On (SSO) capability for vRealize Automation users. SSO is an authentication broker and security token exchange that interacts with the enterprise identity store (Active Directory or OpenLDAP) to authenticate users. A system administrator configures SSO settings to provide access to the vRealize Appliance.
9 (Optional) Click SSL. You can import a certificate or generate a self-signed certificate for the Identity Appliance. A self-signed certificate is also created for you when you deploy the Identity Appliance.
10 Select the certificate type from the Choose Action menu. If you are using a PEM-encoded certificate, for example for a distributed environment, select Import PEM Encoded Certificate.
   c Enter the credentials for the domain administrator in the Domain User and Password text boxes.
   d Click Join AD Domain.
13 Click the Admin tab.
14 Verify that the SSH settings are correct. When SSH service enabled is selected, SSH is enabled for all but the root user. Select or uncheck Administrator SSH login enabled to enable or disable SSH login for the root user.

The SSO host is initialized.
Procedure
1 Navigate to the vRealize Appliance management console by using its fully qualified domain name, https://vra-va-hostname.domain.name:5480/.
2 Log in with the user name root and the password you specified when the appliance was deployed.
3 Select Admin > Time Settings.
4 Select an option from the Time Sync Mode menu.

   Option           Action
   Use Time Server  Select Use Time Server from the Time Sync Mode menu to use Network Time Protocol.
Procedure
1 Perform a graceful shutdown of the target appliance using shut down guest in the VMware vCenter Server™.
2 Add a 20 GB disk to the virtual appliance by using the VMware vCenter Server™.
3 Power on the appliance.
4 Verify that SSH is enabled on the virtual appliance.
   a Log in to the Virtual Appliance Management Interface at https://appliance_IP:5480.
   b Click the Admin tab.
Replace the parameters with the following values as appropriate for your system.

Option  Value
[-d]    Database load balancer FQDN
[-D]    Database virtual IP address. Optional, will create /etc/hosts entry.
[-w]    Sets the database password to the specified entry.
[-r]    Replication password. Optional, will use the database password if not set.
[-p]    Postgres password. Optional, will use database password if not set.

For example, ./pgClusterSetup.sh -d pgCluster.domain.
4 Select vRA Settings > Host Settings.

   Option                 Action
   Resolve Automatically  Select Resolve Automatically to specify the name of the current host for the vRealize Appliance.
   Update Host            For new hosts, select Update Host. Enter the fully qualified domain name of the vRealize Appliance, vra-hostname.domain.name, in the Host Name text box. For distributed deployments that use load balancers, select Update Host.
5 Select the certificate type from the Certificate Action menu. If you are using a PEM-encoded certificate, for example for a distributed environment, select Import. Certificates that you import must be trusted and must also be applicable to all instances of vRealize Appliance and any load balancer through the use of Subject Alternative Name (SAN) certificates.
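The SAN requirement in this step, which the minimal-deployment procedure states in the same words, can be checked before a certificate is imported. The following is an added example, not part of the VMware guide: it tests whether a certificate's SAN entries cover every appliance and load balancer name and reports the days left before expiry. The certificate dict is constructed in the layout returned by Python's `ssl.SSLSocket.getpeercert()`, the second appliance and load balancer names are hypothetical, and chain trust still has to be verified separately.

```python
# Added example (not VMware code): SAN coverage and expiry check.
import ssl

# Constructed sample in the dict layout returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "vcac-va.mycompany.com"),),),
    "subjectAltName": (
        ("DNS", "vcac-va.mycompany.com"),
        ("DNS", "vcac-va2.mycompany.com"),
    ),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

# Every name clients will use to reach the appliances.
REQUIRED_HOSTS = [
    "vcac-va.mycompany.com",   # example appliance name from the guide's tables
    "vcac-va2.mycompany.com",  # hypothetical second appliance
    "vcac-lb.mycompany.com",   # hypothetical load balancer FQDN
]


def san_dns_names(cert):
    """Return the DNS-type Subject Alternative Name entries, lower-cased."""
    return [value.lower() for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def name_matches(pattern, host):
    """Match a SAN entry against a host name.

    A '*' is honoured only as the entire left-most label, matches exactly one
    label, and must be followed by at least two literal labels.
    """
    pattern_labels = pattern.lower().rstrip(".").split(".")
    host_labels = host.lower().rstrip(".").split(".")
    if len(pattern_labels) != len(host_labels):
        return False
    if pattern_labels[0] == "*":
        return len(pattern_labels) >= 3 and pattern_labels[1:] == host_labels[1:]
    return pattern_labels == host_labels


def check_certificate(cert, required_hosts, now):
    """Report host names the SAN list does not cover and whole days until expiry.

    `now` is a Unix timestamp, passed in so the result is reproducible.
    """
    sans = san_dns_names(cert)
    uncovered = [
        host for host in required_hosts
        if not any(name_matches(entry, host) for entry in sans)
    ]
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return {"uncovered": uncovered, "days_left": int((expires - now) // 86400)}


if __name__ == "__main__":
    import time
    print(check_certificate(SAMPLE_CERT, REQUIRED_HOSTS, time.time()))
```
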
   d Select the SSH service enabled check box. Deselect the check box to disable SSH when finished.
   e Select the Administrator SSH login check box. Deselect the check box to disable SSH when finished.
   f Click Save Settings.
8 Configure the SSO settings.
9 Click Services. All services must be running before you can install a license or log in to the console. They usually start in about 10 minutes.
14 Confirm that you can log into vRealize Automation console.
   a Open a browser and navigate to https://vcac-hostname.domain.name/vcac/. If you are using a load balancer, the host name must be the fully qualified domain name of the load balancer.
   b If prompted, continue past the certificate warnings.
   c Log in with administrator@vsphere.local and the password you specified when configuring SSO. The console opens to the Tenants page on the Administration tab.
5 Click Save Settings.
6 Verify that the value in Current Time is correct. You can change the time zone as required from the Time Zone Setting page on the System tab.

Configure Appliance Database on the Secondary vRealize Appliance

Configure an appliance database on the designated secondary vRealize Appliance.
6 Extract the configureDisk.sh and pgClusterSetup.sh files using the tar xvf 2108923_dbCluster.tar command.

   # tar xvf 2108923_dbCluster.tar
   configureDisk.sh
   pgClusterSetup.sh

7 Locate the disk you added using the parted -l command.

   Note: For a fresh vRealize Automation deployment, the disk name should be /dev/sdd. The name differs depending on the original version of vRealize Automation deployed.

   # parted -l
   ...
For example, ./pgClusterSetup.sh -d pgCluster.domain.local -w changeMe1! -r changeMe1! -p changeMe1!

Note: Update the password from ChangeMe! to one that is appropriate for your system. Also, if you are using a load balancer virtual IP, specify the -D parameter using the IP address of the virtual IP.

    # ./pgClusterSetup.sh -d dbCluster.domain.local -w changeMe1! -r changeMe1! -p changeMe1!
    ...
6. Type "yes" in response to the following message: "Type yes to enable WAL archiving on primary."
7. Type "yes" in response to the following message: "WARNING: the base backup operation will replace the current contents of the data directory. Please confirm by typing yes."

What to do next

Validate that the replication was successful. See Validate Appliance Database Replication.
4. Select vRA Settings > Cluster.
5. Enter the FQDN of a previously configured vRealize Appliance in the Leading Cluster Node text box. You can use the FQDN of the primary vRealize Appliance, or any vRealize Appliance that is already joined to the cluster.
6. Type the root password in the Password text box.
7. Click Join Cluster.
8. Continue past any certificate warnings. Services for the cluster are restarted.
9. Verify that services are running.
2. Confirm that you can log in to the vRealize Automation console by navigating to https://vcac-hostname.domain.name/vcac, where vcac-hostname.domain.name is the address of the load balancer.
3. After you have verified that the new vRealize Appliance is accessible by using the load balancer, reenable the other nodes.

Test Appliance Database Failover

Test failover functionality from the primary appliance database machine to the secondary machine.
Option | Value
[-h] | Host name of the master database server. Port 5432 is assumed.
[-b] | Take a base backup from the master. This option destroys the current contents of the data directory.
[-W] | Prompt for the password of the user performing the replication.
[-U] | The user performing the replication. Generally this user is replicate.

For example:

    # su - postgres
    /opt/vmware/vpostgres/current/share/run_as_replica -h app2.domain.
4. Promote the replica database to master as the postgres user with the /opt/vmware/vpostgres/current/share/promote_replica_to_primary command.

    # su - postgres
    /opt/vmware/vpostgres/current/share/promote_replica_to_primary
    server promoting

5. Log in to the replica appliance machine as root using SSH.
6. Configure database replication as the postgres user with a command of the form .
3. Run the pg_is_in_recovery command to validate that the master appliance database is ready for read-write connections.

    su - postgres
    /opt/vmware/vpostgres/current/bin/psql vcac
    SELECT pg_is_in_recovery () ;

The command returns f for false.

    vcac=# SELECT pg_is_in_recovery () ;
     pg_is_in_recovery
    -------------------
     f
    (1 row)

4. Quit psql using the \q command.
5. Log in to the secondary appliance with the replica database using SSH.
- Verify that your installation servers meet the requirements described in IaaS Web Service and Model Manager Server Requirements.
- Obtain a certificate from a trusted certificate authority for import to the trusted root certificate store of the machines on which you intend to install the Component Website and Model Manager data.
- If you are using load balancers in your environment, verify that they meet the configuration requirements.
9. Configuring Windows Service to Access the IaaS Database
A system administrator can change the authentication method used to access the SQL database during run time (after the installation is complete). By default, the Windows identity of the currently logged on account is used to connect to the database after it is installed.
10. Verify IaaS Services
After installation, the system administrator verifies that the IaaS services are running.
8. Restart IIS or open an elevated command prompt window and type iisreset.
9. Restart IIS or open an elevated command prompt window and type iisreset.

What to do next

Download the IaaS Installer.

Download the IaaS Installer

A system administrator downloads the IaaS installer from the vRealize Appliance to a Windows 2008 or Windows 2012 physical or virtual machine. If you see certificate warnings during this process, continue past them to finish the installation.
What to do next

Install an IaaS database, see Choosing an IaaS Database Scenario.

Choosing an IaaS Database Scenario

IaaS uses a Microsoft SQL Server database to maintain information about the machines it manages and its own elements and policies. Depending on your preferences and privileges, there are several procedures to choose from to create the IaaS database.

Table 5‑13.
You can also set database growth settings with scripts. The script commands to set the IaaS database to VMware defaults are as follows. In these examples, "dbname" is the name of the database.
Table 5‑15. Database Values

Variable | Value
db_server | Specifies the SQL Server instance in the format dbhostname[,port number]\SQL instance. Specify a port number only if you are using a non-default port. The Microsoft SQL default port number is 1433. The default value for db_server is localhost.
db_name | Name of the database. The default value is vcac.
db_dir | Path to the data directory for the database, excluding the final slash.
4. Edit CreateDatabase.sql and replace all instances of the variables in the table with the correct values for your environment.

Table 5‑16. Database Values

Variable | Value
$(DBName) | Name of the database, such as vCAC.
$(DBDir) | Path to the data directory for the database, excluding the final slash.
$(LogDir) | Path to the log directory for the database, excluding the final slash.

5. Review the settings in the DB Settings section of CreateDatabase.
2. Click Next.
3. Accept the license agreement and click Next.
4. On the Log in page, supply administrator credentials for the vRealize Appliance and verify the SSL Certificate.
a. Type the user name, which is root, and the password. The password is the password that you specified when you deployed the vRealize Appliance.
b. Select Accept Certificate.
c. Click View Certificate. Compare the certificate thumbprint with the thumbprint set for the vRealize Appliance.
16. Complete the Prerequisite Check.

Option | Description
No errors | Click Next.
Noncritical errors | Click Bypass.
Critical errors | Bypassing critical errors causes the installation to fail. If warnings appear, select the warning in the left pane and follow the instructions on the right. Address all critical errors and click Check Again to verify.

17. Click Install.
18. When the success message appears, deselect Guide me through initial configuration and click Next.
Install the Primary IaaS Website Component

The system administrator installs the Model Manager Website component to provide access to infrastructure capabilities in the vRealize Automation Web console.

Prerequisites
- Create the IaaS Database Using the Installation Wizard.
- Verify that your environment meets the requirements described in IaaS Web Service and Model Manager Server Requirements.
10. Click Next.
11. Select Website and ModelManagerData on the IaaS Server Custom Install page.
12. Select a Web site from available Web sites or accept the default Web site on the Administration & Model Manager Web Site tab.
13. Type an available port number in the Port number text box, or accept the default port 443.
14. Click Test Binding to confirm that the port number is available for use.
15. Select the certificate for this component.
4. Click Download to import the certificate from the virtual appliance. It might take several minutes to download the certificate.
5. (Optional) Click View Certificate, view the certificate, and click OK to close the information window.
6. Click Accept Certificate.
7. Type administrator@vsphere.local in the User name text box and the password you created when you configured the SSO in the Password and Confirm text boxes.
8. (Optional) Click Test to verify the credentials.
16. Click Next.
17. Click Install.
18. When the installation finishes, deselect Guide me through the initial configuration and click Next.

What to do next

You can install additional Website components or install the Manager Service. See Install Additional IaaS Website Components or Install the Primary Manager Service.
5. On the Log in page, supply administrator credentials for the vRealize Appliance and verify the SSL Certificate.
a. Type the user name, which is root, and the password. The password is the password that you specified when you deployed the vRealize Appliance.
b. Select Accept Certificate.
c. Click View Certificate. Compare the certificate thumbprint with the thumbprint set for the vRealize Appliance.
18. Type IaaS server information in the IaaS Server text box.

Option | Description
If you are using a load balancer | Type the fully qualified domain name of the load balancer for the IaaS Website Server. For example, IaaS-load-balancer.eng.mycompany.com.
With no load balancer | Type the fully qualified domain name of the IaaS Website Server. For example, IaaS.eng.mycompany.com.

19. Click Test to verify the server connection.
20. Click Next.
21. Complete the Prerequisite Check.
Install the Primary Manager Service

The Manager Service component coordinates communication between agents and proxy agents, the database, and SMTP. A minimum of one instance of the Manager Service component must be installed. You can install one primary instance and one backup instance of the Manager Service component to provide redundancy in a high-availability deployment.
5. Click Next.
6. Select Custom Install on the Installation Type page.
7. Select IaaS Server under Component Selection on the Installation Type page.
8. Accept the root install location or click Change and select an installation path.
9. Click Next.
10. Select Manager Service on the IaaS Server Custom Install page.
11. Type IaaS server information in the IaaS Server text box.
21. Provide the passphrase used to generate the encryption key that protects the database.

Option | Description
If you have already installed components in this environment | Type the passphrase you created previously in the Passphrase and Confirm text boxes.
If this is the first installation | Type a passphrase in the Passphrase and Confirm text boxes. You must use this passphrase every time you install a new component. Keep this passphrase in a secure place for later use.
- Verify that the Website load balancer is configured.
- Install the Primary IaaS Website Component with Model Manager Data.

Procedure
1. If using a load balancer, disable the other nodes under the load balancer, and verify that traffic is directed to the node that you want. In addition, disable load balancer health checks until all vRealize Automation components are installed and configured.
2. Right-click the setup__vra-va-hostname.domain.name@5480.
14. Select a Web site from available Web sites or accept the default Web site on the Administration & Model Manager Web Site tab.
15. Type an available port number in the Port number text box, or accept the default port 443.
16. Click Test Binding to confirm that the port number is available for use.
17. Select the certificate for this component.
a. If you imported a certificate after you began the installation, click Refresh to update the list.
What to do next

To ensure that the Manager Service you installed is a passive backup instance, verify that the vRealize Automation Service is not running and set it to "Manual" startup type. A system administrator can change the authentication method used to access the SQL database during run time (after the installation is complete). See Configuring Windows Service to Access the IaaS Database.
2. Click Next.
3. Accept the license agreement and click Next.
4. On the Log in page, supply administrator credentials for the vRealize Appliance and verify the SSL Certificate.
a. Type the user name, which is root, and the password. The password is the password that you specified when you deployed the vRealize Appliance.
b. Select Accept Certificate.
c. Click View Certificate. Compare the certificate thumbprint with the thumbprint set for the vRealize Appliance.
16. Enter the host names and ports in the Manager Service Host name and Model Manager Web Service Host name text boxes.

Option | Description
If you are using a load balancer | Type the fully qualified domain names of the load balancers for the Manager Service and Model Manager Web Service. For example, manager-load-balancer.eng.mycompany.com:443 and web-load-balancer.eng.mycompany.com:443.
Procedure
1. Stop the DEM Worker service.
2. Open the following file in a text editor.
   Program Files (x86)\VMware\vCAC\Distributed Execution Manager\instancename\DynamicOps.DEM.exe.config
3. Locate the section.
4. Update each path, using the following example as a guideline.

2. Locate the following services and verify that their status is Started and the Startup Type is set to Automatic.
- VMware DEM – Orchestrator – Name where Name is the string provided in the DEM Name box during installation.
- VMware DEM – Worker – Name where Name is the string provided in the DEM Name box during installation.
- VMware vCloud Automation Center Agent Agent name
- VMware vCloud Automation Center Service
3. Close the Services window.
6 Installing Agents

vRealize Automation uses agents to integrate with external systems. A system administrator can select agents to install to communicate with other virtualization platforms.
- Installing the WMI Agent for Remote WMI Requests

Set the PowerShell Execution Policy to RemoteSigned

You must set the PowerShell Execution Policy from Restricted to RemoteSigned or Unrestricted to allow local PowerShell scripts to be run.

Prerequisites
- Log in as a Windows administrator.
- Verify that Microsoft PowerShell is installed on the installation host before agent installation. The version required depends on the operating system of the installation host.
Table 6‑1. Choosing an Agent Scenario (Continued)

Integration Scenario | Agent Requirements and Procedures
Collect data from the provisioned Windows machines, for example the Active Directory status of the owner of a machine. | Installing the WMI Agent for Remote WMI Requests
Provision virtual machines by integrating with any other supported virtual platform. | You do not need to install an agent.
Table 6‑2. Permissions Required for vSphere Agent to Manage vCenter Server Instance (Continued)

Attribute Value | Permission
Set Annotation (version 5.
4. On the Log in page, supply administrator credentials for the vRealize Appliance and verify the SSL Certificate.
a. Type the user name, which is root, and the password. The password is the password that you specified when you deployed the vRealize Appliance.
b. Select Accept Certificate.
c. Click View Certificate. Compare the certificate thumbprint with the thumbprint set for the vRealize Appliance.
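The thumbprint comparison that the installer login steps call for can be done mechanically instead of by eye. The following is an added example, not VMware code: it computes a certificate thumbprint from a PEM file and compares it with a thumbprint string copied from a certificate dialog. The sample PEM payload is constructed and is not a real certificate.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample: arbitrary bytes wrapped in PEM armor so the example runs
# offline. It is NOT a valid X.509 certificate. A thumbprint is a hash over the
# DER bytes, so any payload exercises the same code path as a real certificate.
SAMPLE_DER = b"constructed-sample-der-bytes-for-thumbprint-demo"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem_text):
    """Return the DER bytes of the first certificate block in a PEM string."""
    match = _PEM_RE.search(pem_text)
    if not match:
        raise ValueError("no PEM certificate block found")
    # Remove line breaks and padding whitespace before strict base64 decoding.
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def thumbprint(pem_text, algorithm="sha1"):
    """Upper-case hex thumbprint of the certificate (SHA-1 by default)."""
    return hashlib.new(algorithm, pem_to_der(pem_text)).hexdigest().upper()


def normalize(displayed):
    """Reduce a displayed thumbprint to bare upper-case hex.

    Tools print thumbprints with colons, spaces or dashes, and text copied
    from the Windows certificate dialog can carry an invisible left-to-right
    mark (U+200E) that makes a plain string comparison fail.
    """
    cleaned = re.sub(r"[\s:\-\u200e]", "", displayed).upper()
    if not re.fullmatch(r"[0-9A-F]+", cleaned) or len(cleaned) not in (40, 64):
        raise ValueError("not a SHA-1 or SHA-256 thumbprint: %r" % displayed)
    return cleaned


def thumbprint_matches(pem_text, displayed):
    """True only if the displayed thumbprint matches the certificate."""
    expected = normalize(displayed)
    # 40 hex digits means SHA-1, 64 means SHA-256.
    algorithm = "sha1" if len(expected) == 40 else "sha256"
    actual = thumbprint(pem_text, algorithm)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    fp = thumbprint(SAMPLE_PEM)
    shown = ":".join(fp[i:i + 2] for i in range(0, len(fp), 2))
    print("thumbprint:", shown)
    print("match:", thumbprint_matches(SAMPLE_PEM, shown))
```

A mismatch at this step means the installer is not talking to the appliance whose certificate you exported, so stop rather than accept the certificate.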
13. Configure a connection to the Manager Service component.

Option | Description
If you are using a load balancer | Enter the fully qualified domain name and port number of the load balancer for the Manager Service component. For example, manager-load-balancer.eng.mycompany.com:443. IP addresses are not recognized.
With no load balancer | Enter the fully qualified domain name and port number of the machine where you installed the Manager Service component.
Configure the vSphere Agent

You can use the proxy agent utility to modify the initial configurations that are encrypted in the agent configuration file, or to change the machine deletion policy for virtualization platforms.

Prerequisites
Log in as a system administrator to the machine where you installed the agent.

Procedure
1. Open a Windows command console as an administrator.
2. Go to the agents installation directory. For example, cd Program Files (x86)\VMware\vCAC\CD
Installing the Proxy Agent for Hyper-V or XenServer

A system administrator installs proxy agents to communicate with Hyper-V and XenServer server instances. The agents discover available work, retrieve host information, and report completed work items and other host status changes.

Hyper-V and XenServer Requirements

Hyper-V Hypervisor proxy agents require system administrator credentials for installation.
- Configure Hyper-V for remote management to enable Hyper-V server communication with vRealize Automation Hyper-V proxy agents. See the Microsoft Windows Server documentation for information about how to configure Hyper-V for remote management.

Procedure
1. Right-click the setup__vra-va-hostname.domain.name@5480.exe setup file and select Run as administrator.
2. Click Next.
3. Accept the license agreement and click Next.
12. Enter an identifier for this agent in the Agent name text box. Maintain a record of the agent name, credentials, endpoint name, and platform instance for each agent. You need this information to configure endpoints and to add hosts in the future.

Important: Do not duplicate agent names unless you are installing redundant, identically configured agents for high availability.
20. (Optional) Add another agent. For example, you can add a XEN agent if you previously added the Hyper-V agent.
21. Click Install to begin the installation. After several minutes a success message appears.
22. Click Next.
23. Click Finish.
24. Verify that the installation is successful.

What to do next

For high-availability, you can install and configure a redundant agent for your endpoint.
Property | Description
username | The username representing administrator-level credentials for the XenServer or Hyper-V server the agent communicates with.
password | The password for the administrator-level username.

4. Click Start > Administrative Tools > Services and restart the vRealize Automation Agent – agentname service.
XenDesktop Requirements

The name given to the XenServer Host on your XenDesktop server must match the UUID of the Xen Pool in XenCenter. See Set the XenServer Host Name for more information.

Each XenDesktop DDC server with which you intend to register machines must be configured in the following way:
- The group/catalog type must be set to Existing for use with vRealize Automation.
Prerequisites
- The IaaS components, including the Manager Service and Website, are installed.
- Verify that your environment meets the XenDesktop Requirements.
- Download the IaaS Installer.

Procedure
1. Right-click the setup__vra-va-hostname.domain.name@5480.exe setup file and select Run as administrator.
2. Click Next.
3. Accept the license agreement and click Next.
13. Enter an identifier for this agent in the Agent name text box. Maintain a record of the agent name, credentials, endpoint name, and platform instance for each agent. You need this information to configure endpoints and to add hosts in the future.

Important: Do not duplicate agent names unless you are installing redundant, identically configured agents for high availability.
22. Click Next.
23. Click Finish.
24. Verify that the installation is successful.
25. (Optional) Add multiple agents with different configurations and an endpoint on the same system.

What to do next

For high-availability, you can install and configure a redundant agent for your endpoint. Install each redundant agent on a separate server, but name and configure the agents identically.
MS PowerShell Execution Policy is set to RemoteSigned or Unrestricted. See Set the PowerShell Execution Policy to RemoteSigned. For more information about PowerShell Execution Policy, run help about_signing or help Set-ExecutionPolicy at the PowerShell command prompt.

Install the Citrix Agent

External provisioning integration (EPI) PowerShell agents integrate external systems into the machine provisioning process.
11. Select EPIPowerShell from the Agent type list.
12. Enter an identifier for this agent in the Agent name text box. Maintain a record of the agent name, credentials, endpoint name, and platform instance for each agent. You need this information to configure endpoints and to add hosts in the future.

Important: Do not duplicate agent names unless you are installing redundant, identically configured agents for high availability.
21. Click Next.
22. Click Finish.
23. Verify that the installation is successful.
24. (Optional) Add multiple agents with different configurations and an endpoint on the same system.

What to do next

For high-availability, you can install and configure a redundant agent for your endpoint. Install each redundant agent on a separate server, but name and configure the agents identically.
Table 6‑3. EPI Agents for Visual Scripting

Requirement | Description
Credentials | Credentials under which the agent will run must have administrative access to the installation host.
Microsoft PowerShell | Microsoft PowerShell must be installed on the installation host prior to agent installation: The version required depends on the operating system of the installation host and might have been installed with that operating system. Visit http://support.microsoft.
5. Select Custom Install on the Installation Type page.
6. Select Component Selection on the Installation Type page.
7. Accept the root install location or click Change and select an installation path.
8. Click Next.
9. Log in with administrator privileges for the Windows services on the installation machine. The service must run on the same installation machine.
10. Click Next.
11. Select EPIPowerShell from the Agent type list.
15. Click Test to verify connectivity to each host.
16. Select the EPI type.
17. Enter the fully qualified domain name of the managed server in the EPI Server text box.
18. Click Add.
19. Click Next.
20. Click Install to begin the installation. After several minutes a success message appears.
21. Click Next.
22. Click Finish.
23. Verify that the installation is successful.
24. (Optional) Add multiple agents with different configurations and an endpoint on the same system.
- Download the IaaS Installer.

Procedure
1. Right-click the setup__vra-va-hostname.domain.name@5480.exe setup file and select Run as administrator.
2. Click Next.
3. Accept the license agreement and click Next.
4. On the Log in page, supply administrator credentials for the vRealize Appliance and verify the SSL Certificate.
a. Type the user name, which is root, and the password. The password is the password that you specified when you deployed the vRealize Appliance.
13. Configure a connection to the Manager Service component.

Option | Description
If you are using a load balancer | Enter the fully qualified domain name and port number of the load balancer for the Manager Service component. For example, manager-load-balancer.eng.mycompany.com:443. IP addresses are not recognized.
With no load balancer | Enter the fully qualified domain name and port number of the machine where you installed the Manager Service component.
7 Configuring Initial Access

Before your team can begin setting up for provisioning, you must configure their access to the default tenant by adding an identity store and appointing administrators. If you installed IaaS, you must also provide the infrastructure license.
Prerequisites
Verify that your Identity Appliance is joined to your Native Active Directory domain. See Configure the Identity Appliance.

Procedure
1. Log in to the vRealize Automation console as the system administrator of the default tenant.
a. Navigate to the vRealize Automation console.

Option | Description
If you are using a load balancer | https://vrealize-appliance-load-balancer-hostname.domain.name/vcac
With no load balancer | https://vrealize-appliance-hostname.
Procedure
1. Log in to the vRealize Automation console as the system administrator of the default tenant.
a. Navigate to the vRealize Automation console.

Option | Description
If you are using a load balancer | https://vrealize-appliance-load-balancer-hostname.domain.name/vcac
With no load balancer | https://vrealize-appliance-hostname.domain.name/vcac

b. Log in with the user name administrator@vsphere.local and the password you defined for this user when you configured SSO.
18. Click Next.
19. Click Update.

What to do next

Appoint Administrators.

Appoint Administrators

You can appoint one or more tenant administrators and IaaS administrators from the identity stores you configured for a tenant. Tenant administrators are responsible for configuring tenant-specific branding, as well as managing identity stores, users, groups, entitlements, and shared blueprints within the context of their tenant.
For migration, make note of the tenant administrator you appointed. You must supply the tenant administrator credentials to the pre-migration tool when you are prompted for the default tenant administrator credentials.

What to do next

Provide the Infrastructure License.

Provide the Infrastructure License

After installation, the IaaS administrator logs in to the vRealize Automation console and provides a license for the Infrastructure components.
8 Configuring Additional Tenants

You create the default tenant when you install vRealize Automation, but you can create additional tenants to represent business units in an enterprise or companies that subscribe to cloud services from a service provider.

This chapter includes the following topics:
- Tenancy Overview
- Create and Configure a Tenant

Tenancy Overview

A tenant is an organizational unit in a vRealize Automation deployment.
Table 8‑1. Tenant Configuration (Continued)

Configuration Area | Description
Service catalog offerings | Service architects can create and publish catalog items to the service catalog and assign them to service categories. Services and catalog items are always specific to a tenant.
Infrastructure resources | The underlying infrastructure fabric resources, for example, vCenter servers, Amazon AWS accounts, or Cisco UCS pools, are shared among all tenants.
System-wide configuration is always performed in the default tenant and can apply to one or more tenants. For example, system-wide configuration might specify defaults for branding and notification providers. Infrastructure configuration, including the infrastructure sources that are available for provisioning, can be configured in any tenant and is shared among all tenants.
Figure 8‑1. Single-Tenant Example
[Diagram: the default tenant at http://vra.mycompany.com/vcac/ with a tenant admin and business groups, each with a business group manager. Tenant configuration covers user management, tenant branding, tenant notification providers, approval policies, and catalog management.]
Table 8‑2. Multitenant Deployment Examples

Example | Description
Manage infrastructure configuration only in the default tenant | In this example, all infrastructure is centrally managed by IaaS administrators and fabric administrators in the default tenant. The shared infrastructure resources are assigned to the users in each tenant by using reservations.
The following diagram shows a multitenant deployment where each tenant manages their own infrastructure. The system administrator is the only user who logs in to the default tenant to manage system-wide configuration and create tenants. Each tenant has an IaaS administrator, who can create fabric groups and appoint fabric administrators with their respective tenants.
2. Configure Identity Stores
Each tenant must be associated with at least one identity store. Identity stores can be OpenLDAP or Active Directory. Use of Native Active Directory is also supported for the default tenant.
3. Appoint Administrators
You can appoint one or more tenant administrators and IaaS administrators from the identity stores you configured for a tenant.
Procedure
1. Click the Add icon.
2. Enter a name in the Name text box.
3. Select the type of identity store from the Type drop-down menu.
4. Enter the URL for the identity store in the URL text box. For example, ldap://ldap.mycompany.com:389.
5. Enter the domain for the identity store in the Domain text box.
6. (Optional) Enter the domain alias in the Domain Alias text box.
Tenant administrators are responsible for configuring tenant-specific branding, as well as managing identity stores, users, groups, entitlements, and shared blueprints within the context of their tenant. IaaS Administrators are responsible for configuring infrastructure source endpoints in IaaS, appointing fabric administrators, and monitoring IaaS logs.

Prerequisites
- Configure Identity Stores.
- Before you appoint IaaS administrators, you must install IaaS.
9 Updating vRealize Automation Certificates

A system administrator can replace certificates for vRealize Automation components. Typically, you replace a certificate to switch from self-signed certificates to certificates provided by a certificate authority or when a certificate expires. When you replace a certificate for a vRealize Automation component, components that have a dependency on this certificate are affected.
Table 9‑1.
Table 9‑2. Sample Certificate Values and Commands (openssl)

Certificate Authority Provides | Command | Virtual Appliance Entries
RSA Private Key | openssl pkcs12 -in path_to_.pfx_certificate_file -nocerts -out key.pem | RSA Private Key
PEM File | openssl pkcs12 -in path_to_.pfx_certificate_file -clcerts -nokeys -out cert.
4. Select the certificate type from the Choose Action menu. If you are using a PEM-encoded certificate, for example for a distributed environment, select Import PEM Encoded Certificate. Certificates that you import must be trusted and must also be applicable to all instances of vRealize Appliance and any load balancer by using Subject Alternative Name (SAN) certificates.
Prerequisites
Replace a Certificate in the Identity Appliance.

Procedure
1. Start PuTTY or another Unix SSH remote login tool.
2. Log in to the vRealize Appliance with user name root and the password you specified when deploying the appliance.
3. Execute the import-certificate command:

    /usr/sbin/vcac-config import-certificate --alias websso --url https://identityhostname.domain.
Replace a Certificate in the vRealize Appliance
The system administrator can replace a self-signed certificate with a trusted one from a certificate authority. You can use Subject Alternative Name (SAN) certificates, wildcard certificates, or any other method of multi-use certification appropriate for your environment as long as you satisfy the trust requirements.
5 Select the certificate type from the Certificate Action menu. If you are using a PEM-encoded certificate, for example for a distributed environment, select Import. Certificates that you import must be trusted and must also be applicable to all instances of vRealize Appliance and any load balancer through the use of Subject Alternative Name (SAN) certificates.
Prerequisites
Replace a Certificate in the vRealize Appliance.
Procedure
1 Navigate to the vRealize Appliance management console by using its fully qualified domain name, https://vra-va-hostname.domain.name:5480/.
2 Log in with user name root and the password you specified when deploying the Identity Appliance.
3 Go to vRA Settings > SSO.
4 Verify that the fully qualified name for the Identity Appliance, identity-va-hostname.domain.
Procedure
1 Open a command prompt as an administrator and navigate to the Cafe directory on the Model Manager Data installation machine.
C:\Program Files (x86)\VMware\vCAC\Server\Model Manager Data\Cafe
2 Type the following command to update the IaaS database with the certificate information in one step. Supply the IaaS database name (vcac, by default) and the fully qualified domain name of the database server.
vcac-Config.
Replace the Internet Information Services Certificate
The system administrator can replace an expired certificate or a self-signed certificate with one from a certificate authority to ensure security in a distributed deployment environment. You can use a Subject Alternative Name (SAN) certificate on multiple machines.
As part of updating an IaaS certificate, you must register the new certificate with the vRealize Appliance. You can use the hostname or IP address of the IaaS machines in the following commands. If you are using a load balancer, supply the host name of the load balancer instead. Note that URL paths are case-sensitive. If you encounter errors, see the troubleshooting section in the installation documentation.
Prerequisites
Replace the Internet Information Services Certificate.
Prerequisites
- Obtain the server name and IP address of the server that runs the IaaS Manager Service.
- If necessary, convert the template on which the Guest Agent is installed to a virtual machine.
Procedure
1 Run the operating system appropriate commands in an elevated command prompt.
Option | Description
Windows | Run the following commands:
a cd c:\vrmguestagent
b echo | openssl s_client -connect manager_service_load_balancer.mycompany.
Linux |
4 Run the following command to restart the lighttpd server.
service vami-lighttp restart
5 Log in to the management console and validate that the certificate is replaced. You might need to restart your browser.
The new Identity Appliance management site certificate is installed.
Replace the vRealize Automation Appliance Management Site Certificate
The vRealize Appliance uses lighttpd to run its own management site. You can replace the SSL certificate of the management site service if your certificate expires or if you are using a self-signed certificate and your company security policy requires you to use its SSL certificates. You secure the management site service on port 5480.
- For information about manual update, see Manually Update Management Agents to Recognize a vRealize Appliance Management Site Certificate.
4 Change the thumbprint to the SHA1 thumbprint of the new certificate. For example:
5 If there are other managementEndpoint entries, delete them.
Each IaaS host runs its own Management Agent. Repeat this procedure on each IaaS node whose Management Agent you want to update.
Prerequisites
- Before you replace a Management Agent certificate, remove its entry from the Distributed Deployment Information table. Note the Management Agent identifier in the Node ID column before you remove the record. You use this identifier when you create the new Management Agent certificate and when you register it.
3 Register the Management Agent certificate with the vRealize Appliance management site.
a Open a command prompt as an administrator and navigate to the Cafe directory on the machine on which the Management Agent is installed at \Management Agent\Tools\Cafe, typically C:\Program Files (x86)\VMware\vCAC\Management Agent\Tools\Cafe
b Type the Vcac-Config.
10 Troubleshooting
vRealize Automation troubleshooting provides procedures for resolving issues you might encounter when installing or configuring vRealize Automation.
- Machine Requests Fail When Remote Transactions Are Disabled
- Credentials Error When Running the IaaS Installer
- Attempts to Log In as the IaaS Administrator with Incorrect UPN Format Credentials Fails with No Explanation
- Email Customization Behavior Has Changed
- Changes Made to /etc/hosts Files Might Be Overwritten
- Network Settings Were Not Successfully Applied
Default Log Locations
Consult system and product log files for information on a failed installa
Log | Default Location
Manager Service Logs | C:\Program Files (x86)\VMware\vCAC\Server\Logs
Orchestrator Logs | C:\Program Files (x86)\VMware\vCAC\Distributed Execution Manager\DEO\Logs
Worker DEM Logs | C:\Program Files (x86)\VMware\vCAC\Distributed Execution Manager\DEM\Logs
Agent Logs | C:\Program Files (x86)\VMware\vCAC\Agents\\logs
Identity Appliance Logs
You can generate a complete log file by creating a support bundle.
- vRealize Automation WAPI
Note: If you see the following message, restart the machine and then follow the steps in this procedure:
Error opening installation log file. Verify that the specified log file location exists and it is writable
Note: If the Windows system has been reverted or you have uninstalled IaaS, you must run the iisreset command before you reinstall vRealize Automation IaaS.
2 Revert your database to the state it was in before the installation was started.
Table 10‑1. Roll Back Failure Points
Failure Point | Action
Installing Manager Service | If present, uninstall vCloud Automation Center Server.
Installing DEM-Orchestrator | If present, uninstall the DEM Orchestrator.
Installing DEM-Worker | If present, uninstall all DEM Workers.
Installing an Agent | If present, uninstall all vRealize Automation agents.
Solution
1 Verify that you can connect to the vRealize Appliance by typing the following URL in a Web browser.
https://vra-va-hostname.domain.name
2 Check the other vRealize Appliance troubleshooting topics.
3 Download the setup file and reconnect to the vRealize Appliance.
Failed to Install Model Manager Data and Web Components
Your vRealize Automation installation can fail if the IaaS installer is unable to save the Model Manager Data component and Web component.
- From a browser, check https:///repository/data/MetaModel.svc and verify that no certificate errors appear in your browser.
Certificate Name Mismatch
This error can occur when the certificate is issued to a particular name and a different name or IP address is used. You can suppress the certificate name mismatch error during installation by selecting Suppress certificate mismatch.
Solution
Ignore the error message and proceed with the installation. This message should not cause the setup to fail.
WAPI and Distributed Execution Managers Fail to Install
Your installation of vRealize Appliance WAPI and Distributed Execution Managers cannot proceed when the password for your IaaS service account contains double quotation marks.
Problem
The installation or upgrade fails because the load balancer timeout setting does not allow enough time for the task to complete.
Cause
An insufficient load balancer timeout setting might cause failure. You can correct the problem by increasing the load balancer timeout setting to 100 seconds or greater and rerunning the task.
Solution
1 Increase your load balancer timeout value to at least 100 seconds.
Cause
Authorization errors can occur when IaaS does not recognize security certificates from other components.
Solution
1 Open a command prompt as an administrator and navigate to the Cafe directory at \Server\Model Manager Data\Cafe, typically C:\Program Files (x86)\VMware\vCAC\Server\Model Manager Data\Cafe.
2 Type a command of the form Vcac-Config.exe CheckServerCertificates -d [vra-database] -s [vRA SQL server] -v.
RabbitMQ Configuration Fails in a High-Availability Environment
When RabbitMQ is restarted in a high-availability environment, vRealize Automation appliances must be shut down and restarted in a specified order.
Problem
Restart of RabbitMQ for vRealize Automation in a high-availability environment fails.
Cause
vRealize Automation appliances must be shut down and restarted in a specified order.
2 Go to the /etc/vcac/ directory and check the permissions and ownership for the encryption.key file. You should see a line similar to the following one:
-rw------- 1 vcac vcac 48 Dec 4 06:48 encryption.key
Read and write permission is required and the owner and group for the file must be vcac.
3 If the output you see is different, change the permissions or ownership of the file as needed.
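The check in step 2 can be scripted. The following is an added example, not part of the VMware documentation; it assumes GNU stat, and the function name check_key_file is hypothetical.

```shell
#!/bin/sh
# Added example: audit a key file against the mode and ownership step 2 requires.

# check_key_file FILE OWNER GROUP
# Returns 0 when FILE is a regular file with mode 600 and the given owner/group,
# 1 when any attribute deviates (each deviation is printed), 2 when it is missing.
check_key_file() {
    file=$1; want_owner=$2; want_group=$3
    [ -f "$file" ] || { echo "missing: $file"; return 2; }
    # GNU stat formats: %a octal mode, %U owner name, %G group name
    mode=$(stat -c '%a' "$file")
    owner=$(stat -c '%U' "$file")
    group=$(stat -c '%G' "$file")
    rc=0
    [ "$mode" = "600" ] || { echo "mode is $mode, expected 600"; rc=1; }
    [ "$owner" = "$want_owner" ] || { echo "owner is $owner, expected $want_owner"; rc=1; }
    [ "$group" = "$want_group" ] || { echo "group is $group, expected $want_group"; rc=1; }
    return "$rc"
}

# On the appliance: check_key_file /etc/vcac/encryption.key vcac vcac
# Demo on a constructed temporary file (group-readable on purpose):
demo_key=$(mktemp)
chmod 640 "$demo_key"
check_key_file "$demo_key" "$(stat -c '%U' "$demo_key")" "$(stat -c '%G' "$demo_key")" \
    || echo "Correct the file with chmod 600 and chown before continuing."
rm -f "$demo_key"
```

A group-readable or world-readable key file is reported as a deviation even when the owner is correct, because the listing in step 2 grants access to the owner only.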
Problem
An "Error Communicating to the Remote Server" error message appears when you configure the SSO from the vRealize Appliance management console, even when the configuration is correct and the virtual appliances are communicating successfully.
Cause
The Common Name or the alternative names in the Identity SSL certificate do not match the hostname in the SSO URL you entered in the vRealize Appliance.
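The name mismatch described here, and the earlier requirement that an imported certificate apply to every vRealize Appliance instance and any load balancer through SAN entries, can both be checked before import. The following is an added example, not part of the VMware documentation; it assumes OpenSSL 1.1.1 or later, and the host names, the function names, and the throwaway self-signed certificate are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: confirm one PEM certificate covers every name clients will use.

# cert_covers CERT_PEM NAME...
# Prints each name the certificate does not cover; returns 0 only if all match.
cert_covers() {
    cert=$1; shift
    missing=0
    for name in "$@"; do
        # -checkhost applies TLS hostname matching; when SAN DNS entries exist,
        # the Common Name is ignored, so every name must appear in the SAN list.
        if ! openssl x509 -in "$cert" -noout -checkhost "$name" |
                grep -q "does match certificate"; then
            echo "NOT covered: $name"
            missing=1
        fi
    done
    return "$missing"
}

# make_demo_cert DIR
# Writes DIR/cert.pem: a constructed, self-signed, one-day certificate whose
# SAN list names two appliances and a load balancer (hypothetical host names).
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/key.pem" -out "$1/cert.pem" \
        -subj "/CN=vra-va-1.example.test" \
        -addext "subjectAltName=DNS:vra-va-1.example.test,DNS:vra-va-2.example.test,DNS:vra-lb.example.test" \
        2>/dev/null
}

demo_dir=$(mktemp -d)
make_demo_cert "$demo_dir"
# The identity appliance name is deliberately absent from the demo certificate.
cert_covers "$demo_dir/cert.pem" vra-va-1.example.test vra-lb.example.test \
    identity-va.example.test || echo "Reissue the certificate with the missing SAN entries."
rm -rf "$demo_dir"
```

Pass the exact host name that appears in the SSO URL or the load balancer address; a short name or an IP address is a different name as far as the check is concerned.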
Procedure
1 Select Tools > Compatibility View settings.
2 Deselect Display intranet sites in Compatibility View.
3 Click Close.
Cannot Establish Trust Relationship for the SSL/TLS Secure Channel
You might receive the message "Cannot establish trust relationship for the SSL/TLS secure channel" when upgrading security certificates for vCloud Automation Center.
Problem
If a certificate issue occurs with vcac-config.
- You cannot log in to a tenant by using an LDAP account.
- The catalina.out log located in /var/log/vmware/vcac/ shows an error similar to the following:
12:40:49,190 [tomcat-http--34] [authentication] INFO com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl$RequestResponseProcessor.
Problem
Creation of an endpoint fails with the following internal error message:
An internal error has occurred. If the problem persists, please contact your system administrator. When contacting your system administrator, use this reference: c0DD0C01.
Reference codes are randomly generated and not linked to a particular error message.
Cause
Solution
1 Open the vRealize Automation appliance log file.
/var/log/vcac/catalina.
4 Open a separate command prompt and run the following command:
msdtc -install
Machine Requests Fail When Remote Transactions Are Disabled
Machine requests fail when Microsoft Distributed Transaction Coordinator (DTC) remote transactions are disabled on Windows server machines.
Problem
If you provision a machine when remote transactions are disabled on the Model Manager portal or the SQL Server, the request will not complete.
c Right-click the target machine.
d Select Delete to remove the machine.
Credentials Error When Running the IaaS Installer
When you install IaaS components, you get an error when entering your virtual appliance credentials.
Problem
After providing credentials in the IaaS installer, an org.xml.sax.SAXParseException error appears.
Cause
You used incorrect credentials or an incorrect credential format.
Solution
You can use the following XSLT templates:
- ArchivePeriodExpired
- EpiRegister
- EpiUnregister
- LeaseAboutToExpire
- LeaseExpired
- LeaseExpiredPowerOff
- ManagerLeaseAboutToExpire
- ManagerLeaseExpired
- ManagerReclamationExpiredLeaseModified
- ManagerReclamationForcedLeaseModified
- ReclamationExpiredLeaseModified
- ReclamationForcedLeaseModified
- VdiRegister
- VdiUnregister
Email templates are located in the \Templates directory unde
Solution
To make a permanent change to the /etc/hosts file, you must make the change outside of the VAMI_EDIT_BEGIN to VAMI_EDIT_END section because this section is overwritten when a network change is detected.
Network Settings Were Not Successfully Applied
An error message that indicates a network problem appears in the console of a newly deployed Identity Appliance.