Archive for VMware

vRealize Automation large scale deployment Part 1 Identity and vRA appliance install

vRARobot2

vRA Distributed deployment.

This series will cover a larger distributed deployment of vRealize Automation 6.2.3

Software required

vRAD1

Components

Only the Identity and vRA appliances are covered in this blog. The rest will be covered in the series to follow.

  • 1 x Identity appliance
  • 2 x vRA appliances (Postgres Database only)
  • 2 x IaaS servers
  • 2 x Manager Servers
  • 1 x Orchestrator appliance
  • 1 x F5 Load Balancer

Important

  • DNS must be configured for all servers/appliances you use and test it
  • Whatever you use for time sync must be identical for all servers/appliances you use

F5 Load Balancer setup and information

  • http://kaloferov.com/blog/configuring-vrealize-automation-load-balancing-using-f5-big-ip/

Certificates

Please follow one of my other blogs for generating and importing certificates into vRA appliances and servers

http://www.electricmonk.org.uk/2015/12/03/installing-vra-6-x-certificates/

Step 1 – Deploying the Identity Appliance

  • In the vSphere client or web client select File > Deploy OVF Template

vRAD2

  • Check the details

vRAD3

  • Accept the license agreeement
  • Put in a name for the vRA Identity appliance

vRAD4

  • Choose your storage

vRAD5

  • Leave the defaults for storage

vRAD6

  • Check the details and click Finish

vRAD7

  • Note: The identity appliance cannot be clustered but can be put on a vSphere HA cluster to provide redundancy in the event of hardware failure but not in the event of the Identity appliance having an issue.
  • You may need to go into the vCenter console for the machine and set a root password
  • You will then see this screen where you can see the web browser link to log into the Identity appliance

vRAD8

  • Log into the web link

vRAD9

  • Set the time zone

vRAD10

  • Set the SSO password

vRAD11

  • It should then look like the below screenprint

vRAD12

  • Click on host settings and put in the name of the identity appliance
  • Make sure there is a DNS entry for the identity appliance

vRAD14

  • Click on Network then the Address tab and put in the relevant details

vRAD16

  • You will then need to reboot and relogin
  • Next click on SSO > SSL
  • Generate a certificate for now. Example below

vRAD39PNG

  • Click on Active Directory and put in your details

vRAD15

  • It will then look like the below

vRAD17

  • Go to the Admin tab and click Admin
  • Tick SSH service enabled and Administrator SSH login enabled

vRAD18

  • Click on Time settings and adjust if you have a time server. I left mine on Use host time

vRAD19

  • This should now be complete.
  • Note: You may want to adjust the CPU and RAM depending on customer requirements
  • Note. It might be wise at this point to shutdown the appliance and take a snapshot

Step 2 Deploy 2 vRealize Automation Appliances

Note: Follow the below steps for each appliance

  • In the vSphere client or vSphere Web Client click File > Deploy OVF template

vRAD20

  • Check the details

vRAD21

  • Accept the license agreement
  • Put in a name

vRAD22

  • Choose your storage

vRAD23

  • Choose your storage options

vRAD24

  • Next you will need to type in the hostname, ssh enabled, IP address, subnet mask, gateway and DNS servers

vRAD25

  • Click Next and check all your details

vRAD26

  • Once this is deployed, make sure you have a DNS entry added
  • Log into the appliance
  • Change the time settings first

vRAD27

  • Click on the Network tab and select Host Settings.
  • Fill in your details

vRAD36PNG

  • Reboot the appliance

vRAD37PNG

  • Click on the vRA Host Settings
  • Add in your host settings – this should be your load balanced name
  • Import your certificate in which should have been pre-created from the instructions in my previous vRA certificate blog

vRA233

  • Click on SSO
  • Put in the SSO details (The identity appliance details)
  • If everything is ok then you will see a certificate message

vRAD40PNG

  • Click Save Settings and note the SSO seems to take a long time

vRAD50

  • You should see the following

vRAD51

  • You should slowly see the services begin to come up
  • Note:  To monitor service startup run the following command:
  • tail -f /var/log/vcac/catalina.out

vRAD52

  • Do exactly the same process on the second appliance
  • Add your license in – Go to vRA Settings > Licensing

vRA234

  • Next please go to Part 2 for the Postgres clustering of the vRA appliances

http://www.electricmonk.org.uk/2016/01/07/vrealize-automation-large-scale-deployment-part-2-clustering-the-postgres-databases-on-the-vra-appliances-v6-0-2/

Licensing Problems

I had an issue where my license suddenly became invalid which was a little bizarre as it is test non expiring one.

However I followed the steps in the below article on both appliances and it came back fine

Thanks @ vmguru 🙂

https://www.vmguru.com/2015/09/downgrade-the-vrealize-automation-license/

 

vRealize Automation large scale deployment Part 2 Clustering the Postgres Databases on the vRA Appliances v6.2.3

vRARobot2

Configuring the vRA Appliances

VMware vRealize Automation Center documentation recommended the utilization of an external instance of VMware vFabric Postgres when setting up a high availability (HA) environment. However, since the release of VMware vRealize Automation standalone, VMware vFabric Postgres is End Of Availability and no longer available as a standalone product. To address customers needs, VMware developed a way to utilize the database instance located in the VMware vRealize Automation appliance in a high availability (HA) mode, without having to incur additional licensing.

Useful Links

http://pubs.vmware.com/vra-62/index.jsp#com.vmware.vra.install.doc/GUID-8E631C5E-97D7-4D2B-945A-33B5DDBA452F.html

http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=2108923

Instructions Part 1

Follow the below instructions for both appliances until you get to Part 2

  • Shutdown both vRA appliances and snapshot in vCenter
  • Download the 2108923_dbCluster.zip file from the VMware Knowledge Base.
  • Add a 20GB disk to the primary vRA appliance and secondary appliances
  • Power on the primary and secondary vRA appliances
  • Log into both vRA_Appliance:5480 in a web browser
  • Log into both vRA appliances in Putty and WinSCP
  • Extract the tar file from the 2108923_dbCluster.zip file attached to this article to both the appliances (I created a /tmp/prostgres folder)
  • Using winscp copy the 2108923_dbcluster.tar file to a tmp folder on both appliances
  • In Putty (See screen below) extract the .tar file on both appliances
  • tar xvf 2108923_dbCluster.tar

vRA235

  • type parted -l on both appliances
  • You should see Error: /dev/sdd: unrecognized disk label. See the bottom of the screen

vRA236

  • Run ./configureDisk.sh /dev/sdd

vRA237

  • At this point it is normally a good idea to snapshot both appliances as they seem to be sensitive to the password you use especially the special characters. Do not use = anywhere in the password
  • Run the pgClusterSetup.sh script to prepare the appliance databases for clustering
  • Note: In our case the db_fqdn was the Load balanced DB FQDN for the Postgres database

./pgClusterSetup.sh [-d] db_fqdn [-w] db_pass [-r] replication_password [-p]postgres_password

[-d] Database load balancer fully qualified domain name
[-w] Database password (will set password to this value)
[-r] Replication password (Optional: will use Database password if not set)
[-p] Postgres password (Optional: will use Database password if not set

  • cd /tmp/postgres
  • ./pgClusterSetup.sh -d f5.db.techlab.local -w password -r password -p password

vRA238

  • This is the end of configuration on both appliances

Instructions Part 2

Configuring the database replication on appliance B

  • Type su – postgres
  • Type cd /opt/vmware/vpostgres/current/share/
  • Type ./run_as_replica -h vRA_FQDN -b -W -U replicate (Note don’t copy and paste as needed typing in manually)

./run_as_replica –h Primary Appliance -b -W -U replicate
[-U] The user who will perform replication. For the purpose of this KB this user is replicate
[-W] Prompt for the password of the user performing replication
[-b] Take a base backup from the master. This option destroys the current contents of the data directory
[-h] Hostname of the master database server. Port 5432 is assumed

  • Enter the same password which was created previously
  • It should now look like the below
  • Type yes

vRA239

  • Type yes

Screen Shot 2015-11-25 at 14.54.23

  • Type the password

vRA240

  • Type yes to enable WAL archiving on the primary

vRA241

  • It will now say shutting down and ignore the error message

vRA242

  • Type yes to the base backup message
  • Note to myself really, I had an issue where I needed to run a command as root on the second vRA appliance to stop the vpostgres service (service vpostgres stop) to get the installer to finish!

vRA243

  • Next test replication
  • cd /opt/vmware/vpostgres/current/share/
  • Type ./show_replication_status

vRA244

Validate replication

  • Connect to the appliance with the primary (master) database using SSH.
  • Validate if the WAL process is running. You should see the WAL process by running this command:
  • ps -ef | grep wal

Screen Shot 2015-11-25 at 17.44.06

Validate if the master is ready for read-write connections by running these commands:

  • su – postgres
  • cd /opt/vmware/vpostgres/current/bin
  • ./psql vcac
  • SELECT pg_is_in_recovery();

vRA248

  • You see output similar to the above
  • Quit psql by running \q
  • Connect to the appliance with the replica database using SSH.
  • Validate if the replica is read only using these commands
  • su – postgres
  • cd /opt/vmware/vpostgres/current/bin
  • ./psql vcac
  • SELECT pg_is_in_recovery();

vRA247

  • Quit psql by running \q

Instructions Step 3

Testing Failover between the Postgres Databases. Performing a test failover (appliance A to appliance B)

  • Validate if the WAL process is running. You should see the WAL process by running this command:
  • Type ps -ef | grep wal

vRA245

  • Connect to appliance A using SSH as root
  • Stop the vpostgres service by running service vpostgres stop

vRA249

  • Connect to appliance B using SSH as root.
  • Promote the replica database to master as the postgres user by running these commands
  • su – postgres
  • cd /opt/vmware/vpostgres/current/share
  • ./promote_replica_to_primary

vRA250

  • SSH into appliance A as root.
  • Configure database replication as user postgres by running these commands
  • su – postgres
  • cd /opt/vmware/vpostgres/current/share/
  • ./run_as_replica -h FQDNofServer -b -W -U replicate
  • Note the FQDN of the server was the second node which was been promoted to primary

vRA251

  1. Enter the replicate users password when prompted.
  2. Type yes after verifying the thumbprint of the primary machine when prompted.
  3. Enter the postgres users password when prompted.
  4. Type yes when prompted with Warning: the base backup operation will replace the current contents of the data directory. Please confirm by typing yes
  5. Do a quick check to test which machine is the primary and which is the secondary

vRA252

vRA254

Instructions Step 4

Perform a test failback (appliance B to appliance A)

  • Connect to appliance B using SSH as root.
  • Stop the vpostgres service by running this command:
  • service vpostgres stop

vRA256

  •  Connect to appliance A using SSH as root.
  • Promote the replicate database to master as user postgres by running these commands
  • su – postgres
  • cd /opt/vmware/vpostgres/current/share/
  • ./promote_replica_to_primary

vRA255

  • Connect to appliance B using SSH as root.
  • Configure database replication as user postgres by running these commands:
  • su – postgres
  • cd /opt/vmware/vpostgres/current/share
  • ./run_as_replica -h FQDNofServer -b -W -U replicate
  • Enter the replicate users password when prompted
  • Type yes when prompted with:WARNING: the base backup operation will replace the current contents of the data

vRA257

Validate replication

  • Connect to the appliance with the primary (master) database using SSH.
  • Validate if the WAL process is running. You should see the WAL process by running this command:
  • ps -ef | grep wal
  • Validate if the master is ready for read-write connections by running the commands below
  • It should say f indicating it is the master

vRA258

  • You see output similar to the above
  • Quit psql by running \q
  • Connect to the appliance with the replica database using SSH.
  • Validate if the replica is read only using these commands:

vRA259

  • Quit psql by running \q
  • If you now log into the VAMI page of the vRA appliances and check the database and cluster page you should see the following

vRA260

Configuring monitoring of the VMware vRealize Automation appliance databases

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2127052

Installing vRA 6.x certificates

certificate

Installing vRA certificates

This subject is a tricky one to navigate round so I have decided to try and simplify this as much as possible to get a good working procedure to carry out the replacement of certificates correctly and efficiently. The various components of VMware vRealize Automation (formerly known as VMware vCloud Automation Center) have different requirements for the certificates used for authentication

Certificates supportability matrix for vRealize Automation

Screen Shot 2015-11-24 at 08.15.28

Certificate trust requirements between VMware vRealize Automation components

Screen Shot 2015-11-24 at 08.17.19

  • * vRealize certificate thumbprint is stored in IaaS database during installation
  • ** SSO certificate thumbprint is stored in IaaS database during installation
  • *** Application Director and Orchestrator as an external instance are optional services

Update components Certificates in the following order

  • Identity Appliance
  • vCloud Automtation vCenter Appliance
  • IaaS components

Step 1 Installing a Domain Certificate Authority

Note: This will normally be installed on a Domain Controller.

  • On Windows 2012 open Server Manager > Add Roles and Features

Screen Shot 2015-11-24 at 08.45.53

  • Click Next to accept the selections on the next 2 screens
  • Make sure to choose both Certification Authority & Certifications Authority Web Enrollment on the Role Service screen

Screen Shot 2015-11-24 at 09.05.36

  • Choose Enterprise or Subordinate at the setup Type page (Note I am choosing Enterprise and this is in my lab)
  • Assuming this is your first CA, choose Root CA at the CA Type screen
  • Create a new private key
  • In Configure cryptography for CA, choose Microsoft Software Key Storage Provider and SHA1
  • Configure your CA name
  • Set validity period for the certificate generated by this CA

Step 2 Creating vCAC Certificate templates

We now need to create a non-standard Certificate Template, which is a copy of the standard Web Server template modified to allow for export of the certificate key. In addition, the Microsoft CA will be updated to allow for Subject Alternative Names (SANs) as specified in the Attributes.

  • Connect to the Root CA server or Subordinate CA server via RDP.
  • Click Start > Run, type certtmpl.msc, and click OK. The Certificate Template Console opens.
  • In the middle pane, under Template Display Name, locate Web Server.
  • Right-click Web Server and click Duplicate Template.

Screen Shot 2015-11-24 at 09.17.25

  • You should see the Compatibility tab
  • Select Windows Server 2008 R2 as the Certification Authority
  • Select Windows 7 / Server 2008 R2 under Certificate recipient

Screen Shot 2015-11-24 at 12.40.03

  • Click the General tab.
  • In the Template display name field, enter VMware-SSL as the name of the new template.

Screen Shot 2015-11-24 at 12.43.46

  • Click the Request Handling tab
  • Ensure that the Allow private key to be exported option is selected

Screen Shot 2015-11-24 at 15.55.13

  • Select Cryptography

Screen Shot 2015-11-24 at 12.52.51

  • Click Key Attestation

Screen Shot 2015-11-24 at 13.06.22

  • Click Server

Screen Shot 2015-11-24 at 14.20.48

  • Click Security

Screen Shot 2015-11-24 at 14.22.02

  • Click Extensions

Screen Shot 2015-11-24 at 14.22.34

  • Click the Edit button
  • Select the Signature is proof of origin (nonrepudiation) option.
  • Select the Allow encryption of user data option.

Screen Shot 2015-11-24 at 14.29.13

  • Click Application Policies

Screen Shot 2015-11-24 at 14.30.50

  • Click Superseded Templates

Screen Shot 2015-11-24 at 14.23.31

  • Click Subject Name

Screen Shot 2015-11-24 at 14.24.15

  • Click Issuance Requirements

Screen Shot 2015-11-24 at 14.25.07

  • Click OK to save the template.

Step 3 – Adding a new template to certificate templates

To add a new template to certificate templates:

  • Connect to the Root CA server or Subordinate CA server via RDP.Note: Connect to the CA server in which you are intending to perform your certificate generation.
  • Click Start > Run, type certsrv.msc, and click OK. The Certificate Server console opens.
  • In the left pane, if collapsed, expand the node by clicking the [+] icon.
  • Right-click Certificate Templates and click New > Certificate Template to Issue.

Screen Shot 2015-11-24 at 16.24.40

  • Locate the VMware-SSL Certificate under the Name column.
  • Click OK.

A new template option is now created in your Active Directory Certificate Services node. This new template can be used in the place of Web Server for the vSphere 5.x CA certificate.

Step 4 – Checking the web enrollment page

If everything went as planned you will have a new certificate template type when submitting a CSR. If you don’t see your new template, you may not have appropriate CA rights to issue the certificate.

  • Navigate to https://yourcertificateserver/certsrv
  • You should see the template VMware-SSL available

Screen Shot 2015-11-24 at 16.29.54

Step 5 – Creating a certificate configuration file for the Identity appliance

Useful Link

http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=2015387

  • Copy the below text into a notepad file and save it as a .cfg file
  • Modify the relevant parts of your appliance and company details
  • Note you may have load balancers such as F5’s in which case you can also put the load balancer address in the subjectAltName section and the common name

[req]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS: techlabvri001, DNS: techlabvri001.techlab.local

[req_distinguished_name]
countryName = UK
stateOrProvinceName = London
localityName = Norwich
0.organizationName = Techlab
organizationalUnitName = vRA Identity
commonName = techlabvri001.techlab.local

  • So it should look like this for the Identity Appliance

vRAD87

Step 5b – Creating a certificate configuration file for the Automation appliance

Note: I have put in both my vRA appliance hostnames and my load balanced name as I am going to cluster the vRA appliances

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:techlabvra001, DNS:techlabvra001.techlab.local DNS: techlabvra002 DNS: techlabvra002.techlab.local DNS:f5.vra DNS:f5.vra.techlab.local

[ req_distinguished_name ]
countryName = UK
stateOrProvinceName = London
localityName = Norwich
0.organizationName = Techlab
organizationalUnitName = vRA Appliance
commonName = f5.vra.techlab.local

vRA232

Step 6 Update components certificates in the following order:

  1. Identity Appliance
  2. vCloud Automation vCenter Appliance
  3. IaaS components

Step 7 – Installing OpenSSL version 0.9.8.

Use the following steps to install OpenSSL, which will be used to request the required certificates.

Important: Ensure that you are using OpenSSL version 0.9.8. If you do not use this version, the SSL implementation will fail.

  • Ensure that the Microsoft Visual C++ 2008 Redistributable Package (x86) is installed on the system on which you want to generate the requests. To download the package, see the Microsoft Download Center
  • Download the Shining Light Productions installer for OpenSSL x86 version 0.98r or later on the link below http://www.slproweb.com/products/Win32OpenSSL.html. This software was developed by the OpenSSL Project
  • Launch the installer, proceed through the installation, and make a note of the appropriate directory for later use. By default, it is located at c:\OpenSSL-Win32.

Step 8 – Generating certificates for the vRA Identity Appliance and the vRA Appliance

  • Make sure you have your identity appliance and vra appliance config files in a folder (You will need to change the paths highlighted in blue to your own folder)
  • Open cmd.exe and change directory to c:\OpenSSL\bin
  • Run the following commands

Identity

openssl req -new -nodes -out F:\Software\vracerts\techlabvri001\rui.csr -keyout F:\Software\vracerts\techlabvri001\rui-orig.key -config F:\Software\vracerts\techlabvri001\vritemplate.cfg

vRAD54

vRAD56

vRA Appliance

openssl req -new -nodes -out F:\Software\vracerts\techlabvra001\rui.csr -keyout F:\Software\vracerts\techlabvra001\rui-orig.key -config F:\Software\vracerts\techlabvra001\vratemplate.cfg

vRAD55

vRAD57

Step 9 Convert the keys to the appropriate RSA format required by the appliances

Identity

openssl rsa -in F:\Software\vracerts\techlabvri001\rui-orig.key -out F:\Software\vracerts\techlabvri001\rui.key

vRAD58

Appliance

openssl rsa -in F:\Software\vracerts\techlabvra001\rui-orig.key -out F:\Software\vracerts\techlabvra001\rui.key

vRAD59

  • Logon to the Microsoft CA Web Interface (https://ca-server/CertSrv)
  • Click on the Request Certificate > Advanced Certificate Request

vRAD60

vRAD61

  • Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
  • Open the rui.csr file for the vCAC Identity Appliance and then copy and paste the contents into the Base-64-encoded certificate request field.

vRAD62

vRAD63

  • Ensure you select the correctly configured Certificate Template

vRAD64

  • Click “Submit” to submit the request.
  • Select the “Base64 encoded” option on the Certificate Issued screen.

vRAD65

  • Click the “Download Certificate” link and save as rui.crt in the same location as your config file and CSR.

vRAD74

  • Repeat the above process for the vRA Appliance Certificate Request.
  • Next go back to https://techlabadc001.techlab.local/certsrv/
  • Click on “Download a CA certificate, certificate chain or CRL”.

vRAD67

  • Select the “Base64 encoded” option.
  • Click the “Download a CA Certificate Chain” link.

vRAD69

  • Save the certificate chain as cachain.p7b in your desired location
  • Double click the cachain.p7b file and navigate to yourlocation\cachain.p7b > Certificates

vRAD70

  • Right click the root certificate and select “All Actions > Export” and then click Next.

vRAD71

Select Base64-encoded X.509 (.CER) and click Next.

vRAD72

  • Save the export to your location/root64.cer and click Next.

vRAD73

Converting the Certificates to PEM Format

  • Launch a command prompt and navigate to your OpenSSL directory. By default this is located in c:\OpenSSL\bin
  • Run the following commands (replacing the path with your desired location) to convert the certificates to the format expected of the Virtual Appliances.

Identity

openssl pkcs12 -export -in F:\Software\vracerts\techlabvri001\rui.crt -inkey F:\Software\vracerts\techlabvri001\rui.key -certfile F:\Software\vracerts\Root64.cer -name “rui” -passout pass:testpassword -out F:\Software\vracerts\techlabvri001\rui.pfx

vRAD77

  • You should then see your pfx file in the Identity appliance folder

vRAD76

vRA Appliance

openssl pkcs12 -export -in F:\Software\vracerts\techlabvra001\rui.crt -inkey F:\Software\vracerts\techlabvra001\rui.key -certfile F:\Software\vracerts\Root64.cer -name “rui” -passout pass:testpassword -out F:\Software\vracerts\techlabvra001\rui.pfx

vRAD78

  • You should then see your pfx file in the vRA appliance folder

vRAD79

  • Next type the following commands

Identity

openssl pkcs12 -in F:\Software\vracerts\techlabvri001\rui.pfx -inkey F:\Software\vracerts\techlabvri001\rui.key -out F:\Software\vracerts\techlabvri001\rui.pem -nodes

vRAD80

  • You should now see the pem file

vRAD81

vRA Appliance

openssl pkcs12 -in F:\Software\vracerts\techlabvra001\rui.pfx -inkey F:\Software\vracerts\techlabvra001\rui.key -out F:\Software\vracerts\techlabvra001\rui.pem -nodes

vRAD82

  • You should now see the pem file

vRAD83

Note:

All of the above instructions worked for me but if the above command does not work to issue the PEM then try the below commands instead for vRA 6.2.

Someone reported that the pem creation syntax above seems to give the  error “unable to create keystore” when installing the cert in the identity appliance in vRA 6.2.

These commands are listed in the vRA 6.2 document at

VMware vRealize Automation Center 6.2

openssl pkcs12 -in C:\certs\identity\rui.pfx -clcerts -nokeys -out C:\certs\identity\rui.pem

openssl pkcs12 -in C:\certs\vcaca\rui.pfx -clcerts -nokeys -out C:\certs\vcaca\rui.pem

Importing the Certificate to your Identity Appliance

  • Login to your identity appliance on https://vCAC.ID.FQDN:5480
  • In my case https://techlabvri001.techlab.local:5480/
  • Click on the SSO tab.
  • Click on the SSL tab.

vRAD84

  • In the “Choose Option” field, click the drop down and select Import PEM encoded certificate.
  • Open the rui.key file for your vCAC ID appliance in a text editor.
  • Copy and paste the contents into the “RSA Private Key” field.

vRAD85

  • Open the rui.pem file for your vRA Identity appliance in a text editor.
  • Copy and paste the contents into the “Certificate” field.
  • Note: It is really important that it looks like the below certificate. if you get any random lines other than these, you need to remove them or it will not work

vRAD89

  • Enter testpassword into the “Pass Phrase” field.

vRAD86

  • Click the “Replace Certificate” button
  • You should now see the certificate imported

vRAD90

Importing the Certificate to your vRA Appliances

Note: Do this on both appliances!

  • Login to https://vRA.FQDN:5480
  • Click on the vRA Settings tab > Host Settings > SSL Configuration
  • In the “Choose Option” field, click the drop down and select Import PEM encoded certificate.
  • Open the rui.key file for your vRA ID appliance in a text editor.
  • Copy and paste the contents into the “RSA Private Key” field.
  • Open the rui.pem file for you vRA ID appliance in a text editor.
  • Copy and past the contents into the “Certificate” field.
  • Enter testpassword into the “Pass Phrase” field.
  • Click the “Replace Certificate” button.

NOTE: If you are replacing the certificates after having registered the vRA VA against the vRA ID VA you will need to re-enter the SSO settings on the vCAC Server to ensure that communications between the VAs are trusted.

1. Login to https://vRA.FQDN:5480 
2. Click on the vRA Settings tab then under Host Settings
3. Click on the SSO tab.
4. Re-enter the SSO Admin User and SSO Admin Password details and then click “Save Settings”.

Not performing this step will result in an error as shown below.

vRAD91

You should now see it is successful

vRA233

IaaS and Manager certificates

The order of operation is to first generate a PKCS12 formatted certificate. After a certificate is in PKCS12 format, it can be converted to PEM encoding and a DER encoded certificate can be generated from that PEM. In addition, an unencrypted key can be extracted from the PEM certificate

  • First I generated a new certificate template called vratemplate.cfg
  • I put in my 2 IaaS servers and the load balancer name in shorthand and FQDN.

vRA261

  • Open cmd.exe as Administrator and navigate to the c:\OpenSSL\bin directory

vRAD110

  • Run the following command replacing the highlighted parts with your own paths
  • openssl req -new -nodes -out C:\vracerts\techlabias001\techlabias001.csr -keyout C:\vracerts\techlabias001\techlabias001.key -config C:\vracerts\techlabias001\vratemplate.cfg

vRAD112

  • You should see the following keys created

vRAD113

  • Run the following command in OpenSSL to convert the keys to the RSA format required by the appliances
  • openssl rsa -in C:\vracerts\techlabias001\techlabias001.key -out C:\vracerts\techlabias001\techlabias001.key

vRAD115

  • Next go back to the certificate request home page
  • Click Request a certificate

vRAD116

  • Select Advanced certificate request

vRAD117

  • Click Submit a certificate Request by using a base- 64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

vRAD118

  • Open the .csr file and copy the request into the box
  • Make sure you select your VMware-SSL certificate

vRAD119

  • Click Submit
  • Click on Download certificate and Base 64 encoded
  • Save this certificate in your certificate folder. I named it techlabias001

vRAD120

  • You will now see your certificate

vRAD121

  • In the same page click on Download certificate chain

vRAD122

  • Save the certificate as cachain.p7b

vRAD123

  • Double click on this file and open it in the certificates console

vRAD124

  • Export the root file

vRAD125

  • Select Base 64 encoded

vRAD126

  • Save the file as root64.cer
  • You will see it as per below in your folder

vRAD127

  • Go back to OpenSSL and run the command to convert the certificates to PKCS format
  • openssl pkcs12 -export -in C:\vracerts\techlabias001\techlabias001.crt -inkey C:\vracerts\techlabias001\techlabias001.key -certfile C:\vracerts\techlabias001\root64.cer -name techlabias001 -passout pass:testpassword -out C:\vracerts\techlabias001\techlabias001.pfx

vRA315

You will now see your .pfx file in the folder

  • Next we need to import the CA issued certificate for the IaaS web server.
  • On the IaaS server, open the IIS Manager console.
  • Navigate to your Server instance, and open Server Certificates.
  • Select “Import” in the top right hand corner.
  • In File name, browse and select the PKCS file with the .pfx extension that represents the CA issued certificate for IaaS web server.
  • Type the password testpassword
  • Accept the default Place all certificates in the following store.
  • You should now see the imported certificate in your list
  • Navigate to your Default Web Site (the vCAC website) and select “Bindings”.
  • Select “https” and click “Edit”.
  • Click the SSL Certificate drop down and select your certificate, then click OK.

Note: The below information doesn’t need to be done. It’s just information I put here to remind me to look at in relation to replacing certificates

Register the new Certificate with the vCAC Appliance

  • Browse to c:\Program Files (x86)\VMware\vCAC\Server\Model Manager Data\cafe
  • Note: CAFE stands for Cloud Automation Framework Extensibility. Just in case you were wondering
  • Register the new certificates on your IaaS Server to the vCAC Appliance with the following set of commands:

vcac-config RegisterEndpoint –EndpointAddress https://techlabias001.techalab.local/vcac –Endpoint ui -v

vcac-config RegisterEndpoint –EndpointAddress https://techlabias001.techalab.local/vcac/SslCallback.aspx  –Endpoint ssl -v

vcac-config RegisterEndpoint –EndpointAddress https://techlabias001.techalab.local/Repository –Endpoint repo -v

vcac-config RegisterEndpoint –EndpointAddress https://techlabias001.techalab.local/WAPI –Endpoint wapi -v

vcac-config RegisterEndpoint –EndpointAddress https://techlabias001.techalab.local/WAPI/api/status –Endpoint status -v

  • Now you need to follow the exact same steps to generate the manager certificate

 

VMware vRealize Automation 6.2.2 Monitoring and Reclamation Part 7

magnifying glass

Monitoring and Reclamation

In vRA we need to know what to do when we need to identify and reclaim unused or underused resources and put in an automated solution to manage these.

Reclamation stages

  • Identify

Through endpoint discovery and data collection, vRA creates  list of machines and their characteristics. Using filtering capabilities, administrators can identify machines for reclamation which could be machines which have been powered off, machines that average low usage and machines where the users have left or been disabled in AD

  • Verify

After machines are identified, they are validated before being reclaimed. vRA use workflows to assist customers with the process along with approval processes

  • Reclaim

Once machines are identified for reclamation, vRA goes through the process of reclaiming. Some machines may need to be archived before being removed completely.

  • Improve

Reclamation is designed to improve efficiency and use. Reporting and cost savings are used to manage machines in order to track and monitor environments

Where is Reclamation in vRA?

Tenant Administrators perform reclamation tasks

  • Go to Administration > Tenant Machines > Reclamations
  • The below page appears

vRA218

  • The tenant administrator can search for underused machines by CPU, memory, disk, network use or idle machines  (Idle meaning a machine which is powered on but with no statistics)

Thresholds

vRA219

Reclamation Requests and Notifications

The tenant administrator submits a reclamation request specifying the lease length and reason for the request which can then be monitored

  • Go to Administration > Tenant Machines > Reclamations
  • Select the machine you want to use
  • Click Reclaim Virtual machines

vRA220

  • The next screen has 3 options
  • New lease length (A new amount of lease time is assigned to the machine where if the owner does not respond to the lease request, the machine is powered off an destroyed, if no archive period was set in the blueprint)
  • Wait before forcing lease (days) (This is the time within which the owner of a machine must respond to prevent a new lease from being applied to the machine)
  • Reason for request

vRA221

  • If an archive period was set, the machine is expired and cannot be powered on until the lease is reset
  • If the lease is not reset at the end of the archive period, the machine is destroyed and the resources are reclaimed
  • Go to the Inbox of the owner. As this is me, I just click Home > My Inbox and I can see the reclamation request which has come in to me

vRA227

  • Click on this request and select an option
  • One of 3 actions can be taken on a reclamation request
  • The machine owner can select Release for reclamation where the machine is reclaimed and immediately destroyed if no archival period was specified in the blueprint
  • The machine can select item in use. No action is taken and the administrator is notified that the machine should still be used
  • The machine owner can take no action. In this case the machine is assigned a new lease based on the reclamation request. If the owner does not respond, it is powered off and destroyed if no archival period was set. During the archival period, the machine cannot be powered on until the lease is reset

vRA228

There are 3 states of reclamation requests

  • Pending (Request submitted to the machine owner)
  • Approved (The machine owner has released the machine for reclamation)
  • Rejected (The machine owner has responded that the machine is still in use)

Machine Leases

These are the time periods given to a machine which determine how long they should be active for. Machine leases are used by tenant admins and business group managers

  • Leases can be assigned to blueprints
  • Leases can be assigned to a machine after it is provisioned
  • Leases can be changed after a machine is provisioned
  • if a lease is not assigned then the machine does not have an expiration date
  • Multimachines have one lease date which is applied to all machines in the service

Home Page Portlets

Tenant Administrators can monitor and report reclamation savings by adding portlets to the home page

  • Log into https://vRA_Apppliance.FQDN/shell-ui-app
  • Click Home and at the right side of the screen, click the pencil icon and select Add Portlets

vRA223

  • Choose the portlets you want
  • They can then be dragged and re-arranged on your home page

vRA224

  • Users can add portlets but if they don’t have permissions then no data will appear

vRA225

  • You can also export data as a .csv file

vRA226

 

VMware vRealize Automation 6.2.2 Extensibility, Orchestrator and ASD Part 6

vRARobot2

Extensibility

There are several challenges involved with automating self service provisioning to enforce governance, minimise user input and provide audit and accounting functionality. vRA can be transformed by using extensibility products such as Advanced Service Designer and VMware vCenter Orchestrator

vCenter Orchestrator

  • Library of workflows and plug-ins which include VMware and partner developed solutions which facilitate integration with existing tools and infrastructure
  • Orchestrator comes built in with vRA or an external Orchestrator server can be used in place of the built in server
  • Blueprints can be created from vCenter Orchestrator workflows and published as catalog items
  • Includes an API which allows an external ecosystem of partners to develop reusuable plugins.
  • Using cluster mode configuration, a collection of Orchestrator nodes can work together and share a common database
  • The extended REST API allows automatic configuration and installation of the necessary vCenter Orchestrator nodes
  • The extended REST API also provides dynamic scale up and scale down of the orchestration capacity when Orchestrator is used with an external load balancer
  • Fully equipped with a workflow debugger

Advanced Service Designer

  • Service Architects can create and publish advanced services to the service catalog. Using the capabilities of ASD, custom resources can be created and mapped to vCenter Orchestrator types and defined as items to be provisioned and managed.
  • Allows administrators to add custom logic to any of the 10 built in IAAS customisable workflows
  • IAAS workflows are created using MS Windows Workflow Foundation which is a part of .NET Framework 4
  • vRA also contains 6 state change workflow templates that can be edited to contain custom logic. These can call out to vRA for bidirectional integration with external management systems
  • You can create up to 4 custom menus
  • Provides a visual workflow editor for customising IAAS workflows

Use cases for extensibility

  • Leverage existing infrastructure and future infrastructure (Multivendor and Multicloud)
  • Configure personalised business relevant services by using custom properties or metadata tags
  • Integration with 3rd party management systems (CMDB, iPAM, Load Balancers and Service Desk apps)
  • ASD is a new feature in vRA 6. Administrators can leverage vCenter Orchestrator workflows and plugins and create new Day 2 operations as custom services
  • vRA provides a RESTful API which can be used to call vRA application and infrastructure services from third party or custom applications

Plugins

Available plugins can be found at http://solutionexchange.vmware.com

Custom Services

The following are examples of what can be done

  • New employee onboarding
  • E-mail box setup
  • Storage and networking services
  • Backup and recovery
  • Security and compliance
  • Software install/update
  • Password management

Cloud Util

CloudUtil is a command line interface to Model Manager. It enables admins to install, configure and update entities in the Model Manager. It also

  • Creates and manages skills
  • Stores and manages files
  • Installs custom machine operations

With a vRA Development Kit License, additional functionalities are available such as

  • Installing and managing custom workflows and models created in MS Visual Studio
  • Install custom models and supporting assemblies
  • Generate client classes for a custom model
  • Install custom events and schedules used to trigger workflows
  • Install new workflows

The ASD Console

The Toolbox pane

The Toolbox pane provides access to the vRA workflow activity library where activities for using PowerShell and vCenter Orchestrator integrate vRA with external systems. Common activities used in workflows include

  • InvokeRepositoryWorkflow = Executes a workflow installed in Model Manager
  • GetMachineName = Gets a machine’s name
  • GetMachineOwner = Gets a machine’s owner
  • GetMachineProperties = Gets the list of custom properties associated with a machine
  • GetScriptFromName = Get’s contents of the script stored in the Model Manager under the specified name
  • InvokePowerShell = Executes a PowerShell command
  • InvokeSshCommand = Executes an SSH command
  • LogMachineEvent = Logs a machine event to the user log that is visible to the machine owner
  • RunProcess = Exceutes a process on the same machine as the DEM that executes this activity
  • SendEmail = Sends an email to the given set of addresses
  • SetMachineProperty = Creates or updates a custom property on the machine
  • InvokeVcoWorkflow = Calls a vCenter Orchestrator workflow and blocks further execution of its parent vRA workflow until the vCenter Orchestrator workflow completes
  • InvokeVcoWorkflowAsync = Calls a vCenter Orchestrator workflow and continues to execute activities in vRA without waiting for the vCenter Orchestrator workflow to complete

Extending built in Workflows using Workflow templates

Using ASD, the 10 out of the box workflow templates can be modified to implement custom logic. 6 of these are State change templates and 4 are menu operation workflow templates

The 6 State Change Templates

Each of these 6 state change templates ma to a specific state of the machine lifecycle. They can be modified and then referenced against a blueprint so the customisation can be applied to a machine derived from that template. As an example all machines might require a custom name derived from a naming convention. Using the WFStubBuildingMachine workflow template could meet this criteria

The 4 Menu Operation Workflow Templates

These 4 templates can be used to implement 4 custom menus with their own functionality. Menu operation workflows are implemented when a user selects a menu from the vRA console. An example could be a menu that enables a user to backup a machine

Defining variables

Defining variables is a critical step in the extensibility process. Information must be defined that is required for the workflow and is the source of that information.

For example. The MyScriptText variable is a string and is used to identify the custom code to be loaded from the PowerShell script which is loaded into Model Manager

Adding State Change Workflow Template to a Blueprint

  • Go to Infrastructure > Blueprints > Blueprints > Edit your Blueprint
  • Select Properties
  • Select New Property

vRA115

Workflow Versioning

You can always revert back to previous versions of a workflow stub by loading the version you want and sending it back. You don’t overwrite the existing version as it created a more recent version which becomes the default version. The Model Manager might store and display multiple versions of a workflow but the DEMs always execute the most recent version of a workflow and not earlier versions

Working with a vCenter Orchestrator Workflow

Workflows can be called synchronously or asynchronously. Some workflows require user interaction and the prompt appears in the vCenter Orchestrator client rather than vRA. To avoid this don’t use workflows which require user interaction from vRA

  • Synchronous

The InvokeVcoWorkflow calls a vCenter Orchestrator workflow and blocks further execution of it’s parent vRA workflow until the vCenter Orchestrator workflow completes

  • Asynchronous

The InvokeVcoWorkflowAsync calls a The InvokeVcoWorkflow workflow and continues to execute activities in the vRA workflow without waiting for the vCenter Orchestrator workflow to complete

vCenter Orchestrator as an endpoint

vRA must be defined as an endpoint to use vCenter Orchestrator

Workflows are built mainly by using existing building blocks

  • Workflows
  • Actions
  • Resource Elements
  • Predefined scriptable tasks

There are more than 200 ready to use workflows included with vCenter Orchestrator

vCenter Orchestrator integration techniques

  • Create a vCenter Orchestrator endpoint in vRA

Using an endpoint, vRA can invoke vCenter Orchestrator workflows

At least one vCenter Orchestrator endpoint is required

Each endpoint must have a unique priority

  • Install vRA plug-in into vCenter Orchestrator

Using a plug-in, vCenter Orchestrator can manage vRA entities

A plug-in automates the configuration of vRA IAAS workflows

A plug-in includes many predefined workflows

Configure an embedded vCenter Orchestrator

vRA includes a built in version of Orchestrator which can be used for running workflows in additional to separate external Orchestrator services

  • Putty into the vRA appliance (where the embedded Orchestrator is)
  • First start the vco-server service
  • Type service vco-server start

vco1

  • Next start the vco-configurator service by logging into the vRA appliance via Putty and typing service vco-configurator start

vRA326

  • Navigate to https://your-VA-appliance:8281/vco

vROConfig

  • If you have an issue accessing the Orchestrator webpages, you can check in vRA whether then Orchestrator service is connected by clicking Test Connection

vco3

  • If you experience connection issues you can also type vcac-vami vco-service-reconfigure in the vRA appliance putty page
  • If you encounter a Diffie Hellman error please google for fixes
  • Type https://your-vRA-appliance:8281
  • You should see this page. Click Start Orchestrator client

vRAConfig38

  • You should see a few prompts such as below from Java

vRA330

  • Log in

vRA229

  • You should now see the Orchestrator application

vRA230

  • In order to configure Orchestrator type in https://your-vRA-server:8283/vco-config/ to access the appliance configuration

vRA327

  • The default username and password is vmware and vmware
  • You will be prompted to change it
  • Password must have an uppercase letter and a special character

vRA328

  • You should now be logged into Orchestrator configuration webpage
  • Have a click through the configuration options
  • I clicked on Network and changed the IP address from 0.0.0.0 to my vRA appliance address

vco2

  • You need to add the vCenter certificate in to the SSL Trust Manager. You will also need to add the Platform Services Controller if you use this with vSphere 6

vco1

  • You need to add your IAAS Server with the FQDN and add the vRA appliance if this is not here but mine already was. (if it is embedded and not external)

vRA148

  • You should see your certificates

vRA149

  • Next go back and log into your vRA appliance https://vRA_Appliance.FQDN/shell-ui-app
  • Go to Infrastructure > Endpoints > Credentials > Add new credentials

vRA150

  • Put in vCO as the Name
  • Put in administrator@vsphere.local as the username
  • Put in the password

vRA151

  • Go to Endpoints > New Endpoint > Orchestration > vCenter Orchestrator

vRA152

  • Fill in the details

vRA153

Install the vSphere Orchestrator Client

  • Go to https://vRA_Appliance.FQDN:8281/vco
  • Click Start Orchestrator client

vRA154

  • I got an error saying Windows cannot open .jnlp files so I had to select open with then navigate to my java folder and choose javaws
  • Whatever you do don’t update from version 1.7 to 1.8 or things will break
  • You should then see the below 2 screens

vRA155

vRA156

  • You should then see the logon screen for vCO appear

vRA157

  • A certificate warning will appear

vRA158

  • vCenter Orchestrator will now open

vRA159

  • Click Administer

vRA160

  • Expand VCAC and Active Directory in the Inventory section. You should see these are empty although there may already be something in vCloud Automation Center

vRA161

  • Select Run
  • Go to Workflows
  • Go to Library > Microsoft > Active Directory > Configuration > Configure Active Directory

vRA162

  • Click Start Workflow
  • Put in the following details

vRA163

  • Click Use a Shared Session
  • Put in your credentials

vRA164

  • Next in the same Workflow screen, navigate to Library > vCloud Automation Center > Configuration > Add the IAAS host of a vCAC host

vRA175

  • Right click on Add the IaaS host of a vCAC host and select Start Workflow

vRA176

  • Click Next

vRA177

  • Click Next

vRA178

  • Click Next

vRA179

  • Click Submit
  • You should see a green tick and confirmation in the events screen on the right that everything has started

vRA180

Configuring the vRA workflows templates from vCenter Orchestrator

  • In Orchestrator, navigate to the below menu in Workflow view

vRA171

  • Right click Install vCO customization and select Start Workflow
  • In the Install vCO customization dialog box choose Not Set and select your vRA server

vRA172

  • Click Next

vRA173

  • Click Next

vRA174

  • Click Submit

vRA181

  • If you now go back to the ASD and click Load, you will see the new versions of the state change templates (Note you may need to install ASD first, in which case there are instructions further down this post)

vRA182

Configuring a state change workflow from vCenter Orchestrator

  • Go to https://vRA_Appliance.FQDN/shell-ui-app
  • Go to Infrastructure > Blueprints > Blueprints > Edit your Blueprint
  • If any custom properties are attached to the blueprint then remove them
  • Next log into vCenter Orchestrator > Library > vCloud Automation Center > Infrastructure Administration > Extensibility

vRA183

  • Right click Assign a state change workflow to a blueprint and select Start Workflow
  • Click Not set and chose the VRA server

vRA184

vRA193

  • Click the Array field

vRA186

  • Click Insert Value

vRA187

  • Expand down until you can see your Blueprint

vRA188

  • Click Add
  • Click Select

vRA189

  • Click Accept > Next
  • Click on Workflow template

vRA190

  • Type Tools into filter > Select Mount tools installer

vRA191

  • Click Select
  • Select Submit

vRA192

  • Go to https://vRA_Appliance.FQDN/shell-ui-app
  • Click Infrastructure > Blueprints > Blueprints and edit your blueprint
  • Click Properties
  • Review the settings. You can see that Orchestrator added the new required custom property

vRA194

  • You can then go through the process of requesting a VM and seeing if it has indeed mounted the CD Drive

Installing the ASD

  • Go to https://vRA_Appliance.FQDN:5480/installer
  • Click vRealize Automation Designer

vRA117

  • On the Welcome Page click Next

vRA118

  • Accept the License agreement

vRA119

  • Check the location for the install is correct and click Next

vRA120

  • Put in the IAAS server FQDN. In my case it is dacvtst003.dacmt.local
  • Put in a username and password

vRA121

  • Click Install

vRA122

Configuring ASD Endpoints for VMware vCenter Server

  • Log into https://VRA_Appliance.FQDN/shell-ui-app
  • Go to Administration > Users and Groups > Custom Groups
  • Add an AD group and add to Service Architects

vRA195

  • Click Next

vRA196

  • Next go to Administration > Orchestrator Configuration > Endpoints
  • Click Add

vRA197

  • Choose Active Directory from the drop down menu

vRA198

  • Type a name. I’ve just called mine Active Directory

vRA199

  • Type in the details

vRA200

  • Next add an endpoint for vCenter

vRA201

  • Put in a name

vRA202

  • Fill in all details

vRA203

  • Add a user and password

vRA204

  • You should now see your 2 endpoints

vRA205

  • Log out of vRA and you may need to log out of the server and back in again. As you can see below this will add the Advanced Service Designer tab to vRA

vRA206

vRA207

Create and publish a service to change an AD Users password

  • Log into https://VRA_Appliance.FQDN/shell-ui-app
  • Click the Advanced Services tab
  • Select Service Blueprints
  • Click the + sign next to Service Blueprints

vRA208

  • Expand Library > Microsoft > Active Directory > User
  • Click Next

vRA209

  • Click Next

vRA210

  • Click the pencil icon to bring up the edit box and change the name to user and the type to search

vRA211

  • Click Submit
  • Click Next

vRA212

  • Click Add
  • In the list of Service Blueprints select Action > Publish

vRA213

  • Go to Administration > Catalog Management > Services

vRA214

  • Add a name for the password service and set to active

vRA215

  • Select Catalog Items
  • Select your service and select Configure

vRA216

  • On the Service drop down, select User Password Support or whatever you have named your service

vRA217

  • Click Update
  • Now select Entitlements from the left hand menu and click Add

vRA218

  • Put in a name and set to active and add the relevant users and groups

vRA219

  • Click Next
  • Click Entitled Services and add your service

vRA220

  • Log out and in again and check that when you click on the catalog tab that you see the Change a user password service

vRA221

Looking further into Advanced Service Designer

  • On the desktop, click vRealize Automation Designer
  • On the vRA Automation Designer ribbon, click Load

vRA124

  • You will get the following box

vRA125

  • Select the WFStubBuildingMachine workflow stub. If multiple versions exist, select the revision 0 version

vRA126

  • You should see the below screen

vRA127

  • In the Try area, double click the Building Machine activity

vRA128

  • Double click the Custom Code activity as highlighted above

vRA129

  • At the bottom of the design surface in the middle pane, click Variables and click Create Variable

vRA130

  • Add the following variables
  • Name = HelloMsg
  • Variable Type = String
  • Scope = Custom Code
  • Default = “Hello User”

vRA131

  • In the Toolbox pane on the left hand side, drag the SetMachineProperty activity to the design surface underneath Start
  • Connect Start to SetMachineProperty by pointing to the bottom of Start and dragging a connecting Line between them

vRA132

  • Select the SetMachineProperty activity and set the following properties in the Properties pane on the right panel

vRA133

  • Click Send on the top menu
  • Click ok to the message Send Workflow to Model Manager

vRA134

  • In the success dialog box, click OK

vRA135

Assign the Building Machine Workflow to a blueprint

  • Log into https://vRA_Appliance.FQDN/shell-ui-app
  • Go to Infrastructure > Blueprints > Blueprints
  • Edit your Blueprint
  • Click Properties > New Property
  • Add 2 custom properties to the blueprint
  • Click the green tick when complete and click OK

vRA136

  • Logout and log in again
  • Go to Catalog and request your VM
  • Monitor the build in Requests
  • Once built go to Items select your machine and click the View Details tab

vRA137

  • Click the Properties tab and check the value

vRA138

n

 

 

VMware vRealize Automation 6.2.2 Configuration and Management Part 5

vRARobot

Cost Profiles

Fabric administrators can associate compute resources and physical machines with cost profiles to enable calculation of a machine’s cost. The cost is displayed to machine owners, requesters, approvers, and administrators at various points in the request and provisioning life cycle.

A cost profile includes the following values for daily cost:

â– 

Cost per GB of memory capacity specified in the virtual blueprint or installed in the physical machine

â– 

Cost per CPU specified in the virtual blueprint or installed in the physical machine

â– 

Cost per GB of storage capacity as specified in the virtual blueprint (not used for physical machines, because storage attached to physical machines is not discovered or tracked)

For finer definition of storage cost for virtual machines, you can also associate each known datastore on a compute resource with a storage cost profile. A storage cost profile contains only a daily cost per GB of storage. If you assign a storage cost profile to a datastore, this storage cost overrides the storage cost in the cost profile assigned to the compute resource.

For virtual machines, the machine cost is calculated from the cost profile and storage cost profile on the compute resource, the resources it consumes, and the daily blueprint cost. You can use the blueprint cost to represent a markup for using the machine in addition to the resources that the machine consumes, for example to account for the cost of specific software deployed with that blueprint.

For physical machines, the machine cost is calculated from the cost profile on the machine, the CPU and memory on the machine, and the daily blueprint cost. You can use the blueprint cost to represent such factors as storage cost or additional costs for using the machine.

You cannot apply cost profiles to machines provisioned on Amazon Web Services or Red Hat OpenStack. For machines provisioned on these cloud platforms, the only cost factor is the daily cost in the blueprint from which it was provisioned. The cost for vCloud Director vApps includes any cost profile and storage cost profile on the virtual datacenter and the blueprint cost.

Create a Cost Profile 

Fabric administrators can create cost profiles and associate them with compute resources to enable calculation of a machine’s cost.

  • Select Infrastructure > Compute Resources > Cost Profiles.

vRA70

  • Click New Cost Profile
  • Type new values in for each resource

vRA71

  • You can also add a Storage Cost Profile for storage of different performance capabilities such as High, Medium and Low cost storage

Using Custom Properties on Blueprints

You can modify a machine using custom properties throughout the lifecycle of the machine

  • Request
  • Provision
  • Manage
  • Retire

As an example they can modify the following

  • Specify the WIM image or PE environment image to use for install
  • Define the number of cores per socket
  • Place the machine in an OU
  • Place the machine in an inventory folder in vCenter
  • Change the network a machine is attached to
  • Update a CMDB

Custom properties can be defined for the following objects

  • Business Groups
  • Compute Resource
  • Build Profiles
  • Reservations
  • Endpoints
  • Blueprints
  • Storage

Useful Link

http://www.vmware.com/support/pubs/vcac-pubs.html

Set up Custom Properties

As an example I want to add a custom property to a blueprint which puts my machine in a specific folder in vCenter

  • Go to Infrastructure > Blueprints > Select your blueprint and click Edit
  • Click on the Properties tab

vRA77

  • Add in VMware.VirtualCenter.Folder and type in a name for the inventory folder in vCenter that you want to use which provisioned machines will go into. In my case I have called it vRA.
  • Next go to Infrastructure > Groups > Business Groups > Click edit on your business group

vRA78

  • Click New Property
  • Type in the name and value of your custom property.
  • Name = VMware.Virtual.Center.Folder
  • Value = vRA

vRA79

  • Go to Catalog and request a Virtual Machine again
  • Once deployed, check vCenter has deployed the machine to the vRA folder and not the vRM folder

vRA80

Add Location Information

  • Go to c:\Program Files (x86)\Vmware\vCAC\Server\Website\XmlData
  • Right click DataCenterLocations and click Edit
  • Copy the line with Boston in it and paste it underneath

vRA81

  • Change all instances of Bolton with a new location

vRA82

  • Save the file
  • Go back to your vRA webpage and go to Infrastructure > Blueprints > Blueprints
  • Click Edit on your Blueprint
  • Click the Display Location on request

vRA83

  • Click OK and logout
  • Log back in and go to Infrastructure > Compute Resources > Compute Resources
  • Click Edit
  • From the location menu click the location you want

vRA84

Other Custom Property Options

  • Hostname

This can be used to prompt a user to put in a hostname other than the ne defined by the machine prefix on the blueprint

  • VirtualMachine.Admin.ThinProvision

This option forces a new machine to be thin provisioned on the storage device

vRA85

Build Profiles

A build profile is a set of properties to be applied to a machine when it is provisioned. It can be used for the following

  • Determining the spec of a machine
  • Determine how the machine is provisioned
  • Determine the operations to be performed after the machine is provisioned
  • Manage information about the machine

Build Profiles are attached to Blueprints and the spec of the build profile is available to business group users who have access to the blueprints

Build Profiles are constructed from default property sets or custom properties. Default sets include

  • ActiveDirectoryCleanupPlugin
  • CitrixDesktopProperties
  • PxeProvisioningProperties
  • SysprepProperties
  • VmwareXXXXXProperties

Creating a Build Profile

  • Go to Infrastructure > Blueprints > Build Profiles

vRA86

  • Click New Build Profile
  • Add a name and description
  • From the Add from property set drop down list, select ActiveDirectoryCleanUpPlugin

vRA87

  • In the Plugin.AdMachineCleanup.UserName, click Edit and add the username of a domain admin. In my case dacmt\administrator
  • In the Plugin.AdMachineCleanup.Password, click Edit and add the password of a domain admin
  • Make sure you click the green tick to confirm the changes
  • Logout
  • Login again
  • Click Infrastructure > Blueprints > Blueprints
  • Click Edit on your Blueprint
  • Click the Properties tab
  • Select the Remove from AD Build build profile

vRA88

The Property Dictionary

The Property Dictionary can be used with custom properties to create a customised interface. You can statically or dynamically define the interface with the following data specification options

  • Data validation
  • Defined constraints on data values
  • Tooltip
  • Optional data
  • Ordered user control layouts

Using the Property Dictionary helps stop mistakes which occur when the data value of a custom property is passed into extensibility tools like Orchestrator and Powershell

When users request new machines they are prompted for these custom properties in the form of a required text box, drop down menu or buttons and more

  • Go to Infrastructure > Blueprints > Property Dictionary
  • On the Property Dictionary page, click New Property Definition

vRA89

  • Fill in the required details
  • Click required and then click the green arrow

vRA90

  • Click Edit under Property Attribute

vRA91

  • Click New Property Attribute

vRA92

  • Add in the below values

vRA93

  • Log off
  • Log on again and go to Infrastructure > Blueprints > Blueprints and edit your blueprint and select the Properties tab
  • Select New Property

vRA94

  • Type Custom.StorageTier in to the name an leave the value blank with Prompt user selected

vRA96

  • Click OK
  • Go to Catalog > Request your machine
  • Look at the new option you have on the interface for Storage Tier

vRA95

  • Note: vRA does not directly use storage tiering. You have to use custom properties and workflow modification with vSphere PowerCLI or Orchestrator

Approval Policies

Any catalog item or entitled action can be subject to an approval. The Approval Policies must first be defined by either a tenant administrator or a business group user and set as active before they appear in an entitlement

There can be multi levels of approvals with all different Boolean conditions as to how the policy can be approved across these levels.

Active and Linked approvals can only be cloned not edited

Creating an Approval Policy

  • Click the Administration tab > Users and Groups > Custom Groups
  • Search for the user or group you want to add as an approver

vRA98

  • Click Next
  • Add in the users who you want to be Appprovers

vRA99

  • Next go to Administration > Approval Policies

vRA101

  • Click Add

vRA102

  • Click OK
  • I am going to create a vCPU approval policy
  • Put in the name and set to Active

vRA103

  • Click the green plus sign next to Levels
  • Fill in the required information

vRA106

  • Click Add and Add again
  • Log out
  • Log in again
  • Click Administration > Catalog Management > Entitlements
  • Highlight your Blueprint and click Edit

vRA107

  • Click Items and Approvals
  • Click Entitled Catalog Items and Modify Policy

vRA108

  • Click the drop down menu and select your policy. Note apologies I had to recreate mine as CPU > 2

vRA109

  • Click on Catalog > Request and select your VM
  • Change the vCPUs to 4

vRA110

  • Click Submit
  • Now look at the Request tab where we should see the request sitting in the pending approval status

vRA111

  • If you click on the request and select view details, it will show you who is the approver

vRA112

  • Click on Inbox > Approvals as I am already logged in as myself as the approver

vRA113

  • Click View Details and select whether to Approve or Reject

vRA114

  • This concludes the configuration and management Part 5
  • Part 6 will go into more of the extensibility options like Advanced Service Designer and Orchestrator

 

 

VMware vRealize Automation 6.2.2 Configuration and Management Part 4

vRARobot2

Blueprints

Blueprints are used to define a machines attributes and methods of provisioning. These blueprints are then added into the Service Catalog ready for users to provision machines. There are 4 different types

  • Cloud
  • Physical
  • Virtual
  • Multimachine (New in vRA 6)

A user can request VMs if the below conditions are met

  • The Blueprint is published as a catalog item
  • The item is added to a service
  • The user is entitled to use the service

Configuring Blueprints

  • Go to Infrastructure -> Blueprints -> Blueprints

vRA40

  • Click New Blueprint > Virtual > vSphere (vCenter)

vRA41

  • Put in a name. I am going to call mine Windows2012Blueprint
  • Put in a description
  • (Optional) Select the Master check box to allow users to copy your blueprint.
  • (Optional) Select the Display location on request check box to prompt users to choose a datacenter location when they submit a machine request. This option requires additional configuration to add datacenter locations and associate compute resources with those locations
  • (Optional)Choose your reservation policy
  • Choose the machine prefix you have previously set up
  • Choose the maximum amount of VMs which can be deployed from this blueprint per user
  • Specify the number of days to archive machines provisioned from this blueprint, just keep it at 0 for now. Archive defines the number of days that an expired virtual machine remains available for activation. A zero value destroys the VM upon expiration
  • Add in any additional costs for chargeback purposes. These costs will be added to anything that is set in a cost profile. so you can add in a OS licensing cost or specific application cost for this VM

vRA45

  • Click Build Information
  • The build information tab options define the type of blueprint, the provisioning action and the associated workflow
  • In Blueprint type, the options are Server / Desktop / Hypervisor
  • In Action, the options are Create, Clone, Linked Clone and NetApp FlexClone. Using the Create option creates an empty container. The clone option creates a new machine as a full copy and the Linked Clone option deploys a space efficient copy based on snapshots and chains of delta disks

vRA46

  • Next the blueprint provisioning workflow option vary depending on what blueprint action you selected
  • Next we need to select a template to clone from

vRA51

  • Next Choose a customisation spec. A customization specification is required only if you are cloning with static IP addresses. However, you cannot perform any customizations of Windows machines without a customization specification object. For Linux clone machines, you can use a customization specification, an external script, or both to perform customizations.

vRA48

  • In Machine Resources, you can define the maximum and minimum resources that can be chosen by a user who wants to provision a VM from this blueprint.  It’s optional but you can specify maximum amounts of vCPU, RAM, and HDD space that can be assigned to this blue print which gives a user the ability to customize to their specific application
  • Next click the Properties tab
  • Additional information can be provided during the provisioning process using Custom Properties
  • Custom Properties can be used throughout the lifecycle of a machine

vRA49

  • Options for customising properties can include

Specifying the O/S to be used during provisioning

Customizing the O/S

Link for Custom Properties for Basic Workflow Blueprints 

http://pubs.vmware.com/vra-62/index.jsp#com.vmware.vra.iaas.virtual.doc/GUID-15B1491D-BECF-40DE-9F2C-315975476B3B.html

Integrating the machine with an external system

  • Click the Actions tab
  • Actions identify the operations that can be carried out on a VM provisioned from a blueprint with additional custom actions being defined in Advanced Services Designer and entitled to users

vRA50

  • Click OK to finish
  • You should now see your blueprint

vRA52

Publishing a Blueprint

  • Navigate to Infrastructure > Blueprints > Blueprints. Highlight your new blueprint and click on Publish to publish the blueprint to the vRA catalog

vRA53

  • You should now see that it is published

Service Catalog

The Service Catalog is a self service portal where users can locate the items they want to request and track requests and manage provisioned items.

Using Service Categories, catalog items can be organised into containers such as Linux, Windows or User Support

  •  Go to Administration > Catalog Management > Services. Click on the green “+” sign to add a new service.

vRA54

  • Fill in the required data and choose an icon as necessary to reflect the Service, in my case Windows

vRA55

  • You should now see your service

vRA56

  • Click on Manage Catalog Items. A catalog item must be associated with a service before it can be requested

vRA57

  • Click the green + sign

vRA58

  • Choose your catalog item. In my case the Windws2012 item

vRA59

Create an Entitlement to the catalog item

  • Go to Administration > Catalog Management > Entitlements and click on the green “+” mark

vRA60

  • Fill in your details

vRA61

  • Click Next
  • Click the green + sign next to Entitled Services and select your service

vRA62

  • Click the green + sign next to Entitled Catalog items and select your Catalog item

vRA63

  • Click the green + sign next to Entitled Actions and select your Actions

vRA64

  • Click OK and you should now see your entitlements

vRA65

Provision a machine

  • Go to the Catalog tab and check if your service is available

vRA66

  • Click Request
  • Check the details and modify the request reason
  • Remember you can only modify the resources up to the maximum set in the blueprint and sometimes these are subject to approval policies as well. (Which haven’t been covered yet)

vRA67

  • Click Submit and the VM should be provisioned in vCenter
  • Click the Requests tab to monitor the request

vRA68

  • If you log into vCenter and go to Virtual Machines and Templates, you will see that vCAC by default will place all provisioned machines into a vCenter folder named VRM.  You can override this using the custom property VMware.VirtualCenter.Folder to tell vRA where to place the provisioned machine.
  • My machine is dacv001

vRA69

  • If you click on the Items tab once the machine is provisioned, you can manage some actions which are controlled by entitlements

vRA72

Taking a snapshot

  • Click on Items
  • Click on the Owned by drop down menu and change this to “All groups I manage”
  • Click on View Details

vRA73

  • Click New Snapshot

vRA74

  • vRA allows one snapshot per machine and no age limits

VMware vRealize Automation 6.2.2 Configuration and Management Part 3

vRARobot2

Configuration and Management

So in Part 2 I set up the following

  • 1 x Windows 2012 SQL Server
  • 1 x VMware vRA 6.2.2 appliance
  • 1 x Windows 2012 Datacenter IaaS Sever
  • 1 x vCenter 5.5 server providing SSO capabilities to vRA
  • Make sure the IaaS server is patched.

Configuration Start

Setting up User accounts and tenants

  • Log into vRA by opening a web browser and typing in https://vcac-appliance-name.domain.name/shell-ui-app (The default tenant)
  • Log in using the administrator@vsphere.local SSO account
  • You should now see the following page showing the default tenant vsphere.local. Ignore the second tenant for now. It is one I set up to work with vR Business.

vRAConfig1

vRA can be a Single Tenant or Multi-Tenant application. A tenant is an organizational unit in a vRA deployment. A tenant can represent a business unit in an enterprise or a company that subscribes to cloud services from a service provider. Each tenant has it’s own dedicated configuration although some system-level config is shared across tenants.

The system administrator – administrator@vsphere.local can create additional tenants.

Each tenant has a unique URL to the vRA console where the default is

  • https://vcac-appliance-name.domain.name/shell-ui-app

while mutli-tenant resources will be given a URL such as

  • https://vra-appliance-domain-name/shell-ui-app/org/tenant-name.

The default tenant is the only tenant that supports native Active Directory authentication; all other tenants must use Active Directory over LDAP or OpenLDAP

Tenant Services

  • Non Tenanted

Non tenanted items are visible and consumable by all tenants

  • Endpoints
  • Compute Resources
  • Reservations
  • Managed machines
  • Networking
  • Machine Prefixes
  • Build profiles
  • Data Dictionary
  • Tenanted

Tenants requiring exclusive access to their own build profiles, machine prefixes and non tenanted objects may require their own vRA instance

  • Catalog
  • Approvals
  • Entitlements
  • Tenant identity store
  • Branding
  • Advanced Service Designer

In a single tenant configuration, everything is handled at the default instance. This includes system wide configurations. Tenant administrators can manage users and groups, configure tenant-specific branding, notifications, business policies, and catalog offerings. The system administrator account is always administrator@vsphere.local, while the tenant administrator must be a user in one of the tenant identity stores, such as username@mycompany.com

In a multi-tenant environment, the system administrator creates new tenants for each organization that uses the same vRA instance. Tenant users log in to the vRA console at a URL specific to their tenant. There are 2 different deployments which we will not go into further

  • Default tenant-managed multitenancy
  • Individual tenant-managed multitenancy

Configuring the default tenant

  • Highlight vSphere.local and click edit
  • Click Identity Store and click Edit

vRAConfig20

  • Test Connection and click Update
  • Add your tenant admin account and infrastructure admin account. Note I have created AD accounts which are distinguishable as these vRA accounts.

vRAConfig8

  • Click Update
  • Your default tenant is complete

Adding a second tenant

  • Click Add tenant and you will see this screen
  • As an example I am creating a developer tenant

vRAConfig2

  • Click Submit and Next
  • Click Add identity store

vRAConfig3

  • Fill in the details – example below
  • Click Test Connection

vRAConfig4

  • Click Add
  • Click Submit and Next

vRAConfig5

  • Type in the username for your Tenant Adminstrators and Infrastructure Administrators
  • Click Update
  • You will now see your Developer tenant

vRAConfig6

vRA Roles recap

  • System-wide roles

vRAConfig9a

  • Tenant Roles

vRAConfig10

  • Business Group Roles

vRAConfig11

Licensing

Before doing anything make sure you have licensed you vRA

  • Log in as your Infrastructure account
  • Go to Infrastructure > Administration > Licensing
  • Add your license and click OK

vRAConfig16

Creating an endpoint credential prior to creating an endpoint

  • Log into your vRA console using the IAAS Admin account and click on the Infrastructure tab

vRAConfig12

  • Click on Endpoints then click on Credentials > New Credentials

vRAConfig13

  • I put in my domain admin account details and clicked the green tick

vRAConfig14

Endpoints

Endpoints are the infrastructure points which are consumed by vRA. IAAS Administrators can manage endpoints and vRA uses DEMs (Distributed execution managers) or agents to communicate with these endpoints.

Endpoints can be

  • vCenter
  • Open Stack
  • vCo
  • vApp vCloud Director
  • vCloud Hybrid Service
  • SCVMM
  • Amazon EC2
  • RHELV
  • Physical machines
  • Communication with storage devices which use Netapp FlexClone technology

Endpoints

  • Next click on Endpoints > New endpoint > Virtual > vSphere (vCenter)

vRAConfig17

  • Put in a name. E.g. vCenter
  • Put in a description
  • Put in the address as https://your-vCenter-Server/sdk
  • Select the credentials
  • Click OK

vRAConfig18

  • You should now see your endpoint
  • Note: Different endpoints need the credentials being put in the correct format (user@domain or domain\user) Check the vendor documentation
  • Note: Additional configuration is necessary when configuring an endpoint for vSphere which is supported by an underlying network platform such as vCloud networking or VMware NSX

vRAConfig19

  • At this point I recommend restarting the vCloud Automation Center Agent service on the IaaS server or restarting the IaaS server altogether especially if in the next step, you find you can’t see your cluster resource like I couldn’t to start with!!

Fabric Groups

The fabric contains all the compute resources which are discovered by the end point which is then organized into fabric groups for provisioning

Fabric groups are created in a tenant but their resources are available to all userswho belong in business groups in all tenants. Large enterprises might create fabric groups to reflect physical locations and smaller enterprises might just have one fabric group

  • Navigate to Infrastructure > Group > Fabric Groups. Click on New Fabric Group on the right hand side. The IAAS Admin creates fabric groups and assigns a fabric admin

vRAConfig21

  • Enter your Fabric details and choose a compute resource
  • If you gave fabric admin to the same user you are logged in as then you need to log out and in again

vRAConfig22

  • I then go to Infrastructure > Compute Resources > Computer Resources and hover over my compute resource and select Data Collection

vRA323

  • Check the status of the Compute Resource Data Collections

vRA324

  • It’s also worth checking Infrastructure > Monitoring > Log as you can see below I had some IIS issues which I had to sort and DEO and DEM issues

vRA325

Machine Prefixes

Machine prefixes are used to create names for machines provisioned through vCloud Automation Center. Tenant administrators and business group managers select these machine prefixes and assign them to provisioned machines through blueprints and business group defaults

Fabric Admins create machine prefixes and these prefixes are shared across all tenants. Every blueprint must have a machine prefix or use a default machine prefix

  • Go to Infrastructure > Blueprints > Machine Prefixes.

vRAConfig25

  • Click on New Machine Prefix on the right hand side

vRAConfig26

  • Machine prefixes must conform with DNS with no special characters and Windows OS’s must not exceed 15 characters

Business Groups

A business group links a set of resources or services to a set of users in a department or OU and is created by the tenant admin. In order to request machines a user must be a member of a business group

  • Go to Infrastructure > Groups > Business Groups, fill in the required detail

vRAConfig27

  • Click New Business Group

vRAConfig28

  • The Business Group manager can see all the machines which have been built and manage the groups’s blueprints
  • Multiple entries must be separated with commas. For example, JoeAdmin@mycompany.com,WeiMgr@mycompany.com.
  • Support users can work for another user
  • Normal users will just be able to see blueprints in the catalog

Reservations

A reservation is a share of the CPU, Memory, storage and networking resources from a fabric group and reserved for use by a business group. No relation to vSphere relations

  • Each reservation is for one business group
  • Business groups can have multiple reservations on a single compute resource
  • Each business group can have multiple reservations on compute resources of a different type
  • Reservations may also define priorities, policies an quotas that determine machine placement

Types

  • Virtual – Allocates resources on compute resource for use by the business group
  • Physical – Set of physical machines reserved for use by a business group
  • Cloud – Provides access to the provisioning services of a cloud services account

Reservation Policies

  • A reservation can only belong to one policy
  • You can add multiple reservations to a reservation policy
  • You can assign a reservation policy to more than one blueprint
  • A blueprint can have only one reservation policy
  • Can be used for tiering

Creating a reservation

  • Go to Infrastructure > Reservations > Reservations

vRAConfig29

  • Click New Reservation > Virtual > vSphere (vCenter)
  • Select the Compute Resource and select the value you set up previously. Some values will automatically populate

vRAConfig30

  • Click the Resources tab
  • Fill in your memory reservation
  • Select the datastore(s) you want to use and the reseravtion of storage you want to use. Don’t forget to tick the green button

vRAConfig31

  • Click on Network

vRAConfig32

  • Choose your networks
  • If you choose a network profile, it can allow machines to be assigned specific addresses. The profiles must be configured with IP addresses which can be used
  • Click the Alerts tab

vRAConfig33

  • Alerts are optional and you can put in recipients and schedule how often you want reminders to be sent out

Creating Reservation Policies

  • Go to Infrastructure > Reservations > Reservation Policies

vRAConfig34

  • Click New Reservation Policy
  • Fill in the details. For example you could set up policies for High end compute, mid range compute and low end compute etc

vRAConfig35

A quick look at network profiles

  • Go to Infrastructure > Reservations > Network Profiles
  • Select New network profile

vRAConfig36

  • Fill in your details as appropriate

vRAConfig37

A quick overview of DEMs and Agents

DEMs are used for provisioning and managing machines on

  • VMware vCloud Director and VMware Hybrid Service
  • RHELv Manager
  • Microsoft System Center Virtual Machine Manager
  • Amazon Web Services
  • Physical server management interfaces (Dell/Cisco/IBM)

Agents are used for provisioning and managing machines and services on

  • Hypervisor proxy agents (vSphere, Citrix, Xen and Hyper-V)
  • External provisioning infrastructure
  • Virtual desktop infrastructures
  • WMI (Windows management instrumentation)

DEMS

Can be installed as orchestrator or worker DEMs

DEM Orchestrator

  • Monitors and manages the DEM worker status so if a worker fails the orchestrator DEM moves the workflow to another DEM worker instance
  • Schedules workflows
  • Ensures only one instance of a scheduled workflow is running at any one time
  • Generates workflow history for reporting
  • One DEM orchestrator is always the active one. It is recommended to install an additional orchestrator instance on another machine for redundancy

DEM Workers

  • DEM workers communicate with the external systems to execute workflows
  • Dem workers must be able to communicate with external firewalls
  • The minimum installation installs the required DEMs and default vSphere Proxy agent. Additional proxy agents such as Hyper V and Xen server can be installed post installation.

Checking the DEM status

  • Go to Infrastructure > Monitoring > Distributed Execution Status

vRAConfig23

Agents

vRA uses agents to integrate with the following external systems. Endpoints must be configured before the agents are started and the endpoint and agent name has to match.

Agents are installed under Program Files (x86) > VMware > vCAC > Agents > agentname with the config being stored in VRMAgent.exe.config in the same folder

Hypervisor proxy agents

  • vCenter
  • Citrix Xenserver
  • Hyper-V

Integration agents

  • External provisioning agents (Integration with Citrix Provisioning server)
  • VDI (Used to register provisioned machines with a VDI Connection Broker)
  • WMI

Setup an additional vSphere Agent (for more than 1 vCenter instance)

  • Right click on setup_vcac-va-hostname.domain.name@5480.exe and “Run as Administrator”. We have the same installer screen as before
  • Accept the EULA and click next
  • Log into your appliance with the root credentials
  • Now we want to choose Custom Install. Click on Proxy Agents. Click Next
  • Enter the username and password you plan on using as your service account to run this service.
  • Configure the agent details
  • Select vSphere from the Agent Type Drop Down
  • Type in an agent name. All agent names must be unique and there cannot be two alike.
  • Type the FQDN of the server with the Manager Service (this was a complete install done on the iaas box)
  • Type the FQDN of the server with the Manager Web Service (this was a complete install done on the iaas box)
  • Type in the complete Endpoint address as well as port.
  • Click Finish.

Thank you for following Part 3 of the vRA series. The next series will be Part 4 which will cover Blueprints and Catalog Services.

 

Installing VMware vRealize Automation 6.2.2 Part 2

vRARobot

Installing VMware vRA 6.2.2

vRA is software which provides a secure portal for authorised architects, business managers and users to request IT services through a commons service catalog. Tasks vRA can perform are

  • Provisioning of machines
  • Reclamation of machines
  • Services such as adding AD users
  • Storage as a Service

vRealize Automation Support Matrix

https://www.vmware.com/pdf/vrealize-automation-62-support-matrix.pdf

VMware vRealize Automation 6.2 Documentation Center

http://pubs.vmware.com/vra-62/index.jsp

vRA Components

  • VMware Identity Appliance – Preconfigured virtual appliance. You can alternatively use some versions of SSO provided with vSphere
  • VMware vRealize Appliance – Preconfigured virtual appliance that deploys the vRealize server
  • vRealize Automation Infrastructure as a Service – Enables the rapid modelling and provisioning of servers and desktops across virtual, physical, private, public and hybrid clouds
  • SQL server Database
  • IIS Server for IAAS

vRealize Automation Infrastructure as a Service has several components you can install in a custom configuration

  • IAAS website
  • Model Manager
  • vCloud Automation Center Manager Service
  • IAAS Database
  • Distributed Execution Managers
  • vRealize Automation Agents

Types of deployment

Click the links below for further information

Let’s get started

Installing the VMware vRealize Appliance

  • Download the .ova installer from the VMware site and I saved this to my vCenter server

vRA1

  • In vCenter click File > Deploy OVF template

vRA2

  • Select your ovf file which you downloaded

vRA3

  • Click Next and you should see the following information populate

vRA4

  • Click Next and accept the license agreement

vRA5

  • Put in a name and an inventory location

vRA6

  • Choose a storage location

vRA7

  • Choose a disk layout

vRA8

  • You will now need to add in a root password to access the device, enable SSH, set a hostname, set a gateway, DNS and IP address/subnet mask

vRA9

  • Check all the details. Note this is my lab environment

vRA10

  • Click Finish and you can now see the appliance deploying

vRA11

  • Once the appliance has finished installing open a web browser and navigate to

https://appliance-hostname.domain.name:5480/

  • Login with username ‘root’ and the password that was configured during deployment.

vRA31

  • Go to System > Time Zone and select the correct timezone

vRA33

  • Go to vRA Settings and make sure your hostname is correct and add certificate details. Note my details below are just for a self signed certificate. Type a common name for the certificate in the Common Name text box. You can use the fully qualified domain name of the virtual appliance.

vRA32

  • Go to Admin > Time settings and make sure the time is correct
  • You can use the host time if it is correct or you can use your own time server or an external time server such as 0.uk.pool,ntp.org etc
  • Time is very important in these installations and must be exact.

vRA34

  • Go to vRA Settings > SSO and configure SSO.
  • Note I am using my vCenter server as it is version 5.5 and already has SSO setup

vRA35

  • Enter your license key and you should be good to go.

vRA36

  • You can check all the services are running by logging into the appliance

vRA319

  • You can also use the below link to check. Replace the server name with your vRA appliance. You should see an xml file where you can check the status of services

https://techlabvra001.techlab.local/component-registry/services/status/current

vRA320

  • If you need to check any logs go to the catalina.out log file, located at /var/log/vmware/vcac/
  • Confirm that you can log into vCloud Automation Center console by going to https://vRA-Appliance-name.domain.name/shell-ui-app .in my case https://dacvvra001.dacmt.local/shell-ui-app. After accepting 2 SSL certs if you use self-signed certificates you will see this screen

vRA37

  • Log in using the vRA SSO username ‘administrator@vsphere.local‘ and the password that was configured to verify we can log in. if successful, we will see the vCAC home page

vRA38

Installing the IAAS Server and DB considerations

It is really important to pay attention to the pre-requisites for this part and note I am using a separate SQL DB server and a separate IAAS server

I use a script to do all the hard work/steps found below but I do double check things afterwards. Click RAW and copy into a notepad file and rename to whatever.ps1

https://github.com/vtagion/Scripts/blob/master/vRA%206.2%20PreReq%20Automation%20Script.ps1

vRA321

DB considerations

  • TCP/IP protocol enabled for SQL Server

vRA12

  • Microsoft Distributed Transaction Coordinator Service (MS DTC) enabled on all SQL nodes in the system. MS DTC is required to support database transactions and actions such as workflow creation. Start > Run > dcomcnfg
  • If you have a clustered SQL box you will see a clustered dtc – modify this the same way.

vRA13

  • No firewalls between Database Server and the Web server or IaaS Server, or ports opened as described in Port Requirements
  • If using SQL Server Express, the SQL Server Browser service must be running
  • For 6.0.x installations, the database name cannot contain a space. For 6.1 and later installations, the use of spaces in names is supported

IaaS Considerations

  • Create a service account with Local Admin rights on all IaaS components and Log on as a Service and Log on as a Batch job on all IaaS components.
  • Make sure the service account has a non expiring password or changing it can be time consuming throughout the whole vRA infrastructure.
  • Microsoft .NET Framework 4.5.1 or later
  • Microsoft PowerShell 2.0 (included with Windows Server 2008 R2 SP1 and later) or Microsoft PowerShell 3.0 on Windows Server 2012 or Windows Server 2012 R2. Execution policy must be remote signed as per below screenprint

vRA17

  • SecondaryLogOnService is running.
  • Java requirements for MSSQL, when the database is installed on the IaaS Windows server host. Note I had to use the below version. 1.8 did not work

vRA18

vRA14

  • Click New

vRA15

  • Type the following path to the Java installation directory

vRA16

Installing IAAS

Note: The database will create itself unless you want to use a customised script with your DB admin which is available on the Documentation Center

Note: Install all Windows updates

Note: I also installed Chrome on my server as it seems to work better

  • On your designated IAAS server go to the following link in your browser

https://hostname.domain.name:5480/installer

  • You should see this page
  • Click IaaS Installer below and it will download the files into the Downloads folder

vRA19

  • You should now see the software as per below
  • Right click and Run as Administrator

vRA20

  • You will see the IAAs wizard pop up
  • Click Next

vRA21

  • Accept the license agreement

vRA22

  • Put in the username and password that you used to configure the vRA appliance prior to this

vRA23

  • Choose Complete Install

vRA24

  • Make sure all the pre-requisites are fulfilled. They should all be green. If not go back and fix any issues

vRA25

  • Click Next
  • You now have to enter your user installer password and a passphrase and your database info. Make sure the account you use for your database has the correct permissions to create the DB

vRA27

  • You might get the following messages come up and you will need to follow the instructions

vRA28

vRA29

  • Click next
  • Accept all the defaults on the next page

vRA30

  • Click Next
  • Fill in all the relevant information on the Component registry screen

vRA39

  • Click Finish and wait for the installation to finish

vRA40

vRA41

vRA42

  • The next part of this series on vRA will focus on going deeper into the configuration of vRA and what we can do with this software including integration with vRealize Orchestrator and Advanced Service Designer 🙂

Important Information (Your service account password is changed)

Note: Just set password never expires on the user account basically unless a company has an absolute specific need to have a password policy which resets all passwords after a certain period of time.

You will see on the vRA appliance under services that iaas-service will be blank and no amount of rebooting will solve it!

IIS Services

  • The below vRA pools run under your service account identity. If you use a user account which has a password which expires then you will need to update all vCac services with the new password which is a pain in the backside (as I found out)
  • To reset the pools, right click on each of the 3 pools one at a time and select Advanced settings

vRA316

  • You should see this

vRA317

  • Find the account and click the radio button and click set to change the username/password

vRA318

  • You will also need to change the Windows services to run under the new password

vRA322

 

 

 

VMware vRealize Automation 6.2.2 Part 1

vRARobot

Why use vRA?

  • Increase Business Agility
  • Improve efficiency
  • Fast time to cloud value
  • Consumerization of IT

What does it do?

  • It allows IT departments to accelerate the delivery and ongoing management of custom virtual machines, applications and business relevant infrastructure to improve efficiency and streamline processes. This can sometimes take weeks or months.
  • Policy based governance and application modelling ensures IT services are delivered with the correct service levels and configuration.
  • Life-cycle management allows the control of services from start to end, maintaining operational efficiency. Release automation also allows multi tier application deployments to be maintained in sync with company policies and processes.
  • Using a unified IT self-service catalog, business users can request and manage a large range of custom services.\Administrators can use a wizard driven service designer to define request forms and automate the delivery of their services along with application and other infrastructure services.
  • vRA can integrate with other enterprise systems such as DNS, AD, IPAM, CMDBs and load balancers
  • There is also Accelerated Application Deployment for application release automation which allows integration with the automation suite.
  • It can be integrated with VMware IT Business Management Standard Edition which automatically populates cost profiles where businesses can then compare private and public cloud service offerings.
  • It can allow businesses to keep control over service provisioning and who has access to use service catalogs and processes

vRA versions

  • Standard (1000 managed machines, 2500 concurrent deployments and 10 concurrent deployments and extension to cloud support)
  • Advanced (10,000 managed machines, 2500 catalog items, 50 concurrent deployments, High availability firewall setup and configuration of network load balancers
  • Enterprise (50,000 managed machines, 2500 catalog items, 100 concurrent deployments.) Platform as a service, application delivery, service level agreements and the leveraging of disaster recovery when managing and delivering applications

Check the link below for a more detailed comparison

http://www.vmware.com/products/vrealize-automation/compare.html

vRA Primary Policies

  • Business Groups – Administrators can define a multi level grouping structure linked to AD allowing role based access in the groups
  • Resource Reservations – Virtual, physical or cloud resources can be allocated to each group. Costs and service levels can be applied to the resource reservations. A request will generate a cost to the business.
  • Service Blueprints – These define policies which will control the provisioning and ongoing management of compute and application services. Each blueprint can be unique
  • Entitlements – Merge business groups and specified users with services and policies. A variety of groups can then use the same blueprint with their own group policy rather than have a unique blueprint for each business group

vRA Roles

System Administrator

  • Installs vRA
  • Creates Tenants
  • Manages system wide configuration
  • Designates who is going to manage the infrastructure fabric

IAAS Administrator

  • Manages the discovery and organization of compute, network and storage groups
  • Manages endpoints requires to interact with resources on virtual, physical and public cloud environments
  • Configures and manages fabric groups post discovery of fabric resources. Fabric groups can be used to divide resources used by one organisation to another. Many companies will only have one fabric group however if you need to allow isolation between groups in a company or need specific tenant branding then a number of tenants can be configured.

Tenant Administrator

  • Configures vRA according to the requirements of the business
  • Responsible for user and group management
  • Tenant branding
  • Business policies such as entitlements and approvals
  • Track resource usage by all the users within the tenant and initiate reclamation requests for machines no longer being used.
  • Responsible for creating one or more business groups within the tenant group and assigning users

Business Group Administrator

  • Able to make blueprints for their business group only
  • Take the business groups that the tenant admin issues to them and create content for the business users

What is the Service Catalog?

  • Contains Service Categories which can be broken down into groups to abstract services
  • They contain the unique application, infrastructure or other services available to request and use
  • Service architects can define and publish new services from the catalog
  • The tenant administrator and the business group manager will organise the catalog
  • Contains a goal navigator which guides you through vRA administration tasks such as organizing the fabric, configuring tenants or designing and publishing blueprint information.

Catalog Management

This has 4 functions

  • Services – Examples such as Development services or Production Services
  • Catalog Items – Items such as Linux web server or hardened Windows 2012 server
  • Actions – Ability to carry out actions on a catalog item such as Destroy virtual machine, expire virtual machine, power off and restart etc
  • Entitlements – Defines which users or groups can request catalog items or perform actions

What are Blueprints?

  • A whole specification containing resource such as CPU, RAM and storage for a virtual, physical or cloud machine along with attributes and the way it is provisioned.
  • They specify the workflow associated with blueprint and additional provisioning information
  • Examples might include a Windows Server 2012 server with 4G RAM, 6 vCPUs and 40GB of storage
  • Specify policies such as lease time of the machine and what actions are able to be carried out on the provisioned service.
  • Multi machine services can be configured into a single blueprint making it extremely efficient to build a service containing a web server, database server and an application server.
  • Note: It is only through the multi-machine blueprint that you are able to configure advanced operations such as the dynamic creation of NAT, Routed and Private networks

Application Blueprints

Enables the concept of Design Once – Deploy anywhere

  • Uses a drag and drop screen to model an application blueprint
  • Logical templates, application components and scripts can be added to the application blueprint
  • Component installation order is done by creating dependency links
  • Users do not need to know the underlying infrastructure in order to create the applications
  • The type of cloud to deploy to can be selected such as vRA, vCD or Amazon AWS
  • Each application can have multiple deployment profiles if it needs to be deployed in multiple cloud providers
  • Inconsistencies, errors and rework can be reduced or eliminated
  • Blacklisting can be used to prevent applications being deployed in a particular environment.

IT Business Management

  • Relates to chargeback and making the consumer aware of the cost of infrastructure and consumption
  • ITBM makes it easier to set up and implement a charging model and also compare internal costs to public cloud vendor costs

Advanced Service Designer

ASD allows administrators to deliver additional services not covered by the out of the box functionality

  • Wizard driven approach to designing end to end functionality
  • Once built the custom service can be published in the vCloud Automation Center
  • The process can define service capabilities, user interaction and entitlements
  • Define the automated workflows for the service by using existing vCloud Orchestrator workflows and plugins along with custom scripts

Extensibility

  • Leverage existing and future infrastructure with multi-vendors, multi-cloud infrastructures (Physical, Public and Cloud)
  • Configure personalised business services. Modification of vRA policies and custom properties (metadata tags)
  • Integration with third-party management systems. Using ASD and VCO you can extend the out of the box functionaility
  • Adding new IT services and creation of new Day2 Operations allows the use of workflows and plugins to deliver the Anything as a Service
  • vRA provides a REST API which can be used to call vRA from other infrastructure applications

Configuration Management

  • Configurations tend to drift over time and third-party products can complement vRA by providing configuration management and configuration drift management
  • Puppet Labs is an example of this providing thousand of out of the box modules which can be used in vRA. These modules can describe configurations of OS, networks, storage, middleware components and applications
  • The cloud management marketplace provides these modules
  • Puppet supports environments such as hybrid clouds giving companies the flexibility to deploy any service into any environment

Distributed Execution Manager (DEMs)

  • Executes the business logic of custom models interacting with internal, external databases and systems as required.
  • DEMs can manage cloud and physical machines
  • Each DEM instance performs either a Worker or Orchestrator role

DEM Worker

  • The Worker role executes workflows

DEM Orchestrator 

  • The Orchestrator role monitors DEM Worker instances, pre-processing workflows and scheduling workflows
  • Monitors the status of DEM workers and if a worker instance stops or loses connection to the Model Manager then the workflows are resubmitted for another DEM Worker to pick up.
  • Manages scheduled workflows and starts new workflows at scheduled times
  • Ensures that one scheduled workflow is running at a given time
  • Pre processes workflows before execution checking preconditions (RunOneOnly feature) and creating the history of the workflow
  • It is recommended to have at least one redundant Orchestrator instance on a separate machine for redundancy. This 2nd instance monitors the status of the active Orchestrator and will take over if this goes offline

vRA Agents

vRA uses agents to integrate with external systems

Proxy Agents

  • vRA uses virtualization proxy agents to send commands and collect data from ESXi, Xen Server and Hyper V hosts and the VMs provisioned on them
  • These proxy agents require Admin access to the virtualisation hosts, communication with the vRA Management Service and is installed separately with its own configuration file

Integration Agents

  • VDI PowerShell agents allow vRA to integrate with external VDI systems
  • VMs can be registered with XenDesktop on a Citrix Desktop Delivery Controller and users can access the Xen Desktop Web interface from vRA for example
  • External provisioning integration PowerShell agents (EPI) allow vRA to integrate external systems into the machine provisioning workflow such as integration with Citrix Provisioning Server
  • Requires Admin access to external systems

WMI Agent

  • vRA WMI agents allows you to monitor and control system information allowing you to manage remote servers from a central location
  • Enables the collection of data from vRA managed Windows machines

Managing EndPoints

  • The Infrastructure Admin defines endpoints which are required to discover virtual, physical or public cloud infrastructure resources
  • vRA discovers and manages the underlying infrastructure through the device managers which manages those resources
  • Ongoing rediscovery happens daily
  • Can be configured via the infrastructure tab or select the fabric configuration option from the goals navigator

vCloud Hybrid Service

  • Allows companies to expand their private data centers to the cloud
  • Allows applications to run on site and offsite without interruption
  • Supports more than 3500 applications certified to run on vSphere
  • Now certified out of the box with vRA
  • Customers can use the vCloud Hybrid Service as another vCloud Director end point in vRA
  • Endpoint information includes the location and credentials required to access each vCenter instance which is stored and encrypted in the vRA repository
  • Endpoints can be defined one at a time by the management console to imported in bulk via a .csv file

NSX

  • Network virtualization allows VMs to communicate securely with each other over physical and virtual networks
  • vRA supports NSX
  • Fabric Admins can create external network profiles to define existing physical networks and create NAT, Routed and Private network profiles
  • Network templates specify items such as IP address, DNS server, DHCP server
  • Multi machine blueprints allow configuration of network adapters and load balancing
  • Multi machine blueprints allow the selection of a transport zone which identifies the vSphere endpoint. Both the blueprint and the reservations used in the provisioning must have the same transport zone settings
  • Transport zones are defined in the NSX and vCloud Networking and Security environments

vRA installation components

  • SSO (Single Sign On) capabilities
  • User interface portal
  • IAAS components

VMware Identity Appliance

  • Pre-configured virtual appliance that provides single sign on capabilities for vRA. vCenter SSO 5.5.0b can be used as an alternative

VMware VRA Appliance

  • Pre-configured virtual appliance that deploys the vRA server delivered as an OVF (Open virtualization format)
  • Deployed into the existing infrastructure
  • Postgres database
  • vCO and ASD integration

IAAS

  • Enables the efficient provisioning of servers and desktops across virtual, physical, private and hybrid clouds
  • Contains customisable components such as IAAS website, DEMs, Model Manger, Manager Services, Database and agents

Installation Minimums

Check browser compatibility along with resource minimums

SSO

  • 1 CPU
  • 2GB RAM
  • 2GB storage

vRA Appliance

  • 2 CPU
  • 8GB RAM
  • 30GB storage

IAAS Components

  • 2 CPU
  • 8GB RAM
  • 30GB storage