vRA | Electric Monk

Archive for vRA

Setting up an F5 Load Balancer v12

Instructions

On the F5 website, click trial license and download your software and request a license to be emailed to you (F5 BIG-VE-LAB-LIC)

https://f5.com/products/trials/product-trials

Download the installer (ESXi Server)

Open vCenter and select File > Deploy OVF Template

Accept License agreement
Put in a name

Check the resources

Choose the storage

Choose disk formatting options

Check network mappings
Management and Internal need to be on different networks so my machines will sit on the F5 network. I’m not worried about the oher 2 networks for now as I will use the management and the Internal only

Check details
Click Finish

Power on the appliance
Put in root as the username and default as the password
Type config and the following screen will open

Say No to automatically configured address
Put in your IP address, Subnet Mask and Gateway
You should now be able to log into the interface on https://youripaddress

The username is admin and the password is admin

You will need to activate the license which will have been emailed to you

Accept the license agreement

You should now see the below screen which shows you current resource reservations, License status and disk provisioning figures

Click Next and you will now see your device certificates screen

You will now be on the General properties screen
Add in your Hostname in FQDN format, Timezone and change the Root and Admin account password and any other details which require changing

It will ask you to Log out and in again
When you log back in you will be presented with a network screen
Click Next

Click Next on the page below

On the VLANs page put in a self IP, and subnet mask this needs to be an address on your internal network, in my case the F5 network
Put in a floating IP address on the same network
In Internal VAN configuration, select the 1.0 VLAN interface and select untagged and click Add

Interface 1.0 is the Management interface that was initialized during the deployment of the OVA and configured earlier in this document.
As mentioned earlier for the purpose of this document we will be utilizing only the Internal (Interface 1.1) Interface for load balancing
The Internal Interface or Interface 1.1 corresponds to Network Adapter 2 of our F5 appliance
You are now on the External Network Configuration screen
In External Network Configuration, Choose Select existing VLAN and select Internal
In External VLAN configuration delete anything in interfaces then add 1.2 as untagged

On the High Availability screen do the same as the above and Select existing VLAN as Internal
On the High Availability VLAN Configuration screen, delete the interface in interfaces and choose 1.3 and untagged and add

Add in the NTP Configuration. I just pointed to my domain controller.

Make sure the correct DNS Lookup Servers and DNS search Domain have been added.

Click Next, Next, Next until you get to the Finished screen

You will now be on the default F5 page and ready to set up load balancing

Setting up VMware vCenter PSCs with an F5 Load Balancer

Please see the below link to see the F5 in action 🙂

vSphere 6 Platform Services Controller HA Setups – High Availability with an F5 Load Balancer

Useful Links

http://kaloferov.com/blog/configuring-vrealize-automation-load-balancing-using-f5-big-ip/

http://networkjutsu.com/f5-big-ip-ltm-ve-home-lab/

https://downloads.f5.com/esd/ecc.sv?sw=BIG-IP&pro=big-ip_v11.x&ver=11.6.0&container=Virtual-Edition

vRA 7 Part 1 Minimal Installation of vRA7

What is vRA7?

VMware vRealize Automation 7 sets a new standard in cloud automation by radically changing how fast and easy it is to automate the delivery of IT services and thereby accelerating your time to value. This major update has a simplified architecture and includes an installation wizard, the unified blueprint model, and enhanced NSX support.

IT organizations can use VMware vRealize™ Automation to deliver services to their lines of business.

vRealize Automation provides a secure portal where authorized administrators, developers or business users can request new IT services and manage specific cloud and IT resources, while ensuring compliance with business policies. Requests for IT service, including infrastructure, applications, desktops, and many others, are processed through a common service catalog to provide a consistent user experience.

You can improve cost control by using vRealize Automation to monitor resource and capacity usage. For further cost control management, you can integrate vRealize Business Advanced or Enterprise Edition with your vRealize Automation instance to expose the cost of cloud and virtual machine resources, and help you better manage capacity, cost, and efficiency

Support Documentation

https://www.vmware.com/support/pubs/vrealize-automation-pubs.html

New Features

http://pubs.vmware.com/New Features

Support Matrix

https://www.vmware.com/pdf/vrealize-automation-70-support-matrix.pdf

Reference Architecture

http://pubs.vmware.com/vra-70/topic/com.vmware.ICbase/PDF/vrealize-automation-70-reference-architecture.pdf

Installing vRealize Automation (Minimal Install in lab)

Depending on your deployment requirements, you can install and configure vRealize Automation components by using the Installation Wizard, or manually, through the management console. With either method, you can choose to create a minimal installation, or distribute components over separate servers in a custom distributed installation, with or without load balancers.

Choose a minimal installation to deploy a proof of concept (PoC) or development environment with a basic topology. Choose an enterprise installation to deploy a production environment with the topology best suited to your organizational needs

To complete a minimal deployment, a system administrator installs the vRealize Automation appliance and Infrastructure as a Service (IaaS) components.

■	vRealize Automation appliance includes the Web console interface and support for single sign-on capabilities. It is installed as a virtual appliance.
■	Infrastructure as a Service (IaaS) is installed on a Windows Server machine.
■	The IaaS uses an SQL database that can be installed on the same machine as IaaS or on its own server.

The following figure shows the relationship and purpose of components of a minimal installation.

Step 1 DNS

vRealize Automation requires the system administrator to identify all hosts by using a fully qualified domain name (FQDN).
In a distributed deployment, all vRealize Automation components must be able to resolve each other by using a FQDN.
The Model Manager Web service, Manager Service, and Microsoft SQL Server database must also be able to resolve each other by their Windows Internet Name Service (WINS) name. You must configure the Domain Name System (DNS) to resolve these host names in your environment.
So I created an A record in DNS for my vRA7 appliance and an A record in DNS for my IaaS Server

Step 2 Check minimum hardware requirements

Your deployment must meet minimum system resources to install virtual appliances and minimum hardware requirements to install IaaS components on the Windows Server.
For operating system and high-level environment requirements, including information about supported browsers and operating systems, see the vRealize Automation Support Matrix.
The Hardware Requirements table shows the minimum configuration requirements for deployment of virtual appliances and installation of IaaS components. Appliances are preconfigured virtual machines that you add to your vCenter Server or ESXi inventory. IaaS components are installed on physical or virtual Windows 2008 R2 SP1, or Windows 2012 R2 servers. An Active Directory is considered small when there are up to 25,000 users in the OU to be synced in the ID Store configuration. An Active Directory is considered large when there are more than 25,000 users in the O

Step 3 Browser Considerations

Some restrictions exist for browser use with vRealize Automation.

■	vRealize Automation does not support Compatibility View mode for Internet Explorer 10 on Windows 7 platforms. If you are unable to log in to appliance management consoles or you receive an error on the SSO tab when using Internet Explorer 10, use the Developer Tools to set the browser mode to Internet Explorer 7.
■	Multiple browser windows and tabs are not supported. vRealize Automation supports one session per user.
■	VMware Remote Consoles provisioned on support a subset of vRealize Automation-supported browsers.

For operating system and high-level environment requirements, including information about supported browsers and operating systems, see the vRealize Automation Support Matrix

Step 4 Password requirements

The vRealize Automation administrator password cannot contain a trailing “=” character.
Verify that the adminstrator password you assign during installation does not end with an “=” character. Such passwords are accepted when you assign them, but result in errors when you perform operations such as saving endpoints

Step 5 Database requirements

The vRealize Automation administrator password cannot contain a trailing “=” character.Verify that the adminstrator password you assign during installation does not end with an “=” character. Such passwords are accepted when you assign them, but result in errors when you perform operations such as saving endpoints
If you clone an IaaS node, install MS DTC on each node after it has been cloned. When you clone a node that has MS DTC installed, its unique identifier is copied to each clone, which causes communication to fail. See Error in Manager Service Communication for further information.
The database can reside on the IaaS (Windows) server host or on a remote host.
Java-related requirements apply for databases on the IaaS (Windows) server host. They do not apply for external databases.

Step 6 IaaS Server requirements

You can use the following script to install all pre-requisites on your IaaS server but do a double check of everything first

https://github.com/vtagion/Scripts/blob/master/vRA%206.2%20PreReq%20Automation%20Script.ps1

Step 7 Port requirements

vRealize Automation uses designated ports for communication and data access.

Although vRealize Automation uses only port 443 for communication, there might be other ports open on the system.
Because open, unsecure ports can be sources of security vulnerabilities, review all open ports on your system and ensure that only the ports that are required by your business applications are open

Step 8 Certificates

vRealize Automation uses SSL certificates for secure communication among IaaS components and instances of the vRealize Automation appliance. The appliances and the Windows installation machines exchange these certificates to establish a trusted connection. You can obtain certificates from an internal or external certificate authority, or generate self-signed certificates during the deployment process for each component.

For important information about troubleshooting, supportability, and trust requirements for certificates, see the VMware knowledge base article at http://kb.vmware.com/kb/2106583.

You can update or replace certificates after deployment. For example, a certificate may expire or you may choose to use self-signed certificates during your initial deployment, but then obtain certificates from a trusted authority before going live with your vRealize Automation implementation

Step 9 Time Synchronization

A system administrator must set up accurate timekeeping as part of the vRealize Automation installation.

Installation fails if time synchronization is set up incorrectly.

Timekeeping must be consistent and synchronized across the vRealize Automation appliance and Windows servers. By using the same timekeeping method for each component, you can ensure this consistency.

For virtual machines, you can use the following methods:

■	Configuration by using Network Time Protocol (directly)
■	Configuration by using Network Time Protocol through ESXi with VMware Tools. You must have NTP set up on the ESXi.

Step 10 Deploy the vRealize Automation appliance

Note: If you have to cancel out of the wizard and when you log back in to the appliance, the wizard doesn’t automatically come up then you can do the following

ssh into the appliance and run vcac-vami installation-wizard activate
Put /#wizard.wizard at the end of the vRA portal address

Follow the instructions below

Download the vRealize Automation appliance from the VMware Web site. Click here

Optionally on the same page you can download the VMware vRealize Orchestrator appliance

Procedure

Select File > Deploy OVF Template from the vSphere client.

Browse to the vRealize Automation appliance file you downloaded and click Open.

Click Next.

Click Next on the OVF Template Details page.

Accept the license agreement and click Next.

Type a unique virtual appliance name according to the IT naming convention of your organization in the Name text box, select the datacenter and location to which you want to deploy the virtual appliance, and click Next.

Follow the prompts until the Disk Format page appears.

Verify on the Disk Format page that enough space exists to deploy the virtual appliance and click Next.

Follow the prompts to the Properties page.

The options that appear depend on your vSphere configuration.

Configure the values on the Properties page.

a	Type the root password to use when you log in to the virtual appliance console in the Enter password and Confirm password text boxes.
b	Select or uncheck the SSH service checkbox to choose whether SSH service is enabled for the appliance. This value is used to set the initial status of the SSH service in the appliance. If you are installing with the Installation Wizard, enable this before you begin the wizard. You can change this setting from the appliance management console after installation.
c	Type the fully qualified domain name of the virtual machine in the Hostname text box, even if you are using DHCP.
d	Configure the networking properties.

Click Next.

Start the host machine.

■

If Power on after deployment is available on the Ready to Complete page.

a	Select Power on after deployment and click Finish.
b	Click Close after the file finishes deploying into vCenter.
c	Wait for the machine to start. This could take up to five minutes.

■

If Power on after deployment is not available on the Ready to Complete page.

a	Click Close.
b	Power on the machine. This could take up to five minutes. Check the Remote console window

After a few moments, a success message appears.

Open a command prompt and ping the FQDN to verify that the fully qualified domain name can be resolved against the IP address of vRealize Automation appliance.

Step 11 Run the Installation Wizard for a Minimal Deployment

Open a Web browser.

Navigate to the vRealize Automation appliance management console by using its fully qualified domain name, https://vra-va-hostname.domain.name:5480/.

When the Installation Wizard appears, click Next.

Accept the End User License Agreement and click Next.

Select Minimal Deployment and Install Infrastructure as a Service on the Deployment Type screen and click Next.

Check that the prerequisites listed on the Installation Prerequisites page have been met and that the Windows servers on which you installed a Management Agent are listed.

Click the link and obtain the Management Agent software and install this agent on your IaaS server

The Mangement Agent executes work items which are issued by the VAMI. the context under whom the management agent is running executes the installer. Certificate changes can now be performed from the VAMI for infrastructure machines as well and this is handled by the management agent

The Management agent requires a direct connection to 5480 on all virtual appliances. It becomes aware of all the appliances in the system after the initial connection is established to the first VA. It is also used for log collection and telemetry etc.

The next screen will ask you for account information that has administrative rights on your IaaS Server. This account will be used to install services and additional pre-requisite software

Once the installer finishes, go back to your wizard. Notice that at the bottom of the screen you were on, there is now an IaaS Server listed. Set your NTP settings (THIS IS VERY IMPORTANT !) and click next

If needed, you can change the timekeeping method for your vRealize Automation appliance. Click Change Time Settings, if you make changes.

Click Next.

Click Run on the Run the Prerequisite Checker screen to verify that the Windows servers in your deployment are correctly configured for vRealize Automation use.

Because this step runs remotely, it can take several minutes for the step to run.

a	If a failed status is returned for a machine, click Fix to start automatic corrections or click Show Details and follow the instructions. Automatic corrections also restart
b	Click Run to rerun the checker.
c	When all statuses show success, click Next.

Proceed through the next screens, supplying the requested information to configure your deployment components, including the Web server, Manager Service, Distributed Execution Manager, vSphere proxy agent, and certificate information.

Additional information is available from the Help buttons.

DNS of the vRA appliance

SSO Password

IaaS server details

Database Information

DEM Information

Agents Information

vRealize Appliance Certificate

Web Certificate

Manager Service Certificate

Validate: Click Validate – Can take between 10 minutes and half an hour

Hopefully you should then see

A reminder to take snapshots

Read the message and click Install

The installation can take between 30 minutes and one hour

And hopefully should say completed

Update the license key

Choose Telemetry settings

Initial Content creation

Optionally, you can start an initial content workflow for a vSphere endpoint.
The process uses a local user called configurationadmin that is granted administrator rights.

A configuration admin user is created and a configuration catalog item is created in the default tenant. The

configuration admin is granted the following rights:

Approval Administrator
Catalog Administrator
IaaS Administrator
Infrastructure Architect
Tenant Administrator
XaaS Architect

What to do next

After you finish the wizard, log in to the default tenant as the configurationadmin user or as administrator.
Go to the service catalog, request the Initial Content catalog item
Complete the request form for the Initial Content workflow

Step 12 – Login using the configurationadmin account or administrator

Note you don’t have to put administrator@vsphere.local in, just administrator and your SSO password

Type https://vra-appliance-fqdn/vcac

vRealize Automation large scale deployment Part 3 IaaS Server Install

February 1, 2016 Part 3, vRA Distributed Deployment v6.2.3 No comments

vRealize Automation large scale deployment Part 2 IaaS Server Install

In a distributed installation, the system administrator can deploy multiple instances of the appliances and install IaaS components over multiple machines in the deployment environment.

This install will include the following

2 x Windows 2012 R2 Server running IaaS
2 x Windows 2012 R2 Servers running SQL 2012 in a SQL failover cluster

IP Addresses

IaaS Service Account

Step 1 – Check Pre-requisites

Make sure the server is fully patched and snapshotted prior to installation to allow easy rollback in the event of any issues

There is a great PowerShell script which will install the pre-requisites for you but it is always worth checking all the steps I’ve listed following this for your own sanity. Reboot after running the script

https://github.com/vtagion/Scripts

SQL

TCP/IP protocol enabled for SQL Server

Microsoft Distributed Transaction Coordinator Service (MS DTC) enabled on all SQL nodes and IaaS nodes in the system. MS DTC is required to support database transactions and actions such as workflow creation. Start > Run > dcomcnfg > Computer > My Computer > Distributed Transaction Coordinator > Local DTC > Properties
Note there may be a clustered DTC, in which case modify this as well

No firewalls between Database Server and the Web server or IaaS Server, or ports opened as described in Port Requirement
If using SQL Server Express, the SQL Server Browser service must be running
For 6.0.x installations, the database name cannot contain a space. For 6.1 and later installations, the use of spaces in names is supported
Log into SQL Management Studio and add Domain Admins to Logins

IaaS Pre-requisites

Configuration of Active Directory Domain Service Accounts for Local Administrators Group

Configuration of Windows Server 2012 R2 Firewall

The firewall can either be turned off or there are certain rules which need enabling as per below if it is turned on

Installation of Microsoft .NET 4.5.2 Framework
Installation of Java Runtime 64-bit Environment (jre-7u67-windows-x64.exe; required to install the database)
Note I had to use the below version. 1.8 did not work and you can use the latest 1.7 version which is jre-7u79 currently I think

Click New

Type the following path to the Java installation directory

Installation and configuration of IIS Server

You can run these commands in PowerShell

Add-WindowsFeature -Name Web-Webserver,Web-Http-Redirect,Web-Asp-Net,Web-Windows-Auth,Web-Mgmt-Console,Web-Mgmt-Compat, web-metabase

Add-WindowsFeature -Name Was, Was-config-apis, was-Net-Environment,NET-Non-HTTP-Activ

Add-WindowsFeature -Name Web-Webserver,Web-Http-Redirect,Web-Asp-Net,Web-Windows-Auth,Web-Mgmt-Console,Web-Mgmt-Compat, web-metabase

Add-WindowsFeature -Name Was, Was-config-apis, was-Net-Environment,NET-Non-HTTP-Activ

Add-WindowsFeature -Name NET-WCF-HTTP-Activation45

Enabling the Secondary Login Service. You can just start this for the installation process then it can be stopped afterwards

Configuration of the batch login access and service login
Open Local Security Policy
Modify the Log on as a batch job and Log on as a service with the account you are going to install IaaS on

Next open IIS Manager and navigate to the default website

Click on Authentication

Next click on Providers and remove NTLM and Negotiate then add Negotiate back in followed by NTLM

Next click on Advanced Settings
Change it from Off to Accept. Click on OK then change it back to Off

Do an iisreset

Next we need to register asp.net
Go to c:\Windows\Microsoft.Net\Framework64\v4.0.30319
Type aspnet_regiis -i

Do another iisreset
The following registry modification is required for the IaaS web server to include Local Security Authority host names that can be referenced in in the NTLM authentication requests for CNAME and load balancer FQDN addresses.
Open the Windows registry and browse HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0.
Right-click MSV1_0, point to New, and click Multi-String Value.
In the Name column, type BackConnectionHostNames, and press Enter.
In the Value text box, type the CNAME or DNS alias that is used for the local shares on the computer, and click OK.
Example for IaaS Web Servers: f5.ias.techlab.local

Before the installation of the IaaS components, verify system cryptography
Go to the Local Group Policy Editor, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, expand Security Options and use FIPS-compliant algorithms for encryption and hashing. Verify that signing is set to Disabled.

Next I also like to add my IaaS service account to the Local Admins group on the server or if it is the Domain Admins group then add this for lab purposes

Add REG_DWORD key DisableLoopbackCheck 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\
Add REG_DWORD key DisableStrictNameChecking 1 HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
Next I like to shutdown the server and take a snapshot at this point
Do exactly the same procedure on the second IaaS server

Note: Once DTC was enabled on both the IaaS and the remote SQL server, the installation still failed. After some searching, I found that since the IaaS server and SQL server VMs were provisioned using the same Virtual Machine template in vSphere, DTC had to be uninstalled and re-installed on one of the servers, either the IaaS server or the SQL server. To perform this task, execute the following commands from an elevated command prompt (run cmd.exe as an Administrator):

msdtc -uninstall
msdtc -install
Reconfigure settings
Reboot

Step 2 – Install certificates

You will need to refer to my other blog about creating and installing vRA IaaS certificates here if you haven’t created them already.

http://www.electricmonk.org.uk/2015/12/03/installing-vra-6-x-certificates/

Import the certificate into IIS

Step 3 – Install IaaS Website and Model Manager Data

Go to https://yourvRAserver.FQDN:5480/installer
Download the IaaS installer

Launch the installer from where you saved it and Run as Administrator

Click Next

Accept the License agreement

Put in root and your password

Choose Custom Install
Select IaaS Server

Select the Database checkbox
I have a Windows Server 2012 / SQL2012 cluster called SQLCLUSTER which was picked up when I put in my SQL server name and clicked Scan
I then unticked Use existing empty database and called it vcac

Fix any warnings which appear in the Verify Pre-requisites box

Click Check again

Click Next and click Install

Hopefully you should now see the below screen

Untick the box which says Guide me through the initial system configuration and click Finish

Installing the Primary IaaS Web and Model Manager Data Server

If you haven’t already, import the certificate you previously created. This is the PFX cert
Double click on the certificate
Choose Local Machine

Check the path to your cert file is correct
Click Next

Enter the password if you created one
Select Mark this key as exportable
Click Next

Accept the default store

Check the final box and click Finish

Add certificate into the IIS Console under Server Certificates. It may already be there. Check 443 bindings are linked to your certificate
Just double check in Local Security that System Cryptography: Use FIPS compliant algorithms is disabled

Launch the IaaS installer as Administrator again
Click Next, accept the license agreement put in the root username and password
Select Custom Install and IaaS server

Select Website and ModelManagerData checkboxes
On the Administration and Model Manager Website tab select the certificate that you previously imported
Select the Suppress certificate mismatch box

You should get a message back when you click Test Binding

Click on the Model Manager Data tab
Enter the FQDN of the vRA appliance load balanced address. In my case f5.vra.techlab.local
On SSO Default Tenant, click Load
Under certificate click Download (This is the certificate which should be pre-created from my other blog and imported into IIS
Click View Certificate and check it
Add in all the rest of the details

On the Verify pre-requisites screen, make sure everything is ticked green and fix any issues

Under Server and Account Settings put
Passwords
Passphrase
SQL Servername and Database name

You may get a message coming up about the user account needed adding to the Local Security Policy if you hadn’t added it there already
Click Install

It should start installing

And hopefully say Completed

Useful Troubleshooting info

http://www.virtualvcp.com/vmware-vrealize-automation-vcac/208-vrealize-automation-6-2-installation-and-configuration-gotchas

Installing IaaS server on the second Iaas Server

This procedure is exactly the same except as the above process. We just install the website component on the second server

Don’t forget all the pre-requisites
Don’t forget to import your certificate
Start the installer
Enter your root and password for the vRA appliance screen
Enter your details below choosing just the website component

Enter all the relevant details again

Follow the next prompts to install and finish

vRealize Automation large scale deployment Part 1 Identity and vRA appliance install

January 7, 2016 Part 1, vRA Distributed Deployment v6.2.3 No comments

vRA Distributed deployment.

This series will cover a larger distributed deployment of vRealize Automation 6.2.3

Software required

Components

Only the Identity and vRA appliances are covered in this blog. The rest will be covered in the series to follow.

1 x Identity appliance
2 x vRA appliances (Postgres Database only)
2 x IaaS servers
2 x Manager Servers
1 x Orchestrator appliance
1 x F5 Load Balancer

Important

DNS must be configured for all servers/appliances you use and test it
Whatever you use for time sync must be identical for all servers/appliances you use

F5 Load Balancer setup and information

http://kaloferov.com/blog/configuring-vrealize-automation-load-balancing-using-f5-big-ip/

Certificates

Please follow one of my other blogs for generating and importing certificates into vRA appliances and servers

http://www.electricmonk.org.uk/2015/12/03/installing-vra-6-x-certificates/

Step 1 – Deploying the Identity Appliance

In the vSphere client or web client select File > Deploy OVF Template

Check the details

Accept the license agreeement
Put in a name for the vRA Identity appliance

Choose your storage

Leave the defaults for storage

Check the details and click Finish

Note: The identity appliance cannot be clustered but can be put on a vSphere HA cluster to provide redundancy in the event of hardware failure but not in the event of the Identity appliance having an issue.
You may need to go into the vCenter console for the machine and set a root password
You will then see this screen where you can see the web browser link to log into the Identity appliance

Log into the web link

Set the time zone

Set the SSO password

It should then look like the below screenprint

Click on host settings and put in the name of the identity appliance
Make sure there is a DNS entry for the identity appliance

Click on Network then the Address tab and put in the relevant details

You will then need to reboot and relogin
Next click on SSO > SSL
Generate a certificate for now. Example below

Click on Active Directory and put in your details

It will then look like the below

Go to the Admin tab and click Admin
Tick SSH service enabled and Administrator SSH login enabled

Click on Time settings and adjust if you have a time server. I left mine on Use host time

This should now be complete.
Note: You may want to adjust the CPU and RAM depending on customer requirements
Note. It might be wise at this point to shutdown the appliance and take a snapshot

Step 2 Deploy 2 vRealize Automation Appliances

Note: Follow the below steps for each appliance

In the vSphere client or vSphere Web Client click File > Deploy OVF template

Check the details

Accept the license agreement
Put in a name

Choose your storage

Choose your storage options

Next you will need to type in the hostname, ssh enabled, IP address, subnet mask, gateway and DNS servers

Click Next and check all your details

Once this is deployed, make sure you have a DNS entry added
Log into the appliance
Change the time settings first

Click on the Network tab and select Host Settings.
Fill in your details

Reboot the appliance

Click on the vRA Host Settings
Add in your host settings – this should be your load balanced name
Import your certificate in which should have been pre-created from the instructions in my previous vRA certificate blog

Click on SSO
Put in the SSO details (The identity appliance details)
If everything is ok then you will see a certificate message

Click Save Settings and note the SSO seems to take a long time

You should see the following

You should slowly see the services begin to come up
Note: To monitor service startup run the following command:
tail -f /var/log/vcac/catalina.out

Do exactly the same process on the second appliance
Add your license in – Go to vRA Settings > Licensing

Next please go to Part 2 for the Postgres clustering of the vRA appliances

http://www.electricmonk.org.uk/2016/01/07/vrealize-automation-large-scale-deployment-part-2-clustering-the-postgres-databases-on-the-vra-appliances-v6-0-2/

Licensing Problems

I had an issue where my license suddenly became invalid which was a little bizarre as it is test non expiring one.

However I followed the steps in the below article on both appliances and it came back fine

Thanks @ vmguru 🙂

https://www.vmguru.com/2015/09/downgrade-the-vrealize-automation-license/

vRealize Automation large scale deployment Part 2 Clustering the Postgres Databases on the vRA Appliances v6.2.3

January 7, 2016 Part 2, vRA Distributed Deployment v6.2.3 One comment

Configuring the vRA Appliances

VMware vRealize Automation Center documentation recommended the utilization of an external instance of VMware vFabric Postgres when setting up a high availability (HA) environment. However, since the release of VMware vRealize Automation standalone, VMware vFabric Postgres is End Of Availability and no longer available as a standalone product. To address customers needs, VMware developed a way to utilize the database instance located in the VMware vRealize Automation appliance in a high availability (HA) mode, without having to incur additional licensing.

Useful Links

http://pubs.vmware.com/vra-62/index.jsp#com.vmware.vra.install.doc/GUID-8E631C5E-97D7-4D2B-945A-33B5DDBA452F.html

http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=2108923

Instructions Part 1

Follow the below instructions for both appliances until you get to Part 2

Shutdown both vRA appliances and snapshot in vCenter
Download the 2108923_dbCluster.zip file from the VMware Knowledge Base.
Add a 20GB disk to the primary vRA appliance and secondary appliances
Power on the primary and secondary vRA appliances
Log into both vRA_Appliance:5480 in a web browser
Log into both vRA appliances in Putty and WinSCP
Extract the tar file from the 2108923_dbCluster.zip file attached to this article to both the appliances (I created a /tmp/prostgres folder)
Using winscp copy the 2108923_dbcluster.tar file to a tmp folder on both appliances
In Putty (See screen below) extract the .tar file on both appliances
tar xvf 2108923_dbCluster.tar

type parted -l on both appliances
You should see Error: /dev/sdd: unrecognized disk label. See the bottom of the screen

Run ./configureDisk.sh /dev/sdd

At this point it is normally a good idea to snapshot both appliances as they seem to be sensitive to the password you use especially the special characters. Do not use = anywhere in the password
Run the pgClusterSetup.sh script to prepare the appliance databases for clustering
Note: In our case the db_fqdn was the Load balanced DB FQDN for the Postgres database

./pgClusterSetup.sh [-d] db_fqdn [-w] db_pass [-r] replication_password [-p]postgres_password

[-d] Database load balancer fully qualified domain name
[-w] Database password (will set password to this value)
[-r] Replication password (Optional: will use Database password if not set)
[-p] Postgres password (Optional: will use Database password if not set

cd /tmp/postgres
./pgClusterSetup.sh -d f5.db.techlab.local -w password -r password -p password

This is the end of configuration on both appliances

Instructions Part 2

Configuring the database replication on appliance B

Type su – postgres
Type cd /opt/vmware/vpostgres/current/share/
Type ./run_as_replica -h vRA_FQDN -b -W -U replicate (Note don’t copy and paste as needed typing in manually)

./run_as_replica –h Primary Appliance -b -W -U replicate
[-U] The user who will perform replication. For the purpose of this KB this user is replicate
[-W] Prompt for the password of the user performing replication
[-b] Take a base backup from the master. This option destroys the current contents of the data directory
[-h] Hostname of the master database server. Port 5432 is assumed

Enter the same password which was created previously
It should now look like the below
Type yes

Type yes

Type the password

Type yes to enable WAL archiving on the primary

It will now say shutting down and ignore the error message

Type yes to the base backup message
Note to myself really, I had an issue where I needed to run a command as root on the second vRA appliance to stop the vpostgres service (service vpostgres stop) to get the installer to finish!

Next test replication
cd /opt/vmware/vpostgres/current/share/
Type ./show_replication_status

Validate replication

Connect to the appliance with the primary (master) database using SSH.
Validate if the WAL process is running. You should see the WAL process by running this command:
ps -ef | grep wal

Validate if the master is ready for read-write connections by running these commands:

su – postgres
cd /opt/vmware/vpostgres/current/bin
./psql vcac
SELECT pg_is_in_recovery();

You see output similar to the above
Quit psql by running \q
Connect to the appliance with the replica database using SSH.
Validate if the replica is read only using these commands
su – postgres
cd /opt/vmware/vpostgres/current/bin
./psql vcac
SELECT pg_is_in_recovery();

Quit psql by running \q

Instructions Step 3

Testing Failover between the Postgres Databases. Performing a test failover (appliance A to appliance B)

Validate if the WAL process is running. You should see the WAL process by running this command:
Type ps -ef | grep wal

Connect to appliance A using SSH as root
Stop the vpostgres service by running service vpostgres stop

Connect to appliance B using SSH as root.
Promote the replica database to master as the postgres user by running these commands
su – postgres
cd /opt/vmware/vpostgres/current/share
./promote_replica_to_primary

SSH into appliance A as root.
Configure database replication as user postgres by running these commands
su – postgres
cd /opt/vmware/vpostgres/current/share/
./run_as_replica -h FQDNofServer -b -W -U replicate
Note the FQDN of the server was the second node which was been promoted to primary

Enter the replicate users password when prompted.
Type yes after verifying the thumbprint of the primary machine when prompted.
Enter the postgres users password when prompted.
Type yes when prompted with Warning: the base backup operation will replace the current contents of the data directory. Please confirm by typing yes
Do a quick check to test which machine is the primary and which is the secondary

Instructions Step 4

Perform a test failback (appliance B to appliance A)

Connect to appliance B using SSH as root.
Stop the vpostgres service by running this command:
service vpostgres stop

Connect to appliance A using SSH as root.
Promote the replicate database to master as user postgres by running these commands
su – postgres
cd /opt/vmware/vpostgres/current/share/
./promote_replica_to_primary

Connect to appliance B using SSH as root.
Configure database replication as user postgres by running these commands:
su – postgres
cd /opt/vmware/vpostgres/current/share
./run_as_replica -h FQDNofServer -b -W -U replicate
Enter the replicate users password when prompted
Type yes when prompted with:WARNING: the base backup operation will replace the current contents of the data

Validate replication

Connect to the appliance with the primary (master) database using SSH.
Validate if the WAL process is running. You should see the WAL process by running this command:
ps -ef | grep wal
Validate if the master is ready for read-write connections by running the commands below
It should say f indicating it is the master

You see output similar to the above
Quit psql by running \q
Connect to the appliance with the replica database using SSH.
Validate if the replica is read only using these commands:

Quit psql by running \q
If you now log into the VAMI page of the vRA appliances and check the database and cluster page you should see the following

Configuring monitoring of the VMware vRealize Automation appliance databases

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2127052

Installing vRA 6.x certificates

December 3, 2015 vRA Certificates 3 comments

Installing vRA certificates

This subject is a tricky one to navigate round so I have decided to try and simplify this as much as possible to get a good working procedure to carry out the replacement of certificates correctly and efficiently. The various components of VMware vRealize Automation (formerly known as VMware vCloud Automation Center) have different requirements for the certificates used for authentication

Certificates supportability matrix for vRealize Automation

Certificate trust requirements between VMware vRealize Automation components

* vRealize certificate thumbprint is stored in IaaS database during installation
** SSO certificate thumbprint is stored in IaaS database during installation
*** Application Director and Orchestrator as an external instance are optional services

Update components Certificates in the following order

Identity Appliance
vCloud Automtation vCenter Appliance
IaaS components

Step 1 Installing a Domain Certificate Authority

Note: This will normally be installed on a Domain Controller.

On Windows 2012 open Server Manager > Add Roles and Features

Click Next to accept the selections on the next 2 screens
Make sure to choose both Certification Authority & Certifications Authority Web Enrollment on the Role Service screen

Choose Enterprise or Subordinate at the setup Type page (Note I am choosing Enterprise and this is in my lab)
Assuming this is your first CA, choose Root CA at the CA Type screen
Create a new private key
In Configure cryptography for CA, choose Microsoft Software Key Storage Provider and SHA1
Configure your CA name
Set validity period for the certificate generated by this CA

Step 2 Creating vCAC Certificate templates

We now need to create a non-standard Certificate Template, which is a copy of the standard Web Server template modified to allow for export of the certificate key. In addition, the Microsoft CA will be updated to allow for Subject Alternative Names (SANs) as specified in the Attributes.

Connect to the Root CA server or Subordinate CA server via RDP.
Click Start > Run, type certtmpl.msc, and click OK. The Certificate Template Console opens.
In the middle pane, under Template Display Name, locate Web Server.
Right-click Web Server and click Duplicate Template.

You should see the Compatibility tab
Select Windows Server 2008 R2 as the Certification Authority
Select Windows 7 / Server 2008 R2 under Certificate recipient

Click the General tab.
In the Template display name field, enter VMware-SSL as the name of the new template.

Click the Request Handling tab
Ensure that the Allow private key to be exported option is selected

Select Cryptography

Click Key Attestation

Click Server

Click Security

Click Extensions

Click the Edit button
Select the Signature is proof of origin (nonrepudiation) option.
Select the Allow encryption of user data option.

Click Application Policies

Click Superseded Templates

Click Subject Name

Click Issuance Requirements

Click OK to save the template.

Step 3 – Adding a new template to certificate templates

To add a new template to certificate templates:

Connect to the Root CA server or Subordinate CA server via RDP.Note: Connect to the CA server in which you are intending to perform your certificate generation.
Click Start > Run, type certsrv.msc, and click OK. The Certificate Server console opens.
In the left pane, if collapsed, expand the node by clicking the [+] icon.
Right-click Certificate Templates and click New > Certificate Template to Issue.

Locate the VMware-SSL Certificate under the Name column.
Click OK.

A new template option is now created in your Active Directory Certificate Services node. This new template can be used in the place of Web Server for the vSphere 5.x CA certificate.

Step 4 – Checking the web enrollment page

If everything went as planned you will have a new certificate template type when submitting a CSR. If you don’t see your new template, you may not have appropriate CA rights to issue the certificate.

Navigate to https://yourcertificateserver/certsrv
You should see the template VMware-SSL available

Step 5 – Creating a certificate configuration file for the Identity appliance

Useful Link

http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=2015387

Copy the below text into a notepad file and save it as a .cfg file
Modify the relevant parts of your appliance and company details
Note you may have load balancers such as F5’s in which case you can also put the load balancer address in the subjectAltName section and the common name

[req]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS: techlabvri001, DNS: techlabvri001.techlab.local

[req_distinguished_name]
countryName = UK
stateOrProvinceName = London
localityName = Norwich
0.organizationName = Techlab
organizationalUnitName = vRA Identity
commonName = techlabvri001.techlab.local

So it should look like this for the Identity Appliance

Step 5b – Creating a certificate configuration file for the Automation appliance

Note: I have put in both my vRA appliance hostnames and my load balanced name as I am going to cluster the vRA appliances

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:techlabvra001, DNS:techlabvra001.techlab.local DNS: techlabvra002 DNS: techlabvra002.techlab.local DNS:f5.vra DNS:f5.vra.techlab.local

[ req_distinguished_name ]
countryName = UK
stateOrProvinceName = London
localityName = Norwich
0.organizationName = Techlab
organizationalUnitName = vRA Appliance
commonName = f5.vra.techlab.local

Step 6 Update components certificates in the following order:

Identity Appliance
vCloud Automation vCenter Appliance
IaaS components

Step 7 – Installing OpenSSL version 0.9.8.

Use the following steps to install OpenSSL, which will be used to request the required certificates.

Important: Ensure that you are using OpenSSL version 0.9.8. If you do not use this version, the SSL implementation will fail.

Ensure that the Microsoft Visual C++ 2008 Redistributable Package (x86) is installed on the system on which you want to generate the requests. To download the package, see the Microsoft Download Center
Download the Shining Light Productions installer for OpenSSL x86 version 0.98r or later on the link below http://www.slproweb.com/products/Win32OpenSSL.html. This software was developed by the OpenSSL Project
Launch the installer, proceed through the installation, and make a note of the appropriate directory for later use. By default, it is located at c:\OpenSSL-Win32.

Step 8 – Generating certificates for the vRA Identity Appliance and the vRA Appliance

Make sure you have your identity appliance and vra appliance config files in a folder (You will need to change the paths highlighted in blue to your own folder)
Open cmd.exe and change directory to c:\OpenSSL\bin
Run the following commands

Identity

openssl req -new -nodes -out F:\Software\vracerts\techlabvri001\rui.csr -keyout F:\Software\vracerts\techlabvri001\rui-orig.key -config F:\Software\vracerts\techlabvri001\vritemplate.cfg

vRA Appliance

openssl req -new -nodes -out F:\Software\vracerts\techlabvra001\rui.csr -keyout F:\Software\vracerts\techlabvra001\rui-orig.key -config F:\Software\vracerts\techlabvra001\vratemplate.cfg

Step 9 Convert the keys to the appropriate RSA format required by the appliances

Identity

openssl rsa -in F:\Software\vracerts\techlabvri001\rui-orig.key -out F:\Software\vracerts\techlabvri001\rui.key

Appliance

openssl rsa -in F:\Software\vracerts\techlabvra001\rui-orig.key -out F:\Software\vracerts\techlabvra001\rui.key

Logon to the Microsoft CA Web Interface (https://ca-server/CertSrv)
Click on the Request Certificate > Advanced Certificate Request

Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
Open the rui.csr file for the vCAC Identity Appliance and then copy and paste the contents into the Base-64-encoded certificate request field.

Ensure you select the correctly configured Certificate Template

Click “Submit” to submit the request.
Select the “Base64 encoded” option on the Certificate Issued screen.

Click the “Download Certificate” link and save as rui.crt in the same location as your config file and CSR.

Repeat the above process for the vRA Appliance Certificate Request.
Next go back to https://techlabadc001.techlab.local/certsrv/
Click on “Download a CA certificate, certificate chain or CRL”.

Select the “Base64 encoded” option.
Click the “Download a CA Certificate Chain” link.

Save the certificate chain as cachain.p7b in your desired location
Double click the cachain.p7b file and navigate to yourlocation\cachain.p7b > Certificates

Right click the root certificate and select “All Actions > Export” and then click Next.

Select Base64-encoded X.509 (.CER) and click Next.

Save the export to your location/root64.cer and click Next.

Converting the Certificates to PEM Format

Launch a command prompt and navigate to your OpenSSL directory. By default this is located in c:\OpenSSL\bin
Run the following commands (replacing the path with your desired location) to convert the certificates to the format expected of the Virtual Appliances.

Identity

openssl pkcs12 -export -in F:\Software\vracerts\techlabvri001\rui.crt -inkey F:\Software\vracerts\techlabvri001\rui.key -certfile F:\Software\vracerts\Root64.cer -name “rui” -passout pass:testpassword -out F:\Software\vracerts\techlabvri001\rui.pfx

You should then see your pfx file in the Identity appliance folder

vRA Appliance

openssl pkcs12 -export -in F:\Software\vracerts\techlabvra001\rui.crt -inkey F:\Software\vracerts\techlabvra001\rui.key -certfile F:\Software\vracerts\Root64.cer -name “rui” -passout pass:testpassword -out F:\Software\vracerts\techlabvra001\rui.pfx

You should then see your pfx file in the vRA appliance folder

Next type the following commands

Identity

openssl pkcs12 -in F:\Software\vracerts\techlabvri001\rui.pfx -inkey F:\Software\vracerts\techlabvri001\rui.key -out F:\Software\vracerts\techlabvri001\rui.pem -nodes

You should now see the pem file

vRA Appliance

openssl pkcs12 -in F:\Software\vracerts\techlabvra001\rui.pfx -inkey F:\Software\vracerts\techlabvra001\rui.key -out F:\Software\vracerts\techlabvra001\rui.pem -nodes

You should now see the pem file

Note:

All of the above instructions worked for me but if the above command does not work to issue the PEM then try the below commands instead for vRA 6.2.

Someone reported that the pem creation syntax above seems to give the error “unable to create keystore” when installing the cert in the identity appliance in vRA 6.2.

These commands are listed in the vRA 6.2 document at

VMware vRealize Automation Center 6.2

openssl pkcs12 -in C:\certs\identity\rui.pfx -clcerts -nokeys -out C:\certs\identity\rui.pem

openssl pkcs12 -in C:\certs\vcaca\rui.pfx -clcerts -nokeys -out C:\certs\vcaca\rui.pem

Importing the Certificate to your Identity Appliance

Login to your identity appliance on https://vCAC.ID.FQDN:5480
In my case https://techlabvri001.techlab.local:5480/
Click on the SSO tab.
Click on the SSL tab.

In the “Choose Option” field, click the drop down and select Import PEM encoded certificate.
Open the rui.key file for your vCAC ID appliance in a text editor.
Copy and paste the contents into the “RSA Private Key” field.

Open the rui.pem file for your vRA Identity appliance in a text editor.
Copy and paste the contents into the “Certificate” field.
Note: It is really important that it looks like the below certificate. if you get any random lines other than these, you need to remove them or it will not work

Enter testpassword into the “Pass Phrase” field.

Click the “Replace Certificate” button
You should now see the certificate imported

Importing the Certificate to your vRA Appliances

Note: Do this on both appliances!

Login to https://vRA.FQDN:5480
Click on the vRA Settings tab > Host Settings > SSL Configuration
In the “Choose Option” field, click the drop down and select Import PEM encoded certificate.
Open the rui.key file for your vRA ID appliance in a text editor.
Copy and paste the contents into the “RSA Private Key” field.
Open the rui.pem file for you vRA ID appliance in a text editor.
Copy and past the contents into the “Certificate” field.
Enter testpassword into the “Pass Phrase” field.
Click the “Replace Certificate” button.

NOTE: If you are replacing the certificates after having registered the vRA VA against the vRA ID VA you will need to re-enter the SSO settings on the vCAC Server to ensure that communications between the VAs are trusted.

1. Login to https://vRA.FQDN:5480
2. Click on the vRA Settings tab then under Host Settings
3. Click on the SSO tab.
4. Re-enter the SSO Admin User and SSO Admin Password details and then click “Save Settings”.

Not performing this step will result in an error as shown below.

You should now see it is successful

IaaS and Manager certificates

The order of operation is to first generate a PKCS12 formatted certificate. After a certificate is in PKCS12 format, it can be converted to PEM encoding and a DER encoded certificate can be generated from that PEM. In addition, an unencrypted key can be extracted from the PEM certificate

First I generated a new certificate template called vratemplate.cfg
I put in my 2 IaaS servers and the load balancer name in shorthand and FQDN.

Open cmd.exe as Administrator and navigate to the c:\OpenSSL\bin directory

Run the following command replacing the highlighted parts with your own paths
openssl req -new -nodes -out C:\vracerts\techlabias001\techlabias001.csr -keyout C:\vracerts\techlabias001\techlabias001.key -config C:\vracerts\techlabias001\vratemplate.cfg

You should see the following keys created

Run the following command in OpenSSL to convert the keys to the RSA format required by the appliances
openssl rsa -in C:\vracerts\techlabias001\techlabias001.key -out C:\vracerts\techlabias001\techlabias001.key

Next go back to the certificate request home page
Click Request a certificate

Select Advanced certificate request

Click Submit a certificate Request by using a base- 64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

Open the .csr file and copy the request into the box
Make sure you select your VMware-SSL certificate

Click Submit
Click on Download certificate and Base 64 encoded
Save this certificate in your certificate folder. I named it techlabias001

You will now see your certificate

In the same page click on Download certificate chain

Save the certificate as cachain.p7b

Double click on this file and open it in the certificates console

Export the root file

Select Base 64 encoded

Save the file as root64.cer
You will see it as per below in your folder

Go back to OpenSSL and run the command to convert the certificates to PKCS format
openssl pkcs12 -export -in C:\vracerts\techlabias001\techlabias001.crt -inkey C:\vracerts\techlabias001\techlabias001.key -certfile C:\vracerts\techlabias001\root64.cer -name techlabias001 -passout pass:testpassword -out C:\vracerts\techlabias001\techlabias001.pfx

You will now see your .pfx file in the folder

Next we need to import the CA issued certificate for the IaaS web server.
On the IaaS server, open the IIS Manager console.
Navigate to your Server instance, and open Server Certificates.
Select “Import” in the top right hand corner.
In File name, browse and select the PKCS file with the .pfx extension that represents the CA issued certificate for IaaS web server.
Type the password testpassword
Accept the default Place all certificates in the following store.
You should now see the imported certificate in your list
Navigate to your Default Web Site (the vCAC website) and select “Bindings”.
Select “https” and click “Edit”.
Click the SSL Certificate drop down and select your certificate, then click OK.

Note: The below information doesn’t need to be done. It’s just information I put here to remind me to look at in relation to replacing certificates

Register the new Certificate with the vCAC Appliance

Browse to c:\Program Files (x86)\VMware\vCAC\Server\Model Manager Data\cafe
Note: CAFE stands for Cloud Automation Framework Extensibility. Just in case you were wondering
Register the new certificates on your IaaS Server to the vCAC Appliance with the following set of commands:

vcac-config RegisterEndpoint –EndpointAddress https://techlabias001.techalab.local/vcac –Endpoint ui -v

vcac-config RegisterEndpoint –EndpointAddress https://techlabias001.techalab.local/vcac/SslCallback.aspx –Endpoint ssl -v

vcac-config RegisterEndpoint –EndpointAddress https://techlabias001.techalab.local/Repository –Endpoint repo -v

vcac-config RegisterEndpoint –EndpointAddress https://techlabias001.techalab.local/WAPI –Endpoint wapi -v

vcac-config RegisterEndpoint –EndpointAddress https://techlabias001.techalab.local/WAPI/api/status –Endpoint status -v

Now you need to follow the exact same steps to generate the manager certificate

VMware vRealize Automation 6.2.2 Monitoring and Reclamation Part 7

December 3, 2015 Part 7 No comments

Monitoring and Reclamation

In vRA we need to know what to do when we need to identify and reclaim unused or underused resources and put in an automated solution to manage these.

Reclamation stages

Identify

Through endpoint discovery and data collection, vRA creates list of machines and their characteristics. Using filtering capabilities, administrators can identify machines for reclamation which could be machines which have been powered off, machines that average low usage and machines where the users have left or been disabled in AD

Verify

After machines are identified, they are validated before being reclaimed. vRA use workflows to assist customers with the process along with approval processes

Reclaim

Once machines are identified for reclamation, vRA goes through the process of reclaiming. Some machines may need to be archived before being removed completely.

Improve

Reclamation is designed to improve efficiency and use. Reporting and cost savings are used to manage machines in order to track and monitor environments

Where is Reclamation in vRA?

Tenant Administrators perform reclamation tasks

Go to Administration > Tenant Machines > Reclamations
The below page appears

The tenant administrator can search for underused machines by CPU, memory, disk, network use or idle machines (Idle meaning a machine which is powered on but with no statistics)

Thresholds

Reclamation Requests and Notifications

The tenant administrator submits a reclamation request specifying the lease length and reason for the request which can then be monitored

Go to Administration > Tenant Machines > Reclamations
Select the machine you want to use
Click Reclaim Virtual machines

The next screen has 3 options
New lease length (A new amount of lease time is assigned to the machine where if the owner does not respond to the lease request, the machine is powered off an destroyed, if no archive period was set in the blueprint)
Wait before forcing lease (days) (This is the time within which the owner of a machine must respond to prevent a new lease from being applied to the machine)
Reason for request

If an archive period was set, the machine is expired and cannot be powered on until the lease is reset
If the lease is not reset at the end of the archive period, the machine is destroyed and the resources are reclaimed
Go to the Inbox of the owner. As this is me, I just click Home > My Inbox and I can see the reclamation request which has come in to me

Click on this request and select an option
One of 3 actions can be taken on a reclamation request
The machine owner can select Release for reclamation where the machine is reclaimed and immediately destroyed if no archival period was specified in the blueprint
The machine can select item in use. No action is taken and the administrator is notified that the machine should still be used
The machine owner can take no action. In this case the machine is assigned a new lease based on the reclamation request. If the owner does not respond, it is powered off and destroyed if no archival period was set. During the archival period, the machine cannot be powered on until the lease is reset

There are 3 states of reclamation requests

Pending (Request submitted to the machine owner)
Approved (The machine owner has released the machine for reclamation)
Rejected (The machine owner has responded that the machine is still in use)

Machine Leases

These are the time periods given to a machine which determine how long they should be active for. Machine leases are used by tenant admins and business group managers

Leases can be assigned to blueprints
Leases can be assigned to a machine after it is provisioned
Leases can be changed after a machine is provisioned
if a lease is not assigned then the machine does not have an expiration date
Multimachines have one lease date which is applied to all machines in the service

Home Page Portlets

Tenant Administrators can monitor and report reclamation savings by adding portlets to the home page

Log into https://vRA_Apppliance.FQDN/shell-ui-app
Click Home and at the right side of the screen, click the pencil icon and select Add Portlets

Choose the portlets you want
They can then be dragged and re-arranged on your home page

Users can add portlets but if they don’t have permissions then no data will appear

You can also export data as a .csv file

VMware vRealize Automation 6.2.2 Extensibility, Orchestrator and ASD Part 6

December 1, 2015 Part 6 2 comments

Extensibility

There are several challenges involved with automating self service provisioning to enforce governance, minimise user input and provide audit and accounting functionality. vRA can be transformed by using extensibility products such as Advanced Service Designer and VMware vCenter Orchestrator

vCenter Orchestrator

Library of workflows and plug-ins which include VMware and partner developed solutions which facilitate integration with existing tools and infrastructure
Orchestrator comes built in with vRA or an external Orchestrator server can be used in place of the built in server
Blueprints can be created from vCenter Orchestrator workflows and published as catalog items
Includes an API which allows an external ecosystem of partners to develop reusuable plugins.
Using cluster mode configuration, a collection of Orchestrator nodes can work together and share a common database
The extended REST API allows automatic configuration and installation of the necessary vCenter Orchestrator nodes
The extended REST API also provides dynamic scale up and scale down of the orchestration capacity when Orchestrator is used with an external load balancer
Fully equipped with a workflow debugger

Advanced Service Designer

Service Architects can create and publish advanced services to the service catalog. Using the capabilities of ASD, custom resources can be created and mapped to vCenter Orchestrator types and defined as items to be provisioned and managed.
Allows administrators to add custom logic to any of the 10 built in IAAS customisable workflows
IAAS workflows are created using MS Windows Workflow Foundation which is a part of .NET Framework 4
vRA also contains 6 state change workflow templates that can be edited to contain custom logic. These can call out to vRA for bidirectional integration with external management systems
You can create up to 4 custom menus
Provides a visual workflow editor for customising IAAS workflows

Use cases for extensibility

Leverage existing infrastructure and future infrastructure (Multivendor and Multicloud)
Configure personalised business relevant services by using custom properties or metadata tags
Integration with 3rd party management systems (CMDB, iPAM, Load Balancers and Service Desk apps)
ASD is a new feature in vRA 6. Administrators can leverage vCenter Orchestrator workflows and plugins and create new Day 2 operations as custom services
vRA provides a RESTful API which can be used to call vRA application and infrastructure services from third party or custom applications

Plugins

Available plugins can be found at http://solutionexchange.vmware.com

Custom Services

The following are examples of what can be done

New employee onboarding
E-mail box setup
Storage and networking services
Backup and recovery
Security and compliance
Software install/update
Password management

Cloud Util

CloudUtil is a command line interface to Model Manager. It enables admins to install, configure and update entities in the Model Manager. It also

Creates and manages skills
Stores and manages files
Installs custom machine operations

With a vRA Development Kit License, additional functionalities are available such as

Installing and managing custom workflows and models created in MS Visual Studio
Install custom models and supporting assemblies
Generate client classes for a custom model
Install custom events and schedules used to trigger workflows
Install new workflows

The ASD Console

The Toolbox pane

The Toolbox pane provides access to the vRA workflow activity library where activities for using PowerShell and vCenter Orchestrator integrate vRA with external systems. Common activities used in workflows include

InvokeRepositoryWorkflow = Executes a workflow installed in Model Manager
GetMachineName = Gets a machine’s name
GetMachineOwner = Gets a machine’s owner
GetMachineProperties = Gets the list of custom properties associated with a machine
GetScriptFromName = Get’s contents of the script stored in the Model Manager under the specified name
InvokePowerShell = Executes a PowerShell command
InvokeSshCommand = Executes an SSH command
LogMachineEvent = Logs a machine event to the user log that is visible to the machine owner
RunProcess = Exceutes a process on the same machine as the DEM that executes this activity
SendEmail = Sends an email to the given set of addresses
SetMachineProperty = Creates or updates a custom property on the machine
InvokeVcoWorkflow = Calls a vCenter Orchestrator workflow and blocks further execution of its parent vRA workflow until the vCenter Orchestrator workflow completes
InvokeVcoWorkflowAsync = Calls a vCenter Orchestrator workflow and continues to execute activities in vRA without waiting for the vCenter Orchestrator workflow to complete

Extending built in Workflows using Workflow templates

Using ASD, the 10 out of the box workflow templates can be modified to implement custom logic. 6 of these are State change templates and 4 are menu operation workflow templates

The 6 State Change Templates

Each of these 6 state change templates ma to a specific state of the machine lifecycle. They can be modified and then referenced against a blueprint so the customisation can be applied to a machine derived from that template. As an example all machines might require a custom name derived from a naming convention. Using the WFStubBuildingMachine workflow template could meet this criteria

The 4 Menu Operation Workflow Templates

These 4 templates can be used to implement 4 custom menus with their own functionality. Menu operation workflows are implemented when a user selects a menu from the vRA console. An example could be a menu that enables a user to backup a machine

Defining variables

Defining variables is a critical step in the extensibility process. Information must be defined that is required for the workflow and is the source of that information.

For example. The MyScriptText variable is a string and is used to identify the custom code to be loaded from the PowerShell script which is loaded into Model Manager

Adding State Change Workflow Template to a Blueprint

Go to Infrastructure > Blueprints > Blueprints > Edit your Blueprint
Select Properties
Select New Property

Workflow Versioning

You can always revert back to previous versions of a workflow stub by loading the version you want and sending it back. You don’t overwrite the existing version as it created a more recent version which becomes the default version. The Model Manager might store and display multiple versions of a workflow but the DEMs always execute the most recent version of a workflow and not earlier versions

Working with a vCenter Orchestrator Workflow

Workflows can be called synchronously or asynchronously. Some workflows require user interaction and the prompt appears in the vCenter Orchestrator client rather than vRA. To avoid this don’t use workflows which require user interaction from vRA

Synchronous

The InvokeVcoWorkflow calls a vCenter Orchestrator workflow and blocks further execution of it’s parent vRA workflow until the vCenter Orchestrator workflow completes

Asynchronous

The InvokeVcoWorkflowAsync calls a The InvokeVcoWorkflow workflow and continues to execute activities in the vRA workflow without waiting for the vCenter Orchestrator workflow to complete

vCenter Orchestrator as an endpoint

vRA must be defined as an endpoint to use vCenter Orchestrator

Workflows are built mainly by using existing building blocks

Workflows
Actions
Resource Elements
Predefined scriptable tasks

There are more than 200 ready to use workflows included with vCenter Orchestrator

vCenter Orchestrator integration techniques

Create a vCenter Orchestrator endpoint in vRA

Using an endpoint, vRA can invoke vCenter Orchestrator workflows

At least one vCenter Orchestrator endpoint is required

Each endpoint must have a unique priority

Install vRA plug-in into vCenter Orchestrator

Using a plug-in, vCenter Orchestrator can manage vRA entities

A plug-in automates the configuration of vRA IAAS workflows

A plug-in includes many predefined workflows

Configure an embedded vCenter Orchestrator

vRA includes a built in version of Orchestrator which can be used for running workflows in additional to separate external Orchestrator services

Putty into the vRA appliance (where the embedded Orchestrator is)
First start the vco-server service
Type service vco-server start

Next start the vco-configurator service by logging into the vRA appliance via Putty and typing service vco-configurator start

Navigate to https://your-VA-appliance:8281/vco

If you have an issue accessing the Orchestrator webpages, you can check in vRA whether then Orchestrator service is connected by clicking Test Connection

If you experience connection issues you can also type vcac-vami vco-service-reconfigure in the vRA appliance putty page
If you encounter a Diffie Hellman error please google for fixes
Type https://your-vRA-appliance:8281
You should see this page. Click Start Orchestrator client

You should see a few prompts such as below from Java

You should now see the Orchestrator application

In order to configure Orchestrator type in https://your-vRA-server:8283/vco-config/ to access the appliance configuration

The default username and password is vmware and vmware
You will be prompted to change it
Password must have an uppercase letter and a special character

You should now be logged into Orchestrator configuration webpage
Have a click through the configuration options
I clicked on Network and changed the IP address from 0.0.0.0 to my vRA appliance address

You need to add the vCenter certificate in to the SSL Trust Manager. You will also need to add the Platform Services Controller if you use this with vSphere 6

You need to add your IAAS Server with the FQDN and add the vRA appliance if this is not here but mine already was. (if it is embedded and not external)

You should see your certificates

Next go back and log into your vRA appliance https://vRA_Appliance.FQDN/shell-ui-app
Go to Infrastructure > Endpoints > Credentials > Add new credentials

Put in vCO as the Name
Put in administrator@vsphere.local as the username
Put in the password

Go to Endpoints > New Endpoint > Orchestration > vCenter Orchestrator

Fill in the details

Install the vSphere Orchestrator Client

Go to https://vRA_Appliance.FQDN:8281/vco
Click Start Orchestrator client

I got an error saying Windows cannot open .jnlp files so I had to select open with then navigate to my java folder and choose javaws
Whatever you do don’t update from version 1.7 to 1.8 or things will break
You should then see the below 2 screens

You should then see the logon screen for vCO appear

A certificate warning will appear

vCenter Orchestrator will now open

Click Administer

Expand VCAC and Active Directory in the Inventory section. You should see these are empty although there may already be something in vCloud Automation Center

Select Run
Go to Workflows
Go to Library > Microsoft > Active Directory > Configuration > Configure Active Directory

Click Start Workflow
Put in the following details

Click Use a Shared Session
Put in your credentials

Next in the same Workflow screen, navigate to Library > vCloud Automation Center > Configuration > Add the IAAS host of a vCAC host

Right click on Add the IaaS host of a vCAC host and select Start Workflow

Click Next

Click Next

Click Next

Click Submit
You should see a green tick and confirmation in the events screen on the right that everything has started

Configuring the vRA workflows templates from vCenter Orchestrator

In Orchestrator, navigate to the below menu in Workflow view

Right click Install vCO customization and select Start Workflow
In the Install vCO customization dialog box choose Not Set and select your vRA server

Click Next

Click Next

Click Submit

If you now go back to the ASD and click Load, you will see the new versions of the state change templates (Note you may need to install ASD first, in which case there are instructions further down this post)

Configuring a state change workflow from vCenter Orchestrator

Go to https://vRA_Appliance.FQDN/shell-ui-app
Go to Infrastructure > Blueprints > Blueprints > Edit your Blueprint
If any custom properties are attached to the blueprint then remove them
Next log into vCenter Orchestrator > Library > vCloud Automation Center > Infrastructure Administration > Extensibility

Right click Assign a state change workflow to a blueprint and select Start Workflow
Click Not set and chose the VRA server

Click the Array field

Click Insert Value

Expand down until you can see your Blueprint

Click Add
Click Select

Click Accept > Next
Click on Workflow template

Type Tools into filter > Select Mount tools installer

Click Select
Select Submit

Go to https://vRA_Appliance.FQDN/shell-ui-app
Click Infrastructure > Blueprints > Blueprints and edit your blueprint
Click Properties
Review the settings. You can see that Orchestrator added the new required custom property

You can then go through the process of requesting a VM and seeing if it has indeed mounted the CD Drive

Installing the ASD

Go to https://vRA_Appliance.FQDN:5480/installer
Click vRealize Automation Designer

On the Welcome Page click Next

Accept the License agreement

Check the location for the install is correct and click Next

Put in the IAAS server FQDN. In my case it is dacvtst003.dacmt.local
Put in a username and password

Click Install

Configuring ASD Endpoints for VMware vCenter Server

Log into https://VRA_Appliance.FQDN/shell-ui-app
Go to Administration > Users and Groups > Custom Groups
Add an AD group and add to Service Architects

Click Next

Next go to Administration > Orchestrator Configuration > Endpoints
Click Add

Choose Active Directory from the drop down menu

Type a name. I’ve just called mine Active Directory

Type in the details

Next add an endpoint for vCenter

Put in a name

Fill in all details

Add a user and password

You should now see your 2 endpoints

Log out of vRA and you may need to log out of the server and back in again. As you can see below this will add the Advanced Service Designer tab to vRA

Create and publish a service to change an AD Users password

Log into https://VRA_Appliance.FQDN/shell-ui-app
Click the Advanced Services tab
Select Service Blueprints
Click the + sign next to Service Blueprints

Expand Library > Microsoft > Active Directory > User
Click Next

Click Next

Click the pencil icon to bring up the edit box and change the name to user and the type to search

Click Submit
Click Next

Click Add
In the list of Service Blueprints select Action > Publish

Go to Administration > Catalog Management > Services

Add a name for the password service and set to active

Select Catalog Items
Select your service and select Configure

On the Service drop down, select User Password Support or whatever you have named your service

Click Update
Now select Entitlements from the left hand menu and click Add

Put in a name and set to active and add the relevant users and groups

Click Next
Click Entitled Services and add your service

Log out and in again and check that when you click on the catalog tab that you see the Change a user password service

Looking further into Advanced Service Designer

On the desktop, click vRealize Automation Designer
On the vRA Automation Designer ribbon, click Load

You will get the following box

Select the WFStubBuildingMachine workflow stub. If multiple versions exist, select the revision 0 version

You should see the below screen

In the Try area, double click the Building Machine activity

Double click the Custom Code activity as highlighted above

At the bottom of the design surface in the middle pane, click Variables and click Create Variable

Add the following variables
Name = HelloMsg
Variable Type = String
Scope = Custom Code
Default = “Hello User”

In the Toolbox pane on the left hand side, drag the SetMachineProperty activity to the design surface underneath Start
Connect Start to SetMachineProperty by pointing to the bottom of Start and dragging a connecting Line between them

Select the SetMachineProperty activity and set the following properties in the Properties pane on the right panel

Click Send on the top menu
Click ok to the message Send Workflow to Model Manager

In the success dialog box, click OK

Assign the Building Machine Workflow to a blueprint

Log into https://vRA_Appliance.FQDN/shell-ui-app
Go to Infrastructure > Blueprints > Blueprints
Edit your Blueprint
Click Properties > New Property
Add 2 custom properties to the blueprint
Click the green tick when complete and click OK

Logout and log in again
Go to Catalog and request your VM
Monitor the build in Requests
Once built go to Items select your machine and click the View Details tab

Click the Properties tab and check the value

VMware vRealize Automation 6.2.2 Configuration and Management Part 5

November 6, 2015 Part 5, vRA Small Deployment v6.2.3 No comments

Cost Profiles

Fabric administrators can associate compute resources and physical machines with cost profiles to enable calculation of a machine’s cost. The cost is displayed to machine owners, requesters, approvers, and administrators at various points in the request and provisioning life cycle.

A cost profile includes the following values for daily cost:

■	Cost per GB of memory capacity specified in the virtual blueprint or installed in the physical machine
■	Cost per CPU specified in the virtual blueprint or installed in the physical machine
■	Cost per GB of storage capacity as specified in the virtual blueprint (not used for physical machines, because storage attached to physical machines is not discovered or tracked)

For finer definition of storage cost for virtual machines, you can also associate each known datastore on a compute resource with a storage cost profile. A storage cost profile contains only a daily cost per GB of storage. If you assign a storage cost profile to a datastore, this storage cost overrides the storage cost in the cost profile assigned to the compute resource.

For virtual machines, the machine cost is calculated from the cost profile and storage cost profile on the compute resource, the resources it consumes, and the daily blueprint cost. You can use the blueprint cost to represent a markup for using the machine in addition to the resources that the machine consumes, for example to account for the cost of specific software deployed with that blueprint.

For physical machines, the machine cost is calculated from the cost profile on the machine, the CPU and memory on the machine, and the daily blueprint cost. You can use the blueprint cost to represent such factors as storage cost or additional costs for using the machine.

You cannot apply cost profiles to machines provisioned on Amazon Web Services or Red Hat OpenStack. For machines provisioned on these cloud platforms, the only cost factor is the daily cost in the blueprint from which it was provisioned. The cost for vCloud Director vApps includes any cost profile and storage cost profile on the virtual datacenter and the blueprint cost.

Create a Cost Profile

Fabric administrators can create cost profiles and associate them with compute resources to enable calculation of a machine’s cost.

Log in to the vRealize Automation console as a fabric administrator
Select Infrastructure > Compute Resources > Cost Profiles.

Click New Cost Profile
Type new values in for each resource

You can also add a Storage Cost Profile for storage of different performance capabilities such as High, Medium and Low cost storage

Using Custom Properties on Blueprints

You can modify a machine using custom properties throughout the lifecycle of the machine

Request
Provision
Manage
Retire

As an example they can modify the following

Specify the WIM image or PE environment image to use for install
Define the number of cores per socket
Place the machine in an OU
Place the machine in an inventory folder in vCenter
Change the network a machine is attached to
Update a CMDB

Custom properties can be defined for the following objects

Business Groups
Compute Resource
Build Profiles
Reservations
Endpoints
Blueprints
Storage

Useful Link

http://www.vmware.com/support/pubs/vcac-pubs.html

Set up Custom Properties

As an example I want to add a custom property to a blueprint which puts my machine in a specific folder in vCenter

Go to Infrastructure > Blueprints > Select your blueprint and click Edit
Click on the Properties tab

Add in VMware.VirtualCenter.Folder and type in a name for the inventory folder in vCenter that you want to use which provisioned machines will go into. In my case I have called it vRA.
Next go to Infrastructure > Groups > Business Groups > Click edit on your business group

Click New Property
Type in the name and value of your custom property.
Name = VMware.Virtual.Center.Folder
Value = vRA

Go to Catalog and request a Virtual Machine again
Once deployed, check vCenter has deployed the machine to the vRA folder and not the vRM folder

Add Location Information

Go to c:\Program Files (x86)\Vmware\vCAC\Server\Website\XmlData
Right click DataCenterLocations and click Edit
Copy the line with Boston in it and paste it underneath

Change all instances of Bolton with a new location

Save the file
Go back to your vRA webpage and go to Infrastructure > Blueprints > Blueprints
Click Edit on your Blueprint
Click the Display Location on request

Click OK and logout
Log back in and go to Infrastructure > Compute Resources > Compute Resources
Click Edit
From the location menu click the location you want

Other Custom Property Options

Hostname

This can be used to prompt a user to put in a hostname other than the ne defined by the machine prefix on the blueprint

VirtualMachine.Admin.ThinProvision

This option forces a new machine to be thin provisioned on the storage device

Build Profiles

A build profile is a set of properties to be applied to a machine when it is provisioned. It can be used for the following

Determining the spec of a machine
Determine how the machine is provisioned
Determine the operations to be performed after the machine is provisioned
Manage information about the machine

Build Profiles are attached to Blueprints and the spec of the build profile is available to business group users who have access to the blueprints

Build Profiles are constructed from default property sets or custom properties. Default sets include

ActiveDirectoryCleanupPlugin
CitrixDesktopProperties
PxeProvisioningProperties
SysprepProperties
VmwareXXXXXProperties

Creating a Build Profile

Go to Infrastructure > Blueprints > Build Profiles

Click New Build Profile
Add a name and description
From the Add from property set drop down list, select ActiveDirectoryCleanUpPlugin

In the Plugin.AdMachineCleanup.UserName, click Edit and add the username of a domain admin. In my case dacmt\administrator
In the Plugin.AdMachineCleanup.Password, click Edit and add the password of a domain admin
Make sure you click the green tick to confirm the changes
Logout
Login again
Click Infrastructure > Blueprints > Blueprints
Click Edit on your Blueprint
Click the Properties tab
Select the Remove from AD Build build profile

The Property Dictionary

The Property Dictionary can be used with custom properties to create a customised interface. You can statically or dynamically define the interface with the following data specification options

Data validation
Defined constraints on data values
Tooltip
Optional data
Ordered user control layouts

Using the Property Dictionary helps stop mistakes which occur when the data value of a custom property is passed into extensibility tools like Orchestrator and Powershell

When users request new machines they are prompted for these custom properties in the form of a required text box, drop down menu or buttons and more

Go to Infrastructure > Blueprints > Property Dictionary
On the Property Dictionary page, click New Property Definition

Fill in the required details
Click required and then click the green arrow

Click Edit under Property Attribute

Click New Property Attribute

Add in the below values

Log off
Log on again and go to Infrastructure > Blueprints > Blueprints and edit your blueprint and select the Properties tab
Select New Property

Type Custom.StorageTier in to the name an leave the value blank with Prompt user selected

Click OK
Go to Catalog > Request your machine
Look at the new option you have on the interface for Storage Tier

Note: vRA does not directly use storage tiering. You have to use custom properties and workflow modification with vSphere PowerCLI or Orchestrator

Approval Policies

Any catalog item or entitled action can be subject to an approval. The Approval Policies must first be defined by either a tenant administrator or a business group user and set as active before they appear in an entitlement

There can be multi levels of approvals with all different Boolean conditions as to how the policy can be approved across these levels.

Active and Linked approvals can only be cloned not edited

Creating an Approval Policy

Click the Administration tab > Users and Groups > Custom Groups
Search for the user or group you want to add as an approver

Click Next
Add in the users who you want to be Appprovers

Next go to Administration > Approval Policies

Click Add

Click OK
I am going to create a vCPU approval policy
Put in the name and set to Active

Click the green plus sign next to Levels
Fill in the required information

Click Add and Add again
Log out
Log in again
Click Administration > Catalog Management > Entitlements
Highlight your Blueprint and click Edit

Click Items and Approvals
Click Entitled Catalog Items and Modify Policy

Click the drop down menu and select your policy. Note apologies I had to recreate mine as CPU > 2

Click on Catalog > Request and select your VM
Change the vCPUs to 4

Click Submit
Now look at the Request tab where we should see the request sitting in the pending approval status

If you click on the request and select view details, it will show you who is the approver

Click on Inbox > Approvals as I am already logged in as myself as the approver

Click View Details and select whether to Approve or Reject

This concludes the configuration and management Part 5
Part 6 will go into more of the extensibility options like Advanced Service Designer and Orchestrator

VMware vRealize Automation 6.2.2 Configuration and Management Part 4

October 16, 2015 Part 4 No comments

Blueprints

Blueprints are used to define a machines attributes and methods of provisioning. These blueprints are then added into the Service Catalog ready for users to provision machines. There are 4 different types

Cloud
Physical
Virtual
Multimachine (New in vRA 6)

A user can request VMs if the below conditions are met

The Blueprint is published as a catalog item
The item is added to a service
The user is entitled to use the service

Configuring Blueprints

Go to Infrastructure -> Blueprints -> Blueprints

Click New Blueprint > Virtual > vSphere (vCenter)

Put in a name. I am going to call mine Windows2012Blueprint
Put in a description
(Optional) Select the Master check box to allow users to copy your blueprint.
(Optional) Select the Display location on request check box to prompt users to choose a datacenter location when they submit a machine request. This option requires additional configuration to add datacenter locations and associate compute resources with those locations
(Optional)Choose your reservation policy
Choose the machine prefix you have previously set up
Choose the maximum amount of VMs which can be deployed from this blueprint per user
Specify the number of days to archive machines provisioned from this blueprint, just keep it at 0 for now. Archive defines the number of days that an expired virtual machine remains available for activation. A zero value destroys the VM upon expiration
Add in any additional costs for chargeback purposes. These costs will be added to anything that is set in a cost profile. so you can add in a OS licensing cost or specific application cost for this VM

Click Build Information
The build information tab options define the type of blueprint, the provisioning action and the associated workflow
In Blueprint type, the options are Server / Desktop / Hypervisor
In Action, the options are Create, Clone, Linked Clone and NetApp FlexClone. Using the Create option creates an empty container. The clone option creates a new machine as a full copy and the Linked Clone option deploys a space efficient copy based on snapshots and chains of delta disks

Next the blueprint provisioning workflow option vary depending on what blueprint action you selected
Next we need to select a template to clone from

Next Choose a customisation spec. A customization specification is required only if you are cloning with static IP addresses. However, you cannot perform any customizations of Windows machines without a customization specification object. For Linux clone machines, you can use a customization specification, an external script, or both to perform customizations.

In Machine Resources, you can define the maximum and minimum resources that can be chosen by a user who wants to provision a VM from this blueprint. It’s optional but you can specify maximum amounts of vCPU, RAM, and HDD space that can be assigned to this blue print which gives a user the ability to customize to their specific application
Next click the Properties tab
Additional information can be provided during the provisioning process using Custom Properties
Custom Properties can be used throughout the lifecycle of a machine

Options for customising properties can include

Specifying the O/S to be used during provisioning

Customizing the O/S

Link for Custom Properties for Basic Workflow Blueprints

http://pubs.vmware.com/vra-62/index.jsp#com.vmware.vra.iaas.virtual.doc/GUID-15B1491D-BECF-40DE-9F2C-315975476B3B.html

Integrating the machine with an external system

Click the Actions tab
Actions identify the operations that can be carried out on a VM provisioned from a blueprint with additional custom actions being defined in Advanced Services Designer and entitled to users

Click OK to finish
You should now see your blueprint

Publishing a Blueprint

Navigate to Infrastructure > Blueprints > Blueprints. Highlight your new blueprint and click on Publish to publish the blueprint to the vRA catalog

You should now see that it is published

Service Catalog

The Service Catalog is a self service portal where users can locate the items they want to request and track requests and manage provisioned items.

Using Service Categories, catalog items can be organised into containers such as Linux, Windows or User Support

Go to Administration > Catalog Management > Services. Click on the green “+” sign to add a new service.

Fill in the required data and choose an icon as necessary to reflect the Service, in my case Windows

You should now see your service

Click on Manage Catalog Items. A catalog item must be associated with a service before it can be requested

Click the green + sign

Choose your catalog item. In my case the Windws2012 item

Create an Entitlement to the catalog item

Go to Administration > Catalog Management > Entitlements and click on the green “+” mark

Fill in your details

Click Next
Click the green + sign next to Entitled Services and select your service

Click the green + sign next to Entitled Catalog items and select your Catalog item

Click the green + sign next to Entitled Actions and select your Actions

Click OK and you should now see your entitlements

Provision a machine

Go to the Catalog tab and check if your service is available

Click Request
Check the details and modify the request reason
Remember you can only modify the resources up to the maximum set in the blueprint and sometimes these are subject to approval policies as well. (Which haven’t been covered yet)

Click Submit and the VM should be provisioned in vCenter
Click the Requests tab to monitor the request

If you log into vCenter and go to Virtual Machines and Templates, you will see that vCAC by default will place all provisioned machines into a vCenter folder named VRM. You can override this using the custom property VMware.VirtualCenter.Folder to tell vRA where to place the provisioned machine.
My machine is dacv001

If you click on the Items tab once the machine is provisioned, you can manage some actions which are controlled by entitlements

Taking a snapshot

Click on Items
Click on the Owned by drop down menu and change this to “All groups I manage”
Click on View Details

Click New Snapshot

vRA allows one snapshot per machine and no age limits

« Older Entries

Archive for vRA

Setting up an F5 Load Balancer v12

vRA 7 Part 1 Minimal Installation of vRA7

vRealize Automation large scale deployment Part 3 IaaS Server Install

vRealize Automation large scale deployment Part 1 Identity and vRA appliance install

vRealize Automation large scale deployment Part 2 Clustering the Postgres Databases on the vRA Appliances v6.2.3

Installing vRA 6.x certificates

VMware vRealize Automation 6.2.2 Monitoring and Reclamation Part 7

VMware vRealize Automation 6.2.2 Extensibility, Orchestrator and ASD Part 6

VMware vRealize Automation 6.2.2 Configuration and Management Part 5

VMware vRealize Automation 6.2.2 Configuration and Management Part 4

Electric Monk

Don't think about what can happen in a month. Don't think what can happen in a year. Just focus on the 24 hours in front of you and do what you can to get closer to where you want to be :-)

Search

Calendar

Social Media and RSS

vExpert

Recent Posts

Archives

Categories

Fatcow Webhosting

Archive for vRA

Electric Monk

Don't think about what can happen in a month. Don't think what can happen in a year. Just focus on the 24 hours in front of you and do what you can to get closer to where you want to be :-)

Search

Calendar

Social Media and RSS

vExpert

Recent Posts

Archives

Categories

Tags

Fatcow Webhosting