Archive for vRA

Setting up an F5 Load Balancer v12



  • On the F5 website, click trial license and download your software and request a license to be emailed to you (F5 BIG-VE-LAB-LIC)


  • Download the installer (ESXi Server)


  • Open vCenter and select File > Deploy OVF Template


  • Accept License agreement
  • Put in a name


  • Check the resources


  • Choose the storage


  • Choose disk formatting options


  • Check network mappings
  • Management and Internal need to be on different networks so my machines will sit on the F5 network. I’m not worried about the other 2 networks for now as I will use the Management and the Internal only


  • Check details
  • Click Finish


  • Power on the appliance
  • Put in root as the username and default as the password
  • Type config and the following screen will open


  • Say No to automatically configured address
  • Put in your IP address, Subnet Mask and Gateway
  • You should now be able to log into the interface on https://youripaddress


  • The username is admin and the password is admin


  • You will need to activate the license which will have been emailed to you


  • Accept the license agreement


  • You should now see the below screen which shows your current resource reservations, License status and disk provisioning figures


  • Click Next and you will now see your device certificates screen


  • You will now be on the General properties screen
  • Add in your Hostname in FQDN format, Timezone and change the Root and Admin account password and any other details which require changing


  • It will ask you to Log out and in again
  • When you log back in you will be presented with a network screen
  • Click Next


  • Click Next on the page below


  • On the VLANs page put in a self IP and subnet mask. This needs to be an address on your internal network, in my case the F5 network
  • Put in a floating IP address on the same network
  • In Internal VLAN configuration, select the 1.0 VLAN interface, select untagged and click Add


  • Interface 1.0 is the Management interface that was initialized during the deployment of the OVA and configured earlier in this document.
  • As mentioned earlier for the purpose of this document we will be utilizing only the Internal (Interface 1.1) Interface for load balancing
  • The Internal Interface or Interface 1.1 corresponds to Network Adapter 2 of our F5 appliance
  • You are now on the External Network Configuration screen
  • In External Network Configuration, Choose Select existing VLAN and select Internal
  • In External VLAN configuration delete anything in interfaces then add 1.2 as untagged


  • On the High Availability screen do the same as the above and Select existing VLAN as Internal
  • On the High Availability VLAN Configuration screen, delete the interface in interfaces and choose 1.3 and untagged and add


  • Add in the NTP Configuration. I just pointed to my domain controller.


  • Make sure the correct DNS Lookup Servers and DNS search Domain have been added.


  • Click Next, Next, Next until you get to the Finished screen


  • You will now be on the default F5 page and ready to set up load balancing

Setting up VMware vCenter PSCs with an F5 Load Balancer

Please see the below link to see the F5 in action 🙂

vSphere 6 Platform Services Controller HA Setups – High Availability with an F5 Load Balancer

Useful Links

vRA 7 Part 1 Minimal Installation of vRA7


What is vRA7?

VMware vRealize Automation 7 sets a new standard in cloud automation by radically changing how fast and easy it is to automate the delivery of IT services and thereby accelerating your time to value. This major update has a simplified architecture and includes an installation wizard, the unified blueprint model, and enhanced NSX support.

IT organizations can use VMware vRealize™ Automation to deliver services to their lines of business.

vRealize Automation provides a secure portal where authorized administrators, developers or business users can request new IT services and manage specific cloud and IT resources, while ensuring compliance with business policies. Requests for IT service, including infrastructure, applications, desktops, and many others, are processed through a common service catalog to provide a consistent user experience.

You can improve cost control by using vRealize Automation to monitor resource and capacity usage. For further cost control management, you can integrate vRealize Business Advanced or Enterprise Edition with your vRealize Automation instance to expose the cost of cloud and virtual machine resources, and help you better manage capacity, cost, and efficiency

Support Documentation

New Features

Support Matrix

Reference Architecture

Installing vRealize Automation (Minimal Install in lab)

Depending on your deployment requirements, you can install and configure vRealize Automation components by using the Installation Wizard, or manually, through the management console. With either method, you can choose to create a minimal installation, or distribute components over separate servers in a custom distributed installation, with or without load balancers.

Choose a minimal installation to deploy a proof of concept (PoC) or development environment with a basic topology. Choose an enterprise installation to deploy a production environment with the topology best suited to your organizational needs

To complete a minimal deployment, a system administrator installs the vRealize Automation appliance and Infrastructure as a Service (IaaS) components.


vRealize Automation appliance includes the Web console interface and support for single sign-on capabilities. It is installed as a virtual appliance.


Infrastructure as a Service (IaaS) is installed on a Windows Server machine.


The IaaS uses an SQL database that can be installed on the same machine as IaaS or on its own server.

The following figure shows the relationship and purpose of components of a minimal installation.


Step 1 DNS

  • vRealize Automation requires the system administrator to identify all hosts by using a fully qualified domain name (FQDN).
  • In a distributed deployment, all vRealize Automation components must be able to resolve each other by using a FQDN.
  • The Model Manager Web service, Manager Service, and Microsoft SQL Server database must also be able to resolve each other by their Windows Internet Name Service (WINS) name. You must configure the Domain Name System (DNS) to resolve these host names in your environment.
  • So I created an A record in DNS for my vRA7 appliance and an A record in DNS for my IaaS Server

Step 2 Check minimum hardware requirements

  • Your deployment must meet minimum system resources to install virtual appliances and minimum hardware requirements to install IaaS components on the Windows Server.
  • For operating system and high-level environment requirements, including information about supported browsers and operating systems, see the vRealize Automation Support Matrix.
  • The Hardware Requirements table shows the minimum configuration requirements for deployment of virtual appliances and installation of IaaS components. Appliances are preconfigured virtual machines that you add to your vCenter Server or ESXi inventory. IaaS components are installed on physical or virtual Windows 2008 R2 SP1, or Windows 2012 R2 servers. An Active Directory is considered small when there are up to 25,000 users in the OU to be synced in the ID Store configuration. An Active Directory is considered large when there are more than 25,000 users in the O


Step 3 Browser Considerations

Some restrictions exist for browser use with vRealize Automation.


vRealize Automation does not support Compatibility View mode for Internet Explorer 10 on Windows 7 platforms. If you are unable to log in to appliance management consoles or you receive an error on the SSO tab when using Internet Explorer 10, use the Developer Tools to set the browser mode to Internet Explorer 7.


Multiple browser windows and tabs are not supported. vRealize Automation supports one session per user.


VMware Remote Consoles provisioned on support a subset of vRealize Automation-supported browsers.

For operating system and high-level environment requirements, including information about supported browsers and operating systems, see the vRealize Automation Support Matrix

Step 4 Password requirements

  • The vRealize Automation administrator password cannot contain a trailing “=” character.
  • Verify that the administrator password you assign during installation does not end with an “=” character. Such passwords are accepted when you assign them, but result in errors when you perform operations such as saving endpoints

Step 5 Database requirements

  • If you clone an IaaS node, install MS DTC on each node after it has been cloned. When you clone a node that has MS DTC installed, its unique identifier is copied to each clone, which causes communication to fail. See Error in Manager Service Communication for further information.
  • The database can reside on the IaaS (Windows) server host or on a remote host.
  • Java-related requirements apply for databases on the IaaS (Windows) server host. They do not apply for external databases.

Step 6 IaaS Server requirements

You can use the following script to install all pre-requisites on your IaaS server but do a double check of everything first


Step 7 Port requirements

vRealize Automation uses designated ports for communication and data access.

  • Although vRealize Automation uses only port 443 for communication, there might be other ports open on the system.
  • Because open, unsecure ports can be sources of security vulnerabilities, review all open ports on your system and ensure that only the ports that are required by your business applications are open

Step 8 Certificates

vRealize Automation uses SSL certificates for secure communication among IaaS components and instances of the vRealize Automation appliance. The appliances and the Windows installation machines exchange these certificates to establish a trusted connection. You can obtain certificates from an internal or external certificate authority, or generate self-signed certificates during the deployment process for each component.

For important information about troubleshooting, supportability, and trust requirements for certificates, see the VMware knowledge base article at

You can update or replace certificates after deployment. For example, a certificate may expire or you may choose to use self-signed certificates during your initial deployment, but then obtain certificates from a trusted authority before going live with your vRealize Automation implementation

Step 10 Deploy the vRealize Automation appliance

Note: If you have to cancel out of the wizard and it doesn’t automatically come up when you log back in to the appliance, you can do the following

  • ssh into the appliance and run vcac-vami installation-wizard activate
  • Put /#wizard.wizard at the end of the vRA portal address

Follow the instructions below


Download the vRealize Automation appliance from the VMware Web site.

Optionally on the same page you can download the VMware vRealize Orchestrator appliance


Log in to the vSphere client as a user with system administrator privileges.



Select File > Deploy OVF Template from the vSphere client.


Browse to the vRealize Automation appliance file you downloaded and click Open.


Click Next.


Click Next on the OVF Template Details page.



Accept the license agreement and click Next.


Type a unique virtual appliance name according to the IT naming convention of your organization in the Name text box, select the datacenter and location to which you want to deploy the virtual appliance, and click Next.



Follow the prompts until the Disk Format page appears.


Verify on the Disk Format page that enough space exists to deploy the virtual appliance and click Next.



Follow the prompts to the Properties page.

The options that appear depend on your vSphere configuration.


Configure the values on the Properties page.



Type the root password to use when you log in to the virtual appliance console in the Enter password and Confirm password text boxes.


Select or uncheck the SSH service checkbox to choose whether SSH service is enabled for the appliance.

This value is used to set the initial status of the SSH service in the appliance. If you are installing with the Installation Wizard, enable this before you begin the wizard. You can change this setting from the appliance management console after installation.


Type the fully qualified domain name of the virtual machine in the Hostname text box, even if you are using DHCP.


Configure the networking properties.


Click Next.



Start the host machine.


If Power on after deployment is available on the Ready to Complete page:

  • Select Power on after deployment and click Finish.
  • Click Close after the file finishes deploying into vCenter.
  • Wait for the machine to start. This could take up to five minutes.

If Power on after deployment is not available on the Ready to Complete page:

  • Click Close.
  • Power on the machine. This could take up to five minutes. Check the Remote console window

After a few moments, a success message appears.



Open a command prompt and ping the FQDN to verify that the fully qualified domain name can be resolved against the IP address of vRealize Automation appliance.

Step 11 Run the Installation Wizard for a Minimal Deployment


Open a Web browser.


Navigate to the vRealize Automation appliance management console by using its fully qualified domain name,


Log in with the user name root and the password you specified when the appliance was deployed.


When the Installation Wizard appears, click Next.



Accept the End User License Agreement and click Next.


Select Minimal Deployment and Install Infrastructure as a Service on the Deployment Type screen and click Next.



Check that the prerequisites listed on the Installation Prerequisites page have been met and that the Windows servers on which you installed a Management Agent are listed.


Click the link and obtain the Management Agent software and install this agent on your IaaS server


The Management Agent executes work items which are issued by the VAMI. The context under which the Management Agent is running executes the installer. Certificate changes can now be performed from the VAMI for infrastructure machines as well, and this is handled by the Management Agent.

The Management Agent requires a direct connection to port 5480 on all virtual appliances. It becomes aware of all the appliances in the system after the initial connection is established to the first VA. It is also used for log collection, telemetry, etc.

The next screen will ask you for account information that has administrative rights on your IaaS Server. This account will be used to install services and additional pre-requisite software


Once the installer finishes, go back to your wizard. Notice that at the bottom of the screen you were on, there is now an IaaS Server listed. Set your NTP settings (THIS IS VERY IMPORTANT !) and click next



If needed, you can change the timekeeping method for your vRealize Automation appliance. Click Change Time Settings, if you make changes.


Click Next.


Click Run on the Run the Prerequisite Checker screen to verify that the Windows servers in your deployment are correctly configured for vRealize Automation use.

Because this step runs remotely, it can take several minutes for the step to run.



If a failed status is returned for a machine, click Fix to start automatic corrections or click Show Details and follow the instructions. Automatic corrections also restart


Click Run to rerun the checker.


When all statuses show success, click Next.


Proceed through the next screens, supplying the requested information to configure your deployment components, including the Web server, Manager Service, Distributed Execution Manager, vSphere proxy agent, and certificate information.

Additional information is available from the Help buttons.

DNS of the vRA appliance


SSO Password


IaaS server details


Database Information


DEM Information


Agents Information


vRealize Appliance Certificate


Web Certificate


Manager Service Certificate


Validate: Click Validate – Can take between 10 minutes and half an hour



Hopefully you should then see


A reminder to take snapshots


Read the message and click Install

The installation can take between 30 minutes and one hour


And hopefully should say completed


Update the license key


Choose Telemetry settings


Initial Content creation

Optionally, you can start an initial content workflow for a vSphere endpoint.
The process uses a local user called configurationadmin that is granted administrator rights.


A configuration admin user is created and a configuration catalog item is created in the default tenant. The configuration admin is granted the following rights:

  • Approval Administrator
  • Catalog Administrator
  • IaaS Administrator
  • Infrastructure Architect
  • Tenant Administrator
  • XaaS Architect


What to do next

  • After you finish the wizard, log in to the default tenant as the configurationadmin user or as administrator.
  • Go to the service catalog, request the Initial Content catalog item
  • Complete the request form for the Initial Content workflow

Step 12 – Login using the configurationadmin account or administrator

Note you don’t have to put administrator@vsphere.local in, just administrator and your SSO password

  • Type https://vra-appliance-fqdn/vcac


vRealize Automation large scale deployment Part 3 IaaS Server Install


vRealize Automation large scale deployment Part 2 IaaS Server Install

In a distributed installation, the system administrator can deploy multiple instances of the appliances and install IaaS components over multiple machines in the deployment environment.


This install will include the following

  • 2 x Windows 2012 R2 Server running IaaS
  • 2 x Windows 2012 R2 Servers running SQL 2012 in a SQL failover cluster

IP Addresses


IaaS Service Account


Step 1 – Check Pre-requisites

Make sure the server is fully patched and snapshotted prior to installation to allow easy rollback in the event of any issues

There is a great PowerShell script which will install the pre-requisites for you but it is always worth checking all the steps I’ve listed following this for your own sanity. Reboot after running the script


  • TCP/IP protocol enabled for SQL Server


  • Microsoft Distributed Transaction Coordinator Service (MS DTC) enabled on all SQL nodes and IaaS nodes in the system. MS DTC is required to support database transactions and actions such as workflow creation. Start > Run > dcomcnfg > Computer > My Computer > Distributed Transaction Coordinator > Local DTC > Properties
  • Note there may be a clustered DTC, in which case modify this as well


  • No firewalls between Database Server and the Web server or IaaS Server, or ports opened as described in Port Requirement
  • If using SQL Server Express, the SQL Server Browser service must be running
  • For 6.0.x installations, the database name cannot contain a space. For 6.1 and later installations, the use of spaces in names is supported
  • Log into SQL Management Studio and add Domain Admins to Logins


IaaS Pre-requisites

  • Configuration of Active Directory Domain Service Accounts for Local Administrators Group


  • Configuration of Windows Server 2012 R2 Firewall

The firewall can either be turned off or there are certain rules which need enabling as per below if it is turned on


  • Installation of Microsoft .NET 4.5.2 Framework
  • Installation of Java Runtime 64-bit Environment (jre-7u67-windows-x64.exe; required to install the database)
  • Note I had to use the below version. 1.8 did not work and you can use the latest 1.7 version which is jre-7u79 currently I think



  • Click New


  • Type the following path to the Java installation directory


  • Installation and configuration of IIS Server

You can run these commands in PowerShell

  • Add-WindowsFeature -Name Web-Webserver,Web-Http-Redirect,Web-Asp-Net,Web-Windows-Auth,Web-Mgmt-Console,Web-Mgmt-Compat, web-metabase


  • Add-WindowsFeature -Name Was, Was-config-apis, was-Net-Environment,NET-Non-HTTP-Activ




  • Add-WindowsFeature -Name NET-WCF-HTTP-Activation45


  • Enabling the Secondary Logon service. You can just start this for the installation process, then it can be stopped afterwards


  • Configuration of the batch login access and service login
  • Open Local Security Policy
  • Modify the Log on as a batch job and Log on as a service with the account you are going to install IaaS on


  • Next open IIS Manager and navigate to the default website


  • Click on Authentication


  • Next click on Providers and remove NTLM and Negotiate then add Negotiate back in followed by NTLM


  • Next click on Advanced Settings
  • Change it from Off to Accept. Click on OK then change it back to Off


  • Do an iisreset


  • Next we need to register
  • Go to c:\Windows\Microsoft.Net\Framework64\v4.0.30319
  • Type aspnet_regiis -i


  • Do another iisreset
  • The following registry modification is required for the IaaS web server to include Local Security Authority host names that can be referenced in the NTLM authentication requests for CNAME and load balancer FQDN addresses.
  • Open the Windows registry and browse HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0.
  • Right-click MSV1_0, point to New, and click Multi-String Value.
  • In the Name column, type BackConnectionHostNames, and press Enter.
  • In the Value text box, type the CNAME or DNS alias that is used for the local shares on the computer, and click OK.
  • Example for IaaS Web Servers: f5.ias.techlab.local


  • Before the installation of the IaaS components, verify system cryptography
  • Go to the Local Group Policy Editor, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, expand Security Options and open System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing. Verify that it is set to Disabled.


  • Next I also like to add my IaaS service account to the Local Admins group on the server or if it is the Domain Admins group then add this for lab purposes


  • Add a REG_DWORD value DisableLoopbackCheck set to 1 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\
  • Add a REG_DWORD value DisableStrictNameChecking set to 1 under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
  • Next I like to shutdown the server and take a snapshot at this point
  • Do exactly the same procedure on the second IaaS server
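
The registry values, FIPS policy and services from the list above can be checked in one pass on each IaaS server. This is an added example, not part of the original post: the function names are made up for illustration, the FipsAlgorithmPolicy registry path and the MSDTC and seclogon service names are standard Windows identifiers rather than values from this page, and f5.ias.techlab.local is the example alias used above.

```powershell
# Added example (not from the original post): read-only audit of the IaaS
# prerequisite settings described in the list above. Nothing is changed.
# Assumption: -LoadBalancerFqdn is the alias you typed into BackConnectionHostNames.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function New-Finding {
    param([string]$Setting, [string]$Expected, $Actual, [bool]$Ok)
    [pscustomobject]@{ Setting = $Setting; Expected = $Expected; Actual = $Actual; Ok = $Ok }
}

function Test-IaasPrerequisite {
    param([Parameter(Mandatory = $true)][string]$LoadBalancerFqdn)

    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    # REG_MULTI_SZ comes back as string[]; -contains compares case-insensitively.
    $names = @(Get-RegValue -Path "$lsa\MSV1_0" -Name 'BackConnectionHostNames' |
        Where-Object { $_ })
    New-Finding -Setting 'BackConnectionHostNames' `
        -Expected "contains $LoadBalancerFqdn" `
        -Actual ($names -join ', ') `
        -Ok ($names -contains $LoadBalancerFqdn)

    $dwordChecks = @(
        @{ Label = 'DisableLoopbackCheck'; Path = $lsa; Name = 'DisableLoopbackCheck'; Want = 1 },
        @{ Label = 'DisableStrictNameChecking'; Name = 'DisableStrictNameChecking'; Want = 1
           Path  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' },
        # Registry value behind "System cryptography: Use FIPS compliant algorithms ..."
        @{ Label = 'FIPS policy (Enabled)'; Path = "$lsa\FipsAlgorithmPolicy"; Name = 'Enabled'; Want = 0 }
    )
    foreach ($check in $dwordChecks) {
        $actual = Get-RegValue -Path $check.Path -Name $check.Name
        # A missing value means the Windows default, which is 0 for all three.
        if ($null -eq $actual) { $actual = 0 }
        New-Finding -Setting $check.Label -Expected $check.Want -Actual $actual `
            -Ok ($actual -eq $check.Want)
    }

    # MS DTC must run permanently; Secondary Logon (seclogon) is only needed
    # while the installer runs, so re-run this afterwards to see it stopped again.
    foreach ($svc in 'MSDTC', 'seclogon') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        $status = if ($s) { [string]$s.Status } else { 'NotInstalled' }
        New-Finding -Setting "Service $svc" -Expected 'Running' -Actual $status `
            -Ok ($status -eq 'Running')
    }
}

Test-IaasPrerequisite -LoadBalancerFqdn 'f5.ias.techlab.local' | Format-Table -AutoSize
```

DisableLoopbackCheck switches off the NTLM loopback protection for every host name, whereas BackConnectionHostNames exempts only the names listed, which is why the report shows the two separately.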

Note: Once DTC was enabled on both the IaaS and the remote SQL server, the installation still failed. After some searching, I found that since the IaaS server and SQL server VMs were provisioned using the same Virtual Machine template in vSphere, DTC had to be uninstalled and re-installed on one of the servers, either the IaaS server or the SQL server. To perform this task, execute the following commands from an elevated command prompt (run cmd.exe as an Administrator):

  • msdtc -uninstall
  • msdtc -install
  • Reconfigure settings
  • Reboot

Step 2 – Install certificates

You will need to refer to my other blog about creating and installing vRA IaaS certificates here if you haven’t created them already.

Import the certificate into IIS

Step 3 – Install IaaS Website and Model Manager Data

  • Go to https://yourvRAserver.FQDN:5480/installer
  • Download the IaaS installer


  • Launch the installer from where you saved it and Run as Administrator


  • Click Next


  • Accept the License agreement


  • Put in root and your password


  • Choose Custom Install
  • Select IaaS Server


  • Select the Database checkbox
  • I have a Windows Server 2012 / SQL2012 cluster called SQLCLUSTER which was picked up when I put in my SQL server name and clicked Scan
  • I then unticked Use existing empty database and called it vcac


  • Fix any warnings which appear in the Verify Pre-requisites box


  • Click Check again


  • Click Next and click Install


  • Hopefully you should now see the below screen


  • Untick the box which says Guide me through the initial system configuration and click Finish


Installing the Primary IaaS Web and Model Manager Data Server

  • If you haven’t already, import the certificate you previously created. This is the PFX cert
  • Double click on the certificate
  • Choose Local Machine


  • Check the path to your cert file is correct
  • Click Next


  • Enter the password if you created one
  • Select Mark this key as exportable
  • Click Next


  • Accept the default store


  • Check the final box and click Finish


  • Add certificate into the IIS Console under Server Certificates. It may already be there. Check 443 bindings are linked to your certificate
  • Just double check in Local Security that System Cryptography: Use FIPS compliant algorithms is disabled
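
A way to confirm the import and the 443 binding from PowerShell, added here as an example (not from the original post). It assumes the IIS WebAdministration module is present, uses hypothetical function names, and takes f5.ias.techlab.local, the example alias from earlier in this post, as the name the certificate is expected to cover.

```powershell
# Added example (not from the original post). Assumptions: the PFX was imported
# into the Local Machine store as described above, and -ExpectedName is the
# load-balanced FQDN that clients will use.
Import-Module WebAdministration   # provides the IIS:\ drive

function Test-NameMatch {
    param([string]$Pattern, [string]$HostName)
    if ($Pattern -eq $HostName) { return $true }   # -eq ignores case
    if ($Pattern.StartsWith('*.')) {
        # A wildcard covers exactly one left-most label.
        $dot = $HostName.IndexOf('.')
        if ($dot -gt 0) { return $Pattern.Substring(1) -eq $HostName.Substring($dot) }
    }
    return $false
}

function Test-IaasWebCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$ExpectedName,
        [int]$Port = 443,
        [int]$WarnDays = 30
    )
    $bindings = @(Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq $Port })
    if ($bindings.Count -eq 0) {
        Write-Warning "No SSL binding found on port $Port"
        return
    }

    foreach ($b in $bindings) {
        # Look the bound thumbprint up in the store the binding refers to.
        $cert = Get-ChildItem "Cert:\LocalMachine\$($b.Store)" |
            Where-Object { $_.Thumbprint -eq $b.Thumbprint } |
            Select-Object -First 1
        if (-not $cert) {
            Write-Warning "Binding on port $Port uses thumbprint $($b.Thumbprint), which is not in store $($b.Store)"
            continue
        }

        # DnsNameList holds the SAN DNS entries (or the subject name if there is no SAN).
        $names    = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
        $covers   = @($names | Where-Object { Test-NameMatch -Pattern $_ -HostName $ExpectedName }).Count -gt 0
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

        [pscustomobject]@{
            Binding       = "$($b.IPAddress):$($b.Port)"
            Thumbprint    = $cert.Thumbprint
            Names         = $names -join ', '
            CoversName    = $covers
            HasPrivateKey = $cert.HasPrivateKey
            SelfSigned    = ($cert.Subject -eq $cert.Issuer)
            DaysLeft      = $daysLeft
            Ok            = $covers -and $cert.HasPrivateKey -and ($daysLeft -gt $WarnDays)
        }
    }
}

Test-IaasWebCertificate -ExpectedName 'f5.ias.techlab.local' | Format-List
```

A result with CoversName set to False means the certificate does not list the load-balanced name, which the installer's certificate mismatch suppression would otherwise hide.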


  • Launch the IaaS installer as Administrator again
  • Click Next, accept the license agreement and put in the root username and password
  • Select Custom Install and IaaS server


  • Select Website and ModelManagerData checkboxes
  • On the Administration and Model Manager Website tab select the certificate that you previously imported
  • Select the Suppress certificate mismatch box


  • You should get a message back when you click Test Binding


  • Click on the Model Manager Data tab
  • Enter the FQDN of the vRA appliance load balanced address. In my case f5.vra.techlab.local
  • On SSO Default Tenant, click Load
  • Under certificate click Download (This is the certificate which should be pre-created from my other blog and imported into IIS)
  • Click View Certificate and check it
  • Add in all the rest of the details


  • On the Verify pre-requisites screen, make sure everything is ticked green and fix any issues


  • Under Server and Account Settings put
  • Passwords
  • Passphrase
  • SQL Servername and Database name


  • You may get a message coming up about the user account needing to be added to the Local Security Policy if you hadn’t added it there already
  • Click Install


  • It should start installing


  • And hopefully say Completed


Useful Troubleshooting info

Installing IaaS server on the second IaaS Server

This procedure is exactly the same as the above process, except that we just install the website component on the second server

  • Don’t forget all the pre-requisites
  • Don’t forget to import your certificate
  • Start the installer
  • Enter your root and password for the vRA appliance screen
  • Enter your details below choosing just the website component


  • Enter all the relevant details again


  • Follow the next prompts to install and finish


vRealize Automation large scale deployment Part 1 Identity and vRA appliance install


vRA Distributed deployment.

This series will cover a larger distributed deployment of vRealize Automation 6.2.3

Software required



Only the Identity and vRA appliances are covered in this blog. The rest will be covered in the series to follow.

  • 1 x Identity appliance
  • 2 x vRA appliances (Postgres Database only)
  • 2 x IaaS servers
  • 2 x Manager Servers
  • 1 x Orchestrator appliance
  • 1 x F5 Load Balancer


  • DNS must be configured for all servers/appliances you use and test it
  • Whatever you use for time sync must be identical for all servers/appliances you use

F5 Load Balancer setup and information



Please follow one of my other blogs for generating and importing certificates into vRA appliances and servers

Step 1 – Deploying the Identity Appliance

  • In the vSphere client or web client select File > Deploy OVF Template


  • Check the details


  • Accept the license agreement
  • Put in a name for the vRA Identity appliance


  • Choose your storage


  • Leave the defaults for storage


  • Check the details and click Finish


  • Note: The identity appliance cannot be clustered but can be put on a vSphere HA cluster to provide redundancy in the event of hardware failure but not in the event of the Identity appliance having an issue.
  • You may need to go into the vCenter console for the machine and set a root password
  • You will then see this screen where you can see the web browser link to log into the Identity appliance


  • Log into the web link


  • Set the time zone


  • Set the SSO password


  • It should then look like the below screenprint


  • Click on host settings and put in the name of the identity appliance
  • Make sure there is a DNS entry for the identity appliance


  • Click on Network then the Address tab and put in the relevant details


  • You will then need to reboot and relogin
  • Next click on SSO > SSL
  • Generate a certificate for now. Example below


  • Click on Active Directory and put in your details


  • It will then look like the below


  • Go to the Admin tab and click Admin
  • Tick SSH service enabled and Administrator SSH login enabled


  • Click on Time settings and adjust if you have a time server. I left mine on Use host time


  • This should now be complete.
  • Note: You may want to adjust the CPU and RAM depending on customer requirements
  • Note. It might be wise at this point to shutdown the appliance and take a snapshot

Step 2 Deploy 2 vRealize Automation Appliances

Note: Follow the below steps for each appliance

  • In the vSphere client or vSphere Web Client click File > Deploy OVF template


  • Check the details


  • Accept the license agreement
  • Put in a name


  • Choose your storage


  • Choose your storage options


  • Next you will need to type in the hostname, ssh enabled, IP address, subnet mask, gateway and DNS servers


  • Click Next and check all your details


  • Once this is deployed, make sure you have a DNS entry added
  • Log into the appliance
  • Change the time settings first


  • Click on the Network tab and select Host Settings.
  • Fill in your details


  • Reboot the appliance


  • Click on the vRA Host Settings
  • Add in your host settings – this should be your load balanced name
  • Import your certificate, which should have been pre-created from the instructions in my previous vRA certificate blog


  • Click on SSO
  • Put in the SSO details (The identity appliance details)
  • If everything is ok then you will see a certificate message


  • Click Save Settings and note the SSO seems to take a long time


  • You should see the following


  • You should slowly see the services begin to come up
  • Note:  To monitor service startup run the following command:
  • tail -f /var/log/vcac/catalina.out


  • Do exactly the same process on the second appliance
  • Add your license in – Go to vRA Settings > Licensing


  • Next please go to Part 2 for the Postgres clustering of the vRA appliances

Licensing Problems

I had an issue where my license suddenly became invalid, which was a little bizarre as it is a test non-expiring one.

However I followed the steps in the below article on both appliances and it came back fine

Thanks @ vmguru 🙂


vRealize Automation large scale deployment Part 2 Clustering the Postgres Databases on the vRA Appliances v6.2.3


Configuring the vRA Appliances

VMware vRealize Automation Center documentation recommended the utilization of an external instance of VMware vFabric Postgres when setting up a high availability (HA) environment. However, since the release of VMware vRealize Automation standalone, VMware vFabric Postgres is End Of Availability and no longer available as a standalone product. To address customers' needs, VMware developed a way to utilize the database instance located in the VMware vRealize Automation appliance in a high availability (HA) mode, without having to incur additional licensing.

Useful Links

Instructions Part 1

Follow the below instructions for both appliances until you get to Part 2

  • Shutdown both vRA appliances and snapshot in vCenter
  • Download the file from the VMware Knowledge Base.
  • Add a 20GB disk to the primary vRA appliance and secondary appliances
  • Power on the primary and secondary vRA appliances
  • Log into both vRA_Appliance:5480 in a web browser
  • Log into both vRA appliances in Putty and WinSCP
  • Extract the tar file from the file attached to this article to both the appliances (I created a /tmp/postgres folder)
  • Using WinSCP copy the 2108923_dbCluster.tar file to a tmp folder on both appliances
  • In Putty (See screen below) extract the .tar file on both appliances
  • tar xvf 2108923_dbCluster.tar


  • Type parted -l on both appliances
  • You should see Error: /dev/sdd: unrecognized disk label. See the bottom of the screen


  • Run ./ /dev/sdd


  • At this point it is normally a good idea to snapshot both appliances as they seem to be sensitive to the password you use especially the special characters. Do not use = anywhere in the password
  • Run the script to prepare the appliance databases for clustering
  • Note: In our case the db_fqdn was the Load balanced DB FQDN for the Postgres database

./ [-d] db_fqdn [-w] db_pass [-r] replication_password [-p]postgres_password

[-d] Database load balancer fully qualified domain name
[-w] Database password (will set password to this value)
[-r] Replication password (Optional: will use Database password if not set)
[-p] Postgres password (Optional: will use Database password if not set)

  • cd /tmp/postgres
  • ./ -d f5.db.techlab.local -w password -r password -p password


  • This is the end of configuration on both appliances

Instructions Part 2

Configuring the database replication on appliance B

  • Type su - postgres
  • Type cd /opt/vmware/vpostgres/current/share/
  • Type ./run_as_replica -h vRA_FQDN -b -W -U replicate (Note: don’t copy and paste, as it needed typing in manually)

./run_as_replica -h Primary Appliance -b -W -U replicate
[-U] The user who will perform replication. For the purpose of this KB this user is replicate
[-W] Prompt for the password of the user performing replication
[-b] Take a base backup from the master. This option destroys the current contents of the data directory
[-h] Hostname of the master database server. Port 5432 is assumed

  • Enter the same password which was created previously
  • It should now look like the below
  • Type yes


  • Type yes


  • Type the password


  • Type yes to enable WAL archiving on the primary


  • It will now say shutting down; ignore the error message


  • Type yes to the base backup message
  • Note to myself really, I had an issue where I needed to run a command as root on the second vRA appliance to stop the vpostgres service (service vpostgres stop) to get the installer to finish!


  • Next test replication
  • cd /opt/vmware/vpostgres/current/share/
  • Type ./show_replication_status


Validate replication

  • Connect to the appliance with the primary (master) database using SSH.
  • Validate if the WAL process is running. You should see the WAL process by running this command:
  • ps -ef | grep wal


Validate if the master is ready for read-write connections by running these commands:

  • su - postgres
  • cd /opt/vmware/vpostgres/current/bin
  • ./psql vcac
  • SELECT pg_is_in_recovery();


  • You see output similar to the above
  • Quit psql by running \q
  • Connect to the appliance with the replica database using SSH.
  • Validate if the replica is read only using these commands
  • su - postgres
  • cd /opt/vmware/vpostgres/current/bin
  • ./psql vcac
  • SELECT pg_is_in_recovery();


  • Quit psql by running \q

Instructions Step 3

Testing Failover between the Postgres Databases. Performing a test failover (appliance A to appliance B)

  • Validate if the WAL process is running. You should see the WAL process by running this command:
  • Type ps -ef | grep wal


  • Connect to appliance A using SSH as root
  • Stop the vpostgres service by running service vpostgres stop


  • Connect to appliance B using SSH as root.
  • Promote the replica database to master as the postgres user by running these commands
  • su - postgres
  • cd /opt/vmware/vpostgres/current/share
  • ./promote_replica_to_primary


  • SSH into appliance A as root.
  • Configure database replication as user postgres by running these commands
  • su - postgres
  • cd /opt/vmware/vpostgres/current/share/
  • ./run_as_replica -h FQDNofServer -b -W -U replicate
  • Note the FQDN of the server was the second node, which has been promoted to primary


  1. Enter the replicate user's password when prompted.
  2. Type yes after verifying the thumbprint of the primary machine when prompted.
  3. Enter the postgres user's password when prompted.
  4. Type yes when prompted with Warning: the base backup operation will replace the current contents of the data directory. Please confirm by typing yes
  5. Do a quick check to test which machine is the primary and which is the secondary



Instructions Step 4

Perform a test failback (appliance B to appliance A)

  • Connect to appliance B using SSH as root.
  • Stop the vpostgres service by running this command:
  • service vpostgres stop


  •  Connect to appliance A using SSH as root.
  • Promote the replica database to master as user postgres by running these commands
  • su - postgres
  • cd /opt/vmware/vpostgres/current/share/
  • ./promote_replica_to_primary


  • Connect to appliance B using SSH as root.
  • Configure database replication as user postgres by running these commands:
  • su - postgres
  • cd /opt/vmware/vpostgres/current/share
  • ./run_as_replica -h FQDNofServer -b -W -U replicate
  • Enter the replicate user's password when prompted
  • Type yes when prompted with: WARNING: the base backup operation will replace the current contents of the data


Validate replication

  • Connect to the appliance with the primary (master) database using SSH.
  • Validate if the WAL process is running. You should see the WAL process by running this command:
  • ps -ef | grep wal
  • Validate if the master is ready for read-write connections by running the commands below
  • It should say f indicating it is the master


  • You see output similar to the above
  • Quit psql by running \q
  • Connect to the appliance with the replica database using SSH.
  • Validate if the replica is read only using these commands:


  • Quit psql by running \q
  • If you now log into the VAMI page of the vRA appliances and check the database and cluster page you should see the following


Configuring monitoring of the VMware vRealize Automation appliance databases

Installing vRA 6.x certificates


Installing vRA certificates

This subject is a tricky one to navigate round so I have decided to try and simplify this as much as possible to get a good working procedure to carry out the replacement of certificates correctly and efficiently. The various components of VMware vRealize Automation (formerly known as VMware vCloud Automation Center) have different requirements for the certificates used for authentication

Certificates supportability matrix for vRealize Automation


Certificate trust requirements between VMware vRealize Automation components


  • * vRealize certificate thumbprint is stored in IaaS database during installation
  • ** SSO certificate thumbprint is stored in IaaS database during installation
  • *** Application Director and Orchestrator as an external instance are optional services

Update components Certificates in the following order

  • Identity Appliance
  • vCloud Automation vCenter Appliance
  • IaaS components

Step 1 Installing a Domain Certificate Authority

Note: This will normally be installed on a Domain Controller.

  • On Windows 2012 open Server Manager > Add Roles and Features


  • Click Next to accept the selections on the next 2 screens
  • Make sure to choose both Certification Authority & Certification Authority Web Enrollment on the Role Service screen


  • Choose Enterprise or Subordinate at the setup Type page (Note I am choosing Enterprise and this is in my lab)
  • Assuming this is your first CA, choose Root CA at the CA Type screen
  • Create a new private key
  • In Configure cryptography for CA, choose Microsoft Software Key Storage Provider and SHA1
  • Configure your CA name
  • Set validity period for the certificate generated by this CA

Step 2 Creating vCAC Certificate templates

We now need to create a non-standard Certificate Template, which is a copy of the standard Web Server template modified to allow for export of the certificate key. In addition, the Microsoft CA will be updated to allow for Subject Alternative Names (SANs) as specified in the Attributes.

  • Connect to the Root CA server or Subordinate CA server via RDP.
  • Click Start > Run, type certtmpl.msc, and click OK. The Certificate Template Console opens.
  • In the middle pane, under Template Display Name, locate Web Server.
  • Right-click Web Server and click Duplicate Template.


  • You should see the Compatibility tab
  • Select Windows Server 2008 R2 as the Certification Authority
  • Select Windows 7 / Server 2008 R2 under Certificate recipient


  • Click the General tab.
  • In the Template display name field, enter VMware-SSL as the name of the new template.


  • Click the Request Handling tab
  • Ensure that the Allow private key to be exported option is selected


  • Select Cryptography


  • Click Key Attestation


  • Click Server


  • Click Security


  • Click Extensions


  • Click the Edit button
  • Select the Signature is proof of origin (nonrepudiation) option.
  • Select the Allow encryption of user data option.


  • Click Application Policies


  • Click Superseded Templates


  • Click Subject Name


  • Click Issuance Requirements


  • Click OK to save the template.

Step 3 – Adding a new template to certificate templates

To add a new template to certificate templates:

  • Connect to the Root CA server or Subordinate CA server via RDP. Note: Connect to the CA server on which you intend to perform your certificate generation.
  • Click Start > Run, type certsrv.msc, and click OK. The Certificate Server console opens.
  • In the left pane, if collapsed, expand the node by clicking the [+] icon.
  • Right-click Certificate Templates and click New > Certificate Template to Issue.


  • Locate the VMware-SSL Certificate under the Name column.
  • Click OK.

A new template option is now created in your Active Directory Certificate Services node. This new template can be used in the place of Web Server for the vSphere 5.x CA certificate.

Step 4 – Checking the web enrollment page

If everything went as planned you will have a new certificate template type when submitting a CSR. If you don’t see your new template, you may not have appropriate CA rights to issue the certificate.

  • Navigate to https://yourcertificateserver/certsrv
  • You should see the template VMware-SSL available


Step 5 – Creating a certificate configuration file for the Identity appliance

Useful Link

  • Copy the below text into a notepad file and save it as a .cfg file
  • Modify the relevant parts of your appliance and company details
  • Note: you may have load balancers such as F5s, in which case you can also put the load balancer address in the subjectAltName section and the common name

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:techlabvri001, DNS:techlabvri001.techlab.local

[ req_distinguished_name ]
countryName = UK
stateOrProvinceName = London
localityName = Norwich
0.organizationName = Techlab
organizationalUnitName = vRA Identity
commonName = techlabvri001.techlab.local

  • So it should look like this for the Identity Appliance


Step 5b – Creating a certificate configuration file for the Automation appliance

Note: I have put in both my vRA appliance hostnames and my load balanced name as I am going to cluster the vRA appliances

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:techlabvra001, DNS:techlabvra001.techlab.local, DNS:techlabvra002, DNS:techlabvra002.techlab.local, DNS:f5.vra, DNS:f5.vra.techlab.local

[ req_distinguished_name ]
countryName = UK
stateOrProvinceName = London
localityName = Norwich
0.organizationName = Techlab
organizationalUnitName = vRA Appliance
commonName = f5.vra.techlab.local
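
A subjectAltName line whose entries are separated by spaces instead of commas, or a file that has lost its section headers, only shows up later as a certificate that does not cover the load-balanced name. The following Python check is an added example, not part of the original post or of any VMware tooling; the function names and the sample files (built from the hostnames used above) are constructed for illustration.

```python
import re

SAN_ENTRY = re.compile(r"(DNS|IP):\s*(\S+)")


def parse_req_config(text):
    """Parse the '[ section ]' / 'key = value' subset these .cfg files use."""
    sections, current = {"default": {}}, "default"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and padding
        header = re.fullmatch(r"\[\s*(\w+)\s*\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
        elif "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def check_req_config(text, required_names=()):
    """Return a list of problems; an empty list means the file passed."""
    cfg = parse_req_config(text)
    req = cfg.get("req")
    if req is None:
        return ["no [ req ] section: openssl req will not find its settings"]
    problems = []
    for pointer in ("distinguished_name", "req_extensions"):
        if req.get(pointer) not in cfg:
            problems.append(f"{pointer} points at a section that does not exist")
    if int(req.get("default_bits", "0")) < 2048:
        problems.append("default_bits is below 2048")

    ext = cfg.get(req.get("req_extensions"), {})
    if "CA:FALSE" not in ext.get("basicConstraints", "").replace(" ", ""):
        problems.append("basicConstraints should be CA:FALSE for a server certificate")

    # Every comma-separated SAN entry must be exactly one TYPE:value pair.
    names = []
    for entry in ext.get("subjectAltName", "").split(","):
        entry = entry.strip()
        if not entry:
            continue
        match = SAN_ENTRY.fullmatch(entry)
        if match:
            names.append(match.group(2).lower())
        else:
            problems.append(f"malformed subjectAltName entry (missing comma?): {entry!r}")
    if not names:
        problems.append("no usable subjectAltName entries")

    # The common name and every name clients will connect to must be in the SAN list.
    cn = cfg.get(req.get("distinguished_name"), {}).get("commonName")
    if not cn:
        problems.append("commonName is missing")
    for name in ([cn] if cn else []) + list(required_names):
        if name.lower() not in names:
            problems.append(f"{name} is not listed in subjectAltName")
    return problems


# Constructed sample: a well-formed request file for the clustered vRA appliances.
GOOD_CFG = """\
[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:techlabvra001, DNS:techlabvra001.techlab.local, DNS:techlabvra002, DNS:techlabvra002.techlab.local, DNS:f5.vra, DNS:f5.vra.techlab.local

[ req_distinguished_name ]
countryName = UK
organizationalUnitName = vRA Appliance
commonName = f5.vra.techlab.local
"""
# Constructed failure cases: commas dropped in the SAN list, and headers stripped.
BAD_SAN_CFG = GOOD_CFG.replace(", DNS:techlabvra002", " DNS:techlabvra002")
NO_HEADERS_CFG = "\n".join(l for l in GOOD_CFG.splitlines() if not l.startswith("["))
REQUIRED = ("techlabvra001.techlab.local", "techlabvra002.techlab.local",
            "f5.vra.techlab.local")

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CFG), ("bad SAN", BAD_SAN_CFG),
                       ("no headers", NO_HEADERS_CFG)):
        print(label, "->", check_req_config(cfg, REQUIRED) or "OK")
```

Run it against each .cfg before generating the CSR; once the CA has issued the certificate, a missing name can only be corrected by requesting a new one.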


Step 6 Update components certificates in the following order:

  1. Identity Appliance
  2. vCloud Automation vCenter Appliance
  3. IaaS components

Step 7 – Installing OpenSSL version 0.9.8.

Use the following steps to install OpenSSL, which will be used to request the required certificates.

Important: Ensure that you are using OpenSSL version 0.9.8. If you do not use this version, the SSL implementation will fail.

  • Ensure that the Microsoft Visual C++ 2008 Redistributable Package (x86) is installed on the system on which you want to generate the requests. To download the package, see the Microsoft Download Center
  • Download the Shining Light Productions installer for OpenSSL x86 version 0.98r or later from the link below. This software was developed by the OpenSSL Project
  • Launch the installer, proceed through the installation, and make a note of the appropriate directory for later use. By default, it is located at c:\OpenSSL-Win32.

Step 8 – Generating certificates for the vRA Identity Appliance and the vRA Appliance

  • Make sure you have your identity appliance and vra appliance config files in a folder (You will need to change the paths highlighted in blue to your own folder)
  • Open cmd.exe and change directory to c:\OpenSSL\bin
  • Run the following commands


openssl req -new -nodes -out F:\Software\vracerts\techlabvri001\rui.csr -keyout F:\Software\vracerts\techlabvri001\rui-orig.key -config F:\Software\vracerts\techlabvri001\vritemplate.cfg



vRA Appliance

openssl req -new -nodes -out F:\Software\vracerts\techlabvra001\rui.csr -keyout F:\Software\vracerts\techlabvra001\rui-orig.key -config F:\Software\vracerts\techlabvra001\vratemplate.cfg



Step 9 Convert the keys to the appropriate RSA format required by the appliances


openssl rsa -in F:\Software\vracerts\techlabvri001\rui-orig.key -out F:\Software\vracerts\techlabvri001\rui.key



openssl rsa -in F:\Software\vracerts\techlabvra001\rui-orig.key -out F:\Software\vracerts\techlabvra001\rui.key


  • Logon to the Microsoft CA Web Interface (https://ca-server/CertSrv)
  • Click on the Request Certificate > Advanced Certificate Request



  • Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
  • Open the rui.csr file for the vCAC Identity Appliance and then copy and paste the contents into the Base-64-encoded certificate request field.



  • Ensure you select the correctly configured Certificate Template


  • Click “Submit” to submit the request.
  • Select the “Base64 encoded” option on the Certificate Issued screen.


  • Click the “Download Certificate” link and save as rui.crt in the same location as your config file and CSR.


  • Repeat the above process for the vRA Appliance Certificate Request.
  • Next go back to https://techlabadc001.techlab.local/certsrv/
  • Click on “Download a CA certificate, certificate chain or CRL”.


  • Select the “Base64 encoded” option.
  • Click the “Download a CA Certificate Chain” link.


  • Save the certificate chain as cachain.p7b in your desired location
  • Double click the cachain.p7b file and navigate to yourlocation\cachain.p7b > Certificates


  • Right click the root certificate and select “All Actions > Export” and then click Next.


  • Select Base64-encoded X.509 (.CER) and click Next.


  • Save the export to your location/root64.cer and click Next.


Converting the Certificates to PEM Format

  • Launch a command prompt and navigate to your OpenSSL directory. By default this is located in c:\OpenSSL\bin
  • Run the following commands (replacing the path with your desired location) to convert the certificates to the format expected of the Virtual Appliances.


openssl pkcs12 -export -in F:\Software\vracerts\techlabvri001\rui.crt -inkey F:\Software\vracerts\techlabvri001\rui.key -certfile F:\Software\vracerts\Root64.cer -name "rui" -passout pass:testpassword -out F:\Software\vracerts\techlabvri001\rui.pfx


  • You should then see your pfx file in the Identity appliance folder


vRA Appliance

openssl pkcs12 -export -in F:\Software\vracerts\techlabvra001\rui.crt -inkey F:\Software\vracerts\techlabvra001\rui.key -certfile F:\Software\vracerts\Root64.cer -name "rui" -passout pass:testpassword -out F:\Software\vracerts\techlabvra001\rui.pfx


  • You should then see your pfx file in the vRA appliance folder


  • Next type the following commands


openssl pkcs12 -in F:\Software\vracerts\techlabvri001\rui.pfx -inkey F:\Software\vracerts\techlabvri001\rui.key -out F:\Software\vracerts\techlabvri001\rui.pem -nodes


  • You should now see the pem file


vRA Appliance

openssl pkcs12 -in F:\Software\vracerts\techlabvra001\rui.pfx -inkey F:\Software\vracerts\techlabvra001\rui.key -out F:\Software\vracerts\techlabvra001\rui.pem -nodes


  • You should now see the pem file



All of the above instructions worked for me but if the above command does not work to issue the PEM then try the below commands instead for vRA 6.2.

Someone reported that the pem creation syntax above seems to give the  error “unable to create keystore” when installing the cert in the identity appliance in vRA 6.2.

These commands are listed in the vRA 6.2 document at

VMware vRealize Automation Center 6.2

openssl pkcs12 -in C:\certs\identity\rui.pfx -clcerts -nokeys -out C:\certs\identity\rui.pem

openssl pkcs12 -in C:\certs\vcaca\rui.pfx -clcerts -nokeys -out C:\certs\vcaca\rui.pem

Importing the Certificate to your Identity Appliance

  • Login to your identity appliance on https://vCAC.ID.FQDN:5480
  • In my case https://techlabvri001.techlab.local:5480/
  • Click on the SSO tab.
  • Click on the SSL tab.


  • In the “Choose Option” field, click the drop down and select Import PEM encoded certificate.
  • Open the rui.key file for your vCAC ID appliance in a text editor.
  • Copy and paste the contents into the “RSA Private Key” field.


  • Open the rui.pem file for your vRA Identity appliance in a text editor.
  • Copy and paste the contents into the “Certificate” field.
  • Note: It is really important that it looks like the below certificate. If you get any random lines other than these, you need to remove them or it will not work.


  • Enter testpassword into the “Pass Phrase” field.


  • Click the “Replace Certificate” button
  • You should now see the certificate imported
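
The "random lines" in the note above are the Bag Attributes, subject= and issuer= lines that openssl pkcs12 writes between PEM blocks, and with -nodes the same rui.pem also carries the unencrypted private key. The following Python example is added here and is not from the original post: it keeps only the CERTIFICATE blocks, in file order, for the "Certificate" field. The function names and the sample input (placeholder bytes, not real certificates or keys) are constructed for illustration.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)


def pem_blocks(text):
    """Return [(label, der_bytes)] for each PEM block; text between blocks is ignored."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        body = "".join(match.group(2).split())  # join the wrapped base64 lines
        blocks.append((match.group(1), base64.b64decode(body, validate=True)))
    return blocks


def stray_lines(text):
    """Non-empty lines outside any PEM block (Bag Attributes, subject=, issuer=)."""
    return [ln for ln in PEM_BLOCK.sub("", text).splitlines() if ln.strip()]


def private_key_labels(text):
    """Labels of any private-key blocks present, e.g. ['RSA PRIVATE KEY']."""
    return [label for label, _ in pem_blocks(text) if label.endswith("PRIVATE KEY")]


def to_pem(label, der):
    """Encode DER bytes as a PEM block wrapped at 64 columns."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----"]) + "\n"


def certificate_field(text):
    """Return only the CERTIFICATE blocks: no attribute lines, no key material."""
    certs = [der for label, der in pem_blocks(text) if label == "CERTIFICATE"]
    if not certs:
        raise ValueError("no CERTIFICATE block found")
    for der in certs:
        if der[:1] != b"\x30":  # an X.509 certificate is a DER SEQUENCE
            raise ValueError("CERTIFICATE block does not start with a DER SEQUENCE")
    return "".join(to_pem("CERTIFICATE", der) for der in certs)


# Constructed sample: placeholder bytes laid out the way `openssl pkcs12 -nodes`
# writes its output. The CA name Example-Lab-CA is made up.
LEAF_DER = b"\x30\x82\x00\x60" + bytes(range(96))
ROOT_DER = b"\x30\x82\x00\x40" + bytes(range(64, 128))
KEY_DER = b"\x30\x82\x00\x20" + bytes(32)
SAMPLE_PKCS12_OUTPUT = (
    "Bag Attributes\n"
    "    friendlyName: rui\n"
    "    localKeyID: 01 02 03 04\n"
    "subject=/CN=techlabvri001.techlab.local\n"
    "issuer=/CN=Example-Lab-CA\n"
    + to_pem("CERTIFICATE", LEAF_DER)
    + "Bag Attributes: <No Attributes>\n"
    "subject=/CN=Example-Lab-CA\n"
    "issuer=/CN=Example-Lab-CA\n"
    + to_pem("CERTIFICATE", ROOT_DER)
    + "Bag Attributes\n"
    "    friendlyName: rui\n"
    "Key Attributes: <No Attributes>\n"
    + to_pem("RSA PRIVATE KEY", KEY_DER)
)

if __name__ == "__main__":
    print("stray lines:", len(stray_lines(SAMPLE_PKCS12_OUTPUT)))
    print("key blocks :", private_key_labels(SAMPLE_PKCS12_OUTPUT))
    print(certificate_field(SAMPLE_PKCS12_OUTPUT), end="")
```

Because the -nodes output holds the private key in clear text, delete rui.pem or restrict access to it once the import has succeeded.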


Importing the Certificate to your vRA Appliances

Note: Do this on both appliances!

  • Login to https://vRA.FQDN:5480
  • Click on the vRA Settings tab > Host Settings > SSL Configuration
  • In the “Choose Option” field, click the drop down and select Import PEM encoded certificate.
  • Open the rui.key file for your vRA ID appliance in a text editor.
  • Copy and paste the contents into the “RSA Private Key” field.
  • Open the rui.pem file for your vRA ID appliance in a text editor.
  • Copy and paste the contents into the “Certificate” field.
  • Enter testpassword into the “Pass Phrase” field.
  • Click the “Replace Certificate” button.

NOTE: If you are replacing the certificates after having registered the vRA VA against the vRA ID VA you will need to re-enter the SSO settings on the vCAC Server to ensure that communications between the VAs are trusted.

1. Login to https://vRA.FQDN:5480 
2. Click on the vRA Settings tab then under Host Settings
3. Click on the SSO tab.
4. Re-enter the SSO Admin User and SSO Admin Password details and then click “Save Settings”.

Not performing this step will result in an error as shown below.


You should now see it is successful


IaaS and Manager certificates

The order of operation is to first generate a PKCS12 formatted certificate. After a certificate is in PKCS12 format, it can be converted to PEM encoding and a DER encoded certificate can be generated from that PEM. In addition, an unencrypted key can be extracted from the PEM certificate

  • First I generated a new certificate template called vratemplate.cfg
  • I put in my 2 IaaS servers and the load balancer name in shorthand and FQDN.


  • Open cmd.exe as Administrator and navigate to the c:\OpenSSL\bin directory


  • Run the following command replacing the highlighted parts with your own paths
  • openssl req -new -nodes -out C:\vracerts\techlabias001\techlabias001.csr -keyout C:\vracerts\techlabias001\techlabias001.key -config C:\vracerts\techlabias001\vratemplate.cfg


  • You should see the following keys created


  • Run the following command in OpenSSL to convert the keys to the RSA format required by the appliances
  • openssl rsa -in C:\vracerts\techlabias001\techlabias001.key -out C:\vracerts\techlabias001\techlabias001.key


  • Next go back to the certificate request home page
  • Click Request a certificate


  • Select Advanced certificate request


  • Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.


  • Open the .csr file and copy the request into the box
  • Make sure you select your VMware-SSL certificate


  • Click Submit
  • Click on Download certificate and Base 64 encoded
  • Save this certificate in your certificate folder. I named it techlabias001


  • You will now see your certificate


  • In the same page click on Download certificate chain


  • Save the certificate as cachain.p7b


  • Double click on this file and open it in the certificates console


  • Export the root file


  • Select Base 64 encoded


  • Save the file as root64.cer
  • You will see it as per below in your folder


  • Go back to OpenSSL and run the command to convert the certificates to PKCS format
  • openssl pkcs12 -export -in C:\vracerts\techlabias001\techlabias001.crt -inkey C:\vracerts\techlabias001\techlabias001.key -certfile C:\vracerts\techlabias001\root64.cer -name techlabias001 -passout pass:testpassword -out C:\vracerts\techlabias001\techlabias001.pfx


You will now see your .pfx file in the folder

  • Next we need to import the CA issued certificate for the IaaS web server.
  • On the IaaS server, open the IIS Manager console.
  • Navigate to your Server instance, and open Server Certificates.
  • Select “Import” in the top right hand corner.
  • In File name, browse and select the PKCS file with the .pfx extension that represents the CA issued certificate for IaaS web server.
  • Type the password testpassword
  • Accept the default Place all certificates in the following store.
  • You should now see the imported certificate in your list
  • Navigate to your Default Web Site (the vCAC website) and select “Bindings”.
  • Select “https” and click “Edit”.
  • Click the SSL Certificate drop down and select your certificate, then click OK.

Note: The below information doesn’t need to be done. It’s just information I put here to remind me to look at in relation to replacing certificates

Register the new Certificate with the vCAC Appliance

  • Browse to c:\Program Files (x86)\VMware\vCAC\Server\Model Manager Data\cafe
  • Note: CAFE stands for Cloud Automation Framework Extensibility. Just in case you were wondering
  • Register the new certificates on your IaaS Server to the vCAC Appliance with the following set of commands:

vcac-config RegisterEndpoint --EndpointAddress https://techlabias001.techlab.local/vcac --Endpoint ui -v

vcac-config RegisterEndpoint --EndpointAddress https://techlabias001.techlab.local/vcac/SslCallback.aspx --Endpoint ssl -v

vcac-config RegisterEndpoint --EndpointAddress https://techlabias001.techlab.local/Repository --Endpoint repo -v

vcac-config RegisterEndpoint --EndpointAddress https://techlabias001.techlab.local/WAPI --Endpoint wapi -v

vcac-config RegisterEndpoint --EndpointAddress https://techlabias001.techlab.local/WAPI/api/status --Endpoint status -v

  • Now you need to follow the exact same steps to generate the manager certificate


VMware vRealize Automation 6.2.2 Monitoring and Reclamation Part 7


Monitoring and Reclamation

In vRA we need to know what to do when we need to identify and reclaim unused or underused resources and put in an automated solution to manage these.

Reclamation stages

  • Identify

Through endpoint discovery and data collection, vRA creates a list of machines and their characteristics. Using filtering capabilities, administrators can identify machines for reclamation, which could be machines which have been powered off, machines that average low usage and machines where the users have left or been disabled in AD

  • Verify

After machines are identified, they are validated before being reclaimed. vRA uses workflows to assist customers with the process, along with approval processes

  • Reclaim

Once machines are identified for reclamation, vRA goes through the process of reclaiming. Some machines may need to be archived before being removed completely.

  • Improve

Reclamation is designed to improve efficiency and use. Reporting and cost savings are used to manage machines in order to track and monitor environments

Where is Reclamation in vRA?

Tenant Administrators perform reclamation tasks

  • Go to Administration > Tenant Machines > Reclamations
  • The below page appears


  • The tenant administrator can search for underused machines by CPU, memory, disk, network use or idle machines  (Idle meaning a machine which is powered on but with no statistics)



Reclamation Requests and Notifications

The tenant administrator submits a reclamation request specifying the lease length and reason for the request which can then be monitored

  • Go to Administration > Tenant Machines > Reclamations
  • Select the machine you want to use
  • Click Reclaim Virtual machines


  • The next screen has 3 options
  • New lease length (A new amount of lease time is assigned to the machine. If the owner does not respond to the lease request, the machine is powered off and destroyed, if no archive period was set in the blueprint)
  • Wait before forcing lease (days) (This is the time within which the owner of a machine must respond to prevent a new lease from being applied to the machine)
  • Reason for request


  • If an archive period was set, the machine is expired and cannot be powered on until the lease is reset
  • If the lease is not reset at the end of the archive period, the machine is destroyed and the resources are reclaimed
  • Go to the Inbox of the owner. As this is me, I just click Home > My Inbox and I can see the reclamation request which has come in to me


  • Click on this request and select an option
  • One of 3 actions can be taken on a reclamation request
  • The machine owner can select Release for reclamation where the machine is reclaimed and immediately destroyed if no archival period was specified in the blueprint
  • The machine owner can select Item in use. No action is taken and the administrator is notified that the machine should still be used
  • The machine owner can take no action. In this case the machine is assigned a new lease based on the reclamation request. If the owner does not respond, it is powered off and destroyed if no archival period was set. During the archival period, the machine cannot be powered on until the lease is reset


There are 3 states of reclamation requests

  • Pending (Request submitted to the machine owner)
  • Approved (The machine owner has released the machine for reclamation)
  • Rejected (The machine owner has responded that the machine is still in use)

Machine Leases

These are the time periods given to a machine which determine how long they should be active for. Machine leases are used by tenant admins and business group managers

  • Leases can be assigned to blueprints
  • Leases can be assigned to a machine after it is provisioned
  • Leases can be changed after a machine is provisioned
  • If a lease is not assigned then the machine does not have an expiration date
  • Multimachines have one lease date which is applied to all machines in the service

Home Page Portlets

Tenant Administrators can monitor and report reclamation savings by adding portlets to the home page

  • Log into https://vRA_Appliance.FQDN/shell-ui-app
  • Click Home and at the right side of the screen, click the pencil icon and select Add Portlets


  • Choose the portlets you want
  • They can then be dragged and re-arranged on your home page


  • Users can add portlets but if they don’t have permissions then no data will appear


  • You can also export data as a .csv file



VMware vRealize Automation 6.2.2 Extensibility, Orchestrator and ASD Part 6



There are several challenges involved with automating self service provisioning to enforce governance, minimise user input and provide audit and accounting functionality. vRA can be transformed by using extensibility products such as Advanced Service Designer and VMware vCenter Orchestrator

vCenter Orchestrator

  • Library of workflows and plug-ins which include VMware and partner developed solutions which facilitate integration with existing tools and infrastructure
  • Orchestrator comes built in with vRA or an external Orchestrator server can be used in place of the built in server
  • Blueprints can be created from vCenter Orchestrator workflows and published as catalog items
  • Includes an API which allows an external ecosystem of partners to develop reusable plugins.
  • Using cluster mode configuration, a collection of Orchestrator nodes can work together and share a common database
  • The extended REST API allows automatic configuration and installation of the necessary vCenter Orchestrator nodes
  • The extended REST API also provides dynamic scale up and scale down of the orchestration capacity when Orchestrator is used with an external load balancer
  • Fully equipped with a workflow debugger

Advanced Service Designer

  • Service Architects can create and publish advanced services to the service catalog. Using the capabilities of ASD, custom resources can be created and mapped to vCenter Orchestrator types and defined as items to be provisioned and managed.
  • Allows administrators to add custom logic to any of the 10 built in IAAS customisable workflows
  • IAAS workflows are created using MS Windows Workflow Foundation which is a part of .NET Framework 4
  • vRA also contains 6 state change workflow templates that can be edited to contain custom logic. These can call out to vRA for bidirectional integration with external management systems
  • You can create up to 4 custom menus
  • Provides a visual workflow editor for customising IAAS workflows

Use cases for extensibility

  • Leverage existing infrastructure and future infrastructure (Multivendor and Multicloud)
  • Configure personalised business relevant services by using custom properties or metadata tags
  • Integration with 3rd party management systems (CMDB, iPAM, Load Balancers and Service Desk apps)
  • ASD is a new feature in vRA 6. Administrators can leverage vCenter Orchestrator workflows and plugins and create new Day 2 operations as custom services
  • vRA provides a RESTful API which can be used to call vRA application and infrastructure services from third party or custom applications


Available plugins can be found at

Custom Services

The following are examples of what can be done

  • New employee onboarding
  • E-mail box setup
  • Storage and networking services
  • Backup and recovery
  • Security and compliance
  • Software install/update
  • Password management

Cloud Util

CloudUtil is a command line interface to Model Manager. It enables admins to install, configure and update entities in the Model Manager. It also

  • Creates and manages skills
  • Stores and manages files
  • Installs custom machine operations

With a vRA Development Kit License, additional functionalities are available such as

  • Installing and managing custom workflows and models created in MS Visual Studio
  • Install custom models and supporting assemblies
  • Generate client classes for a custom model
  • Install custom events and schedules used to trigger workflows
  • Install new workflows

The ASD Console

The Toolbox pane

The Toolbox pane provides access to the vRA workflow activity library where activities for using PowerShell and vCenter Orchestrator integrate vRA with external systems. Common activities used in workflows include

  • InvokeRepositoryWorkflow = Executes a workflow installed in Model Manager
  • GetMachineName = Gets a machine’s name
  • GetMachineOwner = Gets a machine’s owner
  • GetMachineProperties = Gets the list of custom properties associated with a machine
  • GetScriptFromName = Gets the contents of the script stored in the Model Manager under the specified name
  • InvokePowerShell = Executes a PowerShell command
  • InvokeSshCommand = Executes an SSH command
  • LogMachineEvent = Logs a machine event to the user log that is visible to the machine owner
  • RunProcess = Executes a process on the same machine as the DEM that executes this activity
  • SendEmail = Sends an email to the given set of addresses
  • SetMachineProperty = Creates or updates a custom property on the machine
  • InvokeVcoWorkflow = Calls a vCenter Orchestrator workflow and blocks further execution of its parent vRA workflow until the vCenter Orchestrator workflow completes
  • InvokeVcoWorkflowAsync = Calls a vCenter Orchestrator workflow and continues to execute activities in vRA without waiting for the vCenter Orchestrator workflow to complete

Extending built in Workflows using Workflow templates

Using ASD, the 10 out of the box workflow templates can be modified to implement custom logic. 6 of these are State change templates and 4 are menu operation workflow templates

The 6 State Change Templates

Each of these 6 state change templates maps to a specific state of the machine lifecycle. They can be modified and then referenced against a blueprint so the customisation can be applied to a machine derived from that template. As an example, all machines might require a custom name derived from a naming convention. Using the WFStubBuildingMachine workflow template could meet this requirement

The 4 Menu Operation Workflow Templates

These 4 templates can be used to implement 4 custom menus with their own functionality. Menu operation workflows are implemented when a user selects a menu from the vRA console. An example could be a menu that enables a user to backup a machine

Defining variables

Defining variables is a critical step in the extensibility process. You must define the information that the workflow requires and the source of that information.

For example, the MyScriptText variable is a string and is used to identify the custom code to be loaded from the PowerShell script which is loaded into Model Manager

Adding State Change Workflow Template to a Blueprint

  • Go to Infrastructure > Blueprints > Blueprints > Edit your Blueprint
  • Select Properties
  • Select New Property


Workflow Versioning

You can always revert to a previous version of a workflow stub by loading the version you want and sending it back. This does not overwrite the existing version; it creates a more recent version which becomes the default version. The Model Manager might store and display multiple versions of a workflow but the DEMs always execute the most recent version of a workflow and not earlier versions

Working with a vCenter Orchestrator Workflow

Workflows can be called synchronously or asynchronously. Some workflows require user interaction and the prompt appears in the vCenter Orchestrator client rather than vRA. To avoid this don’t use workflows which require user interaction from vRA

  • Synchronous

The InvokeVcoWorkflow activity calls a vCenter Orchestrator workflow and blocks further execution of its parent vRA workflow until the vCenter Orchestrator workflow completes

  • Asynchronous

The InvokeVcoWorkflowAsync activity calls a vCenter Orchestrator workflow and continues to execute activities in the vRA workflow without waiting for the vCenter Orchestrator workflow to complete

vCenter Orchestrator as an endpoint

vRA must be defined as an endpoint to use vCenter Orchestrator

Workflows are built mainly by using existing building blocks

  • Workflows
  • Actions
  • Resource Elements
  • Predefined scriptable tasks

There are more than 200 ready to use workflows included with vCenter Orchestrator

vCenter Orchestrator integration techniques

  • Create a vCenter Orchestrator endpoint in vRA

Using an endpoint, vRA can invoke vCenter Orchestrator workflows

At least one vCenter Orchestrator endpoint is required

Each endpoint must have a unique priority

  • Install vRA plug-in into vCenter Orchestrator

Using a plug-in, vCenter Orchestrator can manage vRA entities

A plug-in automates the configuration of vRA IAAS workflows

A plug-in includes many predefined workflows

Configure an embedded vCenter Orchestrator

vRA includes a built in version of Orchestrator which can be used for running workflows in addition to separate external Orchestrator services

  • Putty into the vRA appliance (where the embedded Orchestrator is)
  • First start the vco-server service
  • Type service vco-server start


  • Next start the vco-configurator service by logging into the vRA appliance via Putty and typing service vco-configurator start


  • Navigate to https://your-VA-appliance:8281/vco


  • If you have an issue accessing the Orchestrator webpages, you can check in vRA whether the Orchestrator service is connected by clicking Test Connection


  • If you experience connection issues you can also type vcac-vami vco-service-reconfigure in the vRA appliance putty page
  • If you encounter a Diffie Hellman error please google for fixes
  • Type https://your-vRA-appliance:8281
  • You should see this page. Click Start Orchestrator client


  • You should see a few prompts such as below from Java


  • Log in


  • You should now see the Orchestrator application


  • In order to configure Orchestrator type in https://your-vRA-server:8283/vco-config/ to access the appliance configuration


  • The default username and password is vmware and vmware
  • You will be prompted to change it
  • Password must have an uppercase letter and a special character


  • You should now be logged into Orchestrator configuration webpage
  • Have a click through the configuration options
  • I clicked on Network and changed the IP address from to my vRA appliance address


  • You need to add the vCenter certificate in to the SSL Trust Manager. You will also need to add the Platform Services Controller if you use this with vSphere 6


  • You need to add your IAAS Server with the FQDN and add the vRA appliance if this is not here but mine already was. (if it is embedded and not external)


  • You should see your certificates


  • Next go back and log into your vRA appliance https://vRA_Appliance.FQDN/shell-ui-app
  • Go to Infrastructure > Endpoints > Credentials > Add new credentials


  • Put in vCO as the Name
  • Put in administrator@vsphere.local as the username
  • Put in the password


  • Go to Endpoints > New Endpoint > Orchestration > vCenter Orchestrator


  • Fill in the details


Install the vSphere Orchestrator Client

  • Go to https://vRA_Appliance.FQDN:8281/vco
  • Click Start Orchestrator client


  • I got an error saying Windows cannot open .jnlp files so I had to select open with then navigate to my java folder and choose javaws
  • Whatever you do don’t update from version 1.7 to 1.8 or things will break
  • You should then see the below 2 screens



  • You should then see the logon screen for vCO appear


  • A certificate warning will appear


  • vCenter Orchestrator will now open


  • Click Administer


  • Expand VCAC and Active Directory in the Inventory section. You should see these are empty although there may already be something in vCloud Automation Center


  • Select Run
  • Go to Workflows
  • Go to Library > Microsoft > Active Directory > Configuration > Configure Active Directory


  • Click Start Workflow
  • Put in the following details


  • Click Use a Shared Session
  • Put in your credentials


  • Next in the same Workflow screen, navigate to Library > vCloud Automation Center > Configuration > Add the IAAS host of a vCAC host


  • Right click on Add the IaaS host of a vCAC host and select Start Workflow


  • Click Next


  • Click Next


  • Click Next


  • Click Submit
  • You should see a green tick and confirmation in the events screen on the right that everything has started


Configuring the vRA workflows templates from vCenter Orchestrator

  • In Orchestrator, navigate to the below menu in Workflow view


  • Right click Install vCO customization and select Start Workflow
  • In the Install vCO customization dialog box choose Not Set and select your vRA server


  • Click Next


  • Click Next


  • Click Submit


  • If you now go back to the ASD and click Load, you will see the new versions of the state change templates (Note you may need to install ASD first, in which case there are instructions further down this post)


Configuring a state change workflow from vCenter Orchestrator

  • Go to https://vRA_Appliance.FQDN/shell-ui-app
  • Go to Infrastructure > Blueprints > Blueprints > Edit your Blueprint
  • If any custom properties are attached to the blueprint then remove them
  • Next log into vCenter Orchestrator > Library > vCloud Automation Center > Infrastructure Administration > Extensibility


  • Right click Assign a state change workflow to a blueprint and select Start Workflow
  • Click Not set and choose the vRA server



  • Click the Array field


  • Click Insert Value


  • Expand down until you can see your Blueprint


  • Click Add
  • Click Select


  • Click Accept > Next
  • Click on Workflow template


  • Type Tools into filter > Select Mount tools installer


  • Click Select
  • Select Submit


  • Go to https://vRA_Appliance.FQDN/shell-ui-app
  • Click Infrastructure > Blueprints > Blueprints and edit your blueprint
  • Click Properties
  • Review the settings. You can see that Orchestrator added the new required custom property


  • You can then go through the process of requesting a VM and seeing if it has indeed mounted the CD Drive

Installing the ASD

  • Go to https://vRA_Appliance.FQDN:5480/installer
  • Click vRealize Automation Designer


  • On the Welcome Page click Next


  • Accept the License agreement


  • Check the location for the install is correct and click Next


  • Put in the IAAS server FQDN. In my case it is dacvtst003.dacmt.local
  • Put in a username and password


  • Click Install


Configuring ASD Endpoints for VMware vCenter Server

  • Log into https://VRA_Appliance.FQDN/shell-ui-app
  • Go to Administration > Users and Groups > Custom Groups
  • Add an AD group and add to Service Architects


  • Click Next


  • Next go to Administration > Orchestrator Configuration > Endpoints
  • Click Add


  • Choose Active Directory from the drop down menu


  • Type a name. I’ve just called mine Active Directory


  • Type in the details


  • Next add an endpoint for vCenter


  • Put in a name


  • Fill in all details


  • Add a user and password


  • You should now see your 2 endpoints


  • Log out of vRA and you may need to log out of the server and back in again. As you can see below this will add the Advanced Service Designer tab to vRA



Create and publish a service to change an AD Users password

  • Log into https://VRA_Appliance.FQDN/shell-ui-app
  • Click the Advanced Services tab
  • Select Service Blueprints
  • Click the + sign next to Service Blueprints


  • Expand Library > Microsoft > Active Directory > User
  • Click Next


  • Click Next


  • Click the pencil icon to bring up the edit box and change the name to user and the type to search


  • Click Submit
  • Click Next


  • Click Add
  • In the list of Service Blueprints select Action > Publish


  • Go to Administration > Catalog Management > Services


  • Add a name for the password service and set to active


  • Select Catalog Items
  • Select your service and select Configure


  • On the Service drop down, select User Password Support or whatever you have named your service


  • Click Update
  • Now select Entitlements from the left hand menu and click Add


  • Put in a name and set to active and add the relevant users and groups


  • Click Next
  • Click Entitled Services and add your service


  • Log out and in again and check that when you click on the catalog tab that you see the Change a user password service


Looking further into Advanced Service Designer

  • On the desktop, click vRealize Automation Designer
  • On the vRA Automation Designer ribbon, click Load


  • You will get the following box


  • Select the WFStubBuildingMachine workflow stub. If multiple versions exist, select the revision 0 version


  • You should see the below screen


  • In the Try area, double click the Building Machine activity


  • Double click the Custom Code activity as highlighted above


  • At the bottom of the design surface in the middle pane, click Variables and click Create Variable


  • Add the following variables
  • Name = HelloMsg
  • Variable Type = String
  • Scope = Custom Code
  • Default = “Hello User”


  • In the Toolbox pane on the left hand side, drag the SetMachineProperty activity to the design surface underneath Start
  • Connect Start to SetMachineProperty by pointing to the bottom of Start and dragging a connecting Line between them


  • Select the SetMachineProperty activity and set the following properties in the Properties pane on the right panel


  • Click Send on the top menu
  • Click ok to the message Send Workflow to Model Manager


  • In the success dialog box, click OK


Assign the Building Machine Workflow to a blueprint

  • Log into https://vRA_Appliance.FQDN/shell-ui-app
  • Go to Infrastructure > Blueprints > Blueprints
  • Edit your Blueprint
  • Click Properties > New Property
  • Add 2 custom properties to the blueprint
  • Click the green tick when complete and click OK


  • Logout and log in again
  • Go to Catalog and request your VM
  • Monitor the build in Requests
  • Once built go to Items select your machine and click the View Details tab


  • Click the Properties tab and check the value





VMware vRealize Automation 6.2.2 Configuration and Management Part 5


Cost Profiles

Fabric administrators can associate compute resources and physical machines with cost profiles to enable calculation of a machine’s cost. The cost is displayed to machine owners, requesters, approvers, and administrators at various points in the request and provisioning life cycle.

A cost profile includes the following values for daily cost:


Cost per GB of memory capacity specified in the virtual blueprint or installed in the physical machine


Cost per CPU specified in the virtual blueprint or installed in the physical machine


Cost per GB of storage capacity as specified in the virtual blueprint (not used for physical machines, because storage attached to physical machines is not discovered or tracked)

For finer definition of storage cost for virtual machines, you can also associate each known datastore on a compute resource with a storage cost profile. A storage cost profile contains only a daily cost per GB of storage. If you assign a storage cost profile to a datastore, this storage cost overrides the storage cost in the cost profile assigned to the compute resource.

For virtual machines, the machine cost is calculated from the cost profile and storage cost profile on the compute resource, the resources it consumes, and the daily blueprint cost. You can use the blueprint cost to represent a markup for using the machine in addition to the resources that the machine consumes, for example to account for the cost of specific software deployed with that blueprint.

For physical machines, the machine cost is calculated from the cost profile on the machine, the CPU and memory on the machine, and the daily blueprint cost. You can use the blueprint cost to represent such factors as storage cost or additional costs for using the machine.

You cannot apply cost profiles to machines provisioned on Amazon Web Services or Red Hat OpenStack. For machines provisioned on these cloud platforms, the only cost factor is the daily cost in the blueprint from which it was provisioned. The cost for vCloud Director vApps includes any cost profile and storage cost profile on the virtual datacenter and the blueprint cost.
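The cost rules above as a worked example. This is an added illustration, not part of the original post or VMware's own code; it assumes the components are simply summed per day, and every name and rate in it is constructed.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Optional

# Platform kinds, following the cases described in the text.
VIRTUAL = "virtual"      # e.g. vSphere virtual machine
PHYSICAL = "physical"    # physical machine
CLOUD = "cloud"          # Amazon Web Services or Red Hat OpenStack
VAPP = "vapp"            # vCloud Director vApp


@dataclass(frozen=True)
class CostProfile:
    """Daily rates from a cost profile (constructed field names)."""
    per_gb_memory: Decimal
    per_cpu: Decimal
    per_gb_storage: Decimal


@dataclass(frozen=True)
class Machine:
    platform: str
    cpus: int
    memory_gb: int
    storage_gb: int
    blueprint_daily_cost: Decimal
    cost_profile: Optional[CostProfile] = None
    # Daily cost per GB from a storage cost profile on the datastore, if any.
    storage_profile_per_gb: Optional[Decimal] = None


def daily_cost(m: Machine) -> Decimal:
    """Return the daily cost of a machine under the rules in the text.

    Assumption: the individual components are added together.
    """
    if m.platform not in (VIRTUAL, PHYSICAL, CLOUD, VAPP):
        raise ValueError(f"unknown platform: {m.platform!r}")

    total = m.blueprint_daily_cost

    # AWS / OpenStack: cost profiles cannot be applied, blueprint cost only.
    if m.platform == CLOUD:
        return total

    profile = m.cost_profile
    if profile is not None:
        total += m.cpus * profile.per_cpu
        total += m.memory_gb * profile.per_gb_memory

    # Physical machines: attached storage is not discovered or tracked.
    if m.platform == PHYSICAL:
        return total

    # Virtual machines and vApps: a storage cost profile on the datastore
    # overrides the storage rate in the compute resource's cost profile.
    if m.storage_profile_per_gb is not None:
        storage_rate = m.storage_profile_per_gb
    elif profile is not None:
        storage_rate = profile.per_gb_storage
    else:
        storage_rate = Decimal("0")
    return total + m.storage_gb * storage_rate


def sample_machines() -> dict:
    """Constructed sample data: one machine spec priced four ways."""
    profile = CostProfile(Decimal("0.50"), Decimal("1.00"), Decimal("0.02"))
    base = dict(cpus=2, memory_gb=4, storage_gb=40,
                blueprint_daily_cost=Decimal("1.50"), cost_profile=profile)
    return {
        "virtual": Machine(platform=VIRTUAL, **base),
        "virtual_tiered": Machine(platform=VIRTUAL,
                                  storage_profile_per_gb=Decimal("0.05"),
                                  **base),
        "physical": Machine(platform=PHYSICAL, **base),
        "cloud": Machine(platform=CLOUD, **base),
    }


if __name__ == "__main__":
    for name, machine in sample_machines().items():
        print(f"{name:15} {daily_cost(machine)} per day")
```

The same 2 vCPU / 4 GB / 40 GB request is priced differently depending on where it lands, which is the figure an approver sees when reviewing a request.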

Create a Cost Profile 

Fabric administrators can create cost profiles and associate them with compute resources to enable calculation of a machine’s cost.

  • Select Infrastructure > Compute Resources > Cost Profiles.


  • Click New Cost Profile
  • Type new values in for each resource


  • You can also add a Storage Cost Profile for storage of different performance capabilities such as High, Medium and Low cost storage

Using Custom Properties on Blueprints

You can modify a machine using custom properties throughout the lifecycle of the machine

  • Request
  • Provision
  • Manage
  • Retire

As an example they can modify the following

  • Specify the WIM image or PE environment image to use for install
  • Define the number of cores per socket
  • Place the machine in an OU
  • Place the machine in an inventory folder in vCenter
  • Change the network a machine is attached to
  • Update a CMDB

Custom properties can be defined for the following objects

  • Business Groups
  • Compute Resource
  • Build Profiles
  • Reservations
  • Endpoints
  • Blueprints
  • Storage

Useful Link

Set up Custom Properties

As an example I want to add a custom property to a blueprint which puts my machine in a specific folder in vCenter

  • Go to Infrastructure > Blueprints > Select your blueprint and click Edit
  • Click on the Properties tab


  • Add in VMware.VirtualCenter.Folder and type in the name of the vCenter inventory folder that provisioned machines should go into. In my case I have called it vRA.
  • Next go to Infrastructure > Groups > Business Groups > Click edit on your business group


  • Click New Property
  • Type in the name and value of your custom property.
  • Name = VMware.VirtualCenter.Folder
  • Value = vRA


  • Go to Catalog and request a Virtual Machine again
  • Once deployed, check vCenter has deployed the machine to the vRA folder and not the vRM folder


Add Location Information

  • Go to c:\Program Files (x86)\Vmware\vCAC\Server\Website\XmlData
  • Right click DataCenterLocations and click Edit
  • Copy the line with Boston in it and paste it underneath


  • Change all instances of Boston in the pasted line to a new location


  • Save the file
  • Go back to your vRA webpage and go to Infrastructure > Blueprints > Blueprints
  • Click Edit on your Blueprint
  • Click the Display Location on request


  • Click OK and logout
  • Log back in and go to Infrastructure > Compute Resources > Compute Resources
  • Click Edit
  • From the location menu click the location you want


Other Custom Property Options

  • Hostname

This can be used to prompt a user to put in a hostname other than the one defined by the machine prefix on the blueprint

  • VirtualMachine.Admin.ThinProvision

This option forces a new machine to be thin provisioned on the storage device


Build Profiles

A build profile is a set of properties to be applied to a machine when it is provisioned. It can be used for the following

  • Determining the spec of a machine
  • Determine how the machine is provisioned
  • Determine the operations to be performed after the machine is provisioned
  • Manage information about the machine

Build Profiles are attached to Blueprints and the spec of the build profile is available to business group users who have access to the blueprints

Build Profiles are constructed from default property sets or custom properties. Default sets include

  • ActiveDirectoryCleanupPlugin
  • CitrixDesktopProperties
  • PxeProvisioningProperties
  • SysprepProperties
  • VmwareXXXXXProperties

Creating a Build Profile

  • Go to Infrastructure > Blueprints > Build Profiles


  • Click New Build Profile
  • Add a name and description
  • From the Add from property set drop down list, select ActiveDirectoryCleanUpPlugin


  • In the Plugin.AdMachineCleanup.UserName, click Edit and add the username of a domain admin. In my case dacmt\administrator
  • In the Plugin.AdMachineCleanup.Password, click Edit and add the password of a domain admin
  • Make sure you click the green tick to confirm the changes
  • Logout
  • Login again
  • Click Infrastructure > Blueprints > Blueprints
  • Click Edit on your Blueprint
  • Click the Properties tab
  • Select the Remove from AD Build build profile


The Property Dictionary

The Property Dictionary can be used with custom properties to create a customised interface. You can statically or dynamically define the interface with the following data specification options

  • Data validation
  • Defined constraints on data values
  • Tooltip
  • Optional data
  • Ordered user control layouts

Using the Property Dictionary helps stop mistakes which occur when the data value of a custom property is passed into extensibility tools like Orchestrator and Powershell

When users request new machines they are prompted for these custom properties in the form of a required text box, drop down menu or buttons and more

  • Go to Infrastructure > Blueprints > Property Dictionary
  • On the Property Dictionary page, click New Property Definition


  • Fill in the required details
  • Click required and then click the green arrow


  • Click Edit under Property Attribute


  • Click New Property Attribute


  • Add in the below values


  • Log off
  • Log on again and go to Infrastructure > Blueprints > Blueprints and edit your blueprint and select the Properties tab
  • Select New Property


  • Type Custom.StorageTier into the name and leave the value blank with Prompt user selected


  • Click OK
  • Go to Catalog > Request your machine
  • Look at the new option you have on the interface for Storage Tier


  • Note: vRA does not directly use storage tiering. You have to use custom properties and workflow modification with vSphere PowerCLI or Orchestrator

Approval Policies

Any catalog item or entitled action can be subject to an approval. The Approval Policies must first be defined by either a tenant administrator or a business group user and set as active before they appear in an entitlement

There can be multiple levels of approval, with different Boolean conditions determining how the policy can be approved across these levels.

Active and Linked approvals can only be cloned not edited

Creating an Approval Policy

  • Click the Administration tab > Users and Groups > Custom Groups
  • Search for the user or group you want to add as an approver


  • Click Next
  • Add in the users who you want to be Approvers


  • Next go to Administration > Approval Policies


  • Click Add


  • Click OK
  • I am going to create a vCPU approval policy
  • Put in the name and set to Active


  • Click the green plus sign next to Levels
  • Fill in the required information


  • Click Add and Add again
  • Log out
  • Log in again
  • Click Administration > Catalog Management > Entitlements
  • Highlight your Blueprint and click Edit


  • Click Items and Approvals
  • Click Entitled Catalog Items and Modify Policy


  • Click the drop down menu and select your policy. Note apologies I had to recreate mine as CPU > 2


  • Click on Catalog > Request and select your VM
  • Change the vCPUs to 4


  • Click Submit
  • Now look at the Request tab where we should see the request sitting in the pending approval status


  • If you click on the request and select view details, it will show you who is the approver


  • Click on Inbox > Approvals as I am already logged in as myself as the approver


  • Click View Details and select whether to Approve or Reject


  • This concludes the configuration and management Part 5
  • Part 6 will go into more of the extensibility options like Advanced Service Designer and Orchestrator



VMware vRealize Automation 6.2.2 Configuration and Management Part 4



Blueprints are used to define a machine’s attributes and methods of provisioning. These blueprints are then added into the Service Catalog ready for users to provision machines. There are 4 different types

  • Cloud
  • Physical
  • Virtual
  • Multimachine (New in vRA 6)

A user can request VMs if the below conditions are met

  • The Blueprint is published as a catalog item
  • The item is added to a service
  • The user is entitled to use the service

Configuring Blueprints

  • Go to Infrastructure -> Blueprints -> Blueprints


  • Click New Blueprint > Virtual > vSphere (vCenter)


  • Put in a name. I am going to call mine Windows2012Blueprint
  • Put in a description
  • (Optional) Select the Master check box to allow users to copy your blueprint.
  • (Optional) Select the Display location on request check box to prompt users to choose a datacenter location when they submit a machine request. This option requires additional configuration to add datacenter locations and associate compute resources with those locations
  • (Optional) Choose your reservation policy
  • Choose the machine prefix you have previously set up
  • Choose the maximum amount of VMs which can be deployed from this blueprint per user
  • Specify the number of days to archive machines provisioned from this blueprint, just keep it at 0 for now. Archive defines the number of days that an expired virtual machine remains available for activation. A zero value destroys the VM upon expiration
  • Add in any additional costs for chargeback purposes. These costs will be added to anything that is set in a cost profile, so you can add in an OS licensing cost or specific application cost for this VM


  • Click Build Information
  • The build information tab options define the type of blueprint, the provisioning action and the associated workflow
  • In Blueprint type, the options are Server / Desktop / Hypervisor
  • In Action, the options are Create, Clone, Linked Clone and NetApp FlexClone. Using the Create option creates an empty container. The clone option creates a new machine as a full copy and the Linked Clone option deploys a space efficient copy based on snapshots and chains of delta disks


  • Next, the blueprint provisioning workflow options vary depending on what blueprint action you selected
  • Next we need to select a template to clone from


  • Next Choose a customisation spec. A customization specification is required only if you are cloning with static IP addresses. However, you cannot perform any customizations of Windows machines without a customization specification object. For Linux clone machines, you can use a customization specification, an external script, or both to perform customizations.


  • In Machine Resources, you can define the maximum and minimum resources that can be chosen by a user who wants to provision a VM from this blueprint. It’s optional but you can specify maximum amounts of vCPU, RAM, and HDD space that can be assigned to this blueprint, which gives a user the ability to customize to their specific application
  • Next click the Properties tab
  • Additional information can be provided during the provisioning process using Custom Properties
  • Custom Properties can be used throughout the lifecycle of a machine


  • Options for customising properties can include

Specifying the O/S to be used during provisioning

Customizing the O/S

Link for Custom Properties for Basic Workflow Blueprints

Integrating the machine with an external system

  • Click the Actions tab
  • Actions identify the operations that can be carried out on a VM provisioned from a blueprint with additional custom actions being defined in Advanced Services Designer and entitled to users


  • Click OK to finish
  • You should now see your blueprint


Publishing a Blueprint

  • Navigate to Infrastructure > Blueprints > Blueprints. Highlight your new blueprint and click on Publish to publish the blueprint to the vRA catalog


  • You should now see that it is published

Service Catalog

The Service Catalog is a self service portal where users can locate the items they want to request and track requests and manage provisioned items.

Using Service Categories, catalog items can be organised into containers such as Linux, Windows or User Support

  •  Go to Administration > Catalog Management > Services. Click on the green “+” sign to add a new service.


  • Fill in the required data and choose an icon as necessary to reflect the Service, in my case Windows


  • You should now see your service


  • Click on Manage Catalog Items. A catalog item must be associated with a service before it can be requested


  • Click the green + sign


  • Choose your catalog item. In my case the Windows2012 item


Create an Entitlement to the catalog item

  • Go to Administration > Catalog Management > Entitlements and click on the green “+” mark


  • Fill in your details


  • Click Next
  • Click the green + sign next to Entitled Services and select your service


  • Click the green + sign next to Entitled Catalog items and select your Catalog item


  • Click the green + sign next to Entitled Actions and select your Actions


  • Click OK and you should now see your entitlements


Provision a machine

  • Go to the Catalog tab and check if your service is available


  • Click Request
  • Check the details and modify the request reason
  • Remember you can only modify the resources up to the maximum set in the blueprint and sometimes these are subject to approval policies as well. (Which haven’t been covered yet)


  • Click Submit and the VM should be provisioned in vCenter
  • Click the Requests tab to monitor the request


  • If you log into vCenter and go to Virtual Machines and Templates, you will see that vCAC by default will place all provisioned machines into a vCenter folder named VRM.  You can override this using the custom property VMware.VirtualCenter.Folder to tell vRA where to place the provisioned machine.
  • My machine is dacv001


  • If you click on the Items tab once the machine is provisioned, you can manage some actions which are controlled by entitlements


Taking a snapshot

  • Click on Items
  • Click on the Owned by drop down menu and change this to “All groups I manage”
  • Click on View Details


  • Click New Snapshot


  • vRA allows one snapshot per machine and no age limits