Archive for vRA

Setting up an F5 Load Balancer v12

arrow-of-double-point-pointing-different-directions_318-50733

Instructions

  • On the F5 website, click trial license and download your software and request a license to be emailed to you (F5 BIG-VE-LAB-LIC)

https://f5.com/products/trials/product-trials

F5a

  • Download the installer (ESXi Server)

F5b

  • Open vCenter and select File > Deploy OVF Template

F5c

  • Accept License agreement
  • Put in a name

F5dPNG

  • Check the resources

f55PNG

  • Choose the storage

f56PNG

  • Choose disk formatting options

f57PNG

  • Check network mappings
  • Management and Internal need to be on different networks so my machines will sit on the F5 network. I’m not worried about the oher 2 networks for now as I will use the management and the Internal only

F5e

  • Check details
  • Click Finish

F5f

  • Power on the appliance
  • Put in root as the username and default as the password
  • Type config and the following screen will open

vRAD133

  • Say No to automatically configured address
  • Put in your IP address, Subnet Mask and Gateway
  • You should now be able to log into the interface on https://youripaddress

vRAD134

  • The username is admin and the password is admin

vRAD135

  • You will need to activate the license which will have been emailed to you

vRAD136

  • Accept the license agreement

vRAD137

  • You should now see the below screen which shows you current resource reservations, License status and disk provisioning figures

vRAD138

  • Click Next and you will now see your device certificates screen

Screen Shot 2016-07-07 at 10.45.49

  • You will now be on the General properties screen
  • Add in your Hostname in FQDN format, Timezone and change the Root and Admin account password and any other details which require changing

Screen Shot 2016-07-07 at 10.49.55

  • It will ask you to Log out and in again
  • When you log back in you will be presented with a network screen
  • Click Next

F5g

  • Click Next on the page below

F5h

  • On the VLANs page put in a self IP, and subnet mask this needs to be an address on your internal network, in my case the F5 network
  • Put in a floating IP address on the same network
  • In Internal VAN configuration, select the 1.0 VLAN interface and select untagged and click Add

F5i

  • Interface 1.0 is the Management interface that was initialized during the deployment of the OVA and configured earlier in this document.
  • As mentioned earlier for the purpose of this document we will be utilizing only the Internal (Interface 1.1) Interface for load balancing
  • The Internal Interface or Interface 1.1 corresponds to Network Adapter 2 of our F5 appliance
  • You are now on the External Network Configuration screen
  • In External Network Configuration, Choose Select existing VLAN and select Internal
  • In External VLAN configuration delete anything in interfaces then add 1.2 as untagged

F5k

  • On the High Availability screen do the same as the above and Select existing VLAN as Internal
  • On the High Availability VLAN Configuration screen, delete the interface in interfaces and choose 1.3 and untagged and add

F5l

  • Add in the NTP Configuration. I just pointed to my domain controller.

F5m

  • Make sure the correct DNS Lookup Servers and DNS search Domain have been added.

vRAD143

  • Click Next, Next, Next until you get to the Finished screen

F5o

  • You will now be on the default F5 page and ready to set up load balancing

Setting up VMware vCenter PSCs with an F5 Load Balancer

Please see the below link to see the F5 in action 🙂

vSphere 6 Platform Services Controller HA Setups – High Availability with an F5 Load Balancer

Useful Links

http://kaloferov.com/blog/configuring-vrealize-automation-load-balancing-using-f5-big-ip/

http://networkjutsu.com/f5-big-ip-ltm-ve-home-lab/

https://downloads.f5.com/esd/ecc.sv?sw=BIG-IP&pro=big-ip_v11.x&ver=11.6.0&container=Virtual-Edition

vRA 7 Part 1 Minimal Installation of vRA7

vRARobot2

What is vRA7?

VMware vRealize Automation 7 sets a new standard in cloud automation by radically changing how fast and easy it is to automate the delivery of IT services and thereby accelerating your time to value. This major update has a simplified architecture and includes an installation wizard, the unified blueprint model, and enhanced NSX support.

IT organizations can use VMware vRealize™ Automation to deliver services to their lines of business.

vRealize Automation provides a secure portal where authorized administrators, developers or business users can request new IT services and manage specific cloud and IT resources, while ensuring compliance with business policies. Requests for IT service, including infrastructure, applications, desktops, and many others, are processed through a common service catalog to provide a consistent user experience.

You can improve cost control by using vRealize Automation to monitor resource and capacity usage. For further cost control management, you can integrate vRealize Business Advanced or Enterprise Edition with your vRealize Automation instance to expose the cost of cloud and virtual machine resources, and help you better manage capacity, cost, and efficiency

Support Documentation

https://www.vmware.com/support/pubs/vrealize-automation-pubs.html

New Features

http://pubs.vmware.com/New Features

Support Matrix

https://www.vmware.com/pdf/vrealize-automation-70-support-matrix.pdf

Reference Architecture

http://pubs.vmware.com/vra-70/topic/com.vmware.ICbase/PDF/vrealize-automation-70-reference-architecture.pdf

Installing vRealize Automation (Minimal Install in lab)

Depending on your deployment requirements, you can install and configure vRealize Automation components by using the Installation Wizard, or manually, through the management console. With either method, you can choose to create a minimal installation, or distribute components over separate servers in a custom distributed installation, with or without load balancers.

Choose a minimal installation to deploy a proof of concept (PoC) or development environment with a basic topology. Choose an enterprise installation to deploy a production environment with the topology best suited to your organizational needs

To complete a minimal deployment, a system administrator installs the vRealize Automation appliance and Infrastructure as a Service (IaaS) components.

â– 

vRealize Automation appliance includes the Web console interface and support for single sign-on capabilities. It is installed as a virtual appliance.

â– 

Infrastructure as a Service (IaaS) is installed on a Windows Server machine.

â– 

The IaaS uses an SQL database that can be installed on the same machine as IaaS or on its own server.

The following figure shows the relationship and purpose of components of a minimal installation.

vRA71

Step 1 DNS

  • vRealize Automation requires the system administrator to identify all hosts by using a fully qualified domain name (FQDN).
  • In a distributed deployment, all vRealize Automation components must be able to resolve each other by using a FQDN.
  • The Model Manager Web service, Manager Service, and Microsoft SQL Server database must also be able to resolve each other by their Windows Internet Name Service (WINS) name. You must configure the Domain Name System (DNS) to resolve these host names in your environment.
  • So I created an A record in DNS for my vRA7 appliance and an A record in DNS for my IaaS Server

Step 2 Check minimum hardware requirements

  • Your deployment must meet minimum system resources to install virtual appliances and minimum hardware requirements to install IaaS components on the Windows Server.
  • For operating system and high-level environment requirements, including information about supported browsers and operating systems, see the vRealize Automation Support Matrix.
  • The Hardware Requirements table shows the minimum configuration requirements for deployment of virtual appliances and installation of IaaS components. Appliances are preconfigured virtual machines that you add to your vCenter Server or ESXi inventory. IaaS components are installed on physical or virtual Windows 2008 R2 SP1, or Windows 2012 R2 servers. An Active Directory is considered small when there are up to 25,000 users in the OU to be synced in the ID Store configuration. An Active Directory is considered large when there are more than 25,000 users in the O

vRA72

Step 3 Browser Considerations

Some restrictions exist for browser use with vRealize Automation.

â– 

vRealize Automation does not support Compatibility View mode for Internet Explorer 10 on Windows 7 platforms. If you are unable to log in to appliance management consoles or you receive an error on the SSO tab when using Internet Explorer 10, use the Developer Tools to set the browser mode to Internet Explorer 7.

â– 

Multiple browser windows and tabs are not supported. vRealize Automation supports one session per user.

â– 

VMware Remote Consoles provisioned on support a subset of vRealize Automation-supported browsers.

For operating system and high-level environment requirements, including information about supported browsers and operating systems, see the vRealize Automation Support Matrix

Step 4 Password requirements

  • The vRealize Automation administrator password cannot contain a trailing “=” character.
  • Verify that the adminstrator password you assign during installation does not end with an “=” character. Such passwords are accepted when you assign them, but result in errors when you perform operations such as saving endpoints

Step 5 Database requirements

  • The vRealize Automation administrator password cannot contain a trailing “=” character.Verify that the adminstrator password you assign during installation does not end with an “=” character. Such passwords are accepted when you assign them, but result in errors when you perform operations such as saving endpoints
  • If you clone an IaaS node, install MS DTC on each node after it has been cloned. When you clone a node that has MS DTC installed, its unique identifier is copied to each clone, which causes communication to fail. See Error in Manager Service Communication for further information.
  • The database can reside on the IaaS (Windows) server host or on a remote host.
  • Java-related requirements apply for databases on the IaaS (Windows) server host. They do not apply for external databases.

Step 6 IaaS Server requirements

You can use the following script to install all pre-requisites on your IaaS server but do a double check of everything first

https://github.com/vtagion/Scripts/blob/master/vRA%206.2%20PreReq%20Automation%20Script.ps1

vRA73

Step 7 Port requirements

vRealize Automation uses designated ports for communication and data access.

  • Although vRealize Automation uses only port 443 for communication, there might be other ports open on the system.
  • Because open, unsecure ports can be sources of security vulnerabilities, review all open ports on your system and ensure that only the ports that are required by your business applications are open

Step 8 Certificates

vRealize Automation uses SSL certificates for secure communication among IaaS components and instances of the vRealize Automation appliance. The appliances and the Windows installation machines exchange these certificates to establish a trusted connection. You can obtain certificates from an internal or external certificate authority, or generate self-signed certificates during the deployment process for each component.

For important information about troubleshooting, supportability, and trust requirements for certificates, see the VMware knowledge base article at http://kb.vmware.com/kb/2106583.

You can update or replace certificates after deployment. For example, a certificate may expire or you may choose to use self-signed certificates during your initial deployment, but then obtain certificates from a trusted authority before going live with your vRealize Automation implementation

Step 10 Deploy the vRealize Automation appliance

Note: If you have to cancel out of the wizard and when you log back in to the appliance, the wizard doesn’t automatically come up then you can do the following

  • ssh into the appliance and run vcac-vami installation-wizard activate
  • Put /#wizard.wizard at the end of the vRA portal address

Follow the instructions below

1

Download the vRealize Automation appliance from the VMware Web site. Click here

Optionally on the same page you can download the VMware vRealize Orchestrator appliance

2

Log in to the vSphere client as a user with system administrator privileges.

Procedure

1

Select File > Deploy OVF Template from the vSphere client.

2

Browse to the vRealize Automation appliance file you downloaded and click Open.

3

Click Next.

4

Click Next on the OVF Template Details page.

vRA74

5

Accept the license agreement and click Next.

6

Type a unique virtual appliance name according to the IT naming convention of your organization in the Name text box, select the datacenter and location to which you want to deploy the virtual appliance, and click Next.

vRA75

7

Follow the prompts until the Disk Format page appears.

8

Verify on the Disk Format page that enough space exists to deploy the virtual appliance and click Next.

vRA76

9

Follow the prompts to the Properties page.

The options that appear depend on your vSphere configuration.

10

Configure the values on the Properties page.

vRA77

a

Type the root password to use when you log in to the virtual appliance console in the Enter password and Confirm password text boxes.

b

Select or uncheck the SSH service checkbox to choose whether SSH service is enabled for the appliance.

This value is used to set the initial status of the SSH service in the appliance. If you are installing with the Installation Wizard, enable this before you begin the wizard. You can change this setting from the appliance management console after installation.

c

Type the fully qualified domain name of the virtual machine in the Hostname text box, even if you are using DHCP.

d

Configure the networking properties.

11

Click Next.

vRA78

12

Start the host machine.

â– 

If Power on after deployment is available on the Ready to Complete page.

a

Select Power on after deployment and click Finish.

b

Click Close after the file finishes deploying into vCenter.

c

Wait for the machine to start. This could take up to five minutes.

â– 

If Power on after deployment is not available on the Ready to Complete page.

a

Click Close.

b

Power on the machine. This could take up to five minutes. Check the Remote console window

After a few moments, a success message appears.

vRA79

13

Open a command prompt and ping the FQDN to verify that the fully qualified domain name can be resolved against the IP address of vRealize Automation appliance.

Step 11 Run the Installation Wizard for a Minimal Deployment

1

Open a Web browser.

2

Navigate to the vRealize Automation appliance management console by using its fully qualified domain name, https://vra-va-hostname.domain.name:5480/.

3

Log in with the user name root and the password you specified when the appliance was deployed.

4

When the Installation Wizard appears, click Next.

vRA710

5

Accept the End User License Agreement and click Next.

6

Select Minimal Deployment and Install Infrastructure as a Service on the Deployment Type screen and click Next.

vRA711

7

Check that the prerequisites listed on the Installation Prerequisites page have been met and that the Windows servers on which you installed a Management Agent are listed.

vRA712

Click the link and obtain the Management Agent software and install this agent on your IaaS server

vRA713

The Mangement Agent executes work items which are issued by the VAMI. the context under whom the management agent is running executes the installer. Certificate changes can now be performed from the VAMI for infrastructure machines as well and this is handled by the management agent

The Management agent requires a direct connection to 5480 on all virtual appliances. It becomes aware of all the appliances in the system after the initial connection is established to the first VA. It is also used for log collection and telemetry etc.

The next screen will ask you for account information that has administrative rights on your IaaS Server. This account will be used to install services and additional pre-requisite software

vRA714

Once the installer finishes, go back to your wizard. Notice that at the bottom of the screen you were on, there is now an IaaS Server listed. Set your NTP settings (THIS IS VERY IMPORTANT !) and click next

vRA715

8

If needed, you can change the timekeeping method for your vRealize Automation appliance. Click Change Time Settings, if you make changes.

9

Click Next.

10

Click Run on the Run the Prerequisite Checker screen to verify that the Windows servers in your deployment are correctly configured for vRealize Automation use.

Because this step runs remotely, it can take several minutes for the step to run.

vRA716

a

If a failed status is returned for a machine, click Fix to start automatic corrections or click Show Details and follow the instructions. Automatic corrections also restart

b

Click Run to rerun the checker.

c

When all statuses show success, click Next.

11

Proceed through the next screens, supplying the requested information to configure your deployment components, including the Web server, Manager Service, Distributed Execution Manager, vSphere proxy agent, and certificate information.

Additional information is available from the Help buttons.

DNS of the vRA appliance

vRA717

SSO Password

vRA718

IaaS server details

vRA719

Database Information

vRA720

DEM Information

vRA721

Agents Information

vRA722

vRealize Appliance Certificate

vRA723

Web Certificate

vRA724

Manager Service Certificate

vRA725

Validate: Click Validate – Can take between 10 minutes and half an hour

vRA726

vRA727

Hopefully you should then see

vRA728

A reminder to take snapshots

vRA729

Read the message and click Install

The installation can take between 30 minutes and one hour

vRA730

And hopefully should say completed

vRA731

Update the license key

vRA732

Choose Telemetry settings

vRA733

Initial Content creation

Optionally, you can start an initial content workflow for a vSphere endpoint.
The process uses a local user called configurationadmin that is granted administrator rights.

vRA734

A configuration admin user is created and a configuration catalog item is created in the default tenant. The

configuration admin is granted the following rights:

  • Approval Administrator
  • Catalog Administrator
  • IaaS Administrator
  • Infrastructure Architect
  • Tenant Administrator
  • XaaS Architect

vRA735

What to do next

  • After you finish the wizard, log in to the default tenant as the configurationadmin user or as administrator.
  • Go to the service catalog, request the Initial Content catalog item
  • Complete the request form for the Initial Content workflow

Step 12 – Login using the configurationadmin account or administrator

Note you don’t have to put administrator@vsphere.local in, just administrator and your SSO password

  • Type https://vra-appliance-fqdn/vcac

vRA736

vRealize Automation large scale deployment Part 3 IaaS Server Install

vRARobot2

vRealize Automation large scale deployment Part 2 IaaS Server Install

In a distributed installation, the system administrator can deploy multiple instances of the appliances and install IaaS components over multiple machines in the deployment environment.

vRA294

This install will include the following

  • 2 x Windows 2012 R2 Server running IaaS
  • 2 x Windows 2012 R2 Servers running SQL 2012 in a SQL failover cluster

IP Addresses

vRA263

IaaS Service Account

vRA264

Step 1 – Check Pre-requisites

Make sure the server is fully patched and snapshotted prior to installation to allow easy rollback in the event of any issues

There is a great PowerShell script which will install the pre-requisites for you but it is always worth checking all the steps I’ve listed following this for your own sanity. Reboot after running the script

https://github.com/vtagion/Scripts

SQL

  • TCP/IP protocol enabled for SQL Server

vRA12

  • Microsoft Distributed Transaction Coordinator Service (MS DTC) enabled on all SQL nodes and IaaS nodes in the system. MS DTC is required to support database transactions and actions such as workflow creation. Start > Run > dcomcnfg > Computer > My Computer > Distributed Transaction Coordinator > Local DTC > Properties
  • Note there may be a clustered DTC, in which case modify this as well

vRA13

  • No firewalls between Database Server and the Web server or IaaS Server, or ports opened as described in Port Requirement
  • If using SQL Server Express, the SQL Server Browser service must be running
  • For 6.0.x installations, the database name cannot contain a space. For 6.1 and later installations, the use of spaces in names is supported
  • Log into SQL Management Studio and add Domain Admins to Logins

vRAD108

IaaS Pre-requisites

  • Configuration of Active Directory Domain Service Accounts for Local Administrators Group

vRAD92

  • Configuration of Windows Server 2012 R2 Firewall

The firewall can either be turned off or there are certain rules which need enabling as per below if it is turned on

vRAD93

  • Installation of Microsoft .NET 4.5.2 Framework
  • Installation of Java Runtime 64-bit Environment (jre-7u67-windows-x64.exe; required to install the database)
  • Note I had to use the below version. 1.8 did not work and you can use the latest 1.7 version which is jre-7u79 currently I think

vRA18

vRA14

  • Click New

vRA15

  • Type the following path to the Java installation directory

vRA16

  • Installation and configuration of IIS Server

You can run these commands in PowerShell

  • Add-WindowsFeature -Name Web-Webserver,Web-Http-Redirect,Web-Asp-Net,Web-Windows-Auth,Web-Mgmt-Console,Web-Mgmt-Compat, web-metabase

vRAD94

  • Add-WindowsFeature -Name Was, Was-config-apis, was-Net-Environment,NET-Non-HTTP-Activ

vRAD95

  • Add-WindowsFeature -Name Web-Webserver,Web-Http-Redirect,Web-Asp-Net,Web-Windows-Auth,Web-Mgmt-Console,Web-Mgmt-Compat, web-metabase

vRAD96

  • Add-WindowsFeature -Name Was, Was-config-apis, was-Net-Environment,NET-Non-HTTP-Activ

vRAD98

  • Add-WindowsFeature -Name NET-WCF-HTTP-Activation45

vRAD99

  • Enabling the Secondary Login Service. You can just start this for the installation process then it can be stopped afterwards

vRAD100

  • Configuration of the batch login access and service login
  • Open Local Security Policy
  • Modify the Log on as a batch job and Log on as a service with the account you are going to install IaaS on

vRAD101

  • Next open IIS Manager and navigate to the default website

vRAD102

  • Click on Authentication

vRAD103

  • Next click on Providers and remove NTLM and Negotiate then add Negotiate back in followed by NTLM

vRAD104

  • Next click on Advanced Settings
  • Change it from Off to Accept. Click on OK then change it back to Off

vRAD105

  • Do an iisreset

vRAD106

  • Next we need to register asp.net
  • Go to c:\Windows\Microsoft.Net\Framework64\v4.0.30319
  • Type aspnet_regiis -i

vRAD107

  • Do another iisreset
  • The following registry modification is required for the IaaS web server to include Local Security Authority host names that can be referenced in in the NTLM authentication requests for CNAME and load balancer FQDN addresses.
  • Open the Windows registry and browse HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0.
  • Right-click MSV1_0, point to New, and click Multi-String Value.
  • In the Name column, type BackConnectionHostNames, and press Enter.
  • In the Value text box, type the CNAME or DNS alias that is used for the local shares on the computer, and click OK.
  • Example for IaaS Web Servers: f5.ias.techlab.local

vRAD129

  • Before the installation of the IaaS components, verify system cryptography
  • Go to the Local Group Policy Editor, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, expand Security Options and use FIPS-compliant algorithms for encryption and hashing.  Verify that signing is set to Disabled.

vRAD130

  • Next I also like to add my IaaS service account to the Local Admins group on the server or if it is the Domain Admins group then add this for lab purposes

vRAD109

  • Add REG_DWORD key DisableLoopbackCheck 1
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\
  • Add REG_DWORD key DisableStrictNameChecking 1 HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
  • Next I like to shutdown the server and take a snapshot at this point
  • Do exactly the same procedure on the second IaaS server

Note: Once DTC was enabled on both the IaaS and the remote SQL server, the installation still failed. After some searching, I found that since the IaaS server and SQL server VMs were provisioned using the same Virtual Machine template in vSphere, DTC had to be uninstalled and re-installed on one of the servers, either the IaaS server or the SQL server. To perform this task, execute the following commands from an elevated command prompt (run cmd.exe as an Administrator):

  • msdtc -uninstall
  • msdtc -install
  • Reconfigure settings
  • Reboot

Step 2 – Install certificates

You will need to refer to my other blog about creating and installing vRA IaaS certificates here if you haven’t created them already.

http://www.electricmonk.org.uk/2015/12/03/installing-vra-6-x-certificates/

Import the certificate into IIS

Step 3 – Install IaaS Website and Model Manager Data

  • Go to https://yourvRAserver.FQDN:5480/installer
  • Download the IaaS installer

vRA265

  • Launch the installer from where you saved it and Run as Administrator

vRA266

  • Click Next

vRA267

  • Accept the License agreement

vRA268

  • Put in root and your password

vRA269

  • Choose Custom Install
  • Select IaaS Server

vRA270

  • Select the Database checkbox
  • I have a Windows Server 2012 / SQL2012 cluster called SQLCLUSTER which was picked up when I put in my SQL server name and clicked Scan
  • I then unticked Use existing empty database and called it vcac

vRA272

  • Fix any warnings which appear in the Verify Pre-requisites box

vRA273

  • Click Check again

vRA274

  • Click Next and click Install

vRA275

  • Hopefully you should now see the below screen

vRA276

  • Untick the box which says Guide me through the initial system configuration and click Finish

vRA277

Installing the Primary IaaS Web and Model Manager Data Server

  • If you haven’t already, import the certificate you previously created. This is the PFX cert
  • Double click on the certificate
  • Choose Local Machine

vRA278

  • Check the path to your cert file is correct
  • Click Next

vRA279

  • Enter the password if you created one
  • Select Mark this key as exportable
  • Click Next

vRA280

  • Accept the default store

vRA281

  • Check the final box and click Finish

vRA282

  • Add certificate into the IIS Console under Server Certificates. It may already be there. Check 443 bindings are linked to your certificate
  • Just double check in Local Security that System Cryptography: Use FIPS compliant algorithms is disabled

vRA283

  • Launch the IaaS installer as Administrator again
  • Click Next, accept the license agreement put in the root username and password
  • Select Custom Install and IaaS server

vRA284

  • Select Website and ModelManagerData checkboxes
  • On the Administration and Model Manager Website tab select the certificate that you previously imported
  • Select the Suppress certificate mismatch box

vRA285

  • You should get a message back when you click Test Binding

vRA286

  • Click on the Model Manager Data tab
  • Enter the FQDN of the vRA appliance load balanced address. In my case f5.vra.techlab.local
  • On SSO Default Tenant, click Load
  • Under certificate click Download (This is the certificate which should be pre-created from my other blog and imported into IIS
  • Click View Certificate and check it
  • Add in all the rest of the details

vRA288

  • On the Verify pre-requisites screen, make sure everything is ticked green and fix any issues

vRA289

  • Under Server and Account Settings put
  • Passwords
  • Passphrase
  • SQL Servername and Database name

vRA291

  • You may get a message coming up about the user account needed adding to the Local Security Policy if you hadn’t added it there already
  • Click Install

vRA292

  • It should start installing

vRA293

  • And hopefully say Completed

vRA295

Useful Troubleshooting info

http://www.virtualvcp.com/vmware-vrealize-automation-vcac/208-vrealize-automation-6-2-installation-and-configuration-gotchas

Installing IaaS server on the second Iaas Server

This procedure is exactly the same except as the above process. We just install the website component on the second server

  • Don’t forget all the pre-requisites
  • Don’t forget to import your certificate
  • Start the installer
  • Enter your root and password for the vRA appliance screen
  • Enter your details below choosing just the website component

vRA296

  • Enter all the relevant details again

vRA298

  • Follow the next prompts to install and finish

 

vRealize Automation large scale deployment Part 1 Identity and vRA appliance install

vRARobot2

vRA Distributed deployment.

This series will cover a larger distributed deployment of vRealize Automation 6.2.3

Software required

vRAD1

Components

Only the Identity and vRA appliances are covered in this blog. The rest will be covered in the series to follow.

  • 1 x Identity appliance
  • 2 x vRA appliances (Postgres Database only)
  • 2 x IaaS servers
  • 2 x Manager Servers
  • 1 x Orchestrator appliance
  • 1 x F5 Load Balancer

Important

  • DNS must be configured for all servers/appliances you use and test it
  • Whatever you use for time sync must be identical for all servers/appliances you use

F5 Load Balancer setup and information

  • http://kaloferov.com/blog/configuring-vrealize-automation-load-balancing-using-f5-big-ip/

Certificates

Please follow one of my other blogs for generating and importing certificates into vRA appliances and servers

http://www.electricmonk.org.uk/2015/12/03/installing-vra-6-x-certificates/

Step 1 – Deploying the Identity Appliance

  • In the vSphere client or web client select File > Deploy OVF Template

vRAD2

  • Check the details

vRAD3

  • Accept the license agreeement
  • Put in a name for the vRA Identity appliance

vRAD4

  • Choose your storage

vRAD5

  • Leave the defaults for storage

vRAD6

  • Check the details and click Finish

vRAD7

  • Note: The identity appliance cannot be clustered but can be put on a vSphere HA cluster to provide redundancy in the event of hardware failure but not in the event of the Identity appliance having an issue.
  • You may need to go into the vCenter console for the machine and set a root password
  • You will then see this screen where you can see the web browser link to log into the Identity appliance

vRAD8

  • Log into the web link

vRAD9

  • Set the time zone

vRAD10

  • Set the SSO password

vRAD11

  • It should then look like the below screenprint

vRAD12

  • Click on host settings and put in the name of the identity appliance
  • Make sure there is a DNS entry for the identity appliance

vRAD14

  • Click on Network then the Address tab and put in the relevant details

vRAD16

  • You will then need to reboot and relogin
  • Next click on SSO > SSL
  • Generate a certificate for now. Example below

vRAD39PNG

  • Click on Active Directory and put in your details

vRAD15

  • It will then look like the below

vRAD17

  • Go to the Admin tab and click Admin
  • Tick SSH service enabled and Administrator SSH login enabled

vRAD18

  • Click on Time settings and adjust if you have a time server. I left mine on Use host time

vRAD19

  • This should now be complete.
  • Note: You may want to adjust the CPU and RAM depending on customer requirements
  • Note. It might be wise at this point to shutdown the appliance and take a snapshot

Step 2 Deploy 2 vRealize Automation Appliances

Note: Follow the below steps for each appliance

  • In the vSphere client or vSphere Web Client click File > Deploy OVF template

vRAD20

  • Check the details

vRAD21

  • Accept the license agreement
  • Put in a name

vRAD22

  • Choose your storage

vRAD23

  • Choose your storage options

vRAD24

  • Next you will need to type in the hostname, ssh enabled, IP address, subnet mask, gateway and DNS servers

vRAD25

  • Click Next and check all your details

vRAD26

  • Once this is deployed, make sure you have a DNS entry added
  • Log into the appliance
  • Change the time settings first

vRAD27

  • Click on the Network tab and select Host Settings.
  • Fill in your details

vRAD36PNG

  • Reboot the appliance

vRAD37PNG

  • Click on the vRA Host Settings
  • Add in your host settings – this should be your load balanced name
  • Import your certificate in which should have been pre-created from the instructions in my previous vRA certificate blog

vRA233

  • Click on SSO
  • Put in the SSO details (The identity appliance details)
  • If everything is ok then you will see a certificate message

vRAD40PNG

  • Click Save Settings and note the SSO seems to take a long time

vRAD50

  • You should see the following

vRAD51

  • You should slowly see the services begin to come up
  • Note:  To monitor service startup run the following command:
  • tail -f /var/log/vcac/catalina.out

vRAD52

  • Do exactly the same process on the second appliance
  • Add your license in – Go to vRA Settings > Licensing

vRA234

  • Next please go to Part 2 for the Postgres clustering of the vRA appliances

http://www.electricmonk.org.uk/2016/01/07/vrealize-automation-large-scale-deployment-part-2-clustering-the-postgres-databases-on-the-vra-appliances-v6-0-2/

Licensing Problems

I had an issue where my license suddenly became invalid which was a little bizarre as it is test non expiring one.

However I followed the steps in the below article on both appliances and it came back fine

Thanks @ vmguru 🙂

https://www.vmguru.com/2015/09/downgrade-the-vrealize-automation-license/

 

vRealize Automation large scale deployment Part 2 Clustering the Postgres Databases on the vRA Appliances v6.2.3

vRARobot2

Configuring the vRA Appliances

VMware vRealize Automation Center documentation recommended the utilization of an external instance of VMware vFabric Postgres when setting up a high availability (HA) environment. However, since the release of VMware vRealize Automation standalone, VMware vFabric Postgres is End Of Availability and no longer available as a standalone product. To address customers needs, VMware developed a way to utilize the database instance located in the VMware vRealize Automation appliance in a high availability (HA) mode, without having to incur additional licensing.

Useful Links

http://pubs.vmware.com/vra-62/index.jsp#com.vmware.vra.install.doc/GUID-8E631C5E-97D7-4D2B-945A-33B5DDBA452F.html

http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=2108923

Instructions Part 1

Follow the below instructions for both appliances until you get to Part 2

  • Shutdown both vRA appliances and snapshot in vCenter
  • Download the 2108923_dbCluster.zip file from the VMware Knowledge Base.
  • Add a 20GB disk to the primary vRA appliance and secondary appliances
  • Power on the primary and secondary vRA appliances
  • Log into both vRA_Appliance:5480 in a web browser
  • Log into both vRA appliances in Putty and WinSCP
  • Extract the tar file from the 2108923_dbCluster.zip file attached to this article to both the appliances (I created a /tmp/prostgres folder)
  • Using winscp copy the 2108923_dbcluster.tar file to a tmp folder on both appliances
  • In Putty (See screen below) extract the .tar file on both appliances
  • tar xvf 2108923_dbCluster.tar

vRA235

  • type parted -l on both appliances
  • You should see Error: /dev/sdd: unrecognized disk label. See the bottom of the screen

vRA236

  • Run ./configureDisk.sh /dev/sdd

vRA237

  • At this point it is normally a good idea to snapshot both appliances as they seem to be sensitive to the password you use especially the special characters. Do not use = anywhere in the password
  • Run the pgClusterSetup.sh script to prepare the appliance databases for clustering
  • Note: In our case the db_fqdn was the Load balanced DB FQDN for the Postgres database

./pgClusterSetup.sh [-d] db_fqdn [-w] db_pass [-r] replication_password [-p]postgres_password

[-d] Database load balancer fully qualified domain name
[-w] Database password (will set password to this value)
[-r] Replication password (Optional: will use Database password if not set)
[-p] Postgres password (Optional: will use Database password if not set

  • cd /tmp/postgres
  • ./pgClusterSetup.sh -d f5.db.techlab.local -w password -r password -p password

vRA238

  • This is the end of configuration on both appliances

Instructions Part 2

Configuring the database replication on appliance B

  • Type su – postgres
  • Type cd /opt/vmware/vpostgres/current/share/
  • Type ./run_as_replica -h vRA_FQDN -b -W -U replicate (Note don’t copy and paste as needed typing in manually)

./run_as_replica –h Primary Appliance -b -W -U replicate
[-U] The user who will perform replication. For the purpose of this KB this user is replicate
[-W] Prompt for the password of the user performing replication
[-b] Take a base backup from the master. This option destroys the current contents of the data directory
[-h] Hostname of the master database server. Port 5432 is assumed

  • Enter the same password which was created previously
  • It should now look like the below
  • Type yes

vRA239

  • Type yes

Screen Shot 2015-11-25 at 14.54.23

  • Type the password

vRA240

  • Type yes to enable WAL archiving on the primary

vRA241

  • It will now say shutting down and ignore the error message

vRA242

  • Type yes to the base backup message
  • Note to myself really, I had an issue where I needed to run a command as root on the second vRA appliance to stop the vpostgres service (service vpostgres stop) to get the installer to finish!

vRA243

  • Next test replication
  • cd /opt/vmware/vpostgres/current/share/
  • Type ./show_replication_status

vRA244

Validate replication

  • Connect to the appliance with the primary (master) database using SSH.
  • Validate if the WAL process is running. You should see the WAL process by running this command:
  • ps -ef | grep wal

Screen Shot 2015-11-25 at 17.44.06

Validate if the master is ready for read-write connections by running these commands:

  • su – postgres
  • cd /opt/vmware/vpostgres/current/bin
  • ./psql vcac
  • SELECT pg_is_in_recovery();

vRA248

  • You see output similar to the above
  • Quit psql by running \q
  • Connect to the appliance with the replica database using SSH.
  • Validate if the replica is read only using these commands
  • su – postgres
  • cd /opt/vmware/vpostgres/current/bin
  • ./psql vcac
  • SELECT pg_is_in_recovery();

vRA247

  • Quit psql by running \q

Instructions Step 3

Testing Failover between the Postgres Databases. Performing a test failover (appliance A to appliance B)

  • Validate if the WAL process is running. You should see the WAL process by running this command:
  • Type ps -ef | grep wal

vRA245

  • Connect to appliance A using SSH as root
  • Stop the vpostgres service by running service vpostgres stop

vRA249

  • Connect to appliance B using SSH as root.
  • Promote the replica database to master as the postgres user by running these commands
  • su – postgres
  • cd /opt/vmware/vpostgres/current/share
  • ./promote_replica_to_primary

vRA250

  • SSH into appliance A as root.
  • Configure database replication as user postgres by running these commands
  • su – postgres
  • cd /opt/vmware/vpostgres/current/share/
  • ./run_as_replica -h FQDNofServer -b -W -U replicate
  • Note the FQDN of the server was the second node which was been promoted to primary

vRA251

  1. Enter the replicate users password when prompted.
  2. Type yes after verifying the thumbprint of the primary machine when prompted.
  3. Enter the postgres users password when prompted.
  4. Type yes when prompted with Warning: the base backup operation will replace the current contents of the data directory. Please confirm by typing yes
  5. Do a quick check to test which machine is the primary and which is the secondary

vRA252

vRA254

Instructions Step 4

Perform a test failback (appliance B to appliance A)

  • Connect to appliance B using SSH as root.
  • Stop the vpostgres service by running this command:
  • service vpostgres stop

vRA256

  •  Connect to appliance A using SSH as root.
  • Promote the replicate database to master as user postgres by running these commands
  • su – postgres
  • cd /opt/vmware/vpostgres/current/share/
  • ./promote_replica_to_primary

vRA255

  • Connect to appliance B using SSH as root.
  • Configure database replication as user postgres by running these commands:
  • su – postgres
  • cd /opt/vmware/vpostgres/current/share
  • ./run_as_replica -h FQDNofServer -b -W -U replicate
  • Enter the replicate users password when prompted
  • Type yes when prompted with:WARNING: the base backup operation will replace the current contents of the data

vRA257

Validate replication

  • Connect to the appliance with the primary (master) database using SSH.
  • Validate if the WAL process is running. You should see the WAL process by running this command:
  • ps -ef | grep wal
  • Validate if the master is ready for read-write connections by running the commands below
  • It should say f indicating it is the master

vRA258

  • You see output similar to the above
  • Quit psql by running \q
  • Connect to the appliance with the replica database using SSH.
  • Validate if the replica is read only using these commands:

vRA259

  • Quit psql by running \q
  • If you now log into the VAMI page of the vRA appliances and check the database and cluster page you should see the following

vRA260

Configuring monitoring of the VMware vRealize Automation appliance databases

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2127052

Installing vRA 6.x certificates

certificate

Installing vRA certificates

This subject is a tricky one to navigate round so I have decided to try and simplify this as much as possible to get a good working procedure to carry out the replacement of certificates correctly and efficiently. The various components of VMware vRealize Automation (formerly known as VMware vCloud Automation Center) have different requirements for the certificates used for authentication

Certificates supportability matrix for vRealize Automation

Screen Shot 2015-11-24 at 08.15.28

Certificate trust requirements between VMware vRealize Automation components

Screen Shot 2015-11-24 at 08.17.19

  • * vRealize certificate thumbprint is stored in IaaS database during installation
  • ** SSO certificate thumbprint is stored in IaaS database during installation
  • *** Application Director and Orchestrator as an external instance are optional services

Update components Certificates in the following order

  • Identity Appliance
  • vCloud Automtation vCenter Appliance
  • IaaS components

Step 1 Installing a Domain Certificate Authority

Note: This will normally be installed on a Domain Controller.

  • On Windows 2012 open Server Manager > Add Roles and Features

Screen Shot 2015-11-24 at 08.45.53

  • Click Next to accept the selections on the next 2 screens
  • Make sure to choose both Certification Authority & Certifications Authority Web Enrollment on the Role Service screen

Screen Shot 2015-11-24 at 09.05.36

  • Choose Enterprise or Subordinate at the setup Type page (Note I am choosing Enterprise and this is in my lab)
  • Assuming this is your first CA, choose Root CA at the CA Type screen
  • Create a new private key
  • In Configure cryptography for CA, choose Microsoft Software Key Storage Provider and SHA1
  • Configure your CA name
  • Set validity period for the certificate generated by this CA

Step 2 Creating vCAC Certificate templates

We now need to create a non-standard Certificate Template, which is a copy of the standard Web Server template modified to allow for export of the certificate key. In addition, the Microsoft CA will be updated to allow for Subject Alternative Names (SANs) as specified in the Attributes.

  • Connect to the Root CA server or Subordinate CA server via RDP.
  • Click Start > Run, type certtmpl.msc, and click OK. The Certificate Template Console opens.
  • In the middle pane, under Template Display Name, locate Web Server.
  • Right-click Web Server and click Duplicate Template.

Screen Shot 2015-11-24 at 09.17.25

  • You should see the Compatibility tab
  • Select Windows Server 2008 R2 as the Certification Authority
  • Select Windows 7 / Server 2008 R2 under Certificate recipient

Screen Shot 2015-11-24 at 12.40.03

  • Click the General tab.
  • In the Template display name field, enter VMware-SSL as the name of the new template.

Screen Shot 2015-11-24 at 12.43.46

  • Click the Request Handling tab
  • Ensure that the Allow private key to be exported option is selected

Screen Shot 2015-11-24 at 15.55.13

  • Select Cryptography

Screen Shot 2015-11-24 at 12.52.51

  • Click Key Attestation

Screen Shot 2015-11-24 at 13.06.22

  • Click Server

Screen Shot 2015-11-24 at 14.20.48

  • Click Security

Screen Shot 2015-11-24 at 14.22.02

  • Click Extensions

Screen Shot 2015-11-24 at 14.22.34

  • Click the Edit button
  • Select the Signature is proof of origin (nonrepudiation) option.
  • Select the Allow encryption of user data option.

Screen Shot 2015-11-24 at 14.29.13

  • Click Application Policies

Screen Shot 2015-11-24 at 14.30.50

  • Click Superseded Templates

Screen Shot 2015-11-24 at 14.23.31

  • Click Subject Name

Screen Shot 2015-11-24 at 14.24.15

  • Click Issuance Requirements

Screen Shot 2015-11-24 at 14.25.07

  • Click OK to save the template.

Step 3 – Adding a new template to certificate templates

To add a new template to certificate templates:

  • Connect to the Root CA server or Subordinate CA server via RDP.Note: Connect to the CA server in which you are intending to perform your certificate generation.
  • Click Start > Run, type certsrv.msc, and click OK. The Certificate Server console opens.
  • In the left pane, if collapsed, expand the node by clicking the [+] icon.
  • Right-click Certificate Templates and click New > Certificate Template to Issue.

Screen Shot 2015-11-24 at 16.24.40

  • Locate the VMware-SSL Certificate under the Name column.
  • Click OK.

A new template option is now created in your Active Directory Certificate Services node. This new template can be used in the place of Web Server for the vSphere 5.x CA certificate.

Step 4 – Checking the web enrollment page

If everything went as planned you will have a new certificate template type when submitting a CSR. If you don’t see your new template, you may not have appropriate CA rights to issue the certificate.

  • Navigate to https://yourcertificateserver/certsrv
  • You should see the template VMware-SSL available

Screen Shot 2015-11-24 at 16.29.54

Step 5 – Creating a certificate configuration file for the Identity appliance

Useful Link

http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=2015387

  • Copy the below text into a notepad file and save it as a .cfg file
  • Modify the relevant parts of your appliance and company details
  • Note you may have load balancers such as F5’s in which case you can also put the load balancer address in the subjectAltName section and the common name

[req]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[v3_req]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS: techlabvri001, DNS: techlabvri001.techlab.local

[req_distinguished_name]
countryName = UK
stateOrProvinceName = London
localityName = Norwich
0.organizationName = Techlab
organizationalUnitName = vRA Identity
commonName = techlabvri001.techlab.local

  • So it should look like this for the Identity Appliance

vRAD87

Step 5b – Creating a certificate configuration file for the Automation appliance

Note: I have put in both my vRA appliance hostnames and my load balanced name as I am going to cluster the vRA appliances

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:techlabvra001, DNS:techlabvra001.techlab.local DNS: techlabvra002 DNS: techlabvra002.techlab.local DNS:f5.vra DNS:f5.vra.techlab.local

[ req_distinguished_name ]
countryName = UK
stateOrProvinceName = London
localityName = Norwich
0.organizationName = Techlab
organizationalUnitName = vRA Appliance
commonName = f5.vra.techlab.local

vRA232

Step 6 Update components certificates in the following order:

  1. Identity Appliance
  2. vCloud Automation vCenter Appliance
  3. IaaS components

Step 7 – Installing OpenSSL version 0.9.8.

Use the following steps to install OpenSSL, which will be used to request the required certificates.

Important: Ensure that you are using OpenSSL version 0.9.8. If you do not use this version, the SSL implementation will fail.

  • Ensure that the Microsoft Visual C++ 2008 Redistributable Package (x86) is installed on the system on which you want to generate the requests. To download the package, see the Microsoft Download Center
  • Download the Shining Light Productions installer for OpenSSL x86 version 0.98r or later on the link below http://www.slproweb.com/products/Win32OpenSSL.html. This software was developed by the OpenSSL Project
  • Launch the installer, proceed through the installation, and make a note of the appropriate directory for later use. By default, it is located at c:\OpenSSL-Win32.

Step 8 – Generating certificates for the vRA Identity Appliance and the vRA Appliance

  • Make sure you have your identity appliance and vra appliance config files in a folder (You will need to change the paths highlighted in blue to your own folder)
  • Open cmd.exe and change directory to c:\OpenSSL\bin
  • Run the following commands

Identity

openssl req -new -nodes -out F:\Software\vracerts\techlabvri001\rui.csr -keyout F:\Software\vracerts\techlabvri001\rui-orig.key -config F:\Software\vracerts\techlabvri001\vritemplate.cfg

vRAD54

vRAD56

vRA Appliance

openssl req -new -nodes -out F:\Software\vracerts\techlabvra001\rui.csr -keyout F:\Software\vracerts\techlabvra001\rui-orig.key -config F:\Software\vracerts\techlabvra001\vratemplate.cfg

vRAD55

vRAD57

Step 9 Convert the keys to the appropriate RSA format required by the appliances

Identity

openssl rsa -in F:\Software\vracerts\techlabvri001\rui-orig.key -out F:\Software\vracerts\techlabvri001\rui.key

vRAD58

Appliance

openssl rsa -in F:\Software\vracerts\techlabvra001\rui-orig.key -out F:\Software\vracerts\techlabvra001\rui.key

vRAD59

  • Logon to the Microsoft CA Web Interface (https://ca-server/CertSrv)
  • Click on the Request Certificate > Advanced Certificate Request

vRAD60

vRAD61

  • Click Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
  • Open the rui.csr file for the vCAC Identity Appliance and then copy and paste the contents into the Base-64-encoded certificate request field.

vRAD62

vRAD63

  • Ensure you select the correctly configured Certificate Template

vRAD64

  • Click “Submit” to submit the request.
  • Select the “Base64 encoded” option on the Certificate Issued screen.

vRAD65

  • Click the “Download Certificate” link and save as rui.crt in the same location as your config file and CSR.

vRAD74

  • Repeat the above process for the vRA Appliance Certificate Request.
  • Next go back to https://techlabadc001.techlab.local/certsrv/
  • Click on “Download a CA certificate, certificate chain or CRL”.

vRAD67

  • Select the “Base64 encoded” option.
  • Click the “Download a CA Certificate Chain” link.

vRAD69

  • Save the certificate chain as cachain.p7b in your desired location
  • Double click the cachain.p7b file and navigate to yourlocation\cachain.p7b > Certificates

vRAD70

  • Right click the root certificate and select “All Actions > Export” and then click Next.

vRAD71

Select Base64-encoded X.509 (.CER) and click Next.

vRAD72

  • Save the export to your location/root64.cer and click Next.

vRAD73

Converting the Certificates to PEM Format

  • Launch a command prompt and navigate to your OpenSSL directory. By default this is located in c:\OpenSSL\bin
  • Run the following commands (replacing the path with your desired location) to convert the certificates to the format expected of the Virtual Appliances.

Identity

openssl pkcs12 -export -in F:\Software\vracerts\techlabvri001\rui.crt -inkey F:\Software\vracerts\techlabvri001\rui.key -certfile F:\Software\vracerts\Root64.cer -name “rui” -passout pass:testpassword -out F:\Software\vracerts\techlabvri001\rui.pfx

vRAD77

  • You should then see your pfx file in the Identity appliance folder

vRAD76

vRA Appliance

openssl pkcs12 -export -in F:\Software\vracerts\techlabvra001\rui.crt -inkey F:\Software\vracerts\techlabvra001\rui.key -certfile F:\Software\vracerts\Root64.cer -name “rui” -passout pass:testpassword -out F:\Software\vracerts\techlabvra001\rui.pfx

vRAD78

  • You should then see your pfx file in the vRA appliance folder

vRAD79

  • Next type the following commands

Identity

openssl pkcs12 -in F:\Software\vracerts\techlabvri001\rui.pfx -inkey F:\Software\vracerts\techlabvri001\rui.key -out F:\Software\vracerts\techlabvri001\rui.pem -nodes

vRAD80

  • You should now see the pem file

vRAD81

vRA Appliance

openssl pkcs12 -in F:\Software\vracerts\techlabvra001\rui.pfx -inkey F:\Software\vracerts\techlabvra001\rui.key -out F:\Software\vracerts\techlabvra001\rui.pem -nodes

vRAD82

  • You should now see the pem file

vRAD83

Note:

All of the above instructions worked for me but if the above command does not work to issue the PEM then try the below commands instead for vRA 6.2.

Someone reported that the pem creation syntax above seems to give the  error “unable to create keystore” when installing the cert in the identity appliance in vRA 6.2.

These commands are listed in the vRA 6.2 document at

VMware vRealize Automation Center 6.2

openssl pkcs12 -in C:\certs\identity\rui.pfx -clcerts -nokeys -out C:\certs\identity\rui.pem

openssl pkcs12 -in C:\certs\vcaca\rui.pfx -clcerts -nokeys -out C:\certs\vcaca\rui.pem

Importing the Certificate to your Identity Appliance

  • Login to your identity appliance on https://vCAC.ID.FQDN:5480
  • In my case https://techlabvri001.techlab.local:5480/
  • Click on the SSO tab.
  • Click on the SSL tab.

vRAD84

  • In the “Choose Option” field, click the drop down and select Import PEM encoded certificate.
  • Open the rui.key file for your vCAC ID appliance in a text editor.
  • Copy and paste the contents into the “RSA Private Key” field.

vRAD85

  • Open the rui.pem file for your vRA Identity appliance in a text editor.
  • Copy and paste the contents into the “Certificate” field.
  • Note: It is really important that it looks like the below certificate. if you get any random lines other than these, you need to remove them or it will not work

vRAD89

  • Enter testpassword into the “Pass Phrase” field.

vRAD86

  • Click the “Replace Certificate” button
  • You should now see the certificate imported

vRAD90

Importing the Certificate to your vRA Appliances

Note: Do this on both appliances!

  • Login to https://vRA.FQDN:5480
  • Click on the vRA Settings tab > Host Settings > SSL Configuration
  • In the “Choose Option” field, click the drop down and select Import PEM encoded certificate.
  • Open the rui.key file for your vRA ID appliance in a text editor.
  • Copy and paste the contents into the “RSA Private Key” field.
  • Open the rui.pem file for you vRA ID appliance in a text editor.
  • Copy and past the contents into the “Certificate” field.
  • Enter testpassword into the “Pass Phrase” field.
  • Click the “Replace Certificate” button.

NOTE: If you are replacing the certificates after having registered the vRA VA against the vRA ID VA you will need to re-enter the SSO settings on the vCAC Server to ensure that communications between the VAs are trusted.

1. Login to https://vRA.FQDN:5480 
2. Click on the vRA Settings tab then under Host Settings
3. Click on the SSO tab.
4. Re-enter the SSO Admin User and SSO Admin Password details and then click “Save Settings”.

Not performing this step will result in an error as shown below.

vRAD91

You should now see it is successful

vRA233

IaaS and Manager certificates

The order of operation is to first generate a PKCS12 formatted certificate. After a certificate is in PKCS12 format, it can be converted to PEM encoding and a DER encoded certificate can be generated from that PEM. In addition, an unencrypted key can be extracted from the PEM certificate

  • First I generated a new certificate template called vratemplate.cfg
  • I put in my 2 IaaS servers and the load balancer name in shorthand and FQDN.

vRA261

  • Open cmd.exe as Administrator and navigate to the c:\OpenSSL\bin directory

vRAD110

  • Run the following command replacing the highlighted parts with your own paths
  • openssl req -new -nodes -out C:\vracerts\techlabias001\techlabias001.csr -keyout C:\vracerts\techlabias001\techlabias001.key -config C:\vracerts\techlabias001\vratemplate.cfg

vRAD112

  • You should see the following keys created

vRAD113

  • Run the following command in OpenSSL to convert the keys to the RSA format required by the appliances
  • openssl rsa -in C:\vracerts\techlabias001\techlabias001.key -out C:\vracerts\techlabias001\techlabias001.key

vRAD115

  • Next go back to the certificate request home page
  • Click Request a certificate

vRAD116

  • Select Advanced certificate request

vRAD117

  • Click Submit a certificate Request by using a base- 64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

vRAD118

  • Open the .csr file and copy the request into the box
  • Make sure you select your VMware-SSL certificate

vRAD119

  • Click Submit
  • Click on Download certificate and Base 64 encoded
  • Save this certificate in your certificate folder. I named it techlabias001

vRAD120

  • You will now see your certificate

vRAD121

  • In the same page click on Download certificate chain

vRAD122

  • Save the certificate as cachain.p7b

vRAD123

  • Double click on this file and open it in the certificates console

vRAD124

  • Export the root file

vRAD125

  • Select Base 64 encoded

vRAD126

  • Save the file as root64.cer
  • You will see it as per below in your folder

vRAD127

  • Go back to OpenSSL and run the command to convert the certificates to PKCS format
  • openssl pkcs12 -export -in C:\vracerts\techlabias001\techlabias001.crt -inkey C:\vracerts\techlabias001\techlabias001.key -certfile C:\vracerts\techlabias001\root64.cer -name techlabias001 -passout pass:testpassword -out C:\vracerts\techlabias001\techlabias001.pfx

vRA315

You will now see your .pfx file in the folder

  • Next we need to import the CA issued certificate for the IaaS web server.
  • On the IaaS server, open the IIS Manager console.
  • Navigate to your Server instance, and open Server Certificates.
  • Select “Import” in the top right hand corner.
  • In File name, browse and select the PKCS file with the .pfx extension that represents the CA issued certificate for IaaS web server.
  • Type the password testpassword
  • Accept the default Place all certificates in the following store.
  • You should now see the imported certificate in your list
  • Navigate to your Default Web Site (the vCAC website) and select “Bindings”.
  • Select “https” and click “Edit”.
  • Click the SSL Certificate drop down and select your certificate, then click OK.

Note: The below information doesn’t need to be done. It’s just information I put here to remind me to look at in relation to replacing certificates

Register the new Certificate with the vCAC Appliance

  • Browse to c:\Program Files (x86)\VMware\vCAC\Server\Model Manager Data\cafe
  • Note: CAFE stands for Cloud Automation Framework Extensibility. Just in case you were wondering
  • Register the new certificates on your IaaS Server to the vCAC Appliance with the following set of commands:

vcac-config RegisterEndpoint –EndpointAddress https://techlabias001.techalab.local/vcac –Endpoint ui -v

vcac-config RegisterEndpoint –EndpointAddress https://techlabias001.techalab.local/vcac/SslCallback.aspx  –Endpoint ssl -v

vcac-config RegisterEndpoint –EndpointAddress https://techlabias001.techalab.local/Repository –Endpoint repo -v

vcac-config RegisterEndpoint –EndpointAddress https://techlabias001.techalab.local/WAPI –Endpoint wapi -v

vcac-config RegisterEndpoint –EndpointAddress https://techlabias001.techalab.local/WAPI/api/status –Endpoint status -v

  • Now you need to follow the exact same steps to generate the manager certificate

 

VMware vRealize Automation 6.2.2 Monitoring and Reclamation Part 7

magnifying glass

Monitoring and Reclamation

In vRA we need to know what to do when we need to identify and reclaim unused or underused resources and put in an automated solution to manage these.

Reclamation stages

  • Identify

Through endpoint discovery and data collection, vRA creates  list of machines and their characteristics. Using filtering capabilities, administrators can identify machines for reclamation which could be machines which have been powered off, machines that average low usage and machines where the users have left or been disabled in AD

  • Verify

After machines are identified, they are validated before being reclaimed. vRA use workflows to assist customers with the process along with approval processes

  • Reclaim

Once machines are identified for reclamation, vRA goes through the process of reclaiming. Some machines may need to be archived before being removed completely.

  • Improve

Reclamation is designed to improve efficiency and use. Reporting and cost savings are used to manage machines in order to track and monitor environments

Where is Reclamation in vRA?

Tenant Administrators perform reclamation tasks

  • Go to Administration > Tenant Machines > Reclamations
  • The below page appears

vRA218

  • The tenant administrator can search for underused machines by CPU, memory, disk, network use or idle machines  (Idle meaning a machine which is powered on but with no statistics)

Thresholds

vRA219

Reclamation Requests and Notifications

The tenant administrator submits a reclamation request specifying the lease length and reason for the request which can then be monitored

  • Go to Administration > Tenant Machines > Reclamations
  • Select the machine you want to use
  • Click Reclaim Virtual machines

vRA220

  • The next screen has 3 options
  • New lease length (A new amount of lease time is assigned to the machine where if the owner does not respond to the lease request, the machine is powered off an destroyed, if no archive period was set in the blueprint)
  • Wait before forcing lease (days) (This is the time within which the owner of a machine must respond to prevent a new lease from being applied to the machine)
  • Reason for request

vRA221

  • If an archive period was set, the machine is expired and cannot be powered on until the lease is reset
  • If the lease is not reset at the end of the archive period, the machine is destroyed and the resources are reclaimed
  • Go to the Inbox of the owner. As this is me, I just click Home > My Inbox and I can see the reclamation request which has come in to me

vRA227

  • Click on this request and select an option
  • One of 3 actions can be taken on a reclamation request
  • The machine owner can select Release for reclamation where the machine is reclaimed and immediately destroyed if no archival period was specified in the blueprint
  • The machine can select item in use. No action is taken and the administrator is notified that the machine should still be used
  • The machine owner can take no action. In this case the machine is assigned a new lease based on the reclamation request. If the owner does not respond, it is powered off and destroyed if no archival period was set. During the archival period, the machine cannot be powered on until the lease is reset

vRA228

There are 3 states of reclamation requests

  • Pending (Request submitted to the machine owner)
  • Approved (The machine owner has released the machine for reclamation)
  • Rejected (The machine owner has responded that the machine is still in use)

Machine Leases

These are the time periods given to a machine which determine how long they should be active for. Machine leases are used by tenant admins and business group managers

  • Leases can be assigned to blueprints
  • Leases can be assigned to a machine after it is provisioned
  • Leases can be changed after a machine is provisioned
  • if a lease is not assigned then the machine does not have an expiration date
  • Multimachines have one lease date which is applied to all machines in the service

Home Page Portlets

Tenant Administrators can monitor and report reclamation savings by adding portlets to the home page

  • Log into https://vRA_Apppliance.FQDN/shell-ui-app
  • Click Home and at the right side of the screen, click the pencil icon and select Add Portlets

vRA223

  • Choose the portlets you want
  • They can then be dragged and re-arranged on your home page

vRA224

  • Users can add portlets but if they don’t have permissions then no data will appear

vRA225

  • You can also export data as a .csv file

vRA226

 

VMware vRealize Automation 6.2.2 Extensibility, Orchestrator and ASD Part 6

vRARobot2

Extensibility

There are several challenges involved with automating self service provisioning to enforce governance, minimise user input and provide audit and accounting functionality. vRA can be transformed by using extensibility products such as Advanced Service Designer and VMware vCenter Orchestrator

vCenter Orchestrator

  • Library of workflows and plug-ins which include VMware and partner developed solutions which facilitate integration with existing tools and infrastructure
  • Orchestrator comes built in with vRA or an external Orchestrator server can be used in place of the built in server
  • Blueprints can be created from vCenter Orchestrator workflows and published as catalog items
  • Includes an API which allows an external ecosystem of partners to develop reusuable plugins.
  • Using cluster mode configuration, a collection of Orchestrator nodes can work together and share a common database
  • The extended REST API allows automatic configuration and installation of the necessary vCenter Orchestrator nodes
  • The extended REST API also provides dynamic scale up and scale down of the orchestration capacity when Orchestrator is used with an external load balancer
  • Fully equipped with a workflow debugger

Advanced Service Designer

  • Service Architects can create and publish advanced services to the service catalog. Using the capabilities of ASD, custom resources can be created and mapped to vCenter Orchestrator types and defined as items to be provisioned and managed.
  • Allows administrators to add custom logic to any of the 10 built in IAAS customisable workflows
  • IAAS workflows are created using MS Windows Workflow Foundation which is a part of .NET Framework 4
  • vRA also contains 6 state change workflow templates that can be edited to contain custom logic. These can call out to vRA for bidirectional integration with external management systems
  • You can create up to 4 custom menus
  • Provides a visual workflow editor for customising IAAS workflows

Use cases for extensibility

  • Leverage existing infrastructure and future infrastructure (Multivendor and Multicloud)
  • Configure personalised business relevant services by using custom properties or metadata tags
  • Integration with 3rd party management systems (CMDB, iPAM, Load Balancers and Service Desk apps)
  • ASD is a new feature in vRA 6. Administrators can leverage vCenter Orchestrator workflows and plugins and create new Day 2 operations as custom services
  • vRA provides a RESTful API which can be used to call vRA application and infrastructure services from third party or custom applications

Plugins

Available plugins can be found at http://solutionexchange.vmware.com

Custom Services

The following are examples of what can be done

  • New employee onboarding
  • E-mail box setup
  • Storage and networking services
  • Backup and recovery
  • Security and compliance
  • Software install/update
  • Password management

Cloud Util

CloudUtil is a command line interface to Model Manager. It enables admins to install, configure and update entities in the Model Manager. It also

  • Creates and manages skills
  • Stores and manages files
  • Installs custom machine operations

With a vRA Development Kit License, additional functionalities are available such as

  • Installing and managing custom workflows and models created in MS Visual Studio
  • Install custom models and supporting assemblies
  • Generate client classes for a custom model
  • Install custom events and schedules used to trigger workflows
  • Install new workflows

The ASD Console

The Toolbox pane

The Toolbox pane provides access to the vRA workflow activity library where activities for using PowerShell and vCenter Orchestrator integrate vRA with external systems. Common activities used in workflows include

  • InvokeRepositoryWorkflow = Executes a workflow installed in Model Manager
  • GetMachineName = Gets a machine’s name
  • GetMachineOwner = Gets a machine’s owner
  • GetMachineProperties = Gets the list of custom properties associated with a machine
  • GetScriptFromName = Get’s contents of the script stored in the Model Manager under the specified name
  • InvokePowerShell = Executes a PowerShell command
  • InvokeSshCommand = Executes an SSH command
  • LogMachineEvent = Logs a machine event to the user log that is visible to the machine owner
  • RunProcess = Exceutes a process on the same machine as the DEM that executes this activity
  • SendEmail = Sends an email to the given set of addresses
  • SetMachineProperty = Creates or updates a custom property on the machine
  • InvokeVcoWorkflow = Calls a vCenter Orchestrator workflow and blocks further execution of its parent vRA workflow until the vCenter Orchestrator workflow completes
  • InvokeVcoWorkflowAsync = Calls a vCenter Orchestrator workflow and continues to execute activities in vRA without waiting for the vCenter Orchestrator workflow to complete

Extending built in Workflows using Workflow templates

Using ASD, the 10 out of the box workflow templates can be modified to implement custom logic. 6 of these are State change templates and 4 are menu operation workflow templates

The 6 State Change Templates

Each of these 6 state change templates ma to a specific state of the machine lifecycle. They can be modified and then referenced against a blueprint so the customisation can be applied to a machine derived from that template. As an example all machines might require a custom name derived from a naming convention. Using the WFStubBuildingMachine workflow template could meet this criteria

The 4 Menu Operation Workflow Templates

These 4 templates can be used to implement 4 custom menus with their own functionality. Menu operation workflows are implemented when a user selects a menu from the vRA console. An example could be a menu that enables a user to backup a machine

Defining variables

Defining variables is a critical step in the extensibility process. Information must be defined that is required for the workflow and is the source of that information.

For example. The MyScriptText variable is a string and is used to identify the custom code to be loaded from the PowerShell script which is loaded into Model Manager

Adding State Change Workflow Template to a Blueprint

  • Go to Infrastructure > Blueprints > Blueprints > Edit your Blueprint
  • Select Properties
  • Select New Property

vRA115

Workflow Versioning

You can always revert back to previous versions of a workflow stub by loading the version you want and sending it back. You don’t overwrite the existing version as it created a more recent version which becomes the default version. The Model Manager might store and display multiple versions of a workflow but the DEMs always execute the most recent version of a workflow and not earlier versions

Working with a vCenter Orchestrator Workflow

Workflows can be called synchronously or asynchronously. Some workflows require user interaction and the prompt appears in the vCenter Orchestrator client rather than vRA. To avoid this don’t use workflows which require user interaction from vRA

  • Synchronous

The InvokeVcoWorkflow calls a vCenter Orchestrator workflow and blocks further execution of it’s parent vRA workflow until the vCenter Orchestrator workflow completes

  • Asynchronous

The InvokeVcoWorkflowAsync calls a The InvokeVcoWorkflow workflow and continues to execute activities in the vRA workflow without waiting for the vCenter Orchestrator workflow to complete

vCenter Orchestrator as an endpoint

vRA must be defined as an endpoint to use vCenter Orchestrator

Workflows are built mainly by using existing building blocks

  • Workflows
  • Actions
  • Resource Elements
  • Predefined scriptable tasks

There are more than 200 ready to use workflows included with vCenter Orchestrator

vCenter Orchestrator integration techniques

  • Create a vCenter Orchestrator endpoint in vRA

Using an endpoint, vRA can invoke vCenter Orchestrator workflows

At least one vCenter Orchestrator endpoint is required

Each endpoint must have a unique priority

  • Install vRA plug-in into vCenter Orchestrator

Using a plug-in, vCenter Orchestrator can manage vRA entities

A plug-in automates the configuration of vRA IAAS workflows

A plug-in includes many predefined workflows

Configure an embedded vCenter Orchestrator

vRA includes a built in version of Orchestrator which can be used for running workflows in additional to separate external Orchestrator services

  • Putty into the vRA appliance (where the embedded Orchestrator is)
  • First start the vco-server service
  • Type service vco-server start

vco1

  • Next start the vco-configurator service by logging into the vRA appliance via Putty and typing service vco-configurator start

vRA326

  • Navigate to https://your-VA-appliance:8281/vco

vROConfig

  • If you have an issue accessing the Orchestrator webpages, you can check in vRA whether then Orchestrator service is connected by clicking Test Connection

vco3

  • If you experience connection issues you can also type vcac-vami vco-service-reconfigure in the vRA appliance putty page
  • If you encounter a Diffie Hellman error please google for fixes
  • Type https://your-vRA-appliance:8281
  • You should see this page. Click Start Orchestrator client

vRAConfig38

  • You should see a few prompts such as below from Java

vRA330

  • Log in

vRA229

  • You should now see the Orchestrator application

vRA230

  • In order to configure Orchestrator type in https://your-vRA-server:8283/vco-config/ to access the appliance configuration

vRA327

  • The default username and password is vmware and vmware
  • You will be prompted to change it
  • Password must have an uppercase letter and a special character

vRA328

  • You should now be logged into Orchestrator configuration webpage
  • Have a click through the configuration options
  • I clicked on Network and changed the IP address from 0.0.0.0 to my vRA appliance address

vco2

  • You need to add the vCenter certificate in to the SSL Trust Manager. You will also need to add the Platform Services Controller if you use this with vSphere 6

vco1

  • You need to add your IAAS Server with the FQDN and add the vRA appliance if this is not here but mine already was. (if it is embedded and not external)

vRA148

  • You should see your certificates

vRA149

  • Next go back and log into your vRA appliance https://vRA_Appliance.FQDN/shell-ui-app
  • Go to Infrastructure > Endpoints > Credentials > Add new credentials

vRA150

  • Put in vCO as the Name
  • Put in administrator@vsphere.local as the username
  • Put in the password

vRA151

  • Go to Endpoints > New Endpoint > Orchestration > vCenter Orchestrator

vRA152

  • Fill in the details

vRA153

Install the vSphere Orchestrator Client

  • Go to https://vRA_Appliance.FQDN:8281/vco
  • Click Start Orchestrator client

vRA154

  • I got an error saying Windows cannot open .jnlp files so I had to select open with then navigate to my java folder and choose javaws
  • Whatever you do don’t update from version 1.7 to 1.8 or things will break
  • You should then see the below 2 screens

vRA155

vRA156

  • You should then see the logon screen for vCO appear

vRA157

  • A certificate warning will appear

vRA158

  • vCenter Orchestrator will now open

vRA159

  • Click Administer

vRA160

  • Expand VCAC and Active Directory in the Inventory section. You should see these are empty although there may already be something in vCloud Automation Center

vRA161

  • Select Run
  • Go to Workflows
  • Go to Library > Microsoft > Active Directory > Configuration > Configure Active Directory

vRA162

  • Click Start Workflow
  • Put in the following details

vRA163

  • Click Use a Shared Session
  • Put in your credentials

vRA164

  • Next in the same Workflow screen, navigate to Library > vCloud Automation Center > Configuration > Add the IAAS host of a vCAC host

vRA175

  • Right click on Add the IaaS host of a vCAC host and select Start Workflow

vRA176

  • Click Next

vRA177

  • Click Next

vRA178

  • Click Next

vRA179

  • Click Submit
  • You should see a green tick and confirmation in the events screen on the right that everything has started

vRA180

Configuring the vRA workflows templates from vCenter Orchestrator

  • In Orchestrator, navigate to the below menu in Workflow view

vRA171

  • Right click Install vCO customization and select Start Workflow
  • In the Install vCO customization dialog box choose Not Set and select your vRA server

vRA172

  • Click Next

vRA173

  • Click Next

vRA174

  • Click Submit

vRA181

  • If you now go back to the ASD and click Load, you will see the new versions of the state change templates (Note you may need to install ASD first, in which case there are instructions further down this post)

vRA182

Configuring a state change workflow from vCenter Orchestrator

  • Go to https://vRA_Appliance.FQDN/shell-ui-app
  • Go to Infrastructure > Blueprints > Blueprints > Edit your Blueprint
  • If any custom properties are attached to the blueprint then remove them
  • Next log into vCenter Orchestrator > Library > vCloud Automation Center > Infrastructure Administration > Extensibility

vRA183

  • Right click Assign a state change workflow to a blueprint and select Start Workflow
  • Click Not set and chose the VRA server

vRA184

vRA193

  • Click the Array field

vRA186

  • Click Insert Value

vRA187

  • Expand down until you can see your Blueprint

vRA188

  • Click Add
  • Click Select

vRA189

  • Click Accept > Next
  • Click on Workflow template

vRA190

  • Type Tools into filter > Select Mount tools installer

vRA191

  • Click Select
  • Select Submit

vRA192

  • Go to https://vRA_Appliance.FQDN/shell-ui-app
  • Click Infrastructure > Blueprints > Blueprints and edit your blueprint
  • Click Properties
  • Review the settings. You can see that Orchestrator added the new required custom property

vRA194

  • You can then go through the process of requesting a VM and seeing if it has indeed mounted the CD Drive

Installing the ASD

  • Go to https://vRA_Appliance.FQDN:5480/installer
  • Click vRealize Automation Designer

vRA117

  • On the Welcome Page click Next

vRA118

  • Accept the License agreement

vRA119

  • Check the location for the install is correct and click Next

vRA120

  • Put in the IAAS server FQDN. In my case it is dacvtst003.dacmt.local
  • Put in a username and password

vRA121

  • Click Install

vRA122

Configuring ASD Endpoints for VMware vCenter Server

  • Log into https://VRA_Appliance.FQDN/shell-ui-app
  • Go to Administration > Users and Groups > Custom Groups
  • Add an AD group and add to Service Architects

vRA195

  • Click Next

vRA196

  • Next go to Administration > Orchestrator Configuration > Endpoints
  • Click Add

vRA197

  • Choose Active Directory from the drop down menu

vRA198

  • Type a name. I’ve just called mine Active Directory

vRA199

  • Type in the details

vRA200

  • Next add an endpoint for vCenter

vRA201

  • Put in a name

vRA202

  • Fill in all details

vRA203

  • Add a user and password

vRA204

  • You should now see your 2 endpoints

vRA205

  • Log out of vRA and you may need to log out of the server and back in again. As you can see below this will add the Advanced Service Designer tab to vRA

vRA206

vRA207

Create and publish a service to change an AD Users password

  • Log into https://VRA_Appliance.FQDN/shell-ui-app
  • Click the Advanced Services tab
  • Select Service Blueprints
  • Click the + sign next to Service Blueprints

vRA208

  • Expand Library > Microsoft > Active Directory > User
  • Click Next

vRA209

  • Click Next

vRA210

  • Click the pencil icon to bring up the edit box and change the name to user and the type to search

vRA211

  • Click Submit
  • Click Next

vRA212

  • Click Add
  • In the list of Service Blueprints select Action > Publish

vRA213

  • Go to Administration > Catalog Management > Services

vRA214

  • Add a name for the password service and set to active

vRA215

  • Select Catalog Items
  • Select your service and select Configure

vRA216

  • On the Service drop down, select User Password Support or whatever you have named your service

vRA217

  • Click Update
  • Now select Entitlements from the left hand menu and click Add

vRA218

  • Put in a name and set to active and add the relevant users and groups

vRA219

  • Click Next
  • Click Entitled Services and add your service

vRA220

  • Log out and in again and check that when you click on the catalog tab that you see the Change a user password service

vRA221

Looking further into Advanced Service Designer

  • On the desktop, click vRealize Automation Designer
  • On the vRA Automation Designer ribbon, click Load

vRA124

  • You will get the following box

vRA125

  • Select the WFStubBuildingMachine workflow stub. If multiple versions exist, select the revision 0 version

vRA126

  • You should see the below screen

vRA127

  • In the Try area, double click the Building Machine activity

vRA128

  • Double click the Custom Code activity as highlighted above

vRA129

  • At the bottom of the design surface in the middle pane, click Variables and click Create Variable

vRA130

  • Add the following variables
  • Name = HelloMsg
  • Variable Type = String
  • Scope = Custom Code
  • Default = “Hello User”

vRA131

  • In the Toolbox pane on the left hand side, drag the SetMachineProperty activity to the design surface underneath Start
  • Connect Start to SetMachineProperty by pointing to the bottom of Start and dragging a connecting Line between them

vRA132

  • Select the SetMachineProperty activity and set the following properties in the Properties pane on the right panel

vRA133

  • Click Send on the top menu
  • Click ok to the message Send Workflow to Model Manager

vRA134

  • In the success dialog box, click OK

vRA135

Assign the Building Machine Workflow to a blueprint

  • Log into https://vRA_Appliance.FQDN/shell-ui-app
  • Go to Infrastructure > Blueprints > Blueprints
  • Edit your Blueprint
  • Click Properties > New Property
  • Add 2 custom properties to the blueprint
  • Click the green tick when complete and click OK

vRA136

  • Logout and log in again
  • Go to Catalog and request your VM
  • Monitor the build in Requests
  • Once built go to Items select your machine and click the View Details tab

vRA137

  • Click the Properties tab and check the value

vRA138

n

 

 

VMware vRealize Automation 6.2.2 Configuration and Management Part 5

vRARobot

Cost Profiles

Fabric administrators can associate compute resources and physical machines with cost profiles to enable calculation of a machine’s cost. The cost is displayed to machine owners, requesters, approvers, and administrators at various points in the request and provisioning life cycle.

A cost profile includes the following values for daily cost:

â– 

Cost per GB of memory capacity specified in the virtual blueprint or installed in the physical machine

â– 

Cost per CPU specified in the virtual blueprint or installed in the physical machine

â– 

Cost per GB of storage capacity as specified in the virtual blueprint (not used for physical machines, because storage attached to physical machines is not discovered or tracked)

For finer definition of storage cost for virtual machines, you can also associate each known datastore on a compute resource with a storage cost profile. A storage cost profile contains only a daily cost per GB of storage. If you assign a storage cost profile to a datastore, this storage cost overrides the storage cost in the cost profile assigned to the compute resource.

For virtual machines, the machine cost is calculated from the cost profile and storage cost profile on the compute resource, the resources it consumes, and the daily blueprint cost. You can use the blueprint cost to represent a markup for using the machine in addition to the resources that the machine consumes, for example to account for the cost of specific software deployed with that blueprint.

For physical machines, the machine cost is calculated from the cost profile on the machine, the CPU and memory on the machine, and the daily blueprint cost. You can use the blueprint cost to represent such factors as storage cost or additional costs for using the machine.

You cannot apply cost profiles to machines provisioned on Amazon Web Services or Red Hat OpenStack. For machines provisioned on these cloud platforms, the only cost factor is the daily cost in the blueprint from which it was provisioned. The cost for vCloud Director vApps includes any cost profile and storage cost profile on the virtual datacenter and the blueprint cost.

Create a Cost Profile 

Fabric administrators can create cost profiles and associate them with compute resources to enable calculation of a machine’s cost.

  • Select Infrastructure > Compute Resources > Cost Profiles.

vRA70

  • Click New Cost Profile
  • Type new values in for each resource

vRA71

  • You can also add a Storage Cost Profile for storage of different performance capabilities such as High, Medium and Low cost storage

Using Custom Properties on Blueprints

You can modify a machine using custom properties throughout the lifecycle of the machine

  • Request
  • Provision
  • Manage
  • Retire

As an example they can modify the following

  • Specify the WIM image or PE environment image to use for install
  • Define the number of cores per socket
  • Place the machine in an OU
  • Place the machine in an inventory folder in vCenter
  • Change the network a machine is attached to
  • Update a CMDB

Custom properties can be defined for the following objects

  • Business Groups
  • Compute Resource
  • Build Profiles
  • Reservations
  • Endpoints
  • Blueprints
  • Storage

Useful Link

http://www.vmware.com/support/pubs/vcac-pubs.html

Set up Custom Properties

As an example I want to add a custom property to a blueprint which puts my machine in a specific folder in vCenter

  • Go to Infrastructure > Blueprints > Select your blueprint and click Edit
  • Click on the Properties tab

vRA77

  • Add in VMware.VirtualCenter.Folder and type in a name for the inventory folder in vCenter that you want to use which provisioned machines will go into. In my case I have called it vRA.
  • Next go to Infrastructure > Groups > Business Groups > Click edit on your business group

vRA78

  • Click New Property
  • Type in the name and value of your custom property.
  • Name = VMware.Virtual.Center.Folder
  • Value = vRA

vRA79

  • Go to Catalog and request a Virtual Machine again
  • Once deployed, check vCenter has deployed the machine to the vRA folder and not the vRM folder

vRA80

Add Location Information

  • Go to c:\Program Files (x86)\Vmware\vCAC\Server\Website\XmlData
  • Right click DataCenterLocations and click Edit
  • Copy the line with Boston in it and paste it underneath

vRA81

  • Change all instances of Bolton with a new location

vRA82

  • Save the file
  • Go back to your vRA webpage and go to Infrastructure > Blueprints > Blueprints
  • Click Edit on your Blueprint
  • Click the Display Location on request

vRA83

  • Click OK and logout
  • Log back in and go to Infrastructure > Compute Resources > Compute Resources
  • Click Edit
  • From the location menu click the location you want

vRA84

Other Custom Property Options

  • Hostname

This can be used to prompt a user to put in a hostname other than the ne defined by the machine prefix on the blueprint

  • VirtualMachine.Admin.ThinProvision

This option forces a new machine to be thin provisioned on the storage device

vRA85

Build Profiles

A build profile is a set of properties to be applied to a machine when it is provisioned. It can be used for the following

  • Determining the spec of a machine
  • Determine how the machine is provisioned
  • Determine the operations to be performed after the machine is provisioned
  • Manage information about the machine

Build Profiles are attached to Blueprints and the spec of the build profile is available to business group users who have access to the blueprints

Build Profiles are constructed from default property sets or custom properties. Default sets include

  • ActiveDirectoryCleanupPlugin
  • CitrixDesktopProperties
  • PxeProvisioningProperties
  • SysprepProperties
  • VmwareXXXXXProperties

Creating a Build Profile

  • Go to Infrastructure > Blueprints > Build Profiles

vRA86

  • Click New Build Profile
  • Add a name and description
  • From the Add from property set drop down list, select ActiveDirectoryCleanUpPlugin

vRA87

  • In the Plugin.AdMachineCleanup.UserName, click Edit and add the username of a domain admin. In my case dacmt\administrator
  • In the Plugin.AdMachineCleanup.Password, click Edit and add the password of a domain admin
  • Make sure you click the green tick to confirm the changes
  • Logout
  • Login again
  • Click Infrastructure > Blueprints > Blueprints
  • Click Edit on your Blueprint
  • Click the Properties tab
  • Select the Remove from AD Build build profile

vRA88

The Property Dictionary

The Property Dictionary can be used with custom properties to create a customised interface. You can statically or dynamically define the interface with the following data specification options

  • Data validation
  • Defined constraints on data values
  • Tooltip
  • Optional data
  • Ordered user control layouts

Using the Property Dictionary helps stop mistakes which occur when the data value of a custom property is passed into extensibility tools like Orchestrator and Powershell

When users request new machines they are prompted for these custom properties in the form of a required text box, drop down menu or buttons and more

  • Go to Infrastructure > Blueprints > Property Dictionary
  • On the Property Dictionary page, click New Property Definition

vRA89

  • Fill in the required details
  • Click required and then click the green arrow

vRA90

  • Click Edit under Property Attribute

vRA91

  • Click New Property Attribute

vRA92

  • Add in the below values

vRA93

  • Log off
  • Log on again and go to Infrastructure > Blueprints > Blueprints and edit your blueprint and select the Properties tab
  • Select New Property

vRA94

  • Type Custom.StorageTier in to the name an leave the value blank with Prompt user selected

vRA96

  • Click OK
  • Go to Catalog > Request your machine
  • Look at the new option you have on the interface for Storage Tier

vRA95

  • Note: vRA does not directly use storage tiering. You have to use custom properties and workflow modification with vSphere PowerCLI or Orchestrator

Approval Policies

Any catalog item or entitled action can be subject to an approval. The Approval Policies must first be defined by either a tenant administrator or a business group user and set as active before they appear in an entitlement

There can be multi levels of approvals with all different Boolean conditions as to how the policy can be approved across these levels.

Active and Linked approvals can only be cloned not edited

Creating an Approval Policy

  • Click the Administration tab > Users and Groups > Custom Groups
  • Search for the user or group you want to add as an approver

vRA98

  • Click Next
  • Add in the users who you want to be Appprovers

vRA99

  • Next go to Administration > Approval Policies

vRA101

  • Click Add

vRA102

  • Click OK
  • I am going to create a vCPU approval policy
  • Put in the name and set to Active

vRA103

  • Click the green plus sign next to Levels
  • Fill in the required information

vRA106

  • Click Add and Add again
  • Log out
  • Log in again
  • Click Administration > Catalog Management > Entitlements
  • Highlight your Blueprint and click Edit

vRA107

  • Click Items and Approvals
  • Click Entitled Catalog Items and Modify Policy

vRA108

  • Click the drop down menu and select your policy. Note apologies I had to recreate mine as CPU > 2

vRA109

  • Click on Catalog > Request and select your VM
  • Change the vCPUs to 4

vRA110

  • Click Submit
  • Now look at the Request tab where we should see the request sitting in the pending approval status

vRA111

  • If you click on the request and select view details, it will show you who is the approver

vRA112

  • Click on Inbox > Approvals as I am already logged in as myself as the approver

vRA113

  • Click View Details and select whether to Approve or Reject

vRA114

  • This concludes the configuration and management Part 5
  • Part 6 will go into more of the extensibility options like Advanced Service Designer and Orchestrator

 

 

VMware vRealize Automation 6.2.2 Configuration and Management Part 4

vRARobot2

Blueprints

Blueprints are used to define a machines attributes and methods of provisioning. These blueprints are then added into the Service Catalog ready for users to provision machines. There are 4 different types

  • Cloud
  • Physical
  • Virtual
  • Multimachine (New in vRA 6)

A user can request VMs if the below conditions are met

  • The Blueprint is published as a catalog item
  • The item is added to a service
  • The user is entitled to use the service

Configuring Blueprints

  • Go to Infrastructure -> Blueprints -> Blueprints

vRA40

  • Click New Blueprint > Virtual > vSphere (vCenter)

vRA41

  • Put in a name. I am going to call mine Windows2012Blueprint
  • Put in a description
  • (Optional) Select the Master check box to allow users to copy your blueprint.
  • (Optional) Select the Display location on request check box to prompt users to choose a datacenter location when they submit a machine request. This option requires additional configuration to add datacenter locations and associate compute resources with those locations
  • (Optional)Choose your reservation policy
  • Choose the machine prefix you have previously set up
  • Choose the maximum amount of VMs which can be deployed from this blueprint per user
  • Specify the number of days to archive machines provisioned from this blueprint, just keep it at 0 for now. Archive defines the number of days that an expired virtual machine remains available for activation. A zero value destroys the VM upon expiration
  • Add in any additional costs for chargeback purposes. These costs will be added to anything that is set in a cost profile. so you can add in a OS licensing cost or specific application cost for this VM

vRA45

  • Click Build Information
  • The build information tab options define the type of blueprint, the provisioning action and the associated workflow
  • In Blueprint type, the options are Server / Desktop / Hypervisor
  • In Action, the options are Create, Clone, Linked Clone and NetApp FlexClone. Using the Create option creates an empty container. The clone option creates a new machine as a full copy and the Linked Clone option deploys a space efficient copy based on snapshots and chains of delta disks

vRA46

  • Next the blueprint provisioning workflow option vary depending on what blueprint action you selected
  • Next we need to select a template to clone from

vRA51

  • Next Choose a customisation spec. A customization specification is required only if you are cloning with static IP addresses. However, you cannot perform any customizations of Windows machines without a customization specification object. For Linux clone machines, you can use a customization specification, an external script, or both to perform customizations.

vRA48

  • In Machine Resources, you can define the maximum and minimum resources that can be chosen by a user who wants to provision a VM from this blueprint.  It’s optional but you can specify maximum amounts of vCPU, RAM, and HDD space that can be assigned to this blue print which gives a user the ability to customize to their specific application
  • Next click the Properties tab
  • Additional information can be provided during the provisioning process using Custom Properties
  • Custom Properties can be used throughout the lifecycle of a machine

vRA49

  • Options for customising properties can include

Specifying the O/S to be used during provisioning

Customizing the O/S

Link for Custom Properties for Basic Workflow Blueprints 

http://pubs.vmware.com/vra-62/index.jsp#com.vmware.vra.iaas.virtual.doc/GUID-15B1491D-BECF-40DE-9F2C-315975476B3B.html

Integrating the machine with an external system

  • Click the Actions tab
  • Actions identify the operations that can be carried out on a VM provisioned from a blueprint with additional custom actions being defined in Advanced Services Designer and entitled to users

vRA50

  • Click OK to finish
  • You should now see your blueprint

vRA52

Publishing a Blueprint

  • Navigate to Infrastructure > Blueprints > Blueprints. Highlight your new blueprint and click on Publish to publish the blueprint to the vRA catalog

vRA53

  • You should now see that it is published

Service Catalog

The Service Catalog is a self service portal where users can locate the items they want to request and track requests and manage provisioned items.

Using Service Categories, catalog items can be organised into containers such as Linux, Windows or User Support

  •  Go to Administration > Catalog Management > Services. Click on the green “+” sign to add a new service.

vRA54

  • Fill in the required data and choose an icon as necessary to reflect the Service, in my case Windows

vRA55

  • You should now see your service

vRA56

  • Click on Manage Catalog Items. A catalog item must be associated with a service before it can be requested

vRA57

  • Click the green + sign

vRA58

  • Choose your catalog item. In my case the Windws2012 item

vRA59

Create an Entitlement to the catalog item

  • Go to Administration > Catalog Management > Entitlements and click on the green “+” mark

vRA60

  • Fill in your details

vRA61

  • Click Next
  • Click the green + sign next to Entitled Services and select your service

vRA62

  • Click the green + sign next to Entitled Catalog items and select your Catalog item

vRA63

  • Click the green + sign next to Entitled Actions and select your Actions

vRA64

  • Click OK and you should now see your entitlements

vRA65

Provision a machine

  • Go to the Catalog tab and check if your service is available

vRA66

  • Click Request
  • Check the details and modify the request reason
  • Remember you can only modify the resources up to the maximum set in the blueprint and sometimes these are subject to approval policies as well. (Which haven’t been covered yet)

vRA67

  • Click Submit and the VM should be provisioned in vCenter
  • Click the Requests tab to monitor the request

vRA68

  • If you log into vCenter and go to Virtual Machines and Templates, you will see that vCAC by default will place all provisioned machines into a vCenter folder named VRM.  You can override this using the custom property VMware.VirtualCenter.Folder to tell vRA where to place the provisioned machine.
  • My machine is dacv001

vRA69

  • If you click on the Items tab once the machine is provisioned, you can manage some actions which are controlled by entitlements

vRA72

Taking a snapshot

  • Click on Items
  • Click on the Owned by drop down menu and change this to “All groups I manage”
  • Click on View Details

vRA73

  • Click New Snapshot

vRA74

  • vRA allows one snapshot per machine and no age limits
Optimization WordPress Plugins & Solutions by W3 EDGE