VMware vRealize Automation - 6.2 Installation Manual

Download

Page 1

Installation and

Conﬁguration

vRealize Automation 6.2

Page 2

Installation and Configuration

You can find the most up-to-date technical documentation on the VMware website at:

https://docs.vmware.com/

If you have comments about this documentation, submit your feedback to

docfeedback@vmware.com

VMware, Inc.

3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com

VMware, Inc. 2

Page 3

vRealize Automation Installation and Configuration 8

Updated Information 9

vRealize Automation Installation Overview 11

vRealize Automation Installation Components 11

VMware Identity Appliance 12

VMware vRealize Appliance 12

vRealize Automation Infrastructure as a Service 12

Choosing Your Deployment Path 15

Upgrading vRealize Automation 15

Migrating to vRealize Automation 16

Minimal Deployment Overview 17

Distributed Deployment Overview 17

Preparing for Installation 20

DNS and Host Name Resolution 20

Hardware and Virtual Machine Requirements 20

Browser Considerations 21

Password Considerations 21

Windows Server Requirements 21

IaaS Database Server Requirements 22

IaaS Web Service and Model Manager Server Requirements 22

IaaS Manager Service 24

Distributed Execution Manager Requirements 24

Port Requirements 27

User Accounts and Credentials Required for Installation 29

Security 31

Certificates 31

Security Passphrase 32

Third-Party Software 33

Time Synchronization 33

VMware, Inc.

Minimal Deployment Checklist 34

Minimal Deployment 35

Minimal Deployment Checklist 35

Page 4

Installation and Configuration

Deploy and Configure the Identity Appliance 36

Deploy the Identity Appliance 36

Enable Time Synchronization on the Identity Appliance 38

Configure the Identity Appliance 39

Deploy and Configure the vRealize Appliance 41

Deploy the vRealize Appliance 41

Enable Time Synchronization on the vRealize Appliance 43

Configure the vRealize Appliance 43

Installing IaaS Components 47

Enable Time Synchronization on the Windows Server 47

IaaS Certificates 47

Install the Infrastructure Components 47

Distributed Deployment 54

Distributed Deployment Checklist 54

Distributed Installation Components 55

Disabling Load Balancer Health Checks 56

Certificate Trust Requirements in a Distributed Deployment 57

Installation Worksheets 58

Deploy Appliances for vRealize Automation 60

Deploy the Identity Appliance 61

Deploy the vRealize Appliance 62

Configuring Your Load Balancer 64

Configuring Appliances for vRealize Automation 64

Configure the Identity Appliance 64

Configure the Primary vRealize Appliance 68

Configuring Additional Instances of vRealize Appliance 75

Install the IaaS Components in a Distributed Configuration 84

Install IaaS Certificates 86

Download the IaaS Installer 87

Choosing an IaaS Database Scenario 88

Install the Primary IaaS Website Component with Model Manager Data 93

Install Additional IaaS Website Components 97

Install the Primary Manager Service 100

Install an Additional Manager Service Component 102

Installing Distributed Execution Managers 105

Configuring Windows Service to Access the IaaS Database 108

Verify IaaS Services 108

Installing Agents 110

Set the PowerShell Execution Policy to RemoteSigned 111

Choosing the Agent Installation Scenario 111

VMware, Inc. 4

Page 5

Installation and Configuration

Agent Installation Location and Requirements 112

Installing and Configuring the Proxy Agent for vSphere 112

vSphere Agent Requirements 112

Install the vSphere Agent 114

Configure the vSphere Agent 117

Installing the Proxy Agent for Hyper-V or XenServer 118

Hyper-V and XenServer Requirements 118

Install the Hyper-V or XenServer Agent 118

Configure the Hyper-V or XenServer Agent 121

Installing the VDI Agent for XenDesktop 122

XenDesktop Requirements 122

Set the XenServer Host Name 123

Install the XenDesktop Agent 123

Installing the EPI Agent for Citrix 126

Citrix Provisioning Server Requirements 126

Install the Citrix Agent 127

Installing the EPI Agent for Visual Basic Scripting 129

Visual Basic Scripting Requirements 129

Install the Agent for Visual Basic Scripting 130

Installing the WMI Agent for Remote WMI Requests 132

Enable Remote WMI Requests on Windows Machines 132

Install the WMI Agent 132

Configuring Initial Access 135

Configure the Identity Stores for the Default Tenant 135

Configure a Native Active Directory Identity Store 135

Configure an OpenLDAP or Active Directory Identity Store 136

Appoint Administrators 138

Provide the Infrastructure License 139

Configuring Additional Tenants 140

Tenancy Overview 140

User and Group Management 141

Comparison of Single-Tenant and Multitenant Deployments 141

Create and Configure a Tenant 145

Specify Tenant Information 146

Configure Identity Stores 146

Appoint Administrators 147

Updating vRealize Automation Certificates 149

Extracting Certificates and Private Keys 150

VMware, Inc. 5

Page 6

Installation and Configuration

Updating the Identity Appliance Certificate 151

Replace a Certificate in the Identity Appliance 151

Update the vRealize Appliance with the Identity Appliance Certificate 152

Updating the vRealize Appliance Certificate 153

Replace a Certificate in the vRealize Appliance 154

Update SSO Registration for the vRealize Appliance 155

Update the IaaS Servers with the vRealize Appliance Certificate 156

Updating the IaaS Certificate 157

Replace the Internet Information Services Certificate 158

Update the vRealize Appliance with the IaaS Certificate 158

Update Guest Agent Trust Relationship 159

Replace the Identity Appliance Management Site Certificate 160

Updating the vRealize Appliance Management Site Certificate 161

Replace the vRealize Automation Appliance Management Site Certificate 162

Manually Update Management Agents to Recognize a vRealize Appliance Management Site

Certificate 163

Automatically Update Management Agents in a Distributed Environment to Recognize a

vRealize Appliance Management Site Certificate 164

Replace a Management Agent Certificate 164

Troubleshooting 167

Default Log Locations 168

Rolling Back a Failed Installation 169

Roll Back a Minimal Installation 169

Roll Back a Distributed Installation 170

Create a Support Bundle for vRealize Automation 171

Installers Fail to Download 171

Failed to Install Model Manager Data and Web Components 172

Save Settings Warning Appears During IaaS Installation 173

WAPI and Distributed Execution Managers Fail to Install 174

IaaS Authentication Fails During IaaS Web and Model Management Installation 174

Installation or Upgrade Fails with a Load Balancer Timeout Error 174

Uninstalling a Proxy Agent Fails 175

Validating Server Certificates for IaaS 175

Server Times Are Not Synchronized 176

RabbitMQ Configuration Fails in a High-Availability Environment 177

Encryption.key File has Incorrect Permissions 177

Error Communicating to the Remote Server 178

Blank Pages May Appear When Using Internet Explorer 9 or 10 on Windows 7 179

Cannot Establish Trust Relationship for the SSL/TLS Secure Channel 180

Cannot Log in to a Tenant or Tenant Identity Stores Disappear 180

VMware, Inc. 6

Page 7

Installation and Configuration

Adding an Endpoint Causes an Internal Error 181

Error in Manager Service Communication 182

Machine Requests Fail When Remote Transactions Are Disabled 183

Credentials Error When Running the IaaS Installer 184

Attempts to Log In as the IaaS Administrator with Incorrect UPN Format Credentials Fails with No

Explanation 184

Email Customization Behavior Has Changed 184

Changes Made to /etc/hosts Files Might Be Overwritten 185

Network Settings Were Not Successfully Applied 186

VMware, Inc. 7

Page 8

vRealize Automation Installation and

Conﬁguration

vRealize Automation Installation and Configuration explains how to install and configure VMware vRealize ™ Automation.

Note Not all features and capabilities of vRealize Automation are available in all editions. For a

comparison of feature sets in each edition, see https://www.vmware.com/products/vrealize-automation/.

Intended Audience

This information is intended for experienced Windows or Linux system administrators who are familiar with virtual machine technology and data center operations.

vCloud Suite Licensing and Integration

You can license vRealize Automation individually or as part of vCloud Suite. You should consider the licensing and integration options that are available to you.

Some vCloud Suite components are available as standalone products that are licensed on a per-virtual machine basis. When the products are part of vCloud Suite, they are licensed on a per-CPU basis. You can run an unlimited number of virtual machines on CPUs that are licensed with vCloud Suite. For more information, see vCloud Suite Architecture Overview and Use Cases.

VMware Technical Publications Glossary

VMware Technical Publications provides a glossary of terms that might be unfamiliar to you. For definitions of terms as they are used in VMware technical documentation, go to

http://www.vmware.com/support/pubs.

VMware, Inc.

Page 9

Updated Information

The following table provides update history for the Installation and Configuration guide.

Revision Description

EN-001649-07

EN-001649-06

EN-001649-05

EN-001649-04

Revisions for vRealize Automation 6.2.5 including minor updates and bug fixes.

Revised Specify Server and Account Settings

Installation instructions for vRealize Automation 6.2.4 including minor updates and bug fixes.

Enhanced Distributed Deployment procedures for appliance database configuration.

Stand-alone PostgreSQL implementations are no longer supported. The PostgreSQL database is now referred to as the appliance database. Changes made to all related topics.

For 6.2.2, updated .NET requirement to .NET 4.5.1 or later.

Updated IaaS Windows Server requirements to specify Java 1.7 or later. See IaaS Web Service and Model

Manager Server Requirements.

Added information about the relationship between the user's identity store and the Identity Appliance domain to User Accounts and Credentials Required for Installation and Log in to the vRealize Automation Console

Fails.

Added a note about using the iisreset command before reinstalling IaaS to Roll Back a Minimal Installation and Roll Back a Distributed Installation.

Updated Install the Primary IaaS Website Component with Model Manager Data and Failed to Install Model

Manager Data and Web Components.

Added port 902 to outgoing ports for the vRealize Appliance and moved port 8444 from outgoing ports to incoming ports in Port Requirements.

Added additional IaaS service user requirements to User Accounts and Credentials Required for Installation.

EN-001649-03 Added port requirements for VMRC and high-availability deployments in the topic Port Requirements.

EN-001649-02

Added version_string argument to the topic Create the IaaS Database Manually.

Corrected default location for installation logs in the topic Default Log Locations.

Clarification of steps in the following topics:

Update the vRealize Appliance with the Identity Appliance Certificate

Update the vRealize Appliance with the IaaS Certificate

VMware, Inc. 9

Page 10

Installation and Configuration

Revision Description

EN-001649-01

Updated IaaS Windows Server requirements to specify Java 1.7 and .NET 4.5.1 and later. See IaaS Web

Service and Model Manager Server Requirements.

Various editorial changes and defect fixes.

Revised and updated documentation for Management Agents. See Manually Update Management Agents to

Recognize a vRealize Appliance Management Site Certificate

Added step to select Mark this key as exportable when importing a new IIS certificate. See Replace the

Internet Information Services Certificate.

EN-001649-00 Initial document release.

VMware, Inc. 10

Page 11

vRealize Automation Installation

Overview 1

vRealize Automation can be deployed in a variety of configurations. To ensure a successful deployment understand the deployment and configuration options, and the sequence of tasks required.

After installation, system administrators can customize the installation environment and configure one or more tenants, which sets up access to self-service provisioning and life-cycle management of cloud services.

By using the secure portal Web interface, administrators, developers, or business users can request IT services and manage specific cloud and IT resources based on their roles and privileges. Users can request infrastructure, applications, desktops, and IT service through a common service catalog.

This chapter includes the following topics:

vRealize Automation Installation Components

Choosing Your Deployment Path

vRealize Automation Installation Components

A vRealize Automation installation includes installing and configuring single sign-on (SSO) capabilities, the user interface portal, and Infrastructure as a Service (IaaS) components.

An installation consists of the following components.

VMware vCloud Automation Center Appliance, which deploys the vCloud Automation Center console (the user interface portal), and manages Single Sign-On (SSO) capabilities for authorization and authentication.

Infrastructure as a Service (IaaS) components, which are installed on a Windows machine (virtual or physical), and appear largely under the Infrastructure tab on the console.

An SQL Server Database, which can be installed as part of IaaS or separately.

VMware Identity Appliance

Identity Appliance is a preconfigured virtual appliance that provides single sign-on (SSO) capabilities for the vRealize Automation environment.

VMware vRealize Appliance

The vRealize Appliance is a preconfigured virtual appliance that deploys the vRealize Automation server. vRealize Automation is delivered as an open virtualization format (OVF) template. The system administrator deploys the virtual appliance to an existing virtualized infrastructure.

VMware, Inc.

Page 12

Installation and Configuration

vRealize Automation Infrastructure as a Service

Infrastructure as a Service (IaaS) enables the rapid modeling and provisioning of servers and desktops across virtual and physical, private and public, or hybrid cloud infrastructures.

VMware Identity Appliance

Identity Appliance is a preconfigured virtual appliance that provides single sign-on (SSO) capabilities for the vRealize Automation environment.

You can use the Identity Appliance SSO provided with vRealize Automation or some versions of the SSO provided with vSphere. For information about supported versions, see vRealize Automation Support Matrix for this release available from https://www.vmware.com/support/pubs/vcac-pubs.html.

The Identity Appliance is delivered as an open virtualization format (OVF) template. The system administrator deploys the virtual appliance to the existing virtualization infrastructure.

SSO is an authentication broker and security token exchange that interacts with the enterprise identity store, Active Directory or OpenLDAP, to authenticate users. A system administrator configures SSO settings to provide access to the Identity Appliance console.

VMware vRealize Appliance

The server includes the vRealize Appliance console, which provides a single portal for self-service provisioning and management of cloud services, authoring, administration, and governance.

Appliance Database

During deployment of the virtual appliances, the Appliance Database is created automatically on the first vRealize Appliance. A replica database can be installed on a second vRealize Appliance to create a highavailability environment.

vRealize Automation Infrastructure as a Service

Infrastructure as a Service (IaaS) enables the rapid modeling and provisioning of servers and desktops across virtual and physical, private and public, or hybrid cloud infrastructures.

The system administrator installs IaaS components on a Windows machine, virtual or physical. IaaS capabilities are then available from the Infrastructure tab on the user interface console. IaaS has several components that you can install in a custom configuration to meet the needs of your organization.

VMware, Inc. 12

Page 13

Installation and Configuration

IaaS Website

The IaaS Website component, also called the Model Manager Web, provides the infrastructure administration and service authoring capabilities to the vRealize Automation console. The Website component communicates with the Model Manager, which provides it with updates from the Distributed Execution Manager (DEM), proxy agents, and database.

Model Manager

vRealize Automation models facilitate integration with external systems and databases. They implement business logic that a Distributed Execution Manager (DEM) uses.

The Model Manager provides services and utilities for persisting, versioning, securing, and distributing model elements. It communicates with the database, the DEMs, and the console Web site.

vCloud Automation Center Manager Service

The Manager Service coordinates communication between DEMS, agents, and the database. The Manager Service communicates with the console Web site through the Model Manager. This service requires administrative privileges to run.

IaaS Database

The IaaS component of vRealize Automation uses a Microsoft SQL Server database to maintain information about the machines it manages and its own elements and policies. Typically, a system administrator creates the database during installation.

Distributed Execution Managers

A Distributed Execution Manager (DEM) runs the business logic of custom models, interacting with the database and with external databases and systems as required.

Each DEM instance acts in either a Worker role or in an Orchestrator role. The Worker role is responsible for running workflows. The Orchestrator role is responsible for monitoring DEM Worker instances, preprocessing workflows to run, and scheduling workflows.

The DEM Orchestrator performs these specific tasks.

Monitors the status of DEM Workers and ensures that if a Worker instance stops or loses its connection to the Model Manager, its workflows are put back in the queue for another DEM Worker to pick up.

Manages scheduled workflows by creating new workflow instances at the scheduled time.

Ensures that only one instance of a particular scheduled workflow is running at a given time.

Preprocesses workflows before they are run, including checking preconditions for workflows, used in the implementation of the RunOneOnly feature, and creating the workflow execution history.

VMware, Inc. 13

Page 14

Installation and Configuration

One DEM Orchestrator instance is designated as the active Orchestrator that performs these tasks. Because the DEM Orchestrator is essential to run workflows, install at least one additional Orchestrator instance on a separate machine for redundancy. The Orchestrator is automatically installed on the machine that also runs the Manager Service. The additional DEM Orchestrator monitors the status of the active Orchestrator so that it can take over if the active Orchestrator goes offline.

vRealize Automation Agents

vRealize Automation uses agents to integrate with external systems. A Management Agent is installed automatically on each IaaS node that you create. You can install the vSphere agent as part of a minimal installation. You can install additional agents as needed by using the Custom Installer.

Integration Agents

Virtual desktop integration (VDI) PowerShell agents allow vRealize Automation to integrate with external virtual desktop systems. Currently, virtual machines that vRealize Automation provisions can be registered with XenDesktop on a Citrix Desktop Delivery Controller (DDC) and their owners can access the XenDesktop Web Interface from vRealize Automation.

External provisioning integration (EPI) PowerShell agents allow vRealize Automation to integrate external systems into the machine provisioning process. For example, integration with Citrix Provisioning Server enables provisioning of machines by on-demand disk streaming, and an EPI agent allows you to run Visual Basic scripts as extra steps during the provisioning process.

VDI and EPI agents require administrator-level access to the external systems with which they interact.

Management Agent

The Management Agent collects support and telemetry information and registers IaaS nodes. A Management Agent is installed automatically on each IaaS node in your deployment.

Management Agents are not automatically deleted when you uninstall an IaaS component. Uninstall the Management Agent as you would uninstall any Windows service.

Virtualization Proxy Agents

The virtual machines that vRealize Automation manages are created on virtualization hosts. vRealize Automation uses virtualization proxy agents to send commands to and collect data from vSphere ESX Server, XenServer, and Hyper-V virtualization hosts and the virtual machines provisioned on them. A proxy agent has the following characteristics.

Typically requires administrator-level access to the virtualization platform it manages

Communicates with the Manager Service

Is installed separately with its own configuration file

Windows Management Instrumentation Agent

The vRealize Automation Windows Management Instrumentation (WMI) agent enhances your ability to monitor and control system information and allows you to manage remote servers from a central location. It enables the collection of data from Windows machines that vRealize Automation manages.

VMware, Inc. 14

Page 15

Installation and Configuration

Choosing Your Deployment Path

You can upgrade from an earlier vCloud Automation Center 6.x version, migrate from a supported vCloud Automation Center 5.2.x version, or install vRealize Automation for the first time.

Table 1‑1. Choosing Your Deployment Path

Your Currently Installed Version How to install the latest vRealize Automation

vCloud Automation Center 5.2.1 Migrate to vCloud Automation Center 6.1 and then perform upgrades incrementally until

you reach the latest version. See Migrating to vCloud Automation Center 6.1 and Upgrading to vRealize Automation 6.2 or Later.

vCloud Automation Center 5.2.2 Migrate to vCloud Automation Center 6.1 and then perform upgrades incrementally until

you reach the latest version. See Migrating to vCloud Automation Center 6.1 and Upgrading to vRealize Automation 6.2 or Later.

vCloud Automation Center 5.2.3 Migrating to vRealize Automation

vCloud Automation Center 6.0 Upgrading vRealize Automation

vCloud Automation Center 6.0.1 Upgrading vRealize Automation

vCloud Automation Center 6.1.x Upgrading vRealize Automation

None Install vRealize Automation for the first time in either a minimal or distributed deployment.

Minimal deployments are typically used in a development environment or as a proof of concept (PoC).

You deploy a single instance of each virtual appliance and install all IaaS components on a single Windows machine. You can install the databases on the same Windows machine or on a dedicated SQL Server.

See Minimal Deployment Overview.

Distributed deployments are typically as a production environment and allow you to design the topology best suited to your organizational needs. You distribute components across multiple servers to provide failover capability and redundancy. See

Distributed Deployment Overview.

For information about scalability and high availability, see VMware vRealize Automation Reference Architecture at https://www.vmware.com/support/pubs/vcac-pubs.html.

Upgrading vRealize Automation

You upgrade incrementally from vRealize Automation 6.x until you reach the latest vRealize Automation.

Locate your currently installed version in the table and then follow the steps in the documents on the right to incrementally upgrade your vRealize Automation environment to the latest release. You can find links to the documentation for all versions of vCloud Automation Center and vRealize Automation at

https://www.vmware.com/support/pubs/vcac-pubs.html.

VMware, Inc. 15

Page 16

Installation and Configuration

Table 1‑2. Supported Upgrade Paths

Your Currently Installed Version Documentation for Incremental Upgrades

vCloud Automation Center 6.0 Perform upgrades in the following order:

Upgrading vCloud Automation Center 6.0 to 6.0.1

Upgrading to vCloud Automation Center 6.1

Upgrading to vRealize Automation 6.2 or Later

vCloud Automation Center 6.0.1 Perform upgrades in the following order:

Upgrading to vCloud Automation Center 6.1

Upgrading to vRealize Automation 6.2 or Later

vCloud Automation Center 6.1.x Upgrading to vRealize Automation 6.2 or Later

vRealize Automation 6.2.x Upgrade directly to the latest 6.2.x release as described in

Upgrading to vRealize Automation 6.2 or Later

Migrating to vRealize Automation

You can migrate your data from vCloud Automation Center 5.2.3 to vRealize Automation 6.2.

The following high-level overview shows the steps required to migrate to vRealize Automation 6.2.

1 Read Migrating vCloud Automation Center 5.2.3 to vRealize Automation 6.2. for important information

about processes and prerequisites.

2 Verify that the Identity Appliance and Windows IaaS servers belong to the same domain as the

source vRealize Automation system servers or to a domain with identical domain trusts to the source system servers.

3 Install vRealize Automation 6.2. Depending on your deployment type, see Chapter 4 Minimal

Deployment or Chapter 5 Distributed Deployment. As you install, note the following configurations

required for migration:

Join your Identity Appliance to your Native Active Directory domain. See Configure the Identity

Appliance.

Verify that the names of Distributed Execution Orchestrators and Distributed Execution Workers for vRealize Automation 6.2 exactly match the names you used in your vCloud Automation Center 5.2.3 deployment. See Install the Distributed Execution Managers.

Verify that agent and proxy agent names for vRealize Automation 6.2 exactly match the names you used in your vCloud Automation Center 5.2.3 deployment. See Chapter 6 Installing Agents.

Configure the default tenant ID store for Native Active Directory. See Configure a Native Active

Directory Identity Store.

You must appoint one or more users to the administrative roles. Groups are not supported for migration. See Appoint Administrators.

4 Migrate your 5.2.3 deployment to vRealize Automation 6.2 using the migration tool. See Migrating

vCloud Automation Center 5.2.3 to vRealize Automation 6.2..

VMware, Inc. 16

Page 17

Identity (SSO)

Virtual

Appliance

Download and

deploy

appliance

from .ova or .ovf

vRealize

Appliance

Download and

deploy

appliance

from .ova or .ovf

Infrastructure as

a Service

Components

Browser-based

install from

vRealize

Appliance

Provides

user

interface

console

Provides

laaS

services

Single

Sign-On

capability

Installation and Configuration

Minimal Deployment Overview

To complete a minimal deployment, the system administrator installs the Identity Appliance, the vRealize Appliance, and Infrastructure as a Service (IaaS).

Identity Appliance, which supports single sign-on capabilities. It is installed as a virtual appliance.

vRealize Appliance, which includes the Web console interface. It is installed as a virtual appliance.

Infrastructure as a Service (IaaS), which is installed on a Windows Server machine.

The IaaS database can be installed on the same machine as IaaS or on its own server.

The following figure shows the relationship and purpose of components of a minimal installation.

Distributed Deployment Overview

The system administrator can deploy and install multiple instances of the vRealize Appliance and individual IaaS components for scale, redundancy, high availability, and disaster recovery.

In this sample architecture, the IaaS components are distributed over multiple machines. This sample installation describes one possible deployment. Load balancers distribute the workload across the servers. In practice, the system administrator chooses a distribution architecture that is compatible with the company environment and goals.

For information about scalability and high availability, see VMware vRealize Automation Reference Architecture at https://www.vmware.com/support/pubs/vcac-pubs.html.

Load balancers distribute the workload across the computing environment. System administrators configure load balancers outside of the vRealize Automation framework.

VMware, Inc. 17

Page 18

Installation and Configuration

The following figure shows the components of a distributed deployment. Each component is numbered to correspond to an entry the Distributed Deployment Components table.

The Distributed Deployment Components table describes each component and presents requirements and options for using each component.

VMware, Inc. 18

Page 19

Installation and Configuration

Table 1‑3. Distributed Deployment Components

Diagram

Number Description Requirements and Options

1 vRealize Appliance Load

Balancer

2 Single Sign-On Server

Appliance

3 vRealize Appliance 1 One instance required. Multiple instances can be used to support high availability and

4 vRealize Appliance 2, 3,

and so on

5 Appliance Database Appliance Database or cluster. If a two vRealize Appliances have been deployed with

6 IaaS Web Load Balancer Only necessary if you are installing more than one Website Component. Install Website

7 SQL Database Cluster Install one instance during IaaS installation. Database administrator handles

8 Website Component 1 and

Model Manager Data

Only necessary if you are deploying more than one vRealize Appliance.

Important Disable all nodes under the load balancer except for the node you are

configuring. For example, if you have three nodes, disable nodes 1 and 2 when you configure node 3.

One instance of a single sign-on server is required. You can use the vRealize Appliance, which is a product component, or some versions of vSphere SSO, which might be preferable for high-availability deployments. Consult the vCloud Automation Center Support Matrix for information about supported versions.

failover recovery. Multiple instances must be deployed with vSphere High Availability.

Deploy multiple instances under the vRealize Appliance Load Balancer.

Appliance Databases, then they can be clustered. If only one vRealize appliance exists, then there is no highly available method for the database.

Component 1 and Model Manager Data on one machine under this load balancer.

redundancy outside of IaaS context. See Choosing an IaaS Database Scenario.

Required. Install together on one machine under the IaaS Web load balancer. Only one instance of Model Manager Data is allowed. See Install the Primary IaaS Website

Component with Model Manager Data

9 Website Component 2, 3,

and so on

10 IaaS Manager Service

Load Balancer

11 Manager Service 1 and

DEM Orchestrator 1

12 Manager Service 2, 3, and

so on

13 Agents and DEMs Install the first DEM Orchestrator on the active Manager Service machine. Install

Optional. Install multiple instances under the IaaS Web load balancer for high availability and failover recovery.

Install the first instance of the Manager Service and the first instance of the DEM Orchestrator together on one machine under this load balancer. See Install the Primary

Manager Service and Install the Distributed Execution Managers.

Install the first instance of the Manager Service and the first instance of the DEM Orchestrator together on one machine under the IaaS Manager Service load balancer. The first Manager Service instance is active. Only one can be active at any given time. See Install the Primary Manager Service and Install the Distributed Execution

Managers.

Passive instances for backup only. If the Active Manager Service fails, start the service on the passive node.

Agents, DEM Orchestrators, and DEM Workers together or on separate machines. See

Chapter 6 Installing Agents and Install the Distributed Execution Managers.

VMware, Inc. 19

Page 20

Preparing for Installation 2

System Administrators install vRealize Automation into their existing virtualization environments. Before the installation begins, there are a number of preliminary steps that must be completed to prepare the deployment environment.

This chapter includes the following topics:

DNS and Host Name Resolution

Hardware and Virtual Machine Requirements

Browser Considerations

Password Considerations

Windows Server Requirements

Port Requirements

User Accounts and Credentials Required for Installation

Security

Time Synchronization

DNS and Host Name Resolution

vRealize Automation requires the system administrator to identify all hosts using a fully qualified domain name (FQDN). In a distributed deployment, all vRealize Automation components must be able to resolve each other by using an FQDN. The Model Manager Web service, Manager Service, and Microsoft SQL Server database must also be able to resolve each other by their Windows Internet Name Service (WINS) name. You must configure the Domain Name System (DNS) to resolve these host names in your environment.

Important vRealize Automation does not allow navigation to hosts that contain the underscore (_)

character in the host name.

Hardware and Virtual Machine Requirements

Installation requires minimum system resources to install virtual appliances and minimum hardware requirements to install IaaS components on the Windows Server.

VMware, Inc.

Page 21

Installation and Configuration

For operating system and high-level environment requirements, including information about supported browsers and operating systems, see the vRealize Automation Support Matrix.

The Hardware Requirements table shows the minimum configuration requirements for deployment of the virtual appliances and installation of IaaS components. The appliances are preconfigured virtual machines that you add to your vCenter Server or ESXi inventory. IaaS components are installed on physical or virtual Windows 2008 R2 SP1, Windows 2012 or Windows 2012 R2 servers.

Table 2‑1. Hardware Requirements

Identity Appliance vRealize Appliance IaaS Components (Windows Server)

1 CPU

2 GB memory

2 GB disk storage

2 CPUs

8 GB memory

30 GB disk storage

2 CPUs

8 GB memory

30 GB disk storage

Browser Considerations

Some restrictions exist for browser use with vRealize Automation.

vRealize Automation does not support Compatibility View mode for Internet Explorer 9 or 10 on Windows 7 platforms. If you are unable to log in to appliance management consoles or you receive an error on the SSO tab when using Internet Explorer 9 or 10, use the Developer Tools to set the browser mode to Internet Explorer 7.

Multiple browser windows and tabs are not supported. vRealize Automation supports one session per user.

VMware remote consoles provisioned on vSphere support a subset of vRealize Automationsupported browsers.

For operating system and high-level environment requirements, including information about supported browsers and operating systems, see the vRealize Automation Support Matrix.

Password Considerations

The vRealize Automation administrator password cannot contain a trailing "=" character.

Verify that the adminstrator password you assign during installation does not end with an "=" character. Such passwords are accepted when you assign them, but result in errors when you perform operations such as saving endpoints.

Windows Server Requirements

The virtual or physical Windows machine that hosts the IaaS components must meet configuration requirements for the IaaS database, the IaaS server components, the IaaS Manager Service, and Distributed Execution Managers.

VMware, Inc. 21

Page 22

Installation and Configuration

IaaS Database Server Requirements

Your environment must meet these general requirements that support the installation of the IaaS Database (SQL Server).

TCP/IP protocol enabled for MS SQL Server

Microsoft Distributed Transaction Coordinator Service (MS DTC) enabled on all SQL nodes in the system. MS DTC is required to support database transactions and actions such as workflow creation.

No firewalls between Database Server and the Web server or IaaS Server, or ports opened as described in Port Requirements.

For 6.0.x installations, the database name cannot contain a space. For 6.1 and later installations, the use of spaces in names is supported.

Note If you clone an IaaS node, install MS DTC on each node after it has been cloned. When you clone

a node that has MS DTC installed, its unique identifier is copied to each clone, which causes communication to fail. See Error in Manager Service Communication for further information.

For information about supported MS SQL versions, see vRealize Automation Support Matrix for this release.

IaaS Web Service and Model Manager Server Requirements

Your environment must meet software and configuration prerequisites that support installation of the IaaS server components.

IaaS Server Requirements

Your Windows server must meet the configuration requirements listed in the following table to support the installation of the vRealize Automation Web service or Model Manager.

VMware, Inc. 22

Page 23

Installation and Configuration

Table 2‑2. IaaS Server Requirements

Area Requirements

Host Configuration The following components must be installed on the host before installing IaaS:

Microsoft .NET Framework 4.5.1 or later

Microsoft PowerShell 2.0 (included with Windows Server 2008 R2 SP1 and later) or Microsoft PowerShell 3.0 on Windows Server 2012 or Windows Server 2012 R2.

Microsoft Internet Information Services 7.5 (see Table 2‑3)

Java requirements for MSSQL, when the database is installed on the IaaS Windows server host.

Microsoft SQL Database Requirements

Microsoft SQL Server database can be located on the IaaS (Windows) server host or on a remote host.

The following Java-related requirements must be met:

A 64-bit version of Java 1.7, or 1.8 or later must be installed. 32-bit versions are not supported.

The JAVA_HOME environment variable must be set to the Java installation folder.

The %JAVA_HOME%\bin\java.exe file must be available.

Microsoft Internet Information Services Conﬁguration

Microsoft Internet Information Services must be configured to meet the requirements listed in the following table to support the installation of the vRealize Automation Web service or Model Manager.

Table 2‑3. Required Conﬁguration for Microsoft Internet Information Services

IIS Component Setting

Internet Information Services (IIS) modules installed

WindowsAuthentication

StaticContent

DefaultDocument

ASPNET 4.5

ISAPIExtensions

ISAPIFilter

IIS Authentication settings

Windows Authentication enabled

AnonymousAuthentication disabled

Negotiate Provider enabled

NTLM Provider enabled

Windows Authentication Kernel Mode enabled

Windows Authentication Extended Protection disabled

For certificates using SHA512, TLS1.2 must be disabled on Windows 2012 or Windows 2012 R2 servers

IIS Windows Process Activation Service roles

VMware, Inc. 23

ConfigurationApi

NetEnvironment

ProcessModel

WcfActivation (Windows 2008 only)

HttpActivation

NonHttpActivation

Page 24

Installation and Configuration

IaaS Manager Service

Your environment must meet some general requirements that support the installation of the IaaS Manager Service.

.NET Framework 4.5.1 or later is installed.

Microsoft PowerShell 2.0 or Microsoft PowerShell 3.0. PowerShell 2.0 is included with Windows Server 2008 R2 SP1 and later. Microsoft PowerShell 3.0 runs on Windows Server 2012 or Windows Server 2012 R2.

SecondaryLogOnService is running.

No firewalls can exist between DEM host and Windows Server, nor can ports be opened as described in Port Requirements.

IIS is installed and configured.

Distributed Execution Manager Requirements

Your environment must meet some general requirements that support the installation of Distributed Execution Managers (DEMs).

.NET Framework 4.5.1 or later is installed.

SecondaryLogOnService is running.

No firewalls between DEM host and the Windows server, or ports opened as described in Port

Requirements.

DEM Worker instances might have additional requirements depending on the provisioning resources that they interact with.

Amazon Web Services EC2 Requirements

The IaaS Windows server communicates with and collects data from an Amazon EC2 account.

When you use Amazon Web Services for provisioning, DEM workers must meet these configuration requirements.

Hosts on which DEMs are installed must have access to the Internet.

If there is a firewall, HTTPS traffic must be allowed to and from aws.amazon.com, as well as the URLs representing all the EC2 regions your AWS accounts have access to, for example ec2.us- east-1.amazonaws.com for the US East region. Each URL resolves to a range of IP addresses, so you may need to use a tool, such as the one available from the Network Solutions Web site, to list and configure these IP addresses.

VMware, Inc. 24

Page 25

Installation and Configuration

Internet access from the DEM host is through a proxy server, the DEM service must be running under credentials that can authenticate to the proxy server.

Openstack and PowerVC Requirements

The machines on which you install your DEMs must meet certain requirements to communicate with and collect data from your Openstack or PowerVC instance.

Table 2‑4. DEM Host Requirements

Your Installation Requirements

All In Windows Registry, enable TLS v1.2 support for .NET

framework. For example:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramew ork\v4.0.30319] "SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsof t\.NETFramework\v4.0.30319] "SchUseStrongCrypto"=dword:00000001

Windows 2008 DEM Host In Windows Registry, enable TLS v1.2 protocol. For example:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Cont rol\SecurityProviders\SCHANNEL\Protocols\TLS 1.2] [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Cont rol\SecurityProviders\SCHANNEL\Protocols\TLS

1.2\Client] "DisabledByDefault"=dword:00000000 "Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Cont rol\SecurityProviders\SCHANNEL\Protocols\TLS

1.2\Server] "DisabledByDefault"=dword:00000000 "Enabled"=dword:00000001

Self-signed certificates on your infrastructure endpoint host If your PowerVC or Openstack instance is not using trusted

certificates, import the SSL certificate from your PowerVC or Openstack instance into the Trusted Root Certificate Authorities store on each IaaS Windows server where you intend to install a vRealize Automation DEM.

Red Hat Enterprise Virtualization KVM (RHEV) Requirements

Your environment must meet these Red Hat Enterprise requirements to support installation of Distributed Execution Managers (DEMs).

Each KVM (RHEV) environment must be joined to the domain containing the IaaS server.

The credentials used to manage the endpoint representing a KVM (RHEV) environment must have Administrator privileges on the RHEV environment. These credentials must also have sufficient privileges to create objects on the hosts within the environment.

VMware, Inc. 25

Page 26

Installation and Configuration

SCVMM Requirements

A DEM Worker that manages virtual machines through SCVMM must be installed on a host where the SCVMM console is already installed.

A best practice is to install the SCVMM console on a separate DEM Worker machine. In addition, verify that the following requirements have been met.

The DEM worker must have access to the SCVMM PowerShell module installed with the console.

The PowerShell Execution Policy must be set to RemoteSigned or Unrestricted.

To verify the PowerShell Execution Policy, enter one of the following commands at the PowerShell command prompt.

help about_signing

help Set-ExecutionPolicy

If all DEM Workers within the instance are not on machines that meet these requirements, use Skill commands to direct SCVMM-related workflows to DEM Workers that are.

The following additional requirements apply to SCVMM.

This release supports SCVMM 2012 R2, which requires PowerShell 3 or later.

Install the SCVMM console before you install vRealize Automation DEM Workers that consume SCVMM work items.

If you install the DEM Worker before the SCVMM console, you see log errors similar to the following example.

Workflow 'ScvmmEndpointDataCollection' failed with the following exception: The

term 'Get-VMMServer' is not recognized as the name of a cmdlet, function, script

file, or operable program. Check the spelling of the name, or if a path was

included, verify that the path is correct and try again.

To correct the problem, verify that the SCVMM console is installed, and restart the DEM Worker service.

Each SCVMM instance must be joined to the domain containing the server.

The credentials used to manage the endpoint representing an SCVMM instance must have administrator privileges on the SCVMM server.

The credentials must also have administrator privileges on the Hyper-V servers within the instance.

Hyper-V servers within an SCVMM instance to be managed must be Windows 2008 R2 SP1 Servers with Hyper-V installed. The processor must be equipped with the necessary virtualization extensions .NET Framework 4.5.1 or later must be installed and Windows Management Instrumentation (WMI) must be enabled.

To provision machines on an SCVMM resource, you must add a user in at least one security role within the SCVMM instance.

VMware, Inc. 26

Page 27

Installation and Configuration

To provision a Generation-2 machine on an SCVMM 2012 R2 resource, you must add the following properties in the blueprint.

Scvmm.Generation2 = true

Hyperv.Network.Type = synthetic

Generation-2 blueprints should have an existing data-collected virtualHardDisk (vHDX) in the blueprint build information page. Having it blank causes Generation-2 provisioning to fail.

For more information, see Configure the DEM to Connect to SCVMM at a Different Installation Path. Additional information about preparing for machine provisioning is available in IaaS Configuration for Virtual Platforms.

Port Requirements

vRealize Automation uses designated ports for communication and data access.

Although vRealize Automation uses only port 443 for communication, there might be other ports open on the system. Because open, unsecure ports can be sources of security vulnerabilities, review all open ports on your system and ensure that only the ports that are required by your business applications are open.

Identity Appliance

The following ports are used by the Identity Appliance.

Table 2‑5. Incoming Ports for the Identity Appliance

Port Protocol Comments

22 TCP Optional. SSH

5480 TCP Access to virtual appliance Web management interface

7444 TCP SSO service over HTTPS

Table 2‑6. Outgoing Ports for the Identity Appliance

Port Protocol Comments

53 TCP, UDP DNS

67, 68, 546, 547 TCP, UDP DHCP

80 TCP Optional. For fetching software updates. Updates can be downloaded separately and

applied.

123 TCP, UDP Optional. For connecting directly to NTP instead of using host time.

389, 636 TCP, UDP OpenLDAP and Active Directory

vRealize Appliance

The following ports are used by the vRealize Appliance.

VMware, Inc. 27

Page 28

Installation and Configuration

Table 2‑7. Incoming Ports for the vRealize Appliance

Port Protocol Comments

22 TCP Optional. SSH.

80 TCP Optional. Redirects to 443.

111 TCP, UDP RPC

443 TCP Access to the vRealize Automation console and API calls.

5480 TCP Access to virtual appliance Web management interface

5480 TCP Used by Management Agent

5488, 5489 TCP Internal. Used by vRealize Appliance for updates.

5672 TCP RabbitMQ messaging

8230, 8280, 8281 TCP Internal vRealize Orchestrator instance

8444 TCP Console proxy communication for vSphere VMware Remote Console connections

Table 2‑8. Outgoing Ports for the vRealize Appliance

Port Protocol Comments

25, 587 TCP, UDP SMTP for sending outbound notification emails

53 TCP, UDP DNS

67, 68, 546, 547 TCP, UDP DHCP

80 TCP Optional. For fetching software updates. Updates can be downloaded separately and

applied.

110, 995 TCP, UDP POP for receiving inbound notification emails

143, 993 TCP, UDP IMAP for receiving inbound notification emails

123 TCP, UDP Optional. For connecting directly to NTP instead of using host time.

443 TCP IaaS Manager Service over HTTPS

Communication with virtualization hosts over HTTPS

902 TCP ESXi network file copy operations and for VMware Remote Console (VMRC)

connections

5432 TCP, UDP Optional. For communicating with an Appliance Database.

7444 TCP Communication with SSO service over HTTPS

8281 TCP Optional. For communicating with an external vRealize Orchestrator instance .

Other ports may be required by specific vRealize Orchestrator plugins that communicate with external systems. For more information, see the documentation for the vRealize Orchestrator plugin.

Infrastructure as a Service

The ports in the tables Incoming Ports for Infrastructure as a Service Components and Outgoing Ports for Infrastructure as a Service must be available for use by the IaaS Windows Server.

VMware, Inc. 28

Page 29

Installation and Configuration

Table 2‑9. Incoming Ports for Infrastructure as a Service Components

Component Port Protocol Comments

SQL Server instance 1433 TCP MSSQL

Manager Service 443* TCP Communication with IaaS components and vRealize Appliance

over HTTPS

vRealize Appliance 443 TCP Communication with IaaS components and vRealize Appliance

over HTTPS

* Any virtualization hosts managed by proxy agents must also have TCP port 443 open for incoming traffic.

Table 2‑10. Outgoing Ports for Infrastructure as a Service Components

Component Port Protocol Comments

All 53 TCP, UDP DNS

All 67, 68, 546,

547

All 123 TCP, UDP Optional. NTP.

Manager Service 443 TCP Communication with vRealize Appliance over HTTPS

Website 443 TCP Communication with Manager Service over HTTPS

Distributed Execution Managers

Proxy agents 443 TCP Communication with Manager Service and virtualization hosts

Guest agent 443 TCP Communication with Manager Service over HTTPS

Manager Service, Website 1433 TCP MS SQL

443 TCP Communication with Manager Service over HTTPS

TCP, UDP DHCP

over HTTPS

Microsoft Distributed Transaction Coordinator Service

In addition to verifying that the ports listed in the previous tables are free for use, you must enable Microsoft Distributed Transaction Coordinator Service (MS DTC) communication between all servers in the deployment. MS DTC requires the use of port 135 over TCP and a random port between 1024 and

65535.

The Prerequisite Checker validates whether MS DTC is running and that the required ports are open.

User Accounts and Credentials Required for Installation

You must verify that you have the roles and credentials to install vRealize Automation components.

vCenter Service Account

If you plan to use a vSphere endpoint, you need a domain or local account that has the appropriate level of access configured in vCenter.

VMware, Inc. 29

Page 30

Installation and Configuration

Virtual Appliance Installation

To deploy the Identity Appliance and the vRealize Appliance, you must have administrator privileges on the deployment platform (for example, vSphere administrator credentials).

During the deployment process, you specify the passwords for the virtual appliance administrator accounts and the system administrator account. These accounts provide access to the Identity Appliance and vRealize Appliance management consoles where you configure and administer the virtual appliances.

IaaS Installation

Before installing IaaS components, add the user under which you plan to execute the IaaS installation programs to the Administrator group on the installation host.

IaaS Database Credentials

You can create the database using the installation wizard or create it manually by running the provided scripts. If you use the complete install option to create a minimal installation, you must create the database using the installer.

When you use the IaaS installer to create or populate the IaaS database the following requirements apply:

If you use the installer to create the database and select Use Windows Authentication, the credentials under which you executed the installer must have the sysadmin role in SQL Server to create and alter the size of the database.

If you use the installer to create the database and do not select Use Windows Authentication, you must provide SQL credentials with the sysadmin role. If you do not use Windows authentication, the credentials you provide are used only for database creation (not for run-time access after initial creation).

If you use the installer to populate a pre-created database, the user credentials you provide (either the current Windows user or the specified SQL user) needs only dbo privileges for the IaaS database.

Note vRealize Automation users also require the correct level of Windows authentication access to log

in and use vRealize Automation. The machine from which the user authenticates using Windows Authentication must be joined to the domain in which the vRealize Automation Identity Appliance is configured. See Configure the Identity Stores for the Default Tenant.

IaaS Service User Credentials

IaaS installs several Windows services that share a single service user.

VMware, Inc. 30

Page 31

Installation and Configuration

The following requirements apply to the service user for IaaS services:

The user must be a domain user.

The user must have local Administrator privileges on all hosts on which the Manager Service or Web site component is installed. Do not do a workgroup installation.

The user is configured with Log on as a service privileges. This privilege ensures that the Manager Service starts and generates log files.

The user must have dbo privileges for the IaaS database. If you use the installer to create the database, ensure that the service user login is added to SQL Server prior to running the installer. The installer grants the service user dbo privileges after creating the database.

The account under which the installer is running should have the sysadmin role enabled under MSSQL.

The Management Agent is installed with LocalSystem (NT AUTHORITY\SYSTEM) built-in Windows Account. For more information about Local System accounts, see the Microsoft article

http://msdn.microsoft.com/en-us/library/windows/desktop/ms684190%28v=vs.85%29.aspx.

The domain user account that you plan to use as the IIS application pool identity for the Model Manager Web Service is configured with Log on as batch job privileges.

Model Manager Server Speciﬁcations

Always specify the Model Manager server name by using a fully qualified domain name (FQDN). Do not use an IP address to specify the server.

Security

vRealize Automation uses SSL to ensure secure communication among components. Passphrases are used for secure database storage.

For more information see Certificate Trust Requirements in a Distributed Deployment and Chapter 9

Updating vRealize Automation Certificates.

Certiﬁcates

vRealize Automation uses SSL certificates for secure communication among IaaS components, the Identity Appliance, and instances of the vRealize Appliance.

The appliances and the Windows installation machines exchange these certificates to establish a trusted connection. You can obtain certificates from an internal or external certificate authority, or generate selfsigned certificates during the deployment process for each component.

If you want to use certificates generated by a certificate authority that is not located on the addressable network, you must modify the web.config file for your web apps to ignore certificate revocation errors. Otherwise, HTTP requests fail with an invalid certificate error.

For important information about troubleshooting, supportability, and trust requirements for certificates, see the VMware knowledge base article at http://kb.vmware.com/kb/2106583.

VMware, Inc. 31

Page 32

Installation and Configuration

You can update or replace certificates after deployment. For example, you may choose to use self-signed certificates during deployment, but then obtain certificates from a trusted authority before going live with your vRealize Automation implementation or a certificate may expire.

Table 2‑11. Certiﬁcate Implementations

Minimal Deployment (non

Component

production) Distributed Deployment (production ready)

Virtual Appliances Generate a self-signed certificate

during appliance configuration.

IaaS Components During installation, accept the

generated self-signed certificates or select certificate suppression.

For each appliance cluster, obtain a multi-use certificate, such as a Subject Alternative Name (SAN) certificate, from an internal or external certificate authority. Wildcard certificates are also supported.

Obtain a multi-use certificate, such as a Subject Alternative Name (SAN) certificate, from an internal or external certificate authority that your Web client trusts. Install the same multi-use certificate on each IaaS installation machine.

Note If you do not have sufficient permissions to install IIS domain certificates, your Web browser

prompts you with security exceptions when you open vRealize Automation. Follow the instructions for your browser to permanently trust each self-signed certificate.

Certiﬁcate Chains

If you use certificate chains, specify the certificates in the following order:

Client/server certificate signed by the intermediate CA certificate

One or more intermediate certificates

A root CA certificate

Include the BEGIN CERTIFICATE header and END CERTIFICATE footer for each certificate when you import certificates.

Security Passphrase

vRealize Automation uses security passphrases for database security. A passphrase is a series of words used to create a phrase that generates the encryption key that protects data while at rest in the database.

Use the same passphrase for all components in a distributed environment.

Follow these guidelines when creating a security passphrase for the first time.

Use the same passphrase across the entire installation to ensure that each component has the same encryption key.

Use a phrase that is greater than eight characters long.

Include uppercase, lowercase and numeric characters, and symbols.

Memorize the passphrase or keep it in a safe place. The passphrase is required to restore database information in the event of a system failure. Without the passphrase, you cannot restore successfully.

VMware, Inc. 32

Page 33

Installation and Configuration

Third-Party Software

Some components of vRealize Automation depend on third-party software, including Microsoft Windows and SQL Server. To guard against security vulnerabilities in third-party products, ensure that your software is up-to-date with the latest patches from the vendor.

Time Synchronization

A system administrator must set up accurate timekeeping as part of the vRealize Automation installation.

Installation fails if time synchronization is set up incorrectly.

Timekeeping must be consistent and synchronized across the Identity Appliance, vRealize Appliance, and Windows servers. By using the same timekeeping method for each component, you can ensure this consistency.

For virtual machines, you can use the following methods:

Configuration by using Network Time Protocol (directly)

Configuration by using Network Time Protocol through ESXi with VMware Tools. You must have NTP set up on the ESXi.

For Windows servers, consult Timekeeping best practices for Windows, including NTP.

VMware, Inc. 33

Page 34

Minimal Deployment Checklist 3

A system administrator can deploy a complete vRealize Automation in a minimal configuration. Minimal deployments are typically used in a development environment or as a proof of concept and require fewer steps to install.

The Minimal Deployment Checklist provides a high-level overview of the sequence of tasks you must perform to complete a minimal installation.

Print out a copy of the checklist and use it to track your work as you complete the installation. Complete the tasks in the order in which they are given.

Table 3‑1. Minimal Deployment Checklist

Task Details

Plan and prepare the installation environment and verify that all installation prerequisites are met.

Set up your Identity Appliance Deploy and Configure the Identity Appliance

Set up your vRealize Appliance Deploy and Configure the vRealize Appliance

Install IaaS components on a single Windows server. Installing IaaS Components

Install additional agents, if required. Chapter 6 Installing Agents

Perform post-installation tasks such as configuring the default tenant and entering the IaaS license

If needed, configure additional tenants to represent business units in an enterprise or companies that subscribe to cloud services from a service provider.

Chapter 2 Preparing for Installation

Chapter 7 Configuring Initial Access

Chapter 8 Configuring Additional Tenants

VMware, Inc. 34

Page 35

Minimal Deployment 4

You can install a standalone, minimal deployment for use in a development environment or as a proof of concept. Minimal deployments are not suitable for a production environment.

This chapter includes the following topics:

Minimal Deployment Checklist

Deploy and Configure the Identity Appliance

Deploy and Configure the vRealize Appliance

Installing IaaS Components

Minimal Deployment Checklist

The Minimal Deployment Checklist provides a high-level overview of the sequence of tasks you must perform to complete a minimal installation.

Print out a copy of the checklist and use it to track your work as you complete the installation. Complete the tasks in the order in which they are given.

Table 4‑1. Minimal Deployment Checklist

Task Details

Plan and prepare the installation environment and verify that all installation prerequisites are met.

Set up your Identity Appliance Deploy and Configure the Identity Appliance

Set up your vRealize Appliance Deploy and Configure the vRealize Appliance

Install IaaS components on a single Windows server. Installing IaaS Components

Install additional agents, if required. Chapter 6 Installing Agents

VMware, Inc. 35

Chapter 2 Preparing for Installation

Page 36

Installation and Configuration

Table 4‑1. Minimal Deployment Checklist (Continued)

Task Details

Perform post-installation tasks such as configuring the default tenant and entering the IaaS license

If needed, configure additional tenants to represent business units in an enterprise or companies that subscribe to cloud services from a service provider.

Chapter 7 Configuring Initial Access

Chapter 8 Configuring Additional Tenants

Deploy and Conﬁgure the Identity Appliance

Download and configure the Identity Appliance to provide Single Sign-On (SSO) capability for the vRealize Automation environment.

Note PSC version 6.0, the vSphere SSO component introduced in vSphere 6.0, allows you to specify a

tenant name other than vsphere.local. vRealize Automation requires vsphere.local as the name of the default tenant because you cannot enter the name of the tenant on the SSO tab of the management console when you configure vRealize Automation. If you have used another name, rename the tenant to vsphere.local.

1 Deploy the Identity Appliance

The Identity Appliance is a preconfigured virtual appliance that provides single sign-on capabilities. You download the Identity Appliance and deploy it into vCenter Server or ESX/ESXi inventory.

2 Enable Time Synchronization on the Identity Appliance

You must synchronize the clocks on the Identity Appliance server, the vRealize Automation server, and Windows servers to ensure a successful installation.

3 Configure the Identity Appliance

The Identity Appliance provides Single-Sign On (SSO) capability for vRealize Automation users. SSO is an authentication broker and security token exchange that interacts with the enterprise identity store (Active Directory or OpenLDAP) to authenticate users. A system administrator configures SSO settings to provide access to the vRealize Automation.

Deploy the Identity Appliance

The Identity Appliance is a preconfigured virtual appliance that provides single sign-on capabilities. You download the Identity Appliance and deploy it into vCenter Server or ESX/ESXi inventory.

Exact steps for this procedure vary depending on whether you use the native or Web vSphere client. Also, specific steps can vary depending on the your data center configuration. If you are using VSphere Single-Sign (SSO), you can skip to Configure the Identity Appliance.

VMware, Inc. 36

Page 37

Installation and Configuration

Prerequisites

Download the Identity Appliance from the VMware Web site.

Procedure

1 In the vSphere client, select File > Deploy OVF Template.

2 Browse to the Identity Appliance file with the .ova or .ovf extension and click Open.

3 Click Next.

4 Click Next on the OVF Template Details page.

5 Accept the license agreement and click Next.

6 Type a unique virtual appliance name according to the IT naming convention of your organization in

the Name text box, select the datacenter and location to which you want to deploy the virtual appliance, and click Next.

7 Follow the prompts until the Disk Format page appears.

8 Verify on the Disk Format page that enough space exists to deploy the virtual appliance and click

Next.

9 Follow the prompts to the Properties page.

The options that appear depend on your vSphere configuration.

10 Configure the values on the Properties page.

a Type the root password to use when you log in to the virtual appliance console in the Enter

password and Confirm password text boxes.

b Select or uncheck the SSH service checkbox to choose whether SSH service is enabled for the

appliance.

This value is used to set the initial status of the SSH service in the appliance. You can change this setting from the appliance management console when you configure the appliance.

c Type the fully qualified domain name of the virtual machine in the Hostname text box, even if you

are using DHCP.

d Configure the networking properties.

11 Click Next.

12 Depending on your vCenter and DNS configurations, it could take some time for the DNS to resolve.

To expedite this process, perform the following steps.

If Power on after deployment is available on the Ready to Complete page.

a Select Power on after deployment and click Finish.

b Click Close after the file finishes deploying into vCenter.

VMware, Inc. 37

Page 38

Installation and Configuration

c Wait for the machine to restart. This could take up to five minutes.

If Power on after deployment is not available on the Ready to Complete page.

a Click Close after the file finishes deploying into vCenter.

b Power on the VM and wait for some time for the VM to start up.

c Verify that you can ping the DNS of the VM. If you cannot ping the DNS, restart the VM.

d Wait for the machine to start. This could take up to five minutes.

13 Open a command prompt and ping the FQDN to verify that the fully qualified domain name can be

resolved against the IP address of vRealize Appliance.

Enable Time Synchronization on the Identity Appliance

You must synchronize the clocks on the Identity Appliance server, the vRealize Automation server, and Windows servers to ensure a successful installation.

If you see certificate warnings during this procedure, continue past them.

Prerequisites

Deploy the Identity Appliance.

Procedure

1 Navigate to the Identity Appliance management console by using its fully qualified domain name,

https://identity-hostname.domain.name:5480/.

2 Log in by using the user name root and the password you specified when you deployed the Identity

Appliance.

3 Select Admin > Time Settings.

4 Select an option from the Time Sync Mode menu.

Option Action

Use Time Server Select Use Time Server from the Time Sync Mode menu to use Network Time

Protocol . For each time server that you are using, type the IP address or the host name in the Time Server text box.

Use Host Time Select Use Host Time from the Time Sync Mode menu to use VMware Tools

time synchronization. You must configure the connections to Network Time Protocol servers before you can use VMware Tools time synchronization.

5 Click Save Settings.

6 Click Refresh.

7 Verify that the value in Current Time is correct.

You can change the time zone as required from the Time Zone Setting page on the System tab.

VMware, Inc. 38

Page 39

Installation and Configuration

Conﬁgure the Identity Appliance

Migration Note If you plan to use the vRealize Automation migration tool, you must specify a Native

Active Directory when you configure the appliance.

Native Active Directories have the following characteristics:

Use Kerberos to authenticate

Do not require a search base, making it easier to find the correct Active Directory store

Can be used only with the default tenant

You must also specify an identity store when you configure tenants, even if you specify Native Active Directory settings here.

Prerequisites

Enable Time Synchronization on the Identity Appliance.

Procedure

1 Navigate to the Identity Appliance management console by using its fully qualified domain name,

https://identity-hostname.domain.name:5480/.

2 Continue past the certificate warning.

3 Log in with the user name root and the password you specified when the appliance was deployed.

You can use a service account or user account.

4 Click the SSO tab.

The red text is a prompt, not an error message.

5 Specify a password for the system administrator by entering the same value in the Admin Password

and Repeat password text boxes.

The System Domain text field has the value vsphere.local, which is the local default domain for the Identity Appliance. The default tenant is created with this name and the system administrator is administrator@vsphere.local. Record the user name and password in a secure place for later use.

6 Click Apply.

It can take several minutes for the success message to appear. Do not interrupt the process.

7 When the success message appears, click the Host Settings tab.

8 Verify that the SSO Hostname does not include a port suffix, such as :7444.

VMware, Inc. 39

Page 40

Installation and Configuration

9 (Optional) You can import a certificate or generate a self-signed certificate for the Identity Appliance.

A self-signed certificate is also created for you when you deploy the Identity Appliance. Click SSL

10 Select the certificate type from the Choose Action menu.

If you are using a PEM-encoded certificate, for example for a distributed environment, select Import PEM Encoded Certificate.

Certificates that you import must be trusted and must also be applicable to all instances of vRealize Appliance and any load balancer by using Subject Alternative Name (SAN) certificates.

Note If you use certificate chains, specify the certificates in the following order:

The client/server certificate signed by the intermediate CA certificate

One or more intermediate certificates

A root CA certificate

Option Action

Import PEM Encoded Certificate a Copy the certificate values from BEGIN PRIVATE KEY to END PRIVATE KEY,

including the header and footer, and paste them in the RSA Private Key text box.

b Copy the certificate values from BEGIN CERTIFICATE to END

CERTIFICATE, including the header and footer, and paste them in the Certificate Chain text box.

c (Optional) If your certificate uses a pass phrase to encrypt the certificate key,

copy the pass phrase and paste it in the Pass Phrase text box.

Generate Self-Signed Certificate a Type a common name for the self-signed certificate in the Common Name

text box. You can use the fully qualified domain name of the virtual appliance (hostname.domain.name) or a wild card, such as *.mycompany.com.

b Type your organization name, such as your company name, in the

Organization text box.

c Type your organizational unit, such as your department name or location, in

the Organizational Unit text box.

d Type a two-letter ISO 3166 country code, such as US, in the Country text

box.

Keep Existing Leave the current SSL configuration. Select this option to cancel your changes.

11 Click Apply Settings.

After a few minutes the certificate details appear on the page.

12 Join the Identity Appliance to your Native Active Directory domain.

For migration, you must configure Native Active Directory. If you are not using the migration tool, this step is optional.

a Click the Active Directory tab.

b Type the domain name of the Active Directory in Domain Name.

VMware, Inc. 40

Page 41

Installation and Configuration

c Enter the credentials for the domain administrator in the Domain User and Password text boxes.

d Click Join AD Domain.

13 Click the Admin tab.

14 Verify that the SSH settings are correct.

When SSH service enabled is selected, SSH is enabled for all but the root user. Select or uncheck Administrator SSH login enabled to enable or disable SSH login for the root user.

The SSO host is initialized. If your Identity Appliance does not function correctly after configuration, redeploy and reconfigure the appliance. Do not make changes to the existing appliance.

Deploy and Conﬁgure the vRealize Appliance

The vRealize Appliance is a preconfigured virtual appliance that deploys the vRealize Appliance server and Web console (the user portal). It is delivered as an open virtualization format (OVF) template. The system administrator downloads the appliance and deploys it into the vCenter Server or ESX/ESXi inventory.

1 Deploy the vRealize Appliance

To deploy the vRealize Appliance, a system administrator must log in to the vSphere client and select deployment settings.

2 Enable Time Synchronization on the vRealize Appliance

Clocks on the Identity Appliance server, vRealize Automation server, and Windows servers must be synchronized to ensure a successful installation.

3 Configure the vRealize Appliance

To prepare the vRealize Appliance for use, a system administrator configures the host settings, generates an SSL certificate, and provides SSO connection information.

Deploy the vRealize Appliance

To deploy the vRealize Appliance, a system administrator must log in to the vSphere client and select deployment settings.

Prerequisites

Download the vRealize Appliance from the VMware Web site.

Procedure

1 Select File > Deploy OVF Template from the vSphere client.

2 Browse to the vRealize Appliance file you downloaded and click Open.

3 Click Next.

4 Click Next on the OVF Template Details page.

VMware, Inc. 41

Page 42

Installation and Configuration

5 Accept the license agreement and click Next.

6 Type a unique virtual appliance name according to the IT naming convention of your organization in

the Name text box, select the datacenter and location to which you want to deploy the virtual appliance, and click Next.

7 Follow the prompts until the Disk Format page appears.

8 Verify on the Disk Format page that enough space exists to deploy the virtual appliance and click

Next.

9 Follow the prompts to the Properties page.

The options that appear depend on your vSphere configuration.

10 Enter properties for this vRealize Appliance.

a Enter and confirm a password for the vRealize Appliance root account.

This setting can be changed later, from the vRealize Appliance management interface.

b Enable or disable SSH connections to the vRealize Appliance.

This setting can be changed later, from the vRealize Appliance management interface.

c Review the Customer Experience Improvement Program description. If you want to leave the

program without joining, you may uncheck the checkbox.

This setting can be changed later, from the vRealize Appliance management interface.

d In the Hostname text box, enter the fully qualified domain name of the vRealize Appliance, even

if you are using DHCP.

e Enter networking properties.