VMware vRealize Automation - 6.2 Installation Manual

Installation and Configuration
vRealize Automation 6.2
You can find the most up-to-date technical documentation on the VMware website at:
https://docs.vmware.com/
If you have comments about this documentation, submit your feedback to
VMware, Inc.
3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com
Copyright © 2008–2016 VMware, Inc. All rights reserved. Copyright and trademark information.

Contents

vRealize Automation Installation and Configuration
Updated Information
1 vRealize Automation Installation Overview
  vRealize Automation Installation Components
  VMware Identity Appliance
  VMware vRealize Appliance
  vRealize Automation Infrastructure as a Service
  Choosing Your Deployment Path
  Upgrading vRealize Automation
  Migrating to vRealize Automation
  Minimal Deployment Overview
  Distributed Deployment Overview
2 Preparing for Installation
  DNS and Host Name Resolution
  Hardware and Virtual Machine Requirements
  Browser Considerations
  Password Considerations
  Windows Server Requirements
  IaaS Database Server Requirements
  IaaS Web Service and Model Manager Server Requirements
  IaaS Manager Service
  Distributed Execution Manager Requirements
  Port Requirements
  User Accounts and Credentials Required for Installation
  Security
  Certificates
  Security Passphrase
  Third-Party Software
  Time Synchronization
3 Minimal Deployment Checklist
4 Minimal Deployment
  Minimal Deployment Checklist
  Deploy and Configure the Identity Appliance
  Deploy the Identity Appliance
  Enable Time Synchronization on the Identity Appliance
  Configure the Identity Appliance
  Deploy and Configure the vRealize Appliance
  Deploy the vRealize Appliance
  Enable Time Synchronization on the vRealize Appliance
  Configure the vRealize Appliance
  Installing IaaS Components
  Enable Time Synchronization on the Windows Server
  IaaS Certificates
  Install the Infrastructure Components
5 Distributed Deployment
  Distributed Deployment Checklist
  Distributed Installation Components
  Disabling Load Balancer Health Checks
  Certificate Trust Requirements in a Distributed Deployment
  Installation Worksheets
  Deploy Appliances for vRealize Automation
  Deploy the Identity Appliance
  Deploy the vRealize Appliance
  Configuring Your Load Balancer
  Configuring Appliances for vRealize Automation
  Configure the Identity Appliance
  Configure the Primary vRealize Appliance
  Configuring Additional Instances of vRealize Appliance
  Install the IaaS Components in a Distributed Configuration
  Install IaaS Certificates
  Download the IaaS Installer
  Choosing an IaaS Database Scenario
  Install the Primary IaaS Website Component with Model Manager Data
  Install Additional IaaS Website Components
  Install the Primary Manager Service
  Install an Additional Manager Service Component
  Installing Distributed Execution Managers
  Configuring Windows Service to Access the IaaS Database
  Verify IaaS Services
6 Installing Agents
  Set the PowerShell Execution Policy to RemoteSigned
  Choosing the Agent Installation Scenario
  Agent Installation Location and Requirements
  Installing and Configuring the Proxy Agent for vSphere
  vSphere Agent Requirements
  Install the vSphere Agent
  Configure the vSphere Agent
  Installing the Proxy Agent for Hyper-V or XenServer
  Hyper-V and XenServer Requirements
  Install the Hyper-V or XenServer Agent
  Configure the Hyper-V or XenServer Agent
  Installing the VDI Agent for XenDesktop
  XenDesktop Requirements
  Set the XenServer Host Name
  Install the XenDesktop Agent
  Installing the EPI Agent for Citrix
  Citrix Provisioning Server Requirements
  Install the Citrix Agent
  Installing the EPI Agent for Visual Basic Scripting
  Visual Basic Scripting Requirements
  Install the Agent for Visual Basic Scripting
  Installing the WMI Agent for Remote WMI Requests
  Enable Remote WMI Requests on Windows Machines
  Install the WMI Agent
7 Configuring Initial Access
  Configure the Identity Stores for the Default Tenant
  Configure a Native Active Directory Identity Store
  Configure an OpenLDAP or Active Directory Identity Store
  Appoint Administrators
  Provide the Infrastructure License
8 Configuring Additional Tenants
  Tenancy Overview
  User and Group Management
  Comparison of Single-Tenant and Multitenant Deployments
  Create and Configure a Tenant
  Specify Tenant Information
  Configure Identity Stores
  Appoint Administrators
9 Updating vRealize Automation Certificates
  Extracting Certificates and Private Keys
  Updating the Identity Appliance Certificate
  Replace a Certificate in the Identity Appliance
  Update the vRealize Appliance with the Identity Appliance Certificate
  Updating the vRealize Appliance Certificate
  Replace a Certificate in the vRealize Appliance
  Update SSO Registration for the vRealize Appliance
  Update the IaaS Servers with the vRealize Appliance Certificate
  Updating the IaaS Certificate
  Replace the Internet Information Services Certificate
  Update the vRealize Appliance with the IaaS Certificate
  Update Guest Agent Trust Relationship
  Replace the Identity Appliance Management Site Certificate
  Updating the vRealize Appliance Management Site Certificate
  Replace the vRealize Automation Appliance Management Site Certificate
  Manually Update Management Agents to Recognize a vRealize Appliance Management Site Certificate
  Automatically Update Management Agents in a Distributed Environment to Recognize a vRealize Appliance Management Site Certificate
  Replace a Management Agent Certificate
10 Troubleshooting
  Default Log Locations
  Rolling Back a Failed Installation
  Roll Back a Minimal Installation
  Roll Back a Distributed Installation
  Create a Support Bundle for vRealize Automation
  Installers Fail to Download
  Failed to Install Model Manager Data and Web Components
  Save Settings Warning Appears During IaaS Installation
  WAPI and Distributed Execution Managers Fail to Install
  IaaS Authentication Fails During IaaS Web and Model Management Installation
  Installation or Upgrade Fails with a Load Balancer Timeout Error
  Uninstalling a Proxy Agent Fails
  Validating Server Certificates for IaaS
  Server Times Are Not Synchronized
  RabbitMQ Configuration Fails in a High-Availability Environment
  Encryption.key File has Incorrect Permissions
  Log in to the vRealize Automation Console Fails
  Error Communicating to the Remote Server
  Blank Pages May Appear When Using Internet Explorer 9 or 10 on Windows 7
  Cannot Establish Trust Relationship for the SSL/TLS Secure Channel
  Cannot Log in to a Tenant or Tenant Identity Stores Disappear
  Adding an Endpoint Causes an Internal Error
  Error in Manager Service Communication
  Machine Requests Fail When Remote Transactions Are Disabled
  Credentials Error When Running the IaaS Installer
  Attempts to Log In as the IaaS Administrator with Incorrect UPN Format Credentials Fails with No Explanation
  Email Customization Behavior Has Changed
  Changes Made to /etc/hosts Files Might Be Overwritten
  Network Settings Were Not Successfully Applied
vRealize Automation Installation and Configuration

vRealize Automation Installation and Configuration explains how to install and configure VMware vRealize™ Automation.

Note: Not all features and capabilities of vRealize Automation are available in all editions. For a comparison of feature sets in each edition, see https://www.vmware.com/products/vrealize-automation/.
Intended Audience
This information is intended for experienced Windows or Linux system administrators who are familiar with virtual machine technology and data center operations.
vCloud Suite Licensing and Integration
You can license vRealize Automation individually or as part of vCloud Suite. You should consider the licensing and integration options that are available to you.
Some vCloud Suite components are available as standalone products that are licensed on a per-virtual machine basis. When the products are part of vCloud Suite, they are licensed on a per-CPU basis. You can run an unlimited number of virtual machines on CPUs that are licensed with vCloud Suite. For more information, see vCloud Suite Architecture Overview and Use Cases.
VMware Technical Publications Glossary
VMware Technical Publications provides a glossary of terms that might be unfamiliar to you. For definitions of terms as they are used in VMware technical documentation, go to http://www.vmware.com/support/pubs.

Updated Information

The following table provides update history for the Installation and Configuration guide.
Revision | Description
EN-001649-07
EN-001649-06
EN-001649-05
EN-001649-04
- Revisions for vRealize Automation 6.2.5 including minor updates and bug fixes.
- Revised Specify Server and Account Settings
- Installation instructions for vRealize Automation 6.2.4 including minor updates and bug fixes.
- Enhanced Distributed Deployment procedures for appliance database configuration.
- Stand-alone PostgreSQL implementations are no longer supported. The PostgreSQL database is now referred to as the appliance database. Changes made to all related topics.
- For 6.2.2, updated .NET requirement to .NET 4.5.1 or later.
- Updated IaaS Windows Server requirements to specify Java 1.7 or later. See IaaS Web Service and Model Manager Server Requirements.
- Added information about the relationship between the user's identity store and the Identity Appliance domain to User Accounts and Credentials Required for Installation and Log in to the vRealize Automation Console Fails.
- Added a note about using the iisreset command before reinstalling IaaS to Roll Back a Minimal Installation and Roll Back a Distributed Installation.
- Updated Install the Primary IaaS Website Component with Model Manager Data and Failed to Install Model Manager Data and Web Components.
- Added port 902 to outgoing ports for the vRealize Appliance and moved port 8444 from outgoing ports to incoming ports in Port Requirements.
- Added additional IaaS service user requirements to User Accounts and Credentials Required for Installation.
EN-001649-03 | Added port requirements for VMRC and high-availability deployments in the topic Port Requirements.
EN-001649-02
- Added version_string argument to the topic Create the IaaS Database Manually.
- Corrected default location for installation logs in the topic Default Log Locations.
- Clarification of steps in the following topics:
  - Update the vRealize Appliance with the Identity Appliance Certificate
  - Update the vRealize Appliance with the IaaS Certificate
EN-001649-01
- Updated IaaS Windows Server requirements to specify Java 1.7 and .NET 4.5.1 and later. See IaaS Web Service and Model Manager Server Requirements.
- Various editorial changes and defect fixes.
- Revised and updated documentation for Management Agents. See Manually Update Management Agents to Recognize a vRealize Appliance Management Site Certificate
- Added step to select Mark this key as exportable when importing a new IIS certificate. See Replace the Internet Information Services Certificate.
EN-001649-00 | Initial document release.
1 vRealize Automation Installation Overview
vRealize Automation can be deployed in a variety of configurations. To ensure a successful deployment, understand the deployment and configuration options and the sequence of tasks required.
After installation, system administrators can customize the installation environment and configure one or more tenants, which sets up access to self-service provisioning and life-cycle management of cloud services.
By using the secure portal Web interface, administrators, developers, or business users can request IT services and manage specific cloud and IT resources based on their roles and privileges. Users can request infrastructure, applications, desktops, and IT service through a common service catalog.
This chapter includes the following topics:
- vRealize Automation Installation Components
- Choosing Your Deployment Path
vRealize Automation Installation Components
A vRealize Automation installation includes installing and configuring single sign-on (SSO) capabilities, the user interface portal, and Infrastructure as a Service (IaaS) components.
An installation consists of the following components.
- VMware vCloud Automation Center Appliance, which deploys the vCloud Automation Center console (the user interface portal), and manages Single Sign-On (SSO) capabilities for authorization and authentication.
- Infrastructure as a Service (IaaS) components, which are installed on a Windows machine (virtual or physical), and appear largely under the Infrastructure tab on the console.
- An SQL Server Database, which can be installed as part of IaaS or separately.
- VMware Identity Appliance
  Identity Appliance is a preconfigured virtual appliance that provides single sign-on (SSO) capabilities for the vRealize Automation environment.
- VMware vRealize Appliance
  The vRealize Appliance is a preconfigured virtual appliance that deploys the vRealize Automation server. vRealize Automation is delivered as an open virtualization format (OVF) template. The system administrator deploys the virtual appliance to an existing virtualized infrastructure.
- vRealize Automation Infrastructure as a Service
  Infrastructure as a Service (IaaS) enables the rapid modeling and provisioning of servers and desktops across virtual and physical, private and public, or hybrid cloud infrastructures.

VMware Identity Appliance

Identity Appliance is a preconfigured virtual appliance that provides single sign-on (SSO) capabilities for the vRealize Automation environment.
You can use the Identity Appliance SSO provided with vRealize Automation or some versions of the SSO provided with vSphere. For information about supported versions, see vRealize Automation Support Matrix for this release available from https://www.vmware.com/support/pubs/vcac-pubs.html.
The Identity Appliance is delivered as an open virtualization format (OVF) template. The system administrator deploys the virtual appliance to the existing virtualization infrastructure.
SSO is an authentication broker and security token exchange that interacts with the enterprise identity store, Active Directory or OpenLDAP, to authenticate users. A system administrator configures SSO settings to provide access to the Identity Appliance console.
VMware vRealize Appliance
The vRealize Appliance is a preconfigured virtual appliance that deploys the vRealize Automation server. vRealize Automation is delivered as an open virtualization format (OVF) template. The system administrator deploys the virtual appliance to an existing virtualized infrastructure.
The server includes the vRealize Appliance console, which provides a single portal for self-service provisioning and management of cloud services, authoring, administration, and governance.
Appliance Database
During deployment of the virtual appliances, the Appliance Database is created automatically on the first vRealize Appliance. A replica database can be installed on a second vRealize Appliance to create a high-availability environment.
vRealize Automation Infrastructure as a Service
Infrastructure as a Service (IaaS) enables the rapid modeling and provisioning of servers and desktops across virtual and physical, private and public, or hybrid cloud infrastructures.
The system administrator installs IaaS components on a Windows machine, virtual or physical. IaaS capabilities are then available from the Infrastructure tab on the user interface console. IaaS has several components that you can install in a custom configuration to meet the needs of your organization.
IaaS Website
The IaaS Website component, also called the Model Manager Web, provides the infrastructure administration and service authoring capabilities to the vRealize Automation console. The Website component communicates with the Model Manager, which provides it with updates from the Distributed Execution Manager (DEM), proxy agents, and database.
Model Manager
vRealize Automation models facilitate integration with external systems and databases. They implement business logic that a Distributed Execution Manager (DEM) uses.
The Model Manager provides services and utilities for persisting, versioning, securing, and distributing model elements. It communicates with the database, the DEMs, and the console Web site.
vCloud Automation Center Manager Service
The Manager Service coordinates communication between DEMs, agents, and the database. The Manager Service communicates with the console Web site through the Model Manager. This service requires administrative privileges to run.
IaaS Database
The IaaS component of vRealize Automation uses a Microsoft SQL Server database to maintain information about the machines it manages and its own elements and policies. Typically, a system administrator creates the database during installation.
Distributed Execution Managers
A Distributed Execution Manager (DEM) runs the business logic of custom models, interacting with the database and with external databases and systems as required.
Each DEM instance acts in either a Worker role or in an Orchestrator role. The Worker role is responsible for running workflows. The Orchestrator role is responsible for monitoring DEM Worker instances, preprocessing workflows to run, and scheduling workflows.
The DEM Orchestrator performs these specific tasks.
- Monitors the status of DEM Workers and ensures that if a Worker instance stops or loses its connection to the Model Manager, its workflows are put back in the queue for another DEM Worker to pick up.
- Manages scheduled workflows by creating new workflow instances at the scheduled time.
- Ensures that only one instance of a particular scheduled workflow is running at a given time.
- Preprocesses workflows before they are run, including checking preconditions for workflows, used in the implementation of the RunOneOnly feature, and creating the workflow execution history.
One DEM Orchestrator instance is designated as the active Orchestrator that performs these tasks. Because the DEM Orchestrator is essential to run workflows, install at least one additional Orchestrator instance on a separate machine for redundancy. The Orchestrator is automatically installed on the machine that also runs the Manager Service. The additional DEM Orchestrator monitors the status of the active Orchestrator so that it can take over if the active Orchestrator goes offline.
vRealize Automation Agents
vRealize Automation uses agents to integrate with external systems. A Management Agent is installed automatically on each IaaS node that you create. You can install the vSphere agent as part of a minimal installation. You can install additional agents as needed by using the Custom Installer.
Integration Agents
Virtual desktop integration (VDI) PowerShell agents allow vRealize Automation to integrate with external virtual desktop systems. Currently, virtual machines that vRealize Automation provisions can be registered with XenDesktop on a Citrix Desktop Delivery Controller (DDC) and their owners can access the XenDesktop Web Interface from vRealize Automation.
External provisioning integration (EPI) PowerShell agents allow vRealize Automation to integrate external systems into the machine provisioning process. For example, integration with Citrix Provisioning Server enables provisioning of machines by on-demand disk streaming, and an EPI agent allows you to run Visual Basic scripts as extra steps during the provisioning process.
VDI and EPI agents require administrator-level access to the external systems with which they interact.
Management Agent
The Management Agent collects support and telemetry information and registers IaaS nodes. A Management Agent is installed automatically on each IaaS node in your deployment.
Management Agents are not automatically deleted when you uninstall an IaaS component. Uninstall the Management Agent as you would uninstall any Windows service.
Virtualization Proxy Agents
The virtual machines that vRealize Automation manages are created on virtualization hosts. vRealize Automation uses virtualization proxy agents to send commands to and collect data from vSphere ESX Server, XenServer, and Hyper-V virtualization hosts and the virtual machines provisioned on them. A proxy agent has the following characteristics.
- Typically requires administrator-level access to the virtualization platform it manages
- Communicates with the Manager Service
- Is installed separately with its own configuration file
Windows Management Instrumentation Agent
The vRealize Automation Windows Management Instrumentation (WMI) agent enhances your ability to monitor and control system information and allows you to manage remote servers from a central location. It enables the collection of data from Windows machines that vRealize Automation manages.
Choosing Your Deployment Path
You can upgrade from an earlier vCloud Automation Center 6.x version, migrate from a supported vCloud Automation Center 5.2.x version, or install vRealize Automation for the first time.
Table 1-1. Choosing Your Deployment Path
Your Currently Installed Version | How to install the latest vRealize Automation
vCloud Automation Center 5.2.1 | Migrate to vCloud Automation Center 6.1 and then perform upgrades incrementally until you reach the latest version. See Migrating to vCloud Automation Center 6.1 and Upgrading to vRealize Automation 6.2 or Later.
vCloud Automation Center 5.2.2 | Migrate to vCloud Automation Center 6.1 and then perform upgrades incrementally until you reach the latest version. See Migrating to vCloud Automation Center 6.1 and Upgrading to vRealize Automation 6.2 or Later.
vCloud Automation Center 5.2.3 | Migrating to vRealize Automation
vCloud Automation Center 6.0 | Upgrading vRealize Automation
vCloud Automation Center 6.0.1 | Upgrading vRealize Automation
vCloud Automation Center 6.1.x | Upgrading vRealize Automation
None | Install vRealize Automation for the first time in either a minimal or distributed deployment.
- Minimal deployments are typically used in a development environment or as a proof of concept (PoC). You deploy a single instance of each virtual appliance and install all IaaS components on a single Windows machine. You can install the databases on the same Windows machine or on a dedicated SQL Server. See Minimal Deployment Overview.
- Distributed deployments are typically used in a production environment and allow you to design the topology best suited to your organizational needs. You distribute components across multiple servers to provide failover capability and redundancy. See Distributed Deployment Overview.
For information about scalability and high availability, see VMware vRealize Automation Reference Architecture at https://www.vmware.com/support/pubs/vcac-pubs.html.
Upgrading vRealize Automation
You upgrade incrementally from vRealize Automation 6.x until you reach the latest vRealize Automation.
Locate your currently installed version in the table and then follow the steps in the documents on the right to incrementally upgrade your vRealize Automation environment to the latest release. You can find links to the documentation for all versions of vCloud Automation Center and vRealize Automation at https://www.vmware.com/support/pubs/vcac-pubs.html.
Table 1-2. Supported Upgrade Paths
Your Currently Installed Version | Documentation for Incremental Upgrades
vCloud Automation Center 6.0 | Perform upgrades in the following order:
- Upgrading vCloud Automation Center 6.0 to 6.0.1
- Upgrading to vCloud Automation Center 6.1
- Upgrading to vRealize Automation 6.2 or Later
vCloud Automation Center 6.0.1 | Perform upgrades in the following order:
- Upgrading to vCloud Automation Center 6.1
- Upgrading to vRealize Automation 6.2 or Later
vCloud Automation Center 6.1.x | Upgrading to vRealize Automation 6.2 or Later
vRealize Automation 6.2.x | Upgrade directly to the latest 6.2.x release as described in Upgrading to vRealize Automation 6.2 or Later
Migrating to vRealize Automation
You can migrate your data from vCloud Automation Center 5.2.3 to vRealize Automation 6.2.
The following high-level overview shows the steps required to migrate to vRealize Automation 6.2.
1 Read Migrating vCloud Automation Center 5.2.3 to vRealize Automation 6.2 for important information about processes and prerequisites.
2 Verify that the Identity Appliance and Windows IaaS servers belong to the same domain as the source vRealize Automation system servers or to a domain with identical domain trusts to the source system servers.
3 Install vRealize Automation 6.2. Depending on your deployment type, see Chapter 4 Minimal Deployment or Chapter 5 Distributed Deployment. As you install, note the following configurations required for migration:
  - Join your Identity Appliance to your Native Active Directory domain. See Configure the Identity Appliance.
  - Verify that the names of Distributed Execution Orchestrators and Distributed Execution Workers for vRealize Automation 6.2 exactly match the names you used in your vCloud Automation Center 5.2.3 deployment. See Install the Distributed Execution Managers.
  - Verify that agent and proxy agent names for vRealize Automation 6.2 exactly match the names you used in your vCloud Automation Center 5.2.3 deployment. See Chapter 6 Installing Agents.
  - Configure the default tenant ID store for Native Active Directory. See Configure a Native Active Directory Identity Store.
  - You must appoint one or more users to the administrative roles. Groups are not supported for migration. See Appoint Administrators.
4 Migrate your 5.2.3 deployment to vRealize Automation 6.2 using the migration tool. See Migrating vCloud Automation Center 5.2.3 to vRealize Automation 6.2.
Minimal Deployment Overview
To complete a minimal deployment, the system administrator installs the Identity Appliance, the vRealize Appliance, and Infrastructure as a Service (IaaS).
- Identity Appliance, which supports single sign-on capabilities. It is installed as a virtual appliance.
- vRealize Appliance, which includes the Web console interface. It is installed as a virtual appliance.
- Infrastructure as a Service (IaaS), which is installed on a Windows Server machine.
The IaaS database can be installed on the same machine as IaaS or on its own server.
The following figure shows the relationship and purpose of components of a minimal installation.
[Figure: components of a minimal installation. Identity (SSO) Virtual Appliance: download and deploy appliance from .ova or .ovf; Single Sign-On capability. vRealize Appliance: download and deploy appliance from .ova or .ovf; provides user interface console. Infrastructure as a Service Components: browser-based install from vRealize Appliance; provides IaaS services.]
Distributed Deployment Overview
The system administrator can deploy and install multiple instances of the vRealize Appliance and individual IaaS components for scale, redundancy, high availability, and disaster recovery.
In this sample architecture, the IaaS components are distributed over multiple machines. This sample installation describes one possible deployment. Load balancers distribute the workload across the servers. In practice, the system administrator chooses a distribution architecture that is compatible with the company environment and goals.
For information about scalability and high availability, see VMware vRealize Automation Reference Architecture at https://www.vmware.com/support/pubs/vcac-pubs.html.
Load balancers distribute the workload across the computing environment. System administrators configure load balancers outside of the vRealize Automation framework.
The following figure shows the components of a distributed deployment. Each component is numbered to correspond to an entry in the Distributed Deployment Components table.
The Distributed Deployment Components table describes each component and presents requirements and options for using each component.
Table 13. Distributed Deployment Components
Diagram
Number Description Requirements and Options
1 vRealize Appliance Load
Balancer
2 Single Sign-On Server
Appliance
3 vRealize Appliance 1 One instance required. Multiple instances can be used to support high availability and
4 vRealize Appliance 2, 3,
and so on
5 Appliance Database Appliance Database or cluster. If a two vRealize Appliances have been deployed with
6 IaaS Web Load Balancer Only necessary if you are installing more than one Website Component. Install Website
7 SQL Database Cluster Install one instance during IaaS installation. Database administrator handles
8 Website Component 1 and
Model Manager Data
Only necessary if you are deploying more than one vRealize Appliance.
Important Disable all nodes under the load balancer except for the node you are
configuring. For example, if you have three nodes, disable nodes 1 and 2 when you configure node 3.
One instance of a single sign-on server is required. You can use the vRealize Appliance, which is a product component, or some versions of vSphere SSO, which might be preferable for high-availability deployments. Consult the vCloud Automation Center Support Matrix for information about supported versions.
failover recovery. Multiple instances must be deployed with vSphere High Availability.
Deploy multiple instances under the vRealize Appliance Load Balancer.
Appliance Databases, then they can be clustered. If only one vRealize appliance exists, then there is no highly available method for the database.
Component 1 and Model Manager Data on one machine under this load balancer.
redundancy outside of IaaS context. See Choosing an IaaS Database Scenario.
Required. Install together on one machine under the IaaS Web load balancer. Only one instance of Model Manager Data is allowed. See Install the Primary IaaS Website
Component with Model Manager Data
9 Website Component 2, 3,
and so on
10 IaaS Manager Service
Load Balancer
11 Manager Service 1 and
DEM Orchestrator 1
12 Manager Service 2, 3, and
so on
13 Agents and DEMs Install the first DEM Orchestrator on the active Manager Service machine. Install
Optional. Install multiple instances under the IaaS Web load balancer for high availability and failover recovery.
Install the first instance of the Manager Service and the first instance of the DEM Orchestrator together on one machine under this load balancer. See Install the Primary
Manager Service and Install the Distributed Execution Managers.
Install the first instance of the Manager Service and the first instance of the DEM Orchestrator together on one machine under the IaaS Manager Service load balancer. The first Manager Service instance is active. Only one can be active at any given time. See Install the Primary Manager Service and Install the Distributed Execution
Managers.
Passive instances for backup only. If the Active Manager Service fails, start the service on the passive node.
Agents, DEM Orchestrators, and DEM Workers together or on separate machines. See
Chapter 6 Installing Agents and Install the Distributed Execution Managers.

Preparing for Installation 2

System Administrators install vRealize Automation into their existing virtualization environments. Before the installation begins, there are a number of preliminary steps that must be completed to prepare the deployment environment.
This chapter includes the following topics:
• DNS and Host Name Resolution
• Hardware and Virtual Machine Requirements
• Browser Considerations
• Password Considerations
• Windows Server Requirements
• Port Requirements
• User Accounts and Credentials Required for Installation
• Security
• Time Synchronization
DNS and Host Name Resolution
vRealize Automation requires the system administrator to identify all hosts using a fully qualified domain name (FQDN). In a distributed deployment, all vRealize Automation components must be able to resolve each other by using an FQDN. The Model Manager Web service, Manager Service, and Microsoft SQL Server database must also be able to resolve each other by their Windows Internet Name Service (WINS) name. You must configure the Domain Name System (DNS) to resolve these host names in your environment.
Important: vRealize Automation does not allow navigation to hosts that contain the underscore (_) character in the host name.
Hardware and Virtual Machine Requirements
Installation requires minimum system resources to install virtual appliances and minimum hardware requirements to install IaaS components on the Windows Server.
For operating system and high-level environment requirements, including information about supported browsers and operating systems, see the vRealize Automation Support Matrix.
The Hardware Requirements table shows the minimum configuration requirements for deployment of the virtual appliances and installation of IaaS components. The appliances are preconfigured virtual machines that you add to your vCenter Server or ESXi inventory. IaaS components are installed on physical or virtual Windows 2008 R2 SP1, Windows 2012 or Windows 2012 R2 servers.
Table 2-1. Hardware Requirements
| Identity Appliance | vRealize Appliance | IaaS Components (Windows Server) |
|---|---|---|
| 1 CPU | 2 CPUs | 2 CPUs |
| 2 GB memory | 8 GB memory | 8 GB memory |
| 2 GB disk storage | 30 GB disk storage | 30 GB disk storage |

Browser Considerations

Some restrictions exist for browser use with vRealize Automation.
• vRealize Automation does not support Compatibility View mode for Internet Explorer 9 or 10 on Windows 7 platforms. If you are unable to log in to appliance management consoles or you receive an error on the SSO tab when using Internet Explorer 9 or 10, use the Developer Tools to set the browser mode to Internet Explorer 7.
• Multiple browser windows and tabs are not supported. vRealize Automation supports one session per user.
• VMware remote consoles provisioned on vSphere support a subset of vRealize Automation-supported browsers.
For operating system and high-level environment requirements, including information about supported browsers and operating systems, see the vRealize Automation Support Matrix.
Password Considerations
The vRealize Automation administrator password cannot contain a trailing "=" character.
Verify that the administrator password you assign during installation does not end with an "=" character. Such passwords are accepted when you assign them, but result in errors when you perform operations such as saving endpoints.

Windows Server Requirements

The virtual or physical Windows machine that hosts the IaaS components must meet configuration requirements for the IaaS database, the IaaS server components, the IaaS Manager Service, and Distributed Execution Managers.

IaaS Database Server Requirements

Your environment must meet these general requirements that support the installation of the IaaS Database (SQL Server).
• TCP/IP protocol enabled for MS SQL Server
• Microsoft Distributed Transaction Coordinator Service (MS DTC) enabled on all SQL nodes in the system. MS DTC is required to support database transactions and actions such as workflow creation.
• No firewalls between Database Server and the Web server or IaaS Server, or ports opened as described in Port Requirements.
• For 6.0.x installations, the database name cannot contain a space. For 6.1 and later installations, the use of spaces in names is supported.
Note: If you clone an IaaS node, install MS DTC on each node after it has been cloned. When you clone a node that has MS DTC installed, its unique identifier is copied to each clone, which causes communication to fail. See Error in Manager Service Communication for further information.
For information about supported MS SQL versions, see vRealize Automation Support Matrix for this release.
IaaS Web Service and Model Manager Server Requirements
Your environment must meet software and configuration prerequisites that support installation of the IaaS server components.
IaaS Server Requirements
Your Windows server must meet the configuration requirements listed in the following table to support the installation of the vRealize Automation Web service or Model Manager.
Table 2-2. IaaS Server Requirements
Area: Host Configuration
Requirements: The following components must be installed on the host before installing IaaS:
• Microsoft .NET Framework 4.5.1 or later
• Microsoft PowerShell 2.0 (included with Windows Server 2008 R2 SP1 and later) or Microsoft PowerShell 3.0 on Windows Server 2012 or Windows Server 2012 R2.
• Microsoft Internet Information Services 7.5 (see Table 2-3)
• Java requirements for MSSQL, when the database is installed on the IaaS Windows server host.
Area: Microsoft SQL Database Requirements
Requirements:
• Microsoft SQL Server database can be located on the IaaS (Windows) server host or on a remote host.
• The following Java-related requirements must be met:
  • A 64-bit version of Java 1.7, or 1.8 or later must be installed. 32-bit versions are not supported.
  • The JAVA_HOME environment variable must be set to the Java installation folder.
  • The %JAVA_HOME%\bin\java.exe file must be available.
Microsoft Internet Information Services Configuration
Microsoft Internet Information Services must be configured to meet the requirements listed in the following table to support the installation of the vRealize Automation Web service or Model Manager.
Table 2-3. Required Configuration for Microsoft Internet Information Services
IIS Component: Internet Information Services (IIS) modules installed
Setting:
• WindowsAuthentication
• StaticContent
• DefaultDocument
• ASPNET 4.5
• ISAPIExtensions
• ISAPIFilter
IIS Component: IIS Authentication settings
Setting:
• Windows Authentication enabled
• AnonymousAuthentication disabled
• Negotiate Provider enabled
• NTLM Provider enabled
• Windows Authentication Kernel Mode enabled
• Windows Authentication Extended Protection disabled
• For certificates using SHA512, TLS1.2 must be disabled on Windows 2012 or Windows 2012 R2 servers
IIS Component: IIS Windows Process Activation Service roles
Setting:
• ConfigurationApi
• NetEnvironment
• ProcessModel
• WcfActivation (Windows 2008 only)
• HttpActivation
• NonHttpActivation

IaaS Manager Service

Your environment must meet some general requirements that support the installation of the IaaS Manager Service.
• .NET Framework 4.5.1 or later is installed.
• Microsoft PowerShell 2.0 or Microsoft PowerShell 3.0. PowerShell 2.0 is included with Windows Server 2008 R2 SP1 and later. Microsoft PowerShell 3.0 runs on Windows Server 2012 or Windows Server 2012 R2.
• SecondaryLogOnService is running.
• No firewalls can exist between DEM host and Windows Server, nor can ports be opened as described in Port Requirements.
• IIS is installed and configured.

Distributed Execution Manager Requirements

Your environment must meet some general requirements that support the installation of Distributed Execution Managers (DEMs).
• .NET Framework 4.5.1 or later is installed.
• Microsoft PowerShell 2.0 or Microsoft PowerShell 3.0. PowerShell 2.0 is included with Windows Server 2008 R2 SP1 and later. Microsoft PowerShell 3.0 runs on Windows Server 2012 or Windows Server 2012 R2.
• SecondaryLogOnService is running.
• No firewalls between DEM host and the Windows server, or ports opened as described in Port Requirements.
DEM Worker instances might have additional requirements depending on the provisioning resources that they interact with.
Amazon Web Services EC2 Requirements
The IaaS Windows server communicates with and collects data from an Amazon EC2 account.
When you use Amazon Web Services for provisioning, DEM workers must meet these configuration requirements.
• Hosts on which DEMs are installed must have access to the Internet.
  If there is a firewall, HTTPS traffic must be allowed to and from aws.amazon.com, as well as the URLs representing all the EC2 regions your AWS accounts have access to, for example ec2.us-east-1.amazonaws.com for the US East region. Each URL resolves to a range of IP addresses, so you may need to use a tool, such as the one available from the Network Solutions Web site, to list and configure these IP addresses.
• If Internet access from the DEM host is through a proxy server, the DEM service must be running under credentials that can authenticate to the proxy server.
Openstack and PowerVC Requirements
The machines on which you install your DEMs must meet certain requirements to communicate with and collect data from your Openstack or PowerVC instance.
Table 2-4. DEM Host Requirements
Your Installation: All
Requirements: In Windows Registry, enable TLS v1.2 support for .NET framework. For example:
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
    "SchUseStrongCrypto"=dword:00000001
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
    "SchUseStrongCrypto"=dword:00000001
Your Installation: Windows 2008 DEM Host
Requirements: In Windows Registry, enable TLS v1.2 protocol. For example:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
    "DisabledByDefault"=dword:00000000
    "Enabled"=dword:00000001
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
    "DisabledByDefault"=dword:00000000
    "Enabled"=dword:00000001
Your Installation: Self-signed certificates on your infrastructure endpoint host
Requirements: If your PowerVC or Openstack instance is not using trusted certificates, import the SSL certificate from your PowerVC or Openstack instance into the Trusted Root Certificate Authorities store on each IaaS Windows server where you intend to install a vRealize Automation DEM.
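The registry settings in the DEM Host Requirements table above can be checked without changing anything. The following is an added example, not VMware code; the function name Test-RegistryValue and the Scope labels are assumptions made for illustration.

```powershell
# Added example, not VMware code. Read-only; PowerShell 2.0 compatible.
# Run in a 64-bit PowerShell session on the DEM host, otherwise the
# HKLM:\SOFTWARE paths are redirected to Wow6432Node.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
$expected = @(
    @{ Scope = 'All'; Name = 'SchUseStrongCrypto'; Value = 1
       Path  = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' },
    @{ Scope = 'All'; Name = 'SchUseStrongCrypto'; Value = 1
       Path  = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319' },
    @{ Scope = 'Windows 2008 DEM Host'; Name = 'DisabledByDefault'; Value = 0
       Path  = "$schannel\Client" },
    @{ Scope = 'Windows 2008 DEM Host'; Name = 'Enabled'; Value = 1
       Path  = "$schannel\Client" },
    @{ Scope = 'Windows 2008 DEM Host'; Name = 'DisabledByDefault'; Value = 0
       Path  = "$schannel\Server" },
    @{ Scope = 'Windows 2008 DEM Host'; Name = 'Enabled'; Value = 1
       Path  = "$schannel\Server" }
)

# Hypothetical helper: compares one registry value with the documented one.
function Test-RegistryValue {
    param([string]$Scope, [string]$Path, [string]$Name, [int]$Value)
    $actual = $null
    $state  = 'Missing'          # key or value not present
    if (Test-Path -Path $Path) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($item -ne $null) {
            $actual = $item.$Name
            if ($actual -eq $Value) { $state = 'OK' } else { $state = 'Mismatch' }
        }
    }
    New-Object PSObject -Property @{
        Scope = $Scope; Path = $Path; Name = $Name
        Expected = $Value; Actual = $actual; State = $state
    }
}

$report = foreach ($e in $expected) {
    Test-RegistryValue -Scope $e.Scope -Path $e.Path -Name $e.Name -Value $e.Value
}
$report | Format-Table State, Scope, Name, Expected, Actual, Path -AutoSize

# Rows that still need attention on this host.
$report | Where-Object { $_.State -ne 'OK' } | Format-List Scope, Path, Name, Expected, Actual
```

The SCHANNEL rows are the ones the table lists for a Windows 2008 DEM host, so a Missing state for them on other hosts is reported for information only.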
Red Hat Enterprise Virtualization KVM (RHEV) Requirements
Your environment must meet these Red Hat Enterprise requirements to support installation of Distributed Execution Managers (DEMs).
• Each KVM (RHEV) environment must be joined to the domain containing the IaaS server.
• The credentials used to manage the endpoint representing a KVM (RHEV) environment must have Administrator privileges on the RHEV environment. These credentials must also have sufficient privileges to create objects on the hosts within the environment.
SCVMM Requirements
A DEM Worker that manages virtual machines through SCVMM must be installed on a host where the SCVMM console is already installed.
A best practice is to install the SCVMM console on a separate DEM Worker machine. In addition, verify that the following requirements have been met.
• The DEM worker must have access to the SCVMM PowerShell module installed with the console.
• The PowerShell Execution Policy must be set to RemoteSigned or Unrestricted.
  To verify the PowerShell Execution Policy, enter one of the following commands at the PowerShell command prompt.
    help about_signing
    help Set-ExecutionPolicy
• If all DEM Workers within the instance are not on machines that meet these requirements, use Skill commands to direct SCVMM-related workflows to DEM Workers that are.
The following additional requirements apply to SCVMM.
• This release supports SCVMM 2012 R2, which requires PowerShell 3 or later.
• Install the SCVMM console before you install vRealize Automation DEM Workers that consume SCVMM work items.
  If you install the DEM Worker before the SCVMM console, you see log errors similar to the following example.
    Workflow 'ScvmmEndpointDataCollection' failed with the following exception: The
    term 'Get-VMMServer' is not recognized as the name of a cmdlet, function, script
    file, or operable program. Check the spelling of the name, or if a path was
    included, verify that the path is correct and try again.
  To correct the problem, verify that the SCVMM console is installed, and restart the DEM Worker service.
• Each SCVMM instance must be joined to the domain containing the server.
• The credentials used to manage the endpoint representing an SCVMM instance must have administrator privileges on the SCVMM server.
  The credentials must also have administrator privileges on the Hyper-V servers within the instance.
• Hyper-V servers within an SCVMM instance to be managed must be Windows 2008 R2 SP1 Servers with Hyper-V installed. The processor must be equipped with the necessary virtualization extensions. .NET Framework 4.5.1 or later must be installed and Windows Management Instrumentation (WMI) must be enabled.
• To provision machines on an SCVMM resource, you must add a user in at least one security role within the SCVMM instance.
• To provision a Generation-2 machine on an SCVMM 2012 R2 resource, you must add the following properties in the blueprint.
    Scvmm.Generation2 = true
    Hyperv.Network.Type = synthetic
  Generation-2 blueprints should have an existing data-collected virtualHardDisk (vHDX) in the blueprint build information page. Having it blank causes Generation-2 provisioning to fail.
For more information, see Configure the DEM to Connect to SCVMM at a Different Installation Path. Additional information about preparing for machine provisioning is available in IaaS Configuration for Virtual Platforms.
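The host requirements listed under IaaS Manager Service and Distributed Execution Manager Requirements, together with the SCVMM execution policy requirement, can be checked in one pass. This is an added example, not VMware code and not the product's Prerequisite Checker. The function names are hypothetical, and two values are assumptions not stated in this manual: seclogon as the service name of the Secondary Logon service, and 378675 as the lowest registry Release value that Microsoft documents for .NET Framework 4.5.1.

```powershell
# Added example, not VMware code. Read-only; PowerShell 2.0 compatible.
# Run it as the account the DEM or Manager Service will use, because the
# effective execution policy can differ per user.

# Hypothetical helper: one result row per requirement.
function New-Check($Check, $Required, $Actual, $Pass) {
    New-Object PSObject -Property @{
        Check = $Check; Required = $Required; Actual = $Actual; Pass = $Pass
    }
}

function Get-DemHostPrerequisite {
    param([switch]$ScvmmWorker)   # also apply the SCVMM-specific requirements

    # .NET Framework 4.5.1 or later (assumption: Release >= 378675).
    $ndp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' `
                            -Name Release -ErrorAction SilentlyContinue
    $release = if ($ndp) { [int]$ndp.Release } else { 0 }
    New-Check '.NET Framework' '4.5.1 or later' "Release $release" ($release -ge 378675)

    # PowerShell 2.0 or 3.0 in general; SCVMM 2012 R2 requires 3 or later.
    $psMajor = $PSVersionTable.PSVersion.Major
    if ($ScvmmWorker) {
        New-Check 'PowerShell' '3 or later (SCVMM 2012 R2)' $psMajor ($psMajor -ge 3)
    } else {
        New-Check 'PowerShell' '2.0 or 3.0' $psMajor ($psMajor -ge 2)
    }

    # Secondary Logon service (assumption: service name seclogon).
    $svc = Get-Service -Name seclogon -ErrorAction SilentlyContinue
    $status = if ($svc) { $svc.Status.ToString() } else { 'NotFound' }
    New-Check 'Secondary Logon service' 'Running' $status ($status -eq 'Running')

    if ($ScvmmWorker) {
        # The manual accepts RemoteSigned or Unrestricted;
        # RemoteSigned is the more restrictive of the two.
        $policy = (Get-ExecutionPolicy).ToString()
        $ok = @('RemoteSigned', 'Unrestricted') -contains $policy
        New-Check 'Execution policy' 'RemoteSigned or Unrestricted' $policy $ok
    }
}

Get-DemHostPrerequisite -ScvmmWorker |
    Format-Table Check, Required, Actual, Pass -AutoSize
```

Omit -ScvmmWorker on hosts that run only the Manager Service or DEMs that do not manage SCVMM.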

Port Requirements

vRealize Automation uses designated ports for communication and data access.
Although vRealize Automation uses only port 443 for communication, there might be other ports open on the system. Because open, unsecure ports can be sources of security vulnerabilities, review all open ports on your system and ensure that only the ports that are required by your business applications are open.
Identity Appliance
The following ports are used by the Identity Appliance.
Table 2-5. Incoming Ports for the Identity Appliance
| Port | Protocol | Comments |
|---|---|---|
| 22 | TCP | Optional. SSH |
| 5480 | TCP | Access to virtual appliance Web management interface |
| 7444 | TCP | SSO service over HTTPS |

Table 2-6. Outgoing Ports for the Identity Appliance
| Port | Protocol | Comments |
|---|---|---|
| 53 | TCP, UDP | DNS |
| 67, 68, 546, 547 | TCP, UDP | DHCP |
| 80 | TCP | Optional. For fetching software updates. Updates can be downloaded separately and applied. |
| 123 | TCP, UDP | Optional. For connecting directly to NTP instead of using host time. |
| 389, 636 | TCP, UDP | OpenLDAP and Active Directory |
vRealize Appliance
The following ports are used by the vRealize Appliance.
Table 2-7. Incoming Ports for the vRealize Appliance
| Port | Protocol | Comments |
|---|---|---|
| 22 | TCP | Optional. SSH. |
| 80 | TCP | Optional. Redirects to 443. |
| 111 | TCP, UDP | RPC |
| 443 | TCP | Access to the vRealize Automation console and API calls. |
| 5480 | TCP | Access to virtual appliance Web management interface |
| 5480 | TCP | Used by Management Agent |
| 5488, 5489 | TCP | Internal. Used by vRealize Appliance for updates. |
| 5672 | TCP | RabbitMQ messaging |
| 8230, 8280, 8281 | TCP | Internal vRealize Orchestrator instance |
| 8444 | TCP | Console proxy communication for vSphere VMware Remote Console connections |

Table 2-8. Outgoing Ports for the vRealize Appliance
| Port | Protocol | Comments |
|---|---|---|
| 25, 587 | TCP, UDP | SMTP for sending outbound notification emails |
| 53 | TCP, UDP | DNS |
| 67, 68, 546, 547 | TCP, UDP | DHCP |
| 80 | TCP | Optional. For fetching software updates. Updates can be downloaded separately and applied. |
| 110, 995 | TCP, UDP | POP for receiving inbound notification emails |
| 143, 993 | TCP, UDP | IMAP for receiving inbound notification emails |
| 123 | TCP, UDP | Optional. For connecting directly to NTP instead of using host time. |
| 443 | TCP | IaaS Manager Service over HTTPS. Communication with virtualization hosts over HTTPS |
| 902 | TCP | ESXi network file copy operations and for VMware Remote Console (VMRC) connections |
| 5432 | TCP, UDP | Optional. For communicating with an Appliance Database. |
| 7444 | TCP | Communication with SSO service over HTTPS |
| 8281 | TCP | Optional. For communicating with an external vRealize Orchestrator instance. |
Other ports may be required by specific vRealize Orchestrator plugins that communicate with external systems. For more information, see the documentation for the vRealize Orchestrator plugin.
Infrastructure as a Service
The ports in the tables Incoming Ports for Infrastructure as a Service Components and Outgoing Ports for Infrastructure as a Service must be available for use by the IaaS Windows Server.
Table 2-9. Incoming Ports for Infrastructure as a Service Components
| Component | Port | Protocol | Comments |
|---|---|---|---|
| SQL Server instance | 1433 | TCP | MSSQL |
| Manager Service | 443* | TCP | Communication with IaaS components and vRealize Appliance over HTTPS |
| vRealize Appliance | 443 | TCP | Communication with IaaS components and vRealize Appliance over HTTPS |

* Any virtualization hosts managed by proxy agents must also have TCP port 443 open for incoming traffic.

Table 2-10. Outgoing Ports for Infrastructure as a Service Components
| Component | Port | Protocol | Comments |
|---|---|---|---|
| All | 53 | TCP, UDP | DNS |
| All | 67, 68, 546, 547 | TCP, UDP | DHCP |
| All | 123 | TCP, UDP | Optional. NTP. |
| Manager Service | 443 | TCP | Communication with vRealize Appliance over HTTPS |
| Website | 443 | TCP | Communication with Manager Service over HTTPS |
| Distributed Execution Managers | 443 | TCP | Communication with Manager Service over HTTPS |
| Proxy agents | 443 | TCP | Communication with Manager Service and virtualization hosts over HTTPS |
| Guest agent | 443 | TCP | Communication with Manager Service over HTTPS |
| Manager Service, Website | 1433 | TCP | MS SQL |
Microsoft Distributed Transaction Coordinator Service
In addition to verifying that the ports listed in the previous tables are free for use, you must enable Microsoft Distributed Transaction Coordinator Service (MS DTC) communication between all servers in the deployment. MS DTC requires the use of port 135 over TCP and a random port between 1024 and 65535.
The Prerequisite Checker validates whether MS DTC is running and that the required ports are open.
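The review of open ports that this section recommends can be scripted for an IaaS Windows server by comparing its TCP listeners with the documented incoming ports. The following is an added example, not VMware code; the function name Get-UndocumentedListener is hypothetical, the netstat lines are constructed sample input, and the parser assumes English-locale netstat output.

```powershell
# Added example, not VMware code. PowerShell 2.0 compatible.
# Incoming TCP ports this manual documents for an IaaS Windows server:
# 443 (HTTPS), 1433 (MSSQL, where SQL Server runs) and 135 (MS DTC).
$documentedPorts = 135, 443, 1433

function Get-UndocumentedListener {
    param(
        [string[]]$NetstatLines,   # output of: netstat -ano
        [int[]]$AllowedPorts
    )
    foreach ($line in $NetstatLines) {
        # Columns: Proto, Local Address, Foreign Address, State, PID
        if ($line -match '^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            $address = $Matches[1]
            $port    = [int]$Matches[2]
            $procId  = [int]$Matches[3]
            # Loopback-only listeners are not reachable from the network.
            if ($address -eq '127.0.0.1' -or $address -eq '[::1]') { continue }
            if ($AllowedPorts -notcontains $port) {
                New-Object PSObject -Property @{
                    Address = $address; Port = $port; ProcessId = $procId
                }
            }
        }
    }
}

# Constructed sample input; not captured from a real host.
$sample = @(
    '  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       820',
    '  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4',
    '  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1124',
    '  TCP    0.0.0.0:49154          0.0.0.0:0              LISTENING       2316',
    '  TCP    127.0.0.1:8005         0.0.0.0:0              LISTENING       3010',
    '  TCP    10.0.0.21:52110        10.0.0.30:1433         ESTABLISHED     2960',
    '  TCP    [::]:443               [::]:0                 LISTENING       4'
)

Get-UndocumentedListener -NetstatLines $sample -AllowedPorts $documentedPorts |
    Sort-Object Port, Address |
    Format-Table Port, Address, ProcessId -AutoSize

# On a live host, replace the sample with real output:
#   Get-UndocumentedListener -NetstatLines (netstat -ano) -AllowedPorts $documentedPorts
```

Because MS DTC also listens on a random port, expect one high-numbered listener in the result; resolve its ProcessId with Get-Process -Id to confirm that it belongs to MS DTC before treating it as expected.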
User Accounts and Credentials Required for Installation
You must verify that you have the roles and credentials to install vRealize Automation components.
vCenter Service Account
If you plan to use a vSphere endpoint, you need a domain or local account that has the appropriate level of access configured in vCenter.
Virtual Appliance Installation
To deploy the Identity Appliance and the vRealize Appliance, you must have administrator privileges on the deployment platform (for example, vSphere administrator credentials).
During the deployment process, you specify the passwords for the virtual appliance administrator accounts and the system administrator account. These accounts provide access to the Identity Appliance and vRealize Appliance management consoles where you configure and administer the virtual appliances.
IaaS Installation
Before installing IaaS components, add the user under which you plan to execute the IaaS installation programs to the Administrator group on the installation host.
IaaS Database Credentials
You can create the database using the installation wizard or create it manually by running the provided scripts. If you use the complete install option to create a minimal installation, you must create the database using the installer.
When you use the IaaS installer to create or populate the IaaS database the following requirements apply:
• If you use the installer to create the database and select Use Windows Authentication, the credentials under which you executed the installer must have the sysadmin role in SQL Server to create and alter the size of the database.
• If you use the installer to create the database and do not select Use Windows Authentication, you must provide SQL credentials with the sysadmin role. If you do not use Windows authentication, the credentials you provide are used only for database creation (not for run-time access after initial creation).
• If you use the installer to populate a pre-created database, the user credentials you provide (either the current Windows user or the specified SQL user) need only dbo privileges for the IaaS database.
Note: vRealize Automation users also require the correct level of Windows authentication access to log in and use vRealize Automation. The machine from which the user authenticates using Windows Authentication must be joined to the domain in which the vRealize Automation Identity Appliance is configured. See Configure the Identity Stores for the Default Tenant.
IaaS Service User Credentials
IaaS installs several Windows services that share a single service user.