VMware vRealize Automation - 7.0 Installation Manual

Installing vRealize Automation
vRealize Automation 7.0
You can find the most up-to-date technical documentation on the VMware website at:
https://docs.vmware.com/
If you have comments about this documentation, submit your feedback to
VMware, Inc.
3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com
Copyright © 2008–2018 VMware, Inc. All rights reserved. Copyright and trademark information.

Contents

vRealize Automation Installation
Updated Information
1 vRealize Automation Installation Overview
  Choosing Your Deployment Path
  Minimal Deployment Overview
  Enterprise Deployment Overview
  vRealize Automation Installation Components
  VMware vRealize Automation Appliance
  Management Agents
  vRealize Automation Infrastructure as a Service
2 Preparing for Installation
  DNS and Host Name Resolution
  Hardware and Virtual Machine Requirements
  Browser Considerations
  Password Considerations
  Windows Server Requirements
  IaaS Database Server Requirements
  IaaS Web Service and Model Manager Server Requirements
  IaaS Manager Service
  Distributed Execution Manager Requirements
  Port Requirements
  User Accounts and Credentials Required for Installation
  Security
  Certificates
  Extracting Certificates and Private Keys
  Security Passphrase
  Third-Party Software
  Time Synchronization
3 Installing vRealize Automation with the Installation Wizard
  Deploy the vRealize Automation Appliance
  Installing a Minimal Deployment with the Installation Wizard
  Run the Installation Wizard for a Minimal Deployment
  Installing the Management Agent
  Synchronize Server Times
  Run the Prerequisite Checker
  Specify Deployment Configuration Parameters
  Create Snapshots Before You Begin the Installation
  Scenario: Finish the Installation
  Address Installation Failures
  Set Up Credentials for Initial Content Configuration
  Installing an Enterprise Deployment with the Installation Wizard
  Run the Installation Wizard for an Enterprise Deployment
  Installing the Management Agent
  Synchronize Server Times
  Run the Prerequisite Checker
  Specify Deployment Configuration Parameters
  Create Snapshots Before You Begin the Installation
  Finish the Installation
  Address Installation Failures
  Set Up Credentials for Initial Content Configuration
4 Installing vRealize Automation through the Standard Interfaces
  Minimal Deployment
  Minimal Deployment Checklist
  Deploy and Configure the vRealize Automation Appliance
  Installing IaaS Components
  Distributed Deployment
  Distributed Deployment Checklist
  Distributed Installation Components
  Certificate Trust Requirements in a Distributed Deployment
  Installation Worksheets
  Deploy the vRealize Automation Appliance
  Configuring Your Load Balancer
  Configuring Appliances for vRealize Automation
  Install the IaaS Components in a Distributed Configuration
  Installing Agents
  Set the PowerShell Execution Policy to RemoteSigned
  Choosing the Agent Installation Scenario
  Agent Installation Location and Requirements
  Installing and Configuring the Proxy Agent for vSphere
  Installing the Proxy Agent for Hyper-V or XenServer
  Installing the VDI Agent for XenDesktop
  Installing the EPI Agent for Citrix
  Installing the EPI Agent for Visual Basic Scripting
  Installing the WMI Agent for Remote WMI Requests
5 Configure Access to the Default Tenant
6 Replacing Self-Signed Certificates with Certificates Provided by an Authority
7 Troubleshooting
  Default Log Locations
  Rolling Back a Failed Installation
  Roll Back a Minimal Installation
  Roll Back a Distributed Installation
  Create a Support Bundle for vRealize Automation
  General Installation Troubleshooting
  Installation or Upgrade Fails with a Load Balancer Timeout Error
  Server Times Are Not Synchronized
  Blank Pages May Appear When Using Internet Explorer 9 or 10 on Windows 7
  Cannot Establish Trust Relationship for the SSL/TLS Secure Channel
  Connect to the Network Through a Proxy Server
  Proxy Prevents VMware Identity Manager User Log In
  Troubleshooting vRealize Automation Appliances
  Installers Fail to Download
  Encryption.key File has Incorrect Permissions
  Identity Manager Fails to Start After Horizon-Workspace Restart
  Troubleshooting IaaS Components
  Validating Server Certificates for IaaS
  Credentials Error When Running the IaaS Installer
  Save Settings Warning Appears During IaaS Installation
  Website Server and Distributed Execution Managers Fail to Install
  IaaS Authentication Fails During IaaS Web and Model Management Installation
  Failed to Install Model Manager Data and Web Components
  Adding an XaaS Endpoint Causes an Internal Error
  Uninstalling a Proxy Agent Fails
  Machine Requests Fail When Remote Transactions Are Disabled
  Error in Manager Service Communication
  Email Customization Behavior Has Changed
  Troubleshooting Log-In Errors
  Attempts to Log In as the IaaS Administrator with Incorrect UPN Format Credentials Fails with No Explanation
  Cannot Log in to a Tenant or Tenant Identity Stores Disappear

vRealize Automation Installation

vRealize Automation Installation explains how to install VMware vRealize™ Automation.
Note: Not all features and capabilities of vRealize Automation are available in all editions. For a comparison of feature sets in each edition, see https://www.vmware.com/products/vrealize-automation/.
Intended Audience
This information is intended for experienced Windows or Linux system administrators who are familiar with virtual machine technology and data center operations.
VMware Technical Publications Glossary
VMware Technical Publications provides a glossary of terms that might be unfamiliar to you. For definitions of terms as they are used in VMware technical documentation, go to
http://www.vmware.com/support/pubs.

Updated Information

Installing vRealize Automation 7.0 is updated with each release of the product or when necessary.
This table provides the update history of the Installing vRealize Automation 7.0 publication.
Revision      Description
EN-001835-04  Updates to SQL Server prerequisites. See IaaS Database Server Requirements.
EN-001835-03  Additional troubleshooting procedures.
EN-001835-02  Removed outdated procedures about database failovers, from Chapter 4.
EN-001835-01
  - Addition of new deployment scenario for installing and configuring a vRealize Automation proof of concept and development environment. For an overview of the example scenario, see Choosing Your Deployment Path. For the full scenario, see Installing and Configuring vRealize Automation for the Rainpole Scenario.
  - Several small updates to clarify that high availability is not fully configured until your tenant administrators set up Directories Management for high availability.
  - Updates for version 7.0.1 of vRealize Automation.
EN-001835-00  Initial document release.

1 vRealize Automation Installation Overview

vRealize Automation can be deployed in a variety of configurations. To ensure a successful deployment, understand the deployment and configuration options and the sequence of tasks required.
If you are familiar with earlier versions of vRealize Automation, it might be helpful to note the following changes before you begin your installation:
- This release of vRealize Automation introduces the Installation Wizard, the recommended method for unscripted installations. With the wizard, you can choose a minimal or enterprise deployment. Enterprise deployments are based on distributed architectures and can include load balancers for high-availability deployments. You can install vRealize Automation appliances alone or with IaaS components.
- Single Sign-On support and identity management are provided by an embedded VMware Identity Manager that is administered by the new Directories Management feature. This replaces the use of the VMware Identity Appliance and vSphere SSO implementations used by previous product versions.
- Open LDAP is no longer supported.
After installation, system administrators can customize the installation environment and configure one or more tenants, which sets up access to self-service provisioning and life-cycle management of cloud services.
By using the secure portal Web interface, administrators, developers, or business users can request IT services and manage specific cloud and IT resources based on their roles and privileges. Users can request infrastructure, applications, desktops, and IT service through a common service catalog.
This chapter includes the following topics:
- Choosing Your Deployment Path
- vRealize Automation Installation Components

Choosing Your Deployment Path
Depending on your deployment requirements, you can install and configure vRealize Automation components by using the Rainpole installation scenario, the Installation Wizard, or the management console.
Choose a minimal installation to deploy a proof of concept (PoC) or development environment with a basic topology. Choose an enterprise installation to deploy a production environment with the topology best suited to your organizational needs.
Table 1-1. Choosing Your Installation Method

Installation Method: Installation Wizard
Details: The Installation Wizard provides the quickest installation path for most deployments. You can choose a minimal or enterprise deployment to support distributed components with or without load balancers. Complete and verify all prerequisites before you start the wizard.
For more information, see Chapter 2 Preparing for Installation.

Installation Method: Manual installation
Details: Installation through the management console is also supported for minimal, distributed, and high-availability installations. Complete and verify all prerequisites before you begin the installation.
For more information, see Chapter 2 Preparing for Installation.
Note: If you use the management console to start or configure any part of your installation, you cannot start or continue use of the Installation Wizard.

Installation Method: Installing and Configuring vRealize Automation for the Rainpole Scenario
Details: As a vSphere administrator, you want to install a minimal vRealize Automation deployment into your existing vSphere environment. You use the installation wizard to install vRealize Automation and create initial content catalog items that help you quickly configure an environment to use a proof of concept.
A proof of concept deployment is not suitable for production. When you complete the proof of concept deployment, you configure it as a development environment where you and your IT team create and test blueprints. You can export blueprints and other design elements out of your development environment and into your production environment.
To begin this scenario, see Installing and Configuring vRealize Automation for the Rainpole Scenario.

Table 1-2. Choosing Your Deployment Type

Deployment Purpose: Deploy a proof of concept (PoC) or development environment with a basic topology.
Choose this deployment type: Install a minimal deployment.
You deploy a single instance of vRealize Automation appliance and install all IaaS components on a single Windows server machine. You can install the databases on the same Windows machine or on a dedicated SQL Server.

Deployment Purpose: Deploy a production environment with the topology best suited to your organizational needs.
Choose this deployment type: Install an enterprise deployment.
You distribute components across multiple servers.
Optionally, you can deploy load balancers to distribute work across servers and provide fail over capability and redundancy in a high-availability environment.

For information about scalability and high availability, see VMware vRealize Automation Reference Architecture, available as a technical paper at https://www.vmware.com/support/pubs/vcac-pubs.html.

Minimal Deployment Overview

To complete a minimal deployment, a system administrator installs the vRealize Automation appliance and Infrastructure as a Service (IaaS) components.
- vRealize Automation appliance includes the Web console interface and support for single sign-on capabilities. It is installed as a virtual appliance.
- Infrastructure as a Service (IaaS) is installed on a Windows Server machine.
- The IaaS uses an SQL database that can be installed on the same machine as IaaS or on its own server.
The following figure shows the relationship and purpose of components of a minimal installation.
[Figure: minimal deployment. Labels: Users; vRealize Automation Appliance; Infrastructure as a Service (IaaS); IaaS Server (Web, MMD, Manager Service, DEM); Optional: Agent 1, Agent 2, 3,...; DEM Worker 1, DEM 2, 3,...; SQL Database Cluster]

Enterprise Deployment Overview

The system administrator can deploy and install multiple instances of the vRealize Automation appliance and individual IaaS components for scale, redundancy, high availability, and disaster recovery.
In a typical architecture, the IaaS components are distributed over multiple machines.
For high availability deployments, load balancers distribute the workload across the computing environment. System administrators configure load balancers outside of the vRealize Automation framework.
The following figure shows the components of an enterprise deployment with distributed components, redundancy, and load balancers.
Figure 1-1. Deployment Configuration for Enterprise Installations
[Figure labels: Users; Load Balancer for vRealize Automation Appliance; vRealize Automation Appliance (two instances); Load Balancer for IaaS Web server; Infrastructure as a Service (IaaS); Website Component 1; Model Manager Data (only one instance allowed); Website Component 2, 3,...; Load Balancer for IaaS Manager Service; Manager Service 1 (active) and DEM Orchestrator 1; Manager Service 2, 3,... (passive backup instance); Agent 1; Agent 2, 3,...; DEM Worker 1; DEM 2, 3,...; SQL Database Cluster]

vRealize Automation Installation Components

A vRealize Automation installation includes installing and configuring single sign-on (SSO) capabilities, the user interface portal, and Infrastructure as a Service (IaaS) components.
An installation consists of the following components.
- vRealize Automation appliance, which deploys the management console, manages Single Sign-On (SSO) capabilities for authorization and authentication, and includes an instance of vRealize Orchestrator.
- Infrastructure as a Service (IaaS) components, which are installed on a Windows machine (virtual or physical), and appear largely under the Infrastructure tab on the console.
- An MS SQL Server Database, which is deployed during the IaaS installation.
VMware vRealize Automation Appliance
The vRealize Automation appliance is a preconfigured virtual appliance that contains the vRealize Automation server. vRealize Automation is delivered as an open virtualization format (OVF) template. The system administrator deploys the virtual appliance to an existing virtualized infrastructure.
The server includes the vRealize Automation appliance product console, which provides a single portal for self-service provisioning and management of cloud services, authoring, administration, and governance.
Appliance Database
During deployment of the virtual appliances, a PostgreSQL appliance database is created automatically on the first vRealize Automation appliance. A replica database can be installed on a second vRealize Automation appliance to create a high-availability environment.

Management Agents

Management Agents are stand-alone IaaS components that register IaaS nodes with vRealize Automation appliances, automate the installation and management of IaaS components, and collect support and telemetry information.
A Management Agent must be installed on each Windows machine hosting IaaS components.

vRealize Automation Infrastructure as a Service

Infrastructure as a Service (IaaS) enables the rapid modeling and provisioning of servers and desktops across private, public or hybrid cloud infrastructures.
The system administrator installs IaaS components on a Windows machine. IaaS capabilities are also available from the Infrastructure tab on the management console. IaaS has several components that you can install in a custom configuration to meet the needs of your organization.
IaaS Website
The IaaS Website component provides the infrastructure administration and service authoring capabilities to the vRealize Automation console. The Website component communicates with the Manager Service, which provides it with updates from the Distributed Execution Manager (DEM), proxy agents, and database.
Model Manager
vRealize Automation models facilitate integration with external systems and databases. They implement business logic that a Distributed Execution Manager (DEM) uses.
The Model Manager provides services and utilities for persisting, versioning, securing, and distributing model elements. It communicates with the database, the DEMs, and the console Web site.
vCloud Automation Center Manager Service
The Manager Service coordinates communication between DEMs, agents, and the database. The Manager Service communicates with the console Web site through the Model Manager. This service requires administrative privileges to run.
IaaS Database
The IaaS component of vRealize Automation uses a Microsoft SQL Server database to maintain information about the machines it manages and its own elements and policies. Typically, the database is created for you during installation. However, a system administrator can create the database separately as well.
Distributed Execution Managers
A Distributed Execution Manager (DEM) runs the business logic of custom models, interacting with the database and with external databases and systems as required.
Each DEM instance acts in either a Worker role or in an Orchestrator role. The Worker role is responsible for running workflows. The Orchestrator role is responsible for monitoring DEM Worker instances, preprocessing workflows to run, and scheduling workflows.
The DEM Orchestrator performs these specific tasks.
- Monitors the status of DEM Workers and ensures that if a Worker instance stops or loses its connection to the Model Manager, its workflows are put back in the queue for another DEM Worker to pick up.
- Manages scheduled workflows by creating new workflow instances at the scheduled time.
- Ensures that only one instance of a particular scheduled workflow is running at a given time.
- Preprocesses workflows before they are run, including checking preconditions for workflows, used in the implementation of the RunOneOnly feature, and creating the workflow execution history.
One DEM Orchestrator instance is designated as the active Orchestrator that performs these tasks. Because the DEM Orchestrator is essential to run workflows, install at least one additional Orchestrator instance on a separate machine for redundancy. The Orchestrator is automatically installed on the machine that also runs the Manager Service. The additional DEM Orchestrator monitors the status of the active Orchestrator so that it can take over if the active Orchestrator goes offline.
vRealize Automation Agents
vRealize Automation uses agents to integrate with external systems and to manage information among vRealize Automation components.
You generally install the vSphere agent as part of a deployment. You can install additional agents according to your site's requirements.
Integration Agents
Virtual desktop integration (VDI) PowerShell agents allow vRealize Automation to integrate with external virtual desktop systems. Currently, virtual machines that vRealize Automation provisions can be registered with XenDesktop on a Citrix Desktop Delivery Controller (DDC) and their owners can access the XenDesktop Web Interface from vRealize Automation.
External provisioning integration (EPI) PowerShell agents allow vRealize Automation to integrate external systems into the machine provisioning process. For example, integration with Citrix Provisioning Server enables provisioning of machines by on-demand disk streaming, and an EPI agent allows you to run Visual Basic scripts as extra steps during the provisioning process.
VDI and EPI agents require administrator-level access to the external systems with which they interact.
Virtualization Proxy Agents
The virtual machines that vRealize Automation manages are created on virtualization hosts. vRealize Automation uses virtualization proxy agents to send commands to and collect data from vSphere ESX Server, XenServer, and Hyper-V virtualization hosts and the virtual machines provisioned on them. A proxy agent has the following characteristics.
- Typically requires administrator-level access to the virtualization platform it manages
- Communicates with the Manager Service
- Is installed separately with its own configuration file
Windows Management Instrumentation Agent
The vRealize Automation Windows Management Instrumentation (WMI) agent enhances your ability to monitor and control system information and allows you to manage remote servers from a central location. It enables the collection of data from Windows machines that vRealize Automation manages.

2 Preparing for Installation

System administrators install vRealize Automation into their existing virtualization environments. Before you begin an installation, prepare the deployment environment to meet system requirements.
This chapter includes the following topics:
- DNS and Host Name Resolution
- Hardware and Virtual Machine Requirements
- Browser Considerations
- Password Considerations
- Windows Server Requirements
- Port Requirements
- User Accounts and Credentials Required for Installation
- Security
- Time Synchronization

DNS and Host Name Resolution
vRealize Automation requires the system administrator to identify all hosts by using a fully qualified domain name (FQDN).
In a distributed deployment, all vRealize Automation components must be able to resolve each other by using an FQDN.
The Model Manager Web service, Manager Service, and Microsoft SQL Server database must also be able to resolve each other by their Windows Internet Name Service (WINS) name. You must configure the Domain Name System (DNS) to resolve these host names in your environment.
Important: vRealize Automation does not allow navigation to hosts that contain the underscore (_) character in the host name.

Hardware and Virtual Machine Requirements
Your deployment must meet minimum system resources to install virtual appliances and minimum hardware requirements to install IaaS components on the Windows Server.
For operating system and high-level environment requirements, including information about supported browsers and operating systems, see the vRealize Automation Support Matrix.
The Hardware Requirements table shows the minimum configuration requirements for deployment of virtual appliances and installation of IaaS components. Appliances are pre-configured virtual machines that you add to your vCenter Server or ESXi inventory. IaaS components are installed on physical or virtual Windows 2008 R2 SP1, or Windows 2012 R2 servers.
An Active Directory is considered small when there are up to 25,000 users in the OU to be synced in the ID Store configuration. An Active Directory is considered large when there are more than 25,000 users in the OU.
Table 2-1. Hardware Requirements

vRealize Automation appliance for Small Active Directories
- 4 CPUs
- 18 GB memory
- 60 GB disk storage

vRealize Automation appliance for Large Active Directories
- 4 CPUs
- 22 GB memory
- 60 GB disk storage

IaaS Components (Windows Server)
- 2 CPUs
- 8 GB memory
- 30 GB disk storage

Additional resources are required when you include an SQL Server on a Windows host.

Browser Considerations

Some restrictions exist for browser use with vRealize Automation.
- Multiple browser windows and tabs are not supported. vRealize Automation supports one session per user.
- VMware Remote Consoles provisioned on vSphere support a subset of vRealize Automation-supported browsers.
For operating system and high-level environment requirements, including information about supported browsers and operating systems, see the vRealize Automation Support Matrix.

Password Considerations

Character restrictions apply to some passwords.
The vRealize Automation administrator password that you define during installation must not contain special characters. As of this version of vRealize Automation, the following special characters are known to cause errors:
- Double quote marks (")
- Commas (,)
- A trailing equal sign (=)
- Blank spaces
- Non-ASCII or extended ASCII characters
Passwords that contain special characters might be accepted when you assign them, but cause failures when you perform operations such as saving endpoints or when the machine attempts to join the vRealize Automation cluster.
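Because such a password can be accepted at assignment and only fail later, it helps to screen a candidate before running the installer. The following PowerShell check is an added example, not VMware code; the function name Test-VraPasswordCharacters and the sample values are hypothetical, and it flags only the characters listed above as known to cause errors.

```powershell
# Added example, not VMware code. Test-VraPasswordCharacters is a hypothetical helper.
# It takes a SecureString and returns findings only, so the result can be logged
# without exposing the password.
function Test-VraPasswordCharacters {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.SecureString] $Password
    )

    $problems = @()
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
    try {
        $plain = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)

        if ($plain.Contains('"'))            { $problems += 'contains a double quote mark' }
        if ($plain.Contains(','))            { $problems += 'contains a comma' }
        if ($plain.EndsWith('='))            { $problems += 'ends with an equal sign' }
        if ($plain.Contains(' '))            { $problems += 'contains a blank space' }
        # Anything outside 0x00-0x7F is non-ASCII or extended ASCII.
        if ($plain -match '[^\x00-\x7F]')    { $problems += 'contains a non-ASCII or extended ASCII character' }
    }
    finally {
        # Zero and free the unmanaged plaintext copy; drop the managed reference.
        [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        $plain = $null
    }

    New-Object PSObject -Property @{
        IsAcceptable = ($problems.Count -eq 0)
        Problems     = $problems
    }
}

# Constructed sample passwords, for illustration only.
$samples = 'Vr4InstallOk7', 'has,comma1', 'trailing=', 'two words', ('caf' + [char]0x00E9 + '1')
foreach ($sample in $samples) {
    $secure = ConvertTo-SecureString -String $sample -AsPlainText -Force
    $result = Test-VraPasswordCharacters -Password $secure
    # Print the verdict and reasons, never the password itself.
    '{0,-5} {1}' -f $result.IsAcceptable, ($result.Problems -join '; ')
}
```

In real use, obtain the value with Read-Host -AsSecureString instead of a literal string.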

Windows Server Requirements

The virtual or physical Windows machine that hosts the IaaS components must meet configuration requirements for the IaaS database, the IaaS server components, the IaaS Manager Service, and Distributed Execution Managers.
As a best practice, all servers should be in the same domain.
The Installation Wizard runs the vRealize Automation prerequisite checker on all Windows servers before starting the installation process to ensure that the servers meet all necessary configurations.

IaaS Database Server Requirements

The Windows server that hosts the vRealize Automation IaaS SQL Server database must meet certain prerequisites.
The requirements apply whether you run the Installation Wizard or the legacy setup_vrealize-automation-appliance-URL.exe installer and select the database role for installation. The prerequisites also apply if you separately create an empty SQL Server database for use with IaaS.
- Use a supported SQL Server version from the vRealize Automation Support Matrix.
- Configure SQL Server on port 1433, the default. Do not use a non-default port.
- Enable TCP/IP protocol for SQL Server.
- Enable the Distributed Transaction Coordinator (DTC) service on all IaaS Windows servers and the machine that hosts SQL Server. IaaS uses DTC for database transactions and actions such as workflow creation.
  Note: If you clone a machine to make an IaaS Windows server, install DTC on the clone after cloning. If you clone a machine that already has DTC, its unique identifier is copied to the clone, which causes communication to fail. See Error in Manager Service Communication.
  For more about DTC enablement, see VMware Knowledge Base article 2038943.
- Open ports between all IaaS Windows servers and the machine that hosts SQL Server. See Port Requirements.
  Alternatively, if site policies allow, you may disable firewalls between IaaS Windows servers and SQL Server.

IaaS Web Service and Model Manager Server Requirements
Your environment must meet software and configuration prerequisites that support installation of the IaaS server components.
Environment and Database Requirements for IaaS
Your host configuration and MS SQL database must meet the following requirements.
Table 2-2. IaaS Requirements

Area: Host Configuration
Requirements: The following components must be installed on the host before installing IaaS:
- Microsoft .NET Framework 4.5.2 or later.
- Microsoft PowerShell 2.0 (included with Windows Server 2008 R2 SP1 and later) or Microsoft PowerShell 3.0 on Windows Server 2012 R2.
- Microsoft Internet Information Services 7.5.
- Java must be installed on the machine running the primary Web component to support deployment of the MS SQL database during installation.

Area: Microsoft SQL Database Requirements
Requirements: The Microsoft SQL database can reside on the IaaS (Windows) server host or on a remote host.
These Java-related requirements apply for databases on the IaaS (Windows) server host. They do not apply for external databases.
- A 64-bit version of Java 1.7 or later must be installed. 32-bit versions are not supported.
- The JAVA_HOME environment variable must be set to the Java installation folder.
- The %JAVA_HOME%\bin\java.exe file must be available.

Microsoft Internet Information Services Requirements
Your Microsoft Internet Information Services (IIS) must meet the following configuration requirements.
Table 2-3. Required Configuration for Microsoft Internet Information Services

IIS Component: Internet Information Services (IIS) modules installed
Setting:
- WindowsAuthentication
- StaticContent
- DefaultDocument
- ASPNET 4.5
- ISAPIExtensions
- ISAPIFilter

IIS Component: IIS Authentication settings
Setting:
- Windows Authentication enabled
- AnonymousAuthentication disabled
- Negotiate Provider enabled
- NTLM Provider enabled
- Windows Authentication Kernel Mode enabled
- Windows Authentication Extended Protection disabled
- For certificates using SHA512, TLS1.2 must be disabled on Windows 2012 or Windows 2012 R2 servers

IIS Component: IIS Windows Process Activation Service roles
Setting:
- ConfigurationApi
- NetEnvironment
- ProcessModel
- WcfActivation (Windows 2008 only)
- HttpActivation
- NonHttpActivation

IaaS Manager Service

Your environment must meet some general requirements that support the installation of the IaaS Manager Service.
- Microsoft .NET Framework 4.5.2 is installed.
- Microsoft PowerShell 2.0 or Microsoft PowerShell 3.0. PowerShell 2.0 is included with Windows Server 2008 R2 SP1 and later. Microsoft PowerShell 3.0 runs on Windows Server 2012 R2.
- SecondaryLogOnService is running.
- No firewalls can exist between DEM host and Windows Server. For port information, see Port Requirements.
- IIS is installed and configured.

Distributed Execution Manager Requirements

Your environment must meet some general requirements that support the installation of Distributed Execution Managers (DEMs).
- Microsoft .NET Framework 4.5.2 is installed.
- Microsoft PowerShell 2.0 or Microsoft PowerShell 3.0. PowerShell 2.0 is included with Windows Server 2008 R2 SP1 and later. Microsoft PowerShell 3.0 runs on Windows Server 2012 R2.
- SecondaryLogOnService is running.
- No firewalls between DEM host and the Windows server, or ports opened as described in Port Requirements.
Servers that host DEM Worker instances might have additional requirements depending on the provisioning resources that they interact with.
Amazon Web Services EC2 Requirements
The IaaS Windows server communicates with and collects data from an Amazon EC2 account.
When you use Amazon Web Services for provisioning, the servers that host the DEM workers must meet the following configuration requirements.
- Hosts on which DEMs are installed must have access to the Internet.
  If there is a firewall, HTTPS traffic must be allowed to and from aws.amazon.com, as well as the URLs representing all the EC2 regions your AWS accounts have access to, for example ec2.us-east-1.amazonaws.com for the US East region. Each URL resolves to a range of IP addresses, so you may need to use a tool, such as the one available from the Network Solutions Web site, to list and configure these IP addresses.
- If Internet access from the DEM host is through a proxy server, the DEM service must be running under credentials that can authenticate to the proxy server.
Red Hat Enterprise Virtualization KVM (RHEV) Requirements
When you use Red Hat Enterprise Virtualization for provisioning, the IaaS Windows server communicates with and collects data from that account.
Your environment must meet the following Red Hat Enterprise requirements.
- Each KVM (RHEV) environment must be joined to the domain containing the IaaS server.
- The credentials used to manage the endpoint representing a KVM (RHEV) environment must have Administrator privileges on the RHEV environment. These credentials must also have sufficient privileges to create objects on the hosts within the environment.
SCVMM Requirements
Any DEM worker used to manage virtual machines through SCVMM must be installed on a host on which the SCVMM console is already installed.
In addition, the following requirements must be met:
- The DEM must have access to the SCVMM PowerShell module installed with the console.
- The MS PowerShell Execution Policy must be set to RemoteSigned or Unrestricted.
  For information on PowerShell Execution Policy, issue one of the following commands at a PowerShell command prompt:
    help about_signing
    help Set-ExecutionPolicy
- If all DEM Workers within the instance are not on compute resources meeting these requirements, Skills must be used to direct all SCVMM-related workflows to those that are.
The following additional requirements apply to SCVMM.
- You must install the SCVMM console before you install DEM workers that consume SCVMM work items.
  If you install the DEM worker before the SCVMM console, you see log errors similar to the following:
    Workflow 'ScvmmEndpointDataCollection' failed with the following
    exception: The term 'Get-VMMServer' is not recognized as the name
    of a cmdlet, function, script file, or operable program. Check the
    spelling of the name, or if a path was included, verify that the
    path is correct and try again.
  To address this, verify that the SCVMM console is installed and restart the DEM worker service.
- Each SCVMM instance must be joined to the domain containing the server.
- The credentials used to manage the endpoint representing an SCVMM instance must have administrator privileges on the SCVMM server. These credentials must also have administrator privileges on the Hyper-V servers within the instance.
- Hyper-V servers within an SCVMM instance to be managed must be Windows 2008 R2 SP1 Servers with Hyper-V installed. The processor must be equipped with the necessary virtualization extensions. .NET Framework 4.5.1 or later must be installed and Windows Management Instrumentation (WMI) must be enabled.
- To provision machines on an SCVMM compute resource, a user must be added in at least one security role within the SCVMM instance.

Port Requirements

vRealize Automation uses designated ports for communication and data access.
Although vRealize Automation uses only port 443 for communication, there might be other ports open on the system. Because open, unsecure ports can be sources of security vulnerabilities, review all open ports on your system and ensure that only the ports that are required by your business applications are open.
vRealize Automation Appliance
The following ports are used by the vRealize Automation appliance.
Table 24. Incoming Ports for the vRealize Automation appliance

| Port | Protocol | Comments |
|---|---|---|
| 22 | TCP | Optional. SSH. |
| 80 | TCP | Optional. Redirects to 443. |
| 111 | TCP, UDP | RPC |
| 443 | TCP | Access to the vRealize Automation console and API calls. |
| 5480 | TCP | Access to virtual appliance Web management interface |
| 5480 | TCP | Used by Management Agent |
| 5488, 5489 | TCP | Internal. Used by vRealize Automation appliance for updates. |
| 4369, 25672, 5671, 5672 | TCP | RabbitMQ messaging |
| 8230, 8280, 8281 | TCP | Internal vRealize Orchestrator instance |
| 8444 | TCP | Console proxy communication for vSphere VMware Remote Console connections |
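
The review of open ports recommended above can be scripted against the incoming ports in Table 24. The following Python code is an added example, not part of the VMware documentation: it parses `netstat -tuln` output taken from the appliance and reports network-reachable listeners that the table does not list. The sample output (including the 8081 and 161 listeners) is constructed, and treating 443 and 5480 as always-required is an assumption.

```python
import re

# Incoming ports documented in Table 24 for the vRealize Automation appliance.
ALLOWED = {
    "tcp": {22, 80, 111, 443, 5480, 5488, 5489, 4369, 25672, 5671, 5672,
            8230, 8280, 8281, 8444},
    "udp": {111},
}
# Assumption: the two non-optional user-facing ports must always be listening.
REQUIRED = [("tcp", 443), ("tcp", 5480)]

# Constructed sample of `netstat -tuln` output, not captured from a real appliance.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:5480            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8081            0.0.0.0:*               LISTEN
tcp        0      0 :::8281                 :::*                    LISTEN
tcp        0      0 ::1:25                  :::*                    LISTEN
udp        0      0 0.0.0.0:111             0.0.0.0:*
udp        0      0 0.0.0.0:161             0.0.0.0:*
"""


def is_loopback(addr):
    """True for addresses that are reachable only from the host itself."""
    return addr == "::1" or addr.startswith("127.")


def parse_listeners(netstat_text):
    """Return {(proto, address, port)} for listeners reachable from the network."""
    listeners = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or not re.fullmatch(r"(tcp|udp)6?", fields[0]):
            continue  # banner, column header, or blank line
        proto = fields[0].rstrip("6")
        if proto == "tcp" and fields[-1] != "LISTEN":
            continue  # established or closing connections are not listeners
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit() and not is_loopback(addr):
            listeners.add((proto, addr, int(port)))
    return listeners


def unexpected_listeners(netstat_text, allowed=ALLOWED):
    """Sorted (proto, port, address) tuples for ports outside the allowlist."""
    return sorted(
        (proto, port, addr)
        for proto, addr, port in parse_listeners(netstat_text)
        if port not in allowed.get(proto, set())
    )


def missing_required(netstat_text, required=REQUIRED):
    """Required (proto, port) pairs with no network-reachable listener."""
    seen = {(proto, port) for proto, _, port in parse_listeners(netstat_text)}
    return [pair for pair in required if pair not in seen]


if __name__ == "__main__":
    for proto, port, addr in unexpected_listeners(SAMPLE_NETSTAT):
        print(f"REVIEW {proto}/{port} bound to {addr}: not in Table 24")
    for proto, port in missing_required(SAMPLE_NETSTAT):
        print(f"MISSING {proto}/{port}: expected listener not found")
```

Loopback-only listeners are skipped because they are not reachable from other hosts; a port flagged for review still needs a decision on whether a business application requires it.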
Table 25. Outgoing Ports for the vRealize Automation Appliance

| Port | Protocol | Comments |
|---|---|---|
| 25, 587 | TCP, UDP | SMTP for sending outbound notification emails |
| 53 | TCP, UDP | DNS |
| 67, 68, 546, 547 | TCP, UDP | DHCP |
| 80 | TCP | Optional. For fetching software updates. Updates can be downloaded separately and applied. |
| 110, 995 | TCP, UDP | POP for receiving inbound notification emails |
| 143, 993 | TCP, UDP | IMAP for receiving inbound notification emails |
| 123 | TCP, UDP | Optional. For connecting directly to NTP instead of using host time. |
| 443 | TCP | IaaS Manager Service over HTTPS. Communication with virtualization hosts over HTTPS |
| 902 | TCP | ESXi network file copy operations and VMware Remote Console (VMRC) connections |
| 5432 | TCP, UDP | Optional. For communicating with an Appliance Database. |
| 7444 | TCP | Communication with SSO service over HTTPS |
| 8281 | TCP | Optional. For communicating with an external vRealize Orchestrator instance. |
Other ports might be required by specific vRealize Orchestrator plug-ins that communicate with external systems. See the documentation for the vRealize Orchestrator plug-in.
Infrastructure as a Service
The ports in the tables Incoming Ports for Infrastructure as a Service Components and Outgoing Ports for Infrastructure as a Service must be available for use by the IaaS Windows Server.
Table 26. Incoming Ports for Infrastructure as a Service Components

| Component | Port | Protocol | Comments |
|---|---|---|---|
| SQL Server instance | 1433 | TCP | MSSQL |
| Manager Service | 443* | TCP | Communication with IaaS components and vRealize Automation appliance over HTTPS |
| vRealize Automation appliance | 443 | TCP | Communication with IaaS components and vRealize Automation appliance over HTTPS |

* Any virtualization hosts managed by proxy agents must also have TCP port 443 open for incoming traffic.
Table 27. Outgoing Ports for Infrastructure as a Service Components

| Component | Port | Protocol | Comments |
|---|---|---|---|
| All | 53 | TCP, UDP | DNS |
| All | 67, 68, 546, 547 | TCP, UDP | DHCP |
| All | 123 | TCP, UDP | Optional. NTP. |
| Manager Service | 443 | TCP | Communication with vRealize Automation appliance over HTTPS |
| Website | 443 | TCP | Communication with Manager Service over HTTPS |
| Distributed Execution Managers | 443 | TCP | Communication with Manager Service over HTTPS |
| Proxy agents | 443 | TCP | Communication with Manager Service and virtualization hosts over HTTPS |
| Guest agent | 443 | TCP | Communication with Manager Service over HTTPS |
| Manager Service, Website | 1433 | TCP | MSSQL |
Microsoft Distributed Transaction Coordinator Service
In addition to verifying that the ports listed in the previous tables are free for use, you must enable Microsoft Distributed Transaction Coordinator Service (MS DTC) communication between all servers in the deployment. MS DTC requires the use of port 135 over TCP and a random port between 1024 and 65535.
The Prerequisite Checker validates whether MS DTC is running and that the required ports are open.

User Accounts and Credentials Required for Installation

You must verify that you have the roles and credentials to install vRealize Automation components.
vCenter Service Account
If you plan to use a vSphere endpoint, you need a domain or local account that has the appropriate level of access configured in vCenter.
Virtual Appliance Installation
To deploy the vRealize Automation appliance, you must have the appropriate privileges on the deployment platform (for example, vSphere administrator credentials).
During the deployment process, you specify the password for the virtual appliance administrator account. This account provides access to the vRealize Automation appliance management console from which you configure and administer the virtual appliances.
IaaS Installation
Before installing IaaS components, add the user under which you plan to execute the IaaS installation programs to the Administrator group on the installation host.
IaaS Database Credentials
You can create the database during product installation or create it manually in the SQL server.
When you create or populate an MS SQL database through vRealize Automation, either with the Installation Wizard or through the management console, the following requirements apply:
- If you use the Use Windows Authentication option, the sysadmin role in SQL Server must be granted to the user executing the Management Agent on the primary IaaS web server to create and alter the size of the database.
- If you do not select Use Windows Authentication, the sysadmin role in SQL Server must also be granted to the user executing the Management Agent on the primary IaaS web server. The credentials are used at runtime.
- If you populate a pre-created database through vRealize Automation, the user credentials you provide (either the current Windows user or the specified SQL user) need only dbo privileges for the IaaS database.

Note: vRealize Automation users also require the correct level of Windows authentication access to log in and use vRealize Automation.
IaaS Service User Credentials
IaaS installs several Windows services that share a single service user.
The following requirements apply to the service user for IaaS services:
- The user must be a domain user.
- The user must have local Administrator privileges on all hosts on which the Manager Service or Web site component is installed. Do not do a workgroup installation.
- The user is configured with Log on as a service privileges. This privilege ensures that the Manager Service starts and generates log files.
- The user must have dbo privileges for the IaaS database. If you use the installer to create the database, ensure that the service user login is added to SQL Server prior to running the installer. The installer grants the service user dbo privileges after creating the database.
- The installer is run under the account that runs the Management Agent on the primary Web server. If you want to use the installer to create an MS SQL database during installation, you must have the sysadmin role enabled under MS SQL. This is not a requirement if you choose to use a pre-created empty database.
- The domain user account that you plan to use as the IIS application pool identity for the Model Manager Web Service is configured with Log on as batch job privileges.
Model Manager Server Specifications
Specify the Model Manager server name by using a fully qualified domain name (FQDN). Do not use an IP address to specify the server.

Security

vRealize Automation uses SSL to ensure secure communication among components. Passphrases are used for secure database storage.
For more information, see Certificate Trust Requirements in a Distributed Deployment.
Certificates
vRealize Automation uses SSL certificates for secure communication among IaaS components and instances of the vRealize Automation appliance. The appliances and the Windows installation machines exchange these certificates to establish a trusted connection. You can obtain certificates from an internal or external certificate authority, or generate self-signed certificates during the deployment process for each component.
For important information about troubleshooting, supportability, and trust requirements for certificates, see the VMware knowledge base article at http://kb.vmware.com/kb/2106583.
You can update or replace certificates after deployment. For example, a certificate may expire or you may choose to use self-signed certificates during your initial deployment, but then obtain certificates from a trusted authority before going live with your vRealize Automation implementation.
Table 28. Certificate Implementations

| Component | Minimal Deployment (non-production) | Distributed Deployment (production-ready) |
|---|---|---|
| vRealize Automation Appliance | Generate a self-signed certificate during appliance configuration. | For each appliance cluster, you can use a certificate from an internal or external certificate authority. Multi-use and wildcard certificates are supported. |
| IaaS Components | During installation, accept the generated self-signed certificates or select certificate suppression. | Obtain a multi-use certificate, such as a Subject Alternative Name (SAN) certificate, from an internal or external certificate authority that your Web client trusts. |
Certificate Chains
If you use certificate chains, specify the certificates in the following order:
- Client/server certificate signed by the intermediate CA certificate
- One or more intermediate certificates
- A root CA certificate
Include the BEGIN CERTIFICATE header and END CERTIFICATE footer for each certificate when you import certificates.
Extracting Certificates and Private Keys
Certificates that you use with the virtual appliances must be in the PEM file format.
The examples in the following table use Gnu openssl commands to extract the certificate information you need to configure the virtual appliances.
Table 29. Sample Certificate Values and Commands (openssl)

| Certificate Authority Provides | Command | Virtual Appliance Entries |
|---|---|---|
| RSA Private Key | openssl pkcs12 -in path_to_.pfx_certificate_file -nocerts -out key.pem | RSA Private Key |
| PEM File | openssl pkcs12 -in path_to_.pfx_certificate_file -clcerts -nokeys -out cert.pem | Certificate Chain |
| (Optional) Pass Phrase | n/a | Pass Phrase |

Security Passphrase

vRealize Automation uses security passphrases for database security. A passphrase is a series of words used to create a phrase that generates the encryption key that protects data while at rest in the database.
Follow these guidelines when creating a security passphrase for the first time.
- Use the same passphrase across the entire installation to ensure that each component has the same encryption key.
- Use a phrase that is greater than eight characters long.
- Include uppercase, lowercase and numeric characters, and symbols.
- Memorize the passphrase or keep it in a safe place. The passphrase is required to restore database information in the event of a system failure or to add components after initial installation. Without the passphrase, you cannot restore successfully.

Third-Party Software

Some components of vRealize Automation depend on third-party software, including Microsoft Windows and SQL Server. To guard against security vulnerabilities in third-party products, ensure that your software is up-to-date with the latest patches from the vendor.

Time Synchronization

A system administrator must set up accurate timekeeping as part of the vRealize Automation installation.
Installation fails if time synchronization is set up incorrectly.
Timekeeping must be consistent and synchronized across the vRealize Automation appliance and Windows servers. By using the same timekeeping method for each component, you can ensure this consistency.
For virtual machines, you can use the following methods:
- Configuration by using Network Time Protocol (directly)
- Configuration by using Network Time Protocol through ESXi with VMware Tools. You must have NTP set up on the ESXi.
For Windows servers, consult Timekeeping best practices for Windows, including NTP.

Chapter 3 Installing vRealize Automation with the Installation Wizard

The Installation Wizard for vRealize Automation provides a simple and fast way to install minimal or enterprise deployments.
Before you begin the wizard, you must deploy a vRealize Automation appliance, configure your Windows servers to meet installation prerequisites, and verify that each appliance and server uses the same timekeeping method.
Wizard Navigation
The Installation Wizard appears the first time you log in to your vRealize Automation appliance. If you want to stop the wizard and return later, log out with the Logout button that appears on each screen. Use the Cancel button to exit the wizard and install through the management console. The wizard is disabled when you click Cancel, or when you log out of the wizard and begin an installation through the management console.
Use the Previous and Next buttons to navigate through wizard screens.
This chapter includes the following topics:
- Deploy the vRealize Automation Appliance
- Installing a Minimal Deployment with the Installation Wizard
- Installing an Enterprise Deployment with the Installation Wizard

Deploy the vRealize Automation Appliance

To deploy the vRealize Automation appliance, a system administrator must log in to the vSphere client and select deployment settings.
Some restrictions apply to the root password you create for the vRealize Automation administrator. See Password Considerations.
Prerequisites
- Download the vRealize Automation appliance from the VMware Web site.
- Log in to the vSphere client as a user with system administrator privileges.
Procedure
1 Select File > Deploy OVF Template from the vSphere client.
2 Browse to the vRealize Automation appliance file you downloaded and click Open.
3 Click Next.
4 Click Next on the OVF Template Details page.
5 Accept the license agreement and click Next.
6 Enter a unique virtual appliance name according to the IT naming convention of your organization in the Name text box, select the datacenter and location to which you want to deploy the virtual appliance, and click Next.
7 Follow the prompts until the Disk Format page appears.
8 Verify on the Disk Format page that enough space exists to deploy the virtual appliance and click Next.
9 Follow the prompts to the Properties page.
  The options that appear depend on your vSphere configuration.
10 Configure the values on the Properties page.
  a Enter the root password to use when you log in to the virtual appliance console in the Enter password and Confirm password text boxes.
  b Select or uncheck the SSH service checkbox to choose whether SSH service is enabled for the appliance.
    This value is used to set the initial status of the SSH service in the appliance. If you are installing with the Installation Wizard, enable this before you begin the wizard. You can change this setting from the appliance management console after installation.
  c Enter the fully qualified domain name of the virtual machine in the Hostname text box, even if you are using DHCP.
  d Configure the networking properties.
11 Click Next.
12 Depending on your vCenter and DNS configurations, it could take some time for the DNS to resolve. To expedite this process, perform the following steps.
  - If Power on after deployment is available on the Ready to Complete page.
    a Select Power on after deployment and click Finish.
    b Click Close after the file finishes deploying into vCenter.
    c Wait for the machine to start. This could take up to 5 minutes.
  - If Power on after deployment is not available on the Ready to Complete page.
    a Click Close after the file finishes deploying into vCenter.
    b Power on the VM and wait for some time for the VM to start up.
    c Verify that you can ping the DNS of the virtual machine. If you cannot ping the DNS, restart the virtual machine.
    d Wait for the machine to start. This could take up to 5 minutes.
13 Open a command prompt and ping the FQDN to verify that the fully qualified domain name can be resolved against the IP address of vRealize Automation appliance.

Installing a Minimal Deployment with the Installation Wizard

Run the Installation Wizard for a Minimal Deployment

Install a minimal deployment for proof-of-concept work. The wizard for minimal installation assumes you are installing all IaaS components on a single Windows machine.
Minimal deployments typically support a single vRealize Automation appliance, an IaaS server, and use a vSphere agent to support endpoints.
Prerequisites
- Verify that you have met the prerequisites described in Chapter 2 Preparing for Installation.
- Deploy the vRealize Automation Appliance
Procedure
1 Open a Web browser.
2 Navigate to the vRealize Automation appliance management console by using its fully qualified domain name, https://vra-va-hostname.domain.name:5480/.
3 Log in with the user name root and the password you specified when the appliance was deployed.
4 When the Installation Wizard appears, click Next.
5 Accept the End User License Agreement and click Next.
6 Select Minimal Deployment and Install Infrastructure as a Service on the Deployment Type screen and click Next.
7 Check that the prerequisites listed on the Installation Prerequisites page have been met and that the Windows servers on which you installed a Management Agent are listed.