VMware vRealize Automation - 7.1 User’s Manual

Configuring vRealize Automation
vRealize Automation 7.1
You can find the most up-to-date technical documentation on the VMware Web site at:
hps://docs.vmware.com/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
Copyright © 2015, 2016 VMware, Inc. All rights reserved. Copyright and trademark information.
VMware, Inc.
3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com

Contents

Configuring vRealize Automation 7
Updated Information 9
1 External Preparations for Provisioning 11
Preparing Your Environment for vRealize Automation Management 11
Checklist for Preparing NSX Network and Security Configuration 12
Checklist for Preparing External IPAM Provider Support 14
Preparing Your vCloud Director Environment for vRealize Automation 16
Preparing Your vCloud Air Environment for vRealize Automation 17
Preparing Your Amazon AWS Environment 17
Preparing Red Hat OpenStack Network and Security Features 22
Preparing Your SCVMM Environment 23
Preparing for Machine Provisioning 24
Choosing a Machine Provisioning Method to Prepare 24
Checklist for Running Visual Basic Scripts During Provisioning 27
Using vRealize Automation Guest Agent in Provisioning 28
Checklist for Preparing to Provision by Cloning 33
Preparing for vCloud Air and vCloud Director Provisioning 45
Preparing for Linux Kickstart Provisioning 46
Preparing for SCCM Provisioning 48
Preparing for WIM Provisioning 49
Preparing for Virtual Machine Image Provisioning 57
Preparing for Amazon Machine Image Provisioning 58
Scenario: Prepare vSphere Resources for Machine Provisioning in Rainpole 60
Preparing for Software Provisioning 62
Preparing to Provision Machines with Software 63
Scenario: Prepare a vSphere CentOS Template for Clone Machine and Software Component Blueprints 67
Scenario: Prepare for Importing the Dukes Bank for vSphere Sample Application Blueprint 70
2 Configuring Tenant Settings 75
Choosing Directories Management Configuration Options 76
Directories Management Overview 76
Using Directories Management to Create an Active Directory Link 79
Managing User Attributes that Sync from Active Directory 91
Managing Connectors 92
Join a Connector Machine to a Domain 92
About Domain Controller Selection 93
Managing Access Policies 96
Integrating Alternative User Authentication Products with Directories Management 101
Scenario: Configure an Active Directory Link for a Highly Available vRealize Automation 118
Configure Smart Card Authentication for vRealize Automation 120
Generate a Connector Activation Token 121
Deploy the Connector OVA File 121
Configure Connector Settings 122
Apply Public Certificate Authority 123
Create a Workspace Identity Provider 125
Configure Certificate Authentication and Configure Default Access Policy Rules 125
Create a Multi Domain or Multi Forest Active Directory Link 126
Configuring Groups and User Roles 127
Assign Roles to Directory Users or Groups 127
Create a Custom Group 128
Create a Business Group 129
Troubleshooting Slow Performance When Displaying Group Members 131
Scenario: Configure the Default Tenant for Rainpole 131
Scenario: Create Local User Accounts for Rainpole 132
Scenario: Connect Your Corporate Active Directory to vRealize Automation for Rainpole 133
Scenario: Configure Branding for the Default Tenant for Rainpole 134
Scenario: Create a Custom Group for Your Rainpole Architects 135
Scenario: Assign IaaS Administrator Privileges to Your Custom Group of Rainpole Architects 136
Create Additional Tenants 136
Specify Tenant Information 137
Configure Local Users 137
Appoint Administrators 138
Delete a Tenant 138
Configuring Custom Branding 139
Custom Branding for Tenant Login Page 139
Custom Branding for Tenant Applications 140
Checklist for Configuring Notifications 141
Configuring Global Email Servers for Notifications 144
Add a Tenant-Specific Outbound Email Server 145
Add a Tenant-Specific Inbound Email Server 146
Override a System Default Outbound Email Server 147
Override a System Default Inbound Email Server 148
Revert to System Default Email Servers 149
Configure Notifications 149
Customize the Date for Email Notification for Machine Expiration 149
Configuring Templates for Automatic IaaS Emails 150
Subscribe to Notifications 150
Create a Custom RDP File to Support RDP Connections for Provisioned Machines 150
Scenario: Add Datacenter Locations for Cross Region Deployments 151
Configuring vRealize Orchestrator and Plug-Ins 152
Configure the Default Workflow Folder for a Tenant 152
Configure an External vRealize Orchestrator Server 153
Log in to the vRealize Orchestrator Configuration Interface 154
Log in to the vRealize Orchestrator Client 154
3 Configuring Resources 157
Checklist for Configuring IaaS Resources 157
Store User Credentials 158
Choosing an Endpoint Scenario 160
Create a Fabric Group 175
Configure Machine Prefixes 176
Managing Key Pairs 176
Creating a Network Profile 178
Configuring Reservations and Reservation Policies 191
Scenario: Configure IaaS Resources for Rainpole 221
Scenario: Apply a Location to a Compute Resource for Cross Region Deployments 225
Checklist for Provisioning a vRealize Automation Deployment Using an External IPAM Provider 225
Configuring XaaS Resources 226
Configure the Active Directory Plug-In as an Endpoint 227
Configure the HTTP-REST Plug-In as an Endpoint 228
Configure the PowerShell Plug-In as an Endpoint 230
Configure the SOAP Plug-In as an Endpoint 231
Configure the vCenter Server Plug-In as an Endpoint 232
Installing Additional Plug-Ins on the Default vRealize Orchestrator Server 233
Working With Active Directory Policies 234
Create and Apply Active Directory Policies 234
4 Providing On-Demand Services to Users 237
Designing Blueprints 237
Exporting and Importing Blueprints 239
Scenario: Importing the Dukes Bank for vSphere Sample Application and Configuring for Your Environment 240
Scenario: Test the Dukes Bank Sample Application 243
Building Your Design Library 244
Designing Machine Blueprints 246
Designing Machine Blueprints with NSX Networking and Security 278
Designing Software Components 290
Creating XaaS Blueprints and Resource Actions 306
Publishing a Blueprint 348
Assembling Composite Blueprints 349
Understanding Nested Blueprint Behavior 350
Selecting a Machine Component that Supports Software Components 352
Creating Property Bindings Between Blueprint Components 352
Creating Explicit Dependencies and Controlling the Order of Provisioning 353
Scenario: Assemble and Test a Blueprint to Deliver MySQL on Rainpole Linked Clone Machines 354
Managing the Service Catalog 357
Checklist for Configuring the Service Catalog 358
Creating a Service 359
Working with Catalog Items and Actions 361
Creating Entitlements 363
Working with Approval Policies 369
Scenario: Configure the Catalog for Rainpole Architects to Test Blueprints 386
Scenario: Test Your Rainpole CentOS Machine 389
Scenario: Make the CentOS with MySQL Application Blueprint Available in the Service Catalog 390
Scenario: Create and Apply CentOS with MySQL Approval Policies 393
Index 399

Configuring vRealize Automation

Conguring vRealize Automation provides information about conguring vRealize Automation and your external environments to prepare for vRealize Automation provisioning and catalog management.
For information about supported integrations, see hps://www.vmware.com/pdf/vrealize-automation-71-
support-matrix.pdf.
Intended Audience
This information is intended for IT professionals who are responsible for conguring vRealize Automation environment, and for infrastructure administrators who are responsible for preparing elements in their existing infrastructure for use in vRealize Automation provisioning. The information is wrien for experienced Windows and Linux system administrators who are familiar with virtual machine technology and datacenter operations.
VMware Technical Publications Glossary
VMware Technical Publications provides a glossary of terms that might be unfamiliar to you. For denitions of terms as they are used in VMware technical documentation, go to
hp://www.vmware.com/support/pubs.

Updated Information

This Conguring vRealize Automation is updated with each release of the product or when necessary.
This table provides the update history of the Conguring vRealize Automation.
Revision Description
EN-002076-04
EN-002076-03 Added a note to “Specify Tenant Information,” on page 137 indicating that tenant URLs must use only
EN-002076-02
EN-002076-01
EN-002076-00 Initial 7.1 release.
Updated “Install the Guest Agent on a Windows Reference Machine,” on page 31.
n
Updated “Prepare a Windows Reference Machine to Support Software,” on page 63.
n
Updated “Prepare a Linux Reference Machine to Support Software,” on page 65.
n
Updated “Create an Active Directory Policy,” on page 235.
n
lowercase characters.
Updated “Preparing for vCloud Air and vCloud Director Provisioning,” on page 45.
n
Updated “Create a vCloud Director Endpoint,” on page 165.
n
Updated “Exporting and Importing Blueprints,” on page 239.
n
Updated “vSphere Machine Component Seings,” on page 250.
n
Added “Delete a Tenant,” on page 138.
n
Updated “Amazon Machine Component Seings,” on page 259.
n
Updated “Troubleshooting Blueprints for Clone and Linked Clone,” on page 267.
n
VMware, Inc. 9
Configuring vRealize Automation
10 VMware, Inc.
1 External Preparations for Provisioning
You may need to create or prepare some elements outside of vRealize Automation to support catalog item provisioning. For example, if you want to provide a catalog item for provisioning a clone machine, you need to create a template on your hypervisor to clone from.
This chapter includes the following topics:
- “Preparing Your Environment for vRealize Automation Management,” on page 11
- “Preparing for Machine Provisioning,” on page 24
- “Preparing for Software Provisioning,” on page 62

Preparing Your Environment for vRealize Automation Management

Depending on your integration platform, you might have to make some configuration changes before you can bring your environment under vRealize Automation management, or before you can leverage certain features.
Table 1-1. Preparing Your Environment for vRealize Automation Integration
Environment | Preparations
NSX | If you want to leverage NSX to manage networking and security features of machines provisioned with vRealize Automation, prepare your NSX instance for integration. See “Checklist for Preparing NSX Network and Security Configuration,” on page 12.
vCloud Director | Install and configure your vCloud Director instance, set up your vSphere and cloud resources, and identify or create appropriate credentials to provide vRealize Automation with access to your vCloud Director environment. See “Preparing Your vCloud Director Environment for vRealize Automation,” on page 16.
vCloud Air | Register for your vCloud Air account, set up your vCloud Air environment, and identify or create appropriate credentials to provide vRealize Automation with access to your environment. See “Preparing for vCloud Air and vCloud Director Provisioning,” on page 45.
Amazon AWS | Prepare elements and user roles in your Amazon AWS environment for use in vRealize Automation, and understand how Amazon AWS features map to vRealize Automation features. See “Preparing Your Amazon AWS Environment,” on page 17.
Red Hat OpenStack | If you want to leverage Red Hat OpenStack to manage networking and security features of machines provisioned with vRealize Automation, prepare your Red Hat OpenStack instance for integration. See “Preparing Red Hat OpenStack Network and Security Features,” on page 22.
SCVMM | Configure storage, networking, and understand template and hardware profile naming restrictions. See “Preparing Your SCVMM Environment,” on page 23.
External IPAM Providers | Register an external IPAM provider package or plug-in, run the configuration workflows, and register the IPAM solution as a new vRealize Automation endpoint. See “Checklist for Preparing External IPAM Provider Support,” on page 14.
All other environments | You do not need to make changes to your environment. You can begin preparing for machine provisioning by creating templates, boot environments, or machine images. See “Preparing for Machine Provisioning,” on page 24.

Checklist for Preparing NSX Network and Security Configuration

Before you can use NSX network and security options in vRealize Automation, you must configure the external NSX network and security environment that you intend to use.
Much of the vRealize Automation support for network and security configuration that you specify in blueprints and reservations is configured externally and made available to vRealize Automation after data collection is run on the compute resources.
For more information about the available network and configuration options that you can configure for vRealize Automation, see “Configuring Network and Security Component Settings,” on page 281.
Table 1-2. Preparing NSX Networking and Security Checklist
Task | Location | Details
Install and configure the NSX plug-in. | Install the NSX plug-in in vRealize Orchestrator. | See “Install the NSX Plug-In on vRealize Orchestrator,” on page 13 and the NSX Administration Guide.
Configure NSX network settings, including gateway and transport zone settings. | Configure network settings in NSX. | See the NSX Administration Guide.
Create NSX security policies, tags, and groups. | Configure security settings in NSX. | See the NSX Administration Guide.
Configure NSX load balancer settings. | Configure an NSX load balancer to work with vRealize Automation. | See the NSX Administration Guide. Also see Custom Properties for Networking in Custom Properties Reference.
Install the NSX Plug-In on vRealize Orchestrator
Installing the NSX plug-in requires that you download the vRealize Orchestrator installer file, use the vRealize Orchestrator Configuration interface to upload the plug-in file, and install the plug-in on a vRealize Orchestrator server.
NOTE If you are using an embedded vRealize Orchestrator that contains an installed NSX plug-in, you do not need to perform the following plug-in installation steps because the NSX plug-in is already installed.
For general plug-in update and troubleshooting information, see vRealize Orchestrator documentation at https://www.vmware.com/support/pubs/orchestrator_pubs.html.
Prerequisites
- Verify that you are running a supported vRealize Orchestrator instance. For information about setting up vRealize Orchestrator, see Installing and Configuring VMware vRealize Orchestrator.
- Verify that you have credentials for an account with permission to install vRealize Orchestrator plug-ins and to authenticate through vCenter Single Sign-On.
- Verify that you installed the correct version of the NSX plug-in. See vRealize Automation Support Matrix.
- Verify that you installed the vRealize Orchestrator client and that you can log in with Administrator credentials.
Procedure
1 Download the plug-in file to a location accessible from the vRealize Orchestrator server.
The plug-in installer file name format, with appropriate version values, is o11nplugin-nsx-1.n.n.vmoapp. Plug-in installation files for the NSX networking and security product are available from the VMware product download site at http://vmware.com/web/vmware/downloads.
2 Open a browser and start the vRealize Orchestrator configuration interface.
An example of the URL format is https://orchestrator_server.com:8283.
3 Click Plug-Ins in the left pane and scroll down to the Install new plug-in section.
4 In the Plug-in file text box, browse to the plug-in installer file and click Upload and install.
The file must be in .vmoapp format.
5 At the prompt, accept the license agreement in the Install a plug-in pane.
6 In the Enabled plug-ins installation status section, confirm that the correct NSX plug-in name is specified.
See vRealize Automation Support Matrix for version information.
The status Plug-in will be installed at next server startup appears.
7 Restart the vRealize Orchestrator server service.
8 Restart the vRealize Orchestrator configuration interface.
9 Click Plug-Ins and verify that the status changed to Installation OK.
10 Start the vRealize Orchestrator client application, log in, and use the Workflows tab to navigate through the library to the NSX folder.
You can browse through the workflows that the NSX plug-in provides.
What to do next
Create a vRealize Orchestrator endpoint in vRealize Automation to use for running workflows. See “Create a vRealize Orchestrator Endpoint,” on page 162.
Run a vRealize Orchestrator and NSX Security Workflow
Before you use the NSX security policy features from vRealize Automation, an administrator must run the Enable security policy support for overlapping subnets workflow in vRealize Orchestrator.
Security policy support for the overlapping subnets workflow is applicable to an NSX 6.1 and later endpoint. Run this workflow only once to enable this support.
Prerequisites
- Verify that a vSphere endpoint is registered with an NSX endpoint. See “Create a vSphere Endpoint,” on page 160.
- Log in to the vRealize Orchestrator client as an administrator.
- Verify that you ran the Create NSX endpoint vRO workflow.
Procedure
1 Click the Workflows tab and select NSX > NSX Workflows for VCAC.
2 Run the Create NSX endpoint workflow and respond to prompts.
3 Run the Enable security policy support for overlapping subnets workflow.
4 Select the NSX endpoint as the input parameter for the workflow.
Use the IP address you specified when you created the vSphere endpoint to register an NSX instance.
After you run this workflow, the distributed firewall rules defined in the security policy are applied only on the vNICs of the security group members to which this security policy is applied.
What to do next
Apply the applicable security features for the blueprint.

Checklist for Preparing External IPAM Provider Support

You can obtain IP addresses and ranges for use in network profile definition from a supported external IPAM provider, such as Infoblox.
Before you can use an external IPAM provider endpoint in a vRealize Automation network profile, you must download or otherwise obtain a vRealize Orchestrator IPAM provider package, import the package and run required workflows in vRealize Orchestrator, and register the IPAM solution as a vRealize Automation endpoint in vRealize Orchestrator.
For an overview of the provisioning process for using an external IPAM provider to supply a range of possible IP addresses, see “Checklist for Provisioning a vRealize Automation Deployment Using an External IPAM Provider,” on page 225.
Table 1-3. Preparing for External IPAM Provider Support Checklist
Task | Location | Details
Obtain and import the supported external IPAM Provider vRealize Orchestrator plug-in. | Download the IPAM provider package, for example Infoblox IPAM, from the VMware Solution Exchange and import the package to vRealize Orchestrator. If the VMware Solution Exchange (https://solutionexchange.vmware.com/store/category_groups/cloud-management) does not contain the IPAM provider package that you need, you can create your own using the IPAM Solution Provider SDK and supporting documentation. | See “Obtain and Import the External IPAM Provider Package in vRealize Orchestrator,” on page 15.
Run the required configuration workflows and register the external IPAM solution as a vRealize Automation endpoint. | Run the vRealize Orchestrator configuration workflows and register the IPAM provider endpoint type in vRealize Orchestrator. | See “Run the Workflow to Register the Infoblox IPAM Endpoint Type in vRealize Orchestrator,” on page 16.
Obtain and Import the External IPAM Provider Package in vRealize Orchestrator
To prepare to dene and use an external IPAM provider endpoint, you must rst obtain the external IPAM provider package and import the package in vRealize Orchestrator.
You can download and use an existing third-party IP Address Management provider package, such as Infoblox IPAM. You can also create your own package using a VMware-supplied SDK and accompanying SDK documentation, for example to create a package for use with Bluecat IPAM. This example uses the Infoblox IPAM package.
After you obtain and import the external IPAM provider package in vRealize Orchestrator, run the required workows and register the IPAM endpoint type.
For more information about importing packages and running vRealize Orchestrator workows, see Using the VMware vRealize Orchestrator Client. For more information about extending vRealize Automation with vRealize Orchestrator packages and workows, see Life Cycle Extensibility.
Prerequisites
Log in to vRealize Orchestrator with administrator privileges for importing, conguring, and
n
registering a vRealize Orchestrator package.
Procedure
1 Open the VMware Solution Exchange site at
hps://solutionexchange.vmware.com/store/category_groups/cloud-management.
2 Select Cloud Management Marketplace.
3 Locate and download the plug-in or package, for example Infoblox VIPAM Plug-in.
4 In vRealize Orchestrator, click the Administrator tab and click Import package.
5 Select the package or plug-in, for example select the Infoblox IPAM plug-in.
6 Select all workows and artifacts and click Import selected elements.
What to do next
“Run the Workow to Register the Infoblox IPAM Endpoint Type in vRealize Orchestrator,” on page 16.
VMware, Inc. 15
Configuring vRealize Automation
Run the Workflow to Register the Infoblox IPAM Endpoint Type in vRealize Orchestrator
Run the registration workow in vRealize Orchestrator to support vRealize Automation use of the external IPAM provider and register the Infoblox IPAM endpoint type for use in vRealize Automation.
To register IPAM endpoint types in vRealize Orchestrator, you are prompted to supply vRealize Automation vRA Administrator credentials. T
For more information about importing packages and running vRealize Orchestrator workows, see Using the VMware vRealize Orchestrator Client. For more information about extending vRealize Automation with vRealize Orchestrator packages and workows, see Life Cycle Extensibility.
Prerequisites
“Obtain and Import the External IPAM Provider Package in vRealize Orchestrator,” on page 15
n
Verify that you are logged in to vRealize Orchestrator with vRealize Automation with authority to run
n
workows.
Be prepared to supply vRealize Automation IaaS administrator credentials when prompted.
n
Procedure
1 In vRealize Orchestrator, click the Design tab, select Administrator > Library, and select IPAM Service
Package SDK.
Each IPAM provider package is uniquely named and contains unique workows. The workow names might be similar between provider packages. The location of the workows in vRealize Orchestrator can be dierent and is provider-specic.
2 Run the Register IPAM Endpoint registration workow and specify the IPAM Inoblox endpoint type.
3 At the prompt for vRealize Automation credentials, enter your vRealize Automation IaaS administrator
credentials.
The package registers InfoBlox as a new IPAM endpoint type in the vRealize Automation endpoint service and makes the endpoint type available when you dene endpoints in vRealize Automation.
What to do next
You can now create an IPAM Inoblox type endpoint in vRealize Automation. See “Create an External
IPAM Provider Endpoint,” on page 163.

Preparing Your vCloud Director Environment for vRealize Automation

Before you can integrate vCloud Director with vRealize Automation, you must install and configure your vCloud Director instance, set up your vSphere and cloud resources, and identify or create appropriate credentials to provide vRealize Automation with access to your vCloud Director environment.
Configure Your Environment
Configure your vSphere resources and cloud resources, including virtual datacenters and networks. For more information, see the vCloud Director documentation.
Required Credentials for Integration
Create or identify either organization administrator or system administrator credentials that your vRealize Automation IaaS administrators can use to bring your vCloud Director environment under vRealize Automation management as an endpoint.
User Role Considerations
vCloud Director user roles in an organization do not need to correspond with roles in vRealize Automation business groups. If the user account does not exist in vCloud Director, vCloud Director performs a lookup in the associated LDAP or Active Directory and creates the user account if the user exists in the identity store. If it cannot create the user account, it logs a warning but does not fail the provisioning process. The provisioned machine is then assigned to the account that was used to configure the vCloud Director endpoint.
For related information about vCloud Director user management, see the vCloud Director documentation.

Preparing Your vCloud Air Environment for vRealize Automation

Before you integrate vCloud Air with vRealize Automation, you must register for your vCloud Air account, set up your vCloud Air environment, and identify or create appropriate credentials to provide vRealize Automation with access to your environment.
Configure Your Environment
Congure your environment as instructed in the vCloud Air documentation.
Required Credentials for Integration
Create or identify either virtual infrastructure administrator or account administrator credentials that your vRealize Automation IaaS administrators can use to bring your vCloud Air environment under vRealize Automation management as an endpoint.
User Role Considerations
vCloud Air user roles in an organization do not need to correspond with roles in vRealize Automation business groups. For related information about vCloud Air user management, see the vCloud Air documentation.

Preparing Your Amazon AWS Environment

Prepare elements and user roles in your Amazon AWS environment, prepare Amazon AWS to communicate with the guest agent and Software bootstrap agent, and understand how Amazon AWS features map to vRealize Automation features.
Amazon AWS User Roles and Credentials Required for vRealize Automation
You must congure credentials in Amazon AWS with the permissions required for vRealize Automation to manage your environment.
You must have certain Amazon access rights to successfully provision machines by using vRealize Automation.
Role and Permission Authorization in Amazon Web Services
n
The Power User role in AWS provides an AWS Directory Service user or group with full access to AWS services and resources.
You do not need any AWS credentials to create an AWS endpoint in vRealize Automation. However, the AWS user who creates an Amazon machine image is expected by vRealize Automation to have the Power User role.
Authentication Credentials in Amazon Web Services
n
VMware, Inc. 17
Configuring vRealize Automation
The AWS Power User role does not allow management of AWS Identity and Access Management (IAM) users and groups. For management of IAM users and groups, you must be congured with AWS Full Access Administrator credentials.
vRealize Automation requires access keys for endpoint credentials and does not support user names and passwords. To obtain the access key needed to create the Amazon endpoint, the Power User must either request a key from a user who has AWS Full Access Administrator credentials or be additionally congured with the AWS Full Access Administrator policy.
For information about enabling policies and roles, see the AWS Identity and Access Management (IAM) section of Amazon Web Services product documentation.
Allow Amazon AWS to Communicate with the Software Bootstrap Agent and Guest Agent
If you intend to provision application blueprints that contain Software, or if you want the ability to further customize provisioned machines by using the guest agent, you must enable connectivity between your Amazon AWS environment, where your machines are provisioned, and your vRealize Automation environment, where the agents download packages and receive instructions.
When you use vRealize Automation to provision Amazon AWS machines with the vRealize Automation guest agent and Software bootstrap agent, you must set up network-to-Amazon VPC connectivity so your provisioned machines can communicate back to vRealize Automation to customize your machines.
For more information about Amazon AWS VPC connectivity options, see the Amazon AWS documentation.
Using Optional Amazon Features
vRealize Automation supports several Amazon features, including Amazon Virtual Private Cloud, elastic load balancers, elastic IP addresses, and elastic block storage.
Using Amazon Security Groups
Specify at least one security group when creating an Amazon reservation. Each available region requires at least one specied security group.
A security group acts as a rewall to control access to a machine. Every region includes at least the default security group. Administrators can use the Amazon Web Services Management Console to create additional security groups, congure ports for Microsoft Remote Desktop Protocol or SSH, and set up a virtual private network for an Amazon VPN.
When you create an Amazon reservation or congure a machine component in the blueprint, you can choose from the list of security groups that are available to the specied Amazon account region. Security groups are imported during data collection.
For information about creating and using security groups in Amazon Web Services, see Amazon documentation.
Understanding Amazon Web Service Regions
Each Amazon Web Services account is represented by a cloud endpoint. When you create an Amazon Elastic Cloud Computing endpoint in vRealize Automation, regions are collected as compute resources. After the IaaS administrator selects compute resources for a business group, inventory and state data collections occur automatically.
Inventory data collection, which occurs automatically once a day, collects data about what is on a compute resource, such as the following data:
- Elastic IP addresses
- Elastic load balancers
- Elastic block storage volumes
State data collection occurs automatically every 15 minutes by default. It gathers information about the state of managed instances, which are instances that vRealize Automation creates. The following are examples of state data:
- Windows passwords
- State of machines in load balancers
- Elastic IP addresses
A fabric administrator can initiate inventory and state data collection and disable or change the frequency of inventory and state data collection.
Using Amazon Virtual Private Cloud
Amazon Virtual Private Cloud allows you to provision Amazon machine instances in a private section of the Amazon Web Services cloud.
Amazon Web Services users can use Amazon VPC to design a virtual network topology according to your specications. You can assign an Amazon VPC in vRealize Automation. However, vRealize Automation does not track the cost of using the Amazon VPC.
When you provision using Amazon VPC, vRealize Automation expects there to be a VPC subnet from which Amazon obtains a primary IP address. This address is static until the instance is terminated. You can also use the elastic IP pool to also aach an elastic IP address to an instance in vRealize Automation. That would allow the user to keep the same IP if they are continually provisioning and tearing down an instance in Amazon Web Services.
Use the AWS Management Console to create the following elements:
- An Amazon VPC, which includes Internet gateways, routing table, security groups and subnets, and available IP addresses.
- An Amazon Virtual Private Network if users need to log in to Amazon machine instances outside of the AWS Management Console.
vRealize Automation users can perform the following tasks when working with an Amazon VPC:
- A fabric administrator can assign an Amazon VPC to a cloud reservation. See “Create an Amazon Reservation,” on page 194.
- A machine owner can assign an Amazon machine instance to an Amazon VPC.
For more information about creating an Amazon VPC, see Amazon Web Services documentation.
Using Elastic Load Balancers for Amazon Web Services
Elastic load balancers distribute incoming application traffic across Amazon Web Services instances. Amazon load balancing enables improved fault tolerance and performance.
Amazon makes elastic load balancing available for machines provisioned using Amazon EC2 blueprints.
The elastic load balancer must be available in Amazon Web Services, in the Amazon Virtual Private Network, and at the provisioning location. For example, if a load balancer is available in us-east1c and a machine location is us-east1b, the machine cannot use the available load balancer.
vRealize Automation does not create, manage, or monitor the elastic load balancers.
For information about creating Amazon elastic load balancers by using the Amazon Web Services Management Console, see Amazon Web Services documentation.
Using Elastic IP Addresses for Amazon Web Services
Using an elastic IP address allows you to rapidly fail over to another machine in a dynamic Amazon Web Services cloud environment. In vRealize Automation, the elastic IP address is available to all business groups that have rights to the region.
An administrator can allocate elastic IP addresses to your Amazon Web Services account by using the AWS Management Console. There are two groups of elastic IP addresses in any given region: one range is allocated for non-Amazon VPC instances and another range is for Amazon VPCs. If you allocate addresses in a non-Amazon VPC region only, the addresses are not available in an Amazon VPC. The reverse is also true. If you allocate addresses in an Amazon VPC only, the addresses are not available in a non-Amazon VPC region.
The elastic IP address is associated with your Amazon Web Services account, not a particular machine, but only one machine at a time can use the address. The address remains associated with your Amazon Web Services account until you choose to release it. You can release it to map it to a specific machine instance.
An IaaS architect can add a custom property to a blueprint to assign an elastic IP address to machines during provisioning. Machine owners and administrators can view the elastic IP addresses assigned to machines, and machine owners or administrators with rights to edit machines can assign an elastic IP address after provisioning. However, if the address is already associated to a machine instance, and the instance is part of the Amazon Virtual Private Cloud deployment, Amazon does not assign the address.
For more information about creating and using Amazon elastic IP addresses, see Amazon Web Services documentation.
Using Elastic Block Storage for Amazon Web Services
Amazon elastic block storage provides block level storage volumes to use with an Amazon machine instance and Amazon Virtual Private Cloud. The storage volume can persist past the life of its associated Amazon machine instance in the Amazon Web Services cloud environment.
When you use an Amazon elastic block storage volume in conjunction with vRealize Automation, the following caveats apply:
- You cannot attach an existing elastic block storage volume when you provision a machine instance. However, if you create a new volume and request more than one machine at a time, the volume is created and attached to each instance. For example, if you create one volume named volume_1 and request three machines, a volume is created for each machine. Three volumes named volume_1 are created and attached to each machine. Each volume has a unique volume ID. Each volume is the same size and in the same location.
- The volume must be of the same operating system and in the same location as the machine to which you attach it.
- vRealize Automation does not manage the primary volume of an elastic block storage-backed instance.
For more information about Amazon elastic block storage, and details on how to enable it by using Amazon Web Services Management Console, see Amazon Web Services documentation.
Scenario: Configure Network-to-Amazon VPC Connectivity for a Proof of Concept Environment
As the IT professional setting up a proof of concept environment to evaluate vRealize Automation, you want to temporarily configure network-to-Amazon VPC connectivity to support the vRealize Automation Software feature.
Network-to-Amazon VPC connectivity is only required if you want to use the guest agent to customize provisioned machines, or if you want to include Software components in your blueprints. For a production environment, you would configure this connectivity officially through Amazon Web Services, but because you are working in a proof of concept environment, you want to create temporary network-to-Amazon VPC connectivity. You establish the SSH tunnel and then configure an Amazon reservation in vRealize Automation to route through your tunnel.
Prerequisites
- Install and fully configure vRealize Automation. See Installing and Configuring vRealize Automation for the Rainpole Scenario.
- Create an Amazon AWS security group called TunnelGroup and configure it to allow access on port 22.
- Create or identify a CentOS machine in your Amazon AWS TunnelGroup security group and note the following configurations:
  - Administrative user credentials, for example root.
  - Public IP address.
  - Private IP address.
- Create or identify a CentOS machine on the same local network as your vRealize Automation installation.
- Install OpenSSH SSHD Server on both tunnel machines.
Procedure
1 Log in to your Amazon AWS tunnel machine as the root user or similar.
2 Disable iptables.
# service iptables save
# service iptables stop
# chkconfig iptables off
3 Edit /etc/ssh/sshd_config to enable AllowTCPForwarding and GatewayPorts.
4 Restart the service.
/etc/init.d/sshd restart
5 Log in to the CentOS machine on the same local network as your vRealize Automation installation as the root user.
6 Invoke the SSH Tunnel from the local network machine to the Amazon AWS tunnel machine.
ssh -N -v -o "ServerAliveInterval 30" -o "ServerAliveCountMax 40" -o "TCPKeepAlive yes" \
-R 1442:vRealize_automation_appliance_fqdn:5480 \
-R 1443:vRealize_automation_appliance_fqdn:443 \
-R 1444:manager_service_fqdn:443 \
User of Amazon tunnel machine@Public IP Address of Amazon tunnel machine
You configured port forwarding to allow your Amazon AWS tunnel machine to access vRealize Automation resources, but your SSH tunnel does not function until you configure an Amazon reservation to route through the tunnel.
What to do next
1 Install the software bootstrap agent and the guest agent on a Windows or Linux reference machine to create an Amazon Machine Image that your IaaS architects can use to create blueprints. See “Preparing for Software Provisioning,” on page 62.
2 Configure your Amazon reservation in vRealize Automation to route through your SSH tunnel. See “Scenario: Create an Amazon Reservation for a Proof of Concept Environment,” on page 209.
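The sshd_config check from step 3 and the reverse tunnel from step 6, as an added example that is not part of this manual or of VMware's tooling. It is Python 3, reads a constructed sshd_config sample rather than a real host's file, keeps the procedure's placeholder host names, and the helper names (effective_global_settings, tunnel_problems, ssh_tunnel_argv) are this example's own.

```python
"""Added example, not VMware's code: verify the sshd_config settings the AWS
tunnel machine needs for the reverse tunnel, then build the step-6 ssh command
from a port map.  The configuration text below is a constructed sample."""
import re

# sshd defaults for the two keywords the tunnel depends on (sshd_config(5)).
SSHD_DEFAULTS = {"allowtcpforwarding": "yes", "gatewayports": "no"}
# What the reverse tunnel needs: -R listeners are only bound to interfaces
# other than loopback when GatewayPorts is yes.
TUNNEL_REQUIRED = {"allowtcpforwarding": "yes", "gatewayports": "yes"}

# Constructed sample of /etc/ssh/sshd_config.  The commented line, the
# mixed-case keyword and the duplicate inside the Match block exercise the parser.
SAMPLE_SSHD_CONFIG = """\
Port 22
#AllowTcpForwarding no
AllowTCPForwarding yes
GatewayPorts = yes
Match User deploy
    GatewayPorts no
"""

_DIRECTIVE = re.compile(r"^([A-Za-z0-9]+)\s*(?:=|\s)\s*(.+?)\s*$")


def effective_global_settings(config_text):
    """Map lowercase keyword -> value for the global scope of an sshd_config.

    sshd keywords are case-insensitive, 'Key value' and 'Key=value' are both
    accepted, the first occurrence of a keyword wins, and everything after the
    first Match line belongs to that block rather than the global scope.
    """
    settings = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key == "match":
            break  # conditional block: no longer the global scope
        settings.setdefault(key, value)  # first obtained value wins
    return settings


def tunnel_problems(config_text):
    """Return the settings that block the reverse tunnel; [] means ready."""
    effective = effective_global_settings(config_text)
    problems = []
    for key, wanted in TUNNEL_REQUIRED.items():
        actual = effective.get(key, SSHD_DEFAULTS[key])
        if actual.lower() != wanted:
            problems.append(f"{key} is '{actual}' (needs '{wanted}')")
    return problems


# Listener port on the tunnel machine -> (host, port) reached through it, as in
# step 6.  The host names are the procedure's placeholders, not real hosts.
FORWARDS = {
    1442: ("vRealize_automation_appliance_fqdn", 5480),
    1443: ("vRealize_automation_appliance_fqdn", 443),
    1444: ("manager_service_fqdn", 443),
}


def ssh_tunnel_argv(forwards, user, tunnel_public_ip):
    """argv for the step-6 command: -N opens no shell, keepalives survive idle NAT."""
    argv = ["ssh", "-N",
            "-o", "ServerAliveInterval 30",
            "-o", "ServerAliveCountMax 40",
            "-o", "TCPKeepAlive yes"]
    for listen_port, (host, port) in sorted(forwards.items()):
        argv += ["-R", f"{listen_port}:{host}:{port}"]
    argv.append(f"{user}@{tunnel_public_ip}")
    return argv


if __name__ == "__main__":
    issues = tunnel_problems(SAMPLE_SSHD_CONFIG)
    print("sshd_config ready" if not issues else "fix: " + "; ".join(issues))
    print(" ".join(ssh_tunnel_argv(FORWARDS, "ec2-user", "203.0.113.10")))
```

The check reads the first value of each keyword, as sshd does, so a commented-out directive or a duplicate lower in the file does not count. With GatewayPorts yes the three -R listeners bind on all of the tunnel machine's interfaces, which is what lets provisioned instances reach them; which hosts can actually connect to ports 1442 to 1444 is then decided by the instance's security group rules (the TunnelGroup from the prerequisites opens only port 22), not by sshd.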

Preparing Red Hat OpenStack Network and Security Features

vRealize Automation supports several features in OpenStack including security groups and floating IP addresses. Understand how these features work with vRealize Automation and configure them in your environment.
Using OpenStack Security Groups
Security groups allow you to specify rules to control network traffic over specific ports.
You can specify security groups when creating a reservation and also in the blueprint canvas. You can also specify security groups when requesting a machine.
Security groups are imported during data collection.
Each available region requires at least one specified security group. When you create a reservation, the security groups available to you in that region are displayed. Every region includes at least the default security group.
Additional security groups must be managed in the source resource. For more information about managing security groups for the various machines, see the OpenStack documentation.
Using Floating IP Addresses with OpenStack
You can assign floating IP addresses to a running virtual instance in OpenStack.
To enable assignment of floating IP addresses, you must configure IP forwarding and create a floating IP pool in Red Hat OpenStack. For more information, see the Red Hat OpenStack documentation.
You must entitle the Associate Floating IP and Disassociate Floating IP actions to machine owners. The entitled users can then associate a floating IP address to a provisioned machine from the external networks attached to the machine by selecting an available address from the floating IP address pool. After a floating IP address has been associated with a machine, a vRealize Automation user can select a Disassociate Floating IP option to view the currently assigned floating IP addresses and disassociate an address from a machine.

Preparing Your SCVMM Environment

Before you begin creating SCVMM templates and hardware profiles for use in vRealize Automation machine provisioning, you must understand the naming restrictions on template and hardware profile names, and configure SCVMM network and storage settings.
Template and Hardware Profile Naming
Because of naming conventions that SCVMM and vRealize Automation use for templates and hardware profiles, do not start your template or hardware profile names with the words temporary or profile. For example, the following names are ignored during data collection:
- TemporaryTemplate
- Temporary Template
- TemporaryProfile
- Temporary Profile
- Profile
Required Network Configuration for SCVMM Clusters
SCVMM clusters only expose virtual networks to vRealize Automation, so you must have a 1:1 relationship between your virtual and logical networks. Using the SCVMM console, map each logical network to a virtual network and configure your SCVMM cluster to access machines through the virtual network.
Required Storage Configuration for SCVMM Clusters
On SCVMM Hyper-V clusters, vRealize Automation collects data and provisions on shared volumes only. Using the SCVMM console, configure your clusters to use shared resource volumes for storage.
Required Storage Configuration for Standalone SCVMM Hosts
For standalone SCVMM hosts, vRealize Automation collects data and provisions on the default virtual machine path. Using the SCVMM console, configure default virtual machine paths for your standalone hosts.

Preparing for Machine Provisioning

Depending on your environment and your method of machine provisioning, you might need to configure elements outside of vRealize Automation. For example, you might need to configure machine templates or machine images. You might also need to configure NSX settings or run vRealize Orchestrator workflows.

Choosing a Machine Provisioning Method to Prepare

For most machine provisioning methods, you must prepare some elements outside of vRealize Automation.
Table 1-4. Choosing a Machine Provisioning Method to Prepare

Scenario: Configure vRealize Automation to run custom Visual Basic scripts as additional steps in the machine life cycle, either before or after machine provisioning. For example, you could use a pre-provisioning script to generate certificates or security tokens before provisioning, and then a post-provisioning script to use the certificates and tokens after machine provisioning.
Provisioning Method: Supported as an additional step in any provisioning method, but you cannot use Visual Basic scripts with Amazon AWS machines.
Supported Endpoint: You can run Visual Basic scripts with any supported endpoint except Amazon AWS.
Agent Support: Depends on the provisioning method you choose.
Pre-provisioning Preparations: “Checklist for Running Visual Basic Scripts During Provisioning,” on page 27

Scenario: Provision application blueprints that automate the installation, configuration, and life cycle management of middleware and application deployment components such as Oracle, MySQL, WAR, and database Schemas.
Provisioning Method: Clone; Clone (for vCloud Air or vCloud Director); Linked clone; Amazon Machine Image
Supported Endpoint: vSphere; vCloud Air; vCloud Director; Amazon AWS
Agent Support: (Required) Guest agent; (Required) Software bootstrap agent and guest agent
Pre-provisioning Preparations: If you want the ability to use Software components in your blueprints, prepare a provisioning method that supports the guest agent and Software bootstrap agent. For more information about preparing for Software, see “Preparing for Software Provisioning,” on page 62.

Scenario: Further customize machines after provisioning by using the guest agent.
Provisioning Method: Supported for all provisioning methods except Virtual Machine Image.
Supported Endpoint: All virtual endpoints and Amazon AWS.
Agent Support: (Required) Guest agent; (Optional) Software bootstrap agent and guest agent
Pre-provisioning Preparations: If you want the ability to customize machines after provisioning, select a provisioning method that supports the guest agent. For more information about the guest agent, see “Using vRealize Automation Guest Agent in Provisioning,” on page 28.

Scenario: Provision machines with no guest operating system. You can install an operating system after provisioning.
Provisioning Method: Basic
Supported Endpoint: All virtual machine endpoints.
Agent Support: Not supported
Pre-provisioning Preparations: No required pre-provisioning preparations outside of vRealize Automation.

Scenario: Provision a space-efficient copy of a virtual machine called a linked clone. Linked clones are based on a snapshot of a VM and use a chain of delta disks to track differences from a parent machine.
Provisioning Method: Linked Clone
Supported Endpoint: vSphere
Agent Support: (Optional) Guest agent; (Optional) Software bootstrap agent and guest agent
Pre-provisioning Preparations: You must have an existing vSphere virtual machine. If you want to support Software, you must install the guest agent and software bootstrap agent on the machine you intend to clone.

Scenario: Provision a space-efficient copy of a virtual machine by using NetApp FlexClone technology.
Provisioning Method: NetApp FlexClone
Supported Endpoint: vSphere
Agent Support: (Optional) Guest agent
Pre-provisioning Preparations: “Checklist for Preparing to Provision by Cloning,” on page 33

Scenario: Provision machines by cloning from a template object created from an existing Windows or Linux machine, called the reference machine, and a customization object.
Provisioning Method: Clone
Supported Endpoint: vSphere; KVM (RHEV); SCVMM
Agent Support: (Optional) Guest agent; (Optional for vSphere only) Software bootstrap agent and guest agent
Pre-provisioning Preparations: See “Checklist for Preparing to Provision by Cloning,” on page 33. If you want to support Software, you must install the guest agent and software bootstrap agent on the vSphere machine you intend to clone.

Scenario: Provision vCloud Air or vCloud Director machines by cloning from a template and customization object.
Provisioning Method: vCloud Air or vCloud Director Cloning
Supported Endpoint: vCloud Air; vCloud Director
Agent Support: (Optional) Guest agent; (Optional) Software bootstrap agent and guest agent
Pre-provisioning Preparations: See “Preparing for vCloud Air and vCloud Director Provisioning,” on page 45. If you want to support Software, create a template that contains the guest agent and software bootstrap agent. For vCloud Air, configure network connectivity between your vRealize Automation environment and your vCloud Air environment.

Scenario: Provision a machine by booting from an ISO image, using a kickstart or AutoYaST configuration file and a Linux distribution image to install the operating system on the machine.
Provisioning Method: Linux Kickstart
Supported Endpoint: All virtual endpoints; Red Hat OpenStack
Agent Support: Guest agent is installed as part of the preparation instructions.
Pre-provisioning Preparations: “Preparing for Linux Kickstart Provisioning,” on page 46

Scenario: Provision a machine and pass control to an SCCM task sequence to boot from an ISO image, deploy a Windows operating system, and install the vRealize Automation guest agent.
Provisioning Method: SCCM
Supported Endpoint: All virtual machine endpoints.
Agent Support: Guest agent is installed as part of the preparation instructions.
Pre-provisioning Preparations: “Preparing for SCCM Provisioning,” on page 48

Scenario: Provision a machine by booting into a WinPE environment and installing an operating system using a Windows Imaging File Format (WIM) image of an existing Windows reference machine.
Provisioning Method: WIM
Supported Endpoint: All virtual endpoints; Red Hat OpenStack
Agent Support: Guest agent is required. You can use PEBuilder to create a WinPE image that includes the guest agent. You can create the WinPE image by using another method, but you must manually insert the guest agent.
Pre-provisioning Preparations: “Preparing for WIM Provisioning,” on page 49

Scenario: Launch an instance from a virtual machine image.
Provisioning Method: Virtual Machine Image
Supported Endpoint: Red Hat OpenStack
Agent Support: Not supported
Pre-provisioning Preparations: See “Preparing for Virtual Machine Image Provisioning,” on page 57.

Scenario: Launch an instance from an Amazon Machine Image.
Provisioning Method: Amazon Machine Image
Supported Endpoint: Amazon AWS
Agent Support: (Optional) Guest agent; (Optional) Software bootstrap agent and guest agent
Pre-provisioning Preparations: Associate Amazon machine images and instance types with your Amazon AWS account. If you want to support Software, create an Amazon Machine Image that contains the guest agent and software bootstrap agent, and configure network-to-VPC connectivity between your Amazon AWS and vRealize Automation environments.

Checklist for Running Visual Basic Scripts During Provisioning

You can congure vRealize Automation to run your custom Visual Basic scripts as additional steps in the machine life cycle, either before or after machine provisioning. For example, you could use a pre­provisioning script to generate certicates or security tokens before provisioning, and then a post­provisioning script to use the certicates and tokens after machine provisioning. You can run Visual Basic scripts with any provisioning method, but you cannot use Visual Basic scripts with Amazon AWS machines.
Table 15. Running Visual Basic Scripts During Provisioning Checklist
Task Location Details
Install and congure the EPI agent for Visual Basic scripts.
Create your visual basic scripts.
Gather the information required to include your scripts in blueprints.
Typically the Manager Service host See Installing vRealize Automation 7.1.
Machine where EPI agent is installed vRealize Automation includes a
sample Visual Basic script
PrePostProvisioningExample.vbs
in the Scripts subdirectory of the EPI agent installation directory. This script contains a header to load all arguments into a dictionary, a body in which you can include your functions, and a footer to return updated custom properties to vRealize Automation.
When executing a Visual Basic script, the EPI agent passes all machine custom properties as arguments to the script. To return updated property values to vRealize Automation, place these properties in a dictionary and call a function provided by vRealize Automation.
Capture information and transfer to your infrastructure architects
N A fabric administrator can create a property group by using the property sets ExternalPreProvisioningVbScript and ExternalPostProvisioningVbScript to provide this required information. Doing so makes it easier for blueprint architects to include this information correctly in their blueprints.
The complete path to the Visual
n
Basic script, including the lename and extension. For example,
%System Drive%Program Files (x86)\VMware\vCAC Agents\EPI_Agents\Scripts\Se ndEmail.vbs.
To run a script before
n
provisioning, instruct infrastructure architects to enter the complete path to the script as the value of the custom property
ExternalPreProvisioningVbScr ipt. To run a script after
provisioning, they need to use the custom property
ExternalPostProvisioningVbSc ript.

Using vRealize Automation Guest Agent in Provisioning

You can install the guest agent on reference machines to further customize a machine after deployment. You can use the reserved guest agent custom properties to perform basic customizations such as adding and formatting disks, or you can create your own custom scripts for the guest agent to run within the guest operating system of a provisioned machine.
After the deployment is completed and the customization specification is run (if you provided one), the guest agent creates an XML file, c:\VRMGuestAgent\site\workitem.xml, that contains all of the deployed machine's custom properties, completes any tasks assigned to it with the guest agent custom properties, and then deletes itself from the provisioned machine.
You can write your own custom scripts for the guest agent to run on deployed machines, and use custom properties on the machine blueprint to specify the location of those scripts and the order in which to run them. You can also use custom properties on the machine blueprint to pass custom property values to your scripts as parameters.
For example, you could use the guest agent to make the following customizations on deployed machines:
- Change the IP address
- Add or format drives
- Run security scripts
- Initialize another agent, for example Puppet or Chef
You can also provide an encrypted string as a custom property in a command line argument. This allows you to store encrypted information that the guest agent can decrypt and understand as a valid command line argument.
Your custom scripts do not have to be locally installed on the machine. As long as the provisioned machine has network access to the script location, the guest agent can access and run the scripts. This lowers maintenance costs because you can update your scripts without having to rebuild all of your templates.
If you choose to install the guest agent to run custom scripts on provisioned machines, your blueprints must include the appropriate guest agent custom properties. For example, if you install the guest agent on a template for cloning, create a custom script that changes the provisioned machine's IP address, and place the script in a shared location, you need to include a number of custom properties in your blueprint.
Table 1-6. Custom Properties for Changing IP Address of a Provisioned Machine with a Guest Agent

Custom Property: VirtualMachine.Admin.UseGuestAgent
Description: Set to true to initialize the guest agent when the provisioned machine is started.

Custom Property: VirtualMachine.Customize.WaitComplete
Description: Set to True to prevent the provisioning workflow from sending work items to the guest agent until all customizations are complete.

Custom Property: VirtualMachine.SoftwareN.ScriptPath
Description: Specifies the full path to an application's install script. The path must be a valid absolute path as seen by the guest operating system and must include the name of the script file.
You can pass custom property values as parameters to the script by inserting {CustomPropertyName} in the path string. For example, if you have a custom property named ActivationKey whose value is 1234, the script path is D:\InstallApp.bat -key {ActivationKey}. The guest agent runs the command D:\InstallApp.bat -key 1234. Your script file can then be programmed to accept and use this value.
Insert {Owner} to pass the machine owner name to the script.
You can also pass custom property values as parameters to the script by inserting {YourCustomProperty} in the path string. For example, entering the value \\vra-scripts.mycompany.com\scripts\changeIP.bat runs the changeIP.bat script from a shared location, but entering the value \\vra-scripts.mycompany.com\scripts\changeIP.bat {VirtualMachine.Network0.Address} runs the changeIP script but also passes the value of the VirtualMachine.Network0.Address property to the script as a parameter.

Custom Property: VirtualMachine.ScriptPath.Decrypt
Description: Allows vRealize Automation to obtain an encrypted string that is passed as a properly formatted VirtualMachine.SoftwareN.ScriptPath custom property statement to the gugent command line.
You can provide an encrypted string, such as your password, as a custom property in a command-line argument. This allows you to store encrypted information that the guest agent can decrypt and understand as a valid command-line argument. For example, the VirtualMachine.Software0.ScriptPath = c:\dosomething.bat password custom property string is not secure as it contains an actual password.
To encrypt the password, you can create a vRealize Automation custom property, for example MyPassword = password, and enable encryption by selecting the available check box. The guest agent decrypts the [MyPassword] entry to the value in the custom property MyPassword and runs the script as c:\dosomething.bat password.
- Create custom property MyPassword = password where password is the value of your actual password. Enable encryption by selecting the available check box.
- Set custom property VirtualMachine.ScriptPath.Decrypt as VirtualMachine.ScriptPath.Decrypt = true.
- Set custom property VirtualMachine.Software0.ScriptPath as VirtualMachine.Software0.ScriptPath = c:\dosomething.bat [MyPassword].
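The {CustomPropertyName} and [EncryptedPropertyName] expansion described for VirtualMachine.SoftwareN.ScriptPath and VirtualMachine.ScriptPath.Decrypt, as an added model written for this page; it is not VMware's guest agent code. It assumes a plain dictionary of blueprint custom properties, a constructed IP address and activation key, and a base64 stand-in where the product would decrypt the stored value; the function names (expand_script_path, demo) are this example's own.

```python
"""Added example, not VMware's guest agent code: a model of how a
VirtualMachine.SoftwareN.ScriptPath string is expanded before the script runs.
{Name} becomes the value of custom property Name; [Name] becomes the decrypted
value of the encrypted property Name, but only when
VirtualMachine.ScriptPath.Decrypt is true.  The property values are constructed
for the demo, and the "encryption" is a base64 stand-in (not encryption) so
that the demo runs offline."""
import base64
import re

PLACEHOLDER = re.compile(r"\{([^{}]+)\}")   # {CustomPropertyName}
ENCRYPTED = re.compile(r"\[([^\[\]]+)\]")    # [EncryptedPropertyName]


def _stand_in_encrypt(secret):
    """Stand-in for the product's encrypted property store (base64 only)."""
    return base64.b64encode(secret.encode()).decode()


def _stand_in_decrypt(token):
    return base64.b64decode(token.encode()).decode()


def expand_script_path(properties, encrypted, script_index=0):
    """Return the command line the agent would run for Software<N>.ScriptPath.

    properties: plain custom properties, name -> string value.
    encrypted:  names of encrypted properties -> stored (stand-in) ciphertext.
    A placeholder naming an unknown property is left untouched; that is an
    assumption of this model, the manual does not describe the case.
    """
    path = properties[f"VirtualMachine.Software{script_index}.ScriptPath"]
    flag = properties.get("VirtualMachine.ScriptPath.Decrypt", "false")
    decrypt_on = flag.strip().lower() == "true"

    # {Name}: substitute the plain property value (covers {Owner} if supplied).
    path = PLACEHOLDER.sub(lambda m: properties.get(m.group(1), m.group(0)), path)
    # [Name]: only decrypted when the Decrypt flag is set; otherwise literal.
    if decrypt_on:
        path = ENCRYPTED.sub(
            lambda m: _stand_in_decrypt(encrypted[m.group(1)])
            if m.group(1) in encrypted else m.group(0),
            path,
        )
    return path


# Constructed blueprint properties mirroring the manual's three examples.
SAMPLE_PROPERTIES = {
    "VirtualMachine.Admin.UseGuestAgent": "true",
    "VirtualMachine.Customize.WaitComplete": "true",
    "VirtualMachine.ScriptPath.Decrypt": "true",
    "VirtualMachine.Network0.Address": "10.20.30.40",   # constructed value
    "ActivationKey": "1234",
    "VirtualMachine.Software0.ScriptPath":
        r"\\vra-scripts.mycompany.com\scripts\changeIP.bat {VirtualMachine.Network0.Address}",
    "VirtualMachine.Software1.ScriptPath": r"D:\InstallApp.bat -key {ActivationKey}",
    "VirtualMachine.Software2.ScriptPath": r"c:\dosomething.bat [MyPassword]",
}
# MyPassword is stored only in encrypted form (check box enabled), never as text.
SAMPLE_ENCRYPTED = {"MyPassword": _stand_in_encrypt("password")}


def demo():
    """Expand the three sample paths, plus Software2 with the Decrypt flag unset."""
    results = {n: expand_script_path(SAMPLE_PROPERTIES, SAMPLE_ENCRYPTED, n)
               for n in range(3)}
    no_decrypt = {k: v for k, v in SAMPLE_PROPERTIES.items()
                  if k != "VirtualMachine.ScriptPath.Decrypt"}
    results["software2_without_decrypt"] = expand_script_path(
        no_decrypt, SAMPLE_ENCRYPTED, 2)
    return results


if __name__ == "__main__":
    for name, command in demo().items():
        print(f"{name}: {command}")
```

The point the model makes visible is that the blueprint property itself never holds the password, only the [MyPassword] token; the clear-text command line exists only inside the guest at run time, and only when VirtualMachine.ScriptPath.Decrypt is true.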
If you set VirtualMachine.ScriptPath.Decrypt to false, or do not create the VirtualMachine.ScriptPath.Decrypt custom property, the string inside the square brackets ([ and ]) is not decrypted.
For more information about custom properties you can use with the guest agent, see Custom Properties Reference.
Install the Guest Agent on a Linux Reference Machine
Install the Linux guest agent on your reference machines to further customize machines after deployment.
Prerequisites
- Identify or create the reference machine.
- The guest agent files you download contain both tar.gz and RPM package formats. If your operating system cannot install tar.gz or RPM files, use a conversion tool to convert the installation files to your preferred package format.
Procedure
1 Navigate to the vCloud Automation Center Appliance management console installation page.
For example: https://vcac-hostname.domain.name:5480/installer/.
2 Download and save the Linux Guest Agent Packages.
3 Unpack the LinuxGuestAgentPkgs file.
4 Install the guest agent package that corresponds to the guest operating system you are deploying during provisioning.
a Navigate to the LinuxGuestAgentPkgs subdirectory for your guest operating system.
b Locate your preferred package format or convert a package to your preferred package format.
c Install the guest agent package on your reference machine.
For example, to install the files from the RPM package, run rpm -i gugent-7.0.0-012715.x86_64.rpm.
5 Configure the guest agent to communicate with the Manager Service by running installgugent.sh Manager_Service_Hostname_fqdn:portnumber ssl platform.
The default port number for the Manager Service is 443. Accepted platform values are ec2, vcd, vca, and vsphere.
Option: If you are using a load balancer
Description: Enter the fully qualified domain name and port number of your Manager Service load balancer. For example:
cd /usr/share/gugent
./installgugent.sh load_balancer_manager_service.mycompany.com:443 ssl ec2
Option: With no load balancer
Description: Enter the fully qualified domain name and port number of your Manager Service machine. For example:
cd /usr/share/gugent
./installgugent.sh manager_service_machine.mycompany.com:443 ssl vsphere
6 If deployed machines are not already configured to trust the Manager Service SSL certificate, you must install the cert.pem file on your reference machine to establish trust.
- For the most secure approach, obtain the cert.pem certificate and manually install the file on the reference machine.
- For a more convenient approach, you can connect to the manager service load balancer or manager service machine and download the cert.pem certificate.
Option: If you are using a load balancer
Description: As the root user on the reference machine, run the following command:
echo | openssl s_client -connect manager_service_load_balancer.mycompany.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert.pem
Option: With no load balancer
Description: As the root user on the reference machine, run the following command:
echo | openssl s_client -connect manager_service_machine.mycompany.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert.pem
7 If you are installing the guest agent on an Ubuntu operating system, create symbolic links for shared objects by running one of the following command sets.
Option: 64-bit systems
Description:
cd /lib/x86_64-linux-gnu
sudo ln -s libssl.so.1.0.0 libssl.so.10
sudo ln -s libcrypto.so.1.0.0 libcrypto.so.10
Option: 32-bit systems
Description:
cd /lib/i386-linux-gnu
sudo ln -s libssl.so.1.0.0 libssl.so.10
sudo ln -s libcrypto.so.1.0.0 libcrypto.so.10
What to do next
Convert your reference machine into a template for cloning, an Amazon Machine Image, or a snapshot that your IaaS architects can use when creating blueprints.
Install the Guest Agent on a Windows Reference Machine
Install the Windows guest agent on a Windows reference machine to run as a Windows service and enable further customization of machines.
Prerequisites
- Identify or create the reference machine.
- If you want to use the most secure approach for establishing trust between the guest agent and your Manager Service machine, obtain the SSL certificate in PEM format from your Manager Service machine. For more information about how the guest agent establishes trust, see “Configuring the Windows Guest Agent to Trust a Server,” on page 32.
Procedure
1 Navigate to the vCloud Automation Center Appliance management console installation page.
For example: https://vcac-hostname.domain.name:5480/installer/.
2 Click Guest and software agents page in the vRealize Automation component installation section of the page.
For example: https://va-hostname.domain.com/software/index.html.
The Guest and Software Agent Installers page opens, displaying links to available downloads.
3 Download and save the Windows guest agent installation file to the C drive of your reference machine.
- Windows guest agent files (32-bit.)
- Windows guest agent files (64-bit.)
4 Install the guest agent on the reference machine.
a Right-click the file and select Properties.
b Click General.
c Click Unblock.
d Extract the files.
This produces the directory C:\VRMGuestAgent. Do not rename this directory.
5 Configure the guest agent to communicate with the Manager Service.
a Open an elevated command prompt.
b Navigate to C:\VRMGuestAgent.
c Configure the guest agent to trust your Manager Service machine.
Option: Allow the guest agent to trust the first machine to which it connects.
Description: No configuration required.
Option: Manually install the trusted PEM file.
Description: Place the Manager Service PEM file in the C:\VRMGuestAgent\ directory.
d Run winservice -i -h Manager_Service_Hostname_fqdn:portnumber -p ssl.
The default port number for the Manager Service is 443.
Option: If you are using a load balancer
Description: Enter the fully qualified domain name and port number of your Manager Service load balancer. For example, winservice -i -h load_balancer_manager_service.mycompany.com:443 -p ssl.
Option: With no load balancer
Description: Enter the fully qualified domain name and port number of your Manager Service machine. For example, winservice -i -h manager_service_machine.mycompany.com:443 -p ssl.
Option: If you are preparing an Amazon machine image
Description: You need to specify that you are using Amazon. For example, winservice -i -h manager_service_machine.mycompany.com:443 -p ssl -c ec2.
The name of the Windows service is VCACGuestAgentService. You can find the installation log VCACGuestAgentService.log in C:\VRMGuestAgent.
What to do next
Convert your reference machine into a template for cloning, an Amazon machine image, or a snapshot so your IaaS architects can use your template when creating blueprints.
Configuring the Windows Guest Agent to Trust a Server
The most secure approach is to install the trusted PEM file manually on each template that uses the guest agent, but you can also allow the guest agent to trust the first machine to which it connects.
Installing the PEM file for the trusted server on each template along with the guest agent is the most secure approach. For security, the guest agent does not check for a certificate if a PEM file already exists in the VRMGuestAgent directory. If the server certificates change, you must manually rebuild your templates with the new PEM files.
You can also configure the guest agent to populate the trusted PEM file on first use. This is less secure than manually installing the PEM files on each template, because whichever server answers the agent's first connection becomes the trusted server, but it is more flexible for environments where you might use a single template for multiple servers. To allow the guest agent to trust the first server it connects to, create a template with no PEM files in the VRMGuestAgent directory. The guest agent populates the PEM file the first time it connects to a server, and the template always trusts that first system. For security, the guest agent does not check for a certificate if a PEM file already exists in the VRMGuestAgent directory. If the server certificate changes, you must remove the PEM file from your VRMGuestAgent directory. The guest agent installs the new PEM file the next time it connects to the server.
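The following is an added example, not code from the VMware documentation or product. Because the guest agent pins whatever PEM file it finds in VRMGuestAgent and never re-checks it, the file is worth verifying before it is copied there: the helpers compare the certificate's SHA-256 fingerprint with one you recorded out of band (for example on the Manager Service host itself) and refuse to pin on a mismatch, and trust_mode reports whether a template directory will pin a PEM or fall back to trusting the first server. The pinned file name cert.pem and the out-of-band fingerprint are assumptions; the page only says the PEM file goes in C:\VRMGuestAgent.

```python
"""Verify a Manager Service PEM file before pinning it for the Windows guest agent.

Added example, not part of the vRealize Automation documentation or product.
Assumptions: you recorded the SHA-256 fingerprint of the Manager Service
certificate out of band, and the pinned file is written as cert.pem; the page
only says the PEM file goes in C:\\VRMGuestAgent, not what it is named.
"""
import base64
import hashlib
import re
from pathlib import Path

AGENT_DIR = Path(r"C:\VRMGuestAgent")  # directory the page documents
PINNED_NAME = "cert.pem"               # assumed file name, see docstring
_PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in PEM text."""
    match = _PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found in PEM data")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated, upper-case SHA-256 fingerprint of the certificate."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fingerprint: str) -> str:
    """Accept 'AB:CD', 'ab cd' or bare hex so copied values compare equal."""
    return re.sub(r"[^0-9A-F]", "", fingerprint.upper())


def pem_matches(pem_text: str, expected_fingerprint: str) -> bool:
    """True when the certificate in pem_text has the fingerprint recorded out of band."""
    actual = sha256_fingerprint(pem_to_der(pem_text))
    return normalize_fingerprint(actual) == normalize_fingerprint(expected_fingerprint)


def trust_mode(agent_dir_entries) -> str:
    """Which trust model a template built from this directory will use.

    Any .pem in VRMGuestAgent is used as-is and never re-checked ('pinned');
    with none present the agent trusts whichever server answers first.
    """
    if any(name.lower().endswith(".pem") for name in agent_dir_entries):
        return "pinned"
    return "trust-first-server"


def install_trusted_pem(pem_text: str, expected_fingerprint: str,
                        agent_dir: Path = AGENT_DIR, replace: bool = False) -> Path:
    """Write the PEM into the agent directory only if its fingerprint matches.

    An existing PEM is not overwritten unless replace=True: the agent keeps
    using whatever file is there, so when the Manager Service certificate
    changes the old file must be removed deliberately and the template rebuilt.
    """
    if not pem_matches(pem_text, expected_fingerprint):
        raise ValueError("certificate fingerprint mismatch; refusing to pin it")
    existing = [p.name for p in agent_dir.iterdir()] if agent_dir.is_dir() else []
    if trust_mode(existing) == "pinned" and not replace:
        raise FileExistsError("a PEM is already pinned; remove it or pass replace=True")
    agent_dir.mkdir(parents=True, exist_ok=True)
    target = agent_dir / PINNED_NAME
    target.write_text(pem_text)
    return target


# Constructed sample: arbitrary bytes in PEM armour, not a real certificate,
# so the helpers can be exercised offline.
SAMPLE_DER = b"constructed-sample-bytes-not-a-real-certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER).decode()
              + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    print("expected fingerprint:", sha256_fingerprint(SAMPLE_DER))
    print("template trust mode :", trust_mode(["winservice.exe"]))
```

Run install_trusted_pem on the reference machine after step 4 and before step 5d; a mismatch means the PEM you were handed is not the Manager Service's certificate and must not be pinned.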

Checklist for Preparing to Provision by Cloning

You must perform some preparation outside of vRealize Automation to create the template and the customization objects used to clone Linux and Windows virtual machines.
Cloning requires a template to clone from, created from a reference machine.
[Flowchart: Identify or create a reference machine. Decision points: Do you want to support software components in your blueprints? (Yes: install the guest agent and the software bootstrap agent.) Do you want the ability to customize machines after deployment? (Yes: install the guest agent.) Are you working in vCenter Server? (Yes: install VMware Tools.) Finally, convert your reference machine to a template.]
If you are provisioning a Windows machine by cloning, the only way to join the provisioned machine to an Active Directory domain is by using the customization specification from vCenter Server or by including a guest operating system profile with your SCVMM template. Machines provisioned by cloning cannot be placed in an Active Directory container during provisioning. You must do this manually after provisioning.
Table 1-7. Checklist for Preparing to Provision by Cloning
Task: Identify or create the reference machine.
Location: Hypervisor.
Details: See the documentation provided by your hypervisor.

Task: (Optional) If you want your clone template to support Software components, install the vRealize Automation guest agent and software bootstrap agent on your reference machine.
Location: Reference machine.
Details: For Windows reference machines, see “Prepare a Windows Reference Machine to Support Software,” on page 63. For Linux reference machines, see “Prepare a Linux Reference Machine to Support Software,” on page 65.

Task: (Optional) If you do not need your clone template to support Software components, but you do want the ability to customize deployed machines, install the vRealize Automation guest agent on your reference machine.
Location: Reference machine.
Details: See “Using vRealize Automation Guest Agent in Provisioning,” on page 28.

Task: If you are working in a vCenter Server environment, install VMware Tools on the reference machine.
Location: vCenter Server.
Details: See the VMware Tools documentation.

Task: Use the reference machine to create a template for cloning.
Location: Hypervisor.
Details: The reference machine may be powered on or off. If you are cloning in vCenter Server, you can use a reference machine directly without creating a template. See the documentation provided by your hypervisor.

Task: Create the customization object to configure cloned machines by applying System Preparation Utility information or a Linux customization.
Location: Hypervisor.
Details: If you are cloning for Linux you can install the Linux guest agent and provide external customization scripts instead of creating a customization object. If you are cloning with vCenter Server, you must provide the customization specification as the customization object. See the documentation provided by your hypervisor.

Task: Gather the information required to create blueprints that clone your template.
Location: Capture information and transfer to your IaaS architects.
Details: See “Worksheet for Virtual Provisioning by Cloning,” on page 35.
Worksheet for Virtual Provisioning by Cloning
Complete the knowledge transfer worksheet to capture information about the template, customizations, and custom properties required to create clone blueprints for the templates you prepared in your environment. Not all of this information is required for every implementation. Use this worksheet as a guide, or copy and paste the worksheet tables into a word processing tool for editing.
Required Template and Reservation Information
Table 1-8. Template and Reservation Information Worksheet (columns: Required Information, My Value, Details)
Template name
Reservations on which the template is available, or reservation policy to apply
    Details: To avoid errors during provisioning, ensure that the template is available on all reservations or create reservation policies that architects can use to restrict the blueprint to reservations where the template is available.
(vSphere only) Type of cloning requested for this template
    Details: Clone, Linked Clone, or NetApp FlexClone.
Customization specification name (Required for cloning with static IP addresses)
    Details: You cannot perform customizations of Windows machines without a customization specification object.
(SCVMM only) ISO name
(SCVMM only) Virtual hard disk
(SCVMM only) Hardware profile to attach to provisioned machines
Required Property Groups
You can complete the custom property information sections of the worksheet, or you can create property groups and ask architects to add your property groups to their blueprints instead of numerous individual custom properties.
Required vCenter Server Operating System
You must supply the guest operating system custom property for vCenter Server provisioning.
Table 1-9. vCenter Server Operating System (columns: Custom Property, My Value, Description)
VMware.VirtualCenter.OperatingSystem
    Specifies the vCenter Server guest operating system version (VirtualMachineGuestOsIdentifier) with which vCenter Server creates the machine. This operating system version must match the operating system version to be installed on the provisioned machine. Administrators can create property groups using one of several property sets, for example VMware[OS_Version]Properties, that are predefined to include the correct VMware.VirtualCenter.OperatingSystem values. This property is for virtual provisioning.
Visual Basic Script Information
If you configured vRealize Automation to run your custom Visual Basic scripts as additional steps in the machine life cycle, you must include information about the scripts in the blueprint.
NOTE A fabric administrator can create a property group by using the property sets ExternalPreProvisioningVbScript and ExternalPostProvisioningVbScript to provide this required information. Doing so makes it easier for blueprint architects to include this information correctly in their blueprints.
Table 1-10. Visual Basic Script Information (columns: Custom Property, My Value, Description)
ExternalPreProvisioningVbScript
    Run a script before provisioning. Enter the complete path to the script including the file name and extension, for example %SystemDrive%\Program Files (x86)\VMware\vCAC Agents\EPI_Agents\Scripts\SendEmail.vbs.
ExternalPostProvisioningVbScript
    Run a script after provisioning. Enter the complete path to the script including the file name and extension, for example %SystemDrive%\Program Files (x86)\VMware\vCAC Agents\EPI_Agents\Scripts\SendEmail.vbs.
Linux Guest Agent Customization Script Information
If you configured your Linux template to use the guest agent for running customization scripts, you must include information about the scripts in the blueprint.
Table 1-11. Linux Guest Agent Customization Script Information Worksheet (columns: Custom Property, My Value, Description)
Linux.ExternalScript.Name
    Specifies the name of an optional customization script, for example config.sh, that the Linux guest agent runs after the operating system is installed. This property is available for Linux machines cloned from templates on which the Linux agent is installed. If you specify an external script, you must also define its location by using the Linux.ExternalScript.LocationType and Linux.ExternalScript.Path properties.
Linux.ExternalScript.LocationType
    Specifies the location type of the customization script named in the Linux.ExternalScript.Name property. This can be either local or nfs. You must also specify the script location using the Linux.ExternalScript.Path property. If the location type is nfs, also use the Linux.ExternalScript.Server property.
Linux.ExternalScript.Server
    Specifies the name of the NFS server, for example lab-ad.lab.local, on which the Linux external customization script named in Linux.ExternalScript.Name is located.
Linux.ExternalScript.Path
    Specifies the local path to the Linux customization script or the export path to the Linux customization script on the NFS server. The value must begin with a forward slash and must not include the file name, for example /scripts/linux for a script named config.sh.
Other Guest Agent Custom Properties
If you installed the guest agent on your reference machine, you can use custom properties to further customize machines after deployment.
Table 1-12. Custom Properties for Customizing Cloned Machines with a Guest Agent Worksheet (columns: Custom Property, My Value, Description)
VirtualMachine.Admin.AddOwnerToAdmins
    Set to True (default) to add the machine’s owner, as specified by the VirtualMachine.Admin.Owner property, to the local administrators group on the machine.
VirtualMachine.Admin.AllowLogin
    Set to True (default) to add the machine owner, as specified by the VirtualMachine.Admin.Owner property, to the local remote desktop users group.
VirtualMachine.Admin.UseGuestAgent
    If the guest agent is installed as a service on a template for cloning, set to True on the machine blueprint to enable the guest agent service on machines cloned from that template. When the machine is started, the guest agent service is started. Set to False to disable the guest agent. If set to False, the enhanced clone workflow does not use the guest agent for guest operating system tasks, reducing its functionality to VMwareCloneWorkflow. If not specified or set to anything other than False, the enhanced clone workflow sends work items to the guest agent.
VirtualMachine.DiskN.Active
    Set to True (default) to specify that the machine's disk N is active. Set to False to specify that the machine's disk N is not active.
VirtualMachine.DiskN.Size
    Defines the size in GB of disk N. For example, to give a size of 150 GB to an additional disk, define the custom property VirtualMachine.Disk1.Size and enter a value of 150. Disk numbering must be sequential. By default a machine has one disk referred to by VirtualMachine.Disk0.Size, where size is specified by the storage value on the blueprint from which the machine is provisioned. The storage value on the blueprint user interface overwrites the value in the VirtualMachine.Disk0.Size property. The VirtualMachine.Disk0.Size property is not available as a custom property because of its relationship with the storage option on the blueprint. More disks can be added by specifying VirtualMachine.Disk1.Size, VirtualMachine.Disk2.Size and so on. VirtualMachine.Admin.TotalDiskUsage always represents the total of the .DiskN.Size properties plus the VMware.Memory.Reservation size allocation.
VirtualMachine.DiskN.Label
    Specifies the label for a machine’s disk N. The disk label maximum is 32 characters. Disk numbering must be sequential. When used with a guest agent, specifies the label of a machine's disk N inside the guest operating system.
VirtualMachine.DiskN.Letter
    Specifies the drive letter or mount point of a machine’s disk N. The default is C. For example, to specify the letter D for Disk 1, define the custom property as VirtualMachine.Disk1.Letter and enter the value D. Disk numbering must be sequential. When used in conjunction with a guest agent, this value specifies the drive letter or mount point under which an additional disk N is mounted by the guest agent in the guest operating system.
VirtualMachine.Admin.CustomizeGuestOSDelay
    Specifies the time to wait after customization is complete and before starting the guest operating system customization. The value must be in HH:MM:SS format. If the value is not set, the default value is one minute (00:01:00). If you do not include this custom property, provisioning can fail if the virtual machine reboots before guest agent work items are completed.
VirtualMachine.Customize.WaitComplete
    Set to True to prevent the provisioning workflow from sending work items to the guest agent until all customizations are complete.
VirtualMachine.SoftwareN.Name
    Specifies the descriptive name of a software application N or script to install or run during provisioning. This is an optional and information-only property. It serves no real function for the enhanced clone workflow or the guest agent, but it is useful for a custom software selection in a user interface or for software use reporting.
VirtualMachine.SoftwareN.ScriptPath
    Specifies the full path to an application's install script. The path must be a valid absolute path as seen by the guest operating system and must include the name of the script file. You can pass custom property values as parameters to the script by inserting {CustomPropertyName} in the path string. For example, if you have a custom property named ActivationKey whose value is 1234, the script path is D:\InstallApp.bat -key {ActivationKey}. The guest agent runs the command D:\InstallApp.bat -key 1234. Your script file can then be programmed to accept and use this value. Because the value is substituted into the command line verbatim, restrict which values such a property can take to those the script expects.
VirtualMachine.SoftwareN.ISOName
    Specifies the path and file name of the ISO file relative to the datastore root. The format is /folder_name/subfolder_name/file_name.iso. If a value is not specified, the ISO is not mounted.
VirtualMachine.SoftwareN.ISOLocation
    Specifies the storage path that contains the ISO image file to be used by the application or script. Format the path as it appears on the host reservation, for example netapp-1:it_nfs_1. If a value is not specified, the ISO is not mounted.
Networking Custom Properties
If you are not integrating with NSX, you can still specify configuration for specific network devices on a machine by using custom properties.
VirtualMachine.NetworkN custom properties are specific to individual blueprints and machines. When a machine is requested, network and IP address allocation is performed before the machine is assigned to a reservation. Because blueprints are not guaranteed to be allocated to a specific reservation, do not use these properties on a reservation.
Table 1-13. Custom Properties for Networking Configuration (columns: Custom Property, My Value, Description)
VirtualMachine.NetworkN.Address
    Specifies the IP address of network device N in a machine provisioned with a static IP address.
VirtualMachine.NetworkN.MacAddressType
    Indicates whether the MAC address of network device N is generated or user-defined (static). This property is available for cloning. The default value is generated. If the value is static, you must also use VirtualMachine.NetworkN.MacAddress to specify the MAC address.
VirtualMachine.NetworkN.MacAddress
    Specifies the MAC address of a network device N. This property is available for cloning. If the value of VirtualMachine.NetworkN.MacAddressType is generated, this property contains the generated address. If the value of VirtualMachine.NetworkN.MacAddressType is static, this property specifies the MAC address. For virtual machines provisioned on ESX server hosts, the address must be in the range specified by VMware. For details, see vSphere documentation.
VirtualMachine.NetworkN.Name
    Specifies the name of the network to connect to, for example the network device N to which a machine is attached. This is equivalent to a network interface card (NIC). By default, a network is assigned from the network paths available on the reservation on which the machine is provisioned. Also see VirtualMachine.NetworkN.AddressType. You can ensure that a network device is connected to a specific network by setting the value of this property to the name of a network on an available reservation. For example, if you give properties for N=0 and 1, you get 2 NICs and their assigned value, provided the network is selected in the associated reservation. You can add this property to a vCloud Air or vCloud Director machine component in a blueprint.
VirtualMachine.NetworkN.PortID
    Specifies the port ID to use for network device N when using a dvPort group with a vSphere distributed switch.
VirtualMachine.NetworkN.ProfileName
    Specifies the name of a network profile from which to assign a static IP address to network device N, or from which to obtain the range of static IP addresses that can be assigned to network device N of a cloned machine, where N=0 for the first device, 1 for the second, and so on. When you use the VirtualMachine.NetworkN.ProfileName property, the network profile it points to is used to allocate an IP address. However, the provisioned machine is attached to any network that is selected in the reservation, using a round-robin model.
VirtualMachine.NetworkN.SubnetMask, VirtualMachine.NetworkN.Gateway, VirtualMachine.NetworkN.PrimaryDns, VirtualMachine.NetworkN.SecondaryDns, VirtualMachine.NetworkN.PrimaryWins, VirtualMachine.NetworkN.SecondaryWins, VirtualMachine.NetworkN.DnsSuffix, VirtualMachine.NetworkN.DnsSearchSuffixes
    Configure attributes of the network profile specified in VirtualMachine.NetworkN.ProfileName.
VCNS.LoadBalancerEdgePool.Names.name
    Specifies the vCloud Networking and Security load balancing pools to which the virtual machine is assigned during provisioning. The virtual machine is assigned to all service ports of all specified pools. The value is an edge/pool name or a list of edge/pool names separated by commas. Names are case-sensitive. Appending a name allows you to create multiple versions of a custom property. For example, the following properties might list load balancing pools set up for general use and for machines with high, moderate, and low performance requirements:
    • VCNS.LoadBalancerEdgePool.Names
    • VCNS.LoadBalancerEdgePool.Names.moderate
    • VCNS.LoadBalancerEdgePool.Names.high
    • VCNS.LoadBalancerEdgePool.Names.low
VCNS.SecurityGroup.Names.name
    Specifies the vCloud Networking and Security security group or groups to which the virtual machine is assigned during provisioning. The value is a security group name or a list of names separated by commas. Names are case-sensitive. Appending a name allows you to create multiple versions of the property, which can be used separately or in combination. For example, the following properties can list security groups intended for general use, for the sales force, and for support:
    • VCNS.SecurityGroup.Names
    • VCNS.SecurityGroup.Names.sales
    • VCNS.SecurityGroup.Names.support
VCNS.SecurityTag.Names.name
    Specifies the vCloud Networking and Security security tag or tags with which the virtual machine is associated during provisioning. The value is a security tag name or a list of names separated by commas. Names are case-sensitive. Appending a name allows you to create multiple versions of the property, which can be used separately or in combination. For example, the following properties can list security tags intended for general use, for the sales force, and for support:
    • VCNS.SecurityTag.Names
    • VCNS.SecurityTag.Names.sales
    • VCNS.SecurityTag.Names.support
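The worksheets above state a number of constraints that are easy to get wrong by hand (sequential DiskN and NetworkN numbering, no VirtualMachine.Disk0.Size as a custom property, the HH:MM:SS delay format, the Linux.ExternalScript.* dependencies, and a static MAC type requiring VirtualMachine.NetworkN.MacAddress). The following added example, not code from the VMware documentation or product, checks a property set against those rules before it is handed to architects, and expands {CustomPropertyName} placeholders in VirtualMachine.SoftwareN.ScriptPath the way the table describes while refusing values that would change the command line. The VMware static MAC range it checks (00:50:56:00:00:00 to 00:50:56:3F:FF:FF) is taken from the vSphere documentation, not from this page, and the property set is constructed.

```python
"""Check blueprint custom properties against the worksheet rules above.

Added example, not part of the vRealize Automation documentation or product.
The VMware static MAC range 00:50:56:00:00:00 to 00:50:56:3F:FF:FF is an
assumption taken from the vSphere documentation, not from this page.
"""
import re

_DELAY = re.compile(r"^\d{2}:\d{2}:\d{2}$")
_MAC = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
_INDEXED = re.compile(r"^VirtualMachine\.(Disk|Network)(\d+)\.(\w+)$")
_PLACEHOLDER = re.compile(r"\{([A-Za-z0-9_.]+)\}")
# The page shows the property value placed into the script command line
# verbatim, so this example only substitutes values made of these characters.
_SAFE_VALUE = re.compile(r"^[A-Za-z0-9._:\\/-]+$")


def _in_vmware_static_range(mac: str) -> bool:
    """Assumed from vSphere docs: manual MACs are 00:50:56:00:00:00 to 00:50:56:3F:FF:FF."""
    octets = [int(part, 16) for part in mac.split(":")]
    return octets[:3] == [0x00, 0x50, 0x56] and octets[3] <= 0x3F


def _sequential(indices: set, first_allowed=(0, 1)) -> bool:
    """True when indices run without gaps from 0 or 1 (Disk0 exists implicitly)."""
    lo = min(indices)
    return lo in first_allowed and indices == set(range(lo, max(indices) + 1))


def validate_custom_properties(props: dict) -> list:
    """Return a sorted list of problems; an empty list means the set is consistent."""
    issues, disks, nets = [], set(), set()
    for key, value in props.items():
        m = _INDEXED.match(key)
        if not m:
            continue
        kind, n, attr = m.group(1), int(m.group(2)), m.group(3)
        if kind == "Network":
            nets.add(n)
            continue
        disks.add(n)
        if attr == "Size" and n == 0:
            issues.append("Disk0.Size comes from the blueprint storage value, not a custom property")
        elif attr == "Size" and not str(value).isdigit():
            issues.append(f"Disk{n}.Size must be a whole number of GB")
        elif attr == "Label" and len(value) > 32:
            issues.append(f"Disk{n}.Label is longer than 32 characters")
        elif attr == "Letter" and not (re.fullmatch(r"[A-Za-z]", value) or value.startswith("/")):
            issues.append(f"Disk{n}.Letter must be a drive letter or a mount point")
    if disks and not _sequential(disks):
        issues.append("DiskN numbering is not sequential")
    if nets and not _sequential(nets, first_allowed=(0,)):
        issues.append("NetworkN numbering must start at 0 and be sequential")
    for n in sorted(nets):
        mac_type = props.get(f"VirtualMachine.Network{n}.MacAddressType", "generated")
        mac = props.get(f"VirtualMachine.Network{n}.MacAddress", "")
        if mac_type not in ("generated", "static"):
            issues.append(f"Network{n}.MacAddressType must be generated or static")
        elif mac_type == "static":
            if not _MAC.match(mac):
                issues.append(f"Network{n}.MacAddressType static requires a valid Network{n}.MacAddress")
            elif not _in_vmware_static_range(mac):
                issues.append(f"Network{n}.MacAddress is outside the VMware static range")
    delay = props.get("VirtualMachine.Admin.CustomizeGuestOSDelay")
    if delay is not None and not _DELAY.match(delay):
        issues.append("CustomizeGuestOSDelay must be in HH:MM:SS format")
    name = props.get("Linux.ExternalScript.Name")
    if name:
        location = props.get("Linux.ExternalScript.LocationType")
        path = props.get("Linux.ExternalScript.Path", "")
        if location not in ("local", "nfs"):
            issues.append("Linux.ExternalScript.LocationType must be local or nfs")
        if location == "nfs" and not props.get("Linux.ExternalScript.Server"):
            issues.append("Linux.ExternalScript.LocationType nfs requires Linux.ExternalScript.Server")
        if not path.startswith("/") or path.endswith("/" + name):
            issues.append("Linux.ExternalScript.Path must start with / and not include the file name")
    for key, value in props.items():
        if key.startswith("VirtualMachine.Software") and key.endswith(".ScriptPath"):
            for ref in _PLACEHOLDER.findall(value):
                if ref not in props:
                    issues.append(f"{key} references undefined property {ref}")
    return sorted(issues)


def expand_script_path(script_path: str, props: dict) -> str:
    """Expand {CustomPropertyName} placeholders as described for
    VirtualMachine.SoftwareN.ScriptPath, refusing unsafe or undefined values."""
    def substitute(m):
        ref = m.group(1)
        if ref not in props:
            raise KeyError(f"undefined custom property {ref}")
        value = str(props[ref])
        if not _SAFE_VALUE.match(value):
            raise ValueError(f"refusing to substitute unsafe value for {ref}")
        return value
    return _PLACEHOLDER.sub(substitute, script_path)


def safe_to_expand(script_path: str, props: dict) -> bool:
    """True when every placeholder resolves to a value expand_script_path accepts."""
    try:
        expand_script_path(script_path, props)
        return True
    except (KeyError, ValueError):
        return False


# Constructed sample property set: a cloned Windows machine with one extra disk.
SAMPLE_PROPS = {
    "VirtualMachine.Admin.UseGuestAgent": "True",
    "VirtualMachine.Admin.CustomizeGuestOSDelay": "00:01:00",
    "VirtualMachine.Disk1.Size": "150",
    "VirtualMachine.Disk1.Letter": "G",
    "VirtualMachine.Disk1.Label": "data",
    "VirtualMachine.Network0.MacAddressType": "static",
    "VirtualMachine.Network0.MacAddress": "00:50:56:01:02:03",
    "VirtualMachine.Network0.ProfileName": "app-tier",
    "ActivationKey": "1234",
    "VirtualMachine.Software0.ScriptPath": r"D:\InstallApp.bat -key {ActivationKey}",
}

if __name__ == "__main__":
    print(validate_custom_properties(SAMPLE_PROPS) or "no issues")
    print(expand_script_path(SAMPLE_PROPS["VirtualMachine.Software0.ScriptPath"], SAMPLE_PROPS))
```

The character allow-list in expand_script_path is deliberately narrow; widen it only for values your install script actually needs.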

Preparing for vCloud Air and vCloud Director Provisioning

To prepare for provisioning vCloud Air and vCloud Director machines by using vRealize Automation, you must configure the organization virtual data center with templates and customization objects.
To provision vCloud Air and vCloud Director resources using vRealize Automation, the organization requires a template to clone from that consists of one or more machine resources.
Templates that are to be shared across organizations must be public. Only reserved templates are available to vRealize Automation as a cloning source.
NOTE When you create a blueprint by cloning from a template, that template's unique identifier becomes associated with the blueprint. When the blueprint is published to the vRealize Automation catalog and used in the provisioning and data collection processes, the associated template is recognized. If you delete the template in vCloud Air or vCloud Director, subsequent vRealize Automation provisioning and data collection fails because the associated template no longer exists. Instead of deleting and recreating a template, for example to upload an updated version, replace the template using the vCloud Air or vCloud Director template replacement process. Replacing the template, rather than deleting and recreating it, keeps the template's unique ID intact and allows provisioning and data collection to continue functioning.
vRealize Automation requires that its published catalog be shared with all the vCloud Director organizations. Data collection fails if the published catalog is not shared with all the vCloud Director organizations.
The following overview illustrates the steps you need to perform before using vRealize Automation to create endpoints and define reservations and blueprints. For more information about these administrative tasks, see the vCloud Air and vCloud Director product documentation.
1 In vCloud Air or vCloud Director, create a template for cloning and add it to the organization catalog.
2 In vCloud Air or vCloud Director, use the template to specify custom settings such as passwords, domain, and scripts for the guest operating system on each machine.
You can use vRealize Automation to override some of these settings.
Customization can vary depending on the guest operating system of the resource.
3 In vCloud Air or vCloud Director, configure the catalog to be shared with everyone in the organization.
In vCloud Air or vCloud Director, configure account administrator access to applicable organizations to allow all users and groups in the organization to have access to the catalog. Without this sharing designation, the catalog templates are not visible to endpoint or blueprint architects in vRealize Automation.
4 Gather the following information so that you can include it in blueprints:
• Name of the vCloud Air or vCloud Director template.
• Amount of total storage specified for the template.

Preparing for Linux Kickstart Provisioning

Linux Kickstart provisioning uses a configuration file to automate a Linux installation on a newly provisioned machine. To prepare for provisioning you must create a bootable ISO image and a Kickstart or autoYaST configuration file.
The following is a high-level overview of the steps required to prepare for Linux Kickstart provisioning:
1 Verify that a DHCP server is available on the network. vRealize Automation cannot provision machines by using Linux Kickstart provisioning unless DHCP is available.
2 Prepare the configuration file. In the configuration file, you must specify the locations of the vRealize Automation server and the Linux agent installation package. See “Prepare the Linux Kickstart Configuration Sample File,” on page 47.
3 Edit the isolinux/isolinux.cfg or loader/isolinux.cfg to specify the name and location of the configuration file and the appropriate Linux distribution source.
4 Create the boot ISO image and save it to the location required by your virtualization platform. See the documentation provided by your hypervisor for information about the required location.
5 (Optional) Add customization scripts.
a To specify post-installation customization scripts in the configuration file, see “Specify Custom Scripts in a kickstart/autoYaST Configuration File,” on page 47.
b To call Visual Basic scripts in a blueprint, see “Checklist for Running Visual Basic Scripts During Provisioning,” on page 27.
6 Gather the following information so that blueprint architects can include it in their blueprints:
a The name and location of the ISO image.
b For vCenter Server integrations, the vCenter Server guest operating system version with which vCenter Server is to create the machine.
NOTE You can create a property group with the property set BootIsoProperties to include the required ISO information. This makes it easier to include this information correctly on blueprints.
Prepare the Linux Kickstart Configuration Sample File
vRealize Automation provides sample configuration files that you can modify and edit to suit your needs. There are several changes required to make the files usable.
Procedure
1 Navigate to the vCloud Automation Center Appliance management console installation page.
For example: https://vcac-hostname.domain.name:5480/installer/.
2 Download and save the Linux Guest Agent Packages.
3 Unpack the LinuxGuestAgentPkgs file.
4 Navigate to the LinuxGuestAgentPkgs directory and locate the subdirectory that corresponds to the guest operating system that you are deploying during provisioning.
5 Open the sample-https.cfg file.
6 Replace all instances of the string host=dcac.example.net with the IP address or fully qualified domain name and port number for the vRealize Automation server host, in the format required for your platform.
Platform: vSphere ESXi. Required format: IP address, for example --host=172.20.9.59
Platform: vSphere ESX. Required format: IP address, for example --host=172.20.9.58
Platform: SUSE 10. Required format: IP address, for example --host=172.20.9.57
Platform: All others. Required format: FQDN, for example --host=mycompany-host1.mycompany.local:443
7 Locate each instance of gugent.rpm or gugent.tar.gz and replace the URL rpm.example.net with the location of the guest agent package.
For example:
rpm -i nfs:172.20.9.59/suseagent/gugent.rpm
8 Save the file to a location accessible to newly provisioned machines.
Specify Custom Scripts in a kickstart/autoYaST Configuration File
You can modify the conguration le to copy or install custom scripts onto newly provisioned machines. The Linux agent runs the scripts at the specied point in the workow.
Your script can reference any of the ./properties.xml les in the /usr/share/gugent/site/workitem directories.
VMware, Inc. 47
Configuring vRealize Automation
Prerequisites
Prepare a kickstart or autoYaST conguration le. See “Prepare the Linux Kickstart Conguration
n
Sample File,” on page 47.
Your script must return a non-zero value on failure to prevent machine provisioning failure.
n
Procedure
1 Create or identify the script you want to use.
2 Save the script as NN_scriptname.
NN is a two digit number. Scripts are executed in order from lowest to highest. If two scripts have the same number, the order is alphabetical based on scriptname.
3 Make your script executable.
4 Locate the post-installation section of your kickstart or autoYaST conguration le.
In kickstart, this is indicated by %post. In autoYaST, this is indicated by post-scripts.
5 Modify the post-installation section of the conguration le to copy or install your script into
the /usr/share/gugent/site/workitem directory of your choice.
Custom scripts are most commonly run for virtual kickstart/autoYaST with the work items SetupOS (for create provisioning) and CustomizeOS (for clone provisioning), but you can run scripts at any point in the workow.
For example, you can modify the conguration le to copy the script 11_addusers.sh to the /usr/share/gugent/site/SetupOS directory on a newly provisioned machine by using the following command:
cp nfs:172.20.9.59/linuxscripts/11_addusers.sh /usr/share/gugent/site/SetupOS
The Linux agent runs the script in the order specified by the work item directory and the script file name.
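The NN_scriptname ordering rule and the non-zero-exit requirement above, modelled as an added shell example (this is not code from the VMware manual or the guest agent). It builds a constructed SetupOS work item directory, lists its scripts in the order the agent would run them, and stops at the first failing script; the sample script names, the user-list path and the directory are all constructed for the example.

```bash
#!/bin/bash
# Added example, not from the VMware manual: models the NN_scriptname rule the
# Linux guest agent applies to /usr/share/gugent/site/<workitem> directories and
# shows a custom script that exits non-zero on failure. The directory and the
# sample scripts are constructed here; the work item name follows the manual.
set -u

# A valid name is two digits, an underscore, then the script name.
is_valid_workitem_script() {
    case "$1" in
        [0-9][0-9]_?*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the scripts of one work item directory in agent execution order:
# lowest NN first, alphabetical by name within the same NN. Because NN is
# zero-padded, a C-locale sort of the file names yields exactly that order.
# Files that do not follow the naming rule are ignored.
list_workitem_scripts() {
    local dir="$1" f name
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        is_valid_workitem_script "$name" && printf '%s\n' "$name"
    done | LC_ALL=C sort
}

# Run the scripts in that order and stop at the first non-zero exit, so a
# failed step is reported instead of being hidden behind later successes.
run_workitem_scripts() {
    local dir="$1" name
    for name in $(list_workitem_scripts "$dir"); do
        if [ ! -x "$dir/$name" ]; then
            echo "not executable: $name" >&2
            return 2
        fi
        if ! "$dir/$name"; then
            echo "failed: $name" >&2
            return 1
        fi
    done
    return 0
}

# Build a constructed SetupOS work item directory with three scripts. The
# 11_addusers.sh script deliberately fails when its (constructed) user list
# is absent, which is the behaviour the prerequisites ask for.
make_sample_workitem() {
    local dir="$1"
    mkdir -p "$dir"
    cat > "$dir/05_hostname.sh" <<'EOF'
#!/bin/sh
echo "05_hostname: would set the host name here"
exit 0
EOF
    cat > "$dir/11_adduser.sh" <<'EOF'
#!/bin/sh
echo "11_adduser: runs before 11_addusers because '.' sorts before 's'"
exit 0
EOF
    cat > "$dir/11_addusers.sh" <<'EOF'
#!/bin/sh
# Constructed path: the user list is absent on purpose to show failure handling.
list=/tmp/gugent-users.constructed
[ -f "$list" ] || { echo "11_addusers: $list not found" >&2; exit 1; }
while read -r user; do useradd "$user" || exit 1; done < "$list"
EOF
    printf 'not a work item script\n' > "$dir/README"
    chmod +x "$dir"/[0-9][0-9]_*.sh
}
```

Usage: `make_sample_workitem /tmp/SetupOS.sample && list_workitem_scripts /tmp/SetupOS.sample` prints the three scripts in run order and skips README; `run_workitem_scripts /tmp/SetupOS.sample` returns 1 at 11_addusers.sh. On a provisioned machine the directory would be /usr/share/gugent/site/SetupOS, populated by the cp line in the %post section shown above.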

Preparing for SCCM Provisioning

vRealize Automation boots a newly provisioned machine from an ISO image, and then passes control to the specified SCCM task sequence.
SCCM provisioning is supported for the deployment of Windows operating systems. Linux is not supported. Software distribution and updates are not supported.
The following is a high-level overview of the steps required to prepare for SCCM provisioning:
1 Consult with your network administrator to ensure that the following network requirements are met:
- Communication with SCCM requires the NetBios name of the SCCM server. At least one Distributed Execution Manager (DEM) must be able to resolve the fully qualified name of the SCCM server to its NetBios name.
- The SCCM server and the vRealize Automation server must be on the same network and available to each other.
2 Create a software package that includes the vRealize Automation guest agent. See “Create a Software
Package for SCCM Provisioning,” on page 49.
3 In SCCM, create the desired task sequence for provisioning the machine. The final step must be to install the software package you created that contains the vRealize Automation guest agent. For information about creating task sequences and installing software packages, see SCCM documentation.
4 Create a zero touch boot ISO image for the task sequence. By default, SCCM creates a light touch boot ISO image. For information about configuring SCCM for zero touch ISO images, see SCCM documentation.
5 Copy the ISO image to the location required by your virtualization platform. If you do not know the
appropriate location, refer to the documentation provided by your hypervisor.
6 Gather the following information so that blueprint architects can include it on blueprints:
a The name of the collection containing the task sequence.
b The fully qualied domain name of the SCCM server on which the collection containing the
sequence resides.
c The site code of the SCCM server.
d Administrator-level credentials for the SCCM server.
e (Optional) For SCVMM integrations, the ISO, virtual hard disk, or hardware profile to attach to provisioned machines.
NOTE You can create a property group with the SCCMProvisioningProperties property set to include all of this required information. This makes it easier to include the information on blueprints.
Create a Software Package for SCCM Provisioning
The nal step in your SCCM task sequence must be to install a software package that includes the vRealize Automation guest agent.
Procedure
1 Navigate to the vCloud Automation Center Appliance management console installation page.
For example: hps://vcac-hostname.domain.name:5480/installer/.
2 Download and save the Windows guest agent les.
Windows guest agent les (32-bit.)
n
Windows guest agent les (64-bit.)
n
3 Extract the Windows guest agent les to a location available to SCCM.
4 Create a software package from the denition le SCCMPackageDefinitionFile.sms.
5 Make the software package available to your distribution point.
6 Select the contents of the extracted Windows guest agent les as your source les.

Preparing for WIM Provisioning

Provision a machine by booting into a WinPE environment and then install an operating system using a Windows Imaging File Format (WIM) image of an existing Windows reference machine.
The following is a high-level overview of the steps required to prepare for WIM provisioning:
1 Identify or create the staging area. This should be a network directory that can be specified as a UNC
path or mounted as a network drive by the reference machine, the system on which you build the WinPE image, and the virtualization host on which machines are provisioned.
2 Ensure that a DHCP server is available on the network. vRealize Automation cannot provision
machines by using a WIM image unless DHCP is available.
3 Identify or create the reference machine within the virtualization platform you intend to use for
provisioning. For vRealize Automation requirements, see “Reference Machine Requirements for WIM
Provisioning,” on page 50. For information about creating a reference machine, see the documentation
provided by your hypervisor.
4 Using the System Preparation Utility for Windows, prepare the reference machine's operating system
for deployment. See “SysPrep Requirements for the Reference Machine,” on page 51.
5 Create the WIM image of the reference machine. Do not include any spaces in the WIM image file name
or provisioning fails.
6 Create a WinPE image that contains the vRealize Automation guest agent. You can use the vRealize Automation PEBuilder to create a WinPE image that includes the guest agent.
- “Install PEBuilder,” on page 51.
- (Optional) Create any custom scripts you want to use to customize provisioned machines and place them in the appropriate work item directory of your PEBuilder installation. See “Specify Custom Scripts in a PEBuilder WinPE,” on page 52.
- If you are using VirtIO for network or storage interfaces, you must ensure that the necessary drivers are included in your WinPE image and WIM image. See “Preparing for WIM Provisioning with VirtIO Drivers,” on page 52.
- “Create a WinPE Image by Using PEBuilder,” on page 53.
You can create the WinPE image by using another method, but you must manually insert the vRealize Automation guest agent. See “Manually Insert the Guest Agent into a WinPE Image,” on page 54.
7 Place the WinPE image in the location required by your virtualization platform. If you do not know the
location, see the documentation provided by your hypervisor.
8 Gather the following information so that you can include it in the blueprint:
a The name and location of the WinPE ISO image.
b The name of the WIM file, the UNC path to the WIM file, and the index used to extract the desired image from the WIM file.
c The user name and password under which to map the WIM image path to a network drive on the
provisioned machine.
d (Optional) If you do not want to accept the default, K, the drive letter to which the WIM image path
is mapped on the provisioned machine.
e For vCenter Server integrations, the vCenter Server guest operating system version with which
vCenter Server is to create the machine.
f (Optional) For SCVMM integrations, the ISO, virtual hard disk, or hardware profile to attach to
provisioned machines.
N You can create a property group to include all of this required information. Using a property group makes it easier to include all the information correctly in blueprints.
Reference Machine Requirements for WIM Provisioning
WIM provisioning involves creating a WIM image from a reference machine. The reference machine must meet basic requirements for the WIM image to work for provisioning in vRealize Automation.
The following is a high-level overview of the steps to prepare a reference machine:
1 If the operating system on your reference machine is Windows Server 2008 R2, Windows Server 2012,
Windows 7, or Windows 8, the default installation creates a small partition on the system's hard disk in addition to the main partition. vRealize Automation does not support the use of WIM images created on such multi-partitioned reference machines. You must delete this partition during the installation process.
2 Install .NET 4.5 and Windows Automated Installation Kit (AIK) for Windows 7 (including WinPE 3.0)
on the reference machine.
3 If the reference machine operating system is Windows Server 2003 or Windows XP, reset the
administrator password to be blank. (There is no password.)
4 (Optional) If you want to enable XenDesktop integration, install and configure a
Citrix Virtual Desktop Agent.
5 (Optional) A Windows Management Instrumentation (WMI) agent is required to collect certain data
from a Windows machine managed by vRealize Automation, for example the Active Directory status of a machine’s owner. To ensure successful management of Windows machines, you must install a WMI agent (typically on the Manager Service host) and enable the agent to collect data from Windows machines. See Installing vRealize Automation 7.1.
SysPrep Requirements for the Reference Machine
A SysPrep answer file contains several required settings that are used for WIM provisioning.
Table 114. Windows Server or Windows XP reference machine SysPrep required settings
GuiUnattended Settings    Value
AutoLogon                 Yes
AutoLogonCount            1
AutoLogonUsername         username
AutoLogonPassword         password corresponding to the AutoLogonUsername.
(username and password are the credentials used for auto logon when the newly provisioned machine boots into the guest operating system. Administrator is typically used.)
Table 115. Required SysPrep Settings for reference machines that are not using Windows Server 2003 or Windows XP
AutoLogon Settings        Value
Enabled                   Yes
LogonCount                1
Username                  username
Password                  password
(username and password are the credentials used for auto logon when the newly provisioned machine boots into the guest operating system. Administrator is typically used.)
NOTE For reference machines that use a Windows platform newer than Windows Server 2003/Windows XP, you must set the autologon password by using the custom property Sysprep.GuiUnattended.AdminPassword. A convenient way to ensure this is done is to create a property group that includes this custom property so that tenant administrators and business group managers can include this information correctly in their blueprints.
Install PEBuilder
The PEBuilder tool provided by vRealize Automation provides a simple way to include the vRealize Automation guest agent in your WinPE images.
PEBuilder has a 32 bit guest agent. If you need to run commands specific to 64 bit, install PEBuilder and then get the 64 bit files from the GugentZipx64.zip file.
Install PEBuilder in a location where you can access your staging environment.
Prerequisites
- Install .NET Framework 4.5.
- Windows Automated Installation Kit (AIK) for Windows 7 (including WinPE 3.0) is installed.
Procedure
1 Navigate to the vCloud Automation Center Appliance management console installation page.
For example: hps://vcac-hostname.domain.name:5480/installer/.
2 Download the PEBuilder.
3 (Optional) Download the Windows 64-bit guest agent package if you want to include the Windows 64-
bit guest agent in your WinPE instead of the Windows 32-bit guest agent.
4 Run vCAC-WinPEBuilder-Setup.exe.
5 Follow the prompts to install PEBuilder.
6 (Optional) Replace the Windows 32-bit guest agent files located in \PE Builder\Plugins\VRM Agent\VRMGuestAgent with the 64-bit files to include the 64-bit agent in your WinPE.
You can use PEBuilder to create a WinPE for use in WIM provisioning.
Specify Custom Scripts in a PEBuilder WinPE
You can use PEBuilder to customize machines by running custom bat scripts at specified points in the provisioning workflow.
Prerequisites
“Install PEBuilder,” on page 51.
Procedure
1 Create or identify the bat script you want to use.
Your script must return a non-zero value on failure to prevent machine provisioning failure.
2 Save the script as NN_scriptname.
NN is a two digit number. Scripts are executed in order from lowest to highest. If two scripts have the same number, the order is alphabetical based on scriptname.
3 Make your script executable.
4 Place the scripts in the work item subdirectory that corresponds to the point in the provisioning workflow you want the script to run.
For example, C:\Program Files (x86)\VMware\vRA\PE Builder\Plugins\VRM Agent\VRMGuestAgent\site\SetupOS.
The agent runs the script in the order specified by the work item directory and the script file name.
Preparing for WIM Provisioning with VirtIO Drivers
If you are using VirtIO for network or storage interfaces, you must ensure that the necessary drivers are included in your WinPE image and WIM image. VirtIO generally offers better performance when provisioning with KVM (RHEV).
Windows drivers for VirtIO are included as part of Red Hat Enterprise Virtualization and are located in the /usr/share/virtio-win directory on the file system of the Red Hat Enterprise Virtualization Manager. The drivers are also included in the Red Hat Enterprise Virtualization Guest Tools located at /usr/share/rhev-guest-tools-iso/rhev-tools-setup.iso.
The high-level process for enabling WIM-based provisioning with VirtIO drivers is as follows:
1 Create a WIM image from a Windows reference machine with the VirtIO drivers installed or insert the
drivers into an existing WIM image.
2 Copy the VirtIO driver files to the Plugins subdirectory of your PEBuilder installation directory before
creating a WinPE image, or insert the drivers into a WinPE image created using other means.
3 Upload the WinPE image ISO to the Red Hat Enterprise Virtualization ISO storage domains using the
rhevm-iso-uploader command. For more information about managing ISO images in RHEV refer to the
Red Hat documentation.
4 Create a KVM (RHEV) blueprint for WIM provisioning and select the WinPE ISO option. The custom
property VirtualMachine.Admin.DiskInterfaceType must be included with the value VirtIO. A fabric administrator can include this information in a property group for inclusion on blueprints.
The custom properties Image.ISO.Location and Image.ISO.Name are not used for KVM (RHEV) blueprints.
Create a WinPE Image by Using PEBuilder
Use the PEBuilder tool provided by vRealize Automation to create a WinPE ISO file that includes the vRealize Automation guest agent.
Prerequisites
- “Install PEBuilder,” on page 51.
- (Optional) Configure PEBuilder to include the Windows 64-bit guest agent in your WinPE instead of the Windows 32-bit guest agent. See “Install PEBuilder,” on page 51.
- (Optional) Add any third party plugins you want to add to the WinPE image to the PlugIns subdirectory of the PEBuilder installation directory.
- (Optional) “Specify Custom Scripts in a PEBuilder WinPE,” on page 52.
Procedure
1 Run PEBuilder.
2 Enter the IaaS Manager Service host information.
Option: If you are using a load balancer
a Enter the fully qualified domain name of the load balancer for the IaaS Manager Service in the vCAC Hostname text box. For example, manager_service_LB.mycompany.com.
b Enter the port number for the IaaS Manager Service load balancer in the vCAC Port text box. For example, 443.
Option: With no load balancer
a Enter the fully qualified domain name of the IaaS Manager Service machine in the vCAC Hostname text box. For example, manager_service.mycompany.com.
b Enter the port number for the IaaS Manager Service machine in the vCAC Port text box. For example, 443.
3 Enter the path to the PEBuilder plugins directory.
This depends on the installation directory specified during installation. The default is C:\Program Files (x86)\VMware\vCAC\PE Builder\PlugIns.
4 Enter the output path for the ISO file you are creating in the ISO Output Path text box.
This location should be on the staging area you prepared.
5 Click File > Advanced.
N Do not change the WinPE Architecture or Protocol seings.
6 Select the Include vCAC Guest Agent in WinPE ISO check box.
7 Click OK.
8 Click Build.
What to do next
Place the WinPE image in the location required by your integration platform. If you do not know the location, please see the documentation provided by your platform.
If you are provisioning HP iLO machines, place the WinPE image in a web-accessible location. For Dell iDRAC machines, place the image in a location available to NFS or CIFS. Record the address.
Manually Insert the Guest Agent into a WinPE Image
You do not have to use the vRealize Automation PEBuilder to create your WinPE. However, if you do not use the PEBuilder you must manually insert the vRealize Automation guest agent into your WinPE image.
Prerequisites
- Select a Windows system from which the staging area you prepared is accessible and on which .NET 4.5 and Windows Automated Installation Kit (AIK) for Windows 7 (including WinPE 3.0) are installed.
- Create a WinPE.
Procedure
1 Install the Guest Agent in a WinPE on page 55
If you choose not to use the vRealize Automation PEBuilder to create your WinPE, you must install PEBuilder to manually copy the guest agent files to your WinPE image.
2 Configure the doagent.bat File on page 55
If you choose not to use the vRealize Automation PEBuilder, you must manually configure the doagent.bat file.
3 Configure the doagentc.bat File on page 56
If you choose not to use the vRealize Automation PEBuilder, you must manually configure the doagentc.bat file.
4 Configure the Guest Agent Properties Files on page 57
If you choose not to use the vRealize Automation PEBuilder, you must manually configure the guest agent properties files.
Install the Guest Agent in a WinPE
If you choose not to use the vRealize Automation PEBuilder to create your WinPE, you must install PEBuilder to manually copy the guest agent files to your WinPE image.
PEBuilder has a 32 bit guest agent. If you need to run commands specific to 64 bit, install PEBuilder and then get the 64 bit files from the GugentZipx64.zip file.
Prerequisites
- Select a Windows system from which the staging area you prepared is accessible and on which .NET 4.5 and Windows Automated Installation Kit (AIK) for Windows 7 (including WinPE 3.0) are installed.
- Create a WinPE.
Procedure
1 Navigate to the vCloud Automation Center Appliance management console installation page.
For example: hps://vcac-hostname.domain.name:5480/installer/.
2 Download the PEBuilder.
3 (Optional) Download the Windows 64-bit guest agent package if you want to include the Windows 64-
bit guest agent in your WinPE instead of the Windows 32-bit guest agent.
4 Execute vCAC-WinPEBuilder-Setup.exe.
5 Deselect both Plugins and PEBuilder.
6 Expand Plugins and select VRMAgent.
7 Follow the prompts to complete the installation.
8 (Optional) After installation is complete, replace the Windows 32-bit guest agent files located in \PE Builder\Plugins\VRM Agent\VRMGuestAgent with the 64-bit files to include the 64-bit agent in your WinPE.
9 Copy the contents of %SystemDrive%\Program Files (x86)\VMware\PE Builder\Plugins\VRM
Agent\VRMGuestAgent to a new location within your WinPE Image.
For example: C:\Program Files (x86)\VMware\PE Builder\Plugins\VRM Agent\VRMGuestAgent.
What to do next
“Congure the doagent.bat File,” on page 55.
Configure the doagent.bat File
If you choose not to use the vRealize Automation PEBuilder, you must manually configure the doagent.bat file.
Prerequisites
“Install the Guest Agent in a WinPE,” on page 55.
Procedure
1 Navigate to the VRMGuestAgent directory within your WinPE Image.
For example: C:\Program Files (x86)\VMware\PE Builder\Plugins\VRM Agent\VRMGuestAgent.
2 Make a copy of the le doagent-template.bat and name it doagent.bat.
3 Open doagent.bat in a text editor.
4 Replace all instances of the string #Dcac Hostname# with the fully qualified domain name and port number of the IaaS Manager Service host.
Option: If you are using a load balancer
Enter the fully qualified domain name and port of the load balancer for the IaaS Manager Service. For example, manager_service_LB.mycompany.com:443
Option: With no load balancer
Enter the fully qualified domain name and port of the machine on which the IaaS Manager Service is installed. For example, manager_service.mycompany.com:443
5 Replace all instances of the string #Protocol# with the string /ssl.
6 Replace all instances of the string #Comment# with REM (REM must be followed by a trailing space).
7 (Optional) If you are using self-signed certificates, uncomment the openSSL command.
echo QUIT | c:\VRMGuestAgent\bin\openssl s_client -connect
8 Save and close the file.
9 Edit the Startnet.cmd script for your WinPE to include the doagent.bat as a custom script.
What to do next
“Configure the doagentc.bat File,” on page 56.
Configure the doagentc.bat File
If you choose not to use the vRealize Automation PEBuilder, you must manually configure the doagentc.bat file.
Prerequisites
“Congure the doagent.bat File,” on page 55.
Procedure
1 Navigate to the VRMGuestAgent directory within your WinPE Image.
For example: C:\Program Files (x86)\VMware\PE Builder\Plugins\VRM Agent\VRMGuestAgent.
2 Make a copy of the le doagentsvc-template.bat and name it doagentc.bat.
3 Open doagentc.bat in a text editor.
4 Remove all instances of the string #Comment#.
5 Replace all instances of the string #Dcac Hostname# with the fully qualified domain name and port number of the Manager Service host.
The default port for the Manager Service is 443.
Option: If you are using a load balancer
Enter the fully qualified domain name and port of the load balancer for the Manager Service. For example, load_balancer_manager_service.mycompany.com:443
Option: With no load balancer
Enter the fully qualified domain name and port of the Manager Service. For example, manager_service.mycompany.com:443
6 Replace all instances of the string #errorlevel# with the character 1.
7 Replace all instances of the string #Protocol# with the string /ssl.
8 Save and close the le.
What to do next
“Congure the Guest Agent Properties Files,” on page 57.
Configure the Guest Agent Properties Files
If you choose not to use the vRealize Automation PEBuilder, you must manually configure the guest agent properties files.
Prerequisites
“Congure the doagentc.bat File,” on page 56.
Procedure
1 Navigate to the VRMGuestAgent directory within your WinPE Image.
For example: C:\Program Files (x86)\VMware\PE Builder\Plugins\VRM Agent\VRMGuestAgent.
2 Make a copy of the le gugent.properties and name it gugent.properties.template.
3 Make a copy of the le gugent.properties.template and name it gugentc.properties.
4 Open gugent.properties in a text editor.
5 Replace all instances of the string GuestAgent.log with the string X:/VRMGuestAgent/GuestAgent.log.
6 Save and close the file.
7 Open gugentc.properties in a text editor.
8 Replace all instances of the string GuestAgent.log with the string C:/VRMGuestAgent/GuestAgent.log.
9 Save and close the file.
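The placeholder substitutions from “Configure the doagent.bat File,” “Configure the doagentc.bat File,” and “Configure the Guest Agent Properties Files” above, collected into one added shell example (not VMware's code and not part of PEBuilder). Each function reads a template on stdin and writes the rendered file on stdout, and the Manager Service value is checked for a port before it is substituted. The template texts at the bottom are constructed stand-ins for the real doagent-template.bat, doagentsvc-template.bat and gugent.properties files; the `set VRM_HOST` and `log.file` lines in them are constructed, not lines from the shipped templates.

```bash
#!/bin/bash
# Added example, not VMware's code: the placeholder substitutions described in
# "Configure the doagent.bat File", "Configure the doagentc.bat File" and
# "Configure the Guest Agent Properties Files", as shell functions that read a
# template on stdin and write the rendered file on stdout. The template text
# used below is a constructed stand-in, not the real PEBuilder template.
set -u

# Accept only <fqdn>:<port> so a Manager Service value without its port is
# caught before it ends up in the WinPE.
check_manager_host() {
    case "$1" in
        *:[0-9]*) return 0 ;;
        *) echo "expected <fqdn>:<port>, got '$1'" >&2; return 1 ;;
    esac
}

# doagent.bat: #Dcac Hostname# -> host:port, #Protocol# -> /ssl,
# #Comment# -> "REM " (the manual requires the trailing space).
render_doagent() {
    local host="$1"
    check_manager_host "$host" || return 1
    sed -e "s|#Dcac Hostname#|$host|g" \
        -e 's|#Protocol#|/ssl|g' \
        -e 's|#Comment#|REM |g'
}

# doagentc.bat: #Comment# removed, #Dcac Hostname# -> host:port,
# #errorlevel# -> 1, #Protocol# -> /ssl.
render_doagentc() {
    local host="$1"
    check_manager_host "$host" || return 1
    sed -e 's|#Comment#||g' \
        -e "s|#Dcac Hostname#|$host|g" \
        -e 's|#errorlevel#|1|g' \
        -e 's|#Protocol#|/ssl|g'
}

# gugent.properties (X:, the WinPE RAM drive) and gugentc.properties (C:, the
# installed system drive): redirect GuestAgent.log to the full path.
render_gugent_properties() {
    local drive="$1"
    case "$drive" in
        [A-Z]) ;;
        *) echo "single drive letter expected, got '$drive'" >&2; return 1 ;;
    esac
    sed -e "s|GuestAgent\.log|$drive:/VRMGuestAgent/GuestAgent.log|g"
}

# Constructed stand-ins for the three templates (not the shipped files).
DOAGENT_TEMPLATE='#Comment#constructed stand-in for doagent-template.bat
#Comment#echo QUIT | c:\VRMGuestAgent\bin\openssl s_client -connect #Dcac Hostname#
set VRM_HOST=#Dcac Hostname#
set VRM_PROTOCOL=#Protocol#'

DOAGENTC_TEMPLATE='#Comment#constructed stand-in for doagentsvc-template.bat
set VRM_HOST=#Dcac Hostname#
set VRM_PROTOCOL=#Protocol#
if errorlevel #errorlevel# exit /b 1'

GUGENT_PROPERTIES_TEMPLATE='# constructed stand-in for gugent.properties
log.file=GuestAgent.log'
```

Usage: `printf '%s\n' "$DOAGENT_TEMPLATE" | render_doagent manager_service.mycompany.com:443 > doagent.bat`, and the same pattern with `render_doagentc` for doagentc.bat and `render_gugent_properties X` / `render_gugent_properties C` for the two properties files. Passing the host without its port makes the function fail before anything is written.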

Preparing for Virtual Machine Image Provisioning

Before you provision instances with OpenStack, you must have virtual machine images and flavors configured in the OpenStack provider.
Virtual Machine Images
You can select a virtual machine image from a list of available images when creating blueprints for OpenStack resources.
A virtual machine image is a template that contains a software configuration, including an operating system. Virtual machine images are managed by the OpenStack provider and are imported during data collection.
If an image that is used in a blueprint is later deleted from the OpenStack provider, it is also removed from the blueprint. If all the images have been removed from a blueprint, the blueprint is disabled and cannot be used for machine requests until it is edited to add at least one image.
OpenStack Flavors
You can select one or more flavors when creating OpenStack blueprints.
OpenStack flavors are virtual hardware templates that define the machine resource specifications for instances provisioned in OpenStack. Flavors are managed by the OpenStack provider and are imported during data collection.
vRealize Automation supports several flavors of OpenStack. For the most current information about OpenStack flavor support, see the vRealize Automation Support Matrix at https://www.vmware.com/support/pubs/vcac-pubs.html.

Preparing for Amazon Machine Image Provisioning

Prepare your Amazon Machine Images and instance types for provisioning in vRealize Automation.
Understanding Amazon Machine Images
You can select an Amazon machine image from a list of available images when creating Amazon machine blueprints.
An Amazon machine image is a template that contains a software configuration, including an operating system. They are managed by Amazon Web Services accounts. vRealize Automation manages the instance types that are available for provisioning.
The Amazon machine image and instance type must be available in an Amazon region. Not all instance types are available in all regions.
You can select an Amazon machine image provided by Amazon Web Services, a user community, or the AWS Marketplace site. You can also create and optionally share your own Amazon machine images. A single Amazon machine image can be used to launch one or many instances.
The following considerations apply to Amazon machine images in the Amazon Web Services accounts from which you provision cloud machines:
- Each blueprint must specify an Amazon machine image.
- A private Amazon machine image is available to a specific account and all its regions. A public Amazon machine image is available to all accounts, but only to a specific region in each account.
- When the blueprint is created, the specified Amazon machine image is selected from regions that have been data-collected. If multiple Amazon Web Services accounts are available, the business group manager must have rights to any private Amazon machine images. The Amazon machine image region and the specified user location restrict provisioning requests to reservations that match the corresponding region and location.
- Use reservations and policies to distribute Amazon machine images in your Amazon Web Services accounts. Use policies to restrict provisioning from a blueprint to a particular set of reservations.
- vRealize Automation cannot create user accounts on a cloud machine. The first time a machine owner connects to a cloud machine, she must log in as an administrator and add her vRealize Automation user credentials or an administrator must do that for her. She can then log in using her vRealize Automation user credentials.
  If the Amazon machine image generates the administrator password on every boot, the Edit Machine Record page displays the password. If it does not, you can find the password in the Amazon Web Services account. You can configure all Amazon machine images to generate the administrator password on every boot. You can also provide administrator password information to support users who provision machines for other users.
- To allow remote Microsoft Windows Management Instrumentation (WMI) requests on cloud machines provisioned in Amazon Web Services accounts, enable a Microsoft Windows Remote Management (WinRM) agent to collect data from Windows machines managed by vRealize Automation. See Installing vRealize Automation 7.1.
- A private Amazon machine image can be seen across tenants.
For related information, see Amazon Machine Images (AMI) topics in Amazon documentation.
Understanding Amazon Instance Types
An IaaS architect selects one or more Amazon instance types when creating Amazon EC2 blueprints. An IaaS administrator can add or remove instance types to control the choices available to the architects.
An Amazon EC2 instance is a virtual server that can run applications in Amazon Web Services. Instances are created from an Amazon machine image and by choosing an appropriate instance type.
To provision a machine in an Amazon Web Services account, an instance type is applied to the specied Amazon machine image. The available instance types are listed when architects create the Amazon EC2 blueprint. Architects select one or more instance types, and those instance types become choices available to the user when they request to provision a machine. The instance types must be supported in the designated region.
For related information, see Selecting Instance Types and Amazon EC2 Instance Details topics in Amazon documentation.
Add an Amazon Instance Type
Several instance types are supplied with vRealize Automation for use with Amazon blueprints. An administrator can add and remove instance types.
The machine instance types managed by IaaS administrators are available to blueprint architects when they create or edit an Amazon blueprint. Amazon machine images and instance types are made available through the Amazon Web Services product.
Prerequisites
Log in to the vRealize Automation console as an IaaS administrator.
Procedure
1 Click Infrastructure > Administration > Instance Types.
2 Click New Instance Type.
3 Add a new instance type, specifying the following parameters.
Information about the available Amazon instance types and the setting values that you can specify for these parameters is available from Amazon Web Services documentation in EC2 Instance Types - Amazon Web Services (AWS) at aws.amazon.com/ec2 and Instance Types at docs.aws.amazon.com.
- Name
- API name
- Type Name
- IO Performance Name
- CPUs
- Memory (GB)
- Storage (GB)
- Compute Units
4 Click the Save icon.
When IaaS architects create Amazon Web Services blueprints, they can use your custom instance types.
What to do next
Add the compute resources from your endpoint to a fabric group. See “Create a Fabric Group,” on page 175.
[Figure: You are here: Prepare Installation > Install > Prepare Template > Request Initial Content]

Scenario: Prepare vSphere Resources for Machine Provisioning in Rainpole

As the vSphere administrator creating templates for vRealize Automation, you want to use the vSphere Web Client to prepare for cloning CentOS machines in vRealize Automation.
You want to convert an existing CentOS reference machine into a vSphere template so you and your Rainpole architects can create blueprints for cloning CentOS machines in vRealize Automation. To prevent any conflicts that might arise from deploying multiple virtual machines with identical settings, you also want to create a general customization specification that you and your architects can use to create clone blueprints for Linux templates.
Procedure
1 Scenario: Convert Your CentOS Reference Machine into a Template for Rainpole on page 60
Using the vSphere Client, you convert your existing CentOS reference machine into a vSphere template for your vRealize Automation IaaS architects to reference as the base for their clone blueprints.
2 Scenario: Create a Customization Specification for Cloning Linux Machines in Rainpole on page 61
Using the vSphere Client, you create a standard customization specification for your vRealize Automation IaaS architects to use when they create clone blueprints for Linux machines.
Scenario: Convert Your CentOS Reference Machine into a Template for Rainpole
Using the vSphere Client, you convert your existing CentOS reference machine into a vSphere template for your vRealize Automation IaaS architects to reference as the base for their clone blueprints.
Procedure
1 Log in to your reference machine as the root user and prepare the machine for conversion.
a Remove udev persistence rules.
/bin/rm -f /etc/udev/rules.d/70*
b Enable machines cloned from this template to have their own unique identifiers.
/bin/sed -i '/^\(HWADDR\|UUID\)=/d' /etc/sysconfig/network-scripts/ifcfg-eth0
c Power down the machine.
shutdown -h now
2 Log in to the vSphere Web Client as an administrator.
3 Click the VM Options tab.
4 Right-click your reference machine and select Edit .
5 Enter Rainpole_centos_63_x86 in the VM Name text box.
6 Even though your reference machine has a CentOS guest operating system, select Red Hat Enterprise Linux 6 (64-bit) from the Guest OS Version drop-down menu.
If you select CentOS, your template and customization specification might not work as expected.
7 Right-click your Rainpole_centos_63_x86 reference machine in the vSphere Web Client and select Template > Convert to Template.
vCenter Server marks your Rainpole_centos_63_x86 reference machine as a template and displays the task in the Recent Tasks pane.
What to do next
To prevent any conflicts that might arise from deploying multiple virtual machines with identical settings, you create a general customization specification that you and your Rainpole architects can use to create clone blueprints for Linux templates.
Scenario: Create a Customization Specification for Cloning Linux Machines in Rainpole
Using the vSphere Client, you create a standard customization specification for your vRealize Automation IaaS architects to use when they create clone blueprints for Linux machines.
Procedure
1 On the home page, click Customization Specification Manager to open the wizard.
2 Click the New icon.
3 Specify properties.
a Select Linux from the Target VM Operating System drop-down menu.
b Enter Linux in the Customization Spec Name text box.
c Enter Rainpole Linux cloning with vRealize Automation in the Description text box.
d Click Next.
4 Set computer name.
a Select Use the virtual machine name.
b Enter the domain on which cloned machines are going to be provisioned in the Domain name text box.
For example, rainpole.local.
c Click Next.
5 Congure time zone seings.
6 Click Next.
7 Select Use standard network settings for the guest operating system, including enabling DHCP on all network interfaces.
8 Follow the prompts to enter the remaining required information.
9 On the Ready to complete page, review your selections and click Finish.
You have a general customization specification that you can use to create blueprints for cloning Linux machines.
What to do next
Log in to the vRealize Automation console as the configuration administrator you created during the installation and request the catalog items that quickly set up your proof of concept.

Preparing for Software Provisioning

Use Software to deploy applications and middleware as part of the vRealize Automation provisioning process for vSphere, vCloud Director, vCloud Air, and Amazon AWS machines.
You can deploy Software on machines if your blueprint supports Software and if you install the guest agent and software bootstrap agent on your reference machines before you convert them into templates, snapshots, or Amazon Machine Images.
Table 1-16. Provisioning Methods that Support Software
Provisioning Method: vSphere
Machine Type: Clone
Required Preparation: A clone blueprint provisions a complete and independent virtual machine based on a vCenter Server virtual machine template. If you want your templates for cloning to support Software components, install the guest agent and software bootstrap agent on your reference machine as you prepare a template for cloning. See “Checklist for Preparing to Provision by Cloning,” on page 33.

Provisioning Method: vSphere
Machine Type: Linked Clone
Required Preparation: A linked clone blueprint provisions a space-efficient copy of a vSphere machine based on a snapshot, using a chain of delta disks to track differences from the parent machine. If you want your linked clone blueprints to support Software components, install the guest agent and software bootstrap agent on the machine before you take the snapshot. If your snapshot machine was cloned from a template that supports Software, the required agents are already installed.

Provisioning Method: vCloud Director
Machine Type: Clone
Required Preparation: A clone blueprint provisions a complete and independent virtual machine based on a vCenter Server virtual machine template. If you want your templates for cloning to support Software components, install the guest agent and software bootstrap agent on your reference machine as you prepare a template for cloning. See “Checklist for Preparing to Provision by Cloning,” on page 33.

Provisioning Method: vCloud Air
Machine Type: Clone
Required Preparation: A clone blueprint provisions a complete and independent virtual machine based on a vCenter Server virtual machine template. If you want your templates for cloning to support Software components, install the guest agent and software bootstrap agent on your reference machine as you prepare a template for cloning. See “Checklist for Preparing to Provision by Cloning,” on page 33.

Provisioning Method: Amazon AWS
Machine Type: Amazon Machine Image
Required Preparation: An Amazon machine image is a template that contains a software configuration, including an operating system. If you want to create an Amazon machine image that supports Software, connect to a running Amazon AWS instance that uses an EBS volume for the root device. Install the guest agent and software bootstrap agent on the reference machine, then create an Amazon Machine Image from your instance. For instructions on creating Amazon EBS-backed AMIs, see the Amazon AWS documentation. For the guest agent and Software bootstrap agent to function on provisioned machines, you must configure network-to-VPC connectivity.

Preparing to Provision Machines with Software

To support Software components, you must install the guest agent and Software bootstrap agent on your reference machine before you convert to a template for cloning, create an Amazon machine image, or take a snapshot.
Prepare a Windows Reference Machine to Support Software
You install the supported Java Runtime Environment, the guest agent, and the Software bootstrap agent on your Windows reference machine to create a template, snapshot, or Amazon Machine Instance that supports Software components.
Software supports scripting with Windows CMD and PowerShell 2.0.
I Because the boot process must not be interrupted, congure the virtual machine so that nothing causes the virtual machine's boot process to pause before reaching the nal operating system login prompt. For example, verify that no processes or scripts prompt for user interaction when the virtual machine starts.
Prerequisites
- Identify or create a reference machine.
- If you have previously installed the guest agent or Software bootstrap agent on this machine, remove the agents and runtime logs. See “Updating Existing Virtual Machine Templates in vRealize Automation,” on page 66.
- If you plan to remotely access the virtual machine by using Windows Remote Desktop for troubleshooting or for other reasons, install the Remote Desktop Services (RDS) for Windows.
- Verify that all of the network configuration artifacts are removed from the network configuration files.
- If you want to use the most secure approach for establishing trust between the guest agent and your Manager Service machine, obtain the SSL certificate in PEM format from your Manager Service machine. For information about installing a guest agent on a Windows machine, see “Install the Guest Agent on a Windows Reference Machine,” on page 31. For more information about how the guest agent establishes trust, see “Configuring the Windows Guest Agent to Trust a Server,” on page 32.
Procedure
1 Log in to your Windows reference machine as a Windows Administrator and open a command prompt.
2 Download and install the supported Java Runtime Environment from https://vRealize_VA_Hostname_fqdn/software/index.html.
a Download the Java SE Runtime Environment .zip file https://vRealize_VA_Hostname_fqdn/software/download/jre-version-win64.zip.
b Create a c:\opt\vmware-jre folder and unzip the JRE .zip file to the folder.
c Open a command prompt window and enter c:\opt\vmware-jre\bin\java -version to verify the installation.
The installed version of Java appears.
3 Download and install the vRealize Automation guest agent from https://vRealize_VA_Hostname_fqdn/software/index.html.
a Download GugentZip_version to the C drive on the reference machine.
Select either GuestAgentInstaller.exe (32-bit) or GuestAgentInstaller_x64.exe (64-bit) depending on which is appropriate for your operating system.
b Right-click the le and select Properties.
c Click General.
d Click Unblock.
e Extract the les to C:\.
This produces the directory C:\VRMGuestAgent. Do not rename this directory.
4 Congure the guest agent to communicate with the Manager Service.
a Open an elevated command prompt.
b Navigate to C:\VRMGuestAgent.
c Congure the guest agent to trust your Manager Service machine.
Option Description
Allow the guest agent to trust the first machine to which it connects.
Manually install the trusted PEM file.
d Run the following command: winservice -i -h Manager_Service_Hostname_fdqn:portnumber -p
ssl.
No conguration required.
Place the Manager Service PEM le in the C:\VRMGuestAgent\ directory.
The default port number for the Manager Service is 443.
Option Description
If you are using a load balancer
With no load balancer
If you are preparing an Amazon machine image
Enter the fully qualied domain name and port number of your Manager Service load balancer. For example, winservice -i -h load_balancer_manager_service.mycompany.com:443 -p ssl.
Enter the fully qualied domain name and port number of your Manager Service machine. For example, winservice -i -h manager_service_machine.mycompany.com:443 -p ssl.
You need to specify that you are using Amazon. For example,
winservice -i -h manager_service_machine.mycompany.com: 443:443 -p ssl -c ec2
5 Download the Software Agent bootstrap file from https://vRealize_VA_Hostname_fqdn/software/index.html.
a Download the Software bootstrap agent file https://vRealize_VA_Hostname_fqdn/software/download/vmware-vra-software-agent-bootstrap-windows_version.zip.
b Right-click the le and select Properties.
c Click General.
d Click Unblock.
I If you do not disable this Windows security feature, you cannot use the Software
agent bootstrap le.
e Unzip the vmware-vra-software-agent-bootstrap-windows_version.zip le to the c:\temp folder.
6 Install the Software bootstrap agent.
a Open a Windows CMD console and navigate to the c:\temp folder.
b Enter the command to install the agent bootstrap.
install.bat password=Password managerServiceHost=manager_service_machine.mycompany.com managerServicePort=443 httpsMode=true cloudProvider=ec2|vca|vcd|vsphere
The default port number for the Manager Service is 443. Accepted values for cloudProvider are ec2, vca, vcd, and vsphere. The install.bat script creates a user account called darwin for the software bootstrap agent using the password you set in the install command. The password you set must meet the Windows password requirements.
If your install fails due to a .NET dependency, refer to the following article for assistance:
https://technet.microsoft.com/en-us/library/dn482071.aspx
7 Verify that the user darwin exists.
a Enter lusrmgr.msc at a command prompt.
b Verify that the user darwin_user exists and belongs to the administrator group.
c Set the password to never expire.
The seing ensures that the template remains usable after 30 days.
If the user is not available, verify that the Windows server password is accurate.
8 Shut down the Windows virtual machine.
What to do next
Convert your reference machine into a template for cloning, an Amazon machine image, or a snapshot so your IaaS architects can use your template when creating blueprints.
Prepare a Linux Reference Machine to Support Software
You use a single script to install the supported Java Runtime Environment, the guest agent, and the Software bootstrap agent on your Linux reference machine to create a template, snapshot, or Amazon Machine Instance that supports Software components.
Software supports scripting with Bash.
I Because the boot process must not be interrupted, congure the virtual machine so that nothing causes the virtual machine's boot process to pause before reaching the nal operating system login prompt. For example, verify that no processes or scripts prompt for user interaction when the virtual machine starts.
Prerequisites
- Identify or create a Linux reference machine and verify that the following commands are available, depending on your Linux system:
  - yum or apt-get
  - wget or curl
  - python
  - dmidecode as required by cloud providers
  - Common requirements such as sed, awk, perl, chkconfig, unzip, and grep depending on your Linux distribution
  For related information about Linux prerequisites, see the prepare_vra_template.sh script.
- If you plan to remotely access the virtual machine by using SSH login for troubleshooting or for other reasons, install the OpenSSH server and client for Linux.
- Remove network configuration artifacts from the network configuration files.
Procedure
1 Log in to your reference machine as the root user.
2 Download the installation script from your vRealize Automation appliance.
wget https://vRealize_VA_Hostname_fqdn/software/download/prepare_vra_template.sh
If your environment is using self-signed certificates, you might have to use the wget option --no-check-certificate. For example:
wget --no-check-certificate https://vRealize_VA_Hostname_fqdn/software/download/prepare_vra_template.sh
3 Make the prepare_vra_template.sh script executable.
chmod +x prepare_vra_template.sh
4 Run the prepare_vra_template.sh installer script.
./prepare_vra_template.sh
You can run the help command ./prepare_vra_template.sh --help for information about non-interactive options and expected values.
5 Follow the prompts to complete the installation.
You see a conrmation message when the installation is successfully completed. If you see an error message and logs in the console, resolve the errors and run the installer script again.
6 Shut down the Linux virtual machine.
The script removes any previous installations of the Software bootstrap agent and installs the supported versions of the Java Runtime Environment, the guest agent, and the Software bootstrap agent.
What to do next
On your hypervisor or cloud provider, turn your reference machine into a template, snapshot, or Amazon Machine Image that your infrastructure architects can use when creating blueprints.
Updating Existing Virtual Machine Templates in vRealize Automation
If you are updating your templates, Amazon Machine Images, or snapshots for the latest version of the Windows Software bootstrap agent, or if you are manually updating to the latest Linux Software bootstrap agent instead of using the prepare_vra_template.sh script, you need to remove any existing versions and delete any logs.
Linux
For Linux reference machines, running the prepare_vra_template.sh script resets the agent and removes any logs for you before reinstalling. However, if you intend to install manually, you need to log in to the reference machine as the root user and run the command to reset and remove the artifacts.
/opt/vmware-appdirector/agent-bootstrap/agent_reset.sh
Windows
For Windows reference machines, you remove the existing Software agent bootstrap and vRealize Automation 6.0 or later guest agent, and delete any existing runtime log files. In a PowerShell command window, run the commands to remove the agent and artifacts.
c:\opt\vmware-appdirector\agent-bootstrap\agent_bootstrap_removal.bat
c:\opt\vmware-appdirector\agent-bootstrap\agent_reset.bat

Scenario: Prepare a vSphere CentOS Template for Clone Machine and Software Component Blueprints

As a vCenter Server administrator, you want to prepare a vSphere template that your vRealize Automation architects can use to clone Linux CentOS machines. You want to ensure that your template supports blueprints with software components, so you install the guest agent and the software bootstrap agent before you turn your reference machine into a template.
Prerequisites
- Identify or create a Linux CentOS reference machine with VMware Tools installed. Include at least one Network Adapter to provide internet connectivity in case blueprint architects do not add this functionality at the blueprint level. For information about creating virtual machines, see the vSphere documentation.
- You must be connected to a vCenter Server to convert a virtual machine to a template. You cannot create templates if you connect the vSphere Client directly to a vSphere ESXi host.
Procedure
1 Scenario: Prepare Your Reference Machine for Guest Agent Customizations and Software Components on page 68
So that your template can support software components, you install the software bootstrap agent and its prerequisite, the guest agent, on your reference machine. The agents ensure that vRealize Automation architects who use your template can include software components in their blueprints.
2 Scenario: Convert Your CentOS Reference Machine into a Template on page 68
After you install the guest agent and software bootstrap agent onto your reference machine, you turn your reference machine into a template that vRealize Automation architects can use to create clone machine blueprints.
3 Scenario: Create a Customization Specification for vSphere Cloning on page 69
Create a customization specification for your blueprint architects to use with your cpb_centos_63_x84 template.
You created a template and customization specification from your reference machine that blueprint architects can use to create vRealize Automation blueprints that clone Linux CentOS machines. Because you installed the Software bootstrap agent and the guest agent on your reference machine, architects can use your template to create elaborate catalog item blueprints that include Software components or other guest agent customizations such as running scripts or formatting disks. Because you installed VMware Tools, architects and catalog administrators can allow users to perform actions against machines, such as reconfigure, snapshot, and reboot.
What to do next
After you congure vRealize Automation users, groups, and resources, you can use your template and customization specication to create a machine blueprint for cloning. See “Scenario: Create a vSphere
CentOS Blueprint for Cloning in Rainpole,” on page 268.
VMware, Inc. 67
Configuring vRealize Automation
Scenario: Prepare Your Reference Machine for Guest Agent Customizations and Software Components
So that your template can support software components, you install the software bootstrap agent and its prerequisite, the guest agent, on your reference machine. The agents ensure that vRealize Automation architects who use your template can include software components in their blueprints.
To simplify the process, you download and run a vRealize Automation script that installs both agents, instead of downloading and installing separate packages.
The script also connects to the Manager Service instance and downloads the SSL certificate, which establishes trust between the Manager Service and machines deployed from the template. Note that having the script download the certificate is less secure than manually obtaining the Manager Service SSL certificate and installing it on your reference machine in /usr/share/gugent/cert.pem.
Procedure
1 In your Web browser, open the following URL.
hps://vrealize-automation-appliance-FQDN/software/index.html
2 Save the prepare_vra_template.sh script to your reference machine.
3 On the reference machine, make prepare_vra_template.sh executable.
chmod +x prepare_vra_template.sh
4 Run prepare_vra_template.sh.
./prepare_vra_template.sh
5 Follow the prompts.
If you need non-interactive information about options and values, enter ./prepare_vra_template.sh --help.
A confirmation message appears when installation finishes. If error messages and logs appear, correct the issues and rerun the script.
Scenario: Convert Your CentOS Reference Machine into a Template
After you install the guest agent and software bootstrap agent onto your reference machine, you turn your reference machine into a template that vRealize Automation architects can use to create clone machine blueprints.
After you convert your reference machine to a template, you cannot edit or power on the template unless you convert it back to a virtual machine.
Procedure
1 Log in to your reference machine as the root user and prepare the machine for conversion.
a Remove udev persistence rules.
/bin/rm -f /etc/udev/rules.d/70*
b Enable machines cloned from this template to have their own unique identifiers.
/bin/sed -i '/^\(HWADDR\|UUID\)=/d' /etc/sysconfig/network-scripts/ifcfg-eth0
c If you rebooted or reconfigured the reference machine after installing the software bootstrap agent, reset the agent.
/opt/vmware-appdirector/agent-bootstrap/agent_reset.sh
d Power down the machine.
shutdown -h now
2 Log in to the vSphere Web Client as an administrator.
3 Right-click your reference machine and select Edit Settings.
4 Enter cpb_centos_63_x84 in the VM Name text box.
5 Even though your reference machine has a CentOS guest operating system, select Red Hat Enterprise Linux 6 (64-bit) from the Guest OS Version drop-down menu.
If you select CentOS, your template and customization specification might not work as expected.
6 Right-click your reference machine in the vSphere Web Client and select Template > Convert to Template.
vCenter Server marks your cpb_centos_63_x84 reference machine as a template and displays the task in the Recent Tasks pane. If you have already brought your vSphere environment under vRealize Automation management, your template is discovered during the next automated data collection. If you have not configured your vRealize Automation yet, the template is collected during that process.
Scenario: Create a Customization Specification for vSphere Cloning
Create a customization specication for your blueprint architects to use with your cpb_centos_63_x84 template.
Procedure
1 Log in to the vSphere Web Client as an administrator.
2 On the home page, click Customization Specification Manager to open the wizard.
3 Click the New icon.
4 Click the New icon.
5 Specify properties.
a Select Linux from the Target VM Operating System drop-down menu.
b Enter Customspecs in the Customization Spec Name text box.
c Enter cpb_centos_63_x84 cloning with vRealize Automation in the Description text box.
d Click Next.
6 Set computer name.
a Select Use the virtual machine name.
b Enter the domain on which cloned machines are going to be provisioned in the Domain name text box.
c Click Next.
7 Congure time zone seings.
8 Click Next.
9 Select Use standard network settings for the guest operating system, including enabling DHCP on all network interfaces.
Fabric administrators and infrastructure architects handle network settings for provisioned machines by creating and using network profiles in vRealize Automation.
10 Follow the prompts to enter the remaining required information.
11 On the Ready to complete page, review your selections and click Finish.

Scenario: Prepare for Importing the Dukes Bank for vSphere Sample Application Blueprint

As a vCenter Server administrator, you want to prepare a vSphere CentOS 6.x Linux template and customization specification that you can use to provision the vRealize Automation Dukes Bank sample application.
You want to ensure that your template supports the sample application software components, so you install the guest agent and the software bootstrap agent onto your Linux reference machine before you convert it to a template and create a customization specification. You disable SELinux on your reference machine to ensure your template supports the specific implementation of MySQL used in the Dukes Bank sample application.
Prerequisites
Install and fully congure vRealize Automation. See Installing and Conguring vRealize Automation for the
n
Rainpole Scenario.
Identify or create a CentOS 6.x Linux reference machine with VMware Tools installed. For information
n
about creating virtual machines, see the vSphere documentation.
You must be connected to a vCenter Server to convert a virtual machine to a template. You cannot create
n
templates if you connect the vSphere Client directly to an vSphere ESXi host.
Procedure
1 Scenario: Prepare Your Reference Machine for the Dukes Bank vSphere Sample Application on page 71
You want your template to support the Dukes Bank sample application, so you must install both the guest agent and the software bootstrap agent on your reference machine so vRealize Automation can provision the software components. To simplify the process, you download and run a vRealize Automation script that installs both the guest agent and the software bootstrap agent instead of downloading and installing the packages separately.
2 Scenario: Convert Your Reference Machine into a Template for the Dukes Bank vSphere Application on page 71
After you install the guest agent and software bootstrap agent on your reference machine, you disable SELinux to ensure your template supports the specific implementation of MySQL used in the Dukes Bank sample application. You turn your reference machine into a template that you can use to provision the Dukes Bank vSphere sample application.
3 Scenario: Create a Customization Specification for Cloning the Dukes Bank vSphere Sample Application Machines on page 72
You create a customization specification to use with your Dukes Bank machine template.
You created a template and customization specification from your reference machine that supports the vRealize Automation Dukes Bank sample application.
Scenario: Prepare Your Reference Machine for the Dukes Bank vSphere Sample Application
You want your template to support the Dukes Bank sample application, so you must install both the guest agent and the software bootstrap agent on your reference machine so vRealize Automation can provision the software components. To simplify the process, you download and run a vRealize Automation script that installs both the guest agent and the software bootstrap agent instead of downloading and installing the packages separately.
Procedure
1 Log in to your reference machine as the root user.
2 Download the installation script from your vRealize Automation appliance.
wget https://vRealize_VA_Hostname_fqdn/software/download/prepare_vra_template.sh
If your environment is using self-signed certificates, you might have to use the wget option --no-check-certificate. For example:
wget --no-check-certificate https://vRealize_VA_Hostname_fqdn/software/download/prepare_vra_template.sh
3 Make the prepare_vra_template.sh script executable.
chmod +x prepare_vra_template.sh
4 Run the prepare_vra_template.sh installer script.
./prepare_vra_template.sh
You can run the help command ./prepare_vra_template.sh --help for information about non-interactive options and expected values.
5 Follow the prompts to complete the installation.
You see a conrmation message when the installation is successfully completed. If you see an error message and logs in the console, resolve the errors and run the installer script again.
You installed both the software bootstrap agent and its prerequisite, the guest agent, to ensure the Dukes Bank sample application successfully provisions software components. The script also connected to your Manager Service instance and downloaded the SSL certicate to establish trust between the Manager Service and machines deployed from your template. This is a less secure approach than obtaining the Manager Service SSL certicate and manually installing it on your reference machine in /usr/share/gugent/cert.pem, and you can manually replace this certicate now if security is a high priority.
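The manual alternative that this section and the earlier Rainpole template scenario recommend, as an added example that is not part of VMware's prepare_vra_template.sh: copy the Manager Service certificate into the guest agent's trust path only after its SHA-256 fingerprint matches a value you obtained out of band, so a certificate substituted on the network path is rejected instead of trusted. Assumes openssl is present on the reference machine; the fetch helper and the Manager Service host name are illustrative.

```shell
#!/bin/sh
# Added example (not VMware's code): pin the Manager Service certificate before
# installing it as /usr/share/gugent/cert.pem. Assumes the openssl CLI.

# Print the SHA-256 fingerprint of a PEM certificate as lowercase hex, no colons.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# Fetch the leaf certificate presented by host:port (this is what the installer
# script trusts blindly). Network step, not exercised offline.
fetch_manager_cert() {
    host="$1"; port="${2:-443}"; out="$3"
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$out"
}

# Install PEM $1 to path $3 only if its fingerprint equals $2 (case and colons
# ignored). Returns 0 on install, 1 on mismatch (nothing written), 2 if the
# PEM cannot be parsed.
install_pinned_cert() {
    pem="$1"; dest="$3"
    expected=$(printf '%s' "$2" | tr -d ':' | tr 'A-F' 'a-f')
    actual=$(cert_fingerprint "$pem" 2>/dev/null)
    [ -n "$actual" ] || return 2
    if [ "$actual" != "$expected" ]; then
        echo "fingerprint mismatch for $pem: got $actual, expected $expected" >&2
        return 1
    fi
    mkdir -p "$(dirname "$dest")"
    cp "$pem" "$dest" && chmod 0644 "$dest"
}

# Real use on the reference machine, as root, with the fingerprint obtained
# from the Manager Service administrator (host name is a placeholder):
#   fetch_manager_cert manager_service_machine.mycompany.com 443 /tmp/manager.pem
#   install_pinned_cert /tmp/manager.pem "$EXPECTED_SHA256" /usr/share/gugent/cert.pem
```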
Scenario: Convert Your Reference Machine into a Template for the Dukes Bank vSphere Application
After you install the guest agent and software bootstrap agent on your reference machine, you disable SELinux to ensure your template supports the specific implementation of MySQL used in the Dukes Bank sample application. You turn your reference machine into a template that you can use to provision the Dukes Bank vSphere sample application.
After you convert your reference machine to a template, you cannot edit or power on the template unless you convert it back to a virtual machine.
Procedure
1 Log in to your reference machine as the root user.
a Edit your /etc/selinux/config file to disable SELinux.
SELINUX=disabled
If you do not disable SELinux, the MySQL software component of the Duke's Bank Sample application might not work as expected.
b Remove udev persistence rules.
/bin/rm -f /etc/udev/rules.d/70*
c Enable machines cloned from this template to have their own unique identifiers.
/bin/sed -i '/^\(HWADDR\|UUID\)=/d' /etc/sysconfig/network-scripts/ifcfg-eth0
d If you rebooted or reconfigured the reference machine after installing the software bootstrap agent, reset the agent.
/opt/vmware-appdirector/agent-bootstrap/agent_reset.sh
e Power down the machine.
shutdown -h now
2 Log in to the vSphere Web Client as an administrator.
3 Right-click your reference machine and select Edit Settings.
4 Enter dukes_bank_template in the VM Name text box.
5 If your reference machine has a CentOS guest operating system, select Red Hat Enterprise Linux 6 (64-bit) from the Guest OS Version drop-down menu.
If you select CentOS, your template and customization specification might not work as expected.
6 Click OK.
7 Right-click your reference machine in the vSphere Web Client and select Template > Convert to Template.
vCenter Server marks your dukes_bank_template reference machine as a template and displays the task in the Recent Tasks pane. If you have already brought your vSphere environment under vRealize Automation management, your template is discovered during the next automated data collection. If you have not configured your vRealize Automation yet, the template is collected during that process.
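The pre-conversion clean-up that the Rainpole, Software-component and Dukes Bank template scenarios above all perform by hand, as an added example that is not VMware's prepare_vra_template.sh: it runs the same commands against a root directory you pass in, so you can rehearse it on a constructed copy of the files and gate the shutdown on a check that nothing host-specific is left. It goes one step beyond the page by cleaning every ifcfg-* file rather than only ifcfg-eth0. Assumes GNU sed and grep as shipped with CentOS; the agent_reset.sh step stays manual.

```shell
#!/bin/sh
# Added example (not VMware's code): reference-machine clean-up applied under
# a root directory ($1) instead of /, plus a readiness check. Assumes GNU sed/grep.

# Drop HWADDR= and UUID= lines so each clone gets its own identifiers
# (the page's sed expression, applied to one ifcfg file).
strip_ifcfg_identity() {
    sed -i '/^\(HWADDR\|UUID\)=/d' "$1"
}

# Remove udev persistent rules so clones do not inherit the NIC-to-name mapping.
remove_udev_rules() {
    rm -f "$1"/etc/udev/rules.d/70*
}

# Force SELINUX=disabled (Dukes Bank scenario only); append the key if absent.
disable_selinux() {
    if grep -q '^SELINUX=' "$1"; then
        sed -i 's/^SELINUX=.*/SELINUX=disabled/' "$1"
    else
        echo 'SELINUX=disabled' >> "$1"
    fi
}

# Return 0 when the tree under $1 is ready to convert: no 70-* udev rules and
# no HWADDR/UUID left in any ifcfg-* file. Use it as the gate before shutdown.
check_template_ready() {
    root="$1"
    set -- "$root"/etc/udev/rules.d/70*
    [ -e "$1" ] && return 1
    for f in "$root"/etc/sysconfig/network-scripts/ifcfg-*; do
        [ -f "$f" ] || continue
        grep -qE '^(HWADDR|UUID)=' "$f" && return 1
    done
    return 0
}

# Run the clean-up under $1; pass "yes" as $2 to also disable SELinux.
# Exit status is that of check_template_ready.
prepare_template_root() {
    root="$1"
    remove_udev_rules "$root"
    for f in "$root"/etc/sysconfig/network-scripts/ifcfg-*; do
        [ -f "$f" ] && strip_ifcfg_identity "$f"
    done
    if [ "${2:-no}" = "yes" ]; then
        disable_selinux "$root"/etc/selinux/config
    fi
    check_template_ready "$root"
}

# Real run, as root, after the agents are installed and before shutdown -h now:
#   prepare_template_root / yes    # Dukes Bank template (SELinux disabled)
#   prepare_template_root /        # Rainpole or Software-component template
```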
Scenario: Create a Customization Specification for Cloning the Dukes Bank vSphere Sample Application Machines
You create a customization specication to use with your Dukes Bank machine template.
Procedure
1 Log in to the vSphere Web Client as an administrator.
2 On the home page, click Customization Specification Manager to open the wizard.
3 Click the New icon.
4 Specify properties.
a Select Linux from the Target VM Operating System drop-down menu.
b Enter Customspecs_sample in the Customization Spec Name text box.
c Enter Dukes Bank customization spec in the Description text box.
d Click Next.
5 Set computer name.
a Select Use the virtual machine name.
b Enter the domain on which you want to provision the Dukes Bank sample application in the Domain name text box.
c Click Next.
6 Congure time zone seings.
7 Click Next.
8 Select Use standard network settings for the guest operating system, including enabling DHCP on all network interfaces.
Fabric administrators and infrastructure architects handle network settings for provisioned machines by creating and using network profiles in vRealize Automation.
9 Follow the prompts to enter the remaining required information.
10 On the Ready to complete page, review your selections and click Finish.
You created a template and customization specication that you can use to provision the Dukes Bank sample application.
What to do next
1 Create an external network profile to provide a gateway and a range of IP addresses. See “Create an External Network Profile by Using An External IPAM Provider,” on page 184.
2 Map your external network profile to your vSphere reservation. See “Create a Reservation for Hyper-V, KVM, SCVMM, vSphere, or XenServer,” on page 213. The sample application cannot provision successfully without an external network profile.
3 Import the Duke's Bank sample application into your environment. See “Scenario: Importing the Dukes Bank for vSphere Sample Application and Configuring for Your Environment,” on page 240.

Chapter 2 Configuring Tenant Settings

Tenant administrators congure tenant seings such as user authentication, and manage user roles and business groups. System administrators and tenant administrators congure options such as email servers to handle notications, and branding for the vRealize Automation console.
You can use the Conguring Tenant Seings Checklist to see a high-level overview of the sequence of steps required to congure tenant seings.
Table 2-1. Checklist for Configuring Tenant Settings

Task | vRealize Automation Role | Details
Create local user accounts and assign a tenant administrator. | System administrator | For an example of creating local user accounts, see “Scenario: Create Local User Accounts for Rainpole,” on page 132.
Configure Directories Management to set up tenant identity management and access control settings. | Tenant administrator | “Choosing Directories Management Configuration Options,” on page 76
Create business groups and custom groups, and grant user access rights to the vRealize Automation console. | Tenant administrator | “Configuring Groups and User Roles,” on page 127
(Optional) Create additional tenants so users can access the appropriate applications and resources they need to complete their work assignments. | System administrator | “Create Additional Tenants,” on page 136
(Optional) Configure custom branding on the tenant login and application pages of the vRealize Automation console. | System administrator or tenant administrator | “Configuring Custom Branding,” on page 139
(Optional) Configure vRealize Automation to send users notifications when specific events occur. | System administrator or tenant administrator | “Checklist for Configuring Notifications,” on page 141
(Optional) Configure vRealize Orchestrator to support XaaS and other extensibility. | System administrator or tenant administrator | “Configuring vRealize Orchestrator and Plug-Ins,” on page 152
(Optional) Create a custom remote desktop protocol file that IaaS architects use in blueprints to configure RDP settings. | System administrator | “Create a Custom RDP File to Support RDP Connections for Provisioned Machines,” on page 150
(Optional) Define datacenter locations that your fabric administrators and IaaS architects can leverage to allow users to select an appropriate location for provisioning when they request machines. | System administrator | For an example of adding datacenter locations, see “Scenario: Add Datacenter Locations for Cross Region Deployments,” on page 151.
This chapter includes the following topics:
- “Choosing Directories Management Configuration Options,” on page 76
- “Scenario: Configure an Active Directory Link for a Highly Available vRealize Automation,” on page 118
- “Configure Smart Card Authentication for vRealize Automation,” on page 120
- “Create a Multi Domain or Multi Forest Active Directory Link,” on page 126
- “Configuring Groups and User Roles,” on page 127
- “Scenario: Configure the Default Tenant for Rainpole,” on page 131
- “Create Additional Tenants,” on page 136
- “Delete a Tenant,” on page 138
- “Configuring Custom Branding,” on page 139
- “Checklist for Configuring Notifications,” on page 141
- “Create a Custom RDP File to Support RDP Connections for Provisioned Machines,” on page 150
- “Scenario: Add Datacenter Locations for Cross Region Deployments,” on page 151
- “Configuring vRealize Orchestrator and Plug-Ins,” on page 152

Choosing Directories Management Configuration Options

You can use vRealize Automation Directories Management features to configure an Active Directory link in accordance with your user authentication requirements.
Directories Management provides many options to support highly customized user authentication.
Table 2-2. Choosing Directories Management Configuration Options

Configuration Option | Procedure
Configure a link to your Active Directory. | 1 Configure a link to your Active Directory. See “Configure a Link to Active Directory,” on page 79. 2 If you configured vRealize Automation for high availability, see “Configure Directories Management for High Availability,” on page 83.
(Optional) Enhance security of a user ID and password based directory link by configuring bi-directional integration with Active Directory Federation Services. | “Configure a Bi Directional Trust Relationship Between vRealize Automation and Active Directory,” on page 84
(Optional) Add users and groups to an existing Active Directory link. | “Add Users or Groups to an Active Directory Connection,” on page 88
(Optional) Edit the default policy to apply custom rules for an Active Directory link. | “Manage the User Access Policy,” on page 100
(Optional) Configure network ranges to restrict the IP addresses through which users can log in to the system, and manage login restrictions (timeout, number of login attempts before lock-out). | “Add or Edit a Network Range,” on page 111

Directories Management Overview

Tenant administrators can configure tenant identity management and access control settings using the Directories Management options on the vRealize Automation application console.
You can manage the following settings from the Administration > Directories Management tab.
Table 2-3. Directories Management Settings

Setting | Description
Directories | The Directories page enables you to create and manage Active Directory links to support vRealize Automation tenant user authentication and authorization. You create one or more directories and then sync those directories with your Active Directory deployment. This page displays the number of groups and users that are synced to the directory and the last sync time. You can click Sync Now to manually start the directory sync. See “Using Directories Management to Create an Active Directory Link,” on page 79. When you click a directory and then click the Sync Settings button, you can edit the sync settings, navigate to the Identity Providers page, and view the sync log. From the directory sync settings page you can schedule the sync frequency, see the list of domains associated with this directory, change the mapped attributes list, update the list of users and groups that sync, and set the safeguard targets.
Connectors | The Connectors page lists deployed connectors for your enterprise network. A connector syncs user and group data between Active Directory and the Directories Management service, and when it is used as the identity provider, authenticates users to the service. Each vRealize Automation appliance contains a connector by default. See “Managing Connectors,” on page 92.
User Attributes | The User Attributes page lists the default user attributes that sync in the directory, and you can add other attributes that you can map to Active Directory attributes. See “Select Attributes to Sync with Directory,” on page 89.
Network Ranges | This page lists the network ranges that are configured for your system. You configure a network range to allow users access through those IP addresses. You can add additional network ranges and you can edit existing ranges. See “Add or Edit a Network Range,” on page 111.
Identity Providers | The Identity Providers page lists identity providers that are available on your system. vRealize Automation systems contain a connector that serves as the default identity provider and that suffices for many user needs. You can add third-party identity provider instances or have a combination of both. See “Configure an Identity Provider Instance,” on page 110.
Policies | The Policies page lists the default access policy and any other web application access policies you created. Policies are a set of rules that specify criteria that must be met for users to access their application portals or to launch Web applications that are enabled for them. The default policy should be suitable for most vRealize Automation deployments, but you can edit it if needed. See “Manage the User Access Policy,” on page 100.
Important Concepts Related to Active Directory
Several concepts related to Active Directory are integral to understanding how Directories Management integrates with your Active Directory environments.
Connector
The connector, a component of the service, performs the following functions.
- Syncs user and group data from your Active Directory or LDAP directory to the service.
- When used as an identity provider, authenticates users to the service.
The connector is the default identity provider. For the authentication methods the connector supports, see VMware Identity Manager Administration. You can also use third-party identity providers that support the SAML 2.0 protocol. Use a third-party identity provider for an authentication type the connector does not support or for an authentication type the connector does support, if the third-party identity provider is preferable based on your enterprise security policy.
N If you use third-party identity providers, you can either congure the connector to sync user and group data or congure Just-in-Time user provisioning. See the Just-in-Time User Provisioning section in VMware Identity Manager Administration for more information.
N Even if you use third-party identity providers, you must congure the connector to sync user and group data.
Directory
The Directories Management service has its own concept of a directory, corresponding to the Active Directory or LDAP directory in your environment. This directory uses attributes to define users and groups.
- Active Directory
  - Active Directory over LDAP. Create this directory type if you plan to connect to a single Active Directory domain environment. For the Active Directory over LDAP directory type, the connector binds to Active Directory using simple bind authentication.
  - Active Directory, Integrated Windows Authentication. Create this directory type if you plan to connect to a multi-domain or multi-forest Active Directory environment. The connector binds to Active Directory using Integrated Windows Authentication.
  The type and number of directories that you create varies depending on your Active Directory environment, such as single domain or multi-domain, and on the type of trust used between domains. In most environments, you create one directory.
- LDAP Directory
The service does not have direct access to your Active Directory or LDAP directory. Only the connector has direct access. Therefore, you associate each directory created in the service with a connector instance.
Worker
When you associate a directory with a connector instance, the connector creates a partition for the associated directory called a worker. A connector instance can have multiple workers associated with it. Each worker acts as an identity provider. You define and configure authentication methods per worker.
The connector syncs user and group data between your Active Directory or LDAP directory and the service through one or more workers.
Important: You cannot have two workers of the Active Directory, Integrated Windows Authentication type on the same connector instance.
Active Directory Environments
You can integrate the service with an Active Directory environment that consists of a single Active Directory domain, multiple domains in a single Active Directory forest, or multiple domains across multiple Active Directory forests.
Single Active Directory Domain Environment
A single Active Directory deployment allows you to sync users and groups from a single Active Directory domain.
See “Congure a Link to Active Directory,” on page 79. For this environment, when you add a directory to the service, select the Active Directory over LDAP option.
Multi-Domain, Single Forest Active Directory Environment
A multi-domain, single forest Active Directory deployment allows you to sync users and groups from multiple Active Directory domains within a single forest.
You can congure the service for this Active Directory environment as a single Active Directory, Integrated Windows Authentication directory type or, alternatively, as an Active Directory over LDAP directory type congured with the global catalog option.
The recommended option is to create a single Active Directory, Integrated Windows Authentication
n
directory type.
See “Congure a Link to Active Directory,” on page 79. When you add a directory for this environment, select the Active Directory (Integrated Windows Authentication) option.
Multi-Forest Active Directory Environment with Trust Relationships
A multi-forest Active Directory deployment with trust relationships allows you to sync users and groups from multiple Active Directory domains across forests where two-way trust exists between the domains.
See “Congure a Link to Active Directory,” on page 79. When you add a directory for this environment, select the Active Directory (Integrated Windows Authentication) option.
Multi-Forest Active Directory Environment Without Trust Relationships
A multi-forest Active Directory deployment without trust relationships allows you to sync users and groups from multiple Active Directory domains across forests without a trust relationship between the domains. In this environment, you create multiple directories in the service, one directory for each forest.
See “Congure a Link to Active Directory,” on page 79. The type of directories you create in the service depends on the forest. For forests with multiple domains, select the Active Directory (Integrated Windows Authentication) option. For a forest with a single domain, select the Active Directory over LDAP option.

Using Directories Management to Create an Active Directory Link

After you create vRealize Automation tenants, you must log in to the system console as a tenant administrator and create an Active Directory link to support user authentication.
Configure a Link to Active Directory
You must use the Directories Management feature to configure a link to Active Directory to support user authentication for all tenants and select users and groups to sync with the Directories Management directory.
There are two Active Directory communication protocol options: Active Directory over LDAP, and Active Directory (Integrated Windows Authentication). Active Directory over LDAP supports DNS Service Location lookup by default. With Active Directory (Integrated Windows Authentication), you configure the domain to join. Active Directory over LDAP is appropriate for single domain deployments. Use Active Directory (Integrated Windows Authentication) for all multi-domain and multi-forest deployments.
After you select a communication protocol, you can specify the domains to use with the Active Directory configuration and then select the users and groups to sync with the specified configuration.
Prerequisites
- Connector installed and the activation code activated.
- Select the required default attributes and add additional attributes on the User Attributes page. See “Select Attributes to Sync with Directory,” on page 89.
- List of the Active Directory groups and users to sync from Active Directory.
- For Active Directory over LDAP, information required includes the Base DN, Bind DN, and Bind DN password.
- For Active Directory Integrated Windows Authentication, required information includes the domain's Bind user UPN address and password.
- If Active Directory is accessed over SSL, a copy of the SSL certificate is required.
- For Active Directory (Integrated Windows Authentication), when you have multi-forest Active Directory configured and the Domain Local group contains members from domains in different forests, make sure that the Bind user is added to the Administrators group of the domain in which the Domain Local group resides. If you fail to do this, these members will be missing from the Domain Local group.
- Log in to the vRealize Automation console as a tenant administrator.
Procedure
1 Select Administration > Directories Management > Directories.
2 Click Add Directory.
3 On the Add Directory page, specify the IP address for the Active Directory server in the Directory Name text box.
4 Select the appropriate Active Directory communication protocol using the radio buttons under the Directory Name text box.
Option | Description
Windows Authentication | Select Active Directory (Integrated Windows Authentication).
LDAP | Select Active Directory over LDAP.
5 Configure the connector that synchronizes users from the Active Directory to the VMware Directories Management directory in the Directory Sync and Authentication section.
Option | Description
Sync Connector | Select the appropriate connector to use for your system. Each vRealize Automation appliance contains a default connector. Consult your system administrator if you need help in choosing the appropriate connector.
Authentication | Click the appropriate radio button to indicate whether the selected connector also performs authentication.
Directory Search Attribute | Select the appropriate account attribute that contains the user name.
6 Enter the appropriate information in the Server Location text boxes if you selected Active Directory over LDAP, or in the Join Domain Details text boxes if you selected Active Directory (Integrated Windows Authentication).
Option | Description
Server Location (displayed when Active Directory over LDAP is selected) | If you want to use DNS Service Location to locate Active Directory domains, leave the This Directory supports DNS Service Location check box selected. If the specified Active Directory does not use DNS Service Location lookup, deselect the check box beside This Directory supports DNS Service Location in the Server Location fields and enter the Active Directory server host name and port number in the appropriate text boxes. If Active Directory requires access over SSL, select the This Directory requires all connections to use SSL check box under the Certificates heading and provide the Active Directory SSL certificate. Because this directory type authenticates with a simple bind, which sends the Bind DN password to the domain controller in clear text, select the SSL option whenever the network path to Active Directory is not otherwise protected.
Join Domain Details (displayed when Active Directory (Integrated Windows Authentication) is selected) | Enter the appropriate credentials in the Domain Name, Domain Admin User Name, and Domain Admin Password text boxes.
7 In the Bind User Details section, enter the appropriate credentials to facilitate directory synchronization.
For Active Directory over LDAP:
Option | Description
Base DN | Enter the search base distinguished name. For example, cn=users,dc=corp,dc=local.
Bind DN | Enter the bind distinguished name. For example, cn=fritz infra,cn=users,dc=corp,dc=local.
For Active Directory (Integrated Windows Authentication):
Option | Description
Bind User UPN | Enter the User Principal Name of the user who can authenticate with the domain. For example, UserName@example.com.
Bind DN Password | Enter the Bind User password.
8 Click Test Connection to test the connection to the congured directory.
This buon does not appear if you selected Active Directory (Integrated Windows Authentication).
9 Click Save & Next.
The Select the Domains page appears with the list of domains.
10 Review and update the domains listed for the Active Directory connection.
- For Active Directory (Integrated Windows Authentication), select the domains that should be associated with this Active Directory connection.
- For Active Directory over LDAP, the available domain is listed with a checkmark.
Note: If you add a trusting domain after the directory is created, the service does not automatically detect the newly trusting domain. To enable the service to detect the domain, the connector must leave and then rejoin the domain. When the connector rejoins the domain, the trusting domain appears in the list.
11 Click Next.
12 Verify that the Directories Management directory attribute names are mapped to the correct Active Directory attributes.
If the directory attribute names are not mapped correctly, select the correct Active Directory attribute from the drop-down menu.
13 Click Next.
14 Click the icon to select the groups you want to sync from Active Directory to the directory.
When you add a group from Active Directory, if members of that group are not in the Users list, they are added.
Note: The Directories Management user authentication system imports data from Active Directory when adding groups and users, and the speed of the system is limited by Active Directory capabilities. As a result, import operations may require a significant amount of time depending on the number of groups and users being added. To minimize the potential for delays or problems, limit the number of groups and users to only those required for vRealize Automation operation. If your system performance degrades or if errors occur, close any unneeded applications and ensure that your system has appropriate memory allocated to Active Directory. If problems persist, increase the Active Directory memory allocation as needed. For systems with large numbers of users and groups, you may need to increase the Active Directory memory allocation to as much as 24 GB.
15 Click Next.
16 Click the icon to add additional users. Enter each user as a distinguished name, for example CN=username,CN=Users,OU=myUnit,DC=myCorp,DC=com.
To exclude users, click the icon to create a filter to exclude some types of users. You select the user attribute to filter by, the query rule, and the value.
17 Click Next.
18 Review the page to see how many users and groups are syncing to the directory.
If you want to make changes to users and groups, click the Edit links.
19 Click Push to Workspace to start the synchronization to the directory.
The connection to the Active Directory is complete and the selected users and groups are added to the directory.
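As an added example, not VMware's code or part of this documentation, the following Python checks the distinguished names that steps 7 and 16 ask for before you enter them in the console. It parses a DN in RFC 4514 form (type=value pairs separated by commas, with backslash escapes), derives the DNS domain from the DC components, and flags a user DN that lies outside the Base DN, which an LDAP search rooted at the Base DN can never return. The DN values are the ones shown on this page; the function names, the check_link_settings helper and the "-" instead of "=" typo it catches are this example's own assumptions.

```python
"""Check the distinguished names entered for an Active Directory over LDAP link.

Added example for steps 7 and 16 of "Configure a Link to Active Directory"; it
is not VMware code. It parses a DN along the lines of RFC 4514 (type=value
pairs separated by commas, with backslash escapes; multi-valued RDNs joined
with "+" and OID-style attribute types are rejected for simplicity), so that a
malformed value such as "CN-username,..." is caught before it is pasted into
the console, and it checks that each user DN lies under the Base DN, because
an LDAP search rooted at the Base DN cannot return entries outside it.
"""
import re

# One RDN: an attribute type, "=", and a value that may contain backslash
# escapes but no unescaped "," or "+".
_RDN = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)=((?:\\.|[^\\,+])*)$")


def _split_unescaped(dn: str, sep: str = ",") -> list:
    """Split dn on separators that are not preceded by a backslash."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return parts


def parse_dn(dn: str) -> list:
    """Return [(type, value), ...] from the leaf RDN to the root, or raise ValueError."""
    if not dn or not dn.strip():
        raise ValueError("empty DN")
    rdns = []
    for raw in _split_unescaped(dn):
        m = _RDN.match(raw.strip())
        if not m:
            raise ValueError(f"malformed RDN {raw.strip()!r}: expected type=value")
        rdns.append((m.group(1).lower(), m.group(2)))
    return rdns


def dn_to_domain(dn: str) -> str:
    """Derive the DNS domain from the DC components: dc=corp,dc=local -> corp.local."""
    labels = [value for typ, value in parse_dn(dn) if typ == "dc"]
    if not labels:
        raise ValueError("DN has no DC components")
    return ".".join(labels)


def is_under(entry_dn: str, base_dn: str) -> bool:
    """True if entry_dn is base_dn itself or lies beneath it.

    Active Directory treats attribute types and most values case-insensitively,
    so both sides are lowercased (an assumption for the rare case-sensitive
    attribute).
    """
    entry = [(t, v.lower()) for t, v in parse_dn(entry_dn)]
    base = [(t, v.lower()) for t, v in parse_dn(base_dn)]
    return len(entry) >= len(base) and entry[len(entry) - len(base):] == base


def check_link_settings(base_dn: str, bind_dn: str, user_dns: list) -> list:
    """Validate the values from steps 7 and 16. Returns a list of problems; empty means OK."""
    problems = []
    for label, dn in (("Base DN", base_dn), ("Bind DN", bind_dn)):
        try:
            parse_dn(dn)
        except ValueError as err:
            problems.append(f"{label}: {err}")
    if problems:
        return problems
    for dn in user_dns:
        try:
            if not is_under(dn, base_dn):
                problems.append(f"user {dn} is outside the Base DN {base_dn} and will not be found")
        except ValueError as err:
            problems.append(f"user DN: {err}")
    return problems


if __name__ == "__main__":
    # The page's own example values, plus a user DN with "-" typed instead of "=".
    print(check_link_settings(
        "cn=users,dc=corp,dc=local",
        "cn=fritz infra,cn=users,dc=corp,dc=local",
        ["CN-username,CN=Users,OU-myUnit,DC=myCorp,DC=com"],
    ))
```

Run it before pasting values into the Bind User Details section; a non-empty result names the field and the RDN that is wrong. The Base DN check matters for step 16 in particular: a user entered under a container that is not beneath the Base DN is accepted by the wizard but never synced, because the connector searches only from the Base DN down.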
What to do next
If your vRealize Automation environment is configured for high availability, you must specifically configure Directories Management for high availability. See “Configure Directories Management for High Availability,” on page 83.
- Set up authentication methods. After users and groups sync to the directory, if the connector is also used for authentication, you can set up additional authentication methods on the connector. If a third party is the authentication identity provider, configure that identity provider in the connector.
- Review the default access policy. The default access policy is configured to allow all appliances in all network ranges to access the Web browser, with a session timeout set to eight hours, or to access a client app with a session timeout of 2160 hours (90 days). You can change the default access policy, and when you add Web applications to the catalog, you can create new ones.
- Apply custom branding to the administration console, user portal pages and the sign-in screen.
Configure Directories Management for High Availability
You can use Directories Management to configure a high availability Active Directory connection in vRealize Automation.
Each vRealize Automation appliance includes a connector that supports user authentication, although only one connector is typically configured to perform directory synchronization. It does not matter which connector you choose to serve as the sync connector. To support Directories Management high availability, you must configure a second connector that corresponds to your second vRealize Automation appliance, which connects to your Identity Provider and points to the same Active Directory. With this configuration, if one appliance fails, the other takes over management of user authentication.
In a high availability environment, all nodes must serve the same set of Active Directories, users, authentication methods, and so on. The most direct method to accomplish this is to promote the Identity Provider to the cluster by setting the load balancer host as the Identity Provider host. With this configuration, all authentication requests are directed to the load balancer, which forwards the request to either connector as appropriate.
Prerequisites
Congure your vRealize Automation deployment with at least two instance of the vRealize Automation
n
appliance.
Install vRealize Automation in Enterprise mode operating in a single domain with two instances of
n
thevRealize Automation appliance.
Install and congure an appropriate load balancer to work with your vRealize Automation deployment.
n
Congure tenants and Directories Management using one of the connectors supplied with the installed
n
instances of the vRealize Automation appliance. For information about tenant conguration, see
Chapter 2, “Conguring Tenant Seings,” on page 75.
Procedure
1 Log in to the load balancer for your vRealize Automation deployment as a tenant administrator.
The load balancer URL is <load balancer address>/vcac/org/tenant_name.
2 Select Administration > Directories Management > Identity Providers.
3 Click the Identity Provider that is currently in use for your system.
The existing directory and connector that provide basic identity management for your system appear.
4 On the Identity Provider properties page, click the Add a Connector drop-down list, and select the connector that corresponds to your secondary vRealize Automation appliance.
5 Enter the appropriate password in the Bind DN Password text box that appears when you select the connector.
6 Click Add Connector.
7 The main connector appears in the IdP Hostname text box by default. Change the host name to point to the load balancer.
Configure a Bi Directional Trust Relationship Between vRealize Automation and Active Directory
You can enhance system security of a basic vRealize Automation Active Directory connection by configuring a bi-directional trust relationship between your identity provider and Active Directory Federation Services (ADFS).
To configure a bi-directional trust relationship between vRealize Automation and Active Directory, you must create a custom identity provider and add the ADFS metadata to this provider. Also, you must modify the default policy used by your vRealize Automation deployment. Finally, you must configure ADFS to recognize your identity provider.
Prerequisites
- Verify that you have configured tenants for your vRealize Automation deployment and set up an appropriate Active Directory link to support basic Active Directory user ID and password authentication.
- Active Directory is installed and configured for use on your network.
- Obtain the appropriate Active Directory Federation Services (ADFS) metadata.
- Log in to the vRealize Automation console as a tenant administrator.
Procedure
1 Obtain the Federation Metadata file.
You can download this file from https://servername.domain/FederationMetadata/2007-06/FederationMetadata.xml.
2 Search for the word logout, and edit the Location of each SingleLogoutService instance to point to https://servername.domain/adfs/ls/logout.aspx.
For example, the following:
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://servername.domain/adfs/ls/"/>
Should be changed to:
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://servername.domain/adfs/ls/logout.aspx"/>
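The rewrite in step 2 is mechanical but easy to get wrong by hand in a large metadata file, and a stray edit to any other endpoint breaks the sign-on flow. The following Python, added here as an example and not part of the VMware or Microsoft documentation, parses the download as SAML 2.0 metadata XML and changes only the SingleLogoutService Location attributes, leaving the SingleSignOnService endpoint, the entityID and the rest of the document as published. The embedded sample document, the function names and the command-line usage are this example's own; servername.domain is the same placeholder the page uses.

```python
"""Rewrite the SingleLogoutService endpoints in an ADFS FederationMetadata.xml.

Added example for step 2 of the bi-directional trust procedure; it is not
VMware or Microsoft code. It assumes the file is SAML 2.0 metadata in the
standard urn:oasis:names:tc:SAML:2.0:metadata namespace, which is what ADFS
publishes at /FederationMetadata/2007-06/FederationMetadata.xml.
"""
import sys
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
LOGOUT_PATH = "/adfs/ls/logout.aspx"

# Keep the usual prefixes when re-serialising instead of ns0/ns1.
ET.register_namespace("md", MD_NS)
ET.register_namespace("ds", "http://www.w3.org/2000/09/xmldsig#")

# Constructed sample: a trimmed IdP descriptor with the endpoints ADFS emits.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://servername.domain/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://servername.domain/adfs/ls/"/>
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://servername.domain/adfs/ls/"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://servername.domain/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _locations(root, local_name):
    return [e.get("Location", "").strip()
            for e in root.iter(f"{{{MD_NS}}}{local_name}")]


def rewrite_logout_locations(metadata_xml: str):
    """Point every SingleLogoutService Location at /adfs/ls/logout.aspx.

    Only the logout endpoints change; SingleSignOnService and everything else
    is left as published. Returns (rewritten_xml, number_of_endpoints_changed).
    """
    root = ET.fromstring(metadata_xml)
    changed = 0
    for slo in root.iter(f"{{{MD_NS}}}SingleLogoutService"):
        location = slo.get("Location", "").strip()
        if not location.endswith(LOGOUT_PATH):
            # Keep scheme and host exactly as ADFS published them.
            scheme_host = location.split("/adfs/", 1)[0]
            slo.set("Location", scheme_host + LOGOUT_PATH)
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed


def logout_locations(metadata_xml: str):
    """SingleLogoutService Locations, for checking the result before pasting it."""
    return _locations(ET.fromstring(metadata_xml), "SingleLogoutService")


def sso_locations(metadata_xml: str):
    """SingleSignOnService Locations; these must be untouched by the rewrite."""
    return _locations(ET.fromstring(metadata_xml), "SingleSignOnService")


if __name__ == "__main__":
    # Usage: python rewrite_slo.py FederationMetadata.xml > edited.xml
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_METADATA
    edited, n = rewrite_logout_locations(text)
    print(edited)
    print(f"rewrote {n} SingleLogoutService endpoint(s)", file=sys.stderr)
```

ADFS signs the metadata it publishes, so the ds:Signature in the original no longer verifies once anything is edited; use the edited text only for the Identity Provider Metadata field in step 3 and do not redistribute it as signed metadata. Before pasting, confirm that the entityID and the signing certificate in the file are those of your own ADFS server, since whatever you paste becomes the issuer the connector will trust.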
3 Create a new Identity Provider for your deployment.
a Select Administration > Directories Management > Identity Providers.
b Click Add Identity Provider and complete the fields as appropriate.
Option | Description
Identity Provider Name | Enter a name for the new identity provider.
Identity Provider Metadata (URI or XML) | Paste the contents of your edited Active Directory Federation Services metadata file here.
Name ID Policy in SAML Request (Optional) | If appropriate, enter a name for the identity policy SAML request.
Users | Select the domains to which you want users to have access privileges.
Process IDP Metadata | Click to process the metadata file that you added.
Network | Select the network ranges to which you want users to have access.
Authentication Methods | Enter a name for the authentication method used by this identity provider.
SAML Context | Select the appropriate context for your system.
SAML Signing Certificate | Click the link beside the SAML Metadata heading to download the Directories Management metadata.
c Save the Directories Management metadata file as sp.xml.
d Click Add.
4 Add a rule to the default policy.
a Select Administration > Directories Management > Policies.
b Click the default policy name.
c Click the + icon under the Policy Rules heading to add a new rule.
Use the elds on the Add a Policy Rule page to create a rule that species the appropriate primary and secondary authentication methods to use for a specic network range and device.
For example, if the user's network range is "My Machine", and the user needs to access content from
"All Device Types," then, for a typical deployment, that user must authenticate using the
following method: ADFS Username and Password.
d Click Save to save your policy updates.
e On the Default Policy page, drag the new rule to the top of the table so that it takes precedence over
existing rules.
5 Using the Active Directory Federation Services management console, or another appropriate tool, set up a relying party trust relationship with the vRealize Automation identity provider.
To set up this trust, you must import the Directories Management metadata that you previously downloaded. See the Microsoft Active Directory documentation for more information about configuring Active Directory Federation Services for bi-directional trust relationships. As part of this process, you must do the following:
- Set up a Relying Party Trust. When you set up this trust, you must import the VMware Identity Provider service provider metadata XML file that you copied and saved.
- Create a claim rule that transforms the attributes retrieved from LDAP in the Get Attributes rule into the desired SAML format. After you create the rule, you must edit the rule by adding the following text:
    c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
    => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "vmwareidentity.domain.com");
Configure SAML Federation Between Directories Management and SSO2
You can establish SAML federation between vRealize Automation Directories Management and systems that use SSO2 to support single sign-on.
Establish federation between Directories Management and SSO2 by creating a SAML connection between the two parties. Currently, the only supported end-to-end flow is where SSO2 acts as the Identity Provider (IdP) and Directories Management acts as the service provider (SP).
For SSO2 user authentication, the same account must exist in both Directories Management and SSO2. Minimally, the UserPrincipalName (UPN) of the user has to match on both ends. Other attributes can differ, as they are not required to identify the SAML subject.
For local users in SSO2, such as admin@vsphere.local, corresponding accounts must also exist in Directories Management, where at least the UPN of the user matches. Create these accounts manually or with a script using the Directories Management local user creation APIs.
Seing up SAML between SSO2 and Directories Management involves conguration on the Directories Management and SSO components.
Table 24. SAML Federation Component Configuration
Directories Management: Configure SSO2 as a third-party Identity Provider on Directories Management and update the default authentication policy. You can create an automated script to set up Directories Management.
SSO2 component: Configure Directories Management as a service provider by importing the Directories Management sp.xml file. This file enables you to configure SSO2 to use Directories Management as the Service Provider (SP).
Prerequisites
- Configure tenants for your vRealize Automation deployment. See “Create Additional Tenants,” on page 136.
- Set up an appropriate Active Directory link to support basic Active Directory user ID and password authentication.
- Log in to the vRealize Automation console as a tenant administrator.
Procedure
1 Download SSO2 Identity Provider metadata through the SSO2 user interface.
a Log in to vCenter as an administrator at https://<cloudvm-hostname>/.
b Click the Log in to vSphere Web Client link.
c On the left navigation pane, select Administration > Single Sign On > .
Chapter 2 Configuring Tenant Settings
d Click Download adjacent to the Metadata for your SAML service provider heading.
The vsphere.local.xml file should begin downloading.
e Copy the contents of the vsphere.local.xml file.
2 On the vRealize Automation Directories Management Identity Providers page, create a new Identity Provider.
a Log in to vRealize Automation as a tenant administrator.
b Select Administration > Directories Management > Identity Providers.
c Click Add Identity Provider and provide the configuration information.
Option: Action
Identity Provider Name: Enter a name for the new Identity Provider.
Identity Provider Metadata (URI or XML) text box: Paste the contents of your SSO2 idp.xml metadata file in the text box and click Process IDP Metadata.
Name ID Policy in SAML Request (Optional): Enter http://schemas.xmlsoap.org/claims/UPN.
Users: Select the domains to which you want users to have access privileges.
Network: Select the network ranges from which you want users to have access privileges. If you want to authenticate users from any IP address, select All Ranges.
Authentication Methods: Enter a name for the authentication method. Then, use the SAML Context drop-down menu to the right to map the authentication method to urn:oasis:names:tc:SAML:2.0:ac:classes:Password.
SAML Signing Certificate: Click the link beside the SAML Metadata heading to download the Directories Management metadata.
d Save the Directories Management metadata file as sp.xml.
e Click Add.
3 Update the relevant authentication policy using the Directories Management Policies page to redirect authentication to the third-party SSO2 identity provider.
a Select Administration > Directories Management > Policies.
b Click the default policy name.
c Click the authentication method under the Policy Rules heading to edit the existing authentication rule.
d On the Edit a Policy Rule page, change the authentication method from password to the appropriate method.
In this case, the method should be SSO2.
e Click Save to save your policy updates.
4 On the left navigation pane, select Administration > Single Sign On > , and click Update to upload the sp.xml file to vSphere.
Add Users or Groups to an Active Directory Connection
You can add users or groups to an existing Active Directory connection.
The Directories Management user authentication system imports data from Active Directory when adding groups and users, and the speed of the system is limited by Active Directory capabilities. As a result, import operations may require a significant amount of time depending on the number of groups and users being added. To minimize the potential for delays or problems, limit the number of groups and users to only those required for vRealize Automation operation. If performance degrades or if errors occur, close any unneeded applications and ensure that your deployment has appropriate memory allocated to Active Directory. If problems persist, increase the Active Directory memory allocation as needed. For deployments with large numbers of users and groups, you may need to increase the Active Directory memory allocation to as much as 24 GB.
When running a synchronize operation for a vRealize Automation deployment with many users and groups, there may be a delay after the Sync is in progress message disappears before the Sync Log details are displayed. Also, the time stamp on the log file may differ from the time that the user interface indicates that the synchronize operation completed.
Note: You cannot cancel a synchronize operation after it has been initiated.
Prerequisites
- Connector installed and the activation code activated. Select the required default attributes and add additional attributes on the User Attributes page.
- List of the Active Directory groups and users to sync from Active Directory.
- For Active Directory over LDAP, the information required includes the Base DN, Bind DN, and Bind DN password.
- For Active Directory Integrated Windows Authentication, the information required includes the domain's Bind user UPN address and password.
- If Active Directory is accessed over SSL, a copy of the SSL certificate is required.
- For Active Directory Integrated Windows Authentication, when you have multi-forest Active Directory configured and the Domain Local group contains members from domains in different forests, make sure that the Bind user is added to the Administrators group of the domain in which the Domain Local group resides. If this is not done, these members are missing from the Domain Local group.
- Log in to the vRealize Automation console as a tenant administrator.
Procedure
1 Select Administration > Directories Management > Directories
2 Click the desired directory name.
3 Click Sync to open a dialog with synchronization options.
4 Click the appropriate icon depending on whether you want to change the user or group configuration.
To edit the group configuration:
- To add groups, click the + icon to add a new line for group DN definitions and enter the appropriate group DN.
- If you want to delete a group DN definition, click the x icon for the desired group DN.
To edit the user configuration:
- To add users, click the + icon to add a new line for user DN definitions and enter the appropriate user DN.
- If you want to delete a user DN definition, click the x icon for the desired user DN.
5 Click Save to save your changes without synchronizing, or click Save & Sync to save your changes and synchronize to implement your updates immediately.
Select Attributes to Sync with Directory
When you set up the Directories Management directory to sync with Active Directory, you specify the user attributes that sync to the directory. Before you set up the directory, you can specify on the User Attributes page which default attributes are required and, if you want, add additional attributes that you want to map to Active Directory attributes.
When you configure the User Attributes page before the directory is created, you can change default attributes from required to not required, mark attributes as required, and add custom attributes.
For a list of the default mapped attributes, see “Managing User Attributes that Sync from Active Directory,” on page 91.
After the directory is created, you can change a required attribute to not be required, and you can delete custom attributes. You cannot change an attribute to be a required attribute.
When you add other attributes to sync to the directory after the directory is created, go to the directory's Mapped Attributes page to map these attributes to Active Directory attributes.
Procedure
1 Log in to vRealize Automation as a system or tenant administrator.
2 Click the Administration tab.
3 Select Directories Management > User Attributes.
4 In the Default Attributes section, review the required attribute list and make appropriate changes to reflect which attributes should be required.
5 In the Attributes section, add the Directories Management directory attribute name to the list.
6 Click Save.
The default aribute status is updated and aributes you added are added on the directory's Mapped Aributes list.
7 After the directory is created, go to the Identity Stores page and select the directory.
8 Click Sync > Mapped Attributes.
9 In the drop-down menu for the attributes that you added, select the Active Directory attribute to map to.
10 Click Save.
The directory is updated the next time the directory syncs to the Active Directory.
Add Memory to Directories Management
You may need to allocate additional memory to Directories Management if you have Active Directory connections that contain a large number of users or groups.
By default, 4 GB of memory is allocated to the Directories Management service. This is sufficient for many small to medium sized deployments. If you have an Active Directory connection that uses a large number of users or groups, you may need to increase this memory allocation. Increased memory allocation is appropriate for systems with more than 100,000 users, each in 30 groups, and 750 groups overall. For these systems, VMware recommends increasing the Directories Management memory allocation to 6 GB.
Directories Management memory is calculated based on the total memory allocated to the vRealize Automation appliance. The following table shows memory allocations for relevant components.
Table 25. vRealize Automation appliance Memory Allocation
Virtual Appliance Memory vRA service memory vIDM service memory
18 GB 3.3 GB 4 GB
24 GB 4.9 GB 6 GB
30 GB 7.4 GB 9.1 GB
N These allocations assume that all default services are enabled and running on the virtual appliance. They may change if some services are stopped.
Prerequisites
- An appropriate Active Directory connection is configured and functioning on your vRealize Automation deployment.
Procedure
1 Stop each machine on which a vRealize Automation appliance is running.
2 Increase the virtual appliance memory allocation on each machine.
If you are using the default memory allocation of 18 GB, VMware recommends increasing the memory allocation to 24 GB.
3 Restart the vRealize Automation appliance machines.
Create a Domain Host Lookup File to Override DNS Service Location (SRV) Lookup
When you enable Integrated Windows Authentication, the Directory configuration is changed to enable the DNS Service Location field. The connector service location lookup is not site aware. If you want to override the random DC selection, you can create a file called domain_krb.properties and add the domain to host values that take precedence over SRV lookup.
Procedure
1 From the appliance-va command line, log in as the user with root privileges.
2 Change directories to /usr/local/horizon/conf and create a file called domain_krb.properties.
3 Edit the domain_krb.properties file to add the list of the domain to host values. Add the information as <AD Domain>=<host:port>, <host2:port2>, <host3:port3>.
For example, enter the list as example.com=examplehost.com:636, examplehost2.example.com:389
4 Change the owner of the domain_krb.properties file to horizon and group to www. Enter chown horizon:www /usr/local/horizon/conf/domain_krb.properties.
5 Restart the service. Enter service horizon-workspace restart.

Managing User Attributes that Sync from Active Directory

The Directories Management User Attributes page lists the user attributes that sync to your Active Directory connection.
Changes that are made and saved in the User Attributes page are added to the Mapped Attributes page in the Directories Management directory. The attribute changes are updated to the directory with the next sync to Active Directory.
The User Attributes page lists the default directory attributes that can be mapped to Active Directory attributes. You select the attributes that are required, and you can add other Active Directory attributes that you want to sync to the directory.
Table 26. Default Active Directory Attributes to Sync to Directory
Directory Attribute Name             Default Mapping to Active Directory Attribute
userPrincipalName                    userPrincipalName
distinguishedName                    distinguishedName
employeeId                           employeeID
domain                               canonicalName. Adds the fully qualified domain name of the object.
disabled (external user disabled)    userAccountControl. Flagged with UF_Account_Disable. When an account is disabled, users cannot log in to access their applications and resources. The resources that users were entitled to are not removed from the account, so that when the flag is removed from the account users can log in and access their entitled resources.
phone                                telephoneNumber
lastName                             sn
firstName                            givenName
email                                mail
userName                             sAMAccountName
The User Aributes page lists the default directory aributes that can be mapped to Active Directory aributes. You select the aributes that are required, and you can add other Active Directory aributes that you want to sync to the directory.
Table 27. Default Active Directory Attributes to Sync to Directory
Directory Attribute Name Default Mapping to Active Directory Attribute
userPrincipalName userPrincipalName
distinguishedName distinguishedName
employeeId employeeID
domain canonicalName. Adds the fully qualied domain name of
object.
disabled (external user disabled) userAccountControl. Flagged with UF_Account_Disable
When an account is disabled, users cannot log in to access their applications and resources. The resources that users were entitled to are not removed from the account so that when the ag is removed from the account users can log in and access their entitled resources.
phone telephoneNumber
VMware, Inc. 91
Configuring vRealize Automation
Table 27. Default Active Directory Attributes to Sync to Directory (Continued)
Directory Attribute Name Default Mapping to Active Directory Attribute
lastName sn
rstName givenName
email mail
userName sAMAccountName

Managing Connectors

The Connectors page lists deployed connectors for your enterprise network. A connector syncs user and group data between Active Directory and the Directories Management service, and when it is used as the identity provider, authenticates users to the service.
In vRealize Automation, each vRealize Automation appliance contains its own connector, and these connectors are suitable for most deployments.
When you associate a directory with a connector instance, the connector creates a partition for the associated directory called a worker. A connector instance can have multiple workers associated with it. Each worker acts as an identity provider. The connector syncs user and group data between Active Directory and the service through one or more workers. You define and configure authentication methods on a per-worker basis.
You can manage various aspects of an Active Directory link from the Connectors page. This page contains a table and several buttons that enable you to complete various management tasks.
- In the Worker column, select a worker to view the connector's details and navigate to the Auth Adapters page to see the status of the available authentication methods. For information about authentication, see “Integrating Alternative User Authentication Products with Directories Management,” on page 101.
- In the Identity Provider column, select the IdP to view, edit or disable. See “Configure an Identity Provider Instance,” on page 110.
- In the Associated Directory column, access the directory associated with this worker.
- Click Join Domain to join the connector to a specific Active Directory domain. For example, when you configure Kerberos authentication, you must join the Active Directory domain that either contains the users or has a trust relationship with the domains containing the users.
- When you configure a directory with an Integrated Windows Authentication Active Directory, the connector joins the domain according to the configuration details.

Join a Connector Machine to a Domain

In some cases, you may need to join a machine containing a Directories Management connector to a domain.
For Active Directory over LDAP directories, you can join a domain after creating the directory. For Active Directory (Integrated Windows Authentication) directories, the connector is joined to the domain automatically when you create the directory. In both cases, you must supply the appropriate credentials.
To join a domain, you need Active Directory credentials that have the privilege to "join computer to AD domain". This is configured in Active Directory with the following rights:
- Create Computer Objects
- Delete Computer Objects
When you join a domain, a computer object is created in the default location in Active Directory.
If you do not have the rights to join a domain, or if your company policy requires a custom location for the computer object, you must ask your administrator to create the object and then join the connector machine to the domain.
Procedure
1 Ask your Active Directory administrator to create the computer object in Active Directory in a location determined by your company policy. You must provide the host name of the connector. Ensure that you provide the fully-qualified domain name, for example server.example.com.
You can find the host name in the Host Name column on the Connectors page in the administrative console. Select Administration > Directories Management > Connectors.
2 After the computer object is created, click Join Domain on the Connectors page to join the domain using any domain user account available in Directories Management.

About Domain Controller Selection

The domain_krb.properties le determines which domain controllers are used for directories that have DNS Service Location (SRV records) lookup enabled. It contains a list of domain controllers for each domain. The connector creates the le initially, and you must maintain it subsequently. The le overrides DNS Service Location (SRV) lookup.
The following types of directories have DNS Service Location lookup enabled.
Active Directory over LDAP with the This Directory supports DNS Service Location option selected
n
Active Directory (Integrated Windows Authentication), which always has DNS Service Location lookup
n
enabled
When you rst create a directory that has DNS Service Location lookup enabled, a domain_krb.properties le is created automatically in the /usr/local/horizon/conf directory of the virtual machine and is auto- populated with domain controllers for each domain. To populate the le, the connector aempts to nd domain controllers that are at the same site as the connector and selects two that are reachable and that respond the fastest.
When you create additional directories that have DNS Service Location enabled, or add new domains to an Integrated Windows Authentication directory, the new domains, and a list of domain controllers for them, are added to the le.
You can override the default selection at any time by editing the domain_krb.properties le. As a best practice, after you create a directory, view the domain_krb.properties le and verify that the domain controllers listed are the optimal ones for your conguration. For a global Active Directory deployment that has multiple domain controllers across dierent geographical locations, using a domain controller that is in close proximity to the connector ensures faster communication with Active Directory.
You must also update the file manually for any other changes. The following rules apply.
- The domain_krb.properties file is created in the virtual machine that contains the connector. In a typical deployment, with no additional connectors deployed, the file is created in the Directories Management service virtual machine. If you are using an additional connector for the directory, the file is created in the connector virtual machine. A virtual machine can only have one domain_krb.properties file.
- The file is created, and auto-populated with domain controllers for each domain, when you first create a directory that has DNS Service Location lookup enabled.
- Domain controllers for each domain are listed in order of priority. To connect to Active Directory, the connector tries the first domain controller in the list. If it is not reachable, it tries the second one in the list, and so on.
- The file is updated only when you create a new directory that has DNS Service Location lookup enabled or when you add a domain to an Integrated Windows Authentication directory. The new domain and a list of domain controllers for it are added to the file.
Note that if an entry for a domain already exists in the file, it is not updated. For example, if you created a directory, then deleted it, the original domain entry remains in the file and is not updated.
- The file is not updated automatically in any other scenario. For example, if you delete a directory, the domain entry is not deleted from the file.
- If a domain controller listed in the file is not reachable, edit the file and remove it.
- If you add or edit a domain entry manually, your changes will not be overwritten.
How Domain Controllers are Selected to Auto-Populate the domain_krb.properties File
To auto-populate the domain_krb.properties le, domain controllers are selected by rst determining the subnet on which the connector resides (based on the IP address and netmask), then using the Active Directory conguration to identify the site of that subnet, geing the list of domain controllers for that site, ltering the list for the appropriate domain, and picking the two domain controllers that respond the fastest.
To detect the domain controllers that are the closest, VMware Identity Manager has the following requirements.
The subnet of the connector must be present in the Active Directory conguration, or a subnet must be
n
specied in the runtime-config.properties le.
The subnet is used to determine the site.
The Active Directory conguration must be site aware.
n
If the subnet cannot be determined or if your Active Directory conguration is not site aware, DNS Service Location lookup is used to nd domain controllers, and the le is populated with a few domain controllers that are reachable. Note that these domain controllers may not be at the same geographical location as the connector, which can result in delays or timeouts while communicating with Active Directory. In this case, edit the domain_krb.properties le manually and specify the correct domain controllers to use for each domain.
Sample domain_krb.properties File
example.com=host1.example.com:389,host2.example.com:389
- Override the Default Subnet Selection on page 94
To auto-populate the domain_krb.properties file, the connector attempts to find domain controllers that are at the same site so there is minimal latency between the connector and Active Directory.
- Edit the domain_krb.properties file on page 95
The /usr/local/horizon/conf/domain_krb.properties file determines the domain controllers to use for directories that have DNS Service Location lookup enabled. You can edit the file at any time to modify the list of domain controllers for a domain, or to add or delete domain entries. Your changes will not be overridden.
- Troubleshooting domain_krb.properties on page 96
Use this information to troubleshoot the domain_krb.properties file.
Override the Default Subnet Selection
To auto-populate the domain_krb.properties le, the connector aempts to nd domain controllers that are at the same site so there is minimal latency between the connector and Active Directory.
To nd the site, the connector determines the subnet on which it resides, based on its IP address and netmask, then uses the Active Directory conguration to identify the site for that subnet. If the subnet of the virtual machine is not in Active Directory, or if you want to override the automatic subnet selection, you can specify a subnet in the runtime-config.properties le.
Procedure
1 Log in to the Directories Management virtual machine as the root user.
N If you are using an additional connector for the directory, log in to the connector virtual machine.
2 Edit the /usr/local/horizon/conf/runtime-config.properties le and add the following aribute.
siteaware.subnet.override=subnet
where subnet is a subnet for the site whose domain controllers you want to use. For example:
siteaware.subnet.override=10.100.0.0/20
3 Save and close the file.
4 Restart the service.
service horizon-workspace restart
Edit the domain_krb.properties file
The /usr/local/horizon/conf/domain_krb.properties le determines the domain controllers to use for directories that have DNS Service Location lookup enabled. You can edit the le at any time to modify the list of domain controllers for a domain, or to add or delete domain entries. Your changes will not be overridden.
The le is initially created and auto-populated by the connector. You need to update it manually in some scenarios.
If the domain controllers selected by default are not the optimal ones for your conguration, edit the le
n
and specify the domain controllers to use.
If you delete a directory, delete the corresponding domain entry from the le.
n
If any domain controllers in the le are not reachable, remove them from the le.
n
See also “About Domain Controller Selection,” on page 93.
Procedure
1 Log in to the Directories Management virtual machine as the root user.
N If you are using an additional connector for the directory, log in to the connector virtual machine.
2 Change directories to /usr/local/horizon/conf.
3 Edit the domain_krb.properties file to add or edit the list of domain to host values.
Use the following format:
domain=host:port,host2:port,host3:port
For example:
example.com=examplehost1.example.com:389,examplehost2.example.com:389
List the domain controllers in order of priority. To connect to Active Directory, the connector tries the first domain controller in the list. If it is not reachable, it tries the second one in the list, and so on.
Important: Domain names must be in lowercase.
4 Change the owner of the domain_krb.properties file to horizon and group to www using the following command:
chown horizon:www /usr/local/horizon/conf/domain_krb.properties
5 Restart the service.
service horizon-workspace restart
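The file format and maintenance rules above, as an added checker that is not part of the original documentation: it parses a domain_krb.properties file, flags the problems this section describes (domain names that are not lowercase, stale duplicate entries, malformed host:port items), walks the controllers in the listed priority order the way the connector does, and lists unreachable ones for manual removal. The sample file contents, function names and the TCP probe are assumptions.

```python
"""Validate /usr/local/horizon/conf/domain_krb.properties and model the
connector's ordered fallback through the listed domain controllers.
Added example for this section, not VMware code: the parser, the check
functions and the sample file contents are constructed assumptions."""
import re
from typing import Callable, Dict, List, Optional, Tuple

DomainControllers = Dict[str, List[Tuple[str, int]]]
Reachable = Callable[[str, int], bool]

# Constructed sample in the documented "domain=host:port,host2:port" format.
# The second and third entries are deliberately faulty so the checks fire:
# a mixed-case domain name, and a port that is not a number.
SAMPLE_PROPERTIES = """\
# domain controllers in priority order (constructed sample)
example.com=host1.example.com:389,host2.example.com:389
Corp.Example.COM=dc1.corp.example.com:636
lab.example.com=dc-a.lab.example.com:notaport,dc-b.lab.example.com:389
"""

# Host names: labels of letters, digits and hyphens joined by dots.
HOST_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


def parse_domain_krb(text: str) -> Tuple[DomainControllers, List[str]]:
    """Return {domain: [(host, port), ...]} preserving file order (the
    connector tries the first controller, then the second, and so on) plus
    a list of problems: non-lowercase domain names, duplicate domain
    entries, malformed host:port items and domains left with no controller."""
    entries: DomainControllers = {}
    problems: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            problems.append(f"line {lineno}: expected domain=host:port,...")
            continue
        domain, _, hosts = line.partition("=")
        domain = domain.strip()
        key = domain.lower()
        if domain != key:
            problems.append(f"line {lineno}: domain '{domain}' must be lowercase")
        if key in entries:
            # An existing entry is never updated automatically, so a second
            # line for the same domain is almost certainly a stale leftover.
            problems.append(f"line {lineno}: duplicate entry for {key}")
        dcs: List[Tuple[str, int]] = []
        for item in hosts.split(","):
            item = item.strip()
            host, sep, port = item.rpartition(":")
            if (not sep or not HOST_RE.match(host) or not port.isdigit()
                    or not 0 < int(port) < 65536):
                problems.append(f"line {lineno}: bad host:port '{item}'")
                continue
            dcs.append((host, int(port)))
        if not dcs:
            problems.append(f"line {lineno}: no usable domain controller for {key}")
        entries[key] = dcs
    return entries, problems


def select_domain_controller(entries: DomainControllers, domain: str,
                             reachable: Reachable) -> Optional[Tuple[str, int]]:
    """First reachable controller for the domain in priority order, or None."""
    for host, port in entries.get(domain.lower(), []):
        if reachable(host, port):
            return host, port
    return None


def unreachable_controllers(entries: DomainControllers,
                            reachable: Reachable) -> List[Tuple[str, str, int]]:
    """Controllers to remove from the file by hand; the connector never
    prunes them itself, so a dead first entry costs a timeout on every bind."""
    return [(domain, host, port)
            for domain, dcs in entries.items()
            for host, port in dcs
            if not reachable(host, port)]


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> bool:
    """Real reachability probe (plain TCP connect) for use on the appliance."""
    import socket
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    import sys
    path = (sys.argv[1] if len(sys.argv) > 1
            else "/usr/local/horizon/conf/domain_krb.properties")
    with open(path) as fh:
        parsed, issues = parse_domain_krb(fh.read())
    for issue in issues:
        print("problem:", issue)
    for entry in unreachable_controllers(parsed, probe_tcp):
        print("unreachable, remove by hand:", entry)
```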
Troubleshooting domain_krb.properties
Use this information to troubleshoot the domain_krb.properties file.
"Error resolving domain" error
If the domain_krb.properties file already includes an entry for a domain, and you try to create a new directory of a different type for the same domain, an "Error resolving domain" error occurs. You must edit the domain_krb.properties file and manually remove the domain entry before creating the new directory.
Domain controllers are unreachable
Once a domain entry is added to the domain_krb.properties file, it is not updated automatically. If any domain controllers listed in the file become unreachable, edit the file manually and remove them.

Managing Access Policies

The Directories Management policies are a set of rules that specify criteria that must be met for users to access their app portal or to launch specified Web applications.
You create the rule as part of a policy. Each rule in a policy can specify the following information.
- The network range where users are allowed to log in from, such as inside or outside the enterprise network.
- The device type that can access through this policy.
- The order in which the enabled authentication methods are applied.
- The number of hours the authentication is valid.
- A custom access denied message.
Note: The policies do not control the length of time that a Web application session lasts. They control the amount of time that users have to launch a Web application.
The Directories Management service includes a default policy that you can edit. This policy controls access to the service as a whole. See “Applying the Default Access Policy,” on page 113. To control access to specific Web applications, you can create additional policies. If you do not apply a policy to a Web application, the default policy applies.
Configuring Access Policy Settings
A policy contains one or more access rules. Each rule consists of settings that you can configure to manage user access to their application portals as a whole or to specified Web applications.
Network Range
For each rule, you determine the user base by specifying a network range. A network range consists of one or more IP ranges. You create network ranges from the Identity & Access Management tab, Setup > Network Ranges page, prior to configuring access policy sets.
Device Type
Select the type of device that the rule manages. The client types are Web Browser, Identity Manager Client App, iOS, Android, and All device types.
Authentication Methods
Set the priority of the authentication methods for the policy rule. The authentication methods are applied in the order they are listed. The first identity provider instance that meets the authentication method and network range configuration in the policy is selected, and the user authentication request is forwarded to that identity provider instance for authentication. If authentication fails, the next authentication method in the list is selected. If Certificate authentication is used, this method must be the first authentication method in the list.
You can configure access policy rules to require users to pass credentials through two authentication methods before they can sign in. If one or both authentication methods fail and fallback methods are also configured, users are prompted to enter their credentials for the next authentication methods that are configured. The following two scenarios describe how authentication chaining can work.
- In the first scenario, the access policy rule is configured to require users to authenticate with their password and with their Kerberos credential. Fallback authentication is set up to require the password and the RADIUS credential for authentication. A user enters the password correctly, but fails to enter the correct Kerberos authentication credential. Since the user entered the correct password, the fallback authentication request is only for the RADIUS credential. The user does not need to re-enter the password.
- In the second scenario, the access policy rule is configured to require users to authenticate with their password and their Kerberos credential. Fallback authentication is set up to require RSA SecurID and a RADIUS credential for authentication. A user enters the password correctly but fails to enter the correct Kerberos authentication credential. The fallback authentication request is for both the RSA SecurID credential and the RADIUS credential for authentication.
Authentication Session Length
For each rule, you set the length that this authentication is valid. The value determines the maximum amount of time users have since their last authentication event to access their portal or to launch a specic Web application. For example, a value of 4 in a Web application rule gives users four hours to launch the web application unless they initiate another authentication event that extends the time.
Custom Access Denied Error Message
When users aempt to sign in and fail because of invalid credentials, incorrect conguration, or system error, an access denied message is displayed. The default message is
Access denied as no valid authentication methods were found.
You can create a custom error message for each access policy rule that overrides the default message. The custom message can include text and a link for a call to action. For example, in a policy rule for mobile devices that you want to manage, if a user tries to sign in from an unenrolled device, the following custom error message could appear:
Please enroll your device to access corporate resources by clicking the link at the end of this
message. If your device is already enrolled, contact support for help.
Example Default Policy
The following policy serves as an example of how you can configure the default policy to control access to the apps portal. See “Manage the User Access Policy,” on page 100.
The policy rules are evaluated in the order listed. You can change the order of the policy by dragging and dropping the rule in the Policy Rules section.
In the following use case, this policy example applies to all applications.
1 Two rules cover the two network ranges:
• For the internal network (Internal Network Range), two authentication methods are configured for the rule, Kerberos and password authentication as the fallback method. To access the apps portal from an internal network, the service attempts to authenticate users with Kerberos authentication first, as it is the first authentication method listed in the rule. If that fails, users are prompted to enter their Active Directory password. Users log in using a browser and now have access to their user portals for an eight-hour session.
• For access from the external network (All Ranges), only one authentication method is configured, RSA SecurID. To access the apps portal from an external network, users are required to log in with SecurID. Users log in using a browser and now have access to their apps portals for a four-hour session.
2 When a user aempts to access a resource, except for Web applications covered by a Web-application-
specic policy, the default portal access policy applies.
For example, the re-authentication time for such resources matches the re-authentication time of the default access policy rule. If the time for a user who logs in to the apps portal is eight hours according to the default access policy rule, when the user aempts to launch a resource during the session, the application launches without requiring the user to re-authenticate.
Managing Web-Application-Specific Policies
When you add Web applications to the catalog, you can create Web-application-specific access policies. For example, you can create a policy with rules for a Web application that specifies which IP addresses have access to the application, using which authentication methods, and for how long until reauthentication is required.
The following Web-application-specific policies provide examples of policies you can create to control access to specified Web applications.
Example 1 Strict Web-Application-Specific Policy
In this example, a new policy is created and applied to a sensitive Web application.
1 To access the service from outside the enterprise network, the user is required to log in with RSA SecurID. The user logs in using a browser and now has access to the apps portal for a four hour session as provided by the default access rule.
2 After four hours, the user tries to launch a Web application with the Sensitive Web Applications policy set applied.
3 The service checks the rules in the policy and applies the rule for the ALL RANGES network range, because the user request is coming from a Web browser and from the ALL RANGES network range.
The rule accepts the RSA SecurID authentication method the user logged in with, but the session has just expired, so the user is redirected for reauthentication. The reauthentication provides the user with another four hour session and the ability to launch the application. For the next four hours, the user can continue to launch the application without having to reauthenticate.
Example 2 Stricter Web-Application-Specific Policy
For a stricter rule to apply to extra sensitive Web applications, you could require re-authentication with RSA SecurID on any device after 1 hour. The following is an example of how this type of policy access rule is implemented.
1 The user logs in from inside the enterprise network using the password authentication method. Now, the user has access to the apps portal for eight hours, as set by the default access policy rule for the internal network.
2 The user immediately tries to launch a Web application with the Example 2 policy rule applied, which requires RSA SecurID authentication.
3 The user is redirected to an identity provider that provides RSA SecurID authentication.
4 After the user successfully logs in, the service launches the application and saves the authentication event.
The user can continue to launch this application for up to one hour but is asked to reauthenticate after an hour, as dictated by the policy rule. Note that the eight-hour portal session does not satisfy this rule: the rule is evaluated against the user's most recent RSA SecurID authentication event, not against the password login.
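The default policy example and the two Web-application-specific examples above all follow the same evaluation rules: a Web-application-specific policy takes precedence for the applications it lists, rules inside a policy are tried top to bottom and the first one whose network range and device type match wins, and the user is sent for reauthentication unless an authentication event with one of that rule's methods is younger than the rule's session length. The following Python model, an added example and not VMware code, implements those rules and reproduces the walkthroughs in Examples 1 and 2. The policy names, CIDR ranges, application names and timestamps are constructed for the example, and "0.0.0.0/0" stands in for the ALL RANGES network range.

```python
"""Model of access policy selection, rule ordering and session length.

Added example, not VMware code.  Policy names, network ranges, application
names and timestamps are constructed; "0.0.0.0/0" models ALL RANGES.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    network_range: str          # CIDR; "0.0.0.0/0" models ALL RANGES
    device_type: str            # "Web Browser", or "All Device Types" to match any device
    methods: Tuple[str, ...]    # authentication methods, in the order they are tried
    session_hours: int          # hours since the last matching authentication event


@dataclass
class Policy:
    name: str
    rules: List[Rule]                       # evaluated top to bottom, first match wins
    applies_to: frozenset = frozenset()     # Web applications; empty means the default policy


@dataclass(frozen=True)
class AuthEvent:
    method: str
    at: datetime


def select_policy(resource: str, app_policies: List[Policy], default: Policy) -> Policy:
    """A Web-application-specific policy applies to the apps it lists;
    every other resource falls under the default portal access policy."""
    for policy in app_policies:
        if resource in policy.applies_to:
            return policy
    return default


def match_rule(policy: Policy, client_ip: str, device: str) -> Optional[Rule]:
    """Return the first rule whose network range and device type both match."""
    ip = ip_address(client_ip)
    for rule in policy.rules:
        in_range = ip in ip_network(rule.network_range)
        on_device = rule.device_type in (device, "All Device Types")
        if in_range and on_device:
            return rule
    return None


def needs_reauth(rule: Rule, events: List[AuthEvent], now: datetime) -> bool:
    """True unless some authentication event used one of the rule's methods
    and is no older than the rule's session length."""
    window = timedelta(hours=rule.session_hours)
    return not any(e.method in rule.methods and now - e.at <= window for e in events)


def decide(resource: str, client_ip: str, device: str, events: List[AuthEvent],
           now: datetime, app_policies: List[Policy], default: Policy):
    """Return ("launch" | "reauth" | "deny", matched rule or None)."""
    policy = select_policy(resource, app_policies, default)
    rule = match_rule(policy, client_ip, device)
    if rule is None:
        return "deny", None  # no rule covers this network range / device type
    return ("reauth" if needs_reauth(rule, events, now) else "launch"), rule


# Constructed policies mirroring the examples in the text.
DEFAULT_POLICY = Policy("default_access_policy_set", rules=[
    Rule("10.0.0.0/8", "Web Browser", ("kerberos", "password"), 8),  # Internal Network Range
    Rule("0.0.0.0/0", "Web Browser", ("rsa_securid",), 4),           # ALL RANGES
])
SENSITIVE = Policy("Sensitive Web Applications", rules=[
    Rule("0.0.0.0/0", "Web Browser", ("rsa_securid",), 4),
], applies_to=frozenset({"payroll"}))
EXTRA_SENSITIVE = Policy("Extra Sensitive Web Applications", rules=[
    Rule("0.0.0.0/0", "All Device Types", ("rsa_securid",), 1),
], applies_to=frozenset({"hr-admin"}))
APP_POLICIES = [SENSITIVE, EXTRA_SENSITIVE]

T0 = datetime(2016, 6, 1, 9, 0)  # constructed clock origin for the walkthroughs


def later(hours: int = 0, minutes: int = 0) -> datetime:
    """Timestamp relative to T0, so scenarios read as "four hours after login"."""
    return T0 + timedelta(hours=hours, minutes=minutes)


if __name__ == "__main__":
    # Example 2: internal password login does not satisfy the one-hour SecurID rule.
    events = [AuthEvent("password", T0)]
    print(decide("hr-admin", "10.0.0.5", "Web Browser", events, T0, APP_POLICIES, DEFAULT_POLICY))
```

The `decide` call in the `__main__` block returns `("reauth", ...)`: the user is on the internal network with a fresh password session, but the Extra Sensitive rule only counts RSA SecurID events, so the portal session is irrelevant. Adding an `AuthEvent("rsa_securid", ...)` flips the result to `"launch"` for the next hour and back to `"reauth"` after it, which is the sequence described in Example 2. `match_rule` returning `None` (a device type no rule covers) maps to `"deny"`, which is where the custom access denied message of a rule would be shown.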
Manage the User Access Policy
vRealize Automation is supplied with a default user access policy that you can use as is or edit as needed to manage tenant access to applications. You cannot add new policies; you edit the existing policy to add rules.
Prerequisites
Select or congure the appropriate identity providers for your deployment. See “Congure an Identity
n
Provider Instance,” on page 110.
Congure the appropriate network ranges for your deployment. See “Add or Edit a Network Range,”
n
on page 111.
Congure the appropriate authentication methods for your deployment. See “Integrating Alternative
n
User Authentication Products with Directories Management,” on page 101.
If you plan to edit the default policy (to control user access to the service as a whole), congure it before
n
creating Web-application-specic policy.
Add Web applications to the Catalog. The Web applications must be listed in the Catalog page before
n
you can add a policy.
Log in to the vRealize Automation console as a tenant administrator.
n
Procedure
1 Select Administration > Directories Management > Policies.
2 Click Edit Policy.
3 Add a policy name and description in the respective text boxes.
4 In the Applies To section, click Select and in the page that appears, select the Web applications that are
associated with this policy.
5 In the Policy Rules section, click + to add a rule.
The Add a Policy Rule page appears.
a Select the network range to apply to this rule.
b Select the type of device that can access the web applications for this rule.
c Select the authentication methods to use in the order the method should be applied.
d Specify the number of hours a Web application session stays open before reauthentication is required.
e Click Save.
6 Congure additional rules as appropriate.
7 Click Save.