
Configuring vRealize Automation
vRealize Automation 7.2

Configuring vRealize Automation
You can find the most up-to-date technical documentation on the VMware website at:
https://docs.vmware.com/
If you have comments about this documentation, submit your feedback to
docfeedback@vmware.com
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
Copyright © 2015–2017 VMware, Inc. All rights reserved. Copyright and trademark information.
VMware, Inc. 2

Contents
Configuring vRealize Automation 7
Updated Information 8
1 External Preparations for Provisioning 9
Preparing Your Environment for vRealize Automation Management 9
Checklist for Preparing NSX Network and Security Configuration 10
Checklist for Preparing For Third-Party IPAM Provider Support 13
Checklist for Configuring Containers for vRealize Automation 16
Preparing Your vCloud Director Environment for vRealize Automation 17
Preparing Your vCloud Air Environment for vRealize Automation 18
Preparing Your Amazon AWS Environment 18
Preparing Red Hat OpenStack Network and Security Features 24
Preparing Your SCVMM Environment 25
Preparing for Machine Provisioning 26
Choosing a Machine Provisioning Method to Prepare 26
Checklist for Running Visual Basic Scripts During Provisioning 28
Using vRealize Automation Guest Agent in Provisioning 29
Checklist for Preparing to Provision by Cloning 37
Preparing for vCloud Air and vCloud Director Provisioning 50
Preparing for Linux Kickstart Provisioning 51
Preparing for SCCM Provisioning 54
Preparing for WIM Provisioning 55
Preparing for Virtual Machine Image Provisioning 66
Preparing for Amazon Machine Image Provisioning 67
Scenario: Prepare vSphere Resources for Machine Provisioning in Rainpole 69
Preparing for Software Provisioning 72
Preparing to Provision Machines with Software 72
Scenario: Prepare a vSphere CentOS Template for Clone Machine and Software Component Blueprints 77
Scenario: Prepare for Importing the Dukes Bank for vSphere Sample Application Blueprint 81
2 Configuring Tenant Settings 86
Choosing Directories Management Configuration Options 87
Directories Management Overview 88
Using Directories Management to Create an Active Directory Link 91
Managing User Attributes that Sync from Active Directory 110
Managing Connectors and Connector Clusters 111
Join a Connector Machine to a Domain 112
About Domain Controller Selection 113
Managing Access Policies 117
Integrating Alternative User Authentication Products with Directories Management 122
Upgrading External Connectors for Directories Management 142
Preparing to Upgrade an External Connector 143
Upgrade an External Connector Online 144
Upgrade an External Connector Offline 145
Configuring Settings After Upgrading an External Connector 148
Troubleshooting External Connector Upgrade Errors 149
Scenario: Configure an Active Directory Link for a Highly Available vRealize Automation 150
Configure Smart Card Authentication for vRealize Automation 152
Generate a Connector Activation Token 153
Deploy the Connector OVA File 154
Configure Connector Settings 155
Apply Public Certificate Authority 156
Create a Workspace Identity Provider 158
Configure Certificate Authentication and Configure Default Access Policy Rules 159
Create a Multi Domain or Multi Forest Active Directory Link 159
Configuring Groups and User Roles 161
Assign Roles to Directory Users or Groups 161
Create a Custom Group 162
Create a Business Group 163
Troubleshooting Slow Performance When Displaying Group Members 165
Scenario: Configure the Default Tenant for Rainpole 165
Scenario: Create Local User Accounts for Rainpole 166
Scenario: Connect Your Corporate Active Directory to vRealize Automation for Rainpole 167
Scenario: Configure Branding for the Default Tenant for Rainpole 169
Scenario: Create a Custom Group for Your Rainpole Architects 169
Scenario: Assign IaaS Administrator Privileges to Your Custom Group of Rainpole Architects 170
Create Additional Tenants 171
Specify Tenant Information 172
Configure Local Users 172
Appoint Administrators 173
Delete a Tenant 173
Configuring Custom Branding 174
Custom Branding for Tenant Login Page 174
Custom Branding for Tenant Applications 175
Checklist for Configuring Notifications 176
Configuring Global Email Servers for Notifications 179
Add a Tenant-Specific Outbound Email Server 181
Add a Tenant-Specific Inbound Email Server 182
Override a System Default Outbound Email Server 183
Override a System Default Inbound Email Server 184
Revert to System Default Email Servers 185
Configure Notifications 185
Customize the Date for Email Notification for Machine Expiration 185
Configuring Templates for Automatic IaaS Emails 186
Subscribe to Notifications 186
Create a Custom RDP File to Support RDP Connections for Provisioned Machines 187
Scenario: Add Datacenter Locations for Cross Region Deployments 187
Configuring vRealize Orchestrator and Plug-Ins 189
Configure the Default Workflow Folder for a Tenant 189
Configure an External vRealize Orchestrator Server 190
Log in to the vRealize Orchestrator Configuration Interface 191
Log in to the vRealize Orchestrator Client 191
3 Configuring Resources 193
Checklist for Configuring IaaS Resources 193
Store User Credentials 194
Choosing an Endpoint Scenario 196
Create a Fabric Group 217
Configure Machine Prefixes 218
Managing Key Pairs 219
Creating a Network Profile 220
Configuring Reservations and Reservation Policies 241
Scenario: Configure IaaS Resources for Rainpole 281
Scenario: Apply a Location to a Compute Resource for Cross Region Deployments 284
Checklist for Provisioning a vRealize Automation Deployment Using an External IPAM Provider 285
Configuring XaaS Resources 286
Configure the Active Directory Plug-In as an Endpoint 287
Configure the HTTP-REST Plug-In as an Endpoint 288
Configure the PowerShell Plug-In as an Endpoint 291
Configure the SOAP Plug-In as an Endpoint 292
Configure the vCenter Server Plug-In as an Endpoint 293
Create a Microsoft Azure Endpoint 295
Creating and Configuring Containers 297
View and Manage Container Hosts 298
Using Container Deployment Placements 299
Using Container Placement Zones 301
Configuring Container Settings 301
Configuring and Using Templates and Images in Containers 307
Using Container Registries 311
Configuring Network Resources for Containers 313
Installing Additional Plug-Ins on the Default vRealize Orchestrator Server 317
Working With Active Directory Policies 317
Create and Apply Active Directory Policies 318
4 Providing On-Demand Services to Users 322
Designing Blueprints 322
Exporting and Importing Blueprints 324
Scenario: Importing the Dukes Bank for vSphere Sample Application and Configuring for Your Environment 325
Scenario: Test the Dukes Bank Sample Application 329
Building Your Design Library 330
Designing Machine Blueprints 332
Designing Software Components 401
Designing XaaS Blueprints and Resource Actions 419
Publishing a Blueprint 478
Assembling Composite Blueprints 479
Understanding Nested Blueprint Behavior 481
Selecting a Machine Component that Supports Software Components 484
Creating Property Bindings Between Blueprint Components 484
Creating Explicit Dependencies and Controlling the Order of Provisioning 485
Scenario: Assemble and Test a Blueprint to Deliver MySQL on Rainpole Linked Clone Machines 486
Managing the Service Catalog 489
Checklist for Configuring the Service Catalog 490
Creating a Service 491
Working with Catalog Items and Actions 493
Creating Entitlements 496
Working with Approval Policies 503
Scenario: Configure the Catalog for Rainpole Architects to Test Blueprints 522
Scenario: Test Your Rainpole CentOS Machine 525
Scenario: Make the CentOS with MySQL Application Blueprint Available in the Service Catalog 526
Scenario: Create and Apply CentOS with MySQL Approval Policies 530

Configuring vRealize Automation
Configuring vRealize Automation provides information about configuring vRealize Automation and your external environments to prepare for vRealize Automation provisioning and catalog management.
For information about supported integrations, see https://www.vmware.com/pdf/vrealize-automation-72-support-matrix.pdf.
Intended Audience
This information is intended for IT professionals who are responsible for configuring a vRealize Automation environment, and for infrastructure administrators who are responsible for preparing elements in their existing infrastructure for use in vRealize Automation provisioning. The information is written for experienced Windows and Linux system administrators who are familiar with virtual machine technology and datacenter operations.
VMware Technical Publications Glossary
VMware Technical Publications provides a glossary of terms that might be unfamiliar to you. For
definitions of terms as they are used in VMware technical documentation, go to
http://www.vmware.com/support/pubs.

Updated Information
Configuring vRealize Automation is updated with each release of the product or when necessary.
This table provides the update history of Configuring vRealize Automation.
Revision Description
EN-002290-05, EN-002290-04, EN-002290-03, EN-002290-02
- Updated Managing Connectors and Connector Clusters.
- Updated Configure Connector Settings.
- Updated Create a Microsoft Azure Endpoint.
- Updated Create a Blueprint for Microsoft Azure.
- Updated Configure an OpenLDAP Directory Connection.
- Updated Configure an Identity Provider Instance.
- Updated Prepare a Windows Reference Machine to Support Software.
- Updated Understanding Nested Blueprint Behavior.
- Updated Create a Microsoft Azure Endpoint.
- Updated Create a Blueprint for Microsoft Azure.
- Updated Prepare a Windows Reference Machine to Support Software.
- Updated Prepare a Linux Reference Machine to Support Software.
- Updated Preparing for Software Provisioning.
- Updated Designing Software Components.
EN-002290-01 Updated Specify External Network Profile Information By Using the Supplied IPAM Endpoint.
EN-002290-00 Initial release.

1 External Preparations for Provisioning
You may need to create or prepare some elements outside of vRealize Automation to support catalog
item provisioning. For example, if you want to provide a catalog item for provisioning a clone machine,
you need to create a template on your hypervisor to clone from.
This chapter includes the following topics:
- Preparing Your Environment for vRealize Automation Management
- Preparing for Machine Provisioning
- Preparing for Software Provisioning
Preparing Your Environment for vRealize Automation
Management
Depending on your integration platform, you might have to make some configuration changes before you
can bring your environment under vRealize Automation management, or before you can leverage certain
features.
Table 1‑1. Preparing Your Environment for vRealize Automation Integration
Environment: Preparations

NSX: If you want to leverage NSX to manage networking and security features of machines provisioned with vRealize Automation, prepare your NSX instance for integration. See Checklist for Preparing NSX Network and Security Configuration.

vCloud Director: Install and configure your vCloud Director instance, set up your vSphere and cloud resources, and identify or create appropriate credentials to provide vRealize Automation with access to your vCloud Director environment. See Preparing Your vCloud Director Environment for vRealize Automation.

vCloud Air: Register for your vCloud Air account, set up your vCloud Air environment, and identify or create appropriate credentials to provide vRealize Automation with access to your environment. See Preparing for vCloud Air and vCloud Director Provisioning.

Amazon AWS: Prepare elements and user roles in your Amazon AWS environment for use in vRealize Automation, and understand how Amazon AWS features map to vRealize Automation features. See Preparing Your Amazon AWS Environment.

Red Hat OpenStack: If you want to leverage Red Hat OpenStack to manage networking and security features of machines provisioned with vRealize Automation, prepare your Red Hat OpenStack instance for integration. See Preparing Red Hat OpenStack Network and Security Features.

SCVMM: Configure storage and networking, and understand template and hardware profile naming restrictions. See Preparing Your SCVMM Environment.

External IPAM Providers: Register an external IPAM provider package or plug-in, run the configuration workflows, and register the IPAM solution as a new vRealize Automation endpoint. See Checklist for Preparing For Third-Party IPAM Provider Support.

All other environments: You do not need to make changes to your environment. You can begin preparing for machine provisioning by creating templates, boot environments, or machine images. See Preparing for Machine Provisioning.
Checklist for Preparing NSX Network and Security Configuration
Before you can use NSX network and security options in vRealize Automation, you must configure the
external NSX network and security environment that you intend to use.
Much of the vRealize Automation support for network and security configuration that you specify in
blueprints and reservations is configured externally and made available to vRealize Automation after data
collection is run on the compute resources.
For more information about NSX settings that you can configure for vRealize Automation blueprints, see
Configuring Network and Security Component Settings.
VMware, Inc. 10

Configuring vRealize Automation
Table 1‑2. Preparing NSX Networking and Security Checklist
Task / Location / Details

Task: Install and configure the NSX plug-in.
Location: Install the NSX plug-in in vRealize Orchestrator.
Details: See Install the NSX Plug-In on vRealize Orchestrator and the NSX Administration Guide.

Task: Configure NSX network settings, including gateway and transport zone settings.
Location: Configure network settings in NSX.
Details: See the NSX Administration Guide.

Task: Create NSX security policies, tags, and groups.
Location: Configure security settings in NSX.
Details: See the NSX Administration Guide.

Task: Configure NSX load balancer settings.
Location: Configure an NSX load balancer to work with vRealize Automation.
Details: See the NSX Administration Guide. Also see Custom Properties for Networking in Custom Properties Reference.

Task: For cross-vCenter deployments, verify that the compute NSX manager has the primary NSX manager role.
Location: vRealize Automation provisioning requires that the compute NSX manager for the region in which the machines reside has the primary NSX manager role.
Details: See Administrator Requirements for Provisioning NSX Universal Objects. See the NSX Installation Guide and NSX Administration Guide for information about cross-vCenter deployment, universal objects, and the primary NSX manager role.
Install the NSX Plug-In on vRealize Orchestrator
Installing the NSX plug-in requires that you download the plug-in installer file, use the vRealize Orchestrator Configuration interface to upload the plug-in file, and install the plug-in on a vRealize Orchestrator server.
Note If you are using an embedded vRealize Orchestrator that contains an installed NSX plug-in, you do
not need to perform the following plug-in installation steps because the NSX plug-in is already installed.
For general plug-in update and troubleshooting information, see vRealize Orchestrator documentation at
https://www.vmware.com/support/pubs/orchestrator_pubs.html.
Prerequisites
- Verify that you are running a supported vRealize Orchestrator instance. For information about setting up vRealize Orchestrator, see Installing and Configuring VMware vRealize Orchestrator.
- Verify that you have credentials for an account with permission to install vRealize Orchestrator plug-ins and to authenticate through vCenter Single Sign-On.
- Verify that you installed the correct version of the NSX plug-in. See vRealize Automation Support Matrix.
- Verify that you installed the vRealize Orchestrator client and that you can log in with Administrator credentials.
Procedure
1 Download the plug-in file to a location accessible from the vRealize Orchestrator server.
The plug-in installer file name format, with appropriate version values, is o11nplugin-nsx-1.n.n.vmoapp. Plug-in installation files for the NSX networking and security product are available from the VMware product download site at http://vmware.com/web/vmware/downloads.
2 Open a browser and start the vRealize Orchestrator configuration interface.
An example of the URL format is https://orchestrator_server.com:8283.
3 Click Plug-Ins in the left pane and scroll down to the Install new plug-in section.
4 In the Plug-In file text box, browse to the plug-in installer file and click Upload and install.
The file must be in .vmoapp format.
5 At the prompt, accept the license agreement in the Install a plug-in pane.
6 In the Enabled plug-ins installation status section, confirm that the correct NSX plug-in name is specified.
See vRealize Automation Support Matrix for version information.
The status Plug-in will be installed at next server startup appears.
7 Restart the vRealize Orchestrator server service.
8 Restart the vRealize Orchestrator configuration interface.
9 Click Plug-Ins and verify that the status changed to Installation OK.
10 Start the vRealize Orchestrator client application, log in, and use the Workflow tab to navigate
through the library to the NSX folder.
You can browse through the workflows that the NSX plug-in provides.
What to do next
Create a vRealize Orchestrator endpoint in vRealize Automation to use for running workflows. See Create
a vRealize Orchestrator Endpoint.
Run a vRealize Orchestrator and NSX Security Workflow
Before you use the NSX security policy features from vRealize Automation, an administrator must run the
Enable security policy support for overlapping subnets workflow in vRealize Orchestrator.
The Enable security policy support for overlapping subnets workflow applies to NSX 6.1 and later endpoints. Run this workflow only once to enable this support.
Prerequisites
- Verify that a vSphere endpoint is registered with an NSX endpoint. See Create a vSphere Endpoint.
- Log in to the vRealize Orchestrator client as an administrator.
- Verify that you ran the Create NSX endpoint vRealize Orchestrator workflow.
Procedure
1 Click the Workflow tab and select NSX > NSX workflows for VCAC.
2 Run the Create NSX endpoint workflow and respond to prompts.
3 Run the Enable security policy support for overlapping subnets workflow.
4 Select the NSX endpoint as the input parameter for the workflow.
Use the IP address you specified when you created the vSphere endpoint to register an NSX
instance.
After you run this workflow, the distributed firewall rules defined in the security policy are applied only on
the vNICs of the security group members to which this security policy is applied.
What to do next
Apply the applicable security features for the blueprint.
Administrator Requirements for Provisioning NSX Universal Objects
To provision machines in a cross-vCenter deployment when using NSX universal objects such as an edge
gateway or load balancer, you must provision to a region in which the compute NSX manager has the
primary role.
There is only one primary NSX manager in a cross-vCenter NSX environment. To provision machines in a cross-vCenter deployment, the machines must reside in a region in which the compute NSX manager has the primary role. Provisioning fails when the machines exist in a region in which the compute NSX manager has the secondary role.
You can use NSX local objects, such as a local edge gateway or load balancer. When using NSX local
objects, you must also use a region-specific NSX local transport zone and object virtual wire. You can
configure vRealize Automation reservations to use the local transport zone and virtual wires for
deployments in that local region.
See the VMware Knowledge Base article Deployment of vRealize Automation blueprints with NSX objects
fail (2147240) at http://kb.vmware.com/kb/2147240 for more information.
See the NSX Administration Guide and Cross-vCenter NSX Installation Guide for information about how
to configure and assign the primary NSX manager role for a cross-vCenter deployment.
Checklist for Preparing For Third-Party IPAM Provider Support
You can obtain IP addresses and ranges for use in network profile definition from a supported third-party
IPAM provider, such as Infoblox.
Before you can create and use an external IPAM provider endpoint in a vRealize Automation network
profile, you must download or otherwise obtain a vRealize Orchestrator IPAM provider plug-in or package,
import the plug-in or package and run required workflows in vRealize Orchestrator, and register the IPAM
solution as a vRealize Automation endpoint.
For an overview of the provisioning process for using an external IPAM provider to supply a range of
possible IP addresses, see Checklist for Provisioning a vRealize Automation Deployment Using an
External IPAM Provider.
Table 1‑3. Preparing for External IPAM Provider Support Checklist
Task / Location / Details

Task: Obtain and import the supported external IPAM provider vRealize Orchestrator plug-in.
Location: Download the IPAM provider plug-in or package, for example the Infoblox IPAM plug-in or the VMware-provided third-party IPAM starter SDK package, from the VMware Solution Exchange and import the plug-in or package to vRealize Orchestrator. If the VMware Solution Exchange (https://solutionexchange.vmware.com/store/category_groups/cloud-management) does not contain the IPAM provider package that you need, you can create your own using the IPAM Solution Provider SDK and supporting documentation.
Details: See Obtain and Import the External IPAM Provider Package in vRealize Orchestrator.

Task: Run the required configuration workflows and register the external IPAM solution as a vRealize Automation endpoint.
Location: Run the vRealize Orchestrator configuration workflows and register the IPAM provider endpoint type in vRealize Orchestrator.
Details: See Run Workflow to Register Third-Party IPAM Endpoint Type in vRealize Orchestrator.
Obtain and Import the External IPAM Provider Package in
vRealize Orchestrator
To prepare to define and use an external IPAM provider endpoint, you must first obtain the external IPAM
provider package and import the package in vRealize Orchestrator.
You can download and use an existing third-party IP Address Management provider plug-in, such as
Infoblox IPAM. You can also create your own plug-in or package by using a VMware-supplied starter
package and accompanying SDK documentation for use with another third-party IPAM solution provider
such as Bluecat.
After you import the external IPAM provider plug-in or package in vRealize Orchestrator, run the required
workflows and register the IPAM endpoint type.
For more information about importing plug-ins and packages and running vRealize Orchestrator
workflows, see Using the VMware vRealize Orchestrator Client. For more information about extending
vRealize Automation with vRealize Orchestrator plug-ins, packages, and workflows, see Life Cycle
Extensibility.
Prerequisites
- Log in to vRealize Orchestrator with administrator privileges for importing, configuring, and registering a vRealize Orchestrator plug-in or package.
Procedure
1 Open the VMware Solution Exchange site at https://solutionexchange.vmware.com/store.
2 Select Cloud Management Marketplace.
3 Locate and download the plug-in or package.
For example, import the Infoblox plug-in that supports the Infoblox third-party IPAM endpoint in
vRealize Automation.
4 In vRealize Orchestrator, click the Administrator tab and click Import package.
5 Select the package to import. For example, for the vRealize Orchestrator third-party IPAM SDK package, select com.vmware.vra.ipam.service.sdk from source\vcac\components\ipam\vro-sdk\target\ipam-package-sdk-7.1.0-SNAPSHOT.package.
What to do next
Run Workflow to Register Third-Party IPAM Endpoint Type in vRealize Orchestrator.
Run Workflow to Register Third-Party IPAM Endpoint Type in
vRealize Orchestrator
Run the registration workflow in vRealize Orchestrator to support vRealize Automation use of the third-party IPAM provider and register the IPAM endpoint type for use in vRealize Automation.
To register IPAM endpoint types in vRealize Orchestrator, you are prompted to supply vRealize Automation administrator credentials.
For more information about importing packages and running vRealize Orchestrator workflows, see Using the VMware vRealize Orchestrator Client. For more information about extending vRealize Automation with vRealize Orchestrator packages and workflows, see Life Cycle Extensibility.
Prerequisites
- Obtain and Import the External IPAM Provider Package in vRealize Orchestrator.
- Verify that you are logged in to vRealize Orchestrator with an account that has authority to run workflows.
- Be prepared to supply vRealize Automation administrator credentials when prompted.
Procedure
1 In vRealize Orchestrator, click the Design tab, select Administrator > Library, and select IPAM
Service Package SDK.
Each IPAM provider package is uniquely named and contains unique workflows. Each provider
supplies their own registration workflow. While the workflow names might be similar between provider
packages, the location of the workflows in vRealize Orchestrator can be different and is provider-
specific.
2 For this example, run the Register IPAM Endpoint registration workflow and specify the Infoblox IPAM endpoint type.
3 At the prompt for vRealize Automation credentials, enter your vRealize Automation administrator credentials.
The package registers Infoblox as a new IPAM endpoint type in the vRealize Automation endpoint service and makes the endpoint type available when you define endpoints in vRealize Automation.
Note The Infoblox IPAM connection might disappear from the vRealize Orchestrator Inventory tab after you restart the vRealize Orchestrator server from the vRealize Orchestrator Control Center. To resolve this issue, run the Create IPAM Connection workflow from the vRO admin > Library > Infoblox > vRA > Helpers menu sequence. You can then open the vRealize Orchestrator Inventory tab, select Infoblox IPAM, and refresh the page to display the Infoblox IPAM connection.
What to do next
You can now create an Infoblox IPAM endpoint, or an endpoint for whatever third-party package or plug-in you have just registered, in vRealize Automation. See Create a Third-Party IPAM Provider Endpoint.
Checklist for Configuring Containers for vRealize Automation
To get started with Containers, you must configure the feature to support vRealize Automation user roles.
After you configure container definitions in Containers you can add and configure container components
in a blueprint.
Table 1‑4. Checklist for Configuring Containers for vRealize Automation
Task / Details

Task: Assign the container administrator and container architect roles.
Details: See Container roles information in Foundations and Concepts.

Task: Display the Containers context-sensitive help system.
Details: See Containers help information in Foundations and Concepts.

Task: Define container definitions in the Containers tab in vRealize Automation.
Details: See Configuring vRealize Automation.

Task: Add container components and container networking components to blueprints in the Design tab in vRealize Automation.
Details: See Configuring vRealize Automation.
Configuring Containers Using the vRealize Automation Appliance
Xenon service information is accessible in the vRealize Automation appliance (vRA Settings > Xenon).
It contains information about the Xenon host VM, listening port, and service status. It also displays
information about clustered Xenon nodes.
You can manage the Xenon Linux service with the following CLI commands in the vRealize Automation
appliance.
Command: Description
service xenon-service status: Shows the status of the service as either running or stopped.
service xenon-service start: Starts the service.
service xenon-service stop: Stops the service.
service xenon-service restart: Restarts the service.
service xenon-service get_host: Shows the hostname on which the service is running.
service xenon-service get_port: Shows the service port.
service xenon-service status_cluster: Shows information about all clustered nodes in JSON format.
service xenon-service reset: Deletes the directory where Xenon keeps all configuration files and restarts the service.
Clustering Containers
You can use the Xenon service in conjunction with Containers for vRealize Automation to join nodes to a
cluster. If the nodes are clustered, the Xenon service connects other nodes automatically when it starts.
You can monitor the cluster status on the Xenon tab in the vRealize Automation appliance or by running
the following command in a CLI:
service xenon-service status_cluster
Xenon works on quorum-based clustering. The quorum is calculated by using the (number of nodes / 2) + 1 formula with integer division, so a three-node cluster requires two nodes to be available and a five-node cluster requires three.
Preparing Your vCloud Director Environment for
vRealize Automation
Before you can integrate vCloud Director with vRealize Automation, you must install and configure your
vCloud Director instance, set up your vSphere and cloud resources, and identify or create appropriate
credentials to provide vRealize Automation with access to your vCloud Director environment.
Configure Your Environment
Configure your vSphere resources and cloud resources, including virtual datacenters and networks. For
more information, see the vCloud Director documentation.
Required Credentials for Integration
Create or identify either organization administrator or system administrator credentials that your vRealize Automation IaaS administrators can use to bring your vCloud Director environment under vRealize Automation management as an endpoint. Organization administrator credentials limit vRealize Automation to the resources of that one organization; system administrator credentials grant access to the entire vCloud Director instance.
User Role Considerations
vCloud Director user roles in an organization do not need to correspond with roles in vRealize Automation
business groups. If the user account does not exist in vCloud Director, vCloud Director performs a lookup
in the associated LDAP or Active Directory and creates the user account if the user exists in the identity
store. If it cannot create the user account, it logs a warning but does not fail the provisioning process. The
provisioned machine is then assigned to the account that was used to configure the vCloud Director
endpoint.
For related information about vCloud Director user management, see the vCloud Director documentation.
Preparing Your vCloud Air Environment for vRealize Automation
Before you integrate vCloud Air with vRealize Automation, you must register for your vCloud Air account,
set up your vCloud Air environment, and identify or create appropriate credentials to provide
vRealize Automation with access to your environment.
Configure Your Environment
Configure your environment as instructed in the vCloud Air documentation.
Required Credentials for Integration
Create or identify either virtual infrastructure administrator or account administrator credentials that your
vRealize Automation IaaS administrators can use to bring your vCloud Air environment under
vRealize Automation management as an endpoint.
User Role Considerations
vCloud Air user roles in an organization do not need to correspond with roles in vRealize Automation
business groups. For related information about vCloud Air user management, see the vCloud Air
documentation.
Preparing Your Amazon AWS Environment
Prepare elements and user roles in your Amazon AWS environment, prepare Amazon AWS to
communicate with the guest agent and Software bootstrap agent, and understand how Amazon AWS
features map to vRealize Automation features.
Amazon AWS User Roles and Credentials Required for vRealize Automation
You must configure credentials in Amazon AWS with the permissions required for vRealize Automation to
manage your environment.
You must have certain Amazon access rights to successfully provision machines by using
vRealize Automation.
• Role and Permission Authorization in Amazon Web Services
  The Power User role in AWS provides an AWS Directory Service user or group with full access to AWS services and resources.
  You do not need any AWS credentials to create an AWS endpoint in vRealize Automation. However, the AWS user who creates an Amazon machine image is expected by vRealize Automation to have the Power User role.
• Authentication Credentials in Amazon Web Services
  The AWS Power User role does not allow management of AWS Identity and Access Management (IAM) users and groups. For management of IAM users and groups, you must be configured with AWS Full Access Administrator credentials.
  vRealize Automation requires access keys for endpoint credentials and does not support user names and passwords. To obtain the access key needed to create the Amazon endpoint, the Power User must either request a key from a user who has AWS Full Access Administrator credentials or be additionally configured with the AWS Full Access Administrator policy.
For information about enabling policies and roles, see the AWS Identity and Access Management (IAM)
section of Amazon Web Services product documentation.
Allow Amazon AWS to Communicate with the Software Bootstrap Agent and
Guest Agent
If you intend to provision application blueprints that contain Software, or if you want the ability to further
customize provisioned machines by using the guest agent, you must enable connectivity between your
Amazon AWS environment, where your machines are provisioned, and your vRealize Automation
environment, where the agents download packages and receive instructions.
When you use vRealize Automation to provision Amazon AWS machines with the vRealize Automation
guest agent and Software bootstrap agent, you must set up network-to-Amazon VPC connectivity so your
provisioned machines can communicate back to vRealize Automation to customize your machines.
For more information about Amazon AWS VPC connectivity options, see the Amazon AWS
documentation.
Using Optional Amazon Features
vRealize Automation supports several Amazon features, including Amazon Virtual Private Cloud, elastic
load balancers, elastic IP addresses, and elastic block storage.
Using Amazon Security Groups
Specify at least one security group when creating an Amazon reservation. Each available region requires
at least one specified security group.
A security group acts as a firewall to control access to a machine. Every region includes at least the
default security group. Administrators can use the Amazon Web Services Management Console to create
additional security groups, configure ports for Microsoft Remote Desktop Protocol or SSH, and set up a
virtual private network for an Amazon VPN.
When you create an Amazon reservation or configure a machine component in the blueprint, you can
choose from the list of security groups that are available to the specified Amazon account region. Security
groups are imported during data collection.
For information about creating and using security groups in Amazon Web Services, see Amazon
documentation.
Understanding Amazon Web Service Regions
Each Amazon Web Services account is represented by a cloud endpoint. When you create an
Amazon Elastic Cloud Computing endpoint in vRealize Automation, regions are collected as compute
resources. After the IaaS administrator selects compute resources for a business group, inventory and
state data collections occur automatically.
Inventory data collection, which occurs automatically once a day, collects data about what is on a
compute resource, such as the following data:
• Elastic IP addresses
• Elastic load balancers
• Elastic block storage volumes
State data collection occurs automatically every 15 minutes by default. It gathers information about the
state of managed instances, which are instances that vRealize Automation creates. The following are
examples of state data:
• Windows passwords
• State of machines in load balancers
• Elastic IP addresses
A fabric administrator can initiate inventory and state data collection and disable or change the frequency
of inventory and state data collection.
Using Amazon Virtual Private Cloud
Amazon Virtual Private Cloud allows you to provision Amazon machine instances in a private section of
the Amazon Web Services cloud.
Amazon Web Services users can use Amazon VPC to design a virtual network topology according to your
specifications. You can assign an Amazon VPC in vRealize Automation. However, vRealize Automation
does not track the cost of using the Amazon VPC.
When you provision using Amazon VPC, vRealize Automation expects there to be a VPC subnet from which Amazon obtains a primary IP address. This address is static until the instance is terminated. You can also use the elastic IP pool to attach an elastic IP address to an instance in vRealize Automation, which allows the user to keep the same IP address when continually provisioning and tearing down an instance in Amazon Web Services.
Use the AWS Management Console to create the following elements:
• An Amazon VPC, which includes Internet gateways, routing table, security groups and subnets, and available IP addresses.
• An Amazon Virtual Private Network if users need to log in to Amazon machine instances outside of the AWS Management Console.
vRealize Automation users can perform the following tasks when working with an Amazon VPC:
• A fabric administrator can assign an Amazon VPC to a cloud reservation. See Create an Amazon Reservation.
• A machine owner can assign an Amazon machine instance to an Amazon VPC.
For more information about creating an Amazon VPC, see Amazon Web Services documentation.
Using Elastic Load Balancers for Amazon Web Services
Elastic load balancers distribute incoming application traffic across Amazon Web Services instances.
Amazon load balancing enables improved fault tolerance and performance.
Amazon makes elastic load balancing available for machines provisioned using Amazon EC2 blueprints.
The elastic load balancer must be available in Amazon Web Services, in the Amazon Virtual Private Network, and at the provisioning location. For example, if a load balancer is available in us-east1c and a machine location is us-east1b, the machine cannot use the available load balancer.
vRealize Automation does not create, manage, or monitor the elastic load balancers.
For information about creating Amazon elastic load balancers by using the
Amazon Web Services Management Console, see Amazon Web Services documentation.
Using Elastic IP Addresses for Amazon Web Services
Using an elastic IP address allows you to rapidly fail over to another machine in a dynamic
Amazon Web Services cloud environment. In vRealize Automation, the elastic IP address is available to
all business groups that have rights to the region.
An administrator can allocate elastic IP addresses to your Amazon Web Services account by using the AWS Management Console. There are two groups of elastic IP addresses in any given region: one range is allocated for non-Amazon VPC instances and another range is for Amazon VPCs. If you allocate addresses in a non-Amazon VPC region only, the addresses are not available in an Amazon VPC. The reverse is also true: if you allocate addresses in an Amazon VPC only, the addresses are not available in a non-Amazon VPC region.
The elastic IP address is associated with your Amazon Web Services account, not a particular machine,
but only one machine at a time can use the address. The address remains associated with your
Amazon Web Services account until you choose to release it. You can release it to map it to a specific
machine instance.
An IaaS architect can add a custom property to a blueprint to assign an elastic IP address to machines during provisioning. Machine owners and administrators can view the elastic IP addresses assigned to machines, and machine owners or administrators with rights to edit machines can assign an elastic IP address after provisioning. However, if the address is already associated with a machine instance, and the instance is part of the Amazon Virtual Private Cloud deployment, Amazon does not assign the address.
For more information about creating and using Amazon elastic IP addresses, see Amazon Web Services
documentation.
Using Elastic Block Storage for Amazon Web Services
Amazon elastic block storage provides block level storage volumes to use with an Amazon machine
instance and Amazon Virtual Private Cloud. The storage volume can persist past the life of its associated
Amazon machine instance in the Amazon Web Services cloud environment.
When you use an Amazon elastic block storage volume in conjunction with vRealize Automation, the
following caveats apply:
• You cannot attach an existing elastic block storage volume when you provision a machine instance. However, if you create a new volume and request more than one machine at a time, the volume is created and attached to each instance. For example, if you create one volume named volume_1 and request three machines, a volume is created for each machine. Three volumes named volume_1 are created and attached to each machine. Each volume has a unique volume ID. Each volume is the same size and in the same location.
• The volume must be of the same operating system and in the same location as the machine to which you attach it.
• vRealize Automation does not manage the primary volume of an elastic block storage-backed instance.
For more information about Amazon elastic block storage, and details on how to enable it by using
Amazon Web Services Management Console, see Amazon Web Services documentation.
Scenario: Configure Network-to-Amazon VPC Connectivity for a Proof of
Concept Environment
As the IT professional setting up a proof of concept environment to evaluate vRealize Automation, you
want to temporarily configure network-to-Amazon VPC connectivity to support the vRealize Automation
Software feature.
Network-to-Amazon VPC connectivity is only required if you want to use the guest agent to customize
provisioned machines, or if you want to include Software components in your blueprints. For a production
environment, you would configure this connectivity officially through Amazon Web Services, but because
you are working in a proof of concept environment, you want to create temporary network-to-Amazon
VPC connectivity. You establish the SSH tunnel and then configure an Amazon reservation in
vRealize Automation to route through your tunnel.
Prerequisites
• Install and fully configure vRealize Automation. See Installing and Configuring vRealize Automation for the Rainpole Scenario.
• Create an Amazon AWS security group called TunnelGroup and configure it to allow access on port 22.
• Create or identify a CentOS machine in your Amazon AWS TunnelGroup security group and note the following configurations:
  • Administrative user credentials, for example root.
  • Public IP address.
  • Private IP address.
• Create or identify a CentOS machine on the same local network as your vRealize Automation installation.
• Install OpenSSH SSHD Server on both tunnel machines.
Procedure
1 Log in to your Amazon AWS tunnel machine as the root user or similar.
2 Disable iptables.
# service iptables save
# service iptables stop
# chkconfig iptables off
3 Edit /etc/ssh/sshd_config to enable AllowTCPForwarding and GatewayPorts.
4 Restart the service.
/etc/init.d/sshd restart
5 Log in to the CentOS machine on the same local network as your vRealize Automation installation as
the root user.
6 Invoke the SSH Tunnel from the local network machine to the Amazon AWS tunnel machine.
ssh -N -v -o "ServerAliveInterval 30" -o "ServerAliveCountMax 40" -o "TCPKeepAlive yes" \
-R 1442:vRealize_automation_appliance_fqdn:5480 \
-R 1443:vRealize_automation_appliance_fqdn:443 \
-R 1444:manager_service_fqdn:443 \
<user_of_Amazon_tunnel_machine>@<public_IP_address_of_Amazon_tunnel_machine>
You configured port forwarding to allow your Amazon AWS tunnel machine to access
vRealize Automation resources, but your SSH tunnel does not function until you configure an Amazon
reservation to route through the tunnel.
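Step 3 leaves the edit of /etc/ssh/sshd_config to you. As an added example that is not part of the VMware documentation, the following Python helper sets AllowTcpForwarding and GatewayPorts globally (sshd_config keywords are case-insensitive, so the AllowTCPForwarding spelling above names the same directive) and handles two pitfalls: a stock CentOS file carries the directives only as commented-out defaults, and a directive placed after a Match block applies only to matched sessions. The sample configuration text and the script file name are constructed.

```python
import re
import sys
from pathlib import Path

# Directives the Amazon tunnel machine's sshd needs: AllowTcpForwarding lets
# the -R reverse forwards be established, GatewayPorts makes the forwarded
# ports 1442-1444 bind on all interfaces of the tunnel machine instead of
# loopback, so provisioned instances in the VPC can reach them.
REQUIRED_DIRECTIVES = {
    "AllowTcpForwarding": "yes",
    "GatewayPorts": "yes",
}

# sshd_config keywords are case-insensitive; "Key value" and "Key=value" both parse.
_LINE_RE = re.compile(r"^\s*(#\s*)?([A-Za-z0-9]+)\s*[=\s]\s*(\S.*)?$")


def ensure_sshd_directives(config_text, directives=REQUIRED_DIRECTIVES):
    """Return config_text with each directive set globally to the wanted value.

    - An active global line for the keyword is rewritten in place.
    - A commented-out default such as "#GatewayPorts no" is left alone and an
      active line is inserted instead.
    - Anything after the first "Match" block only applies to matched
      connections, so missing directives are inserted before that block
      rather than appended to the end of the file.
    - The function is idempotent: applying it twice gives the same text.
    """
    wanted = {k.lower(): (k, v) for k, v in directives.items()}
    out, seen, match_idx = [], set(), None
    for line in config_text.splitlines():
        m = _LINE_RE.match(line)
        if m and not m.group(1):          # active (uncommented) directive
            key = m.group(2).lower()
            if key == "match" and match_idx is None:
                match_idx = len(out)
            elif key in wanted and match_idx is None:
                name, value = wanted[key]
                line = f"{name} {value}"
                seen.add(key)
        out.append(line)
    missing = [f"{n} {v}" for k, (n, v) in wanted.items() if k not in seen]
    insert_at = len(out) if match_idx is None else match_idx
    out[insert_at:insert_at] = missing
    return "\n".join(out) + "\n"


def effective_value(config_text, keyword):
    """Return the global value sshd would use for keyword (first active
    occurrence before any Match block), or None if it is not set globally."""
    for line in config_text.splitlines():
        m = _LINE_RE.match(line)
        if not m or m.group(1):
            continue
        key = m.group(2).lower()
        if key == "match":
            break
        if key == keyword.lower():
            return (m.group(3) or "").strip()
    return None


# Constructed sample resembling a stock CentOS /etc/ssh/sshd_config: the
# forwarding directive is present only as a commented default, GatewayPorts
# is explicitly off, and a Match block at the end would swallow a naive append.
SAMPLE_SSHD_CONFIG = """\
# constructed sample, not a real host's file
Port 22
#AllowTcpForwarding yes
GatewayPorts no
X11Forwarding yes
Match User backup
    AllowTcpForwarding no
"""


def apply_to_file(path):
    """Rewrite an sshd_config in place, keeping a .bak copy of the original."""
    p = Path(path)
    original = p.read_text()
    p.with_suffix(p.suffix + ".bak").write_text(original)
    p.write_text(ensure_sshd_directives(original))


if __name__ == "__main__":
    # Usage: python fix_sshd.py [/etc/ssh/sshd_config]; restart sshd afterwards (step 4).
    if len(sys.argv) > 1:
        apply_to_file(sys.argv[1])
    else:
        print(ensure_sshd_directives(SAMPLE_SSHD_CONFIG))
```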
What to do next
1 Install the software bootstrap agent and the guest agent on a Windows or Linux reference machine to
create an Amazon Machine Image that your IaaS architects can use to create blueprints. See
Preparing for Software Provisioning.
2 Configure your Amazon reservation in vRealize Automation to route through your SSH tunnel. See
Scenario: Create an Amazon Reservation for a Proof of Concept Environment.
Preparing Red Hat OpenStack Network and Security Features
vRealize Automation supports several features in OpenStack including security groups and floating IP
addresses. Understand how these features work with vRealize Automation and configure them in your
environment.
Using OpenStack Security Groups
Security groups allow you to specify rules to control network traffic over specific ports.
You can specify security groups in a reservation when requesting a machine. You can also specify an
existing or on-demand NSX security group in the design canvas.
Security groups are imported during data collection.
Each available region requires at least one specified security group. When you create a reservation, the security groups that are available to you in that region are displayed. Every region includes at least the default security group.
Additional security groups must be managed in the source resource. For more information about
managing security groups for the various machines, see the OpenStack documentation.
Using Floating IP Addresses with OpenStack
You can assign floating IP addresses to a running virtual instance in OpenStack.
To enable assignment of floating IP addresses, you must configure IP forwarding and create a floating IP
pool in Red Hat OpenStack. For more information, see the Red Hat OpenStack documentation.
You must entitle the Associate Floating IP and Disassociate Floating IP actions to machine owners. The
entitled users can then associate a floating IP address to a provisioned machine from the external
networks attached to the machine by selecting an available address from the floating IP address pool.
After a floating IP address has been associated with a machine, a vRealize Automation user can select a
Disassociate Floating IP option to view the currently assigned floating IP addresses and disassociate an
address from a machine.
Preparing Your SCVMM Environment
Before you begin creating SCVMM templates and hardware profiles for use in vRealize Automation
machine provisioning, you must understand the naming restrictions on template and hardware profile
names, and configure SCVMM network and storage settings.
For related information about preparing your environment, see SCVMM requirements information in
Installing vRealize Automation 7.2.
For related information about machine provisioning, see Create a Hyper-V (SCVMM) Endpoint.
Template and Hardware Profile Naming
Because of naming conventions that SCVMM and vRealize Automation use for templates and hardware
profiles, do not start your template or hardware profile names with the words temporary or profile. For
example, the following words are ignored during data collection:
• TemporaryTemplate
• Temporary Template
• TemporaryProfile
• Temporary Profile
• Profile
Required Network Configuration for SCVMM Clusters
SCVMM clusters only expose virtual networks to vRealize Automation, so you must have a 1:1
relationship between your virtual and logical networks. Using the SCVMM console, map each logical
network to a virtual network and configure your SCVMM cluster to access machines through the virtual
network.
Required Storage Configuration for SCVMM Clusters
On SCVMM Hyper-V clusters, vRealize Automation collects data and provisions on shared volumes only.
Using the SCVMM console, configure your clusters to use shared resource volumes for storage.
Required Storage Configuration for Standalone SCVMM Hosts
For standalone SCVMM hosts, vRealize Automation collects data and provisions on the default virtual
machine path. Using the SCVMM console, configure default virtual machine paths for your standalone
hosts.
Preparing for Machine Provisioning
Depending on your environment and your method of machine provisioning, you might need to configure
elements outside of vRealize Automation. For example, you might need to configure machine templates
or machine images. You might also need to configure NSX settings or run vRealize Orchestrator
workflows.
Choosing a Machine Provisioning Method to Prepare
For most machine provisioning methods, you must prepare some elements outside of
vRealize Automation.
Table 1‑5. Choosing a Machine Provisioning Method to Prepare
Columns: Scenario | Supported Endpoint | Agent Support | Provisioning Method | Pre-provisioning Preparations

Scenario: Configure vRealize Automation to run custom Visual Basic scripts as additional steps in the machine life cycle, either before or after machine provisioning. For example, you could use a pre-provisioning script to generate certificates or security tokens before provisioning, and then a post-provisioning script to use the certificates and tokens after machine provisioning.
Supported Endpoint: You can run Visual Basic scripts with any supported endpoint except Amazon AWS.
Agent Support: Depends on the provisioning method you choose.
Provisioning Method: Supported as an additional step in any provisioning method, but you cannot use Visual Basic scripts with Amazon AWS machines.
Pre-provisioning Preparations: Checklist for Running Visual Basic Scripts During Provisioning

Scenario: Provision application blueprints that automate the installation, configuration, and life cycle management of middleware and application deployment components such as Oracle, MySQL, WAR, and database schemas.
Supported Endpoint: vSphere; vCloud Air; vCloud Director; Amazon AWS
Agent Support: (Required) Guest agent; (Required) Software bootstrap agent and guest agent
Provisioning Method: Clone; Clone (for vCloud Air or vCloud Director); Linked clone; Amazon Machine Image
Pre-provisioning Preparations: If you want the ability to use Software components in your blueprints, prepare a provisioning method that supports the guest agent and Software bootstrap agent. For more information about preparing for Software, see Preparing for Software Provisioning.

Scenario: Further customize machines after provisioning by using the guest agent.
Supported Endpoint: All virtual endpoints and Amazon AWS.
Agent Support: (Required) Guest agent; (Optional) Software bootstrap agent and guest agent
Provisioning Method: Supported for all provisioning methods except Virtual Machine Image.
Pre-provisioning Preparations: If you want the ability to customize machines after provisioning, select a provisioning method that supports the guest agent. For more information about the guest agent, see Using vRealize Automation Guest Agent in Provisioning.

Scenario: Provision machines with no guest operating system. You can install an operating system after provisioning.
Supported Endpoint: All virtual machine endpoints.
Agent Support: Not supported
Provisioning Method: Basic
Pre-provisioning Preparations: No required pre-provisioning preparations outside of vRealize Automation.

Scenario: Provision a space-efficient copy of a virtual machine called a linked clone. Linked clones are based on a snapshot of a VM and use a chain of delta disks to track differences from a parent machine.
Supported Endpoint: vSphere
Agent Support: (Optional) Guest agent; (Optional) Software bootstrap agent and guest agent
Provisioning Method: Linked Clone
Pre-provisioning Preparations: You must have an existing vSphere virtual machine. If you want to support Software, you must install the guest agent and software bootstrap agent on the machine you intend to clone. The VM snapshot identified in the blueprint should be powered off before you provision the linked clone VMs.

Scenario: Provision a space-efficient copy of a virtual machine by using NetApp FlexClone technology.
Supported Endpoint: vSphere
Agent Support: (Optional) Guest agent
Provisioning Method: NetApp FlexClone
Pre-provisioning Preparations: Checklist for Preparing to Provision by Cloning

Scenario: Provision machines by cloning from a template object created from an existing Windows or Linux machine, called the reference machine, and a customization object.
Supported Endpoint: vSphere; KVM (RHEV); SCVMM
Agent Support: (Optional) Guest agent; (Optional for vSphere only) Software bootstrap agent and guest agent
Provisioning Method: Clone
Pre-provisioning Preparations: See Checklist for Preparing to Provision by Cloning. If you want to support Software, you must install the guest agent and software bootstrap agent on the vSphere machine you intend to clone.

Scenario: Provision vCloud Air or vCloud Director machines by cloning from a template and customization object.
Supported Endpoint: vCloud Air; vCloud Director
Agent Support: (Optional) Guest agent; (Optional) Software bootstrap agent and guest agent
Provisioning Method: vCloud Air or vCloud Director Cloning
Pre-provisioning Preparations: See Preparing for vCloud Air and vCloud Director Provisioning. If you want to support Software, create a template that contains the guest agent and software bootstrap agent. For vCloud Air, configure network connectivity between your vRealize Automation environment and your vCloud Air environment.

Scenario: Provision a machine by booting from an ISO image, using a kickstart or autoYaSt configuration file and a Linux distribution image to install the operating system on the machine.
Supported Endpoint: All virtual endpoints; Red Hat OpenStack
Agent Support: Guest agent is installed as part of the preparation instructions.
Provisioning Method: Linux Kickstart
Pre-provisioning Preparations: Preparing for Linux Kickstart Provisioning

Scenario: Provision a machine and pass control to an SCCM task sequence to boot from an ISO image, deploy a Windows operating system, and install the vRealize Automation guest agent.
Supported Endpoint: All virtual machine endpoints.
Agent Support: Guest agent is installed as part of the preparation instructions.
Provisioning Method: SCCM
Pre-provisioning Preparations: Preparing for SCCM Provisioning

Scenario: Provision a machine by booting into a WinPE environment and installing an operating system using a Windows Imaging File Format (WIM) image of an existing Windows reference machine.
Supported Endpoint: All virtual endpoints; Red Hat OpenStack
Agent Support: Guest agent is required. You can use PEBuilder to create a WinPE image that includes the guest agent. You can create the WinPE image by using another method, but you must manually insert the guest agent.
Provisioning Method: WIM
Pre-provisioning Preparations: Preparing for WIM Provisioning

Scenario: Launch an instance from a virtual machine image.
Supported Endpoint: Red Hat OpenStack
Agent Support: Not supported
Provisioning Method: Virtual Machine Image
Pre-provisioning Preparations: See Preparing for Virtual Machine Image Provisioning.

Scenario: Launch an instance from an Amazon Machine Image.
Supported Endpoint: Amazon AWS
Agent Support: (Optional) Guest agent; (Optional) Software bootstrap agent and guest agent
Provisioning Method: Amazon Machine Image
Pre-provisioning Preparations: Associate Amazon machine images and instance types with your Amazon AWS account. If you want to support Software, create an Amazon Machine Image that contains the guest agent and software bootstrap agent, and configure network-to-VPC connectivity between your Amazon AWS and vRealize Automation environments.
Checklist for Running Visual Basic Scripts During Provisioning
You can configure vRealize Automation to run your custom Visual Basic scripts as additional steps in the
machine life cycle, either before or after machine provisioning. For example, you could use a pre-
provisioning script to generate certificates or security tokens before provisioning, and then a post-
provisioning script to use the certificates and tokens after machine provisioning. You can run Visual Basic
scripts with any provisioning method, but you cannot use Visual Basic scripts with Amazon AWS
machines.
Table 1‑6. Running Visual Basic Scripts During Provisioning Checklist
Columns: Task | Location | Details

Task: Install and configure the EPI agent for Visual Basic scripts.
Location: Typically the Manager Service host
Details: See Installing vRealize Automation 7.2.

Task: Create your Visual Basic scripts.
Location: Machine where EPI agent is installed
Details: vRealize Automation includes a sample Visual Basic script PrePostProvisioningExample.vbs in the Scripts subdirectory of the EPI agent installation directory. This script contains a header to load all arguments into a dictionary, a body in which you can include your functions, and a footer to return updated custom properties to vRealize Automation.
When executing a Visual Basic script, the EPI agent passes all machine custom properties as arguments to the script. To return updated property values to vRealize Automation, place these properties in a dictionary and call a function provided by vRealize Automation.

Task: Gather the information required to include your scripts in blueprints.
Location: Capture information and transfer to your infrastructure architects
Details: Note A fabric administrator can create a property group by using the property sets ExternalPreProvisioningVbScript and ExternalPostProvisioningVbScript to provide this required information. Doing so makes it easier for blueprint architects to include this information correctly in their blueprints.
• The complete path to the Visual Basic script, including the filename and extension. For example, %SystemDrive%\Program Files (x86)\VMware\vCAC Agents\EPI_Agents\Scripts\SendEmail.vbs.
• To run a script before provisioning, instruct infrastructure architects to enter the complete path to the script as the value of the custom property ExternalPreProvisioningVbScript. To run a script after provisioning, they need to use the custom property ExternalPostProvisioningVbScript.
Using vRealize Automation Guest Agent in Provisioning
You can install the guest agent on reference machines to further customize a machine after deployment.
You can use the reserved guest agent custom properties to perform basic customizations such as adding
and formatting disks, or you can create your own custom scripts for the guest agent to run within the
guest operating system of a provisioned machine.
After the deployment is completed and the customization specification is run (if you provided one), the
guest agent creates an XML file that contains all of the deployed machine's custom properties
c:\VRMGuestAgent\site\workitem.xml, completes any tasks assigned to it with the guest agent
custom properties, and then deletes itself from the provisioned machine.
You can write your own custom scripts for the guest agent to run on deployed machines, and use custom
properties on the machine blueprint to specify the location of those scripts and the order in which to run
them. You can also use custom properties on the machine blueprint to pass custom property values to
your scripts as parameters.
For example, you could use the guest agent to make the following customizations on deployed machines:
• Change the IP address
• Add or format drives
• Run security scripts
• Initialize another agent, for example Puppet or Chef
You can also provide an encrypted string as a custom property in a command line argument. This allows
you to store encrypted information that the guest agent can decrypt and understand as a valid command
line argument.
Your custom scripts do not have to be locally installed on the machine. As long as the provisioned
machine has network access to the script location, the guest agent can access and run the scripts. This
lowers maintenance costs because you can update your scripts without having to rebuild all of your
templates.
You can configure security settings for the virtual machines to be provisioned by specifying information in a reservation, blueprint, or guest agent script. If the machines to be provisioned require a guest agent, you must add a security rule that contains that requirement to the reservation or the blueprint. For example, if you use a default security policy that denies communication between all machines, and rely on a separate security policy to allow communication between specific machines, the guest agent might be unable to communicate with vRealize Automation during the customization phase. To avoid this problem during machine provisioning, use a default security policy that allows communication during the customization phase.
If you choose to install the guest agent to run custom scripts on provisioned machines, your blueprints
must include the appropriate guest agent custom properties. For example, if you install the guest agent
on a template for cloning, create a custom script that changes the provisioned machine's IP address, and
place the script in a shared location, you need to include a number of custom properties in your blueprint.
Table 1‑7. Custom Properties for Changing IP Address of a Provisioned Machine with a Guest Agent
Columns: Custom Property | Description

Custom Property: VirtualMachine.Admin.UseGuestAgent
Description: Set to true to initialize the guest agent when the provisioned machine is started.

Custom Property: VirtualMachine.Customize.WaitComplete
Description: Set to True to prevent the provisioning workflow from sending work items to the guest agent until all customizations are complete.

Custom Property: VirtualMachine.SoftwareN.ScriptPath
Description: Specifies the full path to an application's install script. The path must be a valid absolute path as seen by the guest operating system and must include the name of the script filename.
You can pass custom property values as parameters to the script by inserting {CustomPropertyName} in the path string. For example, if you have a custom property named ActivationKey whose value is 1234, the script path is D:\InstallApp.bat -key {ActivationKey}. The guest agent runs the command D:\InstallApp.bat -key 1234. Your script file can then be programmed to accept and use this value.
Insert {Owner} to pass the machine owner name to the script.
You can also pass custom property values as parameters to the script by inserting {YourCustomProperty} in the path string. For example, entering the value \\vra-scripts.mycompany.com\scripts\changeIP.bat runs the changeIP.bat script from a shared location, but entering the value \\vra-scripts.mycompany.com\scripts\changeIP.bat {VirtualMachine.Network0.Address} runs the changeIP script but also passes the value of the VirtualMachine.Network0.Address property to the script as a parameter.

Custom Property: VirtualMachine.ScriptPath.Decrypt
Description: Allows vRealize Automation to obtain an encrypted string that is passed as a properly formatted VirtualMachine.SoftwareN.ScriptPath custom property statement to the gugent command line.
You can provide an encrypted string, such as your password, as a custom property in a command-line argument. This allows you to store encrypted information that the guest agent can decrypt and understand as a valid command-line argument. For example, the VirtualMachine.Software0.ScriptPath = c:\dosomething.bat password custom property string is not secure as it contains an actual password.
To encrypt the password, you can create a vRealize Automation custom property, for example MyPassword = password, and enable encryption by selecting the available check box. The guest agent decrypts the [MyPassword] entry to the value in the custom property MyPassword and runs the script as c:\dosomething.bat password.
• Create custom property MyPassword = password where password is the value of your actual password. Enable encryption by selecting the available check box.
• Set custom property VirtualMachine.ScriptPath.Decrypt as VirtualMachine.ScriptPath.Decrypt = true.
• Set custom property VirtualMachine.Software0.ScriptPath as VirtualMachine.Software0.ScriptPath = c:\dosomething.bat [MyPassword].
If you set VirtualMachine.ScriptPath.Decrypt to false, or do not create the VirtualMachine.ScriptPath.Decrypt custom property, then the string inside the square brackets ([ and ]) is not decrypted.
For more information about custom properties you can use with the guest agent, see Custom Properties
Reference.
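The following Python is an added model of the substitution rules in the two rows above; it is not gugent's own code. vRealize Automation's encryption format is not modelled, so a base64 stand-in (labelled in the code) plays the role of an encrypted value, and {Owner} is assumed to map to the VirtualMachine.Admin.Owner property. {Name} placeholders are always substituted, while [Name] references are decrypted only when VirtualMachine.ScriptPath.Decrypt is true.

```python
import base64
import re
from dataclasses import dataclass
from typing import Callable, Dict

# {Name} placeholders are substituted with the named property's value.
PLACEHOLDER = re.compile(r"\{([^{}]+)\}")
# [Name] references are resolved only when VirtualMachine.ScriptPath.Decrypt is true.
ENCRYPTED_REF = re.compile(r"\[([^\[\]]+)\]")


@dataclass(frozen=True)
class CustomProperty:
    value: str
    encrypted: bool = False  # the "encrypt" check box on the custom property


def decrypt_enabled(props: Dict[str, CustomProperty]) -> bool:
    """True only when VirtualMachine.ScriptPath.Decrypt exists and is set to true."""
    prop = props.get("VirtualMachine.ScriptPath.Decrypt")
    return prop is not None and prop.value.strip().lower() == "true"


def render_script_path(script_path: str,
                       props: Dict[str, CustomProperty],
                       decrypt: Callable[[str], str]) -> str:
    """Expand a SoftwareN.ScriptPath string into the command line the guest agent runs.

    decrypt() turns a stored encrypted value into plaintext. It is a caller-supplied
    hook because the real agent's decryption is not part of this model.
    """
    def substitute(match):
        name = match.group(1)
        # Assumption: {Owner} is shorthand for the VirtualMachine.Admin.Owner property.
        key = "VirtualMachine.Admin.Owner" if name == "Owner" else name
        if key not in props:
            raise KeyError(f"script path references unknown custom property {name!r}")
        return props[key].value

    rendered = PLACEHOLDER.sub(substitute, script_path)

    if not decrypt_enabled(props):
        return rendered  # [Name] stays literal, as the table states

    def resolve_secret(match):
        name = match.group(1)
        prop = props.get(name)
        if prop is None or not prop.encrypted:
            raise KeyError(f"[{name}] does not name an encrypted custom property")
        return decrypt(prop.value)

    return ENCRYPTED_REF.sub(resolve_secret, rendered)


# --- Constructed demo data: stand-ins, not real vRealize Automation values ---
def standin_encrypt(plaintext: str) -> str:
    """Base64 stands in for the real encryption so the demo runs offline."""
    return base64.b64encode(plaintext.encode()).decode()


def standin_decrypt(ciphertext: str) -> str:
    return base64.b64decode(ciphertext).decode()


EXAMPLE_PROPERTIES: Dict[str, CustomProperty] = {
    "ActivationKey": CustomProperty("1234"),
    "VirtualMachine.Admin.Owner": CustomProperty("jdoe"),            # constructed owner
    "VirtualMachine.Network0.Address": CustomProperty("192.0.2.10"),  # documentation range
    "MyPassword": CustomProperty(standin_encrypt("password"), encrypted=True),
    "VirtualMachine.ScriptPath.Decrypt": CustomProperty("true"),
}


def demo() -> Dict[str, str]:
    """Render the page's example script paths; returned so the results can be checked."""
    return {
        "activation": render_script_path(r"D:\InstallApp.bat -key {ActivationKey}",
                                         EXAMPLE_PROPERTIES, standin_decrypt),
        "owner": render_script_path(r"D:\InstallApp.bat {Owner}",
                                    EXAMPLE_PROPERTIES, standin_decrypt),
        "secret": render_script_path(r"c:\dosomething.bat [MyPassword]",
                                     EXAMPLE_PROPERTIES, standin_decrypt),
    }


if __name__ == "__main__":
    for label, command in demo().items():
        print(f"{label}: {command}")
```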
Configuring the Guest Agent to Trust a Server
Installing the public key PEM file for the vRealize Automation Manager Service Host in the correct guest agent folder is the most secure approach to configuring the guest agent to trust a server.
Locate the guest agent folder on each template and place the cert.pem PEM file for the Manager Service Host there so that the guest agent trusts that server:
- Windows guest agent folder on each template that uses the gugent: C:\VRMGuestAgent\cert.pem
- Linux guest agent folder on each template that uses the gugent: /usr/share/gugent/cert.pem
If you do not put the cert.pem file in this location, the template reference machine cannot use the guest agent. For example, if you alter scripts so that the public key information is collected only after the VM has started, you break the security condition.
Note As an alternative, you can configure the guest agent to populate the trusted cert.pem file on first use, but this is less secure than manually installing the cert.pem file on each template. Consider this alternative if you use a single template for multiple servers. To allow the guest agent to trust the first server it connects to, create a template with no cert.pem file in the Windows VRMGuestAgent or Linux /usr/share/gugent directory. The guest agent populates the cert.pem file the first time it connects to a server.
Additional considerations apply, depending on your configured environment:
- For WIM installations, you must add the public key PEM file contents to the PEBuilder console executable and user interface. The console flag is /cert filename.
- For Red Hat kickstart installations, you must cut and paste the public key into the sample file; otherwise the guest agent fails to execute.
- For SCCM installations, the cert.pem file must reside in the VRMGuestAgent folder.
- For Linux vSphere installs, the cert.pem file must reside in the /usr/share/gugent folder.
Note You can optionally install software and guest agents together by downloading the following script from https://APPLIANCE/software/index.html. The script allows you to handle acceptance of SSL certificate fingerprints as you create the templates.
- Linux: prepare_vra_template.sh
- Windows: prepare_vra_template.ps1
If you install the software and guest agent together, you do not need to use the instructions in Install the Guest Agent on a Linux Reference Machine or Install the Guest Agent on a Windows Reference Machine.
The template always trusts the first system to which it connects. For security, the guest agent does not check for a certificate if a cert.pem file exists in the Windows VRMGuestAgent or Linux /usr/share/gugent directory. If the server certificate changes, you must remove the cert.pem file from the Windows VRMGuestAgent or Linux /usr/share/gugent directory. The guest agent installs the new cert.pem file the next time it connects to the server.
Install the Guest Agent on a Linux Reference Machine
Install the Linux guest agent on your reference machines to further customize machines after deployment.
Prerequisites
- Identify or create the reference machine.
- The guest agent files you download contain both tar.gz and RPM package formats. If your operating system cannot install tar.gz or RPM files, use a conversion tool to convert the installation files to your preferred package format.
- Establish secure trust between the guest agent and your Manager Service machine. See Configuring the Guest Agent to Trust a Server.
Procedure
1 Navigate to the vCloud Automation Center Appliance management console page.
For example: https://va-hostname.domain.com.
2 Click Guest and software agents page in the vRealize Automation component installation section of the page.
For example: https://va-hostname.domain.com/software/index.html.
The Guest and Software Agent Installers page opens, displaying links to available downloads.
3 Click Linux guest agent packages in the guest agent installers section of the page to download and save the LinuxGuestAgentPkgs.zip file.
4 Unpack the downloaded LinuxGuestAgentPkgs.zip file to create the VraLinuxGuestAgent folder.
5 Install the guest agent package that corresponds to the guest operating system you are deploying during provisioning.
a Navigate to the VraLinuxGuestAgent subdirectory that corresponds to the guest operating system to deploy during provisioning, for example rhel32.
b Locate your preferred package format or convert a package to your preferred package format.
c Install the guest agent package on your reference machine.
For example, to install the files from the RPM package, run rpm -i gugent-gugent-7.1.0-4201531.i386.rpm.
6 Configure the guest agent to communicate with the Manager Service by running installgugent.sh Manager_Service_Hostname_fqdn:portnumber ssl platform.
The default port number for the Manager Service is 443. Accepted platform values are ec2, vcd, vca, and vsphere.
Option: If you are using a load balancer
Enter the fully qualified domain name and port number of your Manager Service load balancer. For example:
cd /usr/share/gugent
./installgugent.sh load_balancer_manager_service.mycompany.com:443 ssl ec2
Option: With no load balancer
Enter the fully qualified domain name and port number of your Manager Service machine. For example:
cd /usr/share/gugent
./installgugent.sh manager_service_machine.mycompany.com:443 ssl vsphere
7 If deployed machines are not already configured to trust the Manager Service SSL certificate, you must install the cert.pem file on your reference machine to establish trust.
- For the most secure approach, obtain the cert.pem certificate and manually install the file on the reference machine.
- For a more convenient approach, you can connect to the manager service load balancer or manager service machine and download the cert.pem certificate.
Option: If you are using a load balancer
As the root user on the reference machine, run the following command:
echo | openssl s_client -connect manager_service_load_balancer.mycompany.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert.pem
Option: With no load balancer
As the root user on the reference machine, run the following command:
echo | openssl s_client -connect manager_service_machine.mycompany.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert.pem
8 If you are installing the guest agent on an Ubuntu operating system, create symbolic links for shared objects by running one of the following command sets.
Option: 64-bit systems
cd /lib/x86_64-linux-gnu
sudo ln -s libssl.so.1.0.0 libssl.so.10
sudo ln -s libcrypto.so.1.0.0 libcrypto.so.10
Option: 32-bit systems
cd /lib/i386-linux-gnu
sudo ln -s libssl.so.1.0.0 libssl.so.10
sudo ln -s libcrypto.so.1.0.0 libcrypto.so.10
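Because a template with no cert.pem trusts the first server it reaches (see Configuring the Guest Agent to Trust a Server) and a template with a cert.pem trusts only that certificate, it is worth checking, before converting the reference machine, that the pinned file matches what the Manager Service actually presents. The Python below is an added example, not VMware's code: it applies the same BEGIN/END selection as the sed filter in step 7, computes a SHA-256 fingerprint over the DER bytes for out-of-band comparison, and classifies the template's trust state; the cert.pem paths are the ones given on this page, and the embedded certificates are constructed base64 stand-ins.

```python
import base64
import hashlib
import hmac
import os
import ssl

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

# Where the guest agent looks for the pinned Manager Service certificate (from the page).
CERT_PEM_PATHS = {
    "linux": "/usr/share/gugent/cert.pem",
    "windows": r"C:\VRMGuestAgent\cert.pem",
}


def extract_certificate(s_client_output: str) -> str:
    """Keep the first BEGIN CERTIFICATE ... END CERTIFICATE block of s_client output.

    This is the selection the page's sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p'
    filter performs; anything before or after the block is discarded.
    """
    lines, inside = [], False
    for line in s_client_output.splitlines():
        if PEM_BEGIN in line:
            inside = True
        if inside:
            lines.append(line.strip())
        if PEM_END in line:
            break
    if not lines or PEM_END not in lines[-1]:
        raise ValueError("no complete certificate block in s_client output")
    return "\n".join(lines) + "\n"


def fingerprint_sha256(pem: str) -> str:
    """SHA-256 over the DER encoding: the value to confirm out of band before trusting."""
    der = ssl.PEM_cert_to_DER_cert(pem.strip())
    return hashlib.sha256(der).hexdigest()


def pin_matches(pinned_pem: str, presented_pem: str) -> bool:
    """Constant-time comparison of the pinned and presented fingerprints."""
    return hmac.compare_digest(fingerprint_sha256(pinned_pem),
                               fingerprint_sha256(presented_pem))


def check_template_pin(cert_path: str, presented_pem: str) -> str:
    """Classify a template's trust state before it is converted for cloning.

    "missing": no cert.pem, so the agent will trust the first server it reaches.
    "match": the pinned certificate equals what the server presents.
    "mismatch": the pin is stale or points at a different server; remove and re-pin.
    """
    if not os.path.exists(cert_path):
        return "missing"
    with open(cert_path, encoding="ascii") as fh:
        pinned = fh.read()
    return "match" if pin_matches(pinned, presented_pem) else "mismatch"


def live_certificate(host: str, port: int = 443) -> str:
    """Fetch the PEM the Manager Service (or its load balancer) presents right now."""
    return ssl.get_server_certificate((host, port))


# --- Constructed sample data: base64 stand-ins, not real certificates ---
def standin_pem(der_bytes: bytes) -> str:
    body = base64.encodebytes(der_bytes).decode()
    return f"{PEM_BEGIN}\n{body}{PEM_END}\n"


SAMPLE_PEM = standin_pem(b"constructed stand-in for the Manager Service certificate")
OTHER_PEM = standin_pem(b"constructed stand-in for a different certificate")

# Constructed imitation of what `echo | openssl s_client -connect host:443` prints.
SAMPLE_S_CLIENT_OUTPUT = (
    "CONNECTED(00000003)\n"
    "depth=0 CN = manager_service_machine.mycompany.com\n"
    "---\n"
    "Certificate chain\n"
    " 0 s:CN = manager_service_machine.mycompany.com\n"
    + SAMPLE_PEM +
    "---\n"
    "DONE\n"
)


if __name__ == "__main__":
    print("fingerprint:", fingerprint_sha256(extract_certificate(SAMPLE_S_CLIENT_OUTPUT)))
    print("pin state:", check_template_pin(CERT_PEM_PATHS["linux"], SAMPLE_PEM))
```

On a real reference machine, pass live_certificate("manager_service_machine.mycompany.com") as presented_pem and confirm the printed fingerprint with the Manager Service administrator before converting the template.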
What to do next
Convert your reference machine into a template for cloning, an Amazon Machine Image, or a snapshot
that your IaaS architects can use when creating blueprints.
Install the Guest Agent on a Windows Reference Machine
Install the Windows guest agent on a Windows reference machine to run as a Windows service and enable further customization of machines.
Prerequisites
- Identify or create the reference machine.
- Establish secure trust between the guest agent and your Manager Service machine. See Configuring the Guest Agent to Trust a Server.
Procedure
1 Navigate to the vCloud Automation Center Appliance management console page.
For example: https://va-hostname.domain.com.
2 Click Guest and software agents page in the vRealize Automation component installation section of the page.
For example: https://va-hostname.domain.com/software/index.html.
The Guest and Software Agent Installers page opens, displaying links to available downloads.
3 Click Windows guest agent files (32-bit) or (64-bit) in the component installation section of the page to download and save the GuestAgentInstaller.exe or GuestAgentInstaller_x64.exe file.
4 Extract the Windows guest agent files to a location available to the Windows machine.
This produces the directory C:\VRMGuestAgent. Do not rename this directory.
5 Configure the guest agent to communicate with the Manager Service.
a Open an elevated command prompt.
b Navigate to C:\VRMGuestAgent.
c Configure the guest agent to trust your Manager Service machine.
Option: Allow the guest agent to trust the first machine to which it connects.
No configuration required.
Option: Manually install the trusted PEM file.
Place the Manager Service PEM file in the C:\VRMGuestAgent\ directory.
d Run winservice -i -h Manager_Service_Hostname_fqdn:portnumber -p ssl.
The default port number for the Manager Service is 443.
Option: If you are using a load balancer
Enter the fully qualified domain name and port number of your Manager Service load balancer. For example, winservice -i -h load_balancer_manager_service.mycompany.com:443 -p ssl.
Option: With no load balancer
Enter the fully qualified domain name and port number of your Manager Service machine. For example, winservice -i -h manager_service_machine.mycompany.com:443 -p ssl.
Option: If you are preparing an Amazon machine image
You need to specify that you are using Amazon. For example, winservice -i -h manager_service_machine.mycompany.com:443 -p ssl -c ec2.
The name of the Windows service is VCACGuestAgentService. You can find the installation log VCACGuestAgentService.log in C:\VRMGuestAgent.
What to do next
Convert your reference machine into a template for cloning, an Amazon machine image, or a snapshot so
your IaaS architects can use your template when creating blueprints.
Checklist for Preparing to Provision by Cloning
You must perform some preparation outside of vRealize Automation to create the template and the customization objects used to clone Linux and Windows virtual machines.
Cloning requires a template to clone from, created from a reference machine.
[Figure: decision flowchart for preparing a template. Identify or create a reference machine. If you want to support software components in your blueprints, install the guest agent and the software bootstrap agent; if you only want the ability to customize machines after deployment, install the guest agent. If you are working in vCenter Server, install VMware Tools. Then convert your reference machine to a template.]
If you are provisioning a Windows machine by cloning, the only way to join the provisioned machine to an
Active Directory domain is by using the customization specification from vCenter Server or by including a
guest operating system profile with your SCVMM template. Machines provisioned by cloning cannot be
placed in an Active Directory container during provisioning. You must do this manually after provisioning.
Table 1‑8. Checklist for Preparing to Provision by Cloning
Task / Location / Details

Task: Identify or create the reference machine.
    Location: Hypervisor
    Details: See the documentation provided by your hypervisor.

Task: (Optional) If you want your clone template to support Software components, install the vRealize Automation guest agent and software bootstrap agent on your reference machine.
    Location: Reference machine
    Details: For Windows reference machines, see Prepare a Windows Reference Machine to Support Software. For Linux reference machines, see Prepare a Linux Reference Machine to Support Software.

Task: (Optional) If you do not need your clone template to support Software components, but you do want the ability to customize deployed machines, install the vRealize Automation guest agent on your reference machine.
    Location: Reference machine
    Details: See Using vRealize Automation Guest Agent in Provisioning.

Task: If you are working in a vCenter Server environment, install VMware Tools on the reference machine.
    Location: vCenter Server
    Details: See the VMware Tools documentation.

Task: Use the reference machine to create a template for cloning.
    Location: Hypervisor
    Details: The reference machine may be powered on or off. If you are cloning in vCenter Server, you can use a reference machine directly without creating a template. See the documentation provided by your hypervisor.

Task: Create the customization object to configure cloned machines by applying System Preparation Utility information or a Linux customization.
    Location: Hypervisor
    Details: If you are cloning for Linux, you can install the Linux guest agent and provide external customization scripts instead of creating a customization object. If you are cloning with vCenter Server, you must provide the customization specification as the customization object. See the documentation provided by your hypervisor.

Task: Gather the information required to create blueprints that clone your template.
    Location: Capture information and transfer to your IaaS architects.
    Details: See Worksheet for Virtual Provisioning by Cloning.
Worksheet for Virtual Provisioning by Cloning
Complete the knowledge transfer worksheet to capture information about the template, customizations,
and custom properties required to create clone blueprints for the templates you prepared in your
environment. Not all of this information is required for every implementation. Use this worksheet as a
guide, or copy and paste the worksheet tables into a word processing tool for editing.
Required Template and Reservation Information
Table 1‑9. Template and Reservation Information Worksheet
Required Information / My Value / Details

Template name

Reservations on which the template is available, or reservation policy to apply
    Details: To avoid errors during provisioning, ensure that the template is available on all reservations or create reservation policies that architects can use to restrict the blueprint to reservations where the template is available.

(vSphere only) Type of cloning requested for this template
    Details:
    - Clone
    - Linked Clone
    - NetApp FlexClone

Customization specification name (Required for cloning with static IP addresses)
    Details: You cannot perform customizations of Windows machines without a customization specification object.

(SCVMM only) ISO name

(SCVMM only) Virtual hard disk

(SCVMM only) Hardware profile to attach to provisioned machines
Required Property Groups
You can complete the custom property information sections of the worksheet, or you can create property
groups and ask architects to add your property groups to their blueprints instead of numerous individual
custom properties.
Required vCenter Server Operating System
You must supply the guest operating system custom property for vCenter Server provisioning.
Table 1‑10. vCenter Server Operating System
Custom Property / My Value / Description

VMware.VirtualCenter.OperatingSystem
    Specifies the vCenter Server guest operating system version (VirtualMachineGuestOsIdentifier) with which vCenter Server creates the machine. This operating system version must match the operating system version to be installed on the provisioned machine. Administrators can create property groups using one of several property sets, for example VMware[OS_Version]Properties, that are predefined to include the correct VMware.VirtualCenter.OperatingSystem values. This property is for virtual provisioning.
Visual Basic Script Information
If you configured vRealize Automation to run your custom Visual Basic scripts as additional steps in the
machine life cycle, you must include information about the scripts in the blueprint.
Note A fabric administrator can create a property group by using the property sets
ExternalPreProvisioningVbScript and ExternalPostProvisioningVbScript to provide this required
information. Doing so makes it easier for blueprint architects to include this information correctly in their
blueprints.
Table 1‑11. Visual Basic Script Information
Custom Property / My Value / Description

ExternalPreProvisioningVbScript
    Run a script before provisioning. Enter the complete path to the script including the filename and extension, for example %System Drive%Program Files (x86)\VMware\vCAC Agents\EPI_Agents\Scripts\SendEmail.vbs.

ExternalPostProvisioningVbScript
    Run a script after provisioning. Enter the complete path to the script including the filename and extension, for example %System Drive%Program Files (x86)\VMware\vCAC Agents\EPI_Agents\Scripts\SendEmail.vbs.
Linux Guest Agent Customization Script Information
If you configured your Linux template to use the guest agent for running customization scripts, you must
include information about the scripts in the blueprint.
Table 1‑12. Linux Guest Agent Customization Script Information Worksheet
Custom Property / My Value / Description

Linux.ExternalScript.Name
    Specifies the name of an optional customization script, for example config.sh, that the Linux guest agent runs after the operating system is installed. This property is available for Linux machines cloned from templates on which the Linux agent is installed. If you specify an external script, you must also define its location by using the Linux.ExternalScript.LocationType and Linux.ExternalScript.Path properties.

Linux.ExternalScript.LocationType
    Specifies the location type of the customization script named in the Linux.ExternalScript.Name property. This can be either local or nfs. You must also specify the script location using the Linux.ExternalScript.Path property. If the location type is nfs, also use the Linux.ExternalScript.Server property.

Linux.ExternalScript.Server
    Specifies the name of the NFS server, for example lab-ad.lab.local, on which the Linux external customization script named in Linux.ExternalScript.Name is located.

Linux.ExternalScript.Path
    Specifies the local path to the Linux customization script or the export path to the Linux customization on the NFS server. The value must begin with a forward slash and not include the file name, for example /scripts/linux/config.sh.
Other Guest Agent Custom Properties
If you installed the guest agent on your reference machine, you can use custom properties to further
customize machines after deployment.
Table 1‑13. Custom Properties for Customizing Cloned Machines with a Guest Agent Worksheet
Custom Property / My Value / Description

VirtualMachine.Admin.AddOwnerToAdmins
    Set to True (default) to add the machine's owner, as specified by the VirtualMachine.Admin.Owner property, to the local administrators group on the machine.

VirtualMachine.Admin.AllowLogin
    Set to True (default) to add the machine owner, as specified by the VirtualMachine.Admin.Owner property, to the local remote desktop users group.

VirtualMachine.Admin.UseGuestAgent
    If the guest agent is installed as a service on a template for cloning, set to True on the machine blueprint to enable the guest agent service on machines cloned from that template. When the machine is started, the guest agent service is started. Set to False to disable the guest agent. If set to False, the enhanced clone workflow will not use the guest agent for guest operating system tasks, reducing its functionality to VMwareCloneWorkflow. If not specified or set to anything other than False, the enhanced clone workflow sends work items to the guest agent.

VirtualMachine.DiskN.Active
    Set to True (default) to specify that the machine's disk N is active. Set to False to specify that the machine's disk N is not active.
VirtualMachine.DiskN.Size
    Defines the size in GB of disk N. For example, to give a size of 150 GB to a disk G, define the custom property VirtualMachine.Disk0.Size and enter a value of 150. Disk numbering must be sequential. By default a machine has one disk referred to by VirtualMachine.Disk0.Size, where size is specified by the storage value on the blueprint from which the machine is provisioned. The storage value on the blueprint user interface overwrites the value in the VirtualMachine.Disk0.Size property. The VirtualMachine.Disk0.Size property is not available as a custom property because of its relationship with the storage option on the blueprint. More disks can be added by specifying VirtualMachine.Disk1.Size, VirtualMachine.Disk2.Size and so on. VirtualMachine.Admin.TotalDiskUsage always represents the total of the .DiskN.Size properties plus the VMware.Memory.Reservation size allocation.

VirtualMachine.DiskN.Label
    Specifies the label for a machine's disk N. The disk label maximum is 32 characters. Disk numbering must be sequential. When used with a guest agent, specifies the label of a machine's disk N inside the guest operating system.

VirtualMachine.DiskN.Letter
    Specifies the drive letter or mount point of a machine's disk N. The default is C. For example, to specify the letter D for Disk 1, define the custom property as VirtualMachine.Disk1.Letter and enter the value D. Disk numbering must be sequential. When used in conjunction with a guest agent, this value specifies the drive letter or mount point under which an additional disk N is mounted by the guest agent in the guest operating system.
VirtualMachine.Admin.CustomizeGuestOSDelay
    Specifies the time to wait after customization is complete and before starting the guest operating system customization. The value must be in HH:MM:SS format. If the value is not set, the default value is one minute (00:01:00). If you choose not to include this custom property, provisioning can fail if the virtual machine reboots before guest agent work items are completed.

VirtualMachine.Customize.WaitComplete
    Set to True to prevent the provisioning workflow from sending work items to the guest agent until all customizations are complete.

VirtualMachine.SoftwareN.Name
    Specifies the descriptive name of a software application N or script to install or run during provisioning. This is an optional and information-only property. It serves no real function for the enhanced clone workflow or the guest agent, but it is useful for a custom software selection in a user interface or for software use reporting.

VirtualMachine.SoftwareN.ScriptPath
    Specifies the full path to an application's install script. The path must be a valid absolute path as seen by the guest operating system and must include the name of the script file. You can pass custom property values as parameters to the script by inserting {CustomPropertyName} in the path string. For example, if you have a custom property named ActivationKey whose value is 1234, the script path is D:\InstallApp.bat -key {ActivationKey}. The guest agent runs the command D:\InstallApp.bat -key 1234. Your script file can then be programmed to accept and use this value.
VirtualMachine.SoftwareN.ISOName
    Specifies the path and filename of the ISO file relative to the datastore root. The format is /folder_name/subfolder_name/file_name.iso. If a value is not specified, the ISO is not mounted.

VirtualMachine.SoftwareN.ISOLocation
    Specifies the storage path that contains the ISO image file to be used by the application or script. Format the path as it appears on the host reservation, for example netapp-1:it_nfs_1. If a value is not specified, the ISO is not mounted.
Networking Custom Properties
You can specify configuration for specific network devices on a machine by using custom properties.
Common networking-related custom properties are listed in the following table. For additional and related
custom properties, see Custom Properties for Clone Blueprints and Custom Properties for Networking in
Custom Properties Reference.
Table 1‑14. Custom Properties for Networking Configuration
Custom Property / My Value / Description

VirtualMachine.NetworkN.Address
    Specifies the IP address of network device N in a machine provisioned with a static IP address.

VirtualMachine.NetworkN.MacAddressType
    Indicates whether the MAC address of network device N is generated or user-defined (static). This property is available for cloning. The default value is generated. If the value is static, you must also use VirtualMachine.NetworkN.MacAddress to specify the MAC address.
    VirtualMachine.NetworkN custom properties are specific to individual blueprints and machines. When a machine is requested, network and IP address allocation is performed before the machine is assigned to a reservation. Because blueprints are not guaranteed to be allocated to a specific reservation, do not use this property on a reservation. This property is not supported for on-demand NAT or on-demand routed networks.
VirtualMachine.NetworkN.MacAddress
    Specifies the MAC address of a network device N. This property is available for cloning. If the value of VirtualMachine.NetworkN.MacAddressType is generated, this property contains the generated address. If the value of VirtualMachine.NetworkN.MacAddressType is static, this property specifies the MAC address. For virtual machines provisioned on ESX server hosts, the address must be in the range specified by VMware. For details, see vSphere documentation.
    VirtualMachine.NetworkN custom properties are specific to individual blueprints and machines. When a machine is requested, network and IP address allocation is performed before the machine is assigned to a reservation. Because blueprints are not guaranteed to be allocated to a specific reservation, do not use this property on a reservation. This property is not supported for on-demand NAT or on-demand routed networks.
VirtualMachine.NetworkN.Name
    Specifies the name of the network to connect to, for example the network device N to which a machine is attached. This is equivalent to a network interface card (NIC). By default, a network is assigned from the network paths available on the reservation on which the machine is provisioned. Also see VirtualMachine.NetworkN.AddressType.
    You can ensure that a network device is connected to a specific network by setting the value of this property to the name of a network on an available reservation. For example, if you give properties for N=0 and 1, you get 2 NICs and their assigned value, provided the network is selected in the associated reservation.
    VirtualMachine.NetworkN custom properties are specific to blueprints and machines. When a machine is requested, network and IP address allocation is performed before the machine is assigned to a reservation. Because blueprints are not guaranteed to be allocated to a specific reservation, do not use this property on a reservation.
    You can add this property to a vCloud Air or vCloud Director machine component in a blueprint. This property is not supported for on-demand NAT or on-demand routed networks.

VirtualMachine.NetworkN.PortID
    Specifies the port ID to use for network device N when using a dvPort group with a vSphere distributed switch.
    VirtualMachine.NetworkN custom properties are specific to individual blueprints and machines. When a machine is requested, network and IP address allocation is performed before the machine is assigned to a reservation. Because blueprints are not guaranteed to be allocated to a specific reservation, do not use this property on a reservation. This property is not supported for on-demand NAT or on-demand routed networks.
VirtualMachine.NetworkN.ProfileName
    Specifies the name of a network profile from which to assign a static IP address to network device N or from which to obtain the range of static IP addresses that can be assigned to network device N of a cloned machine, where N=0 for the first device, 1 for the second, and so on. When you use the VirtualMachine.NetworkN.ProfileName property, the network profile it points to is used to allocate an IP address. However, the provisioned machine is attached to any network that is selected in the reservation, in round-robin fashion.

- VirtualMachine.NetworkN.SubnetMask
- VirtualMachine.NetworkN.Gateway
- VirtualMachine.NetworkN.PrimaryDns
- VirtualMachine.NetworkN.SecondaryDns
- VirtualMachine.NetworkN.PrimaryWins
- VirtualMachine.NetworkN.SecondaryWins
- VirtualMachine.NetworkN.DnsSuffix
- VirtualMachine.NetworkN.DnsSearchSuffixes
    Configures attributes of the network profile specified in VirtualMachine.NetworkN.ProfileName.
VCNS.LoadBalancerEdgePool.Names.name
    Specifies the NSX load balancing pools to which the virtual machine is assigned during provisioning. The virtual machine is assigned to all service ports of all specified pools. The value is an edge/pool name or a list of edge/pool names separated by commas. Names are case-sensitive.
    Appending a name allows you to create multiple versions of a custom property. For example, the following properties might list load balancing pools set up for general use and machines with high, moderate, and low performance requirements:
    - VCNS.LoadBalancerEdgePool.Names
    - VCNS.LoadBalancerEdgePool.Names.moderate
    - VCNS.LoadBalancerEdgePool.Names.high
    - VCNS.LoadBalancerEdgePool.Names.low
VCNS.SecurityGroup.Names.name
    Specifies the NSX security group or groups to which the virtual machine is assigned during provisioning. The value is a security group name or a list of names separated by commas. Names are case-sensitive.
    Appending a name allows you to create multiple versions of the property, which can be used separately or in combination. For example, the following properties can list security groups intended for general use, for the sales force, and for support:
    - VCNS.SecurityGroup.Names
    - VCNS.SecurityGroup.Names.sales
    - VCNS.SecurityGroup.Names.support

VCNS.SecurityTag.Names.name
    Specifies the NSX security tag or tags with which the virtual machine is associated during provisioning. The value is a security tag name or a list of names separated by commas. Names are case-sensitive.
    Appending a name allows you to create multiple versions of the property, which can be used separately or in combination. For example, the following properties can list security tags intended for general use, for the sales force, and for support:
    - VCNS.SecurityTag.Names
    - VCNS.SecurityTag.Names.sales
    - VCNS.SecurityTag.Names.support
Preparing for vCloud Air and vCloud Director Provisioning
To prepare for provisioning vCloud Air and vCloud Director machines by using vRealize Automation, you
must configure the organization virtual data center with templates and customization objects.
To provision vCloud Air and vCloud Director resources using vRealize Automation, the organization
requires a template to clone from that consists of one or more machine resources.
Templates that are to be shared across organizations must be public. Only reserved templates are
available to vRealize Automation as a cloning source.
Note When you create a blueprint by cloning from a template, that template's unique identifier becomes
associated with the blueprint. When the blueprint is published to the vRealize Automation catalog and
used in the provisioning and data collection processes, the associated template is recognized. If you
delete the template in vCloud Air or vCloud Director, subsequent vRealize Automation provisioning and
data collection fails because the associated template no longer exists. Instead of deleting and recreating
a template, for example to upload an updated version, replace the template using the vCloud Air or
vCloud Director template replacement process. Using vCloud Air or vCloud Director to replace the
template, rather than deleting and recreating the template, keeps the template's unique ID intact and
allows provisioning and data collection to continue functioning.
The following overview illustrates the steps you need to perform before you use vRealize Automation to
create endpoints and define reservations and blueprints. For more information about these administrative
tasks, see vCloud Air and vCloud Director product documentation.
1 In vCloud Air or vCloud Director, create a template for cloning and add it to the organization catalog.
2 In vCloud Air or vCloud Director, use the template to specify custom settings such as passwords,
domain, and scripts for the guest operating system on each machine.
You can use vRealize Automation to override some of these settings.
Customization can vary depending on the guest operating system of the resource.
3 In vCloud Air or vCloud Director, configure the catalog to be shared with everyone in the organization.
In vCloud Air or vCloud Director, configure account administrator access to applicable organizations
to allow all users and groups in the organization to have access to the catalog. Without this sharing
designation, the catalog templates are not visible to endpoint or blueprint architects in
vRealize Automation.
4 Gather the following information so that you can include it in blueprints:
- Name of the vCloud Air or vCloud Director template.
- Amount of total storage specified for the template.
Preparing for Linux Kickstart Provisioning
Linux Kickstart provisioning uses a configuration file to automate a Linux installation on a newly
provisioned machine. To prepare for provisioning you must create a bootable ISO image and a Kickstart
or autoYaST configuration file.
The following is a high-level overview of the steps required to prepare for Linux Kickstart provisioning:
1 Verify that a DHCP server is available on the network. vRealize Automation cannot provision
machines by using Linux Kickstart provisioning unless DHCP is available.
2 Prepare the configuration file. In the configuration file, you must specify the locations of the
vRealize Automation server and the Linux agent installation package. See Prepare the Linux Kickstart
Configuration Sample File.
3 Edit the isolinux/isolinux.cfg or loader/isolinux.cfg to specify the name and location of the
configuration file and the appropriate Linux distribution source.
4 Create the boot ISO image and save it to the location required by your virtualization platform. See the
documentation provided by your hypervisor for information about the required location.
5 (Optional) Add customization scripts.
a To specify post-installation customization scripts in the configuration file, see Specify Custom
Scripts in a kickstart/autoYaST Configuration File.
b To call Visual Basic scripts in blueprint, see Checklist for Running Visual Basic Scripts During
Provisioning.
6 Gather the following information so that blueprint architects can include it in their blueprints:
a The name and location of the ISO image.
b For vCenter Server integrations, the vCenter Server guest operating system version with which
vCenter Server is to create the machine.
Note You can create a property group with the property set BootIsoProperties to include the required
ISO information. This makes it easier to include this information correctly on blueprints.
Prepare the Linux Kickstart Configuration Sample File
vRealize Automation provides sample configuration files that you can modify and edit to suit your needs.
There are several changes required to make the files usable.
Procedure
1 Navigate to the vCloud Automation Center Appliance management console page.
For example: https://va-hostname.domain.com.
2 Click Guest and software agents page in the vRealize Automation component installation section of
the page.
For example: https://va-hostname.domain.com/software/index.html.
The Guest and Software Agent Installers page opens, displaying links to available downloads.
3 Click Linux guest agent packages in the guest agent installers section of the page to download and
save the LinuxGuestAgentPkgs.zip file.
4 Unpack the downloaded LinuxGuestAgentPkgs.zip file to create the VraLinuxGuestAgent folder.
5 Navigate to the VraLinuxGuestAgent subdirectory that corresponds to the guest operating system to
deploy during provisioning.
For example: rhel32.
6 Open a file in the samples subdirectory that corresponds to your target system.
For example, samples/sample-https-rhel6-x86.cfg.
7 Replace all instances of the string host=dcac.example.net with the IP address or fully qualified
domain name and port number for the Manager Service or the load balancer for the Manager Service.
Platform Required Format
vSphere ESXi IP Address, for example: --host=172.20.9.59
vSphere ESX IP Address, for example: --host=172.20.9.58
SUSE 10 IP Address, for example: --host=172.20.9.57
All others FQDN, for example: --host=mycompany-host1.mycompany.local:443
8 Locate each instance of gugent.rpm or gugent.tar.gz and replace the URL rpm.example.net
with the location of the guest agent package.
For example:
rpm -i nfs:172.20.9.59/suseagent/gugent.rpm
9 Save the file to a location accessible to newly provisioned machines.
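As an added example (not part of VMware's documentation or of the guest agent package), the following Python applies steps 7 and 8 above to a sample file and enforces the per-platform --host format from the table in step 7: a bare IP address for vSphere ESXi, vSphere ESX and SUSE 10, and FQDN:port for everything else. The sample configuration text, the package location and the function names are constructed for this example; the real samples/*.cfg files differ.

```python
import ipaddress
import re

# Platforms whose sample files need a bare IP address for --host (step 7 table).
IP_ONLY_PLATFORMS = {"vSphere ESXi", "vSphere ESX", "SUSE 10"}

# Constructed stand-in for a samples/*.cfg file; the real files differ.
SAMPLE_CFG = """\
%post
rpm -i http://rpm.example.net/rhel6/gugent.rpm
/usr/share/gugent/rungugent.sh --host=dcac.example.net --ssl
%end
"""

# Strings that must not survive in a prepared file.
PLACEHOLDERS = ("dcac.example.net", "rpm.example.net")


def manager_host_value(platform, address, port=443):
    """Format the Manager Service (or its load balancer) address per platform.

    ESXi, ESX and SUSE 10 samples take a bare IP address; every other
    platform takes an FQDN followed by the port number.
    """
    if platform in IP_ONLY_PLATFORMS:
        return str(ipaddress.ip_address(address))  # ValueError unless an IP literal
    if not re.fullmatch(r"[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+", address):
        raise ValueError(f"{platform} needs an FQDN, got {address!r}")
    return f"{address}:{port}"


def prepare_sample_cfg(text, host_value, package_location):
    """Apply steps 7 and 8 of the procedure and return the rewritten text.

    package_location is where gugent.rpm / gugent.tar.gz is served from,
    for example 'nfs:172.20.9.59/suseagent' (constructed example value).
    """
    out = []
    for line in text.splitlines():
        # Step 7: every host=dcac.example.net becomes host=<Manager Service>
        line = line.replace("host=dcac.example.net", f"host={host_value}")
        # Step 8: on guest agent package lines, point the URL at package_location
        if "gugent.rpm" in line or "gugent.tar.gz" in line:
            line = re.sub(
                r"\S*rpm\.example\.net\S*/(gugent\.(?:rpm|tar\.gz))",
                lambda m: f"{package_location.rstrip('/')}/{m.group(1)}",
                line,
            )
        out.append(line)
    result = "\n".join(out) + "\n"
    leftover = [p for p in PLACEHOLDERS if p in result]
    if leftover:
        raise ValueError(f"placeholders still present: {leftover}")
    return result


if __name__ == "__main__":
    host = manager_host_value("vSphere ESXi", "172.20.9.59")
    print(prepare_sample_cfg(SAMPLE_CFG, host, "nfs:172.20.9.59/suseagent"))
```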
Specify Custom Scripts in a kickstart/autoYaST Configuration File
You can modify the configuration file to copy or install custom scripts onto newly provisioned machines.
The Linux agent runs the scripts at the specified point in the workflow.
Your script can reference any of the ./properties.xml files in
the /usr/share/gugent/site/workitem directories.
Prerequisites
- Prepare a kickstart or autoYaST configuration file. See Prepare the Linux Kickstart Configuration Sample File.
- Your script must return a non-zero value on failure to prevent machine provisioning failure.
Procedure
1 Create or identify the script you want to use.
2 Save the script as NN_scriptname.
NN is a two-digit number. Scripts are executed in order from lowest to highest. If two scripts have the
same number, the order is alphabetical based on scriptname.
3 Make your script executable.
4 Locate the post-installation section of your kickstart or autoYaST configuration file.
In kickstart, this is indicated by %post. In autoYaST, this is indicated by post-scripts.
5 Modify the post-installation section of the configuration file to copy or install your script into
the /usr/share/gugent/site/workitem directory of your choice.
Custom scripts are most commonly run for virtual kickstart/autoYaST with the work items SetupOS
(for create provisioning) and CustomizeOS (for clone provisioning), but you can run scripts at any
point in the workflow.
For example, you can modify the configuration file to copy the script 11_addusers.sh to
the /usr/share/gugent/site/SetupOS directory on a newly provisioned machine by using the
following command:
cp nfs:172.20.9.59/linuxscripts/11_addusers.sh /usr/share/gugent/site/SetupOS
The Linux agent runs the script in the order specified by the work item directory and the script file name.
Preparing for SCCM Provisioning
vRealize Automation boots a newly provisioned machine from an ISO image, and then passes control to
the specified SCCM task sequence.
SCCM provisioning is supported for the deployment of Windows operating systems. Linux is not
supported. Software distribution and updates are not supported.
The following is a high-level overview of the steps required to prepare for SCCM provisioning:
1 Consult with your network administrator to ensure that the following network requirements are met:
- Communication with SCCM requires the NetBios name of the SCCM server. At least one Distributed Execution Manager (DEM) must be able to resolve the fully qualified name of the SCCM server to its NetBios name.
- The SCCM server and the vRealize Automation server must be on the same network and available to each other.
2 Create a software package that includes the vRealize Automation guest agent. See Create a
Software Package for SCCM Provisioning.
3 In SCCM, create the desired task sequence for provisioning the machine. The final step must be to
install the software package you created that contains the vRealize Automation guest agent. For
information about creating task sequences and installing software packages, see SCCM
documentation.
4 Create a zero touch boot ISO image for the task sequence. By default, SCCM creates a light touch
boot ISO image. For information about configuring SCCM for zero touch ISO images, see SCCM
documentation.
5 Copy the ISO image to the location required by your virtualization platform. If you do not know the
appropriate location, refer to the documentation provided by your hypervisor.
6 Gather the following information so that blueprint architects can include it on blueprints:
a The name of the collection containing the task sequence.
b The fully qualified domain name of the SCCM server on which the collection containing the
sequence resides.
c The site code of the SCCM server.
d Administrator-level credentials for the SCCM server.
e (Optional) For SCVMM integrations, the ISO, virtual hard disk, or hardware profile to attach to
provisioned machines.
Note You can create a property group with the SCCMProvisioningProperties property set to include
all of this required information. This makes it easier to include the information on blueprints.
Create a Software Package for SCCM Provisioning
The final step in your SCCM task sequence must be to install a software package that includes the
vRealize Automation guest agent.
Procedure
1 Navigate to the vCloud Automation Center Appliance management console page.
For example: https://va-hostname.domain.com.
2 Click Guest and software agents page in the vRealize Automation component installation section of
the page.
For example: https://va-hostname.domain.com/software/index.html.
The Guest and Software Agent Installers page opens, displaying links to available downloads.
3 Click Windows guest agent files (32-bit) or (64-bit) in the component installation section of the page
to download and save the GuestAgentInstaller.exe or GuestAgentInstaller_x64.exe file.
4 Extract the Windows guest agent files to a location available to SCCM.
This produces the directory C:\VRMGuestAgent. Do not rename this directory.
5 Create a software package from the definition file SCCMPackageDefinitionFile.sms.
6 Make the software package available to your distribution point.
7 Select the contents of the extracted Windows guest agent files as your source files.
Preparing for WIM Provisioning
Provision a machine by booting into a WinPE environment and then install an operating system using a
Windows Imaging File Format (WIM) image of an existing Windows reference machine.
The following is a high-level overview of the steps required to prepare for WIM provisioning:
1 Identify or create the staging area. This should be a network directory that can be specified as a UNC
path or mounted as a network drive by the reference machine, the system on which you build the
WinPE image, and the virtualization host on which machines are provisioned.
2 Ensure that a DHCP server is available on the network. vRealize Automation cannot provision
machines by using a WIM image unless DHCP is available.
3 Identify or create the reference machine within the virtualization platform you intend to use for
provisioning. For vRealize Automation requirements, see Reference Machine Requirements for WIM
Provisioning. For information about creating a reference machine, see the documentation provided by
your hypervisor.
4 Using the System Preparation Utility for Windows, prepare the reference machine's operating system
for deployment. See SysPrep Requirements for the Reference Machine.
5 Create the WIM image of the reference machine. Do not include any spaces in the WIM image file
name or provisioning fails.
6 Create a WinPE image that contains the vRealize Automation guest agent. You can use the
vRealize Automation PEBuilder to create a WinPE image that includes the guest agent.
- Install PEBuilder.
- (Optional) Create any custom scripts you want to use to customize provisioned machines and place them in the appropriate work item directory of your PEBuilder installation. See Specify Custom Scripts in a PEBuilder WinPE.
- If you are using VirtIO for network or storage interfaces, you must ensure that the necessary drivers are included in your WinPE image and WIM image. See Preparing for WIM Provisioning with VirtIO Drivers.
- Create a WinPE Image by Using PEBuilder.
You can create the WinPE image by using another method, but you must manually insert the vRealize Automation guest agent. See Manually Insert the Guest Agent into a WinPE Image.
7 Place the WinPE image in the location required by your virtualization platform. If you do not know the
location, see the documentation provided by your hypervisor.
8 Gather the following information so that you can include it the blueprint:
a The name and location of the WinPE ISO image.
b The name of the WIM file, the UNC path to the WIM file, and the index used to extract the desired
image from the WIM file.
c The user name and password under which to map the WIM image path to a network drive on the
provisioned machine.
d (Optional) If you do not want to accept the default, K, the drive letter to which the WIM image path
is mapped on the provisioned machine.
e For vCenter Server integrations, the vCenter Server guest operating system version with which
vCenter Server is to create the machine.
f (Optional) For SCVMM integrations, the ISO, virtual hard disk, or hardware profile to attach to
provisioned machines.
Note You can create a property group to include all of this required information. Using a property
group makes it easier to include all the information correctly in blueprints.
1 Reference Machine Requirements for WIM Provisioning
WIM provisioning involves creating a WIM image from a reference machine. The reference machine
must meet basic requirements for the WIM image to work for provisioning in vRealize Automation.
2 SysPrep Requirements for the Reference Machine
A SysPrep answer file contains several required settings that are used for WIM provisioning.
3 Install PEBuilder
The PEBuilder tool provided by vRealize Automation provides a simple way to include the
vRealize Automation guest agent in your WinPE images.
4 Specify Custom Scripts in a PEBuilder WinPE
You can use PEBuilder to customize machines by running custom bat scripts at specified points in
the provisioning workflow.
5 Preparing for WIM Provisioning with VirtIO Drivers
If you are using VirtIO for network or storage interfaces, you must ensure that the necessary drivers
are included in your WinPE image and WIM image. VirtIO generally offers better performance when
provisioning with KVM (RHEV).
6 Create a WinPE Image by Using PEBuilder
Use the PEBuilder tool provided by vRealize Automation to create a WinPE ISO file that includes the
vRealize Automation guest agent.
7 Manually Insert the Guest Agent into a WinPE Image
You do not have to use the vRealize Automation PEBuilder to create your WinPE. However, if you
do not use the PEBuilder you must manually insert the vRealize Automation guest agent into your
WinPE image.
Reference Machine Requirements for WIM Provisioning
WIM provisioning involves creating a WIM image from a reference machine. The reference machine must
meet basic requirements for the WIM image to work for provisioning in vRealize Automation.
The following is a high-level overview of the steps to prepare a reference machine:
1 If the operating system on your reference machine is Windows Server 2008 R2, Windows Server
2012, Windows 7, or Windows 8, the default installation creates a small partition on the system's hard
disk in addition to the main partition. vRealize Automation does not support the use of WIM images
created on such multi-partitioned reference machines. You must delete this partition during the
installation process.
2 Install .NET 4.5 and Windows Automated Installation Kit (AIK) for Windows 7 (including WinPE 3.0) on
the reference machine.
3 If the reference machine operating system is Windows Server 2003 or Windows XP, reset the
administrator password to be blank. (There is no password.)
4 (Optional) If you want to enable XenDesktop integration, install and configure a
Citrix Virtual Desktop Agent.
5 (Optional) A Windows Management Instrumentation (WMI) agent is required to collect certain data
from a Windows machine managed by vRealize Automation, for example the Active Directory status
of a machine’s owner. To ensure successful management of Windows machines, you must install a
WMI agent (typically on the Manager Service host) and enable the agent to collect data from
Windows machines. See Installing vRealize Automation 7.2.
SysPrep Requirements for the Reference Machine
A SysPrep answer file contains several required settings that are used for WIM provisioning.
Table 1‑15. Windows Server or Windows XP reference machine SysPrep required settings
GuiUnattended Settings    Value
AutoLogon                 Yes
AutoLogonCount            1
AutoLogonUsername         username (username and password are the credentials used for auto logon when the newly provisioned machine boots into the guest operating system. Administrator is typically used.)
AutoLogonPassword         password corresponding to the AutoLogonUsername.
Table 1‑16. Required SysPrep Settings for reference machines that are not using Windows Server 2003 or Windows XP
AutoLogon Settings    Value
Enabled               Yes
LogonCount            1
Username              username (username and password are the credentials used for auto logon when the newly provisioned machine boots into the guest operating system. Administrator is typically used.)
Password              password (username and password are the credentials used for auto logon when the newly provisioned machine boots into the guest operating system. Administrator is typically used.)
Note For reference machines that use a Windows platform newer than Windows Server 2003/Windows XP, you must set the autologon password by using the custom property Sysprep.GuiUnattended.AdminPassword. A convenient way to ensure this is done is to create a property group that includes this custom property so that tenant administrators and business group managers can include this information correctly in their blueprints.
Install PEBuilder
The PEBuilder tool provided by vRealize Automation provides a simple way to include the
vRealize Automation guest agent in your WinPE images.
PEBuilder has a 32 bit guest agent. If you need to run commands specific to 64 bit, install PEBuilder and
then get the 64 bit files from the GugentZipx64.zip file.
Install PEBuilder in a location where you can access your staging environment.
Prerequisites
- Install .NET Framework 4.5.
- Windows Automated Installation Kit (AIK) for Windows 7 (including WinPE 3.0) is installed.
Procedure
1 Navigate to the vCloud Automation Center Appliance management console page.
For example: https://va-hostname.domain.com.
2 Click Guest and software agents page in the vRealize Automation component installation section of
the page.
For example: https://va-hostname.domain.com/software/index.html.
The Guest and Software Agent Installers page opens, displaying links to available downloads.
3 Click PE Builder utility in the component installation section of the page to download and save the
vCAC-WinPEBuilder-Setup.exe file.
4 Run vCAC-WinPEBuilder-Setup.exe.
5 Follow the prompts to install PEBuilder.
6 (Optional) Replace the Windows 32-bit guest agent files located in \PE Builder\Plugins\VRM
Agent\VRMGuestAgent with the 64-bit files to include the 64-bit agent in your WinPE.
You can use PEBuilder to create a WinPE for use in WIM provisioning.
Specify Custom Scripts in a PEBuilder WinPE
You can use PEBuilder to customize machines by running custom bat scripts at specified points in the
provisioning workflow.
Prerequisites
Install PEBuilder.
Procedure
1 Create or identify the bat script you want to use.
Your script must return a non-zero value on failure to prevent machine provisioning failure.
2 Save the script as NN_scriptname.
NN is a two-digit number. Scripts are executed in order from lowest to highest. If two scripts have the
same number, the order is alphabetical based on scriptname.
3 Make your script executable.
4 Place the scripts in the work item subdirectory that corresponds to the point in the provisioning
workflow you want the script to run.
For example, C:\Program Files (x86)\VMware\vRA\PE Builder\Plugins\VRM
Agent\VRMGuestAgent\site\SetupOS.
The agent runs the script in the order specified by the work item directory and the script file name.
Preparing for WIM Provisioning with VirtIO Drivers
If you are using VirtIO for network or storage interfaces, you must ensure that the necessary drivers are
included in your WinPE image and WIM image. VirtIO generally offers better performance when
provisioning with KVM (RHEV).
Windows drivers for VirtIO are included as part of the Red Hat Enterprise Virtualization and are located in
the /usr/share/virtio-win directory on the file system of the Red Hat Enterprise Virtualization
Manager. The drivers are also included in the Red Hat Enterprise Virtualization Guest Tools
located /usr/share/rhev-guest-tools-iso/rhev-tools-setup.iso.
The high-level process for enabling WIM-based provisioning with VirtIO drivers is as follows:
1 Create a WIM image from a Windows reference machine with the VirtIO drivers installed or insert the
drivers into an existing WIM image.
2 Copy the VirtIO driver files to the Plugins subdirectory of your PEBuilder installation directory before
creating a WinPE image, or insert the drivers into a WinPE image created using other means.
3 Upload the WinPE image ISO to the Red Hat Enterprise Virtualization ISO storage domains using the
rhevm-iso-uploader command. For more information about managing ISO images in RHEV refer
to the Red Hat documentation.
4 Create a KVM (RHEV) blueprint for WIM provisioning and select the WinPE ISO option. The custom
property VirtualMachine.Admin.DiskInterfaceType must be included with the value VirtIO. A
fabric administrator can include this information in a property group for inclusion on blueprints.
The custom properties Image.ISO.Location and Image.ISO.Name are not used for KVM (RHEV)
blueprints.
Create a WinPE Image by Using PEBuilder
Use the PEBuilder tool provided by vRealize Automation to create a WinPE ISO file that includes the
vRealize Automation guest agent.
Prerequisites
- Install PEBuilder.
- (Optional) Configure PEBuilder to include the Windows 64-bit guest agent in your WinPE instead of the Windows 32-bit guest agent. See Install PEBuilder.
- (Optional) Add any third party plugins you want to add to the WinPE image to the PlugIns subdirectory of the PEBuilder installation directory.
- (Optional) Specify Custom Scripts in a PEBuilder WinPE.
Procedure
1 Run PEBuilder.
2 Enter the IaaS Manager Service host information.
If you are using a load balancer:
a Enter the fully qualified domain name of the load balancer for the IaaS Manager Service in the vCAC Hostname text box. For example, manager_service_LB.mycompany.com.
b Enter the port number for the IaaS Manager Service load balancer in the vCAC Port text box. For example, 443.
With no load balancer:
a Enter the fully qualified domain name of the IaaS Manager Service machine in the vCAC Hostname text box. For example, manager_service.mycompany.com.
b Enter the port number for the IaaS Manager Service machine in the vCAC Port text box. For example, 443.
3 Enter the path to the PEBuilder plugins directory.
This depends on the installation directory specified during installation. The default is C:\Program
Files (x86)\VMware\vCAC\PE Builder\PlugIns.
4 Enter the output path for the ISO file you are creating in the ISO Output Path text box.
This location should be on the staging area you prepared.
5 Click File > Advanced.
Note Do not change the WinPE Architecture or Protocol settings.
6 Select the Include vCAC Guest Agent in WinPE ISO check box.
7 Click OK.
8 Click Build.
What to do next
Place the WinPE image in the location required by your integration platform. If you do not know the
location, please see the documentation provided by your platform.
If you are provisioning HP iLO machines, place the WinPE image in a web-accessible location. For
Dell iDRAC machines, place the image in a location available to NFS or CIFS. Record the address.
Manually Insert the Guest Agent into a WinPE Image
You do not have to use the vRealize Automation PEBuilder to create your WinPE. However, if you do not
use the PEBuilder you must manually insert the vRealize Automation guest agent into your WinPE image.
Prerequisites
- Select a Windows system from which the staging area you prepared is accessible and on which .NET 4.5 and Windows Automated Installation Kit (AIK) for Windows 7 (including WinPE 3.0) are installed.
- Create a WinPE.
Procedure
1 Install the Guest Agent in a WinPE
If you choose not to use the vRealize Automation PEBuilder to create your WinPE, you must install
PEBuilder to manually copy the guest agent files to your WinPE image.
2 Configure the doagent.bat File
If you choose not to use the vRealize Automation PEBuilder, you must manually configure the
doagent.bat file.
3 Configure the doagentc.bat File
If you choose not to use the vRealize Automation PEBuilder, you must manually configure the
doagentc.bat file.
4 Configure the Guest Agent Properties Files
If you choose not to use the vRealize Automation PEBuilder, you must manually configure the guest
agent properties files.
Install the Guest Agent in a WinPE
If you choose not to use the vRealize Automation PEBuilder to create your WinPE, you must install
PEBuilder to manually copy the guest agent files to your WinPE image.
PEBuilder has a 32 bit guest agent. If you need to run commands specific to 64 bit, install PEBuilder and
then get the 64 bit files from the GugentZipx64.zip file.
Prerequisites
- Select a Windows system from which the staging area you prepared is accessible and on which .NET 4.5 and Windows Automated Installation Kit (AIK) for Windows 7 (including WinPE 3.0) are installed.
- Create a WinPE.
Procedure
1 Navigate to the vCloud Automation Center Appliance management console page.
For example: https://va-hostname.domain.com.
2 Download the PEBuilder.
3 (Optional) Download the Windows 64-bit guest agent package if you want to include the Windows 64-
bit guest agent in your WinPE instead of the Windows 32-bit guest agent.
4 Execute vCAC-WinPEBuilder-Setup.exe.
5 Deselect both Plugins and PEBuilder.
6 Expand Plugins and select VRMAgent.
7 Follow the prompts to complete the installation.
8 (Optional) After installation is complete, replace the Windows 32-bit guest agent files located in \PE
Builder\Plugins\VRM Agent\VRMGuestAgent with the 64-bit files to include the 64-bit agent in
your WinPE.
9 Copy the contents of %SystemDrive%\Program Files (x86)\VMware\PE Builder\Plugins\VRM
Agent\VRMGuestAgent to a new location within your WinPE Image.
For example: C:\Program Files (x86)\VMware\PE Builder\Plugins\VRM
Agent\VRMGuestAgent.
What to do next
Configure the doagent.bat File.
Configure the doagent.bat File
If you choose not to use the vRealize Automation PEBuilder, you must manually configure the
doagent.bat file.
Prerequisites
Install the Guest Agent in a WinPE.
Procedure
1 Navigate to the VRMGuestAgent directory within your WinPE Image.
For example: C:\Program Files (x86)\VMware\PE Builder\Plugins\VRM
Agent\VRMGuestAgent.
2 Make a copy of the file doagent-template.bat and name it doagent.bat.
3 Open doagent.bat in a text editor.
4 Replace all instances of the string #Dcac Hostname# with the fully qualified domain name and port
number of the IaaS Manager Service host.
If you are using a load balancer: Enter the fully qualified domain name and port of the load balancer for the IaaS Manager Service. For example, manager_service_LB.mycompany.com:443
With no load balancer: Enter the fully qualified domain name and port of the machine on which the IaaS Manager Service is installed. For example, manager_service.mycompany.com:443
5 Replace all instances of the string #Protocol# with the string /ssl.
6 Replace all instances of the string #Comment# with REM (REM must be followed by a trailing space).
7 (Optional) If you are using self-signed certificates, uncomment the openSSL command.
echo QUIT | c:\VRMGuestAgent\bin\openssl s_client -connect
8 Save and close the file.
9 Edit the Startnet.cmd script for your WinPE to include the doagent.bat as a custom script.
What to do next
Configure the doagentc.bat File.
Configure the doagentc.bat File
If you choose not to use the vRealize Automation PEBuilder, you must manually configure the
doagentc.bat file.
Prerequisites
Configure the doagent.bat File.
Procedure
1 Navigate to the VRMGuestAgent directory within your WinPE Image.
For example: C:\Program Files (x86)\VMware\PE Builder\Plugins\VRM Agent\VRMGuestAgent.
2 Make a copy of the file doagentsvc-template.bat and name it doagentc.bat.
3 Open doagentc.bat in a text editor.
4 Remove all instances of the string #Comment#.
5 Replace all instances of the string #Dcac Hostname# with the fully qualified domain name and port
number of the Manager Service host.
The default port for the Manager Service is 443.
Option | Description
If you are using a load balancer | Enter the fully qualified domain name and port of the load balancer for the Manager Service. For example, load_balancer_manager_service.mycompany.com:443
With no load balancer | Enter the fully qualified domain name and port of the Manager Service. For example, manager_service.mycompany.com:443
6 Replace all instances of the string #errorlevel# with the character 1.
7 Replace all instances of the string #Protocol# with the string /ssl.
8 Save and close the file.
What to do next
Configure the Guest Agent Properties Files.
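The placeholder substitutions from the two preceding procedures (doagent.bat and doagentc.bat) as one shell script, an added example that is not part of the VMware documentation. It assumes the templates are edited on a POSIX build host with GNU sed before being copied into the WinPE image; the sample template lines used to exercise it are constructed, not the content of VMware's real template files.

```sh
#!/bin/sh
# Added example (not VMware's own code): render doagent.bat and doagentc.bat from their
# templates by applying the placeholder substitutions the two procedures describe.
# Both procedures demand a fully qualified domain name AND a port for the Manager Service
# (for example manager_service.mycompany.com:443); a half-edited value would leave the
# guest agent in the WinPE image pointing at the wrong place, so it is validated first.

# check_hostport "fqdn:port": accept only host.domain[.more]:port (underscores allowed,
# as in the documentation's examples); reject bare host names and values without a port.
check_hostport() {
    printf '%s' "$1" | grep -Eq \
        '^[A-Za-z0-9_]([A-Za-z0-9_-]*[A-Za-z0-9_])?(\.[A-Za-z0-9_]([A-Za-z0-9_-]*[A-Za-z0-9_])?)+:[0-9]{1,5}$'
}

# render_doagent TEMPLATE OUT "fqdn:port"
# Steps 4-6 of "Configure the doagent.bat File":
#   #Dcac Hostname# -> fqdn:port   #Protocol# -> /ssl   #Comment# -> "REM " (trailing space)
# Step 7 (uncommenting the openssl line for self-signed certificates) stays a manual step
# because the layout of that line in the real template is not shown here.
render_doagent() {
    tmpl=$1 out=$2 hostport=$3
    check_hostport "$hostport" || { echo "expected fqdn:port, got '$hostport'" >&2; return 1; }
    sed -e "s|#Dcac Hostname#|$hostport|g" \
        -e 's|#Protocol#|/ssl|g' \
        -e 's|#Comment#|REM |g' "$tmpl" > "$out"
}

# render_doagentc TEMPLATE OUT "fqdn:port"
# Steps 4-7 of "Configure the doagentc.bat File":
#   #Comment# removed   #Dcac Hostname# -> fqdn:port   #errorlevel# -> 1   #Protocol# -> /ssl
render_doagentc() {
    tmpl=$1 out=$2 hostport=$3
    check_hostport "$hostport" || { echo "expected fqdn:port, got '$hostport'" >&2; return 1; }
    sed -e 's|#Comment#||g' \
        -e "s|#Dcac Hostname#|$hostport|g" \
        -e 's|#errorlevel#|1|g' \
        -e 's|#Protocol#|/ssl|g' "$tmpl" > "$out"
}

# placeholders_remain FILE: true (0) if any of the documented placeholder tokens survived
# rendering, so an image build can refuse to ship a half-configured agent script.
placeholders_remain() {
    grep -Eq '#(Dcac Hostname|Protocol|Comment|errorlevel)#' "$1"
}
```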
Configure the Guest Agent Properties Files
If you choose not to use the vRealize Automation PEBuilder, you must manually configure the guest
agent properties files.
Prerequisites
Configure the doagentc.bat File.
Procedure
1 Navigate to the VRMGuestAgent directory within your WinPE Image.
For example: C:\Program Files (x86)\VMware\PE Builder\Plugins\VRM Agent\VRMGuestAgent.
2 Make a copy of the file gugent.properties and name it gugent.properties.template.
3 Make a copy of the file gugent.properties.template and name it gugentc.properties.
4 Open gugent.properties in a text editor.
5 Replace all instances of the string GuestAgent.log with the string X:/VRMGuestAgent/GuestAgent.log.
6 Save and close the file.
7 Open gugentc.properties in a text editor.
8 Replace all instances of the string GuestAgent.log with the string C:/VRMGuestAgent/GuestAgent.log.
9 Save and close the file.
Preparing for Virtual Machine Image Provisioning
Before you provision instances with OpenStack, you must have virtual machine images and flavors
configured in the OpenStack provider.
Virtual Machine Images
You can select a virtual machine image from a list of available images when creating blueprints for OpenStack resources.
A virtual machine image is a template that contains a software configuration, including an operating
system. Virtual machine images are managed by the OpenStack provider and are imported during data
collection.
If an image that is used in a blueprint is later deleted from the OpenStack provider, it is also removed from
the blueprint. If all the images have been removed from a blueprint, the blueprint is disabled and cannot
be used for machine requests until it is edited to add at least one image.
OpenStack Flavors
You can select one or more flavors when creating OpenStack blueprints.
OpenStack flavors are virtual hardware templates that define the machine resource specifications for
instances provisioned in OpenStack. Flavors are managed by the OpenStack provider and are imported
during data collection.
vRealize Automation supports several flavors of OpenStack. For the most current information about
OpenStack flavor support, see the vRealize Automation Support Matrix at
https://www.vmware.com/support/pubs/vcac-pubs.html.
Preparing for Amazon Machine Image Provisioning
Prepare your Amazon Machine Images and instance types for provisioning in vRealize Automation.
Understanding Amazon Machine Images
You can select an Amazon machine image from a list of available images when creating Amazon
machine blueprints.
An Amazon machine image is a template that contains a software configuration, including an operating
system. They are managed by Amazon Web Services accounts. vRealize Automation manages the
instance types that are available for provisioning.
The Amazon machine image and instance type must be available in an Amazon region. Not all instance
types are available in all regions.
You can select an Amazon machine image provided by Amazon Web Services, a user community, or the
AWS Marketplace site. You can also create and optionally share your own Amazon machine images. A
single Amazon machine image can be used to launch one or many instances.
The following considerations apply to Amazon machine images in the Amazon Web Services accounts
from which you provision cloud machines:
• Each blueprint must specify an Amazon machine image.
A private Amazon machine image is available to a specific account and all its regions. A public Amazon machine image is available to all accounts, but only to a specific region in each account.
• When the blueprint is created, the specified Amazon machine image is selected from regions that have been data-collected. If multiple Amazon Web Services accounts are available, the business group manager must have rights to any private Amazon machine images. The Amazon machine image region and the specified user location restrict provisioning requests to reservations that match the corresponding region and location.
• Use reservations and policies to distribute Amazon machine images in your Amazon Web Services accounts. Use policies to restrict provisioning from a blueprint to a particular set of reservations.
• vRealize Automation cannot create user accounts on a cloud machine. The first time a machine owner connects to a cloud machine, she must log in as an administrator and add her vRealize Automation user credentials or an administrator must do that for her. She can then log in using her vRealize Automation user credentials.
If the Amazon machine image generates the administrator password on every boot, the Edit Machine Record page displays the password. If it does not, you can find the password in the Amazon Web Services account. You can configure all Amazon machine images to generate the administrator password on every boot. You can also provide administrator password information to support users who provision machines for other users.
• To allow remote Microsoft Windows Management Instrumentation (WMI) requests on cloud machines provisioned in Amazon Web Services accounts, enable a Microsoft Windows Remote Management (WinRM) agent to collect data from Windows machines managed by vRealize Automation. See Installing vRealize Automation 7.2.
• A private Amazon machine image can be seen across tenants.
For related information, see Amazon Machine Images (AMI) topics in Amazon documentation.
Understanding Amazon Instance Types
An IaaS architect selects one or more Amazon instance types when creating Amazon EC2 blueprints. An
IaaS administrator can add or remove instance types to control the choices available to the architects.
An Amazon EC2 instance is a virtual server that can run applications in Amazon Web Services. Instances
are created from an Amazon machine image and by choosing an appropriate instance type.
To provision a machine in an Amazon Web Services account, an instance type is applied to the specified
Amazon machine image. The available instance types are listed when architects create the Amazon EC2
blueprint. Architects select one or more instance types, and those instance types become choices
available to the user when they request to provision a machine. The instance types must be supported in
the designated region.
For related information, see Selecting Instance Types and Amazon EC2 Instance Details topics in
Amazon documentation.
Add an Amazon Instance Type
Several instance types are supplied with vRealize Automation for use with Amazon blueprints. An
administrator can add and remove instance types.
The machine instance types managed by IaaS administrators are available to blueprint architects when
they create or edit an Amazon blueprint. Amazon machine images and instance types are made available
through the Amazon Web Services product.
Prerequisites
Log in to the vRealize Automation console as an IaaS administrator.
Procedure
1 Click Infrastructure > Administration > Instance Types.
2 Click New.
3 Add a new instance type, specifying the following parameters.
Information about the available Amazon instances types and the setting values that you can specify
for these parameters is available from Amazon Web Services documentation in EC2 Instance Types -
Amazon Web Services (AWS) at aws.amazon.com/ec2 and Instance Types at
docs.aws.amazon.com.
• Name
• API name
• Type Name
• IO Performance Name
• CPUs
• Memory (GB)
• Storage (GB)
• Compute Units
4 Click the Save icon.
When IaaS architects create Amazon Web Services blueprints, they can use your custom instance types.
What to do next
Add the compute resources from your endpoint to a fabric group. See Create a Fabric Group.
Scenario: Prepare vSphere Resources for Machine Provisioning in
Rainpole
As the vSphere administrator creating templates for vRealize Automation, you want to use the vSphere
Web Client to prepare for cloning CentOS machines in vRealize Automation.
You want to convert an existing CentOS reference machine into a vSphere template so you and your
Rainpole architects can create blueprints for cloning CentOS machines in vRealize Automation. To
prevent any conflicts that might arise from deploying multiple virtual machines with identical settings, you
also want to create a general customization specification that you and your architects can use to create
clone blueprints for Linux templates.
Procedure
1 Scenario: Convert Your CentOS Reference Machine into a Template for Rainpole
Using the vSphere Client, you convert your existing CentOS reference machine into a vSphere
template for your vRealize Automation IaaS architects to reference as the base for their clone
blueprints.
2 Scenario: Create a Customization Specification for Cloning Linux Machines in Rainpole
Using the vSphere Client, you create a standard customization specification for your
vRealize Automation IaaS architects to use when they create clone blueprints for Linux machines.
Scenario: Convert Your CentOS Reference Machine into a Template for
Rainpole
Using the vSphere Client, you convert your existing CentOS reference machine into a vSphere template
for your vRealize Automation IaaS architects to reference as the base for their clone blueprints.
Procedure
1 Log in to your reference machine as the root user and prepare the machine for conversion.
a Remove udev persistence rules.
/bin/rm -f /etc/udev/rules.d/70*
b Enable machines cloned from this template to have their own unique identifiers.
/bin/sed -i '/^\(HWADDR\|UUID\)=/d' /etc/sysconfig/network-scripts/ifcfg-eth0
c Power down the machine.
shutdown -h now
2 Log in to the vSphere Web Client as an administrator.
3 Click the VM Options tab.
4 Right-click your reference machine and select Edit Settings.
5 Enter Rainpole_centos_63_x86 in the VM Name text box.
6 Even though your reference machine has a CentOS guest operating system, select Red Hat
Enterprise Linux 6 (64-bit) from the Guest OS Version drop-down menu.
If you select CentOS, your template and customization specification might not work as expected.
7 Right-click your Rainpole_centos_63_x86 reference machine in the vSphere Web Client and select
Template > Convert to Template.
vCenter Server marks your Rainpole_centos_63_x86 reference machine as a template and displays the
task in the Recent Tasks pane.
What to do next
To prevent any conflicts that might arise from deploying multiple virtual machines with identical settings,
you create a general customization specification that you and your Rainpole architects can use to create
clone blueprints for Linux templates.
Scenario: Create a Customization Specification for Cloning Linux Machines in
Rainpole
Using the vSphere Client, you create a standard customization specification for your vRealize Automation
IaaS architects to use when they create clone blueprints for Linux machines.
Procedure
1 On the home page, click Customization Specification Manager to open the wizard.
2 Click the New icon.
3 Specify properties.
a Select Linux from the Target VM Operating System drop-down menu.
b Enter Linux in the Customization Spec Name text box.
c Enter Rainpole Linux cloning with vRealize Automation in the Description text box.
d Click Next.
4 Set computer name.
a Select Use the virtual machine name.
b Enter the domain on which cloned machines are going to be provisioned in the Domain name
text box.
For example, rainpole.local.
c Click Next.
5 Configure time zone settings.
6 Click Next.
7 Select Use standard network settings for the guest operating system, including enabling
DHCP on all network interfaces.
8 Follow the prompts to enter the remaining required information.
9 On the Ready to complete page, review your selections and click Finish.
You have a general customization specification that you can use to create blueprints for cloning Linux
machines.
What to do next
Log in to the vRealize Automation console as the configuration administrator you created during the
installation and request the catalog items that quickly set up your proof of concept.
Preparing for Software Provisioning
Use Software to deploy applications and middleware as part of the vRealize Automation provisioning process for vSphere, vCloud Director, vCloud Air, and Amazon AWS machines.
You can deploy Software on machines if your blueprint supports Software and if you install the guest
agent and software bootstrap agent on your reference machines before you convert them into templates,
snapshots, or Amazon Machine Images.
Table 1‑17. Provisioning Methods that Support Software
Provisioning Method | Machine Type | Required Preparation
vSphere | Clone | A clone blueprint provisions a complete and independent virtual machine based on a vCenter Server virtual machine template. If you want your templates for cloning to support Software components, install the guest agent and software bootstrap agent on your reference machine as you prepare a template for cloning. See Checklist for Preparing to Provision by Cloning.
vSphere | Linked Clone | A linked clone blueprint provisions a space-efficient copy of a vSphere machine based on a snapshot, using a chain of delta disks to track differences from the parent machine. If you want your linked clone blueprints to support Software components, install the guest agent and software bootstrap agent on the machine before you take the snapshot. If your snapshot machine was cloned from a template that supports Software, the required agents are already installed.
vCloud Director | Clone | A clone blueprint provisions a complete and independent virtual machine based on a vCenter Server virtual machine template. If you want your templates for cloning to support Software components, install the guest agent and software bootstrap agent on your reference machine as you prepare a template for cloning. See Checklist for Preparing to Provision by Cloning.
vCloud Air | Clone | A clone blueprint provisions a complete and independent virtual machine based on a vCenter Server virtual machine template. If you want your templates for cloning to support Software components, install the guest agent and software bootstrap agent on your reference machine as you prepare a template for cloning. See Checklist for Preparing to Provision by Cloning.
Amazon AWS | Amazon Machine Image | An Amazon machine image is a template that contains a software configuration, including an operating system. If you want to create an Amazon machine image that supports Software, connect to a running Amazon AWS instance that uses an EBS volume for the root device. Install the guest agent and software bootstrap agent on the reference machine, then create an Amazon Machine Image from your instance. For instructions on creating Amazon EBS-backed AMIs, see the Amazon AWS documentation. For the guest agent and Software bootstrap agent to function on provisioned machines, you must configure network-to-VPC connectivity.
Preparing to Provision Machines with Software
To support Software components, you must install the guest agent and Software bootstrap agent on your
reference machine before you convert to a template for cloning, create an Amazon machine image, or
take a snapshot.
Prepare a Windows Reference Machine to Support Software
You install the supported Java Runtime Environment, the guest agent, and the Software bootstrap agent
on your Windows reference machine to create a template, snapshot, or Amazon Machine Instance that
supports Software components.
Software supports scripting with Windows CMD and PowerShell 2.0.
Important Because the boot process must not be interrupted, configure the virtual machine so that
nothing causes the virtual machine's boot process to pause before reaching the final operating system
login prompt. For example, verify that no processes or scripts prompt for user interaction when the virtual
machine starts.
The install.bat file configures the guest agent to communicate with the Manager Service. The
install.bat file can receive the following argument schemas:
• [Backwards compatible darwin Local User] password=Password
• password=Password localUser=Username
• password=Password domainUser=Domainname\Username
• localSystem=true
If passwordNeverExpire=false (the default), password expiration follows group policy. If it is set to true or not set at all, the password never expires.
Prerequisites
• Identify or create a reference machine.
• If you have previously installed the guest agent or Software bootstrap agent on this machine, remove the agents and runtime logs. See Updating Existing Virtual Machine Templates in vRealize Automation.
• If you plan to remotely access the virtual machine Windows remote desktop for troubleshooting or for other reasons, install the Remote Desktop Services (RDS) for Windows.
• Verify that all of the network configuration artifacts are removed from the network configuration files.
• Establish secure trust between the guest agent and your Manager Service machine. See Configuring the Guest Agent to Trust a Server.
• Verify that the Darwin user has Log on as a service access rights on the Windows reference machine.
Procedure
1 Log in to your Windows reference machine as a Windows Administrator and open a command
prompt.
2 Download and install the supported Java Runtime Environment from
https://vRealize_VA_Hostname_fqdn/software/index.html.
a Download the Java SE Runtime Environment .zip file
https://vRealize_VA_Hostname_fqdn/software/download/jre-version-win64.zip.
b Create a c:\opt\vmware-jre folder and unzip the JRE .zip file to the folder.
c Open a command prompt window and enter c:\opt\vmware-jre\bin\java -version to verify
the installation.
The installed version of Java appears.
3 Download and install the vRealize Automation guest agent from
https://vRealize_VA_Hostname_fqdn/software/index.html.
a Download GugentZip_version to the C drive on the reference machine.
Select either GuestAgentInstaller.exe (32-bit) or GuestAgentInstaller_x64.exe (64-bit)
depending on which is appropriate for your operating system.
b Right-click the file and select Properties.
c Click General.
d Click Unblock.
e Extract the files to C:\.
This produces the directory C:\VRMGuestAgent. Do not rename this directory.
4 Download the Software Agent bootstrap file from
https://vRealize_VA_Hostname_fqdn/software/index.html.
a Download the Software bootstrap agent file https://vRealize_VA_Hostname_fqdn/software/download/vmware-vra-software-agent-bootstrap-windows_version.zip.
b Right-click the file and select Properties.
c Click General.
d Click Unblock.
Important If you do not disable this Windows security feature, you cannot use the Software
agent bootstrap file.
e Unzip the vmware-vra-software-agent-bootstrap-windows_version.zip file to the
c:\temp folder.
5 Install the Software bootstrap agent.
a Open a Windows CMD console and navigate to the c:\temp folder.
b Enter the command to install the agent bootstrap.
install.bat password=Password managerServiceHost=manager_service_machine.mycompany.com managerServicePort=443 httpsMode=true cloudProvider=ec2|vca|vcd|vsphere
The default port number for the Manager Service is 443. Accepted values for cloudProvider are ec2, vca, vcd, and vsphere. The install.bat script creates a user account called darwin for the software bootstrap agent using the password you set in the install command. The password you set must meet the Windows password requirements.
If your install fails due to a .NET dependency, refer to the following article for assistance:
https://technet.microsoft.com/en-us/library/dn482071.aspx
6 Verify that the user darwin exists.
a Enter lusrmgr.msc at a command prompt.
b Verify that the user darwin_user exists and belongs to the administrator group.
c Set the password to never expire.
The setting ensures that the template remains usable after 30 days.
If the user is not available, verify that the Windows server password is accurate.
7 Shut down the Windows virtual machine.
What to do next
Convert your reference machine into a template for cloning, an Amazon machine image, or a snapshot so
your IaaS architects can use your template when creating blueprints.
Prepare a Linux Reference Machine to Support Software
You use a single script to install the supported Java Runtime Environment, the guest agent, and the
Software bootstrap agent on your Linux reference machine to create a template, snapshot, or Amazon
Machine Instance that supports Software components.
Software supports scripting with Bash.
Important Because the boot process must not be interrupted, configure the virtual machine so that
nothing causes the virtual machine's boot process to pause before reaching the final operating system
login prompt. For example, verify that no processes or scripts prompt for user interaction when the virtual
machine starts.
Prerequisites
• Identify or create a Linux reference machine and verify that the following commands are available, depending on your Linux system:
  • yum or apt-get
  • wget or curl
  • python
  • dmidecode, as required by cloud providers
  • Common requirements such as sed, awk, perl, chkconfig, unzip, and grep, depending on your Linux distribution
For related information about Linux prerequisites, see the prepare_vra_template.sh script.
• If you plan to remotely access the virtual machine over an SSH login for troubleshooting or for other reasons, install the OpenSSH server and client for Linux.
• Remove network configuration artifacts from the network configuration files.
Procedure
1 Log in to your reference machine as the root user.
2 Download the installation script from your vRealize Automation appliance.
wget https://vRealize_VA_Hostname_fqdn/software/download/prepare_vra_template.sh
If your environment is using self-signed certificates, you might have to use the wget option --no-check-certificate. For example:
wget --no-check-certificate https://vRealize_VA_Hostname_fqdn/software/download/prepare_vra_template.sh
This option disables verification of the appliance's certificate for the download, so use it only when you trust the network path to the appliance.
3 Make the prepare_vra_template.sh script executable.
chmod +x prepare_vra_template.sh
4 Run the prepare_vra_template.sh installer script.
./prepare_vra_template.sh
You can run the help command ./prepare_vra_template.sh --help for information about non-interactive options and expected values.
5 Follow the prompts to complete the installation.
You see a confirmation message when the installation is successfully completed. If you see an error
message and logs in the console, resolve the errors and run the installer script again.
6 Shut down the Linux virtual machine.
The script removes any previous installations of the Software bootstrap agent and installs the supported
versions of the Java Runtime Environment, the guest agent, and the Software bootstrap agent.
What to do next
On your hypervisor or cloud provider, turn your reference machine into a template, snapshot, or Amazon
Machine Image that your infrastructure architects can use when creating blueprints.
Updating Existing Virtual Machine Templates in vRealize Automation
If you are updating your templates, Amazon Machine Images, or snapshots for the latest version of the
Windows Software bootstrap agent, or if you are manually updating to the latest Linux Software bootstrap
agent instead of using the prepare_vra_template.sh script, you need to remove any existing
versions and delete any logs.
Linux
For Linux reference machines, running the prepare_vra_template.sh script resets the agent and removes any logs for you before reinstalling. However, if you intend to install manually, you need to log in to the reference machine as the root user and run the command to reset and remove the artifacts.
/opt/vmware-appdirector/agent-bootstrap/agent_reset.sh
Windows
For Windows reference machines, you remove the existing Software agent bootstrap and
vRealize Automation 6.0 or later guest agent, and delete any existing runtime log files. In a PowerShell
command window, run the commands to remove the agent and artifacts.
c:\opt\vmware-appdirector\agent-bootstrap\agent_bootstrap_removal.bat
c:\opt\vmware-appdirector\agent-bootstrap\agent_reset.bat
Scenario: Prepare a vSphere CentOS Template for Clone Machine
and Software Component Blueprints
As a vCenter Server administrator, you want to prepare a vSphere template that your
vRealize Automation architects can use to clone Linux CentOS machines. You want to ensure that your
template supports blueprints with software components, so you install the guest agent and the software
bootstrap agent before you turn your reference machine into a template.
Prerequisites
n
Identify or create a Linux CentOS reference machine with VMware Tools installed. Include at least
one Network Adapter to provide internet connectivity in case blueprint architects do not add this
functionality at the blueprint level. For information about creating virtual machines, see the vSphere
documentation.
n
You must be connected to a vCenter Server to convert a virtual machine to a template. You cannot create templates if you connect the vSphere Client directly to a vSphere ESXi host.
Procedure
1 Scenario: Prepare Your Reference Machine for Guest Agent Customizations and Software
Components
So that your template can support software components, you install the software bootstrap agent
and its prerequisite, the guest agent, on your reference machine. The agents ensure that
vRealize Automation architects who use your template can include software components in their
blueprints.
2 Scenario: Convert Your CentOS Reference Machine into a Template
After you install the guest agent and software bootstrap agent onto your reference machine, you turn
your reference machine into a template that vRealize Automation architects can use to create clone
machine blueprints.
3 Scenario: Create a Customization Specification for vSphere Cloning
Create a customization specification for your blueprint architects to use with your
cpb_centos_63_x84 template.
You created a template and customization specification from your reference machine that blueprint
architects can use to create vRealize Automation blueprints that clone Linux CentOS machines. Because
you installed the Software bootstrap agent and the guest agent on your reference machine, architects can
use your template to create elaborate catalog item blueprints that include Software components or other
guest agent customizations such as running scripts or formatting disks. Because you installed
VMware Tools, architects and catalog administrators can allow users to perform actions against
machines, such as reconfigure, snapshot, and reboot.
What to do next
After you configure vRealize Automation users, groups, and resources, you can use your template and
customization specification to create a machine blueprint for cloning. See Scenario: Create a vSphere
CentOS Blueprint for Cloning in Rainpole.
Scenario: Prepare Your Reference Machine for Guest Agent Customizations
and Software Components
So that your template can support software components, you install the software bootstrap agent and its
prerequisite, the guest agent, on your reference machine. The agents ensure that vRealize Automation
architects who use your template can include software components in their blueprints.
To simplify the process, you download and run a vRealize Automation script that installs both agents,
instead of downloading and installing separate packages.
The script also connects to the Manager Service instance and downloads the SSL certificate, which
establishes trust between the Manager Service and machines deployed from the template. Note that
having the script download the certificate is less secure than manually obtaining the Manager Service
SSL certificate and installing it on your reference machine in /usr/share/gugent/cert.pem.
Procedure
1 In your Web browser, open the following URL.
https://vrealize-automation-appliance-FQDN/software/index.html
2 Save the prepare_vra_template.sh script to your reference machine.
3 On the reference machine, make prepare_vra_template.sh executable.
chmod +x prepare_vra_template.sh
4 Run prepare_vra_template.sh.
./prepare_vra_template.sh
5 Follow the prompts.
If you need non-interactive information about options and values,
enter ./prepare_vra_template.sh --help.
A confirmation message appears when installation finishes. If error messages and logs appear, correct
the issues and rerun the script.
Scenario: Convert Your CentOS Reference Machine into a Template
After you install the guest agent and software bootstrap agent onto your reference machine, you turn your
reference machine into a template that vRealize Automation architects can use to create clone machine
blueprints.
After you convert your reference machine to a template, you cannot edit or power on the template unless
you convert it back to a virtual machine.
Procedure
1 Log in to your reference machine as the root user and prepare the machine for conversion.
a Remove udev persistence rules.
/bin/rm -f /etc/udev/rules.d/70*
b Enable machines cloned from this template to have their own unique identifiers.
/bin/sed -i '/^\(HWADDR\|UUID\)=/d' /etc/sysconfig/network-scripts/ifcfg-eth0
c If you rebooted or reconfigured the reference machine after installing the software bootstrap
agent, reset the agent.
/opt/vmware-appdirector/agent-bootstrap/agent_reset.sh
d Power down the machine.
shutdown -h now
2 Log in to the vSphere Web Client as an administrator.
3 Right-click your reference machine and select Edit Settings.
4 Enter cpb_centos_63_x84 in the VM Name text box.
5 Even though your reference machine has a CentOS guest operating system, select Red Hat
Enterprise Linux 6 (64-bit) from the Guest OS Version drop-down menu.
If you select CentOS, your template and customization specification might not work as expected.
6 Right-click your reference machine in the vSphere Web Client and select Template > Convert to
Template.
vCenter Server marks your cpb_centos_63_x84 reference machine as a template and displays the task in
the Recent Tasks pane. If you have already brought your vSphere environment under
vRealize Automation management, your template is discovered during the next automated data
collection. If you have not configured your vRealize Automation yet, the template is collected during that
process.
Scenario: Create a Customization Specification for vSphere Cloning
Create a customization specification for your blueprint architects to use with your cpb_centos_63_x84
template.
Procedure
1 Log in to the vSphere Web Client as an administrator.
2 On the home page, click Customization Specification Manager to open the wizard.
3 Click the New icon.
4 Click the New icon.
5 Specify properties.
a Select Linux from the Target VM Operating System drop-down menu.
b Enter Customspecs in the Customization Spec Name text box.
c Enter cpb_centos_63_x84 cloning with vRealize Automation in the Description text box.
d Click Next.
6 Set computer name.
a Select Use the virtual machine name.
b Enter the domain on which cloned machines are going to be provisioned in the Domain name
text box.
c Click Next.
7 Configure time zone settings.
8 Click Next.
9 Select Use standard network settings for the guest operating system, including enabling
DHCP on all network interfaces.
Fabric administrators and infrastructure architects handle network settings for provisioned machines by
creating and using network profiles in vRealize Automation.
10 Follow the prompts to enter the remaining required information.
11 On the Ready to complete page, review your selections and click Finish.
Scenario: Prepare for Importing the Dukes Bank for vSphere
Sample Application Blueprint
As a vCenter Server administrator, you want to prepare a vSphere CentOS 6.x Linux template and
customization specification that you can use to provision the vRealize Automation Dukes Bank sample
application.
You want to ensure that your template supports the sample application software components, so you
install the guest agent and the software bootstrap agent onto your Linux reference machine before you
convert it to a template and create a customization specification. You disable SELinux on your reference
machine to ensure your template supports the specific implementation of MySQL used in the Dukes Bank
sample application.
Prerequisites
- Install and fully configure vRealize Automation. See Installing and Configuring vRealize Automation
for the Rainpole Scenario.
- Identify or create a CentOS 6.x Linux reference machine with VMware Tools installed. For information
about creating virtual machines, see the vSphere documentation.
- You must be connected to a vCenter Server to convert a virtual machine to a template. You cannot
create templates if you connect the vSphere Client directly to a vSphere ESXi host.
Procedure
1 Scenario: Prepare Your Reference Machine for the Dukes Bank vSphere Sample Application
You want your template to support the Dukes Bank sample application, so you must install both the
guest agent and the software bootstrap agent on your reference machine so vRealize Automation
can provision the software components. To simplify the process, you download and run a
vRealize Automation script that installs both the guest agent and the software bootstrap agent
instead of downloading and installing the packages separately.
2 Scenario: Convert Your Reference Machine into a Template for the Dukes Bank vSphere Application
After you install the guest agent and software bootstrap agent on your reference machine, you
disable SELinux to ensure your template supports the specific implementation of MySQL used in the
Dukes Bank sample application. You turn your reference machine into a template that you can use
to provision the Dukes Bank vSphere sample application.
3 Scenario: Create a Customization Specification for Cloning the Dukes Bank vSphere Sample
Application Machines
You create a customization specification to use with your Dukes Bank machine template.
You created a template and customization specification from your reference machine that supports the
vRealize Automation Dukes Bank sample application.
Scenario: Prepare Your Reference Machine for the Dukes Bank vSphere
Sample Application
You want your template to support the Dukes Bank sample application, so you must install both the guest
agent and the software bootstrap agent on your reference machine so vRealize Automation can provision
the software components. To simplify the process, you download and run a vRealize Automation script
that installs both the guest agent and the software bootstrap agent instead of downloading and installing
the packages separately.
Procedure
1 Log in to your reference machine as the root user.
2 Download the installation script from your vRealize Automation appliance.
wget https://vRealize_VA_Hostname_fqdn/software/download/prepare_vra_template.sh
If your environment is using self-signed certificates, you might have to use the wget
--no-check-certificate option, which disables TLS certificate verification for this download. For example:
wget --no-check-certificate https://vRealize_VA_Hostname_fqdn/software/download/prepare_vra_template.sh
3 Make the prepare_vra_template.sh script executable.
chmod +x prepare_vra_template.sh
4 Run the prepare_vra_template.sh installer script.
./prepare_vra_template.sh
You can run the help command ./prepare_vra_template.sh --help for information about non-interactive
options and expected values.
5 Follow the prompts to complete the installation.
You see a confirmation message when the installation is successfully completed. If you see an error
message and logs in the console, resolve the errors and run the installer script again.
You installed both the software bootstrap agent and its prerequisite, the guest agent, to ensure the Dukes
Bank sample application successfully provisions software components. The script also connected to your
Manager Service instance and downloaded the SSL certificate to establish trust between the Manager
Service and machines deployed from your template. Because the script trusts whatever certificate it
received over the network, this is a less secure approach than obtaining the Manager Service SSL
certificate out of band and manually installing it on your reference machine in /usr/share/gugent/cert.pem;
you can manually replace the downloaded certificate now if security is a high priority.
Scenario: Convert Your Reference Machine into a Template for the Dukes
Bank vSphere Application
After you install the guest agent and software bootstrap agent on your reference machine, you disable
SELinux to ensure your template supports the specific implementation of MySQL used in the Dukes Bank
sample application. You turn your reference machine into a template that you can use to provision the
Dukes Bank vSphere sample application.
After you convert your reference machine to a template, you cannot edit or power on the template unless
you convert it back to a virtual machine.
Procedure
1 Log in to your reference machine as the root user.
a Edit your /etc/selinux/config file to disable SELinux.
SELINUX=disabled
If you do not disable SELinux, the MySQL software component of the Dukes Bank sample
application might not work as expected.
b Remove udev persistence rules.
/bin/rm -f /etc/udev/rules.d/70*
c Enable machines cloned from this template to have their own unique identifiers.
/bin/sed -i '/^\(HWADDR\|UUID\)=/d' /etc/sysconfig/network-scripts/ifcfg-eth0
d If you rebooted or reconfigured the reference machine after installing the software bootstrap
agent, reset the agent.
/opt/vmware-appdirector/agent-bootstrap/agent_reset.sh
e Power down the machine.
shutdown -h now
2 Log in to the vSphere Web Client as an administrator.
3 Right-click your reference machine and select Edit Settings.
4 Enter dukes_bank_template in the VM Name text box.
5 If your reference machine has a CentOS guest operating system, select Red Hat Enterprise Linux 6
(64-bit) from the Guest OS Version drop-down menu.
If you select CentOS, your template and customization specification might not work as expected.
6 Click OK.
7 Right-click your reference machine in the vSphere Web Client and select Template > Convert to
Template.
vCenter Server marks your dukes_bank_template reference machine as a template and displays the task
in the Recent Tasks pane. If you have already brought your vSphere environment under
vRealize Automation management, your template is discovered during the next automated data
collection. If you have not configured your vRealize Automation yet, the template is collected during that
process.
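The root-user preparation steps from step 1 of this scenario and of the earlier CentOS template scenario, as an added shell example that is not VMware's prepare script: each step is a function that takes the path it edits, so the whole sequence can be checked on a scratch copy before it is run as root on the reference machine. The SELINUX= replace-or-append handling, the temp-file writes and the demo function are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not VMware's prepare script: the reference-machine steps from
# the template scenarios above, each as a function that takes the path it
# edits. Run prepare_reference_machine / on the real machine as root, or hand
# it a scratch directory (see demo_on_scratch_copy) to check the result first.

# Step "Remove udev persistence rules": drop the 70-* rules that pin interface
# names to the reference machine's MAC addresses.
remove_udev_rules() {            # $1 = rules directory, e.g. /etc/udev/rules.d
    rm -f "$1"/70*
}

# Step "Enable machines cloned from this template to have their own unique
# identifiers": delete HWADDR= and UUID= lines from an ifcfg file. Writes
# through a temp file so it behaves the same with GNU and BSD sed.
strip_hw_identity() {            # $1 = ifcfg file
    tmp="$1.tmp.$$"
    sed -e '/^HWADDR=/d' -e '/^UUID=/d' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Dukes Bank step "Edit your /etc/selinux/config file to disable SELinux":
# replace an existing SELINUX= line, or append one if the file has none.
disable_selinux() {              # $1 = SELinux config file
    tmp="$1.tmp.$$"
    if grep -q '^SELINUX=' "$1"; then
        sed -e 's/^SELINUX=.*/SELINUX=disabled/' "$1" > "$tmp"
    else
        { cat "$1"; printf 'SELINUX=disabled\n'; } > "$tmp"
    fi
    mv "$tmp" "$1"
}

# Read back the effective SELINUX mode (the last SELINUX= line wins).
selinux_mode() {                 # $1 = SELinux config file
    sed -n 's/^SELINUX=//p' "$1" | tail -n 1
}

# Verification helper: succeed only if no line of the file matches the pattern.
file_is_clean() {                # $1 = file, $2 = grep pattern
    ! grep -q -- "$2" "$1"
}

# Whole sequence under a root prefix ("/" on the real machine). Pass "yes" as
# $2 to also reset the bootstrap agent (needed if the machine was rebooted or
# reconfigured after the agent install) and power off, as the scenario's last
# two root-user steps do.
prepare_reference_machine() {    # $1 = root prefix, $2 = "yes" to reset+halt
    root="${1%/}"
    remove_udev_rules "$root/etc/udev/rules.d"
    strip_hw_identity "$root/etc/sysconfig/network-scripts/ifcfg-eth0"
    disable_selinux "$root/etc/selinux/config"
    if [ "${2:-no}" = "yes" ]; then
        /opt/vmware-appdirector/agent-bootstrap/agent_reset.sh
        shutdown -h now
    fi
}

# Build a constructed scratch copy of the three files (sample contents made up
# for this example), run the sequence on it, and return 0 when every check holds.
demo_on_scratch_copy() {
    scratch=$(mktemp -d)
    net="$scratch/etc/sysconfig/network-scripts"
    mkdir -p "$scratch/etc/udev/rules.d" "$net" "$scratch/etc/selinux"
    printf 'SUBSYSTEM=="net", ATTR{address}=="00:50:56:aa:bb:cc", NAME="eth0"\n' \
        > "$scratch/etc/udev/rules.d/70-persistent-net.rules"
    printf 'DEVICE=eth0\nHWADDR=00:50:56:AA:BB:CC\nUUID=0f1e2d3c\nBOOTPROTO=dhcp\nONBOOT=yes\n' \
        > "$net/ifcfg-eth0"
    printf 'SELINUX=enforcing\nSELINUXTYPE=targeted\n' > "$scratch/etc/selinux/config"

    prepare_reference_machine "$scratch" no
    ok=0
    [ ! -e "$scratch/etc/udev/rules.d/70-persistent-net.rules" ] || ok=1
    file_is_clean "$net/ifcfg-eth0" '^HWADDR=' || ok=1
    file_is_clean "$net/ifcfg-eth0" '^UUID=' || ok=1
    grep -q '^BOOTPROTO=dhcp' "$net/ifcfg-eth0" || ok=1      # other lines survive
    [ "$(selinux_mode "$scratch/etc/selinux/config")" = disabled ] || ok=1
    rm -rf "$scratch"
    return $ok
}
```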
Scenario: Create a Customization Specification for Cloning the Dukes Bank
vSphere Sample Application Machines
You create a customization specification to use with your Dukes Bank machine template.
Procedure
1 Log in to the vSphere Web Client as an administrator.
2 On the home page, click Customization Specification Manager to open the wizard.
3 Click the New icon.
4 Specify properties.
a Select Linux from the Target VM Operating System drop-down menu.
b Enter Customspecs_sample in the Customization Spec Name text box.
c Enter Dukes Bank customization spec in the Description text box.
d Click Next.
5 Set computer name.
a Select Use the virtual machine name.
b Enter the domain on which you want to provision the Dukes Bank sample application in the
Domain name text box.
c Click Next.
6 Configure time zone settings.
7 Click Next.
8 Select Use standard network settings for the guest operating system, including enabling
DHCP on all network interfaces.
Fabric administrators and infrastructure architects handle network settings for provisioned machines by
creating and using network profiles in vRealize Automation.
9 Follow the prompts to enter the remaining required information.
10 On the Ready to complete page, review your selections and click Finish.
You created a template and customization specification that you can use to provision the Dukes Bank
sample application.
What to do next
1 Create an external network profile to provide a gateway and a range of IP addresses. See Create an
External Network Profile by Using A Third-Party IPAM Provider.
2 Map your external network profile to your vSphere reservation. See Create a Reservation for Hyper-V,
KVM, SCVMM, vSphere, or XenServer. The sample application cannot provision successfully without
an external network profile.
3 Import the Dukes Bank sample application into your environment. See Scenario: Importing the Dukes
Bank for vSphere Sample Application and Configuring for Your Environment.
Configuring Tenant Settings 2
Tenant administrators configure tenant settings such as user authentication, and manage user roles and
business groups. System administrators and tenant administrators configure options such as email
servers to handle notifications, and branding for the vRealize Automation console.
You can use the Configuring Tenant Settings Checklist to see a high-level overview of the sequence of
steps required to configure tenant settings.
Table 2‑1. Checklist for Configuring Tenant Settings
Task: Create local user accounts and assign a tenant administrator.
  vRealize Automation Role: System administrator
  Details: For an example of creating local user accounts, see Scenario: Create Local User Accounts for Rainpole.
Task: Configure Directories Management to set up tenant identity management and access control settings.
  vRealize Automation Role: Tenant administrator
  Details: Choosing Directories Management Configuration Options
Task: Create business groups and custom groups, and grant user access rights to the vRealize Automation console.
  vRealize Automation Role: Tenant administrator
  Details: Configuring Groups and User Roles
Task: (Optional) Create additional tenants so users can access the appropriate applications and resources they need to complete their work assignments.
  vRealize Automation Role: System administrator
  Details: Create Additional Tenants
Task: (Optional) Configure custom branding on the tenant login and application pages of the vRealize Automation console.
  vRealize Automation Role: System administrator, Tenant administrator
  Details: Configuring Custom Branding
Task: (Optional) Configure vRealize Automation to send users notifications when specific events occur.
  vRealize Automation Role: System administrator, Tenant administrator
  Details: Checklist for Configuring Notifications
Task: (Optional) Configure vRealize Orchestrator to support XaaS and other extensibility.
  vRealize Automation Role: System administrator, Tenant administrator
  Details: Configuring vRealize Orchestrator and Plug-Ins
Task: (Optional) Create a custom remote desktop protocol file that IaaS architects use in blueprints to configure RDP settings.
  vRealize Automation Role: System administrator
  Details: Create a Custom RDP File to Support RDP Connections for Provisioned Machines
Task: (Optional) Define datacenter locations that your fabric administrators and IaaS architects can leverage to allow users to select an appropriate location for provisioning when they request machines.
  vRealize Automation Role: System administrator
  Details: For an example of adding datacenter locations, see Scenario: Add Datacenter Locations for Cross Region Deployments.
This chapter includes the following topics:
- Choosing Directories Management Configuration Options
- Upgrading External Connectors for Directories Management
- Scenario: Configure an Active Directory Link for a Highly Available vRealize Automation
- Configure Smart Card Authentication for vRealize Automation
- Create a Multi Domain or Multi Forest Active Directory Link
- Configuring Groups and User Roles
- Scenario: Configure the Default Tenant for Rainpole
- Create Additional Tenants
- Delete a Tenant
- Configuring Custom Branding
- Checklist for Configuring Notifications
- Create a Custom RDP File to Support RDP Connections for Provisioned Machines
- Scenario: Add Datacenter Locations for Cross Region Deployments
- Configuring vRealize Orchestrator and Plug-Ins
Choosing Directories Management Configuration Options
You can use vRealize Automation Directories Management features to configure an Active Directory link
in accordance with your user authentication requirements.
Directories Management provides many options to support a highly customized user authentication.
Table 2‑2. Choosing Directories Management Configuration Options
Configuration Option: Configure a link to your Active Directory.
  Procedure: 1 Configure a link to your Active Directory. See Configure an Active Directory over LDAP/IWA Link.
  2 If you configured vRealize Automation for high availability, see Configure Directories Management for High Availability.
Configuration Option: (Optional) Enhance security of a user ID and password based directory link by configuring bi-directional integration with Active Directory Federated Services.
  Procedure: Configure a Bi Directional Trust Relationship Between vRealize Automation and Active Directory.
Configuration Option: (Optional) Add users and groups to an existing Active Directory link.
  Procedure: Add Users or Groups to an Active Directory Connection.
Configuration Option: (Optional) Edit the default policy to apply custom rules for an Active Directory link.
  Procedure: Manage the User Access Policy.
Configuration Option: (Optional) Configure network ranges to restrict the IP addresses through which users can log in to the system, and manage login restrictions (timeout, number of login attempts before lock-out).
  Procedure: Add or Edit a Network Range.
Directories Management Overview
Tenant administrators can configure tenant identity management and access control settings using the
Directories Management options on the vRealize Automation application console.
You can manage the following settings from the Administration > Directories Management tab.
Table 2‑3. Directories Management Settings
Setting Description
Directories The Directories page enables you to create and manage Active Directory links to support
vRealize Automation tenant user authentication and authorization. You create one or more
directories and then sync those directories with your Active Directory deployment. This page
displays the number of groups and users that are synced to the directory and the last sync time.
You can click Sync Now to manually start the directory sync.
See Using Directories Management to Create an Active Directory Link.
When you click on a directory and then click the Sync Settings button, you can edit the sync
settings, navigate the Identity Providers page, and view the sync log.
From the directories sync settings page you can schedule the sync frequency, see the list of
domains associated with this directory, change the mapped attributes list, update the user and
groups list that syncs, and set the safeguard targets.
Connectors The Connectors page lists deployed connectors for your enterprise network. A connector syncs
user and group data between Active Directory and the Directories Management service, and when
it is used as the identity provider, authenticates users to the service. Each vRealize Automation
appliance contains a connector by default. See Managing Connectors and Connector Clusters.
User Attributes The User Attributes page lists the default user attributes that sync in the directory and you can add
other attributes that you can map to Active Directory attributes. See Select Attributes to Sync with
Directory.
Network Ranges This page lists the network ranges that are configured for your system. You configure a network
range to allow users access through those IP addresses. You can add additional network ranges
and you can edit existing ranges. See Add or Edit a Network Range.
Identity Providers The Identity Providers page lists identity providers that are available on your system. vRealize
Automation systems contain a connector that serves as the default identity provider and that
suffices for many user needs. You can add third-party identity provider instances or have a
combination of both.
See Configure an Identity Provider Instance.
Policies The Policies page lists the default access policy and any other web application access policies you
created. Policies are a set of rules that specify criteria that must be met for users to access their
application portals or to launch Web applications that are enabled for them. The default policy
should be suitable for most vRealize Automation deployments, but you can edit it if needed. See
Manage the User Access Policy.
Important Concepts Related to Active Directory
Several concepts related to Active Directory are integral to understanding how Directories Management
integrates with your Active Directory environments.
Connector
The connector, a component of the service, performs the following functions.
- Syncs user and group data from your Active Directory or LDAP directory to the service.
- When used as an identity provider, authenticates users to the service.
The connector is the default identity provider. For the authentication methods the connector supports,
see VMware Identity Manager Administration. You can also use third-party identity providers that
support the SAML 2.0 protocol. Use a third-party identity provider for an authentication type the
connector does not support or for an authentication type the connector does support, if the third-party
identity provider is preferable based on your enterprise security policy.
Note If you use third-party identity providers, you can either configure the connector to sync user
and group data or configure Just-in-Time user provisioning. See the Just-in-Time User Provisioning
section in VMware Identity Manager Administration for more information.
Note Even if you use third-party identity providers, you must configure the connector to sync user
and group data.
Directory
The Directories Management service has its own concept of a directory, corresponding to the Active
Directory or LDAP directory in your environment. This directory uses attributes to define users and
groups.
- Active Directory
  - Active Directory over LDAP. Create this directory type if you plan to connect to a single Active
  Directory domain environment. For the Active Directory over LDAP directory type, the connector
  binds to Active Directory using simple bind authentication.
  - Active Directory, Integrated Windows Authentication. Create this directory type if you plan to
  connect to a multi-domain or multi-forest Active Directory environment. The connector binds to
  Active Directory using Integrated Windows Authentication.
  The type and number of directories that you create varies depending on your Active Directory
  environment, such as single domain or multi-domain, and on the type of trust used between domains.
  In most environments, you create one directory.
- LDAP Directory
The service does not have direct access to your Active Directory or LDAP directory. Only the connector
has direct access. Therefore, you associate each directory created in the service with a connector
instance.
Worker
When you associate a directory with a connector instance, the connector creates a partition for the
associated directory called a worker. A connector instance can have multiple workers associated with it.
Each worker acts as an identity provider. You define and configure authentication methods per worker.
The connector syncs user and group data between your Active Directory or LDAP directory and the
service through one or more workers.
Important You cannot have two workers of the Active Directory, Integrated Windows Authentication type
on the same connector instance.
Active Directory Environments
You can integrate the service with an Active Directory environment that consists of a single Active
Directory domain, multiple domains in a single Active Directory forest, or multiple domains across multiple
Active Directory forests.
Single Active Directory Domain Environment
A single Active Directory deployment allows you to sync users and groups from a single Active Directory
domain.
See Configure an Active Directory over LDAP/IWA Link. For this environment, when you add a directory
to the service, select the Active Directory over LDAP option.
Multi-Domain, Single Forest Active Directory Environment
A multi-domain, single forest Active Directory deployment allows you to sync users and groups from
multiple Active Directory domains within a single forest.
You can configure the service for this Active Directory environment as a single Active Directory, Integrated
Windows Authentication directory type or, alternatively, as an Active Directory over LDAP directory type
configured with the global catalog option.
- The recommended option is to create a single Active Directory, Integrated Windows Authentication
directory type. See Configure an Active Directory over LDAP/IWA Link. When you add a directory for this
environment, select the Active Directory (Integrated Windows Authentication) option.
Multi-Forest Active Directory Environment with Trust Relationships
A multi-forest Active Directory deployment with trust relationships allows you to sync users and groups
from multiple Active Directory domains across forests where two-way trust exists between the domains.
See Configure an Active Directory over LDAP/IWA Link. When you add a directory for this environment,
select the Active Directory (Integrated Windows Authentication) option.
Multi-Forest Active Directory Environment Without Trust Relationships
A multi-forest Active Directory deployment without trust relationships allows you to sync users and groups
from multiple Active Directory domains across forests without a trust relationship between the domains. In
this environment, you create multiple directories in the service, one directory for each forest.
See Configure an Active Directory over LDAP/IWA Link. The type of directories you create in the service
depends on the forest. For forests with multiple domains, select the Active Directory (Integrated Windows
Authentication) option. For a forest with a single domain, select the Active Directory over LDAP option.
Using Directories Management to Create an Active Directory Link
After you create vRealize Automation tenants, you must log in to the system console as a tenant
administrator and create an Active Directory link to support user authentication.
There are three Active Directory communication protocol options when configuring an Active Directory
connection using Directories Management.
- Active Directory over LDAP - An Active Directory over LDAP protocol supports DNS Service Location
lookup by default.
- Active Directory (Integrated Windows Authentication) - With Active Directory (Integrated Windows
Authentication), you configure the domain to join. Active Directory over LDAP is appropriate for single
domain deployments. Use Active Directory (Integrated Windows Authentication) for all multi-domain
and multi-forest deployments.
- OpenLDAP - You can use the open source version of LDAP to support Directories Management user
authentication.
After you select a communication protocol and configure an Active Directory link, you can specify the
domains to use with the Active Directory configuration and then select the users and groups to sync with
the specified configuration.
Configure an Active Directory over LDAP/IWA Link
Use the Directories Management feature to configure an Active Directory over LDAP/IWA link that
supports user authentication for all tenants, and select the users and groups to sync with the
Directories Management directory.
For information and instructions about using OpenLDAP with Directories Management, see Configure an
OpenLDAP Directory Connection.
Prerequisites
- Connector installed and the activation code activated.
- Select the required default attributes and add additional attributes on the User Attributes page. See
Select Attributes to Sync with Directory.
- List of the Active Directory groups and users to sync from Active Directory.
- For Active Directory over LDAP, information required includes the Base DN, Bind DN, and Bind DN
password.
- For Active Directory Integrated Windows Authentication, required information includes the domain's
Bind user UPN address and password.
- If Active Directory is accessed over SSL, a copy of the SSL certificate is required.
- For Active Directory (Integrated Windows Authentication), when you have multi-forest Active Directory
configured and the Domain Local group contains members from domains in different forests, make
sure that the Bind user is added to the Administrators group of the domain in which the Domain Local
group resides. If you fail to do this, these members will be missing from the Domain Local group.
- Log in to the vRealize Automation console as a tenant administrator.
Procedure
1 Select Administration > Directories Management > Directories.
2 Click Add Directory and select Add Active Directory over LDAP/IWA.
3 On the Add Directory page, specify the IP address for the Active Directory server in the Directory
Name text box.
4 Select the appropriate Active Directory communication protocol using the radio buttons under the
Directory Name text box.
Option Description
Windows Authentication Select Active Directory (Integrated Windows Authentication).
LDAP Select Active Directory over LDAP.
5 Configure the connector that synchronizes users from the Active Directory to the VMware
Directories Management directory in the Directory Sync and Authentication section.
Option Description
Sync Connector Select the appropriate connector to use for your system. Each
vRealize Automation appliance contains a default connector. Consult your system
administrator if you need help in choosing the appropriate connector.
Authentication Click the appropriate radio button to indicate whether the selected connector also
performs authentication.
Directory Search Attribute Select the appropriate account attribute that contains the user name. VMware
recommends using the sAMAccountName attribute rather than userPrincipalName. If
you use userPrincipalName for sync operations, integration with second- and third-
party software that requires a user name may not function correctly.
Note If you select sAMAccountName when using a global catalog, indicated by
selecting the This Directory has a Global Catalog check box in the Server
Location area, users will be unable to log in.
6 Enter the appropriate information in the Server Location text boxes if you selected Active Directory over
LDAP, or in the Join Domain Details text boxes if you selected Active Directory (Integrated Windows
Authentication).
Option Description
Server Location - Displayed when Active Directory over LDAP is selected
  - If you want to use DNS Service Location to locate Active Directory domains, leave the This Directory
  supports DNS Service Location check box selected.
  - If the specified Active Directory does not use DNS Service Location lookup, deselect the check box
  beside This Directory supports DNS Service Location in the Server Location fields and enter the
  Active Directory server host name and port number in the appropriate text boxes. Select the This
  Directory has a Global Catalog check box if the associated Active Directory uses a global catalog. A
  global catalog contains a representation of all objects in every domain in a multi-domain Active
  Directory forest.
  - If Active Directory requires access over SSL, select the This Directory requires all connections to
  use SSL check box under the Certificates heading and provide the Active Directory SSL certificate.
Join Domain Details - Displayed when Active Directory (Integrated Windows Authentication) is selected
  Enter the appropriate credentials in the Domain Name, Domain Admin User Name, and Domain Admin
  Password text boxes.
7 In the Bind User Details section, enter the appropriate credentials to facilitate directory
synchronization.
For Active Directory over LDAP:
Option Description
Base DN Enter the search base distinguished name. For example,
cn=users,dc=corp,dc=local.
Bind DN Enter the bind distinguished name. For example,
cn=fritz infra,cn=users,dc=corp,dc=local.
For Active Directory (Integrated Windows Authentication):
Option Description
Bind User UPN Enter the User Principal Name of the user who can authenticate with the domain.
For example, UserName@example.com.
Bind DN Password Enter the Bind User password.
8 Click Test Connection to test the connection to the configured directory.
This button does not appear if you selected Active Directory (Integrated Windows Authentication).
9 Click Save & Next.
The Select the Domains page appears with the list of domains.
10 Review and update the domains listed for the Active Directory connection.
n
For Active Directory (Integrated Windows Authentication), select the domains that should be
associated with this Active Directory connection.
n
For Active Directory over LDAP, the available domain is listed with a checkmark.
Note If you add a trusting domain after the directory is created, the service does not
automatically detect the newly trusting domain. To enable the service to detect the domain, the
connector must leave and then rejoin the domain. When the connector rejoins the domain, the
trusting domain appears in the list.
11 Click Next.
12 Verify that the Directories Management directory attribute names are mapped to the correct Active
Directory attributes.
If the directory attribute names are not mapped correctly, select the correct Active Directory attribute
from the drop-down menu.
13 Click Next.
14 Click to select the groups you want to sync from Active Directory to the directory.
When you add a group from Active Directory, if members of that group are not in the Users list, they
are added. When you sync a group, any users that lack Domain Users as their primary group in
Active Directory are not synced.
Note The Directories Management user authentication system imports data from Active Directory
when adding groups and users, and the speed of the system is limited by Active Directory
capabilities. As a result, import operations may require a significant amount of time depending on the
number of groups and users being added. To minimize the potential for delays or problems, limit the
number of groups and users to only those required for vRealize Automation operation.
If your system performance degrades or if errors occur, close any unneeded applications and ensure
that your system has appropriate memory allocated to Directories Management. If problems persist,
increase the Directories Management memory allocation as needed. For systems with large numbers
of users and groups, you may need to increase the Directories Management memory allocation to as
much as 24 GB.
15 Click Next.
16 Click + to add additional users. For example, enter
CN=username,CN=Users,OU=myUnit,DC=myCorp,DC=com.
To exclude users, click to create a filter to exclude some types of users. You select the user
attribute to filter by, the query rule, and the value.
17 Click Next.
18 Review the page to see how many users and groups are syncing to the directory.
If you want to make changes to users and groups, click the Edit links.
Note Ensure that you specify user DNs that are under the Base DN specified previously. If the user
DN is outside of the Base DN, users from that DN are synced but will be unable to log in.
19 Click Push to Workspace to start the synchronization to the directory.
The connection to the Active Directory is complete and the selected users and groups are added to the
directory. You can now assign user and groups to the appropriate vRealize Automation roles by selecting
Administration > Users and Groups > Directory Users and Groups. See Assign Roles to Directory
Users or Groups for more information.
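The note in step 18 is easy to violate in practice: a user DN that lies outside the Base DN is synced but cannot log in, and comparing DN strings by eye misses cases where only attribute-type case, spacing after commas, or an escaped comma differ. The following Python script is an added example, not part of the vRealize Automation documentation or the product. It parses DNs into their RDN components, normalizes them, and reports every candidate user DN that does not sit under the Base DN. The Base DN and Bind DN are the examples from the page; the candidate user DNs are constructed for the example, and the normalization assumes the attributes involved (cn, ou, dc) use case-insensitive matching rules, as their standard schema definitions do.

```python
"""Pre-sync check: is every user DN under the configured Base DN?

Added example, not from the vRealize Automation documentation. It assumes
the RDN attributes in play (cn, ou, dc) use case-insensitive matching, which
is true for the standard schema definitions of those attributes.
"""


def _split_unescaped(text: str, sep: str) -> list:
    """Split text on sep, ignoring occurrences escaped with a backslash."""
    parts, current, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            current.append(text[i:i + 2])   # keep the escape pair intact
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(text[i])
        i += 1
    parts.append("".join(current))
    return parts


def _normalize_value(value: str) -> str:
    """Fold case and collapse insignificant whitespace in an attribute value."""
    return " ".join(value.split()).lower()


def parse_dn(dn: str) -> list:
    """Parse a DN string into a list of RDNs, leftmost (leaf) first.

    Each RDN is a tuple of (attribute_type, value) pairs, sorted so that a
    multi-valued RDN such as "cn=a+sn=b" compares equal regardless of order.
    Raises ValueError on an empty RDN or an RDN with no '='.
    """
    rdns = []
    for rdn in _split_unescaped(dn, ","):
        rdn = rdn.strip()
        if not rdn:
            raise ValueError(f"empty RDN in DN {dn!r}")
        avas = []
        for ava in _split_unescaped(rdn, "+"):
            attr_type, sep, value = ava.partition("=")
            if not sep or not attr_type.strip():
                raise ValueError(f"malformed RDN {rdn!r} in DN {dn!r}")
            avas.append((attr_type.strip().lower(), _normalize_value(value)))
        rdns.append(tuple(sorted(avas)))
    return rdns


def is_under(dn: str, base_dn: str) -> bool:
    """True if dn lies strictly below base_dn in the directory tree."""
    entry, base = parse_dn(dn), parse_dn(base_dn)
    return len(entry) > len(base) and entry[-len(base):] == base


def dns_outside_base(base_dn: str, user_dns: list) -> list:
    """Return the user DNs that would sync but be unable to log in."""
    return [dn for dn in user_dns if not is_under(dn, base_dn)]


# Base DN and Bind DN as shown in the procedure; the candidate DNs are constructed.
BASE_DN = "cn=users,dc=corp,dc=local"
BIND_DN = "cn=fritz infra,cn=users,dc=corp,dc=local"
CANDIDATE_USER_DNS = [
    "CN=Alice Example, CN=Users, DC=corp, DC=local",    # case and spacing differ: still under base
    "cn=Bob\\, Builder,cn=users,dc=corp,dc=local",      # escaped comma inside the CN value
    "CN=contractor01,OU=Contractors,DC=corp,DC=local",  # outside the base: syncs, cannot log in
    "cn=users,dc=corp,dc=local",                        # the base entry itself is not below the base
]

if __name__ == "__main__":
    print("bind DN under base:", is_under(BIND_DN, BASE_DN))
    for dn in dns_outside_base(BASE_DN, CANDIDATE_USER_DNS):
        print("outside Base DN:", dn)
```

Run it against the list of user DNs you intend to add in step 16 before you click Push to Workspace; any DN it reports should either be moved under the Base DN or the Base DN widened.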
What to do next
- If your vRealize Automation environment is configured for high availability, you must specifically configure
Directories Management for high availability. See Configure Directories Management for High Availability.
- Set up authentication methods. After users and groups sync to the directory, if the connector is also
used for authentication, you can set up additional authentication methods on the connector. If a third
party is the authentication identity provider, configure that identity provider in the connector.
- Review the default access policy. The default access policy allows access from any device in any
network range; Web browser sessions time out after eight hours and client app sessions after 2160 hours
(90 days). You can change the default access policy, and when you add Web applications to the catalog,
you can create new policies.
- Apply custom branding to the administration console, user portal pages, and the sign-in screen.
Configure an OpenLDAP Directory Connection
You can configure an OpenLDAP directory connection with Directories Management.
Although many directory servers implement the LDAP protocol, OpenLDAP is the only LDAP server that is
tested and approved for use with vRealize Automation Directories Management.
To integrate your LDAP directory, you create a corresponding Directories Management directory and sync
users and groups from your LDAP directory to the Directories Management directory. You can set up a
regular sync schedule for subsequent updates.
You also select the LDAP attributes that you want to sync for users and map them to
Directories Management attributes.
Your LDAP directory configuration may be based on default schemas or you may have created custom
schemas. You may also have defined custom attributes. For Directories Management to be able to query
your LDAP directory to obtain user or group objects, you need to provide the LDAP search filters and
attribute names that are applicable to your LDAP directory.
Specifically, you need to provide the following information.
- LDAP search filters for obtaining groups, users, and the bind user
- LDAP attribute names for group membership, UUID, and distinguished name
Prerequisites
- Review the configuration on the User Attributes page and add any other attributes that you want to
sync. You will map the Directories Management attributes to your LDAP directory attributes when you
create the directory. These attributes will be synced for the users in the directory.
Note When you make changes to user attributes, consider the effect on other directories in the
service. If you plan to add both Active Directory and LDAP directories, ensure that you do not mark
any attributes as required except for userName. The settings on the User Attributes page apply to all
directories in the service. If an attribute is marked required, users without that attribute are not synced
to the Directories Management service.
- A Bind DN user account. Using a Bind DN user account with a non-expiring password is
recommended. Because the password does not expire, treat the account as a service account: grant it
read access to the Base DN only, and rotate its password according to your own policy.
- In your LDAP directory, the UUID of users and groups must be in plain text format.
- In your LDAP directory, a domain attribute must exist for all users and groups.
You map this attribute to the Directories Management domain attribute when you create the
Directories Management directory.
- User names must not contain spaces. If a user name contains a space, the user is synced but
entitlements are not available to the user.
- If you use certificate authentication, users must have values for userPrincipalName and email
address attributes.
Procedure
1 Select Administration > Directories Management > Directories.
2 Click Add Directory and select Add LDAP Directory.
3 Enter the required information in the Add LDAP Directory page.
Option Description
Directory Name Enter a name for the Directories Management directory.
Directory Sync and Authentication a In the Sync Connector field, select the connector you want to use to sync
users and groups from your LDAP directory to the Directories Management
directory.
A connector component is always available with the Directories Management
service by default. This connector appears in the drop-down list. If you install
multiple Directories Management appliances for high availability, the
connector component of each appears in the list.
You do not need a separate connector for an LDAP directory. A connector
can support multiple directories, regardless of whether they are Active
Directory or LDAP directories.
b In the Authentication field, if you want to use this LDAP directory to
authenticate users, select Yes.
If you want to use a third-party identity provider to authenticate users, select
No. After you add the directory connection to sync users and groups, go to
the Administration > Directories Management > Identity Providers page
to add the third-party identity provider for authentication.
c For most configurations, leave the Custom default selected in the Directory
Search Attribute text box. In the Custom Directory Search Attribute field,
specify the LDAP directory attribute to be used for user and group names.
This attribute uniquely identifies entities, such as users and groups, from the
LDAP server. For example, cn.
Server Location Enter the LDAP Directory server host and port number. For the server host, you
can specify either the fully-qualified domain name or the IP address. For example,
myLDAPserver.example.com or 100.00.00.0.
If you have a cluster of servers behind a load balancer, enter the load balancer
information instead.
Option Description
LDAP Configuration Specify the LDAP search filters and attributes that Directories Management can
use to query your LDAP directory. Default values are provided based on the core
LDAP schema. Adjust them to the object classes your server actually uses: an
OpenLDAP server built on the core and inetOrgPerson schemas typically stores
groups as groupOfNames and users as inetOrgPerson, and has no objectCategory
attribute, so the example filters below would return nothing there.
Filter Queries
- Groups: The search filter for obtaining group objects.
For example: (objectClass=group)
- Bind user: The search filter for obtaining the bind user object, that is, the
user that can bind to the directory.
For example: (objectClass=person)
- Users: The search filter for obtaining users to sync.
For example: (&(objectClass=user)(objectCategory=person))
Attributes
- Membership: The attribute that is used in your LDAP directory to define the
members of a group.
For example: member
- Object UUID: The attribute that is used in your LDAP directory to define the
UUID of a user or group.
For example: entryUUID
- Distinguished Name: The attribute that is used in your LDAP directory for
the distinguished name of a user or group.
For example: entryDN
Certificates If your LDAP directory requires access over SSL, select the This Directory
requires all connections to use SSL check box. Then copy and paste the LDAP
directory server's root CA SSL certificate into the SSL Certificate text box.
Ensure the certificate is in PEM format and includes the "BEGIN CERTIFICATE"
and "END CERTIFICATE" lines.
Finally, ensure that the correct port number is specified in the Server Port field in
the Server Location section of the page. LDAP over SSL (LDAPS) normally uses port
636 rather than the plain LDAP port 389.
Bind User Details Base DN: Enter the DN from which to start searches. For example,
cn=users,dc=example,dc=com
All applicable users must reside under the Base DN. If a particular user is not
located under the Base DN, that user will be unable to log in even if that user is a
member of a group that is under the Base DN.
Bind DN: Enter the DN to use to bind to the LDAP directory. You can also enter
user names, but a DN is more appropriate for most deployments.
Note Using a Bind DN user account with a non-expiring password is
recommended.
Bind DN Password: Enter the password for the Bind DN user.
4 To test the connection to the LDAP directory server, click Test Connection.
If the connection is not successful, check the information you entered and make the appropriate
changes.
5 Click Save & Next.
6 Verify the correct domain is selected on the Select the Domains page, and then click Next.
7 In the Map Attributes page, verify that the Directories Management attributes are mapped to the
correct LDAP attributes.
These attributes will be synced for users.
Important You must specify a mapping for the domain attribute.
You can add attributes to the list from the User Attributes page.
8 Click Next.
9 Click + to select the groups you want to sync from the LDAP directory to the Directories Management
directory on Select the groups (users) you want to sync page.
If you have multiple groups with the same name in your LDAP directory, you must specify unique
names for them in the groups page.
When you add a group, members of that group who are not already in the Users list are added. For
Active Directory directories, any users that lack Domain Users as their primary group in Active
Directory are not synced.
The Sync nested group members option is enabled by default. When this option is enabled, all the
users that belong directly to the group you select as well as all the users that belong to nested groups
under it are synced. Note that the nested groups are not synced; only the users that belong to the
nested groups are synced. In the Directories Management directory, these users will appear as
members of the top-level group that you selected for sync. In effect, the hierarchy under a selected
group is flattened and users from all levels appear in Directories Management as members of the
selected group.
If this option is disabled, when you specify a group to sync, all the users that belong directly to that
group are synced. Users that belong to nested groups under it are not synced. Disabling this option is
useful for large directory configurations where traversing a group tree is resource and time intensive.
If you disable this option, ensure that you select all the groups whose users you want to sync.
Note The Directories Management user authentication system imports data from the LDAP directory
when adding groups and users, and the speed of the system is limited by the LDAP server's
capabilities. As a result, import operations may require a significant amount of time depending on the
number of groups and users being added. To minimize the potential for delays or problems, limit the
number of groups and users to only those required for vRealize Automation operation.
If your system performance degrades or if errors occur, close any unneeded applications and ensure
that your system has appropriate memory allocated to Directories Management. If problems persist,
increase the Directories Management memory allocation as needed. For systems with large numbers
of users and groups, you may need to increase the Directories Management memory allocation to as
much as 24 GB.
10 Click Next.
11 Click + to add additional users. For example, enter
CN=username,CN=Users,OU=myUnit,DC=myCorp,DC=com.
You can add organizational units as well as individual users here.
You can create a filter to exclude some types of users. Select the user attribute to filter by, the query
rule, and the value.
12 Click Next.
13 Review the page to see how many users and groups will sync to the directory and to view the default
sync schedule.
To make changes to users and groups, or to the sync frequency, click the Edit links.
14 Click Sync Directory to start the directory sync.
The connection to the LDAP directory is established and users and groups are synced from the LDAP
directory to the Directories Management directory.
You can now assign user and groups to the appropriate vRealize Automation roles by selecting
Administration > Users and Groups > Directory Users and Groups. See Assign Roles to Directory
Users or Groups for more information.
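The Sync nested group members option in step 9 decides which users actually land in the directory, and it is the part of the procedure most often misjudged when a group tree contains a cycle or when the option is turned off for a large directory. The following Python script is an added example, not part of the vRealize Automation documentation or the product's own sync code. It models each group's member attribute as a dictionary of constructed sample data (including a deliberate cycle between two groups) and computes which users would be attached to each selected group with the option enabled (hierarchy flattened, nested groups not created as groups) and disabled (direct user members only), exactly as the text describes that behaviour.

```python
"""Model of the "Sync nested group members" option.

Added example, not product code. GROUPS is constructed sample data: each key
is a group DN and each value is that group's "member" attribute. Any member
DN that is not itself a group key is treated as a user.
"""

GROUPS = {
    "cn=vra-admins,ou=groups,dc=example,dc=com": [
        "uid=alice,ou=people,dc=example,dc=com",
        "cn=cloud-ops,ou=groups,dc=example,dc=com",
    ],
    "cn=cloud-ops,ou=groups,dc=example,dc=com": [
        "uid=bob,ou=people,dc=example,dc=com",
        "cn=oncall,ou=groups,dc=example,dc=com",
    ],
    # Deliberate cycle: oncall lists cloud-ops, which lists oncall.
    "cn=oncall,ou=groups,dc=example,dc=com": [
        "uid=carol,ou=people,dc=example,dc=com",
        "cn=cloud-ops,ou=groups,dc=example,dc=com",
    ],
}


def _flatten(group_dn: str, groups: dict) -> set:
    """Collect users from group_dn and every group nested below it.

    A visited set makes the walk terminate even when groups reference each
    other in a cycle. DNs are compared as exact strings, so the sample data
    must spell them consistently.
    """
    users, seen, stack = set(), set(), [group_dn]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        for member in groups.get(current, []):
            if member in groups:
                stack.append(member)   # nested group: descend, never sync it as a group
            else:
                users.add(member)
    return users


def synced_members(selected_groups: list, groups: dict, nested: bool = True) -> dict:
    """Return {selected group DN: sorted user DNs the sync would attach to it}.

    nested=True mirrors the option enabled: the hierarchy is flattened and
    users from all levels appear as members of the selected group, while the
    nested groups themselves do not appear. nested=False mirrors the option
    disabled: only direct user members are synced, so any group whose users
    you want must itself be selected.
    """
    result = {}
    for group_dn in selected_groups:
        if group_dn not in groups:
            raise ValueError(f"selected group not found in directory: {group_dn}")
        if nested:
            users = _flatten(group_dn, groups)
        else:
            users = {m for m in groups[group_dn] if m not in groups}
        result[group_dn] = sorted(users)
    return result


if __name__ == "__main__":
    admins = "cn=vra-admins,ou=groups,dc=example,dc=com"
    for nested in (True, False):
        print(f"nested={nested}:", synced_members([admins], GROUPS, nested=nested))
```

With the option enabled, selecting only vra-admins yields alice, bob and carol as members of vra-admins and no cloud-ops or oncall group in the directory; with it disabled, the same selection yields only alice, and cloud-ops must be selected separately to bring in bob. Compare the counts you get this way with the numbers shown on the review page in step 13 before you click Sync Directory.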
Limitations of LDAP Directory Integration
There are several important limitations related to LDAP Directory integration in Directories Management.
- You can only integrate a single-domain LDAP directory environment.
To integrate multiple domains from an LDAP directory, you need to create additional
Directories Management directories, one for each domain.
- The following authentication methods are not supported for Directories Management directories of
type LDAP directory.
  - Kerberos authentication
  - RSA Adaptive Authentication
  - ADFS as a third-party identity provider
  - SecurID
  - RADIUS authentication with Vasco and SMS Passcode server
- You cannot join an LDAP domain.
- Integration with View or Citrix-published resources is not supported for Directories Management
directories of type LDAP directory.
- User names must not contain spaces. If a user name contains a space, the user is synced but
entitlements are not available to the user.