Configuring vRealize Automation
vRealize Automation 7.2
You can find the most up-to-date technical documentation on the VMware website at:
https://docs.vmware.com/
If you have comments about this documentation, submit your feedback to
docfeedback@vmware.com
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
Copyright © 2015–2017 VMware, Inc. All rights reserved. Copyright and trademark information.
Contents
Configuring vRealize Automation
Updated Information
1 External Preparations for Provisioning
  Preparing Your Environment for vRealize Automation Management
  Checklist for Preparing NSX Network and Security Configuration
  Checklist for Preparing For Third-Party IPAM Provider Support
  Checklist for Configuring Containers for vRealize Automation
  Preparing Your vCloud Director Environment for vRealize Automation
  Preparing Your vCloud Air Environment for vRealize Automation
  Preparing Your Amazon AWS Environment
  Preparing Red Hat OpenStack Network and Security Features
  Preparing Your SCVMM Environment
  Preparing for Machine Provisioning
  Choosing a Machine Provisioning Method to Prepare
  Checklist for Running Visual Basic Scripts During Provisioning
  Using vRealize Automation Guest Agent in Provisioning
  Checklist for Preparing to Provision by Cloning
  Preparing for vCloud Air and vCloud Director Provisioning
  Preparing for Linux Kickstart Provisioning
  Preparing for SCCM Provisioning
  Preparing for WIM Provisioning
  Preparing for Virtual Machine Image Provisioning
  Preparing for Amazon Machine Image Provisioning
  Scenario: Prepare vSphere Resources for Machine Provisioning in Rainpole
  Preparing for Software Provisioning
  Preparing to Provision Machines with Software
  Scenario: Prepare a vSphere CentOS Template for Clone Machine and Software Component Blueprints
  Scenario: Prepare for Importing the Dukes Bank for vSphere Sample Application Blueprint
2 Configuring Tenant Settings
  Choosing Directories Management Configuration Options
  Directories Management Overview
  Using Directories Management to Create an Active Directory Link
  Managing User Attributes that Sync from Active Directory
  Managing Connectors and Connector Clusters
  Join a Connector Machine to a Domain
  About Domain Controller Selection
  Managing Access Policies
  Integrating Alternative User Authentication Products with Directories Management
  Upgrading External Connectors for Directories Management
  Preparing to Upgrade an External Connector
  Upgrade an External Connector Online
  Upgrade an External Connector Offline
  Configuring Settings After Upgrading an External Connector
  Troubleshooting External Connector Upgrade Errors
  Scenario: Configure an Active Directory Link for a Highly Available vRealize Automation
  Configure Smart Card Authentication for vRealize Automation
  Generate a Connector Activation Token
  Deploy the Connector OVA File
  Configure Connector Settings
  Apply Public Certificate Authority
  Create a Workspace Identity Provider
  Configure Certificate Authentication and Configure Default Access Policy Rules
  Create a Multi Domain or Multi Forest Active Directory Link
  Configuring Groups and User Roles
  Assign Roles to Directory Users or Groups
  Create a Custom Group
  Create a Business Group
  Troubleshooting Slow Performance When Displaying Group Members
  Scenario: Configure the Default Tenant for Rainpole
  Scenario: Create Local User Accounts for Rainpole
  Scenario: Connect Your Corporate Active Directory to vRealize Automation for Rainpole
  Scenario: Configure Branding for the Default Tenant for Rainpole
  Scenario: Create a Custom Group for Your Rainpole Architects
  Scenario: Assign IaaS Administrator Privileges to Your Custom Group of Rainpole Architects
  Create Additional Tenants
  Specify Tenant Information
  Configure Local Users
  Appoint Administrators
  Delete a Tenant
  Configuring Custom Branding
  Custom Branding for Tenant Login Page
  Custom Branding for Tenant Applications
  Checklist for Configuring Notifications
  Configuring Global Email Servers for Notifications
  Add a Tenant-Specific Outbound Email Server
  Add a Tenant-Specific Inbound Email Server
  Override a System Default Outbound Email Server
  Override a System Default Inbound Email Server
  Revert to System Default Email Servers
  Configure Notifications
  Customize the Date for Email Notification for Machine Expiration
  Configuring Templates for Automatic IaaS Emails
  Subscribe to Notifications
  Create a Custom RDP File to Support RDP Connections for Provisioned Machines
  Scenario: Add Datacenter Locations for Cross Region Deployments
  Configuring vRealize Orchestrator and Plug-Ins
  Configure the Default Workflow Folder for a Tenant
  Configure an External vRealize Orchestrator Server
  Log in to the vRealize Orchestrator Configuration Interface
  Log in to the vRealize Orchestrator Client
3 Configuring Resources
  Checklist for Configuring IaaS Resources
  Store User Credentials
  Choosing an Endpoint Scenario
  Create a Fabric Group
  Configure Machine Prefixes
  Managing Key Pairs
  Creating a Network Profile
  Configuring Reservations and Reservation Policies
  Scenario: Configure IaaS Resources for Rainpole
  Scenario: Apply a Location to a Compute Resource for Cross Region Deployments
  Checklist for Provisioning a vRealize Automation Deployment Using an External IPAM Provider
  Configuring XaaS Resources
  Configure the Active Directory Plug-In as an Endpoint
  Configure the HTTP-REST Plug-In as an Endpoint
  Configure the PowerShell Plug-In as an Endpoint
  Configure the SOAP Plug-In as an Endpoint
  Configure the vCenter Server Plug-In as an Endpoint
  Create a Microsoft Azure Endpoint
  Creating and Configuring Containers
  View and Manage Container Hosts
  Using Container Deployment Placements
  Using Container Placement Zones
  Configuring Container Settings
  Configuring and Using Templates and Images in Containers
  Using Container Registries
  Configuring Network Resources for Containers
  Installing Additional Plug-Ins on the Default vRealize Orchestrator Server
  Working With Active Directory Policies
  Create and Apply Active Directory Policies
4 Providing On-Demand Services to Users
  Designing Blueprints
  Exporting and Importing Blueprints
  Scenario: Importing the Dukes Bank for vSphere Sample Application and Configuring for Your Environment
  Scenario: Test the Dukes Bank Sample Application
  Building Your Design Library
  Designing Machine Blueprints
  Designing Software Components
  Designing XaaS Blueprints and Resource Actions
  Publishing a Blueprint
  Assembling Composite Blueprints
  Understanding Nested Blueprint Behavior
  Selecting a Machine Component that Supports Software Components
  Creating Property Bindings Between Blueprint Components
  Creating Explicit Dependencies and Controlling the Order of Provisioning
  Scenario: Assemble and Test a Blueprint to Deliver MySQL on Rainpole Linked Clone Machines
  Managing the Service Catalog
  Checklist for Configuring the Service Catalog
  Creating a Service
  Working with Catalog Items and Actions
  Creating Entitlements
  Working with Approval Policies
  Scenario: Configure the Catalog for Rainpole Architects to Test Blueprints
  Scenario: Test Your Rainpole CentOS Machine
  Scenario: Make the CentOS with MySQL Application Blueprint Available in the Service Catalog
  Scenario: Create and Apply CentOS with MySQL Approval Policies
Configuring vRealize Automation
Configuring vRealize Automation provides information about configuring vRealize Automation and your
external environments to prepare for vRealize Automation provisioning and catalog management.
For information about supported integrations, see https://www.vmware.com/pdf/vrealize-automation-72-support-matrix.pdf.
Intended Audience
This information is intended for IT professionals who are responsible for configuring the vRealize Automation
environment, and for infrastructure administrators who are responsible for preparing elements in their
existing infrastructure for use in vRealize Automation provisioning. The information is written for
experienced Windows and Linux system administrators who are familiar with virtual machine technology
and datacenter operations.
VMware Technical Publications Glossary
VMware Technical Publications provides a glossary of terms that might be unfamiliar to you. For
definitions of terms as they are used in VMware technical documentation, go to
http://www.vmware.com/support/pubs.
Updated Information
This Configuring vRealize Automation is updated with each release of the product or when necessary.
This table provides the update history of the Configuring vRealize Automation.
Revision Description
EN-002290-05
EN-002290-04
EN-002290-03
EN-002290-02
• Updated Managing Connectors and Connector Clusters.
• Updated Configure Connector Settings.
• Updated Create a Microsoft Azure Endpoint.
• Updated Create a Blueprint for Microsoft Azure.
• Updated Configure an OpenLDAP Directory Connection.
• Updated Configure an Identity Provider Instance.
• Updated Prepare a Windows Reference Machine to Support Software.
• Updated Understanding Nested Blueprint Behavior.
• Updated Create a Microsoft Azure Endpoint.
• Updated Create a Blueprint for Microsoft Azure.
• Updated Prepare a Windows Reference Machine to Support Software.
• Updated Prepare a Linux Reference Machine to Support Software.
• Updated Preparing for Software Provisioning.
• Updated Designing Software Components.
EN-002290-01 Updated Specify External Network Profile Information By Using the Supplied IPAM Endpoint.
EN-002290-00 Initial release.
1 External Preparations for Provisioning
You may need to create or prepare some elements outside of vRealize Automation to support catalog
item provisioning. For example, if you want to provide a catalog item for provisioning a clone machine,
you need to create a template on your hypervisor to clone from.
This chapter includes the following topics:
• Preparing Your Environment for vRealize Automation Management
• Preparing for Machine Provisioning
• Preparing for Software Provisioning
Preparing Your Environment for vRealize Automation Management
Depending on your integration platform, you might have to make some configuration changes before you
can bring your environment under vRealize Automation management, or before you can leverage certain
features.
Table 1‑1. Preparing Your Environment for vRealize Automation Integration
Environment | Preparations
NSX | If you want to leverage NSX to manage networking and security features of machines provisioned with vRealize Automation, prepare your NSX instance for integration. See Checklist for Preparing NSX Network and Security Configuration.
vCloud Director | Install and configure your vCloud Director instance, set up your vSphere and cloud resources, and identify or create appropriate credentials to provide vRealize Automation with access to your vCloud Director environment. See Preparing Your vCloud Director Environment for vRealize Automation.
vCloud Air | Register for your vCloud Air account, set up your vCloud Air environment, and identify or create appropriate credentials to provide vRealize Automation with access to your environment. See Preparing for vCloud Air and vCloud Director Provisioning.
Amazon AWS | Prepare elements and user roles in your Amazon AWS environment for use in vRealize Automation, and understand how Amazon AWS features map to vRealize Automation features. See Preparing Your Amazon AWS Environment.
Red Hat OpenStack | If you want to leverage Red Hat OpenStack to manage networking and security features of machines provisioned with vRealize Automation, prepare your Red Hat OpenStack instance for integration. See Preparing Red Hat OpenStack Network and Security Features.
SCVMM | Configure storage, networking, and understand template and hardware profile naming restrictions. See Preparing Your SCVMM Environment.
External IPAM Providers | Register an external IPAM provider package or plug-in, run the configuration workflows, and register the IPAM solution as a new vRealize Automation endpoint. See Checklist for Preparing For Third-Party IPAM Provider Support.
All other environments | You do not need to make changes to your environment. You can begin preparing for machine provisioning by creating templates, boot environments, or machine images. See Preparing for Machine Provisioning.
Checklist for Preparing NSX Network and Security Configuration
Before you can use NSX network and security options in vRealize Automation, you must configure the
external NSX network and security environment that you intend to use.
Much of the vRealize Automation support for network and security configuration that you specify in
blueprints and reservations is configured externally and made available to vRealize Automation after data
collection is run on the compute resources.
For more information about NSX settings that you can configure for vRealize Automation blueprints, see
Configuring Network and Security Component Settings.
Table 1‑2. Preparing NSX Networking and Security Checklist
Task | Location | Details
Install and configure the NSX plug-in. | Install the NSX plug-in in vRealize Orchestrator. | See Install the NSX Plug-In on vRealize Orchestrator and the NSX Administration Guide.
Configure NSX network settings, including gateway and transport zone settings. | Configure network settings in NSX. | See the NSX Administration Guide.
Create NSX security policies, tags, and groups. | Configure security settings in NSX. | See the NSX Administration Guide.
Configure NSX load balancer settings. | Configure an NSX load balancer to work with vRealize Automation. | See the NSX Administration Guide. Also see Custom Properties for Networking in Custom Properties Reference.
For cross-virtual center deployments, verify that the compute NSX manager has the primary NSX manager role. | vRealize Automation provisioning requires that the compute NSX manager for the region in which the machines reside has the primary NSX manager role. | See Administrator Requirements for Provisioning NSX Universal Objects. See the NSX Installation Guide and NSX Administration Guide for information about cross-virtual center deployment, universal objects, and the primary NSX manager role.
Install the NSX Plug-In on vRealize Orchestrator
Installing the NSX plug-in requires that you download the vRealize Orchestrator installer file, use the
vRealize Orchestrator Configuration interface to upload the plug-in file, and install the plug-in on a
vRealize Orchestrator server.
Note: If you are using an embedded vRealize Orchestrator that contains an installed NSX plug-in, you do
not need to perform the following plug-in installation steps because the NSX plug-in is already installed.
For general plug-in update and troubleshooting information, see vRealize Orchestrator documentation at
https://www.vmware.com/support/pubs/orchestrator_pubs.html.
Prerequisites
• Verify that you are running a supported vRealize Orchestrator instance.
  For information about setting up vRealize Orchestrator, see Installing and Configuring VMware vRealize Orchestrator.
• Verify that you have credentials for an account with permission to install vRealize Orchestrator plug-ins and to authenticate through vCenter Single Sign-On.
• Verify that you installed the correct version of the NSX plug-in. See vRealize Automation Support Matrix.
• Verify that you installed the vRealize Orchestrator client and that you can log in with Administrator credentials.
Procedure
1 Download the plug-in file to a location accessible from the vRealize Orchestrator server.
The plug-in installer file name format, with appropriate version values, is o11nplugin-nsx-1.n.n.vmoapp.
Plug-in installation files for the NSX networking and security product are
available from the VMware product download site at http://vmware.com/web/vmware/downloads.
2 Open a browser and start the vRealize Orchestrator configuration interface.
An example of the URL format is https://orchestrator_server.com:8283.
3 Click Plug-Ins in the left pane and scroll down to the Install new plug-in section.
4 In the Plug-In file text box, browse to the plug-in installer file and click Upload and install.
The file must be in .vmoapp format.
5 At the prompt, accept the license agreement in the Install a plug-in pane.
6 In the Enabled plug-ins installation status section, confirm that the correct NSX plug-in name is
specified.
See vRealize Automation Support Matrix for version information.
The status Plug-in will be installed at next server startup appears.
7 Restart the vRealize Orchestrator server service.
8 Restart the vRealize Orchestrator configuration interface.
9 Click Plug-Ins and verify that the status changed to Installation OK.
10 Start the vRealize Orchestrator client application, log in, and use the Workflow tab to navigate
through the library to the NSX folder.
You can browse through the workflows that the NSX plug-in provides.
What to do next
Create a vRealize Orchestrator endpoint in vRealize Automation to use for running workflows. See Create
a vRealize Orchestrator Endpoint.
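A check that can be run on the downloaded installer before step 4 uploads it, as an added example that is not part of the VMware documentation: it confirms that the file name follows the o11nplugin-nsx-1.n.n.vmoapp format and that the file matches a known SHA-256 digest. The function names and the script name are hypothetical, and the script assumes that you obtained the expected digest separately from the download source.

```shell
#!/bin/sh
# Added example: pre-upload checks for a downloaded NSX plug-in installer.
# Assumption: the expected SHA-256 digest is obtained separately from the
# download source and is passed in by the operator.

# Succeeds only when the base name follows o11nplugin-nsx-1.n.n.vmoapp,
# with each n a decimal number. Double extensions and other names fail.
valid_plugin_name() {
    base=$(basename -- "$1")
    printf '%s\n' "$base" |
        grep -Eq '^o11nplugin-nsx-1\.[0-9]+\.[0-9]+\.vmoapp$'
}

# Prints the lowercase hex SHA-256 digest of a file. Reading from stdin
# avoids problems with file names that begin with a dash.
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | awk '{print $1}'
    else
        shasum -a 256 < "$1" | awk '{print $1}'
    fi
}

# Return codes: 0 = accepted, 1 = unexpected file name,
# 2 = missing or empty file, 3 = digest mismatch.
check_plugin_file() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')

    if ! valid_plugin_name "$file"; then
        echo "rejected: name does not match o11nplugin-nsx-1.n.n.vmoapp" >&2
        return 1
    fi
    if [ ! -f "$file" ] || [ ! -s "$file" ]; then
        echo "rejected: file is missing or empty" >&2
        return 2
    fi
    actual=$(file_sha256 "$file")
    if [ "$actual" != "$expected" ]; then
        echo "rejected: SHA-256 is $actual, expected $expected" >&2
        return 3
    fi
    echo "accepted: $file"
}

# Usage (hypothetical script name):
#   sh check_plugin.sh <plug-in file> <expected SHA-256>
if [ "$#" -eq 2 ]; then
    check_plugin_file "$1" "$2"
fi
```

A non-zero return code means the file should not be uploaded until the name or digest discrepancy is explained.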
Run a vRealize Orchestrator and NSX Security Workflow
Before you use the NSX security policy features from vRealize Automation, an administrator must run the
Enable security policy support for overlapping subnets workflow in vRealize Orchestrator.
Security policy support for the overlapping subnets workflow is applicable to an NSX 6.1 and later
endpoint. Run this workflow only once to enable this support.
Prerequisites
• Verify that a vSphere endpoint is registered with an NSX endpoint. See Create a vSphere Endpoint.
• Log in to the vRealize Orchestrator client as an administrator.
• Verify that you ran the Create NSX endpoint vRO workflow.
Procedure
1 Click the Workflow tab and select NSX > NSX workflows for VCAC.
2 Run the Create NSX endpoint workflow and respond to prompts.
3 Run the Enable security policy support for overlapping subnets workflow.
4 Select the NSX endpoint as the input parameter for the workflow.
Use the IP address you specified when you created the vSphere endpoint to register an NSX
instance.
After you run this workflow, the distributed firewall rules defined in the security policy are applied only on
the vNICs of the security group members to which this security policy is applied.
What to do next
Apply the applicable security features for the blueprint.
Administrator Requirements for Provisioning NSX Universal Objects
To provision machines in a cross-vCenter deployment when using NSX universal objects such as an edge
gateway or load balancer, you must provision to a region in which the compute NSX manager has the
primary role.
There is only one primary NSX manager in a cross-vCenter NSX environment. To provision machines in a
cross-vCenter deployment, the machines must reside in a region in which the NSX compute manager has
the primary role. Provisioning fails when the machines exist in a region in which the compute NSX
manager has the secondary role.
You can use NSX local objects, such as a local edge gateway or load balancer. When using NSX local
objects, you must also use a region-specific NSX local transport zone and object virtual wire. You can
configure vRealize Automation reservations to use the local transport zone and virtual wires for
deployments in that local region.
See the VMware Knowledge Base article Deployment of vRealize Automation blueprints with NSX objects
fail (2147240) at http://kb.vmware.com/kb/2147240 for more information.
See the NSX Administration Guide and Cross-vCenter NSX Installation Guide for information about how
to configure and assign the primary NSX manager role for a cross-vCenter deployment.
Checklist for Preparing For Third-Party IPAM Provider Support
You can obtain IP addresses and ranges for use in network profile definition from a supported third-party
IPAM provider, such as Infoblox.
Before you can create and use an external IPAM provider endpoint in a vRealize Automation network
profile, you must download or otherwise obtain a vRealize Orchestrator IPAM provider plug-in or package,
import the plug-in or package and run required workflows in vRealize Orchestrator, and register the IPAM
solution as a vRealize Automation endpoint.
For an overview of the provisioning process for using an external IPAM provider to supply a range of
possible IP addresses, see Checklist for Provisioning a vRealize Automation Deployment Using an
External IPAM Provider.
Table 1‑3. Preparing for External IPAM Provider Support Checklist
Task | Location | Details
Obtain and import the supported external IPAM Provider vRealize Orchestrator plug-in. | Download the IPAM provider plug-in or package, for example the Infoblox IPAM plug-in or the VMware-provided third party IPAM starter SDK package, from the VMware Solution Exchange and import the plug-in or package to vRealize Orchestrator. If the VMware Solution Exchange (https://solutionexchange.vmware.com/store/category_groups/cloud-management) does not contain the IPAM provider package that you need, you can create your own using the IPAM Solution Provider SDK and supporting documentation. | See Obtain and Import the External IPAM Provider Package in vRealize Orchestrator.
Run the required configuration workflows and register the external IPAM solution as a vRealize Automation endpoint. | Run the vRealize Orchestrator configuration workflows and register the IPAM provider endpoint type in vRealize Orchestrator. | See Run Workflow to Register Third-Party IPAM Endpoint Type in vRealize Orchestrator.
Obtain and Import the External IPAM Provider Package in vRealize Orchestrator
To prepare to define and use an external IPAM provider endpoint, you must first obtain the external IPAM
provider package and import the package in vRealize Orchestrator.
You can download and use an existing third-party IP Address Management provider plug-in, such as
Infoblox IPAM. You can also create your own plug-in or package by using a VMware-supplied starter
package and accompanying SDK documentation for use with another third-party IPAM solution provider
such as Bluecat.
After you import the external IPAM provider plug-in or package in vRealize Orchestrator, run the required
workflows and register the IPAM endpoint type.
For more information about importing plug-ins and packages and running vRealize Orchestrator
workflows, see Using the VMware vRealize Orchestrator Client. For more information about extending
vRealize Automation with vRealize Orchestrator plug-ins, packages, and workflows, see Life Cycle
Extensibility.
Prerequisites
• Log in to vRealize Orchestrator with administrator privileges for importing, configuring, and registering a vRealize Orchestrator plug-in or package.
Procedure
1 Open the VMware Solution Exchange site at https://solutionexchange.vmware.com/store.
2 Select Cloud Management Marketplace.
3 Locate and download the plug-in or package.
For example, import the Infoblox plug-in that supports the Infoblox third-party IPAM endpoint in
vRealize Automation.
4 In vRealize Orchestrator, click the Administrator tab and click Import package.
5 For example, select the vRealize Orchestrator third-party IPAM package.
Select com.vmware.vra.ipam.service.sdk from source\vcac\components\ipam\vro-sdk\target\ipam-package-sdk-7.1.0-SNAPSHOT.package.
6 Select all workflows and artifacts and click Import selected elements.
What to do next
Run Workflow to Register Third-Party IPAM Endpoint Type in vRealize Orchestrator.
Run Workflow to Register Third-Party IPAM Endpoint Type in vRealize Orchestrator
Run the registration workflow in vRealize Orchestrator to support vRealize Automation use of the third-party
IPAM provider and register the IPAM endpoint type for use in vRealize Automation.
To register IPAM endpoint types in vRealize Orchestrator, you are prompted to supply
vRealize Automation administrator credentials.
For more information about importing packages and running vRealize Orchestrator workflows, see Using
the VMware vRealize Orchestrator Client. For more information about extending vRealize Automation
with vRealize Orchestrator packages and workflows, see Life Cycle Extensibility.
Prerequisites
• Obtain and Import the External IPAM Provider Package in vRealize Orchestrator
• Verify that you are logged in to vRealize Orchestrator with vRealize Automation with authority to run workflows.
• Be prepared to supply vRealize Automation administrator credentials when prompted.
Procedure
1 In vRealize Orchestrator, click the Design tab, select Administrator > Library, and select IPAM
Service Package SDK.
Each IPAM provider package is uniquely named and contains unique workflows. Each provider
supplies their own registration workflow. While the workflow names might be similar between provider
packages, the location of the workflows in vRealize Orchestrator can be different and is provider-specific.
2 For this example, run the Register IPAM Endpoint registration workflow and specify the IPAM
Infoblox endpoint type.
3 At the prompt for vRealize Automation credentials, enter your vRealize Automation administrator
credentials.
The package registers Infoblox as a new IPAM endpoint type in the vRealize Automation endpoint service
and makes the endpoint type available when you define endpoints in vRealize Automation.
Note: If the Infoblox IPAM connection disappears from the vRealize Orchestrator Inventory tab after you
restart the vRealize Orchestrator server in the vRealize Orchestrator Control Center,
run the Create IPAM Connection workflow from the vRO admin > Library > Infoblox > vRA > Helpers
menu sequence to resolve the issue. You can then open the vRealize Orchestrator Inventory tab, select Infoblox IPAM, and
refresh the page to display the Infoblox IPAM connection.
What to do next
You can now create an IPAM Infoblox type endpoint, or an endpoint for whatever third-party package or
plug-in you have just registered, in vRealize Automation. See Create a Third-Party IPAM Provider
Endpoint.
Checklist for Configuring Containers for vRealize Automation
To get started with Containers, you must configure the feature to support vRealize Automation user roles.
After you configure container definitions in Containers, you can add and configure container components
in a blueprint.
Table 1‑4. Checklist for Configuring Containers for vRealize Automation
Task | Details
Assign the container administrator and container architect roles. | See Container roles information in Foundations and Concepts.
Display the Containers context-sensitive help system. | See Containers help information in Foundations and Concepts.
Define container definitions in the Containers tab in vRealize Automation. | See Configuring vRealize Automation.
Add container components and container networking components to blueprints in the Design tab in vRealize Automation. | See Configuring vRealize Automation.
Configuring Containers Using the vRealize Automation Appliance
Xenon service information is accessible in the vRealize Automation appliance (vRA Settings > Xenon).
It contains information about the Xenon host VM, listening port, and service status. It also displays
information about clustered Xenon nodes.
You can manage the Xenon Linux service with the following CLI commands in the vRealize Automation
appliance.
Command | Description
service xenon-service status | Shows the status of the service as either running or stopped.
service xenon-service start | Starts the service.
service xenon-service stop | Stops the service.
service xenon-service restart | Restarts the service.
service xenon-service get_host | Shows the hostname on which the service is running.
service xenon-service get_port | Shows the service port.
service xenon-service status_cluster | Shows information about all clustered nodes in JSON format.
service xenon-service reset | Deletes the directory where Xenon keeps all configuration files and restarts the service.
Clustering Containers
You can use the Xenon service in conjunction with Containers for vRealize Automation to join nodes to a
cluster. If the nodes are clustered, the Xenon service connects other nodes automatically when it starts.
You can monitor the cluster status on the Xenon tab in the vRealize Automation appliance or by running
the following command in a CLI:
service xenon-service status_cluster
Xenon works on quorum-based clustering. The quorum is calculated by using the (number of nodes / 2) + 1 formula.
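The quorum formula above worked through for cluster sizing, as an added example that is not part of the VMware documentation. It goes one step beyond the text by deriving how many node losses each cluster size can absorb and the smallest cluster for a required tolerance. It assumes that the division is integer (floor) division; the function names and the "up"/"down" state labels are constructed for illustration and are not Xenon output.

```shell
#!/bin/sh
# Added example: quorum arithmetic for a cluster of Xenon nodes.
# Assumption: "/" in (number of nodes / 2) + 1 is integer (floor) division.

# Quorum for a cluster of N nodes.
xenon_quorum() {
    echo $(( $1 / 2 + 1 ))
}

# Number of nodes that can be lost while the remainder still meets quorum.
xenon_tolerated_failures() {
    echo $(( $1 - ($1 / 2 + 1) ))
}

# Smallest cluster size that still meets quorum after F node losses.
xenon_min_nodes_for() {
    echo $(( 2 * $1 + 1 ))
}

# Takes a space-separated list of node states ("up" or "down", constructed
# labels) and succeeds when the nodes that are up meet the quorum.
cluster_has_quorum() {
    total=0
    up=0
    for state in $1; do
        total=$((total + 1))
        if [ "$state" = "up" ]; then
            up=$((up + 1))
        fi
    done
    [ "$total" -gt 0 ] && [ "$up" -ge "$(xenon_quorum "$total")" ]
}

# Prints one line per cluster size from 1 to MAX.
quorum_table() {
    n=1
    echo "nodes quorum tolerated_failures"
    while [ "$n" -le "$1" ]; do
        echo "$n $(xenon_quorum "$n") $(xenon_tolerated_failures "$n")"
        n=$((n + 1))
    done
}

quorum_table 7
```

The table shows that an even-sized cluster tolerates no more node losses than the odd-sized cluster one node smaller, and that a two-node cluster tolerates none.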
Preparing Your vCloud Director Environment for vRealize Automation
Before you can integrate vCloud Director with vRealize Automation, you must install and configure your
vCloud Director instance, set up your vSphere and cloud resources, and identify or create appropriate
credentials to provide vRealize Automation with access to your vCloud Director environment.
Configure Your Environment
Configure your vSphere resources and cloud resources, including virtual datacenters and networks. For
more information, see the vCloud Director documentation.
Required Credentials for Integration
Create or identify either organization administrator or system administrator credentials that your
vRealize Automation IaaS administrators can use to bring your vCloud Director environment under
vRealize Automation management as an endpoint.
User Role Considerations
vCloud Director user roles in an organization do not need to correspond with roles in vRealize Automation
business groups. If the user account does not exist in vCloud Director, vCloud Director performs a lookup
in the associated LDAP or Active Directory and creates the user account if the user exists in the identity
store. If it cannot create the user account, it logs a warning but does not fail the provisioning process. The
provisioned machine is then assigned to the account that was used to configure the vCloud Director
endpoint.
For related information about vCloud Director user management, see the vCloud Director documentation.
Preparing Your vCloud Air Environment for vRealize Automation
Before you integrate vCloud Air with vRealize Automation, you must register for your vCloud Air account,
set up your vCloud Air environment, and identify or create appropriate credentials to provide
vRealize Automation with access to your environment.
Configure Your Environment
Configure your environment as instructed in the vCloud Air documentation.
Required Credentials for Integration
Create or identify either virtual infrastructure administrator or account administrator credentials that your
vRealize Automation IaaS administrators can use to bring your vCloud Air environment under
vRealize Automation management as an endpoint.
User Role Considerations
vCloud Air user roles in an organization do not need to correspond with roles in vRealize Automation
business groups. For related information about vCloud Air user management, see the vCloud Air
documentation.
Preparing Your Amazon AWS Environment
Prepare elements and user roles in your Amazon AWS environment, prepare Amazon AWS to
communicate with the guest agent and Software bootstrap agent, and understand how Amazon AWS
features map to vRealize Automation features.
Amazon AWS User Roles and Credentials Required for vRealize Automation
You must configure credentials in Amazon AWS with the permissions required for vRealize Automation to
manage your environment.
You must have certain Amazon access rights to successfully provision machines by using
vRealize Automation.
• Role and Permission Authorization in Amazon Web Services
  The Power User role in AWS provides an AWS Directory Service user or group with full access to
  AWS services and resources.
  You do not need any AWS credentials to create an AWS endpoint in vRealize Automation. However,
  the AWS user who creates an Amazon machine image is expected by vRealize Automation to have
  the Power User role.
• Authentication Credentials in Amazon Web Services
  The AWS Power User role does not allow management of AWS Identity and Access Management
  (IAM) users and groups. For management of IAM users and groups, you must be configured with
  AWS Full Access Administrator credentials.
  vRealize Automation requires access keys for endpoint credentials and does not support user names
  and passwords. To obtain the access key needed to create the Amazon endpoint, the Power User
  must either request a key from a user who has AWS Full Access Administrator credentials or be
  additionally configured with the AWS Full Access Administrator policy.
For information about enabling policies and roles, see the AWS Identity and Access Management (IAM)
section of Amazon Web Services product documentation.
Allow Amazon AWS to Communicate with the Software Bootstrap Agent and Guest Agent
If you intend to provision application blueprints that contain Software, or if you want the ability to further
customize provisioned machines by using the guest agent, you must enable connectivity between your
Amazon AWS environment, where your machines are provisioned, and your vRealize Automation
environment, where the agents download packages and receive instructions.
When you use vRealize Automation to provision Amazon AWS machines with the vRealize Automation
guest agent and Software bootstrap agent, you must set up network-to-Amazon VPC connectivity so your
provisioned machines can communicate back to vRealize Automation to customize your machines.
For more information about Amazon AWS VPC connectivity options, see the Amazon AWS
documentation.
Using Optional Amazon Features
vRealize Automation supports several Amazon features, including Amazon Virtual Private Cloud, elastic
load balancers, elastic IP addresses, and elastic block storage.
Using Amazon Security Groups
Specify at least one security group when creating an Amazon reservation. Each available region requires
at least one specified security group.
A security group acts as a firewall to control access to a machine. Every region includes at least the
default security group. Administrators can use the Amazon Web Services Management Console to create
additional security groups, configure ports for Microsoft Remote Desktop Protocol or SSH, and set up a
virtual private network for an Amazon VPN.
When you create an Amazon reservation or configure a machine component in the blueprint, you can
choose from the list of security groups that are available to the specified Amazon account region. Security
groups are imported during data collection.
For information about creating and using security groups in Amazon Web Services, see Amazon
documentation.
Understanding Amazon Web Service Regions
Each Amazon Web Services account is represented by a cloud endpoint. When you create an
Amazon Elastic Cloud Computing endpoint in vRealize Automation, regions are collected as compute
resources. After the IaaS administrator selects compute resources for a business group, inventory and
state data collections occur automatically.
Inventory data collection, which occurs automatically once a day, collects data about what is on a
compute resource, such as the following data:
• Elastic IP addresses
• Elastic load balancers
• Elastic block storage volumes
State data collection occurs automatically every 15 minutes by default. It gathers information about the
state of managed instances, which are instances that vRealize Automation creates. The following are
examples of state data:
• Windows passwords
• State of machines in load balancers
• Elastic IP addresses
A fabric administrator can initiate inventory and state data collection and disable or change the frequency
of inventory and state data collection.
Using Amazon Virtual Private Cloud
Amazon Virtual Private Cloud allows you to provision Amazon machine instances in a private section of
the Amazon Web Services cloud.
Amazon Web Services users can use Amazon VPC to design a virtual network topology according to your
specifications. You can assign an Amazon VPC in vRealize Automation. However, vRealize Automation
does not track the cost of using the Amazon VPC.
When you provision using Amazon VPC, vRealize Automation expects there to be a VPC subnet from
which Amazon obtains a primary IP address. This address is static until the instance is terminated. You
can also use the elastic IP pool to attach an elastic IP address to an instance in
vRealize Automation. That allows the user to keep the same IP address if they are continually
provisioning and tearing down an instance in Amazon Web Services.
Use the AWS Management Console to create the following elements:
• An Amazon VPC, which includes Internet gateways, routing table, security groups and subnets, and
  available IP addresses.
• An Amazon Virtual Private Network if users need to log in to Amazon machine instances outside of
  the AWS Management Console.
vRealize Automation users can perform the following tasks when working with an Amazon VPC:
• A fabric administrator can assign an Amazon VPC to a cloud reservation. See Create an Amazon
  Reservation.
• A machine owner can assign an Amazon machine instance to an Amazon VPC.
For more information about creating an Amazon VPC, see Amazon Web Services documentation.
Using Elastic Load Balancers for Amazon Web Services
Elastic load balancers distribute incoming application traffic across Amazon Web Services instances.
Amazon load balancing enables improved fault tolerance and performance.
Amazon makes elastic load balancing available for machines provisioned using Amazon EC2 blueprints.
The elastic load balancer must be available in Amazon Web Services, in the
Amazon Virtual Private Network, and at the provisioning location. For example, if a load balancer is
available in us-east1c and a machine location is us-east1b, the machine cannot use the available load
balancer.
vRealize Automation does not create, manage, or monitor the elastic load balancers.
For information about creating Amazon elastic load balancers by using the
Amazon Web Services Management Console, see Amazon Web Services documentation.
Using Elastic IP Addresses for Amazon Web Services
Using an elastic IP address allows you to rapidly fail over to another machine in a dynamic
Amazon Web Services cloud environment. In vRealize Automation, the elastic IP address is available to
all business groups that have rights to the region.
An administrator can allocate elastic IP addresses to your Amazon Web Services account by using the
AWS Management Console. There are two groups of elastic IP addresses in any given region: one
range is allocated for non-Amazon VPC instances and another range is for Amazon VPCs. If you allocate
addresses in a non-Amazon VPC region only, the addresses are not available in an Amazon VPC. The
reverse is also true. If you allocate addresses in an Amazon VPC only, the addresses are not available in
a non-Amazon VPC region.
The elastic IP address is associated with your Amazon Web Services account, not a particular machine,
but only one machine at a time can use the address. The address remains associated with your
Amazon Web Services account until you choose to release it. You can release it to map it to a specific
machine instance.
An IaaS architect can add a custom property to a blueprint to assign an elastic IP address to machines
during provisioning. Machine owners and administrators can view the elastic IP addresses assigned to
machines, and machine owners or administrators with rights to edit machines can assign an elastic IP
address after provisioning. However, if the address is already associated with a machine instance, and
the instance is part of the Amazon Virtual Private Cloud deployment, Amazon does not assign the
address.
For more information about creating and using Amazon elastic IP addresses, see Amazon Web Services
documentation.
Using Elastic Block Storage for Amazon Web Services
Amazon elastic block storage provides block level storage volumes to use with an Amazon machine
instance and Amazon Virtual Private Cloud. The storage volume can persist past the life of its associated
Amazon machine instance in the Amazon Web Services cloud environment.
When you use an Amazon elastic block storage volume in conjunction with vRealize Automation, the
following caveats apply:
• You cannot attach an existing elastic block storage volume when you provision a machine instance.
  However, if you create a new volume and request more than one machine at a time, the volume is
  created and attached to each instance. For example, if you create one volume named volume_1 and
  request three machines, a volume is created for each machine. Three volumes named volume_1 are
  created and attached to each machine. Each volume has a unique volume ID. Each volume is the
  same size and in the same location.
• The volume must be of the same operating system and in the same location as the machine to which
  you attach it.
• vRealize Automation does not manage the primary volume of an elastic block storage-backed
  instance.
For more information about Amazon elastic block storage, and details on how to enable it by using
Amazon Web Services Management Console, see Amazon Web Services documentation.
Scenario: Configure Network-to-Amazon VPC Connectivity for a Proof of Concept Environment
As the IT professional setting up a proof of concept environment to evaluate vRealize Automation, you
want to temporarily configure network-to-Amazon VPC connectivity to support the vRealize Automation
Software feature.
Network-to-Amazon VPC connectivity is only required if you want to use the guest agent to customize
provisioned machines, or if you want to include Software components in your blueprints. For a production
environment, you would configure this connectivity officially through Amazon Web Services, but because
you are working in a proof of concept environment, you want to create temporary network-to-Amazon
VPC connectivity. You establish the SSH tunnel and then configure an Amazon reservation in
vRealize Automation to route through your tunnel.
Prerequisites
• Install and fully configure vRealize Automation. See Installing and Configuring vRealize Automation
  for the Rainpole Scenario.
• Create an Amazon AWS security group called TunnelGroup and configure it to allow access on port 22.
• Create or identify a CentOS machine in your Amazon AWS TunnelGroup security group and note the
  following configurations:
  • Administrative user credentials, for example root.
  • Public IP address.
  • Private IP address.
• Create or identify a CentOS machine on the same local network as your vRealize Automation
  installation.
• Install OpenSSH SSHD Server on both tunnel machines.
Procedure
1 Log in to your Amazon AWS tunnel machine as the root user or similar.
2 Disable iptables.
# service iptables save
# service iptables stop
# chkconfig iptables off
3 Edit /etc/ssh/sshd_config to enable AllowTCPForwarding and GatewayPorts.
4 Restart the service.
/etc/init.d/sshd restart
5 Log in to the CentOS machine on the same local network as your vRealize Automation installation as
the root user.
6 Invoke the SSH Tunnel from the local network machine to the Amazon AWS tunnel machine.
ssh -N -v -o "ServerAliveInterval 30" -o "ServerAliveCountMax 40" -o "TCPKeepAlive yes" \
-R 1442:vRealize_automation_appliance_fqdn:5480 \
-R 1443:vRealize_automation_appliance_fqdn:443 \
-R 1444:manager_service_fqdn:443 \
user_of_Amazon_tunnel_machine@public_IP_address_of_Amazon_tunnel_machine
You configured port forwarding to allow your Amazon AWS tunnel machine to access
vRealize Automation resources, but your SSH tunnel does not function until you configure an Amazon
reservation to route through the tunnel.
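The sshd settings from step 3 decide whether the reverse forwards from step 6 can be reached by provisioned machines. The following check is an added example, not part of the VMware procedure: the function names and the sample configuration files are constructed for illustration, and it reads only the global section of a single file.

```shell
#!/bin/sh
# Added example (not from the VMware guide): check the sshd settings that the
# reverse tunnel in step 6 depends on. Function names are hypothetical.
#
# sshd keeps the FIRST value it reads for a keyword, keywords are
# case-insensitive, and lines after a "Match" line are conditional, so only
# the global section of the file is evaluated. Include files are not followed.

# Print the effective global value of keyword $2 in file $1, or default $3.
sshd_effective_value() {
    awk -v want="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" -v dflt="$3" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }     # comments and blank lines
        {
            sub(/[ \t]*=[ \t]*/, " ")         # accept "Keyword=value"
            key = tolower($1)
            if (key == "match") exit          # conditional blocks start here
            if (key == want && !found) {
                val = $2
                gsub(/"/, "", val)            # accept quoted arguments
                found = 1
            }
        }
        END { print (found ? val : dflt) }
    ' "$1"
}

# Return 0 when the forwards from step 6 (-R port:host:port, no bind address)
# will be accepted and will listen on more than the loopback interface.
check_tunnel_sshd() {
    fwd=$(sshd_effective_value "$1" AllowTcpForwarding yes)   # sshd default: yes
    gw=$(sshd_effective_value "$1" GatewayPorts no)           # sshd default: no
    status=0
    case "$fwd" in
        yes|all|remote) ;;
        *) echo "AllowTcpForwarding is '$fwd': remote forwards are refused"
           status=1 ;;
    esac
    if [ "$gw" != "yes" ]; then
        echo "GatewayPorts is '$gw': forwarded ports bind to loopback only"
        status=1
    fi
    return $status
}

# Constructed sample configurations (not taken from a real host).
sample_dir=$(mktemp -d)
trap 'rm -rf "$sample_dir"' EXIT

cat > "$sample_dir/default.conf" <<'EOF'
# forwarding allowed, GatewayPorts left at its default
Port 22
#GatewayPorts no
AllowTcpForwarding yes
EOF

cat > "$sample_dir/tunnel.conf" <<'EOF'
Port 22
allowtcpforwarding yes
GatewayPorts=yes
GatewayPorts no
Match User backup
    AllowTcpForwarding no
EOF

cat > "$sample_dir/matchonly.conf" <<'EOF'
AllowTcpForwarding no
Match Address 10.0.0.0/8
    AllowTcpForwarding yes
    GatewayPorts yes
EOF

for name in default tunnel matchonly; do
    if check_tunnel_sshd "$sample_dir/$name.conf"; then
        echo "$name.conf: ready for the reverse tunnel"
    else
        echo "$name.conf: not ready"
    fi
done
```

On the tunnel machine itself, `sshd -T` prints the effective configuration after Include and Match processing. With iptables stopped in step 2 and GatewayPorts set to yes, the forwarded ports 1442 to 1444 listen on all interfaces of the tunnel machine, so the TunnelGroup security group rules determine who can reach them.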
What to do next
1 Install the software bootstrap agent and the guest agent on a Windows or Linux reference machine to
create an Amazon Machine Image that your IaaS architects can use to create blueprints. See
Preparing for Software Provisioning.
2 Configure your Amazon reservation in vRealize Automation to route through your SSH tunnel. See
Scenario: Create an Amazon Reservation for a Proof of Concept Environment.
Preparing Red Hat OpenStack Network and Security Features
vRealize Automation supports several features in OpenStack including security groups and floating IP
addresses. Understand how these features work with vRealize Automation and configure them in your
environment.
Using OpenStack Security Groups
Security groups allow you to specify rules to control network traffic over specific ports.
You can specify security groups in a reservation when requesting a machine. You can also specify an
existing or on-demand NSX security group in the design canvas.
Security groups are imported during data collection.
Each available region requires at least one specified security group. When you create a reservation, the
security groups that are available to you in that region are displayed. Every region includes at
least the default security group.
Additional security groups must be managed in the source resource. For more information about
managing security groups for the various machines, see the OpenStack documentation.
Using Floating IP Addresses with OpenStack
You can assign floating IP addresses to a running virtual instance in OpenStack.
To enable assignment of floating IP addresses, you must configure IP forwarding and create a floating IP
pool in Red Hat OpenStack. For more information, see the Red Hat OpenStack documentation.
You must entitle the Associate Floating IP and Disassociate Floating IP actions to machine owners. The
entitled users can then associate a floating IP address to a provisioned machine from the external
networks attached to the machine by selecting an available address from the floating IP address pool.
After a floating IP address has been associated with a machine, a vRealize Automation user can select a
Disassociate Floating IP option to view the currently assigned floating IP addresses and disassociate an
address from a machine.
Preparing Your SCVMM Environment
Before you begin creating SCVMM templates and hardware profiles for use in vRealize Automation
machine provisioning, you must understand the naming restrictions on template and hardware profile
names, and configure SCVMM network and storage settings.
For related information about preparing your environment, see SCVMM requirements information in
Installing vRealize Automation 7.2.
For related information about machine provisioning, see Create a Hyper-V (SCVMM) Endpoint.
Template and Hardware Profile Naming
Because of naming conventions that SCVMM and vRealize Automation use for templates and hardware
profiles, do not start your template or hardware profile names with the words temporary or profile. For
example, the following words are ignored during data collection:
• TemporaryTemplate
• Temporary Template
• TemporaryProfile
• Temporary Profile
• Profile
Required Network Configuration for SCVMM Clusters
SCVMM clusters only expose virtual networks to vRealize Automation, so you must have a 1:1
relationship between your virtual and logical networks. Using the SCVMM console, map each logical
network to a virtual network and configure your SCVMM cluster to access machines through the virtual
network.
Required Storage Configuration for SCVMM Clusters
On SCVMM Hyper-V clusters, vRealize Automation collects data and provisions on shared volumes only.
Using the SCVMM console, configure your clusters to use shared resource volumes for storage.
Required Storage Configuration for Standalone SCVMM Hosts
For standalone SCVMM hosts, vRealize Automation collects data and provisions on the default virtual
machine path. Using the SCVMM console, configure default virtual machine paths for your standalone
hosts.
Preparing for Machine Provisioning
Depending on your environment and your method of machine provisioning, you might need to configure
elements outside of vRealize Automation. For example, you might need to configure machine templates
or machine images. You might also need to configure NSX settings or run vRealize Orchestrator
workflows.
Choosing a Machine Provisioning Method to Prepare
For most machine provisioning methods, you must prepare some elements outside of
vRealize Automation.
Table 1‑5. Choosing a Machine Provisioning Method to Prepare

Scenario: Configure vRealize Automation to run custom Visual Basic scripts as additional steps in the machine life cycle, either before or after machine provisioning. For example, you could use a pre-provisioning script to generate certificates or security tokens before provisioning, and then a post-provisioning script to use the certificates and tokens after machine provisioning.
Supported Endpoint: You can run Visual Basic scripts with any supported endpoint except Amazon AWS.
Agent Support: Depends on the provisioning method you choose.
Provisioning Method: Supported as an additional step in any provisioning method, but you cannot use Visual Basic scripts with Amazon AWS machines.
Pre-provisioning Preparations: Checklist for Running Visual Basic Scripts During Provisioning

Scenario: Provision application blueprints that automate the installation, configuration, and life cycle management of middleware and application deployment components such as Oracle, MySQL, WAR, and database schemas.
Supported Endpoint:
• vSphere
• vCloud Air
• vCloud Director
• Amazon AWS
Agent Support:
• (Required) Guest agent
• (Required) Software bootstrap agent and guest agent
Provisioning Method:
• Clone
• Clone (for vCloud Air or vCloud Director)
• Linked clone
• Amazon Machine Image
Pre-provisioning Preparations: If you want the ability to use Software components in your blueprints, prepare a provisioning method that supports the guest agent and Software bootstrap agent. For more information about preparing for Software, see Preparing for Software Provisioning.

Scenario: Further customize machines after provisioning by using the guest agent.
Supported Endpoint: All virtual endpoints and Amazon AWS.
Agent Support:
• (Required) Guest agent
• (Optional) Software bootstrap agent and guest agent
Provisioning Method: Supported for all provisioning methods except Virtual Machine Image.
Pre-provisioning Preparations: If you want the ability to customize machines after provisioning, select a provisioning method that supports the guest agent. For more information about the guest agent, see Using vRealize Automation Guest Agent in Provisioning.

Scenario: Provision machines with no guest operating system. You can install an operating system after provisioning.
Supported Endpoint: All virtual machine endpoints.
Agent Support: Not supported
Provisioning Method: Basic
Pre-provisioning Preparations: No required pre-provisioning preparations outside of vRealize Automation.

Scenario: Provision a space-efficient copy of a virtual machine called a linked clone. Linked clones are based on a snapshot of a VM and use a chain of delta disks to track differences from a parent machine.
Supported Endpoint: vSphere
Agent Support:
• (Optional) Guest agent
• (Optional) Software bootstrap agent and guest agent
Provisioning Method: Linked Clone
Pre-provisioning Preparations: You must have an existing vSphere virtual machine. If you want to support Software, you must install the guest agent and software bootstrap agent on the machine you intend to clone. The VM snapshot identified in the blueprint should be powered off before you provision the linked clone VMs.

Scenario: Provision a space-efficient copy of a virtual machine by using NetApp FlexClone technology.
Supported Endpoint: vSphere
Agent Support: (Optional) Guest agent
Provisioning Method: NetApp FlexClone
Pre-provisioning Preparations: Checklist for Preparing to Provision by Cloning

Scenario: Provision machines by cloning from a template object created from an existing Windows or Linux machine, called the reference machine, and a customization object.
Supported Endpoint:
• vSphere
• KVM (RHEV)
• SCVMM
Agent Support:
• (Optional) Guest agent
• (Optional for vSphere only) Software bootstrap agent and guest agent
Provisioning Method: Clone
Pre-provisioning Preparations: See Checklist for Preparing to Provision by Cloning. If you want to support Software, you must install the guest agent and software bootstrap agent on the vSphere machine you intend to clone.

Scenario: Provision vCloud Air or vCloud Director machines by cloning from a template and customization object.
Supported Endpoint:
• vCloud Air
• vCloud Director
Agent Support:
• (Optional) Guest agent
• (Optional) Software bootstrap agent and guest agent
Provisioning Method: vCloud Air or vCloud Director Cloning
Pre-provisioning Preparations: See Preparing for vCloud Air and vCloud Director Provisioning. If you want to support Software, create a template that contains the guest agent and software bootstrap agent. For vCloud Air, configure network connectivity between your vRealize Automation environment and your vCloud Air environment.

Scenario: Provision a machine by booting from an ISO image, using a kickstart or AutoYaST configuration file and a Linux distribution image to install the operating system on the machine.
Supported Endpoint:
• All virtual endpoints
• Red Hat OpenStack
Agent Support: Guest agent is installed as part of the preparation instructions.
Provisioning Method: Linux Kickstart
Pre-provisioning Preparations: Preparing for Linux Kickstart Provisioning

Scenario: Provision a machine and pass control to an SCCM task sequence to boot from an ISO image, deploy a Windows operating system, and install the vRealize Automation guest agent.
Supported Endpoint: All virtual machine endpoints.
Agent Support: Guest agent is installed as part of the preparation instructions.
Provisioning Method: SCCM
Pre-provisioning Preparations: Preparing for SCCM Provisioning

Scenario: Provision a machine by booting into a WinPE environment and installing an operating system using a Windows Imaging File Format (WIM) image of an existing Windows reference machine.
Supported Endpoint:
• All virtual endpoints
• Red Hat OpenStack
Agent Support: Guest agent is required. You can use PEBuilder to create a WinPE image that includes the guest agent. You can create the WinPE image by using another method, but you must manually insert the guest agent.
Provisioning Method: WIM
Pre-provisioning Preparations: Preparing for WIM Provisioning

Scenario: Launch an instance from a virtual machine image.
Supported Endpoint: Red Hat OpenStack
Agent Support: Not supported
Provisioning Method: Virtual Machine Image
Pre-provisioning Preparations: See Preparing for Virtual Machine Image Provisioning.

Scenario: Launch an instance from an Amazon Machine Image.
Supported Endpoint: Amazon AWS
Agent Support:
• (Optional) Guest agent
• (Optional) Software bootstrap agent and guest agent
Provisioning Method: Amazon Machine Image
Pre-provisioning Preparations: Associate Amazon machine images and instance types with your Amazon AWS account. If you want to support Software, create an Amazon Machine Image that contains the guest agent and software bootstrap agent, and configure network-to-VPC connectivity between your Amazon AWS and vRealize Automation environments.

Checklist for Running Visual Basic Scripts During Provisioning
You can configure vRealize Automation to run your custom Visual Basic scripts as additional steps in the
machine life cycle, either before or after machine provisioning. For example, you could use a pre-
provisioning script to generate certificates or security tokens before provisioning, and then a post-
provisioning script to use the certificates and tokens after machine provisioning. You can run Visual Basic
scripts with any provisioning method, but you cannot use Visual Basic scripts with Amazon AWS
machines.
Table 1‑6. Running Visual Basic Scripts During Provisioning Checklist

Task: Install and configure the EPI agent for Visual Basic scripts.
Location: Typically the Manager Service host
Details: See Installing vRealize Automation 7.2.

Task: Create your Visual Basic scripts.
Location: Machine where EPI agent is installed
Details: vRealize Automation includes a sample Visual Basic script PrePostProvisioningExample.vbs in the Scripts subdirectory of the EPI agent installation directory. This script contains a header to load all arguments into a dictionary, a body in which you can include your functions, and a footer to return updated custom properties to vRealize Automation.
When executing a Visual Basic script, the EPI agent passes all machine custom properties as arguments to the script. To return updated property values to vRealize Automation, place these properties in a dictionary and call a function provided by vRealize Automation.

Task: Gather the information required to include your scripts in blueprints.
Location: Capture information and transfer to your infrastructure architects
Details:
Note A fabric administrator can create a property group by using the property sets ExternalPreProvisioningVbScript and ExternalPostProvisioningVbScript to provide this required information. Doing so makes it easier for blueprint architects to include this information correctly in their blueprints.
• The complete path to the Visual Basic script, including the filename and extension. For example, %System Drive%Program Files (x86)\VMware\vCAC Agents\EPI_Agents\Scripts\Send Email.vbs.
• To run a script before provisioning, instruct infrastructure architects to enter the complete path to the script as the value of the custom property ExternalPreProvisioningVbScript. To run a script after provisioning, they need to use the custom property ExternalPostProvisioningVbScript.

Using vRealize Automation Guest Agent in Provisioning
You can install the guest agent on reference machines to further customize a machine after deployment.
You can use the reserved guest agent custom properties to perform basic customizations such as adding
and formatting disks, or you can create your own custom scripts for the guest agent to run within the
guest operating system of a provisioned machine.
After the deployment is completed and the customization specification is run (if you provided one), the
guest agent creates an XML file that contains all of the deployed machine's custom properties
(c:\VRMGuestAgent\site\workitem.xml), completes any tasks assigned to it with the guest agent
custom properties, and then deletes itself from the provisioned machine.
You can write your own custom scripts for the guest agent to run on deployed machines, and use custom
properties on the machine blueprint to specify the location of those scripts and the order in which to run
them. You can also use custom properties on the machine blueprint to pass custom property values to
your scripts as parameters.
For example, you could use the guest agent to make the following customizations on deployed machines:
• Change the IP address
• Add or format drives
• Run security scripts
• Initialize another agent, for example Puppet or Chef
You can also provide an encrypted string as a custom property in a command line argument. This allows
you to store encrypted information that the guest agent can decrypt and understand as a valid command
line argument.
Your custom scripts do not have to be locally installed on the machine. As long as the provisioned
machine has network access to the script location, the guest agent can access and run the scripts. This
lowers maintenance costs because you can update your scripts without having to rebuild all of your
templates.
You can configure security settings for the virtual machines to be provisioned by specifying information in
a reservation, blueprint, or guest agent script. If the machines to be provisioned require a guest agent,
you must add a security rule that contains that requirement to the reservation or the blueprint. For
example, if you use a default security policy that denies communication between all machines, and rely
on a separate security policy to allow communication between specific machines, the guest agent might
be unable to communicate with vRealize Automation during the customization phase. To avoid this
problem during machine provisioning, use a default security policy that allows communication during the
customization phase.
If you choose to install the guest agent to run custom scripts on provisioned machines, your blueprints
must include the appropriate guest agent custom properties. For example, if you install the guest agent
on a template for cloning, create a custom script that changes the provisioned machine's IP address, and
place the script in a shared location, you need to include a number of custom properties in your blueprint.
Table 1‑7. Custom Properties for Changing IP Address of a Provisioned Machine with a Guest Agent

Custom Property: VirtualMachine.Admin.UseGuestAgent
Description: Set to true to initialize the guest agent when the provisioned machine is started.

Custom Property: VirtualMachine.Customize.WaitComplete
Description: Set to True to prevent the provisioning workflow from sending work items to the guest agent until all customizations are complete.