VMware vRealize Automation - 7.2 Installation Manual

Installing vRealize Automation
vRealize Automation 7.2
This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.
EN-002325-02
You can find the most up-to-date technical documentation on the VMware Web site at:
hp://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
docfeedback@vmware.com
Copyright © 2017 VMware, Inc. All rights reserved. Copyright and trademark information.
VMware, Inc.
3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com

Contents

vRealize Automation Installation
Updated Information
1 vRealize Automation Installation Overview
    vRealize Automation Installation Components
    The vRealize Automation Appliance
    Infrastructure as a Service
    Deployment Type
    Minimal vRealize Automation Deployments
    Distributed vRealize Automation Deployments
    Choosing Your Installation Method
2 Preparing for vRealize Automation Installation
    Host Names and IP Addresses
    Hardware and Virtual Machine Requirements
    Browser Considerations
    Password Considerations
    Windows Server Requirements
    IaaS Database Server Requirements
    IaaS Web Service and Model Manager Server Requirements
    IaaS Manager Service
    Distributed Execution Manager Requirements
    vRealize Automation Port Requirements
    User Accounts and Credentials Required for Installation
    Security
    Certificates
    Extracting Certificates and Private Keys
    Security Passphrase
    Third-Party Software
    Time Synchronization
3 Installing vRealize Automation with the Installation Wizard
    Deploy the vRealize Automation Appliance
    Using the Installation Wizard for Minimal Deployments
    Run the Installation Wizard for a Minimal Deployment
    Installing the Management Agent
    Synchronize Server Times
    Run the Prerequisite Checker
    Specify Minimal Deployment Parameters
    Create Snapshots Before You Begin the Installation
    Finish the Installation
    Address Installation Failures
    Set Up Credentials for Initial Content Configuration
    Using the Installation Wizard for Enterprise Deployments
    Run the Installation Wizard for an Enterprise Deployment
    Installing the Management Agent
    Synchronize Server Times
    Run the Prerequisite Checker
    Specify Enterprise Deployment Parameters
    Create Snapshots Before You Begin the Installation
    Finish the Installation
    Address Installation Failures
    Set Up Credentials for Initial Content Configuration
4 The Standard vRealize Automation Installation Interfaces
    Using the Standard Interfaces for Minimal Deployments
    Minimal Deployment Checklist
    Deploy and Configure the vRealize Automation Appliance
    Installing IaaS Components
    Using the Standard Interfaces for Distributed Deployments
    Distributed Deployment Checklist
    Distributed Installation Components
    Disabling Load Balancer Health Checks
    Certificate Trust Requirements in a Distributed Deployment
    Configure Web Component, Manager Service and DEM Host Certificate Trust
    Installation Worksheets
    Deploy the vRealize Automation Appliance
    Configuring Your Load Balancer
    Configuring Appliances for vRealize Automation
    Install the IaaS Components in a Distributed Configuration
    Installing vRealize Automation Agents
    Set the PowerShell Execution Policy to RemoteSigned
    Choosing the Agent Installation Scenario
    Agent Installation Location and Requirements
    Installing and Configuring the Proxy Agent for vSphere
    Installing the Proxy Agent for Hyper-V or XenServer
    Installing the VDI Agent for XenDesktop
    Installing the EPI Agent for Citrix
    Installing the EPI Agent for Visual Basic Scripting
    Installing the WMI Agent for Remote WMI Requests
5 vRealize Automation Post-Installation Tasks
    Configure Federal Information Processing Standard Compliant Encryption
    Replacing Self-Signed Certificates with Certificates Provided by an Authority
    Change the Master vRealize Automation Appliance Host Name
    Change a Replica vRealize Automation Appliance Host Name
    Installing the vRealize Log Insight Agent on IaaS Servers
    Configure Access to the Default Tenant
6 Troubleshooting a vRealize Automation Installation
    Default Log Locations
    Rolling Back a Failed Installation
    Roll Back a Minimal Installation
    Roll Back a Distributed Installation
    Create a vRealize Automation Support Bundle
    General Installation Troubleshooting
    Installation or Upgrade Fails with a Load Balancer Timeout Error
    Server Times Are Not Synchronized
    Blank Pages May Appear When Using Internet Explorer 9 or 10 on Windows 7
    Cannot Establish Trust Relationship for the SSL/TLS Secure Channel
    Connect to the Network Through a Proxy Server
    Console Steps for Initial Content Configuration
    Cannot Downgrade vRealize Automation Licenses
    Troubleshooting the vRealize Automation Appliance
    Installers Fail to Download
    Encryption.key File has Incorrect Permissions
    Identity Manager Fails to Start After Horizon-Workspace Restart
    Incorrect Appliance Role Assignments After Failover
    Failures After Promotion of Replica and Master Nodes
    Incorrect vRealize Automation Component Service Registrations
    Troubleshooting IaaS Components
    Validating Server Certificates for IaaS
    Credentials Error When Running the IaaS Installer
    Save Settings Warning Appears During IaaS Installation
    Website Server and Distributed Execution Managers Fail to Install
    IaaS Authentication Fails During IaaS Web and Model Management Installation
    Failed to Install Model Manager Data and Web Components
    IaaS Windows Servers Do Not Support FIPS
    Adding an XaaS Endpoint Causes an Internal Error
    Uninstalling a Proxy Agent Fails
    Machine Requests Fail When Remote Transactions Are Disabled
    Error in Manager Service Communication
    Email Customization Behavior Has Changed
    Troubleshooting Log-In Errors
    Attempts to Log In as the IaaS Administrator with Incorrect UPN Format Credentials Fails with No Explanation
    Log In Fails with High Availability
    Proxy Prevents VMware Identity Manager User Log In
7 Silent vRealize Automation Installation
    Perform a Silent vRealize Automation Installation
    Perform a Silent vRealize Automation Management Agent Installation
    Silent vRealize Automation Installation Answer File
    The vRealize Automation Installation Command Line
    vRealize Automation Installation Command Line Basics
    vRealize Automation Installation Command Names
    The vRealize Automation Installation API
    Convert Between vRealize Automation Silent Properties and JSON
Index

vRealize Automation Installation

vRealize Automation Installation explains how to install VMware vRealize™ Automation.
NOTE Not all features and capabilities of vRealize Automation are available in all editions. For a comparison of feature sets in each edition, see https://www.vmware.com/products/vrealize-automation/.
Intended Audience
This information is intended for experienced Windows or Linux system administrators who are familiar with virtual machine technology and data center operations.
VMware Technical Publications Glossary
VMware Technical Publications provides a glossary of terms that might be unfamiliar to you. For definitions of terms as they are used in VMware technical documentation, go to http://www.vmware.com/support/pubs.

Updated Information

The following table lists the changes to Installing vRealize Automation for this product release.
Revision        Description
EN-002325-02    - Added another restart in “Change the Master vRealize Automation Appliance Host Name,” on page 122 and “Change a Replica vRealize Automation Appliance Host Name,” on page 123.
                - Added “Cannot Downgrade vRealize Automation Licenses,” on page 134.
EN-002325-01    Added Configure a Datastore Cluster permission to “vSphere Agent Requirements,” on page 99.
EN-002325-00    Initial document release.

Chapter 1 vRealize Automation Installation Overview

You can install vRealize Automation through different means, each with varying levels of interactivity.
To install, you deploy a vRealize Automation appliance and then complete the bulk of the installation using one of the following options:
- A consolidated, browser-based Installation Wizard
- Separate browser-based appliance configuration, and separate Windows installations for IaaS server components
- A command line based, silent installer that accepts input from an answer properties file
- An installation REST API that accepts JSON formatted input
After installation, you start using vRealize Automation by customizing the environment and configuring one or more tenants, which sets up access to self-service provisioning and life-cycle management of cloud services.
If you installed earlier versions of vRealize Automation, note the following changes before you begin.
- This release of vRealize Automation introduces an installation API that uses a JSON formatted version of the silent installation settings.
  See “The vRealize Automation Installation API,” on page 151.
- This release supports the changing of vRealize Automation appliance host names.
  See “Change the Master vRealize Automation Appliance Host Name,” on page 122.
- This release of the vRealize Automation Installation Wizard introduces a post-installation option to migrate data from an older deployment.
This chapter includes the following topics:
- vRealize Automation Installation Components
- Deployment Type
- Choosing Your Installation Method
vRealize Automation Installation Components
A typical vRealize Automation installation consists of a vRealize Automation appliance and one or more Windows servers that, taken together, provide vRealize Automation Infrastructure as a Service (IaaS).

The vRealize Automation Appliance

The vRealize Automation appliance is a preconfigured Linux virtual appliance. The vRealize Automation appliance is delivered as an open virtualization file that you deploy on existing virtualized infrastructure such as vSphere.
The vRealize Automation appliance performs several functions central to vRealize Automation.
- The appliance contains the server that hosts the vRealize Automation product portal, where users log in to access self-service provisioning and management of cloud services.
- The appliance manages single sign-on (SSO) for user authorization and authentication.
- The appliance server hosts a management interface for vRealize Automation appliance settings.
- The appliance includes a preconfigured PostgreSQL database used for internal vRealize Automation appliance operations.
  In large deployments with redundant appliances, the secondary appliance databases serve as replicas to provide high availability.
- The appliance includes a preconfigured instance of vRealize Orchestrator. vRealize Automation uses vRealize Orchestrator workflows and actions to extend its capabilities.
  The embedded instance of vRealize Orchestrator is now recommended. In older deployments or special cases, however, users might connect vRealize Automation to an external vRealize Orchestrator instead.
- The appliance contains the downloadable Management Agent installer. All Windows servers that make up your vRealize Automation IaaS must install the Management Agent.
  The Management Agent registers IaaS Windows servers with the vRealize Automation appliance, automates the installation and management of IaaS components, and collects support and telemetry information.

Infrastructure as a Service

vRealize Automation IaaS consists of one or more Windows servers that work together to model and provision systems in private, public, or hybrid cloud infrastructures.
You install vRealize Automation IaaS components on one or more virtual or physical Windows servers. After installation, IaaS operations appear under the Infrastructure tab in the product interface.
IaaS consists of the following components, which can be installed together or separately, depending on deployment size.
Web Server
The IaaS Web server provides infrastructure administration and service authoring to the vRealize Automation product interface. The Web server component communicates with the Manager Service, which provides updates from the Distributed Execution Manager (DEM), SQL Server database, and agents.
Model Manager
vRealize Automation uses models to facilitate integration with external systems and databases. The models implement business logic used by the DEM.
The Model Manager provides services and utilities for persisting, versioning, securing, and distributing model elements. Model Manager is hosted on one of the IaaS Web servers and communicates with DEMs, the SQL Server database, and the product interface Web site.
Manager Service
The Manager Service is a Windows service that coordinates communication between IaaS DEMs, the SQL Server database, agents, and SMTP.
IaaS requires that only one Windows machine actively run the Manager Service. For backup or high availability, you may deploy additional Windows machines where you manually start the Manager Service if the active service stops.
I Simultaneously running an active Manager Service on multiple IaaS Windows servers makes vRealize Automation unusable.
The Manager Service communicates with the Web server through the Model Manager and must be run under a domain account with administrator privileges on all IaaS Windows servers.
SQL Server Database
IaaS uses a Microsoft SQL Server database to maintain information about the machines it manages, plus its own elements and policies. Most users allow vRealize Automation to create the database during installation. Alternatively, you may create the database separately if site policies require it.
Distributed Execution Manager
The IaaS DEM component runs the business logic of custom models, interacting with the IaaS SQL Server database, and with external databases and systems. A common approach is to install DEMs on the IaaS Windows server that hosts the active Manager Service, but it is not required.
Each DEM instance acts as a worker or orchestrator. The roles can be installed on the same or separate servers.
DEM Worker—A DEM worker has one function, to run workflows. Multiple DEM workers increase capacity and can be installed on the same or separate servers.
DEM Orchestrator—A DEM orchestrator performs the following oversight functions.
- Monitors DEM workers. If a worker stops or loses its connection to Model Manager, the DEM orchestrator moves the workflows to another DEM worker.
- Schedules workflows by creating new workflow instances at the scheduled time.
- Ensures that only one instance of a scheduled workflow is running at a given time.
- Preprocesses workflows before they run. Preprocessing includes checking preconditions for workflows and creating the workflow execution history.
The active DEM orchestrator needs a strong network connection to the Model Manager host. In large deployments with multiple DEM orchestrators on separate servers, the secondary orchestrators serve as backups by monitoring the active DEM orchestrator, and provide redundancy and failover if a problem occurs with the active DEM orchestrator. For this kind of failover configuration, you might consider installing the active DEM orchestrator with the active Manager Service host, and secondary DEM orchestrators with the standby Manager Service hosts.
Agents
vRealize Automation IaaS uses agents to integrate with external systems and to manage information among vRealize Automation components.
A common approach is to install vRealize Automation agents on the IaaS Windows server that hosts the active Manager Service, but it is not required. Multiple agents increase capacity and can be installed on the same or separate servers.
Virtualization Proxy Agents
vRealize Automation creates and manages virtual machines on virtualization hosts. Virtualization proxy agents send commands to, and collect data from, vSphere ESX Server, XenServer, and Hyper-V hosts, and the virtual machines provisioned on them.
A virtualization proxy agent has the following characteristics.
- Typically requires administrator privileges on the virtualization platform that it manages.
- Communicates with the IaaS Manager Service.
- Is installed separately and has its own configuration file.
Most vRealize Automation deployments install the vSphere proxy agent. You might install other proxy agents depending on the virtualization resources in use at your site.
Virtual Desktop Integration Agents
Virtual desktop integration (VDI) PowerShell agents allow vRealize Automation to integrate with external virtual desktop systems. VDI agents require administrator privileges on the external systems.
You can register virtual machines provisioned by vRealize Automation with XenDesktop on a Citrix Desktop Delivery Controller (DDC), which allows the user to access the XenDesktop Web interface from vRealize Automation.
External Provisioning Integration Agents
External provisioning integration (EPI) PowerShell agents allow vRealize Automation to integrate external systems into the machine provisioning process.
For example, integration with Citrix Provisioning Server enables provisioning of machines by on-demand disk streaming, and an EPI agent allows you to run Visual Basic scripts as extra steps during the provisioning process.
EPI agents require administrator privileges on the external systems with which they interact.
Windows Management Instrumentation Agent
The vRealize Automation Windows Management Instrumentation (WMI) agent enhances your ability to monitor and control Windows system information, and allows you to manage remote Windows servers from a central location. The WMI agent also enables collection of data from Windows servers that vRealize Automation manages.

Deployment Type

You can install vRealize Automation as a minimal deployment for proof of concept or development work, or in a distributed configuration suitable for medium to large production workloads.
Minimal vRealize Automation Deployments
Minimal deployments include one vRealize Automation appliance and one Windows server that hosts the IaaS components. In a minimal deployment, the vRealize Automation SQL Server database can be on the same IaaS Windows server with the IaaS components, or on a separate Windows server.
Figure 1-1. Minimal vRealize Automation Deployment
NOTE The vRealize Automation documentation includes a complete, sample minimal deployment scenario that walks you through installation and how to start using the product for proof of concept. See Installing and Configuring vRealize Automation for the Rainpole Scenario.
Distributed vRealize Automation Deployments
Distributed, enterprise deployments can be of varying size. A basic distributed deployment might improve vRealize Automation simply by hosting IaaS components on separate Windows servers as shown in the following figure.
Figure 1-2. Distributed vRealize Automation Deployment
Many production deployments go even further, with redundant appliances, redundant servers, and load balancing for even more capacity. Large, distributed deployments provide for better scale, high availability, and disaster recovery. Note that the embedded instance of vRealize Orchestrator is now recommended, but you might see vRealize Automation connected to an external vRealize Orchestrator in older deployments.
Figure 1-3. Large Distributed and Load Balanced vRealize Automation Deployment
For more information about scalability and high availability, see the vRealize Automation Reference Architecture guide.

Choosing Your Installation Method

The consolidated vRealize Automation Installation Wizard is your primary tool for new vRealize Automation installations. Alternatively, you might want to perform the manual, separate installation processes in some cases.
- The Installation Wizard provides a simple and fast way to install, from minimal deployments to distributed enterprise deployments with or without load balancers. Most users run the Installation Wizard.
- You need the manual installation steps if you want to expand a vRealize Automation deployment or if the Installation Wizard stopped for any reason.
  Once you begin a manual installation, you cannot go back and run the Installation Wizard.

Chapter 2 Preparing for vRealize Automation Installation

System Administrators install vRealize Automation into their existing virtualization environments. Before you begin an installation, prepare the deployment environment to meet system requirements.
This chapter includes the following topics:
- Host Names and IP Addresses
- Hardware and Virtual Machine Requirements
- Browser Considerations
- Password Considerations
- Windows Server Requirements
- vRealize Automation Port Requirements
- User Accounts and Credentials Required for Installation
- Security
- Time Synchronization

Host Names and IP Addresses

vRealize Automation requires that you name the hosts in your installation according to certain requirements.
- All vRealize Automation machines in your installation must be able to resolve each other by fully qualified domain name (FQDN).
  While performing the installation, always enter the FQDN when identifying or selecting a machine. Do not enter IP addresses.
- In addition to the FQDN requirement, Windows machines that host the Model Manager Web service, Manager Service, and Microsoft SQL Server database must be able to resolve each other by Windows Internet Name Service (WINS) name.
  Configure your Domain Name System (DNS) to resolve these short WINS host names.
- Preplan domain and machine naming so that vRealize Automation machines will begin and end with alphabet (a-z) or digit (0-9) characters, and will only contain alphabet, digit, or hyphen (-) characters. The underscore character (_) must not appear in the host name or anywhere in the FQDN.
  For more information about allowable names, review the host name specifications from the Internet Engineering Task Force. See www.ietf.org.
- In general, you should expect to keep the host names and FQDNs that you planned for vRealize Automation systems. You can change a vRealize Automation appliance host name after installation, but changing other vRealize Automation host names makes vRealize Automation unusable.
- A best practice is to reserve and use static IP addresses for all vRealize Automation appliances and IaaS Windows servers. vRealize Automation supports DHCP, but static IP addresses are recommended for long-term deployments such as production environments.
- You apply an IP address to the vRealize Automation appliance during OVF or OVA deployment.
- For the IaaS Windows servers, you follow the usual operating system process. Set the IP address before installing vRealize Automation IaaS.
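The naming rules above can be checked against a planned host list before anything is deployed, because most host names cannot be changed afterwards. The following is an added example, not VMware code: the function names, role labels and sample names are constructed, the begin/end rule is applied to every DNS label, and the 15-character short-name limit (from NetBIOS) and the duplicate short-name check are assumptions that go beyond the text.

```python
import ipaddress
import re

# Roles that, per the section above, must also resolve each other by short
# (WINS) name. The role labels are names chosen for this example.
WINS_ROLES = {"model-manager-web", "manager-service", "sql-server"}
NETBIOS_MAX = 15  # usable characters in a NetBIOS/WINS name (assumption, not from the page)


def check_fqdn(name):
    """Return the list of naming-rule violations for one planned machine name."""
    candidate = name.strip().lower().rstrip(".")  # DNS names are case-insensitive
    try:
        ipaddress.ip_address(candidate)
        return ["IP address given; the installer expects an FQDN"]
    except ValueError:
        pass  # not an IP literal, keep checking it as a name

    problems = []
    if "_" in candidate:
        problems.append("underscore is not allowed anywhere in the FQDN")
    if len(candidate) > 253:
        problems.append("FQDN exceeds 253 characters")
    labels = candidate.split(".")
    if len(labels) < 2:
        problems.append("not fully qualified: no domain part")
    for label in labels:
        if not label:
            problems.append("empty label")
        elif len(label) > 63:
            problems.append(f"label '{label[:12]}...' exceeds 63 characters")
        elif label[0] == "-" or label[-1] == "-":
            problems.append(f"label '{label}' begins or ends with a hyphen")
        elif re.search(r"[^a-z0-9_-]", label):
            problems.append(f"label '{label}' has a character outside a-z, 0-9, hyphen")
    return problems


def check_plan(machines):
    """machines: iterable of (fqdn, role). Returns {fqdn: [problems]} for failures only."""
    report = {}
    short_names = {}  # short name -> first FQDN that claimed it
    for fqdn, role in machines:
        problems = check_fqdn(fqdn)
        if role in WINS_ROLES and not problems:
            short = fqdn.lower().split(".")[0]
            if len(short) > NETBIOS_MAX:
                problems.append(f"short name '{short}' exceeds {NETBIOS_MAX} characters")
            if short in short_names:
                problems.append(
                    f"short (WINS) name '{short}' is also used by {short_names[short]}"
                )
            short_names.setdefault(short, fqdn)
        if problems:
            report[fqdn] = problems
    return report


# Constructed sample plan: two valid names and four that break a rule.
SAMPLE_PLAN = [
    ("vra-va01.corp.example", "appliance"),
    ("iaas-web01.corp.example", "model-manager-web"),
    ("iaas_mgr01.corp.example", "manager-service"),
    ("10.20.30.40", "sql-server"),
    ("iaas-dem01-.corp.example", "dem-worker"),
    ("iaas-web01.lab.example", "sql-server"),
]

if __name__ == "__main__":
    for fqdn, problems in check_plan(SAMPLE_PLAN).items():
        print(f"{fqdn}: {'; '.join(problems)}")
```

The check covers naming only; whether each name actually resolves still has to be tested from every machine in the deployment.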

Hardware and Virtual Machine Requirements

Your deployment must meet minimum system resources to install virtual appliances and minimum hardware requirements to install IaaS components on the Windows Server.
For operating system and high-level environment requirements, including information about supported browsers and operating systems, see the vRealize Automation Support Matrix.
The Hardware Requirements table shows the minimum configuration requirements for deployment of virtual appliances and installation of IaaS components. Appliances are pre-configured virtual machines that you add to your vCenter Server or ESXi inventory. IaaS components are installed on physical or virtual Windows 2008 R2 SP1, or Windows 2012 R2 servers.
An Active Directory is considered small when there are up to 25,000 users in the OU to be synced in the ID Store configuration. An Active Directory is considered large when there are more than 25,000 users in the OU.
Table 2-1. Hardware Requirements
Component                                                   CPUs  Memory  Disk storage
vRealize Automation appliance for Small Active Directories  4     18 GB   60 GB
vRealize Automation appliance for Large Active Directories  4     22 GB   60 GB
IaaS Components (Windows Server)                            2     8 GB    30 GB
IaaS Components: Additional resources are required when you include an SQL Server on a Windows host.

Browser Considerations

Some restrictions exist for browser use with vRealize Automation.
- Multiple browser windows and tabs are not supported. vRealize Automation supports one session per user.
- VMware Remote Consoles provisioned on vSphere support a subset of vRealize Automation-supported browsers.
For operating system and high-level environment requirements, including information about supported browsers and operating systems, see the vRealize Automation Support Matrix.

Password Considerations

Character restrictions apply to some passwords.
The VMware vRealize™ Automation administrator password cannot contain a trailing "=" character. Such passwords are accepted when you assign them, but result in errors when you perform operations such as saving endpoints.

Windows Server Requirements

The virtual or physical Windows machine that hosts the IaaS components must meet configuration requirements for the IaaS database, the IaaS server components, the IaaS Manager Service, and Distributed Execution Managers.
The Installation Wizard runs a vRealize Automation prerequisite checker on all IaaS Windows servers to ensure that they meet the configuration necessary for installation. In addition to the prerequisite checker, address the following prerequisites separately.
- As a best practice, place all IaaS Windows servers in the same domain.
- Create or identify a domain account to use for installation, one that has administrator privileges on all IaaS Windows servers.

IaaS Database Server Requirements

The Windows server that hosts the vRealize Automation IaaS SQL Server database must meet certain prerequisites.
The requirements apply whether you run the Installation Wizard or the legacy setup_vrealize-automation-appliance-URL.exe installer and select the database role for installation. The prerequisites also apply if you separately create an empty SQL Server database for use with IaaS.
- Use a supported SQL Server version from the vRealize Automation Support Matrix.
- Enable TCP/IP protocol for SQL Server.
- Enable the Distributed Transaction Coordinator (DTC) service on all IaaS Windows servers and the machine that hosts SQL Server. IaaS uses DTC for database transactions and actions such as workflow creation.
  NOTE If you clone a machine to make an IaaS Windows server, install DTC on the clone after cloning. If you clone a machine that already has DTC, its unique identifier is copied to the clone, which causes communication to fail. See “Error in Manager Service Communication,” on page 143.
  For more about DTC enablement, see VMware Knowledge Base article 2038943.
- Open ports between all IaaS Windows servers and the machine that hosts SQL Server. See “vRealize Automation Port Requirements,” on page 26.
  Alternatively, if site policies allow, you may disable firewalls between IaaS Windows servers and SQL Server.
- This release of vRealize Automation does not support SQL Server 2016 130 compatibility mode. If you separately create an empty SQL Server 2016 database for use with IaaS, use 100 or 120 compatibility mode.
  If you create the database through a vRealize Automation installer, compatibility is already configured.
- AlwaysOn Availability Group (AAG) is only supported with SQL Server 2016.

IaaS Web Service and Model Manager Server Requirements

Your environment must meet software and configuration prerequisites that support installation of the IaaS server components.
Environment and Database Requirements for IaaS
Your host configuration and MS SQL database must meet the following requirements.
Table 2-2. IaaS Requirements
Area: Host Configuration
Requirements: The following components must be installed on the host before installing IaaS:
- Microsoft .NET Framework 4.5.2 or later.
- Microsoft PowerShell 2.0 (included with Windows Server 2008 R2 SP1 and later) or Microsoft PowerShell 3.0 on Windows Server 2012 R2.
- Microsoft Internet Information Services 7.5.
- Java must be installed on the machine running the primary Web component to support deployment of the MS SQL database during installation.
Area: Microsoft SQL Database Requirements
Requirements: The SQL database can reside on one of your IaaS Windows servers, or a separate host.
If the SQL database is on one of your IaaS Windows servers, configure the following Java requirements.
- Install 64-bit Java 1.8 or later. Do not use 32-bit.
- Set the JAVA_HOME environment variable to the Java installation folder.
- Verify that %JAVA_HOME%\bin\java.exe is available.
Microsoft Internet Information Services Requirements
Congure Internet Information Services (IIS) to meet the following requirements.
In addition to the conguration seings, avoid hosting additional Web sites in IIS on the IaaS Web server host. vRealize Automation sets the binding on its communication port to all unassigned IP addresses, making no additional bindings possible. The default vRealize Automation communication port is 443.
22 VMware, Inc.
Chapter 2 Preparing for vRealize Automation Installation
Table 23. Required Configuration for Microsoft Internet Information Services
IIS Component Setting
Internet Information Services (IIS) modules installed
IIS Authentication seings
IIS Windows Process Activation Service roles
WindowsAuthentication
n
StaticContent
n
DefaultDocument
n
ASPNET 4.5
n
ISAPIExtensions
n
ISAPIFilter
n
Windows Authentication enabled
n
AnonymousAuthentication disabled
n
Negotiate Provider enabled
n
NTLM Provider enabled
n
Windows Authentication Kernel Mode enabled
n
Windows Authentication Extended Protection disabled
n
For certicates using SHA512, TLS1.2 must be disabled on Windows
n
2012 or Windows 2012 R2 servers
CongurationApi
n
NetEnvironment
n
ProcessModel
n
WcfActivation (Windows 2008 only)
n
HpActivation
n
NonHpActivation
n

IaaS Manager Service

Your environment must meet some general requirements that support the installation of the IaaS Manager Service.
- Microsoft .NET Framework 4.5.2 is installed.
- Microsoft PowerShell 2.0, 3.0, or 4.0. Some vRealize Automation upgrades or migrations might require you to install an older or newer PowerShell version, in addition to the one that you are currently running.
- SecondaryLogOnService is running.
- No firewalls can exist between DEM host and Windows Server. For port information, see “vRealize Automation Port Requirements,” on page 26.
- IIS is installed and configured.

Distributed Execution Manager Requirements

Your environment must meet some general requirements that support the installation of Distributed Execution Managers (DEMs).
- Microsoft .NET Framework 4.5.2 is installed.
- Microsoft PowerShell 2.0, 3.0, or 4.0. Some vRealize Automation upgrades or migrations might require you to install an older or newer PowerShell version, in addition to the one that you are currently running.
- SecondaryLogOnService is running.
- No firewalls between DEM host and the Windows server, or ports opened as described in “vRealize Automation Port Requirements,” on page 26.
Servers that host DEM Worker instances might have additional requirements depending on the provisioning resources that they interact with.
Amazon Web Services EC2 Requirements
A vRealize Automation IaaS Windows server communicates with and collects data from an Amazon EC2 account.
When you use Amazon Web Services (AWS) for provisioning, the IaaS Windows servers that host the DEM workers must meet the following requirements.
- DEM worker hosts must have Internet access.
- If the DEM worker hosts are behind a firewall, HTTPS traffic must be allowed to and from aws.amazon.com as well as the URLs for EC2 regions that your AWS accounts have access to, such as ec2.us-east-1.amazonaws.com for the US East region.
  Each URL resolves to a range of IP addresses, so you might need to use a tool, such as the one available from the Network Solutions Web site, to list and configure these IP addresses.
- If the DEM worker hosts reach the Internet through a proxy server, the DEM service must be running under credentials that can authenticate to the proxy server.
Openstack and PowerVC Requirements
The machines on which you install your DEMs must meet certain requirements to communicate with and collect data from your Openstack or PowerVC instance.
Table 2‑4. DEM Host Requirements

Your Installation: All
Requirements: In Windows Registry, enable TLS v1.2 support for .NET framework. For example:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
    "SchUseStrongCrypto"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
    "SchUseStrongCrypto"=dword:00000001

Your Installation: Windows 2008 DEM Host
Requirements: In Windows Registry, enable TLS v1.2 protocol. For example:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
    "DisabledByDefault"=dword:00000000
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
    "DisabledByDefault"=dword:00000000
    "Enabled"=dword:00000001

Your Installation: Self-signed certificates on your infrastructure endpoint host
Requirements: If your PowerVC or Openstack instance is not using trusted certificates, import the SSL certificate from your PowerVC or Openstack instance into the Trusted Root Certificate Authorities store on each IaaS Windows server where you intend to install a vRealize Automation DEM.
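The registry values in the DEM host requirements table above can be checked before the DEM is installed. The following is an added example, not part of the original manual or VMware tooling; the function name Test-DemTlsRegistry and its -IncludeSchannel switch are hypothetical.

```powershell
# Added example: verify the TLS 1.2 registry values listed in the DEM host
# requirements table. Test-DemTlsRegistry is a hypothetical helper name.
function Test-DemTlsRegistry {
    param(
        # Set on a Windows 2008 DEM host, which also needs the SCHANNEL keys.
        [switch]$IncludeSchannel
    )

    # Key path, value name, and expected DWORD, taken from the table above.
    $checks = @(
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
           Name = 'SchUseStrongCrypto'; Want = 1 },
        @{ Path = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
           Name = 'SchUseStrongCrypto'; Want = 1 }
    )
    if ($IncludeSchannel) {
        $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
        foreach ($role in 'Client', 'Server') {
            $checks += @{ Path = "$base\$role"; Name = 'DisabledByDefault'; Want = 0 }
            $checks += @{ Path = "$base\$role"; Name = 'Enabled'; Want = 1 }
        }
    }

    foreach ($c in $checks) {
        # A missing key or value yields $null instead of a terminating error.
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $actual = if ($item) { $item.($c.Name) } else { $null }
        New-Object PSObject -Property @{
            Path     = $c.Path
            Name     = $c.Name
            Expected = $c.Want
            Actual   = $actual
            # Compare against $null explicitly because an expected value of 0 is falsy.
            Ok       = ($null -ne $actual -and $actual -eq $c.Want)
        }
    }
}

# Report every value that is missing or differs from the documented setting.
Test-DemTlsRegistry -IncludeSchannel | Where-Object { -not $_.Ok } |
    Format-Table Name, Expected, Actual, Path -AutoSize
```

An empty result means every checked value matches the table. Omit -IncludeSchannel on hosts other than Windows 2008.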
Red Hat Enterprise Virtualization KVM (RHEV) Requirements
When you use Red Hat Enterprise Virtualization for provisioning, the IaaS Windows server communicates with and collects data from that account.
Your environment must meet the following Red Hat Enterprise requirements.
- Each KVM (RHEV) environment must be joined to the domain containing the IaaS server.
- The credentials used to manage the endpoint representing a KVM (RHEV) environment must have Administrator privileges on the RHEV environment. These credentials must also have sufficient privileges to create objects on the hosts within the environment.
SCVMM Requirements
A DEM Worker that manages virtual machines through SCVMM must be installed on a host where the SCVMM console is already installed.
A best practice is to install the SCVMM console on a separate DEM Worker machine. In addition, verify that the following requirements have been met.
- The DEM worker must have access to the SCVMM PowerShell module installed with the console.
- The PowerShell Execution Policy must be set to RemoteSigned or Unrestricted.
  To verify the PowerShell Execution Policy, enter one of the following commands at the PowerShell command prompt.
      help about_signing
      help Set-ExecutionPolicy
- If all DEM Workers within the instance are not on machines that meet these requirements, use Skill commands to direct SCVMM-related workflows to DEM Workers that are.
The following additional requirements apply to SCVMM.
- This release supports SCVMM 2012 R2, which requires PowerShell 3 or later.
- Install the SCVMM console before you install vRealize Automation DEM Workers that consume SCVMM work items.
  If you install the DEM Worker before the SCVMM console, you see log errors similar to the following example.
      Workflow 'ScvmmEndpointDataCollection' failed with the following exception: The term 'Get-VMMServer' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
  To correct the problem, verify that the SCVMM console is installed, and restart the DEM Worker service.
- Each SCVMM instance must be joined to the domain containing the server.
- The credentials used to manage the endpoint representing an SCVMM instance must have administrator privileges on the SCVMM server.
  The credentials must also have administrator privileges on the Hyper-V servers within the instance.
- Hyper-V servers within an SCVMM instance to be managed must be Windows 2008 R2 SP1 Servers with Hyper-V installed. The processor must be equipped with the necessary virtualization extensions. .NET Framework 4.5.2 or later must be installed and Windows Management Instrumentation (WMI) must be enabled.
- To provision machines on an SCVMM resource, you must add a user in at least one security role within the SCVMM instance.
- To provision a Generation-2 machine on an SCVMM 2012 R2 resource, you must add the following properties in the blueprint.
      Scvmm.Generation2 = true
      Hyperv.Network.Type = synthetic
  Generation-2 blueprints should have an existing data-collected virtualHardDisk (vHDX) in the blueprint build information page. Having it blank causes Generation-2 provisioning to fail.
For more information, see “Configure the DEM to Connect to SCVMM at a Different Installation Path,” on page 94.
For additional information about preparing your SCVMM environment, see Configuring vRealize Automation.
vRealize Automation Port Requirements
vRealize Automation uses designated ports for communication and data access.
Although vRealize Automation uses only port 443 for communication, there might be other ports to open on the system. Because open, unsecured ports might present security vulnerabilities, verify that only ports required by your business applications are open.
vRealize Automation Appliance
The following ports are used by the vRealize Automation appliance.
Table 2‑5. Incoming Ports for the vRealize Automation appliance

| Port | Protocol | Comments |
|---|---|---|
| 22 | TCP | Optional. Access for SSH sessions |
| 80 | TCP | Optional. Redirects to 443 |
| 111 | TCP, UDP | RPC |
| 443 | TCP | Access to the vRealize Automation console and API calls |
| 443 | TCP | Access for machines to download the guest agent and software bootstrap agent |
| 5480 | TCP | Access to the virtual appliance Web management interface |
| 5480 | TCP | Used by the Management Agent |
| 5488, 5489 | TCP | Internally used by the vRealize Automation appliance for updates |
| 4369, 25672, 5671, 5672 | TCP | RabbitMQ messaging |
| 8230, 8280, 8281 | TCP | Internal vRealize Orchestrator instance. |
| 8444 | TCP | Console proxy communication for vSphere VMware Remote Console connections. |
Table 2‑6. Outgoing Ports for the vRealize Automation appliance

| Port | Protocol | Comments |
|---|---|---|
| 25, 587 | TCP, UDP | SMTP for sending outbound notification emails |
| 53 | TCP, UDP | DNS |
| 67, 68, 546, 547 | TCP, UDP | DHCP |
| 80 | TCP | Optional. For fetching software updates. Updates can be downloaded separately and applied |
| 110, 995 | TCP, UDP | POP for receiving inbound notification emails |
| 143, 993 | TCP, UDP | IMAP for receiving inbound notification emails |
| 123 | TCP, UDP | Optional. For connecting directly to NTP instead of using host time |
| 443 | TCP | Communication with IaaS Manager Service and infrastructure endpoint hosts over HTTPS |
| 443 | TCP | Communication with the software bootstrap agent over HTTPS |
| 902 | TCP | ESXi network file copy operations and VMware Remote Console connections. |
| 5050 | TCP | Optional. For communicating with vRealize Business. |
| 5432 | TCP, UDP | Optional. For communicating with an Appliance Database |
| 8281 | TCP | Optional. For communicating with an external vRealize Orchestrator instance |
Other ports might be required by specific vRealize Orchestrator plug-ins that communicate with external systems. See the documentation for the vRealize Orchestrator plug-in.
Infrastructure as a Service
The ports in the tables Incoming Ports for Infrastructure as a Service Components and Outgoing Ports for Infrastructure as a Service must be available for use by the IaaS Windows Server.
Table 2‑7. Incoming Ports for Infrastructure as a Service Components

| Component | Port | Protocol | Comments |
|---|---|---|---|
| Manager Service | 443 | TCP | Communication with IaaS components and vRealize Automation appliance over HTTPS |
| vRealize Automation appliance | 443 | TCP | Communication with IaaS components and vRealize Automation appliance over HTTPS |
| Infrastructure Endpoint Hosts | 443 | TCP | Communication with IaaS components and vRealize Automation appliance over HTTPS. Typically, 443 is the default communication port for virtual and cloud infrastructure endpoint hosts, but refer to the documentation provided by your infrastructure hosts for a full list of default and required ports |
| SQL Server instance | 1433 | TCP | MSSQL |

Table 2‑8. Outgoing Ports for Infrastructure as a Service Components

| Component | Port | Protocol | Comments |
|---|---|---|---|
| All | 53 | TCP, UDP | DNS |
| All | 67, 68, 546, 547 | TCP, UDP | DHCP |
| All | 123 | TCP, UDP | Optional. NTP |
| Manager Service | 443 | TCP | Communication with vRealize Automation appliance over HTTPS |
| Distributed Execution Managers | 443 | TCP | Communication with Manager Service over HTTPS |
| Proxy agents | 443 | TCP | Communication with Manager Service and infrastructure endpoint hosts over HTTPS |
| Management Agent | 443 | TCP | Communication with the vRealize Automation appliance |
| Guest agent, Software bootstrap agent | 443 | TCP | Communication with Manager Service over HTTPS |
| Manager Service, Website | 1433 | TCP | MSSQL |
| All | 5480 | TCP | Communication with the vRealize Automation appliance. |
Microsoft Distributed Transaction Coordinator Service
In addition to verifying that the ports listed in the previous tables are free for use, you must enable Microsoft Distributed Transaction Coordinator Service (MS DTC) communication between all servers in the deployment. MS DTC requires the use of port 135 over TCP and a random port between 1024 and 65535.
The Prerequisite Checker validates whether MS DTC is running and that the required ports are open.
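To act on the advice that only required ports stay open, the TCP listeners on an IaaS Windows server can be compared with the incoming IaaS ports and the MS DTC port listed above. The following is an added example, not part of the original manual or the Prerequisite Checker; the function name Get-IaasUnexpectedListener and its parameters are hypothetical, and it assumes Windows Server 2012 or later, where Get-NetTCPConnection is available.

```powershell
# Added example: list TCP listeners that are not among the incoming ports this
# section documents for an IaaS Windows server. Hypothetical helper name.
function Get-IaasUnexpectedListener {
    param(
        # 443: IaaS HTTPS, 1433: SQL Server instance, 135: MS DTC over TCP.
        [int[]]$DocumentedPorts = @(443, 1433, 135),
        # MS DTC also uses a random port between 1024 and 65535, so listeners
        # owned by these processes are treated as expected.
        [string[]]$DynamicPortProcesses = @('msdtc')
    )

    Get-NetTCPConnection -State Listen |
        # Loopback-only listeners are not reachable from the network.
        Where-Object { $_.LocalAddress -notin '127.0.0.1', '::1' } |
        Sort-Object LocalPort -Unique |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $name = if ($proc) { $proc.ProcessName } else { 'unknown' }
            if ($_.LocalPort -notin $DocumentedPorts -and
                $name -notin $DynamicPortProcesses) {
                New-Object PSObject -Property @{
                    Port      = $_.LocalPort
                    Address   = $_.LocalAddress
                    Process   = $name
                    ProcessId = $_.OwningProcess
                }
            }
        }
}

# Review each row: keep the port open only if a business application needs it.
Get-IaasUnexpectedListener | Sort-Object Port |
    Format-Table Port, Address, Process, ProcessId -AutoSize
```

Windows itself listens on ports that this section does not cover, so rows in the output are items to review, not automatically findings.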

User Accounts and Credentials Required for Installation

You must verify that you have the roles and credentials to install vRealize Automation components.
vCenter Service Account
If you plan to use a vSphere endpoint, you need a domain or local account that has the appropriate level of access configured in vCenter.
Virtual Appliance Installation
To deploy the vRealize Automation appliance, you must have the appropriate privileges on the deployment platform (for example, vSphere administrator credentials).
During the deployment process, you specify the password for the virtual appliance administrator account. This account provides access to the vRealize Automation appliance management console from which you configure and administer the virtual appliances.
IaaS Installation
Before installing IaaS components, add the user under which you plan to execute the IaaS installation programs to the Administrator group on the installation host.
IaaS Database Credentials
You can create the database during product installation or create it manually in the SQL server.
When you create or populate an MS SQL database through vRealize Automation, either with the Installation Wizard or through the management console, the following requirements apply:
- If you use the Use Windows Authentication option, the sysadmin role in SQL Server must be granted to the user executing the Management Agent on the primary IaaS web server to create and alter the size of the database.
- If you do not select Use Windows Authentication, the sysadmin role in SQL Server must also be granted to the user executing the Management Agent on the primary IaaS web server. The credentials are used at runtime.
- If you populate a pre-created database through vRealize Automation, the user credentials you provide (either the current Windows user or the specified SQL user) need only dbo privileges for the IaaS database.

NOTE: vRealize Automation users also require the correct level of Windows authentication access to log in and use vRealize Automation.
IaaS Service User Credentials
IaaS installs several Windows services that share a single service user.
The following requirements apply to the service user for IaaS services:
- The user must be a domain user.
- The user must have local Administrator privileges on all hosts on which the Manager Service or Web site component is installed. Do not do a workgroup installation.
- The user is configured with Log on as a service privileges. This privilege ensures that the Manager Service starts and generates log files.
- The user must have dbo privileges for the IaaS database. If you use the installer to create the database, ensure that the service user login is added to SQL Server prior to running the installer. The installer grants the service user dbo privileges after creating the database.
- The installer is run under the account that runs the Management Agent on the primary Web server. If you want to use the installer to create an MS SQL database during installation, you must have the sysadmin role enabled under MS SQL. This is not a requirement if you choose to use a pre-created empty database.
- The domain user account that you plan to use as the IIS application pool identity for the Model Manager Web Service is configured with Log on as batch job privileges.
Model Manager Server Specifications
Specify the Model Manager server name by using a fully qualified domain name (FQDN). Do not use an IP address to specify the server.

Security

vRealize Automation uses SSL to ensure secure communication among components. Passphrases are used for secure database storage.
For more information, see “Certificate Trust Requirements in a Distributed Deployment,” on page 63.

Certificates

vRealize Automation uses SSL certicates for secure communication among IaaS components and instances of the vRealize Automation appliance. The appliances and the Windows installation machines exchange these certicates to establish a trusted connection. You can obtain certicates from an internal or external certicate authority, or generate self-signed certicates during the deployment process for each component.
For important information about troubleshooting, support, and trust requirements for certicates, see
VMware Knowledge Base article 2106583.
You can update or replace certicates after deployment. For example, a certicate may expire or you may choose to use self-signed certicates during your initial deployment, but then obtain certicates from a trusted authority before going live with your vRealize Automation implementation.
Table 2‑9. Certificate Implementations

| Component | Minimal Deployment (non-production) | Distributed Deployment (production-ready) |
|---|---|---|
| vRealize Automation Appliance | Generate a self-signed certificate during appliance configuration. | For each appliance cluster, you can use a certificate from an internal or external certificate authority. Multi-use and wildcard certificates are supported. |
| IaaS Components | During installation, accept the generated self-signed certificates or select certificate suppression. | Obtain a multi-use certificate, such as a Subject Alternative Name (SAN) certificate, from an internal or external certificate authority that your Web client trusts. |
Certificate Chains
If you use certicate chains, specify the certicates in the following order.
Client/server certicate signed by the intermediate CA certicate
n
One or more intermediate certicates
n
A root CA certicate
n
Include the BEGIN CERTIFICATE header and END CERTIFICATE footer for each certicate when you import certicates.
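The chain order described above can be checked on a PEM bundle before it is imported. The following is an added example, not part of the original manual or VMware tooling; the function name Test-PemChainOrder and the file name in the usage comment are hypothetical. It compares issuer and subject names only and does not verify signatures, validity dates, or revocation.

```powershell
# Added example: check that a PEM bundle is ordered server certificate,
# intermediate certificates, root CA. Test-PemChainOrder is a hypothetical name.
function Test-PemChainOrder {
    param([Parameter(Mandatory = $true)][string]$Path)

    $text = [System.IO.File]::ReadAllText((Resolve-Path $Path).ProviderPath)
    # Each certificate must keep its BEGIN CERTIFICATE header and END CERTIFICATE footer.
    $pattern = '-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----'
    $blocks = [regex]::Matches($text, $pattern, 'Singleline')
    if ($blocks.Count -eq 0) {
        throw "No complete BEGIN/END CERTIFICATE block found in $Path"
    }

    $certs = @(foreach ($b in $blocks) {
        $der = [Convert]::FromBase64String(($b.Groups[1].Value -replace '\s', ''))
        # The unary comma passes the byte array as a single constructor argument.
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (, $der)
    })

    $problems = @()
    # Every certificate except the last must be issued by the one that follows it.
    for ($i = 0; $i -lt $certs.Count - 1; $i++) {
        if ($certs[$i].Issuer -ne $certs[$i + 1].Subject) {
            $problems += "Certificate $($i + 1) names issuer '$($certs[$i].Issuer)' " +
                         "but certificate $($i + 2) is '$($certs[$i + 1].Subject)'"
        }
    }
    # In a multi-certificate chain the last entry should be the self-issued root CA.
    $last = $certs[$certs.Count - 1]
    if ($certs.Count -gt 1 -and $last.Issuer -ne $last.Subject) {
        $problems += "Last certificate '$($last.Subject)' is not self-issued; " +
                     "the root CA is missing or out of place"
    }

    New-Object PSObject -Property @{
        Count    = $certs.Count
        Subjects = @($certs | ForEach-Object { $_.Subject })
        InOrder  = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Usage (chain.pem is a placeholder file name):
#   Test-PemChainOrder -Path .\chain.pem | Format-List
```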

Extracting Certificates and Private Keys

Certicates that you use with the virtual appliances must be in the PEM le format.
The examples in the following table use Gnu openssl commands to extract the certicate information you need to congure the virtual appliances.