This document supports the version of each product listed and
supports all subsequent versions until the document is
replaced by a new edition. To check for more recent editions of
this document, see http://www.vmware.com/support/pubs.
EN-002325-02
Installing vRealize Automation
You can find the most up-to-date technical documentation on the VMware Web site at:
http://www.vmware.com/support/
The VMware Web site also provides the latest product updates.
If you have comments about this documentation, submit your feedback to:
VMware, Inc.
vRealize Automation Installation
vRealize Automation Installation explains how to install VMware vRealize™ Automation.
NOTE Not all features and capabilities of vRealize Automation are available in all editions. For a
comparison of feature sets in each edition, see https://www.vmware.com/products/vrealize-automation/.
Intended Audience
This information is intended for experienced Windows or Linux system administrators who are familiar
with virtual machine technology and data center operations.
VMware Technical Publications Glossary
VMware Technical Publications provides a glossary of terms that might be unfamiliar to you. For definitions
of terms as they are used in VMware technical documentation, go to
http://www.vmware.com/support/pubs.
Updated Information
The following table lists the changes to Installing vRealize Automation for this product release.
Revision | Description
EN-002325-02 | Added another restart in “Change the Master vRealize Automation Appliance Host Name,” on page 122 and “Change a Replica vRealize Automation Appliance Host Name,” on page 123. Added “Cannot Downgrade vRealize Automation Licenses,” on page 134.
EN-002325-01 | Added Configure a Datastore Cluster permission to “vSphere Agent Requirements,” on page 99.
EN-002325-00 | Initial document release.
Chapter 1 vRealize Automation Installation Overview
You can install vRealize Automation through different means, each with varying levels of interactivity.
To install, you deploy a vRealize Automation appliance and then complete the bulk of the installation using
one of the following options:
- A consolidated, browser-based Installation Wizard
- Separate browser-based appliance configuration, and separate Windows installations for IaaS server components
- A command line based, silent installer that accepts input from an answer properties file
- An installation REST API that accepts JSON formatted input
After installation, you start using vRealize Automation by customizing the environment and configuring
one or more tenants, which sets up access to self-service provisioning and life-cycle management of cloud
services.
If you installed earlier versions of vRealize Automation, note the following changes before you begin.
- This release of vRealize Automation introduces an installation API that uses a JSON formatted version of the silent installation settings.
  See “The vRealize Automation Installation API,” on page 151.
- This release supports the changing of vRealize Automation appliance host names.
  See “Change the Master vRealize Automation Appliance Host Name,” on page 122.
- This release of the vRealize Automation Installation Wizard introduces a post-installation option to migrate data from an older deployment.
This chapter includes the following topics:
- “vRealize Automation Installation Components”
- “Deployment Type”
- “Choosing Your Installation Method”
vRealize Automation Installation Components
A typical vRealize Automation installation consists of a vRealize Automation appliance and one or more
Windows servers that, taken together, provide vRealize Automation Infrastructure as a Service (IaaS).
The vRealize Automation Appliance
The vRealize Automation appliance is a preconfigured Linux virtual appliance. The vRealize Automation
appliance is delivered as an open virtualization file that you deploy on existing virtualized infrastructure
such as vSphere.
The vRealize Automation appliance performs several functions central to vRealize Automation.
- The appliance contains the server that hosts the vRealize Automation product portal, where users log in to access self-service provisioning and management of cloud services.
- The appliance manages single sign-on (SSO) for user authorization and authentication.
- The appliance server hosts a management interface for vRealize Automation appliance settings.
- The appliance includes a preconfigured PostgreSQL database used for internal vRealize Automation appliance operations.
  In large deployments with redundant appliances, the secondary appliance databases serve as replicas to provide high availability.
- The appliance includes a preconfigured instance of vRealize Orchestrator. vRealize Automation uses vRealize Orchestrator workflows and actions to extend its capabilities.
  The embedded instance of vRealize Orchestrator is now recommended. In older deployments or special cases, however, users might connect vRealize Automation to an external vRealize Orchestrator instead.
- The appliance contains the downloadable Management Agent installer. All Windows servers that make up your vRealize Automation IaaS must install the Management Agent.
  The Management Agent registers IaaS Windows servers with the vRealize Automation appliance, automates the installation and management of IaaS components, and collects support and telemetry information.
Infrastructure as a Service
vRealize Automation IaaS consists of one or more Windows servers that work together to model and
provision systems in private, public, or hybrid cloud infrastructures.
You install vRealize Automation IaaS components on one or more virtual or physical Windows servers.
After installation, IaaS operations appear under the Infrastructure tab in the product interface.
IaaS consists of the following components, which can be installed together or separately, depending on
deployment size.
Web Server
The IaaS Web server provides infrastructure administration and service authoring to the
vRealize Automation product interface. The Web server component communicates with the Manager
Service, which provides updates from the Distributed Execution Manager (DEM), SQL Server database, and
agents.
Model Manager
vRealize Automation uses models to facilitate integration with external systems and databases. The models
implement business logic used by the DEM.
The Model Manager provides services and utilities for persisting, versioning, securing, and distributing
model elements. Model Manager is hosted on one of the IaaS Web servers and communicates with DEMs,
the SQL Server database, and the product interface Web site.
Manager Service
The Manager Service is a Windows service that coordinates communication between IaaS DEMs, the SQL
Server database, agents, and SMTP.
IaaS requires that only one Windows machine actively run the Manager Service. For backup or high
availability, you may deploy additional Windows machines where you manually start the Manager Service
if the active service stops.
IMPORTANT Simultaneously running an active Manager Service on multiple IaaS Windows servers makes
vRealize Automation unusable.
The Manager Service communicates with the Web server through the Model Manager and must be run
under a domain account with administrator privileges on all IaaS Windows servers.
SQL Server Database
IaaS uses a Microsoft SQL Server database to maintain information about the machines it manages, plus its
own elements and policies. Most users allow vRealize Automation to create the database during installation.
Alternatively, you may create the database separately if site policies require it.
Distributed Execution Manager
The IaaS DEM component runs the business logic of custom models, interacting with the IaaS SQL Server
database, and with external databases and systems. A common approach is to install DEMs on the IaaS
Windows server that hosts the active Manager Service, but it is not required.
Each DEM instance acts as a worker or orchestrator. The roles can be installed on the same or separate
servers.
DEM Worker—A DEM worker has one function, to run workflows. Multiple DEM workers increase capacity
and can be installed on the same or separate servers.
DEM Orchestrator—A DEM orchestrator performs the following oversight functions.
- Monitors DEM workers. If a worker stops or loses its connection to Model Manager, the DEM orchestrator moves the workflows to another DEM worker.
- Schedules workflows by creating new workflow instances at the scheduled time.
- Ensures that only one instance of a scheduled workflow is running at a given time.
- Preprocesses workflows before they run. Preprocessing includes checking preconditions for workflows and creating the workflow execution history.
The active DEM orchestrator needs a strong network connection to the Model Manager host. In large
deployments with multiple DEM orchestrators on separate servers, the secondary orchestrators serve as
backups by monitoring the active DEM orchestrator, and provide redundancy and failover if a problem
occurs with the active DEM orchestrator. For this kind of failover configuration, you might consider
installing the active DEM orchestrator with the active Manager Service host, and secondary DEM
orchestrators with the standby Manager Service hosts.
Agents
vRealize Automation IaaS uses agents to integrate with external systems and to manage information among
vRealize Automation components.
A common approach is to install vRealize Automation agents on the IaaS Windows server that hosts the
active Manager Service, but it is not required. Multiple agents increase capacity and can be installed on the
same or separate servers.
Virtualization Proxy Agents
vRealize Automation creates and manages virtual machines on virtualization hosts. Virtualization proxy
agents send commands to, and collect data from, vSphere ESX Server, XenServer, and Hyper-V hosts, and
the virtual machines provisioned on them.
A virtualization proxy agent has the following characteristics.
- Typically requires administrator privileges on the virtualization platform that it manages.
- Communicates with the IaaS Manager Service.
- Is installed separately and has its own configuration file.
Most vRealize Automation deployments install the vSphere proxy agent. You might install other proxy
agents depending on the virtualization resources in use at your site.
Virtual Desktop Integration Agents
Virtual desktop integration (VDI) PowerShell agents allow vRealize Automation to integrate with external
virtual desktop systems. VDI agents require administrator privileges on the external systems.
You can register virtual machines provisioned by vRealize Automation with XenDesktop on a Citrix
Desktop Delivery Controller (DDC), which allows the user to access the XenDesktop Web interface from
vRealize Automation.
External Provisioning Integration Agents
External provisioning integration (EPI) PowerShell agents allow vRealize Automation to integrate external
systems into the machine provisioning process.
For example, integration with Citrix Provisioning Server enables provisioning of machines by on-demand
disk streaming, and an EPI agent allows you to run Visual Basic scripts as extra steps during the
provisioning process.
EPI agents require administrator privileges on the external systems with which they interact.
Windows Management Instrumentation Agent
The vRealize Automation Windows Management Instrumentation (WMI) agent enhances your ability to
monitor and control Windows system information, and allows you to manage remote Windows servers
from a central location. The WMI agent also enables collection of data from Windows servers that
vRealize Automation manages.
Deployment Type
You can install vRealize Automation as a minimal deployment for proof of concept or development work, or
in a distributed configuration suitable for medium to large production workloads.
Minimal deployments include one vRealize Automation appliance and one Windows server that hosts the
IaaS components. In a minimal deployment, the vRealize Automation SQL Server database can be on the
same IaaS Windows server with the IaaS components, or on a separate Windows server.
NOTE The vRealize Automation documentation includes a complete, sample minimal deployment scenario
that walks you through installation and how to start using the product for proof of concept. See Installing and Configuring vRealize Automation for the Rainpole Scenario.
Distributed vRealize Automation Deployments
Distributed, enterprise deployments can be of varying size. A basic distributed deployment might improve
vRealize Automation simply by hosting IaaS components on separate Windows servers as shown in the
following figure.
Many production deployments go even further, with redundant appliances, redundant servers, and load
balancing for even more capacity. Large, distributed deployments provide for better scale, high availability,
and disaster recovery. Note that the embedded instance of vRealize Orchestrator is now recommended, but
you might see vRealize Automation connected to an external vRealize Orchestrator in older deployments.
Figure 1‑3. Large Distributed and Load Balanced vRealize Automation Deployment
For more information about scalability and high availability, see the vRealize Automation Reference
Architecture guide.
Choosing Your Installation Method
The consolidated vRealize Automation Installation Wizard is your primary tool for new
vRealize Automation installations. Alternatively, you might want to perform the manual, separate
installation processes in some cases.
- The Installation Wizard provides a simple and fast way to install, from minimal deployments to distributed enterprise deployments with or without load balancers. Most users run the Installation Wizard.
- You need the manual installation steps if you want to expand a vRealize Automation deployment or if the Installation Wizard stopped for any reason.
  Once you begin a manual installation, you cannot go back and run the Installation Wizard.
Chapter 2 Preparing for vRealize Automation Installation
System Administrators install vRealize Automation into their existing virtualization environments. Before
you begin an installation, prepare the deployment environment to meet system requirements.
This chapter includes the following topics:
- “Host Names and IP Addresses”
- “Hardware and Virtual Machine Requirements”
- “Browser Considerations”
- “Password Considerations”
- “Windows Server Requirements”
- “vRealize Automation Port Requirements”
- “User Accounts and Credentials Required for Installation”
- “Security”
- “Time Synchronization”
Host Names and IP Addresses
vRealize Automation requires that you name the hosts in your installation according to certain
requirements.
- All vRealize Automation machines in your installation must be able to resolve each other by fully qualified domain name (FQDN).
  While performing the installation, always enter the FQDN when identifying or selecting a machine. Do not enter IP addresses.
- In addition to the FQDN requirement, Windows machines that host the Model Manager Web service, Manager Service, and Microsoft SQL Server database must be able to resolve each other by Windows Internet Name Service (WINS) name.
  Configure your Domain Name System (DNS) to resolve these short WINS host names.
- Preplan domain and machine naming so that vRealize Automation machines will begin and end with alphabet (a-z) or digit (0-9) characters, and will only contain alphabet, digit, or hyphen (-) characters. The underscore character (_) must not appear in the host name or anywhere in the FQDN.
  For more information about allowable names, review the host name specifications from the Internet Engineering Task Force. See www.ietf.org.
- In general, you should expect to keep the host names and FQDNs that you planned for vRealize Automation systems. You can change a vRealize Automation appliance host name after installation, but changing other vRealize Automation host names makes vRealize Automation unusable.
- A best practice is to reserve and use static IP addresses for all vRealize Automation appliances and IaaS Windows servers. vRealize Automation supports DHCP, but static IP addresses are recommended for long-term deployments such as production environments.
- You apply an IP address to the vRealize Automation appliance during OVF or OVA deployment.
- For the IaaS Windows servers, you follow the usual operating system process. Set the IP address before installing vRealize Automation IaaS.
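An added example, not part of the VMware guide: a Python pre-flight check that applies the naming rules above to a planned list of machines before any host is deployed. The role labels in `WINS_ROLES`, the `example.test` host names, and the 63-, 253- and 15-character limits (taken from DNS and NetBIOS naming, not from this page) are assumptions of the example.

```python
import ipaddress
import re

# A DNS label under the guide's rule: begins and ends with a letter or digit,
# interior characters may also be hyphens. An underscore never matches.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$", re.IGNORECASE)

# Assumed role labels for the machines that must also resolve each other by
# short WINS name (Model Manager Web service, Manager Service, SQL Server).
WINS_ROLES = {"model-manager-web", "manager-service", "sql-server"}

MAX_LABEL = 63     # DNS limit per label (not stated in the guide)
MAX_FQDN = 253     # DNS limit for the whole name (not stated in the guide)
MAX_NETBIOS = 15   # usable length of a NetBIOS/WINS name (not stated in the guide)


def is_ip(value):
    """True when the value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def check_fqdn(name):
    """Return a list of problems with one planned host name; empty means OK."""
    candidate = name.strip().rstrip(".")
    if is_ip(candidate):
        return ["IP address given where the installer expects an FQDN"]
    problems = []
    labels = candidate.split(".")
    if len(labels) < 2:
        problems.append("not fully qualified (no domain part)")
    if len(candidate) > MAX_FQDN:
        problems.append(f"longer than {MAX_FQDN} characters")
    for label in labels:
        if "_" in label:
            problems.append(f"label {label!r} contains an underscore")
        elif len(label) > MAX_LABEL:
            problems.append(f"label {label!r} is longer than {MAX_LABEL} characters")
        elif not LABEL_RE.match(label):
            problems.append(
                f"label {label!r} must begin and end with a letter or digit "
                "and contain only letters, digits, or hyphens"
            )
    return problems


def check_plan(plan):
    """Check a list of (role, fqdn) pairs; return {fqdn: [problems]}."""
    report = {fqdn: check_fqdn(fqdn) for _, fqdn in plan}
    short_names = {}  # short WINS name -> first FQDN that claimed it
    for role, fqdn in plan:
        if role not in WINS_ROLES or is_ip(fqdn):
            continue
        short = fqdn.split(".")[0].lower()
        if len(short) > MAX_NETBIOS:
            report[fqdn].append(
                f"short name {short!r} exceeds {MAX_NETBIOS} characters for WINS"
            )
        # Two machines with the same short name cannot both resolve by WINS.
        owner = short_names.setdefault(short, fqdn)
        if owner != fqdn:
            report[fqdn].append(f"short name {short!r} is already used by {owner}")
    return report


# Constructed sample plan; none of these hosts come from the guide.
SAMPLE_PLAN = [
    ("appliance", "vra-va01.corp.example.test"),
    ("model-manager-web", "vra-web01.corp.example.test"),
    ("manager-service", "vra_mgr01.corp.example.test"),
    ("sql-server", "vra-sql-production01.corp.example.test"),
    ("sql-server", "vra-web01.lab.example.test"),
    ("dem", "10.20.30.40"),
    ("agent", "vra-agent-.corp.example.test"),
]

if __name__ == "__main__":
    for host, problems in check_plan(SAMPLE_PLAN).items():
        print(host, "OK" if not problems else "; ".join(problems))
```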
Hardware and Virtual Machine Requirements
Your deployment must meet minimum system resources to install virtual appliances and minimum
hardware requirements to install IaaS components on the Windows Server.
For operating system and high-level environment requirements, including information about supported
browsers and operating systems, see the vRealize Automation Support Matrix.
The Hardware Requirements table shows the minimum configuration requirements for deployment of
virtual appliances and installation of IaaS components. Appliances are pre-configured virtual machines that
you add to your vCenter Server or ESXi inventory. IaaS components are installed on physical or virtual
Windows 2008 R2 SP1, or Windows 2012 R2 servers.
An Active Directory is considered small when there are up to 25,000 users in the OU to be synced in the ID
Store configuration. An Active Directory is considered large when there are more than 25,000 users in the
OU.
Table 2‑1. Hardware Requirements
vRealize Automation appliance for Small Active Directories
- 4 CPUs
- 18 GB memory
- 60 GB disk storage
vRealize Automation appliance for Large Active Directories
- 4 CPUs
- 22 GB memory
- 60 GB disk storage
IaaS Components (Windows Server)
- 2 CPUs
- 8 GB memory
- 30 GB disk storage
Additional resources are required when you include an SQL Server on a Windows host.
Browser Considerations
Some restrictions exist for browser use with vRealize Automation.
- Multiple browser windows and tabs are not supported. vRealize Automation supports one session per user.
- VMware Remote Consoles provisioned on vSphere support a subset of vRealize Automation-supported browsers.
For operating system and high-level environment requirements, including information about supported
browsers and operating systems, see the vRealize Automation Support Matrix.
Password Considerations
Character restrictions apply to some passwords.
The VMware vRealize™ Automation administrator password cannot contain a trailing "=" character. Such
passwords are accepted when you assign them, but result in errors when you perform operations such as
saving endpoints.
Windows Server Requirements
The virtual or physical Windows machine that hosts the IaaS components must meet configuration
requirements for the IaaS database, the IaaS server components, the IaaS Manager Service, and Distributed
Execution Managers.
The Installation Wizard runs a vRealize Automation prerequisite checker on all IaaS Windows servers to
ensure that they meet the configuration necessary for installation. In addition to the prerequisite checker,
address the following prerequisites separately.
- As a best practice, place all IaaS Windows servers in the same domain.
- Create or identify a domain account to use for installation, one that has administrator privileges on all IaaS Windows servers.
IaaS Database Server Requirements
The Windows server that hosts the vRealize Automation IaaS SQL Server database must meet certain
prerequisites.
The requirements apply whether you run the Installation Wizard or the legacy setup_vrealize-automation-appliance-URL.exe
installer and select the database role for installation. The prerequisites also apply if you
separately create an empty SQL Server database for use with IaaS.
- Use a supported SQL Server version from the vRealize Automation Support Matrix.
- Enable TCP/IP protocol for SQL Server.
- Enable the Distributed Transaction Coordinator (DTC) service on all IaaS Windows servers and the machine that hosts SQL Server. IaaS uses DTC for database transactions and actions such as workflow creation.
  NOTE If you clone a machine to make an IaaS Windows server, install DTC on the clone after cloning. If you clone a machine that already has DTC, its unique identifier is copied to the clone, which causes communication to fail. See “Error in Manager Service Communication,” on page 143.
  For more about DTC enablement, see VMware Knowledge Base article 2038943.
- Open ports between all IaaS Windows servers and the machine that hosts SQL Server. See “vRealize Automation Port Requirements,” on page 26.
  Alternatively, if site policies allow, you may disable firewalls between IaaS Windows servers and SQL Server.
- This release of vRealize Automation does not support SQL Server 2016 130 compatibility mode. If you separately create an empty SQL Server 2016 database for use with IaaS, use 100 or 120 compatibility mode.
  If you create the database through a vRealize Automation installer, compatibility is already configured.
- AlwaysOn Availability Group (AAG) is only supported with SQL Server 2016.
IaaS Web Service and Model Manager Server Requirements
Your environment must meet software and configuration prerequisites that support installation of the IaaS
server components.
Environment and Database Requirements for IaaS
Your host configuration and MS SQL database must meet the following requirements.
Table 2‑2. IaaS Requirements
Area: Host Configuration
Requirements: The following components must be installed on the host before installing IaaS:
- Microsoft .NET Framework 4.5.2 or later.
- Microsoft PowerShell 2.0 (included with Windows Server 2008 R2 SP1 and later) or Microsoft PowerShell 3.0 on Windows Server 2012 R2.
- Microsoft Internet Information Services 7.5.
- Java must be installed on the machine running the primary Web component to support deployment of the MS SQL database during installation.
Area: Microsoft SQL Database Requirements
Requirements: The SQL database can reside on one of your IaaS Windows servers, or a separate host.
If the SQL database is on one of your IaaS Windows servers, configure the following Java requirements.
- Install 64-bit Java 1.8 or later. Do not use 32-bit.
- Set the JAVA_HOME environment variable to the Java installation folder.
- Verify that %JAVA_HOME%\bin\java.exe is available.
Microsoft Internet Information Services Requirements
Configure Internet Information Services (IIS) to meet the following requirements.
In addition to the configuration settings, avoid hosting additional Web sites in IIS on the IaaS Web server
host. vRealize Automation sets the binding on its communication port to all unassigned IP addresses,
making no additional bindings possible. The default vRealize Automation communication port is 443.
Table 2‑3. Required Configuration for Microsoft Internet Information Services
IIS Component: Internet Information Services (IIS) modules installed
Setting:
- WindowsAuthentication
- StaticContent
- DefaultDocument
- ASPNET 4.5
- ISAPIExtensions
- ISAPIFilter
IIS Component: IIS Authentication settings
Setting:
- Windows Authentication enabled
- AnonymousAuthentication disabled
- Negotiate Provider enabled
- NTLM Provider enabled
- Windows Authentication Kernel Mode enabled
- Windows Authentication Extended Protection disabled
- For certificates using SHA512, TLS1.2 must be disabled on Windows 2012 or Windows 2012 R2 servers
IIS Component: IIS Windows Process Activation Service roles
Setting:
- ConfigurationApi
- NetEnvironment
- ProcessModel
- WcfActivation (Windows 2008 only)
- HttpActivation
- NonHttpActivation
IaaS Manager Service
Your environment must meet some general requirements that support the installation of the IaaS Manager
Service.
- Microsoft .NET Framework 4.5.2 is installed.
- Microsoft PowerShell 2.0, 3.0, or 4.0. Some vRealize Automation upgrades or migrations might require you to install an older or newer PowerShell version, in addition to the one that you are currently running.
- SecondaryLogOnService is running.
- No firewalls can exist between DEM host and Windows Server. For port information, see “vRealize Automation Port Requirements,” on page 26.
- IIS is installed and configured.
Distributed Execution Manager Requirements
Your environment must meet some general requirements that support the installation of Distributed
Execution Managers (DEMs).
- Microsoft .NET Framework 4.5.2 is installed.
- Microsoft PowerShell 2.0, 3.0, or 4.0. Some vRealize Automation upgrades or migrations might require you to install an older or newer PowerShell version, in addition to the one that you are currently running.
- SecondaryLogOnService is running.
- No firewalls between DEM host and the Windows server, or ports opened as described in “vRealize Automation Port Requirements,” on page 26.
Servers that host DEM Worker instances might have additional requirements depending on the provisioning
resources that they interact with.
Amazon Web Services EC2 Requirements
A vRealize Automation IaaS Windows server communicates with and collects data from an Amazon EC2
account.
When you use Amazon Web Services (AWS) for provisioning, the IaaS Windows servers that host the DEM
workers must meet the following requirements.
- DEM worker hosts must have Internet access.
- If the DEM worker hosts are behind a firewall, HTTPS traffic must be allowed to and from aws.amazon.com as well as the URLs for EC2 regions that your AWS accounts have access to, such as ec2.us-east-1.amazonaws.com for the US East region.
  Each URL resolves to a range of IP addresses, so you might need to use a tool, such as the one available from the Network Solutions Web site, to list and configure these IP addresses.
- If the DEM worker hosts reach the Internet through a proxy server, the DEM service must be running under credentials that can authenticate to the proxy server.
Openstack and PowerVC Requirements
The machines on which you install your DEMs must meet certain requirements to communicate with and
collect data from your Openstack or PowerVC instance.
Table 2‑4. DEM Host Requirements
Your Installation | Requirements
All | In Windows Registry, enable TLS v1.2 support for .NET
Self-signed certificates on your infrastructure endpoint host | If your PowerVC or Openstack instance is not using trusted certificates, import the SSL certificate from your PowerVC or Openstack instance into the Trusted Root Certificate Authorities store on each IaaS Windows server where you intend to install a vRealize Automation DEM.
Red Hat Enterprise Virtualization KVM (RHEV) Requirements
When you use Red Hat Enterprise Virtualization for provisioning, the IaaS Windows server communicates
with and collects data from that account.
Your environment must meet the following Red Hat Enterprise requirements.
- Each KVM (RHEV) environment must be joined to the domain containing the IaaS server.
- The credentials used to manage the endpoint representing a KVM (RHEV) environment must have Administrator privileges on the RHEV environment. These credentials must also have sufficient privileges to create objects on the hosts within the environment.
SCVMM Requirements
A DEM Worker that manages virtual machines through SCVMM must be installed on a host where the
SCVMM console is already installed.
A best practice is to install the SCVMM console on a separate DEM Worker machine. In addition, verify that
the following requirements have been met.
- The DEM worker must have access to the SCVMM PowerShell module installed with the console.
- The PowerShell Execution Policy must be set to RemoteSigned or Unrestricted.
  To verify the PowerShell Execution Policy, enter one of the following commands at the PowerShell command prompt.
    help about_signing
    help Set-ExecutionPolicy
- If all DEM Workers within the instance are not on machines that meet these requirements, use Skill commands to direct SCVMM-related workflows to DEM Workers that are.
The following additional requirements apply to SCVMM.
- This release supports SCVMM 2012 R2, which requires PowerShell 3 or later.
- Install the SCVMM console before you install vRealize Automation DEM Workers that consume SCVMM work items.
  If you install the DEM Worker before the SCVMM console, you see log errors similar to the following example.
    Workflow 'ScvmmEndpointDataCollection' failed with the following exception: The term 'Get-VMMServer' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
  To correct the problem, verify that the SCVMM console is installed, and restart the DEM Worker service.
- Each SCVMM instance must be joined to the domain containing the server.
- The credentials used to manage the endpoint representing an SCVMM instance must have administrator privileges on the SCVMM server.
  The credentials must also have administrator privileges on the Hyper-V servers within the instance.
- Hyper-V servers within an SCVMM instance to be managed must be Windows 2008 R2 SP1 Servers with Hyper-V installed. The processor must be equipped with the necessary virtualization extensions. .NET Framework 4.5.2 or later must be installed and Windows Management Instrumentation (WMI) must be enabled.
- To provision machines on an SCVMM resource, you must add a user in at least one security role within the SCVMM instance.
- To provision a Generation-2 machine on an SCVMM 2012 R2 resource, you must add the following properties in the blueprint.
    Scvmm.Generation2 = true
    Hyperv.Network.Type = synthetic
  Generation-2 blueprints should have an existing data-collected virtualHardDisk (vHDX) in the blueprint build information page. Having it blank causes Generation-2 provisioning to fail.
For more information, see “Configure the DEM to Connect to SCVMM at a Different Installation Path,” on
page 94.
For additional information about preparing your SCVMM environment, see Configuring vRealize Automation.
vRealize Automation Port Requirements
vRealize Automation uses designated ports for communication and data access.
Although vRealize Automation uses only port 443 for communication, there might be other ports to open on
the system. Because open, unsecured ports might present security vulnerabilities, verify that only ports
required by your business applications are open.
vRealize Automation Appliance
The following ports are used by the vRealize Automation appliance.
Table 2‑5. Incoming Ports for the vRealize Automation appliance
Port | Protocol | Comments
22 | TCP | Optional. Access for SSH sessions
80 | TCP | Optional. Redirects to 443
111 | TCP, UDP | RPC
443 | TCP | Access to the vRealize Automation console and API calls
443 | TCP | Access for machines to download the guest agent and software bootstrap agent
5480 | TCP | Access to the virtual appliance Web management interface
5480 | TCP | Used by the Management Agent
5488, 5489 | TCP | Internally used by the vRealize Automation appliance for updates
8444 | TCP | Console proxy communication for vSphere VMware Remote Console connections.
 | TCP | RabbitMQ messaging
Table 2‑6. Outgoing Ports for the vRealize Automation appliance

| Port | Protocol | Comments |
|---|---|---|
| 25, 587 | TCP, UDP | SMTP for sending outbound notification emails |
| 53 | TCP, UDP | DNS |
| 67, 68, 546, 547 | TCP, UDP | DHCP |
| 80 | TCP | Optional. For fetching software updates. Updates can be downloaded separately and applied |
| 110, 995 | TCP, UDP | POP for receiving inbound notification emails |
| 143, 993 | TCP, UDP | IMAP for receiving inbound notification emails |
| 123 | TCP, UDP | Optional. For connecting directly to NTP instead of using host time |
| 443 | TCP | Communication with IaaS Manager Service and infrastructure endpoint hosts over HTTPS |
| 443 | TCP | Communication with the software bootstrap agent over HTTPS |
| 902 | TCP | ESXi network file copy operations and VMware Remote Console connections. |
| 5050 | TCP | Optional. For communicating with vRealize Business. |
| 5432 | TCP, UDP | Optional. For communicating with an Appliance Database |
| 8281 | TCP | Optional. For communicating with an external vRealize Orchestrator instance |
Other ports might be required by specific vRealize Orchestrator plug-ins that communicate with external
systems. See the documentation for the vRealize Orchestrator plug-in.
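An added example, not part of the VMware documentation, of the check the port section asks for: it compares a host's listening sockets with the incoming ports of Table 2‑5. It assumes input in the format of `ss -tuln` output; the sample lines are constructed and the function names are hypothetical.

```python
import re

# Incoming ports from Table 2-5 (port -> allowed protocols). The RabbitMQ
# row's port number is missing on this page, so it is not listed here; add it
# from the vendor table before using this on a real appliance.
ALLOWED_INCOMING = {
    22: {"tcp"}, 80: {"tcp"}, 111: {"tcp", "udp"}, 443: {"tcp"},
    5480: {"tcp"}, 5488: {"tcp"}, 5489: {"tcp"}, 8444: {"tcp"},
}
LOOPBACK = re.compile(r"^(127\.|\[?::1\]?$)")

# Constructed sample in the format of `ss -tuln` output (not from a real host).
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      128    [::]:443           [::]:*
tcp   LISTEN 0      128    0.0.0.0:5480       0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:111        0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*
"""

def parse_listeners(ss_output):
    """Yield (proto, address, port) for each tcp/udp socket line."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header or unrelated line
        addr, _, port = fields[4].rpartition(":")
        if port.isdigit():
            yield fields[0], addr, int(port)

def unexpected_listeners(ss_output, allowed=ALLOWED_INCOMING):
    """Return sorted (proto, port) pairs reachable off-host but not in the table."""
    found = set()
    for proto, addr, port in parse_listeners(ss_output):
        if LOOPBACK.match(addr):
            continue  # loopback-only sockets are not exposed on the network
        if proto not in allowed.get(port, set()):
            found.add((proto, port))
    return sorted(found)

if __name__ == "__main__":
    for proto, port in unexpected_listeners(SAMPLE_SS_OUTPUT):
        print(f"not in Table 2-5: {port}/{proto}")
```

A port that is listed for TCP only, such as 443, is still reported when it is found listening on UDP.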
Infrastructure as a Service
The ports in the tables Incoming Ports for Infrastructure as a Service Components and Outgoing Ports for
Infrastructure as a Service must be available for use by the IaaS Windows Server.
Table 2‑7. Incoming Ports for Infrastructure as a Service Components

| Component | Port | Protocol | Comments |
|---|---|---|---|
| Manager Service | 443 | TCP | Communication with IaaS components and vRealize Automation appliance over HTTPS |
| vRealize Automation appliance | 443 | TCP | Communication with IaaS components and vRealize Automation appliance over HTTPS |
| Infrastructure Endpoint Hosts | 443 | TCP | Communication with IaaS components and vRealize Automation appliance over HTTPS. Typically, 443 is the default communication port for virtual and cloud infrastructure endpoint hosts, but refer to the documentation provided by your infrastructure hosts for a full list of default and required ports |
| SQL Server instance | 1433 | TCP | MSSQL |

Table 2‑8. Outgoing Ports for Infrastructure as a Service Components

| Component | Port | Protocol | Comments |
|---|---|---|---|
| All | 53 | TCP, UDP | DNS |
| All | 67, 68, 546, 547 | TCP, UDP | DHCP |
| All | 123 | TCP, UDP | Optional. NTP |
| Manager Service | 443 | TCP | Communication with vRealize Automation appliance over HTTPS |
| Distributed Execution Managers | 443 | TCP | Communication with Manager Service over HTTPS |
| Proxy agents | 443 | TCP | Communication with Manager Service and infrastructure endpoint hosts over HTTPS |
| Management Agent | 443 | TCP | Communication with the vRealize Automation appliance |
| Guest agent, Software bootstrap agent | 443 | TCP | Communication with Manager Service over HTTPS |
| Manager Service, Website | 1433 | TCP | MSSQL |
| All | 5480 | TCP | Communication with the vRealize Automation appliance. |
Microsoft Distributed Transaction Coordinator Service
In addition to verifying that the ports listed in the previous tables are free for use, you must enable
Microsoft Distributed Transaction Coordinator Service (MS DTC) communication between all servers in the
deployment. MS DTC requires the use of port 135 over TCP and a random port between 1024 and 65535.
The Prerequisite Checker validates whether MS DTC is running and that the required ports are open.
User Accounts and Credentials Required for Installation
You must verify that you have the roles and credentials to install vRealize Automation components.
vCenter Service Account
If you plan to use a vSphere endpoint, you need a domain or local account that has the appropriate level of
access configured in vCenter.
Virtual Appliance Installation
To deploy the vRealize Automation appliance, you must have the appropriate privileges on the deployment
platform (for example, vSphere administrator credentials).
During the deployment process, you specify the password for the virtual appliance administrator account.
This account provides access to the vRealize Automation appliance management console from which you
configure and administer the virtual appliances.
IaaS Installation
Before installing IaaS components, add the user under which you plan to execute the IaaS installation
programs to the Administrator group on the installation host.
IaaS Database Credentials
You can create the database during product installation or create it manually in the SQL server.
When you create or populate an MS SQL database through vRealize Automation, either with the Installation
Wizard or through the management console, the following requirements apply:
- If you use the Use Windows Authentication option, the sysadmin role in SQL Server must be granted
  to the user executing the Management Agent on the primary IaaS web server to create and alter the size
  of the database.
- If you do not select Use Windows Authentication, the sysadmin role in SQL Server must also be
  granted to the user executing the Management Agent on the primary IaaS web server. The credentials
  are used at runtime.
- If you populate a pre-created database through vRealize Automation, the user credentials you provide
  (either the current Windows user or the specified SQL user) need only dbo privileges for the IaaS
  database.
Note: vRealize Automation users also require the correct level of Windows authentication access to log in
and use vRealize Automation.
IaaS Service User Credentials
IaaS installs several Windows services that share a single service user.
The following requirements apply to the service user for IaaS services:
- The user must be a domain user.
- The user must have local Administrator privileges on all hosts on which the Manager Service or Web
  site component is installed. Do not do a workgroup installation.
- The user is configured with Log on as a service privileges. This privilege ensures that the Manager
  Service starts and generates log files.
- The user must have dbo privileges for the IaaS database. If you use the installer to create the database,
  ensure that the service user login is added to SQL Server prior to running the installer. The installer
  grants the service user dbo privileges after creating the database.
- The installer is run under the account that runs the Management Agent on the primary Web server. If
  you want to use the installer to create an MS SQL database during installation, you must have the
  sysadmin role enabled under MS SQL. This is not a requirement if you choose to use a pre-created
  empty database.
- The domain user account that you plan to use as the IIS application pool identity for the Model
  Manager Web Service is configured with Log on as batch job privileges.
Model Manager Server Specifications
Specify the Model Manager server name by using a fully qualified domain name (FQDN). Do not use an IP
address to specify the server.
Security
vRealize Automation uses SSL to ensure secure communication among components. Passphrases are used
for secure database storage.
For more information, see “Certificate Trust Requirements in a Distributed Deployment,” on page 63.
Certificates
vRealize Automation uses SSL certificates for secure communication among IaaS components and instances
of the vRealize Automation appliance. The appliances and the Windows installation machines exchange
these certificates to establish a trusted connection. You can obtain certificates from an internal or external
certificate authority, or generate self-signed certificates during the deployment process for each component.
For important information about troubleshooting, support, and trust requirements for certificates, see
VMware Knowledge Base article 2106583.
You can update or replace certificates after deployment. For example, a certificate may expire or you may
choose to use self-signed certificates during your initial deployment, but then obtain certificates from a
trusted authority before going live with your vRealize Automation implementation.
Generate a self-signed certificate during appliance configuration.
generated self-signed certificates or select certificate suppression.
For each appliance cluster, you can use a certificate from an internal or external certificate authority. Multi-use and wildcard certificates are supported.
Obtain a multi-use certificate, such as a Subject Alternative Name (SAN) certificate, from an internal or external certificate authority that your Web client trusts.
Certificate Chains
If you use certificate chains, specify the certificates in the following order.
- Client/server certificate signed by the intermediate CA certificate
- One or more intermediate certificates
- A root CA certificate
Include the BEGIN CERTIFICATE header and END CERTIFICATE footer for each certificate when you
import certificates.
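An added example, not VMware's code, that checks a PEM bundle for the order given above: each certificate's issuer must match the next certificate's subject, and the last certificate must be self-issued. It compares names byte for byte and verifies no signatures; the sample certificates are constructed, unsigned stand-ins and all function names are hypothetical.

```python
import base64, re
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Return the raw DER issuer and subject Names of one certificate."""
    _, pos, _ = _tlv(der, 0)            # Certificate SEQUENCE: step inside
    _, pos, _ = _tlv(der, pos)          # TBSCertificate SEQUENCE: step inside
    tag, _, end = _tlv(der, pos)        # [0] version, or serialNumber in v1
    if tag == 0xA0:
        _, _, end = _tlv(der, end)      # serialNumber
    _, _, end = _tlv(der, end)          # signature AlgorithmIdentifier
    _, _, iss_end = _tlv(der, end)      # issuer Name
    _, _, val_end = _tlv(der, iss_end)  # validity
    _, _, sub_end = _tlv(der, val_end)  # subject Name
    return der[end:iss_end], der[val_end:sub_end]

def chain_order_errors(bundle):
    """List ordering problems in a PEM bundle (names only, no signature check)."""
    names = [issuer_and_subject(base64.b64decode(b)) for b in PEM_RE.findall(bundle)]
    if not names:
        return ["no BEGIN CERTIFICATE / END CERTIFICATE block found"]
    errors = [f"certificate {i + 1} is not issued by certificate {i + 2}"
              for i in range(len(names) - 1) if names[i][0] != names[i + 1][1]]
    if names[-1][0] != names[-1][1]:
        errors.append("last certificate is not a self-issued root")
    return errors

def _der(tag, *parts):  # short-form length only: sample bodies stay under 128 bytes
    return bytes([tag, len(b"".join(parts))]) + b"".join(parts)
def sample_cert(issuer, subject):
    """Constructed, unsigned stand-in holding only the fields read above."""
    def name(cn):  # Name with a single commonName (OID 2.5.4.3) attribute
        return _der(0x30, _der(0x31, _der(0x30, _der(6, b"\x55\x04\x03"), _der(12, cn.encode()))))
    tbs = _der(0x30, _der(0xA0, _der(2, b"\x02")), _der(2, b"\x01"),
               _der(0x30), name(issuer), _der(0x30), name(subject))
    body = base64.encodebytes(_der(0x30, tbs)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{body}-----END CERTIFICATE-----\n"

LEAF = sample_cert("Example Issuing CA", "vra.example.test")
INTERMEDIATE = sample_cert("Example Root CA", "Example Issuing CA")
ROOT = sample_cert("Example Root CA", "Example Root CA")
```

`chain_order_errors(LEAF + INTERMEDIATE + ROOT)` returns an empty list; any other concatenation of the three samples reports the position where the issuer and subject names stop lining up.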
Extracting Certificates and Private Keys
Certificates that you use with the virtual appliances must be in the PEM file format.
The examples in the following table use Gnu openssl commands to extract the certificate information you
need to configure the virtual appliances.