VMware vRealize Automation - 7.3 User’s Manual

Managing vRealize Automation
15 March 2018 vRealize Automation 7.3
You can find the most up-to-date technical documentation on the VMware website at:
https://docs.vmware.com/
docfeedback@vmware.com
VMware, Inc.
3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com
Copyright © 2008–2018 VMware, Inc. All rights reserved. Copyright and trademark information.

Contents

1 Managing vRealize Automation 5
2 Updated Information 6
3 Maintaining and Customizing vRealize Automation Components and Options 7
    Broadcast a Message on the Message Board Portlet 7
    Starting Up and Shutting Down vRealize Automation 9
        Start Up vRealize Automation 9
        Restart vRealize Automation 10
        Shut Down vRealize Automation 11
    Updating vRealize Automation Certificates 12
        Extracting Certificates and Private Keys 13
        Replace Certificates in the vRealize Automation Appliance 14
        Replace the Infrastructure as a Service Certificate 16
        Replace the IaaS Manager Service Certificate 18
        Update Embedded vRealize Orchestrator to Trust vRealize Automation Certificates 19
        Update External vRealize Orchestrator to Trust vRealize Automation Certificates 21
        Updating the vRealize Automation Appliance Management Site Certificate 22
        Replace a Management Agent Certificate 26
        Change the Polling Method for Certificates 29
    Managing the vRealize Automation Postgres Appliance Database 29
        Three Node Appliance Database Automatic Failover Scenarios 31
        Configure the Appliance Database 33
        Scenario: Perform Manual vRealize Automation Appliance Database Failover 35
        Scenario: Perform a Maintenance Database Failover 36
        Manually Recover Appliance Database from Catastrophic Failure 37
    Backup and Recovery for vRealize Automation Installations 39
    The Customer Experience Improvement Program 39
        Join or Leave the Customer Experience Improvement Program for vRealize Automation 40
        Configure Data Collection Time 40
    Adjusting System Settings 41
        Modify the All Services Icon in the Service Catalog 41
        Customize Data Rollover Settings 42
        Adjusting Settings in the Manager Service Configuration File 44
    Monitoring vRealize Automation 49
        Monitoring Workflows and Viewing Logs 49
        Monitoring Event Logs and Services 50
        Using vRealize Automation Audit Logging 51
        Viewing Host Information for Clusters in Distributed Deployments 52
    Monitoring vRealize Automation Health 55
        Run System Tests For vRealize Automation 55
        Run Tenant Tests For vRealize Automation 57
        Run Tests For vRealize Orchestrator 58
        View the vRealize Automation Health Service Test Suite Results 59
        Troubleshooting the Health Service 60
    Monitoring and Managing Resources 61
        Choosing a Resource Monitoring Scenario 61
        Resource Usage Terminology 65
        Connecting to a Cloud Machine 65
        Reducing Reservation Usage by Attrition 68
        Decommissioning a Storage Path 68
        Data Collection 69
        Understanding vSwap Allocation Checking for vCenter Server Endpoints 72
        Removing Datacenter Locations 73
    Monitoring Containers 74
    Bulk Import, Update, or Migrate Virtual Machines 74
        Import a Virtual Machine to a vRealize Automation Environment 74
        Update a Virtual Machine in a vRealize Automation Environment 78
        Migrate a Virtual Machine to a Different vRealize Automation Environment 81
1 Managing vRealize Automation

Managing vRealize Automation provides information about maintaining VMware vRealize Automation, including how to start and stop a deployment, as well as manage certificates and the appliance database. In addition, it contains information on backing up and restoring vRealize Automation.
Intended Audience
This information is intended for anyone who wants to manage a vRealize Automation deployment. The
information is written for experienced Windows or Linux system administrators who are familiar with
virtual machine technology and datacenter operations.
VMware Technical Publications Glossary
VMware Technical Publications provides a glossary of terms that might be unfamiliar to you. For
definitions of terms as they are used in VMware technical documentation, go to
http://www.vmware.com/support/pubs.

2 Updated Information

The following table lists the changes to Managing vRealize Automation for this product release.

Revision       Description
15 MAR 2018    - Updated Replace the vRealize Automation Appliance Management Site Certificate to clarify prerequisites.
               - Updated Managing the vRealize Automation Postgres Appliance Database.
               - Added Three Node Appliance Database Automatic Failover Scenarios.
               - Updated Update Embedded vRealize Orchestrator to Trust vRealize Automation Certificates.
               - Added Using vRealize Automation Audit Logging and Configure vRealize Automation for Log Insight Audit Logging.
18 JAN 2018    - Updated Start Up vRealize Automation.
               - Updated Restart vRealize Automation.
4 DEC 2017     Updated Bulk Import, Update, or Migrate Virtual Machines.
20 SEP 2017    Updated the following topics, which have since moved to the suite documentation.
               - Backing Up vRealize Automation
               - Backing Up the vRealize Automation Appliance
               - Backing Up IaaS Components
12 SEP 2017    Updated Scenario: Perform Manual vRealize Automation Appliance Database Failover.
30 AUG 2017    - Added topics for re-registering vRealize Orchestrator for vRealize Automation certificates: Update Embedded vRealize Orchestrator to Trust vRealize Automation Certificates and Update External vRealize Orchestrator to Trust vRealize Automation Certificates.
EN-002419-02   - Updated Manually Recover Appliance Database from Catastrophic Failure.
               - Updated Replace Certificates in the vRealize Automation Appliance.
               - Updated Start Up vRealize Automation.
EN-002419-01   Added Manually Recover Appliance Database from Catastrophic Failure.
EN-002419-00   Initial document release.

3 Maintaining and Customizing vRealize Automation Components and Options
You can manage provisioned machines and other aspects of your vRealize Automation deployment.
This chapter includes the following topics:
- Broadcast a Message on the Message Board Portlet
- Starting Up and Shutting Down vRealize Automation
- Updating vRealize Automation Certificates
- Managing the vRealize Automation Postgres Appliance Database
- Backup and Recovery for vRealize Automation Installations
- The Customer Experience Improvement Program
- Adjusting System Settings
- Monitoring vRealize Automation
- Monitoring vRealize Automation Health
- Monitoring and Managing Resources
- Monitoring Containers
- Bulk Import, Update, or Migrate Virtual Machines
Broadcast a Message on the Message Board Portlet
As the tenant administrator, you use the message board portlet to broadcast a message to all the users
who have the portlet on their Home tab.
Any new users that you add to vRealize Automation have the portlet on their Home tab by default. Existing users must add the portlet to receive your messages.
You use the message board portlet to broadcast a text message or a Web page. Depending on the Web
page, your users can navigate through the Web site in the message board.
The message board has the following limitations.

Table 3-1. Message Board Portlet Limitations

URL message limitations
- You can only publish content that is hosted on an https site.
- You cannot use self-signed certificates. The option to accept the certificate does not appear in the message board.
- The message board URL is embedded in an iframe. Some Web sites do not work in an iframe and an error appears. One cause of the failure is the X-Frame-Options DENY or SAMEORIGIN header on the target Web site. If your target Web site is one that you control, you can set the X-Frame-Options header to X-Frame-Options: ALLOW-FROM https://<vRealizeAutomationApplianceURL>.
- Some Web sites have a redirect to a top-level page that might refresh the entire vRealize Automation page. This type of Web site does not work in the message board. The refresh is suppressed and a Loading... message appears on the message board.
- If you display an internal HTML page, the page cannot have the vRealize Automation host as the URL.

Custom message limitations
- To maintain security, the Custom Message does not support HTML code. For example, you cannot use <href> to link to a Web site. You must use the URL message option.

Prerequisites
Log in to the vRealize Automation console as a tenant administrator.
Procedure
1 Select the Home tab.
2 Click the Edit icon in the upper right corner.
3 Select Add Portlets.
4 Locate Message Board and click Add.
5 Click Close.
The portlet is added to the top of the Home tab. If you are a user and a message is broadcast, you
see the message until the tenant administrator changes it or removes it. If you are the tenant
administrator, you configure the message.
6 To configure the message as a tenant administrator, click Add New Message.
7 Configure one of the following options.
    Option            Description
    URL               Enter the page URL.
    Custom Message    Enter the plain text message.
8 Click Publish.
The message is broadcast to any tenant users who added the message board portlet to their Home tab.
To change or remove the message, you must be logged in as the tenant administrator. To change the
message, repeat the same steps. To remove the message, remove the URL or text and publish the blank
message.
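As an added example (not from the VMware documentation), the following Python check applies the URL message limitations above to a candidate page: it flags a non-https URL, an X-Frame-Options value that blocks framing from the appliance, and a URL on the vRealize Automation host itself. It goes one step beyond the table by also reading the Content-Security-Policy frame-ancestors directive, which browsers honour in preference to X-Frame-Options; the appliance origin, host names and header values are constructed assumptions, and source matching is simplified to exact origins.

```python
from urllib.parse import urlparse
import urllib.request

# Constructed assumption: origin of the vRealize Automation appliance whose
# Home tab embeds the message board (hypothetical host name).
VRA_ORIGIN = "https://vra.example.com"


def origin_of(url):
    """Return scheme://host[:port], lower-cased, the way a browser compares origins."""
    p = urlparse(url)
    port = f":{p.port}" if p.port else ""
    return f"{p.scheme}://{p.hostname or ''}{port}".lower()


def framing_problems(target_url, response_headers, vra_origin=VRA_ORIGIN):
    """Return the reasons the message board could not show target_url.

    response_headers maps header name -> value as sent by the target site
    (names are compared case-insensitively). An empty list means none of the
    documented limitations was detected.
    """
    problems = []
    headers = {k.lower(): v for k, v in response_headers.items()}
    target_origin = origin_of(target_url)

    # Only content hosted on an https site can be published.
    if urlparse(target_url).scheme.lower() != "https":
        problems.append("not https: the message board only publishes https content")

    # The page is embedded in an iframe: DENY, or SAMEORIGIN seen from another
    # origin, makes the browser refuse to render it; ALLOW-FROM must name the
    # appliance origin.
    xfo = headers.get("x-frame-options", "").split()
    directive = xfo[0].upper() if xfo else ""
    if directive == "DENY":
        problems.append("X-Frame-Options: DENY blocks all framing")
    elif directive == "SAMEORIGIN" and target_origin != vra_origin:
        problems.append(f"X-Frame-Options: SAMEORIGIN blocks framing from {vra_origin}")
    elif directive == "ALLOW-FROM":
        allowed = origin_of(xfo[1]) if len(xfo) > 1 else ""
        if allowed != vra_origin:
            problems.append(f"X-Frame-Options: ALLOW-FROM names {allowed or 'nothing'}, "
                            f"not {vra_origin}")

    # Beyond the documentation: CSP frame-ancestors overrides X-Frame-Options.
    # Matching here is exact-origin only ('self', '*' or the literal origin).
    for part in headers.get("content-security-policy", "").split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = {t.lower() for t in tokens[1:]}
            if not ("*" in sources or vra_origin in sources
                    or ("'self'" in sources and target_origin == vra_origin)):
                problems.append("CSP frame-ancestors does not allow the appliance origin")

    # An internal page cannot have the vRealize Automation host as its URL.
    if target_origin == vra_origin:
        problems.append("target URL uses the vRealize Automation host")
    return problems


def fetch_problems(target_url, vra_origin=VRA_ORIGIN):
    """Fetch the live response headers of target_url and run the checks (needs network)."""
    req = urllib.request.Request(target_url, method="HEAD")
    with urllib.request.urlopen(req) as resp:
        return framing_problems(target_url, dict(resp.headers), vra_origin)


if __name__ == "__main__":
    # Constructed sample headers from a hypothetical intranet site.
    for value in ("DENY", "SAMEORIGIN", "ALLOW-FROM https://vra.example.com"):
        print(value, "->", framing_problems("https://intranet.example.com/news",
                                            {"X-Frame-Options": value}))
```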

Starting Up and Shutting Down vRealize Automation

A system administrator performs a controlled shutdown or startup of vRealize Automation to preserve
system and data integrity.
You can also use a controlled shutdown and startup to resolve performance or product behavior issues
that can result from an incorrect initial startup. Use the restart procedure when only some components of
your deployment fail.

Start Up vRealize Automation

When you start vRealize Automation from the beginning, such as after a power outage, a controlled
shutdown or after recovery, you must start its components in a specified order.
Prerequisites
Verify that the load balancers that your deployment uses are running.
Procedure
1 Start the MS SQL database machine. If you are using a legacy PostgreSQL standalone database,
start that machine as well.
2 (Optional) If you are running a deployment that uses load balancers with health checks, disable the
health check before you start the vRealize Automation appliance. Only ping health check should be
enabled.
3 In vSphere, start the master vRealize Automation appliance.
4 Wait until the licensing service is running and REGISTERED in the master appliance management
interface.
5 Start the remaining vRealize Automation appliances at the same time.
6 Wait for the appliances to start, and verify that services are running and listed as REGISTERED in the
appliance management interface.
It might take 15 or more minutes for appliances to start.
7 Start the primary Web node and wait for the startup to finish.
8 (Optional) If you are running a distributed deployment, start all secondary Web nodes and wait 5
minutes.
9 Start the primary Manager Service machine and wait for 2 to 5 minutes, depending on your site
configuration.
10 (Optional) If you are running a distributed deployment, start secondary Manager Service machines
and wait 2 to 5 minutes.
On secondary machines, do not start or run the Windows service unless you are configured for
automatic Manager Service failover.
11 Start the Distributed Execution Manager Orchestrator and Workers and all vRealize Automation proxy
agents.
You can start these components in any order and you do not need to wait for one startup to finish
before you start another.
12 If you disabled health checks for your load balancers, reenable them.
13 Verify that the startup succeeded.
a Open a Web browser to the vRealize Automation appliance management interface URL.
b Click the Services tab.
c Click the Refresh tab to monitor the progress of service startup.
When all services are listed as registered, the system is ready to use.

Restart vRealize Automation

When you restart more than one vRealize Automation component, you must restart the components in a
specified order.
You might need to restart some components in your deployment to resolve anomalous product behavior.
If you are using vCenter Server to manage your virtual machines, use the Guest OS restart command
to restart vRealize Automation.
If you cannot restart a component or service, follow the instructions in Shut Down vRealize Automation
and Start Up vRealize Automation.
Prerequisites
Verify that load balancers that your deployment uses are running.
Ensure that your vRealize Automation appliance database is operating in asynchronous mode. If it is
operating in synchronous mode, use the Virtual Appliance Management Interface to change it to
asynchronous mode. See Managing the vRealize Automation Postgres Appliance Database for more
information.
If applicable, be sure to return the appliance database to synchronous mode after you complete the
procedure.
Procedure
1 In vSphere, start the master vRealize Automation appliance.
2 Wait until the licensing service is running and REGISTERED in the master appliance management
interface.
3 Start the remaining vRealize Automation appliances at the same time.
4 Wait for the appliances to start, and verify that services are running and listed as REGISTERED in the
appliance management interface.
It might take 15 or more minutes for appliances to start.
5 Restart the primary Web node and wait for startup to finish.
6 If you are running a distributed deployment, restart secondary Web nodes and wait for startup to
finish.
7 Restart Manager Service nodes and wait for startup to finish.
If running automatic Manager Service failover, and you want to keep the active and passive nodes the
same, restart in the following order:
a Stop the passive Manager Service nodes without restarting them.
b Completely restart the active Manager Service node.
c Start the passive Manager Service nodes.
8 Restart the Distributed Execution Manager Orchestrator and Workers and all vRealize Automation
agents, and wait for startup to finish for all components.
You can restart these components in any order.
9 Verify that the service you restarted is registered.
a Open a Web browser to the vRealize Automation appliance management interface URL.
b Click the Services tab.
c Click the Refresh tab to monitor the progress of service startup.
When all services are listed as registered, the system is ready to use.

Shut Down vRealize Automation

To preserve data integrity, you must shut down vRealize Automation in a specified order.
If you are using vCenter Server to manage your virtual machines, use the guest shutdown command to
shut down vRealize Automation.
Procedure
1 Shut down the Distributed Execution Manager Orchestrator and Workers and all vRealize Automation
agents in any order and wait for all components to finish shutting down.
2 Shut down virtual machines that are running the Manager Service and wait for the shutdown to finish.
3 (Optional) For distributed deployments, shut down all secondary Web nodes and wait for the
shutdown to finish.
4 Shut down the primary Web node, and wait for the shutdown to finish.
5 (Optional) For distributed deployments, shut down all secondary vRealize Automation appliance
instances and wait for the shutdown to finish.
6 Shut down the primary vRealize Automation appliance and wait for the shutdown to finish.
If applicable, the primary vRealize Automation appliance is the one that contains the master, or
writeable, appliance database. Make a note of the name of the primary vRealize Automation
appliance. You use this information when you restart vRealize Automation.
7 Shut down the MSSQL virtual machines in any order and wait for the shutdown to finish.
8 If you are using a legacy standalone PostgreSQL database, also shut down that machine.
You shut down your vRealize Automation deployment.
Updating vRealize Automation Certificates
A system administrator can update or replace certificates for vRealize Automation components.
vRealize Automation contains three main components that use SSL certificates in order to facilitate secure communication with each other. These components are as follows:
- vRealize Automation appliance
- IaaS website component
- IaaS manager service component
In addition, your deployment can have certificates for the vRealize Automation appliance management
site. Also, each IaaS machine runs a Management Agent that uses a certificate.
With one exception, changes to later components in this list do not affect earlier ones. The exception is
that an updated certificate for IaaS components must be registered with vRealize Automation appliance.
Typically, self-signed certificates are generated and applied to these components during product
installation. You might need to replace a certificate to switch from self-signed certificates to certificates
provided by a certificate authority or when a certificate expires. When you replace a certificate for a
vRealize Automation component, trust relationships for other vRealize Automation components are
updated automatically.
For instance, in a distributed system with multiple instances of a vRealize Automation appliance, if you
update a certificate for one vRealize Automation appliance all other related certificates are updated
automatically.
Note vRealize Automation supports SHA2 certificates. The self-signed certificates generated by the
system use SHA-256 With RSA Encryption. You may need to update to SHA2 certificates due to
operating system or browser requirements.
The vRealize Automation virtual appliance management console provides three options for updating or replacing certificates for existing deployments:
- Generate certificate - Use this option to have the system generate a self-signed certificate.
- Import certificate - Use this option if you have a certificate that you want to use.
- Provide certificate thumbprint - Use this option if you want to provide a certificate thumbprint to use a certificate that is already deployed in the certificate store on the IaaS servers. Using this option will not transmit the certificate from the virtual appliance to the IaaS servers. It enables users to deploy existing certificates on IaaS servers without uploading them in the vRealize Automation management console.
Also, you can select the Keep Existing option to keep your existing certificate.
Note In a clustered deployment, you must initiate certificate changes from the virtual appliance
management interface on the master node.
Certificates for the vRealize Automation appliance management site do not have registration
requirements.
Note If your certificate uses a passphrase for encryption and you fail to enter it when replacing your
certificate on the virtual appliance, the certificate replacement fails and the message Unable to load
private key appears.
The vRealize Orchestrator component that is associated with your vRealize Automation deployment has
its own certificates, and it must also trust the vRealize Automation certificates. By default, the
vRealize Orchestrator component is embedded in vRealize Automation, but you can elect to use an
external vRealize Orchestrator. In either case, see the vRealize Orchestrator documentation for
information about updating vRealize Orchestrator certificates. If you update or replace the
vRealize Automation certificates, you must update vRealize Orchestrator to trust the new certificates.
Note If you use a multi-node vRealize Orchestrator deployment that is behind a load balancer, all
vRealize Orchestrator nodes must use the same certificate.
For important information about troubleshooting, supportability, and trust requirements for certificates, see
the VMware knowledge base article at http://kb.vmware.com/kb/2106583.
Extracting Certificates and Private Keys
Certificates that you use with the virtual appliances must be in the PEM file format.
The examples in the following table use openssl commands to extract the certificate information you need to configure the virtual appliances.

Table 3-2. Sample Certificate Values and Commands (openssl)

Certificate Authority Provides   Command                                                                            Virtual Appliance Entries
RSA Private Key                  openssl pkcs12 -in path_to_.pfx_certificate_file -nocerts -out key.pem             RSA Private Key
PEM File                         openssl pkcs12 -in path_to_.pfx_certificate_file -clcerts -nokeys -out cert.pem    Certificate Chain
(Optional) Pass Phrase           n/a                                                                                Pass Phrase
Replace Certificates in the vRealize Automation Appliance
The system administrator can update or replace a self-signed certificate with a trusted one from a
certificate authority. You can use Subject Alternative Name (SAN) certificates, wildcard certificates, or any
other method of multi-use certification appropriate for your environment as long as you satisfy the trust
requirements.
When you update or replace the vRealize Automation appliance certificate, trust with other related
components is re-initiated automatically. See Updating vRealize Automation Certificates for more
information about updating certificates.
Procedure
1 Open a Web browser to the vRealize Automation appliance management interface URL.
2 Log in with user name root and the password you specified when deploying the vRealize Automation
appliance.
3 Select vRA Settings > Host Settings.
4 Select the certificate type from the Certificate Action menu.
If you are using a PEM-encoded certificate, for example for a distributed environment, select Import.
Certificates that you import must be trusted and must also be applicable to all instances of
vRealize Automation appliance and any load balancer through the use of Subject Alternative Name
(SAN) certificates.
If you want to generate a CSR request for a new certificate that you can submit to a certificate
authority, select Generate Signing Request. A CSR helps your CA create a certificate with the
correct values for you to import.
Note If you use certificate chains, specify the certificates in the following order:
a Client/server certificate signed by the intermediate CA certificate
b One or more intermediate certificates
c A root CA certificate
Option / Action

Keep Existing
    Leave the current SSL configuration. Select this option to cancel your changes.

Generate Certificate
    a The value displayed in the Common Name text box is the Host Name as it appears on the upper part of the page. If any additional instances of the vRealize Automation appliance are available, their FQDNs are included in the SAN attribute of the certificate.
    b Enter your organization name, such as your company name, in the Organization text box.
    c Enter your organizational unit, such as your department name or location, in the Organizational Unit text box.
    d Enter a two-letter ISO 3166 country code, such as US, in the Country text box.

Generate Signing Request
    a Select Generate Signing Request.
    b Review the entries in the Organization, Organization Unit, Country Code, and Common Name text boxes. These entries are populated from the existing certificate. You can edit these entries if needed.
    c Click Generate CSR to generate a certificate signing request, and then click the Download the generated CSR here link to open a dialog that enables you to save the CSR to a location where you can send it to a certificate authority.
    d When you receive the prepared certificate, click Import and follow the instructions for importing a certificate into vRealize Automation.

Import
    a Copy the certificate values from BEGIN PRIVATE KEY to END PRIVATE KEY, including the header and footer, and paste them in the RSA Private Key text box.
    b Copy the certificate values from BEGIN CERTIFICATE to END CERTIFICATE, including the header and footer, and paste them in the Certificate Chain text box. For multiple certificate values, include a BEGIN CERTIFICATE header and END CERTIFICATE footer for each certificate.
      Note In the case of chained certificates, additional attributes may be available.
    c (Optional) If your certificate uses a pass phrase to encrypt the certificate key, copy the pass phrase and paste it in the Passphrase text box.
5 Click Save Settings.
After a few minutes, the certificate details for all applicable instances of the vRealize Automation
appliance appear on the page.
6 If required by your network or load balancer, copy the imported or newly created certificate to the
virtual appliance load balancer.
You might need to enable root SSH access in order to export the certificate.
a If not already logged in, log in to the vRealize Automation appliance Management Console as
root.
b Click the Admin tab.
c Click the Admin sub menu.
d Select the SSH service enabled check box.
Deselect the check box to disable SSH when finished.
e Select the Administrator SSH login check box.
Deselect the check box to disable SSH when finished.
f Click Save Settings.
7 Confirm that you can log in to vRealize Automation console.
a Open a browser and navigate to https://vcac-hostname.domain.name/vcac/.
If you are using a load balancer, the host name must be the fully qualified domain name of the
load balancer.
b If prompted, continue past the certificate warnings.
c Log in with administrator@vsphere.local and the password you specified when configuring
Directories Management.
The console opens to the Tenants page on the Administration tab. A single tenant named
vsphere.local appears in the list.
8 If you are using a load balancer, configure and enable any applicable health checks.
The certificate is updated.
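As an added example, not part of the VMware documentation, the following Python script pre-checks the values produced by the Extracting Certificates and Private Keys table and pasted under the Import option above: it verifies that every PEM block has matching header and footer and valid base64, that the RSA Private Key box holds exactly one key, that an encrypted key is accompanied by its pass phrase (otherwise the replacement fails with Unable to load private key), and that the Certificate Chain is in the documented order by comparing each certificate's issuer with the next certificate's subject read from the DER encoding. It uses only the standard library; the certificates and keys it builds are constructed, unsigned stand-ins, not real credentials.

```python
import base64
import binascii
import re

# One PEM block: header label, body, footer label (DOTALL so the body spans lines).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END ([A-Z0-9 ]+)-----", re.DOTALL)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

def pem_blocks(text):
    """Return [(label, der_bytes, raw_body)] per PEM block; raises on bad header/footer or base64."""
    out = []
    for begin, body, end in PEM_BLOCK.findall(text):
        if begin != end:
            raise ValueError(f"BEGIN {begin} is closed by END {end}")
        # Legacy encrypted keys put 'Proc-Type:' / 'DEK-Info:' lines before the base64.
        b64 = "".join(line.strip() for line in body.splitlines() if ":" not in line)
        out.append((begin, base64.b64decode(b64, validate=True), body))
    return out

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Return the raw DER encodings of (issuer, subject) of an X.509 certificate."""
    _, p, _ = _tlv(der, 0)                              # Certificate SEQUENCE
    _, p, end = _tlv(der, p)                            # tbsCertificate SEQUENCE
    tag, _, e = _tlv(der, p)
    if tag == 0xA0:                                     # optional [0] EXPLICIT version
        p = e
    fields = []                       # serialNumber, signature, issuer, validity, subject
    while p < end and len(fields) < 5:
        _, _, e = _tlv(der, p)
        fields.append(der[p:e])
        p = e
    return fields[2], fields[4]

def check_import_material(key_pem, chain_pem, passphrase=None):
    """Return the problems found in the RSA Private Key and Certificate Chain values ([] = OK)."""
    try:
        keys, certs = pem_blocks(key_pem), pem_blocks(chain_pem)
    except (ValueError, binascii.Error) as exc:
        return [f"malformed PEM: {exc}"]
    problems = []
    if len(keys) != 1 or keys[0][0] not in KEY_LABELS:
        problems.append("RSA Private Key box must hold exactly one private key block")
    elif not passphrase and (keys[0][0] == "ENCRYPTED PRIVATE KEY"
                             or "Proc-Type: 4,ENCRYPTED" in keys[0][2]):
        problems.append("key is encrypted: without its pass phrase the replacement fails "
                        "with 'Unable to load private key'")
    if not certs or any(label != "CERTIFICATE" for label, _, _ in certs):
        return problems + ["Certificate Chain box must hold only CERTIFICATE blocks"]
    # Documented order: server certificate, then intermediates, then the root CA.
    names = [issuer_and_subject(der) for _, der, _ in certs]
    for i in range(1, len(names)):
        if names[i - 1][0] != names[i][1]:              # issuer of i-1 must be subject of i
            problems.append(f"certificate {i + 1} did not issue certificate {i}: check the chain order")
    if len(names) > 1 and names[0][0] == names[0][1]:
        problems.append("first certificate is self-signed: the chain looks reversed")
    return problems

# Constructed sample data below: unsigned stand-ins, not real credentials.
def _der(tag, content):
    """Minimal DER encoder used only to build the stand-in certificates."""
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _name(cn):
    """X.501 Name with a single commonName (OID 2.5.4.3) attribute."""
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))

def fake_cert_pem(subject_cn, issuer_cn):
    """Stand-in X.509 certificate: only the fields issuer_and_subject() reads are meaningful."""
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
           + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
           + _name(issuer_cn) + _der(0x30, b"") + _name(subject_cn) + _der(0x30, b""))
    der = _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
    return f"-----BEGIN CERTIFICATE-----\n{base64.encodebytes(der).decode()}-----END CERTIFICATE-----\n"

PLAIN_KEY = "-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"   # "AAAA": placeholder base64
ENCRYPTED_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: AES-256-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")
GOOD_CHAIN = (fake_cert_pem("vra.example.com", "Example Issuing CA")
              + fake_cert_pem("Example Issuing CA", "Example Root CA")
              + fake_cert_pem("Example Root CA", "Example Root CA"))

if __name__ == "__main__":
    print("correct order :", check_import_material(PLAIN_KEY, GOOD_CHAIN))
    print("encrypted key :", check_import_material(ENCRYPTED_KEY, GOOD_CHAIN))
```

To check real material, read key.pem and cert.pem produced by the openssl commands above into the two arguments; the chain-order check works on genuine certificates because it only compares the DER-encoded issuer and subject names.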
Replace the Infrastructure as a Service Certificate
The system administrator can replace an expired certificate or a self-signed certificate with one from a
certificate authority to ensure security in a distributed deployment environment.
You can use a Subject Alternative Name (SAN) certificate on multiple machines. Certificates used for the
IaaS components (Website and Manager Service) must be issued with SAN values including FQDNs of
all Windows hosts on which the corresponding component is installed and with the Load Balancer FQDN
for the same component.
There are three options for replacing a certificate:
- Generate certificate - Use this option to have the system generate a self-signed certificate.
- Import certificate - Use this option if you have a certificate that you want to use.
- Provide certificate thumbprint - If you accept a certificate that is signed by a CA but that certificate is not trusted by your system, you must determine whether to accept the certificate thumbprint. The thumbprint is used to quickly determine if a presented certificate is the same as another certificate, such as the certificate that was accepted previously.
Also, you can use Keep Existing to keep your existing certificate.
Procedure
1 Open a Web browser to the vRealize Automation appliance management interface URL.
2 Log in with user name root and the password you specified when deploying the vRealize Automation
appliance.
3 Select vRA Settings > Certificates.
4 Click IaaS Web on the Component Type menu.
5 Go to the IaaS Web Certificate pane.
6 Select the certificate replacement option from the Certificate Action menu.
If you are using a PEM-encoded certificate, for example for a distributed environment, select Import.
Certificates that you import must be trusted and must also be applicable to all instances of
vRealize Automation appliance and any load balancer through the use of Subject Alternative Name
(SAN) certificates.
Note If you use certificate chains, specify the certificates in the following order:
a Client/server certificate signed by the intermediate CA certificate
b One or more intermediate certificates
c A root CA certificate
Option / Description

Keep Existing
    Leave the current SSL configuration. Choose this option to cancel your changes.

Generate Certificate
    a The value displayed in the Common Name text box is the Host Name as it appears on the upper part of the page. If any additional instances of the vRealize Automation appliance are available, their FQDNs are included in the SAN attribute of the certificate.
    b Enter your organization name, such as your company name, in the Organization text box.
    c Enter your organizational unit, such as your department name or location, in the Organizational Unit text box.
    d Enter a two-letter ISO 3166 country code, such as US, in the Country text box.

Import
    a Copy the certificate values from BEGIN PRIVATE KEY to END PRIVATE KEY, including the header and footer, and paste them in the RSA Private Key text box.
    b Copy the certificate values from BEGIN CERTIFICATE to END CERTIFICATE, including the header and footer, and paste them in the Certificate Chain text box. For multiple certificate values, include a BEGIN CERTIFICATE header and END CERTIFICATE footer for each certificate.
      Note In the case of chained certificates, additional attributes may be available.
    c (Optional) If your certificate uses a pass phrase to encrypt the certificate key, copy the pass phrase and paste it in the Passphrase text box.

Provide Certificate Thumbprint
    Use this option if you want to provide a certificate thumbprint to use a certificate that is already deployed in the certificate store on the IaaS servers. Using this option will not transmit the certificate from the virtual appliance to the IaaS servers. It enables users to deploy existing certificates on IaaS servers without uploading them in the management interface.
7 Click Save Settings.
After a few minutes, the certificate details appear on the page.
Replace the IaaS Manager Service Certificate
A system administrator can replace an expired certificate or a self-signed certificate with one from a
certificate authority to ensure security in a distributed deployment environment.
You can use a Subject Alternative Name (SAN) certificate on multiple machines. Certificates used for the
IaaS components (Website and Manager Service) must be issued with SAN values including FQDNs of
all Windows hosts on which the corresponding component is installed and with the Load Balancer FQDN
for the same component.
The IaaS Manager Service and the IaaS Web Service share a single certificate.
Procedure
1 Open a Web browser to the vRealize Automation appliance management interface URL.
2 Log in with user name root and the password you specified when deploying the vRealize Automation
appliance.
3 Select vRA Settings > Certificates.
4 Click Manager Service from the Certificate Type menu.
5 Select the certificate type from the Certificate Action menu.
If you are using a PEM-encoded certificate, for example for a distributed environment, select Import.
Certificates that you import must be trusted and must also be applicable to all instances of
vRealize Automation appliance and any load balancer through the use of Subject Alternative Name
(SAN) certificates.
Note If you use certificate chains, specify the certificates in the following order:
a Client/server certificate signed by the intermediate CA certificate
b One or more intermediate certificates
c A root CA certificate
Option / Description

Keep Existing
    Leave the current SSL configuration. Choose this option to cancel your changes.

Generate Certificate
    a The value displayed in the Common Name text box is the Host Name as it appears on the upper part of the page. If any additional instances of the vRealize Automation appliance are available, their FQDNs are included in the SAN attribute of the certificate.
    b Enter your organization name, such as your company name, in the Organization text box.
    c Enter your organizational unit, such as your department name or location, in the Organizational Unit text box.
    d Enter a two-letter ISO 3166 country code, such as US, in the Country text box.

Import
    a Copy the certificate values from BEGIN PRIVATE KEY to END PRIVATE KEY, including the header and footer, and paste them in the RSA Private Key text box.
    b Copy the certificate values from BEGIN CERTIFICATE to END CERTIFICATE, including the header and footer, and paste them in the Certificate Chain text box. For multiple certificate values, include a BEGIN CERTIFICATE header and END CERTIFICATE footer for each certificate.
      Note In the case of chained certificates, additional attributes may be available.
    c (Optional) If your certificate uses a pass phrase to encrypt the certificate key, copy the pass phrase and paste it in the Passphrase text box.

Provide Certificate Thumbprint
    Use this option if you want to provide a certificate thumbprint to use a certificate that is already deployed in the certificate store on the IaaS servers. Using this option will not transmit the certificate from the virtual appliance to the IaaS servers. It enables users to deploy existing certificates on IaaS servers without uploading them in the management interface.
6 Click Save Settings.
After a few minutes, the certificate details appear on the page.
7 If required by your network or load balancer, copy the imported or newly created certificate to the load
balancer.
8 Open a browser and navigate to https://managerServiceAddress/vmpsProvision/ from a server that is running a DEM worker or agent.
If you are using a load balancer, the host name must be the fully qualified domain name of the load
balancer.
9 If prompted, continue past the certificate warnings.
10 Validate that the new certificate is provided and is trusted.
11 If you are using a load balancer, configure and enable any applicable health checks.
Update Embedded vRealize Orchestrator to Trust vRealize Automation Certificates
If you update or change vRealize Automation appliance or IaaS certificates, you must update
vRealize Orchestrator to trust the new or updated certificates.
This procedure applies to all vRealize Automation deployments that use an embedded
vRealize Orchestrator instance. If you use an external vRealize Orchestrator instance, see Update
External vRealize Orchestrator to Trust vRealize Automation Certificates.
Note This procedure resets tenant and group authentication back to the default settings. If you have
customized your authentication configuration, note your changes so that you can re-configure
authentication after completing the procedure.
See the vRealize Orchestrator documentation for information about updating and replacing
vRealize Orchestrator certificates.
If you replace or update vRealize Automation certificates without completing this procedure, the
vRealize Orchestrator Control Center may be inaccessible, and errors may appear in the vco-server and
vco-configurator log files.
Problems with updating certificates can also occur if vRealize Orchestrator is configured to authenticate
against a different tenant and group than vRealize Automation. See https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2147612.
Procedure
1 Stop the vRealize Orchestrator server and Control Center services.
service vco-server stop
service vco-configurator stop
2 Reset the vRealize Orchestrator authentication provider by running the following command.
/var/lib/vco/tools/configuration-cli/bin/vro-configure.sh reset-authentication
ls -l /etc/vco/app-server/
mv /etc/vco/app-server/vco-registration-id /etc/vco/app-server/vco-registration-id.old
vcac-vami vco-service-reconfigure
3 Check the trusted certificates in the vRealize Orchestrator trust store using the command line interface utility located at /var/lib/vco/tools/configuration-cli/bin with the following command:
/var/lib/vco/tools/configuration-cli/bin/vro-configure.sh list-trust
- Check for the certificate with the following alias: vco.cafe.component-registry.ssl.certificate. This should be the vRealize Automation certificate that the vRealize Orchestrator instance uses as an authentication provider.
- This certificate must match the newly configured vRealize Automation certificate. If it does not match, change it as follows:
1 Copy your vRealize Automation signed appliance certificate PEM file to the /tmp folder on the appliance.
2 Run the following command, adding the appropriate certificate path:
./vro-configure.sh trust --registry-certificate path-to-the-certificate-file-in-PEM-format
See the following example command:
/var/lib/vco/tools/configuration-cli/bin/vro-configure.sh trust --registry-certificate /tmp/certs/vra.pem
4 You may need to run the following commands to trust the certificate:
/var/lib/vco/tools/configuration-cli/bin/vro-configure.sh trust --uri https://vra.domain.com
/var/lib/vco/tools/configuration-cli/bin/vro-configure.sh trust --registry-certificate --uri https://vra.domain.com
5 Ensure that the vRealize Automation certificate is now injected into the vRealize Orchestrator trust
store using the following command:
/var/lib/vco/tools/configuration-cli/bin/vro-configure.sh list-trust
6 Start the vRealize Orchestrator server and control center services.
service vco-server start
service vco-configurator start
Update External vRealize Orchestrator to Trust vRealize Automation Certificates
If you update or change vRealize Automation appliance or IaaS certificates, you must update
vRealize Orchestrator to trust the new or updated certificates.
This procedure applies to vRealize Automation deployments that use an external vRealize Orchestrator
instance.
Note This procedure resets tenant and group authentication back to the default settings. If you have
customized your authentication configuration, note your changes so that you can re-configure
authentication after completing the procedure.
See the vRealize Orchestrator documentation for information about updating and replacing
vRealize Orchestrator certificates.
If you replace or update vRealize Automation certificates without completing this procedure, the
vRealize Orchestrator Control Center may be inaccessible, and errors may appear in the vco-server and
vco-configurator log files.
Problems with updating certificates can also occur if vRealize Orchestrator is configured to authenticate
against a different tenant and group than vRealize Automation. See https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2147612.
Procedure
1 Stop the vRealize Orchestrator server and Control Center services.
service vco-server stop
service vco-configurator stop
2 Reset the vRealize Orchestrator authentication provider.
/var/lib/vco/tools/configuration-cli/bin/vro-configure.sh reset-authentication
3 Start the vRealize Orchestrator Control Center service.
service vco-configurator start
4 Log in to the Control Center using virtual appliance management interface root credentials.
5 Unregister and re-register the authentication provider.
Updating the vRealize Automation Appliance Management Site Certificate
The system administrator can replace the SSL certificate of the management site service when it expires
or to replace a self-signed certificate with one issued by a certificate authority. You secure the
management site service on port 5480.
The vRealize Automation appliance uses lighttpd to run its own management site. When you replace a
management site certificate, you must also configure all Management Agents to recognize the new
certificate.
If you are running a distributed deployment, you can update management agents automatically or
manually. If you are running a minimal deployment, you must update the management agent manually.
See Manually Update Management Agent Certificate Recognition for more information.
Procedure
1 Find the Management Agent Identifier
You use the Management Agent identifier when you create and register a new management site
server certificate.
2 Replace the vRealize Automation Appliance Management Site Certificate
If the SSL certificate of the management site service expires, or you started with a self-signed
certificate and site policies require a different one, you can replace the certificate.
3 Update Management Agent Certificate Recognition
After replacing a vRealize Automation appliance management site certificate, you must update all
management agents to recognize the new certificate and to reestablish trusted communications
between the virtual appliance management site and management agents on IaaS hosts.
Find the Management Agent Identifier
You use the Management Agent identifier when you create and register a new management site server
certificate.
Procedure
1 Open the Management Agent configuration file located at <vra-installation-dir>\Management Agent\VMware.IaaS.Management.Agent.exe.config.
2 Record the value from the id attribute of the agentConfiguration element.
<agentConfiguration id="0E22046B-9D71-4A2B-BB5D-70817F901B27">
Replace the vRealize Automation Appliance Management Site Certificate
If the SSL certificate of the management site service expires, or you started with a self-signed certificate
and site policies require a different one, you can replace the certificate.
You are allowed to reuse the certificate used by the vRealize Automation service on port 443, or use a
different one. If you are requesting a new CA-issued certificate to update an existing certificate, a best
practice is to reuse the Common Name from the existing certificate.
Note The vRealize Automation appliance uses lighttpd to run its own management site. You secure the
management site service on port 5480.
Prerequisites
- The certificate must be in PEM format.
- The certificate must include both of the following, in order, together in one file:
  a RSA private key
  b Certificate chain
- The private key cannot be encrypted.
- The default location and file name is /opt/vmware/etc/lighttpd/server.pem.
See Extracting Certificates and Private Keys for more information about exporting a certificate and private
key from a Java keystore to a PEM file.
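Before you copy a bundle into /opt/vmware/etc/lighttpd/server.pem, the following added example (not from this manual and not VMware code) checks it against the prerequisites above using only the Python standard library: exactly one unencrypted private key first, then the certificate chain, every block with a matching header and footer. It also prints the SHA1 thumbprint of each certificate, which you need later when you update the Management Agents. The same layout check applies to the key and chain text pasted into the Import option of the Certificates page. The sample bundles are constructed placeholders, not real keys or certificates, and the check does not verify the leaf/intermediate/root order of the chain itself.

```python
"""Pre-flight check of a lighttpd server.pem bundle before it replaces the live file.

Added example; not VMware code and not part of this manual. Verifies the layout
this page requires (one unencrypted private key first, then the certificate
chain, all PEM with matching headers and footers) and reports each certificate's
SHA1 thumbprint. The PEM bodies in the samples are constructed placeholders.
"""
import base64
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\r?\n(?P<body>.*?)-----END (?P<end>[A-Z ]+)-----",
    re.DOTALL)


def split_pem(text):
    """Return [(label, body), ...] in file order; a footer that does not match its header raises."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        if m.group("label") != m.group("end"):
            raise ValueError("BEGIN %s is closed by END %s" % (m.group("label"), m.group("end")))
        blocks.append((m.group("label"), m.group("body")))
    return blocks


def thumbprint_sha1(body):
    """SHA1 of the DER bytes, upper-case hex: the form Windows and the agent config show."""
    b64 = "".join(line for line in body.splitlines() if ":" not in line)  # skip Proc-Type/DEK-Info lines
    return hashlib.sha1(base64.b64decode(b64)).hexdigest().upper()


def check_server_pem(text):
    """Return (problems, cert_thumbprints); an empty problems list means the layout is acceptable."""
    problems = []
    blocks = split_pem(text)
    if not blocks:
        return ["no PEM blocks found"], []
    keys = [(i, label, body) for i, (label, body) in enumerate(blocks) if "PRIVATE KEY" in label]
    certs = [body for label, body in blocks if label == "CERTIFICATE"]
    if len(keys) != 1:
        problems.append("expected exactly one private key, found %d" % len(keys))
    elif keys[0][0] != 0:
        problems.append("the private key must be the first block in the file")
    for _, label, body in keys:
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append("the private key is encrypted; lighttpd needs an unencrypted key")
    if not certs:
        problems.append("no CERTIFICATE block follows the key")
    return problems, [thumbprint_sha1(body) for body in certs]


# Constructed samples. Certificate bodies are base64 of "abc" and "def" so the
# thumbprints are predictable; the key body is filler and is never decoded.
SAMPLE_GOOD = """-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAplaceholder
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
ZGVm
-----END CERTIFICATE-----
"""

SAMPLE_BAD = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,00000000000000000000000000000000

MIIEowIBAAKCAQEAplaceholder
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BAD
    problems, prints = check_server_pem(text)
    for p in problems:
        print("PROBLEM:", p)
    for i, tp in enumerate(prints):
        print("certificate %d SHA1 thumbprint: %s" % (i + 1, tp))
```

Run it as `python3 check_server_pem.py /path/to/new-server.pem` on the appliance before step 3 of the procedure; an encrypted key or a certificate placed before the key is reported instead of being discovered when lighttpd fails to restart. The first thumbprint printed is the one the Management Agent configuration must carry after the change.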
Procedure
1 Log in by using the appliance console or SSH.
2 Back up your current certificate file.
cp /opt/vmware/etc/lighttpd/server.pem /opt/vmware/etc/lighttpd/server.pem-bak
3 Copy the new certificate to your appliance by replacing the content of the
file /opt/vmware/etc/lighttpd/server.pem with the new certificate information.
4 Run the following command to restart the lighttpd server.
service vami-lighttp restart
5 Run the following command to restart the haproxy service.
service haproxy restart
6 Log in to the management console and validate that the certificate is replaced. You might need to
restart your browser.
What to do next
Update all management agents to recognize the new certificate.
For distributed deployments, you can update management agents manually or automatically. For minimal
installations, you must update agents manually.
- For information about automatic update, see Automatically Update Management Agents in a Distributed Environment to Recognize a vRealize Automation Appliance Management Site Certificate.
- For information about manual update, see Manually Update Management Agent Certificate Recognition.
Update Management Agent Certificate Recognition
After replacing a vRealize Automation appliance management site certificate, you must update all
management agents to recognize the new certificate and to reestablish trusted communications between
the virtual appliance management site and management agents on IaaS hosts.
Each IaaS host runs a management agent and each management agent must be updated. Minimal
deployments must be updated manually, while distributed deployments can be updated manually or by
using an automated process.
- Manually Update Management Agent Certificate Recognition
  After replacing a vRealize Automation appliance management site certificate, you must update Management Agents manually to recognize the new certificate to reestablish trusted communications between the virtual appliance management site and Management Agents on IaaS hosts.
- Automatically Update Management Agents in a Distributed Environment to Recognize a vRealize Automation Appliance Management Site Certificate
  After the management site certificate is updated in a high-availability deployment, the management agent configuration must also be updated to recognize the new certificate and reestablish trusted communication.
Manually Update Management Agent Certificate Recognition
After replacing a vRealize Automation appliance management site certificate, you must update
Management Agents manually to recognize the new certificate to reestablish trusted communications
between the virtual appliance management site and Management Agents on IaaS hosts.
Perform these steps for each Management Agent in your deployment after you replace a certificate for
the vRealize Automation appliance management site.
For distributed deployments, you can update Management Agents manually or automatically. For
information about automatic update, see Automatically Update Management Agents in a Distributed
Environment to Recognize a vRealize Automation Appliance Management Site Certificate.
Prerequisites
Obtain the SHA1 thumbprint of the new vRealize Automation appliance management site certificate.
Procedure
1 Stop the VMware vCloud Automation Center Management Agent service.
2 Navigate to the Management Agent configuration file located at [vcac_installation_folder]\Management Agent\VMware.IaaS.Management.Agent.exe.Config, typically C:\Program Files (x86)\VMware\vCAC\Management Agent\VMware.IaaS.Management.Agent.exe.Config.
3 Open the file for editing and locate the endpoint configuration setting for the old management site certificate, which you can identify by the endpoint address.
For example:
<agentConfiguration id="C816CFBC-4830-4FD2-8951-C17429CEA291" pollingInterval="00:03:00">
  <managementEndpoints>
    <endpoint address="https://vra-va.local:5480"
              thumbprint="D1542471C30A9CE694A512C5F0F19E45E6FA32E6" />
  </managementEndpoints>
</agentConfiguration>
4 Change the thumbprint to the SHA1 thumbprint of the new certificate.
For example:
<agentConfiguration id="C816CFBC-4830-4FD2-8951-C17429CEA291" pollingInterval="00:03:00">
  <managementEndpoints>
    <endpoint address="https://vra-va.local:5480"
              thumbprint="8598B073359BAE7597F04D988AD2F083259F1201" />
  </managementEndpoints>
</agentConfiguration>
5 Start the VMware vCloud Automation Center Management Agent service.
6 Log in to the virtual appliance management site and go to vRA Settings > Cluster.
7 Check the Distributed Deployment Information table to verify that the IaaS server has contacted the
virtual appliance recently, which confirms that the update is successful.
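The thumbprint edit in steps 3 and 4 can be scripted. The following added example (not from this manual and not VMware code) computes the SHA1 thumbprint from the new certificate's PEM file and rewrites only the endpoint whose address matches, refusing to change the file when the current thumbprint is not the one you expect. It uses the Python standard library; the configuration sample is the one shown above, and SAMPLE_PEM is a constructed stand-in for the real certificate.

```python
"""Rewrite the endpoint thumbprint in VMware.IaaS.Management.Agent.exe.Config.

Added example; not VMware code. The configuration structure is the one shown on
this page, the sample carries the thumbprint from the worked example above, and
SAMPLE_PEM is a constructed stand-in for the new management site certificate.
Standard library only.
"""
import hashlib
import ssl
import xml.etree.ElementTree as ET


def sha1_thumbprint(pem_cert):
    """SHA1 over the DER bytes, upper-case hex without separators: the form the agent config uses."""
    return hashlib.sha1(ssl.PEM_cert_to_DER_cert(pem_cert)).hexdigest().upper()


def update_endpoint_thumbprint(config_xml, address, new_thumbprint, expected_old=None):
    """Return (updated_xml, previous_thumbprint) for the endpoint with the given address.

    Changes nothing when the endpoint is missing or ambiguous, or when expected_old
    is given and does not match, so a wrong address or a stale file cannot silently
    repoint the agent at another management site.
    """
    root = ET.fromstring(config_xml)
    wanted = address.rstrip("/").lower()
    matches = [e for e in root.iter("endpoint")
               if e.get("address", "").rstrip("/").lower() == wanted]
    if len(matches) != 1:
        raise ValueError("expected one endpoint for %s, found %d" % (address, len(matches)))
    endpoint = matches[0]
    old = endpoint.get("thumbprint", "").upper()
    if expected_old is not None and old != expected_old.upper():
        raise ValueError("endpoint thumbprint is %s, expected %s" % (old, expected_old))
    # Accept the colon- or space-separated form that certificate viewers display
    endpoint.set("thumbprint", new_thumbprint.upper().replace(":", "").replace(" ", ""))
    return ET.tostring(root, encoding="unicode"), old


# The endpoint section as shown on this page, carrying the old thumbprint from step 3.
SAMPLE_CONFIG = """<agentConfiguration id="C816CFBC-4830-4FD2-8951-C17429CEA291" pollingInterval="00:03:00">
  <managementEndpoints>
    <endpoint address="https://vra-va.local:5480"
              thumbprint="D1542471C30A9CE694A512C5F0F19E45E6FA32E6" />
  </managementEndpoints>
</agentConfiguration>"""

# Constructed stand-in for the new certificate: PEM wrapping the bytes b"abc", not a real X.509 cert.
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(b"abc")

if __name__ == "__main__":
    new_xml, previous = update_endpoint_thumbprint(
        SAMPLE_CONFIG, "https://vra-va.local:5480", sha1_thumbprint(SAMPLE_PEM),
        expected_old="D1542471C30A9CE694A512C5F0F19E45E6FA32E6")
    print("replaced thumbprint", previous)
    print(new_xml)
```

ElementTree drops XML comments and the XML declaration when it serializes, so on the real VMware.IaaS.Management.Agent.exe.Config (whose root element is configuration, with the agentConfiguration section inside it; root.iter finds the endpoint at any depth) diff the output against a backup before overwriting the file, or paste only the updated thumbprint attribute into the original. Run it after stopping the agent service as in step 1, and start the service again afterwards.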
Automatically Update Management Agents in a Distributed Environment to Recognize a vRealize Automation Appliance Management Site Certificate
After the management site certificate is updated in a high-availability deployment, the management agent
configuration must also be updated to recognize the new certificate and reestablish trusted
communication.
You can update vRealize Automation appliance management site certificate information for distributed
systems manually or automatically. For information about manually updating management agents, see
Manually Update Management Agent Certificate Recognition.
Use this procedure to update the certificate information automatically.
Procedure
1 When Management Agents are running, replace the certificate on a single vRealize Automation
appliance management site in your deployment.
2 Wait fifteen minutes for the management agent to synchronize with the new vRealize Automation
appliance management site certificate.
3 Replace certificates on other vRealize Automation appliance management sites in your deployment.
Management agents are automatically updated with the new certificate information.
Replace a Management Agent Certificate
The system administrator can replace the Management Agent certificate when it expires or replace a self-
signed certificate with one issued by a certificate authority.
Each IaaS host runs its own Management Agent. Repeat this procedure on each IaaS node whose
Management Agent you want to update.
Prerequisites
- Copy the Management Agent identifier in the Node ID column before you remove the record. You use this identifier when you create the new Management Agent certificate and when you register it.
- When you request a new certificate, ensure that the Common Name (CN) attribute in the certificate subject field for the new certificate is typed in the following format:
  VMware Management Agent 00000000-0000-0000-0000-000000000000
  Use the string VMware Management Agent, followed by a single space and the GUID for the Management Agent in the numerical format shown.
Procedure
1 Stop the Management Agent service from your Windows Services snap-in.
a From your Windows machine, click Start.
b In the Windows Start Search box, enter services.msc and press Enter.
c Right-click VMware vCloud Automation Center Management Agent service and click Stop to
stop the service.
2 Remove the current certificate from the machine. For information about managing certificates on Windows Server 2008 R2, see the Microsoft Knowledge Base article at http://technet.microsoft.com/en-us/library/cc772354.aspx or the Microsoft wiki article at http://social.technet.microsoft.com/wiki/contents/articles/2167.how-to-use-the-certificates-console.aspx.
a Open the Microsoft Management Console by entering the command mmc.exe.
b Press Ctrl + M to add a new snap-in to the console or select the option from the File drop-down
menu.