VMware vRealize Automation - 7.4 Installation Manual

Installing vRealize Automation
12 April 2018 vRealize Automation 7.4
You can find the most up-to-date technical documentation on the VMware website at:
https://docs.vmware.com/
docfeedback@vmware.com
VMware, Inc.
3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com
Copyright © 2014–2018 VMware, Inc. All rights reserved. Copyright and trademark information.

Contents

vRealize Automation Installation
1 vRealize Automation Installation Overview
  About vRealize Automation Installation
  New in this vRealize Automation Installation
  vRealize Automation Installation Components
  The vRealize Automation Appliance
  Infrastructure as a Service
  Deployment Type
  Minimal vRealize Automation Deployments
  Distributed vRealize Automation Deployments
  Choosing Your Installation Method
2 Preparing for vRealize Automation Installation
  General Preparation
  Accounts and Passwords
  Host Names and IP Addresses
  Latency and Bandwidth
  vRealize Automation Appliance
  vRealize Automation Appliance Ports
  IaaS Windows Servers
  IaaS Windows Server Ports
  IaaS Web Server
  IaaS Manager Service Host
  IaaS SQL Server Host
  IaaS Distributed Execution Manager Host
  DEM Workers with Amazon Web Services
  DEM Workers with Openstack or PowerVC
  DEM Workers with Red Hat Enterprise Virtualization
  DEM Workers with SCVMM
  Certificates
  vRealize Automation Certificate Requirements
  Extracting Certificates and Private Keys
3 Deploying the vRealize Automation Appliance
  About vRealize Automation Appliance Deployment
  Deploy the vRealize Automation Appliance
  Add Network Interface Controllers Before Running the Installer
4 Installing vRealize Automation with the Installation Wizard
  Using the Installation Wizard for Minimal Deployments
  Start the Installation Wizard for a Minimal Deployment
  Install the vRealize Automation Management Agent
  Completing the Installation Wizard
  Using the Installation Wizard for Enterprise Deployments
  Start the Installation Wizard for an Enterprise Deployment
  Install the vRealize Automation Management Agent
  Completing the Installation Wizard
5 The Standard vRealize Automation Installation Interfaces
  Using the Standard Interfaces for Minimal Deployments
  Minimal Deployment Checklist
  Configure the vRealize Automation Appliance
  Installing IaaS Components
  Using the Standard Interfaces for Distributed Deployments
  Distributed Deployment Checklist
  Disabling Load Balancer Health Checks
  Certificate Trust Requirements in a Distributed Deployment
  Configure Web Component, Manager Service and DEM Host Certificate Trust
  Installation Worksheets
  Configuring Your Load Balancer
  Configuring Appliances for vRealize Automation
  Install the IaaS Components in a Distributed Configuration
  Installing vRealize Automation Agents
  Set the PowerShell Execution Policy to RemoteSigned
  Choosing the Agent Installation Scenario
  Agent Installation Location and Requirements
  Installing and Configuring the Proxy Agent for vSphere
  Installing the Proxy Agent for Hyper-V or XenServer
  Installing the VDI Agent for XenDesktop
  Installing the EPI Agent for Citrix
  Installing the EPI Agent for Visual Basic Scripting
  Installing the WMI Agent for Remote WMI Requests
6 Silent vRealize Automation Installation
  About Silent vRealize Automation Installation
  Perform a Silent vRealize Automation Installation
  Perform a Silent vRealize Automation Management Agent Installation
  Silent vRealize Automation Installation Answer File
  The vRealize Automation Installation Command Line
  vRealize Automation Installation Command-Line Basics
  vRealize Automation Installation Command Names
  The vRealize Automation Installation API
  Convert Between vRealize Automation Silent Properties and JSON
7 vRealize Automation Post-Installation Tasks
  Configure Federal Information Processing Standard Compliant Encryption
  Enable Automatic Manager Service Failover
  About Automatic Manager Service Failover
  Automatic vRealize Automation PostgreSQL Database Failover
  Replacing Self-Signed Certificates with Certificates Provided by an Authority
  Changing Host Names and IP Addresses
  Change the vRealize Automation Appliance Host Name
  Change the vRealize Automation Appliance IP Address
  Adjusting the SQL Database for a Changed Host Name
  Change an IaaS Server IP Address
  Change an IaaS Server Host Name
  Set the vRealize Automation Login URL to a Custom Name
  Licensing vRealize Code Stream
  Installing the vRealize Log Insight Agent on IaaS Servers
  Change the VMware Remote Console Proxy Port
  Change a vRealize Automation Appliance FQDN Back to the Original FQDN
  Configure SQL AlwaysOn Availability Group
  Add Network Interface Controllers After Installing vRealize Automation
  Configure Static Routes
  Access Patch Management
  Install a New Patch
  Install the Current Patch on New Nodes
  Remove the Current Patch
  Configure Access to the Default Tenant
8 Troubleshooting a vRealize Automation Installation
  Default Log Locations
  Rolling Back a Failed Installation
  Roll Back a Minimal Installation
  Roll Back a Distributed Installation
  Create a vRealize Automation Support Bundle
  General Installation Troubleshooting
  Installation or Upgrade Fails with a Load Balancer Timeout Error
  Server Times Are Not Synchronized
  Blank Pages May Appear When Using Internet Explorer 9 or 10 on Windows 7
  Cannot Establish Trust Relationship for the SSL/TLS Secure Channel
  Connect to the Network Through a Proxy Server
  Console Steps for Initial Content Configuration
  Cannot Downgrade vRealize Automation Licenses
  Troubleshooting the vRealize Automation Appliance
  Installers Fail to Download
  Encryption.key File has Incorrect Permissions
  Directories Management Identity Manager Fails to Start After Horizon-Workspace Restart
  Incorrect Appliance Role Assignments After Failover
  Failures After Promotion of Replica and Master Nodes
  Incorrect vRealize Automation Component Service Registrations
  Additional NIC Causes Management Interface Errors
  Cannot Promote a Secondary Virtual Appliance to Master
  Active Directory Sync Log Retention Time Is Too Short
  RabbitMQ Cannot Resolve Host Names
  Troubleshooting IaaS Components
  Prerequisite Fixer Cannot Install .NET Features
  Validating Server Certificates for IaaS
  Credentials Error When Running the IaaS Installer
  Save Settings Warning Appears During IaaS Installation
  Website Server and Distributed Execution Managers Fail to Install
  IaaS Authentication Fails During IaaS Web and Model Management Installation
  Failed to Install Model Manager Data and Web Components
  IaaS Windows Servers Do Not Support FIPS
  Adding an XaaS Endpoint Causes an Internal Error
  Uninstalling a Proxy Agent Fails
  Machine Requests Fail When Remote Transactions Are Disabled
  Error in Manager Service Communication
  Email Customization Behavior Has Changed
  Troubleshooting Log-In Errors
  Attempts to Log In as the IaaS Administrator with Incorrect UPN Format Credentials Fails with No Explanation
  Log In Fails with High Availability
  Proxy Prevents VMware Identity Manager User Log In

vRealize Automation Installation

This vRealize Automation Installation guide contains wizard, manual, and silent installation instructions for VMware vRealize™ Automation.
Note: Not all features and capabilities of vRealize Automation are available in all editions. For a comparison of feature sets in each edition, see https://www.vmware.com/products/vrealize-automation/.
Intended Audience
This information is intended for experienced Windows or Linux system administrators who are familiar with virtual machine technology and data center operations.
VMware Technical Publications Glossary
VMware Technical Publications provides a glossary of terms that might be unfamiliar to you. For definitions of terms as they are used in VMware technical documentation, go to http://www.vmware.com/support/pubs.

1 vRealize Automation Installation Overview
You can install vRealize Automation to support minimal, proof of concept environments, or in different sizes of distributed, enterprise configurations that are capable of handling production workloads. Installation can be interactive or silent.
After installation, you start using vRealize Automation by customizing your setup and configuring tenants, which provides users with access to self-service provisioning and life-cycle management of cloud services.
This chapter includes the following topics:
• About vRealize Automation Installation
• New in this vRealize Automation Installation
• vRealize Automation Installation Components
• Deployment Type
• Choosing Your Installation Method
About vRealize Automation Installation
You can install vRealize Automation through different means, each with varying levels of interactivity.
To install, you deploy a vRealize Automation appliance and then complete the actual installation using one of the following options:
• A consolidated, browser-based Installation Wizard
• Separate browser-based appliance configuration, and separate Windows installations for IaaS server components
• A command line based, silent installer that accepts input from an answer properties file
• An installation REST API that accepts JSON formatted input
New in this vRealize Automation Installation
If you installed earlier versions of vRealize Automation, be aware of changes in the installation for this release before you begin.
• This release simplifies the vRealize Automation appliance renaming process. See Change the vRealize Automation Appliance Host Name.
• In this release, the vRealize Automation appliance uses TLS 1.2 by default. The administration interface includes an option to temporarily enable TLS 1.0 and 1.1, which is needed for updating existing agents to this release.
• The vRealize Automation appliance administration interface now includes a page for installing and managing patches. See Access Patch Management.
• This release describes how to change the default proxy port for VMware Remote Console. See Change the VMware Remote Console Proxy Port.
• This release fixes some broken Help links in the installation wizard.
vRealize Automation Installation Components
A typical vRealize Automation installation consists of a vRealize Automation appliance and one or more Windows servers that, taken together, provide vRealize Automation Infrastructure as a Service (IaaS).

The vRealize Automation Appliance

The vRealize Automation appliance is a preconfigured Linux virtual appliance. The vRealize Automation appliance is delivered as an open virtualization file that you deploy on existing virtualized infrastructure such as vSphere.
The vRealize Automation appliance performs several functions central to vRealize Automation.
• The appliance contains the server that hosts the vRealize Automation product portal, where users log in to access self-service provisioning and management of cloud services.
• The appliance manages single sign-on (SSO) for user authorization and authentication.
• The appliance server hosts a management interface for vRealize Automation appliance settings.
• The appliance includes a preconfigured PostgreSQL database used for internal vRealize Automation appliance operations.
  In large deployments with redundant appliances, the secondary appliance databases serve as replicas to provide high availability.
• The appliance includes a preconfigured instance of vRealize Orchestrator. vRealize Automation uses vRealize Orchestrator workflows and actions to extend its capabilities.
  The embedded instance of vRealize Orchestrator is now recommended. In older deployments or special cases, however, users might connect vRealize Automation to an external vRealize Orchestrator instead.
• The appliance contains the downloadable Management Agent installer. All Windows servers that make up your vRealize Automation IaaS must install the Management Agent.
  The Management Agent registers IaaS Windows servers with the vRealize Automation appliance, automates the installation and management of IaaS components, and collects support and telemetry information.

Infrastructure as a Service

vRealize Automation IaaS consists of one or more Windows servers that work together to model and provision systems in private, public, or hybrid cloud infrastructures.
You install vRealize Automation IaaS components on one or more virtual or physical Windows servers. After installation, IaaS operations appear under the Infrastructure tab in the product interface.
IaaS consists of the following components, which can be installed together or separately, depending on deployment size.
Web Server
The IaaS Web server provides infrastructure administration and service authoring to the vRealize Automation product interface. The Web server component communicates with the Manager Service, which provides updates from the Distributed Execution Manager (DEM), SQL Server database, and agents.
Model Manager
vRealize Automation uses models to facilitate integration with external systems and databases. The models implement business logic used by the DEM.
The Model Manager provides services and utilities for persisting, versioning, securing, and distributing model elements. Model Manager is hosted on one of the IaaS Web servers and communicates with DEMs, the SQL Server database, and the product interface website.
Manager Service
The Manager Service is a Windows service that coordinates communication between IaaS DEMs, the SQL Server database, agents, and SMTP. In addition, the Manager Service communicates with the Web server through the Model Manager and must be run under a domain account with local administrator privileges on all IaaS Windows servers.
Unless you enable automatic Manager Service failover, IaaS requires that only one Windows machine actively runs the Manager Service at a time. For backup or high availability, you may deploy additional Manager Service machines, but the manual failover approach requires that backup machines have the service stopped and configured to start manually.
For more information, see About Automatic Manager Service Failover.
SQL Server Database
IaaS uses a Microsoft SQL Server database to maintain information about the machines it manages, plus its own elements and policies. Most users allow vRealize Automation to create the database during installation. Alternatively, you may create the database separately according to your site policies.
Distributed Execution Manager
The IaaS DEM component runs the business logic of custom models, interacting with the IaaS SQL Server database, and with external databases and systems. A common approach is to install DEMs on the IaaS Windows server that hosts the active Manager Service, but it is not required.
Each DEM instance acts as a worker or orchestrator. The roles can be installed on the same or separate servers.
DEM Worker—A DEM worker has one function, to run workflows. Multiple DEM workers increase capacity and can be installed on the same or separate servers.
DEM Orchestrator—A DEM orchestrator performs the following oversight functions.
• Monitors DEM workers. If a worker stops or loses its connection to Model Manager, the DEM orchestrator moves the workflows to another DEM worker.
• Schedules workflows by creating workflow instances at the scheduled time.
• Ensures that only one instance of a scheduled workflow is running at a given time.
• Preprocesses workflows before they run. Preprocessing includes checking preconditions for workflows and creating the workflow execution history.
The active DEM orchestrator needs a strong network connection to the Model Manager host. In large deployments with multiple DEM orchestrators on separate servers, the secondary orchestrators serve as backups. The secondary DEM orchestrators monitor the active DEM orchestrator, and provide redundancy and failover when a problem occurs with the active DEM orchestrator. For this kind of failover configuration, you might consider installing the active DEM orchestrator with the active Manager Service host, and secondary DEM orchestrators with the standby Manager Service hosts.
Agents
vRealize Automation IaaS uses agents to integrate with external systems and to manage information among vRealize Automation components.
A common approach is to install vRealize Automation agents on the IaaS Windows server that hosts the active Manager Service, but it is not required. Multiple agents increase capacity and can be installed on the same or separate servers.
Virtualization Proxy Agents
vRealize Automation creates and manages virtual machines on virtualization hosts. Virtualization proxy agents send commands to, and collect data from, vSphere ESX Server, XenServer, and Hyper-V hosts, and the virtual machines provisioned on them.
A virtualization proxy agent has the following characteristics.
• Typically requires administrator privileges on the virtualization platform that it manages.
• Communicates with the IaaS Manager Service.
• Is installed separately and has its own configuration file.
Most vRealize Automation deployments install the vSphere proxy agent. You might install other proxy agents depending on the virtualization resources in use at your site.
Virtual Desktop Integration Agents
Virtual desktop integration (VDI) PowerShell agents allow vRealize Automation to integrate with external virtual desktop systems. VDI agents require administrator privileges on the external systems.
You can register virtual machines provisioned by vRealize Automation with XenDesktop on a Citrix Desktop Delivery Controller (DDC), which allows the user to access the XenDesktop Web interface from vRealize Automation.
External Provisioning Integration Agents
External provisioning integration (EPI) PowerShell agents allow vRealize Automation to integrate external systems into the machine provisioning process.
For example, integration with Citrix Provisioning Server enables provisioning of machines by on-demand disk streaming, and an EPI agent allows you to run Visual Basic scripts as extra steps during the provisioning process.
EPI agents require administrator privileges on the external systems with which they interact.
Windows Management Instrumentation Agent
The vRealize Automation Windows Management Instrumentation (WMI) agent enhances your ability to monitor and control Windows system information, and allows you to manage remote Windows servers from a central location. The WMI agent also enables collection of data from Windows servers that vRealize Automation manages.

Deployment Type

You can install vRealize Automation as a minimal deployment for proof of concept or development work, or in a distributed configuration suitable for medium to large production workloads.
Minimal vRealize Automation Deployments
Minimal deployments include one vRealize Automation appliance and one Windows server that hosts the IaaS components. In a minimal deployment, the vRealize Automation SQL Server database can be on the same IaaS Windows server with the IaaS components, or on a separate Windows server.
Figure 1-1. Minimal vRealize Automation Deployment
[Diagram: Users; vRealize Automation Appliance (Appliance Postgres DB, vRealize Orchestrator); vRealize Automation Infrastructure as a Service (IaaS) server running IIS with the Web Server, Model Manager Host, Manager Service Host, Distributed Execution Manager (DEM), and Agent; IaaS SQL Server Database; Virtualization Resources.]
You cannot convert a minimal deployment to an enterprise deployment. To scale a deployment up, start with a small enterprise deployment, and add components to that. Starting with a minimal deployment is not supported.
Note: The vRealize Automation documentation includes a complete, sample minimal deployment scenario that walks you through installation and how to start using the product for proof of concept. See Installing and Configuring vRealize Automation for the Rainpole Scenario.
Distributed vRealize Automation Deployments
Distributed, enterprise deployments can be of varying size. A basic distributed deployment might improve vRealize Automation simply by hosting IaaS components on separate Windows servers as shown in the following figure.
Figure 1-2. Distributed vRealize Automation Deployment
[Diagram: Users; vRealize Automation Appliance (Appliance Postgres DB, vRealize Orchestrator); vRealize Automation Infrastructure as a Service (IaaS) on separate servers: IaaS Web Server and Model Manager Host (IIS), IaaS Manager Service Host, IaaS DEM(s), IaaS Agent(s), IaaS SQL Server Database; Virtualization Resources.]
Many production deployments go even further, with redundant appliances, redundant servers, and load balancing for even more capacity. Large, distributed deployments provide for better scale, high availability, and disaster recovery. Note that the embedded instance of vRealize Orchestrator is now recommended, but you might see vRealize Automation connected to an external vRealize Orchestrator in older deployments.
Figure 1-3. Large Distributed and Load Balanced vRealize Automation Deployment
[Diagram: Users; vRealize Automation Appliance Load Balancer; Primary vRealize Automation Appliance and Additional vRealize Automation Appliances (Appliance Postgres DB, vRealize Orchestrator); Load Balancer with Additional vRealize Orchestrators; IaaS Web Server Load Balancer; IaaS Web Server and Model Manager Host (IIS); Additional IaaS Web Servers without Model Manager (IIS); IaaS Manager Service Load Balancer; Active IaaS Manager Service Host; Passive IaaS Manager Service Hosts; IaaS DEM Orchestrator(s); IaaS DEM Worker(s); IaaS Agent(s); IaaS SQL Server Database; Virtualization Resources.]
For more information about scalability and high availability, see the vRealize Automation Reference Architecture guide.

Choosing Your Installation Method

The consolidated vRealize Automation Installation Wizard is your primary tool for new vRealize Automation installations. Alternatively, you might want to perform the manual, separate installation processes or a silent installation.
• The Installation Wizard provides a simple and fast way to install, from minimal deployments to distributed enterprise deployments with or without load balancers. Most users run the Installation Wizard.
• If you want to expand a vRealize Automation deployment or if the Installation Wizard stopped for any reason, you need the manual installation steps. After you begin a manual installation, you cannot go back and run the Installation Wizard.
• Depending on your site needs, you might also take advantage of silent, command line or API-based installation.

2 Preparing for vRealize Automation Installation
You install vRealize Automation into existing virtualization infrastructure. Before you begin an installation, you need to address certain environmental and system requirements.
This chapter includes the following topics:
• General Preparation
• Accounts and Passwords
• Host Names and IP Addresses
• Latency and Bandwidth
• vRealize Automation Appliance
• IaaS Windows Servers
• IaaS Web Server
• IaaS Manager Service Host
• IaaS SQL Server Host
• IaaS Distributed Execution Manager Host
• Certificates
General Preparation
There are several deployment-wide considerations to be aware of before installing vRealize Automation.
For more about high-level environment requirements, including supported operating system and browser versions, see the vRealize Automation Support Matrix.
User Web Browsers
Multiple browser windows and tabs are not supported. vRealize Automation supports one session per user.
VMware Remote Consoles provisioned on vSphere support only a subset of vRealize Automation supported browsers.
Third Party Software
All third-party software should have the latest vendor patches. Third-party software includes Microsoft Windows and SQL Server.
Time Synchronization
All vRealize Automation appliances and IaaS Windows servers must synchronize to the same time source. You may use only one of the following sources. Do not mix time sources.
• The vRealize Automation appliance host
• One external network time protocol (NTP) server
To use the vRealize Automation appliance host, you must run NTP on the ESXi host. For more about timekeeping, see VMware Knowledge Base article 1318.
You select the time source on the Installation Prerequisites page of the Installation Wizard.

Accounts and Passwords

There are several user accounts and passwords that you might need to create or plan settings for, before installing vRealize Automation.
IaaS Service Account
IaaS installs several Windows services that must run under a single user account.
• The account must be a domain user.
• The account does not need to be a domain administrator, but must have local administrator permission, before installation, on all IaaS Windows servers.
• The account password cannot contain a double quotation mark ( " ) character.
• The Management Agent installer for IaaS Windows servers prompts you for the account credentials.
• The account must have Log on as a service permission, which lets the Manager Service start and generate log files.
• The account must have dbo permission on the IaaS database.
  If you use the installer to create the database, add the account login to SQL Server before installation. The installer grants the dbo permission after it creates the database.
• If you use the installer to create the database, in SQL, add the sysadmin role to the account before installation.
  The sysadmin role is not required if you choose to use a pre-existing empty database.
IIS Application Pool Identity
The account you use as the IIS application pool identity for the Model Manager Web service must have Log on as batch job permission.
IaaS Database Credentials
You can let the vRealize Automation installer create the database, or you can create it separately using SQL Server. When the vRealize Automation installer creates the database, the following requirements apply.
• For the vRealize Automation installer, if you select Windows Authentication, the account that runs the Management Agent on the primary IaaS Web server must have the sysadmin role in SQL to create and alter the size of the database.
• For the vRealize Automation installer, even if you do not select Windows Authentication, the account that runs the Management Agent on the primary IaaS Web server must have the sysadmin role in SQL because the credentials are used at runtime.
• If you separately create the database, the Windows user or SQL user credentials that you provide only need dbo permission on the database.
IaaS Database Security Passphrase
The database security passphrase generates an encryption key that protects data in the IaaS SQL database. You specify the security passphrase on the IaaS Host page of the Installation Wizard.
• Plan to use the same database security passphrase across the entire installation so that each component has the same encryption key.
• Record the passphrase, because you need the passphrase to restore the database if there is a failure or to add components after initial installation.
• The database security passphrase cannot contain a double quotation mark ( " ) character. The passphrase is accepted when you create it but causes the installation to fail.
vSphere Endpoints
If you plan to provision to a vSphere endpoint, you need a domain or local account with enough permission to perform operations on the target. The account also needs the appropriate level of permission configured in vRealize Orchestrator.
vRealize Automation Administrator Password
After installation, the vRealize Automation administrator password logs you in to the default tenant. You specify the administrator password on the Single Sign-On page of the Installation Wizard.
The vRealize Automation administrator password cannot contain a trailing equals ( = ) character. The password is accepted when you create it but results in errors later, when you perform operations such as saving endpoints.

Host Names and IP Addresses

vRealize Automation requires that you name the hosts in your installation according to certain requirements.
• All vRealize Automation machines in your installation must be able to resolve each other by fully qualified domain name (FQDN).
  While performing the installation, always enter the complete FQDN when identifying or selecting a vRealize Automation machine. Do not enter IP addresses or short machine names.
• In addition to the FQDN requirement, Windows machines that host the Model Manager Web service, Manager Service, and Microsoft SQL Server database must be able to resolve each other by Windows Internet Name Service (WINS) name.
  Configure your Domain Name System (DNS) to resolve these short WINS host names.
• Preplan domain and machine naming so that vRealize Automation machine names begin with letters (a–z, A–Z), end with letters or digits (0–9), and have only letters, digits, or hyphens ( - ) in the middle. The underscore character ( _ ) must not appear in the host name or anywhere in the FQDN.
  For more information about allowable names, review the host name specifications from the Internet Engineering Task Force. See www.ietf.org.
• In general, you should expect to keep the host names and FQDNs that you planned for vRealize Automation systems. Changing a host name is not always possible. When a change is possible, it might be a complicated procedure.
• A best practice is to reserve and use static IP addresses for all vRealize Automation appliances and IaaS Windows servers. vRealize Automation supports DHCP, but static IP addresses are recommended for long-term deployments such as production environments.
• You apply an IP address to the vRealize Automation appliance during OVF or OVA deployment.
• For the IaaS Windows servers, you follow the usual operating system process. Set the IP address before installing vRealize Automation IaaS.
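The naming rules in this section and the character restrictions from Accounts and Passwords can be checked against a planning worksheet before installation starts. The following is an added example, not VMware code: the worksheet layout, key names, host names, and sample secrets are constructed for illustration, and the rule applied to domain labels after the host name is an assumption.

```python
import ipaddress
import re

# Page rule for the machine (host) label: begins with a letter, ends with a
# letter or digit, only letters, digits, or hyphens in the middle.
HOST_LABEL = re.compile(r"[A-Za-z](?:[A-Za-z0-9-]*[A-Za-z0-9])?")
# Assumption, not stated on the page: the remaining domain labels follow the
# usual letters-digits-hyphen rule and may begin with a digit.
DOMAIN_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")

# Character restrictions the page gives for each secret (key names are
# hypothetical worksheet keys).
NO_DOUBLE_QUOTE = {"iaas_service_account_password", "database_security_passphrase"}
NO_TRAILING_EQUALS = {"administrator_password"}


def check_fqdn(name):
    """Return the problems with a planned machine name; an empty list means OK."""
    try:
        ipaddress.ip_address(name)
    except ValueError:
        pass
    else:
        return ["IP address given; enter the complete FQDN"]
    problems = []
    if "_" in name:
        problems.append("underscore must not appear anywhere in the FQDN")
    labels = name.split(".")
    if len(labels) < 2:
        problems.append("short machine name given; enter the complete FQDN")
    if not HOST_LABEL.fullmatch(labels[0]):
        problems.append("host name must begin with a letter, end with a letter "
                        "or digit, and use only letters, digits, or hyphens")
    if any(not DOMAIN_LABEL.fullmatch(label) for label in labels[1:]):
        problems.append("domain label must use only letters, digits, or hyphens")
    return problems


def check_secret(kind, value):
    """Return the problems with a secret. The value is never echoed back."""
    problems = []
    if kind in NO_DOUBLE_QUOTE and '"' in value:
        problems.append("contains a double quotation mark")
    if kind in NO_TRAILING_EQUALS and value.endswith("="):
        problems.append("ends with an equals character")
    return problems


def preflight(worksheet):
    """Check every host and secret; return only the entries that fail."""
    findings = {}
    for role, name in worksheet["hosts"].items():
        problems = check_fqdn(name)
        if problems:
            findings["host:" + role] = problems
    for kind, value in worksheet["secrets"].items():
        problems = check_secret(kind, value)
        if problems:
            findings["secret:" + kind] = problems
    return findings


# Constructed sample worksheet; none of these values come from a real site.
SAMPLE_WORKSHEET = {
    "hosts": {
        "appliance": "vra-app01.example.test",
        "iaas_web": "iaas_web01.example.test",   # underscore
        "manager_service": "vra-mgr01",          # short name
        "sql_server": "10.0.0.25",               # IP address
        "dem": "1dem.example.test",              # begins with a digit
    },
    "secrets": {
        "iaas_service_account_password": 'Corr"ect-Horse-7',
        "database_security_passphrase": "long passphrase without quotes",
        "administrator_password": "Tr4il1ng-Equals=",
    },
}

if __name__ == "__main__":
    for item, problems in preflight(SAMPLE_WORKSHEET).items():
        print(item + ": " + "; ".join(problems))
```

Running the check before deployment matters most for the passphrase and administrator password, because the page notes that both are accepted when created and only cause failures later.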

Latency and Bandwidth

vRealize Automation supports multiple site, distributed installation, but data transmission speed and volume must meet minimum prerequisites.
vRealize Automation needs an environment of 5 ms or lower network latency, and 1 GB or higher bandwidth, among the following components.
• vRealize Automation appliance
• IaaS Web server
• IaaS Model Manager host
• IaaS Manager Service host
• IaaS SQL Server database
• IaaS DEM Orchestrator
The following component might work at a higher latency site, but the practice is not recommended.
• IaaS DEM Worker
You may install the following component at the site of the endpoint with which it communicates.
• IaaS Proxy Agent

vRealize Automation Appliance

Most vRealize Automation appliance requirements are preconfigured in the OVF or OVA that you deploy. The same requirements apply to standalone, master, or replica vRealize Automation appliances.
The minimum virtual machine hardware on which you can deploy is Version 7, or ESX/ESXi 4.x or later. See VMware Knowledge Base article 2007240. Because of the hardware resource demand, do not deploy on VMware Workstation.
After deployment, you might use vSphere to adjust vRealize Automation appliance hardware settings to meet Active Directory requirements. See the following table.
Table 2-1. vRealize Automation Appliance Hardware Requirements for Active Directory

| vRealize Automation Appliance for Small Active Directories | vRealize Automation Appliance for Large Active Directories |
| --- | --- |
| 4 CPUs | 4 CPUs |
| 18 GB memory | 22 GB memory |
| 60 GB disk storage | 60 GB disk storage |

A small Active Directory has up to 25,000 users in the organizational unit (OU) to be synced in the ID Store configuration. A large Active Directory has more than 25,000 users in the OU.

vRealize Automation Appliance Ports

Ports on the vRealize Automation appliance are usually preconfigured in the OVF or OVA that you deploy.
The following ports are used by the vRealize Automation appliance.
Table 2-2. Incoming Ports

| Port | Protocol | Comments |
| --- | --- | --- |
| 22 | TCP | Optional. Access for SSH sessions. |
| 80 | TCP | Optional. Redirects to 443. |
| 88 | TCP (UDP optional) | Cloud KDC Kerberos authentication from external mobile devices. |
| 443 | TCP | Access to the vRealize Automation console and API calls. Access for machines to download the guest agent and software bootstrap agent. Access for load balancer, browser. |
| 4369, 5671, 5672, 25672 | TCP | RabbitMQ messaging. |
| 5480 | TCP | Access to the virtual appliance management interface. Used by the Management Agent. |
| 5488, 5489 | TCP | Internally used by the vRealize Automation appliance for updates. |
| 8230, 8280, 8281, 8283 | TCP | Internal vRealize Orchestrator instance. |
| 8443 | TCP | Access for browser. Identity Manager administrator port over HTTPS. |
| 8444 | TCP | Console proxy communication for vSphere VMware Remote Console connections. |
| 9300–9400 | TCP | Access for Identity Manager audits. |
| 54328 | UDP | |

Table 2-3. Outgoing Ports

| Port | Protocol | Comments |
| --- | --- | --- |
| 25, 587 | TCP, UDP | SMTP for sending outbound notification email. |
| 53 | TCP, UDP | DNS server. |
| 67, 68, 546, 547 | TCP, UDP | DHCP. |
| 80 | TCP | Optional. For fetching software updates. Updates can be downloaded separately and applied. |
| 88, 464, 135 | TCP, UDP | Domain controller. |
| 110, 995 | TCP, UDP | POP for receiving inbound notification email. |
| 143, 993 | TCP, UDP | IMAP for receiving inbound notification email. |
| 123 | TCP, UDP | Optional. For connecting directly to NTP instead of using host time. |
| 389 | TCP | Access to View Connection Server. |
| 389, 636, 3268, 3269 | TCP | Active Directory. Default ports shown, but are configurable. |
| 443 | TCP | Communication with IaaS Manager Service and infrastructure endpoint hosts over HTTPS. Communication with the vRealize Automation software service over HTTPS. Access to the Identity Manager upgrade server. Access to View Connection Server. |
| 445 | TCP | Access to ThinApp repository for Identity Manager. |
| 902 | TCP | ESXi network file copy operations and VMware Remote Console connections. |
| 5050 | TCP | Optional. For communicating with vRealize Business for Cloud. |
| 5432 | TCP, UDP | Optional. For communicating with another appliance PostgreSQL database. |
| 5500 | TCP | RSA SecurID system. Default port shown, but is configurable. |
| 8281 | TCP | Optional. For communicating with an external vRealize Orchestrator instance. |
| 9300–9400 | TCP | Access for Identity Manager audits. |
| 54328 | UDP | |

Other ports might be required by specific vRealize Orchestrator plug-ins that communicate with external systems. See the documentation for the vRealize Orchestrator plug-in.

IaaS Windows Servers

All Windows servers that host IaaS components must meet certain requirements. Address requirements before you run the vRealize Automation Installation Wizard or the standard Windows-based installer.
- Place all IaaS Windows servers on the same domain. Do not use Workgroups.
- Each server needs the following minimum hardware.
  - 2 CPUs
  - 8 GB memory
  - 40 GB disk storage

  A server that hosts the SQL database together with IaaS components might need additional hardware.
- Because of the hardware resource demand, do not deploy on VMware Workstation.
- Install Microsoft .NET Framework 4.5.2 or later.
  A copy of .NET is available from any vRealize Automation appliance:
  https://vrealize-automation-appliance-fqdn:5480/installer/
  If you use Internet Explorer for the download, verify that Enhanced Security Configuration is disabled. Navigate to res://iesetup.dll/SoftAdmin.htm on the Windows server.
- Install Microsoft PowerShell 2.0, 3.0, or 4.0, based on your version of Windows.
  Note that some vRealize Automation upgrades or migrations might require an older or newer PowerShell version, in addition to the one that you are currently running.
- If you install more than one IaaS component on the same Windows server, plan to install them to the same installation folder. Do not use different paths.
- IaaS servers use TLS for authentication, which is enabled by default on some Windows servers.
  Some sites disable TLS for security reasons, but you must leave at least one TLS protocol enabled. This version of vRealize Automation supports TLS 1.2.
- Enable the Distributed Transaction Coordinator (DTC) service. IaaS uses DTC for database transactions and actions such as workflow creation.
  Note: If you clone a machine to make an IaaS Windows server, install DTC on the clone after cloning. If you clone a machine that already has DTC, its unique identifier is copied to the clone, which causes communication to fail. See Error in Manager Service Communication.
  Also enable DTC on the server that hosts the SQL database, if it is separate from IaaS. For more about DTC enablement, see VMware Knowledge Base article 2038943.
- Verify that the Secondary Log On service is running. If desired, you may stop the service after installation is complete.

IaaS Windows Server Ports

Ports on the IaaS Windows servers must be configured before vRealize Automation installation.
Open ports between all IaaS Windows servers according to the following tables. Include the server that hosts the SQL database, if it is separate from IaaS. Alternatively, if site policies allow, you may disable firewalls between IaaS Windows servers and SQL Server.
Table 2-4. Incoming Ports

| Port | Protocol | Component | Comments |
| --- | --- | --- | --- |
| 443 | TCP | Manager Service | Communication with IaaS components and vRealize Automation appliance over HTTPS |
| 443 | TCP | vRealize Automation appliance | Communication with IaaS components and vRealize Automation appliance over HTTPS |
| 443 | TCP | Infrastructure Endpoint Hosts | Communication with IaaS components and vRealize Automation appliance over HTTPS. Typically, 443 is the default communication port for virtual and cloud infrastructure endpoint hosts, but refer to the documentation provided by your infrastructure hosts for a full list of default and required ports |
| 443 | TCP | Guest agent, Software bootstrap agent | Communication with Manager Service over HTTPS |
| 443 | TCP | DEM Worker | Communication with NSX Manager |
| 1433 | TCP | SQL Server instance | MSSQL |

Table 2-5. Outgoing Ports

| Port | Protocol | Component | Comments |
| --- | --- | --- | --- |
| 53 | TCP, UDP | All | DNS |
| 67, 68, 546, 547 | TCP, UDP | All | DHCP |
| 123 | TCP, UDP | All | Optional. NTP |
| 443 | TCP | Manager Service | Communication with vRealize Automation appliance over HTTPS |
| 443 | TCP | Distributed Execution Managers | Communication with Manager Service over HTTPS |
| 443 | TCP | Proxy agents | Communication with Manager Service and infrastructure endpoint hosts over HTTPS |
| 443 | TCP | Management Agent | Communication with the vRealize Automation appliance |
| 443 | TCP | Guest agent, Software bootstrap agent | Communication with Manager Service over HTTPS |
| 1433 | TCP | Manager Service, Website | MSSQL |
| 5480 | TCP | All | Communication with the vRealize Automation appliance. |

Also, because you enable DTC between all servers, DTC requires port 135 over TCP and a random port between 1024 and 65535. Note that the Prerequisite Checker validates that DTC is running and the required ports are open.
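
The following PowerShell sketch is an added example, not part of the VMware manual. It tests the outgoing TCP destinations from the tables above from one IaaS Windows server, so that firewall rules can be scoped to the listed ports and confirmed before the installer runs. The three host names are placeholders (assumptions); it uses only .NET socket classes so that it also runs on PowerShell 2.0.

```powershell
# Added example (not from the VMware manual). Host names are placeholders;
# replace them with the FQDNs of your own deployment.
$Appliance      = 'vra-appliance.example.local'   # assumption
$ManagerService = 'iaas-manager.example.local'    # assumption
$SqlServer      = 'iaas-sql.example.local'        # assumption

# Destination/port pairs from the outgoing ports table, plus TCP 135 for DTC.
$Checks = @(
    @{ Target = $Appliance;      Port = 443;  Purpose = 'vRealize Automation appliance over HTTPS' },
    @{ Target = $Appliance;      Port = 5480; Purpose = 'Communication with the appliance (5480)' },
    @{ Target = $ManagerService; Port = 443;  Purpose = 'Manager Service over HTTPS' },
    @{ Target = $SqlServer;      Port = 1433; Purpose = 'MSSQL' },
    @{ Target = $SqlServer;      Port = 135;  Purpose = 'DTC (TCP 135)' }
)

function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($Target, $Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false              # no answer in time: filtered or dropped
        }
        $client.EndConnect($pending)   # throws if the connection was refused
        return $true
    }
    catch { return $false }            # refused, unreachable, or name not resolved
    finally { $client.Close() }
}

$results = foreach ($check in $Checks) {
    New-Object PSObject -Property @{
        Target  = $check.Target
        Port    = $check.Port
        Purpose = $check.Purpose
        Open    = (Test-TcpPort -Target $check.Target -Port $check.Port)
    }
}
$results | Select-Object Target, Port, Open, Purpose | Format-Table -AutoSize

# DTC and Secondary Log On are local service prerequisites from this chapter.
Get-Service -Name MSDTC, seclogon | Select-Object Name, Status | Format-Table -AutoSize
```

The script does not test the random DTC port between 1024 and 65535; the Prerequisite Checker remains the check for that.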

IaaS Web Server

A Windows server that hosts the Web component must meet additional requirements, in addition to those for all IaaS Windows servers.
The requirements are the same, whether or not the Web component hosts the Model Manager.
- Configure Java.
  - Install 64-bit Java 1.8 or later. Do not use 32-bit.
    The JRE is enough. You do not need the full JDK.
  - Set the JAVA_HOME environment variable to the Java installation folder.
  - Verify that %JAVA_HOME%\bin\java.exe is available.
- Configure Internet Information Services (IIS) according to the following table.
  You need IIS 7.5 for Windows 2008 variants, IIS 8 for Windows 2012, and IIS 8.5 for Windows 2012 R2.
  In addition to the configuration settings, avoid hosting additional Web sites in IIS. vRealize Automation sets the binding on its communication port to all unassigned IP addresses, making no additional bindings possible. The default vRealize Automation communication port is 443.

Table 2-6. IaaS Manager Service Host Internet Information Services

| IIS Component | Setting |
| --- | --- |
| Internet Information Services (IIS) roles | Windows Authentication; Static Content; Default Document; ASPNET 3.5 and ASPNET 4.5; ISAPI Extensions; ISAPI Filter |
| IIS Windows Process Activation Service roles | Configuration API; Net Environment; Process Model; WCF Activation (Windows 2008 variants only); HTTP Activation; Non-HTTP Activation (Windows 2008 variants only) (Windows 2012 variants: Go to Features > .Net Framework 3.5 Features > Non-HTTP Activation) |
| IIS Authentication settings | Set the following non-defaults: Windows Authentication enabled; Anonymous Authentication disabled. Do not change the following defaults: Negotiate Provider enabled; NTLM Provider enabled; Windows Authentication Kernel Mode enabled; Windows Authentication Extended Protection disabled; For certificates using SHA512, TLS1.2 must be disabled on Windows 2012 variants |

IaaS Manager Service Host

A Windows server that hosts the Manager Service component must meet additional requirements, in addition to those for all IaaS Windows servers.
The requirements are the same, whether the Manager Service host is a primary or backup.
- No firewalls can exist between a Manager Service host and DEM host. For port information, see IaaS Windows Server Ports.
- The Manager Service host must be able to resolve the NETBIOS name of the SQL Server database host. If it cannot resolve the NETBIOS name, add the SQL Server NETBIOS name to the Manager Service machine /etc/hosts file.
- Configure Internet Information Services (IIS) according to the following table.
  You need IIS 7.5 for Windows 2008 variants, IIS 8 for Windows 2012, and IIS 8.5 for Windows 2012 R2.
  In addition to the configuration settings, avoid hosting additional Web sites in IIS. vRealize Automation sets the binding on its communication port to all unassigned IP addresses, making no additional bindings possible. The default vRealize Automation communication port is 443.

Table 2-7. IaaS Manager Service Host Internet Information Services

| IIS Component | Setting |
| --- | --- |
| Internet Information Services (IIS) roles | Windows Authentication; Static Content; Default Document; ASPNET 3.5 and ASPNET 4.5; ISAPI Extensions; ISAPI Filter |
| IIS Windows Process Activation Service roles | Configuration API; Net Environment; Process Model; WCF Activation (Windows 2008 variants only); HTTP Activation; Non-HTTP Activation (Windows 2008 variants only) (Windows 2012 variants: Go to Features > .Net Framework 3.5 Features > Non-HTTP Activation) |
| IIS Authentication settings | Set the following non-defaults: Windows Authentication enabled; Anonymous Authentication disabled. Do not change the following defaults: Negotiate Provider enabled; NTLM Provider enabled; Windows Authentication Kernel Mode enabled; Windows Authentication Extended Protection disabled; For certificates using SHA512, TLS1.2 must be disabled on Windows 2012 variants |

IaaS SQL Server Host

A Windows server that hosts the IaaS SQL database must meet certain requirements.
Your SQL Server can reside on one of your IaaS Windows servers, or on a separate host. When hosted together with IaaS components, these requirements are in addition to those for all IaaS Windows servers.
- This release of vRealize Automation does not support the default SQL Server 2016 130 compatibility mode. If you separately create an empty SQL Server 2016 database for use with IaaS, use 100 or 120 compatibility mode.
  If you create the database through the vRealize Automation installer, compatibility is already configured.
- AlwaysOn Availability Group (AAG) is only supported with SQL Server 2016 Enterprise. When you use AAG, you specify the AAG listener FQDN as the SQL Server host.
- When hosted together with IaaS components, configure Java.
  - Install 64-bit Java 1.8 or later. Do not use 32-bit.
    The JRE is enough. You do not need the full JDK.
  - Set the JAVA_HOME environment variable to the Java installation folder.
  - Verify that %JAVA_HOME%\bin\java.exe is available.
- Use a supported SQL Server version from the vRealize Automation Support Matrix.
- Enable TCP/IP protocol for SQL Server.
- SQL Server includes a model database that is the template for all databases created on the SQL instance. For IaaS to install correctly, do not change the model database size.
- Usually, the server needs more hardware than the minimums described in IaaS Windows Servers.
- Before running the vRealize Automation installer, you need to identify accounts and add permissions in SQL. See Accounts and Passwords.

IaaS Distributed Execution Manager Host

A Windows server that hosts the Distributed Execution Manager (DEM) Orchestrator or Worker component must meet additional requirements, in addition to those for all IaaS Windows servers.
No firewalls can exist between a DEM host and Manager Service host. For port information, see IaaS Windows Server Ports.
DEM Workers might have additional requirements depending on the provisioning resources with which they interact.

DEM Workers with Amazon Web Services

A vRealize Automation IaaS DEM Worker that communicates with Amazon Web Services (AWS) must meet additional requirements, in addition to those for all IaaS Windows servers and DEMs in general.
A DEM Worker can communicate with AWS for provisioning. The DEM Worker communicates with, and collects data from, an Amazon EC2 account.
- The DEM Worker must have Internet access.
- If the DEM Worker is behind a firewall, HTTPS traffic must be allowed to and from aws.amazon.com as well as the URLs for EC2 regions that your AWS accounts have access to, such as ec2.us-east-1.amazonaws.com for the US East region.
  Each URL resolves to a range of IP addresses, so you might need to use a tool, such as the one available from the Network Solutions Web site, to list and configure these IP addresses.
- If the DEM Worker reaches the Internet through a proxy server, the DEM service must be running under credentials that can authenticate to the proxy server.

DEM Workers with Openstack or PowerVC

A vRealize Automation IaaS DEM Worker that communicates with and collects data from Openstack or PowerVC must meet additional requirements, in addition to those for all IaaS Windows servers and DEMs in general.
Table 2-8. DEM Worker Openstack and PowerVC Requirements

Your Installation: All
Requirements: In Windows Registry, enable TLS v1.2 support for .NET framework. For example:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
    "SchUseStrongCrypto"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
    "SchUseStrongCrypto"=dword:00000001

Your Installation: Windows 2008 DEM Host
Requirements: In Windows Registry, enable TLS v1.2 protocol. For example:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
    "DisabledByDefault"=dword:00000000
    "Enabled"=dword:00000001

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
    "DisabledByDefault"=dword:00000000
    "Enabled"=dword:00000001

Your Installation: Self-signed certificates on your infrastructure endpoint host
Requirements: If your PowerVC or Openstack instance is not using trusted certificates, import the SSL certificate from your PowerVC or Openstack instance into the Trusted Root Certificate Authorities store on each IaaS Windows server where you intend to install a vRealize Automation DEM.
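
The registry values in the table above can be audited before and after the change. The following read-only PowerShell sketch is an added example, not part of the VMware manual; it reports each value as Match, Mismatch or NotSet, and the function name Get-RegistryDword is a helper introduced here.

```powershell
# Added example (not from the VMware manual): read-only audit of the registry
# values listed in the table above. Nothing is written to the registry.
$expected = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319';
       Name = 'SchUseStrongCrypto'; Want = 1 },
    @{ Key = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319';
       Name = 'SchUseStrongCrypto'; Want = 1 }
)
$tls12 = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
foreach ($role in 'Client', 'Server') {
    $expected += @{ Key = "$tls12\$role"; Name = 'DisabledByDefault'; Want = 0 }
    $expected += @{ Key = "$tls12\$role"; Name = 'Enabled';           Want = 1 }
}

# Hypothetical helper: returns $null when the key or value is absent, so that
# "not configured" stays distinguishable from an explicit 0.
function Get-RegistryDword {
    param([string]$Key, [string]$Name)
    if (-not (Test-Path -LiteralPath $Key)) { return $null }
    $props = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return $props.$Name
}

$report = foreach ($item in $expected) {
    $current = Get-RegistryDword -Key $item.Key -Name $item.Name
    if ($null -eq $current) {
        $state = 'NotSet'      # operating system default applies
    } elseif ($current -eq $item.Want) {
        $state = 'Match'
    } else {
        $state = 'Mismatch'    # explicitly set to something other than the table value
    }
    New-Object PSObject -Property @{
        State = $state; Name = $item.Name; Current = $current
        Want  = $item.Want; Key = $item.Key
    }
}
$report | Select-Object State, Name, Current, Want, Key | Format-Table -AutoSize -Wrap
```

NotSet on the SCHANNEL keys is expected on Windows 2012 and later, where TLS 1.2 is enabled by default; the table lists those keys only for Windows 2008 DEM hosts.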

DEM Workers with Red Hat Enterprise Virtualization

A vRealize Automation IaaS DEM Worker that communicates with and collects data from Red Hat Enterprise Virtualization (RHEV) must meet additional requirements, in addition to those for all IaaS Windows servers and DEMs in general.
- You must join each RHEV environment to the domain containing the DEM Worker server.
- The credentials used to manage the endpoint representing an RHEV environment must have administrator privileges on the RHEV environment. When you use RHEV for provisioning, the DEM Worker communicates with and collects data from that account.
- The credentials must also have enough privileges to create objects on the hosts within the environment.

DEM Workers with SCVMM

A vRealize Automation IaaS DEM Worker that manages virtual machines through System Center Virtual Machine Manager (SCVMM) must meet additional requirements, in addition to those for all IaaS Windows servers and DEMs in general.
- Install the DEM Worker on the same machine with the SCVMM console.
  A best practice is to install the SCVMM console on a separate DEM Worker.
- The DEM worker must have access to the SCVMM PowerShell module installed with the console.
- The PowerShell Execution Policy must be set to RemoteSigned or Unrestricted.
  To verify the PowerShell Execution Policy, enter one of the following commands at the PowerShell command prompt.

      help about_signing
      help Set-ExecutionPolicy

- If all DEM Workers within the instance are not on machines that meet these requirements, use Skill commands to direct SCVMM-related workflows to DEM Workers that are.

vRealize Automation does not support a deployment environment that uses an SCVMM private cloud configuration. vRealize Automation cannot currently collect from, allocate to, or provision based on SCVMM private clouds.
The following additional requirements apply to SCVMM.
- vRealize Automation supports SCVMM 2012 R2, which requires PowerShell 3 or later.
- Install the SCVMM console before you install vRealize Automation DEM Workers that consume SCVMM work items.
  If you install the DEM Worker before the SCVMM console, you see log errors similar to the following example.

      Workflow 'ScvmmEndpointDataCollection' failed with the following exception: The
      term 'Get-VMMServer' is not recognized as the name of a cmdlet, function, script
      file, or operable program. Check the spelling of the name, or if a path was
      included, verify that the path is correct and try again.

  To correct the problem, verify that the SCVMM console is installed, and restart the DEM Worker service.
- Each SCVMM instance must be joined to the domain containing the server.
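
The PowerShell-related requirements in this section can be checked in one pass on the DEM Worker host. The following sketch is an added example, not part of the VMware manual; it assumes the SCVMM console installer has made its module discoverable in the session, and it should be run as the account that the DEM Worker service uses. Of the two permitted execution policies, RemoteSigned is the more restrictive.

```powershell
# Added example (not from the VMware manual): pre-flight check for a DEM Worker
# host that will run SCVMM workflows.
$findings = @()

# Show every scope so that a Group Policy override (MachinePolicy or
# UserPolicy) of the locally configured value is visible.
Get-ExecutionPolicy -List | Format-Table -AutoSize

# The effective policy is what a new session under this account will use.
$effective = (Get-ExecutionPolicy).ToString()
if (@('RemoteSigned', 'Unrestricted') -notcontains $effective) {
    $findings += "Effective execution policy is '$effective'; " +
                 "this section requires RemoteSigned or Unrestricted."
}

# SCVMM 2012 R2 requires PowerShell 3 or later.
if ($PSVersionTable.PSVersion.Major -lt 3) {
    $findings += "PowerShell $($PSVersionTable.PSVersion) found; " +
                 "version 3 or later is required."
}

# Get-VMMServer is the cmdlet named in the log error above. Assumption: once
# the SCVMM console is installed, command discovery can resolve it here.
if (-not (Get-Command -Name 'Get-VMMServer' -ErrorAction SilentlyContinue)) {
    $findings += "Get-VMMServer not found; verify that the SCVMM console is " +
                 "installed, then restart the DEM Worker service."
}

if ($findings.Count -eq 0) {
    'DEM Worker host meets the SCVMM PowerShell prerequisites.'
} else {
    $findings
}
```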