Configuring vRealize
Automation
12 April 2018
vRealize Automation 7.4
Configuring vRealize Automation
VMware, Inc. 2
You can find the most up-to-date technical documentation on the VMware website at:
https://docs.vmware.com/
If you have comments about this documentation, submit your feedback to
docfeedback@vmware.com
Copyright © 2015–2018 VMware, Inc. All rights reserved. Copyright and trademark information.
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
Contents
Configuring vRealize Automation 6
1 External Preparations for Blueprint Provisioning 7
Preparing Your Environment for vRealize Automation Management 7
Checklist for Preparing NSX Network and Security Configuration 8
Checklist For Providing Third-Party IPAM Provider Support 12
Checklist for Configuring Containers for vRealize Automation 16
Preparing Your vCloud Director Environment for vRealize Automation 17
Preparing Your vCloud Air Environment for vRealize Automation 17
Preparing Your Amazon AWS Environment 18
Preparing Red Hat OpenStack Network and Security Features 24
Preparing Your SCVMM Environment 25
Configure Network-to-Azure VPC Connectivity 26
Preparing for Machine Provisioning 27
Choosing a Machine Provisioning Method to Prepare 28
Checklist for Running Visual Basic Scripts During Provisioning 30
Using vRealize Automation Guest Agent in Provisioning 31
Checklist for Preparing to Provision by Cloning 39
Preparing for vCloud Air and vCloud Director Provisioning 52
Preparing for Linux Kickstart Provisioning 53
Preparing for SCCM Provisioning 56
Preparing for WIM Provisioning 57
Preparing for Virtual Machine Image Provisioning 64
Preparing for Amazon Machine Image Provisioning 65
Scenario: Prepare vSphere Resources for Machine Provisioning in Rainpole 67
Preparing for Software Provisioning 70
Preparing to Provision Machines with Software 71
Scenario: Prepare a vSphere CentOS Template for Clone Machine and Software Component
Blueprints 74
Scenario: Prepare for Importing the Dukes Bank for vSphere Sample Application Blueprint 78
2 Tenant and Resource Preparations for Blueprint Provisioning 83
Configuring Tenant Settings 83
Choosing Directories Management Configuration Options 84
Upgrading External Connectors for Directories Management 144
Scenario: Configure an Active Directory Link for a Highly Available vRealize Automation 152
Configure External Connectors for Smart Card and Third-party Identity Provider Authentication
in vRealize Automation 154
Create a Multi Domain or Multi Forest Active Directory Link 161
Configuring Groups and User Roles 163
Create Additional Tenants 169
Delete a Tenant 171
Configuring Security Settings for Multi-tenancy 172
Configuring Custom Branding 172
Checklist for Configuring Notifications 174
Create a Custom RDP File to Support RDP Connections for Provisioned Machines 185
Scenario: Add Datacenter Locations for Cross Region Deployments 185
Configuring vRealize Orchestrator 187
Configuring Resources 191
Checklist for Configuring IaaS Resources 191
Configuring XaaS Resources 310
Creating and Configuring Containers 322
Installing Additional Plug-Ins on the Default vRealize Orchestrator Server 340
Working With Active Directory Policies 340
User Preferences for Notifications and Delegates 343
3 Providing Service Blueprints to Users 345
Designing Blueprints 345
Building Your Design Library 347
Designing Machine Blueprints 349
Designing Software Components 435
Designing XaaS Blueprints and Resource Actions 447
Publishing a Blueprint 506
Working with Blueprints Programmatically 507
Exporting and Importing Blueprints and Content 507
Downloading and Configuring the Supplied Standalone Blueprint 513
Assembling Composite Blueprints 513
Understanding Nested Blueprint Behavior 515
Using Machine Components and Software Components When Assembling a Blueprint 518
Creating Property Bindings Between Blueprint Components 519
Creating Dependencies and Controlling the Order of Provisioning 520
Customizing Blueprint Request Forms 521
Create a Custom Request Form with Active Directory Options 524
Custom Form Designer Field Properties 532
Using vRealize Orchestrator Actions in the Custom Forms Designer 537
Using the Data Grid Element in the Custom Forms Designer 539
Using External Validation in the Custom Forms Designer 542
Managing the Service Catalog 546
Checklist for Configuring the Service Catalog 547
Creating a Service 548
Working with Catalog Items and Actions 550
Creating Entitlements 553
Working with Approval Policies 560
Request Machine Provisioning By Using a Parameterized Blueprint 585
Scenario: Make the CentOS with MySQL Application Blueprint Available in the Service Catalog 586
Managing Deployed Catalog Items 590
Running Actions for Provisioned Resources 590
Specify Machine Reconfiguration Settings and Considerations for Reconfiguration 610
Reconfigure a Load Balancer in a Deployment 617
Change NAT Rules in a Deployment 618
Add or Remove Security Items in a Deployment 620
Display All NAT Rules for an Existing NSX Edge 621
Configuring vRealize Automation
Configuring vRealize Automation provides information about configuring vRealize Automation and your
external environments to prepare for vRealize Automation provisioning and catalog management.
Intended Audience
This information is intended for IT professionals who are responsible for configuring the vRealize Automation environment, and for infrastructure administrators who are responsible for preparing elements in their existing infrastructure for use in vRealize Automation provisioning. The information is written for experienced Windows and Linux system administrators who are familiar with virtual machine technology and datacenter operations.
VMware Technical Publications Glossary
VMware Technical Publications provides a glossary of terms that might be unfamiliar to you. For
definitions of terms as they are used in VMware technical documentation, go to
http://www.vmware.com/support/pubs.
1 External Preparations for Blueprint Provisioning
You may need to create or prepare some elements outside of vRealize Automation to support catalog
item provisioning. For example, if you want to provide a catalog item for provisioning a clone machine,
you need to create a template on your hypervisor to clone from.
This chapter includes the following topics:
- Preparing Your Environment for vRealize Automation Management
- Configure Network-to-Azure VPC Connectivity
- Preparing for Machine Provisioning
- Preparing for Software Provisioning
Preparing Your Environment for vRealize Automation Management
Depending on your integration platform, you might have to make some configuration changes before you
can bring your environment under vRealize Automation management, or before you can leverage certain
features.
Table 11. Preparing Your Environment for vRealize Automation Integration

Environment | Preparations
NSX | If you want to leverage NSX to manage networking and security features of machines provisioned with vRealize Automation, prepare your NSX instance for integration. See Checklist for Preparing NSX Network and Security Configuration.
vCloud Director | Install and configure your vCloud Director instance, set up your vSphere and cloud resources, and identify or create appropriate credentials to provide vRealize Automation with access to your vCloud Director environment. See Preparing Your vCloud Director Environment for vRealize Automation.
vCloud Air | Register for your vCloud Air account, set up your vCloud Air environment, and identify or create appropriate credentials to provide vRealize Automation with access to your environment. See Preparing for vCloud Air and vCloud Director Provisioning.
Amazon AWS | Prepare elements and user roles in your Amazon AWS environment for use in vRealize Automation, and understand how Amazon AWS features map to vRealize Automation features. See Preparing Your Amazon AWS Environment.
Microsoft Azure | Configure networking to use VPN tunneling to support Software components on Azure blueprints. See Configure Network-to-Azure VPC Connectivity.
Red Hat OpenStack | If you want to leverage Red Hat OpenStack to manage networking and security features of machines provisioned with vRealize Automation, prepare your Red Hat OpenStack instance for integration. See Preparing Red Hat OpenStack Network and Security Features.
SCVMM | Configure storage and networking, and understand template and hardware profile naming restrictions. See Preparing Your SCVMM Environment.
External IPAM Providers | Register an external IPAM provider package or plug-in, run the configuration workflows, and register the IPAM solution as a new vRealize Automation endpoint. See Checklist For Providing Third-Party IPAM Provider Support.
All other environments | You do not need to make changes to your environment. You can begin preparing for machine provisioning by creating templates, boot environments, or machine images. See Preparing for Machine Provisioning.
Checklist for Preparing NSX Network and Security Configuration
Before you can use NSX network and security options in vRealize Automation, you must configure the
external NSX network and security environment that you intend to use.
Beginning in vRealize Automation 7.3, you no longer need to install the NSX plug-in to obtain integrated
NSX functionality. All integrated NSX functionality is now sourced directly from the NSX APIs, rather than
from the NSX plug-in. However, if you want to use XaaS to extend your vRealize Automation and NSX
integration, you must install the NSX plug-in in vRealize Orchestrator as described here.
In preparation for using NSX network, security, and load balancing capabilities in vRealize Automation,
when using NSX Manager credentials you must use the NSX Manager administrator account.
For related information about NSX, see NSX documentation at
https://www.vmware.com/support/pubs/nsx_pubs.html and public blogs and articles such as Integrating
NSX with vRealize Automation.
Much of the vRealize Automation support for network and security configuration that you specify in
blueprints and reservations is configured externally and made available to vRealize Automation after data
collection is run on the compute resources.
For more information about NSX settings that you can configure for vRealize Automation blueprints, see
Configuring Network and Security Component Settings.
Table 12. Preparing NSX Networking and Security Checklist

Task | Location | Details
Configure NSX network settings, including gateway and transport zone settings. | Configure network settings in NSX. | See the NSX Administration Guide.
Create NSX security policies, tags, and groups. | Configure security settings in NSX. | See the NSX Administration Guide.
Configure NSX load balancer settings. | Configure an NSX load balancer to work with vRealize Automation. | See the NSX Administration Guide. Also see Custom Properties for Networking in Custom Properties Reference.
For cross-virtual center deployments, verify that the compute NSX manager has the primary NSX manager role. | vRealize Automation provisioning requires that the compute NSX manager for the region in which the machines reside has the primary NSX manager role. | See Administrator Requirements for Provisioning NSX Universal Objects. See the NSX Installation Guide and NSX Administration Guide for information about cross-virtual center deployment, universal objects, and the primary NSX manager role.
Install the NSX Plug-In on vRealize Orchestrator
Installing the NSX plug-in requires that you download the vRealize Orchestrator installer file, use the
vRealize Orchestrator Configuration interface to upload the plug-in file, and install the plug-in on a
vRealize Orchestrator server.
For general plug-in update and troubleshooting information, see vRealize Orchestrator documentation.
Prerequisites
Beginning in vRealize Automation 7.3, you no longer need to install the NSX plug-in to obtain integrated
NSX functionality. All integrated NSX functionality is now sourced directly from the NSX APIs, rather than
from the NSX plug-in. However, if you want to use XaaS to extend your vRealize Automation and NSX
integration, you must install the NSX plug-in in vRealize Orchestrator as described here.
If you are using an embedded vRealize Orchestrator that already contains an installed NSX plug-in, you
can skip this procedure.
- Verify that you are running a supported vRealize Orchestrator instance. For information about setting up vRealize Orchestrator, see Installing and Configuring VMware vRealize Orchestrator.
- Verify that you have credentials for an account with permission to install vRealize Orchestrator plug-ins and to authenticate through vCenter Single Sign-On.
- Verify that you installed the vRealize Orchestrator client and that you can log in with Administrator credentials.
- Confirm the correct version of the NSX plug-in in the vRealize Automation support matrix.
Procedure
1 Download the plug-in file to a location accessible from the vRealize Orchestrator server.
The plug-in installer file name format, with appropriate version values, is o11nplugin-nsx-1.n.n.vmoapp. Plug-in installation files for the NSX networking and security product are available from the VMware product download site at http://vmware.com/web/vmware/downloads.
2 Open a browser and start the vRealize Orchestrator configuration interface.
An example of the URL format is https://orchestrator_server.com:8283.
3 Click Plug-Ins in the left pane and scroll down to the Install new plug-in section.
4 In the Plug-In file text box, browse to the plug-in installer file and click Upload and install.
The file must be in .vmoapp format.
5 At the prompt, accept the license agreement in the Install a plug-in pane.
6 In the Enabled plug-ins installation status section, confirm that the correct NSX plug-in name is specified.
See vRealize Automation Support Matrix for version information.
The status "Plug-in will be installed at next server startup" appears.
7 Restart the vRealize Orchestrator server service.
8 Restart the vRealize Orchestrator configuration interface.
9 Click Plug-Ins and verify that the status changed to Installation OK.
10 Start the vRealize Orchestrator client application, log in, and use the Workflow tab to navigate through the library to the NSX folder.
You can browse through the workflows that the NSX plug-in provides.
What to do next
Create a vRealize Orchestrator endpoint in vRealize Automation to use for running workflows. See Create
a vRealize Orchestrator Endpoint.
Run a vRealize Orchestrator and NSX Security Workflow
Before you use the NSX security policy features from vRealize Automation, an administrator must run the
Enable security policy support for overlapping subnets workflow in vRealize Orchestrator.
Security policy support for the overlapping subnets workflow is applicable to an NSX 6.1 and later
endpoint. Run this workflow only once to enable this support.
Prerequisites
- Verify that a vSphere endpoint is registered with an NSX endpoint. See Create a vSphere Endpoint.
- Log in to the vRealize Orchestrator client as an administrator.
- Verify that you ran the Create NSX endpoint vRO workflow.
Procedure
1 Click the Workflow tab and select NSX > NSX workflows for VCAC.
2 Run the Create NSX endpoint workflow and respond to prompts.
3 Run the Enable security policy support for overlapping subnets workflow.
4 Select the NSX endpoint as the input parameter for the workflow.
Use the IP address you specified when you created the vSphere endpoint to register an NSX instance.
After you run this workflow, the distributed firewall rules defined in the security policy are applied only on
the vNICs of the security group members to which this security policy is applied.
What to do next
Apply the applicable security features for the blueprint.
Administrator Requirements for Provisioning NSX Universal Objects
To provision machines in a cross vCenter NSX environment when using NSX universal objects, you must
provision to a vCenter in which the NSX compute manager has the primary role.
In a cross vCenter NSX environment, you can have multiple vCenter servers, each of which must be
paired with its own NSX manager. One NSX manager is assigned the role of primary NSX manager, and
the others are assigned the role of secondary NSX manager.
The primary NSX manager can create universal objects, such as universal logical switches. These
objects are synchronized to the secondary NSX managers. You can view these objects from the
secondary NSX managers, but you cannot edit them there. You must use the primary NSX manager to
manage universal objects. The primary NSX manager can be used to configure any of the secondary
NSX managers in the environment.
For more information about the NSX cross-vCenter environment, see Overview of Cross-vCenter
Networking and Security in the NSX Administration Guide in the NSX product documentation.
For a vSphere (vCenter) endpoint that is associated to the NSX endpoint of a primary NSX manager,
vRealize Automation supports NSX local objects, such as local logical switches, local edge gateways,
and local load balancers, security groups, and security tags. It also supports NAT one-to-one and one-to-many networks with universal transport zone, routed networks with universal transport zone and universal
distributed logical routers (DLRs), and a load balancer with any type of network.
vRealize Automation does not support NSX existing and on-demand universal security groups or tags.
To provision local on-demand networks as the primary NSX manager, use a vCenter-specific local
transport zone. You can configure vRealize Automation reservations to use the local transport zone and
virtual wires for deployments in that local vCenter.
If you connect a vSphere (vCenter) endpoint to a corresponding secondary NSX manager endpoint, you
can only provision and use local objects.
You can only associate an NSX endpoint to one vSphere endpoint. This association constraint means that
you cannot provision a universal on-demand network and attach it to vSphere machines that are
provisioned on different vCenters.
vRealize Automation can consume an NSX universal logical switch as an external network. If a universal
switch exists, it is data-collected and then attached to or consumed by each machine in the deployment.
- Provisioning an on-demand network to a universal transport zone can create a new universal logical switch.
- Provisioning an on-demand network to a universal transport zone on the primary NSX manager creates a universal logical switch.
- Provisioning an on-demand network to a universal transport zone on a secondary NSX manager fails, as NSX cannot create a universal logical switch on a secondary NSX manager.
See the VMware Knowledge Base article Deployment of vRealize Automation blueprints with NSX objects
fail (2147240) at http://kb.vmware.com/kb/2147240 for more information about NSX universal objects.
Checklist For Providing Third-Party IPAM Provider Support
You can obtain IP addresses and ranges for use in network profile definition from a supported third-party
IPAM provider, such as Infoblox.
Before you can create and use an external IPAM provider endpoint in a vRealize Automation network
profile, you must download or otherwise obtain a vRealize Orchestrator IPAM provider plug-in or package,
import the plug-in or package and run required workflows in vRealize Orchestrator, and register the IPAM
solution as a vRealize Automation endpoint.
For an overview of the provisioning process for using an external IPAM provider to supply a range of
possible IP addresses, see Provisioning a vRealize Automation Deployment Using a Third-Party IPAM
Provider.
Table 13. Preparing for External IPAM Provider Support Checklist

Task | Description | Details
Obtain and import the supported external IPAM Provider vRealize Orchestrator plug-in. | Download the IPAM provider plug-in or package, for example the Infoblox IPAM Plug-in for vRealize Orchestrator plug-in and supporting documentation, from the VMware Solution Exchange (https://solutionexchange.vmware.com/store/category_groups/cloud-management) and import the plug-in or package to vRealize Orchestrator. If the VMware Solution Exchange does not contain the IPAM provider package that you need, you can create your own by using a third-party IPAM Solution Provider SDK and supporting documentation. A vRealize Automation version-specific third-party IPAM Solution Provider SDK, supporting documentation, and associated starter package for vRealize Orchestrator and vRealize Automation is available at https://code.vmware.com/sdks or https://code.vmware.com/samples. | See Obtain and Import a Third-Party IPAM Provider Package in vRealize Orchestrator.
Run the required configuration workflows and register the external IPAM solution as a vRealize Automation endpoint. | Run the vRealize Orchestrator configuration workflows and register the IPAM provider endpoint type in vRealize Orchestrator. | See Run Workflow to Register Third-Party IPAM Endpoint Type in vRealize Orchestrator.
Obtain and Import a Third-Party IPAM Provider Package in vRealize Orchestrator
To prepare to define and use a third-party IPAM provider endpoint, you must first obtain the third-party IPAM provider package and import the package in vRealize Orchestrator.
You can download and use an existing third-party IP Address Management provider plug-in, such as Infoblox IPAM. You can also create your own third-party IPAM plug-in or package by using a VMware-supplied starter package and accompanying SDK documentation for use with another third-party IPAM solution provider, such as Bluecat.
- Obtain the existing Infoblox IPAM Plug-in for vRealize Orchestrator plug-in and supporting documentation from marketplace.vmware.com. The download also contains documentation for installing and using the plug-in.
- Create your own third-party IPAM solution by obtaining and using a third-party IPAM Solution Provider SDK, supporting documentation, and an associated starter package for vRealize Orchestrator and vRealize Automation from code.vmware.com/web/sdk on the vRealize Automation Third-Party IPAM Integration SDK 7.3 page.
After you import the third-party IPAM provider plug-in or package in vRealize Orchestrator, you must run
the required workflows, and register the IPAM endpoint type in vRealize Orchestrator.
For more information about importing plug-ins and packages and running vRealize Orchestrator
workflows, see Using the VMware vRealize Orchestrator Client. For more information about extending
vRealize Automation with vRealize Orchestrator plug-ins, packages, and workflows, see Life Cycle
Extensibility.
This step sequence uses the Infoblox IPAM plug-in as an example. Your step sequence may differ
depending on your vRealize Automation or plug-in version.
Prerequisites
- Download the package or plug-in from marketplace.vmware.com.
- Log in to vRealize Orchestrator with administrator privileges for importing, configuring, and registering a vRealize Orchestrator plug-in or package.
Procedure
1 Open the marketplace.vmware.com site.
2 Locate and download the plug-in or package.
For example, import the Infoblox plug-in that supports the Infoblox third-party IPAM endpoint in vRealize Orchestrator and vRealize Automation 7.1 and later.
a In the Publisher category, select Infoblox and click Apply.
b Select The Infoblox Plug-in for vRealize Orchestrator.
c Click Tech Specs and review the prerequisites.
d Click Try for additional information and to receive an email that contains a link to the download.
e Download the zip file as specified in the emailed instructions.
Version 4.0 and greater of the plug-in supports vRealize Automation 7.1 and greater. The zip file also contains documentation about the plug-in.
3 In vRealize Orchestrator, click the Administrator tab and click Import package.
4 Select the package to import.
5 Select all workflows and artifacts and click Import selected elements.
What to do next
Run Workflow to Register Third-Party IPAM Endpoint Type in vRealize Orchestrator.
Run Workflow to Register Third-Party IPAM Endpoint Type in vRealize Orchestrator
Run the registration workflow in vRealize Orchestrator to support vRealize Automation use of the third-party IPAM provider and register the IPAM endpoint type for use in vRealize Automation.
Prerequisites
- Obtain and Import a Third-Party IPAM Provider Package in vRealize Orchestrator.
- Verify that you are logged in to vRealize Orchestrator with the authority to run registration workflows.
- Be prepared to enter the vRealize Automation administrator credentials when prompted by the registration workflow. When you register IPAM endpoint types in vRealize Orchestrator, you are prompted to enter vRealize Automation administrator credentials.
Procedure
1 In vRealize Orchestrator, click the Design tab, select Administrator > Library, and select IPAM Service Package SDK.
Each IPAM provider package is uniquely named and contains unique workflows. Each provider supplies its own registration workflow. While the workflow names might be similar between provider packages, the location of the workflows in vRealize Orchestrator can be different and is provider-specific.
2 For this example, run the Register IPAM Endpoint registration workflow and specify the IPAM Infoblox endpoint type.
3 At the prompt for vRealize Automation credentials, enter your vRealize Automation administrator credentials, for example fabric administrator credentials.
You must supply the registration workflow with vRealize Automation system administrator credentials. Even if a non-system administrator user is logged in to the vRealize Orchestrator client, the registration succeeds if the vRealize Automation system administrator credentials are provided to the workflow.
In this example, the package registers Infoblox as a new IPAM endpoint type in the vRealize Automation
endpoint service and makes the endpoint type available when you create or edit endpoints in
vRealize Automation.
Note If the Infoblox IPAM connection disappears from the vRealize Orchestrator Inventory tab after you restart the vRealize Orchestrator server in the vRealize Orchestrator Control Center, run the Create IPAM Connection workflow from the vRO admin > Library > Infoblox > vRA > Helpers menu sequence. You can then open the vRealize Orchestrator Inventory tab, select Infoblox IPAM, and refresh the page to display the Infoblox IPAM connection.
What to do next
You can now create an IPAM Infoblox type endpoint, or an endpoint for whatever third-party package or plug-in you have just registered, in vRealize Automation. See Create a Third-Party IPAM Provider Endpoint.
Checklist for Configuring Containers for vRealize Automation
To get started with Containers, you must configure the feature to support vRealize Automation user roles.
After you configure container definitions in Containers you can add and configure container components
in a blueprint.
Table 14. Checklist for Configuring Containers for vRealize Automation

Task | Details
Assign the container administrator and container architect roles. | See Container roles information in Foundations and Concepts.
Define container definitions in the Containers tab in vRealize Automation. | See Configuring vRealize Automation.
Add container components and container networking components to blueprints in the Design tab in vRealize Automation. | See Configuring vRealize Automation.
Configuring Containers Using the vRealize Automation Appliance
Xenon service information is accessible in the vRealize Automation appliance (vRA Settings > Xenon).
It contains information about the Xenon host VM, listening port, and service status. It also displays
information about clustered Xenon nodes.
You can manage the Xenon Linux service with the following CLI commands in the vRealize Automation
appliance.
Command | Description
service xenon-service status | Shows the status of the service as either running or stopped.
service xenon-service start | Starts the service.
service xenon-service stop | Stops the service.
service xenon-service restart | Restarts the service.
service xenon-service get_host | Shows the hostname on which the service is running.
service xenon-service get_port | Shows the service port.
service xenon-service status_cluster | Shows information about all clustered nodes in JSON format.
service xenon-service reset | Deletes the directory where Xenon keeps all configuration files and restarts the service.
Clustering Containers
You can use the Xenon service in conjunction with Containers for vRealize Automation to join nodes to a
cluster. If the nodes are clustered, the Xenon service connects other nodes automatically when it starts.
You can monitor the cluster status on the Xenon tab in the vRealize Automation appliance or by running
the following command in a CLI:
service xenon-service status_cluster
Xenon works on quorum-based clustering. The quorum is calculated by using the formula (number of nodes / 2) + 1.
Preparing Your vCloud Director Environment for vRealize Automation
Before you can integrate vCloud Director with vRealize Automation, you must install and configure your
vCloud Director instance, set up your vSphere and cloud resources, and identify or create appropriate
credentials to provide vRealize Automation with access to your vCloud Director environment.
Configure Your Environment
Configure your vSphere resources and cloud resources, including virtual datacenters and networks. For
more information, see the vCloud Director documentation.
Required Credentials for Integration
Create or identify either organization administrator or system administrator credentials that your
vRealize Automation IaaS administrators can use to bring your vCloud Director environment under
vRealize Automation management as an endpoint.
User Role Considerations
vCloud Director user roles in an organization do not need to correspond with roles in vRealize Automation
business groups. If the user account does not exist in vCloud Director, vCloud Director performs a lookup
in the associated LDAP or Active Directory and creates the user account if the user exists in the identity
store. If it cannot create the user account, it logs a warning but does not fail the provisioning process. The
provisioned machine is then assigned to the account that was used to configure the vCloud Director
endpoint.
For related information about vCloud Director user management, see the vCloud Director documentation.
Preparing Your vCloud Air Environment for vRealize Automation
Before you integrate vCloud Air with vRealize Automation, you must register for your vCloud Air account,
set up your vCloud Air environment, and identify or create appropriate credentials to provide
vRealize Automation with access to your environment.
Configure Your Environment
Configure your environment as instructed in the vCloud Air documentation.
Required Credentials for Integration
Create or identify either virtual infrastructure administrator or account administrator credentials that your
vRealize Automation IaaS administrators can use to bring your vCloud Air environment under
vRealize Automation management as an endpoint.
User Role Considerations
vCloud Air user roles in an organization do not need to correspond with roles in vRealize Automation
business groups. For related information about vCloud Air user management, see the vCloud Air
documentation.
Preparing Your Amazon AWS Environment
Prepare elements and user roles in your Amazon AWS environment, prepare Amazon AWS to
communicate with the guest agent and Software bootstrap agent, and understand how Amazon AWS
features map to vRealize Automation features.
Amazon AWS User Roles and Credentials Required for vRealize Automation
You must configure credentials in Amazon AWS with the permissions required for vRealize Automation to
manage your environment.
vRealize Automation requires access keys for endpoint credentials and does not support user names and
passwords.
Role and Permission Authorization in Amazon Web Services
The Power User role in AWS gives an AWS Directory Service user or group full access to AWS services and resources, but that role is not required; lower-privileged roles are also supported. The following AWS IAM policy grants the permissions that vRealize Automation needs:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "ec2:DescribeInstances",
      "ec2:DescribeImages",
      "ec2:DescribeKeyPairs",
      "ec2:DescribeVpcs",
      "ec2:DescribeSubnets",
      "ec2:DescribeSecurityGroups",
      "ec2:DescribeVolumes",
      "ec2:DescribeVpcAttribute",
      "ec2:DescribeAddresses",
      "ec2:DescribeAvailabilityZones",
      "ec2:DescribeImageAttribute",
      "ec2:DescribeInstanceAttribute",
      "ec2:DescribeVolumeStatus",
      "ec2:DescribeVpnConnections",
      "ec2:DescribeRegions",
      "ec2:DescribeTags",
      "ec2:DescribeVolumeAttribute",
      "ec2:DescribeNetworkInterfaces",
      "ec2:DescribeNetworkInterfaceAttribute",
      "ec2:DisassociateAddress",
      "ec2:GetPasswordData",
      "ec2:ImportKeyPair",
      "ec2:ImportVolume",
      "ec2:CreateVolume",
      "ec2:DeleteVolume",
      "ec2:AttachVolume",
      "ec2:ModifyVolumeAttribute",
      "ec2:DetachVolume",
      "ec2:AssignPrivateIpAddresses",
      "ec2:UnassignPrivateIpAddresses",
      "ec2:CreateKeyPair",
      "ec2:DeleteKeyPair",
      "ec2:CreateTags",
      "ec2:AssociateAddress",
      "ec2:ReportInstanceStatus",
      "ec2:StartInstances",
      "ec2:StopInstances",
      "ec2:ModifyInstanceAttribute",
      "ec2:MonitorInstances",
      "ec2:RebootInstances",
      "ec2:RunInstances",
      "ec2:TerminateInstances",
      "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
      "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
      "elasticloadbalancing:DescribeLoadBalancerAttributes",
      "elasticloadbalancing:DescribeLoadBalancers",
      "elasticloadbalancing:DescribeInstanceHealth"
    ],
    "Resource": "*"
  }]
}
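As an added example (not part of the VMware documentation), the following Python script parses the policy above and produces the least-privilege summary a reviewer wants before attaching it to the endpoint credential: wildcard actions, services outside ec2 and elasticloadbalancing, the read-only versus mutating split, the actions worth an explicit justification, and whether mutating actions sit on a Resource "*" statement. The over-broad counter-example policy and the REVIEW_WORTHY set are constructed for this example.

```python
"""Least-privilege review of an IAM policy document (added example for this
page, not VMware's or AWS's code). It parses the policy the page specifies
for the vRealize Automation endpoint credential and reports what a reviewer
wants before approving it. The classification rules are the example's own."""
import json
import re

# The policy from the page, compacted to fewer lines; content unchanged.
VRA_POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "ec2:DescribeInstances", "ec2:DescribeImages", "ec2:DescribeKeyPairs",
      "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups",
      "ec2:DescribeVolumes", "ec2:DescribeVpcAttribute", "ec2:DescribeAddresses",
      "ec2:DescribeAvailabilityZones", "ec2:DescribeImageAttribute",
      "ec2:DescribeInstanceAttribute", "ec2:DescribeVolumeStatus",
      "ec2:DescribeVpnConnections", "ec2:DescribeRegions", "ec2:DescribeTags",
      "ec2:DescribeVolumeAttribute", "ec2:DescribeNetworkInterfaces",
      "ec2:DescribeNetworkInterfaceAttribute", "ec2:DisassociateAddress",
      "ec2:GetPasswordData", "ec2:ImportKeyPair", "ec2:ImportVolume",
      "ec2:CreateVolume", "ec2:DeleteVolume", "ec2:AttachVolume",
      "ec2:ModifyVolumeAttribute", "ec2:DetachVolume",
      "ec2:AssignPrivateIpAddresses", "ec2:UnassignPrivateIpAddresses",
      "ec2:CreateKeyPair", "ec2:DeleteKeyPair", "ec2:CreateTags",
      "ec2:AssociateAddress", "ec2:ReportInstanceStatus", "ec2:StartInstances",
      "ec2:StopInstances", "ec2:ModifyInstanceAttribute", "ec2:MonitorInstances",
      "ec2:RebootInstances", "ec2:RunInstances", "ec2:TerminateInstances",
      "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
      "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
      "elasticloadbalancing:DescribeLoadBalancerAttributes",
      "elasticloadbalancing:DescribeLoadBalancers",
      "elasticloadbalancing:DescribeInstanceHealth"
    ],
    "Resource": "*"
  }]
}"""

# Constructed counter-example (not from the page): what tends to get attached
# when an administrator reaches for "Power User" instead of the list above.
OVERBROAD_POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:PassRole", "elasticloadbalancing:Describe*"],
     "Resource": "*"},
    {"Effect": "Deny", "Action": "ec2:TerminateInstances", "Resource": "*"}
  ]
}"""

READ_ONLY_VERB = re.compile(r"^(Describe|Get|List)")

# Actions in the page's policy that deserve an explicit justification:
# GetPasswordData returns Windows administrator passwords (the page lists them
# under state data); the rest create or destroy capacity or key material.
REVIEW_WORTHY = {
    "ec2:GetPasswordData", "ec2:TerminateInstances", "ec2:DeleteVolume",
    "ec2:RunInstances", "ec2:ImportKeyPair", "ec2:CreateKeyPair",
    "ec2:DeleteKeyPair",
}

def _as_list(value):
    """IAM accepts a bare string wherever a list is allowed; normalise it."""
    return [value] if isinstance(value, str) else list(value)

def _is_read_only(action):
    return bool(READ_ONLY_VERB.match(action.partition(":")[2]))

def audit_policy(policy_json, expected_services=("ec2", "elasticloadbalancing")):
    """Summarise the grant for review as a plain dict."""
    # Only Allow statements grant anything; Deny narrows and never widens.
    statements = [s for s in _as_list(json.loads(policy_json)["Statement"])
                  if s.get("Effect") == "Allow"]
    actions = [a for s in statements for a in _as_list(s.get("Action", []))]
    return {
        "total": len(actions),
        "wildcards": [a for a in actions if "*" in a],
        "foreign_services": sorted(
            {a.partition(":")[0] for a in actions} - set(expected_services)),
        "read_only": [a for a in actions if _is_read_only(a)],
        "mutating": [a for a in actions if not _is_read_only(a)],
        "review_worthy": sorted(set(actions) & REVIEW_WORTHY),
        # Resource "*" on a statement that also grants mutating actions is the
        # usual push-back: most ec2 Describe* calls cannot be resource-scoped,
        # but RunInstances and TerminateInstances can, in their own statement.
        "unscoped_mutating": any(
            "*" in _as_list(s.get("Resource", []))
            and any(not _is_read_only(a) for a in _as_list(s.get("Action", [])))
            for s in statements),
    }

if __name__ == "__main__":
    for name, text in (("page", VRA_POLICY_JSON), ("over-broad", OVERBROAD_POLICY_JSON)):
        r = audit_policy(text)
        print(name, {k: (len(v) if isinstance(v, list) else v) for k, v in r.items()})
```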
Authentication Credentials in Amazon Web Services
For management of Amazon Identity and Access Management (IAM) users and groups, you must be
configured with AWS Full Access Administrator credentials.
When you create an AWS endpoint in vRealize Automation, you are prompted to enter an access key and a secret key. To obtain the access key needed to create the Amazon endpoint, the administrator must either request a key from a user who has AWS Full Access Administrator credentials or be additionally configured with the AWS Full Access Administrator policy. See Create an Amazon Endpoint.
For information about enabling policies and roles, see the AWS Identity and Access Management (IAM)
section of Amazon Web Services product documentation.
Allow Amazon AWS to Communicate with the Software Bootstrap Agent and Guest Agent
If you intend to provision application blueprints that contain Software, or if you want the ability to further
customize provisioned machines by using the guest agent, you must enable connectivity between your
Amazon AWS environment, where your machines are provisioned, and your vRealize Automation
environment, where the agents download packages and receive instructions.
When you use vRealize Automation to provision Amazon AWS machines with the vRealize Automation
guest agent and Software bootstrap agent, you must set up network-to-Amazon VPC connectivity so your
provisioned machines can communicate back to vRealize Automation to customize your machines.
For more information about Amazon AWS VPC connectivity options, see the Amazon AWS
documentation.
Using Optional Amazon Features
vRealize Automation supports several Amazon features, including Amazon Virtual Private Cloud, elastic
load balancers, elastic IP addresses, and elastic block storage.
Using Amazon Security Groups
Specify at least one security group when creating an Amazon reservation. Each available region requires
at least one specified security group.
A security group acts as a firewall to control access to a machine. Every region includes at least the
default security group. Administrators can use the Amazon Web Services Management Console to create
additional security groups, configure ports for Microsoft Remote Desktop Protocol or SSH, and set up a
virtual private network for an Amazon VPN.
When you create an Amazon reservation or configure a machine component in the blueprint, you can
choose from the list of security groups that are available to the specified Amazon account region. Security
groups are imported during data collection.
For information about creating and using security groups in Amazon Web Services, see Amazon
documentation.
Understanding Amazon Web Service Regions
Each Amazon Web Services account is represented by a cloud endpoint. When you create an
Amazon Elastic Cloud Computing endpoint in vRealize Automation, regions are collected as compute
resources. After the IaaS administrator selects compute resources for a business group, inventory and
state data collections occur automatically.
Inventory data collection, which occurs automatically once a day, collects data about what is on a
compute resource, such as the following data:
- Elastic IP addresses
- Elastic load balancers
- Elastic block storage volumes
State data collection occurs automatically every 15 minutes by default. It gathers information about the
state of managed instances, which are instances that vRealize Automation creates. The following are
examples of state data:
- Windows passwords
- State of machines in load balancers
- Elastic IP addresses
A fabric administrator can initiate inventory and state data collection and disable or change the frequency
of inventory and state data collection.
Using Amazon Virtual Private Cloud
Amazon Virtual Private Cloud allows you to provision Amazon machine instances in a private section of
the Amazon Web Services cloud.
You can use Amazon VPC to design a virtual network topology according to your specifications. You can assign an Amazon VPC in vRealize Automation. However, vRealize Automation does not track the cost of using the Amazon VPC.
When you provision using Amazon VPC, vRealize Automation expects a VPC subnet from which Amazon obtains a primary IP address. This address is static until the instance is terminated. You can also attach an elastic IP address from the elastic IP pool to an instance in vRealize Automation, which lets a user keep the same IP address while repeatedly provisioning and tearing down an instance in Amazon Web Services.
Use the AWS Management Console to create the following elements:
- An Amazon VPC, which includes Internet gateways, a routing table, security groups and subnets, and available IP addresses.
- An Amazon Virtual Private Network, if users need to log in to Amazon machine instances outside of the AWS Management Console.
vRealize Automation users can perform the following tasks when working with an Amazon VPC:
- A fabric administrator can assign an Amazon VPC to a cloud reservation. See Create an Amazon EC2 Reservation.
- A machine owner can assign an Amazon machine instance to an Amazon VPC.
For more information about creating an Amazon VPC, see Amazon Web Services documentation.
Using Elastic Load Balancers for Amazon Web Services
Elastic load balancers distribute incoming application traffic across Amazon Web Services instances.
Amazon load balancing enables improved fault tolerance and performance.
Amazon makes elastic load balancing available for machines provisioned using Amazon EC2 blueprints.
The elastic load balancer must be available in Amazon Web Services, in the Amazon Virtual Private Network, and at the provisioning location. For example, if a load balancer is available in us-east1c and a machine's location is us-east1b, the machine cannot use that load balancer.
vRealize Automation does not create, manage, or monitor the elastic load balancers.
For information about creating Amazon elastic load balancers by using the
Amazon Web Services Management Console, see Amazon Web Services documentation.
Using Elastic IP Addresses for Amazon Web Services
Using an elastic IP address allows you to rapidly fail over to another machine in a dynamic
Amazon Web Services cloud environment. In vRealize Automation, the elastic IP address is available to
all business groups that have rights to the region.
An administrator can allocate elastic IP addresses to your Amazon Web Services account by using the AWS Management Console. There are two groups of elastic IP addresses in any given region: one range is allocated for non-Amazon VPC instances and another range is for Amazon VPCs. If you allocate addresses in a non-Amazon VPC region only, the addresses are not available in an Amazon VPC. The reverse is also true: if you allocate addresses in an Amazon VPC only, the addresses are not available in a non-Amazon VPC region.
The elastic IP address is associated with your Amazon Web Services account, not a particular machine,
but only one machine at a time can use the address. The address remains associated with your
Amazon Web Services account until you choose to release it. You can release it to map it to a specific
machine instance.
An IaaS architect can add a custom property to a blueprint to assign an elastic IP address to machines during provisioning. Machine owners and administrators can view the elastic IP addresses assigned to machines, and machine owners or administrators with rights to edit machines can assign an elastic IP address after provisioning. However, if the address is already associated with a machine instance, and the instance is part of the Amazon Virtual Private Cloud deployment, Amazon does not assign the address.
For more information about creating and using Amazon elastic IP addresses, see Amazon Web Services
documentation.
Using Elastic Block Storage for Amazon Web Services
Amazon elastic block storage provides block level storage volumes to use with an Amazon machine
instance and Amazon Virtual Private Cloud. The storage volume can persist past the life of its associated
Amazon machine instance in the Amazon Web Services cloud environment.
When you use an Amazon elastic block storage volume in conjunction with vRealize Automation, the
following caveats apply:
- You cannot attach an existing elastic block storage volume when you provision a machine instance. However, if you create a new volume and request more than one machine at a time, the volume is created and attached to each instance. For example, if you create one volume named volume_1 and request three machines, a volume is created for each machine: three volumes named volume_1 are created, one attached to each machine. Each volume has a unique volume ID, and each is the same size and in the same location.
- The volume must be of the same operating system and in the same location as the machine to which you attach it.
- vRealize Automation does not manage the primary volume of an elastic block storage-backed instance.
For more information about Amazon elastic block storage, and details on how to enable it by using
Amazon Web Services Management Console, see Amazon Web Services documentation.
Scenario: Configure Network-to-Amazon VPC Connectivity for a Proof of Concept Environment
As the IT professional setting up a proof of concept environment to evaluate vRealize Automation, you
want to temporarily configure network-to-Amazon VPC connectivity to support the vRealize Automation
Software feature.
Network-to-Amazon VPC connectivity is only required if you want to use the guest agent to customize
provisioned machines, or if you want to include Software components in your blueprints. For a production
environment, you would configure this connectivity officially through Amazon Web Services, but because
you are working in a proof of concept environment, you want to create temporary network-to-Amazon
VPC connectivity. You establish the SSH tunnel and then configure an Amazon reservation in
vRealize Automation to route through your tunnel.
Prerequisites
- Install and fully configure vRealize Automation. See Installing and Configuring vRealize Automation for the Rainpole Scenario.
- Create an Amazon AWS security group called TunnelGroup and configure it to allow access on port 22.
- Create or identify a CentOS machine in your Amazon AWS TunnelGroup security group and note the following configurations:
  - Administrative user credentials, for example root.
  - Public IP address.
  - Private IP address.
- Create or identify a CentOS machine on the same local network as your vRealize Automation installation.
- Install OpenSSH SSHD Server on both tunnel machines.
Procedure
1. Log in to your Amazon AWS tunnel machine as the root user or similar.
2. Disable iptables.
   # service iptables save
   # service iptables stop
   # chkconfig iptables off
3. Edit /etc/ssh/sshd_config to enable AllowTCPForwarding and GatewayPorts.
4. Restart the service.
   /etc/init.d/sshd restart
5. Log in to the CentOS machine on the same local network as your vRealize Automation installation as the root user.
6. Invoke the SSH tunnel from the local network machine to the Amazon AWS tunnel machine.
   ssh -N -v -o "ServerAliveInterval 30" -o "ServerAliveCountMax 40" -o "TCPKeepAlive yes" \
     -R 1442:vRealize_automation_appliance_fqdn:5480 \
     -R 1443:vRealize_automation_appliance_fqdn:443 \
     -R 1444:manager_service_fqdn:443 \
     <user of Amazon tunnel machine>@<public IP address of Amazon tunnel machine>
You configured port forwarding to allow your Amazon AWS tunnel machine to access
vRealize Automation resources, but your SSH tunnel does not function until you configure an Amazon
reservation to route through the tunnel.
What to do next
1. Install the software bootstrap agent and the guest agent on a Windows or Linux reference machine to create an Amazon Machine Image that your IaaS architects can use to create blueprints. See Preparing for Software Provisioning.
2. Configure your Amazon reservation in vRealize Automation to route through your SSH tunnel. See Scenario: Create an Amazon Reservation for a Proof of Concept Environment.
Preparing Red Hat OpenStack Network and Security Features
vRealize Automation supports several features in OpenStack including security groups and floating IP
addresses. Understand how these features work with vRealize Automation and configure them in your
environment.
Using OpenStack Security Groups
Security groups allow you to specify rules to control network traffic over specific ports.
You can specify security groups in a reservation when requesting a machine. You can also specify an
existing or on-demand NSX security group in the design canvas.
Security groups are imported during data collection.
Each available region requires at least one specified security group. When you create a reservation, the security groups that are available to you in that region are displayed. Every region includes at least the default security group.
Additional security groups must be managed in the source resource. For more information about
managing security groups for the various machines, see the OpenStack documentation.
Using Floating IP Addresses with OpenStack
You can assign floating IP addresses to a running virtual instance in OpenStack.
To enable assignment of floating IP addresses, you must configure IP forwarding and create a floating IP
pool in Red Hat OpenStack. For more information, see the Red Hat OpenStack documentation.
You must entitle the Associate Floating IP and Disassociate Floating IP actions to machine owners. The
entitled users can then associate a floating IP address to a provisioned machine from the external
networks attached to the machine by selecting an available address from the floating IP address pool.
After a floating IP address has been associated with a machine, a vRealize Automation user can select a
Disassociate Floating IP option to view the currently assigned floating IP addresses and disassociate an
address from a machine.
Preparing Your SCVMM Environment
Before you begin creating SCVMM templates and hardware profiles for use in vRealize Automation
machine provisioning, you must understand the naming restrictions on template and hardware profile
names, and configure SCVMM network and storage settings.
For related information about preparing your environment, see SCVMM requirements information in
Installing vRealize Automation.
For related information about machine provisioning, see Create a Hyper-V (SCVMM) Endpoint.
vRealize Automation does not support a deployment environment that uses an SCVMM private cloud
configuration. vRealize Automation cannot currently collect from, allocate to, or provision based on
SCVMM private clouds.
Template and Hardware Profile Naming
Because of naming conventions that SCVMM and vRealize Automation use for templates and hardware
profiles, do not start your template or hardware profile names with the words temporary or profile. For
example, the following terms are ignored during data collection:
- TemporaryTemplate
- Temporary Template
- TemporaryProfile
- Temporary Profile
- Profile
Required Network Configuration for SCVMM Clusters
SCVMM clusters only expose virtual networks to vRealize Automation, so you must have a 1:1
relationship between your virtual and logical networks. Using the SCVMM console, map each logical
network to a virtual network and configure your SCVMM cluster to access machines through the virtual
network.
Required Storage Configuration for SCVMM Clusters
On SCVMM Hyper-V clusters, vRealize Automation collects data and provisions on shared volumes only.
Using the SCVMM console, configure your clusters to use shared resource volumes for storage.
Required Storage Configuration for Standalone SCVMM Hosts
For standalone SCVMM hosts, vRealize Automation collects data and provisions on the default virtual
machine path. Using the SCVMM console, configure default virtual machine paths for your standalone
hosts.
Configure Network-to-Azure VPC Connectivity
You must configure network-to-Azure connectivity if you want to use Software components in Azure
blueprints.
Prerequisites
- Install and fully configure vRealize Automation. See Installing and Configuring vRealize Automation for the Rainpole Scenario.
- Create an Azure security group called TunnelGroup and configure it to allow access on port 22.
- Create or identify a CentOS machine in your Azure TunnelGroup security group and note the following configurations:
  - Administrative user credentials, for example root.
  - Public IP address.
  - Private IP address.
- Create or identify a CentOS machine on the same local network as your vRealize Automation installation.
- Install OpenSSH SSHD Server on both tunnel machines.
Procedure
1. Log in to your Azure tunnel machine as the root user or similar.
2. Disable iptables.
   # service iptables save
   # service iptables stop
   # chkconfig iptables off
3. Edit /etc/ssh/sshd_config to enable AllowTCPForwarding and GatewayPorts.
4. Restart the service.
   /etc/init.d/sshd restart
5. Log in to the CentOS machine on the same local network as your vRealize Automation installation as the root user.
6. Invoke the SSH tunnel from the local network machine to the Azure tunnel machine.
   ssh -N -v -o "ServerAliveInterval 30" -o "ServerAliveCountMax 40" -o "TCPKeepAlive yes" \
     -R 1442:vRealize_automation_appliance_fqdn:5480 \
     -R 1443:vRealize_automation_appliance_fqdn:443 \
     -R 1444:manager_service_fqdn:443 \
     <user of Azure tunnel machine>@<public IP address of Azure tunnel machine>
You configured port forwarding to allow your Azure tunnel machine to access vRealize Automation
resources, but your SSH tunnel does not function until you configure an Azure reservation to route
through the tunnel.
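Step 3 of this procedure and of the Amazon AWS procedure above both depend on AllowTCPForwarding and GatewayPorts being enabled in /etc/ssh/sshd_config. The POSIX shell script below is an added example, not part of the VMware documentation: it resolves those two directives the way sshd does (case-insensitive keyword, Keyword=value accepted, first uncommented occurrence wins, nothing after the first Match line counts as global) and reports whether a tunnel host's configuration already enables both. The two sshd_config files it inspects are constructed for the example.

```shell
#!/bin/sh
# Resolve a global sshd_config keyword the way sshd does: keywords are
# case-insensitive, "Keyword value" and "Keyword=value" are both accepted,
# lines beginning with '#' are comments, the FIRST occurrence wins, and
# anything after the first "Match" line is conditional, so it is ignored here.
# Usage: sshd_effective <config-file> <keyword> <default-if-absent>
sshd_effective() {
    awk -v key="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')" -v def="$3" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comment or blank line
        {
            line = $0
            sub(/^[[:space:]]+/, "", line)
            sub(/[[:space:]]*=[[:space:]]*/, " ", line)  # normalise Keyword=value
            split(line, f, /[[:space:]]+/)
            k = tolower(f[1])
        }
        k == "match" { exit }                            # end of the global section
        k == key     { print f[2]; found = 1; exit }
        END          { if (!found) print def }
    ' "$1"
}

# The tunnel procedure needs both directives set to "yes". sshd's own defaults
# differ (AllowTcpForwarding yes, GatewayPorts no), so a commented-out or
# absent GatewayPorts line silently leaves the -R forwards bound to loopback.
# Returns 0 when the global section already enables both, 1 otherwise.
check_tunnel_host() {
    _rc=0
    for _pair in "AllowTcpForwarding yes" "GatewayPorts no"; do
        _key=${_pair% *}
        _def=${_pair#* }
        _val=$(sshd_effective "$1" "$_key" "$_def")
        if [ "$_val" = "yes" ]; then
            printf '%-19s %-4s ok\n' "$_key" "$_val"
        else
            printf '%-19s %-4s needs "yes"\n' "$_key" "$_val"
            _rc=1
        fi
    done
    return $_rc
}

# Constructed sample files for this example; not copied from any real host.
SAMPLE_CFG=$(mktemp)
DEFAULT_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG" "$DEFAULT_CFG"' EXIT
cat >"$SAMPLE_CFG" <<'EOF'
# edited for the tunnel host: first occurrence of each keyword wins
Port 22
#GatewayPorts no
GatewayPorts yes
AllowTcpForwarding=yes
GatewayPorts no
Match User backup
    AllowTcpForwarding no
EOF
cat >"$DEFAULT_CFG" <<'EOF'
# stock file: both directives still commented out, so sshd defaults apply
#AllowTcpForwarding yes
#GatewayPorts no
Port 22
EOF

if check_tunnel_host "$SAMPLE_CFG"; then echo "sample: ready for the tunnel"; fi
if ! check_tunnel_host "$DEFAULT_CFG"; then echo "default: needs editing first"; fi
```

On the tunnel host itself, `sshd -T` prints the daemon's effective configuration and is the authoritative check; this parser is for reviewing a copy of the file from elsewhere.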
What to do next
1. Install the software bootstrap agent and the guest agent on a Windows or Linux reference machine to create an Azure Machine Image that your IaaS architects can use to create blueprints. See Preparing for Software Provisioning.
2. Configure your Azure reservation in vRealize Automation to route through your SSH tunnel. See Create a Reservation for Microsoft Azure.
Preparing for Machine Provisioning
Depending on your environment and your method of machine provisioning, you might need to configure
elements outside of vRealize Automation.
For example, you might need to configure machine templates or machine images. You might also need to
configure NSX settings or run vRealize Orchestrator workflows.
For related information about specifying ports when preparing to provision machines, see Secure
Configuration Guide and Reference Architecture at VMware vRealize Automation Information.
Choosing a Machine Provisioning Method to Prepare
For most machine provisioning methods, you must prepare some elements outside of
vRealize Automation.
Table 15. Choosing a Machine Provisioning Method to Prepare
(Columns: Scenario | Supported Endpoint | Agent Support | Provisioning Method | Pre-provisioning Preparations)

Scenario: Configure vRealize Automation to run custom Visual Basic scripts as additional steps in the machine life cycle, either before or after machine provisioning. For example, you could use a pre-provisioning script to generate certificates or security tokens before provisioning, and then a post-provisioning script to use the certificates and tokens after machine provisioning.
  Supported endpoint: You can run Visual Basic scripts with any supported endpoint except Amazon AWS.
  Agent support: Depends on the provisioning method you choose.
  Provisioning method: Supported as an additional step in any provisioning method, but you cannot use Visual Basic scripts with Amazon AWS machines.
  Pre-provisioning preparations: Checklist for Running Visual Basic Scripts During Provisioning

Scenario: Provision application blueprints that automate the installation, configuration, and life cycle management of middleware and application deployment components such as Oracle, MySQL, WAR, and database schemas.
  Supported endpoint: vSphere; vCloud Air; vCloud Director; Amazon AWS
  Agent support: (Required) Guest agent; (Required) Software bootstrap agent and guest agent
  Provisioning method: Clone; Clone (for vCloud Air or vCloud Director); Linked clone; Amazon Machine Image
  Pre-provisioning preparations: If you want the ability to use Software components in your blueprints, prepare a provisioning method that supports the guest agent and Software bootstrap agent. For more information about preparing for Software, see Preparing for Software Provisioning.

Scenario: Further customize machines after provisioning by using the guest agent.
  Supported endpoint: All virtual endpoints and Amazon AWS.
  Agent support: (Required) Guest agent; (Optional) Software bootstrap agent and guest agent
  Provisioning method: Supported for all provisioning methods except Virtual Machine Image.
  Pre-provisioning preparations: If you want the ability to customize machines after provisioning, select a provisioning method that supports the guest agent. For more information about the guest agent, see Using vRealize Automation Guest Agent in Provisioning.

Scenario: Provision machines with no guest operating system. You can install an operating system after provisioning.
  Supported endpoint: All virtual machine endpoints.
  Agent support: Not supported
  Provisioning method: Basic
  Pre-provisioning preparations: No required pre-provisioning preparations outside of vRealize Automation.

Scenario: Provision a space-efficient copy of a virtual machine called a linked clone. Linked clones are based on a snapshot of a VM and use a chain of delta disks to track differences from a parent machine.
  Supported endpoint: vSphere
  Agent support: (Optional) Guest agent; (Optional) Software bootstrap agent and guest agent
  Provisioning method: Linked Clone
  Pre-provisioning preparations: You must have an existing vSphere virtual machine. If you want to support Software, you must install the guest agent and software bootstrap agent on the machine you intend to clone. The VM snapshot identified in the blueprint should be powered off before you provision the linked clone VMs.

Scenario: Provision a space-efficient copy of a virtual machine by using NetApp FlexClone technology.
  Supported endpoint: vSphere
  Agent support: (Optional) Guest agent
  Provisioning method: NetApp FlexClone
  Pre-provisioning preparations: Checklist for Preparing to Provision by Cloning

Scenario: Provision machines by cloning from a template object created from an existing Windows or Linux machine, called the reference machine, and a customization object.
  Supported endpoint: vSphere; KVM (RHEV); SCVMM
  Agent support: (Optional) Guest agent; (Optional, for vSphere only) Software bootstrap agent and guest agent
  Provisioning method: Clone
  Pre-provisioning preparations: See Checklist for Preparing to Provision by Cloning. If you want to support Software, you must install the guest agent and software bootstrap agent on the vSphere machine you intend to clone.

Scenario: Provision vCloud Air or vCloud Director machines by cloning from a template and customization object.
  Supported endpoint: vCloud Air; vCloud Director
  Agent support: (Optional) Guest agent; (Optional) Software bootstrap agent and guest agent
  Provisioning method: vCloud Air or vCloud Director Cloning
  Pre-provisioning preparations: See Preparing for vCloud Air and vCloud Director Provisioning. If you want to support Software, create a template that contains the guest agent and software bootstrap agent. For vCloud Air, configure network connectivity between your vRealize Automation environment and your vCloud Air environment.

Scenario: Provision a machine by booting from an ISO image, using a kickstart or autoYaSt configuration file and a Linux distribution image to install the operating system on the machine.
  Supported endpoint: All virtual endpoints; Red Hat OpenStack
  Agent support: Guest agent is installed as part of the preparation instructions.
  Provisioning method: Linux Kickstart
  Pre-provisioning preparations: Preparing for Linux Kickstart Provisioning

Scenario: Provision a machine and pass control to an SCCM task sequence to boot from an ISO image, deploy a Windows operating system, and install the vRealize Automation guest agent.
  Supported endpoint: All virtual machine endpoints.
  Agent support: Guest agent is installed as part of the preparation instructions.
  Provisioning method: SCCM
  Pre-provisioning preparations: Preparing for SCCM Provisioning

Scenario: Provision a machine by booting into a WinPE environment and installing an operating system using a Windows Imaging File Format (WIM) image of an existing Windows reference machine.
  Supported endpoint: All virtual endpoints; Red Hat OpenStack
  Agent support: Guest agent is required. When you create the WinPE image, you must manually insert the guest agent.
  Provisioning method: WIM
  Pre-provisioning preparations: Preparing for WIM Provisioning

Scenario: Launch an instance from a virtual machine image.
  Supported endpoint: Red Hat OpenStack
  Agent support: Not supported
  Provisioning method: Virtual Machine Image
  Pre-provisioning preparations: See Preparing for Virtual Machine Image Provisioning.

Scenario: Launch an instance from an Amazon Machine Image.
  Supported endpoint: Amazon AWS
  Agent support: (Optional) Guest agent; (Optional) Software bootstrap agent and guest agent
  Provisioning method: Amazon Machine Image
  Pre-provisioning preparations: Associate Amazon machine images and instance types with your Amazon AWS account. If you want to support Software, create an Amazon Machine Image that contains the guest agent and software bootstrap agent, and configure network-to-VPC connectivity between your Amazon AWS and vRealize Automation environments.
Checklist for Running Visual Basic Scripts During Provisioning
You can configure vRealize Automation to run your custom Visual Basic scripts as additional steps in the
machine life cycle, either before or after machine provisioning. For example, you could use a pre-
provisioning script to generate certificates or security tokens before provisioning, and then a post-
provisioning script to use the certificates and tokens after machine provisioning. You can run Visual Basic
scripts with any provisioning method, but you cannot use Visual Basic scripts with Amazon AWS
machines.
Table 16. Running Visual Basic Scripts During Provisioning Checklist
(Columns: Task | Location | Details)

Task: Install and configure the EPI agent for Visual Basic scripts.
  Location: Typically the Manager Service host.
  Details: See Installing vRealize Automation.

Task: Create your Visual Basic scripts.
  Location: Machine where the EPI agent is installed.
  Details: vRealize Automation includes a sample Visual Basic script, PrePostProvisioningExample.vbs, in the Scripts subdirectory of the EPI agent installation directory. This script contains a header to load all arguments into a dictionary, a body in which you can include your functions, and a footer to return updated custom properties to vRealize Automation.
  When executing a Visual Basic script, the EPI agent passes all machine custom properties as arguments to the script. To return updated property values to vRealize Automation, place these properties in a dictionary and call a function provided by vRealize Automation.

Task: Gather the information required to include your scripts in blueprints.
  Location: Capture information and transfer it to your infrastructure architects.
  Details:
  - The complete path to the Visual Basic script, including the filename and extension. For example, %SystemDrive%\Program Files (x86)\VMware\vCAC Agents\EPI_Agents\Scripts\SendEmail.vbs.
  - To run a script before provisioning, instruct infrastructure architects to enter the complete path to the script as the value of the custom property ExternalPreProvisioningVbScript. To run a script after provisioning, they need to use the custom property ExternalPostProvisioningVbScript.
  Note A fabric administrator can create a property group by using the property sets ExternalPreProvisioningVbScript and ExternalPostProvisioningVbScript to provide this required information. Doing so makes it easier for blueprint architects to include this information correctly in their blueprints.
Using vRealize Automation Guest Agent in Provisioning
You can install the guest agent on reference machines to further customize a machine after deployment.
You can use the reserved guest agent custom properties to perform basic customizations such as adding
and formatting disks, or you can create your own custom scripts for the guest agent to run within the
guest operating system of a provisioned machine.
After the deployment is completed and the customization specification is run (if you provided one), the guest agent creates an XML file, c:\VRMGuestAgent\site\workitem.xml, that contains all of the deployed machine's custom properties, completes any tasks assigned to it with the guest agent custom properties, and then deletes itself from the provisioned machine.
You can write your own custom scripts for the guest agent to run on deployed machines, and use custom
properties on the machine blueprint to specify the location of those scripts and the order in which to run
them. You can also use custom properties on the machine blueprint to pass custom property values to
your scripts as parameters.
For example, you could use the guest agent to make the following customizations on deployed machines:
- Change the IP address
- Add or format drives
- Run security scripts
- Initialize another agent, for example Puppet or Chef
You can also provide an encrypted string as a custom property in a command line argument. This allows
you to store encrypted information that the guest agent can decrypt and understand as a valid command
line argument.
Note The Linux guest agent assigns static IPs during the create and cloning actions for Linux Kickstart
and PXE provisioning relative to vRealize Automation custom properties in work items. The guest agent is
unable to accommodate the newer consistent network naming scheme, such as in Ubuntu 16.x, when it
assigns static IPs.
Your custom scripts do not have to be locally installed on the machine. As long as the provisioned
machine has network access to the script location, the guest agent can access and run the scripts. This
lowers maintenance costs because you can update your scripts without having to rebuild all of your
templates.
You can configure security settings for the virtual machines to be provisioned by specifying information in
a reservation, blueprint, or guest agent script. If the machines to be provisioned requires a guest agent,
you must add a security rule that contains that requirement to the reservation or the blueprint. For
example, if you use a default security policy that denies communication between all machines, and rely
on a separate security policy to allow communication between specific machines, the guest agent might
be unable to communicate with vRealize Automation during the customization phase. To avoid this
problem during machine provisioning, use a default security policy that allows communication during the
customization phase.
If you choose to install the guest agent to run custom scripts on provisioned machines, your blueprints
must include the appropriate guest agent custom properties. For example, if you install the guest agent
on a template for cloning, create a custom script that changes the provisioned machine's IP address, and
place the script in a shared location, you need to include a number of custom properties in your blueprint.
Table 1-7. Custom Properties for Changing IP Address of a Provisioned Machine with a Guest Agent

VirtualMachine.Admin.UseGuestAgent
    Set to true to initialize the guest agent when the provisioned machine is started.

VirtualMachine.Customize.WaitComplete
    Set to True to prevent the provisioning workflow from sending work items to the guest agent until all customizations are complete.

VirtualMachine.SoftwareN.ScriptPath
    Specifies the full path to an application's install script. The path must be a valid absolute path as seen by the guest operating system and must include the name of the script filename.
    You can pass custom property values as parameters to the script by inserting {CustomPropertyName} in the path string. For example, if you have a custom property named ActivationKey whose value is 1234, the script path is D:\InstallApp.bat –key {ActivationKey}. The guest agent runs the command D:\InstallApp.bat –key 1234. Your script file can then be programmed to accept and use this value.
    Insert {Owner} to pass the machine owner name to the script.
    You can also pass custom property values as parameters to the script by inserting {YourCustomProperty} in the path string. For example, entering the value \\vra-scripts.mycompany.com\scripts\changeIP.bat runs the changeIP.bat script from a shared location, but entering the value \\vra-scripts.mycompany.com\scripts\changeIP.bat {VirtualMachine.Network0.Address} runs the changeIP script but also passes the value of the VirtualMachine.Network0.Address property to the script as a parameter.

VirtualMachine.ScriptPath.Decrypt
    Allows vRealize Automation to obtain an encrypted string that is passed as a properly formatted VirtualMachine.SoftwareN.ScriptPath custom property statement to the gugent command line.
    You can provide an encrypted string, such as your password, as a custom property in a command-line argument. This allows you to store encrypted information that the guest agent can decrypt and understand as a valid command-line argument. For example, the VirtualMachine.Software0.ScriptPath = c:\dosomething.bat password custom property string is not secure as it contains an actual password.
    To encrypt the password, you can create a vRealize Automation custom property, for example MyPassword = password, and enable encryption by selecting the available check box. The guest agent decrypts the [MyPassword] entry to the value in the custom property MyPassword and runs the script as c:\dosomething.bat password.
    - Create custom property MyPassword = password where password is the value of your actual password. Enable encryption by selecting the available check box.
    - Set custom property VirtualMachine.ScriptPath.Decrypt as VirtualMachine.ScriptPath.Decrypt = true.
    - Set custom property VirtualMachine.Software0.ScriptPath as VirtualMachine.Software0.ScriptPath = c:\dosomething.bat [MyPassword].
    If you set VirtualMachine.ScriptPath.Decrypt to false, or do not create the VirtualMachine.ScriptPath.Decrypt custom property, then the string inside the square brackets ([ and ]) is not decrypted.
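The substitution rules above ({Property} replaced by its value, [Property] decrypted only when VirtualMachine.ScriptPath.Decrypt is true, otherwise left literally in the command line) can be previewed before a blueprint is requested. The following script is an added example, not VMware code: encrypt_value/decrypt_value are a constructed stand-in for the "encrypt" check box, resolving {Owner} from VirtualMachine.Admin.Owner is an assumption, and unknown references are left untouched (the page does not say what the agent does with them).

```python
"""Preview how the guest agent expands a VirtualMachine.SoftwareN.ScriptPath value.

Added example, not VMware code: it models only the substitution rules
documented in Table 1-7. The real guest agent cipher is not on this page;
encrypt_value/decrypt_value are a constructed reversible marker.
"""
import base64
import re

DECRYPT_FLAG = "VirtualMachine.ScriptPath.Decrypt"
OWNER_PROPERTY = "VirtualMachine.Admin.Owner"   # {Owner} source: assumption
_REF = re.compile(r"\{([^{}]+)\}|\[([^\[\]]+)\]")


def encrypt_value(plain: str) -> str:
    """Constructed stand-in for a property stored with encryption enabled."""
    return "enc:" + base64.b64encode(plain.encode()).decode()


def decrypt_value(stored: str) -> str:
    if not stored.startswith("enc:"):
        raise ValueError("property is not stored encrypted")
    return base64.b64decode(stored[4:]).decode()


def is_true(value) -> bool:
    return str(value).strip().lower() == "true"


def expand_script_path(path: str, props: dict) -> str:
    """Return the command line the guest agent would run for this ScriptPath."""
    decrypt = is_true(props.get(DECRYPT_FLAG, "false"))

    def replace(match):
        plain_ref, enc_ref = match.group(1), match.group(2)
        if plain_ref is not None:
            if plain_ref == "Owner" and "Owner" not in props:
                return str(props.get(OWNER_PROPERTY, match.group(0)))
            # Unknown {references} are left untouched (assumption).
            return str(props.get(plain_ref, match.group(0)))
        # [Name] is decrypted only when the Decrypt flag is true; otherwise the
        # bracketed text reaches the script literally, as Table 1-7 states.
        if not decrypt or enc_ref not in props:
            return match.group(0)
        return decrypt_value(props[enc_ref])

    return _REF.sub(replace, path)


def audit_script_paths(props: dict) -> list:
    """Flag ScriptPath values whose [secret] reference would not be decrypted."""
    findings = []
    decrypt = is_true(props.get(DECRYPT_FLAG, "false"))
    for name, value in props.items():
        if (re.fullmatch(r"VirtualMachine\.Software\d+\.ScriptPath", name)
                and "[" in str(value) and not decrypt):
            findings.append(f"{name} references an encrypted property but "
                            f"{DECRYPT_FLAG} is not true")
    return findings


if __name__ == "__main__":
    # Values from Table 1-7; the property dictionaries are constructed here.
    print(expand_script_path(r"D:\InstallApp.bat -key {ActivationKey}",
                             {"ActivationKey": "1234"}))
    secret = {"MyPassword": encrypt_value("password"), DECRYPT_FLAG: "true"}
    print(expand_script_path(r"c:\dosomething.bat [MyPassword]", secret))
    secret[DECRYPT_FLAG] = "false"
    print(expand_script_path(r"c:\dosomething.bat [MyPassword]", secret))
    secret["VirtualMachine.Software0.ScriptPath"] = r"c:\dosomething.bat [MyPassword]"
    print(audit_script_paths(secret))
```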
For more information about custom properties you can use with the guest agent, see Custom Properties Reference.

Configuring the Guest Agent to Trust a Server

Installing the public key PEM file for the vRealize Automation Manager Service Host in the correct guest agent folder is the most secure approach to configuring the guest agent to trust a server.

Locate the guest agent folder on each template and place the cert.pem PEM file for the Manager Service Host there so that the guest agent trusts the server:
- Windows guest agent folder on each template that uses the gugent: C:\VRMGuestAgent\cert.pem
- Linux guest agent folder on each template that uses the gugent: /usr/share/gugent/cert.pem

If you do not put the cert.pem file in this location, the template reference machine cannot use the guest agent. For example, if you try to collect the public key information after the VM is started, by altering scripts, you break the security condition.

Additional considerations apply, depending on your configured environment:
- For WIM installations, you must add the public key PEM file contents to the console executable and user interface. The console flag is /cert filename.
- For RedHat kickstart installations, you must cut and paste the public key into the sample file, otherwise the guest agent fails to execute.
- For SCCM installation, the cert.pem file must reside in the VRMGuestAgent folder.
- For Linux vSphere installs, the cert.pem file must reside in the /usr/share/gugent folder.

Note You can optionally install software and guest agents together by downloading the following script from https://APPLIANCE/software/index.html. The script allows you to handle acceptance of SSL certificate fingerprints as you create the templates.
- Linux: prepare_vra_template.sh
- Windows: prepare_vra_template.ps1

If you install the software and guest agent together, you do not need to use the instructions in Install the Guest Agent on a Linux Reference Machine or Install the Guest Agent on a Windows Reference Machine.
Install the Guest Agent on a Linux Reference Machine

Install the Linux guest agent on your reference machines to further customize machines after deployment.

Prerequisites
- Identify or create the reference machine.
- The guest agent files you download contain both tar.gz and RPM package formats. If your operating system cannot install tar.gz or RPM files, use a conversion tool to convert the installation files to your preferred package format.
- Establish secure trust between the guest agent and your Manager Service machine. See Configuring the Guest Agent to Trust a Server.

Procedure
1 Navigate to the vRealize Automation appliance management console page.
  For example: https://va-hostname.domain.com.
2 Click Guest and software agents page in the vRealize Automation component installation section of the page.
  For example: https://va-hostname.domain.com/software/index.html.
  The Guest and Software Agent Installers page opens, displaying links to available downloads.
3 Click Linux guest agent packages in the guest agent installers section of the page to download and save the LinuxGuestAgentPkgs.zip file.
4 Unpack the downloaded LinuxGuestAgentPkgs.zip file to create the VraLinuxGuestAgent folder.
5 Install the guest agent package that corresponds to the guest operating system you are deploying during provisioning.
  a Navigate to the VraLinuxGuestAgent subdirectory that corresponds to the guest operating system to deploy during provisioning, for example rhel32.
  b Locate your preferred package format or convert a package to your preferred package format.
  c Install the guest agent package on your reference machine.
    For example, to install the files from the RPM package, run rpm -i gugent-7.1.0-4201531.i386.rpm.
6 Configure the guest agent to communicate with the Manager Service by running installgugent.sh Manager_Service_Hostname_fqdn:portnumber ssl platform.
  The default port number for the Manager Service is 443. Accepted platform values are ec2, vcd, vca, and vsphere.
  If you are using a load balancer: Enter the fully qualified domain name and port number of your Manager Service load balancer. For example:
    cd /usr/share/gugent
    ./installgugent.sh load_balancer_manager_service.mycompany.com:443 ssl ec2
  With no load balancer: Enter the fully qualified domain name and port number of your Manager Service machine. For example:
    cd /usr/share/gugent
    ./installgugent.sh manager_service_machine.mycompany.com:443 ssl vsphere
7 If deployed machines are not already configured to trust the Manager Service SSL certificate, you must install the cert.pem file on your reference machine to establish trust.
  - For the most secure approach, obtain the cert.pem certificate and manually install the file on the reference machine.
  - For a more convenient approach, you can connect to the manager service load balancer or manager service machine and download the cert.pem certificate.
  If you are using a load balancer: As the root user on the reference machine, run the following command:
    echo | openssl s_client -connect manager_service_load_balancer.mycompany.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert.pem
  With no load balancer: As the root user on the reference machine, run the following command:
    echo | openssl s_client -connect manager_service_machine.mycompany.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > cert.pem
8 If you are installing the guest agent on an Ubuntu operating system, create symbolic links for shared objects by running one of the following command sets.
  64-bit systems:
    cd /lib/x86_64-linux-gnu
    sudo ln -s libssl.so.1.0.0 libssl.so.10
    sudo ln -s libcrypto.so.1.0.0 libcrypto.so.10
  32-bit systems:
    cd /lib/i386-linux-gnu
    sudo ln -s libssl.so.1.0.0 libssl.so.10
    sudo ln -s libcrypto.so.1.0.0 libcrypto.so.10
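The convenient download in step 7 writes whatever certificate the endpoint presents into cert.pem, so the template ends up trusting an interposed host just as readily as the real Manager Service. The following script is an added example, not part of the VMware documentation: it retrieves the PEM the same way, but only writes /usr/share/gugent/cert.pem when the SHA-256 fingerprint matches a value obtained out of band; EXPECTED_FINGERPRINT is a placeholder and the host name is the one used on this page.

```python
"""Fetch the Manager Service certificate and pin it before trusting it.

Added example, not VMware code. Replaces the `openssl s_client | sed` step
with an equivalent that refuses to install cert.pem unless the certificate's
SHA-256 fingerprint matches one obtained out of band (for example from the
vRealize Automation administrator). EXPECTED_FINGERPRINT is a placeholder.
"""
import hashlib
import ssl
import sys
from pathlib import Path

MANAGER_SERVICE = ("manager_service_machine.mycompany.com", 443)  # from this page
GUGENT_CERT = Path("/usr/share/gugent/cert.pem")
EXPECTED_FINGERPRINT = "<sha256-fingerprint-from-your-administrator>"  # placeholder


def sha256_fingerprint(pem: str) -> str:
    """Colon-separated SHA-256 over the DER form, like `openssl x509 -fingerprint -sha256`."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(fingerprint: str) -> str:
    """Accept fingerprints with or without colons, in either case."""
    return fingerprint.replace(":", "").replace(" ", "").upper()


def fetch_server_pem(host: str, port: int) -> str:
    # Same unverified retrieval as the documented openssl command; the pin
    # check below is what turns it into something safe to write to disk.
    return ssl.get_server_certificate((host, port))


def install_if_pinned(pem: str, expected_fp: str, dest: Path) -> bool:
    """Write the PEM to dest only when its fingerprint matches; return whether it did."""
    if normalize(sha256_fingerprint(pem)) != normalize(expected_fp):
        return False
    dest.parent.mkdir(parents=True, exist_ok=True)
    dest.write_text(pem)
    return True


def main() -> int:
    pem = fetch_server_pem(*MANAGER_SERVICE)
    if install_if_pinned(pem, EXPECTED_FINGERPRINT, GUGENT_CERT):
        print(f"installed {GUGENT_CERT}")
        return 0
    print(f"fingerprint mismatch, cert.pem NOT installed; "
          f"presented {sha256_fingerprint(pem)}", file=sys.stderr)
    return 1


if __name__ == "__main__":
    sys.exit(main())
```

Run it as root on the reference machine after replacing the placeholder; on mismatch it exits non-zero and leaves no cert.pem behind.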
What to do next
Convert your reference machine into a template for cloning, an Amazon Machine Image, or a snapshot that your IaaS architects can use when creating blueprints.
Install the Guest Agent on a Windows Reference Machine

Install the vRealize Automation Windows guest agent on a Windows reference machine to run as a Windows service and enable further customization of machines.

Prerequisites
- Identify or create the reference machine.
- Establish secure trust between the guest agent and your Manager Service machine. See Configuring the Guest Agent to Trust a Server.

Procedure
1 Navigate to the vRealize Automation appliance Guest and Software Agent Installers page: https://vrealize-automation-appliance-FQDN/software
2 Under Guest Agent Installers, download and save the 32-bit or 64-bit executable to the root of the C: drive.
  Note There is a command-line alternative to this procedure for guest agent installation. Instead of downloading the executables, you may go to Windows Software Installers on the Guest and Software Agent Installers page. There, you can download and run the prepare_vra_template.ps1 PowerShell script:
    PowerShell -NoProfile -ExecutionPolicy Bypass -Command prepare_vra_template.ps1
3 Extract the Windows guest agent files by running the executable.
  Extraction creates C:\VRMGuestAgent and adds the files. Do not rename C:\VRMGuestAgent.
4 Configure the guest agent to communicate with the Manager Service.
  a Open an elevated command prompt.
  b Navigate to C:\VRMGuestAgent.
  c Put the trusted Manager Service PEM file in the C:\VRMGuestAgent\ directory to configure the guest agent to trust your Manager Service machine.
  d Run winservice -i -h Manager_Service_Hostname_fqdn:portnumber -p ssl.
    The default port number for the Manager Service is 443.
    If you are using a load balancer: Enter the fully qualified domain name and port number of your Manager Service load balancer. For example, winservice -i -h load_balancer_manager_service.mycompany.com:443 -p ssl.
    With no load balancer: Enter the fully qualified domain name and port number of your Manager Service machine. For example, winservice -i -h manager_service_machine.mycompany.com:443 -p ssl.
    If you are preparing an Amazon machine image: You need to specify that you are using Amazon. For example, winservice -i -h manager_service_machine.mycompany.com:443 -p ssl -c ec2.
  The name of the Windows service is VCACGuestAgentService. You can find the installation log VCAC-GuestAgentService.log in C:\VRMGuestAgent.

What to do next
Convert your reference machine into a template for cloning, an Amazon machine image, or a snapshot so your IaaS architects can use your template when creating blueprints.
Checklist for Preparing to Provision by Cloning

You must perform some preparation outside of vRealize Automation to create the template and the customization objects used to clone Linux and Windows virtual machines.

Cloning requires a template to clone from, created from a reference machine.

[Figure: template preparation flowchart. Identify or create a reference machine. If you want the ability to customize machines after deployment, install the guest agent, or, if you also want to support software components in your blueprints, install the guest agent and the software bootstrap agent. If you are working in vCenter Server, install VMware Tools. Convert your reference machine to a template.]

If you are provisioning a Windows machine by cloning, the only way to join the provisioned machine to an Active Directory domain is by using the customization specification from vCenter Server or by including a guest operating system profile with your SCVMM template. Machines provisioned by cloning cannot be placed in an Active Directory container during provisioning. You must do this manually after provisioning.
Table 1-8. Checklist for Preparing to Provision by Cloning

Task: Identify or create the reference machine.
Location: Hypervisor
Details: See the documentation provided by your hypervisor.

Task: (Optional) If you want your clone template to support Software components, install the vRealize Automation guest agent and software bootstrap agent on your reference machine.
Location: Reference machine
Details: For Windows reference machines, see Prepare a Windows Reference Machine to Support Software. For Linux reference machines, see Prepare a Linux Reference Machine to Support Software.

Task: (Optional) If you do not need your clone template to support Software components, but you do want the ability to customize deployed machines, install the vRealize Automation guest agent on your reference machine.
Location: Reference machine
Details: See Using vRealize Automation Guest Agent in Provisioning.

Task: If you are working in a vCenter Server environment, install VMware Tools on the reference machine.
Location: vCenter Server
Details: See the VMware Tools documentation.

Task: Use the reference machine to create a template for cloning.
Location: Hypervisor
Details: The reference machine may be powered on or off. If you are cloning in vCenter Server, you can use a reference machine directly without creating a template. See the documentation provided by your hypervisor.

Task: Create the customization object to configure cloned machines by applying System Preparation Utility information or a Linux customization.
Location: Hypervisor
Details: If you are cloning for Linux you can install the Linux guest agent and provide external customization scripts instead of creating a customization object. If you are cloning with vCenter Server, you must provide the customization specification as the customization object. See the documentation provided by your hypervisor.

Task: Gather the information required to create blueprints that clone your template.
Location: Capture information and transfer to your IaaS architects.
Details: See Worksheet for Virtual Provisioning by Cloning.
Worksheet for Virtual Provisioning by Cloning

Complete the knowledge transfer worksheet to capture information about the template, customizations, and custom properties required to create clone blueprints for the templates you prepared in your environment. Not all of this information is required for every implementation. Use this worksheet as a guide, or copy and paste the worksheet tables into a word processing tool for editing.
Required Template and Reservation Information

Table 1-9. Template and Reservation Information Worksheet
Columns: Required Information | My Value | Details

Template name

Reservations on which the template is available, or reservation policy to apply
    To avoid errors during provisioning, ensure that the template is available on all reservations or create reservation policies that architects can use to restrict the blueprint to reservations where the template is available.

(vSphere only) Type of cloning requested for this template
    - Clone
    - Linked Clone
    - NetApp FlexClone

Customization specification name (Required for cloning with static IP addresses)
    You cannot perform customizations of Windows machines without a customization specification object.

(SCVMM only) ISO name

(SCVMM only) Virtual hard disk

(SCVMM only) Hardware profile to attach to provisioned machines
Required Property Groups

You can complete the custom property information sections of the worksheet, or you can create property groups and ask architects to add your property groups to their blueprints instead of numerous individual custom properties.

Required vCenter Server Operating System

You must supply the guest operating system custom property for vCenter Server provisioning.

Table 1-10. vCenter Server Operating System
Columns: Custom Property | My Value | Description

VMware.VirtualCenter.OperatingSystem
    Specifies the vCenter Server guest operating system version (VirtualMachineGuestOsIdentifier) with which vCenter Server creates the machine. This operating system version must match the operating system version to be installed on the provisioned machine. Administrators can create property groups using one of several property sets, for example, VMware[OS_Version]Properties, that are predefined to include the correct VMware.VirtualCenter.OperatingSystem values. This property is for virtual provisioning.
Visual Basic Script Information

If you configured vRealize Automation to run your custom Visual Basic scripts as additional steps in the machine life cycle, you must include information about the scripts in the blueprint.

Note A fabric administrator can create a property group by using the property sets ExternalPreProvisioningVbScript and ExternalPostProvisioningVbScript to provide this required information. Doing so makes it easier for blueprint architects to include this information correctly in their blueprints.

Table 1-11. Visual Basic Script Information
Columns: Custom Property | My Value | Description

ExternalPreProvisioningVbScript
    Run a script before provisioning. Enter the complete path to the script including the filename and extension. For example, %SystemDrive%\Program Files (x86)\VMware\vCAC Agents\EPI_Agents\Scripts\SendEmail.vbs.

ExternalPostProvisioningVbScript
    Run a script after provisioning. Enter the complete path to the script including the filename and extension. For example, %SystemDrive%\Program Files (x86)\VMware\vCAC Agents\EPI_Agents\Scripts\SendEmail.vbs.
Linux Guest Agent Customization Script Information

If you configured your Linux template to use the guest agent for running customization scripts, you must include information about the scripts in the blueprint.
Table 1-12. Linux Guest Agent Customization Script Information Worksheet
Columns: Custom Property | My Value | Description

Linux.ExternalScript.Name
    Specifies the name of an optional customization script, for example config.sh, that the Linux guest agent runs after the operating system is installed. This property is available for Linux machines cloned from templates on which the Linux agent is installed.
    If you specify an external script, you must also define its location by using the Linux.ExternalScript.LocationType and Linux.ExternalScript.Path properties.

Linux.ExternalScript.LocationType
    Specifies the location type of the customization script named in the Linux.ExternalScript.Name property. This can be either local or nfs.
    You must also specify the script location using the Linux.ExternalScript.Path property. If the location type is nfs, also use the Linux.ExternalScript.Server property.

Linux.ExternalScript.Server
    Specifies the name of the NFS server, for example lab-ad.lab.local, on which the Linux external customization script named in Linux.ExternalScript.Name is located.

Linux.ExternalScript.Path
    Specifies the local path to the Linux customization script or the export path to the Linux customization on the NFS server. The value must begin with a forward slash and not include the file name, for example /scripts/linux/config.sh.
Other Guest Agent Custom Properties

If you installed the guest agent on your reference machine, you can use custom properties to further customize machines after deployment.
Table 1-13. Custom Properties for Customizing Cloned Machines with a Guest Agent Worksheet
Columns: Custom Property | My Value | Description

VirtualMachine.Admin.AddOwnerToAdmins
    Set to True (default) to add the machine's owner, as specified by the VirtualMachine.Admin.Owner property, to the local administrators group on the machine.

VirtualMachine.Admin.AllowLogin
    Set to True (default) to add the machine owner to the local remote desktop users group, as specified by the VirtualMachine.Admin.Owner property.

VirtualMachine.Admin.UseGuestAgent
    If the guest agent is installed as a service on a template for cloning, set to True on the machine blueprint to enable the guest agent service on machines cloned from that template. When the machine is started, the guest agent service is started. Set to False to disable the guest agent. If set to False, the enhanced clone workflow will not use the guest agent for guest operating system tasks, reducing its functionality to VMwareCloneWorkflow. If not specified or set to anything other than False, the enhanced clone workflow sends work items to the guest agent.

VirtualMachine.DiskN.Active
    Set to True (default) to specify that the machine's disk N is active. Set to False to specify that the machine's disk N is not active.

VirtualMachine.DiskN.Label
    Specifies the label for a machine's disk N. The disk label maximum is 32 characters. Disk numbering must be sequential. When used with a guest agent, specifies the label of a machine's disk N inside the guest operating system.

VirtualMachine.DiskN.Letter
    Specifies the drive letter or mount point of a machine's disk N. The default is C. For example, to specify the letter D for Disk 1, define the custom property as VirtualMachine.Disk1.Letter and enter the value D. Disk numbering must be sequential. When used in conjunction with a guest agent, this value specifies the drive letter or mount point under which an additional disk N is mounted by the guest agent in the guest operating system.

VirtualMachine.Admin.CustomizeGuestOSDelay
    Specifies the time to wait after customization is complete and before starting the guest operating system customization. The value must be in HH:MM:SS format. If the value is not set, the default value is one minute (00:01:00). If you do not include this custom property, provisioning can fail if the virtual machine reboots before guest agent work items are completed.

VirtualMachine.Customize.WaitComplete
    Set to True to prevent the provisioning workflow from sending work items to the guest agent until all customizations are complete.

VirtualMachine.SoftwareN.Name
    Specifies the descriptive name of a software application N or script to install or run during provisioning. This is an optional and information-only property. It serves no real function for the enhanced clone workflow or the guest agent but it is useful for a custom software selection in a user interface or for software use reporting.

VirtualMachine.SoftwareN.ScriptPath
    Specifies the full path to an application's install script. The path must be a valid absolute path as seen by the guest operating system and must include the name of the script filename.
    You can pass custom property values as parameters to the script by inserting {CustomPropertyName} in the path string. For example, if you have a custom property named ActivationKey whose value is 1234, the script path is D:\InstallApp.bat –key {ActivationKey}. The guest agent runs the command D:\InstallApp.bat –key 1234. Your script file can then be programmed to accept and use this value.

VirtualMachine.SoftwareN.ISOName
    Specifies the path and filename of the ISO file relative to the datastore root. The format is /folder_name/subfolder_name/file_name.iso. If a value is not specified, the ISO is not mounted.

VirtualMachine.SoftwareN.ISOLocation
    Specifies the storage path that contains the ISO image file to be used by the application or script. Format the path as it appears on the host reservation, for example netapp-1:it_nfs_1. If a value is not specified, the ISO is not mounted.
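The Linux.ExternalScript.* and guest agent properties in the two worksheets above carry constraints (LocationType is local or nfs, nfs needs Server, Path starts with a forward slash, disk numbering is sequential, CustomizeGuestOSDelay is HH:MM:SS, the flags are True or False) that vRealize Automation does not check until a request is already running. The following lint is an added example, not VMware code; the SAMPLE property set is constructed and the check names are the author's.

```python
"""Lint guest agent custom properties before they go into a clone blueprint.

Added example, not VMware code. It encodes the constraints stated in the
Linux.ExternalScript and guest agent worksheets (Tables 1-12 and 1-13) and
reports violations, so a blueprint's property list can be checked offline.
"""
import re

_TRUE_FALSE = {"true", "false"}


def _bool_ok(value: str) -> bool:
    return value.strip().lower() in _TRUE_FALSE


def _numbered(props: dict, prefix: str, suffix: str) -> dict:
    """Return {N: value} for properties shaped like <prefix>N.<suffix>."""
    pat = re.compile(re.escape(prefix) + r"(\d+)\." + re.escape(suffix) + r"$")
    return {int(m.group(1)): v for k, v in props.items() if (m := pat.match(k))}


def check_external_script(props: dict) -> list:
    findings = []
    name = props.get("Linux.ExternalScript.Name")
    if name is None:
        return findings            # no script requested, nothing to check
    loc = props.get("Linux.ExternalScript.LocationType")
    path = props.get("Linux.ExternalScript.Path")
    if loc is None or path is None:
        findings.append("Linux.ExternalScript.Name requires Linux.ExternalScript.LocationType and .Path")
    if loc is not None and loc not in ("local", "nfs"):
        findings.append(f"Linux.ExternalScript.LocationType must be local or nfs, got {loc!r}")
    if loc == "nfs" and not props.get("Linux.ExternalScript.Server"):
        findings.append("Linux.ExternalScript.LocationType=nfs requires Linux.ExternalScript.Server")
    if path is not None and not path.startswith("/"):
        findings.append("Linux.ExternalScript.Path must begin with a forward slash")
    return findings


def check_disks(props: dict) -> list:
    findings = []
    labels = _numbered(props, "VirtualMachine.Disk", "Label")
    letters = _numbered(props, "VirtualMachine.Disk", "Letter")
    active = _numbered(props, "VirtualMachine.Disk", "Active")
    numbers = sorted(set(labels) | set(letters) | set(active))
    # "Disk numbering must be sequential": no gaps between the lowest and highest N.
    if numbers and numbers != list(range(numbers[0], numbers[-1] + 1)):
        findings.append(f"disk numbering must be sequential, got {numbers}")
    for n, label in labels.items():
        if len(label) > 32:
            findings.append(f"VirtualMachine.Disk{n}.Label exceeds 32 characters")
    for n, value in active.items():
        if not _bool_ok(value):
            findings.append(f"VirtualMachine.Disk{n}.Active must be True or False")
    return findings


def check_timing(props: dict) -> list:
    findings = []
    delay = props.get("VirtualMachine.Admin.CustomizeGuestOSDelay")
    if delay is not None and not re.fullmatch(r"\d{2}:\d{2}:\d{2}", delay):
        findings.append("VirtualMachine.Admin.CustomizeGuestOSDelay must be HH:MM:SS")
    for flag in ("VirtualMachine.Customize.WaitComplete", "VirtualMachine.Admin.UseGuestAgent"):
        value = props.get(flag)
        if value is not None and not _bool_ok(value):
            findings.append(f"{flag} must be True or False")
    return findings


def lint_blueprint(props: dict) -> list:
    return check_external_script(props) + check_disks(props) + check_timing(props)


# Constructed blueprint property set with four deliberate mistakes.
SAMPLE = {
    "VirtualMachine.Admin.UseGuestAgent": "True",
    "VirtualMachine.Customize.WaitComplete": "True",
    "VirtualMachine.Admin.CustomizeGuestOSDelay": "00:02:00",
    "Linux.ExternalScript.Name": "config.sh",
    "Linux.ExternalScript.LocationType": "nfs",      # nfs, but no Server given
    "Linux.ExternalScript.Path": "scripts/linux",     # missing leading slash
    "VirtualMachine.Disk0.Label": "system",
    "VirtualMachine.Disk1.Letter": "D",
    "VirtualMachine.Disk3.Letter": "E",               # Disk2 is missing
    "VirtualMachine.Disk3.Active": "yes",             # not True/False
}

if __name__ == "__main__":
    for finding in lint_blueprint(SAMPLE):
        print("-", finding)
```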
Networking Custom Properties

You can specify configuration for specific network devices on a machine by using custom properties. Common networking-related custom properties are listed in the following table. For additional and related custom properties, see Custom Properties for Clone Blueprints and Custom Properties for Networking in Custom Properties Reference.
Table 114. Custom Properties for Networking Configuration
Custom Property My Value Description
VirtualMachine.NetworkN.Address Specifies the IP address of network
device N in a machine provisioned with a
static IP address.
VirtualMachine.NetworkN.MacAddr
essType
Indicates whether the MAC address of
network device N is generated or user-
defined (static). This property is available
for cloning.
The default value is generated. If the
value is static, you must also use
VirtualMachine.NetworkN.MacAddres
s to specify the MAC address.
VirtualMachine.NetworkN custom
properties are specific to individual
blueprints and machines. When a
machine is requested, network and IP
address allocation is performed before
the machine is assigned to a reservation.
Because blueprints are not guaranteed to
be allocated to a specific reservation, do
not use this property on a reservation.
This property is not supported for on-
demand NAT or on-demand routed
networks.
Configuring vRealize Automation
VMware, Inc. 47
Table 114. Custom Properties for Networking Configuration (Continued)
Custom Property My Value Description
VirtualMachine.NetworkN.MacAddr
ess
Specifies the MAC address of a network
device N. This property is available for
cloning.
If the value of
VirtualMachine.NetworkN.MacAddres
sType is generated, this property contains
the generated address.
If the value of
VirtualMachine.NetworkN.MacAddres
sType is static, this property specifies the
MAC address. For virtual machines
provisioned on ESX server hosts, the
address must be in the range specified by
VMware. For details, see vSphere
documentation.
VirtualMachine.NetworkN custom
properties are specific to individual
blueprints and machines. When a
machine is requested, network and IP
address allocation is performed before
the machine is assigned to a reservation.
Because blueprints are not guaranteed to
be allocated to a specific reservation, do
not use this property on a reservation.
This property is not supported for on-
demand NAT or on-demand routed
networks.
Configuring vRealize Automation
VMware, Inc. 48
Table 114. Custom Properties for Networking Configuration (Continued)
Custom Property My Value Description
VirtualMachine.NetworkN.Name Specifies the name of the network to
connect to, for example the network
device N to which a machine is attached.
This is equivalent to a network interface
card (NIC).
By default, a network is assigned from the
network paths available on the
reservation on which the machine is
provisioned. Also see
VirtualMachine.NetworkN.AddressTy
pe and
VirtualMachine.NetworkN.ProfileNa
me.
You can ensure that a network device is
connected to a specific network by setting
the value of this property to the name of a
network on an available reservation. For
example, if you give properties for N= 0
and 1, you get 2 NICs and their assigned
value, provided the network is selected in
the associated reservation.
VirtualMachine.NetworkN custom
properties are specific to blueprints and
machines. When a machine is requested,
network and IP address allocation is
performed before the machine is
assigned to a reservation. Because
blueprints are not guaranteed to be
allocated to a specific reservation, do not
use this property on a reservation. This
property is not supported for on-demand
NAT or on-demand routed networks.
For an example of how to use this custom
property to dynamically set
VirtualMachine.Network0.Name based
on a consumer's selection from a list of
predefined available networks, see the
Adding a Network Selection Drop-Down
in vRA 7 blog post.
Table 114. Custom Properties for Networking Configuration (Continued)
VirtualMachine.NetworkN.PortID
  Specifies the port ID to use for network device N when using a dvPort group with a vSphere distributed
  switch.
  VirtualMachine.NetworkN custom properties are specific to individual blueprints and machines. When a
  machine is requested, network and IP address allocation is performed before the machine is assigned to
  a reservation. Because blueprints are not guaranteed to be allocated to a specific reservation, do not
  use this property on a reservation. This property is not supported for on-demand NAT or on-demand
  routed networks.
VirtualMachine.NetworkN.ProfileName and VirtualMachine.NetworkN.NetworkProfileName
  Specifies the name of a network profile from which to assign a static IP address to network device N,
  or from which to obtain the range of static IP addresses that can be assigned to network device N of a
  cloned machine, where N=0 for the first device, 1 for the second, and so on.
  - Use VirtualMachine.NetworkN.ProfileName to select any network from the reservation regardless of
    whether it has a corresponding network profile.
  - Use VirtualMachine.NetworkN.NetworkProfileName to only select networks that have a corresponding
    network profile with the same name.
  The network profile that the property points to is used to allocate an IP address. However, the
  provisioned machine is attached to any network that is selected in the reservation using a round-robin
  fashion model.
VirtualMachine.NetworkN.SubnetMask, VirtualMachine.NetworkN.Gateway,
VirtualMachine.NetworkN.PrimaryDns, VirtualMachine.NetworkN.SecondaryDns,
VirtualMachine.NetworkN.PrimaryWins, VirtualMachine.NetworkN.SecondaryWins,
VirtualMachine.NetworkN.DnsSuffix, and VirtualMachine.NetworkN.DnsSearchSuffixes
  Configures attributes of the network profile specified in VirtualMachine.NetworkN.ProfileName.
VCNS.LoadBalancerEdgePool.Names.name
  Specifies the NSX load balancing pools to which the virtual machine is assigned during provisioning. The
  virtual machine is assigned to all service ports of all specified pools. The value is an edge/pool name
  or a list of edge/pool names separated by commas. Names are case-sensitive.
  Appending a name allows you to create multiple versions of a custom property. For example, the
  following properties might list load balancing pools set up for general use and machines with high,
  moderate, and low performance requirements:
  - VCNS.LoadBalancerEdgePool.Names
  - VCNS.LoadBalancerEdgePool.Names.moderate
  - VCNS.LoadBalancerEdgePool.Names.high
  - VCNS.LoadBalancerEdgePool.Names.low
VCNS.SecurityGroup.Names.name
  Specifies the NSX security group or groups to which the virtual machine is assigned during provisioning.
  The value is a security group name or a list of names separated by commas. Names are case-sensitive.
  Appending a name allows you to create multiple versions of the property, which can be used separately
  or in combination. For example, the following properties can list security groups intended for general
  use, for the sales force, and for support:
  - VCNS.SecurityGroup.Names
  - VCNS.SecurityGroup.Names.sales
  - VCNS.SecurityGroup.Names.support
VCNS.SecurityTag.Names.name
  Specifies the NSX security tag or tags to which the virtual machine is associated during provisioning.
  The value is a security tag name or a list of names separated by commas. Names are case-sensitive.
  Appending a name allows you to create multiple versions of the property, which can be used separately
  or in combination. For example, the following properties can list security tags intended for general
  use, for the sales force, and for support:
  - VCNS.SecurityTag.Names
  - VCNS.SecurityTag.Names.sales
  - VCNS.SecurityTag.Names.support
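The scoping and value rules in Table 114 are easy to get wrong in a large property set: a VirtualMachine.NetworkN property placed on a reservation is silently not honoured, a gap in the NIC numbering produces fewer NICs than intended, and a case typo in a VCNS.*.Names list assigns the machine to a security group or pool that does not exist. The following checker is an added example and is not VMware code; the property names and rules come from the table above, the sample property sets are constructed, and the function names check_properties and split_names are chosen here.

```python
"""Sanity-check vRealize Automation networking custom properties before they
are added to a blueprint or reservation.

Added example, not VMware code: the property names, the "blueprint/machine only"
rule for VirtualMachine.NetworkN.*, and the comma-separated, case-sensitive
VCNS.*.Names values come from Table 114. The sample property sets are
constructed; check_properties and split_names are names chosen here."""
import re

# VirtualMachine.Network<N>.<attribute>, for N = 0, 1, 2, ...
NETWORK_PROP = re.compile(r"^VirtualMachine\.Network(\d+)\.(\w+)$")
NETWORK_ATTRS = {
    "Name", "AddressType", "PortID", "ProfileName", "NetworkProfileName",
    "SubnetMask", "Gateway", "PrimaryDns", "SecondaryDns", "PrimaryWins",
    "SecondaryWins", "DnsSuffix", "DnsSearchSuffixes",
}
# VCNS.<kind>.Names with an optional ".name" suffix for multiple versions.
LIST_PROP = re.compile(
    r"^VCNS\.(LoadBalancerEdgePool|SecurityGroup|SecurityTag)\.Names(\.[\w-]+)?$")


def split_names(value):
    """Split a comma-separated value into names, trimming whitespace only.
    Case is preserved because NSX pool, group and tag names are case-sensitive."""
    return [part.strip() for part in value.split(",") if part.strip()]


def check_properties(props, scope):
    """Return a list of findings (empty means no problems found).

    props: mapping of custom property name -> value
    scope: "blueprint" (also used for machines) or "reservation"
    """
    findings = []
    nic_indexes = set()
    for name, value in props.items():
        net = NETWORK_PROP.match(name)
        if net:
            index, attr = int(net.group(1)), net.group(2)
            if scope == "reservation":
                findings.append(f"{name}: VirtualMachine.NetworkN properties are not "
                                "supported on reservations; set it on the blueprint")
            if attr not in NETWORK_ATTRS:
                findings.append(f"{name}: unknown NetworkN attribute {attr!r}")
            nic_indexes.add(index)
        elif LIST_PROP.match(name):
            names = split_names(value)
            if not names:
                findings.append(f"{name}: empty name list")
            elif len({n.lower() for n in names}) != len(names):
                findings.append(f"{name}: duplicate entries (or entries differing only by "
                                "case); names are case-sensitive, so this is probably a typo")
    # A NIC is created for every N that has properties; a gap such as N=0 and
    # N=2 with no N=1 is almost always a numbering mistake.
    if nic_indexes:
        for missing in sorted(set(range(max(nic_indexes) + 1)) - nic_indexes):
            findings.append(f"VirtualMachine.Network{missing}: no properties for this NIC index")
    return findings


if __name__ == "__main__":
    # Constructed blueprint property set: two NICs and a per-version security group list.
    blueprint = {
        "VirtualMachine.Network0.Name": "Prod-Web",
        "VirtualMachine.Network0.ProfileName": "prod-web-static",
        "VirtualMachine.Network1.Name": "Mgmt",
        "VCNS.SecurityGroup.Names.sales": "sg-sales, sg-web-tier",
    }
    for finding in check_properties(blueprint, "blueprint") or ["no findings"]:
        print(finding)
```

Run it against the property set exported from a blueprint or, with scope "reservation", against a reservation's properties; any finding that names a VirtualMachine.NetworkN property on a reservation is the misplacement the table warns about.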
Preparing for vCloud Air and vCloud Director Provisioning
To prepare for provisioning vCloud Air and vCloud Director machines by using vRealize Automation, you
must configure the organization virtual data center with templates and customization objects.
To provision vCloud Air and vCloud Director resources using vRealize Automation, the organization
requires a template to clone from that consists of one or more machine resources.
Templates that are to be shared across organizations must be public. Only reserved templates are
available to vRealize Automation as a cloning source.
Note When you create a blueprint by cloning from a template, that template's unique identifier becomes
associated with the blueprint. When the blueprint is published to the vRealize Automation catalog and
used in the provisioning and data collection processes, the associated template is recognized. If you
delete the template in vCloud Air or vCloud Director, subsequent vRealize Automation provisioning and
data collection fails because the associated template no longer exists. Instead of deleting and recreating
a template, for example to upload an updated version, replace the template using the vCloud Air or
vCloud Director template replacement process. Using vCloud Air or vCloud Director to replace the
template, rather than deleting and recreating the template, keeps the template's unique ID intact and
allows provisioning and data collection to continue functioning.
The following overview illustrates the steps you need to perform before you use vRealize Automation to
create endpoints and define reservations and blueprints. For more information about these administrative
tasks, see vCloud Air and vCloud Director product documentation.
1 In vCloud Air or vCloud Director, create a template for cloning and add it to the organization catalog.
2 In vCloud Air or vCloud Director, use the template to specify custom settings such as passwords,
domain, and scripts for the guest operating system on each machine.
You can use vRealize Automation to override some of these settings.
Customization can vary depending on the guest operating system of the resource.
3 In vCloud Air or vCloud Director, configure the catalog to be shared with everyone in the organization.
In vCloud Air or vCloud Director, configure account administrator access to applicable organizations
to allow all users and groups in the organization to have access to the catalog. Without this sharing
designation, the catalog templates are not visible to endpoint or blueprint architects in
vRealize Automation.
4 Gather the following information so that you can include it in blueprints:
- Name of the vCloud Air or vCloud Director template.
- Amount of total storage specified for the template.
Preparing for Linux Kickstart Provisioning
Linux Kickstart provisioning uses a configuration file to automate a Linux installation on a newly
provisioned machine. To prepare for provisioning you must create a bootable ISO image and a Kickstart
or autoYaST configuration file.
The following is a high-level overview of the steps required to prepare for Linux Kickstart provisioning:
1 Verify that a DHCP server is available on the network. vRealize Automation cannot provision
machines by using Linux Kickstart provisioning unless DHCP is available.
2 Prepare the configuration file. In the configuration file, you must specify the locations of the
vRealize Automation server and the Linux agent installation package. See Prepare the Linux Kickstart
Configuration Sample File.
3 Edit the isolinux/isolinux.cfg or loader/isolinux.cfg to specify the name and location of the
configuration file and the appropriate Linux distribution source.
4 Create the boot ISO image and save it to the location required by your virtualization platform. See the
documentation provided by your hypervisor for information about the required location.
5 (Optional) Add customization scripts.
a To specify post-installation customization scripts in the configuration file, see Specify Custom
Scripts in a kickstart/autoYaST Configuration File.
b To call Visual Basic scripts in blueprint, see Checklist for Running Visual Basic Scripts During
Provisioning.
6 Gather the following information so that blueprint architects can include it in their blueprints:
a The name and location of the ISO image.
b For vCenter Server integrations, the vCenter Server guest operating system version with which
vCenter Server is to create the machine.
Note You can create a property group with the property set BootIsoProperties to include the required
ISO information. This makes it easier to include this information correctly on blueprints.
Prepare the Linux Kickstart Configuration Sample File
vRealize Automation provides sample configuration files that you can modify and edit to suit your needs.
There are several changes required to make the files usable.
Procedure
1 Navigate to the vRealize Automation appliance management console page.
For example: https://va-hostname.domain.com.
2 Click Guest and software agents page in the vRealize Automation component installation section of
the page.
For example: https://va-hostname.domain.com/software/index.html.
The Guest and Software Agent Installers page opens, displaying links to available downloads.
3 Click Linux guest agent packages in the guest agent installers section of the page to download and
save the LinuxGuestAgentPkgs.zip file.
4 Unpack the downloaded LinuxGuestAgentPkgs.zip file to create the VraLinuxGuestAgent folder.
5 Navigate to the VraLinuxGuestAgent subdirectory that corresponds to the guest operating system to
deploy during provisioning.
For example: rhel32.
6 Open a file in the samples subdirectory that corresponds to your target system.
For example, samples/sample-https-rhel6-x86.cfg.
7 Replace all instances of the string host=dcac.example.net with the IP address or fully qualified
domain name and port number for the Manager Service or the load balancer for the Manager Service.
Platform        Required Format
vSphere ESXi    IP address, for example: --host=172.20.9.59
vSphere ESX     IP address, for example: --host=172.20.9.58
SUSE 10         IP address, for example: --host=172.20.9.57
All others      FQDN, for example: --host=mycompany-host1.mycompany.local:443
8 Locate each instance of gugent.rpm or gugent.tar.gz and replace the URL rpm.example.net
with the location of the guest agent package.
For example:
rpm -i nfs:172.20.9.59/suseagent/gugent.rpm
9 Save the file to a location accessible to newly provisioned machines.
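Steps 7 and 8 are plain string substitutions, but the platform table makes the --host value format-sensitive: an FQDN:port value on ESXi, ESX or SUSE 10, or a bare IP address elsewhere, leaves the guest agent unable to reach the Manager Service and the provisioned machine stuck. The script below, an added example rather than VMware's tooling, applies both substitutions to a sample file and refuses a host value in the wrong format for the chosen platform. The placeholder strings, platform table and example addresses come from the procedure; SAMPLE_CFG is a constructed stand-in for samples/sample-https-rhel6-x86.cfg, and the function names are chosen here.

```python
"""Apply the sample-file edits from the procedure above and check the --host
format the target platform requires.

Added example, not VMware's tooling: the placeholder strings, the platform
table and the example addresses are from the procedure; SAMPLE_CFG is a
constructed stand-in for samples/sample-https-rhel6-x86.cfg, and the function
names are chosen here."""
import ipaddress
import re

HOST_PLACEHOLDER = "host=dcac.example.net"
PKG_PLACEHOLDER = "rpm.example.net"
# Platforms that must be given an IP address; every other platform takes FQDN:port.
IP_ONLY_PLATFORMS = {"vSphere ESXi", "vSphere ESX", "SUSE 10"}
FQDN_PORT = re.compile(r"^(?=.{1,253}$)(?:[A-Za-z0-9-]+\.)+[A-Za-z0-9-]+:\d{1,5}$")


def is_valid_host(value, platform):
    """True if `value` matches the --host format required for `platform`."""
    if platform in IP_ONLY_PLATFORMS:
        try:
            ipaddress.ip_address(value)
        except ValueError:
            return False
        return True
    return FQDN_PORT.match(value) is not None


def prepare_config(text, platform, manager_host, package_location):
    """Return the rewritten configuration text.

    manager_host: Manager Service (or its load balancer) in the platform's format
    package_location: where gugent.rpm / gugent.tar.gz are served from
    Raises ValueError if the host format is wrong or a placeholder survives."""
    if not is_valid_host(manager_host, platform):
        raise ValueError(f"{manager_host!r} is not the --host format required for {platform}")
    out = text.replace(HOST_PLACEHOLDER, f"host={manager_host}")
    out = out.replace(PKG_PLACEHOLDER, package_location)
    leftover = [p for p in (HOST_PLACEHOLDER, PKG_PLACEHOLDER) if p in out]
    if leftover:
        raise ValueError(f"unreplaced placeholders: {leftover}")
    return out


# Constructed stand-in for the sample file: only lines the procedure touches.
SAMPLE_CFG = (
    "%post\n"
    "rpm -i nfs:rpm.example.net/suseagent/gugent.rpm\n"
    "AGENT_ARGS=\"--host=dcac.example.net\"   # constructed line, not from the real sample\n"
    "%end\n"
)

if __name__ == "__main__":
    print(prepare_config(SAMPLE_CFG, "vSphere ESXi", "172.20.9.59", "172.20.9.59"))
```

Read the real sample file into `text`, pass the platform string exactly as it appears in the table, and write the returned text to the location from step 9; the ValueError on a surviving placeholder catches a sample file whose placeholder spelling differs from the one the procedure names.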
Specify Custom Scripts in a kickstart/autoYaST Configuration File
You can modify the configuration file to copy or install custom scripts onto newly provisioned machines.
The Linux agent runs the scripts at the specified point in the workflow.
Your script can reference any of the ./properties.xml files in
the /usr/share/gugent/site/workitem directories.
Prerequisites
- Prepare a kickstart or autoYaST configuration file. See Prepare the Linux Kickstart Configuration
Sample File.
- Your script must return a non-zero value on failure to prevent machine provisioning failure.
Procedure
1 Create or identify the script you want to use.
2 Save the script as NN_scriptname.
NN is a two digit number. Scripts are executed in order from lowest to highest. If two scripts have the
same number, the order is alphabetical based on scriptname.
3 Make your script executable.
4 Locate the post-installation section of your kickstart or autoYaST configuration file.
In kickstart, this is indicated by %post. In autoYaST, this is indicated by post-scripts.
5 Modify the post-installation section of the configuration file to copy or install your script into
the /usr/share/gugent/site/workitem directory of your choice.
Custom scripts are most commonly run for virtual kickstart/autoYaST with the work items SetupOS
(for create provisioning) and CustomizeOS (for clone provisioning), but you can run scripts at any
point in the workflow.
For example, you can modify the configuration file to copy the script 11_addusers.sh to
the /usr/share/gugent/site/SetupOS directory on a newly provisioned machine by using the
following command:
cp nfs:172.20.9.59/linuxscripts/11_addusers.sh /usr/share/gugent/site/SetupOS
The Linux agent runs the script in the order specified by the work item directory and the script file name.
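The NN_scriptname rule decides execution order, and a script that breaks it is easy to miss until a machine comes up half-configured. The following added example (not VMware's agent code) reproduces the ordering rule from step 2 over a set of file names, rejects names that do not follow it, and emits the kickstart %post lines from step 5 that copy the scripts into the chosen work item directory. The script names and the NFS location are constructed, and run_order and post_section are names chosen here.

```python
"""Work out the order in which the Linux guest agent runs custom scripts in a
work item directory, and emit the kickstart %post lines that copy them there.

Added example, not VMware's agent code: the NN_scriptname rule and the
/usr/share/gugent/site/<workitem> layout are from the procedure above; script
names and the NFS location are constructed, and the function names are chosen here."""
import re

SCRIPT_NAME = re.compile(r"^(\d{2})_(.+)$")
SITE_DIR = "/usr/share/gugent/site"


def run_order(filenames):
    """Return filenames in execution order: by NN, then alphabetically by scriptname.
    Raises ValueError for a name that does not follow NN_scriptname."""
    keyed = []
    for name in filenames:
        m = SCRIPT_NAME.match(name)
        if not m:
            raise ValueError(f"{name!r} does not match NN_scriptname")
        keyed.append((int(m.group(1)), m.group(2), name))
    return [name for _, _, name in sorted(keyed)]


def post_section(work_item, scripts, source):
    """Build the %post lines that copy scripts into the work item directory
    and make them executable (steps 3 and 5). `source` is where the scripts
    are fetched from, for example nfs:172.20.9.59/linuxscripts."""
    dest = f"{SITE_DIR}/{work_item}"
    lines = ["%post"]
    for name in run_order(scripts):
        lines.append(f"cp {source}/{name} {dest}")
        lines.append(f"chmod +x {dest}/{name}")
    lines.append("%end")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed script set for the SetupOS work item (create provisioning).
    scripts = ["20_setdns.sh", "11_addusers.sh", "11_addgroups.sh", "05_hostname.sh"]
    print("run order:", run_order(scripts))
    print(post_section("SetupOS", scripts, "nfs:172.20.9.59/linuxscripts"))
```

The printed run order is the one the agent will use (05, then the two 11_ scripts alphabetically, then 20), and the generated %post block is what step 5 asks you to paste into the configuration file.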
Preparing for SCCM Provisioning
vRealize Automation boots a newly provisioned machine from an ISO image, and then passes control to
the specified SCCM task sequence.
SCCM provisioning is supported for the deployment of Windows operating systems. Linux is not
supported. Software distribution and updates are not supported.
The following is a high-level overview of the steps required to prepare for SCCM provisioning:
1 Consult with your network administrator to ensure that the following network requirements are met:
- Communication with SCCM requires the NetBios name of the SCCM server. At least one
Distributed Execution Manager (DEM) must be able to resolve the fully qualified name of the
SCCM server to its NetBios name.
- The SCCM server and the vRealize Automation server must be on the same network and
available to each other.
2 Create a software package that includes the vRealize Automation guest agent. See Create a
Software Package for SCCM Provisioning.
3 In SCCM, create the desired task sequence for provisioning the machine. The final step must be to
install the software package you created that contains the vRealize Automation guest agent. For
information about creating task sequences and installing software packages, see SCCM
documentation.
4 Create a zero touch boot ISO image for the task sequence. By default, SCCM creates a light touch
boot ISO image. For information about configuring SCCM for zero touch ISO images, see SCCM
documentation.
5 Copy the ISO image to the location required by your virtualization platform. If you do not know the
appropriate location, refer to the documentation provided by your hypervisor.
6 Gather the following information so that blueprint architects can include it on blueprints:
a The name of the collection containing the task sequence.
b The fully qualified domain name of the SCCM server on which the collection containing the
sequence resides.
c The site code of the SCCM server.
d Administrator-level credentials for the SCCM server.
e (Optional) For SCVMM integrations, the ISO, virtual hard disk, or hardware profile to attach to
provisioned machines.
Create a Software Package for SCCM Provisioning
The final step in your SCCM task sequence must be to install a software package that includes the
vRealize Automation guest agent.
Procedure
1 Navigate to the vRealize Automation appliance management console page.
For example: https://va-hostname.domain.com.
2 Click Guest and software agents page in the vRealize Automation component installation section of
the page.
For example: https://va-hostname.domain.com/software/index.html.
The Guest and Software Agent Installers page opens, displaying links to available downloads.
3 Click Windows guest agent files (32-bit) or (64-bit) in the component installation section of the page
to download and save the GuestAgentInstaller.exe or GuestAgentInstaller_x64.exe file.
4 Extract the Windows guest agent files to a location available to SCCM.
This produces the directory C:\VRMGuestAgent. Do not rename this directory.
5 Create a software package from the definition file SCCMPackageDefinitionFile.sms.
6 Make the software package available to your distribution point.
7 Select the contents of the extracted Windows guest agent files as your source files.
Preparing for WIM Provisioning
Provision a machine by booting into a WinPE environment and then install an operating system using a
Windows Imaging File Format (WIM) image of an existing Windows reference machine.
The following is a high-level overview of the steps required to prepare for WIM provisioning:
1 Identify or create the staging area. The staging area should be a network directory that can be
specified as a UNC path or mounted as a network drive by
- The reference machine.
- The system where you build the WinPE image.
- The virtualization host where you provision the machines.
2 Ensure that the network has a DHCP server. vRealize Automation cannot provision machines with a
WIM image unless DHCP is available.
3 Identify or create the reference machine in the virtualization platform you intend to use for
provisioning. For vRealize Automation requirements, see Reference Machine Requirements for WIM
Provisioning. For information about creating a reference machine, see the documentation provided by
your hypervisor.
4 Using the System Preparation Utility for Windows, prepare the reference machine's operating system
for deployment. See SysPrep Requirements for the Reference Machine.
5 Create the WIM image of the reference machine. Do not include any spaces in the WIM image file
name or provisioning fails.
6 Create a WinPE image that contains the vRealize Automation guest agent.
- (Optional) Create any custom scripts you want to use to customize provisioned machines and
place them in the appropriate work item directory.
- If you are using VirtIO for network or storage interfaces, you must ensure that the necessary
drivers are included in your WinPE image and WIM image. See Preparing for WIM Provisioning
with VirtIO Drivers.
When you create the WinPE image, you must manually insert the vRealize Automation guest agent.
See Manually Insert the Guest Agent into a WinPE Image.
7 Place the WinPE image in the location required by your virtualization platform. If you do not know the
location, see your hypervisor documentation.
8 Gather the following information to include in the blueprint:
a The name and location of the WinPE ISO image.
b The name of the WIM file, the UNC path to the WIM file, and the index used to extract the desired
image from the WIM file.
c The user name and password under which to map the WIM image path to a network drive on the
provisioned machine.
d (Optional) If you do not want to accept the default, K, the drive letter to which the WIM image path
is mapped on the provisioned machine.
e For vCenter Server integrations, the vCenter Server guest operating system version with which
vCenter Server is to create the machine.
f (Optional) For SCVMM integrations, the ISO, virtual hard disk, or hardware profile to attach to
provisioned machines.
Note You can create a property group to include all of this required information. Using a property
group makes it easier to include all the information correctly in blueprints.
1 Reference Machine Requirements for WIM Provisioning
WIM provisioning involves creating a WIM image from a reference machine. The reference machine
must meet basic requirements for the WIM image to work for provisioning in vRealize Automation.
2 SysPrep Requirements for the Reference Machine
A SysPrep answer file contains several required settings that are used for WIM provisioning.
3 Preparing for WIM Provisioning with VirtIO Drivers
If you are using VirtIO for network or storage interfaces, you must ensure that the necessary drivers
are included in your WinPE image and WIM image. VirtIO generally offers better performance when
provisioning with KVM (RHEV).
4 Manually Insert the Guest Agent into a WinPE Image
You must manually insert the vRealize Automation guest agent into your WinPE image.
Reference Machine Requirements for WIM Provisioning
WIM provisioning involves creating a WIM image from a reference machine. The reference machine must
meet basic requirements for the WIM image to work for provisioning in vRealize Automation.
The following is a high-level overview of the steps to prepare a reference machine:
1 If the operating system on your reference machine is Windows Server 2008 R2, Windows Server
2012, Windows 7, or Windows 8, the default installation creates a small partition on the system's hard
disk in addition to the main partition. vRealize Automation does not support the use of WIM images
created on such multi-partitioned reference machines. You must delete this partition during the
installation process.
2 Install .NET 4.5 and Windows Automated Installation Kit (AIK) for Windows 7 (including WinPE 3.0) on
the reference machine.
3 If the reference machine operating system is Windows Server 2003 or Windows XP, reset the
administrator password to be blank. (There is no password.)
4 (Optional) If you want to enable XenDesktop integration, install and configure a
Citrix Virtual Desktop Agent.
5 (Optional) A Windows Management Instrumentation (WMI) agent is required to collect certain data
from a Windows machine managed by vRealize Automation, for example the Active Directory status
of a machine’s owner. To ensure successful management of Windows machines, you must install a
WMI agent (typically on the Manager Service host) and enable the agent to collect data from
Windows machines. See Installing vRealize Automation.
SysPrep Requirements for the Reference Machine
A SysPrep answer file contains several required settings that are used for WIM provisioning.
Table 115. Windows Server or Windows XP reference machine SysPrep required settings
GuiUnattended Setting   Value
AutoLogon               Yes
AutoLogonCount          1
AutoLogonUsername       username (username and password are the credentials used for auto logon
                        when the newly provisioned machine boots into the guest operating system.
                        Administrator is typically used.)
AutoLogonPassword       password corresponding to the AutoLogonUsername.
Table 116. Required SysPrep Settings for reference machines that are not using Windows Server 2003 or
Windows XP
AutoLogon Setting   Value
Enabled             Yes
LogonCount          1
Username            username (username and password are the credentials used for auto logon when the
                    newly provisioned machine boots into the guest operating system. Administrator is
                    typically used.)
Password            password (username and password are the credentials used for auto logon when the
                    newly provisioned machine boots into the guest operating system. Administrator is
                    typically used.)
Note For reference machines that use a Windows platform newer than Windows Server 2003/Windows XP,
you must set the autologon password by using the custom property
Sysprep.GuiUnattended.AdminPassword. A convenient way to ensure this is done is to create a property
group that includes this custom property so that tenant administrators and business group managers can
include this information correctly in their blueprints.
Preparing for WIM Provisioning with VirtIO Drivers
If you are using VirtIO for network or storage interfaces, you must ensure that the necessary drivers are
included in your WinPE image and WIM image. VirtIO generally offers better performance when
provisioning with KVM (RHEV).
Windows drivers for VirtIO are included as part of the Red Hat Enterprise Virtualization and are located in
the /usr/share/virtio-win directory on the file system of the Red Hat Enterprise Virtualization
Manager. The drivers are also included in the Red Hat Enterprise Virtualization Guest Tools
located /usr/share/rhev-guest-tools-iso/rhev-tools-setup.iso.
The high-level process for enabling WIM-based provisioning with VirtIO drivers is as follows:
1 Create a WIM image from a Windows reference machine with the VirtIO drivers installed or insert the
drivers into an existing WIM image.
2 Copy the VirtIO driver files and insert the drivers into a WinPE image.
3 Upload the WinPE image ISO to the Red Hat Enterprise Virtualization ISO storage domains using the
rhevm-iso-uploader command. For more information about managing ISO images in RHEV refer
to the Red Hat documentation.
4 Create a KVM (RHEV) blueprint for WIM provisioning and select the WinPE ISO option. The custom
property VirtualMachine.Admin.DiskInterfaceType must be included with the value VirtIO. A
fabric administrator can include this information in a property group for inclusion on blueprints.
The custom properties Image.ISO.Location and Image.ISO.Name are not used for KVM (RHEV)
blueprints.
Manually Insert the Guest Agent into a WinPE Image
You must manually insert the vRealize Automation guest agent into your WinPE image.
Prerequisites
- Select a Windows system from which the staging area you prepared is accessible and on which .NET
4.5 and Windows Automated Installation Kit (AIK) for Windows 7 (including WinPE 3.0) are installed.
- Create a WinPE.
Procedure
1 Install the Guest Agent in a WinPE
You must manually copy the guest agent files to your WinPE image.
2 Configure the doagent.bat File
You must manually configure the doagent.bat file.
3 Configure the doagentc.bat File
You must manually configure the doagentc.bat file.
4 Configure the Guest Agent Properties Files
You must manually configure the guest agent properties files.
Install the Guest Agent in a WinPE
You must manually copy the guest agent files to your WinPE image.
Prerequisites
- Select a Windows system from which the staging area you prepared is accessible and on which .NET
4.5 and Windows Automated Installation Kit (AIK) for Windows 7 (including WinPE 3.0) are installed.
- Create a WinPE.
Procedure
- Download and install the vRealize Automation guest agent from
https://vRealize_VA_Hostname_fqdn/software/index.html.
a Download GugentZip_version to the C drive on the reference machine.
Select either GuestAgentInstaller.exe (32-bit) or GuestAgentInstaller_x64.exe (64-bit)
depending on which is appropriate for your operating system.
b Right-click the file and select Properties.
c Click General.
d Click Unblock.
e Extract the files to C:\.
This produces the directory C:\VRMGuestAgent. Do not rename this directory.
What to do next
Configure the doagent.bat File.
Configure the doagent.bat File
You must manually configure the doagent.bat file.
Prerequisites
Install the Guest Agent in a WinPE.
Procedure
1 Navigate to the VRMGuestAgent directory within your WinPE Image.
For example: C:\Program Files (x86)\VMware\Plugins\VRM Agent\VRMGuestAgent.
2 Make a copy of the file doagent-template.bat and name it doagent.bat.
3 Open doagent.bat in a text editor.
4 Replace all instances of the string #Dcac Hostname# with the fully qualified domain name and port
number of the IaaS Manager Service host.
Option                            Description
If you are using a load balancer  Enter the fully qualified domain name and port of the load balancer for
                                  the IaaS Manager Service. For example,
                                  manager_service_LB.mycompany.com:443
With no load balancer             Enter the fully qualified domain name and port of the machine on which
                                  the IaaS Manager Service is installed. For example,
                                  manager_service.mycompany.com:443
5 Replace all instances of the string #Protocol# with the string /ssl.
6 Replace all instances of the string #Comment# with REM (REM must be followed by a trailing space).
7 (Optional) If you are using self-signed certificates, uncomment the openSSL command.
echo QUIT | c:\VRMGuestAgent\bin\openssl s_client -connect
8 Save and close the file.
9 Edit the Startnet.cmd script for your WinPE to include the doagent.bat as a custom script.
What to do next
Configure the doagentc.bat File.
Configure the doagentc.bat File
You must manually configure the doagentc.bat file.
Prerequisites
Configure the doagent.bat File.
Procedure
1 Navigate to the VRMGuestAgent directory within your WinPE Image.
For example: C:\Program Files (x86)\VMware\Plugins\VRM Agent\VRMGuestAgent.
2 Make a copy of the file doagentsvc-template.bat and name it doagentc.bat.
3 Open doagentc.bat in a text editor.
4 Remove all instances of the string #Comment#.
5 Replace all instances of the string #Dcac Hostname# with the fully qualified domain name and port
number of the Manager Service host.
The default port for the Manager Service is 443.
Option                            Description
If you are using a load balancer  Enter the fully qualified domain name and port of the load balancer for
                                  the Manager Service. For example,
                                  load_balancer_manager_service.mycompany.com:443
With no load balancer             Enter the fully qualified domain name and port of the Manager Service.
                                  For example, manager_service.mycompany.com:443
6 Replace all instances of the string #errorlevel# with the character 1.
7 Replace all instances of the string #Protocol# with the string /ssl.
8 Save and close the file.
What to do next
Configure the Guest Agent Properties Files.
Configure the Guest Agent Properties Files
You must manually configure the guest agent properties files.
Prerequisites
Configure the doagentc.bat File.
Procedure
1 Navigate to the VRMGuestAgent directory within your WinPE Image.
For example: C:\Program Files (x86)\VMware\Plugins\VRM Agent\VRMGuestAgent.
2 Make a copy of the file gugent.properties and name it gugent.properties.template.
3 Make a copy of the file gugent.properties.template and name it gugentc.properties.
4 Open gugent.properties in a text editor.
5 Replace all instances of the string GuestAgent.log with the string
X:/VRMGuestAgent/GuestAgent.log.
6 Save and close the file.
7 Open gugentc.properties in a text editor.
8 Replace all instances of the string GuestAgent.log with the string
C:/VRMGuestAgent/GuestAgent.log.
9 Save and close the file.
Preparing for Virtual Machine Image Provisioning
Before you provision instances with OpenStack, you must have virtual machine images and flavors
configured in the OpenStack provider.
Virtual Machine Images
You can select a virtual machine image from a list of available images when creating blueprints for
OpenStack resources.
A virtual machine image is a template that contains a software configuration, including an operating
system. Virtual machine images are managed by the OpenStack provider and are imported during data
collection.
If an image that is used in a blueprint is later deleted from the OpenStack provider, it is also removed from
the blueprint. If all the images have been removed from a blueprint, the blueprint is disabled and cannot
be used for machine requests until it is edited to add at least one image.
OpenStack Flavors
You can select one or more flavors when creating OpenStack blueprints.
OpenStack flavors are virtual hardware templates that define the machine resource specifications for
instances provisioned in OpenStack. Flavors are managed by the OpenStack provider and are imported
during data collection.
vRealize Automation supports several flavors of OpenStack. For the most current information about
OpenStack flavor support, see the vRealize Automation Support Matrix at
https://www.vmware.com/support/pubs/vcac-pubs.html.
Preparing for Amazon Machine Image Provisioning
Prepare your Amazon Machine Images and instance types for provisioning in vRealize Automation.
Understanding Amazon Machine Images
You can select an Amazon machine image from a list of available images when creating Amazon
machine blueprints.
An Amazon machine image is a template that contains a software configuration, including an operating
system. They are managed by Amazon Web Services accounts. vRealize Automation manages the
instance types that are available for provisioning.
The Amazon machine image and instance type must be available in an Amazon region. Not all instance
types are available in all regions.
You can select an Amazon machine image provided by Amazon Web Services, a user community, or the
AWS Marketplace site. You can also create and optionally share your own Amazon machine images. A
single Amazon machine image can be used to launch one or many instances.
The following considerations apply to Amazon machine images in the Amazon Web Services accounts
from which you provision cloud machines:
- Each blueprint must specify an Amazon machine image.
  A private Amazon machine image is available to a specific account and all its regions. A public
  Amazon machine image is available to all accounts, but only to a specific region in each account.
- When the blueprint is created, the specified Amazon machine image is selected from regions that
  have been data-collected. If multiple Amazon Web Services accounts are available, the business
  group manager must have rights to any private Amazon machine images. The Amazon machine
  image region and the specified user location restrict provisioning requests to reservations that match
  the corresponding region and location.
- Use reservations and policies to distribute Amazon machine images in your Amazon Web Services
  accounts. Use policies to restrict provisioning from a blueprint to a particular set of reservations.
- vRealize Automation cannot create user accounts on a cloud machine. The first time a machine
  owner connects to a cloud machine, she must log in as an administrator and add her
  vRealize Automation user credentials or an administrator must do that for her. She can then log in
  using her vRealize Automation user credentials.
  If the Amazon machine image generates the administrator password on every boot, the Edit Machine
  Record page displays the password. If it does not, you can find the password in the Amazon Web
  Services account. You can configure all Amazon machine images to generate the administrator
  password on every boot. You can also provide administrator password information to support users
  who provision machines for other users.
- To allow remote Microsoft Windows Management Instrumentation (WMI) requests on cloud machines
  provisioned in Amazon Web Services accounts, enable a Microsoft Windows Remote Management
  (WinRM) agent to collect data from Windows machines managed by vRealize Automation. See
  Installing vRealize Automation.
- A private Amazon machine image can be seen across tenants.
For related information, see Amazon Machine Images (AMI) topics in Amazon documentation.
Understanding Amazon Instance Types
An IaaS architect selects one or more Amazon instance types when creating Amazon EC2 blueprints. An
IaaS administrator can add or remove instance types to control the choices available to the architects.
An Amazon EC2 instance is a virtual server that can run applications in Amazon Web Services. Instances
are created from an Amazon machine image and by choosing an appropriate instance type.
To provision a machine in an Amazon Web Services account, an instance type is applied to the specified
Amazon machine image. The available instance types are listed when architects create the Amazon EC2
blueprint. Architects select one or more instance types, and those instance types become choices
available to the user when they request to provision a machine. The instance types must be supported in
the designated region.
For related information, see Selecting Instance Types and Amazon EC2 Instance Details topics in
Amazon documentation.
Add an Amazon Instance Type
Several instance types are supplied with vRealize Automation for use with Amazon blueprints. An
administrator can add and remove instance types.
The machine instance types managed by IaaS administrators are available to blueprint architects when
they create or edit an Amazon blueprint. Amazon machine images and instance types are made available
through the Amazon Web Services product.
Prerequisites
Log in to vRealize Automation as an IaaS administrator.
Procedure
1 Click Infrastructure > Administration > Instance Types.
2 Click New.
3 Add a new instance type, specifying the following parameters.
Information about the available Amazon instance types and the setting values that you can specify
for these parameters is available from Amazon Web Services documentation in EC2 Instance Types -
Amazon Web Services (AWS) at aws.amazon.com/ec2 and Instance Types at
docs.aws.amazon.com.
- Name
- API name
- Type Name
- IO Performance Name
- CPUs
- Memory (GB)
- Storage (GB)
- Compute Units
4 Click the Save icon.
When IaaS architects create Amazon Web Services blueprints, they can use your custom instance types.
What to do next
Add the compute resources from your endpoint to a fabric group. See Create a Fabric Group.
Scenario: Prepare vSphere Resources for Machine Provisioning in
Rainpole
As the vSphere administrator creating templates for vRealize Automation, you want to use the vSphere
Web Client to prepare for cloning CentOS machines in vRealize Automation.
You want to convert an existing CentOS reference machine into a vSphere template so you and your
Rainpole architects can create blueprints for cloning CentOS machines in vRealize Automation. To
prevent any conflicts that might arise from deploying multiple virtual machines with identical settings, you
also want to create a general customization specification that you and your architects can use to create
clone blueprints for Linux templates.
Procedure
1 Scenario: Convert Your CentOS Reference Machine into a Template for Rainpole
Using the vSphere Client, you convert your existing CentOS reference machine into a vSphere
template for your vRealize Automation IaaS architects to reference as the base for their clone
blueprints.
2 Scenario: Create a Customization Specification for Cloning Linux Machines in Rainpole
Using the vSphere Client, you create a standard customization specification for your
vRealize Automation IaaS architects to use when they create clone blueprints for Linux machines.
Scenario: Convert Your CentOS Reference Machine into a Template for
Rainpole
Using the vSphere Client, you convert your existing CentOS reference machine into a vSphere template
for your vRealize Automation IaaS architects to reference as the base for their clone blueprints.
Procedure
1 Log in to your reference machine as the root user and prepare the machine for conversion.
a Remove udev persistence rules.
/bin/rm -f /etc/udev/rules.d/70*
b Enable machines cloned from this template to have their own unique identifiers.
/bin/sed -i '/^\(HWADDR\|UUID\)=/d' /etc/sysconfig/network-scripts/ifcfg-eth0
c Power down the machine.
shutdown -h now
2 Log in to the vSphere Web Client as an administrator.
3 Click the VM Options tab.
4 Right-click your reference machine and select Edit Settings.
5 Enter Rainpole_centos_63_x86 in the VM Name text box.
6 Even though your reference machine has a CentOS guest operating system, select Red Hat
Enterprise Linux 6 (64-bit) from the Guest OS Version drop-down menu.
If you select CentOS, your template and customization specification might not work as expected.
7 Right-click your Rainpole_centos_63_x86 reference machine in the vSphere Web Client and select
Template > Convert to Template.
vCenter Server marks your Rainpole_centos_63_x86 reference machine as a template and displays the
task in the Recent Tasks pane.
What to do next
To prevent any conflicts that might arise from deploying multiple virtual machines with identical settings,
you create a general customization specification that you and your Rainpole architects can use to create
clone blueprints for Linux templates.
Scenario: Create a Customization Specification for Cloning Linux Machines in
Rainpole
Using the vSphere Client, you create a standard customization specification for your vRealize Automation
IaaS architects to use when they create clone blueprints for Linux machines.
Procedure
1 On the home page, click Customization Specification Manager to open the wizard.
2 Click the New icon.
3 Specify properties.
a Select Linux from the Target VM Operating System drop-down menu.
b Enter Linux in the Customization Spec Name text box.
c Enter Rainpole Linux cloning with vRealize Automation in the Description text box.
d Click Next.
4 Set computer name.
a Select Use the virtual machine name.
b Enter the domain on which cloned machines are going to be provisioned in the Domain name
text box.
For example, rainpole.local.
c Click Next.
5 Configure time zone settings.
6 Click Next.
7 Select Use standard network settings for the guest operating system, including enabling
DHCP on all network interfaces.
8 Follow the prompts to enter the remaining required information.
9 On the Ready to complete page, review your selections and click Finish.
You have a general customization specification that you can use to create blueprints for cloning Linux
machines.
What to do next
Log in to the vRealize Automation console as the configuration administrator you created during the
installation and request the catalog items that quickly set up your proof of concept.
Preparing for Software Provisioning
Use Software to deploy applications and middleware as part of the vRealize Automation provisioning
process for vSphere, vCloud Director, vCloud Air, and Amazon AWS machines.
You can deploy Software on machines if your blueprint supports Software and if you install the guest
agent and software bootstrap agent on your reference machines before you convert them into templates,
snapshots, or Amazon Machine Images.
For related information about specifying ports when preparing for provisioning, see Secure Configuration
Guide and Reference Architecture at VMware vRealize Automation Information.
Table 117. Provisioning Methods that Support Software

Machine Type: vSphere
Provisioning Method: Clone
Required Preparation: A clone blueprint provisions a complete and independent virtual machine based on a
vCenter Server virtual machine template. If you want your templates for cloning to support Software
components, install the guest agent and software bootstrap agent on your reference machine as you
prepare a template for cloning. See Checklist for Preparing to Provision by Cloning.

Machine Type: vSphere
Provisioning Method: Linked Clone
Required Preparation: A linked clone blueprint provisions a space-efficient copy of a vSphere machine based
on a snapshot, using a chain of delta disks to track differences from the parent machine. If you want your
linked clone blueprints to support Software components, install the guest agent and software bootstrap
agent on the machine before you take the snapshot.
If your snapshot machine was cloned from a template that supports Software, the required agents are
already installed.

Machine Type: vCloud Director
Provisioning Method: Clone
Required Preparation: A clone blueprint provisions a complete and independent virtual machine based on a
vCenter Server virtual machine template. If you want your templates for cloning to support Software
components, install the guest agent and software bootstrap agent on your reference machine as you
prepare a template for cloning. See Checklist for Preparing to Provision by Cloning.

Machine Type: vCloud Air
Provisioning Method: Clone
Required Preparation: A clone blueprint provisions a complete and independent virtual machine based on a
vCenter Server virtual machine template. If you want your templates for cloning to support Software
components, install the guest agent and software bootstrap agent on your reference machine as you
prepare a template for cloning. See Checklist for Preparing to Provision by Cloning.

Machine Type: Amazon AWS
Provisioning Method: Amazon Machine Image
Required Preparation: An Amazon machine image is a template that contains a software configuration,
including an operating system. If you want to create an Amazon machine image that supports Software,
connect to a running Amazon AWS instance that uses an EBS volume for the root device. Install the guest
agent and software bootstrap agent on the reference machine, then create an Amazon Machine Image
from your instance. For instructions on creating Amazon EBS-backed AMIs, see the Amazon AWS
documentation.
For the guest agent and Software bootstrap agent to function on provisioned machines, you must
configure network-to-VPC connectivity.
Preparing to Provision Machines with Software
To support Software components, you must install the guest agent and Software bootstrap agent on your
reference machine before you convert to a template for cloning, create an Amazon machine image, or
take a snapshot.
Prepare a Windows Reference Machine to Support Software
You use a single script to install the Java Runtime Environment, guest agent, and Software bootstrap
agent on a Windows reference machine. From the reference machine, you can create a template for
cloning, a snapshot, or an Amazon machine image that supports Software components.
Software supports scripting with Windows CMD and PowerShell 2.0.
Important The startup process must not be interrupted. Configure the virtual machine so that nothing
pauses the virtual machine startup process before reaching the login prompt. For example, verify that no
processes or scripts prompt for user interaction while the virtual machine starts.
Prerequisites
- Identify or create a Windows reference machine.
- Establish secure trust between the reference machine and your IaaS Manager Service host. See
  Configuring the Guest Agent to Trust a Server.
- On the reference machine, verify that the Darwin user has Log on as a service access.
- If you plan to remotely access the machine for troubleshooting or other reasons, install Remote
  Desktop Services (RDS).
- Remove network configuration artifacts from the network configuration files.
Procedure
1 Log in to the Windows reference server as an administrator.
2 Open a browser to the software download page on the vRealize Automation appliance.
https://vrealize-automation-appliance-FQDN/software
3 Save the template ZIP to the Windows server.
prepare_vra_template_windows.zip
4 Extract the ZIP contents to a folder, and run the batch file.
.\prepare_vra_template.bat
5 Follow the prompts.
6 When finished, shut down the Windows virtual machine.
The script removes any previous guest or Software bootstrap agents, and installs the supported versions
of the Java Runtime Environment, the guest agent, and the Software bootstrap agent.
What to do next
Convert the reference machine into a template for cloning, a snapshot, or an Amazon machine image.
Each supports Software components, and infrastructure architects can use them when creating
blueprints.
Prepare a Linux Reference Machine to Support Software
You use a single script to install the Java Runtime Environment, guest agent, and Software bootstrap
agent on your Linux reference machine. From the reference machine, you can create a template for
cloning, a snapshot, or an Amazon machine image that supports Software components.
Software supports scripting with Bash.
Important The boot process must not be interrupted. Configure the virtual machine so that nothing
pauses the virtual machine boot process before reaching the login prompt. For example, verify that no
processes or scripts prompt for user interaction while the virtual machine starts.
Prerequisites
- Identify or create a Linux reference machine.
- Verify that the following commands are available, depending on your Linux system:
  - yum or apt-get
  - wget or curl
  - python
  - dmidecode as required by cloud providers
  - Common requirements such as sed, awk, perl, chkconfig, unzip, and grep depending on your
    Linux distribution
  You might also use an editor to inspect the downloaded prepare_vra_template.sh script, which
  exposes the commands that it uses.
- If you plan to remotely access the machine for troubleshooting or other reasons, install OpenSSH.
- Remove network configuration artifacts from the network configuration files.
Procedure
1 Log in to your reference machine as root.
2 Download the template tar.gz package from the vRealize Automation appliance.
wget https://vrealize-automation-appliance-FQDN/software/download/prepare_vra_template.tar.gz
If your environment is using self-signed certificates, you might need the --no-check-certificate
option.
wget --no-check-certificate https://vrealize-automation-appliance-FQDN/software/download/prepare_vra_template.tar.gz
3 Untar the package.
tar -xvf prepare_vra_template.tar.gz
4 In the untar output, find the installer script, and make it executable.
chmod +x prepare_vra_template.sh
5 Run the installer script.
./prepare_vra_template.sh
If you need information about non-interactive options and expected values, see the script help.
./prepare_vra_template.sh --help
6 Follow the prompts.
A confirmation appears when installation succeeds. If errors and logs appear, resolve the errors and
rerun the script.
7 When finished, shut down the Linux virtual machine.
The script removes any previous guest or Software bootstrap agents, and installs the supported versions
of the Java Runtime Environment, the guest agent, and the Software bootstrap agent.
What to do next
On your hypervisor or cloud provider, turn the reference machine into a template for cloning, a snapshot,
or an Amazon machine image. Each supports Software components, and infrastructure architects can
use them when creating blueprints.
Updating Existing Virtual Machine Templates in vRealize Automation
If you are updating your templates, Amazon Machine Images, or snapshots for the latest version of the
Windows Software bootstrap agent, or if you are manually updating to the latest Linux Software bootstrap
agent instead of using the prepare_vra_template.sh script, you need to remove any existing
versions and delete any logs.
Linux
For Linux reference machines, running the prepare_vra_template.sh script resets the agent
and removes any logs for you before reinstalling. However, if you intend to install manually, you need to
log in to the reference machine as the root user and run the command to reset and remove the artifacts.
/opt/vmware-appdirector/agent-bootstrap/agent_reset.sh
Windows
For Windows reference machines, you remove the existing Software agent bootstrap and
vRealize Automation 6.0 or later guest agent, and delete any existing runtime log files. In a PowerShell
command window, run the commands to remove the agent and artifacts.
c:\opt\vmware-appdirector\agent-bootstrap\agent_bootstrap_removal.bat
c:\opt\vmware-appdirector\agent-bootstrap\agent_reset.bat
Scenario: Prepare a vSphere CentOS Template for Clone Machine
and Software Component Blueprints
As a vCenter Server administrator, you want to prepare a vSphere template that your
vRealize Automation architects can use to clone Linux CentOS machines. You want to ensure that your
template supports blueprints with software components, so you install the guest agent and the software
bootstrap agent before you turn your reference machine into a template.
Prerequisites
- Identify or create a Linux CentOS reference machine with VMware Tools installed. Include at least
  one Network Adapter to provide internet connectivity in case blueprint architects do not add this
  functionality at the blueprint level. For information about creating virtual machines, see the vSphere
  documentation.
- You must be connected to a vCenter Server to convert a virtual machine to a template. You cannot
  create templates if you connect the vSphere Client directly to a vSphere ESXi host.
Procedure
1 Scenario: Prepare Your Reference Machine for Guest Agent Customizations and Software
Components
So that your template can support software components, you install the software bootstrap agent
and its prerequisite, the guest agent, on your reference machine. The agents ensure that
vRealize Automation architects who use your template can include software components in their
blueprints.
2 Scenario: Convert Your CentOS Reference Machine into a Template
After you install the guest agent and software bootstrap agent onto your reference machine, you turn
your reference machine into a template that vRealize Automation architects can use to create clone
machine blueprints.
3 Scenario: Create a Customization Specification for vSphere Cloning
Create a customization specification for your blueprint architects to use with your
cpb_centos_63_x84 template.
You created a template and customization specification from your reference machine that blueprint
architects can use to create vRealize Automation blueprints that clone Linux CentOS machines. Because
you installed the Software bootstrap agent and the guest agent on your reference machine, architects can
use your template to create elaborate catalog item blueprints that include Software components or other
guest agent customizations such as running scripts or formatting disks. Because you installed
VMware Tools, architects and catalog administrators can allow users to perform actions against
machines, such as reconfigure, snapshot, and reboot.
What to do next
After you configure vRealize Automation users, groups, and resources, you can use your template and
customization specification to create a machine blueprint for cloning. See Installing and Configuring
vRealize Automation for the Rainpole Scenario.
Scenario: Prepare Your Reference Machine for Guest Agent Customizations
and Software Components
So that your template can support software components, you install the software bootstrap agent and its
prerequisite, the guest agent, on your reference machine. The agents ensure that vRealize Automation
architects who use your template can include software components in their blueprints.
To simplify the process, you download and run a vRealize Automation script that installs both agents,
instead of downloading and installing separate packages.
The script also connects to the Manager Service instance and downloads the SSL certificate, which
establishes trust between the Manager Service and machines deployed from the template. Note that
having the script download the certificate is less secure than manually obtaining the Manager Service
SSL certificate and installing it on your reference machine in /usr/share/gugent/cert.pem.
Procedure
1 In your Web browser, open the following URL.
https://vrealize-automation-appliance-FQDN/software/index.html
2 Save the prepare_vra_template.sh script to your reference machine.
3 On the reference machine, make prepare_vra_template.sh executable.
chmod +x prepare_vra_template.sh
4 Run prepare_vra_template.sh.
./prepare_vra_template.sh
5 Follow the prompts.
If you need non-interactive information about options and values,
enter ./prepare_vra_template.sh --help.
A confirmation message appears when installation finishes. If error messages and logs appear, correct
the issues and rerun the script.
Scenario: Convert Your CentOS Reference Machine into a Template
After you install the guest agent and software bootstrap agent onto your reference machine, you turn your
reference machine into a template that vRealize Automation architects can use to create clone machine
blueprints.
After you convert your reference machine to a template, you cannot edit or power on the template unless
you convert it back to a virtual machine.
Procedure
1 Log in to your reference machine as the root user and prepare the machine for conversion.
a Remove udev persistence rules.
/bin/rm -f /etc/udev/rules.d/70*
b Enable machines cloned from this template to have their own unique identifiers.
/bin/sed -i '/^\(HWADDR\|UUID\)=/d' /etc/sysconfig/network-scripts/ifcfg-eth0
c If you rebooted or reconfigured the reference machine after installing the software bootstrap
agent, reset the agent.
/opt/vmware-appdirector/agent-bootstrap/agent_reset.sh
d Power down the machine.
shutdown -h now
2 Log in to the vSphere Web Client as an administrator.
3 Right-click your reference machine and select Edit Settings.
4 Enter cpb_centos_63_x84 in the VM Name text box.
5 Even though your reference machine has a CentOS guest operating system, select Red Hat
Enterprise Linux 6 (64-bit) from the Guest OS Version drop-down menu.
If you select CentOS, your template and customization specification might not work as expected.
6 Right-click your reference machine in the vSphere Web Client and select Template > Convert to
Template.
vCenter Server marks your cpb_centos_63_x84 reference machine as a template and displays the task in
the Recent Tasks pane. If you have already brought your vSphere environment under
vRealize Automation management, your template is discovered during the next automated data
collection. If you have not configured your vRealize Automation yet, the template is collected during that
process.
Scenario: Create a Customization Specification for vSphere Cloning
Create a customization specification for your blueprint architects to use with your cpb_centos_63_x84
template.
Procedure
1 Log in to the vSphere Web Client as an administrator.
2 On the home page, click Customization Specification Manager to open the wizard.
3 Click the New icon.
4 Click the New icon.
5 Specify properties.
a Select Linux from the Target VM Operating System drop-down menu.
b Enter Customspecs in the Customization Spec Name text box.
c Enter cpb_centos_63_x84 cloning with vRealize Automation in the Description text box.
d Click Next.
6 Set computer name.
a Select Use the virtual machine name.
b Enter the domain on which cloned machines are going to be provisioned in the Domain name
text box.
c Click Next.
7 Configure time zone settings.
8 Click Next.
9 Select Use standard network settings for the guest operating system, including enabling
DHCP on all network interfaces.
Fabric administrators and infrastructure architects handle network settings for provisioned machines by
creating and using network profiles in vRealize Automation.
10 Follow the prompts to enter the remaining required information.
11 On the Ready to complete page, review your selections and click Finish.
Scenario: Prepare for Importing the Dukes Bank for vSphere
Sample Application Blueprint
As a vCenter Server administrator, you want to prepare a vSphere CentOS 6.x Linux template and
customization specification that you can use to provision the vRealize Automation Dukes Bank sample
application.
You want to ensure that your template supports the sample application software components, so you
install the guest agent and the software bootstrap agent onto your Linux reference machine before you
convert it to a template and create a customization specification. You disable SELinux on your reference
machine to ensure your template supports the specific implementation of MySQL used in the Dukes Bank
sample application.
Prerequisites
- Install and fully configure vRealize Automation. See Installing and Configuring vRealize Automation
  for the Rainpole Scenario.
- Identify or create a CentOS 6.x Linux reference machine with VMware Tools installed. For information
  about creating virtual machines, see the vSphere documentation.
- You must be connected to a vCenter Server to convert a virtual machine to a template. You cannot
  create templates if you connect the vSphere Client directly to a vSphere ESXi host.
Procedure
1 Scenario: Prepare Your Reference Machine for the Dukes Bank vSphere Sample Application
You want your template to support the Dukes Bank sample application, so you must install both the
guest agent and the software bootstrap agent on your reference machine so vRealize Automation
can provision the software components. To simplify the process, you download and run a
vRealize Automation script that installs both the guest agent and the software bootstrap agent
instead of downloading and installing the packages separately.
2 Scenario: Convert Your Reference Machine into a Template for the Dukes Bank vSphere Application
After you install the guest agent and software bootstrap agent on your reference machine, you
disable SELinux to ensure your template supports the specific implementation of MySQL used in the
Dukes Bank sample application. You turn your reference machine into a template that you can use
to provision the Dukes Bank vSphere sample application.
3 Scenario: Create a Customization Specification for Cloning the Dukes Bank vSphere Sample
Application Machines
You create a customization specification to use with your Dukes Bank machine template.
You created a template and customization specification from your reference machine that supports the
vRealize Automation Dukes Bank sample application.
Scenario: Prepare Your Reference Machine for the Dukes Bank vSphere
Sample Application
You want your template to support the Dukes Bank sample application, so you must install both the guest
agent and the software bootstrap agent on your reference machine so vRealize Automation can provision
the software components. To simplify the process, you download and run a vRealize Automation script
that installs both the guest agent and the software bootstrap agent instead of downloading and installing
the packages separately.
Procedure
1 Log in to your reference machine as the root user.
2 Download the installation script from your vRealize Automation appliance.
wget https://vRealize_VA_Hostname_fqdn/software/download/prepare_vra_template.sh
If your environment is using self-signed certificates, you might have to use the wget
--no-check-certificate option. For example:
wget --no-check-certificate https://vRealize_VA_Hostname_fqdn/software/download/prepare_vra_template.sh
3 Make the prepare_vra_template.sh script executable.
chmod +x prepare_vra_template.sh
4 Run the prepare_vra_template.sh installer script.
./prepare_vra_template.sh
You can run the help command ./prepare_vra_template.sh --help for information about non-
interactive options and expected values.
5 Follow the prompts to complete the installation.
You see a confirmation message when the installation is successfully completed. If you see an error
message and logs in the console, resolve the errors and run the installer script again.
You installed both the software bootstrap agent and its prerequisite, the guest agent, to ensure the Dukes
Bank sample application successfully provisions software components. The script also connected to your
Manager Service instance and downloaded the SSL certificate to establish trust between the Manager
Service and machines deployed from your template. This is a less secure approach than obtaining the
Manager Service SSL certificate and manually installing it on your reference machine
in /usr/share/gugent/cert.pem, and you can manually replace this certificate now if security is a high
priority.
Scenario: Convert Your Reference Machine into a Template for the Dukes
Bank vSphere Application
After you install the guest agent and software bootstrap agent on your reference machine, you disable
SELinux to ensure your template supports the specific implementation of MySQL used in the Dukes Bank
sample application. You turn your reference machine into a template that you can use to provision the
Dukes Bank vSphere sample application.
After you convert your reference machine to a template, you cannot edit or power on the template unless
you convert it back to a virtual machine.
Procedure
1 Log in to your reference machine as the root user.
a Edit your /etc/selinux/config file to disable SELinux.
SELINUX=disabled
If you do not disable SELinux, the MySQL software component of the Dukes Bank sample
application might not work as expected.
b Remove udev persistence rules.
/bin/rm -f /etc/udev/rules.d/70*
c Enable machines cloned from this template to have their own unique identifiers by removing the
hardware address and UUID from the interface configuration.
/bin/sed -i '/^\(HWADDR\|UUID\)=/d' /etc/sysconfig/network-scripts/ifcfg-eth0
d If you rebooted or reconfigured the reference machine after installing the software bootstrap
agent, reset the agent.
/opt/vmware-appdirector/agent-bootstrap/agent_reset.sh
e Power down the machine.
shutdown -h now
2 Log in to the vSphere Web Client as an administrator.
3 Right-click your reference machine and select Edit Settings.
4 Enter dukes_bank_template in the VM Name text box.
5 If your reference machine has a CentOS guest operating system, select Red Hat Enterprise Linux 6
(64-bit) from the Guest OS Version drop-down menu.
If you select CentOS, your template and customization specification might not work as expected.
6 Click OK.
7 Right-click your reference machine in the vSphere Web Client and select Template > Convert to
Template.
vCenter Server marks your dukes_bank_template reference machine as a template and displays the task
in the Recent Tasks pane. If you have already brought your vSphere environment under
vRealize Automation management, your template is discovered during the next automated data
collection. If you have not yet configured vRealize Automation, the template is collected when you do.
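The file edits from step 1 of the procedure above, as an added Python example that is not VMware's script: it applies the SELinux, udev and ifcfg-eth0 changes to a filesystem root you pass in and verifies the result, so you can rehearse against a scratch copy and then run it with Path("/") on the reference machine. It assumes Python 3.9 or later; the agent reset (agent_reset.sh) and the shutdown are left to the operator because they act on the live machine, and the file contents in make_sample_root are constructed.

```python
"""Apply the template-preparation file edits from the procedure above.

Added example, not VMware's script. Given a filesystem root it edits the
SELinux config, removes udev persistence rules, strips HWADDR=/UUID= from
ifcfg-eth0, and verifies the result.
"""
import re
import tempfile
from pathlib import Path

SELINUX_CONFIG = "etc/selinux/config"
UDEV_RULES_DIR = "etc/udev/rules.d"
IFCFG_ETH0 = "etc/sysconfig/network-scripts/ifcfg-eth0"
# Same pattern as the sed command in step 1c: lines that set HWADDR= or UUID=.
IDENTITY_LINE = re.compile(r"^(HWADDR|UUID)=")


def disable_selinux(root: Path) -> bool:
    """Set SELINUX=disabled in etc/selinux/config; returns True if changed."""
    cfg = root / SELINUX_CONFIG
    text = cfg.read_text()
    new, count = re.subn(r"^SELINUX=.*$", "SELINUX=disabled", text, flags=re.M)
    if count == 0:
        new = text.rstrip("\n") + "\nSELINUX=disabled\n"
    cfg.write_text(new)
    return new != text


def remove_udev_persistence(root: Path) -> list[str]:
    """Equivalent of rm -f etc/udev/rules.d/70*; returns the names removed."""
    rules_dir = root / UDEV_RULES_DIR
    removed = []
    for rule in (sorted(rules_dir.glob("70*")) if rules_dir.is_dir() else []):
        rule.unlink()
        removed.append(rule.name)
    return removed


def strip_interface_identity(root: Path) -> int:
    """Delete HWADDR= and UUID= lines from ifcfg-eth0; returns lines removed."""
    ifcfg = root / IFCFG_ETH0
    lines = ifcfg.read_text().splitlines(keepends=True)
    kept = [line for line in lines if not IDENTITY_LINE.match(line)]
    ifcfg.write_text("".join(kept))
    return len(lines) - len(kept)


def verify_template_ready(root: Path) -> list[str]:
    """Return the problems found; an empty list means the files are ready."""
    problems = []
    selinux = (root / SELINUX_CONFIG).read_text()
    if not re.search(r"^SELINUX=disabled$", selinux, re.M):
        problems.append("SELinux is not disabled")
    if any((root / UDEV_RULES_DIR).glob("70*")):
        problems.append("udev persistence rules still present")
    ifcfg_lines = (root / IFCFG_ETH0).read_text().splitlines()
    if any(IDENTITY_LINE.match(line) for line in ifcfg_lines):
        problems.append("ifcfg-eth0 still carries HWADDR or UUID")
    return problems


def prepare_template(root: Path) -> dict:
    """Run the file edits under root (Path('/') on the reference machine)."""
    return {
        "selinux_changed": disable_selinux(root),
        "udev_removed": remove_udev_persistence(root),
        "identity_lines_removed": strip_interface_identity(root),
        "problems": verify_template_ready(root),
    }


def make_sample_root(root: Path) -> Path:
    """Constructed stand-in for a CentOS reference machine's files."""
    (root / SELINUX_CONFIG).parent.mkdir(parents=True)
    (root / SELINUX_CONFIG).write_text(
        "# SELinux mode\nSELINUX=enforcing\nSELINUXTYPE=targeted\n")
    (root / UDEV_RULES_DIR).mkdir(parents=True)
    (root / UDEV_RULES_DIR / "70-persistent-net.rules").write_text(
        'SUBSYSTEM=="net", NAME="eth0"\n')
    (root / UDEV_RULES_DIR / "60-raw.rules").write_text("")
    (root / IFCFG_ETH0).parent.mkdir(parents=True)
    (root / IFCFG_ETH0).write_text(
        "DEVICE=eth0\nHWADDR=00:50:56:AB:CD:EF\nTYPE=Ethernet\n"
        "UUID=7f4b8e8a-0000-4000-8000-000000000001\nONBOOT=yes\nBOOTPROTO=dhcp\n")
    return root


def rehearse() -> dict:
    """Dry run against a throwaway copy so the edits can be checked first."""
    with tempfile.TemporaryDirectory() as tmp:
        return prepare_template(make_sample_root(Path(tmp)))


if __name__ == "__main__":
    print(rehearse())
```

The verify step is the part worth keeping even if you apply the edits by hand: a leftover HWADDR or UUID line is what makes every clone come up with the same interface identity.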
Scenario: Create a Customization Specification for Cloning the Dukes Bank vSphere Sample Application Machines
You create a customization specification to use with your Dukes Bank machine template.
Procedure
1 Log in to the vSphere Web Client as an administrator.
2 On the home page, click Customization Specification Manager to open the wizard.
3 Click the New icon.
4 Specify properties.
a Select Linux from the Target VM Operating System drop-down menu.
b Enter Customspecs_sample in the Customization Spec Name text box.
c Enter Dukes Bank customization spec in the Description text box.
d Click Next.
5 Set the computer name.
a Select Use the virtual machine name.
b Enter the domain on which you want to provision the Dukes Bank sample application in the
Domain name text box.
c Click Next.
6 Configure time zone settings.
7 Click Next.
8 Select Use standard network settings for the guest operating system, including enabling
DHCP on all network interfaces.
Fabric administrators and infrastructure architects handle network settings for provisioned machines by
creating and using network profiles in vRealize Automation.
9 Follow the prompts to enter the remaining required information.
10 On the Ready to complete page, review your selections and click Finish.
You created a template and customization specification that you can use to provision the Dukes Bank
sample application.
What to do next
1 Create an external network profile to provide a gateway and a range of IP addresses. See Create an
External Network Profile by Using A Third-Party IPAM Provider.
2 Map your external network profile to your vSphere reservation. See Create a Reservation for Hyper-V,
KVM, SCVMM, vSphere, or XenServer. The sample application cannot provision successfully without
an external network profile.
3 Import the Dukes Bank sample application into your environment. See Scenario: Importing the Dukes
Bank for vSphere Sample Application and Configuring for Your Environment.
2 Tenant and Resource Preparations for Blueprint Provisioning
You can configure multiple tenant environments, each with their own groups of users and unique access
to resources that you bring under vRealize Automation management.
This chapter includes the following topics:
- Configuring Tenant Settings
- Configuring Resources
- User Preferences for Notifications and Delegates
Configuring Tenant Settings
Tenant administrators configure tenant settings such as user authentication, and manage user roles and
business groups. System administrators and tenant administrators configure options such as email
servers to handle notifications, and branding for the vRealize Automation console.
You can use the Configuring Tenant Settings Checklist to see a high-level overview of the sequence of
steps required to configure tenant settings.
Table 21. Checklist for Configuring Tenant Settings

Task: Create local user accounts and assign a tenant administrator.
Role: System administrator
Details: For an example of creating local user accounts, see Installing and Configuring vRealize Automation for the Rainpole Scenario.

Task: Configure Directories Management to set up tenant identity management and access control settings.
Role: Tenant administrator
Details: Choosing Directories Management Configuration Options

Task: Create business groups and custom groups, and grant user access rights to the vRealize Automation console.
Role: Tenant administrator
Details: Configuring Groups and User Roles

Task: (Optional) Create additional tenants so users can access the applications and resources they need to complete their work assignments.
Role: System administrator
Details: Create Additional Tenants

Task: (Optional) Configure custom branding on the tenant login and application pages of the vRealize Automation console.
Role: System administrator, tenant administrator
Details: Configuring Custom Branding

Task: (Optional) Configure vRealize Automation to send users notifications when specific events occur.
Role: System administrator, tenant administrator
Details: Checklist for Configuring Notifications

Task: (Optional) Configure vRealize Orchestrator to support XaaS and other extensibility.
Role: System administrator, tenant administrator
Details: Configuring vRealize Orchestrator

Task: (Optional) Create a custom remote desktop protocol file that IaaS architects use in blueprints to configure RDP settings.
Role: System administrator
Details: Create a Custom RDP File to Support RDP Connections for Provisioned Machines

Task: (Optional) Define datacenter locations that your fabric administrators and IaaS architects can use to let users select an appropriate location for provisioning when they request machines.
Role: System administrator
Details: For an example of adding datacenter locations, see Scenario: Add Datacenter Locations for Cross Region Deployments.
Choosing Directories Management Configuration Options
You can use vRealize Automation Directories Management features to configure an Active Directory link
in accordance with your user authentication requirements.
Directories Management provides many options to support highly customized user authentication.
Table 22. Choosing Directories Management Configuration Options

Configuration option: Configure a link to your Active Directory.
Procedure: 1 Configure a link to your Active Directory. See Configure an Active Directory over LDAP/IWA Link. 2 If you configured vRealize Automation for high availability, see Configure Directories Management for High Availability.

Configuration option: (Optional) Enhance the security of a user ID and password based directory link by configuring bi-directional integration with Active Directory Federation Services (AD FS).
Procedure: Configure a Bi Directional Trust Relationship Between vRealize Automation and Active Directory

Configuration option: (Optional) Add users and groups to an existing Active Directory link.
Procedure: Add Users or Groups to an Active Directory Connection.

Configuration option: (Optional) Edit the default policy to apply custom rules for an Active Directory link.
Procedure: Manage the User Access Policy.

Configuration option: (Optional) Configure network ranges to restrict the IP addresses from which users can log in to the system, and manage login restrictions (timeout, number of login attempts before lockout).
Procedure: Add or Edit a Network Range.
Directories Management Overview
Tenant administrators can configure tenant identity management and access control settings using the
Directories Management options on the vRealize Automation application console.
You can manage the following settings from the Administration > Directories Management tab.
Table 23. Directories Management Settings

Directories: The Directories page enables you to create and manage Active Directory links to support
vRealize Automation tenant user authentication and authorization. You create one or more
directories and then sync those directories with your Active Directory deployment. This page
displays the number of groups and users that are synced to the directory and the last sync time.
You can click Sync Now to manually start the directory sync.
See Using Directories Management to Create an Active Directory Link.
When you click a directory and then click the Sync Settings button, you can edit the sync
settings, navigate to the Identity Providers page, and view the sync log.
From the directory's sync settings page you can schedule the sync frequency, see the list of
domains associated with this directory, change the mapped attributes list, update the user and
group lists that sync, and set the safeguard targets.

Connectors: The Connectors page lists deployed connectors for your enterprise network. A connector syncs
user and group data between Active Directory and the Directories Management service, and when
it is used as the identity provider, authenticates users to the service. Each vRealize Automation
appliance contains a connector by default. See Managing Connectors and Connector Clusters.

User Attributes: The User Attributes page lists the default user attributes that sync in the directory, and you can add
other attributes that you can map to Active Directory attributes. See Select Attributes to Sync with
Directory.

Network Ranges: This page lists the network ranges that are configured for your system. You configure a network
range to allow users access through those IP addresses. You can add additional network ranges
and you can edit existing ranges. See Add or Edit a Network Range.

Identity Providers: The Identity Providers page lists identity providers that are available on your system.
vRealize Automation systems contain a connector that serves as the default identity provider and
that suffices for many user needs. You can add third-party identity provider instances or use a
combination of both.
See Configure a Third Party Identity Provider Connection.

Policies: The Policies page lists the default access policy and any other web application access policies you
created. Policies are a set of rules that specify criteria that must be met for users to access their
application portals or to launch Web applications that are enabled for them. The default policy
should be suitable for most vRealize Automation deployments, but you can edit it if needed. See
Manage the User Access Policy.
Important Concepts Related to Active Directory
Several concepts related to Active Directory are integral to understanding how Directories Management
integrates with your Active Directory environments.
Connector
- Syncs user and group data between Active Directory and the service.
- When used as an identity provider, authenticates users to the service.
The connector is the default identity provider. For the authentication methods the connector supports,
see VMware Identity Manager Administration. You can also use third-party identity providers that
support the SAML 2.0 protocol. Use a third-party identity provider for an authentication type the
connector does not support or for an authentication type the connector does support, if the third-party
identity provider is preferable based on your enterprise security policy.
Directory
The Directories Management service has its own concept of a directory, which uses Active Directory
attributes and parameters to define users and groups. You create one or more directories and then sync
those directories with your Active Directory deployment. You can create the following directory types in
the service.
- Active Directory over LDAP. Create this directory type if you plan to connect to a single Active
Directory domain environment. For the Active Directory over LDAP directory type, the connector
binds to Active Directory using simple bind authentication.
- Active Directory, Integrated Windows Authentication. Create this directory type if you plan to connect
to a multi-domain or multi-forest Active Directory environment. The connector binds to Active
Directory using Integrated Windows Authentication.
The type and number of directories that you create varies depending on your Active Directory
environment, such as single domain or multi-domain, and on the type of trust used between domains. In
most environments, you create one directory.
The service does not have direct access to Active Directory. Only the connector has direct access to
Active Directory. Therefore, you associate each directory created in the service with a connector instance.
Worker
When you associate a directory with a connector instance, the connector creates a partition for the
associated directory called a worker. A connector instance can have multiple workers associated with it.
Each worker acts as an identity provider. You define and configure authentication methods per worker.
The connector syncs user and group data between Active Directory and the service through one or more
workers.
You cannot have two workers of the Integrated Windows Authentication type on the same connector
instance.
Active Directory Environments
You can integrate the service with an Active Directory environment that consists of a single Active
Directory domain, multiple domains in a single Active Directory forest, or multiple domains across multiple
Active Directory forests.
Single Active Directory Domain Environment
A single Active Directory deployment allows you to sync users and groups from a single Active Directory
domain.
See Configure an Active Directory over LDAP/IWA Link. For this environment, when you add a directory
to the service, select the Active Directory over LDAP option.
Multi-Domain, Single Forest Active Directory Environment
A multi-domain, single forest Active Directory deployment allows you to sync users and groups from
multiple Active Directory domains within a single forest.
You can configure the service for this Active Directory environment as a single Active Directory, Integrated
Windows Authentication directory type or, alternatively, as an Active Directory over LDAP directory type
configured with the global catalog option.
- The recommended option is to create a single Active Directory, Integrated Windows Authentication
directory type.
See Configure an Active Directory over LDAP/IWA Link. When you add a directory for this
environment, select the Active Directory (Integrated Windows Authentication) option.
Multi-Forest Active Directory Environment with Trust Relationships
A multi-forest Active Directory deployment with trust relationships allows you to sync users and groups
from multiple Active Directory domains across forests where two-way trust exists between the domains.
See Configure an Active Directory over LDAP/IWA Link. When you add a directory for this environment,
select the Active Directory (Integrated Windows Authentication) option.
Multi-Forest Active Directory Environment Without Trust Relationships
A multi-forest Active Directory deployment without trust relationships allows you to sync users and groups
from multiple Active Directory domains across forests without a trust relationship between the domains. In
this environment, you create multiple directories in the service, one directory for each forest.
See Configure an Active Directory over LDAP/IWA Link. The type of directories you create in the service
depends on the forest. For forests with multiple domains, select the Active Directory (Integrated Windows
Authentication) option. For a forest with a single domain, select the Active Directory over LDAP option.
Using Directories Management to Create an Active Directory Link
After you create vRealize Automation tenants, you must log in to the vRealize Automation console as a tenant
administrator and create an Active Directory link to support user authentication.
There are three directory connection options when you configure a directory using Directories
Management.
- Active Directory over LDAP - Supports DNS Service Location lookup by default. Active Directory
over LDAP is appropriate for single-domain deployments.
- Active Directory (Integrated Windows Authentication) - You configure the domain to join. Use
Active Directory (Integrated Windows Authentication) for all multi-domain and multi-forest
deployments.
- OpenLDAP - You can use the open source LDAP directory server to support Directories Management
user authentication.
After you select a communication protocol and configure an Active Directory link, you can specify the
domains to use with the Active Directory configuration and then select the users and groups to sync with
the specified configuration.
Configure an Active Directory over LDAP/IWA Link
You can use the Directories Management feature to configure an Active Directory over LDAP/IWA link
that supports user authentication for all tenants, and to select the users and groups to sync with the
Directories Management directory.
For information and instructions about using OpenLDAP with Directories Management, see Configure an
OpenLDAP Directory Connection.
For Active Directory (Integrated Windows Authentication), when you have multi-forest Active Directory
configured and the Domain Local group contains members from domains in different forests, make sure
that the Bind user is added to the Administrators group of the domain in which the Domain Local group
resides. If you fail to do this, these members will be missing from the Domain Local group.
Prerequisites
- Select the required default attributes and add additional attributes on the User Attributes page. See
Select Attributes to Sync with Directory.
- A list of the Active Directory groups and users to sync from Active Directory.
- If your Active Directory requires access over SSL or STARTTLS, the Root CA certificate of the Active
Directory domain controller is required.
- Log in to vRealize Automation as a tenant administrator.
Procedure
1 Select Administration > Directories Management > Directories.
2 Click Add Directory and select Add Active Directory over LDAP/IWA.
3 On the Add Directory page, enter a name for the directory, such as the address of the Active
Directory server, in the Directory Name text box.
4 Select the appropriate Active Directory communication protocol using the radio buttons under the
Directory Name text box.
Windows Authentication: Select Active Directory (Integrated Windows Authentication). Required
information includes the domain's Bind user UPN and password.
LDAP: Select Active Directory over LDAP. Required information includes the Base DN, Bind DN, and
Bind DN password.
5 In the Directory Sync and Authentication section, configure the connector that synchronizes users
from Active Directory to the Directories Management directory.
Sync Connector: Select the connector to use for your system. Each vRealize Automation appliance
contains a default connector. Consult your system administrator if you need help choosing the
appropriate connector.
Authentication: Click the appropriate radio button to indicate whether the selected connector also
performs authentication. If you are using Active Directory (Integrated Windows Authentication) with a
third-party identity provider to authenticate users, click No. After you configure the Active Directory
connection to sync users and groups, use the Identity Providers page to add the third-party identity
provider for authentication. For information about authentication adapters such as PasswordIdpAdapter,
SecurIDAdapter, and RadiusAuthAdapter, see the VMware Identity Manager Administration Guide.
Directory Search Attribute: Select the account attribute that contains the user name. VMware
recommends using the sAMAccountName attribute rather than userPrincipalName. If you use
userPrincipalName for sync operations, integration with second- and third-party software that requires
a user name might not function correctly.
Note If you select sAMAccountName when using a global catalog, indicated by selecting the This
Directory has a Global Catalog check box in the Server Location area, users cannot log in.
6 Complete the Server Location fields if you selected Active Directory over LDAP, or the Join Domain
Details fields if you selected Active Directory (Integrated Windows Authentication).
Server Location (displayed when Active Directory over LDAP is selected):
- If you want to use DNS Service Location to locate Active Directory domains, leave the This
Directory supports DNS Service Location check box selected.
Note With this option selected you cannot change the port assignment to 636, so to encrypt the
connection use STARTTLS as described below. A domain_krb.properties file, auto-populated with a
list of domain controllers, is created along with the directory. See About Domain Controller
Selection.
If the Active Directory requires STARTTLS encryption, select the This Directory requires all
connections to use STARTTLS check box in the Certificates section and paste the Active Directory
Root CA certificate in the SSL Certificate field.
- If the specified Active Directory does not use DNS Service Location lookup, deselect the This
Directory supports DNS Service Location check box in the Server Location fields and enter the
Active Directory server host name and port number in the corresponding text boxes.
Select the This Directory has a Global Catalog check box if the associated Active Directory uses a
global catalog. A global catalog contains a representation of all objects in every domain in a
multi-domain Active Directory forest. To configure the directory as a global catalog, see the
Multi-Domain, Single Forest Active Directory Environment section in Active Directory Environments.
If Active Directory requires access over SSL, select the This Directory requires all connections to
use SSL check box under the Certificates heading and provide the Active Directory SSL certificate.
When you select this option, port 636 is used automatically and cannot be changed.
Ensure that the certificate is in PEM format and includes the BEGIN CERTIFICATE and END
CERTIFICATE lines.
Join Domain Details (displayed when Active Directory (Integrated Windows Authentication) is selected):
Enter the credentials in the Domain Name, Domain Admin User Name, and Domain Admin Password
text boxes.
If the Active Directory requires STARTTLS encryption, select the This Directory requires all
connections to use STARTTLS check box in the Certificates section and paste the Active Directory
Root CA certificate in the SSL Certificate field.
Ensure that the certificate is in PEM format and includes the BEGIN CERTIFICATE and END
CERTIFICATE lines.
If the directory uses multiple domains, add the Root CA certificates for all domains, one at a time.
Note If the Active Directory requires STARTTLS and you do not provide the certificate, you cannot
create the directory.
7 In the Bind User Details section, enter the credentials used for directory synchronization. Use a
dedicated account with read-only access to the users and groups you sync.
For Active Directory over LDAP:
Base DN: Enter the search base distinguished name. For example, cn=users,dc=corp,dc=local.
Bind DN: Enter the bind distinguished name. For example, cn=fritz infra,cn=users,dc=corp,dc=local.
For Active Directory (Integrated Windows Authentication):
Bind User UPN: Enter the User Principal Name of the user who can authenticate with the domain. For
example, UserName@example.com.
Bind DN Password: Enter the Bind User password.
8 Click Test Connection to test the connection to the configured directory.
This button does not appear if you selected Active Directory (Integrated Windows Authentication).
9 Click Save & Next.
The Select the Domains page appears with the list of domains.
10 Review and update the domains listed for the Active Directory connection.
- For Active Directory (Integrated Windows Authentication), select the domains that should be
associated with this Active Directory connection.
- For Active Directory over LDAP, the available domain is listed with a checkmark.
Note If you add a trusting domain after the directory is created, the service does not
automatically detect the newly trusting domain. To enable the service to detect the domain, the
connector must leave and then rejoin the domain. When the connector rejoins the domain, the
trusting domain appears in the list.
11 Click Next.
12 Verify that the Directories Management directory attribute names are mapped to the correct Active
Directory attributes.
If the directory attribute names are not mapped correctly, select the correct Active Directory attribute
from the drop-down menu.
13 Click Next.
14 Click to select the groups you want to sync from Active Directory to the directory.
When you add a group from Active Directory, if members of that group are not in the Users list, they
are added. When you sync a group, any users that lack Domain Users as their primary group in
Active Directory are not synced.
Note The Directories Management user authentication system imports data from Active Directory
when adding groups and users, and the speed of the system is limited by Active Directory
capabilities. As a result, import operations may require significant time depending on the number of
groups and users being added. To minimize the potential for delays or problems, limit the number of
groups and users to only those required for vRealize Automation operation.
If your system performance degrades or if errors occur, close any unneeded applications and ensure
that your system has appropriate memory allocated to Active Directory. If problems persist, increase
the Active Directory memory allocation as needed. For systems with a large number of users and
groups, you may need to increase the Active Directory memory allocation to as much as 24 GB.
15 Click Next.
16 Click to add additional users.
The appropriate values are as follows:
- Single user: CN=username,CN=Users,OU=Users,DC=myCorp,DC=com
- Multiple users: OU=Users,OU=myUnit,DC=myCorp,DC=com
To exclude users, click to create a filter to exclude some types of users. You select the user
attribute to filter by, the query rule, and the value.
17 Click Next.
18 Review the page to see how many users and groups are syncing to the directory.
If you want to make changes to users and groups, click the Edit links.
Note Ensure that you specify user DNs that are under the Base DN specified previously. If the user
DN is outside of the Base DN, users from that DN are synced but will be unable to log in.
19 Click Push to Workspace to start the synchronization to the directory.
The connection to the Active Directory is complete and the selected users and groups are added to the
directory. You can now assign user and groups to the appropriate vRealize Automation roles by selecting
Administration > Users and Groups > Directory Users and Groups. See Assign Roles to Directory
Users or Groups for more information.
What to do next
If your vRealize Automation environment is configured for high availability, you must specifically configure
Directories Management for high availability. See Configure Directories Management for High Availability.
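Two checks a practitioner wants around the procedure above, as an added Python example that is not part of the vRealize Automation product or documentation: the note in step 18 says a user DN outside the Base DN syncs but can never log in, and the exclusion filter in step 16 takes a free-form value. The first function compares DNs component by component (a naive string suffix check breaks on case and on spaces after commas); the second escapes filter values per RFC 4515 so a value such as *)(objectClass=* cannot widen the query. The DNs and filters in the usage are taken from the examples on this page; the helper names are my own.

```python
"""Scope-check sync DNs against the Base DN and escape LDAP filter values.

Added example, not part of the vRealize Automation product or documentation.
"""
import re

# Split on commas that are not escaped with a backslash (RFC 4514).
_RDN_SEPARATOR = re.compile(r"(?<!\\),")
_ATTRIBUTE_NAME = re.compile(r"[A-Za-z][A-Za-z0-9-]*")


def normalize_dn(dn: str) -> list[tuple[str, str]]:
    """Parse a DN into lowercase (attribute, value) pairs, outermost last.

    'CN=Fritz Infra, cn=users,DC=corp,DC=local' becomes
    [('cn', 'fritz infra'), ('cn', 'users'), ('dc', 'corp'), ('dc', 'local')].
    Attribute types are case-insensitive; Active Directory values are too,
    which is what the membership test needs.
    """
    rdns = []
    for part in _RDN_SEPARATOR.split(dn):
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def is_under_base_dn(user_dn: str, base_dn: str) -> bool:
    """True if user_dn equals base_dn or sits beneath it in the tree."""
    user, base = normalize_dn(user_dn), normalize_dn(base_dn)
    return len(user) >= len(base) and user[len(user) - len(base):] == base


def dns_outside_base(dns: list[str], base_dn: str) -> list[str]:
    """The DNs from a sync list that would sync but never be able to log in."""
    return [dn for dn in dns if not is_under_base_dn(dn, base_dn)]


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter."""
    return "".join(f"\\{ord(ch):02x}" if ch in "*()\\\x00" else ch
                   for ch in value)


def exclude_filter(users_filter: str, attr: str, value: str) -> str:
    """Combine the Users filter with an exclusion on attr=value, value escaped."""
    if not _ATTRIBUTE_NAME.fullmatch(attr):
        raise ValueError(f"bad attribute name {attr!r}")
    return f"(&{users_filter}(!({attr}={escape_filter_value(value)})))"


if __name__ == "__main__":
    base = "cn=users,dc=corp,dc=local"
    sync_list = [
        "cn=fritz infra,cn=users,dc=corp,dc=local",    # under base, can log in
        "CN=Eve, CN=Users, DC=Corp, DC=Local",         # same tree, odd spelling
        "cn=svc-backup,ou=service,dc=corp,dc=local",   # synced, cannot log in
    ]
    print(dns_outside_base(sync_list, base))
    print(exclude_filter("(&(objectClass=user)(objectCategory=person))",
                         "title", "*)(objectClass=*"))
```

Run dns_outside_base over the user DNs you plan to enter in step 16 before you click Push to Workspace; anything it returns either needs a different DN or a wider Base DN in step 7.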
Configure an OpenLDAP Directory Connection
You can configure an OpenLDAP Directory connection with Directories Management.
Though there are several LDAP directory server implementations, OpenLDAP is the only one that is tested
and approved for use with vRealize Automation Directories Management.
To integrate your LDAP directory, you create a corresponding Directories Management directory and sync
users and groups from your LDAP directory to the Directories Management directory. You can set up a
regular sync schedule for subsequent updates.
You also select the LDAP attributes that you want to sync for users and map them to
Directories Management attributes.
Your LDAP directory configuration may be based on default schemas or you may have created custom
schemas. You may also have defined custom attributes. For Directories Management to be able to query
your LDAP directory to obtain user or group objects, you need to provide the LDAP search filters and
attribute names that are applicable to your LDAP directory.
Specifically, you need to provide the following information.
- LDAP search filters for obtaining groups, users, and the bind user
- LDAP attribute names for group membership, UUID, and distinguished name
Prerequisites
- Review the configuration on the User Attributes page and add any other attributes that you want to
sync. You map the Directories Management attributes to your LDAP directory attributes when you
create the directory. These attributes are synced for the users in the directory.
Note When you make changes to user attributes, consider the effect on other directories in the
service. If you plan to add both Active Directory and LDAP directories, ensure that you do not mark
any attributes as required except for userName. The settings on the User Attributes page apply to all
directories in the service. If an attribute is marked required, users without that attribute are not synced
to the Directories Management service.
- A Bind DN user account. Using a Bind DN user account with a non-expiring password is
recommended.
- In your LDAP directory, the UUID of users and groups must be in plain text format.
- In your LDAP directory, a domain attribute must exist for all users and groups.
You map this attribute to the Directories Management domain attribute when you create the
Directories Management directory.
- User names must not contain spaces. If a user name contains a space, the user is synced but
entitlements are not available to the user.
- If you use certificate authentication, users must have values for the userPrincipalName and email
address attributes.
Procedure
1 Select Administration > Directories Management > Directories.
2 Click Add Directory and select Add LDAP Directory.
3 Enter the required information on the Add LDAP Directory page.
Directory Name: Enter a name for the Directories Management directory.
Directory Sync and Authentication:
a In the Sync Connector field, select the connector you want to use to sync users and groups from
your LDAP directory to the Directories Management directory.
A connector component is always available with the Directories Management service by default.
This connector appears in the drop-down list. If you install multiple Directories Management
appliances for high availability, the connector component of each appears in the list.
You do not need a separate connector for an LDAP directory. A connector can support multiple
directories, regardless of whether they are Active Directory or LDAP directories.
b In the Authentication field, if you want to use this LDAP directory to authenticate users, select Yes.
If you want to use a third-party identity provider to authenticate users, select No. After you add the
directory connection to sync users and groups, go to the Administration > Directories Management >
Identity Providers page to add the third-party identity provider for authentication.
c For most configurations, leave the Custom default selected in the Directory Search Attribute text
box. In the Custom Directory Search Attribute field, specify the LDAP directory attribute to be used
for user and group names. This attribute uniquely identifies entities, such as users and groups, on
the LDAP server. For example, cn.
Server Location: Enter the LDAP directory server host and port number. For the server host, you can
specify either the fully qualified domain name or the IP address, for example
myLDAPserver.example.com or 192.0.2.10. If you have a cluster of servers behind a load balancer,
enter the load balancer information instead.
Configuring vRealize Automation
VMware, Inc. 94
Option Description
LDAP Configuration Specify the LDAP search filters and attributes that Directories Management can
use to query your LDAP directory. Default values are provided based on the core
LDAP schema.
Filter Queries
nGroups: The search filter for obtaining group objects.
For example: (objectClass=group)
nBind user: The search filter for obtaining the bind user object, that is, the
user that can bind to the directory.
For example: (objectClass=person)
nUsers: The search filter for obtaining users to sync.
For example:(&(objectClass=user)(objectCategory=person))
Attributes
nMembership: The attribute that is used in your LDAP directory to define the
members of a group.
For example: member
nObject UUID: The attribute that is used in your LDAP directory to define the
UUID of a user or group.
For example: entryUUID
nDistinguished Name: The attribute that is used in your LDAP directory for
the distinguished name of a user or group.
For example: entryDN
Certificates If your LDAP directory requires access over SSL, select the This Directory
requires all connections to use SSL check box. Then copy and paste the LDAP
directory server's root CA SSL certificate into the SSL Certificate text box.
Ensure the certificate is in PEM format and include the "BEGIN CERTIFICATE"
and "END CERTIFICATE" lines.
Finally, ensure that the correct port number is specified in the Server Port field in
the Server Location section of the page.
Bind User Details Base DN: Enter the DN from which to start searches. For example,
cn=users,dc=example,dc=com
All applicable users must reside under the Base DN. If a particular user is not
located under the Base DN, that user will be unable to log in even if he is a
member of a group that is under the Base DN.
Bind DN: Enter the DN to use to bind to the LDAP directory. You can also enter
user names, but a DN is more appropriate for most deployments.
Note Using a Bind DN user account with a non-expiring password is
recommended.
Bind DN Password: Enter the password for the Bind DN user.
4 To test the connection to the LDAP directory server, click Test Connection.
If the connection is not successful, check the information you entered and make the appropriate changes.
5 Click Save & Next.
6 Verify that the correct domain is selected on the Select the Domains page, and then click Next.
7 In the Map Attributes page, verify that the Directories Management attributes are mapped to the correct LDAP attributes.
These attributes will be synced for users.
Important: You must specify a mapping for the domain attribute.
You can add attributes to the list from the User Attributes page.
8 Click Next.
9 Click + to select the groups you want to sync from the LDAP directory to the Directories Management directory on the Select the groups (users) you want to sync page.
If you have multiple groups with the same name in your LDAP directory, you must specify unique names for them in the groups page.
When you add a group from Active Directory, if members of that group are not in the Users list, they are added. When you sync a group, any users that lack Domain Users as their primary group in Active Directory are not synced.
The Sync nested group members option is enabled by default. When this option is enabled, all the users that belong directly to the group you select, as well as all the users that belong to nested groups under it, are synced. Note that the nested groups themselves are not synced; only the users that belong to the nested groups are synced. In the Directories Management directory, these users appear as members of the top-level group that you selected for sync. In effect, the hierarchy under a selected group is flattened and users from all levels appear in Directories Management as members of the selected group.
If this option is disabled, when you specify a group to sync, only the users that belong directly to that group are synced. Users that belong to nested groups under it are not synced. Disabling this option is useful for large directory configurations where traversing a group tree is resource and time intensive. If you disable this option, ensure that you select all the groups whose users you want to sync.
Note: The Directories Management user authentication system imports data from Active Directory when adding groups and users, and the speed of the system is limited by Active Directory capabilities. As a result, import operations may require a significant amount of time depending on the number of groups and users being added. To minimize the potential for delays or problems, limit the number of groups and users to only those required for vRealize Automation operation.
If your system performance degrades or if errors occur, close any unneeded applications and ensure that your system has appropriate memory allocated to Directories Management. If problems persist, increase the Directories Management memory allocation as needed. For systems with large numbers of users and groups, you may need to increase the Directories Management memory allocation to as much as 24 GB.
10 Click Next.
11 Click + to add additional users. For example, enter CN=username,CN=Users,OU=myUnit,DC=myCorp,DC=com.
You can add organizational units as well as individual users here.
You can create a filter to exclude some types of users. Select the user attribute to filter by, the query rule, and the value.
12 Click Next.
13 Review the page to see how many users and groups will sync to the directory and to view the default sync schedule.
To make changes to users and groups, or to the sync frequency, click the Edit links.
14 Click Sync Directory to start the directory sync.
The connection to the LDAP directory is established and users and groups are synced from the LDAP directory to the Directories Management directory.
You can now assign users and groups to the appropriate vRealize Automation roles by selecting Administration > Users and Groups > Directory Users and Groups. See Assign Roles to Directory Users or Groups for more information.
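The Base DN, user-name and nested-group rules from the procedure above, modelled as a pre-sync check that an administrator can run against exported entries before starting a sync. This is an added example, not VMware's code or a Directories Management API: the Entry class, the function names and the directory entries are constructed here, with only the Base DN value taken from the page's example.

```python
"""Pre-sync checks modelling the rules stated in the LDAP directory procedure.

Added example, not VMware's code. The entries below are constructed sample
data standing in for what the configured search filters (for example
(objectClass=person) and (objectClass=group)) would return from the server.
"""
from dataclasses import dataclass, field

BASE_DN = "cn=users,dc=example,dc=com"   # the page's own example Base DN


@dataclass
class Entry:
    """A minimal LDAP entry: its DN plus a dict of attribute values."""
    dn: str
    attrs: dict = field(default_factory=dict)


def rdns(dn):
    """Split a DN into case-folded RDNs (escaped commas are not needed here)."""
    return [part.strip().lower() for part in dn.split(",")]


def is_under(dn, base_dn):
    """True when dn is at or below base_dn, comparing RDNs from the right."""
    d, b = rdns(dn), rdns(base_dn)
    return len(d) >= len(b) and d[-len(b):] == b


def expand_group(group_dn, groups, nested=True, member_attr="member", _seen=None):
    """Return the set of user DNs that a sync of group_dn yields.

    nested=True models the default 'Sync nested group members' option: users of
    nested groups are included as members of group_dn (the hierarchy is
    flattened) while the nested groups themselves are not returned, matching
    the page. nested=False returns direct user members only.
    """
    seen = _seen if _seen is not None else set()
    if group_dn in seen:            # guard against circular group membership
        return set()
    seen.add(group_dn)
    users = set()
    for member in groups[group_dn].attrs.get(member_attr, []):
        if member in groups:
            if nested:
                users |= expand_group(member, groups, True, member_attr, seen)
        else:
            users.add(member)
    return users


def check_user(user, base_dn, certificate_auth=False):
    """List the reasons a user would be unusable after sync, per the page's rules."""
    problems = []
    if not is_under(user.dn, base_dn):
        problems.append("outside Base DN: cannot log in, even via a group under the Base DN")
    if " " in user.attrs.get("cn", ""):
        problems.append("user name contains a space: synced, but no entitlements")
    if certificate_auth:
        for attr in ("userPrincipalName", "mail"):
            if not user.attrs.get(attr):
                problems.append(f"missing {attr}: required for certificate authentication")
    return problems


def audit_group(group_dn, groups, users, base_dn=BASE_DN, nested=True,
                certificate_auth=False):
    """Map every synced user DN to its problems (an empty list means the user is fine)."""
    report = {}
    for dn in sorted(expand_group(group_dn, groups, nested)):
        entry = users.get(dn, Entry(dn))    # unknown DN: no attributes, still checked
        report[dn] = check_user(entry, base_dn, certificate_auth)
    return report


# Constructed sample directory: group eng contains alice and the nested group eng-leads.
USERS = {e.dn: e for e in [
    Entry("cn=alice,cn=users,dc=example,dc=com",
          {"cn": "alice", "userPrincipalName": "alice@example.com", "mail": "alice@example.com"}),
    Entry("cn=bob smith,cn=users,dc=example,dc=com",
          {"cn": "bob smith", "userPrincipalName": "bob@example.com"}),
    Entry("cn=carol,ou=contractors,dc=example,dc=com",
          {"cn": "carol", "userPrincipalName": "carol@example.com", "mail": "carol@example.com"}),
]}
GROUPS = {e.dn: e for e in [
    Entry("cn=eng,cn=users,dc=example,dc=com",
          {"member": ["cn=alice,cn=users,dc=example,dc=com",
                      "cn=eng-leads,cn=users,dc=example,dc=com"]}),
    Entry("cn=eng-leads,cn=users,dc=example,dc=com",
          {"member": ["cn=bob smith,cn=users,dc=example,dc=com",
                      "cn=carol,ou=contractors,dc=example,dc=com"]}),
]}

if __name__ == "__main__":
    eng = "cn=eng,cn=users,dc=example,dc=com"
    for dn, problems in audit_group(eng, GROUPS, USERS, certificate_auth=True).items():
        print(dn, "->", problems or "ok")
```

With nested sync, carol is reported as a member of eng even though she sits in eng-leads, and her DN outside the Base DN is flagged before the sync rather than discovered as a failed login afterwards.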
Limitations of LDAP Directory Integration
There are several important limitations related to LDAP directory integration in Directories Management.
• You can only integrate a single-domain LDAP directory environment.
To integrate multiple domains from an LDAP directory, you need to create additional Directories Management directories, one for each domain.
• The following authentication methods are not supported for Directories Management directories of type LDAP directory:
  • Kerberos authentication
  • RSA Adaptive Authentication
  • ADFS as a third-party identity provider
  • SecurID
  • RADIUS authentication with Vasco and SMS Passcode server
• You cannot join an LDAP domain.
• Integration with View or Citrix-published resources is not supported for Directories Management directories of type LDAP directory.
• User names must not contain spaces. If a user name contains a space, the user is synced but entitlements are not available to the user.
• If you plan to add both Active Directory and LDAP directories, ensure that you do not mark any attributes as required in the User Attributes page, except for userName, which can be marked required. The settings in the User Attributes page apply to all directories in the service. If an attribute is marked required, users without that attribute are not synced to the Directories Management service.
• If you have multiple groups with the same name in your LDAP directory, you must specify unique names for them in the Directories Management service. You can specify the names when you select the groups to sync.
• The option to allow users to reset expired passwords is not available.
• The domain_krb.properties file is not supported.
Configure Directories Management for High Availability
You can use Directories Management to configure a high availability Active Directory connection in vRealize Automation.
Each vRealize Automation appliance includes a connector that supports user authentication, although only one connector is typically configured to perform directory synchronization. It does not matter which connector you choose to serve as the sync connector. To support Directories Management high availability, you must configure a second connector that corresponds to your second vRealize Automation appliance, which connects to your Identity Provider and points to the same Active Directory. With this configuration, if one appliance fails, the other takes over management of user authentication.
In a high availability environment, all nodes must serve the same set of Active Directories, users, authentication methods, and so on. The most direct method to accomplish this is to promote the Identity Provider to the cluster by setting the load balancer host as the Identity Provider host. With this configuration, all authentication requests are directed to the load balancer, which forwards each request to either connector as appropriate.
Prerequisites
• Configure your vRealize Automation deployment with at least two instances of the vRealize Automation appliance.
• Install vRealize Automation in Enterprise mode operating in a single domain with two instances of the vRealize Automation appliance.
• Install and configure an appropriate load balancer to work with your vRealize Automation deployment.
• Configure tenants and Directories Management using one of the connectors supplied with the installed instances of the vRealize Automation appliance. For information about tenant configuration, see Configuring Tenant Settings.
Procedure
1 Log in to the load balancer for your vRealize Automation deployment as a tenant administrator.
The load balancer URL is <load balancer address>/vcac/org/tenant_name.
2 Select Administration > Directories Management > Identity Providers.
3 Click the Identity Provider that is currently in use for your system.
The existing directory and connector that provide basic identity management for your system appear.
4 On the Identity Provider properties page, click the Add a Connector drop-down list, and select the connector that corresponds to your secondary vRealize Automation appliance.
5 Enter the appropriate password in the Bind DN Password text box that appears when you select the connector.
6 Click Add Connector.
7 The main connector appears in the IdP Hostname text box by default. Change the host name to point to the load balancer.
Configure a Bi-Directional Trust Relationship Between vRealize Automation and Active Directory
You can enhance the security of a basic vRealize Automation Active Directory connection by configuring a bi-directional trust relationship between your identity provider and Active Directory Federated Services.
To configure a bi-directional trust relationship between vRealize Automation and Active Directory, you must create a custom identity provider and add Active Directory metadata to this provider. Also, you must modify the default policy used by your vRealize Automation deployment. Finally, you must configure Active Directory to recognize your identity provider.
Prerequisites
• Verify that you have configured tenants for your vRealize Automation deployment and set up an appropriate Active Directory link to support basic Active Directory user ID and password authentication.
• Active Directory is installed and configured for use on your network.
• Obtain the appropriate Active Directory Federated Services (ADFS) metadata.
• Log in to vRealize Automation as a tenant administrator.
Procedure
1 Obtain the Federation Metadata file.
You can download this file from https://servername.domain/FederationMetadata/2007-06/FederationMetadata.xml
2 Search for the word logout, and edit the location of each instance to point to https://servername.domain/adfs/ls/logout.aspx
For example, the following:
<SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://servername.domain/adfs/ls/"/>
Should be changed to:
<SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://servername.domain/adfs/ls/logout.aspx"/>
3 Create a new Identity Provider for your deployment.
a Select Administration > Directories Management > Identity Providers.
b Click Add Identity Provider and complete the fields as appropriate.
Identity Provider Name: Enter a name for the new identity provider.
Identity Provider Metadata (URI or XML): Paste the contents of your Active Directory Federated Services metadata file here.
Name ID Policy in SAML Request (Optional): If appropriate, enter a name for the identity policy SAML request.
Users: Select the domains to which you want users to have access privileges.
Process IDP Metadata: Click to process the metadata file that you added.
Network: Select the network ranges to which you want users to have access.
Authentication Methods: Enter a name for the authentication method used by this identity provider.
SAML Context: Select the appropriate context for your system.
SAML Signing Certificate: Click the link beside the SAML Metadata heading to download the Directories Management metadata.
c Save the Directories Management metadata file as sp.xml.
d Click Add.
4 Add a rule to the default policy.
a Select Administration > Directories Management > Policies.
b Click the default policy name.
c Click the + icon under the Policy Rules heading to add a new rule.
Use the fields on the Add a Policy Rule page to create a rule that specifies the appropriate primary and secondary authentication methods to use for a specific network range and device. For example, if your network range is My Machine, and you need to access content from All Device Types, then, for a typical deployment, you must authenticate by using the following method: ADFS Username and Password.
d Click Save to save your policy updates.
e On the Default Policy page, drag the new rule to the top of the table so that it takes precedence over existing rules.
5 Using the Active Directory Federated Services management console, or another appropriate tool, set up a relying party trust relationship with the vRealize Automation identity provider.
To set up this trust, you must import the Directories Management metadata that you previously downloaded. See the Microsoft Active Directory documentation for more information about configuring Active Directory Federated Services for bi-directional trust relationships. As part of this process, you must do the following:
• Set up a Relying Party Trust. When you set up this trust, you must import the VMware Identity Provider service provider metadata XML file that you copied and saved.
• Create a claim rule that transforms the attributes retrieved from LDAP in the Get Attributes rule into the desired SAML format. After you create the rule, edit the rule by adding the following text:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "vmwareidentity.domain.com");
Configure SAML Federation Between Directories Management and SSO2
You can establish SAML federation between vRealize Automation Directories Management and systems that use SSO2 to support single sign-on.
Establish federation between Directories Management and SSO2 by creating a SAML connection between the two parties. Currently, the only supported end-to-end flow is where SSO2 acts as the Identity Provider (IdP) and Directories Management acts as the service provider (SP).
For SSO2 user authentication, the same account must exist in both Directories Management and SSO2. Minimally, the UserPrincipalName (UPN) of the user has to match on both ends. Other attributes can differ, as only the UPN is required to identify the SAML subject.
For local users in SSO2, such as admin@vsphere.local, corresponding accounts must also exist in Directories Management, where at least the UPN of the user matches. Create these accounts manually or with a script using the Directories Management local user creation APIs.
Setting up SAML between SSO2 and Directories Management involves configuration on both the Directories Management and SSO2 components.
Table 24. SAML Federation Component Configuration
Directories Management: Configure SSO2 as a third-party Identity Provider on Directories Management and update the default authentication policy. You can create an automated script to set up Directories Management.
SSO2 component: Configure Directories Management as a service provider by importing the Directories Management sp.xml file. This file enables you to configure SSO2 to use Directories Management as the Service Provider (SP).
Prerequisites
• Configure tenants for your vRealize Automation deployment. See Create Additional Tenants.
• Set up an appropriate Active Directory link to support basic Active Directory user ID and password authentication.
• Log in to vRealize Automation as a tenant administrator.
Procedure
1 Download the SSO2 Identity Provider metadata through the SSO2 user interface.
a Log in to vCenter as an administrator at https://<cloudvm-hostname>/ .
b Click the Log in to vSphere Web Client link.
c On the left navigation pane, select Administration > Single Sign On > Configuration.
d Click Download adjacent to the Metadata for your SAML service provider heading.
The vsphere.local.xml file should begin downloading.
e Copy the contents of the vsphere.local.xml file.
2 On the vRealize Automation Directories Management Identity Providers page, create a new Identity Provider.
a Log in to vRealize Automation as a tenant administrator.
b Select Administration > Directories Management > Identity Providers.
c Click Add Identity Provider and provide the configuration information.
Identity Provider Name: Enter a name for the new Identity Provider.
Identity Provider Metadata (URI or XML) text box: Paste the contents of your SSO2 idp.xml metadata file in the text box and click Process IDP Metadata.
Name ID Policy in SAML Request (Optional): Enter http://schemas.xmlsoap.org/claims/UPN.
Users: Select the domains to which you want users to have access privileges.
Network: Select the network ranges from which you want users to have access privileges. If you want to authenticate users from any IP address, select All Ranges.
Authentication Methods: Enter a name for the authentication method. Then, use the SAML Context drop-down menu to the right to map the authentication method to urn:oasis:names:tc:SAML:2.0:ac:classes:Password.
SAML Signing Certificate: Click the link beside the SAML Metadata heading to download the Directories Management metadata.
d Save the Directories Management metadata file as sp.xml.
e Click Add.
3 Update the relevant authentication policy using the Directories Management Policies page to redirect authentication to the third-party SSO2 identity provider.
a Select Administration > Directories Management > Policies.
b Click the default policy name.
c Click the authentication method under the Policy Rules heading to edit the existing authentication rule.
d On the Edit a Policy Rule page, change the authentication method from password to the appropriate method.
In this case, the method should be SSO2.
e Click Save to save your policy updates.
4 On the left navigation pane, select Administration > Single Sign On > Configuration, and click Update to upload the sp.xml file to vSphere.
Add Users or Groups to an Active Directory Connection
You can add users or groups to an existing Active Directory connection.
The Directories Management user authentication system imports data from Active Directory when adding groups and users. The speed of the data transport is limited by Active Directory capabilities. As a result, actions can take a long time depending on the number of groups and users that are added. To minimize problems, limit the groups and users to only the groups and users required for a vRealize Automation action. If problems occur, close unneeded applications and verify that your deployment has appropriate memory allocated to Active Directory. If problems continue, increase the Active Directory memory allocation. For deployments with large numbers of users and groups, you might need to increase the Active Directory memory allocation to as much as 24 GB.
When you sync a vRealize Automation deployment with many users and groups, there might be a delay before the log details are available. The time stamp on the log file can differ from the completed time displayed on the console.
If members of a group are not in the Users list when you add the group from Active Directory, the members are added to the list. When you sync a group, any users that do not have Domain Users as their primary group in Active Directory are not synced.
Note: You cannot cancel a synchronize action after you start the action.
Prerequisites
• Connector installed and the activation code activated. Select the required default attributes and add additional attributes on the User Attributes page. See Select Attributes to Sync with Directory in Configuring vRealize Automation.
• List of the Active Directory groups and users to sync from Active Directory.
• For Active Directory over LDAP, the information required includes the Base DN, Bind DN, and Bind DN password.
• For Active Directory Integrated Windows Authentication, the information required includes the domain's Bind user UPN address and password.
• If Active Directory is accessed over SSL, a copy of the SSL certificate is required.
• If you have a multi-forest Active Directory integrated with Windows Authentication and the Domain Local group contains members from different forests, add the Bind user to the Administrators group of the Domain Local group. If the Bind user is not added, these members are missing from the Domain Local group.
• Log in to vRealize Automation as a tenant administrator.
Procedure
1 Select Administration > Directories Management > Directories.
2 Click the desired directory name.
3 Click Sync Settings to open a dialog box with synchronization options.
4 Click the appropriate icon depending on whether you want to change the user or group configuration.
To edit the group configuration:
• To add groups, click the + icon to add a line for group DN definitions and enter the appropriate group DN.
• If you want to delete a group DN definition, click the x icon for the desired group DN.
To edit the user configuration:
• To add users, click the + icon to add a line for a user DN definition and enter the appropriate user DN.
• If you want to delete a user DN definition, click the x icon for the desired user DN.
5 Click Save to save your changes without synchronizing your updates immediately. Click Save & Sync to save your changes and synchronize your updates immediately.
Select Attributes to Sync with Directory
When you set up the Directories Management directory to sync with Active Directory, you specify the user attributes that sync to the directory. Before you set up the directory, you can specify on the User Attributes page which default attributes are required and, if you want, add additional attributes that you want to map to Active Directory attributes.
When you configure the User Attributes page before the directory is created, you can change default attributes from required to not required, mark attributes as required, and add custom attributes.
For a list of the default mapped attributes, see Managing User Attributes that Sync from Active Directory.
After the directory is created, you can change a required attribute to not be required, and you can delete custom attributes. You cannot change an attribute to be a required attribute.
When you add other attributes to sync to the directory after the directory is created, go to the directory's Mapped Attributes page to map these attributes to Active Directory attributes.
Procedure
1 Log in to vRealize Automation as a system or tenant administrator.
2 Click the Administration tab.
3 Select Directories Management > User Attributes.
4 In the Default Attributes section, review the required attribute list and make appropriate changes to reflect which attributes should be required.
5 In the Attributes section, add the Directories Management directory attribute name to the list.
6 Click Save.
The default attribute status is updated and the attributes you added are added to the directory's Mapped Attributes list.
7 After the directory is created, go to the Identity Stores page and select the directory.
8 Click Sync Settings > Mapped Attributes.
9 In the drop-down menu for the attributes that you added, select the Active Directory attribute to map to.
10 Click Save.
The directory is updated the next time the directory syncs to Active Directory.
Add Memory to Directories Management
You may need to allocate additional memory to Directories Management if you have Active Directory connections that contain a large number of users or groups.
By default, 4 GB of memory is allocated to the Directories Management service. This is sufficient for many small to medium sized deployments. If you have an Active Directory connection that uses a large number of users or groups, you may need to increase this memory allocation. Increased memory allocation is appropriate for systems with more than 100,000 users, each in 30 groups, and 750 groups overall. For these systems, VMware recommends increasing the Directories Management memory allocation to 6 GB.
Directories Management memory is calculated based on the total memory allocated to the vRealize Automation appliance. The following table shows memory allocations for relevant components.
Table 25. vRealize Automation Appliance Memory Allocation
Virtual Appliance memory | vRA service memory | vIDM service memory
18 GB | 3.3 GB | 4 GB
24 GB | 4.9 GB | 6 GB
30 GB | 7.4 GB | 9.1 GB
Note: These allocations assume that all default services are enabled and running on the virtual appliance. They may change if some services are stopped.
Prerequisites
• An appropriate Active Directory connection is configured and functioning on your vRealize Automation deployment.
Procedure
1 Stop each machine on which a vRealize Automation appliance is running.
2 Increase the virtual appliance memory allocation on each machine.
If you are using the default memory allocation of 18 GB, VMware recommends increasing the memory allocation to 24 GB.
3 Restart the vRealize Automation appliance machines.
Create a Domain Host Lookup File to Override DNS Service Location (SRV) Lookup
When you enable Integrated Windows Authentication, the Directory configuration is changed to enable the DNS Service Location field. The connector service location lookup is not site aware. If you want to override the random DC selection, you can create a file called domain_krb.properties and add the domain-to-host values that take precedence over SRV lookup.
Procedure
1 From the appliance-va command line, log in as the user with root privileges.
2 Change directories to /usr/local/horizon/conf and create a file called domain_krb.properties.
3 Edit the domain_krb.properties file to add the list of domain-to-host values. Add the information as <AD Domain>=<host:port>, <host2:port2>, <host2:port2>.
For example, enter the list as example.com=examplehost.com:636, examplehost2.example.com:389
4 Change the owner of the domain_krb.properties file to horizon and the group to www. Enter chown horizon:www /usr/local/horizon/conf/domain_krb.properties.
5 Restart the service. Enter service horizon-workspace restart.
Configure Just-in-Time User Provisioning
You can configure Just-in-Time (JIT) provisioning to support adding users without syncing from your Active Directory.
To support Just-in-Time provisioning, you must add a third-party identity provider and then configure a connection to it within your vRealize Automation deployment to integrate Directories Management with other SSO providers via the SAML protocol. In addition, you must create a new directory with an appropriate name, such as JIT Directory.
When you enable Just-in-Time provisioning, you can add Just-in-Time users to a designated custom group. To support this functionality, create a custom group with the appropriate members. See Add Just-in-Time Users with Custom Groups and Rules.
Note: As a best practice, do not configure Just-in-Time provisioning on the default vsphere.local tenant.
Prerequisites
Configure an appropriate third-party identity provider for use with JIT provisioning.
Procedure
1Create an identity provider for Just-in-Time provisioning.
a Select Administration > Directories management > Identity Providers
b Click Add Identity Provider and edit the identity provider instance settings as appropriate.
nFor just in time provisioning, create a third party identity provider.
nIn the Create Just-in-Time Directory section, enter names for the directory and one or more
domains.
nYou must select a network for the third party identity provider configuration.
nIf you are using an external VMware Identity Manager as your third party identity provider,
and you are using userPrincipleName to authenticate users, you must change the Name ID
mapping configuration for userPrincipleName from the default of x509SubjectName to
unspecified.
See Configure a Third Party Identity Provider Connection for more information about creating
identity providers.
2Configure SAML on the Just-in-Time identity provider.
a Copy IdP metadata from your identity provider.
b In vRealize Automation, select your identity provider and paste the IdP metadata into the Identity
Provider Metadata (URL or XML) text box.
c Click Save.
d In the Name ID policy in SAML Request (Optional) drop-down menu, select the appropriate
format.
For example, if you are using the emal address as the unique user identifier, you would select
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
e Select the appropriate directory under the Users heading.
f Select the networks for use by this identity provider under the Network heading.
g Specify an appropriate name in the Authentication Methods text box.
h In the SAML Context drop down, select urn:oasis:names:tc:SAML:
2.0:ac:classes:PasswordProtectedTransport
i Right-click the Service Provider (SP) Metadata link, and open it in a separate browser tab.
j Use this metadata to configure the SAML connection on your identity provider.
If you are using VMware Identity Manager see the VMware Identity Manager documentation for
complete instructions on configuring SAML.
3Click Add.
The new directory is created using the Directory Name provided.
Configuring vRealize Automation
VMware, Inc. 108
4 Configure the vRealize Automation Access Policy.
a Select Administration > Policies.
b Click the green + icon at the top right of the policy rules table.
c Set the policy rule to apply to the applicable network ranges and device types.
d For the authentication method, select the method that you created when you configured the
third party identity provider for JIT provisioning.
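The Name ID mapping that steps 1 and 2d rely on, as an added Python example (this is not VMware's code and not the Directories Management implementation): it reads the subject NameID and its Format from a constructed SAML assertion, looks the format up in a constructed Name ID Format table of the kind described above (emailAddress mapped to email, unspecified mapped to userPrincipalName, as required for an external VMware Identity Manager), and admits the subject only when exactly one enabled directory user matches. The directory entries, the mapping table and the function names (make_assertion, extract_name_id, resolve_user) are all constructed for this example.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Added example, not VMware's code: resolve the subject NameID of a SAML
# assertion to a Directories Management user through a Name ID Format table
# of the kind configured on the identity provider. All data is constructed.

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
X509_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"

# Constructed Name ID Format table. 'unspecified' is mapped to
# userPrincipalName (the mapping the page requires for an external VMware
# Identity Manager that authenticates by UPN; the default would be
# x509SubjectName). X509SubjectName is deliberately left unmapped.
NAMEID_TO_ATTRIBUTE = {
    EMAIL_FMT: "email",
    UNSPECIFIED_FMT: "userPrincipalName",
}

# Constructed directory using attribute names from the User Attributes table.
DIRECTORY = [
    {"userName": "jdoe", "userPrincipalName": "jdoe@example.com",
     "email": "john.doe@example.com", "disabled": False},
    {"userName": "asmith", "userPrincipalName": "asmith@example.com",
     "email": "a.smith@example.com", "disabled": True},
]


def make_assertion(name_id_format, value):
    """Build a minimal, unsigned, constructed assertion carrying only a subject NameID."""
    return (
        f'<saml:Assertion xmlns:saml="{SAML_NS["saml"]}">'
        f'<saml:Subject><saml:NameID Format="{escape(name_id_format)}">'
        f"{escape(value)}</saml:NameID></saml:Subject></saml:Assertion>"
    )


def extract_name_id(assertion_xml):
    """Return (format, value) of the subject NameID. SAML 2.0 treats a missing
    Format attribute as 'unspecified'."""
    root = ET.fromstring(assertion_xml)
    node = root.find("saml:Subject/saml:NameID", SAML_NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("assertion carries no subject NameID")
    return node.get("Format", UNSPECIFIED_FMT), node.text.strip()


def resolve_user(assertion_xml, directory=DIRECTORY, mapping=NAMEID_TO_ATTRIBUTE):
    """Return ("allow", userName) or ("deny", reason). Zero or several matches
    are refused: an ambiguous subject must never log in as whichever user
    happens to come first, and a disabled account stays locked out."""
    try:
        fmt, value = extract_name_id(assertion_xml)
    except (ET.ParseError, ValueError) as exc:
        return ("deny", f"unusable assertion: {exc}")
    attribute = mapping.get(fmt)
    if attribute is None:
        return ("deny", f"no Name ID value mapped for format {fmt}")
    matches = [u for u in directory if str(u.get(attribute, "")).lower() == value.lower()]
    if len(matches) != 1:
        return ("deny", f"{len(matches)} users match {attribute}={value!r}")
    user = matches[0]
    if user["disabled"]:
        # userAccountControl UF_Account_Disable synced from Active Directory
        return ("deny", f"account {user['userName']} is disabled in Active Directory")
    return ("allow", user["userName"])


if __name__ == "__main__":
    print(resolve_user(make_assertion(EMAIL_FMT, "John.Doe@example.com")))
    print(resolve_user(make_assertion(X509_FMT, "CN=jdoe")))
```

The X509SubjectName case is the practical point of step 1: with the default mapping still in place, a UPN sent in the unspecified format would not resolve to any user, and the safe outcome is a denial rather than a best-effort match.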
Managing User Attributes that Sync from Active Directory
The Directories Management User Attributes page lists the user attributes that sync to your Active
Directory connection.
Changes that you make and save in the User Attributes page are added to the Mapped Attributes page in
the Directories Management directory. The attributes changes are updated to the directory with the next
sync to Active Directory.
The User Attributes page lists the default directory attributes that you can map to Active Directory
attributes. You select the attributes that are required, and you can add other Active Directory attributes to
sync to the directory.
Table 26. Default Active Directory Attributes to Sync to Directory

Directory Attribute Name            Default Mapping to Active Directory Attribute
userPrincipalName                   userPrincipalName
distinguishedName                   distinguishedName
employeeId                          employeeID
domain                              canonicalName. Adds the fully qualified domain name of the object.
disabled (external user disabled)   userAccountControl. Flagged with UF_Account_Disable.
                                    When an account is disabled, users cannot log in to access their
                                    applications and resources. The resources that users were entitled
                                    to are not removed from the account, so that when the flag is
                                    removed from the account, users can log in and access their entitled
                                    resources.
phone                               telephoneNumber
lastName                            sn
firstName                           givenName
email                               mail
userName                            sAMAccountName
Managing Connectors and Connector Clusters
The Connectors page lists deployed connectors for your enterprise network. A connector syncs user and
group data between Active Directory and the Directories Management service, and when it is used as the
identity provider, authenticates users to the service.
In vRealize Automation, each vRealize Automation appliance contains its own connector, and these
connectors are suitable for most deployments.
When you associate a directory with a connector instance, the connector creates a partition for the
associated directory called a worker. A connector instance can have multiple associated workers. Each
worker acts as an identity provider. The connector syncs user and group data between Active Directory
and the service through one or more workers. You define and configure authentication methods on a per
worker basis.
You can manage various aspects of an Active Directory link from the Connectors page. This page
contains a table and several buttons that enable you to complete various management tasks.
- In the Worker column, select a worker to view the connector details and navigate to the Auth
Adapters page to see the status of the available authentication methods. For information about
authentication, see Integrating Alternative User Authentication Products with Directories
Management.
- In the Identity Provider column, select the IdP to view, edit or disable. See Configure a Third Party
Identity Provider Connection.
- In the Associated Directory column, access the directory associated with this worker.
- Click Join Domain to join the connector to a specific Active Directory domain. For example, when you
configure Kerberos authentication, you must join an Active Directory domain that either contains the
users or has a trust relationship with the domains that contain the users.
- When you configure a directory with an Integrated Windows Authentication Active Directory, the
connector joins the domain according to the configuration details.
Connectors in a Clustered Environment
In a distributed vRealize Automation deployment, all available connectors perform any required user
authorization, while a single designated connector handles all configuration synchronization. Typically,
synchronization includes additions, deletions, or changes to the user configuration, and
synchronization occurs automatically as long as all connectors are available. There are some specific
situations in which automatic synchronization may not occur.
For changes related to directory configuration, such as the base DN, vRealize Automation attempts to
automatically push updates to all connectors in a cluster. If a connector is inoperable or unreachable for
some reason, that connector will not receive the update, even when it resumes online operation. To
implement configuration changes on connectors that may not have received them automatically, system
administrators must manually save the changes to all applicable connectors.
For directory sync profile related changes, vRealize Automation also attempts to automatically push
updates to all connectors. If the sync connector is operational, the update is saved and pushed to all
available authorization connectors. If one or more connectors are unreachable, the system administrator
receives a warning indicating that not all connectors were updated. If the sync connector is inoperable, the
update fails and an error occurs. If the system administrator changes the connector designated as the
sync connector, the new sync connector receives the latest available profile information, and this
information is pushed to all applicable, and available, connectors.
Join a Connector Machine to a Domain
In some cases, you may need to join a machine containing a Directories Management connector to a
domain.
For Active Directory over LDAP directories, you can join a domain after creating the directory. For Active
Directory (Integrated Windows Authentication) directories, the connector is joined to the domain
automatically when you create the directory. In both cases, you must supply the appropriate credentials.
To join a domain, you need Active Directory credentials that have the privilege to "join computer to AD
domain". This is configured in Active Directory with the following rights:
- Create Computer Objects
- Delete Computer Objects
When you join a domain, a computer object is created in the default location in Active Directory.
If you do not have the rights to join a domain, or if your company policy requires a custom location for the
computer object, you must ask your administrator to create the object and then join the connector
machine to the domain.
Procedure
1 Ask your Active Directory administrator to create the computer object in Active Directory in a location
determined by your company policy. You must provide the host name of the connector. Ensure that
you provide the fully qualified domain name, for example server.example.com.
You can find the host name in the Host Name column on the Connectors page in the administrative
console. Select Administration > Directories Management > Connectors.
2 After the computer object is created, click Join Domain on the Connectors page to join the domain
using any domain user account available in Directories Management.
About Domain Controller Selection
The domain_krb.properties file determines which domain controllers are used for directories that have
DNS Service Location (SRV records) lookup enabled. It contains a list of domain controllers for each
domain. The connector creates the file initially, and you must maintain it subsequently. The file overrides
DNS Service Location (SRV) lookup.
The following types of directories have DNS Service Location lookup enabled.
- Active Directory over LDAP with the This Directory supports DNS Service Location option
selected
- Active Directory (Integrated Windows Authentication), which always has DNS Service Location
lookup enabled
When you first create a directory that has DNS Service Location lookup enabled, a
domain_krb.properties file is created automatically in the /usr/local/horizon/conf directory of the
virtual machine and is auto-populated with domain controllers for each domain. To populate the file, the
connector attempts to find domain controllers that are at the same site as the connector and selects two
that are reachable and that respond the fastest.
When you create additional directories that have DNS Service Location enabled, or add new domains to
an Integrated Windows Authentication directory, the new domains, and a list of domain controllers for
them, are added to the file.
You can override the default selection at any time by editing the domain_krb.properties file. As a best
practice, after you create a directory, view the domain_krb.properties file and verify that the domain
controllers listed are the optimal ones for your configuration. For a global Active Directory deployment that
has multiple domain controllers across different geographical locations, using a domain controller that is
in close proximity to the connector ensures faster communication with Active Directory.
You must also update the file manually for any other changes. The following rules apply.
- The file is created, and auto-populated with domain controllers for each domain, when you first create
a directory that has DNS Service Location lookup enabled.
- Domain controllers for each domain are listed in order of priority. To connect to Active Directory, the
connector tries the first domain controller in the list. If it is not reachable, it tries the second one in the
list, and so on.
- The file is updated only when you create a new directory that has DNS Service Location lookup
enabled or when you add a domain to an Integrated Windows Authentication directory. The new
domain and a list of domain controllers for it are added to the file.
Note that if an entry for a domain already exists in the file, it is not updated. For example, if you
created a directory, then deleted it, the original domain entry remains in the file and is not updated.
- The file is not updated automatically in any other scenario. For example, if you delete a directory, the
domain entry is not deleted from the file.
- If a domain controller listed in the file is not reachable, edit the file and remove it.
- If you add or edit a domain entry manually, your changes will not be overwritten.
How Domain Controllers are Selected to Auto-Populate the domain_krb.properties File
To auto-populate the domain_krb.properties file, domain controllers are selected by first determining
the subnet on which the connector resides (based on the IP address and netmask), then using the Active
Directory configuration to identify the site of that subnet, getting the list of domain controllers for that site,
filtering the list for the appropriate domain, and picking the two domain controllers that respond the
fastest.
To detect the domain controllers that are the closest, VMware Identity Manager has the following
requirements.
- The subnet of the connector must be present in the Active Directory configuration, or a subnet must
be specified in the runtime-config.properties file.
The subnet is used to determine the site.
- The Active Directory configuration must be site aware.
If the subnet cannot be determined or if your Active Directory configuration is not site aware, DNS Service
Location lookup is used to find domain controllers, and the file is populated with a few domain controllers
that are reachable. Note that these domain controllers may not be at the same geographical location as
the connector, which can result in delays or timeouts while communicating with Active Directory. In this
case, edit the domain_krb.properties file manually and specify the correct domain controllers to use
for each domain.
Sample domain_krb.properties File
example.com=host1.example.com:389,host2.example.com:389
- Override the Default Subnet Selection
To auto-populate the domain_krb.properties file, the connector attempts to find domain
controllers that are at the same site so there is minimal latency between the connector and Active
Directory.
- Edit the domain_krb.properties file
The /usr/local/horizon/conf/domain_krb.properties file determines the domain controllers
to use for directories that have DNS Service Location lookup enabled. You can edit the file at any
time to modify the list of domain controllers for a domain, or to add or delete domain entries. Your
changes will not be overridden.
- Troubleshooting domain_krb.properties
Use this information to troubleshoot the domain_krb.properties file.
Override the Default Subnet Selection
To auto-populate the domain_krb.properties file, the connector attempts to find domain controllers that
are at the same site so there is minimal latency between the connector and Active Directory.
To find the site, the connector determines the subnet on which it resides, based on its IP address and
netmask, then uses the Active Directory configuration to identify the site for that subnet. If the subnet of
the virtual machine is not in Active Directory, or if you want to override the automatic subnet selection, you
can specify a subnet in the runtime-config.properties file.
Procedure
1 Log in to the virtual machine as the root user.
2 Edit the /usr/local/horizon/conf/runtime-config.properties file and add the following
attribute.
siteaware.subnet.override=subnet
where subnet is a subnet for the site whose domain controllers you want to use. For example:
siteaware.subnet.override=10.100.0.0/20
3 Save and close the file.
4 Restart the service.
service horizon-workspace restart
Edit the domain_krb.properties file
The /usr/local/horizon/conf/domain_krb.properties file determines the domain controllers to
use for directories that have DNS Service Location lookup enabled. You can edit the file at any time to
modify the list of domain controllers for a domain, or to add or delete domain entries. Your changes will
not be overridden.
The file is initially created and auto-populated by the connector. You need to update it manually in some
scenarios.
- If the domain controllers selected by default are not the optimal ones for your configuration, edit the
file and specify the domain controllers to use.
- If you delete a directory, delete the corresponding domain entry from the file.
- If any domain controllers in the file are not reachable, remove them from the file.
See also About Domain Controller Selection.
Procedure
1 Log in to the virtual machine as the root user.
2 Change directories to /usr/local/horizon/conf.
3 Edit the domain_krb.properties file to add or edit the list of domain to host values.
Use the following format:
domain=host:port,host2:port,host3:port
For example:
example.com=examplehost1.example.com:389,examplehost2.example.com:389
List the domain controllers in order of priority. To connect to Active Directory, the connector tries the
first domain controller in the list. If it is not reachable, it tries the second one in the list, and so on.
Important: Domain names must be in lowercase.
4 Change the owner of the domain_krb.properties file to horizon and the group to www using the
following command:
chown horizon:www /usr/local/horizon/conf/domain_krb.properties
5 Restart the service.
service horizon-workspace restart
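The domain_krb.properties rules described under About Domain Controller Selection (site-aware auto-population, the siteaware.subnet.override setting, entries that are never overwritten) and in this editing procedure (priority order, lowercase domain names, removing unreachable controllers), as one added Python example that is not VMware's code and not the connector's implementation. The Active Directory site subnets, the controllers per site, the latency readings and the reachability probe are constructed or injected so that it runs offline; every function name is hypothetical.

```python
import ipaddress

# Added example, not VMware's code: models the domain_krb.properties rules on
# this page. Site data, latencies and the reachability probe are constructed
# or injected so it runs offline; all function names are hypothetical.

LDAP_PORT = 389


def parse_properties(text):
    """Parse 'domain=host:port,host2:port' lines into {domain: [(host, port), ...]},
    preserving the priority order in which the connector tries the controllers."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        domain, sep, hosts = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line {line!r}")
        controllers = []
        for item in hosts.split(","):
            host, _, port = item.strip().rpartition(":")
            if not host or not port.isdigit():
                raise ValueError(f"malformed domain controller {item!r} for {domain.strip()}")
            controllers.append((host, int(port)))
        entries[domain.strip()] = controllers
    return entries


def render_properties(entries):
    """Inverse of parse_properties, in the file's own one-line-per-domain format."""
    return "".join(f"{d}=" + ",".join(f"{h}:{p}" for h, p in dcs) + "\n"
                   for d, dcs in entries.items())


def validate(entries, reachable):
    """Flag domain names that are not lowercase (the page requires lowercase) and
    controllers the injected probe reports unreachable, which must be removed by hand."""
    findings = []
    for domain, dcs in entries.items():
        if domain != domain.lower():
            findings.append(f"domain {domain!r} must be lowercase")
        findings += [f"{domain}: remove unreachable {h}:{p}" for h, p in dcs if not reachable(h, p)]
    return findings


def find_site(connector_ip, netmask, site_subnets, override=None):
    """Derive the connector subnet from IP and netmask, or take the
    siteaware.subnet.override value, and return the AD site of the most specific
    matching subnet. None means the site cannot be determined."""
    if override:
        subnet = ipaddress.ip_network(override, strict=False)
    else:
        subnet = ipaddress.ip_interface(f"{connector_ip}/{netmask}").network
    best = None
    for cidr, site in site_subnets.items():
        net = ipaddress.ip_network(cidr)
        if subnet.subnet_of(net) and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def select_controllers(domain, site, site_controllers, latency_ms, count=2):
    """Pick the `count` controllers of `domain` at `site` that respond fastest;
    controllers without a latency reading are unreachable and skipped. None
    means no site, so the connector would fall back to SRV lookup instead."""
    if site is None:
        return None
    candidates = [dc for dc in site_controllers.get(site, [])
                  if dc["domain"] == domain and latency_ms(dc["host"]) is not None]
    candidates.sort(key=lambda dc: latency_ms(dc["host"]))
    return [(dc["host"], LDAP_PORT) for dc in candidates[:count]]


# Constructed Active Directory site configuration and latency measurements.
SITE_SUBNETS = {"10.100.0.0/16": "Corp", "10.100.0.0/20": "HQ", "10.200.0.0/16": "Branch"}
SITE_CONTROLLERS = {
    "HQ": [{"host": "dc1.example.com", "domain": "example.com"},
           {"host": "dc2.example.com", "domain": "example.com"},
           {"host": "dc3.example.com", "domain": "example.com"},
           {"host": "dc1.sub.example.com", "domain": "sub.example.com"}],
    "Branch": [{"host": "dc1.branch.example.com", "domain": "example.com"}],
}
LATENCY_MS = {"dc1.example.com": 3.0, "dc2.example.com": 1.5, "dc3.example.com": None,
              "dc1.sub.example.com": 2.0, "dc1.branch.example.com": 40.0}


def auto_populate(connector_ip, netmask, domains, existing="", override=None):
    """Produce the file content the way the connector does when a directory is
    created: an entry already present is left untouched, never overwritten."""
    entries = parse_properties(existing)
    site = find_site(connector_ip, netmask, SITE_SUBNETS, override)
    for domain in domains:
        chosen = select_controllers(domain, site, SITE_CONTROLLERS, LATENCY_MS.get)
        if chosen and domain not in entries:
            entries[domain] = chosen
    return render_properties(entries)


if __name__ == "__main__":
    print(auto_populate("10.100.3.7", "255.255.240.0", ["example.com", "sub.example.com"]), end="")
```

Running validate over a freshly parsed file with a real TCP probe in place of the injected lambda is the check to make after the directory is created: a stale or unreachable controller at the top of a domain's list costs a timeout on every Active Directory connection attempt before the next one is tried.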
Troubleshooting domain_krb.properties
Use this information to troubleshoot the domain_krb.properties file.
"Error resolving domain" error
If the domain_krb.properties file already includes an entry for a domain, and you try to create a new
directory of a different type for the same domain, an "Error resolving domain" error occurs. You must edit
the domain_krb.properties file and manually remove the domain entry before creating the new
directory.
Domain controllers are unreachable
Once a domain entry is added to the domain_krb.properties file, it is not updated automatically. If any
domain controllers listed in the file become unreachable, edit the file manually and remove them.
Managing Access Policies
The Directories Management policies are a set of rules that specify criteria that must be met for users to
access their app portal or to launch specified Web applications.
You create the rule as part of a policy. Each rule in a policy can specify the following information.
- The network range, where users are allowed to log in from, such as inside or outside the enterprise
network.
- The device type that can access through this policy.
- The order that the enabled authentication methods are applied.
- The number of hours the authentication is valid.
- Custom access denied message.
Note: The policies do not control the length of time that a Web application session lasts. They control the
amount of time that users have to launch a Web application.
The Directories Management service includes a default policy that you can edit. This policy controls
access to the service as a whole. See Applying the Default Access Policy. To control access to specific
Web applications, you can create additional policies. If you do not apply a policy to a Web application, the
default policy applies.
Configuring Access Policy Settings
A policy contains one or more access rules. Each rule consists of settings that you can configure to
manage user access to their application portals as a whole or to specified Web applications.
Network Range
For each rule, you determine the user base by specifying a network range. A network range consists of
one or more IP ranges. You create network ranges from the Identity & Access Management tab, Setup >
Network Ranges page prior to configuring access policy sets.
Device Type
Select the type of device that the rule manages. The client types are Web Browser, Identity Manager
Client App, iOS, Android, and All device types.
Authentication Methods
Set the priority of the authentication methods for the policy rule. The authentication methods are applied
in the order they are listed. The first identity provider instance that meets the authentication method and
network range configuration in the policy is selected, and the user authentication request is forwarded to
that identity provider instance for authentication. If authentication fails, the next authentication method in
the list is selected. If Certificate authentication is used, this method must be the first authentication
method in the list.
You can configure access policy rules to require users to pass credentials through two authentication
methods before they can sign in. If one or both authentication methods fail and fallback methods are also
configured, users are prompted to enter their credentials for the next authentication methods that are
configured. The following two scenarios describe how authentication chaining can work.
- In the first scenario, the access policy rule is configured to require users to authenticate with their
password and with their Kerberos credential. Fallback authentication is set up to require the password
and the RADIUS credential for authentication. A user enters the password correctly, but fails to enter
the correct Kerberos authentication credential. Since the user entered the correct password, the
fallback authentication request is only for the RADIUS credential. The user does not need to re-enter
the password.
- In the second scenario, the access policy rule is configured to require users to authenticate with their
password and their Kerberos credential. Fallback authentication is set up to require RSA SecurID and
RADIUS for authentication. A user enters the password correctly but fails to enter the correct
Kerberos authentication credential. The fallback authentication request is for both the RSA SecurID
credential and the RADIUS credential for authentication.
Authentication Session Length
For each rule, you set the length of time that this authentication is valid. The value determines the
maximum amount of time users have since their last authentication event to access their portal or to
launch a specific Web application. For example, a value of 4 in a Web application rule gives users four
hours to launch the Web application unless they initiate another authentication event that extends the time.
Custom Access Denied Error Message
When users attempt to sign in and fail because of invalid credentials, incorrect configuration, or system
error, an access denied message is displayed. The default message is
Access denied as no valid authentication methods were found.
You can create a custom error message for each access policy rule that overrides the default message.
The custom message can include text and a link for a call to action message. For example, in a policy
rule for mobile devices that you want to manage, if a user tries to sign in from an unenrolled device, the
following custom error message could appear:
Please enroll your device to access corporate resources by clicking the link at the end of this
message. If your device is already enrolled, contact support for help.
Example Default Policy
The following policy serves as an example of how you can configure the default policy to control access
to the apps portal. See Manage the User Access Policy.
The policy rules are evaluated in the order listed. You can change the order of the policy by dragging and
dropping the rule in the Policy Rules section.
In the following use case, this policy example applies to all applications.
1 - For the internal network (Internal Network Range), two authentication methods are configured for
the rule, Kerberos and password authentication as the fallback method. To access the apps portal
from an internal network, the service attempts to authenticate users with Kerberos authentication
first, as it is the first authentication method listed in the rule. If that fails, users are prompted to
enter their Active Directory password. Users log in using a browser and now have access to their
user portals for an eight-hour session.
  - For access from the external network (All Ranges), only one authentication method is configured,
RSA SecurID. To access the apps portal from an external network, users are required to log in
with SecurID. Users log in using a browser and now have access to their apps portals for a
four-hour session.
2 When a user attempts to access a resource, except for Web applications covered by a
Web-application-specific policy, the default portal access policy applies.
For example, the re-authentication time for such resources matches the re-authentication time of the
default access policy rule. If the time for a user who logs in to the apps portal is eight hours according
to the default access policy rule, when the user attempts to launch a resource during the session, the
application launches without requiring the user to re-authenticate.
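The rule evaluation just described (rules tried in the order listed, matched on network range and device type, authentication methods tried in order with fallbacks, and a session length counted from the last authentication event) together with the two authentication chaining scenarios under Authentication Methods, as an added Python example. This is not VMware's code and not how Directories Management is implemented: CIDR strings stand in for configured network ranges, 0.0.0.0/0 plays the role of ALL RANGES, and the Rule class, the evaluate and next_challenge functions and the policy data are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not VMware's code: an evaluator for access policy rules as the
# page describes them (network range, device type, ordered authentication
# methods with fallbacks, session length). Policies, ranges and device types
# are constructed; 0.0.0.0/0 stands in for the ALL RANGES network range.

DEFAULT_DENIED = "Access denied as no valid authentication methods were found."


@dataclass
class Rule:
    name: str
    network_ranges: list      # CIDR strings the client IP must fall into
    device_types: set         # e.g. {"Web Browser", "iOS"} or {"All"}
    chains: list              # ordered chains; every method in a chain must succeed,
                              # and the later chains are the fallbacks
    session_hours: float      # hours allowed since the last authentication event
    denied_message: str = DEFAULT_DENIED


def match_rule(policy, client_ip, device_type):
    """Rules are evaluated in the order listed; the first one matching both
    the network range and the device type wins."""
    ip = ipaddress.ip_address(client_ip)
    for rule in policy:
        in_range = any(ip in ipaddress.ip_network(cidr) for cidr in rule.network_ranges)
        device_ok = "All" in rule.device_types or device_type in rule.device_types
        if in_range and device_ok:
            return rule
    return None


def next_challenge(rule, passed, failed):
    """Authentication chaining: a chain containing a failed method is skipped;
    in the first remaining chain only the methods not already passed are
    requested again. None means every chain is exhausted."""
    for chain in rule.chains:
        if any(method in failed for method in chain):
            continue
        return [method for method in chain if method not in passed]
    return None


def evaluate(policy, client_ip, device_type, passed=(), failed=(), last_auth_hours_ago=None):
    """Return ("allow", rule name), ("challenge", [methods]) or ("deny", message)."""
    rule = match_rule(policy, client_ip, device_type)
    if rule is None:
        return ("deny", "no policy rule matches this network range and device type")
    if last_auth_hours_ago is not None and last_auth_hours_ago < rule.session_hours:
        return ("allow", rule.name)          # still inside the session length
    owed = next_challenge(rule, set(passed), set(failed))
    if owed is None:
        return ("deny", rule.denied_message)
    if not owed:
        return ("allow", rule.name)          # every method of the chain has passed
    return ("challenge", owed)


# Constructed model of the example default policy above.
DEFAULT_POLICY = [
    Rule("Internal Network Range", ["10.0.0.0/8"], {"All"}, [["Kerberos"], ["Password"]], 8),
    Rule("All Ranges", ["0.0.0.0/0"], {"All"}, [["RSA SecurID"]], 4),
]

# Constructed rules for the two chaining scenarios under Authentication Methods.
SCENARIO_1 = Rule("Scenario 1", ["0.0.0.0/0"], {"All"},
                  [["Password", "Kerberos"], ["Password", "RADIUS"]], 8)
SCENARIO_2 = Rule("Scenario 2", ["0.0.0.0/0"], {"All"},
                  [["Password", "Kerberos"], ["RSA SecurID", "RADIUS"]], 8)


if __name__ == "__main__":
    print(next_challenge(SCENARIO_1, {"Password"}, {"Kerberos"}))
    print(next_challenge(SCENARIO_2, {"Password"}, {"Kerberos"}))
    print(evaluate(DEFAULT_POLICY, "203.0.113.5", "Web Browser", last_auth_hours_ago=5))
```

The rule order matters in the same way it does in the product: because the internal rule is listed first, an internal client never reaches the ALL RANGES rule, while an external client falls through to it and is held to the shorter four-hour session.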
Managing Web-Application-Specific Policies
When you add Web applications to the catalog, you can create Web-application-specific access policies.
For example, you can create a policy with rules for a Web application that specifies which IP addresses
have access to the application, using which authentication methods, and for how long until
reauthentication is required.
The following Web-application-specific policy provides an example of a policy you can create to control
access to specified Web applications.
Example 1 Strict Web-Application-Specific Policy
In this example, a new policy is created and applied to a sensitive Web application.
1 To access the service from outside the enterprise network, the user is required to log in with RSA
SecurID. The user logs in using a browser and now has access to the apps portal for a four hour
session as provided by the default access rule.
2 After four hours, the user tries to launch a Web application with the Sensitive Web Applications policy
set applied.
3 The service checks the rules in the policy and applies the policy with the ALL RANGES network
range since the user request is coming from a Web browser and from the ALL RANGES network
range.
The user logs in using the RSA SecurID authentication method, but the session just expired. The user
is redirected for reauthentication. The reauthentication provides the user with another four hour
session and the ability to launch the application. For the next four hours, the user can continue to
launch the application without having to reauthenticate.
Example 2 Stricter Web-Application-Specific Policy
For a stricter rule to apply to extra sensitive Web applications, you could require re-authentication with
RSA SecurID on any device after 1 hour. The following is an example of how this type of policy access
rule is implemented.
1 The user logs in from inside the enterprise network using the password authentication method.
Now, the user has access to the apps portal for eight hours, as set up in Example 1.
2 The user immediately tries to launch a Web application with the Example 2 policy rule applied, which
requires RSA SecurID authentication.
3 The user is redirected to an identity provider that provides RSA SecurID authentication.
4 After the user successfully logs in, the service launches the application and saves the authentication
event.
The user can continue to launch this application for up to one hour but is asked to reauthenticate after
an hour, as dictated by the policy rule.
Manage the User Access Policy
vRealize Automation is supplied with a default user access policy that you can use as is or edit as needed
to manage tenant access to applications.
vRealize Automation is supplied with a default user access policy, and you cannot add new policies. You
can edit the existing policy to add rules.
Prerequisites
- Select or configure the appropriate identity providers for your deployment. See Configure a Third
Party Identity Provider Connection.
- Configure the appropriate network ranges for your deployment. See Add or Edit a Network Range.
- Configure the appropriate authentication methods for your deployment. See Integrating Alternative
User Authentication Products with Directories Management.
- If you plan to edit the default policy (to control user access to the service as a whole), configure it
before creating a Web-application-specific policy.
- Add Web applications to the Catalog. The Web applications must be listed in the Catalog page before
you can add a policy.
- Log in to vRealize Automation as a tenant administrator.
Procedure
1 Select Administration > Directories Management > Policies.
2 Click Edit Policy to add a new policy.
3 Add a policy name and description in the respective text boxes.
4 In the Applies To section, click Select and in the page that appears, select the Web applications that
are associated with this policy.
5 In the Policy Rules section, click + to add a rule.
The Add a Policy Rule page appears.
a Select the network range to apply to this rule.
b Select the type of device that can access the Web applications for this rule.
c Select the authentication methods to use, in the order the methods should be applied.
d Specify the number of hours that a Web application session stays open.
e Click Save.
6 Configure additional rules as appropriate.
7 Click Save.
Configuring Additional Identity Provider Connections
You can configure additional identity provider connections as needed to support different identity
management scenarios, including additional built-in identity providers and third-party identity providers.
You can create three types of identity provider connections using Directories Management.
- Create Third-Party IDP - Use this item to create a connection to an external third-party identity
provider. Ensure that you have the following before adding a third-party identity provider instance.
  - Verify that the third-party instances are SAML 2.0 compliant and that the service can reach the
third-party instance.
  - Obtain the appropriate third-party metadata information to add when you configure the identity
provider in the administration console. The metadata information you obtain from the third-party
instance is either the URL to the metadata or the actual metadata.
- Create Workspace IDP - When you enable a connector to authenticate users during Directories
Management configuration, a Workspace IDP is created as the identity provider and password
authentication is enabled. You can configure additional workspace identity providers behind different
load balancers.
- Create Built-in IDP - Built-in identity providers use the internal Directories Management mechanisms
to support authentication. You can configure built-in identity providers to use authentication methods
that do not require the use of an on-premises connector. When you configure the built-in provider, you
associate the authentication methods to use with the provider.
- Configure a Third Party Identity Provider Connection
vRealize Automation is supplied with a default identity provider connection instance. Users may
want to create additional identity provider connections to support just-in-time user provisioning or
other custom configurations.
- Configure Additional Workspace Identity Providers
When you configure a Directories Management connector to authenticate users, a Workspace IDP is
created and password authentication is enabled.
- Configure a Built-in Identity Provider Connection
You can configure multiple built-in identity providers and associate authentication methods with
them.
Configure a Third Party Identity Provider Connection
vRealize Automation is supplied with a default identity provider connection instance. Users may want to
create additional identity provider connections to support just-in-time user provisioning or other custom
configurations.
vRealize Automation is supplied with a default identity provider. In most cases, the default provider is
sufficient for customer needs. If you use an existing enterprise identity management solution, you can set
up a custom identity provider to redirect users to your existing identity solution.
When using a custom identity provider, Directories Management uses SAML metadata from that provider
to establish a trust relationship with the provider. After this relationship is established, Directories
Management maps the users from the SAML assertion to the list of internal vRealize Automation users
based on the subject name ID.
Prerequisites
- Configure the network ranges that you want to direct to this identity provider instance for
authentication. See Add or Edit a Network Range.
- Access to the third-party metadata document. This can be either the URL to the metadata or the
actual metadata.
- Log in to vRealize Automation as a tenant administrator.
Procedure
1 Select Administration > Directories Management > Identity Providers.
This page displays all configured Identity Providers.
2 Click Add Identity Provider.
A menu appears with Identity Provider options.
3 Select Create Third Party IDP.
4Enter the appropriate information to configure the identity provider.
Option: Description
Identity Provider Name: Enter a name for this identity provider instance.
SAML Metadata: Add the third-party IdP's XML-based metadata document to establish trust with the identity provider.
  1. Enter the SAML metadata URL or the XML content into the text box.
  2. Click Process IdP Metadata. The NameID formats supported by the IdP are extracted from the metadata and added to the Name ID Format table.
  3. In the Name ID value column, select the user attribute in the service to map to the ID formats displayed. You can add custom third-party name ID formats and map them to the user attribute values in the service.
  4. (Optional) Select the NameIDPolicy response identifier string format.
Users: Select the Directories Management directories of the users that can authenticate using this identity provider.
Just-in-Time User Provisioning: Select the appropriate options to support just-in-time provisioning using an appropriate third-party identity provider. Enter the Directory Name to use for just-in-time provisioning. Enter one or more Domains that exist within the external identity provider that you will use for just-in-time provisioning.
Network: The existing network ranges configured in the service are listed. Select the network ranges for the users, based on their IP addresses, that you want to direct to this identity provider instance for authentication.
Authentication Methods: Add the authentication methods supported by the third-party identity provider. Select the SAML authentication context class that supports the authentication method.
SAML Signing Certificate: Click Service Provider (SP) Metadata to see the URL of the Directories Management SAML service provider metadata. Copy and save the URL. This URL is configured when you edit the SAML assertion in the third-party identity provider to map Directories Management users.
Hostname: If the Hostname field displays, enter the hostname where the identity provider is redirected to for authentication. If you are using a non-standard port other than 443, you can set this as Hostname:Port. For example, myco.example.com:8443.
5. Click Add.
What to do next
- Copy and save the Directories Management service provider metadata that is required to configure the third-party identity provider instance. This metadata is available in the SAML Signing Certificate section of the Identity Provider page.
- Add the authentication method of the identity provider to the service's default policy.
See the Setting Up Resources in Directories Management guide for information about adding and customizing resources that you add to the catalog.
Configure Additional Workspace Identity Providers
When you configure a Directories Management connector to authenticate users, a Workspace IDP is
created and password authentication is enabled.
You can configure additional connectors to operate behind multiple load balancers. When your
deployment includes more than one load balancer, you can configure additional Workspace identity
providers for authentication in each load balancer configuration.
Procedure
1. Select Administration > Directories Management > Identity Providers.
   This page displays all configured Identity Providers.
2. Click Add Identity Provider.
   A menu appears with Identity Provider options.
3. Select Create Workspace IDP.
4. Enter the appropriate information to configure the identity provider.
Option: Description
Identity Provider Name: Enter the name for this built-in identity provider instance.
Users: Select the users to authenticate. The configured directories are listed. Select the group of users who can authenticate using this Workspace identity provider.
Network: The existing network ranges configured in the service are listed. Select the network range for the users based on the IP addresses that you want to direct to this identity provider instance for authentication.
Authentication Methods: Authentication methods that are configured for the service are displayed. Select the check box for the authentication methods to associate with this identity provider. For device compliance and Password, with AirWatch and AirWatch Connector, ensure that the option is enabled on the AirWatch configuration page.
5. Click Add.
Configure a Built-in Identity Provider Connection
You can configure multiple built-in identity providers and associate authentication methods with them.
Prerequisites
If you are using Built-in Kerberos authentication, download the KDC issuer certificate to use in the AirWatch configuration of the iOS device management profile.
Procedure
1. Select Administration > Directories Management > Identity Providers.
   This page displays all configured Identity Providers.
2. Click Add Identity Provider.
   A menu appears with Identity Provider options.
3. Select Create Built-in IDP.
4. Enter the appropriate information to configure the identity provider.
Option: Description
Identity Provider Name: Enter the name for this built-in identity provider instance.
Users: Select the users to authenticate. The configured directories are listed.
Network: The existing network ranges configured in the service are listed. Select the network range for the users based on the IP addresses that you want to direct to this identity provider instance for authentication.
Authentication Methods: The authentication methods that are configured for the service are displayed. Select the check box for the authentication methods to associate with this identity provider. For device compliance and Password, with AirWatch and AirWatch Connector, ensure that the appropriate option is enabled on the AirWatch configuration page.
5. Click Add.
Integrating Alternative User Authentication Products with Directories Management
Typically, when you initially configure Directories Management, you use the connectors supplied with your
existing vRealize Automation infrastructure to create an Active Directory connection for user ID and
password based authentication and management. Alternatively, you can integrate Directories
Management with other authentication solutions such as Kerberos or RSA SecurID.
The identity provider instance can be the Directories Management connector instance, third-party identity
provider instances, or a combination of both.
The identity provider instance that you use with the Directories Management service creates an in-
network federation authority that communicates with the service using SAML 2.0 assertions.
When you initially deploy the Directories Management service, the connector is the initial identity provider
for the service. Your existing Active Directory infrastructure is used for user authentication and
management.
The following authentication methods are supported. You configure these authentication methods from
the administration console.
Table 28. User Authentication Types Supported by Directories Management
Authentication Types: Description
Password (on-premise deployment): Without any configuration after Active Directory is configured, Directories Management supports Active Directory password authentication. This method authenticates users directly against Active Directory.
Kerberos for desktops: Kerberos authentication provides domain users with single sign-in access to their apps portal. Users do not need to sign in again after they sign in to the network.
Certificate (on-premise deployment): Certificate-based authentication can be configured to allow clients to authenticate with certificates on their desktop and mobile devices or to use a smart card adapter for authentication. Certificate-based authentication is based on what the user has and what the person knows. An X.509 certificate uses the public key infrastructure standard to verify that a public key contained within the certificate belongs to the user.
RSA SecurID (on-premise deployment): When RSA SecurID authentication is configured, Directories Management is configured as the authentication agent in the RSA SecurID server. RSA SecurID authentication requires users to use a token-based authentication system. RSA SecurID is an authentication method for users accessing Directories Management from outside the enterprise network.
RADIUS (on-premise deployment): RADIUS authentication provides two-factor authentication options. You set up the RADIUS server that is accessible to the Directories Management service. When users sign in with their user name and passcode, an access request is submitted to the RADIUS server for authentication.
RSA Adaptive Authentication (on-premise deployment): RSA Adaptive Authentication provides stronger multi-factor authentication than user name and password authentication against Active Directory alone. When RSA Adaptive Authentication is enabled, the risk indicators specified in the risk policy set up in the RSA Policy Management application and the Directories Management service configuration of adaptive authentication are used to determine the required authentication prompts.
Mobile SSO (for iOS): Mobile SSO for iOS authentication is used for single sign-on authentication for AirWatch-managed iOS devices. Mobile SSO (for iOS) authentication uses a Key Distribution Center (KDC) that is part of the Directories Management service. You must initiate the KDC service in the VMware Identity Manager service before you enable this authentication method.
Mobile SSO (for Android): Mobile SSO for Android authentication is used for single sign-on authentication for AirWatch-managed Android devices. A proxy service is set up between the Directories Management service and AirWatch to retrieve the certificate from AirWatch for authentication.
Password (AirWatch Connector): The AirWatch Cloud Connector can be integrated with the Directories Management service for user password authentication. You configure the Directories Management service to sync users from the AirWatch directory.
Users are authenticated based on the authentication methods, the default access policy rules, network
ranges, and the identity provider instance you configure. After the authentication methods are configured,
you create access policy rules that specify the authentication methods to be used by device type.
Configuring SecurID for Directories Management
When you configure the RSA SecurID server, you must add the service information as the authentication agent on the RSA SecurID server and configure the RSA SecurID server information on the service.
When you configure SecurID to provide additional security, you must ensure that your network is properly
configured for your Directories Management deployment. For SecurID specifically, you must ensure that
the appropriate port is open to enable SecurID to authenticate users outside your network.
After you run the Setup wizard and configure your Active Directory connection, you have the information necessary to prepare the RSA SecurID server. After you prepare the RSA SecurID server for Directories Management, you enable SecurID in the administration console.
- Prepare the RSA SecurID Server
  The RSA SecurID server must be configured with information about the appliance as the authentication agent. The information required is the host name and the IP addresses for network interfaces.
- Configure RSA SecurID Authentication
  After Directories Management is configured as the authentication agent in the RSA SecurID server, you must add the RSA SecurID configuration information to the connector.
Prepare the RSA SecurID Server
The RSA SecurID server must be configured with information about the appliance as the authentication
agent. The information required is the host name and the IP addresses for network interfaces.
Prerequisites
- Verify that one of the following RSA Authentication Manager versions is installed and functioning on the enterprise network: RSA AM 6.1.2, 7.1 SP2 and later, or 8.0 and later. The server uses AuthSDK_Java_v8.1.1.312.06_03_11_03_16_51 (Agent API 8.1 SP1), which only supports the preceding versions of RSA Authentication Manager (the RSA SecurID server). For information about installing and configuring RSA Authentication Manager (RSA SecurID server), see the RSA documentation.
Procedure
1. On a supported version of the RSA SecurID server, add the connector as an authentication agent. Enter the following information.
Option: Description
Hostname: The host name of .
IP address: The IP address of .
Alternate IP address: If traffic from the connector passes through a network address translation (NAT) device to reach the RSA SecurID server, enter the private IP address of the appliance.
2. Download the compressed configuration file and extract the sdconf.rec file.
   Be prepared to upload this file later when you configure RSA SecurID in Directories Management.
What to do next
Go to the administration console and in the Identity & Access Management tab Setup pages, select the
connector and in the AuthAdapters page configure SecurID.
Configure RSA SecurID Authentication
After Directories Management is configured as the authentication agent in the RSA SecurID server, you
must add the RSA SecurID configuration information to the connector.
Prerequisites
- Verify that RSA Authentication Manager (the RSA SecurID server) is installed and properly configured.
- Download the compressed file from the RSA SecurID server and extract the server configuration file.
Procedure
1. As a tenant administrator, navigate to Administration > Directories Management > Connectors.
2. On the Connectors page, select the Worker link for the connector that is being configured with RSA SecurID.
3. Click Auth Adapters and then click SecurIDldpAdapter.
   You are redirected to the identity manager sign-in page.
4. In the Authentication Adapters page SecurIDldpAdapter row, click Edit.
5. Configure the SecurID Authentication Adapter page.
   Information used and files generated on the RSA SecurID server are required when you configure the SecurID page.
Option: Action
Name: A name is required. The default name is SecurIDldpAdapter. You can change this.
Enable SecurID: Select this box to enable SecurID authentication.
Number of authentication attempts allowed: Enter the maximum number of failed login attempts when using the RSA SecurID token. The default is five attempts.
Connector Address: Enter the IP address of the connector instance. The value you enter must match the value you used when you added the connector appliance as an authentication agent to the RSA SecurID server. If your RSA SecurID server has a value assigned to the Alternate IP address prompt, enter that value as the connector IP address. If no alternate IP address is assigned, enter the value assigned to the IP address prompt.
Agent IP Address: Enter the value assigned to the IP address prompt in the RSA SecurID server.
Server Configuration: Upload the RSA SecurID server configuration file. First, you must download the compressed file from the RSA SecurID server and extract the server configuration file, which by default is named sdconf.rec.
Node Secret: Leaving the node secret field blank allows the node secret to be generated automatically. It is recommended that you clear the node secret file on the RSA SecurID server and intentionally do not upload the node secret file. Ensure that the node secret file on the RSA SecurID server and on the connector instance always match. If you change the node secret at one location, change it at the other location.
6. Click Save.
What to do next
Add the authentication method to the default access policy. Navigate to Administration > Directories
Management > Policies and click Edit Default Policy to edit the default policy rules to add the SecurID
authentication method to the rule in the correct authentication order.
Configuring RADIUS for Directories Management
You can configure Directories Management so that users are required to use RADIUS (Remote
Authentication Dial-In User Service) authentication. You configure the RADIUS server information on the
Directories Management service.
RADIUS support offers a wide range of alternative two-factor token-based authentication options.
Because two-factor authentication solutions, such as RADIUS, work with authentication managers
installed on separate servers, you must have the RADIUS server configured and accessible to the identity
manager service.
When users sign in to their My Apps portal and RADIUS authentication is enabled, a special login dialog box appears in the browser. Users enter their RADIUS authentication user name and passcode in the login dialog box. If the RADIUS server issues an access challenge, the identity manager service displays a dialog box prompting for a second passcode. Currently, support for RADIUS challenges is limited to prompting for text input.
After a user enters credentials in the dialog box, the RADIUS server can send an SMS text message or
email, or text using some other out-of-band mechanism to the user's cell phone with a code. The user can
enter this text and code into the login dialog box to complete the authentication.
If the RADIUS server provides the ability to import users from Active Directory, end users might first be
prompted to supply Active Directory credentials before being prompted for a RADIUS authentication
username and passcode.
Prepare the RADIUS Server
Set up the RADIUS server and then configure it to accept RADIUS requests from the
Directories Management service.
Refer to your RADIUS vendor's setup guides for information about setting up the RADIUS server. Note your RADIUS configuration information, because you use this information when you configure RADIUS in the service. To view the type of RADIUS information required to configure Directories Management, see Configure RADIUS Authentication in Directories Management.
You can set up a secondary RADIUS authentication server to be used for high availability. If the primary RADIUS server does not respond within the server timeout configured for RADIUS authentication, the request is routed to the secondary server. When the primary server does not respond, the secondary server receives all future authentication requests.
Configure RADIUS Authentication in Directories Management
You enable RADIUS software on an authentication manager server. For RADIUS authentication, follow
the vendor's configuration documentation.
Prerequisites
Install and configure the RADIUS software on an authentication manager server. For RADIUS authentication, follow the vendor's configuration documentation.
You need to know the following RADIUS server information to configure RADIUS on the service.
- IP address or DNS name of the RADIUS server.
- Authentication port numbers. The authentication port is usually 1812.
- Authentication type. The authentication types include PAP (Password Authentication Protocol), CHAP (Challenge Handshake Authentication Protocol), MSCHAP1, and MSCHAP2 (Microsoft Challenge Handshake Authentication Protocol, versions 1 and 2).
- RADIUS shared secret that is used for encryption and decryption in RADIUS protocol messages.
- Specific timeout and retry values needed for RADIUS authentication.
- Log in to vRealize Automation as a tenant administrator.
Procedure
1. Select Administration > Directories Management > Connectors.
2. On the Connectors page, select the Worker link for the connector that is being configured for RADIUS authentication.
3. Click Auth Adapters and then click RadiusAuthAdapter.
   You are redirected to the identity manager sign-in page.
4. Click Edit to configure these fields on the Authentication Adapter page.
Option: Action
Name: A name is required. The default name is RadiusAuthAdapter. You can change this.
Enable Radius Adapter: Select this box to enable RADIUS authentication.
Number of authentication attempts allowed: Enter the maximum number of failed login attempts when using RADIUS to log in. The default is five attempts.
Number of attempts to Radius server: Specify the total number of retry attempts. If the primary server does not respond, the service waits for the configured time before retrying again.
Radius server hostname/address: Enter the host name or the IP address of the RADIUS server.
Authentication port: Enter the RADIUS authentication port number. This is usually 1812.
Accounting port: Enter 0 for the port number. The accounting port is not used at this time.
Authentication type: Enter the authentication protocol that is supported by the RADIUS server: PAP, CHAP, MSCHAP1, or MSCHAP2.
Shared secret: Enter the shared secret that is used between the RADIUS server and the VMware Identity Manager service.
Server timeout in seconds: Enter the RADIUS server timeout in seconds, after which a retry is sent if the RADIUS server does not respond.
Realm Prefix: (Optional) The user account location is called the realm. If you specify a realm prefix string, the string is placed at the beginning of the user name when the name is sent to the RADIUS server. For example, if the user name is entered as jdoe and the realm prefix DOMAIN-A\ is specified, the user name DOMAIN-A\jdoe is sent to the RADIUS server. If you do not configure these fields, only the user name that is entered is sent.
Realm Suffix: (Optional) If you specify a realm suffix, the string is placed at the end of the user name. For example, if the suffix is @myco.com, the user name jdoe@myco.com is sent to the RADIUS server.
Login page passphrase hint: Enter the text string to display in the message on the user login page to direct users to enter the correct RADIUS passcode. For example, if this field is configured with AD password first and then SMS passcode, the login page message would read Enter your AD password first and then SMS passcode. The default text string is RADIUS Passcode.
5. You can enable a secondary RADIUS server for high availability.
   Configure the secondary server as described in step 4.
6. Click Save.
What to do next
Add the RADIUS authentication method to the default access policy. Select Administration >
Directories Management > Policies and click Edit Default Policy to edit the default policy rules to add
the RADIUS authentication method to the rule in the correct authentication order.
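The request a RADIUS client such as the adapter above sends for a PAP login, as an added example that is not from this guide or from VMware: it applies the realm prefix and suffix from the table, hides the password with the shared secret as RFC 2865 specifies, checks the reply's Response Authenticator with the same secret (a reply that fails the check did not come from a server holding the secret), and retries the primary server the configured number of times before moving to the secondary. The server names, the secret and the in-memory transport that stands in for UDP are constructed.

```python
"""PAP Access-Request as a RADIUS client builds it: realm prefix/suffix on the
user name, User-Password hidden with the shared secret (RFC 2865 section 5.2),
Response Authenticator verification, and primary-to-secondary failover.
Added example, not product code; servers, secret and transport are constructed."""
import hashlib
import os
import struct
from typing import Callable, List, Optional, Set, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32
RadiusServer = Tuple[str, int]  # (host name or IP, authentication port)


def apply_realm(username: str, prefix: str = "", suffix: str = "") -> str:
    """Realm Prefix / Realm Suffix from the adapter page, e.g. DOMAIN-A\\ + jdoe + @myco.com."""
    return f"{prefix}{username}{suffix}"


def hide_pap_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Pad to 16-byte blocks; XOR each block with MD5(secret + previous block),
    the first block being chained to the 16-byte Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_pap_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server-side inverse of hide_pap_password; here it proves the round trip."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(c ^ k for c, k in zip(block, keystream)), block
    return out.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier: int, username: str, password: str, secret: bytes,
                         authenticator: Optional[bytes] = None) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    authenticator = authenticator or os.urandom(16)  # fresh per request; blinds the password
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, hide_pap_password(password.encode(), secret, authenticator))
             + attribute(ATTR_NAS_IDENTIFIER, b"dm-connector"))  # constructed NAS name
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs


def verify_response(reply: bytes, request_authenticator: bytes, secret: bytes) -> bool:
    """Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:] + secret).digest()
    return reply[4:20] == expected


Transport = Callable[[RadiusServer, bytes, float], Optional[bytes]]


def send_with_failover(packet: bytes, servers: List[RadiusServer], transport: Transport,
                       attempts: int = 3, timeout: float = 5.0
                       ) -> Tuple[Optional[RadiusServer], Optional[bytes]]:
    """'Number of attempts to Radius server' tries against the primary, each bounded by
    'Server timeout in seconds', then the same against the secondary; (None, None) if
    nobody answered."""
    for server in servers:
        for _ in range(attempts):
            reply = transport(server, packet, timeout)
            if reply is not None:
                return server, reply
    return None, None


def make_fake_transport(secret: bytes, silent_hosts: Set[str]) -> Transport:
    """Constructed stand-in for UDP: silent hosts never answer, the others return a
    correctly authenticated Access-Accept; transport.calls records every send."""
    calls: List[str] = []

    def transport(server: RadiusServer, packet: bytes, timeout: float) -> Optional[bytes]:
        calls.append(server[0])
        if server[0] in silent_hosts:
            return None
        header = struct.pack("!BBH", ACCESS_ACCEPT, packet[1], 20)  # no attributes
        return header + hashlib.md5(header + packet[4:20] + secret).digest()

    transport.calls = calls  # type: ignore[attr-defined]
    return transport
```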
Configuring a Certificate or Smart Card Adapter for Use with Directories Management
You can configure X.509 certificate authentication to allow clients to authenticate with certificates on their desktop and mobile devices or to use a smart card adapter for authentication. Certificate-based authentication is based on what the user has (the private key or smart card) and what the person knows (the password to the private key or the smart card PIN). An X.509 certificate uses the public key infrastructure (PKI) standard to verify that a public key contained within the certificate belongs to the user.
With smart card authentication, users connect the smart card with the computer and enter a PIN.
The smart card certificates are copied to the local certificate store on the user's computer. The certificates
in the local certificate store are available to all the browsers running on this user's computer, with some
exceptions, and therefore, are available to a Directories Management instance in the browser.
- Using User Principal Name for Certificate Authentication
  You can use certificate mapping in Active Directory. Certificate and smart card logins use the user principal name (UPN) from Active Directory to validate user accounts. The Active Directory accounts of users attempting to authenticate in the Directories Management service must have a valid UPN that corresponds to the UPN in the certificate.
- Certificate Authority Required for Authentication
  To enable logging in using certificate authentication, root certificates and intermediate certificates must be uploaded to the .
- Using Certificate Revocation Checking
  You can configure certificate revocation checking to prevent users who have their user certificates revoked from authenticating. Certificates are often revoked when a user leaves an organization, loses a smart card, or moves from one department to another.
- Configure Certificate Authentication for Directories Management
  You enable and configure certificate authentication from the vRealize Automation administration console Directories Management feature.
Using User Principal Name for Certificate Authentication
You can use certificate mapping in Active Directory. Certificate and smart card logins use the user principal name (UPN) from Active Directory to validate user accounts. The Active Directory accounts of users attempting to authenticate in the Directories Management service must have a valid UPN that corresponds to the UPN in the certificate.
You can configure the to use an email address to validate the user account if the UPN does not exist in
the certificate.
You can also enable an alternate UPN type to be used.
Certificate Authority Required for Authentication
To enable logging in using certificate authentication, root certificates and intermediate certificates must be
uploaded to the .
The certificates are copied to the local certificate store on the user's computer. The certificates in the local
certificate store are available to all the browsers running on this user's computer, with some exceptions,
and therefore, are available to a Directories Management instance in the browser.
For smart card authentication, when a user initiates a connection to the Directories Management instance, the Directories Management service sends a list of trusted certificate authorities (CAs) to the browser. The browser checks the list of trusted CAs against the available user certificates, selects a suitable certificate, and then prompts the user to enter a smart card PIN. If multiple valid user certificates are available, the browser prompts the user to select a certificate.
If a user cannot authenticate, the root CA and intermediate CA might not be set up correctly, or the
service has not been restarted after the root and intermediate CAs were uploaded to the server. In these
cases, the browser cannot show the installed certificates, the user cannot select the correct certificate,
and certificate authentication fails.
Using Certificate Revocation Checking
You can configure certificate revocation checking to prevent users who have their user certificates
revoked from authenticating. Certificates are often revoked when a user leaves an organization, loses a
smart card, or moves from one department to another.
Certificate revocation checking with certificate revocation lists (CRLs) and with the Online Certificate
Status Protocol (OCSP) is supported. A CRL is a list of revoked certificates published by the CA that
issued the certificates. OCSP is a certificate validation protocol that is used to get the revocation status of
a certificate.
You can configure certificate revocation checking in the administration console Connectors > Auth
Adapters > CertificateAuthAdapter page when you configure certificate authentication.
You can configure both CRL and OCSP in the same certificate authentication adapter configuration.
When you configure both types of certificate revocation checking and the Use CRL in case of OCSP
failure checkbox is enabled, OCSP is checked first and if OCSP fails, revocation checking falls back to
CRL. Revocation checking does not fall back to OCSP if CRL fails.
Logging in with CRL Checking
When you enable certificate revocation, the server reads a CRL to determine the revocation status of a
user certificate.
If a certificate is revoked, authentication through the certificate fails.
Logging in with OCSP Certificate Checking
When you configure Online Certificate Status Protocol (OCSP) revocation checking, a request is sent to an OCSP responder to determine the revocation status of a specific user certificate. The server uses the OCSP signing certificate to verify that the responses it receives from the OCSP responder are genuine. If the certificate is revoked, authentication fails.
You can configure authentication to fall back to CRL checking if no response is received from the OCSP responder or if the response is invalid.
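The revocation-checking order described in the two sections above, as an added example that is not from this guide or from the product: OCSP is consulted first, the CRL is used only when "Use CRL in case of OCSP failure" is set, a CRL failure never falls back to OCSP, and an OCSP response counts only if it is signed by the configured responder certificate and echoes the nonce that was sent. The responder, the CRL, the serial numbers and the fingerprints are constructed stand-ins, and treating an unreachable responder or an unknown status as a failed login is this example's assumption.

```python
"""Revocation check ordering for certificate authentication: OCSP first, CRL
only as the configured fallback, never CRL -> OCSP. Added example, not product
code; responder, CRL, serials and fingerprints are constructed, and anything
short of a confirmed GOOD status fails closed (an assumption of this example)."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional, Set, Tuple


class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"


class OcspFailure(Exception):
    """No response, wrong signer, nonce mismatch, or a response for another certificate."""


class CrlFailure(Exception):
    """The CRL could not be fetched from the configured location."""


@dataclass
class RevocationConfig:  # the check boxes on the CertificateAuthAdapter page
    enable_cert_revocation: bool = True
    use_crl: bool = False
    enable_ocsp: bool = False
    use_crl_on_ocsp_failure: bool = False
    send_ocsp_nonce: bool = True


@dataclass
class OcspResponse:
    serial: int
    status: Status
    signer_fingerprint: str          # which certificate signed this response
    nonce: Optional[bytes] = None    # echo of the request nonce, if any


Responder = Callable[[int, Optional[bytes]], Optional[OcspResponse]]


def check_ocsp(serial: int, cfg: RevocationConfig, responder: Responder,
               trusted_signer: str, nonce: bytes) -> Status:
    sent_nonce = nonce if cfg.send_ocsp_nonce else None
    resp = responder(serial, sent_nonce)
    if resp is None:
        raise OcspFailure("no response from OCSP responder")
    if resp.signer_fingerprint != trusted_signer:
        raise OcspFailure("response not signed by the configured OCSP signing certificate")
    if sent_nonce is not None and resp.nonce != sent_nonce:
        raise OcspFailure("nonce mismatch: stale or replayed response")
    if resp.serial != serial:
        raise OcspFailure("response is for a different certificate")
    return resp.status


def check_crl(serial: int, crl: Optional[Set[int]]) -> Status:
    """crl is the set of revoked serial numbers parsed from the CRL file, or None."""
    if crl is None:
        raise CrlFailure("CRL not available at the configured location")
    return Status.REVOKED if serial in crl else Status.GOOD


def is_certificate_acceptable(serial: int, cfg: RevocationConfig, responder: Responder,
                              trusted_signer: str, crl: Optional[Set[int]],
                              nonce: bytes = b"constructed-nonce") -> Tuple[bool, str]:
    """Return (accept, reason). Only a confirmed GOOD status is accepted."""
    if not cfg.enable_cert_revocation:
        return True, "revocation checking disabled"
    fallback_reason = ""
    if cfg.enable_ocsp:
        try:
            status = check_ocsp(serial, cfg, responder, trusted_signer, nonce)
            return status is Status.GOOD, f"ocsp:{status.value}"
        except OcspFailure as err:
            if not (cfg.use_crl and cfg.use_crl_on_ocsp_failure):
                return False, f"ocsp failed ({err}); CRL fallback not enabled"
            fallback_reason = f"ocsp failed ({err}); "
    if cfg.use_crl:
        try:
            status = check_crl(serial, crl)
            return status is Status.GOOD, fallback_reason + f"crl:{status.value}"
        except CrlFailure as err:
            return False, fallback_reason + f"crl failed ({err}); no fallback to OCSP"
    return False, "revocation checking enabled but no CRL or OCSP source configured"


def make_responder(signer: str, revoked: Set[int], reachable: bool = True) -> Responder:
    """Constructed OCSP responder: echoes the nonce and signs with 'signer'."""
    def responder(serial: int, nonce: Optional[bytes]) -> Optional[OcspResponse]:
        if not reachable:
            return None
        status = Status.REVOKED if serial in revoked else Status.GOOD
        return OcspResponse(serial, status, signer, nonce)
    return responder
```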
Configure Certificate Authentication for Directories Management
You enable and configure certificate authentication from the vRealize Automation administration console
Directories Management feature.
Prerequisites
- Obtain the root certificate and intermediate certificates from the CA that signed the certificates presented by your users.
- (Optional) A list of object identifiers (OIDs) of valid certificate policies for certificate authentication.
- For revocation checking, the file location of the CRL and the URL of the OCSP server, as applicable.
- (Optional) The OCSP response signing certificate file location.
- Consent form content, if enabling a consent form to display before authentication.
Procedure
1. As a tenant administrator, navigate to Administration > Directories Management > Connectors.
2. On the Connectors page, select the Worker link for the connector that is being configured.
3. Click Auth Adapters and then click CertificateAuthAdapter.
   You are redirected to the identity manager sign-in page.
4. In the CertificateAuthAdapter row, click Edit.
5. Configure the Certificate Authentication Adapter page.
   Note An asterisk indicates a required field. All other fields are optional.
Option: Description
*Name: A name is required. The default name is CertificateAuthAdapter. You can change this name.
Enable certificate adapter: Select the check box to enable certificate authentication.
*Root and intermediate CA certificates: Select the certificate files to upload. You can select multiple root CA and intermediate CA certificates that are encoded as DER or PEM.
Uploaded CA certificates: The uploaded certificate files are listed in the Uploaded CA Certificates section of the form. You must restart the service before the new certificates are made available. Click Restart Web Service to restart the service and add the certificates to the trusted service.
  Note Restarting the service does not enable certificate authentication. After the service is restarted, continue configuring this page. Clicking Save at the end of the page enables certificate authentication on the service.
Use email if no UPN in certificate: If the user principal name (UPN) does not exist in the certificate, select this check box to use the emailAddress attribute as the Subject Alternative Name extension to validate user accounts.
Certificate policies accepted: Create a list of object identifiers that are accepted in the certificate policies extensions. Enter the object ID numbers (OIDs) for the Certificate Issuing Policy. Click Add another value to add additional OIDs.
Enable cert revocation: Select the check box to enable certificate revocation checking. This prevents users who have revoked user certificates from authenticating.
Use CRL from certificates: Select the check box to use the certificate revocation list (CRL) published by the CA that issued the certificates to validate a certificate's status, revoked or not revoked.
CRL Location: Enter the server file path or the local file path from which to retrieve the CRL.
Enable OCSP Revocation: Select the check box to use the Online Certificate Status Protocol (OCSP) certificate validation protocol to get the revocation status of a certificate.
Use CRL in case of OCSP failure: If you configure both CRL and OCSP, you can check this box to fall back to using CRL if OCSP checking is not available.
Send OCSP Nonce: Select this check box if you want the unique identifier of the OCSP request to be sent in the response.
OCSP URL: If you enabled OCSP revocation, enter the OCSP server address for revocation checking.
OCSP responder's signing certificate: Enter the path to the OCSP certificate for the responder, /path/to/file.cer.
Enable consent form before authentication: Select this check box to include a consent form page that appears before users log in to their My Apps portal using certificate authentication.
Consent form content: Type the text that displays in the consent form in this text box.
6 Click Save.
What to do next
- Add the certificate authentication method to the default access policy. Navigate to Administration > Directories Management > Policies and click Edit Default Policy to edit the default policy rules, add Certificate, and make it the first authentication method for the default policy. Certificate must be the first authentication method listed in the policy rule, otherwise certificate authentication fails.
- When Certificate Authentication is configured, and the service appliance is set up behind a load balancer, make sure that the Directories Management connector is configured with SSL pass-through at the load balancer and not configured to terminate SSL at the load balancer. This configuration ensures that the SSL handshake is between the connector and the client in order to pass the certificate to the connector.
Configuring a Third-Party Identity Provider Instance to Authenticate Users
You can configure a third-party identity provider to be used to authenticate users in the Directories Management service.
Complete the following tasks prior to using the administration console to add the third-party identity provider instance.
- Verify that the third-party instances are SAML 2.0 compliant and that the service can reach the third-party instance.
- Obtain the appropriate third-party metadata information to add when you configure the identity provider in the administration console. The metadata information you obtain from the third-party instance is either the URL to the metadata or the actual metadata.
Configure a Third Party Identity Provider Connection
vRealize Automation is supplied with a default identity provider connection instance. Users may want to create additional identity provider connections to support just-in-time user provisioning or other custom configurations.
vRealize Automation is supplied with a default identity provider. In most cases, the default provider is sufficient for customer needs. If you use an existing enterprise identity management solution, you can set up a custom identity provider to redirect users to your existing identity solution.
When using a custom identity provider, Directories Management uses SAML metadata from that provider to establish a trust relationship with the provider. After this relationship is established, Directories Management maps the users from the SAML assertion to the list of internal vRealize Automation users based on the subject name ID.
Prerequisites
- Configure the network ranges that you want to direct to this identity provider instance for authentication. See Add or Edit a Network Range.
- Access to the third-party metadata document. This can be either the URL to the metadata or the actual metadata.
- Log in to vRealize Automation as a tenant administrator.
Procedure
1 Select Administration > Directories Management > Identity Providers.
This page displays all configured Identity Providers.
2 Click Add Identity Provider.
A menu appears with Identity Provider options.
3 Select Create Third Party IDP.
4 Enter the appropriate information to configure the identity provider.
Identity Provider Name: Enter a name for this identity provider instance.
SAML Metadata: Add the third-party IdP's XML-based metadata document to establish trust with the identity provider.
   1 Enter the SAML metadata URL or the XML content into the text box.
   2 Click Process IdP Metadata. The NameID formats supported by the IdP are extracted from the metadata and added to the Name ID Format table.
   3 In the Name ID value column, select the user attribute in the service to map to the ID formats displayed. You can add custom third-party name ID formats and map them to the user attribute values in the service.
   4 (Optional) Select the NameIDPolicy response identifier string format.
Users: Select the Directories Management directories of the users that can authenticate using this identity provider.
Just-in-Time User Provisioning: Select the appropriate options to support just-in-time provisioning using an appropriate third-party identity provider. Enter the Directory Name to use for just-in-time provisioning. Enter one or more Domains that exist within the external identity provider that you will use for just-in-time provisioning.
Network: The existing network ranges configured in the service are listed. Select the network ranges for the users, based on their IP addresses, that you want to direct to this identity provider instance for authentication.
Authentication Methods: Add the authentication methods supported by the third-party identity provider. Select the SAML authentication context class that supports the authentication method.
SAML Signing Certificate: Click Service Provider (SP) Metadata to see the URL of the Directories Management SAML service provider metadata. Copy and save the URL. This URL is configured when you edit the SAML assertion in the third-party identity provider to map Directories Management users.
Hostname: If the Hostname field displays, enter the hostname where the identity provider is redirected to for authentication. If you are using a non-standard port other than 443, you can set this as Hostname:Port. For example, myco.example.com:8443.
5 Click Add.
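The two metadata-driven steps above, processing the IdP metadata to learn which NameID formats it advertises and then mapping an assertion's Subject NameID to a local user attribute, can be illustrated with a short stand-alone example. This is an added example, not VMware code and not the Directories Management implementation; the metadata document, the assertion, the local user records and the format-to-attribute defaults are all constructed here. It uses only the Python standard library. Signature verification of the assertion against the IdP's signing certificate is a separate step that this example does not perform; it does, however, refuse an assertion whose Issuer is not the entityID from the metadata that trust was established with.

```python
# Added example (not VMware code): extract NameID formats from a SAML 2.0 IdP
# metadata document, then resolve an assertion's Subject NameID to a local
# user through a Name ID Format -> user attribute mapping.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample IdP metadata (no real provider).
IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample assertion. The XML signature is omitted; verifying it
# against the IdP signing certificate is a mandatory step done elsewhere.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2018-04-12T10:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID>
  </saml:Subject>
</saml:Assertion>
"""

# Hypothetical local user store standing in for the directory.
LOCAL_USERS = [
    {"userName": "jdoe", "email": "jdoe@example.com", "userPrincipalName": "jdoe@corp.example.com"},
    {"userName": "asmith", "email": "asmith@example.com", "userPrincipalName": "asmith@corp.example.com"},
]

# SAML 2.0 treats a missing Format attribute as "unspecified".
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def process_idp_metadata(xml_text):
    """Return (entityID, [NameID formats]) found in an IdP metadata document."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    formats = [el.text.strip()
               for el in root.findall(".//md:IDPSSODescriptor/md:NameIDFormat", NS)]
    return entity_id, formats


def build_default_mapping(formats):
    """Suggest a Name ID value attribute for each advertised format (assumed defaults)."""
    defaults = {
        "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress": "email",
        "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent": "userName",
    }
    return {f: defaults.get(f) for f in formats}


def resolve_subject(assertion_xml, trusted_entity_id, format_to_attr, users=LOCAL_USERS):
    """Map the assertion's Subject NameID to a local user record.

    Returns None when the Issuer is not the trusted entityID, the NameID
    format has no mapped attribute, or no local user carries the value.
    """
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != trusted_entity_id:
        return None  # not the provider we established trust with
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        return None
    attr = format_to_attr.get(name_id.get("Format", UNSPECIFIED))
    if attr is None:
        return None  # format present in the assertion but never mapped in the UI
    value = (name_id.text or "").strip()
    for user in users:
        if user.get(attr) == value:
            return user
    return None


if __name__ == "__main__":
    entity_id, formats = process_idp_metadata(IDP_METADATA)
    mapping = build_default_mapping(formats)
    print(entity_id, formats)
    print(resolve_subject(ASSERTION, entity_id, mapping))
```

The mapping dictionary plays the role of the Name ID Format table: a format the IdP advertises but that is left unmapped causes the lookup to fail closed rather than fall through to some other attribute.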
What to do next
- Copy and save the Directories Management service provider metadata that is required to configure the third-party identity provider instance. This metadata is available in the SAML Signing Certificate section of the Identity Provider page.
- Add the authentication method of the identity provider to the service's default policy.
See the Setting Up Resources in Directories Management guide for information about adding and
customizing resources that you add to the catalog.
Managing Authentication Methods to Apply to Users
The Directories Management service attempts to authenticate users based on the authentication
methods, the default access policy, network ranges, and the identity provider instances you configure.
When users attempt to log in, the service evaluates the default access policy rules to select which rule in
the policy to apply. The authentication methods are applied in the order they are listed in the rule. The first
identity provider instance that meets the authentication method and network range requirements of the
rule is selected and the user authentication request is forwarded to the identity provider instance for
authentication. If authentication fails, the next authentication method configured in the rule is applied.
You can add rules that specify the authentication methods to be used by device type or by device type
and from a specific network range. For example, you could configure a rule requiring users that sign in
using iOS devices from a specific network to authenticate using RSA SecurID and another rule that
specifies all device types signing in from the internal network IP address to authenticate using their
password.
Add or Edit a Network Range
You can manage the network ranges to define the IP addresses from which users can log in via an Active
Directory link. You add the network ranges you create to specific identity provider instances and to access
policy rules.
Define network ranges for your Directories Management deployment based on your network topology. One network range, called ALL RANGES, is created as the default. This network range includes every IP address available on the Internet, 0.0.0.0 to 255.255.255.255. Even if your deployment has a single identity provider instance, you can change the IP address range and add other ranges to exclude or include specific IP addresses in the default network range. You can create other network ranges with specific IP addresses that you can apply for a specific purpose.
Note The default network range, ALL RANGES, and its description, "a network for all ranges," are editable. You can edit the name and description, including changing the text to a different language, by clicking the network range name on the Network Ranges page.
Prerequisites
- You have configured tenants for your vRealize Automation deployment and set up an appropriate Active Directory link to support basic Active Directory user ID and password authentication.
- Active Directory is installed and configured for use on your network.
- Log in to vRealize Automation as a tenant administrator.
Procedure
1 Select Administration > Directories Management > Network Ranges.
2 Edit an existing network range or add a new network range.
Edit an existing range: Click the network range name to edit.
Add a range: Click Add Network Range to add a new range.
3 Complete the form.
Name: Enter a name for the network range.
Description: Enter a description for the network range.
IP Ranges: Edit or add IP ranges until all desired and no undesired IP addresses are included.
What to do next
- Associate each network range with an identity provider instance.
- Associate network ranges with access policy rules as appropriate. See Configuring Access Policy Settings.
Select Attributes to Sync with Directory
When you set up the Directories Management directory to sync with Active Directory, you specify the user
attributes that sync to the directory. Before you set up the directory, you can specify on the User Attributes
page which default attributes are required and, if you want, add additional attributes that you want to map
to Active Directory attributes.
When you configure the User Attributes page before the directory is created, you can change default
attributes from required to not required, mark attributes as required, and add custom attributes.
For a list of the default mapped attributes, see Managing User Attributes that Sync from Active Directory.
After the directory is created, you can change a required attribute to not be required, and you can delete
custom attributes. You cannot change an attribute to be a required attribute.
When you add other attributes to sync to the directory, after the directory is created, go to the directory's
Mapped Attributes page to map these attributes to Active Directory Attributes.
Procedure
1 Log in to vRealize Automation as a system or tenant administrator.
2 Click the Administration tab.
3 Select Directories Management > User Attributes.
4 In the Default Attributes section, review the required attribute list and make appropriate changes to reflect which attributes should be required.
5 In the Attributes section, add the Directories Management directory attribute name to the list.
6 Click Save.
The default attribute status is updated and attributes you added are added to the directory's Mapped Attributes list.
7 After the directory is created, go to the Identity Stores page and select the directory.
8 Click Sync Settings > Mapped Attributes.
9 In the drop-down menu for the attributes that you added, select the Active Directory attribute to map to.
10 Click Save.
The directory is updated the next time the directory syncs to the Active Directory.
Applying the Default Access Policy
The Directories Management service includes a default access policy that controls user access to their
apps portals. You can edit the policy to change the policy rules as necessary.
When you enable authentication methods other than password authentication, you must edit the default
policy to add the enabled authentication method to the policy rules.
Each rule in the default access policy requires that a set of criteria be met in order to allow user access to
the apps portal. You apply a network range, select which type of user can access content and select the
authentication methods to use. See Managing Access Policies.
The number of attempts the service makes to log in a user using a given authentication method varies. The service only makes one attempt at authentication for Kerberos or certificate authentication. If the attempt does not succeed in logging in the user, the next authentication method in the rule is attempted. The maximum number of failed login attempts for Active Directory password and RSA SecurID authentication is set to five by default. When a user has five failed login attempts, the service attempts to log in the user with the next authentication method on the list. When all authentication methods are exhausted, the service issues an error message.
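The evaluation order described in Managing Authentication Methods to Apply to Users, the network ranges from Add or Edit a Network Range, and the per-method attempt limits described just above fit together into one small model, shown here as an added example. It is not VMware code and not the Directories Management implementation; the network ranges, device types, rules, method names and the stand-in identity provider callable are all constructed for illustration, and the example uses only the Python standard library. It follows the page's own example: iOS devices from a specific network must use RSA SecurID, any device from the internal network uses the password, and everyone else falls back to a rule on ALL RANGES.

```python
# Added example (not VMware code): model of default access policy evaluation.
# Rules are matched in order on network range and device type; the matching
# rule's methods are tried in listed order; Kerberos and Certificate get one
# attempt, Password and RSA SecurID get five; exhausting every method is an
# error. All names and values below are constructed for illustration.
import ipaddress
from dataclasses import dataclass

# The default range on the page: every address from 0.0.0.0 to 255.255.255.255.
ALL_RANGES = [("0.0.0.0", "255.255.255.255")]


@dataclass
class NetworkRange:
    name: str
    ranges: list  # list of (first_ip, last_ip) strings, inclusive

    def contains(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
                   for lo, hi in self.ranges)


@dataclass
class PolicyRule:
    network: NetworkRange
    device_types: set   # e.g. {"iOS"}; {"*"} means all device types
    methods: list       # authentication methods in the order they are tried


# Attempt limits as described on the page (password and SecurID default of five).
MAX_ATTEMPTS = {"Kerberos": 1, "Certificate": 1, "Password": 5, "RSA SecurID": 5}

# Constructed ranges and rules mirroring the page's example.
CORP_NET = NetworkRange("CORP", [("10.0.0.0", "10.255.255.255")])
ANY_NET = NetworkRange("ALL RANGES", ALL_RANGES)
EXAMPLE_RULES = [
    PolicyRule(CORP_NET, {"iOS"}, ["RSA SecurID"]),
    PolicyRule(CORP_NET, {"*"}, ["Password"]),
    PolicyRule(ANY_NET, {"*"}, ["Certificate", "Password"]),
]


def select_rule(rules, client_ip, device_type):
    """Return the first rule whose network range and device type both match."""
    for rule in rules:
        if rule.network.contains(client_ip) and \
                ("*" in rule.device_types or device_type in rule.device_types):
            return rule
    return None


def authenticate(rules, client_ip, device_type, try_method):
    """Apply the selected rule's methods in order.

    try_method(method) stands in for the identity provider and returns True
    on success. Returns (outcome, trace), where trace is the list of
    (method, attempts_made) pairs that were exercised.
    """
    rule = select_rule(rules, client_ip, device_type)
    if rule is None:
        return "denied: no matching rule", []
    trace = []
    for method in rule.methods:
        attempts = 0
        for _ in range(MAX_ATTEMPTS.get(method, 1)):
            attempts += 1
            if try_method(method):
                trace.append((method, attempts))
                return "success: " + method, trace
        trace.append((method, attempts))  # limit reached, move to next method
    return "error: all authentication methods exhausted", trace


def demo():
    # A stand-in provider that only ever accepts the certificate method.
    return authenticate(EXAMPLE_RULES, "203.0.113.7", "Windows",
                        lambda m: m == "Certificate")


if __name__ == "__main__":
    print(demo())
```

The trace is the part worth watching in a real deployment: a client that never succeeds on the first listed method still consumes the full attempt budget of each later method, so the order of methods in a rule also fixes how many failed attempts a single login can generate before the error is returned.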
Apply Authentication Methods to Policy Rules
Only the password authentication method is configured in the default policy rules. You must edit the policy
rules to select the other authentication methods you configured and set the order in which the
authentication methods are used for authentication.
Prerequisites
Enable and configure the authentication methods that your organization supports. See Integrating Alternative User Authentication Products with Directories Management.
Procedure
1 Select Administration > Directories Management > Policies.
2 Click the default access policy to edit.
3 To edit a policy rule, click the authentication method to edit in the Policy Rules, Authentication Method column.
To add a new policy rule, click the + icon.
4 Click Save and click Save again on the Policy page.
Configuring Kerberos for Directories Management
Kerberos authentication allows users who are successfully signed in to their Active Directory domain to access their apps portal without additional credential prompts. You enable Windows authentication to allow the Kerberos protocol to secure interactions between users' browsers and the Directories Management service. You do not need to directly configure Active Directory to make Kerberos function with your deployment.
Currently, interactions between a user's browser and the service are authenticated by Kerberos on Windows operating systems only. Accessing the service from other operating systems does not take advantage of Kerberos authentication.
- Configure Kerberos Authentication
To configure the Directories Management service to provide Kerberos authentication, you must join the domain and enable Kerberos authentication on the connector.
- Configure Internet Explorer to Access the Web Interface
You must configure the Internet Explorer browser if Kerberos is configured for your deployment and if you want to grant users access to the Web interface using Internet Explorer.
- Configure Firefox to Access the Web Interface
You must configure the Firefox browser if Kerberos is configured for your deployment and you want to grant users access to the Web interface using Firefox.
- Configure the Chrome Browser to Access the Web Interface
You must configure the Chrome browser if Kerberos is configured for your deployment and if you want to grant users access to the Web interface using the Chrome browser.
Configure Kerberos Authentication
To configure the Directories Management service to provide Kerberos authentication, you must join the domain and enable Kerberos authentication on the connector.
Procedure
1 As a tenant administrator, navigate to Administration > Directories Management > Connectors.
2 On the Connectors page, for the connector that is being configured for Kerberos authentication, click Join Domain.
3 On the Join Domain page, enter the information for the Active Directory domain.
Domain: Enter the fully qualified domain name of the Active Directory. The domain name you enter must be the same Windows domain as the connector server.
Domain User: Enter the user name of an account in the Active Directory that has permissions to join systems to that Active Directory domain.
Domain Password: Enter the password associated with the AD Username. This password is not stored by Directories Management.
Click Save.
The Join Domain page is refreshed and displays a message that you are currently joined to the domain.
4 In the Worker column for the connector, click Auth Adapters.
5 Click KerberosIdpAdapter.
You are redirected to the identity manager sign-in page.
6 Click Edit in the KerberosIdpAdapter row and configure the Kerberos authentication page.
Name: A name is required. The default name is KerberosIdpAdapter. You can change this.
Directory UID Attribute: Enter the account attribute that contains the user name.
Enable Windows Authentication: Select this to extend