
virtuallyGhetto


vRealize Automation

New SDDC Certificate Replacement Fling

07/11/2018 by William Lam 9 Comments

Certificate lifecycle management is not something anyone looks forward to; it is time consuming and usually not automated. However, it is a necessity for many of our customers. The process gets even more challenging when you need to replace certificates across multiple VMware products: it requires not only careful orchestration but also properly reestablishing trust between products, which adds another layer of operational complexity. Within the Integrated System Business Unit (ISBU) at VMware, which produces both the VMware Validated Design (VVD) and VMware Cloud Foundation (VCF), the team has been working on a way to simplify certificate management, not only for individual products (working with product teams) but also holistically at the VMware SDDC level.

This initially started with the development of a tool called Certificate Generation Utility (CertGen), which helps customers generate new certificates for various products within the VMware SDDC. Although it was developed for the VVD, any VMware customer who consumed products within the VVD, could also leverage this tool. We all know certificate generation can be a pain, but it is not as challenging or as complex as the actual certificate replacement process itself which is also fully documented by the VVD team here.

This is where the new Fling comes in: the SDDC Certificate Tool, which automates the manual steps outlined by the VVD, helps customers easily replace certificates that they have created (with CertGen or another process) and automatically orchestrates this across the different products within the SDDC. The tool is command-line driven and uses a JSON configuration file which can contain all or a subset of the VMware SDDC products, which is great for supporting different environments and allows for easy source control. Extensive pre-checks are also built into the tool to validate the certificates themselves (e.g. expiry, chain validation, etc.) and to prevent mismatched information (e.g. SAN entries, number of nodes, etc.), which is compared against your actual environment before any changes are applied. The JSON also contains a section referred to as Service Accounts, which is merely other VMware product accounts that the tool supports to reestablish trust after replacing the certificate for a given product.


Filed Under: Automation, NSX, Security, VCSA, vRealize Suite, vSphere Tagged With: certgen, certreplace, fling, NSX, platform service controller, SDDC, ssl certificate, vCenter Server, vRealize Automation, vRealize Business, vRealize Log Insight, vRealize Operations Manager

Automating vRealize stack based on VVD using new vRealize Suite Lifecycle Management

09/19/2017 by William Lam 1 Comment

Our Cloud Management Business Unit (CMBU) at VMware just GA'ed the highly anticipated vRealize Suite Lifecycle Management, or vRSLCM for short. As the name suggests, this new solution provides customers a simple and consistent mechanism for managing the entire lifecycle (Day 0 to Day N) of all VMware vRealize Products, including but not limited to Install, Upgrade, Configuration Management, Drift Remediation and Health Monitoring. vRSLCM is delivered as a Virtual Appliance which can be used in either a greenfield and/or existing brownfield environment. You can also manage multiple environments that consist of different vRealize products that have been deployed, giving customers 100% visibility into all their different vRealize environments using a single interface. For more information, be sure to check out this blog post here.


One specific feature that I think is worth calling out and not because our team was involved with it is the ability to deploy what vRSLCM calls "Solutions". These Solutions not only correspond to the specific vRealize products being deployed but they also align to the three VMware Validated Design 4.1 Use Cases: IT Automating IT, Micro-Segmentation and Intelligent Operations as shown in the screenshot below.


This means customers who wish to deploy the vRealize stack based on the VMware Validated Designs can now easily do so by simply selecting one of these solutions and providing their environment-specific information such as DNS, NTP, etc., and vRSLCM will deploy and configure the vRealize products as prescribed in the VVD. Customers no longer have to manually read through pages and pages of documentation to get the desired outcome.


Filed Under: Automation, vRealize Suite Tagged With: vRealize Automation, vRealize Business, vRealize Log Insight, vRealize Operations Manager, vRealize Suite Lifecycle Management, vRSLCM, VVD

Configure vRealize Automation to use Platform Services Controller as External Identity Provider

05/18/2017 by William Lam 2 Comments

I was doing some research on an inquiry that I had received from a customer who was interested in configuring their vRealize Automation (vRA) instance to use vCenter's Platform Services Controller (PSC) as an External Identity Provider (IDP) rather than the default VMware Identity Manager (vIDM) which vRA supports natively out of the box. vIDM already supports a large number of websso applications as seen here and it itself can also be used as an External IDP to integrate with things like Active Directory Federation Services (ADFS) for example.

For some customers who are more familiar with the PSC, this is a convenient way to unify their authentication between the different vRealize products which support vIDM and integrating that directly with PSC. Since both solutions spoke SAML, it was merely a matter of figuring out the process for setting up the External IDP using the PSC. After reading some of our internal wikis and working with one of the vIDM engineers, since I was stuck on a particular step, I was finally able to get this to work, and I have outlined the steps below. I also learned that we had officially supported this since vRA 7.0, which was great to hear as well.

I know there are a number of customers who would also like to see the reverse of this configuration, where PSC can use vIDM as an External IDP. I know this is something the PSC team is currently looking into for External IDP support. If this is something that you are interested in or would like to see specific External IDP setup/configuration, feel free to leave a comment.

Pre-Requisite: 

  • Join Platform Services Controller (PSC) to Active Directory (instructions here & here)
  • Join vRealize Automation (vRA) Appliance to Active Directory (instructions here)

In my lab environment, I have deployed an Embedded VCSA 6.5 (this also works with an External PSC) and vRealize Automation 7.2 (this was prior to 7.3 getting released but should work as well).


Filed Under: vRealize Suite, vSphere Web Client Tagged With: Identity Provider, IDP, platform service controller, psc, SAML, vIDM, VMware Identity Manager, vRealize Automation, vsphere web client

Automating vRealize Automation 7 Minimal Install: Part 4 – vRA IaaS Configuration

02/17/2016 by William Lam 14 Comments

If you have been following the blog series thus far, we have covered deploying the vRA 7 Virtual Appliance, installing the vRA IaaS Management Agent on a Microsoft Windows system which will run the various IaaS components and then finally configuring the vRA Virtual Appliance, which includes setting up the VMware Identity Manager (Horizon SSO). Before proceeding to the vRA IaaS installation, you will need to make sure that you have completed all three of the steps above.

In addition, there are some other prerequisites (more details here) that are required on the Microsoft Windows system in which you plan to install the vRA IaaS components, namely an instance of Microsoft SQL Server running and various Windows configuration tweaks required by the installers. I will not be covering the installation of the DB, so this will be something you will need to either manually install or automate using a silent installer for SQL Server. For the pre-checks, although this is also not covered in the script, I will show you how you can run the same tool on the Windows system like you would using the new vRA 7 Guided Wizard. The tool will identify any configuration issues found and then also allow you to easily remediate them within the tool, which is an awesome feature in my opinion.

You can find the vRA IaaS Pre-req Checker tool on the vRA Appliance under the following path:

/opt/vmware/share/htdocs/service/iaas/download/PrereqChecker.zip

You will then need to SCP the PrereqChecker.zip file onto the Windows system on which you plan to run the vRA IaaS components. Next, extract the contents of the zip and launch PrereqChecker.exe. Before clicking on the "Run Checker" button, make sure you have enabled the IIS role, else the tool cannot run all prechecks. The instructions are located to the right of the screen and once that has been completed, you can then run the precheck tool. For any issues that have been identified, you can remediate by clicking on the "Fix Issue" button. Once all prechecks have passed, you can then move on to the vRA IaaS installation.

[Image: automate-vrealize-automation-7-iaas-comonents]

Note: I was a bit surprised to see that the PrereqChecker.zip could not be downloaded directly from the vRA Appliance like the other installers by simply opening a browser to the following URL:

https://[VRA-HOSTNAME]:5480/installer/PrereqChecker.zip

It turns out there is an index.py script which defines which files can be downloaded without authentication. If you wish to change this behavior, you can run the following snippet on the vRA Appliance and then download the zip file directly from the browser, which can be useful from an automation standpoint.

sed -i "s/'DBUpgrade.zip'/'DBUpgrade.zip','PrereqChecker.zip'/g" /opt/vmware/share/htdocs/service/iaas/index.py
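
Because this edit widens the list of files served without authentication, here is an added example (not part of the original post or the vRA product) of applying it once, with a backup, and reverting it after the download. The layout of index.py is not shown on this page, so the sample line is constructed, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: idempotent, reversible form of the sed edit above.
ANCHOR="'DBUpgrade.zip'"       # existing entry the edit keys on (from the post)
ENTRY="'PrereqChecker.zip'"    # entry being added (from the post)

# allow_prereq FILE: add ENTRY after ANCHOR exactly once, keeping FILE.orig.
# Prints changed/unchanged/refused; returns 2 if the layout is unexpected.
allow_prereq() {
    ap_file=$1
    if grep -qF "$ENTRY" "$ap_file"; then
        echo "unchanged"; return 0   # re-running the plain sed would add a duplicate
    fi
    if [ "$(grep -cF "$ANCHOR" "$ap_file")" -ne 1 ]; then
        echo "refused"; return 2     # anchor missing or on several lines: do not guess
    fi
    cp -p "$ap_file" "$ap_file.orig" || return 1
    # Write through the existing file so its owner and mode are preserved.
    sed "s/$ANCHOR/$ANCHOR,$ENTRY/" "$ap_file.orig" > "$ap_file"
    echo "changed"
}

# revert_prereq FILE: restore the original allowlist from the backup.
revert_prereq() {
    rp_file=$1
    [ -f "$rp_file.orig" ] || { echo "no-backup"; return 1; }
    cat "$rp_file.orig" > "$rp_file" && rm -f "$rp_file.orig"
    echo "reverted"
}

demo() {
    d_dir=$(mktemp -d) || return 1
    d_file="$d_dir/index.py"
    # Constructed stand-in for the allowlist line in the real index.py.
    printf "%s\n" "ALLOWED = ['DBUpgrade.zip']" > "$d_file"
    allow_prereq "$d_file"     # first run edits the file
    allow_prereq "$d_file"     # second run is a no-op
    cat "$d_file"
    revert_prereq "$d_file"    # back to the shipped allowlist
    cat "$d_file"
    rm -rf "$d_dir"
}
demo
```

On the appliance, the file argument would be /opt/vmware/share/htdocs/service/iaas/index.py, with revert_prereq run once the zip has been fetched.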

If you have made it to this point, we are now ready to get our automation on! We will be installing the following vRA IaaS components which are listed below onto the Windows system which has the vRA IaaS Management Agent running.

  • SSL Certificate for Web and Manager Service
  • Database
  • Web API (WAPI) Service
  • Manager Service
  • DEM Orchestrator
  • DEM Worker
  • vSphere Agent

The automation will be completely driven from within the vRA Virtual Appliance using the configurevRA-IaaS.sh shell script. This is possible because we had deployed the vRA IaaS Management Agent earlier which will act as a proxy for all component installations. There are 9 variables that you will need to edit prior to running the script and you can find their descriptions below.

| Variable | Description |
|---|---|
| HORIZON_SSO_PASSWORD | SSO Password that you had configured earlier |
| VRA_IAAS_HOSTNAME | Hostname of the Windows system running vRA IaaS Components |
| VRA_IAAS_USERNAME | Username for the Windows system |
| VRA_IAAS_PASSWORD | Password for the Windows system (e.g. vra-iaas\administrator) |
| VRA_DATABASE_HOSTNAME | Hostname of the Windows system running SQL Server (should be same as vRA IaaS system) |
| VRA_DATABASE_NAME | Database name |
| VRA_DATABASE_USERNAME | Database username (assumes Windows Auth) |
| VRA_DATABASE_PASSWORD | Database password (assumes Windows Auth) |
| VRA_DATABASE_SECURITY_PASSPHRASE | Security passphrase |

Once you have saved your changes, you can then run the script on the vRA Appliance as shown in the screenshot below. All verbose output is stored in /var/log/vra-iaas-configuration.log and you will be able to see the high level operations displayed in the console. The entire process can take anywhere from 10-20 minutes depending on your environment, and what you will be looking for are the "INSTALLED SUCCESSFULLY" messages which I have highlighted in green below. If you have met all prereqs, you should not run into any issues, but if you do, the script will output the specific errors from each of the installers.

[Image: automate-configuration-vra-iaas]

Once the script has completed, you will now have a fully functional vRA 7 deployment which includes both the vRA Appliance as well as the vRA IaaS components! I would also like to give a big thanks to both Kim Delgado for connecting me with some of the vRA Engineering folks as well as a huge thanks to Dora L. from the vRA Engineering for assisting me with parts of the IaaS installation.

  • Automating vRealize Automation 7 Minimal Install: Part 1 - vRA Appliance Deployment
  • Automating vRealize Automation 7 Minimal Install: Part 2 - vRA IaaS Agent Deployment
  • Automating vRealize Automation 7 Minimal Install: Part 3 - vRA Appliance Configuration
  • Automating vRealize Automation 7 Minimal Install: Part 4 - vRA IaaS Configuration

Filed Under: Automation, vRealize Suite Tagged With: vcac-config, vRA 7, vRealize Automation

Automating vRealize Automation 7 Minimal Install: Part 3 – vRA Appliance Configuration

02/16/2016 by William Lam 3 Comments

In Part 3 of this blog series, we will now move on to configuring the vRA Appliance, which includes setting up the VMware Identity Manager (Horizon SSO). There are two mandatory variables that you will need to edit prior to executing the configurevRA-Appliance.sh shell script. In addition, there are a few optional variables that you can also configure, which include specifying a license key for vRA.

| Variable | Description | Required |
|---|---|---|
| HORIZON_SSO_PASSWORD | SSO Password | Yes |
| NTP_SERVER | NTP Server | Yes |
| VRA_LICENSE_KEY | vRA license key | No |
| VRA_SSL_CERT_COUNTRY | SSL cert | No |
| VRA_SSL_CERT_STATE | SSL cert State | No |
| VRA_SSL_CERT_ORG | SSL cert Org | No |
| VRA_SSL_CERT_ORG_UNIT | SSL cert OU | No |

Once you have saved the changes to the script, you will need to run the script directly on the vRA Appliance. You can do so by uploading the script (SCP) to the vRA Appliance and then running it locally. If you prefer to run it remotely, you can leverage any existing SSH tools or if you prefer a Windows solution, something like plink or leveraging the vSphere Guest Operations API by using PowerCLI's Invoke-Guest cmdlet. By default, the script outputs all the verbose logging into /var/log/vra-appliance-configuration.log if you would like to get more details or perform some troubleshooting.

Here is an example of running the script locally on the vRA Appliance:

[Image: automate-vra7-appliance-configuration-3]

The script can take up to several minutes to configure and the high level steps are outputted to the screen console. Once the script has successfully completed, you can verify that everything is properly configured by logging into the Horizon SSO interface by opening a browser to the following URL: https://[VRA-APPLIANCE]/vcac which is also displayed in the output. You will login using "administrator" and the SSO password you had selected earlier. If you get a 404 when getting to the /vcac URL, you may just need to give it another 30 seconds and then refresh the page.

[Image: automate-vra7-appliance-configuration-0]

If you did not specify a vRA license, once logged in, you should see an "Invalid License" message. If you did specify a license, then you should see the vRA web interface as shown in the screenshot below. In case you get some strange errors after successfully logging in, you may need to wait a few minutes while the system finishes initializing and then log back in.

[Image: automate-vra7-appliance-configuration-2]

In our fourth and final part of the blog series, we will tackle automating the vRA IaaS Windows components from the vRA Appliance itself. This will include setting up the SSL certificates for both the Web/Manager Service and the installation of Web/Manager Service, Database, DEM Orchestrator, DEM Worker and vSphere Agent. Stay tuned!

  • Automating vRealize Automation 7 Minimal Install: Part 1 - vRA Appliance Deployment
  • Automating vRealize Automation 7 Minimal Install: Part 2 - vRA IaaS Agent Deployment
  • Automating vRealize Automation 7 Minimal Install: Part 3 - vRA Appliance Configuration
  • Automating vRealize Automation 7 Minimal Install: Part 4 - vRA IaaS Configuration

Filed Under: Automation, vRealize Suite Tagged With: powershell, vRA 7, vRealize Automation

Automating vRealize Automation 7 Minimal Install: Part 2 – vRA IaaS Agent Deployment

02/08/2016 by William Lam 2 Comments

In Part 2 of this blog series, we will be looking at automating the installation of the vRA IaaS Management Agent, which needs to run on a Microsoft Windows system. The IaaS Management Agent installer is provided through the vRA Appliance, and you can download it by opening a browser to the following URL:

https://[VRA_APPLIANCE_HOSTNAME]:5480/installer/download/vCAC-IaaSManagementAgent-Setup.msi

When installing the agent, you will need to provide information about the vRA Appliance that you wish to register the IaaS Management Agent with. The following PowerShell script called installvRAIaaSAgent.ps1 will automatically download the vRA IaaS Management Agent from the vRA Appliance and then perform a silent installation. There are 5 mandatory variables that you will need to edit before running the script and the table below describes each of their functions:

| Variable | Description |
|---|---|
| VRA_APPLIANCE_HOSTNAME | Hostname or IP of vRA Appliance |
| VRA_APPLIANCE_USERNAME | Username of vRA Appliance (default: root) |
| VRA_APPLIANCE_PASSWORD | Password of vRA Appliance |
| VRA_APPLIANCE_AGENT_DOWNLOAD_PATH | Path to store vRA Agent (optional) |
| VRA_APPLIANCE_AGENT_INSTALL_LOG | Path to store vRA Agent install logs (optional) |
| VRA_IAAS_SERVICE_USERNAME | OS username to the vRA IaaS Windows System |
| VRA_IAAS_SERVICE_PASSWORD | OS password to the vRA IaaS Windows System |

Here is an example of running the script on my vRA IaaS Windows system:

[Image: automating-vrealize-automation-7-iaas-agent]

In the final part of this series we will take a look at automating the configuration of both the vRA Appliance which includes Horizon SSO and the vRA IaaS Windows system which includes the various IaaS components.

  • Automating vRealize Automation 7 Minimal Install: Part 1 - vRA Appliance Deployment
  • Automating vRealize Automation 7 Minimal Install: Part 2 - vRA IaaS Agent Deployment
  • Automating vRealize Automation 7 Minimal Install: Part 3 - vRA Appliance Configuration
  • Automating vRealize Automation 7 Minimal Install: Part 4 - vRA IaaS Configuration

Filed Under: Automation, vRealize Suite Tagged With: powershell, vRA 7, vRealize Automation


Author

William Lam is a Senior Staff Solution Architect working in the VMware Cloud team within the Cloud Services Business Unit (CSBU) at VMware. He focuses on Automation, Integration and Operation for the VMware Cloud Software Defined Datacenters (SDDC)
