VCP6-CMA Section 1: Install, Configure and Upgrade vRealize Suite Components

Objective 1.1: Explain vRealize Suite Editions and Features

Identify available features and third party integrations for different vRealize Suite editions.

  • vRealize Suite offers the following features:
    • Automation
      • Delivery & life cycle management of infrastructure, applications and custom services via self service portals
      • vRealize Automation – Advanced / Enterprise editions
      • vRealize Orchestrator – Advanced / Enterprise editions
        • Used for custom services
        • Can be integrated in vRA appliance or standalone
      • Application services only available in enterprise
      • Release management only available in enterprise
    • Operations
      • Predictive analytics
      • Integrated approach to performance, capacity, log and config management
      • vROPS, Log Insight, Infrastructure Navigator
      • Application Monitoring enterprise only
      • OS level change & compliance enterprise only
    • Business
      • vRealize Business Standard
      • vRealize Business Advanced / Enterprise Editions
      • Service Level management only available in enterprise edition
    • VMware vRealize Suite Components
      • vRealize Automation – Advanced / Enterprise
      • vRealize Operations
      • vRealize Log Insight
      • vRealize Business – Standard
      • vRealize Business – Advanced / Enterprise
    • Third party extensions are available from VMware Solution Exchange

Differentiate vCloud Air Solutions

  • vCloud Air is a cloud solution provided by VMware
  • Workloads sit in datacenters owned by VMware
  • Connectivity between on premise datacenters and vCloud Air can be made by using:
    • VPNs
    • NSX Edge devices
  • Services consist of:
    • Dedicated Cloud – Dedicated physical infrastructure compute service
    • Virtual Private Cloud – Logically Isolated, multi-tenant compute service
    • Disaster Recovery – Business continuity for on-premise
    • On Demand – Pay as you go service

Identify vRealize Automation / vCloud Air integration options

  • Can be integrated with vRA by configuring a vApp (vCloud) endpoint to consume resources
  • A separate endpoint is required for each organisation
  • IaaS Admin role is required to set up the endpoint
  • Information needed:
    • vDC Name
    • vCloud Director URL
    • Networking information
  • Endpoint creation:
    • Name: vCloud Air
    • Address: first part of the API URL: https://xyz-vchs.vmware.com:443
    • Credentials
    • Organisation name
  • Limitations:
    • Creating vApp Templates
    • Defining vApp and vApp component blueprints without specifying a vApp template
    • Can’t move vApps between vDCs
    • Moving VMs between reservations
    • Adding or removing components from a vApp
    • Creating or using vApp snapshots
    • Using a static IP

Identify vRealize Business Standard key capabilities

  • Allows users to gain visibility into their infrastructure
  • Service costing data
  • Showback capabilities
  • Chargeback capabilities
  • Cost benchmarking against known public clouds
  • Can be integrated with vRA

Identify available vRealize Suite Editions

  • Available in Advanced or Enterprise
  • Can be licensed per CPU or by OS Instance (OSI)

Explain vRealize Application Services functionality

  • Automate and manage the life cycle of deployments for multi-tier enterprise applications
  • Standardise, deploy, configure, update, scale complex applications
  • Can deploy applications without regard to physical locations
  • Application architects use drag and drop interfaces to create visual blueprints
  • Can also use pre-populated and extensible library of standard logical templates, application infrastructure services, components and scripts
  • Differentiate deployments by using deployment profiles
  • Publish deployment profiles as catalog items in vRA

Explain vRealize Orchestrator functionality

  • Process automation tool that provides a library of workflows
  • Can be used to manage vSphere as well as third party environments (AD / F5 / REST / SOAP)
  • Uses an extensible plug-in architecture to provide additional functionality
  • Exposes vCenter API
  • Can integrate with vRA ASD
    • Service Architects can then create XaaS and publish to the vRA catalog

Determine the appropriate vRealize Suite Edition based on customer requirements

  • Advanced
    • Rapid, self-service infrastructure provisioning
    • Infrastructure health, performance and capacity monitoring across physical, virtual and hybrid cloud environments
    • Rapid creation of rate cards and automatic pricing of service catalog blueprints for use in a self service portal
    • OOTB benchmarks, usage metering and public cloud comparison
    • Plan, control and recover costs expended in providing full stack IT, implementing cost transparency, cost optimisation and demand management
    • Visibility into application dependencies and hypervisor change and config management
  • Enterprise
    • All of the above
    • Application provisioning
    • Automated config and deployment of multi-tier cloud applications
    • Application performance
    • Regulatory compliance, OS-Level change and configuration management
    • SLA Management
    • Transparency into IT performance and value measurements for all service and vendors, enabling IT to govern contractual commitments

Objective 1.2: Install and Upgrade vRealize Suite Components

Deploy and configure appliances for a distributed vRealize Deployment

  • Single Sign On
    • Obtain SSL Certificates (SAN)
    • Deploy and configure the single sign on appliance
      • Log in to VAMI port 5480 as root
      • Configure time settings
      • Import SSL Certificate
      • Configure SSO (SSO Tab) – Default domain is vsphere.local
      • Join to Native AD Domain
        • Optional unless you are using the migration tool
      • Identity appliance cannot be load balanced. It should be protected by cluster level HA
      • vSphere SSO deployed in a HA pair, load balanced with an external load balancer is supported
        • vRA 6.2 supports vSphere SSO 5.5 U1b, U1c, U2, U2a, U2b
        • U2b is the recommended version
        • PSC v1.0 is also supported
          • The default tenant must remain as vsphere.local
  • vRealize Automation Appliances
    • Obtain SSL certificates
    • Download and configure the primary appliance
    • Log in to VAMI port 5480 as root
    • Configure time settings
  • Configure the load balancer for vRA traffic
    • Enable sticky sessions / session affinity
    • Set timeout to at least 100 seconds
    • Forward port 5480 if needed
    • Active Active configuration
    • Configure health monitors
  • Configure the load balancer for database traffic
    • Port 5432 TCP must be load balanced
    • Register a DNS A record against the LB VIP
    • Only the master node can be active (Active/Passive configuration)
  • Configure the postgres database on the primary appliance
    • Download 2108923_dbCluster.zip
    • Extract the .tar file and upload to vRA appliance
    • Follow the steps in KB2108923 to enable replication on the master node
  • Complete the configuration of the primary vRA appliance
    • Configure the hostname:
      • vRA Settings > Host Settings
      • If using a load balancer select update and enter the FQDN of the vRA Appliance VIP
    • Import SSL certificates
    • Configure SSO
      • Apply branding is optional
    • Configure licensing
      • vRA Settings > Licensing
    • Verify RabbitMQ settings
      • vRA Settings > Messaging
    • Verify Telemetry Settings
  • Configure additional instances of vRealize Automation
    • Configure time settings & time zone
  • Configure the postgres database on the secondary appliance
    • Download 2108923_dbCluster.zip
    • Extract the .tar file and upload to vRA appliance
    • Configure the database replication as per KB2108923
  • Join the secondary appliance to the cluster
    • This is performed on every appliance except the leading node
    • vRA Settings > Cluster
  • Verify services are running
  • Disable unused services
    • Disable the embedded vRO services
      • service vco-server stop
      • chkconfig vco-server off

Install IaaS Components

  • Obtain and Install IaaS Certificates
  • Verify that the IaaS hosts meet the required prerequisites
    • IaaS host requirements:
      • .Net Framework 4.5.1 or later
      • PowerShell 2.0 or later
      • IIS 7.5
      • Java 1.7 64-bit
    • Website Component
      • IIS modules:
        • WindowsAuthentication
        • StaticContent
        • DefaultDocument
        • ASPNET 4.5
        • ISAPIExtensions
        • ISAPIFilter
      • IIS Authentication
        • Windows Authentication – Enabled
        • Anonymous Authentication – Disabled
        • Negotiate Provider – Enabled
        • NTLM Provider – Enabled
        • Windows Authentication Kernel Mode – Enabled
        • Windows Authentication Extended Protection – Disabled
      • IIS Process Activation
        • ConfigurationAPI
        • NetEnvironment
        • ProcessModel
        • WcfActivation – 2008 Only
        • HttpActivation
        • NonHttpActivation
      • IaaS Manager Server
        • .Net 4.5.1 or later
        • PowerShell 2.0 or later
        • SecondaryLogOnService – Running
        • IIS must be enabled
      • DEMs
        • .Net 4.5.1 or later
        • PowerShell 2.0 or later
        • SecondaryLogonService – Running
    • Ensure that JAVA_HOME is configured
    • Enable and test MSDTC on ALL IaaS NODES
      • Port 135 TCP
      • Random port between 1024 – 65535 TCP
    • IaaS Utilises an MSSQL database
      • This can be standalone or clustered
      • Port 1433 is required
      • MSDTC needs to be configured and working
    • Only one model manager can exist at one time
    • IaaS components can also be installed in simple mode – All on one server
    • IaaS Service account
      • Must be a domain user
      • Must have local administrator privileges on all hosts that have the model manager service or website component installed
      • The user is configured with Log On as a Service rights. This allows the service to start and generate logs
      • The user must have DBO privileges for the IaaS DB

Configure a default tenant and any additional tenants

  • Default tenant is configured when you configure SSO
  • An identity store will need to be added to the tenant
    • The default tenant supports
      • Native Active Directory
      • OpenLDAP
      • Active Directory (LDAP)
  • Provide the infrastructure license
    • Log in to the default tenant as an IaaS Administrator
    • Infrastructure Tab > Administration > Licensing
  • Additional tenants can be configured
    • Created by the System Administrator (administrator@vsphere.local)
    • Additional tenants do not support native active directory authentication
    • Each tenant has its own dedicated configuration
      • Login URL will be /vcac/org/tenantUrl
      • Identity stores
      • Branding
      • Notification providers
      • Business Policies
      • Service Catalog Offerings
      • Infrastructure resources

Appoint Administrators

  • Tenant Administrators
    • Responsible for: Branding, Identity stores, users, groups, entitlements and shared blueprints
  • IaaS Administrators
    • Responsible for: Configuring endpoints, appointing Fabric Administrators, monitoring IaaS logs
    • Cannot be created until IaaS components have been installed and licensed

Configuring the Load Balancer

  • Enable sticky sessions / session affinity
  • Set timeout to at least 100 seconds
  • Import SSL certificates where needed
  • Forward port 5480 if needed
  • Active Active Configuration
  • Configure health monitors

Integrate vRealize with External System

  • Agents can be used to integrate with external systems
    • vSphere agent allows vRA to consume vSphere resources
    • Other agents include:
      • VDI PowerShell Agents
      • EPI PowerShell Agents
      • WMI Agent
    • vRealize Orchestrator can be used to extend the provisioning life cycle
      • Third party plugins can be used to extend vRO
    • vRA has a public REST API that users can consume to further automate their processes

Manage SSL Certificates

  • Certificates should contain the Subject Alternative Names for each component in the deployment
    • vRA Appliances
      • vra.company.com
      • vra-app-01.company.com
      • vra-app-02.company.com
    • IaaS Hosts
      • iaas.company.com
      • iaas-mgr.company.com
      • iaas-webman-01.company.com
      • iaas-webman-02.company.com
    • Chains should be specified in the following order
      • Client / Server Certificate
      • Intermediates
      • Root CA Cert
    • Updating Certificates
      • Update in the following order > Identity Appliance > vRealize Appliance > IaaS components
      • “With one exception, changes to later components in this list do not affect earlier ones. For example, if you import a new certificate to a vRealize Appliance, you must register this change with the IaaS server, but not with the Identity appliance. The exception is that an update certificate for IaaS components must be registered with the vRealize Appliance.”
      • Update the identity appliance certificate
        • SSO Tab > Import new SSL Certificate > Apply Settings
      • Update the vRA Appliance with the ID Appliance Certificate
        • /usr/sbin/vcac-config import-certificate --alias websso --url https://ida.company.com:7444
        • Restart the appliance
        • Verify Services
      • Update the vRA Appliance Certificate
        • vRA Settings > Host Settings
        • Import the SSL Certificate
        • Save settings
      • Update the identity appliance with the vRA certificate
        • These steps are carried out if the vRA appliance hostname has changed
        • vRA Settings > SSO
        • Enter SSO host & password
        • Save Settings
      • Update the IaaS Servers with the vRA Certificate
        • Program Files (x86)\VMware\vCAC\Server\Model Manager Data\Cafe
        • vcac-config.exe UpdateServerCertificates -d vcac_db -s sql-server.company.com -v
        • IISRESET
      • Update the IaaS Certificate
        • IIS > Server Certificates > Import
        • Mark as Exportable
        • Update IIS bindings
        • IISRESET
      • Update the vRealize Appliance with the IaaS certificate
        • Program Files (x86)\VMware\vCAC\Server\Model Manager Data\Cafe
        • Register the endpoint address for the UI
          • vcac-config RegisterEndpoint --EndpointAddress https://iaas/vcac --Endpoint ui -v
        • Register the endpoint address for the model manager web server
          • vcac-config RegisterEndpoint --EndpointAddress https://iaas/Repository --Endpoint repo -v
        • Register the endpoint address for the WAPI server
          • vcac-config RegisterEndpoint --EndpointAddress https://iaas/WAPI --Endpoint wapi -v
        • Register the endpoint address for the status endpoint
          • vcac-config RegisterEndpoint --EndpointAddress https://iaas/WAPI/status
        • Restart Services
          • VMware vCloud Automation Center Service
      • Update vRA Appliance Management Site Certificate
        • VAMI uses lighttpd
        • When this certificate is changed you must also configure all management agents to recognise the new certificate
        • In a distributed deployment this can be done automatically or manually
        • Minimal deployments require the management agent to be updated manually
        • VAMI runs on port 5480. You can either install a new certificate or reuse the main vRA certificate on port 443
        • Server certificate and private key are located at
          • /opt/vmware/etc/lighttpd/server.pem
        • When replacing certificates make a backup of server.pem
        • cp /opt/vmware/etc/lighttpd/server.pem /opt/vmware/etc/lighttpd/server.pem-bak
        • Install the new certificate by replacing the contents of server.pem with the new certificate
        • Restart the service
          • service vami-lighttpd restart
        • The management agents will pickup the new VAMI certificate within 15 minutes of the change
        • To manually update the Management Agent with the new certificate, the following needs to be edited:
          • Program Files (x86)\VMware\vCAC\Management Agent\VMware.IaaS.Management.Agent.exe.Config
          • Locate the VAMI endpoint address and update the thumbprint to the thumbprint of the new certificate
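
The chain order (server certificate, intermediates, root CA) and the thumbprint needed for the Management Agent can both be checked before a certificate is imported. The following Python is an added example, not part of the original notes or any VMware tool; the function names and the sample certificates (unsigned stand-ins built inline) are assumptions made for illustration.

```python
import base64
import hashlib
import re

CERT_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def pem_certificates(pem_text):
    """DER bytes of each CERTIFICATE block in file order. Other blocks,
    such as the private key stored alongside it in server.pem, are skipped."""
    return [base64.b64decode("".join(body.split()))
            for body in CERT_BLOCK.findall(pem_text)]


def thumbprint(der):
    """SHA-1 thumbprint of one certificate: 40 upper-case hex digits."""
    return hashlib.sha1(der).hexdigest().upper()


def _tlv(buf, pos):
    """Decode one DER tag-length-value; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def issuer_and_subject(der):
    """Raw DER Name bytes (issuer, subject) from the TBSCertificate."""
    _, certificate, _ = _tlv(der, 0)
    _, tbs, _ = _tlv(certificate, 0)
    fields, pos = [], 0
    while pos < len(tbs) and len(fields) < 5:
        tag, _, nxt = _tlv(tbs, pos)
        if tag != 0xA0:  # skip the optional [0] version wrapper
            fields.append(tbs[pos:nxt])
        pos = nxt
    if len(fields) < 5:
        raise ValueError("not an X.509 certificate")
    # Collected in order: serialNumber, signature, issuer, validity, subject
    return fields[2], fields[4]


def chain_order_problems(pem_text):
    """Check the order: server certificate, intermediates, root CA.
    Compares names only (byte for byte); signatures are not verified."""
    names = [issuer_and_subject(d) for d in pem_certificates(pem_text)]
    if not names:
        return ["no certificate found"]
    problems = []
    for i in range(len(names) - 1):
        if names[i][0] != names[i + 1][1]:
            problems.append(
                f"certificate {i + 1} is not issued by certificate {i + 2}")
    if len(names) > 1 and names[-1][0] != names[-1][1]:
        problems.append("last certificate is not a self-signed root")
    return problems


# --- Constructed sample input: unsigned stand-ins with X.509 field layout ---
def _der(tag, value):
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    size = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + value


def _name(common_name):
    # Name with a single commonName (OID 2.5.4.3) attribute
    attr = _der(0x06, b"\x55\x04\x03") + _der(0x0C, common_name.encode())
    return _der(0x30, _der(0x31, _der(0x30, attr)))


def sample_cert(subject, issuer):
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30, b"") + _name(issuer) + _der(0x30, b"")
               + _name(subject))
    der = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")


LEAF = sample_cert("vra.company.com", "Example Issuing CA")
INTERMEDIATE = sample_cert("Example Issuing CA", "Example Root CA")
ROOT = sample_cert("Example Root CA", "Example Root CA")

if __name__ == "__main__":
    print(chain_order_problems(LEAF + INTERMEDIATE + ROOT))  # order as listed above
    print(chain_order_problems(ROOT + INTERMEDIATE + LEAF))  # reversed file
    print(thumbprint(pem_certificates(LEAF)[0]))
```

Pass the text of the PEM file to `chain_order_problems` before importing it. Compare `thumbprint()` of the first certificate in server.pem with the value in the Management Agent config file, matching that file's case and separators.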

Resolve Deployment and configuration issues

  • IaaS Installation Log locations
    • Program Files (x86)\VMware\vCAC\Server\Website\Logs
    • Program Files (x86)\VMware\vCAC\WebAPI\ConfigTool\Log
  • IaaS Logs
    • Program Files (x86)\VMware\vCAC\Server\Website\Logs
    • Program Files (x86)\VMware\vCAC\Server\Model Manager Web\Logs
    • Program Files (x86)\VMware\vCAC\Server\Logs
    • Program Files (x86)\VMware\vCAC\Distributed Execution Manager\DEO\Logs
    • Program Files (x86)\VMware\vCAC\Agents\<agent_name>\Logs
  • A log bundle can be created from the cluster tab in the VAMI
  • Identity appliance logs can be collected by generating a support bundle
  • vRealize Automation Framework logs can be found
    • /var/log/vmware
  • Roll back failed installations
    • Uninstall Agents, DEM-Workers, DEM-Orchestrators, vRealize Automation Server, vRealize Automation WAPI
    • Revert the database
    • Remove https bindings in IIS
    • Check that folders in the vCAC directory have been deleted
    • Check that application pools have also been deleted
  • Creating support bundles
    • Can be created in the VAMI
      • Admin > Logs
      • Download to your system and submit to VMware support if needed

Upgrading from vCAC 6.1

  • Before upgrading:
    • Verify the age of the root passwords on virtual appliances
      • chage -l root
      • Change the root password if the Last Change field is more than 365 days ago
    • Shut down services for the current deployment
      • Disable vco-service
        • service vco-server stop
        • chkconfig vco-server off
      • Stop vRA services
        • service vcac-server stop
        • service apache2 stop
        • service rabbitmq-server stop
        • Do not perform these steps on the first node to be updated
      • Shutdown vRA services on the IaaS hosts in the following order
        • All vRA Agents
        • All DEM Workers
        • All DEM Orchestrators
        • vRA Manager Service
      • Download the Appliance updates
        • Download from a VMware repository
        • Download from an Internal repository
        • Update from an ISO
  • Update the identity appliance
    • Log in to VAMI port 5480 as root
    • Update tab > Check for updates
    • Install updates
    • Once the task has finished reboot the appliance
  • Update the vRA Appliances
    • Apply the update to each appliance in your environment
    • If health monitors are used on the load balancer, disable all but one appliance
    • The first appliance that is upgraded must be connected to the load balancer
    • All other instances must be disabled for load balancer traffic when you upgrade them
    • Log in to VAMI > Update Tab
    • Check Updates > Install Updates
    • Once the task has finished reboot the appliance
    • Verify that all services start before continuing
    • Repeat the upgrade steps for each appliance
    • Re enable all appliances in the load balancer once complete
  • Upgrade the IaaS hosts
    • Download DBUpgrade from the IaaS installation page of the appliance
      • Run DBUpgrade -S dbserver -d dbname -E (windows auth)
      • Must only be run once during the upgrade
    • Download the IaaS installer
      • .Net 4.5.1 is required
      • Turn off IE Enhanced Security
      • Run as local admin
      • Must be at least version 6.0.1 to upgrade
      • https://vra:5480/installer
      • Upgrade order
        • Websites – Ensure that LB traffic is disabled on all websites except the one where the model manager is running
        • Manager services
        • DEM Orchestrators and Workers
        • Agents
    • Apply branding
      • Log in to VAMI as root
      • Click the SSO tab
      • Rejoin to SSO
    • Ensure that port 8444 is added to the LB VIP for VMRC
    • To enable VMRC
      • Configure entitlement
      • Ensure that the option is selected in the blueprint

Objective 1.3: Configure and Administer vCloud Connector

Identify the components of vCloud Connector

  • vCloud Connector consists of three components
    • vCloud Connector User Interface
      • Plugin in the vSphere Client
      • Icon appears in the vSphere Client Homepage under solutions and applications
    • vCloud Connector Server
      • Coordinates the activity of vCloud connector
      • Controls vCloud connector Nodes
      • Creates the vCloud Connector interface
      • Only one is needed
    • vCloud Connector Nodes
      • Handle transferring content between clouds
      • One node must be installed in every vSphere or cloud director cloud
      • Can be installed as a multi tenant node in cloud director based clouds
      • Installed by default in vCloud Air

Explain the vApp Copy Process

  • vCloud Connector uses a streaming copy mechanism which provides higher copy speeds and lower storage requirements
  • Uses a path optimisation framework to export/transfer/import data in parallel
  • Data streamed in small chunks
  • Files are not written to the staging area on vCloud Connector nodes
    • Unless the transfer or import is slower than the export
    • Ensure that you have adequate storage on the nodes
  • Copy options include:
    • Data transfer protocol
      • HTTPS
      • UDT
        • Protocol based on UDP
        • High speeds over high latency high bandwidth networks
        • Data is sent in plain text by default
      • Encryption
  • 5 concurrent copy tasks for on premise nodes
    • Tasks over the limit are queued
    • Limit does not apply to public nodes
    • Does not apply to the content sync copy

Identify the Virtual Machine State

  • In the UI go to the inventory panel and click the Virtual Machines or vApps tab
    • From here you can view the current state of the virtual machine or vApp in the status column

Identify the configurations necessary for Data Center Extension

  • Stretch Deploy
  • Requires the following products to be present
    • vSphere – 5.1 or higher
    • ESXi Server 5.1 or higher
    • vCloud Director 5.1 or higher
    • vSphere on which vCloud is based – 5.1 or higher
    • vShield Manager – 5.1.2 or higher
    • vSphere Distributed Switch 5.1 or higher
  • Storage requirements
    • Depends on the size of the VM being deployed
    • Stretch deploy from a vSphere Cloud
      • Storage in the destination VDC needs to be double the size of the machine or vApp being copied
      • The process creates a temp vApp which is deleted once finished
    • Stretch deploy from a vCloud Director Cloud
      • Storage in both the source and destination need to be double the size of the machine or vApp that is being copied
      • The process creates a temp vApp in both source and destination datacenter which is deleted once finished
  • Networking requirements (vSphere)
    • vShield edge must be able to reach the internet
    • vShield edge is only connected to one external network
    • vShield edge has an internal interface configured
      • Interface can’t be connected to a standard switch
      • Can be connected to a vSphere distributed switch
    • vShield edge appliance can be compact, large or x-large
    • vShield edge IP allocation should be DHCP or Manual static
      • Dynamic DHCP binding is not supported
    • VM must be connected to a port group (VLAN or VXLAN based)
    • VM cannot be connected to multiple networks
    • Unsupported networks include
      • Cascaded networks (Network in network)
      • Edge with multiple NICs connected to multiple networks. In this case only flat networks are supported
    • Networking Requirements (vCloud Director)
      • VMs must be deployed in a routed vApp
        • Can be connected to a Direct Org VDC or a Routed Org VDC network
      • Routed vApp requirements
        • A vApp network must be created
        • All VMs in the vApp must be connected to this network
        • The external network in the vDC must be associated with a port group on a vSphere distributed switch
        • IP allocation must be DHCP or Manual static. Static pools are not supported
        • If connected to a routed Org VDC network, external IPs must be configured in the edge gateway sub allocation pool for the Org VDC
        • vApp network cannot be connected to an isolated Organisation network
  • Supported networks
    • Direct Org VDC
    • Routed Org VDC
  • Unsupported networks
    • Direct vApp
    • Fenced vApp
    • Isolated vApp

Configure and Administer vCloud Connector

  • Use VAMI 5480 to configure
    • System tab – Information and Time zones
    • Network tab – Network and proxy settings
    • Update tab – Check for and install updates
    • Server tab – Log files, ssl config and register vCloud connector with vCenter
    • Nodes tab – Manage nodes

Differentiate between functionality of components of vCloud Connector

  • User Interface
    • Used to manage vCloud connector Server from vSphere Client
    • Not available for the web client
  • vCloud Connector Server
    • Controls vCloud Connector and Nodes
    • Only one needed
  • vCloud Connector Nodes
    • Transfer content between clouds
    • One node must be installed in every cloud that connector manages
    • Can be installed as a multi tenant node
    • Installed by default in vCloud Air
  • vCloud Connector also provides the following key features
    • Content Sync
    • Datacenter Extension (stretch deploy)
    • Offline Data transfer

Implement required network and security settings

  • Required Ports
    • 443
      • SSL port used for communication between server and nodes & between nodes
      • Also used for the local content directory node
    • 80
      • Port used for communication between server and nodes & between nodes
      • Also used for the local content directory node
    • 8190
      • Required on the destination node for UDT based transfer
    • 5480
      • Used for communication with vCloud Connector Server and node admin web consoles
  • If there is a load balancer between a node and the cloud it is associated with, sticky sessions should be enabled

Determine storage requirements and add storage for vCloud Connector Node

  • Default Storage for a node is 40GB
  • Space must be increased if:
    • You will be copying large VMs, vApps or templates
    • You will be copying many items simultaneously
    • You increase the max number of concurrent copies allowed
    • To add space to a node edit hard disk 2 via the vSphere Client and increase the disk size according to the situation
      • Once complete log in to the console
      • User: admin
      • password: vmware
      • Run the following command
      • sudo /opt/vmware/hcagent/scripts/resize_disk.sh
    • To add space to a node running on vCloud Director
      • Click My Cloud tab
      • Select VMs and find the vCloud Connector Nodes
      • Power off
      • Right click properties
      • Under hard disk select add
      • Size the new disk accordingly
      • power on
      • Log in to the console as:
        • User: admin
        • Password: vmware
      • type ls /dev/sd*
      • run the following command to add the disk
      • sudo /opt/vmware/hcagent/scripts/add_disk.sh <diskname>

Register the vCloud Connector UI with vCenter Server

  • Log in to VAMI port 5480
    • Select the server tab
    • Select the vSphere Client tab
    • Type in the IP of the vCenter server
    • Enter the username and password for the vCenter Server
    • Select Overwrite Existing Registration to re-register
    • Enter proxy settings if needed
    • Click register
    • Select unregister to unregister a previous registration
    • Select update to update an existing registration

Register vCloud Networking and Security Manager with the vCloud Connector Server

  • For every vSphere cloud that you want to use with the Stretch deploy command, you must register the vShield Manager that is associated with the vSphere in the Cloud Connector Server Admin web console
    • Log in to the Cloud Connector VAMI port 5480
    • Click the nodes tab
    • Locate the appropriate node and click the gears icon
    • Select stretch deploy settings
    • Specify the following information
      • vShield manager Url
      • User and Password
      • Proxy
      • Ignore SSL Certificate

Troubleshoot common vCloud Connector Installation and operation issues

  • Use curl to pinpoint connectivity problems between vCloud Connector components
    • vCD
      • curl -k https://vcd/api/versions
    • vCenter
      • curl -k https://vcenter/mobjlij
    • vCC node
      • curl -k https://vccnode/agent/api/v2/org/org/version
    • Logs can be downloaded via VAMI
      • Server: Server Tab > General Tab > Download Logs
      • Node: Node Tab > General Tab > Download Logs
    • Log locations
      • /opt/vmware/hcserver/logs/hcs.log
      • /opt/vmware/hcagent/logs/hca.log
    • Node logs are divided by organization
    • To modify the size of log files or the number of files retained:
      • Server: /usr/local/tcserver/vfabric-tc-server-standard/server/webapps/hcserver/WEB-INF/classes/logback.xml
      • Node: /usr/local/tcserver/vfabric-tc-server-standard/agent/webapps/agent/WEB-INF/classes/logback.xml
      • For retention, change rollingPolicy/MaxIndex
      • For size change triggerPolicy/maxFileSize

Create a vCloud Connector Content Library

  • It looks like the content library is created by default when you install vCloud Connector
  • Library of published folders or catalogs of templates to which users can subscribe
  • Templates can be:
    • VM templates from vSphere
    • vApp templates from vCloud Director
  • Any user can publish a folder or catalog of templates to the content library and any user can subscribe

Publish vSphere folders and vCloud catalogs to a vCloud Connector Content Library

  • Click the clouds tree and find the folder or catalog to publish
  • Right click and select Publish to Content Library
    • If disabled ensure that you are clicking on a folder or a catalog. The option is disabled for objects like datacenters and organisations
  • Click Publish
  • Select Content Library from the browser panel
  • Users can subscribe to the published items

Subscribe/Unsubscribe to a published folder or catalog

  • Select Content Library
  • Select the folder or catalog in the Catalogs table
  • Click the Subscribe icon at the top of the inventory panel
  • Select Remove entities if deleted at publisher to remove items if they are removed at source
  • Select the cloud to copy templates to
  • For vSphere Clouds:
    • Select an empty folder to copy the templates to
    • Select a cluster, host or resource pool
    • Select a synchronisation frequency
    • Click finish
  • For vCloud Director Clouds
    • Select an empty catalog to copy the templates to
    • Select a virtual datacenter
    • Select the synchronisation frequency
    • Select Finish
  • Once subscribed vCloud Connector keeps templates synchronised
  • Can Sync any time with the Sync Now command
  • Items deleted from the source will not be deleted in the subscription folder
    • Select Remove entities if deleted at publisher when subscribing for this to happen
  • To unsubscribe
    • Select Content Library
    • In the catalogs table, select the folder or catalog from which you would like to unsubscribe
    • Click the unsubscribe icon
    • Select your subscription folder in the confirm dialog and click unsubscribe
  • Existing templates in your subscription are not deleted. To delete the template:
    • Select the parent cloud
    • Select the template from the templates tab
    • Click the delete icon

Stretch Deploy a VM or vApp using Data Center Extension

  • Expand the clouds tree and select a vSphere Cloud
  • In the inventory panel, click the virtual machine tab or vApps tab
  • Select the VM or vApp
  • Ensure that the VM or vApp is powered off
  • Click the stretch deploy icon
  • Select the destination
  • Specify a name for the stretched vApp (Stretched_ prefix is added to the name)
  • Select a catalog
  • Cloud Connector will upload the vApp as a template
  • Select a virtual data center
  • Select an Org vDC network, either routed org or direct org
  • For routed org you must also select an external IP address
  • Select proxy settings
  • Select Power on Deployed entity to power on after the move
  • Click next then finish
  • If the stretch deployed VM has a Manual Static IP mode:
    • Log in to the public vCloud
    • Right click the VM and power off
    • Right click the VM and select properties > hardware tab
    • Change IP mode from DHCP to manual static
    • Click OK and power on the VM

Objective 1.4: Configuring vRealize Automation Settings

Configure vRealize System Settings to handle system notifications and appearance

  • System Administrators can configure system settings to change appearance of the vRA console and configure inbound and outbound email servers.
  • Configure branding:
    • System Administrators control the default branding for tenants
    • Tenant Administrators can use the default or reconfigure branding for each tenant
    • To configure branding, log in to the vRA web interface as a System Administrator or a Tenant Administrator
    • Select Administrator > Branding
    • Clear the use default check box
    • Upload a file to use as a banner
    • Add copyright information in the Copyright notice text box
    • Add the URL of your privacy policy in the privacy policy link text box
    • Add the url to your contact page in the contact link text box
    • Click update to complete
  • Configure a global email server for notifications
    • System Administrators can create global inbound and outbound email servers
    • Tenant administrators can use the default or add their own for each tenant
  • For inbound servers:
    • Select Administration > Email Servers
    • Click the Add icon
    • Select Email – Inbound
    • Enter a name
    • Enter a description
    • Select SSL if required
    • Choose a protocol
    • Enter a server name
    • Enter a server port
    • Enter the folder name for emails
      • Only required if you are using IMAP
    • Enter a username
    • Enter a password
    • Enter an email address that users can reply to
    • Select delete from server to delete all processed emails if required
    • Choose whether vRA can accept self-signed certificates
    • Click test connection
    • Click Add
  • For outbound servers:
    • Select Administration > Email Servers
    • Click the Add icon
    • Select Email – Outbound
    • Enter a name
    • Enter a description if required
    • Enter the server name
    • Choose an encryption method
      • Use SSL
      • Use TLS
      • None
    • Enter the server port
    • Configure authentication if required
    • Enter a sender email address
    • Choose whether vRA can accept self-signed certs
    • Click test connection
    • Click Add

Enable connections and set concurrency limits on IaaS Server

  • vRA limits concurrent virtual provisioning activities for hypervisors that use proxy agents to two per agent
  • Data collection activities are limited to two per agent
  • To change concurrency limits and time-out intervals:
    • Log in to the IaaS server hosting the manager service
    • Edit Program Files (x86)\VMware\vCAC\Server\ManagerService.exe.config
    • Locate the workflowTimeoutConfigurationSection section
    • Update the following variables where needed (timeout intervals use the format hh:mm:ss):
      • MaxOutstandingResourceIntensiveWorkItems: Concurrent provisioning limit (default: 2)
      • CloneExecutionTimeout: Virtual provisioning execution timeout interval
      • SetupOSExecutionTimeout: Virtual provisioning execution timeout interval
      • CloneTimeout: Virtual provisioning setup OS delivery timeout interval
      • CloudInitializeProvisioning: Cloud provisioning initialisation timeout interval
      • MaxOutstandingDataCollectionWorkItems: Concurrent data collection limit
      • InventoryTimeout: Inventory data collection execution timeout interval
      • PerformanceTimeout: Performance data collection execution timeout interval
      • StateTimeout: State data collection execution timeout interval
    • Save and close the file
    • Restart the vRA service
    • If running in HA mode, this change must be made on both primary and secondary manager servers
  • To change the execution frequency of machine callbacks:
    • Edit ManagerService.exe.config on the IaaS Manager host
    • Values are in milliseconds
      • RepositoryWorkflowTimerCallbackMiliSeconds: Checks the repository service, or model manager web service, for activity. Default value: 10000
      • ProcessLeaseWorkflowTimerCallbackIntervalMiliSeconds: Checks for expired machine leases. Default value: 3600000
      • BulkRequestWorkflowTimerCallbackMiliSeconds: Checks for bulk requests. Default value: 10000
      • MachineRequestTimerCallbackMiliSeconds: Checks for machine requests. Default value: 10000
      • MachineWorkflowCreationTimerCallbackMiliSeconds: Checks for new machines. Default value: 10000
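The HA note above means the primary and secondary Manager Service hosts must carry the same values. As an added example (not from the original notes or from VMware), this Python check reads two copies of ManagerService.exe.config, validates the values in workflowTimeoutConfigurationSection and reports any drift between the nodes. The `<add key= value=>` layout inside the section and the sample contents are assumptions.

```python
import re
import xml.etree.ElementTree as ET

SECTION = "workflowTimeoutConfigurationSection"
# Integer limits named in the notes; every other key is treated as an interval.
LIMIT_KEYS = {"MaxOutstandingResourceIntensiveWorkItems",
              "MaxOutstandingDataCollectionWorkItems"}
INTERVAL_RE = re.compile(r"\d{1,2}:[0-5]\d:[0-5]\d")   # hh:mm:ss
LIMIT_RE = re.compile(r"[1-9]\d*")                      # positive integer

# Constructed sample content, not a real export. The <add key= value=>
# layout inside the section is an assumption; compare with your own file.
PRIMARY = """<configuration>
  <workflowTimeoutConfigurationSection>
    <add key="MaxOutstandingResourceIntensiveWorkItems" value="4"/>
    <add key="CloneExecutionTimeout" value="02:00:00"/>
    <add key="InventoryTimeout" value="90 minutes"/>
  </workflowTimeoutConfigurationSection>
</configuration>"""
SECONDARY = PRIMARY.replace('value="4"', 'value="2"')


def read_settings(config_xml):
    """Return {key: value} for each <add> element under the section."""
    root = ET.fromstring(config_xml)
    section = root if root.tag == SECTION else root.find(f".//{SECTION}")
    if section is None:
        raise ValueError(f"{SECTION} not found")
    return {e.get("key"): e.get("value", "")
            for e in section.iter("add") if e.get("key")}


def validate(settings):
    """Return one message per value that has the wrong format."""
    problems = []
    for key, value in sorted(settings.items()):
        if key in LIMIT_KEYS:
            if not LIMIT_RE.fullmatch(value):
                problems.append(f"{key}: '{value}' is not a positive integer")
        elif not INTERVAL_RE.fullmatch(value):
            problems.append(f"{key}: '{value}' is not hh:mm:ss")
    return problems


def drift(primary, secondary):
    """Return {key: (primary_value, secondary_value)} for keys that differ."""
    return {key: (primary.get(key), secondary.get(key))
            for key in sorted(set(primary) | set(secondary))
            if primary.get(key) != secondary.get(key)}


if __name__ == "__main__":
    first, second = read_settings(PRIMARY), read_settings(SECONDARY)
    for message in validate(first):
        print("invalid:", message)
    for key, (a, b) in drift(first, second).items():
        print(f"drift: {key} primary={a} secondary={b}")
```

To use it on real hosts, pass the text of each node's config file to `read_settings` in place of the constructed samples.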

Configure Datacenter locations

  • To configure datacenter locations, log on to the IaaS website host and edit the following file:
    • Program Files (x86)\VMware\vCAC\Server\Website\XmlData\DataCenterLocations.xml
    • For each location create a new Data Name entry in the CustomDataType section
  • Save and close the file
  • Restart the Manager Service
  • Make the same changes on HA servers
  • Once the change has been made, a Fabric Administrator edits a compute resource to associate it with a location
  • A Tenant Administrator or Business Group Administrator then creates a blueprint that prompts users to choose a datacenter location when making the request
    • Display Location On Request

Objective 1.5: Integrate vRealize Automation with vCloud Air

Provision with vCloud Air or vCloud Director vApps

  • vCloud Air endpoint requires an account, address & organisational unit
  • vCloud Director requires Org Administrator or System Administrator credentials for the endpoint
    • Also required for running data collection
  • vCloud Air requires the infrastructure administrator or account administrator role for endpoint credentials
  • The following tasks are required before provisioning:
    • Configure cloud resources, including datacenters and networks
    • Create vApp Templates

Configure IaaS for vApps

  • Store credentials and create endpoints to bring resources under vRA management (IaaS Administrator)
  • Configure the machine prefixes used to create names for machines provisioned through vRA (Fabric Administrator)
  • Create at least one business group of users who need to request machines (Tenant Administrator)
  • Create at least one reservation to allocate resources to a business group (Fabric Administrator)
  • Configure optional policies and settings (Fabric Administrator)
  • Prepare vCD resources required to provision vRA blueprints, e.g. vApp templates and customisation objects (outside of vRA)
  • Create and publish vRA blueprints (Tenant Administrator / Business Group Manager)

Create vApp and vApp Component Blueprints

  • Can be configured by Tenant Administrators or Business Group Managers
  • The vApp that you select as the vApp blueprint is the primary source of information for provisioning vApps from vRA
  • vApp blueprints determine
    • How many machines to provision per vApp
    • Which properties to apply to the machine being provisioned
  • vApp Component Blueprints determine
    • Additional Storage Volumes
    • Additional machine resources
    • Maximum number of volumes
    • Maximum number of network adapters
  • When you assign a vApp component blueprint to a vApp blueprint, the machine properties from the vApp template are displayed as machine resources in the component blueprint and become the minimum values for provisioning
  • To create a vApp Component Blueprint
    • Specify vApp Component Blueprint information
    • Add vApp Component blueprint custom properties
    • Configure vApp Component blueprint actions
  • To create a vApp blueprint
    • Specify vApp blueprint information
    • Specify vApp build information
    • Add vApp blueprint custom properties
    • Configure vApp blueprint actions
  • Publish the new vApp Blueprint

Configure advanced blueprint settings

  • Tenant Administrators and Business Group Managers can use custom properties and optional policies to configure advanced blueprint settings such as reservation policies, VBScripts and Active Directory cleanup
  • Configuring Network Settings
    • vRA uses DHCP by default
    • It is possible to assign a static IP address to clone or kickstart/autoYaST provisioned machines
    • Static assignment can be configured either at the reservation level or at the blueprint level
    • Network assignments are performed during machine allocation
    • Can use VirtualMachine.NetworkN.x custom properties
    • Numbering must be sequential
  • Reservation Policies
    • Policies can be applied to a blueprint to restrict the machines provisioned to a subset of reservations
    • Policies can be used to collect resources into groups from different SLAs or assign specific resources for a particular purpose
    • Multiple reservations can be part of a reservation policy but a reservation can only belong to one policy
    • A single reservation can be assigned to more than one blueprint but a blueprint can only have one policy
    • A reservation policy can include reservations of different types, but only reservations that match the blueprint are considered when selecting a reservation for a request.
    • Assigning Datastores to Machine Volumes
      • You can specify single datastores for a volume or use storage policies to represent a group of volumes
        • OS can deploy to slower storage & application drives to faster storage etc
      • Storage reservation policies are applied to datastores by Fabric Administrators & are used to group datastores that have similar characteristics
      • A datastore can be assigned to only one storage reservation policy at one time, but a storage reservation policy can have many datastores
      • Tenant Administrators or Business Group Managers assign the storage reservation policy to a volume in a blueprint
      • When you add or edit a volume in a virtual blueprint you can:
        • Assign a single datastore to the volume
        • Assign a storage reservation policy to the volume
        • Assign a storage reservation policy to the volume and include the custom property VirtualMachine.DiskN.StorageReservationPolicyMode = NonExact
          • Allows you to assign a datastore that is not included in the policy
        • Do not assign a datastore or storage policy to a volume
      • Avoid specifying a storage path and storage reservation policy for the same volume
        • The Storage path takes precedence over the storage reservation policy
  • Enabling Remote Desktop Connections
    • A System Administrator can create custom RDP files that the Tenant Administrators and Business Group Managers can use in blueprints
      • System Administrator creates an RDP file in Website\RDP directory on the IaaS website hosts
      • Fabric Administrators can create a build profile using the property set RemoteDesktopProtocolProperties
      • Tenant Administrators or Business Group Managers add the RDP custom properties to a blueprint to configure RDP settings for machines deployed
      • Tenant Administrators or Business Group Managers enable the Connect using RDP or SSH option in the blueprint
      • Tenant Administrators or Business Group Managers add entitlements for users or groups to use the Connect Using RDP or SSH option
  • Enable Connections using SSH
    • Add the action to the blueprint as above
    • Entitle users and groups as above
    • Use the Machine.SSH = true custom property in the blueprint
    • May also need to use the VirtualMachine.Admin.NameCompletion property
  • Cloning an identical Copy from a vApp Template
    • VCloud.Template.MakeIdenticalCopy instructs vRA to ignore the customization specified in the vApp Blueprint and its component blueprint
    • The default setting is False
    • Tenant or Business Group Administrators add the property to the vApp blueprint or build profile
    • The property can also reside in the business group, although this will affect all vApp blueprints in the business group
    • vApps provisioned as Identical copies can use networks and storage profiles that are not available in the vRA Reservation
      • Network settings and storage settings are used without their allocation being accounted for in the reservation
      • To avoid this verify that the storage profile or network specified in the template is available in the reservation
  • Add the active directory clean up properties to a blueprint
    • Add the property set to a blueprint or build profile and configure with a service account that has the appropriate permissions to manage the computer objects

Monitoring Workflows and viewing Logs

  • Actions that have occurred, e.g. action type, date & time (IaaS Administrator): Infrastructure > Monitoring > Audit Logs
    • AWS machine provisioning
    • Multi-machine
    • VCNS
    • Reclamation
    • Reconfigure
  • Status of scheduled & available DEM workflows (IaaS Administrator): Infrastructure > Monitoring > Distributed Execution Status
    • Workflow Status
    • Workflow details
  • View and export log data (IaaS Administrator): Infrastructure > Monitoring > Log
  • Status and history of executed DEM workflows (IaaS Administrator): Infrastructure > Monitoring > Workflow History
  • List events, e.g. type, time, user ID (System Administrator): Administration > Event Logs
  • Monitor & view requests (Tenant Administrator / Business Group Manager): Click the requests tab

Manage machine life cycle and workflow states

Master Workflow

Workflow State (Work Item): Description

  • Requested
    • New Request
    • Machine is created or registered
  • AwaitingApproval
    • Build is on hold until it is approved
  • RegisterMachine (RegisterVM)
    • Existing Machine is registered
    • Attributes are set in the hypervisor
  • BuildingMachine
    • Machine build is about to start
    • Provisioning blueprint specified in the blueprint is being created
  • MachineProvisioned (SetMachineOperations)
    • Build completed successfully
    • Operations are being carried out on the machine before it is made available for use
  • MachineActivated: Machine is activated
  • InstallTools (InstallTools): Tools are installed by the Hypervisor
  • Expired
    • Machine expires and is turned off
    • Machine is deleted after number of archive days elapses
    • Can only be reactivated or disposed of
  • DeactivateMachine: Disposal process has started
  • UnprovisionMachine: Unprovisioning process has started
  • Disposing (DisposeVM): Hypervisor disposes of the machine
  • Finalised: Machine has been disposed and is about to be removed from management

vAppCloneWorkflow

Workflow State (Work Item): Description

  • CloneMachine (CloneVM): Hypervisor clones the VM
  • CustomizeMachine (CustomizeVM): Hypervisor configures the machine
  • InitialPowerOn (PowerOn): Machine is powered on for the first time
  • BuildComplete: Build process is finished

Configure an Endpoint in vRealize Automation

  • IaaS Administrators are responsible for creating endpoints
  • Credentials need to be created (Infrastructure > Endpoints > Credentials)
  • Create an endpoint:
    • Infrastructure > Endpoints > Endpoints
    • New Endpoint
  • The following endpoints can be created
    • Cloud
    • Orchestration
    • Virtual

Configure vCloud Air OnDemand and Subscription Endpoints

  • IaaS Administrators are responsible for creating endpoints
  • vCloud endpoints are required to connect to a vCloud Director or vCloud Air instance
  • Procedure for vCloud Air OnDemand:
    • Infrastructure > Endpoints > Endpoints
    • New Endpoint > Cloud > vApp (vCloud)
    • Enter a name and description
    • Enter the URL in the following format
      • https://region-name.vchs.mycompany.com/api/compute
    • Select the credentials to connect to the endpoint
      • Must be vCloud Air OnDemand account admin
    • Enter the vCD Organisation
      • Unique id found at the end of the url when you log in to vCloud Air OnDemand
    • Configure proxy settings
    • Add custom properties
    • Right click the new endpoint
      • Data Collection > Start
  • Procedure for vCloud Air Subscription
    • Similar procedure to above with the following exceptions
    • The url is the vCloud Director Server that is used to manage a specific VDC
      • https://p2v5-vcd-vchs.mycompany.com:443
    • Credentials
      • Use organisation administrator credentials to only access the associated organisation VDCs
      • You can add endpoints for additional VDCs
      • Use the System Administrator credentials and leave the organisation text box empty to access all organisation VDCs
    • The Organisation name matches the vCD org name
      • If using Virtual Private Cloud it is a unique identifier
        • M123456789-12345
      • If using a dedicated cloud it is the given name of the target virtual data center
    • The Organisation name can be found in the last part of the vCloud Director API Url
      • https://p2v5-vdd-vchs.mycompany.com:443/cloud/org/vCloudAutomation

Synchronize Environment data from vCloud Air

  • Once the endpoint has been set up you will need to perform a data collection to pull information from vCloud Air
  • To do this, right click on the new endpoint and select Data Collection > Start

Deploy Virtual Machines

  • TBA