Deployment of VMware vRealize Suite 2019 on VMware Cloud Foundation 3.10
Modified on 20 APR 2021
VMware Validated Design
VMware Cloud Foundation 3.10
vRealize Suite 2019
You can find the most up-to-date technical documentation on the VMware website at:
https://docs.vmware.com/
VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com
Copyright © 2020-2021, VMware, Inc. All rights reserved. Copyright and trademark information.
Contents
About Deployment of VMware vRealize Suite 2019 on VMware Cloud Foundation 3.10
Planning and Preparation for Deployment of VMware vRealize Suite 2019 on VMware Cloud Foundation 3.10
    Software Requirements
    VMware Scripts and Tools
    Third-Party Software
    External Services
    IP Subnets for the Application Virtual Networks
    Host Names and IP Addresses
    Time Synchronization
    User Accounts and Groups
    Active Directory Computer Objects
    Additional Storage Requirements
    My VMware Account Requirements
1 Prepare the Environment for Deployment of Cloud Operations and Automation in Region A
    Remove the Default vRealize Log Insight Cluster in Region A
    Create the Virtual Machine and Template Folders in Region A
    Deploy the NSX Data Center for vSphere Load Balancer in Region A
2 vRealize Suite Lifecycle Manager Implementation in Region A
    Prerequisites for Deploying vRealize Suite Lifecycle Manager in Region A
    Configure User Access in vSphere for Integration with vRealize Suite Lifecycle Manager in Region A
    Define a User Role in vSphere for vRealize Suite Lifecycle Manager in Region A
    Configure Service Account Permissions in vSphere for Integration with vRealize Suite Lifecycle Manager in Region A
    Deploy the vRealize Suite Lifecycle Manager Appliance in Region A
    Post-Deployment Configuration of the vRealize Suite Lifecycle Manager Instance in Region A
    Configure the vRealize Suite Lifecycle Manager Instance in Region A
    Replace the Certificate of the vRealize Suite Lifecycle Manager Instance in Region A
    Register the vRealize Suite Lifecycle Manager Instance with My VMware
    Upload and Map Product Binaries to the vRealize Suite Lifecycle Manager Instance in Region A
    Configure Data Centers and vCenter Server in vRealize Suite Lifecycle Manager in Region A
    Add the Cross-Region Environment Password to vRealize Suite Lifecycle Manager
3 Cross-Region Workspace ONE Access Implementation in Region A
    Prerequisites for Deploying Cross-Region Workspace ONE Access
    Configure the Load Balancer for the Cross-Region Workspace ONE Access Cluster in Region A
    Import the Load Balancer Certificate of the Cross-Region Workspace ONE Access Cluster
    Configure the Virtual IP Address for Load Balancing the Cross-Region Workspace ONE Access Cluster in Region A
    Create a Service Monitor for the Cross-Region Workspace ONE Access Cluster in Region A
    Create a Server Pool for the Cross-Region Workspace ONE Access Cluster in Region A
    Create Application Profiles for the Cross-Region Workspace ONE Access Cluster in Region A
    Create Virtual Servers for the Cross-Region Workspace ONE Access Cluster in Region A
    Deploy the Cross-Region Workspace ONE Access Cluster in Region A
    Import the Cross-Region Workspace ONE Access Cluster Certificate to vRealize Suite Lifecycle Manager in Region A
    Add the Passwords for the Cross-Region Workspace ONE Access Deployment to vRealize Suite Lifecycle Manager in Region A
    Deploy the Cross-Region Workspace ONE Access Cluster Using vRealize Suite Lifecycle Manager in Region A
    Resize the Cross-Region Workspace ONE Access Cluster Nodes in Region A
    Configure the Cross-Region Workspace ONE Access Cluster in Region A
    Configure an Anti-Affinity Rule and a Virtual Machine Group for the Cross-Region Workspace ONE Access Cluster in Region A
    Configure NTP on the Cross-Region Workspace ONE Access Cluster in Region A
    Configure Custom Branding for the Cross-Region Workspace ONE Access Deployment in Region A
    Configure Identity Sources for the Cross-Region Workspace ONE Access Cluster in Region A
    Add the Cross-Region Workspace ONE Access Nodes as Identity Provider Connectors in Region A
    Assign Roles to User Groups in Cross-Region Workspace ONE Access
    Assign Roles to User Groups in vRealize Suite Lifecycle Manager
4 Region-Specific Workspace ONE Access Implementation in Region A
    Prerequisites for Deploying Region-Specific Workspace ONE Access in Region A
    Deploy the Region-Specific Workspace ONE Access Instance in Region A
    Complete the Initial Configuration of the Region-Specific Workspace ONE Access Instance in Region A
    Configure Region-Specific Workspace ONE Access for the Management Domain in Region A
    Replace the Certificate of the Region-Specific Workspace ONE Access Instance in Region A
    Configure Preferences and Custom Branding for the Region-Specific Workspace ONE Access Instance in Region A
    Configure NTP of the Region-Specific Workspace ONE Access Instance in Region A
    Configure Identity Source of the Region-Specific Workspace ONE Access Instance in Region A
    Assign Roles in the Region-Specific Workspace ONE Access Instance in Region A
    Integrate NSX-T Data Center with the Region-Specific Workspace ONE Access Instance in Region A
    Obtain the Certificate Thumbprint from the Region-Specific Workspace ONE Access Instance in Region A
    Integrate NSX-T Data Center with the Region-Specific Workspace ONE Access Instance in Region A
    Configure Role-Based Access Control for NSX-T Data Center in Region A
5 vRealize Operations Manager Implementation in Region A
    Configure the Load Balancer for vRealize Operations Manager in Region A
    Configure the Virtual IP Address for Load Balancing the Analytics Cluster in Region A
    Create a Service Monitor for vRealize Operations Manager in Region A
    Create a Server Pool for vRealize Operations Manager in Region A
    Create the Application Profiles for vRealize Operations Manager in Region A
    Create Virtual Servers for vRealize Operations in Region A
    Deploy vRealize Operations Manager in Region A
    Prerequisites for Deploying vRealize Operations Manager in Region A
    Add the vRealize Operations Manager Multi-SAN Certificate to vRealize Suite Lifecycle Manager
    Add the vRealize Operations Manager Password to vRealize Suite Lifecycle Manager
    Create the Cross-Region Environment in vRealize Suite Lifecycle Manager in Region A
    Deploy vRealize Operations Manager Using vRealize Suite Lifecycle Manager in Region A
    Update vRealize Operations Manager Authentication Source
    Configure vSphere DRS Anti-Affinity Rules for vRealize Operations Manager in Region A
    Create a VM Group and Define the Startup Order of the Analytics Cluster in Region A
    Group the Remote Collector Nodes in Region A
    Configure User Access in vRealize Operations Manager in Region A
    Configure User Access in vSphere for Integration with vRealize Operations Manager in Region A
    Define a User Role in vSphere for vCenter Adapters in vRealize Operations Manager in Region A
    Define a User Role in vSphere for Storage Devices Adapters in vRealize Operations Manager in Region A
    Configure User Privileges in vSphere for Integration with vRealize Operations Manager in Region A
    Add vCenter Server Cloud Accounts to vRealize Operations Manager in Region A
    Enable vSAN Monitoring in vRealize Operations Manager in Region A
    Connect vRealize Operations Manager to NSX Data Center for vSphere in Region A
    Install the vRealize Operations Manager Management Pack for NSX for vSphere in Region A
    Configure User Privileges in NSX Manager for Integration with vRealize Operations Manager in Region A
    Enable NSX Data Center for vSphere Monitoring in vRealize Operations Manager in Region A
    Enable NSX-T Data Center Monitoring in vRealize Operations Manager in Region A
    Enable Storage Device Monitoring in vRealize Operations Manager in Region A
    Install the vRealize Operations Manager Management Pack for Storage Devices in Region A
    Add Storage Devices Adapters in vRealize Operations Manager in Region A
    Connect vRealize Operations Manager to the Workspace ONE Access Instances in Region A
    Install the vRealize Operations Manager Management Pack for VMware Identity Manager in Region A
    Add VMware Identity Manager Adapter Instances to vRealize Operations Manager in Region A
    Set the Currency for Cost Calculation in vRealize Operations Manager
    Configure Email Alerts in vRealize Operations Manager in Region A
6 vRealize Log Insight Implementation in Region A
    Deploy vRealize Log Insight in Region A
    Prerequisites for Deploying vRealize Log Insight in Region A
    Add the vRealize Log Insight Multi-SAN Certificate to vRealize Suite Lifecycle Manager
    Add the vRealize Log Insight Password to vRealize Suite Lifecycle Manager
    Deploy vRealize Log Insight Using vRealize Suite Lifecycle Manager in Region A
    Configure a vSphere DRS Anti-Affinity Rule for vRealize Log Insight
    Create a VM Group and Define the Startup Order of the vRealize Log Insight Cluster in Region A
    Configure SMTP for vRealize Log Insight in Region A
    Disable the SSL Connection Requirement in vRealize Log Insight in Region A
    Integrate vRealize Log Insight with the Region-Specific Workspace ONE Access in Region A
    Enable Region-Specific Workspace ONE Access Integration with vRealize Log Insight in Region A
    Configure Identity and Access Management for vRealize Log Insight in Region A
    Connect vRealize Log Insight to the vSphere Environment in Region A
    Configure User Privileges in vSphere for Integration with vRealize Log Insight in Region A
    Connect vRealize Log Insight to vSphere in Region A
    Configure vCenter Server to Forward Log Events to vRealize Log Insight in Region A
    Connect vRealize Log Insight to vRealize Operations Manager in Region A
    Configure User Privileges in vRealize Operations Manager for Integration with vRealize Log Insight in Region A
    Enable the vRealize Log Insight Integration with vRealize Operations Manager in Region A
    Connect vRealize Operations Manager to vRealize Log Insight in Region A
    Configure the vRealize Log Insight Agent on the Analytics Cluster to Forward Log Events to vRealize Log Insight in Region A
    Connect vRealize Log Insight to NSX Data Center for vSphere in Region A
    Install the vRealize Log Insight Content Pack for NSX Data Center for vSphere in Region A
    Update the NSX Manager Log Forwarding Protocol in Region A
    Configure the NSX Controller Nodes to Forward Log Events to vRealize Log Insight in Region A
    Update the Log Forwarding Protocol on the NSX Edge Instances in Region A
    Connect vRealize Log Insight to NSX-T Data Center in Region A
    Install the vRealize Log Insight Content Pack for NSX-T Data Center in Region A
    Configure the Workload Domain NSX-T Managers to Forward Log Events to vRealize Log Insight in Region A
    Configure the NSX-T Edges to Forward Log Events to vRealize Log Insight in Region A
    Download the vRealize Log Insight Agent
    Install and Configure the vRealize Log Insight Agent on the Workspace ONE Access Nodes
    Configure Log Forwarding for vRealize Suite Lifecycle Manager in Region A
    Validate Log Forwarding for SDDC Manager in Region A
    Collect Operating System Logs from the Management Virtual Appliances in vRealize Log Insight in Region A
    Install the vRealize Log Insight Content Pack for Linux for the Management Virtual Appliances in Region A
    Configure a Log Insight Agent Group for the Management Virtual Appliances in Region A
    Install the vRealize Log Insight Content Pack for Linux for Workspace One Access in Region A
    Configure a Log Insight Agent Group for the Management Virtual Appliances of Workspace One Access in Region A
    Configure Log Retention and Archiving for vRealize Log Insight in Region A
7 vRealize Automation Implementation in Region A
    Configure the Load Balancer for vRealize Automation in Region A
    Configure the Virtual IP Address for Load Balancing the vRealize Automation Cluster in Region A
    Create a Service Monitor for vRealize Automation in Region A
    Create a Server Pool for vRealize Automation in Region A
    Create the Application Profiles for vRealize Automation in Region A
    Create Virtual Servers for vRealize Automation in Region A
    Deploy vRealize Automation in Region A
    Prerequisites for Deploying vRealize Automation in Region A
    Import the vRealize Automation Multi-SAN Certificate to vRealize Suite Lifecycle Manager in Region A
    Add the vRealize Automation Password to vRealize Suite Lifecycle Manager in Region A
    Deploy vRealize Automation Using vRealize Suite Lifecycle Manager in Region A
    Post-Deployment vRealize Automation Configuration in Region A
    Configure NTP on the vRealize Automation Cluster
    Create a Folder and a Resource Pool for vRealize Automation Workloads on the Workload Domain vCenter Server in Region A
    Configure Service Account Privileges in Region A
    Configure the vSphere DRS Anti-Affinity Rule and Startup Order for vRealize Automation in Region A
    Configure Organization Settings for vRealize Automation in Region A
    Configure Cloud Assembly in Region A
    Configure the Embedded vRealize Orchestrator Instance in Region A
    Configure Email Alerts for vRealize Automation in Region A
    Post-Deployment Operations Management Integration with vRealize Automation in Region A
    Connect vRealize Automation to vRealize Operations Manager in Region A
    Connect vRealize Operations Manager to vRealize Automation in Region A
    Connect vRealize Log Insight to vRealize Automation in Region A
    Configure vRealize Automation for a Sample Project Implementation in Region A
    Content Library Configuration in Region A
    Customization Specifications for vRealize Automation Configuration in Region A
    Configure vRealize Automation Mappings for Region A
    Configure vRealize Automation Profiles for Region A
    Configure a Sample Project in vRealize Automation for Region A
    Configure Sample Blueprint in Region A
    Service Broker Configuration in Region A
    Deploy Sample Blueprint in Region A
About Deployment of VMware vRealize Suite 2019 on VMware Cloud Foundation 3.10
The Deployment of VMware vRealize Suite 2019 on VMware Cloud Foundation 3.10 document contains prescriptive guidance for deploying and configuring the vRealize® Suite 2019 products to a Software-Defined Data Center (SDDC) deployment of VMware Cloud Foundation™ 3.10.
The bill of materials of VMware Cloud Foundation 3.10 includes vRealize Suite products of earlier versions than the product versions in vRealize Suite 2019. This document provides supported guidance for substituting the vRealize Suite products in the bill of materials with the vRealize Suite 2019 products.
This guidance is developed with design objectives that included multi-region and disaster recovery use cases. At the time of this release, the guidance is provided only for single-region.
Intended Audience
This design is intended for cloud architects and administrators who want to deploy and use vRealize Suite 2019 on an SDDC that is deployed by using VMware Cloud Foundation 3.10.
Required VMware Software
Deployment of VMware vRealize Suite 2019 on VMware Cloud Foundation 3.10 is compliant and validated with specific vRealize Suite 2019 products and adjacent components. Deployment of VMware vRealize Suite 2019 on VMware Cloud Foundation 3.10 is also compatible with specific later vRealize Suite 2019 product versions.
The procedures in this guidance are prescriptive for the validated product versions. For the compatible product versions, you can use this guidance by replacing the corresponding product versions. If there are differences between the user interfaces of the validated and compatible versions, refer to the product documentation.
Table 1-1. vRealize Suite 2019 Products and Components
Product Group and Edition | Product | Compatible Version | Compatible Version | Compatible Version | Validated Guidance Version
VMware vRealize® Suite Lifecycle Manager™ | vRealize Suite Lifecycle Manager | 8.4 | 8.3 | 8.2 | 8.1 Patch 1 with 8.1 Product Support Pack 1
VMware Workspace ONE® Access™ | VMware Workspace ONE Access | 3.3.4 | 3.3.4 | 3.3.2 | 3.3.2
VMware vRealize® Operations Manager™ Advanced or higher | vRealize Operations Manager | 8.4 | 8.3 | 8.2 | 8.1
 | VMware vRealize® Operations Management Pack for NSX™ for vSphere® | 3.6.1* | 3.6.1* | 3.6.1* | 3.6.1*
 | VMware vRealize® Operations Management Pack for VMware Identity Manager™ (Workspace ONE Access) | 1.1* | 1.1* | 1.1* | 1.1*
 | VMware vRealize® Operations Management Pack for Storage Devices | 8.0* | 8.0* | 8.0* | 8.0*
VMware vRealize® Log Insight™ | vRealize Log Insight | 8.4 | 8.3 | 8.2 | 8.1.1
 | VMware vRealize® Log Insight™ Content Pack for NSX Data Center for vSphere | 4.2.1* | 4.2.1* | 4.2.1* | 4.0*
 | VMware vRealize® Log Insight™ Content Pack for NSX-T Data Center | 4.0.2* | 4.0.2* | 4.0.2* | 3.9*
 | VMware vRealize® Log Insight™ Content Pack for Linux | -** | -** | 2.1* | 2.1*
 | VMware vRealize® Log Insight Content Pack for Linux - Systemd | 1.0* | 1.0* | 1.0* | 1.0*
 | VMware vRealize® Log Insight Content Pack for vRealize Automation 8.3+ | 1.0** | 1.0** | - | -
 | VMware vRealize® Log Insight Content Pack for vRealize Suite Lifecycle Manager 8.0.1+ | 1.0.2*** | 1.0.2*** | 1.0.2*** |
VMware vRealize® Automation™ Advanced or higher | vRealize Automation | 8.4 | 8.3 | 8.2 | 8.1 Patch 1
* VMware Marketplace and in-product marketplace provide only the latest versions of the management packs for vRealize Operations Manager and the content packs for vRealize Log Insight. The software components table contains the latest versions of the packs that were available at the time this guidance was published or validated. When you deploy the components, it is possible that the version of a management or content pack on VMware Marketplace and in-product marketplace is newer than the one provided.
** Workspace ONE Access 3.3.4 is based on Photon OS and must transition to use the vRealize Log Insight Content Pack for Linux – Systemd.
*** Recommended compatible component.
VMware makes patches and releases available to address critical security and functional issues for several products. After deploying by using this guidance, verify that you are using the latest available security and express patches or hotfixes for each component.
- For applying patches and hotfixes to ESXi, vCenter Server, and NSX, use update bundles in SDDC Manager.
- For applying patches and hotfixes to vRealize Suite Lifecycle Manager, Workspace ONE Access, vRealize Operations Manager, vRealize Log Insight, or vRealize Automation, use vRealize Suite Lifecycle Manager.
If a patch must be applied to your environment, follow the VMware published practices and VMware Knowledge Base articles for the specific patch. If an issue occurs during or after the process of applying a patch, contact VMware Technical Support.
Before You Apply This Guidance
To use Deployment of VMware vRealize Suite 2019 on VMware Cloud Foundation 3.10, you must have a VMware Cloud Foundation 3.10 SDDC deployment with the following requirements:
- A newly deployed single-region SDDC
- A standard architecture - management domain and at least one virtual infrastructure workload domain
- During the VMware Cloud Foundation 3.10 bring-up, VXLAN-based overlay networks are created in the management domain. VMware Cloud Foundation 3.10 uses NSX Data Center for vSphere to create VXLAN-based overlay networks, called application virtual networks (AVNs). vRealize Suite products are deployed using these AVNs.
- vCenter Server instances in the management and workload domains are joined to Active Directory
Table 1-2. SDDC Virtual Infrastructure Components
Product | Management Domain | VI Workload Domain
SDDC Manager | ✓ | x
VMware vSphere® | ✓ | ✓
VMware vSAN™ | ✓ | Optional. Supports also NFS and FC.
VMware NSX® Data Center for vSphere® | ✓ | ✓
VMware NSX-T™ Data Center | x | ✓
For information about the versions of the SDDC virtual infrastructure components, see the VMware Cloud Foundation 3.10 Release Notes.
For information about deploying an SDDC by using VMware Cloud Foundation 3.10, see VMware Cloud Foundation Architecture and Deployment Guide at VMware Cloud Foundation Documentation.
Update History
This Deployment of VMware vRealize Suite 2019 on VMware Cloud Foundation 3.10 is updated with each release of the product or when necessary.
Revision | Description
20 APR 2021 | This guidance is compatible with the 8.3 and 8.4 versions of the vRealize Suite 2019 products. You can replace the corresponding validated product versions with the compatible versions. If there are differences between the user interfaces of the validated and compatible versions, refer to the product documentation. See Table 1-1. vRealize Suite 2019 Products and Components.
 | For vRealize Log Insight 8.2, the compatible content packs for NSX Data Center for vSphere, for NSX-T Data Center, and for vRealize Suite Lifecycle Manager are now the latest versions. See Table 1-1. vRealize Suite 2019 Products and Components.
03 DEC 2020 | This guidance is compatible with the 8.2 versions of the vRealize Suite 2019 products. You can replace the corresponding validated product versions with the compatible versions. If there are differences between the user interfaces of the validated and compatible versions, refer to the product documentation. See Table 1-1. vRealize Suite 2019 Products and Components.
 | To disassociate the default vRealize Log Insight deployment from SDDC Manager, you use a supported script from KB article https://kb.vmware.com/kb/81718. See the prerequisite in Remove the Default vRealize Log Insight Cluster in Region A.
01 OCT 2020 | The vRealize Automation to vSphere Integration role now includes privileges for vSphere tagging, datastore low level file operations, and vApp application configuration. See Define Custom User Roles in vSphere for vRealize Automation in Region A.
 | At VMware, we value inclusion. To foster this principle within our customer, partner, and internal community, we are replacing some of the terminology in our content. We have updated this guide to remove instances of non-inclusive language.
17 AUG 2020 | The vRealize Automation implementation now includes a reference to a KB article for use if the deployment fails while connecting to Workspace ONE Access. See Deploy vRealize Automation Using vRealize Suite Lifecycle Manager in Region A.
13 AUG 2020 | The vRealize Suite Lifecycle Manager implementation now includes updating the management domain vCenter Server in the region-specific data center to use the dedicated service account for the deployment of the region-specific components. See Configure Data Centers and vCenter Server in vRealize Suite Lifecycle Manager in Region A.
08 JUL 2020 | The vRealize Automation implementation now includes an NTP configuration. See Configure NTP on the vRealize Automation Cluster.
25 JUN 2020 | Initial release.
Planning and Preparation for Deployment of VMware vRealize Suite 2019 on VMware Cloud Foundation 3.10
Before you deploy and configure the vRealize Suite components and Workspace ONE Access, you must prepare the prerequisites.
Software Requirements
To prepare for implementing the vRealize Suite components and Workspace ONE Access, you must download and license the VMware products, scripts, and tools, as well as the third-party software required for building the SDDC.
Download the software for building the SDDC to a host machine that you allocated for SDDC access, which has connectivity to the VMware ESXi™ management network in the management cluster.
- VMware Scripts and Tools
  Download the following scripts and tools required for the deployment of vRealize Suite 2019 on VMware Cloud Foundation 3.10.
- Third-Party Software
  Download and license the following third-party software products.
VMware Scripts and Tools
Download the following scripts and tools required for the deployment of vRealize Suite 2019 on VMware Cloud Foundation 3.10.
Table 1-1. VMware Scripts and Tools Required for vRealize Suite 2019 deployment
SDDC Layer | Product or Product Group | Software or Script or Tool | Download Location | Description
SDDC | VMware Validated Design certificate generation utility | CertGenVVD 6.0 | VMware Knowledge Base article 78246 | Use this tool to generate Certificate Signing Request (CSR), OpenSSL CA-signed certificates, and Microsoft CA-signed certificates for the products included in this guide.
Third-Party Software
Download and license the following third-party software products.
Table 1-2. Third-Party Software Required for the vRealize Suite 2019 deployment
SDDC Layer | Required by VMware Component | Vendor | Product Item | Product Version
Virtual Infrastructure | A host machine in the data center that has access to the ESXi management network. | Any Supported | Any Supported | Any supported operating system and browser for the VMware vSphere® Client.
Operations Management | vRealize Operations Manager and vRealize Log Insight | Postman | Postman App | https://www.postman.com/
External Services
You must provide a set of external services before you deploy the vRealize Suite 2019 and Workspace ONE Access components for this guidance.
- IP Subnets for the Application Virtual Networks
  You must allocate an IP subnet to each application virtual network and the management applications that are in this network.
- Host Names and IP Addresses
  Before you deploy vRealize Suite 2019 and Workspace ONE Access, you must define the host names and IP addresses for each of the components. These host names must also be configured in DNS with fully qualified domain names (FQDN) that map the hosts to their IP addresses.
- Time Synchronization
  Synchronized systems over NTP are essential. Consistent system clocks are important for the proper operation of the components in the SDDC.
- User Accounts and Groups
  Before you deploy and configure vRealize Suite 2019 and Workspace ONE Access on VMware Cloud Foundation, you must provide a specific configuration of Active Directory users and groups. You use these users and Active Directory groups for application login, for assigning roles, and for application-to-application authentication.
- Active Directory Computer Objects
  You must create Active Directory computer objects for the Workspace ONE Access virtual appliances, so that they can join the Active Directory domain for connector operations.
- Additional Storage Requirements
  For vRealize Log Insight log archiving, you must provide supplemental storage.
IP Subnets for the Application Virtual Networks
You must allocate an IP subnet to each application virtual network and the management applications that are in this network.
Table 1-3. IP Subnets for the Application Virtual Networks
Application Virtual Network | Subnet
Mgmt-xRegion01-VXLAN | 192.168.11.0/24
Mgmt-RegionA01-VXLAN | 192.168.31.0/24
Note: Use these IP subnets as examples. Configure the actual IP subnets according to your environment.
Host Names and IP Addresses
Before you deploy vRealize Suite 2019 and Workspace ONE Access, you must define the host names and IP addresses for each of the components. These host names must also be configured in DNS with fully qualified domain names (FQDN) that map the hosts to their IP addresses.
- Host Names and IP Addresses for the Virtual Infrastructure Layer
  Allocate host names and IP addresses to components you deploy for the virtual infrastructure layer of the SDDC.
- Host Names and IP Addresses for vRealize Suite 2019 and Workspace ONE Access
  Allocate host names and IP addresses to all components you deploy for the vRealize Suite 2019 and Workspace ONE Access in the SDDC.
Host Names and IP Addresses for the Virtual Infrastructure Layer
Allocate host names and IP addresses to components you deploy for the virtual infrastructure layer of the SDDC.
Table 1-4. Host Names and IP Addresses for the Virtual Infrastructure Layer in Region A
Component Group | Host Name | DNS Zone | IP Address | Description
NSX® Data Center for vSphere | sfo01m01nsx01 | sfo01.rainpole.local | 172.16.11.65 | NSX Manager for the management domain
 | sfo01m01lb01 | - | 192.168.11.2 | NSX Edge device for load balancing management applications
Host Names and IP Addresses for vRealize Suite 2019 and Workspace ONE Access
Allocate host names and IP addresses to all components you deploy for the vRealize Suite 2019 and Workspace ONE Access in the SDDC.
Table 1-5. Host Names and IP Addresses for Cloud Operations and Cloud Automation
Component Group | Host Name | DNS Zone | IP Address | Description
Cross-Region Workspace ONE Access | wsa01svr01 | rainpole.local | 192.168.11.60 | External load balancer virtual server VIP for the Workspace ONE Access cluster
 | wsa01svr01a | rainpole.local | 192.168.11.61 | Primary node of the cross-region Workspace ONE Access cluster
 | wsa01svr01b | rainpole.local | 192.168.11.62 | Secondary node 1 of the cross-region Workspace ONE Access cluster
 | wsa01svr01c | rainpole.local | 192.168.11.63 | Secondary node 2 of the cross-region Workspace ONE Access cluster
 | n/a | n/a | 192.168.11.64 | Postgres Database IP of the cross-region Workspace ONE Access cluster
Region-Specific Workspace ONE Access | sfo01wsa01 | sfo01.rainpole.local | 192.168.31.60 | Standalone node of the regional Workspace ONE Access instance
vRealize® Suite Lifecycle Manager | vrslcm01svr01 | rainpole.local | 192.168.11.20 | vRealize Suite Lifecycle Manager appliance
vRealize® Operations Manager | vrops01svr01 | rainpole.local | 192.168.11.30 | External load balancer virtual server VIP for the vRealize Operations Manager analytics cluster
 | vrops01svr01a | rainpole.local | 192.168.11.31 | Primary node of vRealize Operations Manager
 | vrops01svr01b | rainpole.local | 192.168.11.32 | Primary replica node of vRealize Operations Manager
 | vrops01svr01c | rainpole.local | 192.168.11.33 | Data node 1 of vRealize Operations Manager
 | sfo01vropsc01a | sfo01.rainpole.local | 192.168.31.31 | Remote Collector 1 of vRealize Operations Manager
 | sfo01vropsc01b | sfo01.rainpole.local | 192.168.31.32 | Remote Collector 2 of vRealize Operations Manager
vRealize® Log Insight | sfo01vrli01 | sfo01.rainpole.local | 192.168.31.10 | Integrated load balancer VIP of vRealize Log Insight cluster
 | sfo01vrli01a | sfo01.rainpole.local | 192.168.31.11 | Primary node of the vRealize Log Insight cluster
 | sfo01vrli01b | sfo01.rainpole.local | 192.168.31.12 | Worker node 1 of the vRealize Log Insight cluster
 | sfo01vrli01c | sfo01.rainpole.local | 192.168.31.13 | Worker node 2 of the vRealize Log Insight cluster
VMware vRealize® Automation | vra01svr01 | rainpole.local | 192.168.11.50 | External load balancer virtual server VIP of vRealize Automation cluster
 | vra01svr01a | rainpole.local | 192.168.11.51 | Node 1 of vRealize Automation cluster
 | vra01svr01b | rainpole.local | 192.168.11.52 | Node 2 of vRealize Automation cluster
 | vra01svr01c | rainpole.local | 192.168.11.53 | Node 3 of the vRealize Automation cluster
Time Synchronization
Synchronized systems over NTP are essential. Consistent system clocks are important for the proper operation of the components in the SDDC.
Using NTP also makes it easier to correlate log files from multiple sources during troubleshooting, auditing, or inspection of log files to detect attacks.
Requirements for Time Synchronization
All vRealize Suite 2019 and Workspace ONE Access components must be configured to use NTP for time synchronization.
NTP Server Configuration
- Configure two time sources per region that are external to the SDDC. These sources can be physical radio or GPS time servers, or even NTP servers running on physical routers or servers.
- Ensure that the external time servers are synchronized to different time sources to ensure desirable NTP dispersion.
DNS Configuration
Configure a DNS Canonical Name (CNAME) record that maps the two time sources to one DNS name.
Table 1-6. NTP Server FQDN and IP Configuration in Region A

| NTP Server FQDN | Mapped IP Address |
| --- | --- |
| ntp.sfo01.rainpole.local | 172.16.11.251, 172.16.11.252 |
| 0.ntp.sfo01.rainpole.local | 172.16.11.251 |
| 1.ntp.sfo01.rainpole.local | 172.16.11.252 |

Time Synchronization on the SDDC Nodes
- Synchronize time with NTP on the following SDDC components:
  - Active Directory domain controllers
  - SDDC Manager
  - vCenter Server instances
  - ESXi hosts
  - NSX Managers, Edges, and Controllers, as applicable
  - Workspace ONE Access instance and cluster appliances
  - vRealize Suite Lifecycle Manager appliance
  - vRealize Log Insight cluster appliances
  - vRealize Operations Manager cluster appliances
  - vRealize Automation cluster appliances
- Configure each system with one or more NTP server aliases.
Time Synchronization for Virtual Machines
As a best practice, for time synchronization on virtual machines, enable NTP-based time synchronization instead of the VMware Tools periodic time synchronization. NTP is an industry standard and ensures accurate timekeeping in the guest operating system.
User Accounts and Groups
Before you deploy and configure vRealize Suite 2019 and Workspace ONE Access on VMware Cloud Foundation, you must provide a specific configuration of Active Directory users and groups. You use these users and Active Directory groups for application login, for assigning roles, and for application-to-application authentication.
Active Directory Service Accounts
In an environment that has parent and child domains in a single forest, store service accounts in the parent domain and user accounts in each of the child domains. By using the group scope attribute of Active Directory groups, you manage resource access across domains.
Active Directory Administrator Account
Some installation and configuration tasks require a domain account with elevated permissions to add computer objects to the Active Directory domains.
- Active Directory Groups
  To grant user and service accounts the access that is required to perform their task, create Active Directory groups according to certain rules.
- Active Directory User Accounts
  A service account provides non-interactive and non-human access to services and APIs to the components of the SDDC. You must create service accounts for accessing functionality on the SDDC nodes, and user accounts for operations and tenant administration.
- Local Application User Accounts
  Local application user accounts enable you to perform system and application administration. To deploy vRealize Suite and Workspace ONE Access components, you must follow the required password complexity to set the passwords for local root and administrative accounts.
- Password Complexity for Application and Service Accounts
  You must consider the requirements for password complexity. Provide the default passwords for the products according to the requirements before you run the deployment operation.
Active Directory Groups
To grant user and service accounts the access that is required to perform their task, create Active Directory groups according to certain rules.
Create Active Directory groups according to the following rules:
1 Add user and service accounts to universal groups in the parent domain.
2 Add the global groups in each child domain to the universal groups.
3 Where applicable, assign access rights and permissions to the global groups located in the child domains, and to the universal groups located in the parent domain, rainpole.local, to specific products according to their role.
Universal Groups in the Parent Domain
In the parent domain, rainpole.local, create the following universal groups:
Table 1-7. Universal Groups in the Parent Domain

| Group Name | Group Scope | Description |
| --- | --- | --- |
| ug-wsa-admins | Universal | Group for Workspace ONE Access administrators |
| ug-wsa-directory-admins | Universal | Group for Workspace ONE Access directory administrators |
| ug-wsa-read-only | Universal | Group for Workspace ONE Access read-only user |
| ug-vrslcm-admins | Universal | Group for vRealize Suite Lifecycle Manager administrators |
| ug-vrslcm-content-admins | Universal | Group for vRealize Suite Lifecycle Manager content administrators |
| ug-vrslcm-content-developers | Universal | Group for vRealize Suite Lifecycle Manager content developers |
| ug-vrops-admins | Universal | Group for vRealize Operations administrators |
| ug-vrops-content-admins | Universal | Group for vRealize Operations content administrators |
| ug-vrops-read-only | Universal | Group for vRealize Operations read-only users |
| ug-vrli-admins | Universal | Group for vRealize Log Insight super administrators |
| ug-vrli-users | Universal | Group for vRealize Log Insight dashboard users |
| ug-vrli-viewers | Universal | Group for vRealize Log Insight view-only users |
| ug-vra-org-owners | Universal | Group for vRealize Automation organization owners |
| ug-vra-cloud-assembly-admins | Universal | Group for vRealize Automation organization member and Cloud Assembly administrators |
| ug-vra-cloud-assembly-users | Universal | Group for vRealize Automation organization member and Cloud Assembly users |
| ug-vra-service-broker-admins | Universal | Group for vRealize Automation organization member and Service Broker administrators |
| ug-vra-service-broker-users | Universal | Group for vRealize Automation organization member and Service Broker users |
| ug-vra-orchestrator-admins | Universal | Group for vRealize Automation organization member and vRealize Orchestrator administrators |
| ug-vra-orchestrator-designers | Universal | Group for vRealize Automation organization member and vRealize Orchestrator workflow designers |
| ug-vra-project-admins-sample | Universal | Group for vRealize Automation organization member and project administrators for the sample project |
| ug-vra-project-admins-x | Universal | Group for vRealize Automation organization member and project administrators for a specific project |
| ug-vra-project-users-sample | Universal | Group for vRealize Automation organization member and project member for the sample project |
| ug-vra-project-users-x | Universal | Group for vRealize Automation organization member and project member for a specific project |

Global Groups in the Child Domains
In each child domain, add the relevant role-specific global group in the child domain to the role-specific universal group in the parent domain.
Table 1-8. Global Groups in the Child Domains

| Group Name | Group Scope | Description | Member of Groups |
| --- | --- | --- | --- |
| gg-vrslcm-admins | Global | Global group in a child domain for vRealize Suite Lifecycle Manager administrators | RAINPOLE\ug-vrslcm-admins |
| gg-vrslcm-content-admins | Global | Global group in a child domain for vRealize Suite Lifecycle Manager content administrators | RAINPOLE\ug-vrslcm-content-admins |
| gg-vrslcm-content-developers | Global | Global group in a child domain for vRealize Suite Lifecycle Manager content developers | RAINPOLE\ug-vrslcm-content-developers |
| gg-vrops-admins | Global | Global group in a child domain for vRealize Operations Manager administrators | RAINPOLE\ug-vrops-admins |
| gg-vrops-content-admins | Global | Global group in a child domain for vRealize Operations Manager content administrators | RAINPOLE\ug-vrops-content-admins |
| gg-vrops-read-only | Global | Global group in a child domain for vRealize Operations Manager read-only users | RAINPOLE\ug-vrops-read-only |
| gg-vrli-admins | Global | Global group in a child domain for vRealize Log Insight super administrators | RAINPOLE\ug-vrli-admins |
| gg-vrli-users | Global | Global group in a child domain for vRealize Log Insight dashboard users | RAINPOLE\ug-vrli-users |
| gg-vrli-viewers | Global | Global group in a child domain for vRealize Log Insight view-only users | RAINPOLE\ug-vrli-viewers |
| gg-vra-org-owners | Global | Global group in a child domain for vRealize Automation organization owners | RAINPOLE\ug-vra-org-owners |
| gg-vra-cloud-assembly-admins | Global | Global group in a child domain for vRealize Automation organization member and Cloud Assembly administrators | RAINPOLE\ug-vra-cloud-assembly-admins |
| gg-vra-cloud-assembly-users | Global | Global group in a child domain for vRealize Automation organization member and Cloud Assembly users | RAINPOLE\ug-vra-cloud-assembly-users |
| gg-vra-service-broker-admins | Global | Global group in a child domain for vRealize Automation organization member and Service Broker administrators | RAINPOLE\ug-vra-service-broker-admins |
| gg-vra-service-broker-users | Global | Global group in a child domain for vRealize Automation organization member and Service Broker users | RAINPOLE\ug-vra-service-broker-users |
| gg-vra-orchestrator-admins | Global | Global group in a child domain for vRealize Automation organization member and Orchestrator administrators | RAINPOLE\ug-vra-orchestrator-admins |
| gg-vra-orchestrator-designers | Global | Global group in a child domain for vRealize Automation organization member and Orchestrator workflow designers | RAINPOLE\ug-vra-orchestrator-designers |
| gg-vra-project-admins-sample | Global | Global group in a child domain for vRealize Automation organization member and Project Administrators for the sample project | RAINPOLE\ug-vra-project-admins-sample |
| gg-vra-project-admins-x | Global | Global group in a child domain for vRealize Automation organization member and project administrators for the specific project | RAINPOLE\ug-vra-project-admins-x |
| gg-vra-project-users-sample | Global | Global group in a child domain for vRealize Automation organization member and project member for the sample project | RAINPOLE\ug-vra-project-users-sample |
| gg-vra-project-users-x | Global | Global group in a child domain for vRealize Automation organization member and project member for the specific project | RAINPOLE\ug-vra-project-users-x |

Active Directory User Accounts
A service account provides non-interactive and non-human access to services and APIs to the components of the SDDC. You must create service accounts for accessing functionality on the SDDC nodes, and user accounts for operations and tenant administration.
Service Accounts
A service account is a standard Active Directory account that you configure in the following way:
- The password never expires.
- The user cannot change the password.
In addition, a special service account is also required to perform domain join operations if a component registers itself in Active Directory as a computer object. This account must have the right to join computers to the Active Directory domain.
Service Accounts for vRealize Suite 2019 and VMware Workspace ONE Access
This design introduces a set of service accounts that are used in a one- or bidirectional fashion to enable secure application communication. You use custom roles to ensure that these accounts have only the least permissions that are required for authentication and data exchange.
Table 1-9. Application-to-Application or Application Service Accounts in vRealize Suite and VMware Workspace ONE Access

| User Name | Description | Source | Destination | Required Role on the Destination | Password Complexity Category |
| --- | --- | --- | --- | --- | --- |
| svc-domain-join | Service account for performing domain-join operations for Workspace ONE Access connectors | Workspace ONE Access | Active Directory | Account Operators Group, and Delegation to Join Computers to Domain for both the parent and child domains | Standard |
| svc-wsa-ad | Service account used for performing Active Directory bind operations in the Workspace ONE Access directory | Workspace ONE Access | Active Directory | - | Standard |
| svc-vrslcm-vsphere | A service account for deploying and managing the lifecycle of vRealize Suite components on the Software-Defined Data Center | vRealize Suite Lifecycle Manager | Management domain vCenter Server | vRealize Suite Lifecycle Manager User (Custom) | Standard |
| | | | Workload domain vCenter Server | No Access | Standard |
| svc-vrli-vsphere | Service account for connecting vRealize Log Insight to vCenter Server and ESXi for forwarding log information | vRealize Log Insight | vCenter Server | Log Insight User (Custom) | Standard |
| svc-vrli-vrops | Service account for connecting vRealize Log Insight to vRealize Operations Manager for log forwarding, alerts, and for Launch in Context integration | vRealize Log Insight | vRealize Operations Manager | Administrator | Standard |
| svc-vrops-vsphere | Service account for monitoring and collecting general metrics about vSphere objects, including infrastructure and virtual machines, from vCenter Server into vRealize Operations Manager. Also used to perform some actions or tasks on the objects it manages in vCenter Server | vRealize Operations Manager | vCenter Server | vSphere Actions User | Standard |
| svc-vrops-nsx | Service account that is available in the Active Directory domain and locally on NSX Manager for collecting data in vRealize Operations Manager from the NSX Manager instances about virtual networking. Important: Only applicable to NSX Data Center for vSphere. | vRealize Operations Manager | vCenter Server | Read-Only | Standard |
| | | | NSX Data Center for vSphere | Security Administrator | Standard |
| svc-vrops-vsan | Service account for monitoring and collecting metrics about vSAN datastores from vCenter Server in vRealize Operations Manager | vRealize Operations Manager | vCenter Server | MPSD Metrics User | Standard |
| svc-vrops-mpsd | Service account for monitoring storage devices from vCenter Server in vRealize Operations Manager | vRealize Operations Manager | vCenter Server | MPSD Metrics User | Standard |
| svc-vrops-vra | Service account for monitoring vRealize Automation in vRealize Operations Manager | vRealize Operations Manager | vRealize Automation | Organization Owner, Cloud Assembly, Cloud Assembly Administrator | Standard |
| svc-vra-vrops | Service account for retrieving statistics from vRealize Operations Manager in vRealize Automation for workload placement and costs | vRealize Automation | vRealize Operations Manager | Read-Only | Standard |
| svc-vra-vsphere | Service account for access from vRealize Automation to vCenter Server. | vRealize Automation | Management domain vCenter Server | No Access | Standard |
| | | | Workload domain vCenter Server | vRealize Automation to vSphere Integration (Custom) | Standard |
| svc-vro-vsphere | Service account for access from vRealize Orchestrator to vCenter Server | vRealize Orchestrator | Management domain vCenter Server | No Access | Standard |
| | | | Workload domain vCenter Server | vRealize Orchestrator to vSphere Integration (Custom) | Standard |

Local Application User Accounts
Local application user accounts enable you to perform system and application administration. To deploy vRealize Suite and Workspace ONE Access components, you must follow the required password complexity to set the passwords for local root and administrative accounts.
All passwords must meet the specific requirements for their complexity category. See Password Complexity for Application and Service Accounts. Passwords can be the same or different across components.
Table 1-10. Local Application Accounts

| SDDC Layer | Component | User Account | Description | Password Complexity Category |
| --- | --- | --- | --- | --- |
| Security and Compliance | Workspace ONE Access | root | Appliance operating system account | Standard |
| | | sshuser | Appliance operating system account | Standard |
| | | admin | Default application administrator account | Standard |
| | | configadmin | Bootstrapped application user account | Standard |
| Cloud Operations | vRealize Suite Lifecycle Manager | root | Appliance operating system account | Standard |
| | | admin@local | Default application administrator account | Standard |
| | vRealize Operations Manager | root | Appliance operating system account | Standard |
| | | admin | Default application administrator account | Standard |
| | vRealize Log Insight | root | Appliance operating system account | vRealize Log Insight |
| | | admin | Default application administrator account | Standard |
| Cloud Automation | vRealize Automation | root | Appliance operating system account | Standard |

Password Complexity for Application and Service Accounts
You must consider the requirements for password complexity. Provide the default passwords for the products according to the requirements before you run the deployment operation.
Passwords can be different per account or common across multiple accounts.
You set passwords for both the required local accounts and Active Directory users. For information on the use, names, and required roles for the accounts, see Active Directory User Accounts and Local Application User Accounts.
Table 1-11. Categories of Password Complexity Requirements

| Password Category Type | Password Property | Requirements for Complexity |
| --- | --- | --- |
| Standard | Length | 8-125 characters |
| | Characters | Must include a mix of upper-case and lower-case letters, a number, and a special character such as @ ! # $ % ^ ? Must not include characters such as { } [ ] ( ) / \ ' " ` ~ , ; : . < > |
| ESG | Length | 12-255 characters |
| | Characters | Must include a mix of upper-case and lower-case letters, a number, and a special character such as @ ! # $ % ^ ? Must not include characters such as { } [ ] ( ) / \ ' " ` ~ , ; : . < > Must not include words, for example, admin. Must not include characters repeated consecutively more than three times. |
| vRealize Log Insight | Length | 8-12 characters |
| | Characters | Must include a mix of upper-case and lower-case letters, a number, and a special character such as @ ! # $ % ^ ? Must not include a character repeated consecutively more than four times. |

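The three categories in Table 1-11 expressed as a pre-deployment check, as an added example that is not part of the VMware documentation. It assumes that the "such as" character lists in the table are the complete sets and that a small hypothetical word list stands in for "words"; the sample plan and its passwords are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Character sets copied from Table 1-11. The table says "such as", so treating
# them as the complete sets is an assumption of this example.
REQUIRED_SPECIALS = set("@!#$%^?")
FORBIDDEN_CHARS = set("{}[]()/\\'\"`~,;:.<>")
# Table 1-11 names only "admin" as a forbidden word; the others are assumptions.
DENY_WORDS = ("admin", "password", "vmware")


@dataclass(frozen=True)
class Policy:
    min_len: int
    max_len: int
    forbid_chars: bool      # reject FORBIDDEN_CHARS
    forbid_words: bool      # reject DENY_WORDS (case-insensitive substring)
    max_run: Optional[int]  # longest allowed run of one character, None = no limit


POLICIES: Dict[str, Policy] = {
    "Standard": Policy(8, 125, True, False, None),
    "ESG": Policy(12, 255, True, True, 3),
    "vRealize Log Insight": Policy(8, 12, False, False, 4),
}


def longest_run(text: str) -> int:
    """Length of the longest run of one consecutively repeated character."""
    best = run = 0
    prev = None
    for ch in text:
        run = run + 1 if ch == prev else 1
        best = max(best, run)
        prev = ch
    return best


def check_password(password: str, category: str) -> List[str]:
    """Return the Table 1-11 rules the password breaks (empty list = compliant)."""
    policy = POLICIES[category]
    problems = []
    if not policy.min_len <= len(password) <= policy.max_len:
        problems.append(
            f"length {len(password)} is outside {policy.min_len}-{policy.max_len}")
    if not (any(c.isupper() for c in password)
            and any(c.islower() for c in password)):
        problems.append("needs a mix of upper-case and lower-case letters")
    if not any(c.isdigit() for c in password):
        problems.append("needs a number")
    if not REQUIRED_SPECIALS & set(password):
        problems.append("needs a special character such as @ ! # $ % ^ ?")
    if policy.forbid_chars:
        bad = sorted(FORBIDDEN_CHARS & set(password))
        if bad:
            problems.append("contains forbidden characters: " + " ".join(bad))
    if policy.forbid_words:
        hits = [w for w in DENY_WORDS if w in password.lower()]
        if hits:
            problems.append("contains words: " + ", ".join(hits))
    if policy.max_run is not None and longest_run(password) > policy.max_run:
        problems.append(
            f"repeats a character more than {policy.max_run} times in a row")
    return problems


def audit(plan: Dict[str, Tuple[str, str]]) -> Dict[str, List[str]]:
    """Check a {account: (category, password)} plan; return failing accounts only."""
    failures = {}
    for account, (category, password) in plan.items():
        problems = check_password(password, category)
        if problems:
            failures[account] = problems
    return failures


# Constructed sample plan. Account names and categories follow Tables 1-9 and
# 1-10; the passwords are made up for this example and must not be reused.
SAMPLE_PLAN = {
    "svc-vrslcm-vsphere": ("Standard", "Tr0ub4dor#Lcm"),
    "svc-wsa-ad": ("Standard", "Bind.Acc0unt#"),                         # "." is forbidden
    "root (vRealize Log Insight)": ("vRealize Log Insight", "L0g#Insight2021"),  # 15 > 12
    "admin (vRealize Log Insight)": ("Standard", "L0g#Insight2021"),     # fine as Standard
}

if __name__ == "__main__":
    for account, problems in audit(SAMPLE_PLAN).items():
        print(account, "->", "; ".join(problems))
```

The same string can pass one category and fail another, so check each account against the category that Tables 1-9 and 1-10 assign to it rather than against Standard alone.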
Active Directory Computer Objects
You must create Active Directory computer objects for the Workspace ONE Access virtual appliances, so that they can join the Active Directory domain for connector operations.
Computer Objects in the Parent Domain
In the parent domain, rainpole.local, create the following computer objects.
Table 1-12. Computer Objects in the Parent Domain

| Computer Name | User or Group | Description |
| --- | --- | --- |
| wsa01svr01a | rainpole.local\svc-domain-join | Workspace ONE Access connectors |
| wsa01svr01b | | |
| wsa01svr01c | | |

Computer Objects in the Child Domains
In the child domain, sfo01.rainpole.local, create the following computer objects.
Table 1-13. Computer Objects in the Child Domain

| Computer Name | User or Group | Description |
| --- | --- | --- |
| sfo01wsa01 | sfo01.rainpole.local\svc-domain-join | Workspace ONE Access connectors |

Additional Storage Requirements
For vRealize Log Insight log archiving, you must provide supplemental storage.
Table 1-14. NFS Export Configuration for vRealize Log Insight

| Server | Export | Size | Description |
| --- | --- | --- | --- |
| nfs_server_address | /sfo01vrli01_archive | 400 GB | NFS datastore for log archiving in vRealize Log Insight |

My VMware Account Requirements
You register vRealize Suite Lifecycle Manager with My VMware to download product binaries to the local repository used during some post-deployment and upgrade operations. With the My VMware account, you can also download content from the VMware Marketplace API service through the vRealize Suite Lifecycle Manager integration.
You use the My VMware integration to simplify, automate, organize, and update the repository. If your organization restricts outbound traffic from the management components of the SDDC, you can download the product binaries from My VMware and discover them in the vRealize Suite Lifecycle Manager user interface for inclusion in the repository.
To register vRealize Suite Lifecycle Manager with My VMware, invite a designated user to the entitlement account and limit the folder level permissions for the user.
- For information about inviting a user to a My VMware account, see KB 2070555.
- For information about assigning user permissions in a My VMware account, see KB 2006977.
You can structure the folders, user, and permissions in a My VMware entitlement account in any way that best serves the asset management and operations support needs of your business. The minimum requirements and permissions for the My VMware account used by vRealize Suite Lifecycle Manager include:
- A folder with the vRealize Suite product entitlements
- View License Keys & User Permissions
- Download Products
Table 1-15. My VMware Account for vRealize Suite Lifecycle Manager
First Name Last Name User Email Minimum Folder Permissions Folder Product Entitlement in Folder
vRealize Suite Lifecycle Manager User at Rainpole [email protected]
- View License Keys & User Permissions
- Download Products
- Home folder
- Child folder
vRealize Suite
1 Prepare the Environment for Deployment of Cloud Operations and Automation in Region A
Before you begin the deployment of vRealize Suite 2019 and Workspace ONE Access in Region A, your environment must meet target prerequisites and be in a specific starting state. Prepare the SDDC by configuring the necessary infrastructure, operational, and management components.
Prerequisites
You have a newly deployed VMware Cloud Foundation 3.10 SDDC.
Procedure
1 Remove the Default vRealize Log Insight Cluster in Region A
You first disassociate the default vRealize Log Insight deployment from SDDC Manager, then you power off and delete the vRealize Log Insight nodes from the management domain vCenter Server.
2 Create the Virtual Machine and Template Folders in Region A
Create folders in which to group the vRealize Suite and Workspace ONE Access components for easier management.
3 Deploy the NSX Data Center for vSphere Load Balancer in Region A
You deploy a load balancer for use by the cross-region Workspace ONE Access, vRealize Operations Manager, and vRealize Automation components, which are connected to the Mgmt-xRegion01-VXLAN application virtual network.
Remove the Default vRealize Log Insight Cluster in Region A
You first disassociate the default vRealize Log Insight deployment from SDDC Manager, then you power off and delete the vRealize Log Insight nodes from the management domain vCenter Server.
Table 1-1. vRealize Log Insight Nodes

| vRealize Log Insight Node | VM Name |
| --- | --- |
| Primary node | sfo01vrli01a |
| Worker node 1 | sfo01vrli01b |
| Worker node 2 | sfo01vrli01c |

Prerequisites
Disassociate the default vRealize Log Insight deployment from SDDC Manager by using a supported script on the SDDC Manager appliance. See https://kb.vmware.com/kb/81718.
Procedure
1 In a Web browser, log in to vCenter Server by using the vSphere Client.

| Setting | Value |
| --- | --- |
| URL | https://sfo01m01vc01.sfo01.rainpole.local/ui |
| User name | [email protected] |
| Password | vsphere_admin_password |

2 From the Hosts and clusters inventory, select the sfo01-m01-mgmt01 cluster.
3 Click the VMs tab.
4 In the Filter text box, enter sfo01vrli01 and press Enter.
5 Right-click each vRealize Log Insight virtual machine and select Power > Power off.
6 Wait for the virtual machines to power off.
7 Right-click each vRealize Log Insight virtual machine and select Delete from Disk.
Create the Virtual Machine and Template Folders in Region A
Create folders in which to group the vRealize Suite and Workspace ONE Access components for easier management.
You create folders to group application components.

| Application | Folder |
| --- | --- |
| vRealize Suite Lifecycle Manager | sfo01-m01fd-vrslcm |
| Cross-region and region-specific Workspace ONE Access | sfo01-m01fd-wsa |
| vRealize Operations Manager | sfo01-m01fd-vrops |
| vRealize Operations Manager remote collectors | sfo01-m01fd-vropsrc |
| vRealize Log Insight | sfo01-m01fd-vrli |
| vRealize Automation | sfo01-m01fd-vra |

Procedure
1 In a Web browser, log in to vCenter Server by using the vSphere Client.

| Setting | Value |
| --- | --- |
| URL | https://sfo01m01vc01.sfo01.rainpole.local/ui |
| User name | [email protected] |
| Password | vsphere_admin_password |

2 In the VMs and templates inventory, expand the sfo01m01vc01.sfo01.rainpole.local tree.
3 Right-click the sfo01-m01dc data center, and select New folder > New VM and template folder.
4 In the New folder dialog box, enter sfo01-m01fd-vrslcm as the folder name, and click OK.
5 Repeat this procedure to create the remaining folders for the application components.
Deploy the NSX Data Center for vSphere Load Balancer in Region A
You deploy a load balancer for use by the cross-region Workspace ONE Access, vRealize Operations Manager, and vRealize Automation components, which are connected to the Mgmt-xRegion01-VXLAN application virtual network.
Procedure
1 In a Web browser, log in to vCenter Server by using the vSphere Client.

| Setting | Value |
| --- | --- |
| URL | https://sfo01m01vc01.sfo01.rainpole.local/ui |
| User name | [email protected] |
| Password | vsphere_admin_password |

2 In the Networking and security inventory, click NSX Edges.
3 From the NSX Manager drop-down menu, select 172.16.11.65.
4 Click Add and select Edge services gateway.
5 On the Basic details page of the New edge services gateway wizard, enter these values and click Next.

| Setting | Value |
| --- | --- |
| Name | sfo01m01lb01 |
| Hostname | sfo01m01lb01.sfo01.rainpole.local |
| Tenant | - |
| Description | Load Balancer for vRealize Suite |
| Deploy NSX Edge | Selected |
| Enable high availability | Selected |

6 On the Settings page, enter these values and click Next.

| Setting | Value |
| --- | --- |
| User name | admin |
| Password | edge_admin_password |
| Enable SSH access | Selected |
| Enable FIPS mode | Deselected |
| Enable auto rule generation | Selected |
| Edge control level logging | Info |

7 On the Deployment configuration page, perform the following configuration steps, and click Next.
a From the Datacenter drop-down menu, select sfo01-m01dc.
b Under Appliance size, select Large.
c Click Add edge appliance VM, enter these values, and click OK.

| Setting | Value |
| --- | --- |
| Resource pool | sfo01-m01-mgmt01 |
| Datastore | sfo01-m01-vsan01 |
| Folder | sfo01-m01fd-nsx |
| Resource reservation | System Managed |

d Repeat Step 7.c to create a second appliance.
8 On the Configure interfaces page, configure the OneArmLB interface.
a Click Add.
b On the Basic tab, enter these values.

| Setting | Value |
| --- | --- |
| Name | OneArmLB |
| Type | Internal |
| Connected to | Mgmt-xRegion01-VXLAN |
| Connectivity status | Connected |

c On the Basic tab, under Configure subnets, click Add and enter these values.

| Setting | Value |
| --- | --- |
| Primary IP address | 192.168.11.2 |
| Subnet prefix length | 24 |

d Click the Advanced tab and enter these values.

| Setting | Value |
| --- | --- |
| MAC address | - |
| MTU | 9000 |
| Proxy ARP | Disabled |
| Send ICMP redirect | Selected |
| Reverse path filter | Enable Strict |
| Fence parameters | - |

e Click OK and click Next.
9 On the Default gateway page, turn off the Configure default gateway toggle to disable the default gateway and click Next.
10 On the Firewall default policy page, configure these settings and click Next.

| Setting | Value |
| --- | --- |
| Firewall default policy | Enabled |
| Default traffic policy | Accept |
| Logging | Disabled |

11 On the High availability page, configure these settings and click Next.

| Setting | Value |
| --- | --- |
| vNIC | any |
| Declare dead time | 15 |
| Management IPs | - |
| HA logging | Disabled |

12 On the Review page, review the configuration settings that you entered and click Finish.
13 Enable HA logging.
a On the NSX Edges page, click the ID of the sfo01m01lb01 edge services gateway to open its network settings.
b Click the Configure tab and click High availability.
c Click Edit.
d Turn on the Logging toggle and click Save.
14 Configure the default gateway.
a On the NSX Edges page, click the ID of the sfo01m01lb01 edge services gateway to open its network settings.
b Click the Routing tab and click Global configuration.
c Next to Default Gateway, click Edit.
d In the Gateway IP text box, enter 192.168.11.1 and click Save.
e Click Publish changes.
15 Enable the Load Balancer and Acceleration mode.
a On the NSX Edges page, click the ID of the sfo01m01lb01 edge services gateway to open its network settings.
b Click the Load balancer tab and click Global configuration.
c Click Edit and turn on the Load balancer and Acceleration toggles.
d Click Save.
2 vRealize Suite Lifecycle Manager Implementation in Region A
You deploy the vRealize Suite Lifecycle Manager appliance by using the vRealize Easy Installer, configure common settings, and upload and configure product binaries.
Procedure
1 Prerequisites for Deploying vRealize Suite Lifecycle Manager in Region A
Before you deploy vRealize Suite Lifecycle Manager in Region A, verify that your environment fulfills the requirements for this deployment.
2 Configure User Access in vSphere for Integration with vRealize Suite Lifecycle Manager in Region A
Configure an operations service account with the required permissions to enable the vRealize Suite Lifecycle Manager instance to deploy and manage the vRealize Suite components of the Software-Defined Data Center (SDDC) on the Management domain vCenter Server.
3 Deploy the vRealize Suite Lifecycle Manager Appliance in Region A
You deploy the vRealize Suite Lifecycle Manager appliance by using VMware vRealize Suite Lifecycle Manager 8.1 Easy Installer, configure storage, networking, and other appliance attributes.
4 Post-Deployment Configuration of the vRealize Suite Lifecycle Manager Instance in Region A
You configure the vRealize Suite Lifecycle Manager appliance system settings and replace the appliance certificate.
5 Register the vRealize Suite Lifecycle Manager Instance with My VMware
You can integrate vRealize Suite Lifecycle Manager directly with a My VMware account to access vRealize Suite licenses within an entitlement account and manage the download of product OVA files for install, patch, and upgrade. You can also use the My VMware account registration to download content from the VMware Marketplace.
6 Upload and Map Product Binaries to the vRealize Suite Lifecycle Manager Instance in Region A
You upload product binaries to the vRealize Suite Lifecycle Manager repository and map the binaries by using the vRealize Suite Lifecycle Manager UI.
7 Configure Data Centers and vCenter Server in vRealize Suite Lifecycle Manager in Region A
Before you can create a local environment for product deployments, you must update the credentials for the Management domain vCenter Server that is associated with the region-specific data center in vRealize Suite Lifecycle Manager. Before you can create a cross-region environment for product deployments, you must add a cross-region data center and the associated Management domain vCenter Server to vRealize Suite Lifecycle Manager.
8 Add the Cross-Region Environment Password to vRealize Suite Lifecycle Manager
To enable vRealize Suite Lifecycle Manager to deploy cross-region solution products, you must add the cross-region environment administrator account to the vRealize Suite Lifecycle Manager Locker.
Prerequisites for Deploying vRealize Suite Lifecycle Manager in Region A
Before you deploy vRealize Suite Lifecycle Manager in Region A, verify that your environment fulfills the requirements for this deployment.
Verify that your environment satisfies the following prerequisites for the deployment of vRealize Suite Lifecycle Manager.
Prerequisite Value
Storage
- Virtual disk provisioning: Thin
- Required storage: 254 GB
Software Features
- Verify that vCenter Server is operational.
- Verify that vCenter Server is joined to Active Directory.
- Verify that the application virtual networks are available.
- Verify that you have a VMware Cloud Foundation edition that covers the products in the vRealize Suite.
- Verify that the static IP address and FQDN for the vRealize Suite Lifecycle Manager deployment are available. See Host Names and IP Addresses for vRealize Suite 2019 and Workspace ONE Access.
Installation packages Verify that you downloaded the VMware vRealize Suite Lifecycle Manager 8.1 Easy Installer OVA file from My VMware.
Software Entitlement Verify that you obtained a vRealize Suite edition that satisfies the requirements of this design.
My VMware Account Verify that you have a My VMware account with permissions to view licenses and download products.
Active Directory Verify that you have a parent Active Directory with the SDDC user roles configured for the domain.
- svc-vrslcm-vsphere (User)
Certificate Authority Verify that you have a validated SSL certificate. You can generate the certificate using the CertGenVVD utility. See Certificate Generation Utility for VMware Validated Design for Software-Defined Data Center 6.x (78246).
Configure User Access in vSphere for Integration with vRealize Suite Lifecycle Manager in Region A
Configure an operations service account with the required permissions to enable the vRealize Suite Lifecycle Manager instance to deploy and manage the vRealize Suite components of the Software-Defined Data Center (SDDC) on the Management domain vCenter Server.
Procedure
1 Define a User Role in vSphere for vRealize Suite Lifecycle Manager in Region A
Create a user role in the vSphere Client with the required privileges to enable the vRealize Suite Lifecycle Manager instance to deploy and manage the vRealize Suite components.
2 Configure Service Account Permissions in vSphere for Integration with vRealize Suite Lifecycle Manager in Region A.
To allow deploying and managing SDDC components on the Management domain vCenter Server inventory, you assign account permissions to the service account for communication from vRealize Suite Lifecycle Manager to vSphere.
Define a User Role in vSphere for vRealize Suite Lifecycle Manager in Region A
Create a user role in the vSphere Client with the required privileges to enable the vRealize Suite Lifecycle Manager instance to deploy and manage the vRealize Suite components.
Procedure
1 In a Web browser, log in to vCenter Server by using the vSphere Client.
Setting Value
URL https://sfo01m01vc01.sfo01.rainpole.local/ui
User name [email protected]
Password vsphere_admin_password
2 Select Menu > Administration.
3 In the left pane, select Access control > Roles.
4 From the Roles provider drop-down menu, select sfo01m01vc01.sfo01.rainpole.local.
5 Click the Create role action icon, select these privileges, and click Next.
Category Privilege
Content library All content library privileges
Datastore All datastore privileges
Host Inventory.Modify cluster
Host Local Operations.Add host to vCenter
Host Local Operations.Create virtual machine
Host Local Operations.Delete virtual machine
Host Local Operations.Reconfigure virtual machine
Network Assign network
Resource Assign vApp to resource pool
Resource Assign virtual machine to resource pool
Virtual machine All virtual machine privileges
vApp All vApp privileges
6 In the Role name text box, enter vRealize Suite Lifecycle Manager to vSphere Integration and click Finish.
Configure Service Account Permissions in vSphere for Integration with vRealize Suite Lifecycle Manager in Region A.
To allow deploying and managing SDDC components on the Management domain vCenter Server inventory, you assign account permissions to the service account for communication from vRealize Suite Lifecycle Manager to vSphere.
Procedure
1 In a Web browser, log in to vCenter Server by using the vSphere Client.
Setting Value
URL https://sfo01m01vc01.sfo01.rainpole.local/ui
User name [email protected]
Password vsphere_admin_password
2 Assign global permissions to the service account.
a Select Menu > Administration.
b In the left pane, select Access control > Global permissions.
c Click the Add permission icon, enter these values, and click OK.
Setting Value
Domain rainpole.local
User/Group svc-vrslcm-vsphere
Role vRealize Suite Lifecycle Manager to vSphere Integration
Propagate to children Selected
3 Restrict access to the workload domain in Region A for the svc-vrslcm-vsphere service account.
a In the Global inventory lists inventory, under Resources, click vCenter Servers.
b Select the Workload domain vCenter Server, sfo01w01vc01.sfo01.rainpole.local, and click the Permissions tab.
c In the User/Group column, click the RAINPOLE\svc-vrslcm-vsphere service account, and click the Change role icon.
d From the Role drop-down menu, select No access, leave the Propagate to children check box selected, and click OK.
4 If there are other workload domains that are added to the SDDC, repeat Step 3 for each additional Workload domain vCenter Server.
Deploy the vRealize Suite Lifecycle Manager Appliance in Region A
You deploy the vRealize Suite Lifecycle Manager appliance by using the VMware vRealize Suite Lifecycle Manager 8.1 Easy Installer, and configure storage, networking, and other appliance attributes.
Procedure
1 Mount the vRealize Suite Lifecycle Manager 8.1 Easy Installer ISO file on the host machine that has access to your data center by using a virtual CD-ROM emulator program.
2 Open the vRealize Suite Lifecycle Manager Easy Installer ISO file and navigate to the vrlcm-ui-installer\workstation_OS folder for the OS of your host machine.
For a Windows host machine, navigate to the cdrom:\vrlcm-ui-installer\win32\ folder.
3 Run the installer executable in the folder.
For a Windows host machine, double-click the installer.exe file.
The vRealize Suite Lifecycle Manager Easy Installer wizard opens.
4 Click Install.
5 On the Introduction page, click Next.
6 On the End user license agreement page, read and accept the terms of the license agreement.
7 Select Join the VMware customer experience improvement program and click Next.
8 On the Appliance deployment target page, enter these values and click Next.
Setting Value
vCenter Server hostname sfo01m01vc01.sfo01.rainpole.local
HTTPS port 443
Username [email protected]
Password svc-vrslcm-vsphere_password
9 If a Certificate warning dialog box appears, verify that the SSL certificate thumbprint matches the sfo01m01vc01.sfo01.rainpole.local appliance and click Accept.
10 On the Select a location page, expand sfo01m01vc01.sfo01.rainpole.local, expand sfo01-m01dc, select sfo01-m01fd-vrslcm and click Next.
11 On the Select a compute resource page, select the sfo01-m01-mgmt01 cluster and click Next.
12 On the Select a storage location page, select the sfo01-m01-vsan01 datastore, select Enable thin disk mode, and click Next.
13 On the Network configuration page, enter these values and click Next.
Setting Value
Network Distributed port group that ends with Mgmt-xRegion01-VXLAN.
IP assignment static
Subnet mask 255.255.255.0
Default gateway 192.168.11.1
DNS servers 172.16.11.4,172.16.11.5
Domain name rainpole.local
Provide NTP server for the appliance ntp.sfo01.rainpole.local
14 On the Password configuration page, configure the password for the vRealize Suite Lifecycle Manager root and admin users, and click Next.
15 On the Lifecycle Manager configuration page, enter these values and click Next.
Setting Value
Virtual machine name vrslcm01svr01
IP address 192.168.11.20
Hostname vrslcm01svr01.rainpole.local
Data center name sfo01-m01dc
vCenter name sfo01m01vc01.sfo01.rainpole.local
Increase disk size in GB 100
16 On the Identity Manager configuration page, turn on the Skip vIDM installation and import toggle and click Next.
17 On the vRealize Automation configuration page, click Next.
18 On the Summary page, review the installation configuration settings and click Submit.
An installation progress bar appears.
19 When the installation finishes, in the Installation process dialog box, click Close.
What to do next
Install vRealize Suite Lifecycle Manager 8.1 Patch 1 with product support pack 1 to support vRealize Log Insight 8.1.1:
1 Install vRealize Suite Lifecycle Manager 8.1 Patch 1.
See Download and Installation in the VMware vRealize Suite Lifecycle Manager 8.1 Patch 1 Release Notes.
2 Install the vRealize Suite Lifecycle Manager 8.1 product support pack 1 for vRealize Log Insight 8.1.1.
See vRealize Suite Lifecycle Manager 8.1 Product Support Pack 1 for vRealize Log Insight 8.1.1 in the VMware vRealize Suite Lifecycle Manager 8.1 Release Notes.
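The certificate warning in step 9 of the deployment procedure is only meaningful if the thumbprint is compared with a value obtained independently of the installer's own connection. The following Python sketch is an added example, not part of the VMware documentation: it computes SHA-1 or SHA-256 thumbprints of the certificate a host presents and compares them with an expected value. The function names, the sample bytes, and the idea that the expected thumbprint was recorded out of band are assumptions.

```python
import hashlib
import re
import ssl

# Hex length of the expected value -> hash algorithm it was produced with.
ALGORITHM_BY_LENGTH = {40: "sha1", 64: "sha256"}


def normalize_thumbprint(text):
    """Drop colons and whitespace and lowercase, so 'AB:CD' and 'abcd' compare equal."""
    digits = re.sub(r"[\s:]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]+", digits):
        raise ValueError("thumbprint is not hexadecimal: %r" % text)
    return digits


def thumbprint(pem_cert, algorithm="sha256"):
    """Hash the DER encoding of one PEM certificate; that hash is the thumbprint."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    return hashlib.new(algorithm, der).hexdigest()


def display_form(hexdigest):
    """Render a digest as upper-case, colon-separated byte pairs."""
    pairs = (hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))
    return ":".join(pairs).upper()


def thumbprint_matches(pem_cert, expected):
    """Compare a certificate with an expected SHA-1 or SHA-256 thumbprint."""
    want = normalize_thumbprint(expected)
    algorithm = ALGORITHM_BY_LENGTH.get(len(want))
    if algorithm is None:
        raise ValueError("expected 40 (SHA-1) or 64 (SHA-256) hex digits, got %d"
                         % len(want))
    return thumbprint(pem_cert, algorithm) == want


def fetch_certificate(host, port=443):
    """Fetch the certificate a host presents. The chain is NOT validated here;
    trust comes only from the thumbprint comparison that follows."""
    return ssl.get_server_certificate((host, port))


# Constructed sample: arbitrary bytes standing in for a DER certificate, so the
# example runs offline. A thumbprint is a hash over the DER bytes, whatever they are.
SAMPLE_DER = bytes(range(48))
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

if __name__ == "__main__":
    # Stands in for the thumbprint recorded out of band (assumption).
    recorded = display_form(thumbprint(SAMPLE_PEM, "sha1"))
    print("recorded thumbprint:", recorded)
    print("same certificate   :", thumbprint_matches(SAMPLE_PEM, recorded))

    # A different certificate on the wire must not match the recorded value.
    other_pem = ssl.DER_cert_to_PEM_cert(SAMPLE_DER[:-1] + b"\xff")
    print("other certificate  :", thumbprint_matches(other_pem, recorded))

    # Against the real system (needs network access):
    #   pem = fetch_certificate("sfo01m01vc01.sfo01.rainpole.local")
    #   thumbprint_matches(pem, "<thumbprint recorded out of band>")
```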
Post-Deployment Configuration of the vRealize Suite Lifecycle Manager Instance in Region A
You configure the vRealize Suite Lifecycle Manager appliance system settings and replace the appliance certificate.
Procedure
1 Configure the vRealize Suite Lifecycle Manager Instance in Region A
Add the password of the svc-vrslcm-vsphere service account to Locker. If access to My VMware, VMware Marketplace, and VMware Updates requires a proxy server, configure a proxy for vRealize Suite Lifecycle Manager.
2 Replace the Certificate of the vRealize Suite Lifecycle Manager Instance in Region A
To establish a trusted connection to vRealize Suite Lifecycle Manager, you replace the SSL certificate on the appliance.
Configure the vRealize Suite Lifecycle Manager Instance in Region A
Add the password of the svc-vrslcm-vsphere service account to Locker. If access to My VMware, VMware Marketplace, and VMware Updates requires a proxy server, configure a proxy for vRealize Suite Lifecycle Manager.
Procedure
1 In a Web browser, log in to vRealize Suite Lifecycle Manager by using the administration interface.
Setting Value
URL https://vrslcm01svr01.rainpole.local
User name admin@local
Password vrslcm_admin_password
2 Add the password of the svc-vrslcm-vsphere service account to Locker.
a On the My services page, click Locker.
b In the navigation pane, click Password.
c Click Add, enter these values, and click Add.
Setting Value
Password alias svc-vrslcm-vsphere
Password svc-vrslcm-vsphere_password
Confirm password svc-vrslcm-vsphere_password
Password description Password for [email protected]
User name [email protected]
3 Return to the My services page by clicking the vRealize Suite Lifecycle Manager icon on the top left corner.
4 If required, configure a proxy server for vRealize Suite Lifecycle Manager.
a On the My services page, click Lifecycle operations.
b In the navigation pane, click Settings.
c Under System administration, click Proxy.
d Select the Configure proxy check box, enter these values, and click Save.
Setting Value
Server proxy_server_fqdn_or_ipaddress
Port proxy_server_port
Credential proxy_server_user
e Create the password alias for the proxy user by using Step 2.
Replace the Certificate of the vRealize Suite Lifecycle Manager Instance in Region A
To establish a trusted connection to vRealize Suite Lifecycle Manager, you replace the SSL certificate on the appliance.
Procedure
1 In a Web browser, log in to vRealize Suite Lifecycle Manager by using the administration interface.
Setting Value
URL https://vrslcm01svr01.rainpole.local
User name admin@local
Password vrslcm_admin_password
2 Add the certificate of the vRealize Suite Lifecycle Manager appliance to Locker.
a On the My services page, click Locker.
b In the navigation pane, click Certificate.
c On the Certificate page, click Import.
d On the Import certificate page, enter these values and click Import.
Setting Value
Name vrslcm01svr01-certificate
Pass phrase vrslcm01svr01_certificate_password
Select certificate file Navigate to vrslcm01svr01.2.chain.pem
3 Return to the My services page by clicking the vRealize Suite Lifecycle Manager icon on the top-left corner.
4 On the My services page, click Lifecycle operations.
5 In the navigation pane, click Settings.
6 Under System administration, click Change certificate.
7 On the Change certificate page, click Replace certificate.
8 On the Current certificate page, click Next.
9 On the Select certificate page, from the drop-down menu, select vrslcm01svr01-certificate, and click Next.
10 On the Precheck page, click Run.
11 Wait for all validations to pass and click Finish.
12 Log out, restart the browser, and log back in to vRealize Suite Lifecycle Manager by using the administration interface.
Register the vRealize Suite Lifecycle Manager Instance with My VMware
You can integrate vRealize Suite Lifecycle Manager directly with a My VMware account to access vRealize Suite licenses within an entitlement account and manage the download of product OVA files for install, patch, and upgrade. You can also use the My VMware account registration to download content from the VMware Marketplace.
As an alternative to using a My VMware account integration, you can directly upload product binaries to the vRealize Suite Lifecycle Manager repository. See Upload and Map Product Binaries to the vRealize Suite Lifecycle Manager Instance in Region A.
Prerequisites
If your organization restricts outbound access, configure a proxy server for the vRealize Suite Lifecycle Manager appliance. See Configure the vRealize Suite Lifecycle Manager Instance in Region A.
Procedure
1 In a Web browser, log in to vRealize Suite Lifecycle Manager by using the administration interface.
Setting Value
URL https://vrslcm01svr01.rainpole.local
User name admin@local
Password vrslcm_admin_password
2 On the My services page, click Locker.
3 In the navigation pane, click Password.
4 Click Add, enter these values, and click Add.
Setting Value
Password alias svc-vrslcm-myvmware
Password svc-vrslcm-myvmware_password
Confirm password svc-vrslcm-myvmware_password
Password description [email protected]
User name [email protected]
5 Return to the My services page by clicking the vRealize Suite Lifecycle Manager icon on the top left corner.
6 On the My services page, click Lifecycle operations.
7 In the navigation pane, click Settings.
8 Under Servers & accounts, click My VMware.
9 Click Add My VMware account, enter these values, and click Validate.
Setting Value
Username [email protected]
Password svc-vrslcm-myvmware_password
10 After the successful validation of the My VMware details, click Add.
Upload and Map Product Binaries to the vRealize Suite Lifecycle Manager Instance in Region A
You upload product binaries to the vRealize Suite Lifecycle Manager repository and map the binaries by using the vRealize Suite Lifecycle Manager UI.
During the vRealize Suite Lifecycle Manager deployment, the vRealize Suite Lifecycle Manager Easy Installer uploads and maps the binary files for vRealize Automation and Workspace ONE Access. After the vRealize Suite Lifecycle Manager deployment, you upload and map the product binary files for vRealize Operations Manager and vRealize Log Insight.
If your organization restricts external access on the vRealize Suite Lifecycle Manager appliance, you obtain the necessary product binaries from the My VMware repository. After that, you upload and discover the product binaries to the vRealize Suite Lifecycle Manager appliance directly.
Table 2-1. Product Binary Files
Product Binary File Name
VMware vRealize Operations Manager 8.1 vRealize-Operations-Manager-Appliance-8.1.0.build_number_OVF10.ova
VMware vRealize Log Insight 8.1.1 VMware-vRealize-Log-Insight-8.1.1.0-build_number_OVF10.ova
Alternatively, if your organization does not restrict external access on the vRealize Suite Lifecycle Manager appliance, you can download the product binaries for install and upgrade by using a registration of vRealize Suite Lifecycle Manager with a My VMware account. See Register the vRealize Suite Lifecycle Manager Instance with My VMware.
Procedure
1 Download the vRealize Operations Manager and vRealize Log Insight product binary files to your host machine.
2 Use an SCP client, such as WinSCP, to transfer the .ova files to the vRealize Suite Lifecycle Manager appliance by using these values.
Settings Values
Host name vrslcm01svr01.rainpole.local
User name root
Password vrslcm_root_password
Upload folder location /data
3 In a Web browser, log in to vRealize Suite Lifecycle Manager by using the administration interface.
Setting Value
URL https://vrslcm01svr01.rainpole.local
User name admin@local
Password vrslcm_admin_password
4 On the My services page, click Lifecycle operations.
5 In the navigation pane, click Settings.
6 Under Servers & accounts, click Binary mapping.
7 On the Product binaries tab, click Add binaries.
8 For the Location type menu item, select the Local radio button.
9 In the Base location text box, enter /data and click Discover.
You can see a list of the supported products and versions for which you uploaded the binary files to the /data folder.
10 For each product, select the Install type of binary and click Add.
You submitted a product source mapping request for each product binary.
11 In the navigation pane, click Requests and monitor the Product source mapping request for each product.
The status of each product source mapping request transitions from Inprogress to Completed.
Configure Data Centers and vCenter Server in vRealize Suite Lifecycle Manager in Region A
Before you can create a local environment for product deployments, you must update the credentials for the Management domain vCenter Server that is associated with the region-specific data center in vRealize Suite Lifecycle Manager. Before you can create a cross-region environment for product deployments, you must add a cross-region data center and the associated Management domain vCenter Server to vRealize Suite Lifecycle Manager.
During the vRealize Suite Lifecycle Manager deployment, vRealize Easy Installer adds the region-specific data center, sfo01-m01dc, to vRealize Suite Lifecycle Manager. SDDC Manager associates the region-specific data center with the Management domain vCenter Server by using the administrator@local account. You update the Management domain vCenter Server in the region-specific data center to use the svc-vrslcm-vsphere account for the deployment of the region-specific components, such as vRealize Log Insight.
Also, you add the cross-region data center, cross-region-dc, and the associated Management domain vCenter Server for the deployment of the cross-region components, such as the Workspace ONE Access cluster, the vRealize Operations Manager analytics cluster, and the vRealize Automation cluster.
Procedure
1 In a Web browser, log in to vRealize Suite Lifecycle Manager by using the administration interface.
Setting Value
URL https://vrslcm01svr01.rainpole.local
User name admin@local
Password vrslcm_admin_password
2 On the My services page, click Lifecycle operations.
3 In the navigation pane, click Datacenters.
4 Update the Management domain vCenter Server in the region-specific data center to use the svc-vrslcm-vsphere account.
a On the Datacenters page, expand the sfo-m01-dc01 data center.
b In the row for sfo01m01vc01.sfo01.rainpole.local, click Edit vCenter.
c Update these values and click Validate.
Setting Value
vCenter credentials svc-vrslcm-vsphere
vCenter type Management
d After the successful vCenter Server validation, click Save.
5 Click Add datacenter, enter the values for the cross-region data center, and click Add.
Setting Value
Name cross-region-dc
Use custom location Disabled
Location San Francisco, California, US
6 Add the Management domain vCenter Server to the cross-region data center.
a On the Datacenters page, expand the cross-region-dc data center and click Add vCenter.
b Enter the vCenter Server information and click Validate.
Setting Value for the cross-region-dc Data Center
vCenter name sfo01m01vc01.sfo01.rainpole.local
vCenter FQDN sfo01m01vc01.sfo01.rainpole.local
vCenter credentials svc-vrslcm-vsphere
vCenter type Management
7 After the successful vCenter Server validation, click Save.
8 In the navigation pane, click Requests and verify that the state of the vCenter data collection request shows Completed.
Add the Cross-Region Environment Password to vRealize Suite Lifecycle Manager
To enable vRealize Suite Lifecycle Manager to deploy cross-region solution products, you must add the cross-region environment administrator account to the vRealize Suite Lifecycle Manager Locker.
Procedure
1 In a Web browser, log in to vRealize Suite Lifecycle Manager by using the administration interface.
Setting Value
URL https://vrslcm01svr01.rainpole.local
User name admin@local
Password vrslcm_admin_password
2 On the My services page, click Locker.
3 In the navigation pane, click Password.
4 Click Add, enter these values, and click Add.
Setting Value
Password alias xregion-env-admin
Password xregion-env-admin_password
Confirm password xregion-env-admin_password
Password description Cross-region environment admin user
User Name admin
3 Cross-Region Workspace ONE Access Implementation in Region A
Identity and access management services in the SDDC are provided by VMware Workspace ONE Access. You use vRealize Suite Lifecycle Manager to deploy a cross-region Workspace ONE Access cluster. After that, you perform the necessary post-deployment configurations and customization.
Procedure
1 Prerequisites for Deploying Cross-Region Workspace ONE Access
Before you deploy the cross-region Workspace ONE Access cluster, verify that your environment fulfills the requirements for this deployment.
2 Configure the Load Balancer for the Cross-Region Workspace ONE Access Cluster in Region A
You configure load balancing for the cross-region Workspace ONE Access cluster services by using the dedicated NSX Data Center for vSphere edge services gateway.
3 Deploy the Cross-Region Workspace ONE Access Cluster in Region A
You configure deployment details and deploy the cross-region Workspace ONE Access cluster by using vRealize Suite Lifecycle Manager.
4 Configure the Cross-Region Workspace ONE Access Cluster in Region A
Perform the necessary post-deployment configuration steps for the cross-region Workspace ONE Access cluster to enable identity management for the SDDC.
Prerequisites for Deploying Cross-Region Workspace ONE Access
Before you deploy the cross-region Workspace ONE Access cluster, verify that your environment fulfills the requirements for this deployment.
Deployment Prerequisites
Verify that your environment satisfies the following prerequisites for the deployment of cross-region Workspace ONE Access.
Prerequisite Value
Storage
- Virtual disk provisioning: Thin
- Required storage per node: 4.8 GB
Software Features
- Verify that Management domain vCenter Server is operational.
- Verify that the application virtual networks are available.
- Verify that the NSX Data Center for vSphere is operational.
- Verify that the static IP address and FQDN for the application virtual networks are available for the cross-region Workspace ONE Access deployment. See Host Names and IP Addresses for vRealize Suite 2019 and Workspace ONE Access.
Active Directory
- Verify that you have a parent Active Directory with the SDDC user roles configured for the rainpole.local domain.
- Verify that required Active Directory service accounts are created. See Active Directory User Accounts.
- Verify that required Active Directory security groups are created. See Active Directory Groups.
Certificate Authority Verify that you have a validated SSL certificate. You can generate the certificate using the CertGenVVD utility. See Certificate Generation Utility for VMware Validated Design for Software-Defined Data Center 6.x (78246).
Configure the Load Balancer for the Cross-Region Workspace ONE Access Cluster in Region A
You configure load balancing for the cross-region Workspace ONE Access cluster services by using the dedicated NSX Data Center for vSphere edge services gateway.
Procedure
1 Import the Load Balancer Certificate of the Cross-Region Workspace ONE Access Cluster
To allow secure connection to the cross-region Workspace ONE Access cluster, import the certificate for the virtual IP address in the Management domain NSX Manager.
2 Configure the Virtual IP Address for Load Balancing the Cross-Region Workspace ONE Access Cluster in Region A
Configure the VIP address for load balancing the cross-region Workspace ONE Access cluster in Region A.
3 Create a Service Monitor for the Cross-Region Workspace ONE Access Cluster in Region A
You set up health check monitoring in NSX Data Center for vSphere for the cross-region Workspace ONE Access cluster to monitor the server pool. Servers that fail to respond to the health checks within a specified time period are excluded from future connection handling.
4 Create a Server Pool for the Cross-Region Workspace ONE Access Cluster in Region A
You create a server pool in NSX Data Center for vSphere for the cross-region Workspace ONE Access cluster nodes. The server pool determines the load-balancing algorithm and combines resources from the pool members.
5 Create Application Profiles for the Cross-Region Workspace ONE Access Cluster in Region A
You create an application profile in NSX Data Center for vSphere and associate it with a virtual server to define the behavior of a particular type of network traffic. The virtual server processes traffic according to the values specified in the profile.
6 Create Virtual Servers for the Cross-Region Workspace ONE Access Cluster in Region A
You create two virtual servers in NSX Data Center for vSphere for the cross-region Workspace ONE Access cluster. These virtual servers are associated with the configured application profile and server pool, and distribute client connections among the server pool members.
Import the Load Balancer Certificate of the Cross-Region Workspace ONE Access Cluster
To allow secure connection to the cross-region Workspace ONE Access cluster, import the certificate for the virtual IP address in the Management domain NSX Manager.
Procedure
1 In a Web browser, log in to vCenter Server by using the vSphere Client.
Setting Value
URL https://sfo01m01vc01.sfo01.rainpole.local/ui
User name [email protected]
Password vsphere_admin_password
2 In the Networking and security inventory, click NSX Edges.
3 From the NSX Manager drop-down menu, select 172.16.11.65.
4 Click the ID of the sfo01m01lb01 edge services gateway to open its network settings.
5 Click the Configure tab and click Certificates.
6 Click Add and select Certificate.
7 In the New certificate dialog box, enter these settings, and click Add.
Setting Value
Certificate contents Paste the content of the wsa01svr01.2.chain.pem file without the private key.
Private key Paste the content of the wsa01svr01.key file.
Password -
Description Certificate for the cross-region Workspace ONE Access cluster.
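The New certificate dialog in step 7 takes the certificate chain and the private key in separate fields, and the chain must be pasted without the key. As an added example (not part of the VMware documentation), this Python sketch splits a PEM bundle into those two values and rejects a truncated certificate or a passphrase-protected key, on the assumption that the Password field stays empty as the "-" in the table suggests. The function names and the sample blocks are constructed for illustration.

```python
import base64
import re

# One PEM block: BEGIN line, body, and the END line with the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}


def split_bundle(text):
    """Return (certificate_blocks, key_blocks) in the order they appear."""
    certs, keys = [], []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        if label == "CERTIFICATE":
            # A truncated paste usually breaks the base64 body; fail early.
            base64.b64decode("".join(body.split()), validate=True)
            certs.append(match.group(0))
        elif label in KEY_LABELS:
            keys.append(match.group(0))
    return certs, keys


def is_encrypted(key_block):
    """PKCS#8 encrypted keys have their own label; legacy PEM keys carry a header."""
    return ("BEGIN ENCRYPTED PRIVATE KEY" in key_block
            or "Proc-Type: 4,ENCRYPTED" in key_block)


def prepare_import(chain_text, key_text):
    """Build the text for the Certificate contents and Private key fields."""
    certs, _keys_in_chain = split_bundle(chain_text)
    if not certs:
        raise ValueError("no CERTIFICATE block found in the chain file")
    _certs_in_key_file, keys = split_bundle(key_text)
    if len(keys) != 1:
        raise ValueError("expected exactly one private key, found %d" % len(keys))
    if is_encrypted(keys[0]):
        raise ValueError("private key is passphrase-protected")
    # Only CERTIFICATE blocks are emitted, so key material in the chain file
    # never reaches the Certificate contents field.
    certificate_contents = "\n".join(certs) + "\n"
    return certificate_contents, keys[0] + "\n"


def make_pem(label, payload):
    """Constructed-sample helper: wrap arbitrary bytes in a PEM block."""
    body = base64.encodebytes(payload).decode("ascii").strip()
    return "-----BEGIN %s-----\n%s\n-----END %s-----" % (label, body, label)


# Constructed samples, not real certificates or keys. The chain file here
# contains the private key between the leaf and the CA certificates.
SAMPLE_KEY = make_pem("PRIVATE KEY", b"constructed key bytes")
SAMPLE_CHAIN = "\n".join([
    make_pem("CERTIFICATE", b"constructed leaf"),
    SAMPLE_KEY,
    make_pem("CERTIFICATE", b"constructed issuing CA"),
    make_pem("CERTIFICATE", b"constructed root CA"),
]) + "\n"

if __name__ == "__main__":
    cert_field, key_field = prepare_import(SAMPLE_CHAIN, SAMPLE_KEY)
    print("certificates in Certificate contents:",
          cert_field.count("BEGIN CERTIFICATE"))
    print("key material in Certificate contents:", "PRIVATE KEY" in cert_field)
    print("blocks in Private key field:", key_field.count("-----BEGIN "))
```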
Configure the Virtual IP Address for Load Balancing the Cross-Region Workspace ONE Access Cluster in Region A
Configure the VIP address for load balancing the cross-region Workspace ONE Access cluster in Region A.
Procedure
1 In a Web browser, log in to vCenter Server by using the vSphere Client.
Setting Value
URL https://sfo01m01vc01.sfo01.rainpole.local/ui
User name [email protected]
Password vsphere_admin_password
2 In the Networking and security inventory, click NSX Edges.
3 From the NSX Manager drop-down menu, select 172.16.11.65.
4 Click the ID of the sfo01m01lb01 edge services gateway to open its network settings.
5 Click the Configure tab and click Interfaces.
6 Select the OneArmLB interface and click Edit.
7 On the Basic tab, under Configure subnets, in the row for primary IP address 192.168.11.2, in the Secondary IP addresses cell, add the cross-region Workspace ONE Access cluster IP address, 192.168.11.60.
8 Click Save.
Create a Service Monitor for the Cross-Region Workspace ONE Access Cluster in Region A
You set up health check monitoring in NSX Data Center for vSphere for the cross-region Workspace ONE Access cluster to monitor the server pool. Servers that fail to respond to the health checks within a specified time period are excluded from future connection handling.
Procedure
1 In a Web browser, log in to vCenter Server by using the vSphere Client.
Setting Value
URL https://sfo01m01vc01.sfo01.rainpole.local/ui
User name [email protected]
Password vsphere_admin_password
2 In the Networking and security inventory, click NSX Edges.
3 From the NSX Manager drop-down menu, select 172.16.11.65.
4 Click the ID of the sfo01m01lb01 edge services gateway to open its network settings.
5 Click the Load balancer tab and click Service monitoring.
6 Click Add, enter these values to configure the health check parameters, and click Add.
Setting Value
Name wsa-https-monitor
Interval 3
Timeout 10
Max retries 3
Type HTTPS
Expected 200
Method GET
URL /SAAS/API/1.0/REST/system/health/heartbeat
Receive ok
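As an added example that is not part of the VMware guide, the following script applies the monitor's pass criteria (HTTP status 200 and a response body containing ok) to each pool member directly instead of through the VIP. The function names, the CA_FILE variable, and the assumption that each node presents a certificate trusted for its own FQDN belong to this example; the sample responses are constructed.

```shell
#!/bin/sh
# Added example (not VMware's code). Names other than the URL path are assumptions.

HEARTBEAT_PATH='/SAAS/API/1.0/REST/system/health/heartbeat'  # "URL" in the monitor table
PROBE_TIMEOUT=10                                             # "Timeout" in the monitor table

# Fetch the heartbeat from one node. Prints the response body followed by a
# final line holding the HTTP status code. CA_FILE (assumed variable) points to
# the root CA certificate in PEM form, so the TLS chain is verified, not skipped.
fetch_heartbeat() {
    curl --silent --show-error --max-time "$PROBE_TIMEOUT" \
         --cacert "$CA_FILE" --write-out '\n%{http_code}' \
         "https://$1$HEARTBEAT_PATH"
}

# Apply the monitor's criteria to a fetch_heartbeat-style response:
# the status must be 200 ("Expected") and the body must contain "ok" ("Receive").
heartbeat_passes() {
    response=$1
    code=$(printf '%s\n' "$response" | tail -n 1)
    body=$(printf '%s\n' "$response" | sed '$d')
    [ "$code" = "200" ] || return 1
    case $body in
        *ok*) return 0 ;;
        *)    return 1 ;;
    esac
}

# Probe every node given as an argument and print "<node> UP" or "<node> DOWN".
# Succeeds only if all nodes pass.
check_pool() {
    failed=0
    for node in "$@"; do
        if response=$(fetch_heartbeat "$node") && heartbeat_passes "$response"; then
            echo "$node UP"
        else
            echo "$node DOWN"
            failed=$((failed + 1))
        fi
    done
    [ "$failed" -eq 0 ]
}

# Offline demonstration on constructed responses (no network access).
for sample in 'ok|200' 'ok|503' 'starting|200'; do
    constructed=$(printf '%s\n%s' "${sample%%|*}" "${sample##*|}")
    if heartbeat_passes "$constructed"; then
        echo "body=${sample%%|*} status=${sample##*|}: member stays in the pool"
    else
        echo "body=${sample%%|*} status=${sample##*|}: member fails the check"
    fi
done

# Live use, run from a host that can reach the nodes on port 443:
#   CA_FILE=/path/to/root-ca.pem check_pool wsa01svr01a.rainpole.local \
#       wsa01svr01b.rainpole.local wsa01svr01c.rainpole.local
```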
Create a Server Pool for the Cross-Region Workspace ONE Access Cluster in Region A
You create a server pool in NSX Data Center for vSphere for the cross-region Workspace ONE Access cluster nodes. The server pool determines the load-balancing algorithm and combines resources from the pool members.
You add the three cross-region Workspace ONE Access cluster nodes as members of the server pool.
Procedure
1 In a Web browser, log in to vCenter Server by using the vSphere Client.
Setting Value
URL https://sfo01m01vc01.sfo01.rainpole.local/ui
User name [email protected]
Password vsphere_admin_password
2 In the Networking and security inventory, click NSX Edges.
3 From the NSX Manager drop-down menu, select 172.16.11.65.
4 Click the ID of the sfo01m01lb01 edge services gateway to open its network settings.
5 Click the Load balancer tab and click Pools.
6 Click Add and, on the General tab of the New pool dialog box, enter these values to configure the load-balancing profile.
Setting Value
Name wsa-server-pool
Description Cross-Region Workspace ONE Access Server Pool
Algorithm LEASTCONN
Monitors wsa-https-monitor
IP filter Any
Transparent Turned off
7 Click the Members tab of the New pool dialog box.
8 To add each cross-region Workspace ONE Access cluster node to the pool, click Add, enter the values for the node, and click OK.
Setting Value for wsa01svr01a Value for wsa01svr01b Value for wsa01svr01c
Name wsa01svr01a wsa01svr01b wsa01svr01c
IP address 192.168.11.61 192.168.11.62 192.168.11.63
State Enable Enable Enable
Port 443 443 443
Monitor port 443 443 443
Weight 1 1 1
Max connections - - -
Min connections - - -
9 In the New pool dialog box, click Add.
Create Application Profiles for the Cross-Region Workspace ONE Access Cluster in Region A
You create an application profile in NSX Data Center for vSphere and associate it with a virtual server to define the behavior of a particular type of network traffic. The virtual server processes traffic according to the values specified in the profile.
Procedure
1 In a Web browser, log in to vCenter Server by using the vSphere Client.
Setting Value
URL https://sfo01m01vc01.sfo01.rainpole.local/ui
User name [email protected]
Password vsphere_admin_password
2 In the Networking and security inventory, click NSX Edges.
3 From the NSX Manager drop-down menu, select 172.16.11.65.
4 Click the ID of the sfo01m01lb01 edge services gateway to open its network settings.
5 Click the Load balancer tab and click Application profiles.
6 Create each application profile for the cross-region Workspace ONE Access cluster.
a Click Add.
b In the New application profile dialog box, on the General tab, enter these values.
Setting | Value for wsa-https-app-profile | Value for wsa-http-redirect
Application profile type | HTTPS End-to-End | HTTP
Name | wsa-https-app-profile | wsa-http-redirect
HTTP redirect URL | - | https://wsa01svr01.rainpole.local/
Persistence | Cookie | Source IP
Cookie name | wsa-cookie-persistence | -
Mode | Insert | -
Expires in (seconds) | 3600 | 1800
Insert X-Forwarded-For HTTP header | Enabled | Disabled
c In the New application profile dialog box, click the Client SSL tab and enter these values.
Setting | Value for wsa-https-app-profile | Value for wsa-http-redirect
Client authentication | Ignore | -
Service certificates | Certificate for the cross-region Workspace ONE Access instance, wsa01svr01.rainpole.local | -
CA certificates | Certificate for the Certificate Authority, rainpole-ca | -
d In the New application profile dialog box, click the Server SSL tab and enter these values.
Setting | Value for wsa-https-app-profile | Value for wsa-http-redirect
Service certificates | Certificate for the cross-region Workspace ONE Access instance, wsa01svr01.rainpole.local | -
e Click Add to save the application profile.
Create Virtual Servers for the Cross-Region Workspace ONE Access Cluster in Region A
You create two virtual servers in NSX Data Center for vSphere for the cross-region Workspace ONE Access cluster. These virtual servers are associated with the configured application profile and server pool, and distribute client connections among the server pool members.
Procedure
1 In a Web browser, log in to vCenter Server by using the vSphere Client.
Setting Value
URL https://sfo01m01vc01.sfo01.rainpole.local/ui
User name [email protected]
Password vsphere_admin_password
2 In the Networking and security inventory, click NSX Edges.
3 From the NSX Manager drop-down menu, select 172.16.11.65.
4 Click the ID of the sfo01m01lb01 edge services gateway to open its network settings.
5 Click the Load balancer tab and click Virtual servers.
6 Click Add.
7 To create each virtual server, click Add and, on the General tab, enter these values and click Add.
Setting | Value for wsa-https | Value for wsa-http-redirect
Virtual server | Enabled | Enabled
Acceleration | Disabled | Disabled
Application profile | wsa-https-app-profile | wsa-http-redirect
Name | wsa-https | wsa-http
Description | Cross-Region Workspace ONE Access | Cross-Region Workspace ONE Access Cluster HTTPS Redirect
IP address | 192.168.11.60 | 192.168.11.60
Protocol | HTTPS | HTTP
Port/Port range | 443 | 80
Default pool | wsa-server-pool | NONE
Connection limit | 0 | 0
Connection rate limit | 0 | 0
Deploy the Cross-Region Workspace ONE Access Cluster in Region A
You configure deployment details and deploy the cross-region Workspace ONE Access cluster by using vRealize Suite Lifecycle Manager.
Procedure
1 Import the Cross-Region Workspace ONE Access Cluster Certificate to vRealize Suite Lifecycle Manager in Region A
In vRealize Suite Lifecycle Manager, import the cross-region Workspace ONE Access cluster certificate that you generated using the CertGenVVD utility.
2 Add the Passwords for the Cross-Region Workspace ONE Access Deployment to vRealize Suite Lifecycle Manager in Region A
To allow life cycle management and configuration management, you set the passwords for the vRealize Suite Lifecycle Manager global environment administrator, the cross-region Workspace ONE Access administrator, and the cross-region Workspace ONE Access configuration administrator accounts.
3 Deploy the Cross-Region Workspace ONE Access Cluster Using vRealize Suite Lifecycle Manager in Region A
To provide identity and access management services to the cross-region SDDC components, you create a cross-region environment in vRealize Suite Lifecycle Manager in which you deploy the three nodes of the cross-region Workspace ONE Access cluster.
4 Resize the Cross-Region Workspace ONE Access Cluster Nodes in Region A
To ensure the proper operation of the cross-region Workspace ONE Access cluster, increase the CPU and memory resources available to each appliance.
Import the Cross-Region Workspace ONE Access Cluster Certificate to vRealize Suite Lifecycle Manager in Region A
In vRealize Suite Lifecycle Manager, import the cross-region Workspace ONE Access cluster certificate that you generated using the CertGenVVD utility.
Procedure
1 In a Web browser, log in to vRealize Suite Lifecycle Manager by using the administration interface.
Setting Value
URL https://vrslcm01svr01.rainpole.local
User name admin@local
Password vrslcm_admin_password
2 On the My Services page, click Locker.
3 In the left pane, click Certificate.
4 On the Certificate page, click Import.
5 On the Import certificate page, configure the settings and click Import.
Setting Value
Name wsa01svr01-certificate
Pass Phrase -
Select Certificate File wsa01svr01.2.chain.pem
Add the Passwords for the Cross-Region Workspace ONE Access Deployment to vRealize Suite Lifecycle Manager in Region A
To allow life cycle management and configuration management, you set the passwords for the vRealize Suite Lifecycle Manager global environment administrator, the cross-region Workspace ONE Access administrator, and the cross-region Workspace ONE Access configuration administrator accounts.
Procedure
1 In a Web browser, log in to vRealize Suite Lifecycle Manager by using the administration interface.
Setting Value
URL https://vrslcm01svr01.rainpole.local
User name admin@local
Password vrslcm_admin_password
2 On the My services page, click Locker.
3 In the navigation pane, click Password.
4 For each password, click Add, configure these settings, and click Add.
Setting | Value for Global Environment Administrator | Value for Local Administrator | Value for Local Configuration Administrator
Password alias | global-env-admin | wsa01svr01-admin | wsa01svr01-configadmin
Password | global_env_admin_password | wsa01svr01_admin_password | wsa01svr01_configadmin_password
Confirm password | global_env_admin_password | wsa01svr01_admin_password | wsa01svr01_configadmin_password
Password description | vRealize Suite Lifecycle Manager global environment administrator password | Cross-region Workspace ONE Access administrator | Cross-region Workspace ONE Access configuration administrator
User name | admin | admin | configadmin
Deploy the Cross-Region Workspace ONE Access Cluster Using vRealize Suite Lifecycle Manager in Region A
To provide identity and access management services to the cross-region SDDC components, you create a cross-region environment in vRealize Suite Lifecycle Manager in which you deploy the three nodes of the cross-region Workspace ONE Access cluster.
During the deployment by using vRealize Suite Lifecycle Manager, you configure the cross-region Workspace ONE Access instance to synchronize group members to the directory when adding a group.
Procedure
1 In a Web browser, log in to vRealize Suite Lifecycle Manager by using the administration interface.
Setting Value
URL https://vrslcm01svr01.rainpole.local
User name admin@local
Password vrslcm_admin_password
2 On the My services page, click Lifecycle operations.
3 On the Dashboard page, click Create environment.
4 Configure these settings and click Next.
Setting Value
Environment name globalenvironment
Administrator email wsa01svr01_configadmin_email
Default password global-env-admin
Data center cross-region-dc
JSON configuration Deselected
Join the VMware customer experience improvement program Selected
5 On the Select product page, select the check box for VMware Identity Manager, configure these settings, and click Next.
Setting Value
Installation type New Install
Version 3.3.2
Deployment type Cluster
6 On the Accept license agreements page, accept the license agreement and click Next.
7 On the Certificate page, from the Select certificate drop-down menu, select wsa01svr01-certificate, and click Next.
8 On the Infrastructure page, configure these settings and click Next.
Setting Value
vCenter Server sfo01m01vc01.sfo01.rainpole.local
Cluster sfo01-m01dc#sfo01-m01-mgmt01
Folder sfo01-m01fd-wsa
Resource pool sfo01-m01-sddc-mgmt
Network Distributed port group that ends with Mgmt-xRegion01-VXLAN
Datastore sfo01-m01-vsan01
Disk mode Thin
Use content library Deselected
9 On the Network page, configure these settings and click Next.
Setting Value
Default gateway 192.168.11.1
Netmask 255.255.255.0
Domain name rainpole.local
Domain Search Path rainpole.local
DNS Servers Click Edit server selection, select 172.16.11.4 and 172.16.11.5, and click Next and Finish.
Time Sync Mode Use NTP Server
NTP Servers Click Edit server selection, select ntp.sfo01.rainpole.local, click Next and Finish.
10 On the Products page, configure the deployment properties for the cross-region Workspace ONE Access instance and click Next.
a In the Product properties section, configure the following.
Setting Value
Certificate wsa01svr01-certificate
Admin password wsa01svr01-admin
Default configuration admin user name configadmin
Default configuration admin password wsa01svr01-configadmin
Sync group members Selected
b In the Cluster VIP FQDN section, configure these settings.
Setting Value
FQDN wsa01svr01.rainpole.local
Database IP Address 192.168.11.64
c In the Components section, configure the primary cluster node.
Setting Value
VM Name wsa01svr01a
FQDN wsa01svr01a.rainpole.local
IP Address 192.168.11.61
d In the Components section, configure the second cluster node.
Setting Value
VM name wsa01svr01b
FQDN wsa01svr01b.rainpole.local
IP address 192.168.11.62
e In the Components section, configure the third cluster node.
Setting Value
VM name wsa01svr01c
FQDN wsa01svr01c.rainpole.local
IP address 192.168.11.63
11 On the Manual validation page, review the manual checks, select I have taken care of the manual steps above and ready to proceed, and click Run precheck.
12 Review the validation report and, after a successful validation, click Next.
13 On the Summary page, review the deployment specification, disable Run prechecks on submit, and click Submit.
Resize the Cross-Region Workspace ONE Access Cluster Nodes in Region A
To ensure the proper operation of the cross-region Workspace ONE Access cluster, increase the CPU and memory resources available to each appliance.
Procedure
1 In a Web browser, log in to vRealize Suite Lifecycle Manager by using the administration interface.
Setting Value
URL https://vrslcm01svr01.rainpole.local
User name admin@local
Password vrslcm_admin_password
2 Perform a graceful shutdown of the Workspace ONE Access cluster.
a On the My services page, click Lifecycle operations.
b On the Dashboard page, click Manage environments.
c In the globalenvironment card, click View details.
d In the VMware Identity Manager section, click the ellipsis icon and, from the drop-down menu, select Trigger cluster health.
e On the Trigger health collection dialog box, click Submit.
On the Request details page, the health collection status becomes Successful.
f In the left pane, click Dashboard and click Manage environments.
g In the globalenvironment card, click View details.
h In the VMware Identity Manager section, click the ellipsis icon and, from the drop-down menu, select Power off.
i On the Power off VMware Identity Manager dialog box, click Submit.
On the Request details page, the power off operation status becomes Successful.
3 In a Web browser, log in to vCenter Server by using the vSphere Client.
Setting Value
URL https://sfo01m01vc01.sfo01.rainpole.local/ui
User name [email protected]
Password vsphere_admin_password
4 In the Hosts and clusters inventory, expand the sfo01m01vc01.sfo01.rainpole.local tree and expand the sfo01-m01dc data center.
5 Expand the sfo01-m01-mgmt01 cluster, right-click the wsa01svr01a virtual machine, and select Edit settings.
6 In the Edit settings dialog box, configure these settings and click OK.
Setting Value
CPU 8
Memory 16 GB
7 Repeat Step 5 and Step 6 to increase the CPU and memory resources for the wsa01svr01b and wsa01svr01c virtual machines.
8 Power on the Workspace ONE Access cluster.
a Back in the vRealize Suite Lifecycle Manager user interface, on the My services page, click Lifecycle operations.
b On the Dashboard page, click Manage environments.
c In the globalenvironment card, click View details.
d In the VMware Identity Manager section, click the ellipsis icon and, from the drop-down menu, select Power on.
e On the Power on VMware Identity Manager dialog box, click Submit.
On the Request details page, the power on operation status becomes Successful.
Configure the Cross-Region Workspace ONE Access Cluster in Region A
Perform the necessary post-deployment configuration steps for the cross-region Workspace ONE Access cluster to enable identity management for the SDDC.
Procedure
1 Configure an Anti-Affinity Rule and a Virtual Machine Group for the Cross-Region Workspace ONE Access Cluster in Region A
To protect the cross-region Workspace ONE Access nodes from a host-level failure, configure an anti-affinity rule to run the virtual machines on different hosts in the first vSphere cluster of the Management domain. After that, you configure a VM group to define the startup order so that vSphere High Availability powers on the cross-region Workspace ONE Access cluster members in the correct order.
2 Configure NTP on the Cross-Region Workspace ONE Access Cluster in Region A
To keep the cross-region Workspace ONE Access cluster nodes synchronized with the other SDDC components, configure the time synchronization on each node in the cross-region Workspace ONE Access cluster.
3 Configure Custom Branding for the Cross-Region Workspace ONE Access Deployment in Region A
To personalize the sign-in screen for your organization, you configure the branding of the cross-region Workspace ONE Access deployment.
4 Configure Identity Sources for the Cross-Region Workspace ONE Access Cluster in Region A
You integrate your Active Directory with Workspace ONE Access and configure attributes to synchronize users and groups to enable identity and access management in the SDDC.
5 Add the Cross-Region Workspace ONE Access Nodes as Identity Provider Connectors in Region A
To provide high availability for the identity and access management services of the cross-region Workspace ONE Access cluster, you join the cluster nodes to the rainpole.local domain and add them as directory connectors.
6 Assign Roles to User Groups in Cross-Region Workspace ONE Access
Workspace ONE Access uses role-based access control to manage administrator roles. You assign the Super Admin, Directory Admin, and ReadOnly roles to directory user groups to manage administrative access to the cross-region Workspace ONE Access cluster.
7 Assign Roles to User Groups in vRealize Suite Lifecycle Manager
To enable identity and access management for vRealize Suite Lifecycle Manager, you integrate the component with the cross-region Workspace ONE Access deployment.
Configure an Anti-Affinity Rule and a Virtual Machine Group for the Cross-Region Workspace ONE Access Cluster in Region A
To protect the cross-region Workspace ONE Access nodes from a host-level failure, configure an anti-affinity rule to run the virtual machines on different hosts in the first vSphere cluster of the Management domain. After that, you configure a VM group to define the startup order so that vSphere High Availability powers on the cross-region Workspace ONE Access cluster members in the correct order.
Procedure
1 In a Web browser, log in to vCenter Server by using the vSphere Client.
Setting Value
URL https://sfo01m01vc01.sfo01.rainpole.local/ui
User name [email protected]
Password vsphere_admin_password
2 In the Hosts and clusters inventory, expand the sfo01m01vc01.sfo01.rainpole.local tree and expand the sfo01-m01dc data center.
3 Select the sfo01-m01-mgmt01 cluster and click the Configure tab.
4 Create the anti-affinity rule for the cross-region Workspace ONE Access virtual machines.
a In the left pane, select Configuration > VM/Host rules and click Add.
b In the Create VM/Host rule dialog box, configure these settings and click OK.
Setting Value
Name anti-affinity-rule-wsa
Enable rule Selected
Type Separate Virtual Machines
Members wsa01svr01a, wsa01svr01b, wsa01svr01c
5 Create a virtual machine group for the cross-region Workspace ONE Access cluster nodes.
a In the left pane, select Configuration > VM/Host groups and click Add.
b In the Create VM/Host group dialog box, configure these settings and click OK.
Setting Value
Name Cross-Region Workspace ONE Access Virtual Appliances
Type VM Group
Members wsa01svr01a, wsa01svr01b, wsa01svr01c
Configure NTP on the Cross-Region Workspace ONE Access Cluster in Region A
To keep the cross-region Workspace ONE Access cluster nodes synchronized with the other SDDC components, configure the time synchronization on each node in the cross-region Workspace ONE Access cluster.
Table 3-1. Cross-Region Workspace ONE Access Cluster Nodes and NTP Servers
FQDN NTP Servers
wsa01svr01a.rainpole.local ntp.sfo01.rainpole.local
wsa01svr01b.rainpole.local ntp.sfo01.rainpole.local
wsa01svr01c.rainpole.local ntp.sfo01.rainpole.local
Procedure
1 Log in to the cross-region Workspace ONE Access instance by using a Secure Shell (SSH) client.
Setting Value
FQDN wsa01svr01a.rainpole.local
User name sshuser
Password wsa01svr01_sshuser_password
2 Configure the NTP source of the Workspace ONE Access appliance.
a Switch to the super user.
su
b Edit the /etc/ntp.conf file.
vi /etc/ntp.conf
c Edit the server entries and enter :wq! to save the file.
server ntp.sfo01.rainpole.local
3 Enable the NTP service.
a To disable time synchronization with the ESXi host, run the command.
vmware-toolbox-cmd timesync disable
b To enable and start the NTP service, run the commands.
chkconfig ntp on
service ntp start
c To verify the status of the NTP service, run the command.
service ntp status
4 Repeat this procedure to configure the NTP service on the wsa01svr01b.rainpole.local and wsa01svr01c.rainpole.local nodes.
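To confirm that the edit left only the intended time source on a node, the following added example, which is not part of the VMware guide, lists the active server entries in an ntp.conf file and reports any that are not expected. The function names and the two sample files are constructed for this example; on an appliance you would point the functions at /etc/ntp.conf.

```shell
#!/bin/sh
# Added example (not VMware's code). Function names and sample files are assumptions.

# Print the host named on every active "server" or "pool" line of an ntp.conf.
# Commented-out lines are ignored because their first field starts with "#".
ntp_sources() {
    awk '$1 == "server" || $1 == "pool" { print $2 }' "$1"
}

# Succeeds only if the file names exactly the expected sources and nothing else.
# Usage: ntp_conf_matches <file> <expected-source>...
ntp_conf_matches() {
    conf=$1; shift
    expected=$(printf '%s\n' "$@" | sort -u)
    actual=$(ntp_sources "$conf" | sort -u)
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Print every active source in the file that is not in the expected list.
# Usage: ntp_unexpected <file> <expected-source>...
ntp_unexpected() {
    conf=$1; shift
    ntp_sources "$conf" | sort -u | while read -r src; do
        found=no
        for want in "$@"; do
            [ "$src" = "$want" ] && found=yes
        done
        [ "$found" = yes ] || echo "$src"
    done
}

# Constructed samples: one file edited as the procedure describes, and one
# where a leftover public pool entry (placeholder host name) is still active.
NTP_DEMO_DIR=$(mktemp -d)
trap 'rm -rf "$NTP_DEMO_DIR"' EXIT
cat > "$NTP_DEMO_DIR/good.conf" <<'EOF'
# constructed sample
driftfile /var/lib/ntp/drift/ntp.drift
#server 0.pool.example.org iburst
server ntp.sfo01.rainpole.local
EOF
cat > "$NTP_DEMO_DIR/drift.conf" <<'EOF'
# constructed sample
driftfile /var/lib/ntp/drift/ntp.drift
server 0.pool.example.org iburst
server ntp.sfo01.rainpole.local
EOF

EXPECTED_NTP=ntp.sfo01.rainpole.local   # NTP server from Table 3-1
for f in good.conf drift.conf; do
    if ntp_conf_matches "$NTP_DEMO_DIR/$f" "$EXPECTED_NTP"; then
        echo "$f: only $EXPECTED_NTP is configured"
    else
        echo "$f: unexpected sources:" $(ntp_unexpected "$NTP_DEMO_DIR/$f" "$EXPECTED_NTP")
    fi
done
```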
Configure Custom Branding for the Cross-Region Workspace ONE Access Deployment in Region A
To personalize the sign-in screen for your organization, you configure the branding of the cross-region Workspace ONE Access deployment.
Procedure
1 In a Web browser, log in to the Workspace ONE Access cross-region cluster by using the administration interface.
Setting Value
URL https://wsa01svr01.rainpole.local/admin
User name configadmin
Password wsa01svr01_configadmin_password
Domain System Domain
2 On the main navigation bar, click Identity and access management.
3 Click Setup and click the Custom branding tab.
4 On the Custom branding page, click Names and logos, configure these settings, and click Save.
Setting Value
Company Name Rainpole
Product Name Cloud
Favicon Upload a 16px by 16px transparent .png image.
5 On the Custom branding page, click Sign-in screen, configure these settings, and click Save.
Setting Value
Logo Upload a 100px height transparent .png image.
Image Upload a 1400px width and 900px height .png or .jpg image.
Configure Identity Sources for the Cross-Region Workspace ONE Access Cluster in Region A
You integrate your Active Directory with Workspace ONE Access and configure attributes to synchronize users and groups to enable identity and access management in the SDDC.
Procedure
1 In a Web browser, log in to the Workspace ONE Access cross-region cluster by using the administration interface.
Setting Value
URL https://wsa01svr01.rainpole.local/admin
User name configadmin
Password wsa01svr01_configadmin_password
Domain System Domain
2 On the main navigation bar, click Identity and access management.
3 Click the Directories tab, and from the Add directory drop-down menu, select Add Active Directory over LDAP/IWA.
4 On the Add directory page, configure these settings, and click Save and next.
Setting Value
Directory name rainpole.local
Active Directory (integrated Windows authentication) Selected
Sync connector wsa01svr01a.rainpole.local
Do you want this connector also perform authentication Yes
Directory search attribute sAMAccountName
Domain name rainpole.local
Domain admin user name svc-domain-join
Domain admin password svc-domain-join_password
Bind user name svc-wsa-ad
Bind user password svc-wsa-ad_password
5 On the Select the domains page, configure these settings and click Next.
Setting Value
rainpole.local (RAINPOLE) Selected
sfo01.rainpole.local (SFO01) Selected
6 On the Map user attributes page, review the attribute mappings and click Next.
7 On the Select the groups you want to sync page, configure these settings.
Setting Value
Sync nested group members Selected
Specify the group DN Click the plus icon and enter OU=Security Groups,DC=rainpole,DC=local.
8 For each group DN, click Select, select the groups to be used by the cross-region Workspace ONE Access cluster, click Save, and click Next.
Product Value
Workspace ONE Access ug-wsa-admins, ug-wsa-directory-admins, ug-wsa-read-only
vRealize Suite Lifecycle Manager ug-vrslcm-admins, ug-vrslcm-content-admins, ug-vrslcm-content-developers
vRealize Operations ug-vrops-admins, ug-vrops-content-admins, ug-vrops-read-only
vRealize Automation ug-vra-org-owners, ug-vra-cloud-assembly-admins, ug-vra-cloud-assembly-users, ug-vra-service-broker-admins, ug-vra-service-broker-users, ug-vra-orchestrator-admins, ug-vra-orchestrator-designers, ug-vra-project-admins-sample, ug-vra-project-users-sample
9 On the Select the users you want to sync page, configure these settings and click Next.
Setting Value
Specify the user DN Click the plus icon and enter OU=Security Users,DC=rainpole,DC=local.
10 On the Review page, click Edit, from the Sync frequency drop-down menu, select Every 15 minutes, and click Save.
11 To initialize the directory import, click Sync directory.
Add the Cross-Region Workspace ONE Access Nodes as Identity Provider Connectors in Region A
To provide high availability for the identity and access management services of the cross-region Workspace ONE Access cluster, you join the cluster nodes to the rainpole.local domain and add them as directory connectors.
Procedure
1 In a Web browser, log in to the Workspace ONE Access cross-region cluster by using the administration interface.
Setting Value
URL https://wsa01svr01.rainpole.local/admin
User name configadmin
Password wsa01svr01_configadmin_password
Domain System Domain
2 Join the wsa01svr01b.rainpole.local and wsa01svr01c.rainpole.local connectors to the rainpole.local domain.
a On the main navigation bar, click Identity and access management.
b Click Setup and click the Connectors tab.
c On the Connectors page, next to the wsa01svr01b.rainpole.local connector, click Join domain.
d In the Join domain dialog box, configure these settings and click Join domain.
Setting Value
Domain Custom Domain
Custom Domain rainpole.local
Domain User svc-domain-join
Domain Password svc-domain-join_password
Organizational unit (OU) of domain to join CN=Computers,DC=rainpole,DC=local
e Repeat these steps to join the wsa01svr01c.rainpole.local connector to the rainpole.local domain.
3 Add the wsa01svr01b.rainpole.local and wsa01svr01c.rainpole.local connectors as identity providers.
a On the main navigation bar, click Identity and access management.
b Click Manage and click the Identity providers tab.
c Click the WorkspaceIDP__1 identity provider.
d On the WorkspaceIDP__1 details page, from the Add a connector drop-down menu, select wsa01svr01b.rainpole.local, configure these settings, and click Add connector.
Setting Value
Connector wsa01svr01b.rainpole.local
Bind to AD Checked
Bind user password svc-wsa-ad_password
Domain admin user name svc-domain-join
Domain admin password svc-domain-join_password
e Repeat this step for the wsa01svr01c.rainpole.local connector.
f In the IdP Hostname text box, enter wsa01svr01.rainpole.local.
g Click Save.
Assign Roles to User Groups in Cross-Region Workspace ONE Access
Workspace ONE Access uses role-based access control to manage administrator roles. You assign the Super Admin, Directory Admin, and ReadOnly roles to directory user groups to manage administrative access to the cross-region Workspace ONE Access cluster.
You assign the Workspace ONE Access roles to the Workspace ONE Access user groups.
Table 3-2. Workspace ONE Access Roles and Groups
Role Group
Super Admin [email protected]
Directory Admin [email protected]
ReadOnly Admin [email protected]
Procedure
1 In a Web browser, log in to the Workspace ONE Access cross-region cluster by using the administration interface.
Setting Value
URL https://wsa01svr01.rainpole.local/admin
User name configadmin
Password wsa01svr01_configadmin_password
Domain System Domain
2 On the main navigation bar, click Roles.
3 Select the Super Admin role and click Assign.
4 In the Users / groups search box, enter [email protected], select the group, and click Save.
5 Repeat these steps to configure the Directory Admin and the ReadOnly Admin roles.
Assign Roles to User Groups in vRealize Suite Lifecycle Manager
To enable identity and access management for vRealize Suite Lifecycle Manager, you integrate the component with the cross-region Workspace ONE Access deployment.
You assign the vRealize Suite Lifecycle Manager roles to the vRealize Suite Lifecycle Manager user groups.
Table 3-3. vRealize Suite Lifecycle Manager User Groups and Roles
User Group Role
[email protected] LCM Cloud Admin
[email protected] Content Release Manager
[email protected] Content Developer
Procedure
1 In a Web browser, log in to vRealize Suite Lifecycle Manager by using the administration interface.
Setting Value
URL https://vrslcm01svr01.rainpole.local
User name admin@local
Password vrslcm_admin_password
2 On the My Services page, click Identity and tenant management.
3 In the navigation pane, click User management and click Add user / group.
The Assign roles wizard opens.
4 On the Select users / groups page, in the search box, enter [email protected], select the user group from the organization directory, and click Next.
5 On the Select roles page, select the LCM cloud admin role and click Next.
6 On the Summary page, click Submit.
7 Repeat these steps to assign roles to the ug-vrslcm-content-admins and ug-vrslcm-content-developers user groups.
4 Region-Specific Workspace ONE Access Implementation in Region A
To provide identity and access management services to the region-specific SDDC components, you deploy the Workspace ONE Access instance in the management domain cluster and configure storage, network, and other appliance attributes in Region A.
Procedure
1 Prerequisites for Deploying Region-Specific Workspace ONE Access in Region A
Before you deploy the region-specific Workspace ONE Access instance, verify that your environment fulfills the requirements for this deployment.
2 Deploy the Region-Specific Workspace ONE Access Instance in Region A
Deploy and configure the region-specific Workspace ONE Access instance in Region A.
3 Complete the Initial Configuration of the Region-Specific Workspace ONE Access Instance in Region A
Complete the initial configuration of the region-specific Workspace ONE Access instance by setting the root, administrator, and remote user account passwords, and initializing the application database.
4 Configure Region-Specific Workspace ONE Access for the Management Domain in Region A
To ensure the operation of the region-specific Workspace ONE Access instance in the SDDC, you replace the default certificate, configure time synchronization, integrate and synchronize the instance with Active Directory, and assign role-based access.
5 Integrate NSX-T Data Center with the Region-Specific Workspace ONE Access Instance in Region A
To provide role-based access for the NSX-T Data Center instance for the workload domain, integrate it with the region-specific Workspace ONE Access instance.
Prerequisites for Deploying Region-Specific Workspace ONE Access in Region A
Before you deploy the region-specific Workspace ONE Access instance, verify that your environment fulfills the requirements for this deployment.
Deployment Prerequisites
Verify that your environment satisfies the following prerequisites for the deployment of the region-specific Workspace ONE Access instance.
Prerequisite Value
Storage
- Virtual disk provisioning: Thin
- Required storage: 4.8 GB
Installation packages Verify that you downloaded the VMware Workspace ONE Access OVA file from My VMware.
Software Features
- Verify that the Management domain vCenter Server is operational.
- Verify that the application virtual networks are available.
- Verify that the Management domain NSX Data Center for vSphere is operational.
- Verify that static IP address and FQDN for the application virtual networks are available for the region-specific Workspace ONE Access deployment. See Host Names and IP Addresses for vRealize Suite 2019 and Workspace ONE Access.
Active Directory
- Verify that you have a parent Active Directory with the SDDC user roles configured for the rainpole.local domain.
- Verify that required Active Directory service accounts are created. See Active Directory User Accounts.
- Verify that required Active Directory security groups are created. See Active Directory Groups.
Certificate Authority Verify that you have a valid SSL certificate. You can generate the certificate using the CertGenVVD utility. See Certificate Generation Utility for VMware Validated Design for Software-Defined Data Center 6.x (78246).
Deploy the Region-Specific Workspace ONE Access Instance in Region A
Deploy and configure the region-specific Workspace ONE Access instance in Region A.
Procedure
1 In a Web browser, log in to vCenter Server by using the vSphere Client.
Setting Value
URL https://sfo01m01vc01.sfo01.rainpole.local/ui
User name [email protected]
Password vsphere_admin_password
2 In the Hosts and clusters inventory, expand the sfo01m01vc01.sfo01.rainpole.local tree and expand the sfo01-m01dc data center.
3 Right-click the sfo01-m01-sddc-mgmt resource pool and select Deploy OVF template.
4 On the Select an OVF template page, select Local file, click Choose files, browse to the location of the Workspace ONE Access OVA file, and click Next.
5 On the Select a name and folder page, configure these settings, and click Next.
Setting Value
Virtual machine name sfo01wsa01
Virtual machine location sfo01-m01fd-wsa
6 On the Select a compute resource page, select the sfo01-m01-sddc-mgmt resource pool and click Next.
7 On the Review details page, review the settings and click Next.
8 On the License agreements page, accept the license agreement and click Next.
9 On the Select storage page, configure these settings and click Next.
Setting Value
Select virtual disk format Thin provision
VM storage policy vSAN default storage policy
Datastores sfo01-m01-vsan01
10 On the Select networks page, from the Destination network drop-down menu, select the distributed port group that ends with Mgmt-RegionA01-VXLAN and click Next.
11 On the Customize template page, configure these settings and click Next.
Setting Value
Timezone setting US/Pacific
Join the VMware customer experience improvement program Selected
Hostname sfo01wsa01.sfo01.rainpole.local
Default gateway 192.168.31.1
Domain name sfo01.rainpole.local
Domain search path sfo01.rainpole.local,rainpole.local
Domain name servers 172.16.11.4,172.16.11.5
Network 1 IP address 192.168.31.60
Network 1 netmask 255.255.255.0
12 On the Ready to complete page, click Finish and wait for the process to complete.
13 Power on the region-specific Workspace ONE Access virtual machine.
a In the VMs and templates inventory, expand the sfo01m01vc01.sfo01.rainpole.local tree, expand the sfo01-m01dc data center, and expand the sfo01-m01fd-wsa folder.
b Right-click the sfo01wsa01 virtual machine and, from the Actions menu, select Power > Power on.
It takes time for the virtual machine to complete the power on process.
Complete the Initial Configuration of the Region-Specific Workspace ONE Access Instance in Region A
Complete the initial configuration of the region-specific Workspace ONE Access instance by setting the root, administrator, and remote user account passwords, and initializing the application database.
Procedure
1 In a Web browser, log in to the region-specific Workspace ONE Access instance in Region A by using the administration interface, https://sfo01wsa01.sfo01.rainpole.local.
2 On the Get started page, click Continue.
3 On the Set passwords page, configure the settings and click Continue.
User Value
Appliance administrator account sfo01wsa01_admin_password
Appliance root account sfo01wsa01_root_password
Remote user account sfo01wsa01_sshuser_password
4 On the Select database page, configure Database type as Internal database and click Continue.
The internal database initializes.
5 On the Setup review page, ensure that the Setup is Complete message is displayed.
6 Click Log out.
Configure Region-Specific Workspace ONE Access for the Management Domain in Region A
To ensure the operation of the region-specific Workspace ONE Access instance in the SDDC, you replace the default certificate, configure time synchronization, integrate and synchronize the instance with Active Directory, and assign role-based access.
Procedure
1 Replace the Certificate of the Region-Specific Workspace ONE Access Instance in Region A
You replace the default self-signed certificate of the region-specific Workspace ONE Access instance in Region A with a signed certificate from the Microsoft Certificate Authority generated by using the CertGenVVD utility.
2 Configure Preferences and Custom Branding for the Region-Specific Workspace ONE Access Instance in Region A
To synchronize group members to the directory when adding a group, you configure the preferences of the region-specific Workspace ONE Access instance. To personalize the sign-in screen for your organization, you configure the branding of the region-specific Workspace ONE Access instance.
3 Configure NTP of the Region-Specific Workspace ONE Access Instance in Region A
To keep the region-specific Workspace ONE Access appliance time synchronized with the other SDDC components, configure the NTP source on the appliance.
4 Configure Identity Source of the Region-Specific Workspace ONE Access Instance in Region A
You integrate your Active Directory with Workspace ONE Access and configure attributes to synchronize users and groups to enable identity and access management in the SDDC.
5 Assign Roles in the Region-Specific Workspace ONE Access Instance in Region A
Workspace ONE Access uses role-based access control to manage administrator roles. You assign the Super Admin, Directory Admin, and ReadOnly roles to directory user groups to manage administrative access to the region-specific Workspace ONE Access instance.
Replace the Certificate of the Region-Specific Workspace ONE Access Instance in Region A
You replace the default self-signed certificate of the region-specific Workspace ONE Access instance in Region A with a signed certificate from the Microsoft Certificate Authority generated by using the CertGenVVD utility.
Procedure
1 In a Web browser, log in to the region-specific Workspace ONE Access instance in Region A by using the administration interface.
Setting Value
URL https://sfo01wsa01.sfo01.rainpole.local/admin
User name admin
Password sfo01wsa01_admin_password
Domain System Domain
2 On the main navigation bar, click the Appliance settings tab.
3 In the left pane, click VA configuration and click Manage configuration.
4 In the left pane, click Install SSL certificates.
5 Click the Server certificate tab, configure these settings, and click Save.
Setting Value
SSL certificate Custom Certificate
SSL certificate chain Paste the content of the sfo01wsa01.2.chain.pem file generated by the CertGenVVD utility.
Private key Paste the content of the sfo01wsa01.key file generated by the CertGenVVD utility.
Subject alternative names sfo01wsa01.sfo01.rainpole.local
6 In the Updating certificate dialog box, click OK.
It takes time for the certificate installation to complete and the services to restart.
7 After the services are restarted, close all Web browsers, open a new Web browser, log back in to the region-specific Workspace ONE Access instance, and verify that the certificate is replaced.
Configure Preferences and Custom Branding for the Region-Specific Workspace ONE Access Instance in Region A
To synchronize group members to the directory when adding a group, you configure the preferences of the region-specific Workspace ONE Access instance. To personalize the sign-in screen for your organization, you configure the branding of the region-specific Workspace ONE Access instance.
Procedure
1 In a Web browser, log in to the region-specific Workspace ONE Access instance in Region A by using the administration interface.
Setting Value
URL https://sfo01wsa01.sfo01.rainpole.local/admin
User name admin
Password sfo01wsa01_admin_password
Domain System Domain
2 On the main navigation bar, click Identity and access management.
3 Click Setup and click the Preferences tab.
4 On the Preferences page, next to Sync group members to the directory when adding group, select the Enable check box, and click Save.
5 Click the Custom branding tab.
6 Click Names and logos, configure these settings, and click Save.
Setting Value
Company Name Rainpole
Product Name Cloud
Favicon Upload a 16px by 16px transparent .png image.
7 On the Custom branding page, click Sign-in screen, configure these settings, and click Save.
Setting Example Value
Logo Upload a 100px height transparent .png image.
Image Upload a 1400px width and 900px height .png or .jpg image.
Configure NTP of the Region-Specific Workspace ONE Access Instance in Region A
To keep the region-specific Workspace ONE Access appliance time synchronized with the other SDDC components, configure the NTP source on the appliance.
Procedure
1 Log in to the region-specific Workspace ONE Access instance in Region A by using a Secure Shell (SSH) client.
Setting Value
FQDN sfo01wsa01.sfo01.rainpole.local
User name sshuser
Password sfo01wsa01_sshuser_password
2 Configure the NTP source of the Workspace ONE Access appliance.
a Switch to the super user.
su
b Edit the /etc/ntp.conf file.
vi /etc/ntp.conf
c Edit the server entries and save the file.
server ntp.sfo01.rainpole.local
3 Enable the NTP service.
a To disable time synchronization with the ESXi host, run the command.
vmware-toolbox-cmd timesync disable
b To enable and start the NTP service, run the commands.
chkconfig ntp on
service ntp start
c To verify the status of the NTP service, run the command.
service ntp status
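The status command in step 3c shows only that the daemon is running. As an added example (not part of the VMware procedure), this shell sketch parses `ntpq -pn` output to confirm that a peer has actually been selected and that its offset is small. The function names, the 500 ms limit, and the sample peer tables are assumptions constructed for illustration.

```shell
# Added example: decide from `ntpq -pn` output whether ntpd has really synchronized.

# Reads the ntpq peer table on stdin. $1 = largest acceptable offset in ms
# (500 is an assumed default, not a value from the VMware procedure).
ntp_sync_check() {
    awk -v limit="${1:-500}" '
        # Column 1 is a tally character glued to the peer address;
        # "*" marks the peer ntpd has selected as its system peer.
        /^\*/ { peer = substr($1, 2); reach = $7; offset = $9; found = 1 }
        END {
            if (!found) { print "FAIL no system peer selected"; exit 1 }
            if (reach + 0 == 0) { print "FAIL " peer " selected but never reached"; exit 1 }
            abs = offset + 0; if (abs < 0) abs = -abs
            if (abs > limit + 0) {
                printf "FAIL %s offset_ms=%s exceeds %s\n", peer, offset, limit
                exit 1
            }
            printf "OK %s offset_ms=%s\n", peer, offset
        }'
}

# Live check on the appliance, run as root. Not called here.
check_appliance_time() {
    # The procedure disables VMware Tools time sync so that ntpd is the only
    # time source; "timesync status" prints Enabled or Disabled.
    if [ "$(vmware-toolbox-cmd timesync status)" != "Disabled" ]; then
        echo "FAIL VMware Tools timesync is still enabled"
        return 1
    fi
    ntpq -pn | ntp_sync_check "${1:-500}"
}

# Constructed sample peer tables (documentation addresses, not real servers).
SAMPLE_SYNCED='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.1       198.51.100.1     3 u   41   64  377    0.412   -1.273   0.208
+192.0.2.2       198.51.100.1     3 u   12   64  377    0.398    0.846   0.311'

SAMPLE_UNSYNCED='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 192.0.2.1       .INIT.          16 u    -   64    0    0.000    0.000   0.000'

SAMPLE_DRIFT='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*192.0.2.1       198.51.100.1     3 u   41   64  377    0.412 2350.118   0.208'

# Offline demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_SYNCED"   | ntp_sync_check || true
printf '%s\n' "$SAMPLE_UNSYNCED" | ntp_sync_check || true
printf '%s\n' "$SAMPLE_DRIFT"    | ntp_sync_check || true
```

A freshly started ntpd can take several poll intervals to select a peer, so a FAIL immediately after step 3b is expected and worth re-checking a few minutes later.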
Configure Identity Source of the Region-Specific Workspace ONE Access Instance in Region A
You integrate your Active Directory with Workspace ONE Access and configure attributes to synchronize users and groups to enable identity and access management in the SDDC.
Procedure
1 In a Web browser, log in to the region-specific Workspace ONE Access instance in Region A by using the administration interface.
Setting Value
URL https://sfo01wsa01.sfo01.rainpole.local/admin
User name admin
Password sfo01wsa01_admin_password
Domain System Domain
2 On the main navigation bar, click Identity and access management.
3 Click the Directories tab, and from the Add directory drop-down menu, select Add Active Directory over LDAP/IWA.
The Add directory wizard opens.
4 On the Add directory page, configure these settings and click Save and next.
Setting Value
Directory name rainpole.local
Active Directory (Integrated Windows authentication) Selected
Sync connector sfo01wsa01.sfo01.rainpole.local
Do you want this connector also perform authentication Yes
Directory search attribute sAMAccountName
Domain name sfo01.rainpole.local
Domain admin user name svc-domain-join
Domain admin password svc-domain-join_password
Bind user name svc-wsa-ad
Bind user password svc-wsa-ad_password
5 On the Select the domains page, configure these settings and click Next.
Setting Value
Selected rainpole.local (RAINPOLE)
Selected sfo01.rainpole.local (SFO01)
6 On the Map user attributes page, review the attribute mappings and click Next.
7 On the Select the groups you want to sync page, configure the settings and click Find groups.
Setting Value
Sync nested group members Selected
Specify the group DN Click the plus icon and enter OU=Security Groups,DC=rainpole,DC=local
8 For each group DN, click Select, select the group to use by the region-specific Workspace ONE Access instance in Region A, click Save, and click Next.
Product Value
NSX Data Center ug-nsx-enterprise-admins
Workspace ONE Access ug-wsa-admins, ug-wsa-directory-admins, ug-wsa-read-only
vRealize Log Insight ug-vrli-admins, ug-vrli-users, ug-vrli-viewers
9 On the Select the users you want to sync page, configure these settings and click Next.
Setting Value
Specify the user DN Click the plus icon and enter OU=Security Users,DC=rainpole,DC=local
10 On the Review page, click Edit, from the Sync frequency drop-down menu, select Every 15 minutes, and click Save.
11 To initialize the directory import, click Sync directory.
This process might take some time to complete.
Assign Roles in the Region-Specific Workspace ONE Access Instance in Region A
Workspace ONE Access uses role-based access control to manage administrator roles. You assign the Super Admin, Directory Admin, and ReadOnly roles to directory user groups to manage administrative access to the region-specific Workspace ONE Access instance.
You assign the Workspace ONE Access roles to the Workspace ONE Access user groups.
Table 4-1. Workspace ONE Access Roles and Groups
Role Group
Super Admin [email protected]
Directory Admin [email protected]
ReadOnly Admin [email protected]
Procedure
1 In a Web browser, log in to the region-specific Workspace ONE Access instance in Region A by using the administration interface.
Setting Value
URL https://sfo01wsa01.sfo01.rainpole.local/admin
User name admin
Password sfo01wsa01_admin_password
Domain System Domain
2 On the main navigation bar, click Roles.
3 Select the Super Admin role and click Assign.
4 In the Users / groups search box, enter [email protected], select the group, and click Save.
5 Repeat these steps to configure the Directory Admin and the ReadOnly Admin roles.
Integrate NSX-T Data Center with the Region-Specific Workspace ONE Access Instance in Region A
To provide role-based access for the NSX-T Data Center instance for the workload domain, integrate it with the region-specific Workspace ONE Access instance.
Procedure
1 Obtain the Certificate Thumbprint from the Region-Specific Workspace ONE Access Instance in Region A
Before you configure the integration of Workspace ONE Access with NSX-T Data Center in the workload domain, you must obtain the certificate thumbprint from the region-specific Workspace ONE Access instance.
2 Integrate NSX-T Data Center with the Region-Specific Workspace ONE Access Instance in Region A
First, you create a remote app access client in the region-specific Workspace ONE Access for the integration with NSX-T Data Center. Then, you use the certificate thumbprint, ClientID, and shared secret, to register NSX-T Data Center to identify it as a trusted consumer of the Workspace ONE Access identity and authentication services.
3 Configure Role-Based Access Control for NSX-T Data Center in Region A
After you integrate the region-specific Workspace ONE Access instance with NSX-T Data Center, you configure role-based access controls to manage access to NSX-T Data Center in the workload domain.
Obtain the Certificate Thumbprint from the Region-Specific Workspace ONE Access Instance in Region A
Before you configure the integration of Workspace ONE Access with NSX-T Data Center in the workload domain, you must obtain the certificate thumbprint from the region-specific Workspace ONE Access instance.
Procedure
1 Log in to vCenter Server by using a Secure Shell (SSH) client.
Setting Value
FQDN sfo01m01vc01.sfo01.rainpole.local
User name root
Password vcenter_server_root_password
2 To switch to the bash shell, run the shell command.
3 To retrieve the SHA-256 thumbprint of the Workspace ONE Access certificate, run the command.
openssl s_client -connect sfo01wsa01.sfo01.rainpole.local:443 < /dev/null 2> /dev/null | openssl x509 -sha256 -fingerprint -noout -in /dev/stdin
4 Save the fingerprint to later integrate NSX-T Data Center with Workspace ONE Access.
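The command in step 3 prints the fingerprint of whatever endpoint answered on port 443, without validating the chain. As an added example (not part of the VMware procedure), this shell sketch compares that value with the fingerprint computed from the sfo01wsa01.2.chain.pem file installed earlier before it is pasted into NSX-T. The function names are assumptions, the leaf certificate is assumed to be the first one in the chain file, and the sample fingerprints are constructed.

```shell
# Added example: compare the thumbprint seen on the wire with the one computed
# from the certificate file that was installed on the appliance.

# Reduce an openssl fingerprint line, or a bare value with or without colons,
# to 64 uppercase hex digits. The digest label before "=" varies in case
# between OpenSSL builds, so it is discarded rather than matched.
normalize_fp() {
    fp=${1##*=}
    fp=$(printf '%s' "$fp" | tr -d ': \r\n' | tr 'a-f' 'A-F')
    case $fp in
        *[!0-9A-F]*) echo "not a SHA-256 fingerprint: $1" >&2; return 1 ;;
    esac
    # A SHA-256 digest is 32 bytes, that is, exactly 64 hex digits.
    if [ "${#fp}" -ne 64 ]; then
        echo "not a SHA-256 fingerprint: $1" >&2
        return 1
    fi
    printf '%s\n' "$fp"
}

# Fingerprint of the first certificate in a PEM file (assumed to be the leaf).
fp_from_pem() {
    normalize_fp "$(openssl x509 -in "$1" -noout -fingerprint -sha256)"
}

# Fingerprint of the certificate a server presents; $1 is host:port.
fp_from_host() {
    normalize_fp "$(openssl s_client -connect "$1" -servername "${1%:*}" \
        </dev/null 2>/dev/null | openssl x509 -noout -fingerprint -sha256)"
}

# Returns 0 on match, 1 on mismatch, 2 when either value is malformed.
fp_match() {
    fp_a=$(normalize_fp "$1") || return 2
    fp_b=$(normalize_fp "$2") || return 2
    [ "$fp_a" = "$fp_b" ]
}

# Usage: verify_thumbprint host:port installed-chain.pem
verify_thumbprint() {
    wire=$(fp_from_host "$1") || return 2
    file=$(fp_from_pem "$2") || return 2
    if [ "$wire" = "$file" ]; then
        echo "MATCH $wire"
    else
        echo "MISMATCH wire=$wire file=$file" >&2
        return 1
    fi
}

# Constructed sample values (not taken from a real appliance): one digest as
# openssl prints it, the same digest pasted bare, and one that differs in the
# last byte.
SAMPLE_WIRE='SHA256 Fingerprint=3A:7F:01:C4:9B:22:E8:5D:60:1F:AA:47:D3:0C:95:B6:18:E2:7A:4C:F0:39:8D:51:C7:2B:6E:04:DB:93:A5:1E'
SAMPLE_BARE='3a7f01c49b22e85d601faa47d30c95b618e27a4cf0398d51c72b6e04db93a51e'
SAMPLE_OTHER='3A:7F:01:C4:9B:22:E8:5D:60:1F:AA:47:D3:0C:95:B6:18:E2:7A:4C:F0:39:8D:51:C7:2B:6E:04:DB:93:A5:1F'

# Offline demonstration on the constructed samples.
fp_match "$SAMPLE_WIRE" "$SAMPLE_BARE"  && echo "wire and bare samples match"
fp_match "$SAMPLE_WIRE" "$SAMPLE_OTHER" || echo "altered sample rejected"

# Live use, for example:
#   sh thisfile.sh sfo01wsa01.sfo01.rainpole.local:443 sfo01wsa01.2.chain.pem
if [ "$#" -eq 2 ]; then
    verify_thumbprint "$1" "$2"
fi
```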
Integrate NSX-T Data Center with the Region-Specific Workspace ONE Access Instance in Region A
First, you create a remote app access client in the region-specific Workspace ONE Access for the integration with NSX-T Data Center. Then, you use the certificate thumbprint, ClientID, and shared secret, to register NSX-T Data Center to identify it as a trusted consumer of the Workspace ONE Access identity and authentication services.
Procedure
1 In a Web browser, log in to the region-specific Workspace ONE Access instance in Region A by using the administration interface.
Setting Value
URL https://sfo01wsa01.sfo01.rainpole.local/admin
User name admin
Password sfo01wsa01_admin_password
Domain System Domain
2 On the main navigation bar, from the Catalog drop-down menu, select Settings.
3 In the left pane, click Remote app access.
4 Click Clients and click Create client.
5 In the Create client dialog box, configure these settings, and click Add.
Setting Value
Access type Service Client Token
Client ID sfo01w01nsx01-oauth
Scope admin
Shared secret Generate and save a shared secret
Issue Refresh Token Selected
Token type Bearer
Access Token Time-To-Live (TTL) 8 hours
Refresh Token Time-To-Live (TTL) 1 month
Idle Token Time-to-Live (TTL) 4 days
6 In a Web browser, log in to the NSX-T Manager for the workload domain by using the user interface.
Setting Value
URL https://sfo01w01nsx01.sfo01.rainpole.local
User name admin
Password nsx-t_admin_password
7 On the main navigation bar, click System.
8 In the left pane, click Users, click the Configuration tab, and click Edit.
9 In the Edit VMware Identity Manager configuration dialog box, configure these settings and click Save.
Setting Value
External load balancer Disabled
Integration VMware Identity Manager Enabled
VMware Identity Manager Appliance sfo01wsa01.sfo01.rainpole.local
OAuth Client ID sfo01w01nsx01-oauth
OAuth Client Secret Generated_Shared_Secret
SSL Thumbprint Certificate_SHA-256_Thumbprint
NSX Appliance sfo01w01nsx01.sfo01.rainpole.local
Results
Important: After you configure Workspace ONE Access as an identity provider, the NSX-T Manager URL for a local account login has /login.jsp?local=true appended, that is, https://sfo01w01nsx01.sfo01.rainpole.local/login.jsp?local=true.
Configure Role-Based Access Control for NSX-T Data Center in Region A
After you integrate the region-specific Workspace ONE Access instance with NSX-T Data Center, you configure role-based access controls to manage access to NSX-T Data Center in the workload domain.
Procedure
1 In a Web browser, log in to the NSX-T Manager for the workload domain by using the user interface.
Setting Value
URL https://sfo01w01nsx01.sfo01.rainpole.local
User name admin
Password nsx-t_admin_password
2 On the main navigation bar, click System.
3 In the left pane, click Users and click the Roles assignments tab.
4 From the Add drop-down menu, select Role assignment, configure these settings, and click Save.
Setting Value
User / User Group Name [email protected]
Roles Enterprise Admins
5 vRealize Operations Manager Implementation in Region A
Deploy vRealize Operations Manager components to monitor the resources in your SDDC.
Deploy the vRealize Operations Manager analytics cluster with three nodes to monitor the resources in your SDDC. Also deploy the remote collector group with two nodes to collect data from the management components in the SDDC.
Procedure
1 Configure the Load Balancer for vRealize Operations Manager in Region A
Configure load balancing for the analytics cluster on the dedicated NSX Edge services gateway. The remote collector group in Region A does not require load balancing.
2 Deploy vRealize Operations Manager in Region A
Deploy the vRealize Operations Manager analytics cluster nodes and the remote collector nodes by using vRealize Suite Lifecycle Manager.
3 Update vRealize Operations Manager Authentication Source
To ensure that users are redirected to the load balancer address when authenticating to vRealize Operations Manager with a cross-region Workspace ONE Access user account, you update the vRealize Operations Manager authentication source. You set the redirect FQDN to the load balancer VIP FQDN and rename the authentication source.
4 Configure vSphere DRS Anti-Affinity Rules for vRealize Operations Manager in Region A
To protect the vRealize Operations Manager virtual machines from a host-level failure, configure vSphere DRS to run the virtual machines of the analytics cluster and the remote collectors on different hosts in the first cluster in the management domain.
5 Create a VM Group and Define the Startup Order of the Analytics Cluster in Region A
VM groups allow you to define the startup order of virtual machines. The startup order you define ensures that vSphere HA powers on virtual machines in the correct order.
6 Group the Remote Collector Nodes in Region A
Join the remote collectors in a group for adapter resiliency in case the collector experiences network interruption or becomes unavailable.
7 Configure User Access in vRealize Operations Manager in Region A
To enable enterprise users to log in with the required role-based access controls, you configure the enterprise identity source user groups that are synced in Workspace ONE Access for vRealize Operations Manager.
8 Configure User Access in vSphere for Integration with vRealize Operations Manager in Region A
Configure operations service accounts with the required permissions to enable vRealize Operations Manager access to monitoring data on the vCenter Server instances.
9 Add vCenter Server Cloud Accounts to vRealize Operations Manager in Region A
After you deploy the analytics cluster and the remote collector nodes of vRealize Operations Manager and start vRealize Operations Manager, create a vCenter Server cloud account for each vCenter Server instance in the region.
10 Enable vSAN Monitoring in vRealize Operations Manager in Region A
Configure the vSAN adapter to collect monitoring data about vSAN usage in the SDDC.
11 Connect vRealize Operations Manager to NSX Data Center for vSphere in Region A
Install and configure the vRealize Operations Management Pack for NSX for vSphere to monitor the NSX networking services deployed in the management domain and view the vSphere hosts in the NSX transport zones.
12 Enable NSX-T Data Center Monitoring in vRealize Operations Manager in Region A
Configure the vRealize Operations Management Pack for NSX-T to monitor the NSX-T networking services deployed in the workload domain and view the vSphere hosts in the NSX-T transport zones.
13 Enable Storage Device Monitoring in vRealize Operations Manager in Region A
Install and configure the vRealize Operations Management Pack for Storage Devices to view the storage topology in the SDDC and to monitor the capacity and problems on storage components.
14 Connect vRealize Operations Manager to the Workspace ONE Access Instances in Region A
Install and configure the vRealize Operations Management Pack for VMware Identity Manager to monitor Workspace ONE Access cluster nodes, certificates, storage space, database connections, RabbitMQ, and other resource kinds.
15 Set the Currency for Cost Calculation in vRealize Operations Manager
Set the currency used for cost calculations in vRealize Operations Manager.
16 Configure Email Alerts in vRealize Operations Manager in Region A
Configure email notifications in vRealize Operations Manager so that users and applications receive the administrative alerts from vRealize Operations Manager about certain situations in the data center.
Configure the Load Balancer for vRealize Operations Manager in Region A
Configure load balancing for the analytics cluster on the dedicated NSX Edge services gateway. The remote collector group in Region A does not require load balancing.
Procedure
1 Configure the Virtual IP Address for Load Balancing the Analytics Cluster in Region A
Configure the virtual IP address for load balancing the analytics cluster of vRealize Operations Manager in Region A.
2 Create a Service Monitor for vRealize Operations Manager in Region A
The service monitor defines health check parameters for each member in the server pool.
3 Create a Server Pool for vRealize Operations Manager in Region A
A server pool consists of one or more servers that are configured and running the same application. After you create a server pool, you associate a service monitor with the pool to manage and share the back-end servers flexibly and efficiently.
4 Create the Application Profiles for vRealize Operations Manager in Region A
To define the behavior of a particular type of network traffic, you create an application profile. The virtual server then processes traffic according to the values specified in the profile. Using profiles enhances your control over managing network traffic, and makes traffic-management tasks easier and more efficient.
5 Create Virtual Servers for vRealize Operations in Region A
Create virtual servers for the configured server pool. When a virtual server receives a request, it selects the appropriate pool to which to send traffic. Each pool consists of one or more members.
Configure the Virtual IP Address for Load Balancing the Analytics Cluster in Region A
Configure the virtual IP address for load balancing the analytics cluster of vRealize Operations Manager in Region A.
Procedure
1 In a Web browser, log in to vCenter Server by using the vSphere Client.
Setting Value
URL https://sfo01m01vc01.sfo01.rainpole.local/ui
User name [email protected]
Password vsphere_admin_password
2 In the Networking and security inventory, click NSX Edges.
3 From the NSX Manager drop-down menu, select 172.16.11.65.
4 Click the ID of the sfo01m01lb01 edge services gateway to open its network settings.
5 Click the Configure tab and click Interfaces.
6 Select the OneArmLB interface and click Edit.
7 On the Basic tab, under Configure subnets, in the row for primary IP address 192.168.11.2, in the Secondary IP addresses cell, add the vRealize Operations Manager analytics cluster IP address, 192.168.11.30.
8 Click Save.
Create a Service Monitor for vRealize Operations Manager in Region A
The service monitor defines health check parameters for each member in the server pool.
Procedure
1 In a Web browser, log in to vCenter Server by using the vSphere Client.
Setting Value
URL https://sfo01m01vc01.sfo01.rainpole.local/ui
User name [email protected]
Password vsphere_admin_password
2 In the Networking and security inventory, click NSX Edges.
3 From the NSX Manager drop-down menu, select 172.16.11.65.
4 Click the ID of the sfo01m01lb01 edge services gateway to open its network settings.
5 Click the Load balancer tab and click Service monitoring.
6 Click Add, enter these values to configure the health check parameters, and click Add.
Setting Value
Name vrops-https-monitor
Interval 5
Timeout 16
Max retries 2
Type HTTPS
Expected -
Method GET
URL /suite-api/api/deployment/node/status?service=api&service=admin&service=ui
Receive ONLINE
Create a Server Pool for vRealize Operations Manager in Region A
A server pool consists of one or more servers that are configured and running the same application. After you create a server pool, you associate a service monitor with the pool to manage and share the back-end servers flexibly and efficiently.
You add the three vRealize Operations Manager analytics cluster nodes as members of the server pool.
Procedure
1 In a Web browser, log in to vCenter Server by using the vSphere Client.
Setting Value
URL https://sfo01m01vc01.sfo01.rainpole.local/ui
User name [email protected]
Password vsphere_admin_password
2 In the Networking and security inventory, click NSX Edges.
3 From the NSX Manager drop-down menu, select 172.16.11.65.
4 Click the ID of the sfo01m01lb01 edge services gateway to open its network settings.
5 Click the Load Balancer tab and click Pools.
6 Click Add and, on the General tab of the New pool dialog box, enter these values to configure the load-balancing profile.
Setting Value
Name vrops-server-pool
Description vRealize Operations Manager analytics cluster server pool
Algorithm LEASTCONN
Monitors vrops-https-monitor
IP filter Any
Transparent Turned off
7 Click the Members tab of the New pool dialog box.
8 To add each analytics cluster node to the pool, click Add, enter the values for the node, and click OK.
Setting Value for vrops01svr01a Value for vrops01svr01b Value for vrops01svr01c
Name vrops01svr01a vrops01svr01b vrops01svr01c
IP address 192.168.11.31 192.168.11.32 192.168.11.33
State Enabled Enabled Enabled
Port 443 443 443
Monitor Port 443 443 443
Weight 1 1 1
Max connections - - -
Min connections - - -
9 In the New pool dialog box, click Add.
Create the Application Profiles for vRealize Operations Manager in Region A
To define the behavior of a particular type of network traffic, you create an application profile. The virtual server then processes traffic according to the values specified in the profile. Using profiles enhances your control over managing network traffic, and makes traffic-management tasks easier and more efficient.
Procedure
1 In a Web browser, log in to vCenter Server by using the vSphere Client.
Setting Value
URL https://sfo01m01vc01.sfo01.rainpole.local/ui
User name [email protected]
Password vsphere_admin_password
2 In the Networking and security inventory, click NSX Edges.
3 From the NSX Manager drop-down menu, select 172.16.11.65.
4 Click the ID of the sfo01m01lb01 edge service gateway to open its network settings.
5 Click the Load balancer tab and click Application profiles.
6 To create each application profile, click Add and, on the General tab of the New application profile dialog box, enter the values for the profile and click Add.
Setting Value for vrops-https-app-profile Value for vrops-http-redirect
Application Profile Type SSL passthrough HTTP
Name vrops-https-app-profile vrops-http-redirect
HTTP Redirect URL - https://vrops01svr01.rainpole.local/vcops-web-ent/login.action
Persistence Source IP Source IP
Expires in (Seconds) 1800 1800
Insert X-Forwarded-For HTTP header Disabled Disabled
Create Virtual Servers for vRealize Operations in Region A
Create virtual servers for the configured server pool. When a virtual server receives a request, it selects the appropriate pool to which to send traffic. Each pool consists of one or more members.
Procedure
1 In a Web browser, log in to vCenter Server by using the vSphere Client.
Setting Value
URL https://sfo01m01vc01.sfo01.rainpole.local/ui
User name [email protected]
Password vsphere_admin_password
2 In the Networking and security inventory, click NSX Edges.
3 From the NSX Manager drop-down menu, select 172.16.11.65.
4 Click the ID of the sfo01m01lb01 edge service gateway to open its network settings.
5 Click the Load balancer tab and click Virtual servers.
6 To create each virtual server, click Add and, on the General tab, enter the values and click Add.
Setting Value for vrops-https Value for vrops-http-redirect
Virtual server Enabled Enabled
Acceleration Enabled Disabled
Application profile vrops-https-app-profile vrops-http-redirect
Name vrops-https vrops-http-redirect
Description vRealize Operations Manager analytics cluster UI vRealize Operations Manager analytics cluster HTTP to HTTPS Redirect
IP address 192.168.11.30 192.168.11.30
Protocol HTTPS HTTP
Port/Port range 443 80
Default pool vrops-server-pool None
Connection limit 0 0
Connection rate limit 0 0
Deploy vRealize Operations Manager in Region A
Deploy the vRealize Operations Manager analytics cluster nodes and the remote collector nodes by using vRealize Suite Lifecycle Manager.
Procedure
1 Prerequisites for Deploying vRealize Operations Manager in Region A
Before you deploy vRealize Operations Manager, verify that your environment fulfills the requirements for this deployment.
2 Add the vRealize Operations Manager Multi-SAN Certificate to vRealize Suite Lifecycle Manager
To enable vRealize Suite Lifecycle Manager to deploy vRealize Operations Manager, you must add the vRealize Operations Manager SSL certificate to the vRealize Suite Lifecycle Manager Locker.
3 Add the vRealize Operations Manager Password to vRealize Suite Lifecycle Manager
To enable vRealize Suite Lifecycle Manager to deploy vRealize Operations Manager, you must add the vRealize Operations Manager password to the vRealize Suite Lifecycle Manager Locker.
4 Create the Cross-Region Environment in vRealize Suite Lifecycle Manager in Region A
Before you deploy vRealize Operations Manager by using vRealize Suite Lifecycle Manager, you create a cross-region environment in vRealize Suite Lifecycle Manager. You configure network, storage, and other environment parameters required for the deployment.
5 Deploy vRealize Operations Manager Using vRealize Suite Lifecycle Manager in Region A
In the vRealize Suite Lifecycle Manager Create environment wizard, after the environment configuration, you configure the deployment details for vRealize Operations Manager. You configure advanced settings for the required VMs that are part of the vRealize Operations Manager deployment.
Prerequisites for Deploying vRealize Operations Manager in Region A
Before you deploy vRealize Operations Manager, verify that your environment fulfills the requirements for this deployment.
Verify that your environment fulfills the prerequisites for the deployment of vRealize Operations Manager.
Prerequisite Value
Storage
- Virtual disk provisioning: Thin
- Required storage per analytics cluster node.
- Initial storage for the analytics cluster node: 274 GB
- Additional storage for monitoring data per analytics cluster node: 1 TB
Software Features
- Verify that vCenter Server is operational.
- Verify that the vSphere cluster has vSphere DRS and HA enabled.
- Verify that the NSX Manager is operational.
- Verify that the application virtual networks are available.
- Verify that the Postman application is installed.
- Verify that the load balancer service is enabled on the NSX Edge service gateway.
- Verify that vRealize Suite Lifecycle Manager is operational and data collection from the Management vCenter Server instance has run successfully.
- Verify that static IP addresses and FQDNs for the application virtual networks are available for the vRealize Operations Manager deployment. See Host Names and IP Addresses for vRealize Suite 2019 and Workspace ONE Access.
Installation Package
- Download the .pak file for the vRealize Operations Manager Management Pack for NSX for vSphere from VMware Solutions Exchange.
- Download the .pak file for the vRealize Operations Manager Management Pack for Storage Devices from VMware Solutions Exchange.
- Download the .pak file for the vRealize Operations Management Pack for VMware Identity Manager from VMware Solutions Exchange.
License
Verify that you obtained the vRealize Suite or vCloud Suite license with a quantity that fulfills the requirements of this design.
Workspace ONE Access
- Verify that required Active Directory users are synchronized to the cross-region Workspace ONE Access. See Active Directory User Accounts.
- Verify that required Active Directory security groups are synchronized to the cross-region Workspace ONE Access. See Active Directory Groups.
Certificate Authority
Verify that you have a valid SSL certificate. You can generate the certificate using the CertGenVVD utility. See Certificate Generation Utility for VMware Validated Design for Software-Defined Data Center 6.x (78246).
External Services
- Verify that you have access to an SMTP server.
- Verify that SNMP is enabled in your network environment, to monitor network devices.
- Verify that Link Layer Discovery Protocol (LLDP) or Cisco Discovery Protocol (CDP) is enabled on each network device for complete monitoring of your environment.
- Verify that central NTP services are available.
- Verify that all DNS addresses resolve both forward and reverse.
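The forward and reverse DNS prerequisite can be checked before the deployment starts, because certificate validation and the load balancer redirect both depend on these names. The following Python check is an added example, not part of the VMware document; the host plan is taken from the node, load balancer, and network tables on this page, and the function names are illustrative.

```python
"""Added example: forward/reverse DNS and subnet check for the vRealize Operations hosts."""
import ipaddress
import socket
import sys

# Gateway and netmask of the two application virtual networks used on this page.
XREGION = ("192.168.11.1", "255.255.255.0")
REGION_A = ("192.168.31.1", "255.255.255.0")

# (FQDN, IP address, gateway, netmask) from this page's node and load balancer tables.
HOST_PLAN = [
    ("vrops01svr01.rainpole.local", "192.168.11.30", *XREGION),   # load balancer VIP
    ("vrops01svr01a.rainpole.local", "192.168.11.31", *XREGION),
    ("vrops01svr01b.rainpole.local", "192.168.11.32", *XREGION),
    ("vrops01svr01c.rainpole.local", "192.168.11.33", *XREGION),
    ("sfo01vropsc01a.sfo01.rainpole.local", "192.168.31.31", *REGION_A),
    ("sfo01vropsc01b.sfo01.rainpole.local", "192.168.31.32", *REGION_A),
]


def system_forward(fqdn):
    """Return the set of IPv4 addresses the system resolver gives for fqdn."""
    try:
        return set(socket.gethostbyname_ex(fqdn)[2])
    except OSError:          # covers socket.gaierror and socket.herror
        return set()


def system_reverse(ip):
    """Return the names (primary name and aliases) the PTR lookup gives for ip."""
    try:
        name, aliases, _ = socket.gethostbyaddr(ip)
    except OSError:
        return set()
    return {name, *aliases}


def _norm(name):
    """DNS names compare case-insensitively and may carry a trailing dot."""
    return name.rstrip(".").lower()


def check_host(fqdn, ip, gateway, netmask,
               forward=system_forward, reverse=system_reverse):
    """Return a list of findings for one host; an empty list means it is consistent."""
    findings = []
    net = ipaddress.ip_network(f"{gateway}/{netmask}", strict=False)
    if ipaddress.ip_address(ip) not in net:
        findings.append(f"{ip} is outside {net}")
    addresses = forward(fqdn)
    if not addresses:
        findings.append(f"no A record for {fqdn}")
    elif addresses != {ip}:
        findings.append(f"{fqdn} resolves to {sorted(addresses)}, expected only {ip}")
    names = {_norm(n) for n in reverse(ip)}
    if not names:
        findings.append(f"no PTR record for {ip}")
    elif _norm(fqdn) not in names:
        findings.append(f"{ip} reverses to {sorted(names)}, expected {fqdn}")
    return findings


def check_plan(plan=HOST_PLAN, forward=system_forward, reverse=system_reverse):
    """Check every planned host and return {fqdn: findings} for hosts with problems."""
    report = {}
    for fqdn, ip, gateway, netmask in plan:
        findings = check_host(fqdn, ip, gateway, netmask, forward, reverse)
        if findings:
            report[fqdn] = findings
    return report


if __name__ == "__main__":
    problems = check_plan()
    for host, findings in problems.items():
        for finding in findings:
            print(f"{host}: {finding}")
    sys.exit(1 if problems else 0)
```

Run it from a host that uses the same DNS servers as the deployment (172.16.11.4 and 172.16.11.5 on this page); a non-zero exit status means at least one record is missing or inconsistent.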
Add the vRealize Operations Manager Multi-SAN Certificate to vRealize Suite Lifecycle Manager
To enable vRealize Suite Lifecycle Manager to deploy vRealize Operations Manager, you must add the vRealize Operations Manager SSL certificate to the vRealize Suite Lifecycle Manager Locker.
Procedure
1 In a Web browser, log in to vRealize Suite Lifecycle Manager by using the administration interface.
Setting Value
URL https://vrslcm01svr01.rainpole.local
User name admin@local
Password vrslcm_admin_password
2 On the My services page, click Locker.
3 On the Certificate page, click Import, enter these values, and click Import.
Setting Value
Name vrops01svr01-certificate
Pass phrase PEM_pass_phrase
Select certificate file Navigate to the vRealize Operations Manager certificate PEM file, vrops01svr01.2.chain.pem.
Add the vRealize Operations Manager Password to vRealize Suite Lifecycle Manager
To enable vRealize Suite Lifecycle Manager to deploy vRealize Operations Manager, you must add the vRealize Operations Manager password to the vRealize Suite Lifecycle Manager Locker.
Procedure
1 In a Web browser, log in to vRealize Suite Lifecycle Manager by using the administration interface.
Setting Value
URL https://vrslcm01svr01.rainpole.local
User name admin@local
Password vrslcm_admin_password
2 On the My services page, click Locker.
3 In the navigation pane, click Password.
4 Click Add, enter these values, and click Add.
Setting Value
Password alias xregion-vrops-root
Password xregion-vrops-root_password
Confirm password xregion-vrops-root_password
Password description Cross-region vRealize Operations Manager root user
User name root
Create the Cross-Region Environment in vRealize Suite Lifecycle Manager in Region A
Before you deploy vRealize Operations Manager by using vRealize Suite Lifecycle Manager, you create a cross-region environment in vRealize Suite Lifecycle Manager. You configure network, storage, and other environment parameters required for the deployment.
Procedure
1 In a Web browser, log in to vRealize Suite Lifecycle Manager by using the administration interface.
Setting Value
URL https://vrslcm01svr01.rainpole.local
User name admin@local
Password vrslcm_admin_password
2 On the My services page, click Lifecycle operations.
3 On the Dashboard page, click Create environment, enter these values, and click Next.
Setting Value
Environment name Cross-Region-Env
Administrator email xregion-env-admin_email
Default password Click Select default password and select xregion-env-admin.
Select datacenter cross-region-dc
JSON configuration Disabled
Join the VMware customer experience improvement program Selected
4 On the Select product page, select the check box for vRealize Operations, configure these values, and click Next.
Setting Value
Installation type New install
Version 8.1.0
Deployment type Medium
Node count 3
Enable HA Enabled
5 On the End user license agreement page, read the EULA, select the I agree to the terms and conditions check box, and click Next.
6 On the License page, add or select the vRealize Suite license.
- To select a license by using the My VMware product entitlement, click Select, select the license, and click Update.
- To add the license manually, click Add, enter the vRealize Suite or vCloud Suite License alias and key, click Validate, and then click Add.
7 To validate the license, click Validate association and click Next.
8 On the Certificate page, from the Select certificate drop-down menu, select the vRealize Operations Manager certificate and click Next.
9 On the Infrastructure page, enter these values, and click Next.
Setting Value
Select vCenter Server sfo01m01vc01.sfo01.rainpole.local
Select cluster sfo01-m01dc#sfo01-m01-mgmt01
Select folder sfo01-m01fd-vrops
Select resource pool sfo01-m01-sddc-mgmt
Select network Distributed port group that ends with Mgmt-xRegion01-VXLAN.
Select datastore sfo01-m01-vsan01
Select disk mode Thin
Integrate with Identity Manager Enabled
10 On the Network page, enter these values and click Next.
Setting Value
Default gateway 192.168.11.1
Netmask 255.255.255.0
Domain name rainpole.local
Domain search path rainpole.local,sfo01.rainpole.local
DNS servers Click Edit server selection, select 172.16.11.4 and 172.16.11.5, and click Next and Finish.
Time sync mode Use NTP Server
NTP servers Click Edit server selection, select ntp.sfo01.rainpole.local, click Next and Finish.
Results
You are redirected to the Products page of the Create Environment wizard to deploy vRealize Operations Manager.
Deploy vRealize Operations Manager Using vRealize Suite Lifecycle Manager in Region A
In the vRealize Suite Lifecycle Manager Create environment wizard, after the environment configuration, you configure the deployment details for vRealize Operations Manager. You configure advanced settings for the required VMs that are part of the vRealize Operations Manager deployment.
Procedure
1 On the Products page of the Create environment wizard, under Install vRealize Operations, in the Product properties panel, enter these values.
Setting Value
Disable TLS version TLSv1,TLSv1.1
Certificate vrops01svr01-certificate
Anti-affinity / affinity rule Deselected
Product password xregion-vrops-root
Integrate with Identity Manager Selected
Time sync mode Use NTP Server
NTP servers ntp.sfo01.rainpole.local
2 Add the nodes for the vRealize Operations Manager deployment configuration.
a In the Components panel, click the Add component icon and select Remote collector.
b Repeat Step 2.a to add the second Remote collector node.
3 Configure the vRealize Operations Manager primary node.
a In the master panel, enter these values and click the Advanced Settings icon.
Setting Value
VM name vrops01svr01a
FQDN vrops01svr01a.rainpole.local
IP address 192.168.11.31
b On the Advanced configuration page, enter these values and click Save.
Setting Value
Storage extension
Extended storage sfo01-m01-vsan01
Default properties
Time zone UTC
4 Configure the vRealize Operations Manager replica node.
a In the replica panel, enter these values and click the Advanced settings icon.
Setting Value
VM name vrops01svr01b
FQDN vrops01svr01b.rainpole.local
IP address 192.168.11.32
b On the Advanced configuration page, enter these values and click Save.
Setting Value
Storage extension
Extended storage sfo01-m01-vsan01
Default properties
Time zone UTC
5 Configure the vRealize Operations Manager data node.
a In the data panel, enter these values and click the Advanced settings icon.
Setting Value
VM name vrops01svr01c
FQDN vrops01svr01c.rainpole.local
IP address 192.168.11.33
b On the Advanced configuration page, enter these values and click Save.
Setting Value
Storage extension
Extended storage sfo01-m01-vsan01
Default properties
Time zone UTC
6 Configure the vRealize Operations Manager vrops-remotecollector node.
a In the vrops-remotecollector panel, enter these values and click the Advanced settings icon.
Setting Value
VM name sfo01vropsc01a
FQDN sfo01vropsc01a.sfo01.rainpole.local
IP address 192.168.31.31
Node size Standard
b On the Advanced configuration page, enter these values and click Save.
Setting Value
Infrastructure
Select vCenter Server sfo01m01vc01.sfo01.rainpole.local
Select cluster sfo01-m01dc#sfo01-m01-mgmt01
Select folder sfo01-m01fd-vropsrc
Select resource pool sfo01-m01-sddc-mgmt
Select network Distributed port group that ends with Mgmt-RegionA01-VXLAN
Select datastore sfo01-m01-vsan01
Network
Gateway 192.168.31.1
Domain sfo01.rainpole.local
DNS search domain sfo01.rainpole.local,rainpole.local
DNS 172.16.11.5,172.16.11.4
Netmask 255.255.255.0
NTP Settings
NTP Click Edit server selection, select ntp.sfo01.rainpole.local, click Next and Finish.
Default properties
Time zone UTC
7 Configure the vRealize Operations Manager vrops-remotecollector-2 node.
a In the vrops-remotecollector-2 panel, enter these values and click the Advanced settings icon.
Setting Value
VM name sfo01vropsc01b
FQDN sfo01vropsc01b.sfo01.rainpole.local
IP address 192.168.31.32
Node size Standard
b On the Advanced configuration page, enter these values and click Save.
Setting Value
Infrastructure
Select vCenter Server sfo01m01vc01.sfo01.rainpole.local
Select cluster sfo01-m01dc#sfo01-m01-mgmt01
Select folder sfo01-m01fd-vropsrc
Select resource pool sfo01-m01-sddc-mgmt
Select network Distributed port group that ends with Mgmt-RegionA01-VXLAN
Select datastore sfo01-m01-vsan01
Network
Gateway 192.168.31.1
Domain sfo01.rainpole.local
DNS search domain sfo01.rainpole.local,rainpole.local
DNS 172.16.11.5,172.16.11.4
Netmask 255.255.255.0
NTP Settings
NTP Click Edit server selection, select ntp.sfo01.rainpole.local, click Next and Finish.
Default properties
Time zone UTC
8 On the Products page, click Next.
9 On the Precheck page, click Run precheck.
10 Wait for all Pre validation successful messages and click Next.
11 On the Summary page, review the configuration details.
12 (Optional) To back up the deployment configuration, click Export configuration.
13 Click Submit to start the deployment.
The Request details page displays the progress of deployment.
14 Monitor the steps of the deployment graph until all stages are marked as COMPLETED.
Update vRealize Operations Manager Authentication Source
To ensure that users are redirected to the load balancer address when authenticating to vRealize Operations Manager with a cross-region Workspace ONE Access user account, you update the vRealize Operations Manager authentication source. You set the redirect FQDN to the load balancer VIP FQDN and rename the authentication source.
Procedure
1 In a Web browser, log in to the vRealize Operations Manager by using the operations interface.
Settings Value
URL https://vrops01svr01.rainpole.local
User name admin
Password vrops_admin_password
2 On the main navigation bar, click Administration.
3 In the left pane, select Access > Authentication sources.
4 On the Authentication sources page, click the vIDMAuthSource vertical ellipsis and click Edit.
5 In the Edit source for user and group import dialog box, rename the source name and configure these values.
Setting Value
Source display name WorkspaceONE
Username configadmin
Password wsa01svr01_configadmin_password
Redirect FQDN/IP vrops01svr01.rainpole.local
6 Click Test.
7 In the Info dialog box, click OK.
8 In the Edit source for user and group import dialog box, click OK.
Configure vSphere DRS Anti-Affinity Rules for vRealize Operations Manager in Region A
To protect the vRealize Operations Manager virtual machines from a host-level failure, configure vSphere DRS to run the virtual machines of the analytics cluster and the remote collectors on different hosts in the first cluster in the management domain.
Use two anti-affinity rules for the vRealize Operations Manager virtual machines. One anti-affinity rule is for the analytics nodes and another anti-affinity rule is for the remote collector nodes. This rule configuration also accommodates the case when you place a host from the management cluster in maintenance mode.
Table 5-1. Anti-Affinity Rules for vRealize Operations Manager
Rule Name Members Description
anti-affinity-rule-vropsm vrops01svr01a, vrops01svr01b, vrops01svr01c Anti-affinity rule for the analytics nodes.
anti-affinity-rule-vropsr sfo01vropsc01a, sfo01vropsc01b Anti-affinity rule for the remote collector nodes.
Procedure
1 In a Web browser, log in to vCenter Server by using the vSphere Client.
Setting Value
URL https://sfo01m01vc01.sfo01.rainpole.local/ui
User name [email protected]
Password vsphere_admin_password
2 In the Hosts and clusters inventory, expand the sfo01m01vc01.sfo01.rainpole.local tree and expand the sfo01-m01dc data center.
3 Select the sfo01-m01-mgmt01 cluster and click the Configure tab.
4 In the left pane, select Configuration > VM/Host rules.
5 Click Add VM/host rule, enter the values for the analytics cluster rule, and click OK.
Setting Value
Name anti-affinity-rule-vropsm
Enable rule Selected
Type Separate Virtual Machines
Members Click Add VM/host rule member, select the analytics cluster nodes, and click OK.
- vrops01svr01a
- vrops01svr01b
- vrops01svr01c
6 Repeat Step 5 for the remote collectors rule.
Create a VM Group and Define the Startup Order of the Analytics Cluster in Region A
VM groups allow you to define the startup order of virtual machines. The startup order you define ensures that vSphere HA powers on virtual machines in the correct order.
Procedure
1 In a Web browser, log in to vCenter Server by using the vSphere Client.
Setting Value
URL https://sfo01m01vc01.sfo01.rainpole.local/ui
User name [email protected]
Password vsphere_admin_password
2 In the Hosts and clusters inventory, expand the sfo01m01vc01.sfo01.rainpole.local tree and expand the sfo01-m01dc data center.
3 Select the sfo01-m01-mgmt01 cluster and click the Configure tab.
4 In the left pane, select Configuration > VM/Host groups.
5 Click Add VM/host group and enter these values.
Setting Value
Name vRealize Operations Manager Virtual Appliances
Type VM Group
Members Click Add VM/host group members, select the analytics cluster nodes, and click OK.
- vrops01svr01a
- vrops01svr01b
- vrops01svr01c
6 Click OK.
7 Create a rule to power on the cross-region Workspace ONE Access nodes before the vRealize Operations Manager nodes.
a Select the sfo01-m01-mgmt01 cluster and click the Configure tab.
b In the left pane, select Configuration > VM/Host rules.
c Click Add VM/host rule, enter these values, and click OK.
Setting Value
Name SDDC Cloud Operations
Enable rule Selected
Type Virtual Machines to Virtual Machines
The VM dependency restart condition must be met before continuing to
Cross-Region Workspace ONE Access Virtual Appliances
On restart for VM group vRealize Operations Manager Virtual Appliances
Group the Remote Collector Nodes in Region A
Join the remote collectors in a group for adapter resiliency in case the collector experiences network interruption or becomes unavailable.
Procedure
1 In a Web browser, log in to the vRealize Operations Manager by using the operations interface.
Settings Value
URL https://vrops01svr01.rainpole.local
User name admin
Password vrops_admin_password
2 On the main navigation bar, click Administration.
3 In the left pane, select Management > Collector groups.
4 Click Add, configure these settings, and click Save.
Setting Value
Name sfo01-remote-collectors
Description Remote collector group for sfo01
sfo01vropsc01a Selected
sfo01vropsc01b Selected
Results
In the vRealize Operations Manager user interface, the sfo01-remote-collectors group appears on the Collector groups page of the Administration view.
Configure User Access in vRealize Operations Manager in Region A
To enable enterprise users to log in with the required role-based access controls, you configure the enterprise identity source user groups that are synced in Workspace ONE Access for vRealize Operations Manager.
User Groups Role
[email protected] Administrator
[email protected] ContentAdmin
[email protected] ReadOnly
Procedure
1 In a Web browser, log in to the vRealize Operations Manager by using the operations interface.
Settings Value
URL https://vrops01svr01.rainpole.local
User name admin
Password vrops_admin_password
2 On the main navigation bar, click Administration.
3 In the left pane, select Access > Access control.
4 Click the User groups tab.
5 Click the horizontal ellipsis and click Import.
6 Import the [email protected] user group.
a From the Import from drop-down menu, select WorkspaceONE.
b In the Domain name text box, enter rainpole.local.
c In the Search prefix text box, enter [email protected] and click Search.
d Select [email protected] and click Next.
7 On the Roles and objects page, configure these values, and click Finish.
Setting Value
Select role Administrator
Assign this role to the group Selected
Allow access to all objects in the system Selected
8 To allow access to all objects in the system, in the confirmation dialog box, click Yes.
9 Repeat the steps to import and assign roles to the remaining user groups.
Configure User Access in vSphere for Integration with vRealize Operations Manager in Region A
Configure operations service accounts with the required permissions to enable vRealize Operations Manager access to monitoring data on the vCenter Server instances.
You associate the svc-vrops-solution service accounts in Active Directory with user roles that have certain privileges and you assign the users to the vCenter Server instances in the inventory by using global permissions.
Procedure
1 Define a User Role in vSphere for vCenter Adapters in vRealize Operations Manager in Region A
In vSphere, create a user role with the required privileges to query information from vCenter Server and receive metric data in vRealize Operations Manager. In vRealize Operations Manager, you can also run actions or tasks on the objects it manages in vCenter Server.
2 Define a User Role in vSphere for Storage Devices Adapters in vRealize Operations Manager in Region A
In vSphere, create a user role with privileges that are required for collecting data about storage devices in vRealize Operations Manager.
3 Configure User Privileges in vSphere for Integration with vRealize Operations Manager in Region A
Assign global permissions to the operations service accounts to access monitoring data from vCenter Server in vRealize Operations Manager.
Define a User Role in vSphere for vCenter Adapters in vRealize Operations Manager in Region A
In vSphere, create a user role with the required privileges to query information from vCenter Server and receive metric data in vRealize Operations Manager. In vRealize Operations Manager, you can also run actions or tasks on the objects it manages in vCenter Server.
Add the privileges to the role that are required for typical virtual machine life cycle operations, such as snapshot management and virtual machine resource configuration.
Procedure
1 In a Web browser, log in to vCenter Server by using the vSphere Client.
Setting Value
URL https://sfo01m01vc01.sfo01.rainpole.local/ui
User name [email protected]
Password vsphere_admin_password
2 Select Menu > Administration.
3 In the left pane, select Access control > Roles.
4 From the Roles provider drop-down menu, select sfo01m01vc01.sfo01.rainpole.local.
5 Create a role for collecting data from and performing actions on vCenter Server.
a Click the Create role action icon, configure these privileges, and click Next.
Category Privilege
Virtual machine Change Configuration.Change CPU count
Change Configuration.Change resource
Change Configuration.Change memory
Edit Inventory.Remove
Interaction.Power on
Interaction.Power off
Snapshot Management.Create snapshot
Snapshot Management.Remove snapshot
Resource Assign virtual machine to resource pool
Migrate powered off virtual machine
Migrate powered on virtual machine
Datastore Allocate space
b In the Role name text box, enter vRealize Operations to vSphere Integration (Actions) and click Finish.
This role inherits the System.Anonymous, System.View, and System.Read privileges.
The Management domain vCenter Server in Region A propagates the role to the other linked vCenter Server instances.
Define a User Role in vSphere for Storage Devices Adapters in vRealize Operations Manager in Region A
In vSphere, create a user role with privileges that are required for collecting data about storage devices in vRealize Operations Manager.
Procedure
1 In a Web browser, log in to vCenter Server by using the vSphere Client.
Setting Value
URL https://sfo01m01vc01.sfo01.rainpole.local/ui
User name [email protected]
Password vsphere_admin_password
2 Select Menu > Administration.
3 In the left pane, select Access control > Roles.
4 From the Roles provider drop-down menu, select sfo01m01vc01.sfo01.rainpole.local.
5 Create a role for collecting storage device data.
a Click the Create role action icon, configure these privileges, and click Next.
Category Privilege
Host CIM.CIM interaction
Configuration.Storage partition configuration
Profile-driven storage Profile-driven storage view
Storage views View
b In the Role name text box, enter vRealize Operations to vSphere Integration (Metrics) and click Finish.
This role inherits the System.Anonymous, System.View, and System.Read privileges.
The Management domain vCenter Server in Region A propagates the role to the other linked vCenter Server instances.
Configure User Privileges in vSphere for Integration with vRealize Operations Manager in Region A
Assign global permissions to the operations service accounts to access monitoring data from vCenter Server in vRealize Operations Manager.
- The svc-vrops-vsphere user has the privileges to collect data from and perform actions on vCenter Server from vRealize Operations Manager.
- The svc-vrops-nsx user has read-only access on all objects in vCenter Server.
- The svc-vrops-mpsd and svc-vrops-vsan users have privileges for access to storage device and vSAN information, respectively, in vRealize Operations Manager on all objects in vCenter Server.
You assign global permissions that are based on the following roles to these service accounts:
Service Account Role
[email protected] vRealize Operations to vSphere Integration (Actions)
[email protected] Read-only
[email protected] vRealize Operations to vSphere Integration (Metrics)
[email protected] vRealize Operations to vSphere Integration (Metrics)
Procedure
1 In a Web browser, log in to vCenter Server by using the vSphere Client.
Setting Value
URL https://sfo01m01vc01.sfo01.rainpole.local/ui
User name [email protected]
Password vsphere_admin_password
2 Select Menu > Administration.
3 In the left pane, select Access control > Global permissions.
4 Click the Add permission icon, enter these values, and click OK.
Setting Value
Domain rainpole.local
User / Group svc-vrops-vsphere
Role vRealize Operations to vSphere Integration (Actions)
Propagate to children Selected
5 Repeat the steps to assign global permissions to the remaining service accounts.
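The two custom roles and the global permissions above form a least-privilege baseline that can drift after deployment, for example when a privilege is added to a role during troubleshooting. The following Python audit is an added example, not VMware code: privilege names are the labels from this page's tables, and the input shape (a role-to-privileges mapping and a list of permission entries exported from vCenter Server) and the sample data are assumptions constructed for illustration.

```python
"""Added example: drift check for the service-account roles this page defines."""

ACTIONS = "vRealize Operations to vSphere Integration (Actions)"
METRICS = "vRealize Operations to vSphere Integration (Metrics)"

# Baseline copied from the two role tables on this page, as "Category / Privilege".
ROLE_BASELINE = {
    ACTIONS: {
        "Virtual machine / Change Configuration.Change CPU count",
        "Virtual machine / Change Configuration.Change resource",
        "Virtual machine / Change Configuration.Change memory",
        "Virtual machine / Edit Inventory.Remove",
        "Virtual machine / Interaction.Power on",
        "Virtual machine / Interaction.Power off",
        "Virtual machine / Snapshot Management.Create snapshot",
        "Virtual machine / Snapshot Management.Remove snapshot",
        "Resource / Assign virtual machine to resource pool",
        "Resource / Migrate powered off virtual machine",
        "Resource / Migrate powered on virtual machine",
        "Datastore / Allocate space",
    },
    METRICS: {
        "Host / CIM.CIM interaction",
        "Host / Configuration.Storage partition configuration",
        "Profile-driven storage / Profile-driven storage view",
        "Storage views / View",
    },
}
# Privileges every role inherits, as stated on this page.
INHERITED = {"System.Anonymous", "System.View", "System.Read"}

# Service account -> role, from the global permissions described on this page.
ACCOUNT_BASELINE = {
    "svc-vrops-vsphere": ACTIONS,
    "svc-vrops-nsx": "Read-only",
    "svc-vrops-mpsd": METRICS,
    "svc-vrops-vsan": METRICS,
}


def account_name(principal):
    """Reduce 'DOMAIN\\user' or 'user@domain' to the bare, lower-case user name."""
    name = principal.rsplit("\\", 1)[-1]
    return name.split("@", 1)[0].lower()


def audit_roles(actual_roles):
    """Compare exported role definitions with the baseline and list every difference."""
    findings = []
    for role, expected in ROLE_BASELINE.items():
        if role not in actual_roles:
            findings.append(f"role missing: {role}")
            continue
        actual = set(actual_roles[role]) - INHERITED
        for priv in sorted(actual - expected):
            findings.append(f"extra privilege in {role}: {priv}")
        for priv in sorted(expected - actual):
            findings.append(f"missing privilege in {role}: {priv}")
    return findings


def audit_permissions(permissions):
    """Check that each service account holds exactly its baseline role, propagated."""
    findings = []
    by_account = {}
    for entry in permissions:
        by_account.setdefault(account_name(entry["principal"]), []).append(entry)
    for account, role in ACCOUNT_BASELINE.items():
        entries = by_account.get(account, [])
        if not entries:
            findings.append(f"no global permission for {account}")
        for entry in entries:
            if entry["role"] != role:
                findings.append(f"{account} holds {entry['role']!r}, expected {role!r}")
            elif not entry.get("propagate", False):
                findings.append(f"{account}: Propagate to children is not selected")
    return findings


# Constructed sample export: one role has gained a privilege, one account is over-privileged.
SAMPLE_ROLES = {
    ACTIONS: ROLE_BASELINE[ACTIONS] | INHERITED
    | {"Virtual machine / Interaction.Console interaction"},
    METRICS: ROLE_BASELINE[METRICS] | INHERITED,
}
SAMPLE_PERMISSIONS = [
    {"principal": "svc-vrops-vsphere@rainpole.local", "role": ACTIONS, "propagate": True},
    {"principal": "RAINPOLE\\svc-vrops-nsx", "role": "Administrator", "propagate": True},
    {"principal": "svc-vrops-mpsd@rainpole.local", "role": METRICS, "propagate": False},
]

if __name__ == "__main__":
    for finding in audit_roles(SAMPLE_ROLES) + audit_permissions(SAMPLE_PERMISSIONS):
        print(finding)
```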
Add vCenter Server Cloud Accounts to vRealize Operations Manager in Region A
After you deploy the analytics cluster and the remote collector nodes of vRealize Operations Manager and start vRealize Operations Manager, create a vCenter Server cloud account for each vCenter Server instance in the region.
Procedure
1 In a Web browser, log in to the vRealize Operations Manager by using the operations interface.
Settings Value
URL https://vrops01svr01.rainpole.local
User name admin
Password vrops_admin_password
2 On the main navigation bar, click Administration.
3 In the left pane, select Solutions > Cloud accounts.
4 Click Add account, and click vCenter.
5 Enter the values for the Management domain vCenter Server.
Setting Value
Name vCenter Cloud Account - sfo01m01vc01
Description Management domain vCenter Server for sfo01
vCenter Server sfo01m01vc01.sfo01.rainpole.local
Credential Click the Add new icon, enter the following values, and click OK.
Credential name vCenter Cloud Account Credentials - sfo01m01vc01
User name [email protected]
Password svc-vrops-vsphere_password
Collector/Group sfo01-remote-collectors
6 Click Validate connection.
The vCenter Server certificate appears.
7 In the Review and accept certificate dialog box, verify the certificate information, and click Accept.
8 In the Info dialog box, click OK.
9 Leave the Operational actions set to Enable so that vCenter Adapter can run actions on objects in vCenter Server from vRealize Operations Manager.
10 Expand Advanced settings and configure the user account with administrator privileges to register vRealize Operations Manager with the vCenter Server instance.
Setting Value
Registration user [email protected]
Registration password vsphere_admin_password
11 Click Define monitoring goals.
12 Under Enable vSphere security configuration guide alerts?, select Yes, leave the default configuration for the other options, and click Save.
13 In the Success dialog box, click OK.
14 Click Add.
15 On the Cloud accounts page, verify that the collection status of the cloud account is OK.
16 Repeat the procedure for the Workload domain vCenter Server by using these values.
Setting Value
Name vCenter Cloud Account - sfo01w01vc01
Description Workload domain vCenter Server for sfo01
vCenter Server sfo01w01vc01.sfo01.rainpole.local
Credential Click the Add new icon, enter the following values, and click OK.
Credential name vCenter Cloud Account Credentials - sfo01w01vc01
User name [email protected]
Password svc-vrops-vsphere_password
Collector/Group sfo01-remote-collectors
17 If there are other workload domains that are added to the SDDC, repeat the procedure for each additional Workload domain vCenter Server.
Enable vSAN Monitoring in vRealize Operations Manager in Region A
Configure the vSAN adapter to collect monitoring data about vSAN usage in the SDDC.
Procedure
1 In a Web browser, log in to the vRealize Operations Manager by using the operations interface.
Settings Value
URL https://vrops01svr01.rainpole.local
User name admin
Password vrops_admin_password
2 On the main navigation bar, click Administration.
3 In the left pane, select Solutions > Cloud accounts.
4 Click the cloud account for the Management domain vCenter Server, vCenter Cloud Account - sfo01m01vc01.
5 Click the vSAN tab and turn on the vSAN Configuration toggle switch.
6 Select the Use alternate credentials check box.
7 To configure the credential, click the Add new icon, enter these values, and click OK.
Setting Value
Credential name vSAN Adapter Credentials - sfo01m01vc01
vCenter user name [email protected]
vCenter password svc-vrops-vsan_password
8 Click Validate connection.
9 In the Info dialog box, click OK.
10 Click Save.
11 On the Cloud accounts page, verify that the collection status of the cloud account is OK.
12 If you have a vSAN datastore configured in the Workload domain, repeat this procedure by clicking the vCenter Cloud Account - sfo01w01vc01 cloud account and adding the following credential.
Setting Value
Credential name vSAN Adapter Credentials - sfo01w01vc01
vCenter user name [email protected]
vCenter password svc-vrops-vsan_password
Connect vRealize Operations Manager to NSX Data Center for vSphere in Region A
Install and configure the vRealize Operations Management Pack for NSX for vSphere to monitor the NSX networking services deployed in the management domain and view the vSphere hosts in the NSX transport zones.
Install the vRealize Operations Manager Management Pack for NSX for vSphere in Region A
Install the .pak file of the management pack for NSX for vSphere to add the management pack as a solution to vRealize Operations Manager.
Procedure
1 In a Web browser, log in to the vRealize Operations Manager by using the operations interface.
Settings Value
URL https://vrops01svr01.rainpole.local
User name admin
Password vrops_admin_password
2 On the main navigation bar, click Administration.
3 In the left pane, select Solutions > Repository.
4 Under the Native management packs list, click Add/Upgrade.
5 On the Select a solution to install page, navigate to the .pak file of the vRealize Operations Manager Management Pack for NSX for vSphere and click Upload.
When the management pack file for NSX-vSphere is uploaded, you see details about the management pack.
6 When the upload finishes, click Next.
7 On the End user license agreement page, accept the license agreement and click Next.
The installation of the management pack starts. You see the progress on the Install solution page.
8 When the installation finishes, on the Install solution page, click Finish.
Results
The Management Pack for NSX-vSphere solution appears on the Repository page in the Other management packs list.
Configure User Privileges in NSX Manager for Integration with vRealize Operations Manager in Region A
Assign the permissions to the service account svc-vrops-nsx that are required to access monitoring data from the NSX Manager instance for the management domain in vRealize Operations Manager.
Procedure
1 In a Web browser, log in to vCenter Server by using the vSphere Client.
Setting Value
URL https://sfo01m01vc01.sfo01.rainpole.local/ui
User name [email protected]
Password vsphere_admin_password
2 In the VMs and templates inventory, expand the sfo01m01vc01.sfo01.rainpole.local tree and expand the sfo01-m01dc data center.
3 Expand Management VMs folder, right-click the NSX Manager virtual machine, sfo01m01nsx01, and select Open remote console.
4 At the command prompt, log in by using the following credentials.
Setting Value
User name admin
Password nsx_admin_password
5 Create the svc-vrops-nsx local service account on the NSX Manager instance.
a Run the command to switch to Privileged mode of NSX Manager.
enable
b When prompted, enter the admin password and press Enter.
c Switch to Configuration mode.
configure terminal
d Create the svc-vrops-nsx service account.
user svc-vrops-nsx password plaintext svc-vrops-nsx_password
e Assign the svc-vrops-nsx service account user access to NSX Manager from the vSphere Web Client.
user svc-vrops-nsx privilege web-interface
f Commit these updates to the NSX Manager.
write memory
g Exit Configuration mode.
exit
6 Assign the security_admin role to the svc-vrops-nsx service account.
a Log in to the host machine that has access to your data center.
b Run the Postman application and log in.
c In the request pane, provide the URL query for the Management domain NSX Manager.
Setting Value
HTTP request method POST
Request URL https://sfo01m01nsx01.sfo01.rainpole.local/api/2.0/services/usermgmt/role/svc-vrops-nsx?isCli=true
d On the Authorization tab, enter the authorization details.
Setting Value
Type Basic Auth
User name admin
Password nsx_admin_password
e On the Headers tab, enter the header details.
Setting Value
Key Content-Type
Key value text/xml
f On the Body tab, select the Raw radio-button, and from the Text drop-down menu, select XML (Application/XML).
g In the Body text box, enter the following request body and click Send.
<accessControlEntry>
  <role>security_admin</role>
  <resource>
    <resourceId>globalroot-0</resourceId>
  </resource>
</accessControlEntry>
The Status changes to 204 No Content.
7 If there are workload domains with NSX Data Center for vSphere that are added to the SDDC, repeat the procedure for each Workload domain NSX Manager.
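Step 6 can be scripted instead of sent from Postman, which helps when the procedure is repeated for each workload domain. The following is an added example, not part of the VMware procedure and not VMware code: it builds the same POST with the Python standard library, keeps TLS certificate verification on, and prompts for the admin password instead of storing it. The CA file name rainpole-root-ca.pem is an assumed placeholder.

```python
"""Added example: the role-assignment request from step 6 as a script."""
import base64
import getpass
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Values taken from the procedure above.
NSX_MANAGER = "sfo01m01nsx01.sfo01.rainpole.local"
SERVICE_ACCOUNT = "svc-vrops-nsx"
ROLE = "security_admin"
RESOURCE_ID = "globalroot-0"


def build_role_body(role=ROLE, resource_id=RESOURCE_ID):
    """Return the <accessControlEntry> request body as bytes."""
    ace = ET.Element("accessControlEntry")
    ET.SubElement(ace, "role").text = role
    resource = ET.SubElement(ace, "resource")
    ET.SubElement(resource, "resourceId").text = resource_id
    return ET.tostring(ace)


def build_role_request(host, user_id, admin_user, admin_password,
                       role=ROLE, resource_id=RESOURCE_ID):
    """Build, but do not send, the POST that assigns `role` to `user_id`."""
    # Percent-encode the account name so it cannot alter the URL path or query.
    path_user = urllib.parse.quote(user_id, safe="")
    url = f"https://{host}/api/2.0/services/usermgmt/role/{path_user}?isCli=true"
    token = base64.b64encode(f"{admin_user}:{admin_password}".encode("utf-8"))
    request = urllib.request.Request(
        url, data=build_role_body(role, resource_id), method="POST")
    request.add_header("Content-Type", "text/xml")
    request.add_header("Authorization", "Basic " + token.decode("ascii"))
    return request


def send_role_request(request, ca_file=None):
    """Send the request with certificate and host name verification enabled."""
    # create_default_context() verifies the server certificate and host name;
    # ca_file adds the CA that signed the NSX Manager certificate.
    context = ssl.create_default_context(cafile=ca_file)
    with urllib.request.urlopen(request, context=context, timeout=30) as response:
        # The procedure expects "204 No Content" on success.
        if response.status != 204:
            raise RuntimeError(f"expected 204 No Content, got {response.status}")
        return response.status


if __name__ == "__main__":
    # Prompt for the password so it is not kept in the script or shell history.
    password = getpass.getpass(f"Password for admin on {NSX_MANAGER}: ")
    req = build_role_request(NSX_MANAGER, SERVICE_ACCOUNT, "admin", password)
    # Assumed placeholder path to the CA certificate for the NSX Manager.
    print(send_role_request(req, ca_file="rainpole-root-ca.pem"))
```

For each additional workload domain NSX Manager, pass its host name to build_role_request in place of NSX_MANAGER.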
Enable NSX Data Center for vSphere Monitoring in vRealize Operations Manager in Region A
After you install the management pack and assign the permissions, configure an NSX-vSphere adapter for the NSX Manager instance for the management domain.
Procedure
1 In a Web browser, log in to the vRealize Operations Manager by using the operations interface.
Settings Value
URL https://vrops01svr01.rainpole.local
User name admin
Password vrops_admin_password
2 On the main navigation bar, click Administration.
3 In the left pane, select Solutions > Other accounts.
4 Click Add account and click NSX-vSphere adapter.
5 Enter the values for the NSX Manager instance for the management domain.
Setting Value
Name NSX-v Adapter - sfo01m01nsx01
Description Management Domain NSX-v Adapter for sfo01
NSX Manager host sfo01m01nsx01.sfo01.rainpole.local
VC host sfo01m01vc01.sfo01.rainpole.local
Enable Log Insight integration if configured false
Credential Click the Add new icon, enter the following values, and click OK.
Credential name NSX-v Adapter Credentials - sfo01m01nsx01
NSX Manager user name svc-vrops-nsx
NSX Manager password svc-vrops-nsx_password
vCenter user name [email protected]
vCenter password svc-vrops-nsx_password
Collector/Group sfo01-remote-collectors
6 Click Validate connection.
7 In the Info dialog box, click OK.
8 Click Add.
9 On the Other accounts page, verify that the collection status of the adapter is OK.
10 If there are workload domains with NSX Data Center for vSphere that are added to the SDDC, repeat the procedure for each Workload domain NSX Manager.
Enable NSX-T Data Center Monitoring in vRealize Operations Manager in Region A
Configure the vRealize Operations Management Pack for NSX-T to monitor the NSX-T networking services deployed in the workload domain and view the vSphere hosts in the NSX-T transport zones.
Procedure
1 In a Web browser, log in to the vRealize Operations Manager by using the operations interface.
Settings Value
URL https://vrops01svr01.rainpole.local
User name admin
Password vrops_admin_password
2 On the main navigation bar, click Administration.
3 In the left pane, select Solutions > Other accounts.
4 Click Add account and click NSX-T adapter.
5 Enter the values for the Workload domain NSX-T Manager.
Setting Value
Name NSX-T Adapter - sfo01w01nsx01
Description Workload Domain NSX-T Adapter for sfo01
Virtual IP / NSX-T Manager sfo01w01nsx01.sfo01.rainpole.local
Credential Click the Add new icon, enter the following values, and click OK.
Credential name NSX-T Adapter Credentials - sfo01w01nsx01
User name admin
Password nsx-t_admin_password
Collector/Group sfo01-remote-collectors
6 Click Validate connection.
7 In the Info dialog box, click OK.
8 Click Add.
9 On the Other accounts page, verify that the collection status of the adapter is OK.
10 If there are other workload domains with NSX-T Data Center that are added to the SDDC, repeat the procedure for each Workload domain NSX-T Manager.
Enable Storage Device Monitoring in vRealize Operations Manager in Region A
Install and configure the vRealize Operations Management Pack for Storage Devices to view the storage topology in the SDDC and to monitor the capacity and problems on storage components.
Procedure
1 Install the vRealize Operations Manager Management Pack for Storage Devices in Region A
Install the .pak file of the management pack for storage devices to add the management pack as a solution to vRealize Operations Manager.
2 Add Storage Devices Adapters in vRealize Operations Manager in Region A
After you install the management pack, configure a storage devices adapter to collect monitoring data about the storage devices in the SDDC. Each adapter communicates with a vCenter Server instance to retrieve data about the storage devices from the vCenter Server inventory.
Install the vRealize Operations Manager Management Pack for Storage Devices in Region A
Install the .pak file of the management pack for storage devices to add the management pack as a solution to vRealize Operations Manager.
Procedure
1 In a Web browser, log in to the vRealize Operations Manager by using the operations interface.
Settings Value
URL https://vrops01svr01.rainpole.local
User name admin
Password vrops_admin_password
2 On the main navigation bar, click Administration.
3 In the left pane, select Solutions > Repository.
4 Under the Native management packs list, click Add/Upgrade.
5 On the Select a solution to install page, navigate to the .pak file of the vRealize Operations Manager Management Pack for Storage Devices and click Upload.
When the Storage Devices management pack file is uploaded, you see details about the management pack.
6 When the upload finishes, click Next.
7 On the End user license agreement page, accept the license agreement and click Next.
The installation of the management pack starts. You see the progress on the Install solution page.
8 When the installation finishes, on the Install solution page, click Finish.
Results
The Management pack for storage devices solution appears on the Repository page in the Other management packs list.
Add Storage Devices Adapters in vRealize Operations Manager in Region A
After you install the management pack, configure a storage devices adapter to collect monitoring data about the storage devices in the SDDC. Each adapter communicates with a vCenter Server instance to retrieve data about the storage devices from the vCenter Server inventory.
Procedure
1 In a Web browser, log in to the vRealize Operations Manager by using the operations interface.
Settings Value
URL https://vrops01svr01.rainpole.local
User name admin
Password vrops_admin_password
2 On the main navigation bar, click Administration.
3 In the left pane, select Solutions > Other accounts.
4 Click Add account and click Physical storage devices adapter.
5 Enter the values for the connection to the Management domain vCenter Server.
Setting Value
Name Storage Devices Adapter - sfo01m01vc01
Description Storage Devices in Management Domain vCenter for sfo01
vCenter Server sfo01m01vc01.sfo01.rainpole.local
Credential Click the Add new icon, enter the following values, and click OK.
Credential name Storage Devices Credentials - sfo01m01vc01
vCenter user name [email protected]
vCenter password svc-vrops-mpsd_password
Collector/Group sfo01-remote-collectors
6 Click Validate connection.
The vCenter Server certificate appears.
7 In the Review and accept certificate dialog box, verify the vCenter Server certificate information, and click Accept.
8 In the Info dialog box, click OK.
9 Click Add.
10 On the Other accounts page, verify that the collection status of the account is OK.
11 Repeat this procedure for the Workload domain vCenter Server by entering these values.
Setting Value
Name Storage Devices Adapter - sfo01w01vc01
Description Storage Devices in Workload Domain vCenter for sfo01
vCenter Server sfo01w01vc01.sfo01.rainpole.local
Credential Click the Add new icon, enter the following values, and click OK.
Credential name Storage Devices Credentials - sfo01w01vc01
vCenter user name [email protected]
vCenter password svc-vrops-mpsd_password
Collector/Group sfo01-remote-collectors
12 If there are other workload domains that are added to the SDDC, repeat the procedure for each additional Workload domain vCenter Server.
Connect vRealize Operations Manager to the Workspace ONE Access Instances in Region A
Install and configure the vRealize Operations Management Pack for VMware Identity Manager to monitor Workspace ONE Access cluster nodes, certificates, storage space, database connections, RabbitMQ, and other resource kinds.
Procedure
1 Install the vRealize Operations Manager Management Pack for VMware Identity Manager in Region A
Install the .pak file of the management pack for VMware Identity Manager to add the management pack as a solution to vRealize Operations Manager.
2 Add VMware Identity Manager Adapter Instances to vRealize Operations Manager in Region A
After you install the management pack, configure a VMware Identity Manager Adapter for the region-specific and the cross-region Workspace ONE Access deployments.
Install the vRealize Operations Manager Management Pack for VMware Identity Manager in Region A
Install the .pak file of the management pack for VMware Identity Manager to add the management pack as a solution to vRealize Operations Manager.
Procedure
1 In a Web browser, log in to the vRealize Operations Manager by using the operations interface.
Settings Value
URL https://vrops01svr01.rainpole.local
User name admin
Password vrops_admin_password
2 On the main navigation bar, click Administration.
3 In the left pane, select Solutions > Repository.
4 Under the Native management packs list, click Add/Upgrade.
5 On the Select a solution to install page, navigate to the .pak file of the vRealize Operations Manager Management Pack for VMware Identity Manager and click Upload.
When the VMware Identity Manager management pack file is uploaded, you see details about the management pack.
6 When the upload finishes, click Next.
7 On the End user license agreement page, accept the license agreement and click Next.
The installation of the management pack starts. You see its progress on the Install solution page.
8 When the installation finishes, on the Install solution page, click Finish.
Results
The VMware identity manager management pack solution appears on the Repository page in the Other management packs list.
Add VMware Identity Manager Adapter Instances to vRealize Operations Manager in Region A
After you install the management pack, configure a VMware Identity Manager Adapter for the region-specific and the cross-region Workspace ONE Access deployments.
Procedure
1 In a Web browser, log in to the vRealize Operations Manager by using the operations interface.
Settings Value
URL https://vrops01svr01.rainpole.local
User name admin
Password vrops_admin_password
2 On the main navigation bar, click Administration.
3 In the left pane, select Solutions > Other accounts.
4 Click Add account and click VMware identity manager adapter.
5 Enter the values for the region-specific Workspace ONE Access instance.
Setting Value
Name Region-specific WSA Adapter - sfo01wsa01
Description WSA Adapter for sfo01
VIDM host sfo01wsa01.sfo01.rainpole.local
Credential Click the Add new icon, enter the following values, and click OK.
Credential name Region-specific WSA Adapter Credentials - sfo01wsa01
User name admin
Password sfo01wsa01_admin_password
Collector/Group sfo01-remote-collectors
6 Click Validate connection.
7 In the Info dialog box, click OK.
8 Click Add.
9 On the Other accounts page, verify that the collection status of the adapter is OK.
10 Repeat this procedure to create an adapter for the cross-region Workspace ONE Access deployment by using these values.
Setting Value
Name X-region WSA Adapter - wsa01svr01
Description WSA Adapter for X-Region
VIDM host wsa01svr01.rainpole.local
Credential Click the Add new icon, enter the following values, and click OK.
Credential name X-Region WSA Adapter Credentials - wsa01svr01
User name admin
Password wsa01svr01_admin_password
Collector/Group Default collector group
Set the Currency for Cost Calculation in vRealize Operations Manager
Set the currency used for cost calculations in vRealize Operations Manager.
Procedure
1 In a Web browser, log in to the vRealize Operations Manager by using the operations interface.
Settings Value
URL https://vrops01svr01.rainpole.local
User name admin
Password vrops_admin_password
2 On the main navigation bar, click Administration.
3 In the left pane, select Management > Global settings.
4 Set the currency for cost calculation.
a Select Currency and click the Edit icon.
b On the Set currency dialog box, select the target currency.
c At the bottom of the Set currency dialog box, select the I understand that once my currency is set it can NOT be changed again for this installation check box and click Set currency.
d In the Info dialog box, click OK.
Configure Email Alerts in vRealize Operations Manager in Region A
Configure email notifications in vRealize Operations Manager so that users and applications receive the administrative alerts from vRealize Operations Manager about certain situations in the data center.
Procedure
1 In a Web browser, log in to the vRealize Operations Manager by using the operations interface.
Settings Value
URL https://vrops01svr01.rainpole.local
User name admin
Password vrops_admin_password
2 On the main navigation bar, click Administration.
3 In the left pane, select Management > Outbound settings.
4 Click Add to create an outbound alert instance.
5 In the Add/Edit outbound instance dialog box, configure the settings for the Standard Email Plug-In.
Setting Value
Plugin type Standard Email Plugin
Instance name Alert Mail Relay
Use secure connection Selected
SMTP host FQDN_of_the_SMTP_server
SMTP port Server_port_for_SMTP_requests
Secure connection type TLS
Sender email address Address_that_appears_as_the_sender_of_the_email
Sender name Name_that_appears_as_the_sender_of_the_email
Receiver email address Address_that_appears_as_the_receiver_of_the_email
This address is used for testing purposes only and is not kept after the configuration.
6 Click Test to verify the connection with the SMTP server and click OK.
7 Click Save.
6 vRealize Log Insight Implementation in Region A
Deploy vRealize Log Insight in a cluster configuration of three nodes. This configuration is set up with an integrated load balancer and uses one primary and two worker nodes.
Procedure
1 Deploy vRealize Log Insight in Region A
Start the deployment of vRealize Log Insight in Region A by deploying the primary and worker nodes and forming the vRealize Log Insight cluster.
2 Integrate vRealize Log Insight with the Region-Specific Workspace ONE Access in Region A
To propagate user roles in vRealize Log Insight that are maintained centrally and are in line with the other solutions in the SDDC, configure vRealize Log Insight to use the region-specific Workspace ONE Access instance as an authentication source.
3 Connect vRealize Log Insight to the vSphere Environment in Region A
Start collecting log information about the ESXi and vCenter Server instances in the SDDC.
4 Connect vRealize Log Insight to vRealize Operations Manager in Region A
Connect vRealize Log Insight to vRealize Operations Manager so that you can use the Launch in Context functionality between the two applications to troubleshoot management nodes and vRealize Operations Manager by using dashboards and alerts in the vRealize Log Insight user interface.
5 Connect vRealize Log Insight to NSX Data Center for vSphere in Region A
Install and configure the vRealize Log Insight content pack for log visualization and alerting of the NSX Data Center for vSphere real-time operation. You can use the NSX-vSphere dashboards to monitor logs about installation and configuration, and about virtual networking services in the management and workload domains.
6 Connect vRealize Log Insight to NSX-T Data Center in Region A
If you deployed NSX-T Data Center in the workload domain, you connect vRealize Log Insight to the NSX-T Data Center components to start collecting log information.
7 Download the vRealize Log Insight Agent
You download the vRealize Log Insight agent so that you can later install it on the Workspace ONE Access nodes.
8 Install and Configure the vRealize Log Insight Agent on the Workspace ONE Access Nodes
Install and configure the vRealize Log Insight agent on each Workspace ONE Access node to send audit logs and system events to vRealize Log Insight.
9 Configure Log Forwarding for vRealize Suite Lifecycle Manager in Region A
You configure vRealize Suite Lifecycle Manager to forward logs to vRealize Log Insight.
10 Validate Log Forwarding for SDDC Manager in Region A
The VMware Cloud Foundation 3.10 bring-up process installs and configures the vRealize Log Insight agent in the SDDC Manager appliance. Validate that the vRealize Log Insight agent in the SDDC Manager appliance is configured to forward logs to the newly deployed vRealize Suite 2019 vRealize Log Insight.
11 Collect Operating System Logs from the Management Virtual Appliances in vRealize Log Insight in Region A
To visualize and analyze operating system logs from the management virtual appliances, you install and configure the vRealize Log Insight content packs for Linux. For the Workspace ONE Access appliance, you install and configure the general content pack for Linux. For the remaining management appliances, you install and configure the content pack that is designed for Photon OS.
12 Configure Log Retention and Archiving for vRealize Log Insight in Region A
Set the retention notification threshold to one week. Enable data archiving, so that you can manually archive logs for 90 days and selectively clean the datastore when free space is required.
Deploy vRealize Log Insight in Region A
Start the deployment of vRealize Log Insight in Region A by deploying the primary and worker nodes and forming the vRealize Log Insight cluster.
Procedure
1 Prerequisites for Deploying vRealize Log Insight in Region A
Before you use vRealize Suite Lifecycle Manager to deploy vRealize Log Insight, verify that your environment fulfills the requirements for this deployment.
2 Add the vRealize Log Insight Multi-SAN Certificate to vRealize Suite Lifecycle Manager
To enable vRealize Suite Lifecycle Manager to deploy vRealize Log Insight, you must first add the vRealize Log Insight SSL certificate to the vRealize Suite Lifecycle Manager Locker.
3 Add the vRealize Log Insight Password to vRealize Suite Lifecycle Manager
To enable vRealize Suite Lifecycle Manager to deploy vRealize Log Insight, you must add the vRealize Log Insight password to the vRealize Suite Lifecycle Manager Locker.
4 Deploy vRealize Log Insight Using vRealize Suite Lifecycle Manager in Region A
You first create a local environment in vRealize Suite Lifecycle Manager, then you deploy vRealize Log Insight by using vRealize Suite Lifecycle Manager.
5 Configure a vSphere DRS Anti-Affinity Rule for vRealize Log Insight
To protect the vRealize Log Insight virtual machines from a host-level failure, configure vSphere DRS to run the virtual machines on different hosts in the first cluster in the management domain.
6 Create a VM Group and Define the Startup Order of the vRealize Log Insight Cluster in Region A
VM groups allow you to define the startup order of virtual machines. The startup order you define ensures that vSphere HA powers on virtual machines in the correct order.
7 Configure SMTP for vRealize Log Insight in Region A
After the vRealize Log Insight cluster is successfully deployed, you configure the SMTP setting by using the vRealize Log Insight user interface.
8 Disable the SSL Connection Requirement in vRealize Log Insight in Region A
The syslog clients communicate by using the TCP protocol, therefore you must disable the SSL connection requirement in vRealize Log Insight.
Prerequisites for Deploying vRealize Log Insight in Region A
Before you use vRealize Suite Lifecycle Manager to deploy vRealize Log Insight, verify that your environment fulfills the requirements for this deployment.
Verify that your environment satisfies the following prerequisites for deploying vRealize Log Insight.
Prerequisite Value
Storage
- Virtual disk provisioning: Thin
- Required initial storage per node: 510 GB
- Required initial cluster storage for archiving: 400 GB
- Verify the following NFS datastore requirements:
  - Create an NFS share of 400 GB and export it as /sfo01vrli01_archive
  - Verify that the NFS server supports NFS v3.
  - Verify that the NFS partition allows read and write operations for guest accounts.
  - Verify that the mount does not require authentication.
  - Verify that the NFS share is directly accessible to vRealize Log Insight.
  - If using a Windows NFS server, allow unmapped user UNIX access (by UID/GID).
Software Features
- Verify that the vCenter Server instances are operational.
- Verify that the vSphere cluster has DRS and HA enabled.
- Verify that the NSX Manager is operational.
- Verify that vRealize Operations Manager is operational.
- Verify that the application virtual networks are available.
- Verify that the Postman application is installed.
- Verify that vRealize Suite Lifecycle Manager is operational and data collection from the Management vCenter Server instance has run successfully.
- Verify that static IP addresses and FQDNs for the application virtual networks are available for the vRealize Log Insight deployment. See Host Names and IP Addresses for vRealize Suite 2019 and Workspace ONE Access.
License Verify that you have obtained a vRealize Suite or vCloud Suite license with a quantity that fulfills the requirements of this design.
Workspace ONE Access
- Verify that required Active Directory users are synchronized to the region-specific Workspace ONE Access. See Active Directory User Accounts.
- Verify that required Active Directory security groups are synchronized to the region-specific Workspace ONE Access. See Active Directory Groups.
Active Directory Verify that you have parent and child Active Directory domain controllers configured with the role-specific SDDC users and groups for the rainpole.local domain.
Certificate Authority Verify that you have a valid SSL certificate. You can generate the certificate by using the CertGenVVD utility. See Certificate Generation Utility for VMware Validated Design for Software-Defined Data Center 6.x (78246).
Email account Provide an email account to send vRealize Log Insight notifications.
Add the vRealize Log Insight Multi-SAN Certificate to vRealize Suite Lifecycle Manager
To enable vRealize Suite Lifecycle Manager to deploy vRealize Log Insight, you must first add the vRealize Log Insight SSL certificate to the vRealize Suite Lifecycle Manager Locker.
Procedure
1 In a Web browser, log in to vRealize Suite Lifecycle Manager by using the administration interface.
Setting Value
URL https://vrslcm01svr01.rainpole.local
User name admin@local
Password vrslcm_admin_password
2 On the My services page, click Locker.
3 On the Certificate page, click Import, enter these values, and click Import.
Setting Value
Name sfo01vrli01-certificate
Pass phrase PEM_pass_phrase
Select certificate file Navigate to the vRealize Log Insight certificate PEM file, sfo01vrli01.2.chain.pem.
Add the vRealize Log Insight Password to vRealize Suite Lifecycle Manager
To enable vRealize Suite Lifecycle Manager to deploy vRealize Log Insight, you must add the vRealize Log Insight password to the vRealize Suite Lifecycle Manager Locker.
You add the password of the admin user to be used for deploying the vRealize Log Insight components in Region A.
Procedure
1 In a Web browser, log in to vRealize Suite Lifecycle Manager by using the administration interface.
Setting Value
URL https://vrslcm01svr01.rainpole.local
User name admin@local
Password vrslcm_admin_password
2 On the My services page, click Locker.
3 In the navigation, click Password.
4 On the Password page, click Add, enter these values, and click Add.
Setting Value
Password alias sfo01vrli01-admin
Password sfo01vrli01-admin_password
Confirm password sfo01vrli01-admin_password
Password description Log Insight Region A admin user
User name admin
Deploy vRealize Log Insight Using vRealize Suite Lifecycle Manager in Region A
You first create a local environment in vRealize Suite Lifecycle Manager, then you deploy vRealize Log Insight by using vRealize Suite Lifecycle Manager.
Procedure
1 In a Web browser, log in to vRealize Suite Lifecycle Manager by using the administration interface.
Setting Value
URL https://vrslcm01svr01.rainpole.local
User name admin@local
Password vrslcm_admin_password
2 On the My services page, click Lifecycle operations.
3 On the Dashboard page, click Create environment, enter these values, and click Next.
Setting Value
Environment name SFO-Region-Env
Administrator email sfo-vrli-admin_email
Default password Click Select default password and select the vRealize Log Insight password, sfo01vrli01-admin.
Select Datacenter sfo01-m01dc
Join the VMware customer experience improvement program Selected
4 On the Select Product page, select the check box for vRealize Log Insight, configure these values, and click Next.
Setting Value
Installation type New Install
Version 8.1.1
Deployment type Cluster
5 On the End user license agreement page, read the EULA, select the I agree to the terms and conditions check box, and click Next.
6 On the License page, add or select the vRealize Suite license.
- To select a license by using the My VMware product entitlement, click Select, select the license, and click Update.
- To add the license manually, click Add, enter the vRealize Suite or vCloud Suite License alias and key, click Validate, and then click Add.
7 To validate the license, click Validate association and click Next.
8 On the Certificate page, from the Select certificate drop-down menu, select the vRealize Log Insight certificate and click Next.
9 On the Infrastructure page, enter these values, and click Next.
Setting Value
Select vCenter Server sfo01m01vc01.sfo01.rainpole.local
Select cluster sfo01-m01dc#sfo01-m01-mgmt01
Select folder sfo01-m01fd-vrli
Select resource pool sfo01-m01-sddc-mgmt
Select network Distributed port group that ends with Mgmt-RegionA01-VXLAN.
Select datastore sfo01-m01-vsan01
Select disk mode Thin
Integrate with Identity Manager Deselected
Use content library Deselected
10 On the Network page, enter these values and click Next.
Setting Value
Default gateway 192.168.31.1
Netmask 255.255.255.0
Domain name sfo01.rainpole.local
Domain search path sfo01.rainpole.local,rainpole.local
DNS servers Click Edit server selection, select 172.16.11.5 and 172.16.11.4, and click Next. Change the server priority and click Finish.
Time sync mode Use NTP Server
NTP servers Click Edit server selection, select ntp.sfo01.rainpole.local, click Next and Finish.
11 In the Product properties panel, enter these values, leaving the other settings at their default values.
Setting Value
Node size Medium
Certificate sfo01vrli01-certificate
Configure cluster VIP Yes
Anti-affinity / affinity rule Deselected
Upgrade VM compatibility Deselected
Always use English Deselected
Product password sfo01vrli01-admin
Integrate with Identity Manager Deselected
Time sync mode Use NTP server
12 In the Cluster virtual IP panel, enter these values.
Option Value
FQDN sfo01vrli01.sfo01.rainpole.local
IP Address 192.168.31.10
13 In the vrli-master panel, enter the values for the primary node.
Setting Value
VM Name sfo01vrli01a
FQDN sfo01vrli01a.sfo01.rainpole.local
IP Address 192.168.31.11
14 In the vrli-worker-1 panel, enter these values.
Setting Value
VM Name sfo01vrli01b
FQDN sfo01vrli01b.sfo01.rainpole.local
IP Address 192.168.31.12
15 In the vrli-worker-2 panel, enter these values.
Setting Value
VM Name sfo01vrli01c
FQDN sfo01vrli01c.sfo01.rainpole.local
IP Address 192.168.31.13
16 On the Products page, click Next.
17 On the Precheck page, click Run precheck.
18 Wait for all Pre Validation successful messages and click Next.
19 On the Summary page, review the configuration details.
20 (Optional) To back up the deployment configuration, click Export configuration.
21 Click Submit to start the deployment.
The Request details page displays the progress of deployment.
22 Monitor the steps of the deployment graph until all stages are marked as COMPLETED.
Configure a vSphere DRS Anti-Affinity Rule for vRealize Log Insight
To protect the vRealize Log Insight virtual machines from a host-level failure, configure vSphere DRS to run the virtual machines on different hosts in the first cluster in the management domain.
Use an anti-affinity rule for the vRealize Log Insight virtual machines. This rule configuration accommodates the case when you place a host from the management cluster in maintenance mode.
Procedure
1 In a Web browser, log in to vCenter Server by using the vSphere Client.
Setting Value
URL https://sfo01m01vc01.sfo01.rainpole.local/ui
User name [email protected]
Password vsphere_admin_password
2 In the Hosts and clusters inventory, expand the sfo01m01vc01.sfo01.rainpole.local tree and expand the sfo01-m01dc data center.
3 Select the sfo01-m01-mgmt01 cluster and click the Configure tab.
4 In the left pane, select Configuration > VM/Host rules.
5 Click Add VM/host rule, enter the values for the anti-affinity rule, and click OK.
Setting Value
Name anti-affinity-rule-vrli
Enable rule Selected
Type Separate Virtual Machines
Members Click Add VM/host rule member, select the vRealize Log Insight nodes, and click OK.
- sfo01vrli01a
- sfo01vrli01b
- sfo01vrli01c
Create a VM Group and Define the Startup Order of the vRealize Log Insight Cluster in Region A
VM groups allow you to define the startup order of virtual machines. The startup order you define ensures that vSphere HA powers on virtual machines in the correct order.
Procedure
1 In a Web browser, log in to vCenter Server by using the vSphere Client.
Setting Value
URL https://sfo01m01vc01.sfo01.rainpole.local/ui
User name [email protected]
Password vsphere_admin_password
2 In the Hosts and clusters inventory, expand the sfo01m01vc01.sfo01.rainpole.local tree and expand the sfo01-m01dc data center.
3 Select the sfo01-m01-mgmt01 cluster and click the Configure tab.
4 In the left pane, select Configuration > VM/Host groups.
5 Click Add VM/host group and enter these values.
Setting Value
Name vRealize Log Insight Virtual Appliances
Type VM Group
Members Click Add VM/host group members, select the vRealize Log Insight nodes, and click OK.
- sfo01vrli01a
- sfo01vrli01b
- sfo01vrli01c
6 Click OK.
7 On the VM/host groups page, click Add VM/host group again and enter these values.
Setting Value
Name Region-specific Workspace ONE Access Virtual Appliances
Type VM Group
Members Click Add VM/host group members, select the region-specific Workspace ONE Access node, sfo01wsa01, and click OK.
8 Click OK.
9 Create a rule to power on the region-specific Workspace ONE Access node before the vRealize Log Insight nodes.
a Select the sfo01-m01-mgmt01 cluster and click the Configure tab.
b In the left pane, select Configuration > VM/Host rules.
c Click Add VM/host rule, enter these values, and click OK.
Setting Value
Name SDDC Cloud Logging
Enable rule Selected
Type Virtual Machines to Virtual Machines
The VM dependency restart condition must be met before continuing to
region-specific Workspace ONE Access Virtual Appliances
On restart for VM group vRealize Log Insight Virtual Appliances
Configure SMTP for vRealize Log Insight in Region A
After the vRealize Log Insight cluster is successfully deployed, you configure the SMTP setting by using the vRealize Log Insight user interface.
Procedure
1 In a Web browser, log in to vRealize Log Insight by using the user interface.
Setting Value
URL https://sfo01vrli01.sfo01.rainpole.local
User name admin
Password vrli_admin_password
2 In the vRealize Log Insight user interface, click Administration.
3 In the left navigation pane, under Configuration, click SMTP and enter these values.
Settings Values
SMTP server FQDN_of_the_SMTP_server
Port Server_port_for_SMTP_requests
SSL(SMTPS) Enable or disable encryption for the SMTP transport option connection.
STARTTLS encryption Enable or disable the STARTTLS encryption.
Sender Address_for_the_email_sender
User name User_name_on_the_SMTP_server
Password Password_for_the_SMTP_user_name
4 To verify that the SMTP configuration is correct, enter a valid email address and click Send test email.
vRealize Log Insight sends a test email to the address that you provided.
5 Click Save.
Disable the SSL Connection Requirement in vRealize Log Insight in Region A
Because the syslog clients communicate by using the TCP protocol, you must disable the SSL connection requirement in vRealize Log Insight.
Procedure
1 In a Web browser, log in to vRealize Log Insight by using the user interface.
Setting Value
URL https://sfo01vrli01.sfo01.rainpole.local
User name admin
Password vrli_admin_password
2 In the vRealize Log Insight user interface, click Administration.
3 In the left navigation pane, under Configuration, click SSL.
4 Turn off the Require SSL Connection toggle.
5 Click Save.
Integrate vRealize Log Insight with the Region-Specific Workspace ONE Access in Region A
To propagate user roles in vRealize Log Insight that are maintained centrally and are in line with the other solutions in the SDDC, configure vRealize Log Insight to use the region-specific Workspace ONE Access instance as an authentication source.
Procedure
1 Enable Region-Specific Workspace ONE Access Integration with vRealize Log Insight in Region A
Configure vRealize Log Insight integration with the region-specific Workspace ONE Access instance.
2 Configure Identity and Access Management for vRealize Log Insight in Region A
Configure enterprise identity source user groups in vRealize Log Insight to enable enterprise users to log in with the required role-based access control.
Enable Region-Specific Workspace ONE Access Integration with vRealize Log Insight in Region A
Configure vRealize Log Insight integration with the region-specific Workspace ONE Access instance.
Procedure
1 In a Web browser, log in to vRealize Log Insight by using the user interface.
Setting Value
URL https://sfo01vrli01.sfo01.rainpole.local
User name admin
Password vrli_admin_password
2 In the vRealize Log Insight user interface, click Administration.
3 In the left navigation pane, under Configuration, click Authentication.
4 On the Authentication configuration page, click the VMware Identity Manager tab.
5 Configure the region-specific Workspace ONE Access connection settings.
Setting Value
Enable Single Sign-On Turned on
Host sfo01wsa01.sfo01.rainpole.local
API port 443
Username admin
Password sfo01wsa01_admin_password
Redirect URL host sfo01vrli01.sfo01.rainpole.local
Allow Active Directory users login Disabled
6 To verify the connection, click Test connection.
7 On the Untrusted SSL certificate dialog box, click Accept.
8 On the Authentication configuration page, click Save.
Configure Identity and Access Management for vRealize Log Insight in Region A
Configure enterprise identity source user groups in vRealize Log Insight to enable enterprise users to log in with the required role-based access control.
Table 6-1. Groups and Roles in vRealize Log Insight
Group Role
ug-vrli-admins Super Admin
ug-vrli-users User
ug-vrli-viewers View Only Admin
Procedure
1 In a Web browser, log in to vRealize Log Insight by using the user interface.
Setting Value
URL https://sfo01vrli01.sfo01.rainpole.local
User name admin
Password vrli_admin_password
2 In the vRealize Log Insight user interface, click Administration.
3 In the left navigation pane, under Management, click Access control.
4 On the Access control page, click the Users and groups tab.
5 Under Directory groups, click New group.
6 Configure the vRealize Log Insight role for the ug-vrli-admins group, and click Save.
Setting Value
Domain rainpole.local
Name Enter ug-vrli-admins and, from the drop-down list, select [email protected].
Roles Super Admin
7 Repeat these steps for the remaining groups.
Connect vRealize Log Insight to the vSphere Environment in Region A
Start collecting log information about the ESXi and vCenter Server instances in the SDDC.
Procedure
1 Configure User Privileges in vSphere for Integration with vRealize Log Insight in Region A
Assign global permissions to the svc-vrli-vsphere service account to collect log information from the vCenter Server instances and ESXi hosts with vRealize Log Insight. The svc-vrli-vsphere user account is dedicated to collecting log information from vCenter Server and ESXi.
2 Connect vRealize Log Insight to vSphere in Region A
After you configure the svc-vrli-vsphere user with the vSphere privileges that are necessary for retrieving log information from the vCenter Server instances and ESXi hosts, connect vRealize Log Insight to vSphere by using the vRealize Log Insight user interface.
3 Configure vCenter Server to Forward Log Events to vRealize Log Insight in Region A
Configure each vCenter Server instance to forward system logs and events to vRealize Log Insight. After that, you can view and analyze all syslog information in the vRealize Log Insight user interface.
Configure User Privileges in vSphere for Integration with vRealize Log Insight in Region A
Assign global permissions to the svc-vrli-vsphere service account to collect log information from the vCenter Server instances and ESXi hosts with vRealize Log Insight. The svc-vrli-vsphere user account is dedicated to collecting log information from vCenter Server and ESXi.
Procedure
1 In a Web browser, log in to vCenter Server by using the vSphere Client.
Setting Value
URL https://sfo01m01vc01.sfo01.rainpole.local/ui
User name [email protected]
Password vsphere_admin_password
2 Select Menu > Administration.
3 In the left pane, select Access control > Roles.
4 From the Roles provider drop-down menu, select sfo01m01vc01.sfo01.rainpole.local.
5 Create a role for vRealize Log Insight.
a Select the Read-only role and click the Clone role action icon.
You clone the Read-only role because it includes the System.Anonymous, System.View, and System.Read privileges. vRealize Log Insight requires those privileges for accessing log information related to the vCenter Server instances.
b In the Clone Role dialog box, in the Role name text box, enter vRealize Log Insight to vSphere Integration and click OK.
c Select the vRealize Log Insight to vSphere Integration role and click the Edit role action icon.
d In the Edit role dialog box, configure these privileges and click Next.
Category Privilege
Host Configuration.Advanced settings
Configuration.Change settings
Configuration.Network configuration
Configuration.Security profile and firewall
These host privileges allow vRealize Log Insight to configure the syslog service on the ESXi hosts.
e Click Finish.
The vRealize Log Insight to vSphere Integration role is propagated to the other linked vCenter Server instances.
6 Associate the service account with the role and assign global permissions to the [email protected] service account.
a In the left pane, select Access control > Global permissions.
b Click the Add permission icon, enter these values, and click OK.
Setting Value
Domain rainpole.local
User/Group svc-vrli-vsphere
Role vRealize Log Insight to vSphere Integration
Propagate to children Selected
The global permissions of the [email protected] user propagate to all vCenter Server instances.
Connect vRealize Log Insight to vSphere in Region A
After you configure the svc-vrli-vsphere user with the vSphere privileges that are necessary for retrieving log information from the vCenter Server instances and ESXi hosts, connect vRealize Log Insight to vSphere by using the vRealize Log Insight user interface.
Procedure
1 In a Web browser, log in to vRealize Log Insight by using the user interface.
Setting Value
URL https://sfo01vrli01.sfo01.rainpole.local
User name admin
Password vrli_admin_password
2 In the vRealize Log Insight user interface, click Administration.
3 In the left navigation pane, under Integration, click vSphere.
4 In the vCenter pane, enter the connection settings for the Management domain vCenter Server in the region.
Setting Value
Hostname sfo01m01vc01.sfo01.rainpole.local
Username [email protected]
Password svc-vrli-vsphere_user_password
Collect vCenter Server events, tasks and alarms Selected
Configure ESXi hosts to send logs to Log Insight Selected
Target sfo01vrli01.sfo01.rainpole.local
5 Click Test connection.
The vCenter Server certificate appears.
6 In the Untrusted SSL certificate dialog box, verify the vCenter Server certificate information, and click Accept.
7 To verify that you connected to the correct vCenter Server instance, click Advanced options.
8 In the sfo01m01vc01.sfo01.rainpole.local configuration window, select Configure all ESXi hosts.
9 Under Syslog protocol, select TCP and click OK.
10 Click Save.
A progress dialog box appears.
11 When vRealize Log Insight contacts the vCenter Server instance, in the confirmation dialog box, click OK.
12 Repeat these steps to add the Workload domain vCenter Server, sfo01w01vc01.sfo01.rainpole.local.
Results
The vSphere dashboards appear on the vRealize Log Insight Dashboards page, under the VMware - vSphere content pack dashboard category.
Configure vCenter Server to Forward Log Events to vRealize Log Insight in Region A
Configure each vCenter Server instance to forward system logs and events to vRealize Log Insight. After that, you can view and analyze all syslog information in the vRealize Log Insight user interface.
Table 6-2. vCenter Server Instances in Region A
Domain Virtual Appliance Management Interface URL
Management https://sfo01m01vc01.sfo01.rainpole.local:5480
Workload https://sfo01w01vc01.sfo01.rainpole.local:5480
Procedure
1 Redirect the log events from the vCenter Server instances to vRealize Log Insight.
a In a Web browser, log in to vCenter Server by using the Virtual Appliance Management Interface (VAMI).
Setting Value
URL https://sfo01m01vc01.sfo01.rainpole.local:5480
User name root
Password vcenter_server_root_password
b In the navigation pane, click Syslog.
c On the Forwarding configuration page, click Configure.
d In the Create forwarding configuration dialog box, enter these values and click Save.
Table 6-3.
Setting Value
Server address sfo01vrli01.sfo01.rainpole.local
Protocol TCP
Port 514
e Repeat these steps for the other vCenter Server instance by logging in to https://sfo01w01vc01.sfo01.rainpole.local:5480.
2 Verify that the vCenter Server instances are forwarding their syslog traffic to vRealize Log Insight.
a In a Web browser, log in to vRealize Log Insight by using the user interface.
b In the vRealize Log Insight user interface, click Dashboards.
c In the left navigation pane, under Content pack dashboards, click VMware - vSphere > General Overview.
d Verify that the vCenter Server instances are presented on the All vSphere events by hostname widget.
Connect vRealize Log Insight to vRealize Operations Manager in Region A
Connect vRealize Log Insight to vRealize Operations Manager so that you can use the Launch in Context functionality between the two applications to troubleshoot management nodes and vRealize Operations Manager by using dashboards and alerts in the vRealize Log Insight user interface.
Procedure
1 Configure User Privileges in vRealize Operations Manager for Integration with vRealize Log Insight in Region A
To configure vRealize Operations Manager to use the launch in context functionality of vRealize Log Insight and display menu items related to vRealize Log Insight, you import the [email protected] service account and assign it the Administrator role.
2 Enable the vRealize Log Insight Integration with vRealize Operations Manager in Region A
In VMware vRealize Log Insight, you enable the launch in context feature for vRealize Operations Manager. This feature enables vRealize Operations Manager to launch vRealize Log Insight with an object-specific query.
3 Connect vRealize Operations Manager to vRealize Log Insight in Region A
Configure a vRealize Log Insight adapter to integrate vRealize Log Insight with vRealize Operations Manager in your environment. You can access unstructured log data about any object in your environment by using Launch in Context in vRealize Operations Manager.
4 Configure the vRealize Log Insight Agent on the Analytics Cluster to Forward Log Events to vRealize Log Insight in Region A
After you connect vRealize Operations Manager to vRealize Log Insight for launch in context, configure the vRealize Log Insight agent on the vRealize Operations Manager analytics cluster to send audit logs and system events to vRealize Log Insight.
Configure User Privileges in vRealize Operations Manager for Integration with vRealize Log Insight in Region A
To configure vRealize Operations Manager to use the launch in context functionality of vRealize Log Insight and display menu items related to vRealize Log Insight, you import the [email protected] service account and assign it the Administrator role.
Procedure
1 In a Web browser, log in to the vRealize Operations Manager by using the operations interface.
Settings Value
URL https://vrops01svr01.rainpole.local
User name admin
Password vrops_admin_password
2 On the main navigation bar, click Administration.
3 In the left pane, select Access > Access control.
4 Click the User accounts tab.
5 Click the horizontal ellipsis and select Import.
6 Import the [email protected] service account.
a From the Import from drop-down menu, select WorkspaceONE.
b In the Domain Name text box, enter rainpole.local.
c In the Search Prefix text box, enter svc-vrli-vrops and click Search.
d Select svc-vrli-vrops and click Next.
7 On the Assign groups and permissions page, click the Objects tab, enter these values, and click Finish.
Setting Value
Select role Administrator
Assign this role to the user Selected
Allow access to all objects in the system Selected
8 When prompted with the warning about allowing access to all objects on the system, click Yes.
Enable the vRealize Log Insight Integration with vRealize Operations Manager in Region A
In VMware vRealize Log Insight, you enable the launch in context feature for vRealize Operations Manager. This feature enables vRealize Operations Manager to launch vRealize Log Insight with an object-specific query.
Procedure
1 In a Web browser, log in to vRealize Log Insight by using the user interface.
Setting Value
URL https://sfo01vrli01.sfo01.rainpole.local
User name admin
Password vrli_admin_password
2 In the vRealize Log Insight user interface, click Administration.
3 In the left pane, under Integration, click vRealize Operations.
4 On the vRealize Operations integration page, configure these integration settings for vRealize Operations Manager.
Setting Value
Hostname vrops01svr01.rainpole.local
Username [email protected]@WorkspaceONE
Password svc-vrli-vrops_root_password
Enable alerts integration Selected
Enable launch in context Selected
Enable metric calculation Selected
Target sfo01vrli01.sfo01.rainpole.local
5 To validate the connection, click Test.
6 In the Untrusted SSL certificate dialog box, click Accept.
7 Click Save and in the progress dialog box, click OK.
Connect vRealize Operations Manager to vRealize Log Insight in Region A
Configure a vRealize Log Insight adapter to integrate vRealize Log Insight with vRealize Operations Manager in your environment. You can access unstructured log data about any object in your environment by using Launch in Context in vRealize Operations Manager.
Procedure
1 In a Web browser, log in to the vRealize Operations Manager by using the operations interface.
Settings Value
URL https://vrops01svr01.rainpole.local
User name admin
Password vrops_admin_password
2 On the main navigation bar, click Administration.
3 In the left navigation pane, select Management > Integrations.
4 On the Integrations page, click the VMware vRealize Log Insight vertical ellipsis and select Configure.
The VMware vRealize Log Insight dialog box appears.
5 Under Connect information, enter these values for connection to vRealize Log Insight.
Setting Value
Log Insight server sfo01vrli01.sfo01.rainpole.local
Collector/Group sfo01-remote-collectors
6 To validate the connection to vRealize Log Insight, click Validate connection.
7 In the Info dialog box, click OK.
8 Click Save.
9 On the Integrations page, verify that the collection status is OK.
Configure the vRealize Log Insight Agent on the Analytics Cluster to Forward Log Events to vRealize Log Insight in Region A
After you connect vRealize Operations Manager to vRealize Log Insight for launch in context, configure the vRealize Log Insight agent on the vRealize Operations Manager analytics cluster to send audit logs and system events to vRealize Log Insight.
Procedure
1 In a Web browser, log in to the vRealize Operations Manager by using the operations interface.
Settings Value
URL https://vrops01svr01.rainpole.local
User name admin
Password vrops_admin_password
2 On the main navigation bar, click Administration.
3 In the left navigation pane, select Management > Log forwarding.
4 On the Log Forwarding page, enter these values and click Apply changes.
Table 6-4.
Setting Value
Output logs to external log server Selected
Forwarded logs Selected
Log Insight servers sfo01vrli01.sfo01.rainpole.local
Host sfo01vrli01.sfo01.rainpole.local
Protocol cfapi
Port 9000
Use SSL Deselected
Path to certificate authority file N/A
Cluster name vrops01svr01
Connect vRealize Log Insight to NSX Data Center for vSphere in Region A
Install and configure the vRealize Log Insight content pack for log visualization and alerting of the NSX Data Center for vSphere real-time operation. You can use the NSX-vSphere dashboards to monitor logs about installation and configuration, and about virtual networking services in the management and workload domains.
Install the vRealize Log Insight Content Pack for NSX Data Center for vSphere in Region A
To add dashboards to vRealize Log Insight for viewing log details on the NSX Data Center for vSphere operation, install the NSX-vSphere content pack.
Procedure
1 In a Web browser, log in to vRealize Log Insight by using the user interface.
Setting Value
URL https://sfo01vrli01.sfo01.rainpole.local
User name admin
Password vrli_admin_password
2 In the vRealize Log Insight user interface, click Content packs.
3 In the left pane, under Content pack marketplace, click Marketplace.
4 On the Log Insight content pack marketplace page, locate and click the VMware - NSX-vSphere content pack to start the installation.
The Install content pack dialog box appears.
5 Accept the license agreement and click Install.
6 To proceed with installation, click OK.
When the installation finishes, the newly installed content pack appears in the left navigation pane, under Installed content packs.
Update the NSX Manager Log Forwarding Protocol in Region A
The VMware Cloud Foundation 3.10 bring-up process configures the NSX Manager for the management domain to forward logs to the earlier version of vRealize Log Insight that you disassociated. Update the NSX Manager to send audit logs and system events to the newly deployed vRealize Suite 2019 vRealize Log Insight by using the TCP protocol.
Procedure
1 In a Web browser, log in to the NSX Manager for the management domain by using the user interface.
Setting Value
URL https://sfo01m01nsx01.sfo01.rainpole.local
User name admin
Password nsx_admin_password
2 Click Manage appliance settings.
3 Under Settings, click General.
4 In the Syslog server pane, click Edit.
5 In the Syslog server dialog box, verify the syslog server host name and port, configure the protocol, and click OK.
Setting Value
Syslog server sfo01vrli01.sfo01.rainpole.local
Port 514
Protocol TCP
6 If there are workload domains with NSX Data Center for vSphere that are added to the SDDC, repeat the procedure for each Workload domain NSX Manager.
Configure the NSX Controller Nodes to Forward Log Events to vRealize Log Insight in Region A
Configure the NSX Controller nodes to forward log information to vRealize Log Insight by using the NSX REST API. To enable log forwarding, you can use a REST client, such as the Postman application.
First, you retrieve the IDs of the NSX Controller nodes, controller-1, controller-2, and controller-3. Then, you send a request to each NSX Controller node to configure vRealize Log Insight as a remote syslog server.
Table 6-5. Management Domain NSX Controller Nodes
NSX Manager | NSX Controller in the Controller Cluster | Request URL for the NSX Controller Syslog Service
sfo01m01nsx01.sfo01.rainpole.local | NSX Controller 1 | https://sfo01m01nsx01.sfo01.rainpole.local/api/2.0/vdn/controller/controller-1/syslog
sfo01m01nsx01.sfo01.rainpole.local | NSX Controller 2 | https://sfo01m01nsx01.sfo01.rainpole.local/api/2.0/vdn/controller/controller-2/syslog
sfo01m01nsx01.sfo01.rainpole.local | NSX Controller 3 | https://sfo01m01nsx01.sfo01.rainpole.local/api/2.0/vdn/controller/controller-3/syslog
Procedure
1 Log in to the host machine that has access to your data center.
2 Start the Postman application and log in.
3 Configure the headers for requests to the NSX Manager.
a On the Authorization tab, enter the authorization details.
Setting Value
Type Basic Auth
User name admin
Password nsx_admin_password
b On the Headers tab, enter the header details.
Setting Value
Key Content-Type
Key value application/xml
4 Retrieve the IDs of the NSX Controller nodes associated with the Management domain NSX Manager.
a In the request pane, provide the URL query for the NSX Manager and click Send.
Setting Value
HTTP request method GET
Request URL https://sfo01m01nsx01.sfo01.rainpole.local/api/2.0/vdn/controller
Body None
The Postman application sends a query to the NSX Manager about the installed NSX Controller nodes.
b When the NSX Manager sends a response back, click the Body tab in the response pane.
The response body contains a root <controllers> XML element that groups the details about the three controllers that form the controller cluster.
c Within the <controllers> element, locate the <controller> element for each NSX Controller node and write down the content of the <id> element.
NSX Controller IDs have the controller-id format where id represents the sequence number of the controller in the cluster, for example, controller-1, controller-2, and controller-3.
You can form the request URLs for the NSX Controller nodes.
5 For each NSX Controller, send a request to configure vRealize Log Insight as a remote syslog server.
a In the request pane, provide the URL query for the first NSX Controller and click Send.
Setting Value
HTTP request method POST
Request URL https://sfo01m01nsx01.sfo01.rainpole.local/api/2.0/vdn/controller/controller-1/syslog
b On the Body tab, select the Raw radio-button, and from the Text drop-down menu, select XML (Application/XML).
c In the Body text box, enter the following request body for configuring vRealize Log Insight as a remote syslog server, and click Send.
<controllerSyslogServer>
  <syslogServer>192.168.31.10</syslogServer>
  <port>514</port>
  <protocol>TCP</protocol>
  <level>INFO</level>
</controllerSyslogServer>
d Repeat these steps for the remaining NSX Controllers.
6 Verify the syslog configuration on each NSX Controller.
a In the request pane, provide the URL query for the first NSX Controller and click Send.
Setting Value
HTTP request method GET
Request URL https://sfo01m01nsx01.sfo01.rainpole.local/api/2.0/vdn/controller/controller-1/syslog
Body None
b When the NSX Controller sends a response back, click the Body tab in the response pane.
The response body contains a root <controllerSyslogServer> element, which represents the settings for the remote syslog server on the NSX Controller.
c Verify that the value of the <syslogServer> element is 192.168.31.10.
d Repeat these steps for the remaining NSX Controllers.
7 If there are workload domains with NSX Data Center for vSphere that are added to the SDDC, repeat the procedure for each Workload domain NSX Manager.
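The ID retrieval in step 4 and the verification in step 6 can be scripted so that every controller is checked against the values sent in step 5. The following Python sketch is an added example, not part of the VMware procedure; the sample XML responses are constructed, and only the elements named on this page are assumed.

```python
import xml.etree.ElementTree as ET

NSX_MANAGER = "sfo01m01nsx01.sfo01.rainpole.local"

# Expected values, taken from the request body in step 5c.
EXPECTED = {
    "syslogServer": "192.168.31.10",
    "port": "514",
    "protocol": "TCP",
    "level": "INFO",
}

# Constructed sample of the step 4 response. Only <controllers>, <controller>
# and <id> are described on this page; real responses carry more fields.
SAMPLE_CONTROLLERS = """\
<controllers>
  <controller><id>controller-1</id></controller>
  <controller><id>controller-2</id></controller>
  <controller><id>controller-3</id></controller>
</controllers>"""

# Constructed step 6 responses: controller-1 matches the baseline,
# controller-2 has drifted to UDP, controller-3 returned nothing.
SAMPLE_SYSLOG = {
    "controller-1": "<controllerSyslogServer><syslogServer>192.168.31.10</syslogServer>"
                    "<port>514</port><protocol>TCP</protocol><level>INFO</level>"
                    "</controllerSyslogServer>",
    "controller-2": "<controllerSyslogServer><syslogServer>192.168.31.10</syslogServer>"
                    "<port>514</port><protocol>UDP</protocol><level>INFO</level>"
                    "</controllerSyslogServer>",
}


def controller_ids(xml_text):
    """Return the <id> of every <controller> under the <controllers> root."""
    root = ET.fromstring(xml_text)
    if root.tag != "controllers":
        raise ValueError(f"unexpected root element <{root.tag}>")
    ids = []
    for node in root.findall("controller"):
        cid = (node.findtext("id") or "").strip()
        if not cid:
            raise ValueError("<controller> element without an <id>")
        ids.append(cid)
    return ids


def syslog_url(controller_id, manager=NSX_MANAGER):
    """Form the request URL for one controller, as listed in Table 6-5."""
    return f"https://{manager}/api/2.0/vdn/controller/{controller_id}/syslog"


def syslog_findings(xml_text):
    """Compare a <controllerSyslogServer> response with EXPECTED."""
    root = ET.fromstring(xml_text)
    if root.tag != "controllerSyslogServer":
        return [f"unexpected root element <{root.tag}>"]
    findings = []
    for tag, want in EXPECTED.items():
        got = (root.findtext(tag) or "").strip()
        if not got:
            findings.append(f"<{tag}> is missing or empty")
        elif got.upper() != want.upper():
            findings.append(f"<{tag}> is {got}, expected {want}")
    return findings


def audit(controllers_xml, syslog_responses):
    """Map each controller's syslog URL to its list of findings."""
    report = {}
    for cid in controller_ids(controllers_xml):
        body = syslog_responses.get(cid)
        report[syslog_url(cid)] = (
            syslog_findings(body) if body else ["no syslog configuration returned"]
        )
    return report


if __name__ == "__main__":
    for url, findings in audit(SAMPLE_CONTROLLERS, SAMPLE_SYSLOG).items():
        print(url, "OK" if not findings else "; ".join(findings))
```

An empty findings list for every URL means that all three controllers forward to vRealize Log Insight with the settings from step 5.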
Update the Log Forwarding Protocol on the NSX Edge Instances in Region A
Update the log forwarding protocol on the edge services gateways, universal distributed logical router, and load balancer.
Table 6-6. Management Domain NSX Edges
Traffic Type NSX Edge Name NSX Edge Type
North-South Routing sfo01m01esg01 Edge Services Gateway
North-South Routing sfo01m01esg02 Edge Services Gateway
East-West Routing sfo01m01udlr01 Universal Distributed Logical Router
Load Balancer sfo01m01lb01 Edge Services Gateway
Procedure
1 In a Web browser, log in to vCenter Server by using the vSphere Client.
Setting Value
URL https://sfo01m01vc01.sfo01.rainpole.local/ui
User name [email protected]
Password vsphere_admin_password
2 In the Networking and security inventory, click NSX Edges.
3 From the NSX Manager drop-down menu, select 172.16.11.65.
The NSX Edge devices associated with the Management domain NSX Manager appear.
4 Update the log forwarding protocol on each NSX Edge device.
a Click the ID of the NSX Edge device to open its network settings.
b Click the Configure tab and click Appliance Settings.
c Next to Configuration, click the cog icon and select Change syslog configuration.
d In the Change syslog servers dialog box, update the protocol and click OK.
Setting Value
Syslog server 1 192.168.31.10
Protocol TCP
e Repeat these steps for the remaining NSX Edge devices for the management domain.
5 If there are workload domains with NSX Data Center for vSphere that are added to the SDDC, repeat the procedure for each Workload domain NSX Manager.
Results
The vRealize Log Insight user interface starts showing log data under the VMware - NSX-vSphere group of content pack dashboards, in the NSX-vSphere - Overview dashboard.
Connect vRealize Log Insight to NSX-T Data Center in Region A
If you deployed NSX-T Data Center in the workload domain, you connect vRealize Log Insight to the NSX-T Data Center components to start collecting log information.
Procedure
1 Install the vRealize Log Insight Content Pack for NSX-T Data Center in Region A
To add dashboards to vRealize Log Insight for viewing log details on the NSX-T Data Center operation, install the NSX-T content pack.
2 Configure the Workload Domain NSX-T Managers to Forward Log Events to vRealize Log Insight in Region A
Configure the NSX-T Managers to send audit logs and system events to vRealize Log Insight.
3 Configure the NSX-T Edges to Forward Log Events to vRealize Log Insight in Region A
Configure the NSX-T Edge nodes to send audit logs and system events to vRealize Log Insight.
Install the vRealize Log Insight Content Pack for NSX-T Data Center in Region A
To add dashboards to vRealize Log Insight for viewing log details on the NSX-T Data Center operation, install the NSX-T content pack.
Procedure
1 In a Web browser, log in to vRealize Log Insight by using the user interface.
Setting Value
URL https://sfo01vrli01.sfo01.rainpole.local
User name admin
Password vrli_admin_password
2 In the vRealize Log Insight user interface, click Content packs.
3 In the left pane, under Content pack marketplace, click Marketplace.
4 On the Log Insight content pack marketplace page, locate and click the VMware - NSX-T content pack to start the installation.
The Install content pack dialog box appears.
5 Accept the license agreement and click Install.
6 To proceed with the installation, click OK.
When the installation finishes, the newly installed content pack appears in the left navigation pane, under Installed content packs.
Configure the Workload Domain NSX-T Managers to Forward Log Events to vRealize Log Insight in Region A
Configure the NSX-T Managers to send audit logs and system events to vRealize Log Insight.
Use the Postman application to configure log forwarding for all NSX-T Managers in the region by sending a POST request to each NSX-T Manager.
Table 6-7. Workload domain NSX-T Managers in Region A
NSX Manager Host Name | Request URL for the NSX Manager Syslog Service
sfo01w01nsx01a.sfo01.rainpole.local | https://sfo01w01nsx01a.sfo01.rainpole.local/api/v1/node/services/syslog/exporters
sfo01w01nsx01b.sfo01.rainpole.local | https://sfo01w01nsx01b.sfo01.rainpole.local/api/v1/node/services/syslog/exporters
sfo01w01nsx01c.sfo01.rainpole.local | https://sfo01w01nsx01c.sfo01.rainpole.local/api/v1/node/services/syslog/exporters
Procedure
1 Log in to the host machine that has access to your data center.
2 Start the Postman application and log in.
3 Configure the request headers and body.
a On the Authorization tab, enter the authorization details.
Setting Value
Type Basic Auth
User name admin
Password nsx-t_admin_password
b On the Headers tab, enter the header details.
Setting Value
Key Content-Type
Key value application/json
c On the Body tab, select the Raw radio-button, and from the Text drop-down menu, select JSON.
d In the Body text box, enter the following request body for configuring vRealize Log Insight as a remote syslog server.
{
  "exporter_name": "syslog1",
  "level": "INFO",
  "port": 514,
  "protocol": "TCP",
  "server": "sfo01vrli01.sfo01.rainpole.local"
}
4 Send the request to each NSX-T Manager.
a In the request pane, provide the URL query for the Workload domain NSX-T Manager and click Send.
Setting Value
HTTP request method POST
Request URL https://sfo01w01nsx01a.sfo01.rainpole.local/api/v1/node/services/syslog/exporters
b Repeat this step by sending the log configuration request to the request URL of each of the remaining Workload domain NSX-T Managers.
The log data appears on the vRealize Log Insight Dashboards page, under Content pack dashboards, on the VMware - NSX-T > NSX-Infrastructure page.
5 Verify the syslog configuration on each NSX-T Manager.
a In the request pane, configure the following settings and click Send.
Setting Value
HTTP request method GET
Request URL https://sfo01w01nsx01a.sfo01.rainpole.local/api/v1/node/services/syslog/exporters
Body None
When the NSX-T Manager appliance sends a response back, on the Body tab, you see the following message.
{
  "_schema": "NodeSyslogExporterPropertiesListResult",
  "_self": {
    "href": "/node/services/syslog/exporters",
    "rel": "self"
  },
  "result_count": 1,
  "results": [
    {
      "_schema": "NodeSyslogExporterProperties",
      "_self": {
        "href": "/node/services/syslog/exporters/syslog1",
        "rel": "self"
      },
      "exporter_name": "syslog1",
      "level": "INFO",
      "port": 514,
      "protocol": "TCP",
      "server": "sfo01vrli01.sfo01.rainpole.local"
    }
  ]
}
b Verify that the value of the server element is sfo01vrli01.sfo01.rainpole.local.
c Repeat this step by sending the log verification request to the request URL of each of the remaining Workload domain NSX-T Managers.
6 If there are other workload domains with NSX-T Data Center that are added to the SDDC, repeat the procedure for each additional Workload domain NSX-T Manager.
Configure the NSX-T Edges to Forward Log Events to vRealize Log Insight in Region A
Configure the NSX-T Edge nodes to send audit logs and system events to vRealize Log Insight.
First, you retrieve the ID of each edge transport node by using the NSX-T Manager user interface. Then, you use the Postman application to configure log forwarding for all edge transport nodes in the region by sending a POST request to each NSX-T Edge node.
Table 6-8. Management Domain NSX-T Edges in Region A
Type | NSX-T Edge Host Name | Request URL for the NSX-T Edge Syslog Service | NSX-T Manager URL
Workload | sfo01w01en01.sfo01.rainpole.local | https://sfo01w01nsx01.sfo01.rainpole.local/api/v1/transport-nodes/node_id_of_sfo01w01en01/node/services/syslog/exporters | https://sfo01w01nsx01.sfo01.rainpole.local
Workload | sfo01w01en02.sfo01.rainpole.local | https://sfo01w01nsx01.sfo01.rainpole.local/api/v1/transport-nodes/node_id_of_sfo01w01en02/node/services/syslog/exporters | https://sfo01w01nsx01.sfo01.rainpole.local
Procedure
1 In a Web browser, log in to the NSX-T Manager for the workload domain by using the user interface.
Setting Value
URL https://sfo01w01nsx01.sfo01.rainpole.local
User name admin
Password nsx-t_admin_password
2 Retrieve the IDs of the edge transport nodes.
a Click System.
b In the left navigation pane, under Configuration, click Fabric > Nodes.
c Click the Edge transport nodes tab.
d On the row for the sfo01w01en01 edge transport node, click the ID value.
A text box appears showing the transport edge node ID.
e Copy the node ID value, node_id_of_sfo01w01en01.
f Repeat these steps to retrieve the IDs of the remaining NSX-T Edge nodes.
3 Start the Postman application and log in.
4 Configure the request headers and body.
a On the Authorization tab, enter the authorization details.
Setting Value
Type Basic Auth
User name admin
Password nsx-t_admin_password
b On the Headers tab, enter the header details.
Setting Value
Key Content-Type
Key value application/json
c On the Body tab, select the Raw radio-button, and from the Text drop-down menu, select JSON.
d In the Body text box, enter the following request body for configuring vRealize Log Insight as a remote syslog server.
{
  "exporter_name": "syslog1",
  "level": "INFO",
  "port": 514,
  "protocol": "TCP",
  "server": "sfo01vrli01.sfo01.rainpole.local"
}
5 Send the request to each NSX-T Edge node.
a In the request pane, provide the URL query for the first Management domain NSX-T Edge and click Send.
Setting Value
HTTP request method POST
Request URL https://sfo01w01nsx01.sfo01.rainpole.local/api/v1/transport-nodes/node_id_of_sfo01w01en01/node/services/syslog/exporters
b Repeat this step by sending the log configuration request to the API URL of each of the remaining Workload domain NSX-T Edge nodes.
6 Verify the syslog configuration on each NSX-T Edge node.
a In the request pane, configure the following settings and click Send.
Setting Value
HTTP request method GET
Request URL https://sfo01w01nsx01.sfo01.rainpole.local/api/v1/transport-nodes/node_id_of_sfo01w01en01/node/services/syslog/exporters
Body None
When the NSX-T Edge sends a response back, on the Body tab, you see the following message.
{
  "_schema": "NodeSyslogExporterPropertiesListResult",
  "_self": {
    "href": "/transport-nodes/0d8b168d-44ae-4fba-905a-bf5f7c927d8b/node/services/syslog/exporters",
    "rel": "self"
  },
  "result_count": 1,
  "results": [
    {
      "_schema": "NodeSyslogExporterProperties",
      "_self": {
        "href": "/node/services/syslog/exporters/syslog1",
        "rel": "self"
      },
      "exporter_name": "syslog1",
      "level": "INFO",
      "port": 514,
      "protocol": "TCP",
      "server": "sfo01vrli01.sfo01.rainpole.local"
    }
  ]
}
b Verify that the value of the server element is sfo01vrli01.sfo01.rainpole.local.
c Repeat this step by sending the log verification request to the request URL of each of the remaining Workload domain NSX-T Edge nodes.
7 If there are other workload domains with NSX-T Manager that are added to the SDDC, repeat the procedure for each additional Workload domain NSX-T Edge node.
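The verification steps for the NSX-T Managers and for the NSX-T Edge nodes return the same exporter list, so one check can cover both. The following Python sketch is an added example, not part of the VMware procedure: it compares each response with the request body used on this page and also reports exporters that forward to any other server. The sample responses and the host name collector.example.invalid are constructed.

```python
import base64
import json
import urllib.request

# Baseline taken from the request body on this page.
BASELINE = {
    "level": "INFO",
    "port": 514,
    "protocol": "TCP",
    "server": "sfo01vrli01.sfo01.rainpole.local",
}


def manager_url(host):
    """Exporter URL of an NSX-T Manager node (Table 6-7)."""
    return f"https://{host}/api/v1/node/services/syslog/exporters"


def edge_url(manager, node_id):
    """Exporter URL of an edge transport node, reached through its NSX-T Manager (Table 6-8)."""
    return f"https://{manager}/api/v1/transport-nodes/{node_id}/node/services/syslog/exporters"


def fetch(url, user, password, timeout=10):
    """GET the exporter list with Basic auth; TLS certificate validation stays on."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


def exporter_findings(body, baseline=BASELINE):
    """Return the deviations of one exporter list from the baseline."""
    doc = json.loads(body)
    results = doc.get("results", [])
    if not results:
        return ["no syslog exporter configured"]
    findings = []
    if doc.get("result_count") != len(results):
        findings.append(f"result_count {doc.get('result_count')} != {len(results)} results")
    compliant = 0
    for exp in results:
        name = exp.get("exporter_name", "<unnamed>")
        drift = [f"{k}={exp.get(k)!r} (expected {v!r})"
                 for k, v in baseline.items() if exp.get(k) != v]
        if not drift:
            compliant += 1
        elif exp.get("server") == baseline["server"]:
            findings.append(f"{name}: " + ", ".join(drift))
        else:
            # Logs leaving for a destination other than vRealize Log Insight.
            findings.append(f"{name}: forwards to unexpected server {exp.get('server')!r}")
    if compliant == 0:
        findings.append("no exporter matches the baseline")
    return findings


def audit(responses):
    """Map each request URL to the findings for its response body."""
    return {url: exporter_findings(body) for url, body in responses.items()}


def listing(*exporters):
    """Build a constructed GET response in the shape shown in the verification steps."""
    return json.dumps({
        "_schema": "NodeSyslogExporterPropertiesListResult",
        "result_count": len(exporters),
        "results": list(exporters),
    })


# Constructed sample responses, keyed by the request URLs from Tables 6-7 and 6-8.
COMPLIANT = dict(BASELINE, exporter_name="syslog1")
SAMPLES = {
    manager_url("sfo01w01nsx01a.sfo01.rainpole.local"): listing(COMPLIANT),
    manager_url("sfo01w01nsx01b.sfo01.rainpole.local"): listing(dict(COMPLIANT, protocol="UDP")),
    manager_url("sfo01w01nsx01c.sfo01.rainpole.local"): listing(),
    edge_url("sfo01w01nsx01.sfo01.rainpole.local", "node_id_of_sfo01w01en01"): listing(
        COMPLIANT, dict(COMPLIANT, exporter_name="syslog2", server="collector.example.invalid")),
}

if __name__ == "__main__":
    for url, findings in audit(SAMPLES).items():
        print(url, "OK" if not findings else "; ".join(findings))
```

Against a live environment, pass the output of fetch() for each URL to audit() instead of SAMPLES.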
Download the vRealize Log Insight Agent
You download the vRealize Log Insight agent so that you can later install it on the Workspace ONE Access nodes.
Procedure
1 In a Web browser, log in to vRealize Log Insight by using the user interface.
Setting Value
URL https://sfo01vrli01.sfo01.rainpole.local
User name admin
Password vrli_admin_password
2 In the vRealize Log Insight user interface, click Administration.
3 In the left pane, under Management, click Agents.
4 On the Agents page, click Download Log Insight agent version at the bottom of the page.
5 In the Download Log Insight agent version dialog box, click Linux RPM (32-bit/64-bit) and save the .rpm file on your computer.
Install and Configure the vRealize Log Insight Agent on the Workspace ONE Access Nodes
Install and configure the vRealize Log Insight agent on each Workspace ONE Access node to send audit logs and system events to vRealize Log Insight.
To install the vRealize Log Insight agent, you use the .rpm file that you previously downloaded. See Download the vRealize Log Insight Agent.
Table 6-9. Workspace ONE Access Nodes
Type | FQDN
Region-specific | sfo01wsa01.sfo01.rainpole.local
Cross-region | wsa01svr01a.rainpole.local
Cross-region | wsa01svr01b.rainpole.local
Cross-region | wsa01svr01c.rainpole.local
Procedure
1 Log in to the region-specific Workspace ONE Access instance in Region A by using a Secure Shell (SSH) client.
Setting Value
FQDN sfo01wsa01.sfo01.rainpole.local
User name sshuser
Password sfo01wsa01_sshuser_password
2 Change to root user and provide the password at the prompt.
su -
3 Copy the .rpm file of the vRealize Log Insight Linux agent to the /tmp folder on the Workspace ONE Access appliance.
You can use SCP, FileZilla, or WinSCP.
4 Run the command to install the agent.
rpm -i /tmp/VMware-Log-Insight-Agent-version-build.noarch_192.168.31.10.rpm
5 Configure the vRealize Log Insight agent on the Workspace ONE Access node.
a Edit the liagent.ini file on the Workspace ONE Access node by using a text editor such as vi.
vi /var/lib/loginsight-agent/liagent.ini
b Locate the [server] section, remove the comments for the following parameters, and insert the following values.
[server]
; Log Insight server hostname or ip address
; If omitted the default value is LOGINSIGHT
hostname=sfo01vrli01.sfo01.rainpole.local
; Set protocol to use:
; cfapi - Log Insight REST API
; syslog - Syslog protocol
; If omitted the default value is cfapi
;
proto=cfapi
; Log Insight server port to connect to. If omitted the default value is:
; for syslog: 512
; for cfapi without ssl: 9000
; for cfapi with ssl: 9543
port=9000
;ssl - enable/disable SSL. Applies to cfapi protocol only.
; Possible values are yes or no. If omitted the default value is no.
ssl=no
c Press Escape and enter :wq! to save the file.
d Run the command to restart the vRealize Log Insight agent on the node.
/etc/init.d/liagentd restart
e Run the command to verify that the vRealize Log Insight agent is running.
/etc/init.d/liagentd status
6 Repeat the procedure for each cross-region Workspace ONE Access node.
Configure Log Forwarding for vRealize Suite Lifecycle Manager in Region A
You configure vRealize Suite Lifecycle Manager to forward logs to vRealize Log Insight.
Procedure
1 In a Web browser, log in to vRealize Suite Lifecycle Manager by using the administration interface.
Setting Value
URL https://vrslcm01svr01.rainpole.local
User name admin@local
Password vrslcm_admin_password
2 On the My services page, click Lifecycle operations.
3 In the navigation pane, click Settings.
4 Under System Administration, click Logs.
5 In the Log Insight agent configuration pane, enter these values and click Save.
Setting Value
Hostname sfo01vrli01.sfo01.rainpole.local
Port 9000
Server protocol vRealize Log Insight (CFAPI)
Secure Communication (SSL) Deselected
Accept Any Selected
Accept Any Trusted Selected
Common name -
Reconnection time 30
Buffer size 2000
Validate Log Forwarding for SDDC Manager in Region A
The VMware Cloud Foundation 3.10 bring-up process installs and configures the vRealize Log Insight agent in the SDDC Manager appliance. Validate that the vRealize Log Insight agent in the SDDC Manager appliance is configured to forward logs to the newly deployed vRealize Suite 2019 vRealize Log Insight.
Procedure
1 Log in to SDDC Manager by using a Secure Shell (SSH) client.
Setting Value
FQDN sfo01mgr01.sfo01.rainpole.local
User name vcf
Password vcf_password
2 Validate the vRealize Log Insight agent configuration on SDDC Manager appliance.
a View the liagent.ini file on SDDC Manager node.
cat /var/lib/loginsight-agent/liagent.ini
b Locate the [server] section and verify that the value of the hostname parameter is sfo01vrli01.sfo01.rainpole.local, and that the values for protocol, port, and ssl are set as follows.
[server]
; Log Insight server hostname or ip address
; If omitted the default value is LOGINSIGHT
hostname=sfo01vrli01.sfo01.rainpole.local
; Set protocol to use:
; cfapi - Log Insight REST API
; syslog - Syslog protocol
; If omitted the default value is cfapi
;
proto=cfapi
; Log Insight server port to connect to. If omitted the default value is:
; for syslog: 512
; for cfapi without ssl: 9000
; for cfapi with ssl: 9543
port=9000
;ssl - enable/disable SSL. Applies to cfapi protocol only.
; Possible values are yes or no. If omitted the default value is no.
ssl=no
; Time in minutes to force reconnection to the server
; If omitted the default value is 30
;reconnect=30
c If you made changes in the liagent.ini file, run the command to restart the vRealize Log Insight agent on the node.
/etc/init.d/liagentd restart
d Run the command to verify that the vRealize Log Insight agent is running.
/etc/init.d/liagentd status
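The [server] check described for the Workspace ONE Access nodes and for SDDC Manager can be run as a script that resolves commented-out parameters to their defaults before comparing. The following Python sketch is an added example, not part of the VMware procedure; the default values are those stated in the liagent.ini comments shown on this page, and the drifted sample file is constructed.

```python
import configparser

# Values this procedure expects in the [server] section.
EXPECTED = {
    "hostname": "sfo01vrli01.sfo01.rainpole.local",
    "proto": "cfapi",
    "port": 9000,
    "ssl": "no",
}

# Abridged copy of the [server] section shown on this page.
PAGE_INI = """\
[server]
; Log Insight server hostname or ip address
; If omitted the default value is LOGINSIGHT
hostname=sfo01vrli01.sfo01.rainpole.local
; If omitted the default value is cfapi
proto=cfapi
port=9000
; Possible values are yes or no. If omitted the default value is no.
ssl=no
;reconnect=30
"""

# Constructed sample: hostname and port left commented out, protocol changed.
DRIFTED_INI = """\
[server]
;hostname=sfo01vrli01.sfo01.rainpole.local
proto=syslog
;port=9000
"""


def effective_server_settings(ini_text):
    """Return the [server] values the agent ends up with, defaults applied.

    Defaults are the ones named in the file comments on this page:
    hostname LOGINSIGHT, proto cfapi, ssl no, and a port that depends
    on the protocol and on whether SSL is enabled.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    section = parser["server"] if parser.has_section("server") else {}
    hostname = section.get("hostname", "LOGINSIGHT").strip()
    proto = section.get("proto", "cfapi").strip().lower()
    ssl = section.get("ssl", "no").strip().lower()
    if "port" in section:
        port = int(section["port"])
    elif proto == "syslog":
        port = 512  # syslog default as stated in the file comments on this page
    else:
        port = 9543 if ssl == "yes" else 9000
    return {"hostname": hostname, "proto": proto, "port": port, "ssl": ssl}


def findings(ini_text, expected=EXPECTED):
    """List every effective setting that differs from the expected value."""
    effective = effective_server_settings(ini_text)
    return [
        f"{key}: effective value {effective[key]!r}, expected {want!r}"
        for key, want in expected.items()
        if effective[key] != want
    ]


if __name__ == "__main__":
    for label, text in (("page", PAGE_INI), ("drifted", DRIFTED_INI)):
        result = findings(text)
        print(label, "OK" if not result else "; ".join(result))
```

On an appliance, pass the contents of /var/lib/loginsight-agent/liagent.ini to findings().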
Collect Operating System Logs from the Management Virtual Appliances in vRealize Log Insight in Region A
To visualize and analyze operating system logs from the management virtual appliances, you install and configure the vRealize Log Insight content packs for Linux. For the Workspace ONE Access appliance, you install and configure the general content pack for Linux. For the remaining management appliances, you install and configure the content pack that is designed for Photon OS.
Procedure
1 Install the vRealize Log Insight Content Pack for Linux for the Management Virtual Appliances in Region A
To visualize and analyze operating system logs from most of the management virtual appliances, install and configure the vRealize Log Insight Content Pack for Linux that is designed for Photon OS.
2 Configure a Log Insight Agent Group for the Management Virtual Appliances in Region A
After you install the content pack for Linux that is designed for Photon OS, configure an agent group to apply common settings to the agents on the appliances in the region.
3 Install the vRealize Log Insight Content Pack for Linux for Workspace One Access in Region A
To visualize and analyze operating system logs from the Workspace One Access nodes, install and configure the general vRealize Log Insight content pack for Linux.
4 Configure a Log Insight Agent Group for the Management Virtual Appliances of Workspace One Access in Region A
After you install the general content pack for Linux, configure an agent group to apply common settings to the agents on the Workspace One Access nodes in the region.
Install the vRealize Log Insight Content Pack for Linux for the Management Virtual Appliances in Region A
To visualize and analyze operating system logs from most of the management virtual appliances, install and configure the vRealize Log Insight Content Pack for Linux that is designed for Photon OS.
Procedure
1 In a Web browser, log in to vRealize Log Insight by using the user interface.
Setting Value
URL https://sfo01vrli01.sfo01.rainpole.local
User name admin
Password vrli_admin_password
2 In the vRealize Log Insight user interface, click Content packs.
3 In the left pane, under Content pack marketplace, click Marketplace.
4 On the Log Insight content pack marketplace page, locate and click the Linux - Systemd content pack to start the installation.
The Install content pack dialog box appears.
5 Accept the license agreement and click Install.
6 To proceed with the installation, click OK.
When the installation finishes, the content pack appears in the left navigation pane, under Installed content packs.
Configure a Log Insight Agent Group for the Management Virtual Appliances in Region A
After you install the content pack for Linux that is designed for Photon OS, configure an agent group to apply common settings to the agents on the appliances in the region.
Procedure
1 In a Web browser, log in to vRealize Log Insight by using the user interface.
Setting Value
URL https://sfo01vrli01.sfo01.rainpole.local
User name admin
Password vrli_admin_password
2 In the vRealize Log Insight user interface, click Administration.
3 In the left pane, under Management, click Agents.
4 From the drop-down at the top, select Linux - Systemd.
5 Click Copy template.
The Copy agent group dialog box appears.
6 In the Name text box, enter SDDC - Photon OS and click Copy.
7 From the agent filter drop-down menus, select the object type and operator and, in the agent filter text box, enter the host names by pressing Enter to separate the values.
Object Type: Hostname
Operator: matches
Values:
- sfo01mgr01.sfo01.rainpole.local
- vrslcm01svr01.rainpole.local
- vrops01svr01a.rainpole.local
- vrops01svr01b.rainpole.local
- vrops01svr01c.rainpole.local
- sfo01vropsc01a.sfo01.rainpole.local
- sfo01vropsc01b.sfo01.rainpole.local
8 Click the Refresh data icon at the top of the page and verify that all the agents listed in the filter appear in the Agents list.
9 Click Save new group at the bottom of the page.
10 Verify that log data is showing up on the Linux dashboards.
a On the main navigation menu, click Dashboards.
b In the left pane, under Content pack dashboards, click the Linux - Systemd content pack.
You see events that occurred over the past 48 hours.
Install the vRealize Log Insight Content Pack for Linux for Workspace One Access in Region A
To visualize and analyze operating system logs from the Workspace One Access nodes, install and configure the general vRealize Log Insight content pack for Linux.
Procedure
1 In a Web browser, log in to vRealize Log Insight by using the user interface.
Setting Value
URL https://sfo01vrli01.sfo01.rainpole.local
User name admin
Password vrli_admin_password
2 In the vRealize Log Insight user interface, click Content packs.
3 In the left pane, under Content pack marketplace, click Marketplace.
4 On the Log Insight content pack marketplace page, locate and click the Linux content pack to start the installation.
The Install content pack dialog box appears.
5 Accept the license agreement and click Install.
6 To proceed with the installation, click OK.
When the installation finishes, the content pack appears in the left navigation pane, under Installed content packs.
Configure a Log Insight Agent Group for the Management Virtual Appliances of Workspace One Access in Region A
After you install the general content pack for Linux, configure an agent group to apply common settings to the agents on the Workspace One Access nodes in the region.
Procedure
1 In a Web browser, log in to vRealize Log Insight by using the user interface.
Setting Value
URL https://sfo01vrli01.sfo01.rainpole.local
User name admin
Password vrli_admin_password
2 In the vRealize Log Insight user interface, click Administration.
3 In the left pane, under Management, click Agents.
4 From the drop-down at the top, select Linux.
5 Click Copy template.
The Copy agent group dialog box appears.
6 In the Name text box, enter SDDC - Linux OS and click Copy.
7 From the agent filter drop-down menus, select the object type and operator and, in the agent filter text box, enter the host names by pressing Enter to separate the values.
Object Type: Hostname
Operator: matches
Values:
- sfo01wsa01.sfo01.rainpole.local
- wsa01svr01a.rainpole.local
- wsa01svr01b.rainpole.local
- wsa01svr01c.rainpole.local
8 Click the Refresh data icon at the top of the page and verify that all the agents listed in the filter appear in the Agents list.
9 Click Save new group at the bottom of the page.
10 Verify that log data is showing up on the Linux dashboards.
a On the main navigation bar, click Dashboards.
b In the left pane, under Content pack dashboards, click the Linux content pack.
You see events that occurred over the past 48 hours.
Configure Log Retention and Archiving for vRealize Log Insight in Region A
Set the retention notification threshold to one week. Enable data archiving, so that you can manually archive logs for 90 days and selectively clean the datastore when free space is required.
Procedure
1 In a Web browser, log in to vRealize Log Insight by using the user interface.
Setting Value
URL https://sfo01vrli01.sfo01.rainpole.local
User name admin
Password vrli_admin_password
2 In the vRealize Log Insight user interface, click Administration.
3 Configure notification about reaching a retention threshold of one week.
a In the left pane, under Configuration, click General.
b On the General configuration page, in the Alerts panel, enter these values.
Setting Value
Email system notifications to [email protected]
Retention notification threshold Select Send a notification when capacity drops below
Set 1 week(s) of data in the system
c Click Save.
vRealize Log Insight continuously estimates how long data can be retained with the currently available pool of storage.
If the estimation drops below the retention threshold of one week, vRealize Log Insight immediately notifies the administrator that the amount of searchable log data is likely to drop.
4 Configure data archiving.
a In the left pane, under Configuration, click Archiving.
b Turn on the Enable data archiving toggle switch.
c In the Archive location text box, enter the path in the form of nfs://nfs_server_address/sfo01vrli01_archive to an NFS partition where logs are to be archived.
d Click Test to verify that the share is accessible.
e Click Save.
7 vRealize Automation Implementation in Region A
The cloud automation layer consists of integrated products that support the management of public, private, and hybrid cloud environments. These products are vRealize Automation and an embedded vRealize Orchestrator.
This chapter includes the following topics:
- Configure the Load Balancer for vRealize Automation in Region A
- Deploy vRealize Automation in Region A
- Post-Deployment vRealize Automation Configuration in Region A
- Post-Deployment Operations Management Integration with vRealize Automation in Region A
- Configure vRealize Automation for a Sample Project Implementation in Region A
Configure the Load Balancer for vRealize Automation in Region A
You configure load balancing for the vRealize Automation cluster nodes by using an NSX Data Center for vSphere load balancer.
You configure the load balancer before you deploy vRealize Automation to use the FQDN of the virtual IP address.
Procedure
1 Configure the Virtual IP Address for Load Balancing the vRealize Automation Cluster in Region A
You begin the load balancing configuration by adding the virtual IP address for load balancing the vRealize Automation cluster to the edge interface.
2 Create a Service Monitor for vRealize Automation in Region A
You set up health check monitoring for vRealize Automation to monitor the server pool that you later create. Servers that fail to respond to the health checks within a specified time period are excluded from future connection handling.
3 Create a Server Pool for vRealize Automation in Region A
You create a server pool for vRealize Automation in NSX Data Center for vSphere. The server pool determines the load balancing algorithm and combines resources from the pool members.
4 Create the Application Profiles for vRealize Automation in Region A
You create an application profile and associate it with a virtual server to define the behavior of a particular type of network traffic. The virtual server processes traffic according to the values specified in the profile.
5 Create Virtual Servers for vRealize Automation in Region A
You create two virtual servers for vRealize Automation: one for load balancing and one for redirecting HTTP to HTTPS. These virtual servers are associated with the configured application profile and server pool and distribute client connections among the server pool members.
Configure the Virtual IP Address for Load Balancing the vRealize Automation Cluster in Region A
You begin the load balancing configuration by adding the virtual IP address for load balancing the vRealize Automation cluster to the edge interface.
Procedure
1 In a Web browser, log in to vCenter Server by using the vSphere Client.
Setting Value
URL https://sfo01m01vc01.sfo01.rainpole.local/ui
User name [email protected]
Password vsphere_admin_password
2 In the Networking and security inventory, click NSX Edges.
3 From the NSX Manager drop-down menu, select 172.16.11.65.
4 Click the ID of the sfo01m01lb01 edge service gateway to open its network settings.
5 Click the Configure tab and click Interfaces.
6 Select the OneArmLB interface and click Edit.
7 On the Basic tab, under Configure subnets, in the row for primary IP address 192.168.11.2, in the Secondary IP addresses cell, add the vRealize Automation cluster IP address, 192.168.11.50.
8 Click Save.
Create a Service Monitor for vRealize Automation in Region A
You set up health check monitoring for vRealize Automation to monitor the server pool that you later create. Servers that fail to respond to the health checks within a specified time period are excluded from future connection handling.
Procedure
1 In a Web browser, log in to vCenter Server by using the vSphere Client.
Setting Value
URL https://sfo01m01vc01.sfo01.rainpole.local/ui
User name [email protected]
Password vsphere_admin_password
2 In the Networking and security inventory, click NSX Edges.
3 From the NSX Manager drop-down menu, select 172.16.11.65.
4 Click the ID of the sfo01m01lb01 edge service gateway to open its network settings.
5 Click the Load balancer tab and click Service monitoring.
6 Click Add, enter these values to configure the health check parameters, and click Add.
Setting Value
Name vra-http-monitor
Interval 3
Timeout 10
Max retries 3
Type HTTP
Expected 200
Method GET
URL /health
Send -
Receive -
Extension -
Create a Server Pool for vRealize Automation in Region A
You create a server pool for vRealize Automation in NSX Data Center for vSphere. The server pool determines the load balancing algorithm and combines resources from the pool members.
You add the three vRealize Automation nodes as members of the server pool.
Procedure
1 In a Web browser, log in to vCenter Server by using the vSphere Client.
Setting Value
URL https://sfo01m01vc01.sfo01.rainpole.local/ui
User name [email protected]
Password vsphere_admin_password
2 In the Networking and security inventory, click NSX Edges.
3 From the NSX Manager drop-down menu, select 172.16.11.65.
4 Click the ID of the sfo01m01lb01 edge service gateway to open its network settings.
5 Click the Load Balancer tab and click Pools.
6 Click Add and, on the General tab of the New pool dialog box, enter these values to configure the load-balancing profile.
Setting Value
Name vra-server-pool
Description vRealize Automation server pool
Algorithm LEASTCONN
Monitors vra-http-monitor
IP Filter Any
Transparent Disable
7 Click the Members tab of the New pool dialog box.
8 To add each vRealize Automation cluster node to the pool, click Add, enter the values for the node, and click OK.
Setting Value for vra01svr01a Value for vra01svr01b Value for vra01svr01c
Name vra01svr01a vra01svr01b vra01svr01c
IP 192.168.11.51 192.168.11.52 192.168.11.53
State Enable Enable Enable
Port 443 443 443
Monitor Port 8008 8008 8008
Weight 1 1 1
Max Connections - - -
Min Connections - - -
9 In the New pool dialog box, click Add.
Create the Application Profiles for vRealize Automation in Region A
You create an application profile and associate it with a virtual server to define the behavior of a particular type of network traffic. The virtual server processes traffic according to the values specified in the profile.
Procedure
1 In a Web browser, log in to vCenter Server by using the vSphere Client.
Setting Value
URL https://sfo01m01vc01.sfo01.rainpole.local/ui
User name [email protected]
Password vsphere_admin_password
2 In the Networking and security inventory, click NSX Edges.
3 From the NSX Manager drop-down menu, select 172.16.11.65.
4 Click the ID of the sfo01m01lb01 edge service gateway to open its network settings.
5 Click the Load balancer tab and click Application profiles.
6 To create each application profile, click Add and, on the General tab of the New application profile dialog box, enter the values for the profile and click Add.
Setting Value for vra-https-app-profile Value for vra-http-redirect-profile
Application Profile Type SSL Passthrough HTTP
Name vra-https-app-profile vra-http-redirect-profile
HTTP Redirect URL - https://vra01svr01.rainpole.local/csp/gateway/portal/
Persistence None None
Insert X-Forwarded-For HTTP header - Disable
Create Virtual Servers for vRealize Automation in Region A
You create two virtual servers for vRealize Automation: one for load balancing and one that redirects HTTP to HTTPS. These virtual servers are associated with the configured application profile and server pool and distribute client connections among the server pool members.
Procedure
1 In a Web browser, log in to vCenter Server by using the vSphere Client.
Setting Value
URL https://sfo01m01vc01.sfo01.rainpole.local/ui
User name [email protected]
Password vsphere_admin_password
2 In the Networking and security inventory, click NSX Edges.
3 From the NSX Manager drop-down menu, select 172.16.11.65.
4 Click the ID of the sfo01m01lb01 edge service gateway to open its network settings.
5 Click the Load balancer tab and click Virtual servers.
6 To create each virtual server, click Add and, on the General tab, enter the values and click Add.
Setting Value for vra-https Value for vra-http-redirect
Virtual server Enable Enable
Acceleration Enable Disable
Application profile vra-https-app-profile vra-http-redirect-profile
Name vra-https vra-http-redirect
Description vRealize Automation Cluster UI vRealize Automation HTTP to HTTPS Redirect
IP address 192.168.11.50 192.168.11.50
Protocol HTTPS HTTP
Port/Port range 443 80
Server pool vra-server-pool vra-server-pool
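The monitor, pool, application profiles, and virtual servers above reference each other by name, so a misspelled name or a cleartext redirect is easy to miss in the UI. The following is an added example, not VMware code: it models the tables on this page as Python dictionaries (the dictionary layout and the function name lint_load_balancer are assumptions, not an NSX API schema) and reports dangling references, listener conflicts, and an HTTP listener that does not redirect to HTTPS.

```python
from urllib.parse import urlsplit

# Values transcribed from the tables on this page; the dictionary layout is an
# assumption made for this example, not an NSX API schema.
CLUSTER_FQDN = "vra01svr01.rainpole.local"
EDGE_IPS = {"192.168.11.2", "192.168.11.50"}  # OneArmLB primary and secondary address

MONITORS = {"vra-http-monitor": {"type": "HTTP", "method": "GET", "url": "/health"}}

POOLS = {
    "vra-server-pool": {
        "monitors": ["vra-http-monitor"],
        "members": [
            {"name": "vra01svr01a", "ip": "192.168.11.51", "port": 443},
            {"name": "vra01svr01b", "ip": "192.168.11.52", "port": 443},
            {"name": "vra01svr01c", "ip": "192.168.11.53", "port": 443},
        ],
    }
}

PROFILES = {
    "vra-https-app-profile": {"type": "SSL Passthrough", "redirect_url": None},
    "vra-http-redirect-profile": {
        "type": "HTTP",
        "redirect_url": "https://vra01svr01.rainpole.local/csp/gateway/portal/",
    },
}

VIRTUAL_SERVERS = {
    "vra-https": {"ip": "192.168.11.50", "protocol": "HTTPS", "port": 443,
                  "profile": "vra-https-app-profile", "pool": "vra-server-pool"},
    "vra-http-redirect": {"ip": "192.168.11.50", "protocol": "HTTP", "port": 80,
                          "profile": "vra-http-redirect-profile",
                          "pool": "vra-server-pool"},
}


def lint_load_balancer(virtual_servers, profiles, pools, monitors, edge_ips, cluster_fqdn):
    """Return a list of findings; an empty list means the objects are consistent."""
    findings = []
    listeners = {}
    for name, vs in virtual_servers.items():
        if vs["ip"] not in edge_ips:
            findings.append(f"{name}: VIP {vs['ip']} is not on the edge interface")
        endpoint = (vs["ip"], vs["port"])
        if endpoint in listeners:
            findings.append(
                f"{name}: {vs['ip']}:{vs['port']} already used by {listeners[endpoint]}")
        listeners.setdefault(endpoint, name)
        if vs["pool"] not in pools:
            findings.append(f"{name}: server pool {vs['pool']!r} does not exist")
        profile = profiles.get(vs["profile"])
        if profile is None:
            findings.append(
                f"{name}: application profile {vs['profile']!r} does not exist")
            continue
        if vs["protocol"] == "HTTPS" and profile["type"] != "SSL Passthrough":
            # The deployment leaves "Load-Balancer SSL Termination" deselected.
            findings.append(f"{name}: HTTPS listener must use an SSL Passthrough profile")
        if vs["protocol"] == "HTTP":
            target = urlsplit(profile.get("redirect_url") or "")
            if profile["type"] != "HTTP" or target.scheme != "https":
                findings.append(f"{name}: HTTP listener does not redirect to HTTPS")
            elif target.hostname != cluster_fqdn:
                findings.append(
                    f"{name}: redirect host {target.hostname!r} is not {cluster_fqdn}")
    for pool_name, pool in pools.items():
        for monitor in pool["monitors"]:
            if monitor not in monitors:
                findings.append(f"{pool_name}: monitor {monitor!r} does not exist")
        seen = set()
        for member in pool["members"]:
            if member["ip"] in seen:
                findings.append(f"{pool_name}: duplicate member IP {member['ip']}")
            if member["ip"] in edge_ips:
                findings.append(f"{pool_name}: member {member['name']} reuses an edge IP")
            seen.add(member["ip"])
    return findings


if __name__ == "__main__":
    result = lint_load_balancer(VIRTUAL_SERVERS, PROFILES, POOLS, MONITORS,
                                EDGE_IPS, CLUSTER_FQDN)
    print("\n".join(result) if result else "load balancer objects are consistent")
```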
Deploy vRealize Automation in Region A
You configure deployment details and deploy vRealize Automation by using vRealize Suite Lifecycle Manager.
Procedure
1 Prerequisites for Deploying vRealize Automation in Region A
Before you deploy vRealize Automation, verify that your environment fulfills the requirements for this deployment.
2 Import the vRealize Automation Multi-SAN Certificate to vRealize Suite Lifecycle Manager in Region A
In vRealize Suite Lifecycle Manager, import the vRealize Automation certificate that you generated using the CertGenVVD utility.
3 Add the vRealize Automation Password to vRealize Suite Lifecycle Manager in Region A
To allow life cycle management and configuration management, you set the password for the vRealize Automation root user in vRealize Suite Lifecycle Manager.
4 Deploy vRealize Automation Using vRealize Suite Lifecycle Manager in Region A
You configure the deployment details and deploy vRealize Automation in the cross-region environment in vRealize Suite Lifecycle Manager.
Prerequisites for Deploying vRealize Automation in Region A
Before you deploy vRealize Automation, verify that your environment fulfills the requirements for this deployment.
Verify that your environment satisfies the following prerequisites for the deployment of vRealize Automation.
Prerequisite Value
Storage
- Virtual disk provisioning: Thin
- Required storage: 670 GB
Software Features
- Verify that Management domain vCenter Server is operational.
- Verify that the Workload domain NSX or NSX-T Manager is operational.
- Verify that the application virtual networks are available.
- Verify that the load balancer service is enabled on the NSX Edge service gateway.
- Verify that vRealize Suite Lifecycle Manager is operational and data collection from the Management vCenter Server instance has run successfully.
- Verify that static IP addresses and FQDNs for the application virtual networks are available for the vRealize Automation deployment. See Host Names and IP Addresses for vRealize Suite 2019 and Workspace ONE Access.
License Verify that you obtained a vRealize Suite or vCloud Suite license that satisfies the requirements of this design.
Active Directory
- Verify that the required Active Directory service accounts are created. See Active Directory User Accounts.
- Verify that the required Active Directory security groups are created. See Active Directory Groups.
Workspace ONE Access
- Verify that the required Active Directory users are synchronized to the cross-region Workspace ONE Access.
- Verify that the required Active Directory security groups are synchronized to the cross-region Workspace ONE Access.
Certification Authority Verify that you have a valid SSL certificate. You can generate the certificate using the CertGenVVD utility. See Certificate Generation Utility for VMware Validated Design for Software-Defined Data Center 6.x (78246).
External Services
- Verify that you have access to an SMTP server.
- Verify that SNMP is enabled in your network environment, to monitor network devices.
- Verify that central NTP services are available.
- Verify that all DNS addresses resolve both forward and reverse.
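The forward and reverse DNS prerequisite can be checked before the deployment precheck runs. The following is an added example, not part of the VMware documentation: it uses the cluster and node FQDNs and IP addresses from this page, while the function names and the constructed lookup tables are assumptions made for the example. Call check_dns(VRA_RECORDS) with no resolver arguments to query the local resolver.

```python
import socket

# Cluster VIP and node records taken from this page.
VRA_RECORDS = {
    "vra01svr01.rainpole.local": "192.168.11.50",
    "vra01svr01a.rainpole.local": "192.168.11.51",
    "vra01svr01b.rainpole.local": "192.168.11.52",
    "vra01svr01c.rainpole.local": "192.168.11.53",
}


def system_forward(fqdn):
    """Return the sorted IPv4 addresses the local resolver gives for fqdn."""
    infos = socket.getaddrinfo(fqdn, None, family=socket.AF_INET)
    return sorted({info[4][0] for info in infos})


def system_reverse(ip):
    """Return the primary PTR name the local resolver gives for ip."""
    return socket.gethostbyaddr(ip)[0]


def resolvers_from_tables(a_records, ptr_records):
    """Build offline forward/reverse lookups from dictionaries (for dry runs)."""
    def forward(fqdn):
        if fqdn not in a_records:
            raise OSError("NXDOMAIN")
        return [a_records[fqdn]]

    def reverse(ip):
        if ip not in ptr_records:
            raise OSError("no PTR record")
        return ptr_records[ip]

    return forward, reverse


def check_dns(records, forward=system_forward, reverse=system_reverse):
    """Return a list of problems; empty means every name resolves both ways."""
    problems = []
    for fqdn, expected_ip in records.items():
        try:
            addresses = forward(fqdn)
        except OSError as exc:  # socket.gaierror is a subclass of OSError
            problems.append(f"{fqdn}: forward lookup failed ({exc})")
        else:
            if addresses != [expected_ip]:
                problems.append(f"{fqdn}: resolves to {addresses}, expected {expected_ip}")
        try:
            ptr = reverse(expected_ip)
        except OSError as exc:  # socket.herror is a subclass of OSError
            problems.append(f"{expected_ip}: reverse lookup failed ({exc})")
        else:
            if ptr.rstrip(".").lower() != fqdn.lower():
                problems.append(f"{expected_ip}: PTR is {ptr}, expected {fqdn}")
    return problems


if __name__ == "__main__":
    # Constructed zone data with one deliberate fault: the VIP's PTR record
    # points at node a instead of the cluster name.
    ptr_table = {ip: name for name, ip in VRA_RECORDS.items()}
    ptr_table["192.168.11.50"] = "vra01svr01a.rainpole.local"
    fwd, rev = resolvers_from_tables(dict(VRA_RECORDS), ptr_table)
    for problem in check_dns(VRA_RECORDS, fwd, rev):
        print(problem)
```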
Import the vRealize Automation Multi-SAN Certificate to vRealize Suite Lifecycle Manager in Region A
In vRealize Suite Lifecycle Manager, import the vRealize Automation certificate that you generated using the CertGenVVD utility.
Procedure
1 In a Web browser, log in to vRealize Suite Lifecycle Manager by using the administration interface.
Setting Value
URL https://vrslcm01svr01.rainpole.local
User name admin@local
Password vrslcm_admin_password
2 On the My services page, click Locker.
3 In the left pane, click Certificate.
4 On the Certificate page, click Import.
5 On the Import certificate page, configure these settings and click Import.
Setting Value
Name vra01svr01-certificate
Pass phrase vra01svr01_certificate_password
Select certificate file Navigate to the vRealize Automation certificate PEM file, vra01svr01.2.chain.pem
Add the vRealize Automation Password to vRealize Suite Lifecycle Manager in Region A
To allow life cycle management and configuration management, you set the password for the vRealize Automation root user in vRealize Suite Lifecycle Manager.
Procedure
1 In a Web browser, log in to vRealize Suite Lifecycle Manager by using the administration interface.
Setting Value
URL https://vrslcm01svr01.rainpole.local
User name admin@local
Password vrslcm_admin_password
2 On the My services page, click Locker.
3 In the navigation pane, click Password.
4 Click Add, enter these values, and click Add.
Setting Value
Password alias vra01svr01-root
Password vra01svr01_root_password
Confirm password vra01svr01_root_password
Password description vRealize Automation root user password
User name root
Deploy vRealize Automation Using vRealize Suite Lifecycle Manager in Region A
You configure the deployment details and deploy vRealize Automation in the cross-region environment in vRealize Suite Lifecycle Manager.
Procedure
1 In a Web browser, log in to vRealize Suite Lifecycle Manager by using the administration interface.
Setting Value
URL https://vrslcm01svr01.rainpole.local
User name admin@local
Password vrslcm_admin_password
2 On the My services page, click Lifecycle operations.
3 On the Dashboard page, click Manage environments.
4 On the Environments page, in the Cross-Region-Env card, click the ellipsis and select Add product.
5 On the Organic growth page, select the vRealize Automation check box, configure these settings, and click Next.
Setting Value
Installation type New install
Version 8.1.0
Deployment type Cluster
6 On the End user license agreement page, accept the agreement and click Next.
7 On the License page, select and apply the product license.
a Click Select, in the Select applicable licenses dialog box, select the license check box, and click Update.
b Click Validate association and click Next.
8 On the Certificate page, from the Select certificate drop-down menu, select vra01svr01-certificate, and click Next.
9 On the Infrastructure page, configure these settings and click Next.
Setting Value
vCenter Server sfo01m01vc01.sfo01.rainpole.local
Cluster sfo01-m01dc#sfo01-m01-mgmt01
Folder sfo01-m01fd-vra
Resource Pool sfo01-m01-sddc-mgmt
Network Distributed port group that ends with Mgmt-xRegion01-VXLAN
Datastore sfo01-m01-vsan01
Disk Mode Thin
Integrate with Identity Manager Selected
Use content library Deselected
10 On the Network page, enter these values and click Next.
Settings Value
Default gateway 192.168.11.1
Netmask 255.255.255.0
Domain name rainpole.local
Domain search path rainpole.local
Domain name servers 172.16.11.4,172.16.11.5
Time sync mode Use NTP server
NTP servers ntp.sfo01.rainpole.local
11 On the Products page, configure the deployment properties of vRealize Automation and click Next.
a In the Product properties section, configure these settings.
Setting Value
Monitor vRA with vROps Deselected
Workload Placement and Reclamation Deselected
Certificate vra01svr01-certificate
Product Password vra01svr01-root
b In the Cluster Virtual IP section, configure these settings.
Setting Value
FQDN vra01svr01.rainpole.local
Load-Balancer SSL Termination Deselected
c In the Components section, configure these settings for the three vRealize Automation nodes and click Next.
Setting Value for vra01svr01a Value for vra01svr01b Value for vra01svr01c
VM Name vra01svr01a vra01svr01b vra01svr01c
FQDN vra01svr01a.rainpole.local vra01svr01b.rainpole.local vra01svr01c.rainpole.local
IP Address 192.168.11.51 192.168.11.52 192.168.11.53
12 On the Precheck page, click Run precheck.
13 Review the validation report and, after successful validation, click Next.
14 On the Summary page, review the deployment specification and click Submit.
What to do next
1 If the vRealize Automation deployment fails while connecting to Workspace ONE Access, follow the resolution in https://kb.vmware.com/kb/79609 to set the HTTP-keep-alive timeout to 300s, and retry the deployment request in the vRealize Suite Lifecycle Manager user interface.
2 After the vRealize Automation deployment finishes, verify that each node meets the vRealize Automation 8.1 Patch 1 storage requirements.
Table 7-1. vRealize Automation 8.1 Patch 1 Storage Requirements
Setting Value for Disk 1 Value for Disk 2
Partition System Data
Mounted on / /data
Filesystem /dev/sda4 /dev/mapper/data_vg-data
Minimum available space 20 GB 48 GB
3 Install the vRealize Automation 8.1 Patch 1.
See Cumulative Update for vRealize Automation 8.1 (79170).
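The storage check in Table 7-1 can be run against `df -P -k / /data` output collected from each node over SSH. The following is an added example, not VMware code: the mount points, devices, and minimums come from Table 7-1, the sample df output is constructed, and reading the table's "GB" as GiB is an assumption that makes the check stricter.

```python
import subprocess

# Table 7-1: mount point -> (expected device, minimum available space in GB).
REQUIREMENTS = {
    "/": ("/dev/sda4", 20),
    "/data": ("/dev/mapper/data_vg-data", 48),
}
KIB_PER_GIB = 1024 * 1024  # assumption: the table's "GB" is read as GiB

# Constructed `df -P -k / /data` output, not captured from a real appliance.
SAMPLE_DF = """\
Filesystem               1024-blocks      Used Available Capacity Mounted on
/dev/sda4                   51343840  22508576  26214400      47% /
/dev/mapper/data_vg-data   149979136 100353024  41943040      71% /data
"""


def parse_df(text):
    """Map mount point -> (device, available KiB) from POSIX `df -P -k` output."""
    rows = {}
    for line in text.strip().splitlines()[1:]:  # skip the header row
        device, _blocks, _used, available, _capacity, mount = line.split(None, 5)
        rows[mount] = (device, int(available))
    return rows


def check_storage(df_text, requirements=REQUIREMENTS):
    """Return a list of problems; empty means the node meets Table 7-1."""
    rows = parse_df(df_text)
    problems = []
    for mount, (device, min_gib) in requirements.items():
        if mount not in rows:
            problems.append(f"{mount}: not mounted")
            continue
        found_device, available_kib = rows[mount]
        if found_device != device:
            problems.append(f"{mount}: backed by {found_device}, expected {device}")
        if available_kib < min_gib * KIB_PER_GIB:
            problems.append(
                f"{mount}: {available_kib / KIB_PER_GIB:.1f} GiB available, need {min_gib}")
    return problems


def df_on_this_node():
    """Collect live df output when the script runs on the node itself."""
    # check=False: df exits non-zero if /data is missing, which check_storage
    # then reports as "not mounted" instead of raising here.
    return subprocess.run(["df", "-P", "-k", "/", "/data"], check=False,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Runs on the constructed sample; pass df_on_this_node() on a real node.
    for problem in check_storage(SAMPLE_DF):
        print(problem)
```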
Post-Deployment vRealize Automation Configuration in Region A
After you deploy vRealize Automation, perform the necessary configuration tasks to enable the vRealize Automation services for the SDDC in Region A.
Configure NTP on the vRealize Automation Cluster
Configure NTP on the vRealize Automation cluster nodes to keep them synchronized with the other SDDC components.
Procedure
1 Log in to the vRealize Automation appliance by using a Secure Shell (SSH) client.
Setting Value
FQDN vra01svr01a.rainpole.local
User name root
Password vra_appA_root_password
2 Run the command to configure the NTP source.
vracli ntp systemd --set ntp.sfo01.rainpole.local
3 Run the command to apply the NTP settings to the vRealize Automation cluster nodes.
vracli ntp apply
4 Run the command to validate the new NTP configuration.
vracli ntp status
For each vRealize Automation cluster node, the command output contains the following configurations:
- Network time on: yes
- NTP synchronized: yes
- ESXi time sync configuration: Disabled
Create a Folder and a Resource Pool for vRealize Automation Workloads on the Workload Domain vCenter Server in Region A
You create a virtual machine folder and a resource pool on the Workload domain vCenter Server to group and manage vRealize Automation provisioned workloads in Region A.
Procedure
1 In a Web browser, log in to the Workload domain vCenter Server by using the vSphere Client.
Setting Value
URL https://sfo01w01vc01.sfo01.rainpole.local/ui
User name [email protected]
Password vsphere_admin_password
2 Create a folder for the vRealize Automation provisioned workload virtual machines.
a In the VMs and templates inventory, expand the sfo01w01vc01.sfo01.rainpole.local tree.
b Right-click the sfo01-w01dc data center, and select New folder > New VM and template folder.
c In the New folder dialog box, enter sfo01-w01fd-workload as the folder name, and click OK.
3 Create a resource pool for the vRealize Automation provisioned workload virtual machines.
a In the Hosts and clusters inventory, expand the sfo01w01vc01.sfo01.rainpole.local tree.
b Right-click the sfo01-w01-comp01 cluster, and select New resource pool.
c In the New resource pool dialog box, enter sfo01-w01rp-user-vm as the resource pool name, and click OK.
Configure Service Account Privileges in Region A
To provision virtual machines and network services, configure privileges for vRealize Automation on both the Workload domain vCenter Server instance and the Workload domain NSX-T Manager.
Procedure
1 Define Custom User Roles in vSphere for vRealize Automation in Region A
Create a custom user role in the vSphere Client with the required privileges to enable vRealize Automation integration with vSphere.
2 Configure Service Account Privileges for the vRealize Automation and vRealize Orchestrator Integration to vSphere in Region A
Assign global permissions in vSphere for the service accounts used for the vRealize Automation and vRealize Orchestrator to vSphere integration.
3 Configure Service Account Privileges for the vRealize Automation to NSX Data Center for vSphere Integration on the Workload Domain in Region A
To provide the necessary privileges and permissions to the service account for the vRealize Automation to NSX Data Center for vSphere integration, you assign the Enterprise Administrator role in the Workload domain NSX Manager to the service account.
Define Custom User Roles in vSphere for vRealize Automation in Region A
Create a custom user role in the vSphere Client with the required privileges to enable vRealize Automation integration with vSphere.
Procedure
1 In a Web browser, log in to vCenter Server by using the vSphere Client.
Setting Value
URL https://sfo01m01vc01.sfo01.rainpole.local/ui
User name [email protected]
Password vsphere_admin_password
2 Select Menu > Administration.
3 In the left pane, select Access control > Roles.
4 From the Roles provider drop-down menu, select sfo01m01vc01.sfo01.rainpole.local.
5 Create a role for vRealize Automation in vSphere.
a Click the Create role action icon, configure the privileges, and click Next.
Category Privilege
Content Library Add library item
Create local library
Create subscribed library
Delete library item
Delete local library
Delete subscribed library
Download files
Evict library item
Evict subscribed library
Probe subscription information
Read storage
Sync library item
Sync subscribed library
Type introspection
Update configuration settings
Update files
Update library
Update library item
Update local library
Update subscribed library
View configuration settings
Datastore Allocate space
Browse datastore
Low level file operations
Datastore Cluster Configure a datastore cluster
Folder Create folder
Delete folder
Global Manage custom attributes
Set custom attribute
Network Assign network
Permissions Modify permission
Resource Assign virtual machine to resource pool
Migrate powered off virtual machine
Migrate powered on virtual machine
Tags Assign or unassign vSphere tag
Create a vSphere tag
Create a vSphere tag category
Delete vSphere tag
Delete vSphere tag category
Edit vSphere tag
Edit vSphere tag category
Modify UsedBy field for category
Modify UsedBy field for tag
Virtual Machine Change Configuration.Add existing disk
Change Configuration.Add new disk
Change Configuration.Add or remove device
Change Configuration.Advanced configuration
Change Configuration.Change CPU count
Change Configuration.Change Memory
Change Configuration.Change Settings
Change Configuration.Change Swapfile placement
Change Configuration.Change resource
Change Configuration.Extend virtual disk
Change Configuration.Modify device settings
Change Configuration.Remove Disk
Change Configuration.Rename
Change Configuration.Set annotation
Change Configuration.Toggle disk change tracking
Edit Inventory.Create from existing
Edit Inventory.Create new
Edit Inventory.Move
Edit Inventory.Remove
Interaction.Configure CD media
Interaction.Connect devices
Interaction.Console interaction
Interaction.Install VMware Tools
Interaction.Power off
Interaction.Power on
Interaction.Reset
Interaction.Suspend
Provisioning.Clone template
Provisioning.Clone virtual machine
Provisioning.Customize guest
Provisioning.Deploy template
Provisioning.Read customization specifications
Snapshot management.Create snapshot
Snapshot management.Remove snapshot
Snapshot management.Revert to snapshot
vApp Import
vApp application configuration
b In the Role name text box, enter vRealize Automation to vSphere Integration and click Finish.
6 Create a role for vRealize Orchestrator in vSphere.
a Select the Administrator role and click the Clone role action icon.
b In the Clone role dialog box, set the role name to vRealize Orchestrator to vSphere Integration and click OK.
Configure Service Account Privileges for the vRealize Automation and vRealize Orchestrator Integration to vSphere in Region A
Assign global permissions in vSphere for the service accounts used for the vRealize Automation and vRealize Orchestrator to vSphere integration.
You assign global permissions and restrict access to the management domain for the svc-vra-vsphere and svc-vro-vsphere service accounts.
Procedure
1 In a Web browser, log in to vCenter Server by using the vSphere Client.
Setting Value
URL https://sfo01m01vc01.sfo01.rainpole.local/ui
User name [email protected]
Password vsphere_admin_password
2 Select Menu > Administration.
3 For each service account, assign global permissions.
a In the left pane, select Access control > Global permissions.
b Click the Add permission icon, configure these settings, and click OK.
Setting Value for svc-vra-vsphere Value for svc-vro-vsphere
Domain rainpole.local rainpole.local
User / group svc-vra-vsphere svc-vro-vsphere
Role vRealize Automation to vSphere Integration vRealize Orchestrator to vSphere Integration
Propagate to children Selected Selected
4 Restrict access of the vRealize Automation to vSphere Integration service account to the management domain in Region A.
a Select Menu > Global Inventory lists.
b In the Global inventory lists inventory, select Resources > vCenter Servers.
c In the left pane, select sfo01m01vc01.sfo01.rainpole.local and click the Permissions tab.
d Select the svc-vra-vsphere service account with the vRealize Automation to vSphere Integration role and click the Change role icon.
e In the Change role dialog box, from the Role drop-down menu, select No access, select Propagate to children, and click OK.
f Repeat this step for the svc-vro-vsphere service account.
Configure Service Account Privileges for the vRealize Automation to NSX Data Center for vSphere Integration on the Workload Domain in Region A
To provide the necessary privileges and permissions to the service account for the vRealize Automation to NSX Data Center for vSphere integration, you assign the Enterprise Administrator role in the Workload domain NSX Manager to the service account.
Procedure
1 In a Web browser, log in to vCenter Server by using the vSphere Client.
Setting Value
URL https://sfo01m01vc01.sfo01.rainpole.local/ui
User name [email protected]
Password vsphere_admin_password
2 In the Networking and security inventory, click System > Users and domains.
3 From the NSX Manager drop-down menu, select 172.16.11.66.
4 Click Add, configure the user, and click Next.
Setting Value
User [email protected]
5 Select the Enterprise Administrator role and click Finish.
Configure the vSphere DRS Anti-Affinity Rule and Startup Order for vRealize Automation in Region A
To protect the vRealize Automation nodes from a host-level failure, configure vSphere DRS to run the virtual machines of vRealize Automation on different hosts in the first vSphere cluster of the management domain. After that, you configure a VM group to define the startup order to ensure that vSphere High Availability powers on the vRealize Automation virtual machines in the correct order.
Procedure
1 In a Web browser, log in to vCenter Server by using the vSphere Client.
Setting Value
URL https://sfo01m01vc01.sfo01.rainpole.local/ui
User name [email protected]
Password vsphere_admin_password
2 In the Hosts and clusters inventory, expand the sfo01m01vc01.sfo01.rainpole.local tree and expand the sfo01-m01dc data center.
3 Select the sfo01-m01-mgmt01 cluster and click the Configure tab.
4 Create the anti-affinity rule for the vRealize Automation virtual machines.
a In the left pane, select Configuration > VM/Host rules and click Add.
b In the Create VM/Host rule dialog box, configure these settings and click OK.
Setting Value
Name anti-affinity-rule-vra
Enable rule Selected
Type Separate Virtual Machines
Members
- vra01svr01a
- vra01svr01b
- vra01svr01c
5 Create a virtual machine group for the vRealize Automation cluster nodes.
a In the left pane, select Configuration > VM/Host groups and click Add.
b In the Create VM/Host group dialog box, configure these settings and click OK.
Setting Value
Name vRealize Automation Virtual Appliances
Type VM Group
Members
- vra01svr01a
- vra01svr01b
- vra01svr01c
6 Create a rule to power on the cross-region Workspace ONE Access nodes before the vRealize Automation nodes.
a Select the sfo01-m01-mgmt01 cluster and click the Configure tab.
b In the left pane, select Configuration > VM/Host rules.
c Click Add VM/host rule, enter these values, and click OK.
Setting Value
Name SDDC Cloud Automation
Enable rule Selected
Type Virtual Machines to Virtual Machines
The VM dependency restart condition must be met before continuing to
Cross-Region Workspace ONE Access Virtual Appliances
On restart for VM group vRealize Automation Virtual Appliances
Configure Organization Settings for vRealize Automation in Region A
You configure the organization name and branding, and set organization and service roles for the Active Directory service accounts to enable identity and access management for vRealize Automation.
Procedure
1 Configure the Organization Name and Branding for vRealize Automation in Region A
As an organization owner, you set the organization name and apply custom branding to the organization in Region A.
2 Assign Organization and Service Roles to User Groups for vRealize Automation in Region A
To manage access to services provided by vRealize Automation, you assign global organization roles and service roles to Active Directory user groups.
Configure the Organization Name and Branding for vRealize Automation in Region A
As an organization owner, you set the organization name and apply custom branding to the organization in Region A.
Procedure
1 In a Web browser, log in to vRealize Automation by using the cloud services console.
Setting Value
URL https://vra01svr01.rainpole.local/csp/gateway/portal
User name configadmin
Password wsa01svr01_configadmin_password
Domain System Domain
2 Set the organization name.
a In the top-right corner, click the logged in user drop-down menu, and select View organization.
b On the Organization page, click Edit.
c In the Display name text box, enter Rainpole, and click Save.
3 Customize the organization branding.
a On the main navigation bar, click Branding.
b On the Header tab, configure these settings.
Setting Value
Company logo Upload a 100px height transparent .png image.
Product name Rainpole Cloud
c Click the Help panel tab, in the Community link text box, enter a link for information or support, and click Apply.
Assign Organization and Service Roles to User Groups for vRealize Automation in Region A
To manage access to services provided by vRealize Automation, you assign global organization roles and service roles to Active Directory user groups.
You assign organization and service roles to the following user groups.
Table 7-2. vRealize Automation User Groups and Roles
Group Name Description Organization Role Service Service Role
The universal group in a parent domain for vRealize Automation organization owners
Organization Owner None None
The universal group in a parent domain for vRealize Automation organization member and Cloud Assembly administrators.
Organization Member Cloud Assembly Cloud Assembly Administrator
The universal group in a parent domain for vRealize Automation organization member and Cloud Assembly users.
Organization Member Cloud Assembly Cloud Assembly User
The universal group in a parent domain for vRealize Automation organization member and Service Broker administrators.
Organization Member Service Broker Service Broker Administrator
The universal group in a parent domain for vRealize Automation organization member and Service Broker users.
Organization Member Service Broker Service Broker User
The universal group in a parent domain for vRealize Automation organization member and Orchestrator administrators.
Organization Member Orchestrator Orchestrator Administrator
The universal group in a parent domain for vRealize Automation organization member and Orchestrator workflow designers.
Organization Member Orchestrator Orchestrator Workflow Designer
Procedure
1 In a Web browser, log in to vRealize Automation by using the cloud services console.
Setting Value
URL https://vra01svr01.rainpole.local/csp/gateway/portal
User name configadmin
Password wsa01svr01_configadmin_password
Domain System Domain
2 On the main navigation bar, click Identity and access management.
3 Click the Enterprise groups tab and click Assign roles.
4 For each enterprise group, assign an organization role and add a service access by assigning a service with a service role.
Configure Cloud Assembly in Region A
You create and link vCenter Server and NSX-T Data Center cloud accounts to Active Directory service users with the necessary privileges to enable blueprint provisioning through vRealize Automation in Region A.
Procedure
1 Add Cloud Accounts in vRealize Automation for Region A
You create vCenter Server and NSX-T Data Center cloud accounts, assign them to Active Directory service accounts, link them to cloud zones, and apply capability tags to provide the service accounts with the necessary privileges and access to the SDDC resources in the workload domain.
2 Integrate vRealize Automation with My VMware in Region A
To be able to download and provision blueprints from VMware Marketplace, configure the integration to My VMware in vRealize Automation in Region A.
3 Configure the Workload Domain Cloud Zone for vRealize Automation in Region A
Cloud zones are specific to Cloud Assembly projects and correspond to a set of resources within a cloud account. You reconfigure the initial cloud zone, created during the configuration of the NSX and vCenter Server cloud accounts, to assign the appropriate resources to the cloud zone through the use of resource pools, placement policy, and capability tags.
Add Cloud Accounts in vRealize Automation for Region A
You create vCenter Server and NSX-T Data Center cloud accounts, assign them to Active Directory service accounts, link them to cloud zones, and apply capability tags to provide the service accounts with the necessary privileges and access to the SDDC resources in the workload domain.
Procedure
1 In a Web browser, log in to vRealize Automation by using the cloud services console.
Setting Value
URL https://vra01svr01.rainpole.local/csp/gateway/portal
User name configadmin
Password wsa01svr01_configadmin_password
Domain System Domain
2 On the main navigation bar, click Services.
3 In the My services section, click Cloud Assembly.
4 Click the Infrastructure tab, and select Connections > Cloud accounts.
5 Add a cloud account for vSphere.
a On the Cloud accounts page, click Add cloud account.
b On the Cloud account types page, click vCenter.
c On the New cloud account page, configure these settings and click Validate.
Setting Value
Name sfo01w01vc01
Description Region A - Workload Domain 01
vCenter IP address / FQDN sfo01w01vc01.sfo01.rainpole.local
User name [email protected]
Password svc-vra-vsphere_password
Capability tags cloud:private, region:sfo
d In the Configuration section, configure the settings and click Add.
Setting Value
Allow provisioning to these datacenters sfo01-w01dc
Create a cloud zone for the selected datacenters Selected
e On the You have successfully added this vCenter account dialog box, click Add another account.
6 Add a cloud account for NSX Data Center for vSphere or NSX-T Data Center.
a On the Cloud accounts page, click Add cloud account, configure these settings, and click Validate.
Setting | Value for NSX-T Data Center | Value for NSX Data Center for vSphere
Cloud account type | NSX-T | NSX-V
Name | sfo01w01nsxt01 | sfo01w01nsxv01
Description | Region A - NSX-T Workload Domain 01 | Region A - NSX-V Workload Domain 01
NSX IP address / FQDN | sfo01w01nsx01.sfo01.rainpole.local | sfo01w01nsx01.sfo01.rainpole.local
User name | admin | [email protected]
Password | nsx-t_admin_password | svc-vra-nsx_password
Capability tags | cloud:private, region:sfo | cloud:private, region:sfo
b In the Configuration section, select the following and click Add.
Setting Value
vSphere endpoint sfo01w01vc01
c On the You have successfully added this vCenter account dialog box, click Continue.
Integrate vRealize Automation with My VMware in Region A
To be able to download and provision blueprints from VMware Marketplace, configure the integration to My VMware in vRealize Automation in Region A.
Procedure
1 In a Web browser, log in to vRealize Automation by using the cloud services console.
Setting Value
URL https://vra01svr01.rainpole.local/csp/gateway/portal
User name configadmin
Password wsa01svr01_configadmin_password
Domain System Domain
2 On the main navigation bar, click Services.
3 In the My services section, click Cloud Assembly.
4 Click the Infrastructure tab, and select Connections > Integrations.
5 Configure the My VMware integration.
a On the Integrations page, click Add integration.
b On the Integration types page, select My VMware.
c On the New integration page, configure the settings, click Validate, and click Add.
Setting Value
Name My VMware
Description vRealize Automation to My VMware Integration
User name [email protected]
Password svc-vra-myvmware_password
Configure the Workload Domain Cloud Zone for vRealize Automation in Region A
Cloud zones are specific to Cloud Assembly projects and correspond to a set of resources within a cloud account. You reconfigure the initial cloud zone, created during the configuration of the NSX and vCenter Server cloud accounts, to assign the appropriate resources to the cloud zone through the use of resource pools, placement policy, and capability tags.
Procedure
1 In a Web browser, log in to vRealize Automation by using the cloud services console.
Setting Value
URL https://vra01svr01.rainpole.local/csp/gateway/portal
User name configadmin
Password wsa01svr01_configadmin_password
Domain System Domain
2 On the main navigation bar, click Services.
3 In the My services section, click Cloud Assembly.
4 Click the Infrastructure tab, and select Configure > Cloud zones.
5 Configure the workload domain cloud zone.
a On the Cloud zones page, click the sfo01w01vc01/sfo01-w01dc cloud zone card.
b On the Summary tab, configure these settings.
Setting Value
Description Region A - Workload Domain 01
Placement policy Default
Folder sfo01-w01fd-workload
Capability tags cloud:private, region:sfo
c Click the Compute tab, select the sfo01-w01-comp01 / sfo01-w01rp-user-vm resource pool and click Tags.
d In the Tags dialog box, add the cloud:private and region:sfo tags, and click Save.
e On the Compute tab, click Save.
Configure the Embedded vRealize Orchestrator Instance in Region A
vRealize Orchestrator is a platform that provides a library of extensible workflows to allow you to create and run automated, configurable processes to manage the vSphere infrastructure and other VMware and third-party technologies.
vRealize Orchestrator is composed of three distinct layers: an orchestration platform that provides the common features required for an orchestration tool, a plug-in architecture to integrate control of subsystems, and a library of workflows. vRealize Orchestrator is an open platform that can be extended with new plug-ins and libraries and can be integrated into larger architectures through a REST API.
Procedure
1 Import the Root Certificate of the Certificate Authority to vRealize Orchestrator in Region A
Import the root certificate of your Certificate Authority to vRealize Orchestrator to create the trust chain for connecting to the SDDC components.
2 Add the Workload Domain vCenter Server Instance to vRealize Orchestrator in Region A
To enable orchestration, management, and provisioning of workloads, you configure the connection to the Workload domain vCenter Server instance in Region A by running the necessary workflows in vRealize Orchestrator.
Import the Root Certificate of the Certificate Authority to vRealize Orchestrator in Region A
Import the root certificate of your Certificate Authority to vRealize Orchestrator to create the trust chain for connecting to the SDDC components.
Procedure
1 In a Web browser, log in to vRealize Orchestrator by using the Control Center interface.
Setting Value
URL https://vra01svr01.rainpole.local/vco-controlcenter
User name root
Password vra01svr01_root_password
2 Click Certificates.
3 Click the Trusted certificates tab and, from the Import drop-down menu, select Import from PEM-encoded file.
4 Click Browse, navigate to the Root64.cer Certificate Authority root certificate file, and click Import.
5 Review the Root CA's certificate and click Import.
Add the Workload Domain vCenter Server Instance to vRealize Orchestrator in Region A
To enable orchestration, management, and provisioning of workloads, you configure the connection to the Workload domain vCenter Server instance in Region A by running the necessary workflows in vRealize Orchestrator.
Procedure
1 In a Web browser, log in to vRealize Automation by using the cloud services console.
Setting Value
URL https://vra01svr01.rainpole.local/csp/gateway/portal
User name configadmin
Password wsa01svr01_configadmin_password
Domain System Domain
2 On the main navigation bar, click Services.
3 In the My services section, click Orchestrator.
4 On the Orchestrator page, on the main navigation bar, click the default Embedded-vRO instance.
5 In the left pane, select Library > Workflows.
6 Add the Workload domain vCenter Server instance.
a In the Workflows page, in the filter text box, enter Add a vCenter Server instance.
b Select the Add a vCenter Server instance workflow card and click Run.
c On the Set the vCenter Server instance properties tab, configure the settings.
Setting Value
IP or hostname of the vCenter Server instance to add sfo01w01vc01.sfo01.rainpole.local
HTTPS port of the vCenter Server instance 443
Location of SDK that you use to connect /sdk
Will you orchestrate this instance Selected
Do you want to ignore certificate warnings Deselected
d On the Set connection properties tab, configure the settings and click Run.
Setting Value
Do you want to use a session per user method to manage user access to the vCenter Server system? Deselected
User name of the user that Orchestrator will use to connect to the vCenter Server instance. rainpole.local\svc-vro-vsphere
Password of the user that Orchestrator will use to connect to the vCenter Server instance. svc-vro-vsphere_password
e On the Add a vCenter Server instance page, on the Waiting for input banner, click Answer.
f On the Input request dialog box, click Answer.
Configure Email Alerts for vRealize Automation in Region A
Configure email notifications in vRealize Automation to alert users and applications about certain situations in the SDDC.
Procedure
1 In a Web browser, log in to vRealize Automation by using the cloud services console.
Setting Value
URL https://vra01svr01.rainpole.local/csp/gateway/portal
User name configadmin
Password wsa01svr01_configadmin_password
Domain System Domain
2 On the main navigation bar, click Services.
3 In the My services section, click Service Broker.
4 On the Service Broker page, click the Content and policies tab.
5 In the left pane, select Notifications > Email server.
6 Configure the settings, click Test connection and click Create.
Setting Value
Name SMTP_server_hostname
Description Emails for notifications
Server name FQDN_of_the_SMTP_server
Sender Name Name_that_appears_as_the_sender_of_the_email
Sender Address Address_that_appears_as_the_sender_of_the_email
Authentication Depends on organization requirement
Connection Security SSL/TLS
Server Port Server port for SMTP requests
Trust certificates presented by the host Yes
Post-Deployment Operations Management Integration with vRealize Automation in Region A
After you deploy and configure vRealize Automation, configure its integration with the operations management SDDC components. By using vRealize Operations Manager and vRealize Log Insight, you can monitor the cloud management platform and receive its alerts and logs in a central location.
- Connect vRealize Automation to vRealize Operations Manager in Region A
  Configure the integration from vRealize Automation to vRealize Operations to view workload performance and usage data.
- Connect vRealize Operations Manager to vRealize Automation in Region A
  Configure the integration from vRealize Operations Manager to vRealize Automation to monitor the health and resource capacity in your cloud infrastructure.
- Connect vRealize Log Insight to vRealize Automation in Region A
  To collect syslog data from all components of vRealize Automation, you connect vRealize Automation to vRealize Log Insight. You perform this procedure on one of the vRealize Automation nodes; the configuration is then automatically disseminated to the remaining cluster nodes.
Connect vRealize Automation to vRealize Operations Manager in Region A
Configure the integration from vRealize Automation to vRealize Operations to view workload performance and usage data.
Procedure
1 Configure Service Account Privileges for the vRealize Automation Integration in vRealize Operations Manager in Region A
Import the service account and assign the necessary permissions in vRealize Operations Manager to enable vRealize Automation to view metrics from vRealize Operations Manager.
2 Integrate vRealize Automation with vRealize Operations Manager in Region A
Configure the integration parameters from vRealize Automation to vRealize Operations Manager.
Configure Service Account Privileges for the vRealize Automation Integration in vRealize Operations Manager in Region A
Import the service account and assign the necessary permissions in vRealize Operations Manager to enable vRealize Automation to view metrics from vRealize Operations Manager.
Procedure
1 In a Web browser, log in to the vRealize Operations Manager by using the operations interface.
Settings Value
URL https://vrops01svr01.rainpole.local
User name admin
Password vrops_admin_password
2 On the main navigation bar, click Administration.
3 In the left pane, select Access > Access control.
4 Click the User accounts tab and, from the ellipsis drop-down menu, select Import.
The Import users wizard opens.
5 On the Import users page, configure these settings, select the svc-vra-vrops account and click Next.
Setting Value
Import from WorkspaceONE
Domain name rainpole.local
Search prefix svc-vra-vrops
User name svc-vra-vrops
6 On the Assign groups and permissions page, click the Objects tab, configure the settings, and click Finish.
Setting Value
Select Role ReadOnly
Assign this role to the user Selected
Select Object vCenter Adapter > vCenter Cloud Account > sfo-w01-vc01
Integrate vRealize Automation with vRealize Operations Manager in Region A
Configure the integration parameters from vRealize Automation to vRealize Operations Manager.
Procedure
1 In a Web browser, log in to vRealize Automation by using the cloud services console.
Setting Value
URL https://vra01svr01.rainpole.local/csp/gateway/portal
User name configadmin
Password wsa01svr01_configadmin_password
Domain System Domain
2 On the main navigation bar, click Services.
3 In the My services section, click Cloud Assembly.
4 Click the Infrastructure tab, and select Connections > Integrations.
5 Configure the vRealize Operations Manager integration.
a On the Integrations page, click Add integration.
b On the Integration types page, select vRealize Operations Manager.
c On the New Integration page, configure the settings, click Validate, and click Add.
Setting Value
Name vRealize Operations Manager
Description vRealize Automation to vRealize Operations Manager Integration
IP Address / FQDN https://vrops01svr01.rainpole.local/suite-api
User name [email protected]@WorkspaceONE
Password svc-vra-vrops_password
Connect vRealize Operations Manager to vRealize Automation in Region A
Configure the integration from vRealize Operations Manager to vRealize Automation to monitor the health and resource capacity in your cloud infrastructure.
Procedure
1 Assign Organization and Service Roles to the vRealize Operations Manager Service Account in vRealize Automation in Region A
To manage access to services provided by vRealize Automation, you assign global organization roles and service roles to the service account for the vRealize Automation to vRealize Operations Manager integration.
2 Configure the vRealize Automation Integration in vRealize Operations Manager in Region A
To configure the necessary permissions to monitor the health and resource capacity, configure the credentials and endpoint for the vRealize Automation integration in vRealize Operations Manager in Region A.
Assign Organization and Service Roles to the vRealize Operations Manager Service Account in vRealize Automation in Region A
To manage access to services provided by vRealize Automation, you assign global organization roles and service roles to the service account for the vRealize Automation to vRealize Operations Manager integration.
Procedure
1 In a Web browser, log in to vRealize Automation by using the cloud services console.
Setting Value
URL https://vra01svr01.rainpole.local/csp/gateway/portal
User name configadmin
Password wsa01svr01_configadmin_password
Domain System Domain
2 On the main navigation bar, click Identity and access management.
3 Assign an organization role and a service role to the [email protected] service account.
a On the Active users tab, select svc-vrops-vra and click Edit roles.
b On the Edit roles page, click Add service access, configure these settings, and click Save.
Settings Value
Assign organization roles Organization Owner
Service Cloud Assembly
Service role Cloud Assembly Administrator
Configure the vRealize Automation Integration in vRealize Operations Manager in Region A
To configure the necessary permissions to monitor the health and resource capacity, configure the credentials and endpoint for the vRealize Automation integration in vRealize Operations Manager in Region A.
Procedure
1 In a Web browser, log in to the vRealize Operations Manager by using the operations interface.
Settings Value
URL https://vrops01svr01.rainpole.local
User name admin
Password vrops_admin_password
2 On the main navigation bar, click Administration.
3 In the left pane, select Management > Integrations.
4 On the Integrations page, click the ellipsis icon for VMware vRealize Automation 8.x and click Configure.
5 On the VMware vRealize Automation 8.x page, in the Credentials section, click the Add new icon, configure these settings, and click OK.
Setting Value
Credential name vra01svr01-adapter-credentials
User name svc-vrops-vra
Password svc-vrops-vra_password
6 On the VMware vRealize Automation 8.x page, configure the settings.
Setting Value
IP address / FQDN vra01svr01.rainpole.local
Auto discovery true
Credential vra01svr01-adapter-credentials
Collector/Group Default collector group
7 Click Validate connection, accept the certificate, and click Save.
Connect vRealize Log Insight to vRealize Automation in Region A
To collect syslog data from all components of vRealize Automation, you connect vRealize Automation to vRealize Log Insight. You perform this procedure on one of the vRealize Automation nodes; the configuration is then automatically disseminated to the remaining cluster nodes.
Procedure
1 Log in to the vRealize Automation appliance by using a Secure Shell (SSH) client.
Setting Value
FQDN vra01svr01a.rainpole.local
User name root
Password vra_appA_root_password
2 To send logs to vRealize Log Insight, run the command.
vracli vrli set -k -e cross-region http://sfo01vrli01.sfo01.rainpole.local:9000
3 Validate the configuration change by running the command.
vracli vrli
The command outputs the following.
root@xreg-vra01a [ ~ ]# vracli vrli
{
    "agentId": "0",
    "environment": "cross-region-production",
    "host": "sfo01vrli01.sfo01.rainpole.local",
    "port": 9000,
    "scheme": "http",
    "sslVerify": false
}
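A check an operator could run on the saved output of step 3, as an added example that is not part of the VMware guide: it parses the `vracli vrli` output shown above and flags an unexpected destination, unencrypted transport, or disabled certificate verification. The function names, the expected-host constant, and the default-port table are assumptions of this example; the sample output is constructed from the values in this guide.

```python
import json

# Constructed sample: `vracli vrli` output in the shape this guide shows,
# including the shell prompt line that a copied terminal session carries.
SAMPLE_OUTPUT = """root@xreg-vra01a [ ~ ]# vracli vrli
{
    "agentId": "0",
    "environment": "cross-region-production",
    "host": "sfo01vrli01.sfo01.rainpole.local",
    "port": 9000,
    "scheme": "http",
    "sslVerify": false
}
"""

# Assumption of this example: the Log Insight FQDN this guide forwards to.
EXPECTED_HOST = "sfo01vrli01.sfo01.rainpole.local"

# Log Insight ingestion API default ports (product defaults, not stated in this guide).
DEFAULT_PORTS = {"http": 9000, "https": 9543}


def parse_vrli_output(text):
    """Extract the JSON object from captured `vracli vrli` output."""
    start, end = text.find("{"), text.rfind("}")
    if start == -1 or end < start:
        raise ValueError("no JSON object found in vracli vrli output")
    try:
        return json.loads(text[start:end + 1])
    except json.JSONDecodeError as exc:
        raise ValueError(f"vracli vrli output is not valid JSON: {exc}") from exc


def audit_vrli_config(cfg, expected_host=EXPECTED_HOST):
    """Return (severity, message) findings for a log-forwarding configuration."""
    findings = []
    host = str(cfg.get("host", "")).strip().lower()
    scheme = str(cfg.get("scheme", "")).strip().lower()
    port = cfg.get("port")

    # Logs going to any other collector leave the monitored path entirely.
    if host != expected_host.lower():
        findings.append(
            ("high", f"destination host {host!r} is not the expected {expected_host!r}"))

    # sslVerify only matters once the transport is TLS; plain HTTP is reported as such.
    if scheme == "https":
        if cfg.get("sslVerify") is not True:
            findings.append(
                ("medium", "sslVerify is not true: the Log Insight certificate is not validated"))
    else:
        findings.append(
            ("medium", f"scheme {scheme!r}: log events cross the network unencrypted"))

    # A scheme/port mismatch usually means forwarding silently fails.
    expected_port = DEFAULT_PORTS.get(scheme)
    if expected_port is not None and port != expected_port:
        findings.append(
            ("low", f"port {port} is not the default {expected_port} for {scheme}"))
    return findings


if __name__ == "__main__":
    config = parse_vrli_output(SAMPLE_OUTPUT)
    for severity, message in audit_vrli_config(config):
        print(f"[{severity}] {message}")
```
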
Configure vRealize Automation for a Sample Project Implementation in Region A
After completing the vRealize Automation implementation, you can optionally deploy a sample project scenario to test workload provisioning.
You prepare for workload provisioning by allocating the necessary infrastructure resources through the use of flavor mappings, image mappings, network profiles, and storage profiles. You configure a sample project, content library, and a sample virtual machine blueprint to test the sharing of workload provisioning capabilities with the cloud infrastructure consumers in your organization.
- Content Library Configuration in Region A
  Content libraries are containers for VM templates, vApp templates, and other resources used for vRealize Automation deployment of virtual machines and vApps. Sharing templates and files across multiple vCenter Server instances brings consistency, compliance, efficiency, and automation to deploying workloads at scale.
- Customization Specifications for vRealize Automation Configuration in Region A
  Create customization specifications, one for Linux and one for Windows, for use by the virtual machine images you deploy. Customization specifications are XML files that contain system configuration settings for the guest operating systems used in the virtual machines. You can use the customization specifications, as needed, when you create blueprints in vRealize Automation.
- Configure vRealize Automation Mappings for Region A
  You define deployment sizing and deployment parameters for workloads by using flavor and image mappings in Cloud Assembly.
- Configure vRealize Automation Profiles for Region A
  You define target networks and datastores for workload provisioning by using network and storage profiles in Cloud Assembly.
- Configure a Sample Project in vRealize Automation for Region A
  You configure a project in vRealize Automation to define the users that can provision workloads, the priority and cloud zone of deployments, as well as the maximum allowed deployment instances.
- Configure Sample Blueprint in Region A
  You configure a sample blueprint to deploy to your organization's cloud providers. Blueprints determine the specifications, such as target cloud region, resources, guest operating systems, and others, for the services or applications that consumers of this blueprint can deploy.
- Service Broker Configuration in Region A
  To enable users to deploy workloads, you import blueprints, create a content source and share these blueprints within a project in vRealize Automation Service Broker.
- Deploy Sample Blueprint in Region A
  After you import the Cloud Assembly blueprint and share it with members of your project, you test the provisioning by requesting a deployment.
Content Library Configuration in Region A
Content libraries are containers for VM templates, vApp templates, and other resources used for vRealize Automation deployment of virtual machines and vApps. Sharing templates and files across multiple vCenter Server instances brings consistency, compliance, efficiency, and automation to deploying workloads at scale.
You create and manage a content library from a single vCenter Server instance, but you can share the library items with other vCenter Server instances if HTTP(S) traffic is allowed between them.
Procedure
1 Configure a Content Library in the Workload Domain vCenter Server Instance in Region A
Create a content library and populate it with images that you can use to deploy virtual machines in your environment. Content libraries let you synchronize images among workload domain vCenter Server instances so that all images in your environment are consistent.
2 Import OVA Images to the Content Library in the Workload Domain vCenter Server Instance in Region A
You can import OVA files prepared to use as virtual machine images. The images that you add to the content library are used in vRealize Automation blueprints. You repeat this procedure to import all OVA images.
Configure a Content Library in the Workload Domain vCenter Server Instance in Region A
Create a content library and populate it with images that you can use to deploy virtual machines in your environment. Content libraries let you synchronize images among workload domain vCenter Server instances so that all images in your environment are consistent.
As you deploy additional workload domains, you can create subscriber content libraries from this publishing content library.
Procedure
1 In a Web browser, log in to vCenter Server by using the vSphere Client.
Setting Value
URL https://sfo01m01vc01.sfo01.rainpole.local/ui
User name [email protected]
Password vsphere_admin_password
2 In the Content libraries inventory, click Create.
The New content library wizard opens.
3 On the Name and location page, configure the settings and click Next.
Setting Value
Name sfo01-w01cl-vra01
vCenter Server sfo01w01vc01.sfo01.rainpole.local
4 On the Configure content library page, configure the settings and click Next.
Setting Value
Local content library Selected
Enable publishing Selected
Enable authentication Selected
Password sfo01-w01cl-vra01_password
Confirm password sfo01-w01cl-vra01_password
5 On the Add storage page, select sfo01-w01-vsan01 and click Next.
6 On the Ready to complete page, click Finish.
Import OVA Images to the Content Library in the Workload Domain vCenter Server Instance in Region A
You can import OVA files prepared to use as virtual machine images. The images that you add to the content library are used in vRealize Automation blueprints. You repeat this procedure to import all OVA images.
Table 7-3. Virtual Machine Templates in Region A
Operating System Type OVA Name Local File Name
Windows Server 2019 Standard img-windows-server-2019-standard windows-server-2019-standard.ova
Windows Server 2016 Standard img-windows-server-2016-standard windows-server-2016-standard.ova
Ubuntu Server 19.10 img-ubuntu-server-1910 ubuntu-server-1910.ova
Ubuntu Server 18.04 LTS img-ubuntu-server-1804-lts ubuntu-server-1804-lts.ova
Procedure
1 In a Web browser, log in to vCenter Server by using the vSphere Client.
Setting Value
URL https://sfo01m01vc01.sfo01.rainpole.local/ui
User name [email protected]
Password vsphere_admin_password
2 In the Content libraries inventory, select the sfo01-w01cl-vra01 content library.
3 On the sfo01-w01cl-vra01 page, click the Actions drop-down menu and select Import item.
4 In the Import library item dialog box, specify the settings for the first OVA image and click Import.
Setting Value
Source file windows-server-2019-standard.ova
Item name img-windows-server-2019-standard
Notes Windows Server 2019 Standard
5 Repeat the procedure to import the remaining OVA images.
Customization Specifications for vRealize Automation Configuration in Region A
Create customization specifications, one for Linux and one for Windows, for use by the virtual machine images you deploy. Customization specifications are XML files that contain system configuration settings for the guest operating systems used in the virtual machines. You can use the customization specifications, as needed, when you create blueprints in vRealize Automation.
Create a Customization Specification for Windows Guest Operating Systems in Region A
Create a Windows guest operating system specification that you can apply when you create blueprints for use with vRealize Automation. This customization specification can be used to customize virtual machine guest operating systems when provisioning new virtual machines from vRealize Automation.
You configure two customization specifications.
Customization Specification Name Description Operating System Type
windows-server-2019-standard Windows Server 2019 Standard Windows
windows-server-2016-standard Windows Server 2016 Standard Windows
Procedure
1 In a Web browser, log in to the Workload domain vCenter Server by using the vSphere Client.
Setting Value
URL https://sfo01w01vc01.sfo01.rainpole.local/ui
User name [email protected]
Password vsphere_admin_password
2 In the Policies and profiles inventory, select VM customization specifications.
3 On the VM customization specifications page, click the Create a new specification icon.
The New VM guest customization wizard opens.
4 On the Name and target OS page, configure the settings and click Next.
Setting Value
Name windows-server-2019-standard
Description Windows Server 2019 Standard
vCenter Server sfo01w01vc01.sfo01.rainpole.local
Target Guest OS Windows
Generate New Security ID (SID) Selected
5 On the Registration information page, configure the settings and click Next.
Setting Value
Name Rainpole
Organization Rainpole
6 On the Computer name page, select Use the virtual machine name, and click Next.
7 On the Windows license page, provide licensing information for the Windows operating system, and click Next.
8 On the Administrator password page, enter the default administrator password to set on the virtual machine, and click Next.
9 On the Time zone page, select the time zone, and click Next.
Setting Value
Time Zone (UTC-08:00) Pacific Time (US & Canada)
10 On the Commands to run once page, click Next.
11 On the Network page, click Next.
12 On the Workgroup or domain page, select Windows Server Domain, configure the settings, and click Next.
Setting Example Value
Windows Server Domain sfo01.rainpole.local
User name [email protected]
Password svc-domain-join_password
13 On the Ready to complete page, review the settings and click Finish to save your changes.
14 Repeat the procedure to create the second Windows customization specification.
Create a Customization Specification for Linux Guest Operating Systems in Region A
Create a Linux guest operating system specification that you can apply when you create blueprints for use with vRealize Automation. This customization specification can be used to customize virtual machine guest operating systems when provisioning new virtual machines from vRealize Automation.
You configure two customization specifications.
Customization Specification Name Description Operating System Type
ubuntu-server-1910 Ubuntu Server 19.10 Linux
ubuntu-server-1804-lts Ubuntu Server 18.04 LTS Linux
Procedure
1 In a Web browser, log in to the Workload domain vCenter Server by using the vSphere Client.
Setting Value
URL https://sfo01w01vc01.sfo01.rainpole.local/ui
User name [email protected]
Password vsphere_admin_password
2 In the Policies and profiles inventory, select VM customization specifications.
3 On the VM customization specifications page, click the Create a new specification icon.
The New VM guest customization wizard opens.
4 On the Name and target OS page, configure the settings and click Next.
Setting Value
Name ubuntu-server-1910
Description Ubuntu Server 19.10
vCenter Server sfo01w01vc01.sfo01.rainpole.local
Target Guest OS Linux
5 On the Computer name page, select Use the virtual machine name, enter sfo01.rainpole.local for the domain name, and click Next.
6 On the Time zone page, configure the settings, and click Next.
Setting Value
Area America
Location Los Angeles
Hardware clock set to Local time
7 On the Customization script page, click Next.
8 On the Network page, click Next.
9 On the DNS settings page, leave the default settings, and click Next.
10 On the Ready to complete page, review the settings and click Finish to save your changes.
11 Repeat the procedure to create the second Linux customization specification.
Configure vRealize Automation Mappings for Region A
You define deployment sizing and deployment parameters for workloads by using flavor and image mappings in Cloud Assembly.
Procedure
1 Add Flavor Mappings for Region A
You configure flavor mappings for the vSphere-based cloud accounts in Region A to define and group a set of target deployment sizings.
2 Add Image Mappings for Region A
You configure image mappings for the vSphere-based cloud accounts in Region A to define target deployment operating system and related configuration settings.
Add Flavor Mappings for Region A
You configure flavor mappings for the vSphere-based cloud accounts in Region A to define and group a set of target deployment sizings.
You configure five flavor mappings to define the deployment sizings.
Name Region CPU Count Memory Size
x-small sfo01w01vc01 / sfo01-w01dc 1 512 MB
small sfo01w01vc01 / sfo01-w01dc 2 2 GB
medium sfo01w01vc01 / sfo01-w01dc 8 4 GB
large sfo01w01vc01 / sfo01-w01dc 8 16 GB
x-large sfo01w01vc01 / sfo01-w01dc 16 32 GB
Procedure
1 In a Web browser, log in to vRealize Automation by using the cloud services console.
Setting Value
URL https://vra01svr01.rainpole.local/csp/gateway/portal
User name configadmin
Password wsa01svr01_configadmin_password
Domain System Domain
2 On the main navigation bar, click Services.
3 In the My services section, click Cloud Assembly.
4 Click the Infrastructure tab, and select Configure > Flavor mappings.
5 On the New flavor mapping page, configure the settings and click Create.
Setting Value
Name x-small
Account / region sfo01w01vc01 / sfo01-w01dc
Number of CPUs 1
Memory (MB) 512
6 Repeat this procedure to create the remaining flavor mappings.
Add Image Mappings for Region A
You configure image mappings for the vSphere-based cloud accounts in Region A to define target deployment operating system and related configuration settings.
You configure four image mappings for the previously configured customization specifications.
Name Region Image Source Type
windows-server-2019-standard sfo01w01vc01 / sfo01-w01dc img-windows-server-2019-standard Content Library OVA
windows-server-2016-standard sfo01w01vc01 / sfo01-w01dc img-windows-server-2016-standard Content Library OVA
ubuntu-server-1910 sfo01w01vc01 / sfo01-w01dc img-ubuntu-server-1910 Content Library OVA
ubuntu-server-1804-lts sfo01w01vc01 / sfo01-w01dc img-ubuntu-server-1804-lts Content Library OVA
Procedure
1 In a Web browser, log in to vRealize Automation by using the cloud services console.
Setting Value
URL https://vra01svr01.rainpole.local/csp/gateway/portal
User name configadmin
Password wsa01svr01_configadmin_password
Domain System Domain
2 On the main navigation bar, click Services.
3 In the My services section, click Cloud Assembly.
4 Click the Infrastructure tab, and select Configure > Image mappings.
5 On the New image mapping page, configure the settings and click Create.
Setting Value
Image name windows-server-2019-standard
Account / region sfo01w01vc01 / sfo01-w01dc
Image img-windows-server-2019-standard
Constraints -
Cloud configuration -
6 Repeat this procedure to create the remaining image mappings.
Configure vRealize Automation Profiles for Region A
You define target networks and datastores for workload provisioning by using network and storage profiles in Cloud Assembly.
Procedure
1 Add Networks for vRealize Automation for Region A
Before project members can request workloads, you must create networks to connect the network profiles defined in vRealize Automation.
2 Configure Network Profiles for Region A
Before project members can request workloads, you must create network profiles to define the subnet and routing configuration for virtual machines. Each network profile is configured for a specific network port group or virtual network segment to specify the IP address and the routing configuration for virtual machines provisioned to that network.
3 Configure Storage Profiles in Region A
You configure disk customizations and type of storage for the provisioned workloads by defining a storage profile in Cloud Assembly for the specific cloud account and region.
Add Networks for vRealize Automation for Region A
Before project members can request workloads, you must create networks to connect the network profiles defined in vRealize Automation.
For a workload domain with NSX-T Data Center, you create the network segments on the NSX-T Manager for the workload domain. For a workload domain with NSX Data Center for vSphere, you create the logical switches on the NSX Manager for the workload domain.
- Add Network Segments for vRealize Automation on the Workload Domain NSX-T Manager for Region A
If the workload domain uses NSX-T Data Center, you create network segments on the Workload domain NSX-T Manager to connect the network profiles defined in vRealize Automation.
- Add Logical Switches for vRealize Automation on the Workload Domain NSX Manager for Region A
If the workload domain uses NSX Data Center for vSphere, you create logical switches on the Workload domain NSX Manager to connect the network profiles defined in vRealize Automation.
Add Network Segments for vRealize Automation on the Workload Domain NSX-T Manager for Region A
If the workload domain uses NSX-T Data Center, you create network segments on the Workload domain NSX-T Manager to connect the network profiles defined in vRealize Automation.
You configure separate segments for the business tiers.
Table 7-4. Production Segments
Setting Value for production-web Value for sfo-production-db Value for sfo-production-app
Segment name sfo-production-web-192-168-91-0–24 sfo-production-db-192-168-92–24 sfo-production-app-192-168-93-0–24
Connectivity sfo01-w02-tier-1-01 sfo01-w02-tier-1-01 sfo01-w02-tier-1-01
Transport zone sfo01-w-overlay sfo01-w-overlay sfo01-w-overlay
Subnets 192.168.91.1/24 192.168.92.1/24 192.168.93.1/24
Table 7-5. Development Segments
Setting Value for sfo-development-web Value for sfo-development-db Value for sfo-development-app
Segment name sfo-development-web-192-168-95-0–24 sfo-development-db-192-168-96–24 sfo-development-app-192-168-97–24
Connectivity sfo01-w02-tier-1-01 sfo01-w02-tier-1-01 sfo01-w02-tier-1-01
Transport zone sfo01-w-overlay sfo01-w-overlay sfo01-w-overlay
Subnets 192.168.95.1/24 192.168.96.1/24 192.168.97.1/24
Procedure
1 In a Web browser, log in to the NSX-T Manager for the workload domain by using the user interface.
Setting Value
URL https://sfo01w01nsx01.sfo01.rainpole.local
User name admin
Password nsx-t_admin_password
2 On the main navigation bar, click Networking.
3 On the Configuration tab of the Network overview page, click Segments.
4 On the Segments tab, click Add segment, configure these settings, and click Save.
Setting Value
Segment name sfo-production-web-192-168-91-0–24
Connectivity sfo01-w02-tier-1-01
Transport zone sfo01-w-overlay
Subnets Click Set subnets, click Add subnet, in the Gateway IP/Prefix length, enter 192.168.91.1/24, click Add, and click Apply.
5 In the Want to continue configuring this Segment? dialog box, click No.
6 Repeat this procedure to create the remaining segments.
Add Logical Switches for vRealize Automation on the Workload Domain NSX Manager for Region A
If the workload domain uses NSX Data Center for vSphere, you create logical switches on the Workload domain NSX Manager to connect the network profiles defined in vRealize Automation.
You configure separate logical switches for the business tiers.
Table 7-6. Production Logical Switch
Setting Value for production-web Value for sfo-production-db Value for sfo-production-app
Name sfo-production-web-192-168-91-0–24 sfo-production-db-192-168-92–24 sfo-production-app-192-168-93-0–24
Transport zone Comp Universal Transport Zone Comp Universal Transport Zone Comp Universal Transport Zone
Connected to sfo-production-web-192-168-91-0–24 sfo-production-db-192-168-92–24 sfo-production-app-192-168-93-0–24
Primary IP address 192.168.91.1 192.168.92.1 192.168.93.1
Subnet prefix length 24 24 24
Table 7-7. Development Logical Switch
Setting Value for sfo-development-web Value for sfo-development-db Value for sfo-development-app
Name sfo-development-web-192-168-95-0–24 sfo-development-db-192-168-96–24 sfo-development-app-192-168-97–24
Transport zone Comp Universal Transport Zone Comp Universal Transport Zone Comp Universal Transport Zone
Connected to sfo-development-web-192-168-95-0–24 sfo-development-db-192-168-96–24 sfo-development-app-192-168-97–24
Primary IP address 192.168.95.1 192.168.96.1 192.168.97.1
Subnet prefix length 24 24 24
Procedure
1 In a Web browser, log in to the Workload domain vCenter Server by using the vSphere Client.
Setting Value
URL https://sfo01w01vc01.sfo01.rainpole.local/ui
User name [email protected]
Password vsphere_admin_password
2 In the Networking and security inventory, click Logical Switches.
3 From the NSX Manager drop-down menu, select 172.16.11.66.
4 Click Add, configure these settings, and click Save.
Setting Value
Name sfo-production-web-192-168-91-0–24
Transport zone Comp Universal Transport Zone
Replication mode Hybrid
MAC learning Disabled
5 Repeat Step 4 to create the remaining logical switches.
6 Add the logical switch gateways to the universal distributed logical router.
a In the Networking and security inventory, click NSX Edges.
b Click the ID of the sfo01w01udlr01 universal distributed logical router to open its network settings.
c Click the Configure tab and click Interfaces.
d Click Add, configure these settings, and click Add.
Setting Value
Name sfo-production-web-192-168-91-0–24
Type Internal
Connected to sfo-production-web-192-168-91-0–24
Configure subnets Click Add, in the Primary IP address, enter 192.168.91.1, and, in the Subnet prefix length, enter 24.
e Repeat this step to create the remaining interfaces.
Configure Network Profiles for Region A
Before project members can request workloads, you must create network profiles to define the subnet and routing configuration for virtual machines. Each network profile is configured for a specific network port group or virtual network segment to specify the IP address and the routing configuration for virtual machines provisioned to that network.
Procedure
1 In a Web browser, log in to vRealize Automation by using the cloud services console.
Setting Value
URL https://vra01svr01.rainpole.local/csp/gateway/portal
User name configadmin
Password wsa01svr01_configadmin_password
Domain System Domain
2 On the main navigation bar, click Services.
3 In the My services section, click Cloud Assembly.
4 Click the Infrastructure tab, select Configure > Network profiles.
5 Configure the network profile.
a Click New network profile.
The New network profile page opens.
b On the Summary tab, configure the settings.
Setting Value
Account / Region sfo01w01vc01 / sfo01-w01dc
Name net-existing-sfo-w01
Description Existing Networks in Region A - Workload Domain 01
c Click the Networks tab and click Add network.
d In the Add network dialog box, select VIEW NSX NETWORKS.
e Select the following segments and click OK.
Segment Description
sfo-production-web-192-168-91-0–24 Production Web Tier Network
sfo-production-db-192-168-92-0–24 Production Database Tier Network
sfo-production-app-192-168-93-0–24 Production Application Tier Network
sfo-development-web-192-168-95-0–24 Development Web Tier Network
sfo-development-db-192-168-96-0–24 Development Database Tier Network
sfo-development-app-192-168-97-0–24 Development Application Tier Network
f On the Networks tab, select the check box for a segment, click Tags, configure the corresponding capability tags, and click Save.
Segment Capability Tags
sfo-production-web-192-168-91–24 env:prod, function:web
sfo-production-db-192-168-92–24 env:prod, function:db
sfo-production-app-192-168-93-0–24 env:prod, function:app
sfo-development-web-192-168-95-0–24 env:dev, function:web
sfo-development-db-192-168-96-0–24 env:dev, function:db
sfo-development-app-192-168-97-0–24 env:dev, function:app
g On the Networks tab, click the Name link for each of the production segments, configure the settings, and click Save.
Setting Value for sfo-production-web Value for sfo-production-db Value for sfo-production-app
Name sfo-production-web-192-168-91-0–24 sfo-production-db-192-168-92-0–24 sfo-production-app-192-168-93-0–24
Domain sfo01.rainpole.local sfo01.rainpole.local sfo01.rainpole.local
IPv4 CIDR 192.168.91.0/24 192.168.92.0/24 192.168.93.0/24
IPv4 Default Gateway 192.168.91.1 192.168.92.1 192.168.93.1
DNS Servers 172.16.11.4,172.16.11.5 172.16.11.4,172.16.11.5 172.16.11.4,172.16.11.5
DNS Search Domains sfo01.rainpole.local sfo01.rainpole.local sfo01.rainpole.local
h On the Networks tab, click the Name link for each of the development segments, configure the settings, and click Save.
Setting Value for sfo-development-web Value for sfo-development-db Value for sfo-development-app
Network sfo-development-web-192-168-95-0–24 sfo-development-db-192-168-96-0–24 sfo-development-app-192-168-97-0–24
Domain sfo01.rainpole.local sfo01.rainpole.local sfo01.rainpole.local
IPv4 CIDR 172.11.10.0/24 172.11.11.0/24 172.11.12.0/24
IPv4 Default Gateway 172.11.10.1 172.11.11.1 172.11.12.1
DNS Servers 172.16.11.4,172.16.11.5 172.16.11.4,172.16.11.5 172.16.11.4,172.16.11.5
DNS Search Domains sfo01.rainpole.local sfo01.rainpole.local sfo01.rainpole.local
i On the Networks tab, select the check box for a segment, click Manage IP ranges, click New IP range, configure the corresponding settings for each production segment, click Add, and click Close.
Setting Value for sfo-production-web Value for sfo-production-db Value for sfo-production-app
Network sfo-production-web-192.168.91-0–24 sfo-production-db-192.168.92-0–24 sfo-production-app-192.168.93-0–24
Source Internal Internal Internal
Name sfo-production-web-192.168.91-0–24 sfo-production-db-192.168.92-0–24 sfo-production-app-192.168.93-0–24
Description Production: Web Tier Network Static IP Range Production: Database Tier Network Static IP Range Production: Application Tier Network Static IP Range
CIDR 192.168.91.0/24 192.168.92.0/24 192.168.93.0/24
Start IP Address 192.168.91.20 192.168.92.20 192.168.93.20
End IP Address 192.168.91.250 192.168.92.250 192.168.93.250
j On the Networks tab, select the check box for a segment, click Manage IP ranges, click New IP range, configure the corresponding settings for each development segment, click Add, and click Close.
Setting Value for sfo-development-web Value for sfo-development-db Value for sfo-development-app
Name sfo-development-web-192.168.95-0–24 sfo-development-db-192.168.96-0–24 sfo-development-app-192.168.97-0–24
Description Development: Web Tier Network Static IP Range Development: Database Tier Network Static IP Range Development: Application Tier Network Static IP Range
CIDR 192.168.95.0/24 192.168.96.0/24 192.168.97.0/24
Start IP Address 192.168.95.20 192.168.96.20 192.168.97.20
End IP Address 192.168.95.250 192.168.96.250 192.168.97.250
k On the New network profile page, click Create.
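The following Python consistency check is an added example, not part of the VMware documentation. It takes the values entered in steps f through j (production addresses written in dotted notation) and confirms that each gateway and static IP range sits inside its IPv4 CIDR and that every env/function tag pair resolves to exactly one network. The short network keys and the resolve and audit helpers are assumptions of this example.

```python
import ipaddress
from itertools import product

# Values from the tables in steps f to j of this procedure.
# key: (capability tags, IPv4 CIDR, default gateway, range start, range end)
# The short keys are an assumption of this example, not names used by the product.
NETWORKS = {
    "sfo-production-web": ({"env:prod", "function:web"},
                           "192.168.91.0/24", "192.168.91.1", "192.168.91.20", "192.168.91.250"),
    "sfo-production-db": ({"env:prod", "function:db"},
                          "192.168.92.0/24", "192.168.92.1", "192.168.92.20", "192.168.92.250"),
    "sfo-production-app": ({"env:prod", "function:app"},
                           "192.168.93.0/24", "192.168.93.1", "192.168.93.20", "192.168.93.250"),
    "sfo-development-web": ({"env:dev", "function:web"},
                            "172.11.10.0/24", "172.11.10.1", "192.168.95.20", "192.168.95.250"),
    "sfo-development-db": ({"env:dev", "function:db"},
                           "172.11.11.0/24", "172.11.11.1", "192.168.96.20", "192.168.96.250"),
    "sfo-development-app": ({"env:dev", "function:app"},
                            "172.11.12.0/24", "172.11.12.1", "192.168.97.20", "192.168.97.250"),
}

# Tag values a requester can select for network placement.
ENVIRONMENTS = ("env:prod", "env:dev")
FUNCTIONS = ("function:web", "function:app", "function:db")


def resolve(networks, constraints):
    """Return the networks whose capability tags satisfy every constraint tag."""
    wanted = set(constraints)
    return sorted(name for name, (tags, *_rest) in networks.items() if wanted <= tags)


def audit(networks):
    """Return (subject, issue) findings for addressing and tag-placement problems."""
    findings = []
    for name, (_tags, cidr, gateway, start, end) in networks.items():
        net = ipaddress.ip_network(cidr)  # raises ValueError on malformed input
        gw, first, last = (ipaddress.ip_address(a) for a in (gateway, start, end))
        if not net.is_private:
            findings.append((name, "CIDR is not private address space"))
        if gw not in net:
            findings.append((name, "gateway outside CIDR"))
        if first > last:
            findings.append((name, "range start after range end"))
        if first not in net or last not in net:
            findings.append((name, "static range outside CIDR"))
        if first <= gw <= last:
            findings.append((name, "gateway inside static range"))
    # Every env/function pair must land on exactly one network; zero matches
    # fails placement, more than one makes placement ambiguous.
    for env, func in product(ENVIRONMENTS, FUNCTIONS):
        matches = resolve(networks, (env, func))
        if len(matches) != 1:
            findings.append((f"{env}+{func}", f"matches {len(matches)} networks"))
    return findings


if __name__ == "__main__":
    for subject, issue in audit(NETWORKS):
        print(f"{subject}: {issue}")
```

With the values as printed in this procedure, the check reports only the three development networks, whose IPv4 CIDR rows (172.11.x.0/24) do not contain the 192.168.95 to 192.168.97 static ranges.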
Configure Storage Profiles in Region A
You configure disk customizations and type of storage for the provisioned workloads by defining a storage profile in Cloud Assembly for the specific cloud account and region.
Procedure
1 In a Web browser, log in to vRealize Automation by using the cloud services console.
Setting Value
URL https://vra01svr01.rainpole.local/csp/gateway/portal
User name configadmin
Password wsa01svr01_configadmin_password
Domain System Domain
2 On the main navigation bar, click Services.
3 In the My services section, click Cloud Assembly.
4 Click the Infrastructure tab, select Configure > Storage profiles.
5 On the Storage profiles page, click New storage profile, configure the settings, and click Create.
Setting Value
Account / Region sfo01w01vc01 / sfo01-w01dc
Name platinum-sfo01-w01-vsan01
Description Storage Policy for Workload Domain 01, Cluster 01
Storage Policy vSAN Default Storage Policy
Datastore / Cluster sfo01-w01-vsan01
Provisioning Type Thin
Preferred Storage for This Region Selected
Capability Tags tier:platinum
Configure a Sample Project in vRealize Automation for Region A
You configure a project in vRealize Automation to define the users that can provision workloads, the priority and cloud zone of deployments, as well as the maximum allowed deployment instances.
Procedure
1 In a Web browser, log in to vRealize Automation by using the cloud services console.
Setting Value
URL https://vra01svr01.rainpole.local/csp/gateway/portal
User name configadmin
Password wsa01svr01_configadmin_password
Domain System Domain
2 On the main navigation bar, click Services.
3 In the My services section, click Cloud Assembly.
4 Click the Infrastructure tab, select Configure > Projects.
5 Click New project.
The New project page opens.
6 On the Summary tab, configure the settings.
Setting Value
Name Sample
Description Sample Project
7 Click the Users tab, click Add groups, configure the settings, and click Add.
Setting Value for project-admins Value for project-users
Group [email protected]
Assign role Administrator Member
8 Click the Provisioning tab, click Add cloud zone, configure the settings, and click Add.
Setting Value
Cloud zone sfo01w01vc01 / sfo01-w01dc
Provisioning priority 1
Instances limit 0
Memory limit (GB) 0
CPU limit 0
Storage limit (GB) 0
9 On the Provisioning tab, in the Custom naming section, configure the settings.
Setting Value
Template ${project.name}-${user}-${######}
10 Click Create.
Configure Sample Blueprint in Region A
You configure a sample blueprint to deploy to your organization's cloud providers. Blueprints determine the specifications, such as target cloud region, resources, guest operating systems, and others, for the services or applications that consumers of this blueprint can deploy.
Procedure
1 In a Web browser, log in to vRealize Automation by using the cloud services console.
Setting Value
URL https://vra01svr01.rainpole.local/csp/gateway/portal
User name configadmin
Password wsa01svr01_configadmin_password
Domain System Domain
2 On the main navigation bar, click Services.
3 In the My services section, click Cloud Assembly.
4 Click the Design tab and, on the Blueprints page, click New.
5 In the New blueprint dialog box, configure the settings and click Create.
Setting Value
Name Sample Blueprint
Description Sample Blueprint
Project Sample
Blueprint sharing in Service Broker Share only with this project
6 On the Blueprints page, click Sample blueprint to open its design page.
7 In the Code editor, enter the following YAML code.
name: Sample Workload
formatVersion: 1
inputs:
  # Each const below is a tag or mapping name that the resources section
  # passes on as a placement constraint or property.
  targetCloud:
    type: string
    oneOf:
      - title: Rainpole Private Cloud
        const: 'cloud:private'
    title: Cloud
    description: Select a target cloud.
  targetRegion:
    type: string
    oneOf:
      - title: Region A (US West 1)
        const: 'region:sfo'
    title: Region
    description: Select a target region.
  targetEnvironment:
    type: string
    oneOf:
      - title: Production
        const: 'env:prod'
      - title: Development
        const: 'env:dev'
    title: Environment
    description: Select a target environment.
  targetFunction:
    type: string
    oneOf:
      - title: Web Server
        const: 'function:web'
      - title: Application Server
        const: 'function:app'
      - title: Database Server
        const: 'function:db'
    title: Function
    description: Select a target function.
  performanceTier:
    type: string
    oneOf:
      - title: Platinum
        const: 'tier:platinum'
    title: Performance Tier
    description: Select a performance tier.
  # The selected value is used as both the image and the customization specification name.
  operatingSystem:
    type: string
    oneOf:
      - title: Ubuntu Server 19.10
        const: ubuntu-server-1910
      - title: Ubuntu Server 18.04 LTS
        const: ubuntu-server-1804-lts
      - title: Microsoft Windows Server 2019 Standard
        const: windows-server-2019-standard
      - title: Microsoft Windows Server 2016 Standard
        const: windows-server-2016-standard
    title: Operating System and Version
    description: Select an operating system and version.
  # The selected value is used as the flavor name.
  nodeSize:
    type: string
    oneOf:
      - title: X-Small
        const: x-small
      - title: Small
        const: small
      - title: Medium
        const: medium
      - title: Large
        const: large
      - title: X-Large
        const: x-large
    title: Node Size
    description: 'Select a standard node size.<br/><br/>Refer to <a href="https://support.rainpole.local" target="_blank">support.rainpole.local/sizing</a> for our standard resource sizing.'
  nodeCount:
    type: integer
    default: 1
    maximum: 100
    title: Node Count
    description: Select the number of VMs between 1 and 100.
resources:
  Cloud_vSphere_Machine_1:
    type: Cloud.vSphere.Machine
    properties:
      image: '${input.operatingSystem}'
      flavor: '${input.nodeSize}'
      count: '${input.nodeCount}'
      customizationSpec: '${input.operatingSystem}'
      constraints:
        - tag: '${input.targetCloud}'
        - tag: '${input.targetRegion}'
      networks:
        - network: '${resource.Cloud_NSX_Network_1.id}'
          assignment: static
      attachedDisks: []
  Cloud_NSX_Network_1:
    type: Cloud.NSX.Network
    properties:
      networkType: existing
      # Matched against the env: and function: capability tags set on the networks.
      constraints:
        - tag: '${input.targetFunction}'
        - tag: '${input.targetEnvironment}'
8 Test the sample blueprint.
a On the Sample blueprint design page, click Test.
b In the Testing Sample dialog box, configure the settings and click Test.
Setting Value
Cloud Rainpole Private Cloud
Region Region A (US West 1)
Environment Production
Function Web Server
Performance tier Platinum
Operating system and version Ubuntu Server 18.04 LTS
Node size Small
Node count 1
The simulation examines syntax, placement, and blueprint validity.
9 Version the sample blueprint.
a On the Sample blueprint design page, click Version.
b In the Creating version dialog box, configure the settings and click Create.
Setting Value
Version 1.0
Description Sample Blueprint
Change log Initial Release
Release Select Release this version to the catalog.
c On the Sample blueprint design page, click Close.
Service Broker Configuration in Region A
To enable users to deploy workloads, you import blueprints, create a content source and share these blueprints within a project in vRealize Automation Service Broker.
Procedure
1 Configure a Content Source for Service Broker in Region A
To provide access to vRealize Automation Cloud Assembly blueprints to users, you create and configure a content source in Service Broker.
2 Share Blueprints from a Content Source in Service Broker in Region A
You can share imported blueprints and content sources within a project to enable project members to deploy these blueprints in the specified cloud zone.
Configure a Content Source for Service Broker in Region A
To provide access to vRealize Automation Cloud Assembly blueprints to users, you create and configure a content source in Service Broker.
Procedure
1 In a Web browser, log in to vRealize Automation by using the cloud services console.
Setting Value
URL https://vra01svr01.rainpole.local/csp/gateway/portal
User name configadmin
Password wsa01svr01_configadmin_password
Domain System Domain
2 On the main navigation bar, click Services.
3 In the My services section, click Service Broker.
4 Click the Content and policies tab.
5 In the navigation pane, click Content sources, click New, configure the settings, and click Validate.
Setting Value
Type Cloud Assembly Blueprint
Name Sample - Blueprints
Description Sample - Blueprints
Source Project Sample
6 On the New content source page, click Create and import.
Share Blueprints from a Content Source in Service Broker in Region A
You can share imported blueprints and content sources within a project to enable project members to deploy these blueprints in the specified cloud zone.
Procedure
1 In a Web browser, log in to vRealize Automation by using the cloud services console.
Setting Value
URL https://vra01svr01.rainpole.local/csp/gateway/portal
User name configadmin
Password wsa01svr01_configadmin_password
Domain System Domain
2 On the main navigation bar, click Services.
3 In the My services section, click Service Broker.
4 Click the Content and policies tab.
5 In the navigation pane, click Content sharing.
6 In the Project text box, enter Sample and click Add items.
7 In the Share items with Sample dialog box, from the Content sources drop-down menu, select Content sources, select the Sample blueprints, and click Save.
Deploy Sample Blueprint in Region A
After you import the Cloud Assembly blueprint and share it with members of your project, you test the provisioning by requesting a deployment.
Procedure
1 In a Web browser, log in to vRealize Automation by using the cloud services console.
Setting Value
URL https://vra01svr01.rainpole.local/csp/gateway/portal
User name configadmin
Password wsa01svr01_configadmin_password
Domain System Domain
2 On the main navigation bar, click Services.
3 In the My services section, click Service Broker.
4 Click the Catalog tab.
5 In the Sample blueprint card, click Request.
6 On the New request page, configure the settings and click Submit.
Setting Value
Version 1.0
Deployment name Sample Deployment
Project Sample
Node size Small
Node count 1
Cloud Rainpole Private Cloud
Region Region A (US West 1)
Function Web Server
Operating system and version Ubuntu Server 18.04 LTS
Performance tier Platinum
Environment Production
7 Verify that the deployment completes successfully.
a Click the Deployments tab and click the Sample deployment card.
b Click the History tab and click the Request details tab.
c Verify that the table shows the applied blueprint constraint tags.
d When the deployment completes, verify that the Sample deployment card has the Create Successful tag.