Deployment of VMware vRealize Suite 2019 on VMware Cloud Foundation 3.10

Modified on 20 APR 2021
VMware Validated Design
VMware Cloud Foundation 3.10
vRealize Suite 2019

You can find the most up-to-date technical documentation on the VMware website at:

https://docs.vmware.com/

VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com

Copyright © 2020-2021, VMware, Inc. All rights reserved. Copyright and trademark information.

Contents

About Deployment of VMware vRealize Suite 2019 on VMware Cloud Foundation 3.10

Planning and Preparation for Deployment of VMware vRealize Suite 2019 on VMware Cloud Foundation 3.10

Software Requirements

VMware Scripts and Tools

Third-Party Software

External Services

IP Subnets for the Application Virtual Networks

Host Names and IP Addresses

Time Synchronization

User Accounts and Groups

Active Directory Computer Objects

Additional Storage Requirements

My VMware Account Requirements

1 Prepare the Environment for Deployment of Cloud Operations and Automation in Region A

Remove the Default vRealize Log Insight Cluster in Region A

Create the Virtual Machine and Template Folders in Region A

Deploy the NSX Data Center for vSphere Load Balancer in Region A

2 vRealize Suite Lifecycle Manager Implementation in Region A

Prerequisites for Deploying vRealize Suite Lifecycle Manager in Region A

Configure User Access in vSphere for Integration with vRealize Suite Lifecycle Manager in Region A

Define a User Role in vSphere for vRealize Suite Lifecycle Manager in Region A

Configure Service Account Permissions in vSphere for Integration with vRealize Suite Lifecycle Manager in Region A

Deploy the vRealize Suite Lifecycle Manager Appliance in Region A

Post-Deployment Configuration of the vRealize Suite Lifecycle Manager Instance in Region A

Configure the vRealize Suite Lifecycle Manager Instance in Region A

Replace the Certificate of the vRealize Suite Lifecycle Manager Instance in Region A

Register the vRealize Suite Lifecycle Manager Instance with My VMware

Upload and Map Product Binaries to the vRealize Suite Lifecycle Manager Instance in Region A

Configure Data Centers and vCenter Server in vRealize Suite Lifecycle Manager in Region A

Add the Cross-Region Environment Password to vRealize Suite Lifecycle Manager

3 Cross-Region Workspace ONE Access Implementation in Region A

Prerequisites for Deploying Cross-Region Workspace ONE Access

Configure the Load Balancer for the Cross-Region Workspace ONE Access Cluster in Region A

Import the Load Balancer Certificate of the Cross-Region Workspace ONE Access Cluster

Configure the Virtual IP Address for Load Balancing the Cross-Region Workspace ONE Access Cluster in Region A

Create a Service Monitor for the Cross-Region Workspace ONE Access Cluster in Region A

Create a Server Pool for the Cross-Region Workspace ONE Access Cluster in Region A

Create Application Profiles for the Cross-Region Workspace ONE Access Cluster in Region A

Create Virtual Servers for the Cross-Region Workspace ONE Access Cluster in Region A

Deploy the Cross-Region Workspace ONE Access Cluster in Region A

Import the Cross-Region Workspace ONE Access Cluster Certificate to vRealize Suite Lifecycle Manager in Region A

Add the Passwords for the Cross-Region Workspace ONE Access Deployment to vRealize Suite Lifecycle Manager in Region A

Deploy the Cross-Region Workspace ONE Access Cluster Using vRealize Suite Lifecycle Manager in Region A

Resize the Cross-Region Workspace ONE Access Cluster Nodes in Region A

Configure the Cross-Region Workspace ONE Access Cluster in Region A

Configure an Anti-Affinity Rule and a Virtual Machine Group for the Cross-Region Workspace ONE Access Cluster in Region A

Configure NTP on the Cross-Region Workspace ONE Access Cluster in Region A

Configure Custom Branding for the Cross-Region Workspace ONE Access Deployment in Region A

Configure Identity Sources for the Cross-Region Workspace ONE Access Cluster in Region A

Add the Cross-Region Workspace ONE Access Nodes as Identity Provider Connectors in Region A

Assign Roles to User Groups in Cross-Region Workspace ONE Access

Assign Roles to User Groups in vRealize Suite Lifecycle Manager

4 Region-Specific Workspace ONE Access Implementation in Region A

Prerequisites for Deploying Region-Specific Workspace ONE Access in Region A

Deploy the Region-Specific Workspace ONE Access Instance in Region A

Complete the Initial Configuration of the Region-Specific Workspace ONE Access Instance in Region A

Configure Region-Specific Workspace ONE Access for the Management Domain in Region A

Replace the Certificate of the Region-Specific Workspace ONE Access Instance in Region A

Configure Preferences and Custom Branding for the Region-Specific Workspace ONE Access Instance in Region A

Configure NTP of the Region-Specific Workspace ONE Access Instance in Region A

Configure Identity Source of the Region-Specific Workspace ONE Access Instance in Region A

Assign Roles in the Region-Specific Workspace ONE Access Instance in Region A

Integrate NSX-T Data Center with the Region-Specific Workspace ONE Access Instance in Region A

Obtain the Certificate Thumbprint from the Region-Specific Workspace ONE Access Instance in Region A

Integrate NSX-T Data Center with the Region-Specific Workspace ONE Access Instance in Region A

Configure Role-Based Access Control for NSX-T Data Center in Region A

5 vRealize Operations Manager Implementation in Region A

Configure the Load Balancer for vRealize Operations Manager in Region A

Configure the Virtual IP Address for Load Balancing the Analytics Cluster in Region A

Create a Service Monitor for vRealize Operations Manager in Region A

Create a Server Pool for vRealize Operations Manager in Region A

Create the Application Profiles for vRealize Operations Manager in Region A

Create Virtual Servers for vRealize Operations in Region A

Deploy vRealize Operations Manager in Region A

Prerequisites for Deploying vRealize Operations Manager in Region A

Add the vRealize Operations Manager Multi-SAN Certificate to vRealize Suite Lifecycle Manager

Add the vRealize Operations Manager Password to vRealize Suite Lifecycle Manager

Create the Cross-Region Environment in vRealize Suite Lifecycle Manager in Region A

Deploy vRealize Operations Manager Using vRealize Suite Lifecycle Manager in Region A

Update vRealize Operations Manager Authentication Source

Configure vSphere DRS Anti-Affinity Rules for vRealize Operations Manager in Region A

Create a VM Group and Define the Startup Order of the Analytics Cluster in Region A

Group the Remote Collector Nodes in Region A

Configure User Access in vRealize Operations Manager in Region A

Configure User Access in vSphere for Integration with vRealize Operations Manager in Region A

Define a User Role in vSphere for vCenter Adapters in vRealize Operations Manager in Region A

Define a User Role in vSphere for Storage Devices Adapters in vRealize Operations Manager in Region A

Configure User Privileges in vSphere for Integration with vRealize Operations Manager in Region A

Add vCenter Server Cloud Accounts to vRealize Operations Manager in Region A

Enable vSAN Monitoring in vRealize Operations Manager in Region A

Connect vRealize Operations Manager to NSX Data Center for vSphere in Region A

Install the vRealize Operations Manager Management Pack for NSX for vSphere in Region A

Configure User Privileges in NSX Manager for Integration with vRealize Operations Manager in Region A

Enable NSX Data Center for vSphere Monitoring in vRealize Operations Manager in Region A

Enable NSX-T Data Center Monitoring in vRealize Operations Manager in Region A

Enable Storage Device Monitoring in vRealize Operations Manager in Region A

Install the vRealize Operations Manager Management Pack for Storage Devices in Region A

Add Storage Devices Adapters in vRealize Operations Manager in Region A

Connect vRealize Operations Manager to the Workspace ONE Access Instances in Region A

Install the vRealize Operations Manager Management Pack for VMware Identity Manager in Region A

Add VMware Identity Manager Adapter Instances to vRealize Operations Manager in Region A

Set the Currency for Cost Calculation in vRealize Operations Manager

Configure Email Alerts in vRealize Operations Manager in Region A

6 vRealize Log Insight Implementation in Region A

Deploy vRealize Log Insight in Region A

Prerequisites for Deploying vRealize Log Insight in Region A

Add the vRealize Log Insight Multi-SAN Certificate to vRealize Suite Lifecycle Manager

Add the vRealize Log Insight Password to vRealize Suite Lifecycle Manager

Deploy vRealize Log Insight Using vRealize Suite Lifecycle Manager in Region A

Configure a vSphere DRS Anti-Affinity Rule for vRealize Log Insight

Create a VM Group and Define the Startup Order of the vRealize Log Insight Cluster in Region A

Configure SMTP for vRealize Log Insight in Region A

Disable the SSL Connection Requirement in vRealize Log Insight in Region A

Integrate vRealize Log Insight with the Region-Specific Workspace ONE Access in Region A

Enable Region-Specific Workspace ONE Access Integration with vRealize Log Insight in Region A

Configure Identity and Access Management for vRealize Log Insight in Region A

Connect vRealize Log Insight to the vSphere Environment in Region A

Configure User Privileges in vSphere for Integration with vRealize Log Insight in Region A

Connect vRealize Log Insight to vSphere in Region A

Configure vCenter Server to Forward Log Events to vRealize Log Insight in Region A

Connect vRealize Log Insight to vRealize Operations Manager in Region A

Configure User Privileges in vRealize Operations Manager for Integration with vRealize Log Insight in Region A

Enable the vRealize Log Insight Integration with vRealize Operations Manager in Region A

Connect vRealize Operations Manager to vRealize Log Insight in Region A

Configure the vRealize Log Insight Agent on the Analytics Cluster to Forward Log Events to vRealize Log Insight in Region A

Connect vRealize Log Insight to NSX Data Center for vSphere in Region A

Install the vRealize Log Insight Content Pack for NSX Data Center for vSphere in Region A

Update the NSX Manager Log Forwarding Protocol in Region A

Configure the NSX Controller Nodes to Forward Log Events to vRealize Log Insight in Region A

Update the Log Forwarding Protocol on the NSX Edge Instances in Region A

Connect vRealize Log Insight to NSX-T Data Center in Region A

Install the vRealize Log Insight Content Pack for NSX-T Data Center in Region A

Configure the Workload Domain NSX-T Managers to Forward Log Events to vRealize Log Insight in Region A

Configure the NSX-T Edges to Forward Log Events to vRealize Log Insight in Region A

Download the vRealize Log Insight Agent

Install and Configure the vRealize Log Insight Agent on the Workspace ONE Access Nodes

Configure Log Forwarding for vRealize Suite Lifecycle Manager in Region A

Validate Log Forwarding for SDDC Manager in Region A

Collect Operating System Logs from the Management Virtual Appliances in vRealize Log Insight in Region A

Install the vRealize Log Insight Content Pack for Linux for the Management Virtual Appliances in Region A

Configure a Log Insight Agent Group for the Management Virtual Appliances in Region A

Install the vRealize Log Insight Content Pack for Linux for Workspace One Access in Region A

Configure a Log Insight Agent Group for the Management Virtual Appliances of Workspace One Access in Region A

Configure Log Retention and Archiving for vRealize Log Insight in Region A

7 vRealize Automation Implementation in Region A

Configure the Load Balancer for vRealize Automation in Region A

Configure the Virtual IP Address for Load Balancing the vRealize Automation Cluster in Region A

Create a Service Monitor for vRealize Automation in Region A

Create a Server Pool for vRealize Automation in Region A

Create the Application Profiles for vRealize Automation in Region A

Create Virtual Servers for vRealize Automation in Region A

Deploy vRealize Automation in Region A

Prerequisites for Deploying vRealize Automation in Region A

Import the vRealize Automation Multi-SAN Certificate to vRealize Suite Lifecycle Manager in Region A

Add the vRealize Automation Password to vRealize Suite Lifecycle Manager in Region A

Deploy vRealize Automation Using vRealize Suite Lifecycle Manager in Region A

Post-Deployment vRealize Automation Configuration in Region A

Configure NTP on the vRealize Automation Cluster

Create a Folder and a Resource Pool for vRealize Automation Workloads on the Workload Domain vCenter Server in Region A

Configure Service Account Privileges in Region A

Configure the vSphere DRS Anti-Affinity Rule and Startup Order for vRealize Automation in Region A

Configure Organization Settings for vRealize Automation in Region A

Configure Cloud Assembly in Region A

Configure the Embedded vRealize Orchestrator Instance in Region A

Configure Email Alerts for vRealize Automation in Region A

Post-Deployment Operations Management Integration with vRealize Automation in Region A

Connect vRealize Automation to vRealize Operations Manager in Region A

Connect vRealize Operations Manager to vRealize Automation in Region A

Connect vRealize Log Insight to vRealize Automation in Region A

Configure vRealize Automation for a Sample Project Implementation in Region A

Content Library Configuration in Region A

Customization Specifications for vRealize Automation Configuration in Region A

Configure vRealize Automation Mappings for Region A

Configure vRealize Automation Profiles for Region A

Configure a Sample Project in vRealize Automation for Region A

Configure Sample Blueprint in Region A

Service Broker Configuration in Region A

Deploy Sample Blueprint in Region A

About Deployment of VMware vRealize Suite 2019 on VMware Cloud Foundation 3.10

The Deployment of VMware vRealize Suite 2019 on VMware Cloud Foundation 3.10 document contains prescriptive guidance for deploying and configuring the vRealize® Suite 2019 products to a Software-Defined Data Center (SDDC) deployment of VMware Cloud Foundation™ 3.10.

The bill of materials of VMware Cloud Foundation 3.10 includes vRealize Suite products of earlier versions than the product versions in vRealize Suite 2019. This document provides supported guidance for substituting the vRealize Suite products in the bill of materials with the vRealize Suite 2019 products.

This guidance is developed with design objectives that included multi-region and disaster recovery use cases. At the time of this release, the guidance is provided only for single-region.

Intended Audience

This design is intended for cloud architects and administrators who want to deploy and use vRealize Suite 2019 on an SDDC that is deployed by using VMware Cloud Foundation 3.10.

Required VMware Software

Deployment of VMware vRealize Suite 2019 on VMware Cloud Foundation 3.10 is compliant and validated with specific vRealize Suite 2019 products and adjacent components. Deployment of VMware vRealize Suite 2019 on VMware Cloud Foundation 3.10 is also compatible with specific later vRealize Suite 2019 product versions.

The procedures in this guidance are prescriptive for the validated product versions. For the compatible product versions, you can use this guidance by replacing the corresponding product versions. If there are differences between the user interfaces of the validated and compatible versions, refer to the product documentation.

Table 1-1. vRealize Suite 2019 Products and Components

| Product Group and Edition | Product | Compatible Versions | Validated Guidance Version |
|---|---|---|---|
| VMware vRealize® Suite Lifecycle Manager™ | vRealize Suite Lifecycle Manager | 8.4, 8.3, 8.2 | 8.1 Patch 1 with 8.1 Product Support Pack 1 |
| VMware Workspace ONE® Access™ | VMware Workspace ONE Access | 3.3.4, 3.3.4, 3.3.2 | 3.3.2 |
| VMware vRealize® Operations Manager™ Advanced or higher | vRealize Operations Manager | 8.4, 8.3, 8.2 | 8.1 |
| | VMware vRealize® Operations Management Pack for NSX™ for vSphere® | 3.6.1*, 3.6.1*, 3.6.1* | 3.6.1* |
| | VMware vRealize® Operations Management Pack for VMware Identity Manager™ (Workspace ONE Access) | 1.1*, 1.1*, 1.1* | 1.1* |
| | VMware vRealize® Operations Management Pack for Storage Devices | 8.0*, 8.0*, 8.0* | 8.0* |
| VMware vRealize® Log Insight™ | vRealize Log Insight | 8.4, 8.3, 8.2 | 8.1.1 |
| | VMware vRealize® Log Insight™ Content Pack for NSX Data Center for vSphere | 4.2.1*, 4.2.1*, 4.2.1* | 4.0* |
| | VMware vRealize® Log Insight™ Content Pack for NSX-T Data Center | 4.0.2*, 4.0.2*, 4.0.2* | 3.9* |
| | VMware vRealize® Log Insight™ Content Pack for Linux | -**, -**, 2.1* | 2.1* |
| | VMware vRealize® Log Insight Content Pack for Linux - Systemd | 1.0*, 1.0*, 1.0* | 1.0* |
| | VMware vRealize® Log Insight Content Pack for vRealize Automation 8.3+ | 1.0**, 1.0**, - | - |
| | VMware vRealize® Log Insight Content Pack for vRealize Suite Lifecycle Manager 8.0.1+ | 1.0.2***, 1.0.2***, 1.0.2*** | |
| VMware vRealize® Automation™ Advanced or higher | vRealize Automation | 8.4, 8.3, 8.2 | 8.1 Patch 1 |

* VMware Marketplace and in-product marketplace provide only the latest versions of the management packs for vRealize Operations Manager and the content packs for vRealize Log Insight. The software components table contains the latest versions of the packs that were available at the time this guidance was published or validated. When you deploy the components, it is possible that the version of a management or content pack on VMware Marketplace and in-product marketplace is newer than the one provided.

** Workspace ONE Access 3.3.4 is based on Photon OS and must transition to use the vRealize Log Insight Content Pack for Linux – Systemd.

*** Recommended compatible component.

VMware makes patches and releases available to address critical security and functional issues for several products. After deploying using this guidance, verify that you are using the latest available security and express patches or hotfixes for a given component.

- For applying patches and hotfixes to ESXi, vCenter Server, and NSX, use update bundles in SDDC Manager.

- For applying patches and hotfixes to vRealize Suite Lifecycle Manager, Workspace ONE Access, vRealize Operations Manager, vRealize Log Insight, or vRealize Automation, use vRealize Suite Lifecycle Manager.

If a patch must be applied to your environment, follow the VMware published practices and VMware Knowledge Base articles for the specific patch. If an issue occurs during or after the process of applying a patch, contact VMware Technical Support.

Before You Apply This Guidance

To use Deployment of VMware vRealize Suite 2019 on VMware Cloud Foundation 3.10, you must have a VMware Cloud Foundation 3.10 SDDC deployment with the following requirements:

- A newly deployed single-region SDDC

- A standard architecture - management domain and at least one virtual infrastructure workload domain

- During the VMware Cloud Foundation 3.10 bring-up, VXLAN-based overlay networks are created in the management domain. VMware Cloud Foundation 3.10 uses NSX Data Center for vSphere to create VXLAN-based overlay networks, called application virtual networks (AVNs). vRealize Suite products are deployed using these AVNs.

- vCenter Server instances in the management and workload domains are joined to Active Directory

Table 1-2. SDDC Virtual Infrastructure Components

| Product | Management Domain | VI Workload Domain |
|---|---|---|
| SDDC Manager | ✓ | x |
| VMware vSphere® | ✓ | ✓ |
| VMware vSAN™ | ✓ | Optional. Supports also NFS and FC. |
| VMware NSX® Data Center for vSphere® | ✓ | ✓ |
| VMware NSX-T™ Data Center | x | ✓ |

For information about the versions of the SDDC virtual infrastructure components, see the VMware Cloud Foundation 3.10 Release Notes.

For information about deploying an SDDC by using VMware Cloud Foundation 3.10, see VMware Cloud Foundation Architecture and Deployment Guide at VMware Cloud Foundation Documentation.

Update History

This Deployment of VMware vRealize Suite 2019 on VMware Cloud Foundation 3.10 is updated with each release of the product or when necessary.

| Revision | Description |
|---|---|
| 20 APR 2021 | This guidance is compatible with the 8.3 and 8.4 versions of the vRealize Suite 2019 products. You can replace the corresponding validated product versions with the compatible versions. If there are differences between the user interfaces of the validated and compatible versions, refer to the product documentation. See Table 1-1. vRealize Suite 2019 Products and Components. |
| | For vRealize Log Insight 8.2, the compatible content packs for NSX Data Center for vSphere, for NSX-T Data Center, and for vRealize Suite Lifecycle Manager are now the latest versions. See Table 1-1. vRealize Suite 2019 Products and Components. |
| 03 DEC 2020 | This guidance is compatible with the 8.2 versions of the vRealize Suite 2019 products. You can replace the corresponding validated product versions with the compatible versions. If there are differences between the user interfaces of the validated and compatible versions, refer to the product documentation. See Table 1-1. vRealize Suite 2019 Products and Components. |
| | To disassociate the default vRealize Log Insight deployment from SDDC Manager, you use a supported script from KB article https://kb.vmware.com/kb/81718. See the prerequisite in Remove the Default vRealize Log Insight Cluster in Region A. |
| 01 OCT 2020 | The vRealize Automation to vSphere Integration role now includes privileges for vSphere tagging, datastore low level file operations, and vApp application configuration. See Define Custom User Roles in vSphere for vRealize Automation in Region A. |
| | At VMware, we value inclusion. To foster this principle within our customer, partner, and internal community, we are replacing some of the terminology in our content. We have updated this guide to remove instances of non-inclusive language. |
| 17 AUG 2020 | The vRealize Automation implementation now includes a reference to a KB article for use if the deployment fails while connecting to Workspace ONE Access. See Deploy vRealize Automation Using vRealize Suite Lifecycle Manager in Region A. |
| 13 AUG 2020 | The vRealize Suite Lifecycle Manager implementation now includes updating the management domain vCenter Server in the region-specific data center to use the dedicated service account for the deployment of the region-specific components. See Configure Data Centers and vCenter Server in vRealize Suite Lifecycle Manager in Region A. |
| 08 JUL 2020 | The vRealize Automation implementation now includes an NTP configuration. See Configure NTP on the vRealize Automation Cluster. |
| 25 JUN 2020 | Initial release. |

Planning and Preparation for Deployment of VMware vRealize Suite 2019 on VMware Cloud Foundation 3.10

Before you deploy and configure the vRealize Suite components and Workspace ONE Access, you must prepare the prerequisites.

Software Requirements

To prepare for implementing the vRealize Suite components and Workspace ONE Access, you must download and license the VMware products, scripts, and tools, as well as the third-party software required for building the SDDC.

Download the software for building the SDDC to a host machine that you allocated for SDDC access, which has connectivity to the VMware ESXi™ management network in the management cluster.

- VMware Scripts and Tools

  Download the following scripts and tools required for the deployment of vRealize Suite 2019 on VMware Cloud Foundation 3.10.

- Third-Party Software

  Download and license the following third-party software products.

VMware Scripts and Tools

Download the following scripts and tools required for the deployment of vRealize Suite 2019 on VMware Cloud Foundation 3.10.

Table 1-1. VMware Scripts and Tools Required for vRealize Suite 2019 deployment

| SDDC Layer | Product or Product Group | Software or Script or Tool | Download Location | Description |
|---|---|---|---|---|
| SDDC | VMware Validated Design certificate generation utility | CertGenVVD 6.0 | VMware Knowledge Base article 78246 | Use this tool to generate Certificate Signing Request (CSR), OpenSSL CA-signed certificates, and Microsoft CA-signed certificates for the products included in this guide. |

Third-Party Software

Download and license the following third-party software products.

Table 1-2. Third-Party Software Required for the vRealize Suite 2019 deployment

| SDDC Layer | Required by VMware Component | Vendor | Product Item | Product Version |
|---|---|---|---|---|
| Virtual Infrastructure | A host machine in the data center that has access to the ESXi management network. | Any Supported | Any Supported | Any supported operating system and browser for the VMware vSphere® Client. |
| Operations Management | vRealize Operations Manager and vRealize Log Insight | Postman | Postman App | https://www.postman.com/ |

External Services

You must provide a set of external services before you deploy the vRealize Suite 2019 and Workspace ONE Access components for this guidance.

- IP Subnets for the Application Virtual Networks

  You must allocate an IP subnet to each application virtual network and the management applications that are in this network.

- Host Names and IP Addresses

  Before you deploy vRealize Suite 2019 and Workspace ONE Access, you must define the host names and IP addresses for each of the components. These host names must also be configured in DNS with fully qualified domain names (FQDN) that map the hosts to their IP addresses.

- Time Synchronization

  Synchronized systems over NTP are essential. Consistent system clocks are important for the proper operation of the components in the SDDC.

- User Accounts and Groups

  Before you deploy and configure vRealize Suite 2019 and Workspace ONE Access on VMware Cloud Foundation, you must provide a specific configuration of Active Directory users and groups. You use these users and Active Directory groups for application login, for assigning roles, and for application-to-application authentication.

- Active Directory Computer Objects

  You must create Active Directory computer objects for the Workspace ONE Access virtual appliances, so that they can join the Active Directory domain for connector operations.

- Additional Storage Requirements

  For vRealize Log Insight log archiving, you must provide supplemental storage.

IP Subnets for the Application Virtual Networks

You must allocate an IP subnet to each application virtual network and the management applications that are in this network.

Table 1-3. IP Subnets for the Application Virtual Networks

| Application Virtual Network | Subnet |
|---|---|
| Mgmt-xRegion01-VXLAN | 192.168.11.0/24 |
| Mgmt-RegionA01-VXLAN | 192.168.31.0/24 |

Note: Use these IP subnets as examples. Configure the actual IP subnets according to your environment.

Host Names and IP Addresses

Before you deploy vRealize Suite 2019 and Workspace ONE Access, you must define the host names and IP addresses for each of the components. These host names must also be configured in DNS with fully qualified domain names (FQDN) that map the hosts to their IP addresses.

- Host Names and IP Addresses for the Virtual Infrastructure Layer

  Allocate host names and IP addresses to components you deploy for the virtual infrastructure layer of the SDDC.

- Host Names and IP Addresses for vRealize Suite 2019 and Workspace ONE Access

  Allocate host names and IP addresses to all components you deploy for the vRealize Suite 2019 and Workspace ONE Access in the SDDC.

Host Names and IP Addresses for the Virtual Infrastructure Layer

Allocate host names and IP addresses to components you deploy for the virtual infrastructure layer of the SDDC.

Table 1-4. Host Names and IP Addresses for the Virtual Infrastructure Layer in Region A

| Component Group | Host Name | DNS Zone | IP Address | Description |
| --- | --- | --- | --- | --- |
| NSX® Data Center for vSphere | sfo01m01nsx01 | sfo01.rainpole.local | 172.16.11.65 | NSX Manager for the management domain |
| | sfo01m01lb01 | - | 192.168.11.2 | NSX Edge device for load balancing management applications |

Host Names and IP Addresses for vRealize Suite 2019 and Workspace ONE Access

Allocate host names and IP addresses to all components you deploy for the vRealize Suite 2019 and Workspace ONE Access in the SDDC.

Table 1-5. Host Names and IP Addresses for Cloud Operations and Cloud Automation

| Component Group | Host Name | DNS Zone | IP Address | Description |
| --- | --- | --- | --- | --- |
| Cross-Region Workspace ONE Access | wsa01svr01 | rainpole.local | 192.168.11.60 | External load balancer virtual server VIP for the Workspace ONE Access cluster |
| | wsa01svr01a | rainpole.local | 192.168.11.61 | Primary node of the cross-region Workspace ONE Access cluster |
| | wsa01svr01b | rainpole.local | 192.168.11.62 | Secondary node 1 of the cross-region Workspace ONE Access cluster |
| | wsa01svr01c | rainpole.local | 192.168.11.63 | Secondary node 2 of the cross-region Workspace ONE Access cluster |
| | n/a | n/a | 192.168.11.64 | Postgres Database IP of the cross-region Workspace ONE Access cluster |
| Region-Specific Workspace ONE Access | sfo01wsa01 | sfo01.rainpole.local | 192.168.31.60 | Standalone node of the regional Workspace ONE Access instance |
| vRealize® Suite Lifecycle Manager | vrslcm01svr01 | rainpole.local | 192.168.11.20 | vRealize Suite Lifecycle Manager appliance |
| vRealize® Operations Manager | vrops01svr01 | rainpole.local | 192.168.11.30 | External load balancer virtual server VIP for the vRealize Operations Manager analytics cluster |
| | vrops01svr01a | rainpole.local | 192.168.11.31 | Primary node of vRealize Operations Manager |
| | vrops01svr01b | rainpole.local | 192.168.11.32 | Primary replica node of vRealize Operations Manager |
| | vrops01svr01c | rainpole.local | 192.168.11.33 | Data node 1 of vRealize Operations Manager |
| | sfo01vropsc01a | sfo01.rainpole.local | 192.168.31.31 | Remote Collector 1 of vRealize Operations Manager |
| | sfo01vropsc01b | sfo01.rainpole.local | 192.168.31.32 | Remote Collector 2 of vRealize Operations Manager |
| vRealize® Log Insight | sfo01vrli01 | sfo01.rainpole.local | 192.168.31.10 | Integrated load balancer VIP of vRealize Log Insight cluster |
| | sfo01vrli01a | sfo01.rainpole.local | 192.168.31.11 | Primary node of the vRealize Log Insight cluster |
| | sfo01vrli01b | sfo01.rainpole.local | 192.168.31.12 | Worker node 1 of the vRealize Log Insight cluster |
| | sfo01vrli01c | sfo01.rainpole.local | 192.168.31.13 | Worker node 2 of the vRealize Log Insight cluster |
| VMware vRealize® Automation | vra01svr01 | rainpole.local | 192.168.11.50 | External load balancer virtual server VIP of vRealize Automation cluster |
| | vra01svr01a | rainpole.local | 192.168.11.51 | Node 1 of vRealize Automation cluster |
| | vra01svr01b | rainpole.local | 192.168.11.52 | Node 2 of vRealize Automation cluster |
| | vra01svr01c | rainpole.local | 192.168.11.53 | Node 3 of the vRealize Automation cluster |

Time Synchronization

Synchronized systems over NTP are essential. Consistent system clocks are important for the proper operation of the components in the SDDC.

Using NTP also makes it easier to correlate log files from multiple sources during troubleshooting, auditing, or inspection of log files to detect attacks.

- Requirements for Time Synchronization

  All vRealize Suite 2019 and Workspace ONE Access components must be configured to use NTP for time synchronization.

Requirements for Time Synchronization

All vRealize Suite 2019 and Workspace ONE Access components must be configured to use NTP for time synchronization.

NTP Server Configuration

- Configure two time sources per region that are external to the SDDC. These sources can be physical radio or GPS time servers, or even NTP servers running on physical routers or servers.

- Ensure that the external time servers are synchronized to different time sources to ensure desirable NTP dispersion.

DNS Configuration

Configure a DNS Canonical Name (CNAME) record that maps the two time sources to one DNS name.

Table 1-6. NTP Server FQDN and IP Configuration in Region A

| NTP Server FQDN | Mapped IP Address |
| --- | --- |
| ntp.sfo01.rainpole.local | 172.16.11.251, 172.16.11.252 |
| 0.ntp.sfo01.rainpole.local | 172.16.11.251 |
| 1.ntp.sfo01.rainpole.local | 172.16.11.252 |

Time Synchronization on the SDDC Nodes

- Synchronize time with NTP on the following SDDC components:
  - Active Directory domain controllers
  - SDDC Manager
  - vCenter Server instances
  - ESXi hosts
  - NSX Managers, Edges, and Controllers, as applicable
  - Workspace ONE Access instance and cluster appliances
  - vRealize Suite Lifecycle Manager appliance
  - vRealize Log Insight cluster appliances
  - vRealize Operations Manager cluster appliances
  - vRealize Automation cluster appliances

- Configure each system with one or more NTP server aliases.

Time Synchronization for Virtual Machines

As a best practice, for time synchronization on virtual machines, enable NTP-based time synchronization instead of the VMware Tools periodic time synchronization. NTP is an industry standard and ensures accurate timekeeping in the guest operating system.

User Accounts and Groups

Before you deploy and configure vRealize Suite 2019 and Workspace ONE Access on VMware Cloud Foundation, you must provide a specific configuration of Active Directory users and groups. You use these users and Active Directory groups for application login, for assigning roles, and for application-to-application authentication.

Active Directory Service Accounts

In an environment that has parent and child domains in a single forest, store service accounts in the parent domain and user accounts in each of the child domains. By using the group scope attribute of Active Directory groups, you manage resource access across domains.

Active Directory Administrator Account

Some installation and configuration tasks require a domain account with elevated permissions to add computer objects to the Active Directory domains.

- Active Directory Groups

  To grant user and service accounts the access that is required to perform their task, create Active Directory groups according to certain rules.

- Active Directory User Accounts

  A service account provides non-interactive and non-human access to services and APIs to the components of the SDDC. You must create service accounts for accessing functionality on the SDDC nodes, and user accounts for operations and tenant administration.

- Local Application User Accounts

  Local application user accounts enable you to perform system and application administration. To deploy vRealize Suite and Workspace ONE Access components, you must follow the required password complexity to set the passwords for local root and administrative accounts.

- Password Complexity for Application and Service Accounts

  You must consider the requirements for password complexity. Provide the default passwords for the products according to the requirements before you run the deployment operation.

Active Directory Groups

To grant user and service accounts the access that is required to perform their task, create Active Directory groups according to certain rules.

Create Active Directory groups according to the following rules:

1 Add user and service accounts to universal groups in the parent domain.

2 Add the global groups in each child domain to the universal groups.

3 Where applicable, assign access rights and permissions to the global groups located in the child domains, and to the universal groups located in the parent domain, rainpole.local, to specific products according to their role.

Universal Groups in the Parent Domain

In the parent domain, rainpole.local, create the following universal groups:

Table 1-7. Universal Groups in the Parent Domain

| Group Name | Group Scope | Description |
| --- | --- | --- |
| ug-wsa-admins | Universal | Group for Workspace ONE Access administrators |
| ug-wsa-directory-admins | Universal | Group for Workspace ONE Access directory administrators |
| ug-wsa-read-only | Universal | Group for Workspace ONE Access read-only user |
| ug-vrslcm-admins | Universal | Group for vRealize Suite Lifecycle Manager administrators |
| ug-vrslcm-content-admins | Universal | Group for vRealize Suite Lifecycle Manager content administrators |
| ug-vrslcm-content-developers | Universal | Group for vRealize Suite Lifecycle Manager content developers |
| ug-vrops-admins | Universal | Group for vRealize Operations administrators |
| ug-vrops-content-admins | Universal | Group for vRealize Operations content administrators |
| ug-vrops-read-only | Universal | Group for vRealize Operations read-only users |
| ug-vrli-admins | Universal | Group for vRealize Log Insight super administrators |
| ug-vrli-users | Universal | Group for vRealize Log Insight dashboard users |
| ug-vrli-viewers | Universal | Group for vRealize Log Insight view-only users |
| ug-vra-org-owners | Universal | Group for vRealize Automation organization owners |
| ug-vra-cloud-assembly-admins | Universal | Group for vRealize Automation organization member and Cloud Assembly administrators |
| ug-vra-cloud-assembly-users | Universal | Group for vRealize Automation organization member and Cloud Assembly users |
| ug-vra-service-broker-admins | Universal | Group for vRealize Automation organization member and Service Broker administrators |
| ug-vra-service-broker-users | Universal | Group for vRealize Automation organization member and Service Broker users |
| ug-vra-orchestrator-admins | Universal | Group for vRealize Automation organization member and vRealize Orchestrator administrators |
| ug-vra-orchestrator-designers | Universal | Group for vRealize Automation organization member and vRealize Orchestrator workflow designers |
| ug-vra-project-admins-sample | Universal | Group for vRealize Automation organization member and project administrators for the sample project |
| ug-vra-project-admins-x | Universal | Group for vRealize Automation organization member and project administrators for a specific project |
| ug-vra-project-users-sample | Universal | Group for vRealize Automation organization member and project member for the sample project |
| ug-vra-project-users-x | Universal | Group for vRealize Automation organization member and project member for a specific project |

Global Groups in the Child Domains

In each child domain, add the relevant role-specific global group in the child domain to the role-specific universal group in the parent domain.

Table 1-8. Global Groups in the Child Domains

| Group Name | Group Scope | Description | Member of Groups |
| --- | --- | --- | --- |
| gg-vrslcm-admins | Global | Global group in a child domain for vRealize Suite Lifecycle Manager administrators | RAINPOLE\ug-vrslcm-admins |
| gg-vrslcm-content-admins | Global | Global group in a child domain for vRealize Suite Lifecycle Manager content administrators | RAINPOLE\ug-vrslcm-content-admins |
| gg-vrslcm-content-developers | Global | Global group in a child domain for vRealize Suite Lifecycle Manager content developers | RAINPOLE\ug-vrslcm-content-developers |
| gg-vrops-admins | Global | Global group in a child domain for vRealize Operations Manager administrators | RAINPOLE\ug-vrops-admins |
| gg-vrops-content-admins | Global | Global group in a child domain for vRealize Operations Manager content administrators | RAINPOLE\ug-vrops-content-admins |
| gg-vrops-read-only | Global | Global group in a child domain for vRealize Operations Manager read-only users | RAINPOLE\ug-vrops-read-only |
| gg-vrli-admins | Global | Global group in a child domain for vRealize Log Insight super administrators | RAINPOLE\ug-vrli-admins |
| gg-vrli-users | Global | Global group in a child domain for vRealize Log Insight dashboard users | RAINPOLE\ug-vrli-users |
| gg-vrli-viewers | Global | Global group in a child domain for vRealize Log Insight view-only users | RAINPOLE\ug-vrli-viewers |
| gg-vra-org-owners | Global | Global group in a child domain for vRealize Automation organization owners | RAINPOLE\ug-vra-org-owners |
| gg-vra-cloud-assembly-admins | Global | Global group in a child domain for vRealize Automation organization member and Cloud Assembly administrators | RAINPOLE\ug-vra-cloud-assembly-admins |
| gg-vra-cloud-assembly-users | Global | Global group in a child domain for vRealize Automation organization member and Cloud Assembly users | RAINPOLE\ug-vra-cloud-assembly-users |
| gg-vra-service-broker-admins | Global | Global group in a child domain for vRealize Automation organization member and Service Broker administrators | RAINPOLE\ug-vra-service-broker-admins |
| gg-vra-service-broker-users | Global | Global group in a child domain for vRealize Automation organization member and Service Broker users | RAINPOLE\ug-vra-service-broker-users |
| gg-vra-orchestrator-admins | Global | Global group in a child domain for vRealize Automation organization member and Orchestrator administrators | RAINPOLE\ug-vra-orchestrator-admins |
| gg-vra-orchestrator-designers | Global | Global group in a child domain for vRealize Automation organization member and Orchestrator workflow designers | RAINPOLE\ug-vra-orchestrator-designers |
| gg-vra-project-admins-sample | Global | Global group in a child domain for vRealize Automation organization member and Project Administrators for the sample project | RAINPOLE\ug-vra-project-admins-sample |
| gg-vra-project-admins-x | Global | Global group in a child domain for vRealize Automation organization member and project administrators for the specific project | RAINPOLE\ug-vra-project-admins-x |
| gg-vra-project-users-sample | Global | Global group in a child domain for vRealize Automation organization member and project member for the sample project | RAINPOLE\ug-vra-project-users-sample |
| gg-vra-project-users-x | Global | Global group in a child domain for vRealize Automation organization member and project member for the specific project | RAINPOLE\ug-vra-project-users-x |

Active Directory User Accounts

A service account provides non-interactive and non-human access to services and APIs to the components of the SDDC. You must create service accounts for accessing functionality on the SDDC nodes, and user accounts for operations and tenant administration.

Service Accounts

A service account is a standard Active Directory account that you configure in the following way:

- The password never expires.

- The user cannot change the password.

In addition, a special service account is also required to perform domain join operations if a component registers itself in Active Directory as a computer object. This account must have the right to join computers to the Active Directory domain.

Service Accounts for vRealize Suite 2019 and VMware Workspace ONE Access

This design introduces a set of service accounts that are used in a one- or bidirectional fashion to enable secure application communication. You use custom roles to ensure that these accounts have only the least permissions that are required for authentication and data exchange.

Table 1-9. Application-to-Application or Application Service Accounts in vRealize Suite and VMware Workspace ONE Access

| User Name | Description | Source | Destination | Required Role on the Destination | Password Complexity Category |
| --- | --- | --- | --- | --- | --- |
| svc-domain-join | Service account for performing domain-join operations for Workspace ONE Access connectors | Workspace ONE Access | Active Directory | Account Operators Group; Delegation to Join Computers to Domain for both the parent and child domains | Standard |
| svc-wsa-ad | Service account used for performing Active Directory bind operations in the Workspace ONE Access directory | Workspace ONE Access | Active Directory | - | Standard |
| svc-vrslcm-vsphere | A service account for deploying and managing the lifecycle of vRealize Suite components on the Software-Defined Data Center | vRealize Suite Lifecycle Manager | Management domain vCenter Server | vRealize Suite Lifecycle Manager User (Custom) | Standard |
| | | | Workload domain vCenter Server | No Access | Standard |
| svc-vrli-vsphere | Service account for connecting vRealize Log Insight to vCenter Server and ESXi for forwarding log information | vRealize Log Insight | vCenter Server | Log Insight User (Custom) | Standard |
| svc-vrli-vrops | Service account for connecting vRealize Log Insight to vRealize Operations Manager for log forwarding, alerts, and for Launch in Context integration | vRealize Log Insight | vRealize Operations Manager | Administrator | Standard |
| svc-vrops-vsphere | Service account for monitoring and collecting general metrics about vSphere objects, including infrastructure and virtual machines, from vCenter Server into vRealize Operations Manager. Also to perform some actions or tasks on the objects it manages in vCenter Server | vRealize Operations Manager | vCenter Server | vSphere Actions User | Standard |
| svc-vrops-nsx | Service account that is available in the Active Directory domain and locally on NSX Manager for collecting data in vRealize Operations Manager from the NSX Manager instances about virtual networking. Important: Only applicable to NSX Data Center for vSphere. | vRealize Operations Manager | vCenter Server | Read-Only | Standard |
| | | | NSX Data Center for vSphere | Security Administrator | Standard |
| svc-vrops-vsan | Service account for monitoring and collecting metrics about vSAN datastores from vCenter Server in vRealize Operations Manager | vRealize Operations Manager | vCenter Server | MPSD Metrics User | Standard |
| svc-vrops-mpsd | Service account for monitoring storage devices from vCenter Server in vRealize Operations Manager | vRealize Operations Manager | vCenter Server | MPSD Metrics User | Standard |
| svc-vrops-vra | Service account for monitoring vRealize Automation in vRealize Operations Manager | vRealize Operations Manager | vRealize Automation | Organization Owner; Cloud Assembly; Cloud Assembly Administrator | Standard |
| svc-vra-vrops | Service account for retrieving statistics from vRealize Operations Manager in vRealize Automation for workload placement and costs | vRealize Automation | vRealize Operations Manager | Read-Only | Standard |
| svc-vra-vsphere | Service account for access from vRealize Automation to vCenter Server. | vRealize Automation | Management domain vCenter Server | No Access | Standard |
| | | | Workload domain vCenter Server | vRealize Automation to vSphere Integration (Custom) | Standard |
| svc-vro-vsphere | Service account for access from vRealize Orchestrator to vCenter Server | vRealize Orchestrator | Management domain vCenter Server | No Access | Standard |
| | | | Workload domain vCenter Server | vRealize Orchestrator to vSphere Integration (Custom) | Standard |

Local Application User Accounts

Local application user accounts enable you to perform system and application administration. To deploy vRealize Suite and Workspace ONE Access components, you must follow the required password complexity to set the passwords for local root and administrative accounts.

All passwords must meet the specific requirements for their complexity category. See Password Complexity for Application and Service Accounts. Passwords can be the same or different across components.

Table 1-10. Local Application Accounts

| SDDC Layer | Component | User Account | Description | Password Complexity Category |
| --- | --- | --- | --- | --- |
| Security and Compliance | Workspace ONE Access | root | Appliance operating system account | Standard |
| | | sshuser | Appliance operating system account | Standard |
| | | admin | Default application administrator account | Standard |
| | | configadmin | Bootstrapped application user account | Standard |
| Cloud Operations | vRealize Suite Lifecycle Manager | root | Appliance operating system account | Standard |
| | | admin@local | Default application administrator account | Standard |
| | vRealize Operations Manager | root | Appliance operating system account | Standard |
| | | admin | Default application administrator account | Standard |
| | vRealize Log Insight | root | Appliance operating system account | vRealize Log Insight |
| | | admin | Default application administrator account | Standard |
| Cloud Automation | vRealize Automation | root | Appliance operating system account | Standard |

Password Complexity for Application and Service Accounts

You must consider the requirements for password complexity. Provide the default passwords for the products according to the requirements before you run the deployment operation.

Passwords can be different per account or common across multiple accounts.

You set passwords for both the required local accounts and Active Directory users. For information on the use, names, and required roles for the accounts, see Active Directory User Accounts and Local Application User Accounts.

Table 1-11. Categories of Password Complexity Requirements

Password category type: Standard

- Length: 8-125 characters
- Characters:
  - Must include the following characters:
    - A mix of upper-case and lower-case letters
    - A number
    - A special character such as @ ! # $ % ^ ?
  - Must not include characters such as { } [ ] ( ) / \ ' " ` ~ , ; : . < >

Password category type: ESG

- Length: 12-255 characters
- Characters:
  - Must include the following characters:
    - A mix of upper-case and lower-case letters
    - A number
    - A special character such as @ ! # $ % ^ ?
  - Must not include the following characters:
    - Characters such as { } [ ] ( ) / \ ' " ` ~ , ; : . < >
    - Words, for example, admin
    - Characters repeated subsequently more than three times

Password category type: vRealize Log Insight

- Length: 8-12 characters
- Characters:
  - Must include the following types of characters:
    - A mix of upper-case and lower-case letters
    - A number
    - A special character such as @ ! # $ % ^ ?
  - Must not include a character repeated subsequently more than four times
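The following added example is not part of the VMware guide. It checks candidate passwords against the three categories in Table 1-11 before a deployment run, without echoing the passwords. Assumptions: only the special characters listed in the table count as special, the word list is illustrative, "repeated subsequently more than N times" is read as a run longer than N identical characters, and all function and variable names are hypothetical.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Special characters Table 1-11 gives as examples. Assumption: this validator is
# conservative and counts only these as satisfying the "special character" rule.
SPECIALS = set("@!#$%^?")
# Characters Table 1-11 lists as not allowed for the Standard and ESG categories.
FORBIDDEN = set("{}[]()/\\'\"`~,;:.<>")
# Assumption: the table only says "Words, for example, admin"; this list is illustrative.
BANNED_WORDS = ("admin", "password", "root")


@dataclass(frozen=True)
class Category:
    min_len: int
    max_len: int
    forbid_chars: bool       # apply the FORBIDDEN character set
    forbid_words: bool       # apply the BANNED_WORDS list
    max_run: Optional[int]   # longest allowed run of one character, None = unlimited


CATEGORIES: Dict[str, Category] = {
    "Standard": Category(8, 125, True, False, None),
    "ESG": Category(12, 255, True, True, 3),
    "vRealize Log Insight": Category(8, 12, False, False, 4),
}


def longest_run(text: str) -> int:
    """Length of the longest run of one repeated character."""
    longest = current = 0
    previous = None
    for ch in text:
        current = current + 1 if ch == previous else 1
        previous = ch
        longest = max(longest, current)
    return longest


def check_password(password: str, category: str) -> List[str]:
    """Return the rules the password violates; an empty list means compliant."""
    rule = CATEGORIES[category]
    problems = []
    if not rule.min_len <= len(password) <= rule.max_len:
        problems.append(f"length must be {rule.min_len}-{rule.max_len} characters")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        problems.append("needs upper-case and lower-case letters")
    if not any(c.isdigit() for c in password):
        problems.append("needs a number")
    if not any(c in SPECIALS for c in password):
        problems.append("needs a special character")
    if rule.forbid_chars and any(c in FORBIDDEN for c in password):
        problems.append("contains a disallowed character")
    if rule.forbid_words and any(w in password.lower() for w in BANNED_WORDS):
        problems.append("contains a dictionary word")
    if rule.max_run is not None and longest_run(password) > rule.max_run:
        problems.append(f"repeats a character more than {rule.max_run} times")
    return problems


def audit_plan(plan: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Check (account, category, password) rows; passwords are never echoed."""
    return {account: check_password(pw, cat) for account, cat, pw in plan}


# Constructed sample plan: account names and categories follow Tables 1-9 and 1-10,
# the passwords are made up for this example.
SAMPLE_PLAN = [
    ("svc-wsa-ad", "Standard", "Xk7#qPz9!mTw"),
    ("svc-vrli-vsphere", "Standard", "Rainpole.2021!"),   # '.' is disallowed
    ("vRealize Log Insight root", "vRealize Log Insight", "Xk7#qPz9!mTwQ"),  # 13 chars
]

if __name__ == "__main__":
    for account, problems in audit_plan(SAMPLE_PLAN).items():
        print(account, "OK" if not problems else "; ".join(problems))
```

A password that satisfies Standard can still fail the vRealize Log Insight category on length alone, so check each account against the category its table row assigns.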

Active Directory Computer Objects

You must create Active Directory computer objects for the Workspace ONE Access virtual appliances, so that they can join the Active Directory domain for connector operations.

Computer Objects in the Parent Domain

In the parent domain, rainpole.local, create the following computer objects.

Table 1-12. Computer Objects in the Parent Domain

| Computer Name | User or Group | Description |
| --- | --- | --- |
| wsa01svr01a | rainpole.local\svc-domain-join | Workspace ONE Access connectors |
| wsa01svr01b | | |
| wsa01svr01c | | |

Computer Objects in the Child Domains

In the child domain, sfo01.rainpole.local, create the following computer objects.

Table 1-13. Computer Objects in the Child Domain

| Computer Name | User or Group | Description |
| --- | --- | --- |
| sfo01wsa01 | sfo01.rainpole.local\svc-domain-join | Workspace ONE Access connectors |

Additional Storage Requirements

For vRealize Log Insight log archiving, you must provide supplemental storage.

Table 1-14. NFS Export Configuration for vRealize Log Insight

| Server | Export | Size | Description |
| --- | --- | --- | --- |
| nfs_server_address | /sfo01vrli01_archive | 400 GB | NFS datastore for log archiving in vRealize Log Insight |

My VMware Account Requirements

You register vRealize Suite Lifecycle Manager with My VMware to download product binaries to the local repository used during some post-deployment and upgrade operations. With the My VMware account, you can also download content from the VMware Marketplace API service through the vRealize Suite Lifecycle Manager integration.

You use the My VMware integration to simplify, automate, organize, and update the repository. If your organization restricts outbound traffic from the management components of the SDDC, you can download the product binaries from My VMware and discover them in the vRealize Suite Lifecycle Manager user interface for inclusion in the repository.

To register vRealize Suite Lifecycle Manager with My VMware, invite a designated user to the entitlement account and limit the folder level permissions for the user.

- For information about inviting a user to a My VMware account, see KB 2070555.

- For information about assigning user permissions in a My VMware account, see KB 2006977.

You can structure the folders, user, and permissions in a My VMware entitlement account in any way that best serves the asset management and operations support needs of your business. The minimum requirements and permissions for the My VMware account used by vRealize Suite Lifecycle Manager include:

- A folder with the vRealize Suite product entitlements

- View License Keys & User Permissions

- Download Products

Table 1-15. My VMware Account for vRealize Suite Lifecycle Manager

- First Name and Last Name: vRealize Suite Lifecycle Manager User at Rainpole
- User Email: [email protected]
- Minimum Folder Permissions:
  - View License Keys & User Permissions
  - Download Products
- Folder:
  - Home folder
  - Child folder
- Product Entitlement in Folder: vRealize Suite

Prepare the Environment for Deployment of Cloud Operations and Automation in Region A

Before you begin the deployment of vRealize Suite 2019 and Workspace ONE Access in Region A, your environment must meet target prerequisites and be in a specific starting state. Prepare the SDDC by configuring the necessary infrastructure, operational, and management components.

Prerequisites

You have a newly deployed VMware Cloud Foundation 3.10 SDDC.

Procedure

1 Remove the Default vRealize Log Insight Cluster in Region A

You first disassociate the default vRealize Log Insight deployment from SDDC Manager, then you power off and delete the vRealize Log Insight nodes from the management domain vCenter Server.

2 Create the Virtual Machine and Template Folders in Region A

Create folders in which to group the vRealize Suite and Workspace ONE Access components for easier management.

3 Deploy the NSX Data Center for vSphere Load Balancer in Region A

You deploy a load balancer for use by the cross-region Workspace ONE Access, vRealize Operations Manager, and vRealize Automation components, which are connected to the Mgmt-xRegion01-VXLAN application virtual network.

Remove the Default vRealize Log Insight Cluster in Region A

You first disassociate the default vRealize Log Insight deployment from SDDC Manager, then you power off and delete the vRealize Log Insight nodes from the management domain vCenter Server.

Table 1-1. vRealize Log Insight Nodes

| vRealize Log Insight Node | VM Name |
| --- | --- |
| Primary node | sfo01vrli01a |
| Worker node 1 | sfo01vrli01b |
| Worker node 2 | sfo01vrli01c |

Prerequisites

Disassociate the default vRealize Log Insight deployment from SDDC Manager by using a supported script on the SDDC Manager appliance. See https://kb.vmware.com/kb/81718.

Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Client.

Setting      Value
URL          https://sfo01m01vc01.sfo01.rainpole.local/ui
User name    [email protected]
Password     vsphere_admin_password

2 From the Hosts and clusters inventory, select the sfo01-m01-mgmt01 cluster.

3 Click the VMs tab.

4 In the Filter text box, enter sfo01vrli01 and press Enter.

5 Right-click each vRealize Log Insight virtual machine and select Power > Power off.

6 Wait for the virtual machines to power off.

7 Right-click each vRealize Log Insight virtual machine and select Delete from Disk.

Create the Virtual Machine and Template Folders in Region A

Create folders in which to group the vRealize Suite and Workspace ONE Access components for easier management.

You create folders to group application components.

Application                                              Folder
vRealize Suite Lifecycle Manager                         sfo01-m01fd-vrslcm
Cross-region and region-specific Workspace ONE Access    sfo01-m01fd-wsa
vRealize Operations Manager                              sfo01-m01fd-vrops
vRealize Operations Manager remote collectors            sfo01-m01fd-vropsrc
vRealize Log Insight                                     sfo01-m01fd-vrli
vRealize Automation                                      sfo01-m01fd-vra

Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Client.

Setting      Value
URL          https://sfo01m01vc01.sfo01.rainpole.local/ui
User name    [email protected]
Password     vsphere_admin_password

2 In the VMs and templates inventory, expand the sfo01m01vc01.sfo01.rainpole.local tree.

3 Right-click the sfo01-m01dc data center, and select New folder > New VM and template folder.

4 In the New folder dialog box, enter sfo01-m01fd-vrslcm as the folder name, and click OK.

5 Repeat this procedure to create the remaining folders for the application components.

Deploy the NSX Data Center for vSphere Load Balancer in Region A

You deploy a load balancer for use by the cross-region Workspace ONE Access, vRealize Operations Manager, and vRealize Automation components, which are connected to the Mgmt-xRegion01-VXLAN application virtual network.

Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Client.

Setting      Value
URL          https://sfo01m01vc01.sfo01.rainpole.local/ui
User name    [email protected]
Password     vsphere_admin_password

2 In the Networking and security inventory, click NSX Edges.

3 From the NSX Manager drop-down menu, select 172.16.11.65.

4 Click Add and select Edge services gateway.

5 On the Basic details page of the New edge services gateway wizard, enter these values and click Next.

Setting                     Value
Name                        sfo01m01lb01
Hostname                    sfo01m01lb01.sfo01.rainpole.local
Tenant                      -
Description                 Load Balancer for vRealize Suite
Deploy NSX Edge             Selected
Enable high availability    Selected

6 On the Settings page, enter these values and click Next.

Setting                        Value
User name                      admin
Password                       edge_admin_password
Enable SSH access              Selected
Enable FIPS mode               Deselected
Enable auto rule generation    Selected
Edge control level logging     Info

7 On the Deployment configuration page, perform the following configuration steps, and click Next.

a From the Datacenter drop-down menu, select sfo01-m01dc.

b Under Appliance size, select Large.

c Click Add edge appliance VM, enter these values, and click OK.

Setting                 Value
Resource pool           sfo01-m01-mgmt01
Datastore               sfo01-m01-vsan01
Folder                  sfo01-m01fd-nsx
Resource reservation    System Managed

d Repeat Step 7.c to create a second appliance.

8 On the Configure interfaces page, configure the OneArmLB interface.

a Click Add.

b On the Basic tab, enter these values.

Setting                Value
Name                   OneArmLB
Type                   Internal
Connected to           Mgmt-xRegion01-VXLAN
Connectivity status    Connected

c On the Basic tab, under Configure subnets, click Add and enter these values.

Setting                 Value
Primary IP address      192.168.11.2
Subnet prefix length    24

d Click the Advanced tab and enter these values.

Setting               Value
MAC address           -
MTU                   9000
Proxy ARP             Disabled
Send ICMP redirect    Selected
Reverse path filter   Enable Strict
Fence parameters      -

e Click OK and click Next.

9 On the Default gateway page, turn off the Configure default gateway toggle to disable the default gateway and click Next.

10 On the Firewall default policy page, configure these settings and click Next.

Setting                    Value
Firewall default policy    Enabled
Default traffic policy     Accept
Logging                    Disabled

11 On the High availability page, configure these settings and click Next.

Setting              Value
vNIC                 any
Declare dead time    15
Management IPs       -
HA logging           Disabled

12 On the Review page, review the configuration settings that you entered and click Finish.

13 Enable HA logging.

a On the NSX Edges page, click the ID of the sfo01m01lb01 edge services gateway to open its network settings.

b Click the Configure tab and click High availability.

c Click Edit.

d Turn on the Logging toggle and click Save.

14 Configure the default gateway.

a On the NSX Edges page, click the ID of the sfo01m01lb01 edge services gateway to open its network settings.

b Click the Routing tab and click Global configuration.

c Next to Default Gateway, click Edit.

d In the Gateway IP text box, enter 192.168.11.1 and click Save.

e Click Publish changes.

15 Enable the Load Balancer and Acceleration mode.

a On the NSX Edges page, click the ID of the sfo01m01lb01 edge services gateway to open its network settings.

b Click the Load balancer tab and click Global configuration.

c Click Edit and turn on the Load balancer and Acceleration toggles.

d Click Save.

vRealize Suite Lifecycle Manager Implementation in Region A

You deploy the vRealize Suite Lifecycle Manager appliance by using the vRealize Easy Installer, configure common settings, and upload and configure product binaries.

Procedure

1 Prerequisites for Deploying vRealize Suite Lifecycle Manager in Region A

Before you deploy vRealize Suite Lifecycle Manager in Region A, verify that your environment fulfills the requirements for this deployment.

2 Configure User Access in vSphere for Integration with vRealize Suite Lifecycle Manager in Region A

Configure an operations service account with the required permissions to enable the vRealize Suite Lifecycle Manager instance to deploy and manage the vRealize Suite components of the Software-Defined Data Center (SDDC) on the Management domain vCenter Server.

3 Deploy the vRealize Suite Lifecycle Manager Appliance in Region A

You deploy the vRealize Suite Lifecycle Manager appliance by using VMware vRealize Suite Lifecycle Manager 8.1 Easy Installer, configure storage, networking, and other appliance attributes.

4 Post-Deployment Configuration of the vRealize Suite Lifecycle Manager Instance in Region A

You configure the vRealize Suite Lifecycle Manager appliance system settings and replace the appliance certificate.

5 Register the vRealize Suite Lifecycle Manager Instance with My VMware

You can integrate vRealize Suite Lifecycle Manager directly with a My VMware account to access vRealize Suite licenses within an entitlement account and manage the download of product OVA files for install, patch, and upgrade. You can also use the My VMware account registration to download content from the VMware Marketplace.

6 Upload and Map Product Binaries to the vRealize Suite Lifecycle Manager Instance in Region A

You upload product binaries to the vRealize Suite Lifecycle Manager repository and map the binaries by using vRealize Suite Lifecycle Manager UI.

7 Configure Data Centers and vCenter Server in vRealize Suite Lifecycle Manager in Region A

Before you can create a local environment for product deployments, you must update the credentials for the Management domain vCenter Server that is associated with the region-specific data center in vRealize Suite Lifecycle Manager. Before you can create a cross-region environment for product deployments, you must add a cross-region data center and the associated Management domain vCenter Server to vRealize Suite Lifecycle Manager.

8 Add the Cross-Region Environment Password to vRealize Suite Lifecycle Manager

To enable vRealize Suite Lifecycle Manager to deploy cross-region solution products, you must add the cross-region environment administrator account to the vRealize Suite Lifecycle Manager Locker.

Prerequisites for Deploying vRealize Suite Lifecycle Manager in Region A

Before you deploy vRealize Suite Lifecycle Manager in Region A, verify that your environment fulfills the requirements for this deployment.

Verify that your environment satisfies the following prerequisites for the deployment of vRealize Suite Lifecycle Manager.

Prerequisite             Value
Storage                  - Virtual disk provisioning: Thin
                         - Required storage: 254 GB
Software Features        - Verify that vCenter Server is operational.
                         - Verify that vCenter Server is joined to Active Directory.
                         - Verify that the application virtual networks are available.
                         - Verify that you have a VMware Cloud Foundation edition that covers the products in the vRealize Suite.
                         - Verify the static IP address and FQDN for the vRealize Suite Lifecycle Manager deployment. See Host Names and IP Addresses for vRealize Suite 2019 and Workspace ONE Access.
Installation packages    Verify that you downloaded the VMware vRealize Suite Lifecycle Manager 8.1 Easy Installer OVA file from My VMware.
Software Entitlement     Verify that you obtained a vRealize Suite edition that satisfies the requirements of this design.
My VMware Account        Verify that you have a My VMware account with permissions to view licenses and download products.
Active Directory         Verify that you have a parent Active Directory with the SDDC user roles configured for the domain.
                         - svc-vrslcm-vsphere (User)
Certificate Authority    Verify that you have a validated SSL certificate. You can generate the certificate using the CertGenVVD utility. See Certificate Generation Utility for VMware Validated Design for Software-Defined Data Center 6.x (78246).

Configure User Access in vSphere for Integration with vRealize Suite Lifecycle Manager in Region A

Configure an operations service account with the required permissions to enable the vRealize Suite Lifecycle Manager instance to deploy and manage the vRealize Suite components of the Software-Defined Data Center (SDDC) on the Management domain vCenter Server.

Procedure

1 Define a User Role in vSphere for vRealize Suite Lifecycle Manager in Region A

Create a user role in the vSphere Client with the required privileges to enable the vRealize Suite Lifecycle Manager instance to deploy and manage the vRealize Suite components.

2 Configure Service Account Permissions in vSphere for Integration with vRealize Suite Lifecycle Manager in Region A

To allow deploying and managing SDDC components on the Management domain vCenter Server inventory, you assign account permissions to the service account for communication from vRealize Suite Lifecycle Manager to vSphere.

Define a User Role in vSphere for vRealize Suite Lifecycle Manager in Region A

Create a user role in the vSphere Client with the required privileges to enable the vRealize Suite Lifecycle Manager instance to deploy and manage the vRealize Suite components.

Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Client.

Setting      Value
URL          https://sfo01m01vc01.sfo01.rainpole.local/ui
User name    [email protected]
Password     vsphere_admin_password

2 Select Menu > Administration.

3 In the left pane, select Access control > Roles.

4 From the Roles provider drop-down menu, select sfo01m01vc01.sfo01.rainpole.local.

5 Click the Create role action icon, select these privileges, and click Next.

Category           Privilege
Content library    All content library privileges
Datastore          All datastore privileges
Host               Inventory.Modify cluster
                   Local Operations.Add host to vCenter
                   Local Operations.Create virtual machine
                   Local Operations.Delete virtual machine
                   Local Operations.Reconfigure virtual machine
Network            Assign network
Resource           Assign vApp to resource pool
                   Assign virtual machine to resource pool
Virtual machine    All virtual machine privileges
vApp               All vApp privileges

6 In the Role name text box, enter vRealize Suite Lifecycle Manager to vSphere Integration and click Finish.

Configure Service Account Permissions in vSphere for Integration with vRealize Suite Lifecycle Manager in Region A

To allow deploying and managing SDDC components on the Management domain vCenter Server inventory, you assign account permissions to the service account for communication from vRealize Suite Lifecycle Manager to vSphere.

Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Client.

Setting      Value
URL          https://sfo01m01vc01.sfo01.rainpole.local/ui
User name    [email protected]
Password     vsphere_admin_password

2 Assign global permissions to the service account.

a Select Menu > Administration.

b In the left pane, select Access control > Global permissions.

c Click the Add permission icon, enter these values, and click OK.

Setting                  Value
Domain                   rainpole.local
User/Group               svc-vrslcm-vsphere
Role                     vRealize Suite Lifecycle Manager to vSphere Integration
Propagate to children    Selected

3 Restrict access to the workload domain in Region A for the svc-vrslcm-vsphere service account.

a In the Global inventory lists inventory, under Resources, click vCenter Servers.

b Select the Workload domain vCenter Server, sfo01w01vc01.sfo01.rainpole.local, and click the Permissions tab.

c In the User/Group column, click the RAINPOLE\svc-vrslcm-vsphere service account, and click the Change role icon.

d From the Role drop-down menu, select No access, leave the Propagate to children check-box selected, and click OK.

4 If there are other workload domains that are added to the SDDC, repeat Step 3 for each additional Workload domain vCenter Server.
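Steps 2 to 4 grant the service account a propagating global role and then rely on a per-vCenter No access override to keep it out of every workload domain, so a workload domain that is added later and never overridden silently inherits the integration role. The following check is an added example, not part of the VMware procedure: it models that precedence over an exported permission list. The Permission record layout, the GLOBAL marker and the second workload vCenter name are assumptions made for the illustration.

```python
from dataclasses import dataclass

INTEGRATION_ROLE = "vRealize Suite Lifecycle Manager to vSphere Integration"
NO_ACCESS = "No access"
GLOBAL = "<global>"  # assumed marker for a global permission in the export


@dataclass(frozen=True)
class Permission:
    entity: str      # vCenter Server FQDN, or GLOBAL
    principal: str   # for example RAINPOLE\svc-vrslcm-vsphere
    role: str
    propagate: bool


def effective_permission(perms, principal, vcenter):
    """Permission that decides the principal's role at one vCenter Server.

    A permission set directly on the vCenter Server wins over a global
    permission that only reaches it through propagation.
    """
    who = principal.lower()
    mine = [p for p in perms if p.principal.lower() == who]
    for p in mine:
        if p.entity == vcenter:
            return p
    for p in mine:
        if p.entity == GLOBAL and p.propagate:
            return p
    return None


def audit(perms, principal, management_vcs, workload_vcs):
    """Return a list of findings; an empty list means the layout matches."""
    findings = []
    for vc in management_vcs:
        p = effective_permission(perms, principal, vc)
        if p is None or p.role != INTEGRATION_ROLE:
            found = p.role if p else None
            findings.append(f"{vc}: integration role missing (found {found!r})")
    for vc in workload_vcs:
        p = effective_permission(perms, principal, vc)
        if p is None:
            continue  # no permission at all also means no access
        if p.entity == GLOBAL:
            findings.append(f"{vc}: no override, inherits global role {p.role!r}")
        elif p.role != NO_ACCESS:
            findings.append(f"{vc}: direct role is {p.role!r}, expected {NO_ACCESS!r}")
        elif not p.propagate:
            findings.append(f"{vc}: No access override does not propagate to children")
    return findings


# Constructed sample export. The second workload vCenter is hypothetical.
SVC = r"RAINPOLE\svc-vrslcm-vsphere"
MGMT_VCS = ["sfo01m01vc01.sfo01.rainpole.local"]
WORKLOAD_VCS = ["sfo01w01vc01.sfo01.rainpole.local",
                "sfo01w02vc01.sfo01.rainpole.local"]
SAMPLE = [
    Permission(GLOBAL, SVC, INTEGRATION_ROLE, True),
    Permission("sfo01w01vc01.sfo01.rainpole.local", SVC, NO_ACCESS, True),
]

if __name__ == "__main__":
    for line in audit(SAMPLE, SVC, MGMT_VCS, WORKLOAD_VCS):
        print(line)
```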

Deploy the vRealize Suite Lifecycle Manager Appliance in Region A

You deploy the vRealize Suite Lifecycle Manager appliance by using VMware vRealize Suite Lifecycle Manager 8.1 Easy Installer, configure storage, networking, and other appliance attributes.

Procedure

1 Mount the vRealize Suite Lifecycle Manager 8.1 Easy Installer ISO file on the host machine that has access to your data center by using a virtual CD-ROM emulator program.

2 Open the vRealize Suite Lifecycle Manager Easy Installer ISO file and navigate to the vrlcm-ui-installer\workstation_OS folder for the OS of your host machine.

For a Windows host machine, navigate to the cdrom:\vrlcm-ui-installer\win32\ folder.

3 Run the installer executable in the folder.

For a Windows host machine, double-click the installer.exe file.

The vRealize Suite Lifecycle Manager Easy Installer wizard opens.

4 Click Install.

5 On the Introduction page, click Next.

6 On the End user license agreement page, read and accept the terms of the license agreement.

7 Select Join the VMware customer experience improvement program and click Next.

8 On the Appliance deployment target page, enter these values and click Next.

Setting                    Value
vCenter Server hostname    sfo01m01vc01.sfo01.rainpole.local
HTTPS port                 443
Username                   [email protected]
Password                   svc-vrslcm-vsphere_password

9 If a Certificate warning dialog box appears, verify that the SSL certificate thumbprint matches the sfo01m01vc01.sfo01.rainpole.local appliance and click Accept.

10 On the Select a location page, expand sfo01m01vc01.sfo01.rainpole.local, expand sfo01-m01dc, select sfo01-m01fd-vrslcm and click Next.

11 On the Select a compute resource page, select the sfo01-m01-mgmt01 cluster and click Next.

12 On the Select a storage location page, select the sfo01-m01-vsan01 datastore, select Enable thin disk mode, and click Next.

13 On the Network configuration page, enter these values and click Next.

Setting                                 Value
Network                                 Distributed port group that ends with Mgmt-xRegion01-VXLAN.
IP assignment                           static
Subnet mask                             255.255.255.0
Default gateway                         192.168.11.1
DNS servers                             172.16.11.4,172.16.11.5
Domain name                             rainpole.local
Provide NTP server for the appliance    ntp.sfo01.rainpole.local

14 On the Password configuration page, configure the password for the vRealize Suite Lifecycle Manager root and admin users, and click Next.

15 On the Lifecycle Manager configuration page, enter these values and click Next.

Setting                     Value
Virtual machine name        vrslcm01svr01
IP address                  192.168.11.20
Hostname                    vrslcm01svr01.rainpole.local
Data center name            sfo01-m01dc
vCenter name                sfo01m01vc01.sfo01.rainpole.local
Increase disk size in GB    100

16 On the Identity Manager configuration page, turn on the Skip vIDM installation and import toggle and click Next.

17 On the vRealize Automation configuration page, click Next.

18 On the Summary page, review the installation configuration settings and click Submit.

An installation progress bar appears.

19 When the installation finishes, in the Installation process dialog box, click Close.

What to do next

Install vRealize Suite Lifecycle Manager 8.1 Patch 1 with product support pack 1 to support vRealize Log Insight 8.1.1:

1 Install vRealize Suite Lifecycle Manager 8.1 Patch 1.

See Download and Installation in the VMware vRealize Suite Lifecycle Manager 8.1 Patch 1 Release Notes.

2 Install the vRealize Suite Lifecycle Manager 8.1 product support pack 1 for vRealize Log Insight 8.1.1.

See vRealize Suite Lifecycle Manager 8.1 Product Support Pack 1 for vRealize Log Insight 8.1.1 in the VMware vRealize Suite Lifecycle Manager 8.1 Release Notes.
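Step 9 of the deployment procedure asks you to confirm that the thumbprint in the certificate warning belongs to sfo01m01vc01.sfo01.rainpole.local before you click Accept. The following helper is an added example, not part of the VMware procedure: it compares the thumbprint shown in the dialog with one computed from a certificate you obtained through a trusted path, such as an export from the appliance itself. The sample certificate bytes are constructed stand-ins, not a real certificate.

```python
import hashlib
import hmac
import re
import ssl

# Hex length of the thumbprint tells us which digest the dialog displayed.
_DIGEST_BY_HEX_LEN = {40: "sha1", 64: "sha256"}


def normalize_thumbprint(text):
    """Reduce 'AB:CD:..', 'ab cd ..' and 'abcd..' to the same lowercase hex."""
    hexdigits = re.sub(r"[\s:]", "", text).lower()
    if len(hexdigits) not in _DIGEST_BY_HEX_LEN:
        raise ValueError("thumbprint is neither SHA-1 nor SHA-256 length")
    if not re.fullmatch(r"[0-9a-f]+", hexdigits):
        raise ValueError("thumbprint contains non-hex characters")
    return hexdigits


def format_thumbprint(hexdigest):
    """Render a hex digest the way certificate dialogs usually show it."""
    pairs = [hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2)]
    return ":".join(pairs).upper()


def thumbprint_of_pem(pem, algorithm):
    """Digest of the DER encoding, which is what a thumbprint is."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.new(algorithm, der).hexdigest()


def thumbprint_matches(trusted_pem, displayed):
    """True if the dialog's thumbprint matches the trusted certificate."""
    expected = normalize_thumbprint(displayed)
    algorithm = _DIGEST_BY_HEX_LEN[len(expected)]
    actual = thumbprint_of_pem(trusted_pem, algorithm)
    return hmac.compare_digest(actual, expected)


# Constructed stand-in for certificate bytes so the example runs offline.
SAMPLE_DER = b"constructed stand-in for the DER bytes of a certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

if __name__ == "__main__":
    shown = format_thumbprint(hashlib.sha256(SAMPLE_DER).hexdigest())
    print(shown, thumbprint_matches(SAMPLE_PEM, shown))
```

A certificate fetched over the same connection that raised the warning is not an independent reference, so take the trusted copy from the appliance or from the issuing certificate authority.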

Post-Deployment Configuration of the vRealize Suite Lifecycle Manager Instance in Region A

You configure the vRealize Suite Lifecycle Manager appliance system settings and replace the appliance certificate.

Procedure

1 Configure the vRealize Suite Lifecycle Manager Instance in Region A

Add the password of the svc-vrslcm-vsphere service account to Locker. If the access to My VMware, VMware Marketplace, and VMware Updates requires a proxy server, configure a proxy for vRealize Suite Lifecycle Manager.

2 Replace the Certificate of the vRealize Suite Lifecycle Manager Instance in Region A

To establish a trusted connection to vRealize Suite Lifecycle Manager, you replace the SSL certificate on the appliance.

Configure the vRealize Suite Lifecycle Manager Instance in Region A

Add the password of the svc-vrslcm-vsphere service account to Locker. If the access to My VMware, VMware Marketplace, and VMware Updates requires a proxy server, configure a proxy for vRealize Suite Lifecycle Manager.

Procedure

1 In a Web browser, log in to vRealize Suite Lifecycle Manager by using the administration interface.

Setting      Value
URL          https://vrslcm01svr01.rainpole.local
User name    admin@local
Password     vrslcm_admin_password

2 Add the password of the svc-vrslcm-vsphere service account to Locker.

a On the My services page, click Locker.

b In the navigation pane, click Password.

c Click Add, enter these values, and click Add.

Setting                 Value
Password alias          svc-vrslcm-vsphere
Password                svc-vrslcm-vsphere_password
Confirm password        svc-vrslcm-vsphere_password
Password description    Password for [email protected]
User name               [email protected]

3 Return to the My services page by clicking the vRealize Suite Lifecycle Manager icon on the top left corner.

4 If required, configure a proxy server for vRealize Suite Lifecycle Manager.

a On the My services page, click Lifecycle operations.

b In the navigation pane, click Settings.

c Under System administration, click Proxy.

d Select the Configure proxy check box, enter these values, and click Save.

Setting       Value
Server        proxy_server_fqdn_or_ipaddress
Port          proxy_server_port
Credential    proxy_server_user

e Create the password alias for the proxy user by using Step 2.

Replace the Certificate of the vRealize Suite Lifecycle Manager Instance in Region A

To establish a trusted connection to vRealize Suite Lifecycle Manager, you replace the SSL certificate on the appliance.

Procedure

1 In a Web browser, log in to vRealize Suite Lifecycle Manager by using the administration interface.

Setting      Value
URL          https://vrslcm01svr01.rainpole.local
User name    admin@local
Password     vrslcm_admin_password

2 Add the certificate of the vRealize Suite Lifecycle Manager appliance to Locker.

a On the My services page, click Locker.

b In the navigation pane, click Certificate.

c On the Certificate page, click Import.

d On the Import certificate page, enter these values and click Import.

Setting                    Value
Name                       vrslcm01svr01-certificate
Pass phrase                vrslcm01svr01_certificate_password
Select certificate file    Navigate to vrslcm01svr01.2.chain.pem

3 Return to the My services page by clicking the vRealize Suite Lifecycle Manager icon on the top-left corner.

4 On the My services page, click Lifecycle operations.

5 In the navigation pane, click Settings.

6 Under System administration, click Change certificate.

7 On the Change certificate page, click Replace certificate.

8 On the Current certificate page, click Next.

9 On the Select certificate page, from the drop-down menu, select vrslcm01svr01-certificate, and click Next.

10 On the Precheck page, click Run.

11 Wait for all validations to pass and click Finish.

12 Log out, restart the browser, and log back in to vRealize Suite Lifecycle Manager by using the administration interface.

Register the vRealize Suite Lifecycle Manager Instance with My VMware

You can integrate vRealize Suite Lifecycle Manager directly with a My VMware account to access vRealize Suite licenses within an entitlement account and manage the download of product OVA files for install, patch, and upgrade. You can also use the My VMware account registration to download content from the VMware Marketplace.

As an alternative to using a My VMware account integration, you can directly upload product binaries to the vRealize Suite Lifecycle Manager repository. See Upload and Map Product Binaries to the vRealize Suite Lifecycle Manager Instance in Region A.

Prerequisites

If your organization restricts outbound access, configure a proxy server for the vRealize Suite Lifecycle Manager appliance. See Configure the vRealize Suite Lifecycle Manager Instance in Region A.

Procedure

1 In a Web browser, log in to vRealize Suite Lifecycle Manager by using the administration interface.

Setting      Value
URL          https://vrslcm01svr01.rainpole.local
User name    admin@local
Password     vrslcm_admin_password

2 On the My services page, click Locker.

3 In the navigation pane, click Password.

4 Click Add, enter these values, and click Add.

Setting                 Value
Password alias          svc-vrslcm-myvmware
Password                svc-vrslcm-myvmware_password
Confirm password        svc-vrslcm-myvmware_password
Password description    [email protected]
User name               [email protected]

5 Return to the My services page by clicking the vRealize Suite Lifecycle Manager icon on the top left corner.

6 On the My services page, click Lifecycle operations.

7 In the navigation pane, click Settings.

8 Under Servers & accounts, click My VMware.

9 Click Add My VMware account, enter these values, and click Validate.

Setting     Value
Username    [email protected]
Password    svc-vrslcm-myvmware_password

10 After the successful validation of the My VMware details, click Add.

Upload and Map Product Binaries to the vRealize Suite Lifecycle Manager Instance in Region A

You upload product binaries to the vRealize Suite Lifecycle Manager repository and map the binaries by using vRealize Suite Lifecycle Manager UI.

During the vRealize Suite Lifecycle Manager deployment, the vRealize Suite Lifecycle Manager Easy Installer uploads and maps the binary files for vRealize Automation and Workspace ONE Access. After the vRealize Suite Lifecycle Manager deployment, you upload and map the product binary files for vRealize Operations Manager and vRealize Log Insight.

If your organization restricts external access on the vRealize Suite Lifecycle Manager appliance, you obtain the necessary product binaries from the My VMware repository. After that, you upload and discover the product binaries to the vRealize Suite Lifecycle Manager appliance directly.

Table 2-1. Product Binary Files

Product                                   Binary File Name
VMware vRealize Operations Manager 8.1    vRealize-Operations-Manager-Appliance-8.1.0.build_number_OVF10.ova
VMware vRealize Log Insight 8.1.1         VMware-vRealize-Log-Insight-8.1.1.0-build_number_OVF10.ova

Alternatively, if your organization does not restrict external access on the vRealize Suite Lifecycle Manager appliance, you can download the product binaries for install and upgrade by using a registration of vRealize Suite Lifecycle Manager with a My VMware account. See Register the vRealize Suite Lifecycle Manager Instance with My VMware.

Procedure

1 Download the vRealize Operations Manager and vRealize Log Insight product binary files to your host machine.

2 Use an SCP client, such as WinSCP, to transfer the .ova files to the vRealize Suite Lifecycle Manager appliance by using these values.

Settings                  Values
Host name                 vrslcm01svr01.rainpole.local
User name                 root
Password                  vrslcm_root_password
Upload folder location    /data

3 In a Web browser, log in to vRealize Suite Lifecycle Manager by using the administration interface.

Setting      Value
URL          https://vrslcm01svr01.rainpole.local
User name    admin@local
Password     vrslcm_admin_password

4 On the My services page, click Lifecycle operations.

5 In the navigation pane, click Settings.

6 Under Servers & accounts, click Binary mapping.

7 On the Product binaries tab, click Add binaries.

8 For the Location type menu item, select the Local radio button.

9 In the Base location text box, enter /data and click Discover.

You can see a list of the supported products and versions for which you uploaded the binary files to the /data folder.

10 For each product, select the Install type of binary and click Add.

You submitted a product source mapping request for each product binary.

11 In the navigation pane, click Requests and monitor the Product source mapping request for each product.

The status of each product source mapping request transitions from Inprogress to Completed.
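When the .ova files reach the appliance by a manual download and an SCP transfer, as in steps 1 and 2, it is worth confirming each file is intact before it is copied to /data. An OVA is a tar archive whose .mf manifest lists a digest for every packaged file. The following check is an added example, not part of the VMware procedure, that recomputes those digests. The miniature archive it builds is constructed sample data, not a product binary.

```python
import hashlib
import io
import re
import tarfile

# OVF manifest line, for example: SHA256(disk1.vmdk)= 9f86d0...
_MF_LINE = re.compile(r"^(SHA1|SHA256|SHA512)\((.+)\)\s*=\s*([0-9a-fA-F]+)$")


def _digest(stream, algorithm):
    """Hash a file-like object in 1 MiB chunks so large disks fit in memory."""
    hasher = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(1 << 20), b""):
        hasher.update(chunk)
    return hasher.hexdigest()


def verify_ova(fileobj):
    """Return a list of problems; an empty list means every digest matched."""
    problems = []
    with tarfile.open(fileobj=fileobj, mode="r:") as tar:
        members = {m.name: m for m in tar.getmembers() if m.isfile()}
        manifests = [n for n in members if n.lower().endswith(".mf")]
        if len(manifests) != 1:
            return [f"expected exactly one .mf manifest, found {len(manifests)}"]
        text = tar.extractfile(members[manifests[0]]).read().decode("utf-8", "replace")
        listed = set()
        for line in (raw.strip() for raw in text.splitlines()):
            if not line:
                continue
            match = _MF_LINE.match(line)
            if not match:
                problems.append(f"unparseable manifest line: {line!r}")
                continue
            algorithm, name, expected = match.group(1), match.group(2), match.group(3)
            listed.add(name)
            if name not in members:
                problems.append(f"{name}: listed in manifest but missing from archive")
                continue
            actual = _digest(tar.extractfile(members[name]), algorithm.lower())
            if actual != expected.lower():
                problems.append(f"{name}: {algorithm} digest mismatch")
        # Files that the manifest does not cover were never checked at all.
        for name in members:
            if name not in listed and not name.lower().endswith((".mf", ".cert")):
                problems.append(f"{name}: present in archive but not covered by manifest")
    return problems


def build_sample_ova(tamper=False):
    """Constructed miniature OVA held in memory, for demonstration only."""
    ovf = b"<Envelope/>"
    disk = b"constructed disk bytes"
    manifest = (
        f"SHA256(sample.ovf)= {hashlib.sha256(ovf).hexdigest()}\n"
        f"SHA256(sample-disk1.vmdk)= {hashlib.sha256(disk).hexdigest()}\n"
    ).encode()
    if tamper:
        disk = b"constructed disk bytes, changed after the manifest was written"
    buffer = io.BytesIO()
    with tarfile.open(fileobj=buffer, mode="w") as tar:
        for name, data in (("sample.ovf", ovf), ("sample.mf", manifest),
                           ("sample-disk1.vmdk", disk)):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    buffer.seek(0)
    return buffer


if __name__ == "__main__":
    print(verify_ova(build_sample_ova()))
    print(verify_ova(build_sample_ova(tamper=True)))
```

For a downloaded file, pass open(path, "rb") to verify_ova. The manifest travels inside the archive, so this check catches corruption in transit; a checksum published by the vendor is the reference against deliberate modification.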

Configure Data Centers and vCenter Server in vRealize Suite Lifecycle Manager in Region A

Before you can create a local environment for product deployments, you must update the credentials for the Management domain vCenter Server that is associated with the region-specific data center in vRealize Suite Lifecycle Manager. Before you can create a cross-region environment for product deployments, you must add a cross-region data center and the associated Management domain vCenter Server to vRealize Suite Lifecycle Manager.

During the vRealize Suite Lifecycle Manager deployment, vRealize Easy Installer adds the region-specific data center, sfo01-m01dc, to vRealize Suite Lifecycle Manager. SDDC Manager associates the region-specific data center with the Management domain vCenter Server by using the administrator@local account. You update the Management domain vCenter Server in the region-specific data center to use the svc-vrslcm-vsphere account for the deployment of the region-specific components, such as vRealize Log Insight.

Also, you add the cross-region data center, cross-region-dc, and the associated Management domain vCenter Server for the deployment of the cross-region components, such as the Workspace ONE Access cluster, the vRealize Operations Manager analytics cluster, and the vRealize Automation cluster.

Procedure

1 In a Web browser, log in to vRealize Suite Lifecycle Manager by using the administration interface.

Setting Value

URL https://vrslcm01svr01.rainpole.local

User name admin@local

Password vrslcm_admin_password

2 On the My services page, click Lifecycle operations.

3 In the navigation pane, click Datacenters.

4 Update the Management domain vCenter Server in the region-specific data center to use the svc-vrslcm-vsphere account.

a On the Datacenters page, expand the sfo-m01-dc01 data center.

b In the row for sfo01m01vc01.sfo01.rainpole.local, click Edit vCenter.

c Update these values and click Validate.

Setting Value

vCenter credentials svc-vrslcm-vsphere

vCenter type Management

d After the successful vCenter Server validation, click Save.

5 Click Add datacenter, enter the values for the cross-region data center, and click Add.

Setting Value

Name cross-region-dc

Use custom location Disabled

Location San Francisco, California, US

6 Add the Management domain vCenter Server to the cross-region data center.

a On the Datacenters page, expand the cross-region-dc data center and click Add vCenter.

b Enter the vCenter Server information and click Validate.

Setting Value for the cross-region-dc Data Center

vCenter name sfo01m01vc01.sfo01.rainpole.local

vCenter FQDN sfo01m01vc01.sfo01.rainpole.local

vCenter credentials svc-vrslcm-vsphere

vCenter type Management

7 After the successful vCenter Server validation, click Save.

8 In the navigation pane, click Requests and verify that the state of the vCenter data collection request shows Completed.

Add the Cross-Region Environment Password to vRealize Suite Lifecycle Manager

To enable vRealize Suite Lifecycle Manager to deploy cross-region solution products, you must add the cross-region environment administrator account to the vRealize Suite Lifecycle Manager Locker.

Procedure

1 In a Web browser, log in to vRealize Suite Lifecycle Manager by using the administration interface.

Setting Value

URL https://vrslcm01svr01.rainpole.local

User name admin@local

Password vrslcm_admin_password

2 On the My services page, click Locker.

3 In the navigation pane, click Password.

4 Click Add, enter these values, and click Add.

Setting Value

Password alias xregion-env-admin

Password xregion-env-admin_password

Confirm password xregion-env-admin_password

Password description Cross-region environment admin user

User Name admin

Cross-Region Workspace ONE Access Implementation in Region A

Identity and access management services in the SDDC are provided by VMware Workspace ONE Access. You use vRealize Suite Lifecycle Manager to deploy a cross-region Workspace ONE Access cluster. After that, you perform the necessary post-deployment configurations and customization.

Procedure

1 Prerequisites for Deploying Cross-Region Workspace ONE Access

Before you deploy the cross-region Workspace ONE Access cluster, verify that your environment fulfills the requirements for this deployment.

2 Configure the Load Balancer for the Cross-Region Workspace ONE Access Cluster in Region A

You configure load balancing for the cross-region Workspace ONE Access cluster services by using the dedicated NSX Data Center for vSphere edge services gateway.

3 Deploy the Cross-Region Workspace ONE Access Cluster in Region A

You configure deployment details and deploy the cross-region Workspace ONE Access cluster by using vRealize Suite Lifecycle Manager.

4 Configure the Cross-Region Workspace ONE Access Cluster in Region A

Perform the necessary post-deployment configuration steps for the cross-region Workspace ONE Access cluster to enable identity management for the SDDC.

Prerequisites for Deploying Cross-Region Workspace ONE Access

Before you deploy the cross-region Workspace ONE Access cluster, verify that your environment fulfills the requirements for this deployment.

Deployment Prerequisites

Verify that your environment satisfies the following prerequisites for the deployment of cross-region Workspace ONE Access.

Prerequisite Value

Storage
- Virtual disk provisioning: Thin
- Required storage per node: 4.8 GB

Software Features
- Verify that Management domain vCenter Server is operational.
- Verify that the application virtual networks are available.
- Verify that the NSX Data Center for vSphere is operational.
- Verify that static IP address and FQDN for the application virtual networks are available for the cross-region Workspace ONE Access deployment. See Host Names and IP Addresses for vRealize Suite 2019 and Workspace ONE Access.

Active Directory
- Verify that you have a parent Active Directory with the SDDC user roles configured for the rainpole.local domain.
- Verify that required Active Directory service accounts are created. See Active Directory User Accounts.
- Verify that required Active Directory security groups are created. See Active Directory Groups.

Certificate Authority
Verify that you have a valid SSL certificate. You can generate the certificate using the CertGenVVD utility. See Certificate Generation Utility for VMware Validated Design for Software-Defined Data Center 6.x (78246).

Configure the Load Balancer for the Cross-Region Workspace ONE Access Cluster in Region A

You configure load balancing for the cross-region Workspace ONE Access cluster services by using the dedicated NSX Data Center for vSphere edge services gateway.

Procedure

1 Import the Load Balancer Certificate of the Cross-Region Workspace ONE Access Cluster

To allow secure connection to the cross-region Workspace ONE Access cluster, import the certificate for the virtual IP address in the Management domain NSX Manager.

2 Configure the Virtual IP Address for Load Balancing the Cross-Region Workspace ONE Access Cluster in Region A

Configure the VIP address for load balancing the cross-region Workspace ONE Access cluster in Region A.

3 Create a Service Monitor for the Cross-Region Workspace ONE Access Cluster in Region A

You set up health check monitoring in NSX Data Center for vSphere for the cross-region Workspace ONE Access cluster to monitor the server pool. Servers that fail to respond to the health checks within a specified time period are excluded from future connection handling.

4 Create a Server Pool for the Cross-Region Workspace ONE Access Cluster in Region A

You create a server pool in NSX Data Center for vSphere for the cross-region Workspace ONE Access cluster nodes. The server pool determines the load-balancing algorithm and combines resources from the pool members.

5 Create Application Profiles for the Cross-Region Workspace ONE Access Cluster in Region A

You create an application profile in NSX Data Center for vSphere and associate it with a virtual server to define the behavior of a particular type of network traffic. The virtual server processes traffic according to the values specified in the profile.

6 Create Virtual Servers for the Cross-Region Workspace ONE Access Cluster in Region A

You create two virtual servers in NSX Data Center for vSphere for the cross-region Workspace ONE Access cluster. These virtual servers are associated with the configured application profile and server pool, and distribute client connections among the server pool members.

Import the Load Balancer Certificate of the Cross-Region Workspace ONE Access Cluster

To allow secure connection to the cross-region Workspace ONE Access cluster, import the certificate for the virtual IP address in the Management domain NSX Manager.

Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Client.

Setting Value

URL https://sfo01m01vc01.sfo01.rainpole.local/ui

User name [email protected]

Password vsphere_admin_password

2 In the Networking and security inventory, click NSX Edges.

3 From the NSX Manager drop-down menu, select 172.16.11.65.

4 Click the ID of the sfo01m01lb01 edge services gateway to open its network settings.

5 Click the Configure tab and click Certificates.

6 Click Add and select Certificate.

7 In the New certificate dialog box, enter these settings, and click Add.

Setting Value

Certificate contents Paste the content of the wsa01svr01.2.chain.pem file without the private key.

Private key Paste the content of the wsa01svr01.key file.

Password -

Description Certificate for the cross-region Workspace ONE Access cluster.
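A pre-flight check for the two paste fields above, as an added example that is not part of the VMware guide: it keeps only the certificate blocks of a PEM bundle for Certificate contents, keeps the key for Private key, and flags a passphrase-protected key, because the procedure leaves Password empty. The function names and the sample PEM data are constructed for illustration.

```python
import base64
import re

# One PEM block: BEGIN line, optional "Name: value" headers, base64 body, END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)


def parse_pem(text):
    """Return [(label, headers, der_bytes)] for every PEM block found in text."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        headers, b64 = {}, []
        for line in match.group(2).splitlines():
            line = line.strip()
            if ":" in line:  # legacy header such as "Proc-Type: 4,ENCRYPTED"
                name, _, value = line.partition(":")
                headers[name.strip()] = value.strip()
            elif line:
                b64.append(line)
        der = base64.b64decode("".join(b64), validate=True)
        blocks.append((match.group(1), headers, der))
    return blocks


def to_pem(label, der, headers=None):
    """Serialize bytes back to a PEM block with 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    head = ["%s: %s" % item for item in (headers or {}).items()]
    if head:
        head.append("")  # blank line separates headers from the body
    lines = ["-----BEGIN %s-----" % label] + head + body
    return "\n".join(lines + ["-----END %s-----" % label]) + "\n"


def is_encrypted(label, headers):
    """True for PKCS#8 encrypted keys and legacy Proc-Type encrypted keys."""
    return (label == "ENCRYPTED PRIVATE KEY"
            or "ENCRYPTED" in headers.get("Proc-Type", ""))


def check_certificate_inputs(chain_text, key_text):
    """Build the text for both dialog fields and list anything that blocks import."""
    problems, notes = [], []
    chain = parse_pem(chain_text)
    certs = [b for b in chain if b[0] == "CERTIFICATE"]
    chain_keys = [b for b in chain if b[0].endswith("PRIVATE KEY")]
    keys = [b for b in parse_pem(key_text) if b[0].endswith("PRIVATE KEY")]

    if not certs:
        problems.append("chain file has no CERTIFICATE block")
    if chain_keys:
        notes.append("removed %d private key block(s) from Certificate contents"
                     % len(chain_keys))
    if len(keys) != 1:
        problems.append("key file must hold exactly one private key, found %d"
                        % len(keys))
    for label, headers, der in keys:
        if is_encrypted(label, headers):
            problems.append("private key is passphrase-protected, "
                            "but the Password field is left empty")
            continue
        # Same label means same encoding, so differing bytes mean a different key.
        for c_label, c_headers, c_der in chain_keys:
            if (c_label == label and not is_encrypted(c_label, c_headers)
                    and c_der != der):
                problems.append("key file does not match the key in the chain file")
    return {
        "certificate_contents": "".join(to_pem(l, d) for l, _, d in certs),
        "private_key": "".join(to_pem(l, d, h) for l, h, d in keys),
        "problems": problems,
        "notes": notes,
    }


# Constructed sample data: the block bodies are placeholder bytes, not real DER.
LEAF = to_pem("CERTIFICATE", b"constructed leaf certificate")
ROOT = to_pem("CERTIFICATE", b"constructed CA certificate")
KEY = to_pem("RSA PRIVATE KEY", b"constructed private key")
ENCRYPTED_KEY = to_pem("RSA PRIVATE KEY", b"constructed ciphertext",
                       {"Proc-Type": "4,ENCRYPTED", "DEK-Info": "AES-256-CBC,00"})
SAMPLE_CHAIN = LEAF + KEY + ROOT  # a bundle that still carries the key

if __name__ == "__main__":
    report = check_certificate_inputs(SAMPLE_CHAIN, KEY)
    print(report["notes"], report["problems"])
    print(report["certificate_contents"], end="")
```

The check compares key bytes only; it does not parse X.509, so confirming that the key belongs to the leaf certificate still requires a tool such as OpenSSL.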

Configure the Virtual IP Address for Load Balancing the Cross-Region Workspace ONE Access Cluster in Region A

Configure the VIP address for load balancing the cross-region Workspace ONE Access cluster in Region A.

Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Client.

Setting Value

URL https://sfo01m01vc01.sfo01.rainpole.local/ui

User name [email protected]

Password vsphere_admin_password

2 In the Networking and security inventory, click NSX Edges.

3 From the NSX Manager drop-down menu, select 172.16.11.65.

4 Click the ID of the sfo01m01lb01 edge services gateway to open its network settings.

5 Click the Configure tab and click Interfaces.

6 Select the OneArmLB interface and click Edit.

7 On the Basic tab, under Configure subnets, in the row for primary IP address 192.168.11.2, in the Secondary IP addresses cell, add the cross-region Workspace ONE Access cluster IP address, 192.168.11.60.

8 Click Save.

Create a Service Monitor for the Cross-Region Workspace ONE Access Cluster in Region A

You set up health check monitoring in NSX Data Center for vSphere for the cross-region Workspace ONE Access cluster to monitor the server pool. Servers that fail to respond to the health checks within a specified time period are excluded from future connection handling.

Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Client.

Setting Value

URL https://sfo01m01vc01.sfo01.rainpole.local/ui

User name [email protected]

Password vsphere_admin_password

2 In the Networking and security inventory, click NSX Edges.

3 From the NSX Manager drop-down menu, select 172.16.11.65.

4 Click the ID of the sfo01m01lb01 edge services gateway to open its network settings.

5 Click the Load balancer tab and click Service monitoring.

6 Click Add, enter these values to configure the health check parameters, and click Add.

Setting Value

Name wsa-https-monitor

Interval 3

Timeout 10

Max retries 3

Type HTTPS

Expected 200

Method GET

URL /SAAS/API/1.0/REST/system/health/heartbeat

Receive ok
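The monitor settings above, as an added Python sketch that is not VMware code: `evaluate` applies the Expected and Receive checks to one response, `probe` sends the same request to a node with TLS validation, and `track` replays a series of probes. That a member goes down after Max retries consecutive failures is an assumption about how the edge counts them; the function names and the sample probe results are constructed.

```python
import ssl
import urllib.error
import urllib.request

# Values from the wsa-https-monitor table.
MONITOR = {
    "interval": 3, "timeout": 10, "max_retries": 3,
    "method": "GET", "expected": "200", "receive": "ok",
    "url": "/SAAS/API/1.0/REST/system/health/heartbeat",
}


def evaluate(status, body, monitor=MONITOR):
    """Return (healthy, reason) for one probe response."""
    if status is None:
        return False, "no response within %d s" % monitor["timeout"]
    if str(status) != monitor["expected"]:
        return False, "status %s, expected %s" % (status, monitor["expected"])
    if monitor["receive"] not in body:
        return False, "body does not contain %r" % monitor["receive"]
    return True, "healthy"


def probe(host, ca_file, port=443, monitor=MONITOR):
    """Send one health check to a node; return (status, body) or (None, "")."""
    context = ssl.create_default_context(cafile=ca_file)  # verifies chain and name
    request = urllib.request.Request(
        "https://%s:%d%s" % (host, port, monitor["url"]), method=monitor["method"])
    try:
        with urllib.request.urlopen(
                request, timeout=monitor["timeout"], context=context) as response:
            return response.status, response.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:      # non-2xx answer from the node
        return err.code, err.read(4096).decode("utf-8", "replace")
    except (urllib.error.URLError, OSError):   # refused, timed out, TLS failure
        return None, ""


def track(results, max_retries=MONITOR["max_retries"]):
    """Replay (status, body) probes and return the member state after each one.

    Assumption: DOWN after max_retries consecutive failures, UP again on the
    next healthy probe.
    """
    states, failures = [], 0
    for status, body in results:
        healthy, _ = evaluate(status, body)
        failures = 0 if healthy else failures + 1
        states.append("DOWN" if failures >= max_retries else "UP")
    return states


# Constructed probe results for one pool member.
SAMPLE_PROBES = [(200, "ok"), (503, ""), (None, ""), (200, "starting"), (200, "ok")]

if __name__ == "__main__":
    for result, state in zip(SAMPLE_PROBES, track(SAMPLE_PROBES)):
        print(result, evaluate(*result)[1], state)
```

To check a live node, call `probe("wsa01svr01a.rainpole.local", ca_file)` with `ca_file` pointing at a PEM copy of the rainpole-ca certificate (the path is yours to choose) and pass the result to `evaluate`.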

Create a Server Pool for the Cross-Region Workspace ONE Access Cluster in Region A

You create a server pool in NSX Data Center for vSphere for the cross-region Workspace ONE Access cluster nodes. The server pool determines the load-balancing algorithm and combines resources from the pool members.

You add the three cross-region Workspace ONE Access cluster nodes as members of the server pool.

Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Client.

Setting Value

URL https://sfo01m01vc01.sfo01.rainpole.local/ui

User name [email protected]

Password vsphere_admin_password

2 In the Networking and security inventory, click NSX Edges.

3 From the NSX Manager drop-down menu, select 172.16.11.65.

4 Click the ID of the sfo01m01lb01 edge services gateway to open its network settings.

5 Click the Load balancer tab and click Pools.

6 Click Add and, on the General tab of the New pool dialog box, enter these values to configure the load-balancing profile.

Setting Value

Name wsa-server-pool

Description Cross-Region Workspace ONE Access Server Pool

Algorithm LEASTCONN

Monitors wsa-https-monitor

IP filter Any

Transparent Turned off

7 Click the Members tab of the New pool dialog box.

8 To add each cross-region Workspace ONE Access cluster node to the pool, click Add, enter the values for the node, and click OK.

Setting Value for wsa01svr01a Value for wsa01svr01b Value for wsa01svr01c

Name wsa01svr01a wsa01svr01b wsa01svr01c

IP address 192.168.11.61 192.168.11.62 192.168.11.63

State Enable Enable Enable

Port 443 443 443

Monitor port 443 443 443

Weight 1 1 1

Max connections - - -

Min connections - - -

9 On the New pool dialog box, click Add.

Create Application Profiles for the Cross-Region Workspace ONE Access Cluster in Region A

You create an application profile in NSX Data Center for vSphere and associate it with a virtual server to define the behavior of a particular type of network traffic. The virtual server processes traffic according to the values specified in the profile.

Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Client.

Setting Value

URL https://sfo01m01vc01.sfo01.rainpole.local/ui

User name [email protected]

Password vsphere_admin_password

2 In the Networking and security inventory, click NSX Edges.

3 From the NSX Manager drop-down menu, select 172.16.11.65.

4 Click the ID of the sfo01m01lb01 edge services gateway to open its network settings.

5 Click the Load balancer tab and click Application profiles.

6 Create each application profile for the cross-region Workspace ONE Access cluster.

a Click Add.

b In the New application profile dialog box, on the General tab, enter these values.

Setting | Value for wsa-https-app-profile | Value for wsa-http-redirect
Application profile type | HTTPS End-to-End | HTTP
Name | wsa-https-app-profile | wsa-http-redirect
HTTP redirect URL | - | https://wsa01svr01.rainpole.local/
Persistence | Cookie | Source IP
Cookie name | wsa-cookie-persistence | -
Mode | Insert | -
Expires in (seconds) | 3600 | 1800
Insert X-Forwarded-For HTTP header | Enabled | Disabled

c In the New application profile dialog box, click the Client SSL tab and enter these values.

Setting | Value for wsa-https-app-profile | Value for wsa-http-redirect
Client authentication | Ignore | -
Service certificates | Certificate for the cross-region Workspace ONE Access instance, wsa01svr01.rainpole.local | -
CA certificates | Certificate for the Certificate Authority, rainpole-ca | -

d In the New application profile dialog box, click the Server SSL tab and enter these values.

Setting | Value for wsa-https-app-profile | Value for wsa-http-redirect
Service certificates | Certificate for the cross-region Workspace ONE Access instance, wsa01svr01.rainpole.local | -

e Click Add to save the application profile.

Create Virtual Servers for the Cross-Region Workspace ONE Access Cluster in Region A

You create two virtual servers in NSX Data Center for vSphere for the cross-region Workspace ONE Access cluster. These virtual servers are associated with the configured application profile and server pool, and distribute client connections among the server pool members.

Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Client.

Setting Value

URL https://sfo01m01vc01.sfo01.rainpole.local/ui

User name [email protected]

Password vsphere_admin_password

2 In the Networking and security inventory, click NSX Edges.

3 From the NSX Manager drop-down menu, select 172.16.11.65.

4 Click the ID of the sfo01m01lb01 edge services gateway to open its network settings.

5 Click the Load balancer tab and click Virtual servers.

6 Click Add.

7 To create each virtual server, click Add and, on the General tab, enter these values and click Add.

Setting | Value for wsa-https | Value for wsa-http-redirect
Virtual server | Enabled | Enabled
Acceleration | Disabled | Disabled
Application profile | wsa-https-app-profile | wsa-http-redirect
Name | wsa-https | wsa-http
Description | Cross-Region Workspace ONE Access | Cross-Region Workspace ONE Access Cluster HTTPS Redirect
IP address | 192.168.11.60 | 192.168.11.60
Protocol | HTTPS | HTTP
Port/Port range | 443 | 80
Default pool | wsa-server-pool | NONE
Connection limit | 0 | 0
Connection rate limit | 0 | 0

Deploy the Cross-Region Workspace ONE Access Cluster in Region A

You configure deployment details and deploy the cross-region Workspace ONE Access cluster by using vRealize Suite Lifecycle Manager.

Procedure

1 Import the Cross-Region Workspace ONE Access Cluster Certificate to vRealize Suite Lifecycle Manager in Region A

In vRealize Suite Lifecycle Manager, import the cross-region Workspace ONE Access cluster certificate that you generated using the CertGenVVD utility.

2 Add the Passwords for the Cross-Region Workspace ONE Access Deployment to vRealize Suite Lifecycle Manager in Region A

To allow life cycle management and configuration management, you set the passwords for the vRealize Suite Lifecycle Manager global environment administrator, the cross-region Workspace ONE Access administrator, and the cross-region Workspace ONE Access configuration administrator accounts.

3 Deploy the Cross-Region Workspace ONE Access Cluster Using vRealize Suite Lifecycle Manager in Region A

To provide identity and access management services to the cross-region SDDC components, you create a cross-region environment in vRealize Suite Lifecycle Manager in which you deploy the three nodes of the cross-region Workspace ONE Access cluster.

4 Resize the Cross-Region Workspace ONE Access Cluster Nodes in Region A

To ensure the proper operation of the cross-region Workspace ONE Access cluster, increase the CPU and memory resources available to each appliance.

Import the Cross-Region Workspace ONE Access Cluster Certificate to vRealize Suite Lifecycle Manager in Region A

In vRealize Suite Lifecycle Manager, import the cross-region Workspace ONE Access cluster certificate that you generated using the CertGenVVD utility.

Procedure

1 In a Web browser, log in to vRealize Suite Lifecycle Manager by using the administration interface.

Setting Value

URL https://vrslcm01svr01.rainpole.local

User name admin@local

Password vrslcm_admin_password

2 On the My Services page, click Locker.

3 In the left pane, click Certificate.

4 On the Certificate page, click Import.

5 On the Import certificate page, configure the settings and click Import.

Setting Value

Name wsa01svr01-certificate

Pass Phrase -

Select Certificate File wsa01svr01.2.chain.pem

Add the Passwords for the Cross-Region Workspace ONE Access Deployment to vRealize Suite Lifecycle Manager in Region A

To allow life cycle management and configuration management, you set the passwords for the vRealize Suite Lifecycle Manager global environment administrator, the cross-region Workspace ONE Access administrator, and the cross-region Workspace ONE Access configuration administrator accounts.

Procedure

1 In a Web browser, log in to vRealize Suite Lifecycle Manager by using the administration interface.

Setting Value

URL https://vrslcm01svr01.rainpole.local

User name admin@local

Password vrslcm_admin_password

2 On the My services page, click Locker.

3 In the navigation pane, click Password.

4 For each password, click Add, configure these settings, and click Add.

Setting | Value for Global Environment Administrator | Value for Local Administrator | Value for Local Configuration Administrator
Password alias | global-env-admin | wsa01svr01-admin | wsa01svr01-configadmin
Password | global_env_admin_password | wsa01svr01_admin_password | wsa01svr01_configadmin_password
Confirm password | global_env_admin_password | wsa01svr01_admin_password | wsa01svr01_configadmin_password
Password description | vRealize Suite Lifecycle Manager global environment administrator password | Cross-region Workspace ONE Access administrator | Cross-region Workspace ONE Access configuration administrator
User name | admin | admin | configadmin

Deploy the Cross-Region Workspace ONE Access Cluster Using vRealize Suite Lifecycle Manager in Region A

To provide identity and access management services to the cross-region SDDC components, you create a cross-region environment in vRealize Suite Lifecycle Manager in which you deploy the three nodes of the cross-region Workspace ONE Access cluster.

During the deployment by using vRealize Suite Lifecycle Manager, you configure the cross-region Workspace ONE Access instance to synchronize group members to the directory when adding a group.

Procedure

1 In a Web browser, log in to vRealize Suite Lifecycle Manager by using the administration interface.

Setting Value

URL https://vrslcm01svr01.rainpole.local

User name admin@local

Password vrslcm_admin_password

2 On the My services page, click Lifecycle operations.

3 On the Dashboard page, click Create environment.

4 Configure these settings and click Next.

Setting Value

Environment name globalenvironment

Administrator email wsa01svr01_configadmin_email

Default password global-env-admin

Data center cross-region-dc

JSON configuration Deselected

Join the VMware customer experience improvement program Selected

5 On the Select product page, select the check box for VMware Identity Manager, configure these settings, and click Next.

Setting Value

Installation type New Install

Version 3.3.2

Deployment type Cluster

6 On the Accept license agreements page, accept the license agreement and click Next.

7 On the Certificate page, from the Select certificate drop-down menu, select wsa01svr01-certificate, and click Next.

8 On the Infrastructure page, configure these settings and click Next.

Setting Value

vCenter Server sfo01m01vc01.sfo01.rainpole.local

Cluster sfo01-m01dc#sfo01-m01-mgmt01

Folder sfo01-m01fd-wsa

Resource pool sfo01-m01-sddc-mgmt

Network Distributed port group that ends with Mgmt-xRegion01-VXLAN

Datastore sfo01-m01-vsan01

Disk mode Thin

Use content library Deselected

9 On the Network page, configure these settings and click Next.

Setting Value

Default gateway 192.168.11.1

Netmask 255.255.255.0

Domain name rainpole.local

Domain Search Path rainpole.local

DNS Servers Click Edit server selection, select 172.16.11.4 and 172.16.11.5, and click Next and Finish.

Time Sync Mode Use NTP Server

NTP Servers Click Edit server selection, select ntp.sfo01.rainpole.local, click Next and Finish.

10 On the Products page, configure the deployment properties for the cross-region Workspace ONE Access instance and click Next.

a In the Product properties section, configure the following.

Setting Value

Certificate wsa01svr01-certificate

Admin password wsa01svr01-admin

Default configuration admin user name configadmin

Default configuration admin password wsa01svr01-configadmin

Sync group members Selected

b In the Cluster VIP FQDN section, configure these settings.

Setting Value

FQDN wsa01svr01.rainpole.local

Database IP Address 192.168.11.64

c In the Components section, configure the primary cluster node.

Setting Value

VM Name wsa01svr01a

FQDN wsa01svr01a.rainpole.local

IP Address 192.168.11.61

d In the Components section, configure the second cluster node.

Setting Value

VM name wsa01svr01b

FQDN wsa01svr01b.rainpole.local

IP address 192.168.11.62

e In the Components section, configure the third cluster node.

Setting Value

VM name wsa01svr01c

FQDN wsa01svr01c.rainpole.local

IP address 192.168.11.63

11 On the Manual validation page, review the manual checks, select I have taken care of the manual steps above and ready to proceed, and click Run precheck.

12 Review the validation report and, after a successful validation, click Next.

13 On the Summary page, review the deployment specification, disable Run prechecks on submit, and click Submit.

Resize the Cross-Region Workspace ONE Access Cluster Nodes in Region A

To ensure the proper operation of the cross-region Workspace ONE Access cluster, increase the CPU and memory resources available to each appliance.

Procedure

1 In a Web browser, log in to vRealize Suite Lifecycle Manager by using the administration interface.

Setting Value

URL https://vrslcm01svr01.rainpole.local

User name admin@local

Password vrslcm_admin_password

2 Perform a graceful shutdown of the Workspace ONE Access cluster.

a On the My services page, click Lifecycle operations.

b On the Dashboard page, click Manage environments.

c In the globalenvironment card, click View details.

d In the VMware Identity Manager section, click the ellipsis icon and, from the drop-down menu, select Trigger cluster health.

e On the Trigger health collection dialog box, click Submit.

On the Request details page, the health collection status becomes Successful.

f In the left pane, click Dashboard and click Manage environments.

g In the globalenvironment card, click View details.

h In the VMware Identity Manager section, click the ellipsis icon and, from the drop-down menu, select Power off.

i On the Power off VMware Identity Manager dialog box, click Submit.

On the Request details page, the power off operation status becomes Successful.

3 In a Web browser, log in to vCenter Server by using the vSphere Client.

Setting Value

URL https://sfo01m01vc01.sfo01.rainpole.local/ui

User name [email protected]

Password vsphere_admin_password

4 In the Hosts and clusters inventory, expand the sfo01m01vc01.sfo01.rainpole.local tree and expand the sfo01-m01dc data center.

5 Expand the sfo01-m01-mgmt01 cluster, right-click the wsa01svr01a virtual machine, and select Edit settings.

6 On the Edit settings dialog box, configure these settings and click OK.

Setting Value

CPU 8

Memory 16 GB

7 Repeat Step 5 and Step 6 to increase the CPU and memory resources for the wsa01svr01b and wsa01svr01c virtual machines.

8 Power on the Workspace ONE Access cluster.

a Back in the vRealize Suite Lifecycle Manager user interface, on the My services page, click Lifecycle operations.

b On the Dashboard page, click Manage environments.

c In the globalenvironment card, click View details.

d In the VMware Identity Manager section, click the ellipsis icon and, from the drop-down menu, select Power on.

e On the Power on VMware Identity Manager dialog box, click Submit.

On the Request details page, the power on operation status becomes Successful.

Configure the Cross-Region Workspace ONE Access Cluster in Region A

Perform the necessary post-deployment configuration steps for the cross-region Workspace ONE Access cluster to enable identity management for the SDDC.

Procedure

1 Configure an Anti-Affinity Rule and a Virtual Machine Group for the Cross-Region Workspace ONE Access Cluster in Region A

To protect the cross-region Workspace ONE Access nodes from a host-level failure, configure an anti-affinity rule to run the virtual machines on different hosts in the first vSphere cluster of the Management domain. After that, you configure a VM group to define the startup order to ensure that vSphere High Availability powers on the cross-region Workspace ONE Access cluster members in the correct order.

2 Configure NTP on the Cross-Region Workspace ONE Access Cluster in Region A

To keep the cross-region Workspace ONE Access cluster nodes synchronized with the other SDDC components, configure the time synchronization on each node in the cross-region Workspace ONE Access cluster.

3 Configure Custom Branding for the Cross-Region Workspace ONE Access Deployment in Region A

To personalize the sign-in screen for your organization, you configure the branding of the cross-region Workspace ONE Access deployment.

4 Configure Identity Sources for the Cross-Region Workspace ONE Access Cluster in Region A

You integrate your Active Directory with Workspace ONE Access and configure attributes to synchronize users and groups to enable identity and access management in the SDDC.

5 Add the Cross-Region Workspace ONE Access Nodes as Identity Provider Connectors in Region A

To provide high availability for the identity and access management services of the cross-region Workspace ONE cluster, you join the cluster nodes to the rainpole.local domain and add them as directory connectors.

6 Assign Roles to User Groups in Cross-Region Workspace ONE Access

Workspace ONE Access uses role-based access control to manage administrator roles. You assign the Super Admin, Directory Admin, and ReadOnly roles to directory user groups to manage administrative access to the cross-region Workspace ONE Access cluster.

7 Assign Roles to User Groups in vRealize Suite Lifecycle Manager

To enable identity and access management for vRealize Suite Lifecycle Manager, you integrate the component with the cross-region Workspace ONE Access deployment.

Configure an Anti-Affinity Rule and a Virtual Machine Group for the Cross-Region Workspace ONE Access Cluster in Region A

To protect the cross-region Workspace ONE Access nodes from a host-level failure, configure an anti-affinity rule to run the virtual machines on different hosts in the first vSphere cluster of the Management domain. After that, you configure a VM group to define the startup order to ensure that vSphere High Availability powers on the cross-region Workspace ONE Access cluster members in the correct order.

Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Client.

Setting Value

URL https://sfo01m01vc01.sfo01.rainpole.local/ui

User name [email protected]

Password vsphere_admin_password

2 In the Hosts and clusters inventory, expand the sfo01m01vc01.sfo01.rainpole.local tree and expand the sfo01-m01dc data center.

3 Select the sfo01-m01-mgmt01 cluster and click the Configure tab.

4 Create the anti-affinity rule for the cross-region Workspace ONE Access virtual machines.

a In the left pane, select Configuration > VM/Host rules and click Add.

b In the Create VM/Host rule dialog box, configure these settings and click OK.

Setting Value

Name anti-affinity-rule-wsa

Enable rule Selected

Type Separate Virtual Machines

Members
- wsa01svr01a
- wsa01svr01b
- wsa01svr01c

5 Create a virtual machine group for the cross-region Workspace ONE Access cluster nodes.

a In the left pane, select Configuration > VM/Host groups and click Add.

b In the Create VM/Host group dialog box, configure these settings and click OK.

Setting Value

Name Cross-Region Workspace ONE Access Virtual Appliances

Type VM Group

Members
- wsa01svr01a
- wsa01svr01b
- wsa01svr01c

Configure NTP on the Cross-Region Workspace ONE Access Cluster in Region A

To keep the cross-region Workspace ONE Access cluster nodes synchronized with the other SDDC components, configure the time synchronization on each node in the cross-region Workspace ONE Access cluster.

Table 3-1. Cross-Region Workspace ONE Access Cluster Nodes and NTP Servers

FQDN NTP Servers

wsa01svr01a.rainpole.local ntp.sfo01.rainpole.local

wsa01svr01b.rainpole.local ntp.sfo01.rainpole.local

wsa01svr01c.rainpole.local ntp.sfo01.rainpole.local

Procedure

1 Log in to the cross-region Workspace ONE Access instance by using a Secure Shell (SSH) client.

Setting Value

FQDN wsa01svr01a.rainpole.local

User name sshuser

Password wsa01svr01_sshuser_password

2 Configure the NTP source of the Workspace ONE Access appliance.

a Switch to the super user.

su

b Edit the /etc/ntp.conf file.

vi /etc/ntp.conf

c Edit the server entries and enter :wq! to save the file.

server ntp.sfo01.rainpole.local

3 Enable the NTP service.

a To disable time synchronization with the ESXi host, run the command.

vmware-toolbox-cmd timesync disable

b To enable and start the NTP service, run the commands.

chkconfig ntp on

service ntp start

c To verify the status of the NTP service, run the command.

service ntp status

4 Repeat this procedure to configure the NTP service on the wsa01svr01b.rainpole.local and wsa01svr01c.rainpole.local nodes.

Configure Custom Branding for the Cross-Region Workspace ONE Access Deployment in Region A

To personalize the sign-in screen for your organization, you configure the branding of the cross-region Workspace ONE Access deployment.

Procedure

1 In a Web browser, log in to the Workspace ONE Access cross-region cluster by using the administration interface.

Setting Value

URL https://wsa01svr01.rainpole.local/admin

User name configadmin

Password wsa01svr01_configadmin_password

Domain System Domain

2 On the main navigation bar, click Identity and access management.

3 Click Setup and click the Custom branding tab.

4 On the Custom branding page, click Names and logos, configure these settings, and click Save.

Setting Value

Company Name Rainpole

Product Name Cloud

Favicon Upload a 16px by 16px transparent .png image.

5 On the Custom branding page, click Sign-in screen, configure these settings, and click Save.

Setting Value

Logo Upload a 100px height transparent .png image.

Image Upload a 1400px width and 900px height .png or .jpg image.

Configure Identity Sources for the Cross-Region Workspace ONE Access Cluster in Region A

You integrate your Active Directory with Workspace ONE Access and configure attributes to synchronize users and groups to enable identity and access management in the SDDC.

Procedure

1 In a Web browser, log in to the Workspace ONE Access cross-region cluster by using the administration interface.

Setting Value

URL https://wsa01svr01.rainpole.local/admin

User name configadmin

Password wsa01svr01_configadmin_password

Domain System Domain

2 On the main navigation bar, click Identity and access management.

3 Click the Directories tab, and from the Add directory drop-down menu, select Add Active Directory over LDAP/IWA.

4 On the Add directory page, configure these settings, and click Save and next.

Setting Value

Directory name rainpole.local

Active Directory (integrated Windows authentication) Selected

Sync connector wsa01svr01a.rainpole.local

Do you want this connector also perform authentication Yes

Directory search attribute sAMAccountName

Domain name rainpole.local

Domain admin user name svc-domain-join

Domain admin password svc-domain-join_password

Bind user name svc-wsa-ad

Bind user password svc-wsa-ad_password

5 On the Select the domains page, configure these settings and click Next.

Setting Value

rainpole.local (RAINPOLE) Selected

sfo01.rainpole.local (SFO01) Selected

6 On the Map user attributes page, review the attribute mappings and click Next.

7 On the Select the groups you want to sync page, configure these settings.

Setting Value

Sync nested group members Selected

Specify the group DN Click the plus icon and enter OU=Security Groups,DC=rainpole,DC=local.

8 For each group DN, click Select, select the group to be used by the cross-region Workspace ONE Access cluster, click Save, and click Next.

Product Value

Workspace ONE Access ug-wsa-admins

ug-wsa-directory-admins

ug-wsa-read-only

vRealize Suite Lifecycle Manager ug-vrslcm-admins

ug-vrslcm-content-admins

ug-vrslcm-content-developers

vRealize Operations ug-vrops-admins

ug-vrops-content-admins

ug-vrops-read-only

vRealize Automation ug-vra-org-owners

ug-vra-cloud-assembly-admins

ug-vra-cloud-assembly-users

ug-vra-service-broker-admins

ug-vra-service-broker-users

ug-vra-orchestrator-admins

ug-vra-orchestrator-designers

ug-vra-project-admins-sample

ug-vra-project-users-sample

9 On the Select the users you want to sync page, configure these settings and click Next.

Setting Value

Specify the user DN Click the plus icon and enter OU=Security Users,DC=rainpole,DC=local.

10 On the Review page, click Edit, from the Sync frequency drop-down menu, select Every 15 minutes, and click Save.

11 To initialize the directory import, click Sync directory.

Add the Cross-Region Workspace ONE Access Nodes as Identity Provider Connectors in Region A

To provide high availability for the identity and access management services of the cross-region Workspace ONE cluster, you join the cluster nodes to the rainpole.local domain and add them as directory connectors.

Procedure

1 In a Web browser, log in to the Workspace ONE Access cross-region cluster by using the administration interface.

Setting Value

URL https://wsa01svr01.rainpole.local/admin

User name configadmin

Password wsa01svr01_configadmin_password

Domain System Domain

2 Join the wsa01svr01b.rainpole.local and wsa01svr01c.rainpole.local connectors to the rainpole.local domain.

a On the main navigation bar, click Identity and access management.

b Click Setup and click the Connectors tab.

c On the Connectors page, next to the wsa01svr01b.rainpole.local connector, click Join domain.

d In the Join domain dialog box, configure these settings and click Join domain.

Setting Value

Domain Custom Domain

Custom Domain rainpole.local

Domain User svc-domain-join

Domain Password svc-domain-join_password

Organizational unit (OU) of domain to join CN=Computers,DC=rainpole,DC=local

e Repeat these steps to join the wsa01svr01c.rainpole.local connector to the rainpole.local domain.

3 Add the wsa01svr01b.rainpole.local and wsa01svr01c.rainpole.local connectors as identity providers.

a On the main navigation bar, click Identity and access management.

b Click Manage and click the Identity providers tab.

c Click the WorkspaceIDP__1 identity provider.

d On the WorkspaceIDP__1 details page, from the Add a connector drop-down menu, select wsa01svr01b.rainpole.local, configure these settings, and click Add connector.

Setting Value

Connector wsa01svr01b.rainpole.local

Bind to AD Checked

Bind user password svc-wsa-ad_password

Domain admin user name svc-domain-join

Domain admin password svc-domain-join_password

e Repeat this step for the wsa01svr01c.rainpole.local connector.

f In the IdP Hostname text box, enter wsa01svr01.rainpole.local.

g Click Save.

Assign Roles to User Groups in Cross-Region Workspace ONE Access

Workspace ONE Access uses role-based access control to manage administrator roles. You assign the Super Admin, Directory Admin, and ReadOnly roles to directory user groups to manage administrative access to the cross-region Workspace ONE Access cluster.

You assign the Workspace ONE Access roles to the Workspace ONE Access user groups.

Table 3-2. Workspace ONE Access Roles and Groups

Role Group

Super Admin [email protected]

Directory Admin [email protected]

ReadOnly Admin [email protected]

Procedure

1 In a Web browser, log in to the Workspace ONE Access cross-region cluster by using the administration interface.

Setting Value

URL https://wsa01svr01.rainpole.local/admin

User name configadmin

Password wsa01svr01_configadmin_password

Domain System Domain

2 On the main navigation bar, click Roles.

3 Select the Super Admin role and click Assign.

4 In the Users / groups search box, enter [email protected], select the group, and click Save.

5 Repeat these steps to configure the Directory Admin and the ReadOnly Admin roles.

Assign Roles to User Groups in vRealize Suite Lifecycle Manager

To enable identity and access management for vRealize Suite Lifecycle Manager, you integrate the component with the cross-region Workspace ONE Access deployment.

You assign the vRealize Suite Lifecycle Manager roles to the vRealize Suite Lifecycle Manager user groups.

Table 3-3. vRealize Suite Lifecycle Manager User Groups and Roles

User Group Role

[email protected] LCM Cloud Admin

[email protected] Content Release Manager

[email protected] Content Developer

Procedure

1 In a Web browser, log in to vRealize Suite Lifecycle Manager by using the administration interface.

Setting Value

URL https://vrslcm01svr01.rainpole.local

User name admin@local

Password vrslcm_admin_password

2 On the My Services page, click Identity and tenant management.

3 In the navigation pane, click User management and click Add user / group.

The Assign roles wizard opens.

4 On the Select users / groups page, in the search box, enter [email protected], select the user group from the organization directory, and click Next.

5 On the Select roles page, select the LCM cloud admin role and click Next.

6 On the Summary page, click Submit.

7 Repeat these steps to assign roles to the ug-vrslcm-content-admins and ug-vrslcm-content-developers user groups.

Region-Specific Workspace ONE Access Implementation in Region A

To provide identity and access management services to the region-specific SDDC components, you deploy the Workspace ONE Access instance in the management domain cluster and configure storage, network, and other appliance attributes in Region A.

Procedure

1 Prerequisites for Deploying Region-Specific Workspace ONE Access in Region A

Before you deploy the region-specific Workspace ONE Access instance, verify that your environment fulfills the requirements for this deployment.

2 Deploy the Region-Specific Workspace ONE Access Instance in Region A

Deploy and configure the region-specific Workspace ONE Access instance in Region A.

3 Complete the Initial Configuration of the Region-Specific Workspace ONE Access Instance in Region A

Complete the initial configuration of the region-specific Workspace ONE Access instance by setting the root, administrator, and remote user account passwords, and initializing the application database.

4 Configure Region-Specific Workspace ONE Access for the Management Domain in Region A

To ensure the operation of the region-specific Workspace ONE Access instance in the SDDC, you replace the default certificate, configure time synchronization, integrate and synchronize the instance with Active Directory, and assign role-based access.

5 Integrate NSX-T Data Center with the Region-Specific Workspace ONE Access Instance in Region A

To provide role-based access for the NSX-T Data Center instance for the workload domain, integrate it with the region-specific Workspace ONE Access instance.

Prerequisites for Deploying Region-Specific Workspace ONE Access in Region A

Before you deploy the region-specific Workspace ONE Access instance, verify that your environment fulfills the requirements for this deployment.

Deployment Prerequisites

Verify that your environment satisfies the following prerequisites for the deployment of the region-specific Workspace ONE Access instance.

Prerequisite Value

Storage
- Virtual disk provisioning: Thin
- Required storage: 4.8 GB

Installation packages Verify that you downloaded the VMware Workspace ONE Access OVA file from My VMware.

Software Features
- Verify that the Management domain vCenter Server is operational.
- Verify that the application virtual networks are available.
- Verify that the Management domain NSX Data Center for vSphere is operational.
- Verify that static IP address and FQDN for the application virtual networks are available for the region-specific Workspace ONE Access deployment. See Host Names and IP Addresses for vRealize Suite 2019 and Workspace ONE Access.

Active Directory
- Verify that you have a parent Active Directory with the SDDC user roles configured for the rainpole.local domain.
- Verify that required Active Directory service accounts are created. See Active Directory User Accounts.
- Verify that required Active Directory security groups are created. See Active Directory Groups.

Certificate Authority Verify that you have a valid SSL certificate. You can generate the certificate using the CertGenVVD utility. See Certificate Generation Utility for VMware Validated Design for Software-Defined Data Center 6.x (78246).

Deploy the Region-Specific Workspace ONE Access Instance in Region A

Deploy and configure the region-specific Workspace ONE Access instance in Region A.

Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Client.

Setting Value

URL https://sfo01m01vc01.sfo01.rainpole.local/ui

User name [email protected]

Password vsphere_admin_password

2 In the Hosts and clusters inventory, expand the sfo01m01vc01.sfo01.rainpole.local tree and expand the sfo01-m01dc data center.

3 Right-click the sfo01-m01-sddc-mgmt resource pool and select Deploy OVF template.

4 On the Select an OVF template page, select Local file, click Choose files, browse to the location of the Workspace ONE Access OVA file, and click Next.

5 On the Select a name and folder page, configure these settings, and click Next.

Setting Value

Virtual machine name sfo01wsa01

Virtual machine location sfo01-m01fd-wsa

6 On the Select a compute resource page, select the sfo01-m01-sddc-mgmt resource pool and click Next.

7 On the Review details page, review the settings and click Next.

8 On the License agreements page, accept the license agreement and click Next.

9 On the Select storage page, configure these settings and click Next.

Setting Value

Select virtual disk format Thin provision

VM storage policy vSAN default storage policy

Datastores sfo01-m01-vsan01

10 On the Select networks page, from the Destination network drop-down menu, select the distributed port group that ends with Mgmt-RegionA01-VXLAN and click Next.

11 On the Customize template page, configure these settings and click Next.

Setting Value

Timezone setting US/Pacific

Join the VMware customer experience improvement program Selected

Hostname sfo01wsa01.sfo01.rainpole.local

Default gateway 192.168.31.1

Domain name sfo01.rainpole.local

Domain search path sfo01.rainpole.local,rainpole.local

Domain name servers 172.16.11.4,172.16.11.5

Network 1 IP address 192.168.31.60

Network 1 netmask 255.255.255.0

12 On the Ready to complete page, click Finish and wait for the process to complete.

13 Power on the region-specific Workspace ONE Access virtual machine.

a In the VMs and templates inventory, expand the sfo01m01vc01.sfo01.rainpole.local tree, expand the sfo01-m01dc data center, and expand the sfo01-m01fd-wsa folder.

b Right-click the sfo01wsa01 virtual machine and, from the Actions menu, select Power > Power on.

It takes time for the virtual machine to complete the power on process.

Complete the Initial Configuration of the Region-Specific Workspace ONE Access Instance in Region A

Complete the initial configuration of the region-specific Workspace ONE Access instance by setting the root, administrator, and remote user account passwords, and initializing the application database.

Procedure

1 In a Web browser, log in to the region-specific Workspace ONE Access instance in Region A by using the administration interface, https://sfo01wsa01.sfo01.rainpole.local.

2 On the Get started page, click Continue.

3 On the Set passwords page, configure the settings and click Continue.

User Value

Appliance administrator account sfo01wsa01_admin_password

Appliance root account sfo01wsa01_root_password

Remote user account sfo01wsa01_sshuser_password

4 On the Select database page, configure Database type as Internal database and click Continue.

The internal database initializes.

5 On the Setup review page, ensure that the Setup is Complete message is displayed.

6 Click Log out.

Configure Region-Specific Workspace ONE Access for the Management Domain in Region A

To ensure the operation of the region-specific Workspace ONE Access instance in the SDDC, you replace the default certificate, configure time synchronization, integrate and synchronize the instance with Active Directory, and assign role-based access.

Procedure

1 Replace the Certificate of the Region-Specific Workspace ONE Access Instance in Region A

You replace the default self-signed certificate of the region-specific Workspace ONE Access instance in Region A with a signed certificate from the Microsoft Certificate Authority generated by using the CertGenVVD utility.

2 Configure Preferences and Custom Branding for the Region-Specific Workspace ONE Access Instance in Region A

To synchronize group members to the directory when adding a group, you configure the preferences of the region-specific Workspace ONE Access instance. To personalize the sign-in screen for your organization, you configure the branding of the region-specific Workspace ONE Access instance.

3 Configure NTP of the Region-Specific Workspace ONE Access Instance in Region A

To keep the region-specific Workspace ONE Access appliance time synchronized with the other SDDC components, configure the NTP source on the appliance.

4 Configure Identity Source of the Region-Specific Workspace ONE Access Instance in Region A

You integrate your Active Directory with Workspace ONE Access and configure attributes to synchronize users and groups to enable identity and access management in the SDDC.

5 Assign Roles in the Region-Specific Workspace ONE Access Instance in Region A

Workspace ONE Access uses role-based access control to manage administrator roles. You assign the Super Admin, Directory Admin, and ReadOnly roles to directory user groups to manage administrative access to the region-specific Workspace ONE Access instance.

Replace the Certificate of the Region-Specific Workspace ONE Access Instance in Region A

You replace the default self-signed certificate of the region-specific Workspace ONE Access instance in Region A with a signed certificate from the Microsoft Certificate Authority generated by using the CertGenVVD utility.

Procedure

1 In a Web browser, log in to the region-specific Workspace ONE Access instance in Region A by using the administration interface.

Setting Value

URL https://sfo01wsa01.sfo01.rainpole.local/admin

User name admin

Password sfo01wsa01_admin_password

Domain System Domain

2 On the main navigation bar, click the Appliance settings tab.

3 In the left pane, click VA configuration and click Manage configuration.

4 In the left pane, click Install SSL certificates.

5 Click the Server certificate tab, configure these settings, and click Save.

Setting Value

SSL certificate Custom Certificate

SSL certificate chain Paste the content of the sfo01wsa01.2.chain.pem file generated by the CertGenVVD utility.

Private key Paste the content of the sfo01wsa01.key file generated by the CertGenVVD utility.

Subject alternative names sfo01wsa01.sfo01.rainpole.local

6 In the Updating certificate dialog box, click OK.

It takes time for the certificate installation to complete and the services to restart.

7 After the services are restarted, close all Web browsers, open a new Web browser, log back in to the region-specific Workspace ONE Access instance, and verify that the certificate is replaced.

Configure Preferences and Custom Branding for the Region-Specific Workspace ONE Access Instance in Region A

To synchronize group members to the directory when adding a group, you configure the preferences of the region-specific Workspace ONE Access instance. To personalize the sign-in screen for your organization, you configure the branding of the region-specific Workspace ONE Access instance.

Procedure

1 In a Web browser, log in to the region-specific Workspace ONE Access instance in Region A by using the administration interface.

Setting Value

URL https://sfo01wsa01.sfo01.rainpole.local/admin

User name admin

Password sfo01wsa01_admin_password

Domain System Domain

2 On the main navigation bar, click Identity and access management.

3 Click Setup and click the Preferences tab.

4 On the Preferences page, next to Sync group members to the directory when adding group, select the Enable check box, and click Save.

5 Click the Custom branding tab.

6 Click Names and logos, configure these settings, and click Save.

Setting Value

Company Name Rainpole

Product Name Cloud

Favicon Upload a 16px by 16px transparent .png image.

7 On the Custom branding page, click Sign-in screen, configure these settings, and click Save.

Setting Example Value

Logo Upload a 100px height transparent .png image.

Image Upload a 1400px width and 900px height .png or .jpg image.

Configure NTP of the Region-Specific Workspace ONE Access Instance in Region A

To keep the region-specific Workspace ONE Access appliance time synchronized with the other SDDC components, configure the NTP source on the appliance.

Procedure

1 Log in to the region-specific Workspace ONE Access instance in Region A by using a Secure Shell (SSH) client.

Setting Value

FQDN sfo01wsa01.sfo01.rainpole.local

User name sshuser

Password sfo01wsa01_sshuser_password

2 Configure the NTP source of the Workspace ONE Access appliance.

a Switch to the super user.

su

b Edit the /etc/ntp.conf file.

vi /etc/ntp.conf

c Edit the server entries and save the file.

server ntp.sfo01.rainpole.local

3 Enable the NTP service.

a To disable time synchronization with the ESXi host, run the command.

vmware-toolbox-cmd timesync disable

b To enable and start the NTP service, run the commands.

chkconfig ntp on

service ntp start

c To verify the status of the NTP service, run the command.

service ntp status
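The NTP procedure above, and the matching one for the three cross-region cluster nodes, edits /etc/ntp.conf by hand in vi on each appliance. The script below is an added example, not part of the VMware guide: it performs steps 2c and 3 non-interactively so that the same change can be repeated on every node. The function names, the .bak backup file and the --apply switch are assumptions of this example, and the sample ntp.conf used by demo is constructed.

```shell
#!/bin/sh
# Added example (not from the VMware guide): non-interactive form of the
# "edit the server entries" and "enable the NTP service" steps.

# Print the hosts named on the active "server" lines of an ntp.conf.
ntp_servers_of() {
    awk '$1 == "server" { print $2 }' "$1"
}

# set_ntp_servers CONF HOST...   (hypothetical helper)
# Replace every active "server" line in CONF with one line per HOST.
# Comments and all other directives are kept. A local-clock entry such as
# "server 127.127.1.0" is a server line too and is replaced as well.
set_ntp_servers() {
    [ "$#" -ge 2 ] || { echo "usage: set_ntp_servers CONF HOST..." >&2; return 1; }
    conf=$1
    shift
    [ -f "$conf" ] || { echo "no such file: $conf" >&2; return 1; }
    for s in "$@"; do
        # Accept host names and IPv4 addresses only. Spaces or newlines in
        # a value could smuggle an extra directive into the file.
        case $s in
            ''|*[!A-Za-z0-9.-]*) echo "rejected server name" >&2; return 1 ;;
        esac
    done
    # Already in the desired state: leave the file and any backup untouched.
    wanted=$(printf '%s\n' "$@")
    [ "$(ntp_servers_of "$conf")" = "$wanted" ] && return 0
    tmp=$(mktemp) || return 1
    awk '$1 != "server"' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    printf 'server %s\n' "$@" >> "$tmp"
    # Keep the previous file, then overwrite in place so that the owner and
    # mode of CONF are preserved.
    cp -p "$conf" "$conf.bak" && cat "$tmp" > "$conf"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Steps 2c and 3 on the appliance itself, using the commands from the
# procedure. The return status is that of "service ntp status".
apply_on_appliance() {
    [ "$(id -u)" -eq 0 ] || { echo "run as root (step 2a: su)" >&2; return 1; }
    set_ntp_servers /etc/ntp.conf "$@" || return 1
    vmware-toolbox-cmd timesync disable
    chkconfig ntp on
    service ntp start
    service ntp status
}

# Offline demonstration on a constructed ntp.conf in a temporary directory.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/ntp.conf" <<'EOF'
driftfile /var/lib/ntp/drift/ntp.drift
restrict default kod nomodify notrap nopeer noquery
# server time.example.org
server 0.pool.ntp.example iburst
server 127.127.1.0
EOF
    echo "before: $(ntp_servers_of "$dir/ntp.conf" | tr '\n' ' ')"
    set_ntp_servers "$dir/ntp.conf" ntp.sfo01.rainpole.local
    rc=$?
    echo "after:  $(ntp_servers_of "$dir/ntp.conf" | tr '\n' ' ')"
    rm -rf "$dir"
    return "$rc"
}

case "${1:-}" in
    --apply)
        shift
        # Default to the NTP server used throughout this guide.
        [ "$#" -gt 0 ] || set -- ntp.sfo01.rainpole.local
        apply_on_appliance "$@"
        ;;
    *)
        demo
        ;;
esac
```

Without arguments the script only runs the demo on a temporary file; with --apply, run as root, it changes the appliance it is executed on.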

Configure Identity Source of the Region-Specific Workspace ONE Access Instance in Region A

You integrate your Active Directory with Workspace ONE Access and configure attributes to synchronize users and groups to enable identity and access management in the SDDC.

Procedure

1 In a Web browser, log in to the region-specific Workspace ONE Access instance in Region A by using the administration interface.

Setting Value

URL https://sfo01wsa01.sfo01.rainpole.local/admin

User name admin

Password sfo01wsa01_admin_password

Domain System Domain

2 On the main navigation bar, click Identity and access management.

3 Click the Directories tab, and from the Add directory drop-down menu, select Add Active Directory over LDAP/IWA.

The Add directory wizard opens.

4 On the Add directory page, configure these settings and click Save and next.

Setting Value

Directory name rainpole.local

Active Directory (Integrated Windows authentication) Selected

Sync connector sfo01wsa01.sfo01.rainpole.local

Do you want this connector also perform authentication Yes

Directory search attribute sAMAccountName

Domain name sfo01.rainpole.local

Domain admin user name svc-domain-join

Domain admin password svc-domain-join_password

Bind user name svc-wsa-ad

Bind user password svc-wsa-ad_password

5 On the Select the domains page, configure these settings and click Next.

Setting Value

rainpole.local (RAINPOLE) Selected

sfo01.rainpole.local (SFO01) Selected

6 On the Map user attributes page, review the attribute mappings and click Next.

7 On the Select the groups you want to sync page, configure the settings and click Find groups.

Setting Value

Sync nested group members Selected

Specify the group DN Click the plus icon and enter OU=Security Groups,DC=rainpole,DC=local

8 For each group DN, click Select, select the groups to be used by the region-specific Workspace ONE Access instance in Region A, click Save, and click Next.

Product Value

NSX Data Center ug-nsx-enterprise-admins

Workspace ONE Access ug-wsa-admins, ug-wsa-directory-admins, ug-wsa-read-only

vRealize Log Insight ug-vrli-admins, ug-vrli-users, ug-vrli-viewers

9 On the Select the users you want to sync page, configure these settings and click Next.

Setting Value

Specify the user DN Click the plus icon and enter OU=Security Users,DC=rainpole,DC=local

10 On the Review page, click Edit, from the Sync frequency drop-down menu, select Every 15 minutes, and click Save.

11 To initialize the directory import, click Sync directory.

This process might take some time to complete.

Assign Roles in the Region-Specific Workspace ONE Access Instance in Region A

Workspace ONE Access uses role-based access control to manage administrator roles. You assign the Super Admin, Directory Admin, and ReadOnly roles to directory user groups to manage administrative access to the region-specific Workspace ONE Access instance.

You assign the Workspace ONE Access roles to the Workspace ONE Access user groups.

Table 4-1. Workspace ONE Access Roles and Groups

Role Group

Super Admin [email protected]

Directory Admin [email protected]

ReadOnly Admin [email protected]

Procedure

1 In a Web browser, log in to the region-specific Workspace ONE Access instance in Region A by using the administration interface.

Setting Value

URL https://sfo01wsa01.sfo01.rainpole.local/admin

User name admin

Password sfo01wsa01_admin_password

Domain System Domain

2 On the main navigation bar, click Roles.

3 Select the Super Admin role and click Assign.

4 In the Users / groups search box, enter [email protected], select the group, and click Save.

5 Repeat these steps to configure the Directory Admin and the ReadOnly Admin roles.

Integrate NSX-T Data Center with the Region-Specific Workspace ONE Access Instance in Region A

To provide role-based access to the NSX-T Data Center instance for the workload domain, integrate it with the region-specific Workspace ONE Access instance.

Procedure

1 Obtain the Certificate Thumbprint from the Region-Specific Workspace ONE Access Instance in Region A

Before you configure the integration of Workspace ONE Access with NSX-T Data Center in the workload domain, you must obtain the certificate thumbprint from the region-specific Workspace ONE Access instance.

2 Integrate NSX-T Data Center with the Region-Specific Workspace ONE Access Instance in Region A

First, you create a remote app access client in the region-specific Workspace ONE Access for the integration with NSX-T Data Center. Then, you use the certificate thumbprint, client ID, and shared secret to register NSX-T Data Center as a trusted consumer of the Workspace ONE Access identity and authentication services.

3 Configure Role-Based Access Control for NSX-T Data Center in Region A

After you integrate the region-specific Workspace ONE Access instance with NSX-T Data Center, you configure role-based access controls to manage access to NSX-T Data Center in the workload domain.

Obtain the Certificate Thumbprint from the Region-Specific Workspace ONE Access Instance in Region A

Before you configure the integration of Workspace ONE Access with NSX-T Data Center in the workload domain, you must obtain the certificate thumbprint from the region-specific Workspace ONE Access instance.

Procedure

1 Log in to vCenter Server by using a Secure Shell (SSH) client.

Setting Value

FQDN sfo01m01vc01.sfo01.rainpole.local

User name root

Password vcenter_server_root_password

2 To switch to the bash shell, run the shell command.

3 To retrieve the SHA-256 thumbprint of the Workspace ONE Access certificate, run the command.

openssl s_client -connect sfo01wsa01.sfo01.rainpole.local:443 < /dev/null 2> /dev/null | openssl x509 -sha256 -fingerprint -noout -in /dev/stdin

4 Save the fingerprint to later integrate NSX-T Data Center with Workspace ONE Access.
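The command in step 3 reports the fingerprint of whatever endpoint answered on port 443, so before you pin that value it is worth comparing it with the certificate file you issued for the appliance. The following is an added example, not part of the VMware procedure: it computes the SHA-256 thumbprint of the first certificate in a PEM file or chain and compares it with the openssl output. The function names and the sample data are assumptions made for the illustration, and the sample PEM blocks are constructed placeholders, not real certificates.

```python
import base64
import hashlib
import hmac
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S
)


def leaf_der(pem_text):
    """Return the DER bytes of the first certificate in a PEM file or chain.

    `openssl x509` also reads only the first block of its input, so hashing
    the first block is what corresponds to the value printed in step 3.
    """
    match = PEM_BLOCK.search(pem_text)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def sha256_thumbprint(pem_text):
    """SHA-256 over the leaf's DER encoding, upper-case hex, no separators."""
    return hashlib.sha256(leaf_der(pem_text)).hexdigest().upper()


def normalize(fingerprint):
    """Reduce an openssl fingerprint line or bare hex string to 64 hex digits.

    Accepts 'SHA256 Fingerprint=AA:BB:...', 'sha256 Fingerprint=aa:bb:...'
    and plain hex with or without colons.
    """
    value = fingerprint.strip().split("=", 1)[-1]
    value = re.sub(r"[:\s]", "", value).upper()
    if not re.fullmatch(r"[0-9A-F]{64}", value):
        raise ValueError("not a SHA-256 fingerprint: %r" % fingerprint)
    return value


def with_colons(hex_value):
    """Format 64 hex digits as colon-separated byte pairs."""
    return ":".join(hex_value[i:i + 2] for i in range(0, 64, 2))


def matches_issued_cert(openssl_output, issued_pem):
    """True if the fingerprint seen on the wire belongs to the issued leaf."""
    observed = normalize(openssl_output)
    expected = sha256_thumbprint(issued_pem)
    return hmac.compare_digest(observed, expected)


def pem_armor(payload):
    """Wrap bytes in PEM certificate armor (used only to build sample data)."""
    b64 = base64.b64encode(payload).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (
        "-----BEGIN CERTIFICATE-----\n"
        + "\n".join(lines)
        + "\n-----END CERTIFICATE-----\n"
    )


# Constructed sample data: placeholder bytes, not real X.509 certificates.
SAMPLE_LEAF = pem_armor(b"constructed leaf certificate bytes (not real DER)")
SAMPLE_CA = pem_armor(b"constructed issuing CA bytes (not real DER)")
SAMPLE_CHAIN = SAMPLE_LEAF + SAMPLE_CA  # leaf first, as in a chain file

# Constructed line in the format printed by the openssl command in step 3.
OBSERVED_LINE = "SHA256 Fingerprint=" + with_colons(sha256_thumbprint(SAMPLE_LEAF))

if __name__ == "__main__":
    print("thumbprint of issued leaf:", sha256_thumbprint(SAMPLE_CHAIN))
    print("matches issued certificate:", matches_issued_cert(OBSERVED_LINE, SAMPLE_CHAIN))
    print("matches issuing CA instead:", matches_issued_cert(OBSERVED_LINE, SAMPLE_CA))
```

Hashing a whole chain file instead of its first block gives a value that never matches, which is why the example extracts the leaf explicitly.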

Integrate NSX-T Data Center with the Region-Specific Workspace ONE Access Instance in Region A

First, you create a remote app access client in the region-specific Workspace ONE Access for the integration with NSX-T Data Center. Then, you use the certificate thumbprint, client ID, and shared secret to register NSX-T Data Center as a trusted consumer of the Workspace ONE Access identity and authentication services.

Procedure

1 In a Web browser, log in to the region-specific Workspace ONE Access instance in Region A by using the administration interface.

Setting Value

URL https://sfo01wsa01.sfo01.rainpole.local/admin

User name admin

Password sfo01wsa01_admin_password

Domain System Domain

2 On the main navigation bar, from the Catalog drop-down menu, select Settings.

3 In the left pane, click Remote app access.

4 Click Clients and click Create client.

5 In the Create client dialog box, configure these settings, and click Add.

Setting Value

Access type Service Client Token

Client ID sfo01w01nsx01-oauth

Scope admin

Shared secret Generate and save a shared secret

Issue Refresh Token Selected

Token type Bearer

Access Token Time-To-Live (TTL) 8 hours

Refresh Token Time-To-Live (TTL) 1 month

Idle Token Time-to-Live (TTL) 4 days

6 In a Web browser, log in to the NSX-T Manager for the workload domain by using the user interface.

Setting Value

URL https://sfo01w01nsx01.sfo01.rainpole.local

User name admin

Password nsx-t_admin_password

7 On the main navigation bar, click System.

8 In the left pane, click Users, click the Configuration tab, and click Edit.

9 In the Edit VMware Identity Manager configuration dialog box, configure these settings and click Save.

Setting Value

External load balancer Disabled

Integration VMware Identity Manager Enabled

VMware Identity Manager Appliance sfo01wsa01.sfo01.rainpole.local

OAuth Client ID sfo01w01nsx01-oauth

OAuth Client Secret Generated_Shared_Secret

SSL Thumbprint Certificate_SHA-256_Thumbprint

NSX Appliance sfo01w01nsx01.sfo01.rainpole.local

Results

Important After you configure Workspace ONE Access as an identity provider, the NSX-T Manager URL for a local account login has /login.jsp?local=true appended to it, that is, https://sfo01w01nsx01.sfo01.rainpole.local/login.jsp?local=true.

Configure Role-Based Access Control for NSX-T Data Center in Region A

After you integrate the region-specific Workspace ONE Access instance with NSX-T Data Center, you configure role-based access controls to manage access to NSX-T Data Center in the workload domain.

Procedure

1 In a Web browser, log in to the NSX-T Manager for the workload domain by using the user interface.

Setting Value

URL https://sfo01w01nsx01.sfo01.rainpole.local

User name admin

Password nsx-t_admin_password

2 On the main navigation bar, click System.

3 In the left pane, click Users and click the Roles assignments tab.

4 From the Add drop-down menu, select Role assignment, configure these settings, and click Save.

Setting Value

User / User Group Name [email protected]

Roles Enterprise Admins

vRealize Operations Manager Implementation in Region A

Deploy vRealize Operations Manager components to monitor the resources in your SDDC.

Deploy the vRealize Operations Manager analytics cluster with three nodes to monitor the resources in your SDDC. Also deploy the remote collector group with two nodes to collect data from the management components in the SDDC.

Procedure

1 Configure the Load Balancer for vRealize Operations Manager in Region A

Configure load balancing for the analytics cluster on the dedicated NSX Edge services gateway. The remote collector group in Region A does not require load balancing.

2 Deploy vRealize Operations Manager in Region A

Deploy the vRealize Operations Manager analytics cluster nodes and the remote collector nodes by using vRealize Suite Lifecycle Manager.

3 Update vRealize Operations Manager Authentication Source

To ensure that users are redirected to the load balancer address when authenticating to vRealize Operations Manager with a cross-region Workspace ONE Access user account, you update the vRealize Operations Manager authentication source. You set the redirect FQDN to the load balancer VIP FQDN and rename the authentication source.

4 Configure vSphere DRS Anti-Affinity Rules for vRealize Operations Manager in Region A

To protect the vRealize Operations Manager virtual machines from a host-level failure, configure vSphere DRS to run the virtual machines of the analytics cluster and the remote collectors on different hosts in the first cluster in the management domain.

5 Create a VM Group and Define the Startup Order of the Analytics Cluster in Region A

VM groups allow you to define the startup order of virtual machines. The startup order you define ensures that vSphere HA powers on virtual machines in the correct order.

6 Group the Remote Collector Nodes in Region A

Join the remote collectors in a group for adapter resiliency in case the collector experiences network interruption or becomes unavailable.

7 Configure User Access in vRealize Operations Manager in Region A

To enable enterprise users to log in with the required role-based access controls, you configure the enterprise identity source user groups that are synced in Workspace ONE Access for vRealize Operations Manager.

8 Configure User Access in vSphere for Integration with vRealize Operations Manager in Region A

Configure operations service accounts with the required permissions to enable vRealize Operations Manager access to monitoring data on the vCenter Server instances.

9 Add vCenter Server Cloud Accounts to vRealize Operations Manager in Region A

After you deploy the analytics cluster and the remote collector nodes of vRealize Operations Manager and start vRealize Operations Manager, create a vCenter Server cloud account for each vCenter Server instance in the region.

10 Enable vSAN Monitoring in vRealize Operations Manager in Region A

Configure the vSAN adapter to collect monitoring data about vSAN usage in the SDDC.

11 Connect vRealize Operations Manager to NSX Data Center for vSphere in Region A

Install and configure the vRealize Operations Management Pack for NSX for vSphere to monitor the NSX networking services deployed in the management domain and view the vSphere hosts in the NSX transport zones.

12 Enable NSX-T Data Center Monitoring in vRealize Operations Manager in Region A

Configure the vRealize Operations Management Pack for NSX-T to monitor the NSX-T networking services deployed in the workload domain and view the vSphere hosts in the NSX-T transport zones.

13 Enable Storage Device Monitoring in vRealize Operations Manager in Region A

Install and configure the vRealize Operations Management Pack for Storage Devices to view the storage topology in the SDDC and to monitor the capacity and problems on storage components.

14 Connect vRealize Operations Manager to the Workspace ONE Access Instances in Region A

Install and configure the vRealize Operations Management Pack for VMware Identity Manager to monitor Workspace ONE Access cluster nodes, certificates, storage space, database connections, RabbitMQ, and other resource kinds.

15 Set the Currency for Cost Calculation in vRealize Operations Manager

Set the currency used for cost calculations in vRealize Operations Manager.

16 Configure Email Alerts in vRealize Operations Manager in Region A

Configure email notifications in vRealize Operations Manager so that users and applications receive the administrative alerts from vRealize Operations Manager about certain situations in the data center.

Configure the Load Balancer for vRealize Operations Manager in Region A

Configure load balancing for the analytics cluster on the dedicated NSX Edge services gateway. The remote collector group in Region A does not require load balancing.

Procedure

1 Configure the Virtual IP Address for Load Balancing the Analytics Cluster in Region A

Configure the virtual IP address for load balancing the analytics cluster of vRealize Operations Manager in Region A.

2 Create a Service Monitor for vRealize Operations Manager in Region A

The service monitor defines health check parameters for each member in the server pool.

3 Create a Server Pool for vRealize Operations Manager in Region A

A server pool consists of one or more servers that are configured and running the same application. After you create a server pool, you associate a service monitor with the pool to manage and share the back-end servers flexibly and efficiently.

4 Create the Application Profiles for vRealize Operations Manager in Region A

To define the behavior of a particular type of network traffic, you create an application profile. The virtual server then processes traffic according to the values specified in the profile. Using profiles enhances your control over managing network traffic, and makes traffic-management tasks easier and more efficient.

5 Create Virtual Servers for vRealize Operations in Region A

Create virtual servers for the configured server pool. When a virtual server receives a request, it selects the appropriate pool to which to send traffic. Each pool consists of one or more members.

Configure the Virtual IP Address for Load Balancing the Analytics Cluster in Region A

Configure the virtual IP address for load balancing the analytics cluster of vRealize Operations Manager in Region A.

Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Client.

Setting Value

URL https://sfo01m01vc01.sfo01.rainpole.local/ui

User name [email protected]

Password vsphere_admin_password

2 In the Networking and security inventory, click NSX Edges.

3 From the NSX Manager drop-down menu, select 172.16.11.65.

4 Click the ID of the sfo01m01lb01 edge services gateway to open its network settings.

5 Click the Configure tab and click Interfaces.

6 Select the OneArmLB interface and click Edit.

7 On the Basic tab, under Configure subnets, in the row for primary IP address 192.168.11.2, in the Secondary IP addresses cell, add the vRealize Operations Manager analytics cluster IP address, 192.168.11.30.

8 Click Save.

Create a Service Monitor for vRealize Operations Manager in Region A

The service monitor defines health check parameters for each member in the server pool.

Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Client.

Setting Value

URL https://sfo01m01vc01.sfo01.rainpole.local/ui

User name [email protected]

Password vsphere_admin_password

2 In the Networking and security inventory, click NSX Edges.

3 From the NSX Manager drop-down menu, select 172.16.11.65.

4 Click the ID of the sfo01m01lb01 edge service gateway to open its network settings.

5 Click the Load balancer tab and click Service monitoring.

6 Click Add, enter these values to configure the health check parameters, and click Add.

Setting Value

Name vrops-https-monitor

Interval 5

Timeout 16

Max retries 2

Type HTTPS

Expected -

Method GET

URL /suite-api/api/deployment/node/status?service=api&service=admin&service=ui

Receive ONLINE

Create a Server Pool for vRealize Operations Manager in Region A

A server pool consists of one or more servers that are configured and running the same application. After you create a server pool, you associate a service monitor with the pool to manage and share the back-end servers flexibly and efficiently.

You add the three vRealize Operations Manager analytics cluster nodes as members of the server pool.

Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Client.

Setting Value

URL https://sfo01m01vc01.sfo01.rainpole.local/ui

User name [email protected]

Password vsphere_admin_password

2 In the Networking and security inventory, click NSX Edges.

3 From the NSX Manager drop-down menu, select 172.16.11.65.

4 Click the ID of the sfo01m01lb01 edge service gateway to open its network settings.

5 Click the Load Balancer tab and click Pools.

6 Click Add and, on the General tab of the New pool dialog box, enter these values to configure the load-balancing profile.

Setting Value

Name vrops-server-pool

Description vRealize Operations Manager analytics cluster server pool

Algorithm LEASTCONN

Monitors vrops-https-monitor

IP filter Any

Transparent Turned off

7 Click the Members tab of the New pool dialog box.

8 To add each analytics cluster node to the pool, click Add, enter the values for the node, and click OK.

| Setting | Value for vrops01svr01a | Value for vrops01svr01b | Value for vrops01svr01c |
| --- | --- | --- | --- |
| Name | vrops01svr01a | vrops01svr01b | vrops01svr01c |
| IP address | 192.168.11.31 | 192.168.11.32 | 192.168.11.33 |
| State | Enabled | Enabled | Enabled |
| Port | 443 | 443 | 443 |
| Monitor Port | 443 | 443 | 443 |
| Weight | 1 | 1 | 1 |
| Max connections | - | - | - |
| Min connections | - | - | - |

9 In the New pool dialog box, click Add.

Create the Application Profiles for vRealize Operations Manager in Region A

To define the behavior of a particular type of network traffic, you create an application profile. The virtual server then processes traffic according to the values specified in the profile. Using profiles enhances your control over managing network traffic, and makes traffic-management tasks easier and more efficient.

Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Client.

Setting Value

URL https://sfo01m01vc01.sfo01.rainpole.local/ui

User name [email protected]

Password vsphere_admin_password

2 In the Networking and security inventory, click NSX Edges.

3 From the NSX Manager drop-down menu, select 172.16.11.65.

4 Click the ID of the sfo01m01lb01 edge service gateway to open its network settings.

5 Click the Load balancer tab and click Application profiles.

6 To create each application profile, click Add and, on the General tab of the New application profile dialog box, enter the values for the profile and click Add.

| Setting | Value for vrops-https-app-profile | Value for vrops-http-redirect |
| --- | --- | --- |
| Application Profile Type | SSL passthrough | HTTP |
| Name | vrops-https-app-profile | vrops-http-redirect |
| HTTP Redirect URL | - | https://vrops01svr01.rainpole.local/vcops-web-ent/login.action |
| Persistence | Source IP | Source IP |
| Expires in (Seconds) | 1800 | 1800 |
| Insert X-Forwarded-For HTTP header | Disabled | Disabled |

Create Virtual Servers for vRealize Operations in Region A

Create virtual servers for the configured server pool. When a virtual server receives a request, it selects the appropriate pool to which to send traffic. Each pool consists of one or more members.

Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Client.

Setting Value

URL https://sfo01m01vc01.sfo01.rainpole.local/ui

User name [email protected]

Password vsphere_admin_password

2 In the Networking and security inventory, click NSX Edges.

3 From the NSX Manager drop-down menu, select 172.16.11.65.

4 Click the ID of the sfo01m01lb01 edge services gateway to open its network settings.

5 Click the Load balancer tab and click Virtual servers.

6 To create each virtual server, click Add and, on the General tab, enter the values and click Add.

| Setting | Value for vrops-https | Value for vrops-http-redirect |
| --- | --- | --- |
| Virtual server | Enabled | Enabled |
| Acceleration | Enabled | Disabled |
| Application profile | vrops-https-app-profile | vrops-http-redirect |
| Name | vrops-https | vrops-http-redirect |
| Description | vRealize Operations Manager analytics cluster UI | vRealize Operations Manager analytics cluster HTTP to HTTPS Redirect |
| IP address | 192.168.11.30 | 192.168.11.30 |
| Protocol | HTTPS | HTTP |
| Port/Port range | 443 | 80 |
| Default pool | vrops-server-pool | None |
| Connection limit | 0 | 0 |
| Connection rate limit | 0 | 0 |

Deploy vRealize Operations Manager in Region A

Deploy the vRealize Operations Manager analytics cluster nodes and the remote collector nodes by using vRealize Suite Lifecycle Manager.

Procedure

1 Prerequisites for Deploying vRealize Operations Manager in Region A

Before you deploy vRealize Operations Manager, verify that your environment fulfills the requirements for this deployment.

2 Add the vRealize Operations Manager Multi-SAN Certificate to vRealize Suite Lifecycle Manager

To enable vRealize Suite Lifecycle Manager to deploy vRealize Operations Manager, you must add the vRealize Operations Manager SSL certificate to the vRealize Suite Lifecycle Manager Locker.

3 Add the vRealize Operations Manager Password to vRealize Suite Lifecycle Manager

To enable vRealize Suite Lifecycle Manager to deploy vRealize Operations Manager, you must add the vRealize Operations Manager password to the vRealize Suite Lifecycle Manager Locker.

4 Create the Cross-Region Environment in vRealize Suite Lifecycle Manager in Region A

Before you deploy vRealize Operations Manager by using vRealize Suite Lifecycle Manager, you create a cross-region environment in vRealize Suite Lifecycle Manager. You configure network, storage, and other environment parameters required for the deployment.

5 Deploy vRealize Operations Manager Using vRealize Suite Lifecycle Manager in Region A

In the vRealize Suite Lifecycle Manager Create environment wizard, after the environment configuration, you configure the deployment details for vRealize Operations Manager. You configure advanced settings for the required VMs that are part of the vRealize Operations Manager deployment.

Prerequisites for Deploying vRealize Operations Manager in Region A

Before you deploy vRealize Operations Manager, verify that your environment fulfills the requirements for this deployment.

Verify that your environment fulfills the prerequisites for the deployment of vRealize Operations Manager.

Prerequisite Value

Storage
- Virtual disk provisioning: Thin
- Required storage per analytics cluster node.
- Initial storage for the analytics cluster node: 274 GB
- Additional storage for monitoring data per analytics cluster node: 1 TB

Software Features
- Verify that vCenter Server is operational.
- Verify that the vSphere cluster has vSphere DRS and HA enabled.
- Verify that the NSX Manager is operational.
- Verify that the application virtual networks are available.
- Verify that the Postman application is installed.
- Verify that the load balancer service is enabled on the NSX Edge service gateway.
- Verify that vRealize Suite Lifecycle Manager is operational and data collection from the Management vCenter Server instance has run successfully.
- Verify that static IP addresses and FQDNs for the application virtual networks are available for the vRealize Operations Manager deployment. See Host Names and IP Addresses for vRealize Suite 2019 and Workspace ONE Access.

Installation Package
- Download the .pak file for the vRealize Operations Manager Management Pack for NSX for vSphere from VMware Solutions Exchange.
- Download the .pak file for the vRealize Operations Manager Management Pack for Storage Devices from VMware Solutions Exchange.
- Download the .pak file for the vRealize Operations Management Pack for VMware Identity Manager from VMware Solutions Exchange.

License
Verify that you obtained the vRealize Suite or vCloud Suite license with a quantity that fulfills the requirements of this design.

Workspace ONE Access
- Verify that required Active Directory users are synchronized to the cross-region Workspace ONE Access. See Active Directory User Accounts.
- Verify that required Active Directory security groups are synchronized to the cross-region Workspace ONE Access. See Active Directory Groups.

Certificate Authority
Verify that you have a valid SSL certificate. You can generate the certificate using the CertGenVVD utility. See Certificate Generation Utility for VMware Validated Design for Software-Defined Data Center 6.x (78246).

External Services
- Verify that you have access to an SMTP server.
- Verify that SNMP is enabled in your network environment, to monitor network devices.
- Verify that Link Layer Discovery Protocol (LLDP) or Cisco Discovery Protocol (CDP) is enabled on each network device for complete monitoring of your environment.
- Verify that central NTP services are available.
- Verify that all DNS addresses resolve both forward and reverse.

Add the vRealize Operations Manager Multi-SAN Certificate to vRealize Suite Lifecycle Manager

To enable vRealize Suite Lifecycle Manager to deploy vRealize Operations Manager, you must add the vRealize Operations Manager SSL certificate to the vRealize Suite Lifecycle Manager Locker.

Procedure

1 In a Web browser, log in to vRealize Suite Lifecycle Manager by using the administration interface.

Setting Value

URL https://vrslcm01svr01.rainpole.local

User name admin@local

Password vrslcm_admin_password

2 On the My services page, click Locker.

3 On the Certificate page, click Import, enter these values, and click Import.

Setting Value

Name vrops01svr01-certificate

Pass phrase PEM_pass_phrase

Select certificate file Navigate to the vRealize Operations Manager certificate PEM file, vrops01svr01.2.chain.pem.

Add the vRealize Operations Manager Password to vRealize Suite Lifecycle Manager

To enable vRealize Suite Lifecycle Manager to deploy vRealize Operations Manager, you must add the vRealize Operations Manager password to the vRealize Suite Lifecycle Manager Locker.

Procedure

1 In a Web browser, log in to vRealize Suite Lifecycle Manager by using the administration interface.

Setting Value

URL https://vrslcm01svr01.rainpole.local

User name admin@local

Password vrslcm_admin_password

2 On the My services page, click Locker.

3 In the navigation pane, click Password.

4 Click Add, enter these values, and click Add.

Setting Value

Password alias xregion-vrops-root

Password xregion-vrops-root_password

Confirm password xregion-vrops-root_password

Password description Cross-region vRealize Operations Manager root user

User name root

Create the Cross-Region Environment in vRealize Suite Lifecycle Manager in Region A

Before you deploy vRealize Operations Manager by using vRealize Suite Lifecycle Manager, you create a cross-region environment in vRealize Suite Lifecycle Manager. You configure network, storage, and other environment parameters required for the deployment.

Procedure

1 In a Web browser, log in to vRealize Suite Lifecycle Manager by using the administration interface.

Setting Value

URL https://vrslcm01svr01.rainpole.local

User name admin@local

Password vrslcm_admin_password

2 On the My services page, click Lifecycle operations.

3 On the Dashboard page, click Create environment, enter these values, and click Next.

Setting Value

Environment name Cross-Region-Env

Administrator email xregion-env-admin_email

Default password Click Select default password and select xregion-env-admin.

Select datacenter cross-region-dc

JSON configuration Disabled

Join the VMware customer experience improvement program Selected

4 On the Select product page, select the check box for vRealize Operations, configure these values, and click Next.

Setting Value

Installation type New install

Version 8.1.0

Deployment type Medium

Node count 3

Enable HA Enabled

5 On the End user license agreement page, read the EULA, select the I agree to the terms and conditions check box, and click Next.

6 On the License page, add or select the vRealize Suite license.

- To select a license by using the My VMware product entitlement, click Select, select the license, and click Update.

- To add the license manually, click Add, enter the vRealize Suite or vCloud Suite License alias and key, click Validate, and then click Add.

7 To validate the license, click Validate association and click Next.

8 On the Certificate page, from the Select certificate drop-down menu, select the vRealize Operations Manager certificate and click Next.

9 On the Infrastructure page, enter these values, and click Next.

Setting Value

Select vCenter Server sfo01m01vc01.sfo01.rainpole.local

Select cluster sfo01-m01dc#sfo01-m01-mgmt01

Select folder sfo01-m01fd-vrops

Select resource pool sfo01-m01-sddc-mgmt

Select network Distributed port group that ends with Mgmt-xRegion01-VXLAN.

Select datastore sfo01-m01-vsan01

Select disk mode Thin

Integrate with Identity Manager Enabled

10 On the Network page, enter these values and click Next.

Setting Value

Default gateway 192.168.11.1

Netmask 255.255.255.0

Domain name rainpole.local

Domain search path rainpole.local,sfo01.rainpole.local

DNS servers Click Edit server selection, select 172.16.11.4 and 172.16.11.5, and click Next and Finish.

Time sync mode Use NTP Server

NTP servers Click Edit server selection, select ntp.sfo01.rainpole.local, click Next and Finish.

Results

You are redirected to the Products page of the Create Environment wizard to deploy vRealize Operations Manager.

Deploy vRealize Operations Manager Using vRealize Suite Lifecycle Manager in Region A

In the vRealize Suite Lifecycle Manager Create environment wizard, after the environment configuration, you configure the deployment details for vRealize Operations Manager. You configure advanced settings for the required VMs that are part of the vRealize Operations Manager deployment.

Procedure

1 On the Products page of the Create environment wizard, under Install vRealize Operations, in the Product properties panel, enter these values.

Setting Value

Disable TLS version TLSv1,TLSv1.1

Certificate vrops01svr01-certificate

Anti-affinity / affinity rule Deselected

Product password xregion-vrops-root

Integrate with Identity Manager Selected

Time sync mode Use NTP Server

NTP servers ntp.sfo01.rainpole.local

2 Add the nodes for the vRealize Operations Manager deployment configuration.

a In the Components panel, click the Add component icon and select Remote collector.

b Repeat Step 2.a to add the second Remote collector node.

3 Configure the vRealize Operations Manager primary node.

a In the master panel, enter these values and click the Advanced Settings icon.

Setting Value

VM name vrops01svr01a

FQDN vrops01svr01a.rainpole.local

IP address 192.168.11.31

b On the Advanced configuration page, enter these values and click Save.

Setting Value

Storage extension

Extended storage sfo01-m01-vsan01

Default properties

Time zone UTC

4 Configure the vRealize Operations Manager replica node.

a In the replica panel, enter these values and click the Advanced settings icon.

Setting Value

VM name vrops01svr01b

FQDN vrops01svr01b.rainpole.local

IP address 192.168.11.32

b On the Advanced configuration page, enter these values and click Save.

Setting Value

Storage extension

Extended storage sfo01-m01-vsan01

Default properties

Time zone UTC

5 Configure the vRealize Operations Manager data node.

a In the data panel, enter these values and click the Advanced settings icon.

Setting Value

VM name vrops01svr01c

FQDN vrops01svr01c.rainpole.local

IP address 192.168.11.33

b On the Advanced configuration page, enter these values and click Save.

Setting Value

Storage extension

Extended storage sfo01-m01-vsan01

Default properties

Time zone UTC

6 Configure the vRealize Operations Manager vrops-remotecollector node.

a In the vrops-remotecollector panel, enter these values and click the Advanced settings icon.

Setting Value

VM name sfo01vropsc01a

FQDN sfo01vropsc01a.sfo01.rainpole.local

IP address 192.168.31.31

Node size Standard

b On the Advanced configuration page, enter these values and click Save.

Setting Value

Infrastructure

Select vCenter Server sfo01m01vc01.sfo01.rainpole.local

Select cluster sfo01-m01dc#sfo01-m01-mgmt01

Select folder sfo01-m01fd-vropsrc

Select resource pool sfo01-m01-sddc-mgmt

Select network Distributed port group that ends with Mgmt-RegionA01-VXLAN

Select datastore sfo01-m01-vsan01

Network

Gateway 192.168.31.1

Domain sfo01.rainpole.local

DNS search domain sfo01.rainpole.local,rainpole.local

DNS 172.16.11.5,172.16.11.4

Netmask 255.255.255.0

NTP Settings

NTP Click Edit server selection, select ntp.sfo01.rainpole.local, click Next and Finish.

Default properties

Time zone UTC

7 Configure the vRealize Operations Manager vrops-remotecollector-2 node.

a In the vrops-remotecollector-2 panel, enter these values and click the Advanced settings icon.

Setting Value

VM name sfo01vropsc01b

FQDN sfo01vropsc01b.sfo01.rainpole.local

IP address 192.168.31.32

Node size Standard

b On the Advanced configuration page, enter these values and click Save.

Setting Value

Infrastructure

Select vCenter Server sfo01m01vc01.sfo01.rainpole.local

Select cluster sfo01-m01dc#sfo01-m01-mgmt01

Select folder sfo01-m01fd-vropsrc

Select resource pool sfo01-m01-sddc-mgmt

Select network Distributed port group that ends with Mgmt-RegionA01-VXLAN

Select datastore sfo01-m01-vsan01

Network

Gateway 192.168.31.1

Domain sfo01.rainpole.local

DNS search domain sfo01.rainpole.local,rainpole.local

DNS 172.16.11.5,172.16.11.4

Netmask 255.255.255.0

NTP Settings

NTP Click Edit server selection, select ntp.sfo01.rainpole.local, click Next and Finish.

Default properties

Time zone UTC

8 On the Products page, click Next.

9 On the Precheck page, click Run precheck.

10 Wait for all Pre validation successful messages and click Next.

11 On the Summary page, review the configuration details.

12 (Optional) To back up the deployment configuration, click Export configuration.

13 Click Submit to start the deployment.

The Request details page displays the progress of deployment.

14 Monitor the steps of the deployment graph until all stages are marked as COMPLETED.

Update vRealize Operations Manager Authentication Source

To ensure that users are redirected to the load balancer address when authenticating to vRealize Operations Manager with a cross-region Workspace ONE Access user account, you update the vRealize Operations Manager authentication source. You set the redirect FQDN to the load balancer VIP FQDN and rename the authentication source.

Procedure

1 In a Web browser, log in to the vRealize Operations Manager by using the operations interface.

Settings Value

URL https://vrops01svr01.rainpole.local

User name admin

Password vrops_admin_password

2 On the main navigation bar, click Administration.

3 In the left pane, select Access > Authentication sources.

4 On the Authentication sources page, click the vIDMAuthSource vertical ellipsis and click Edit.

5 In the Edit source for user and group import dialog box, rename the source name and configure these values.

Setting Value

Source display name WorkspaceONE

Username configadmin

Password wsa01svr01_configadmin_password

Redirect FQDN/IP vrops01svr01.rainpole.local

6 Click Test.

7 In the Info dialog box, click OK.

8 In the Edit source for user and group import dialog box, click OK.

Configure vSphere DRS Anti-Affinity Rules for vRealize Operations Manager in Region A

To protect the vRealize Operations Manager virtual machines from a host-level failure, configure vSphere DRS to run the virtual machines of the analytics cluster and the remote collectors on different hosts in the first cluster in the management domain.

Use two anti-affinity rules for the vRealize Operations Manager virtual machines. One anti-affinity rule is for the analytics nodes and another anti-affinity rule is for the remote collector nodes. This rule configuration also accommodates the case when you place a host from the management cluster in maintenance mode.

Table 5-1. Anti-Affinity Rules for vRealize Operations Manager

Rule Name | Members | Description
anti-affinity-rule-vropsm | vrops01svr01a, vrops01svr01b, vrops01svr01c | Anti-affinity rule for the analytics nodes.
anti-affinity-rule-vropsr | sfo01vropsc01a, sfo01vropsc01b | Anti-affinity rule for the remote collector nodes.

Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Client.

Setting Value

URL https://sfo01m01vc01.sfo01.rainpole.local/ui

User name [email protected]

Password vsphere_admin_password

2 In the Hosts and clusters inventory, expand the sfo01m01vc01.sfo01.rainpole.local tree and expand the sfo01-m01dc data center.

3 Select the sfo01-m01-mgmt01 cluster and click the Configure tab.

4 In the left pane, select Configuration > VM/Host rules.

5 Click Add VM/host rule, enter the values for the analytics cluster rule, and click OK.

Setting Value

Name anti-affinity-rule-vropsm

Enable rule Selected

Type Separate Virtual Machines

Members Click Add VM/host rule member, select the analytics cluster nodes, and click OK.
- vrops01svr01a
- vrops01svr01b
- vrops01svr01c

6 Repeat Step 5 for the remote collectors rule.
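A check for the two rules in Table 5-1, added here as an example and not part of the VMware documentation: it reports hosts that run more than one member of a rule, and shows why two rules tolerate a host in maintenance mode where one combined rule would not. The host names, the four-host cluster size, and the function names are assumptions.

```python
from collections import defaultdict

# Rules and members as listed in Table 5-1 on this page.
RULES = {
    "anti-affinity-rule-vropsm": ["vrops01svr01a", "vrops01svr01b", "vrops01svr01c"],
    "anti-affinity-rule-vropsr": ["sfo01vropsc01a", "sfo01vropsc01b"],
}

# Constructed sample: VM -> host, as it would be read from the cluster inventory.
# Host names are made up; vrops01svr01b and vrops01svr01c share a host on purpose.
SAMPLE_PLACEMENT = {
    "vrops01svr01a": "host-1",
    "vrops01svr01b": "host-2",
    "vrops01svr01c": "host-2",
    "sfo01vropsc01a": "host-3",
    "sfo01vropsc01b": "host-4",
}


def violations(rules, placement):
    """Return {rule: {host: [vms]}} for each host running 2+ members of a rule."""
    result = {}
    for rule, members in rules.items():
        by_host = defaultdict(list)
        for vm in members:
            host = placement.get(vm)  # None: VM not placed (for example, powered off)
            if host is not None:
                by_host[host].append(vm)
        shared = {host: sorted(vms) for host, vms in by_host.items() if len(vms) > 1}
        if shared:
            result[rule] = shared
    return result


def satisfiable(rules, host_count, hosts_in_maintenance=0):
    """A Separate Virtual Machines rule needs one usable host per member."""
    usable = host_count - hosts_in_maintenance
    return {rule: len(members) <= usable for rule, members in rules.items()}


if __name__ == "__main__":
    print("violations:", violations(RULES, SAMPLE_PLACEMENT))
    # Assumed cluster size of four hosts, one of them in maintenance mode.
    print("two rules:", satisfiable(RULES, host_count=4, hosts_in_maintenance=1))
    combined = {"single-combined-rule": sum(RULES.values(), [])}
    print("one rule:", satisfiable(combined, host_count=4, hosts_in_maintenance=1))
```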

Create a VM Group and Define the Startup Order of the Analytics Cluster in Region A

VM groups allow you to define the startup order of virtual machines. The startup order you define ensures that vSphere HA powers on virtual machines in the correct order.

Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Client.

Setting Value

URL https://sfo01m01vc01.sfo01.rainpole.local/ui

User name [email protected]

Password vsphere_admin_password

2 In the Hosts and clusters inventory, expand the sfo01m01vc01.sfo01.rainpole.local tree and expand the sfo01-m01dc data center.

3 Select the sfo01-m01-mgmt01 cluster and click the Configure tab.

4 In the left pane, select Configuration > VM/Host groups.

5 Click Add VM/host group and enter these values.

Setting Value

Name vRealize Operations Manager Virtual Appliances

Type VM Group

Members Click Add VM/host group members, select the analytics cluster nodes, and click OK.
- vrops01svr01a
- vrops01svr01b
- vrops01svr01c

6 Click OK.

7 Create a rule to power on the cross-region Workspace ONE Access nodes before the vRealize Operations Manager nodes.

a Select the sfo01-m01-mgmt01 cluster and click the Configure tab.

b In the left pane, select Configuration > VM/Host rules.

c Click Add VM/host rule, enter these values, and click OK.

Setting Value

Name SDDC Cloud Operations

Enable rule Selected

Type Virtual Machines to Virtual Machines

The VM dependency restart condition must be met before continuing to Cross-Region Workspace ONE Access Virtual Appliances

On restart for VM group vRealize Operations Manager Virtual Appliances

Group the Remote Collector Nodes in Region A

Join the remote collectors in a group for adapter resiliency in case a collector experiences a network interruption or becomes unavailable.

Procedure

1 In a Web browser, log in to the vRealize Operations Manager by using the operations interface.

Settings Value

URL https://vrops01svr01.rainpole.local

User name admin

Password vrops_admin_password

2 On the main navigation bar, click Administration.

3 In the left pane, select Management > Collector groups.

4 Click Add, configure these settings, and click Save.

Setting Value

Name sfo01-remote-collectors

Description Remote collector group for sfo01

sfo01vropsc01a Selected

sfo01vropsc01b Selected

Results

In the vRealize Operations Manager user interface, the sfo01-remote-collectors group appears on the Collector groups page of the Administration view.

Configure User Access in vRealize Operations Manager in Region A

To enable enterprise users to log in with the required role-based access controls, you configure the enterprise identity source user groups that are synced in Workspace ONE Access for vRealize Operations Manager.

User Groups Role

[email protected] Administrator

[email protected] ContentAdmin

[email protected] ReadOnly

Procedure

1 In a Web browser, log in to the vRealize Operations Manager by using the operations interface.

Settings Value

URL https://vrops01svr01.rainpole.local

User name admin

Password vrops_admin_password

2 On the main navigation bar, click Administration.

3 In the left pane, select Access > Access control.

4 Click the User groups tab.

5 Click the horizontal ellipsis and click Import.

6 Import the [email protected] user group.

a From the Import from drop-down menu, select WorkspaceONE.

b In the Domain name text box, enter rainpole.local.

c In the Search prefix text box, enter [email protected] and click Search.

d Select [email protected] and click Next.

7 On the Roles and objects page, configure these values, and click Finish.

Setting Value

Select role Administrator

Assign this role to the group Selected

Allow access to all objects in the system Selected

8 To allow access to all objects in the system, in the confirmation dialog box, click Yes.

9 Repeat the steps to import and assign roles to the remaining user groups.

Configure User Access in vSphere for Integration with vRealize Operations Manager in Region A

Configure operations service accounts with the required permissions to enable vRealize Operations Manager access to monitoring data on the vCenter Server instances.

You associate the svc-vrops-solution service accounts in Active Directory with user roles that have certain privileges and you assign the users to the vCenter Server instances in the inventory by using global permissions.

Procedure

1 Define a User Role in vSphere for vCenter Adapters in vRealize Operations Manager in Region A

In vSphere, create a user role with the required privileges to query information from vCenter Server and receive metric data in vRealize Operations Manager. In vRealize Operations Manager, you can also run actions or tasks on the objects it manages in vCenter Server.

2 Define a User Role in vSphere for Storage Devices Adapters in vRealize Operations Manager in Region A

In vSphere, create a user role with privileges that are required for collecting data about storage devices in vRealize Operations Manager.

3 Configure User Privileges in vSphere for Integration with vRealize Operations Manager in Region A

Assign global permissions to the operations service accounts to access monitoring data from vCenter Server in vRealize Operations Manager.

Define a User Role in vSphere for vCenter Adapters in vRealize Operations Manager in Region A

In vSphere, create a user role with the required privileges to query information from vCenter Server and receive metric data in vRealize Operations Manager. In vRealize Operations Manager, you can also run actions or tasks on the objects it manages in vCenter Server.

Add the privileges to the role that are required for typical virtual machine life cycle operations, such as snapshot management and virtual machine resource configuration.

Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Client.

Setting Value

URL https://sfo01m01vc01.sfo01.rainpole.local/ui

User name [email protected]

Password vsphere_admin_password

2 Select Menu > Administration.

3 In the left pane, select Access control > Roles.

4 From the Roles provider drop-down menu, select sfo01m01vc01.sfo01.rainpole.local.

5 Create a role for collecting data from and performing actions on vCenter Server.

a Click the Create role action icon, configure these privileges, and click Next.

Category | Privilege
Virtual machine | Change Configuration.Change CPU count
Virtual machine | Change Configuration.Change resource
Virtual machine | Change Configuration.Change memory
Virtual machine | Edit Inventory.Remove
Virtual machine | Interaction.Power on
Virtual machine | Interaction.Power off
Virtual machine | Snapshot Management.Create snapshot
Virtual machine | Snapshot Management.Remove snapshot
Resource | Assign virtual machine to resource pool
Resource | Migrate powered off virtual machine
Resource | Migrate powered on virtual machine
Datastore | Allocate space

b In the Role name text box, enter vRealize Operations to vSphere Integration (Actions) and click Finish.

This role inherits the System.Anonymous, System.View, and System.Read privileges.

The Management domain vCenter Server in Region A propagates the role to the other linked vCenter Server instances.

Define a User Role in vSphere for Storage Devices Adapters in vRealize Operations Manager in Region A

In vSphere, create a user role with privileges that are required for collecting data about storage devices in vRealize Operations Manager.

Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Client.

Setting Value

URL https://sfo01m01vc01.sfo01.rainpole.local/ui

User name [email protected]

Password vsphere_admin_password

2 Select Menu > Administration.

3 In the left pane, select Access control > Roles.

4 From the Roles provider drop-down menu, select sfo01m01vc01.sfo01.rainpole.local.

5 Create a role for collecting storage device data.

a Click the Create role action icon, configure these privileges, and click Next.

Category | Privilege
Host | CIM.CIM interaction
Host | Configuration.Storage partition configuration
Profile-driven storage | Profile-driven storage view
Storage views | View

b In the Role name text box, enter vRealize Operations to vSphere Integration (Metrics) and click Finish.

This role inherits the System.Anonymous, System.View, and System.Read privileges.

The Management domain vCenter Server in Region A propagates the role to the other linked vCenter Server instances.

Configure User Privileges in vSphere for Integration with vRealize Operations Manager in Region A

Assign global permissions to the operations service accounts to access monitoring data from vCenter Server in vRealize Operations Manager.

- The svc-vrops-vsphere user has the privileges to collect data from and perform actions on vCenter Server from vRealize Operations Manager.

- The svc-vrops-nsx user has read-only access on all objects in vCenter Server.

- The svc-vrops-mpsd and svc-vrops-vsan users have privileges for access to storage device and vSAN information, respectively, in vRealize Operations Manager on all objects in vCenter Server.

You assign global permissions that are based on the following roles to these service accounts:

Service Account Role

[email protected] vRealize Operations to vSphere Integration (Actions)

[email protected] Read-only

[email protected] vRealize Operations to vSphere Integration (Metrics)

[email protected] vRealize Operations to vSphere Integration (Metrics)

Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Client.

Setting Value

URL https://sfo01m01vc01.sfo01.rainpole.local/ui

User name [email protected]

Password vsphere_admin_password

2 Select Menu > Administration.

3 In the left pane, select Access control > Global permissions.

4 Click the Add permission icon, enter these values, and click OK.

Setting Value

Domain rainpole.local

User / Group svc-vrops-vsphere

Role vRealize Operations to vSphere Integration (Actions)

Propagate to children Selected

5 Repeat the steps to assign global permissions to the remaining service accounts.
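A drift check for the two custom roles and the global permissions defined in the procedures above, added here as an example and not part of the VMware documentation. The baseline uses the privilege labels and the account-to-role mapping from this page; the observed export, the function names, and the finding labels are constructed for illustration, and collecting the live roles from vCenter Server is left out.

```python
ACTIONS = "vRealize Operations to vSphere Integration (Actions)"
METRICS = "vRealize Operations to vSphere Integration (Metrics)"


def flatten(table):
    """Turn {category: [privilege, ...]} into a set of 'category: privilege' labels."""
    return {f"{cat}: {priv}" for cat, privs in table.items() for priv in privs}


# Baseline: privilege labels exactly as listed in the two role tables on this page.
BASELINE_ROLES = {
    ACTIONS: flatten({
        "Virtual machine": [
            "Change Configuration.Change CPU count",
            "Change Configuration.Change resource",
            "Change Configuration.Change memory",
            "Edit Inventory.Remove",
            "Interaction.Power on",
            "Interaction.Power off",
            "Snapshot Management.Create snapshot",
            "Snapshot Management.Remove snapshot",
        ],
        "Resource": [
            "Assign virtual machine to resource pool",
            "Migrate powered off virtual machine",
            "Migrate powered on virtual machine",
        ],
        "Datastore": ["Allocate space"],
    }),
    METRICS: flatten({
        "Host": ["CIM.CIM interaction", "Configuration.Storage partition configuration"],
        "Profile-driven storage": ["Profile-driven storage view"],
        "Storage views": ["View"],
    }),
}

# Baseline: global permission per service account, following the bullets above.
BASELINE_BINDINGS = {
    "svc-vrops-vsphere": ACTIONS,
    "svc-vrops-nsx": "Read-only",
    "svc-vrops-mpsd": METRICS,
    "svc-vrops-vsan": METRICS,
}

# Constructed sample of what an export from vCenter Server might look like after
# drift: one privilege added, one removed, one account re-bound, one extra account.
SAMPLE_ROLES = {
    ACTIONS: BASELINE_ROLES[ACTIONS] | {"Virtual machine: Interaction.Console interaction"},
    METRICS: BASELINE_ROLES[METRICS] - {"Storage views: View"},
}
SAMPLE_BINDINGS = {
    "svc-vrops-vsphere": ACTIONS,
    "svc-vrops-nsx": "Administrator",
    "svc-vrops-mpsd": METRICS,
    "svc-vrops-vsan": METRICS,
    "svc-vrops-test": "Read-only",
}


def audit(observed_roles, observed_bindings):
    """Compare observed roles and bindings to the baseline; return (kind, subject, detail)."""
    findings = []
    for role, expected in BASELINE_ROLES.items():
        actual = observed_roles.get(role)
        if actual is None:
            findings.append(("role-missing", role, ""))
            continue
        actual = set(actual)
        for priv in sorted(actual - expected):   # more than the page grants
            findings.append(("extra-privilege", role, priv))
        for priv in sorted(expected - actual):   # collection or actions may fail
            findings.append(("missing-privilege", role, priv))
    for account, expected_role in BASELINE_BINDINGS.items():
        actual_role = observed_bindings.get(account)
        if actual_role is None:
            findings.append(("binding-missing", account, expected_role))
        elif actual_role != expected_role:
            findings.append(("wrong-role", account, actual_role))
    # Service accounts with the same prefix that the page never defines.
    for account in sorted(set(observed_bindings) - set(BASELINE_BINDINGS)):
        if account.startswith("svc-vrops-"):
            findings.append(("unexpected-account", account, observed_bindings[account]))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_ROLES, SAMPLE_BINDINGS):
        print(finding)
```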

Add vCenter Server Cloud Accounts to vRealize Operations Manager in Region A

After you deploy the analytics cluster and the remote collector nodes of vRealize Operations Manager and start vRealize Operations Manager, create a vCenter Server cloud account for each vCenter Server instance in the region.

Procedure

1 In a Web browser, log in to the vRealize Operations Manager by using the operations interface.

Settings Value

URL https://vrops01svr01.rainpole.local

User name admin

Password vrops_admin_password

2 On the main navigation bar, click Administration.

3 In the left pane, select Solutions > Cloud accounts.

4 Click Add account, and click vCenter.

5 Enter the values for the Management domain vCenter Server.

Setting Value

Name vCenter Cloud Account - sfo01m01vc01

Description Management domain vCenter Server for sfo01

vCenter Server sfo01m01vc01.sfo01.rainpole.local

Credential Click the Add new icon, enter the following values, and click OK.

Credential name vCenter Cloud Account Credentials - sfo01m01vc01

User name [email protected]

Password svc-vrops-vsphere_password

Collector/Group sfo01-remote-collectors

6 Click Validate connection.

The vCenter Server certificate appears.

7 In the Review and accept certificate dialog box, verify the certificate information, and click Accept.

8 In the Info dialog box, click OK.

9 Leave the Operational actions set to Enable so that vCenter Adapter can run actions on objects in vCenter Server from vRealize Operations Manager.

10 Expand Advanced settings and configure the user account with administrator privileges to register vRealize Operations Manager with the vCenter Server instance.

Setting Value

Registration user [email protected]

Registration password vsphere_admin-password

11 Click Define monitoring goals.

12 Under Enable vSphere security configuration guide alerts?, select Yes, leave the default configuration for the other options, and click Save.

13 In the Success dialog box, click OK.

14 Click Add.

15 On the Cloud accounts page, verify that the collection status of the cloud account is OK.

16 Repeat the procedure for the Workload domain vCenter Server by using these values.

Setting Value

Name vCenter Cloud Account - sfo01w01vc01

Description Workload domain vCenter Server for sfo01

vCenter Server sfo01w01vc01.sfo01.rainpole.local

Credential Click the Add new icon, enter the following values, and click OK.

Credential name vCenter Cloud Account Credentials - sfo01w01vc01

User name [email protected]

Password svc-vrops-vsphere_password

Collector/Group sfo01-remote-collectors

17 If there are other workload domains that are added to the SDDC, repeat the procedure for each additional Workload domain vCenter Server.

Enable vSAN Monitoring in vRealize Operations Manager in Region A

Configure the vSAN adapter to collect monitoring data about vSAN usage in the SDDC.

Procedure

1 In a Web browser, log in to the vRealize Operations Manager by using the operations interface.

Settings Value

URL https://vrops01svr01.rainpole.local

User name admin

Password vrops_admin_password

2 On the main navigation bar, click Administration.

3 In the left pane, select Solutions > Cloud accounts.

4 Click the cloud account for the Management domain vCenter Server, vCenter Cloud Account - sfo01m01vc01.

5 Click the vSAN tab and turn on the vSAN Configuration toggle switch.

6 Select the Use alternate credentials check box.

7 To configure the credential, click the Add new icon, enter these values, and click OK.

Setting Value

Credential name vSAN Adapter Credentials - sfo01m01vc01

vCenter user name [email protected]

vCenter password svc-vrops-vsan_password

8 Click Validate connection.

9 In the Info dialog box, click OK.

10 Click Save.

11 On the Cloud accounts page, verify that the collection status of the cloud account is OK.

12 If you have a vSAN datastore configured in the Workload domain, repeat this procedure by clicking the vCenter Cloud Account - sfo01w01vc01 cloud account and adding the following credential.

Setting Value

Credential name vSAN Adapter Credentials - sfo01w01vc01

vCenter user name [email protected]

vCenter password svc-vrops-vsan_password

Connect vRealize Operations Manager to NSX Data Center for vSphere in Region A

Install and configure the vRealize Operations Management Pack for NSX for vSphere to monitor the NSX networking services deployed in the management domain and view the vSphere hosts in the NSX transport zones.

Install the vRealize Operations Manager Management Pack for NSX for vSphere in Region A

Install the .pak file of the management pack for NSX for vSphere to add the management pack as a solution to vRealize Operations Manager.

Procedure

1 In a Web browser, log in to the vRealize Operations Manager by using the operations interface.

Settings Value

URL https://vrops01svr01.rainpole.local

User name admin

Password vrops_admin_password

2 On the main navigation bar, click Administration.

3 In the left pane, select Solutions > Repository.

4 Under the Native management packs list, click Add/Upgrade.

5 On the Select a solution to install page, navigate to the .pak file of the vRealize Operations Manager Management Pack for NSX for vSphere and click Upload.

When the management pack file for NSX-vSphere is uploaded, you see details about the management pack.

6 When the upload finishes, click Next.

7 On the End user license agreement page, accept the license agreement and click Next.

The installation of the management pack starts. You see the progress on the Install solution page.

8 When the installation finishes, on the Install solution page, click Finish.

Results

The Management Pack for NSX-vSphere solution appears on the Repository page in the Other management packs list.

Configure User Privileges in NSX Manager for Integration with vRealize Operations Manager in Region A

Assign the service account svc-vrops-nsx the permissions that are required to access monitoring data from the NSX Manager instance for the management domain in vRealize Operations Manager.

Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Client.

Setting Value

URL https://sfo01m01vc01.sfo01.rainpole.local/ui

User name [email protected]

Password vsphere_admin_password

2 In the VMs and templates inventory, expand the sfo01m01vc01.sfo01.rainpole.local tree and expand the sfo01-m01dc data center.

3 Expand the Management VMs folder, right-click the NSX Manager virtual machine, sfo01m01nsx01, and select Open remote console.

4 At the command prompt, log in by using the following credentials.

Setting Value

User name admin

Password nsx_admin_password

5 Create the svc-vrops-nsx local service account on the NSX Manager instance.

a Run the command to switch to Privileged mode of NSX Manager.

enable

b When prompted, enter the admin password and press Enter.

c Switch to Configuration mode.

configure terminal

d Create the svc-vrops-nsx service account.

user svc-vrops-nsx password plaintext svc-vrops-nsx_password

e Assign the svc-vrops-nsx service account user access to NSX Manager from the vSphere Web Client.

user svc-vrops-nsx privilege web-interface

f Commit these updates to the NSX Manager.

write memory

g Exit Configuration mode.

exit

6 Assign the security_admin role to the svc-vrops-nsx service account.

a Log in to the host machine that has access to your data center.

b Run the Postman application and log in.

c In the request pane, provide the URL query for the Management domain NSX Manager.

Setting Value

HTTP request method POST

Request URL https://sfo01m01nsx01.sfo01.rainpole.local/api/2.0/services/usermgmt/role/svc-vrops-nsx?isCli=true

d On the Authorization tab, enter the authorization details.

Setting Value

Type Basic Auth

User name admin

Password nsx_admin_password

e On the Headers tab, enter the header details.

Setting Value

Key Content-Type

Key value text/xml

f On the Body tab, select the Raw radio-button, and from the Text drop-down menu, select XML (Application/XML).

g In the Body text box, enter the following request body and click Send.

<accessControlEntry>
  <role>security_admin</role>
  <resource>
    <resourceId>globalroot-0</resourceId>
  </resource>
</accessControlEntry>

The Status changes to 204 No Content.

7 If there are workload domains with NSX Data Center for vSphere that are added to the SDDC, repeat the procedure for each Workload domain NSX Manager.
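
The role assignment from step 6, scripted so that it can be repeated for each NSX Manager in step 7. This is an added example, not part of the VMware procedure; the function names and the rainpole-ca.pem CA bundle path are assumptions. The password is prompted for rather than stored, and the NSX Manager certificate is verified.

```python
"""Scripted form of the Postman request in step 6 (added example)."""
import base64
import getpass
import ssl
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

NSX_MANAGER = "sfo01m01nsx01.sfo01.rainpole.local"  # value from the procedure
SERVICE_ACCOUNT = "svc-vrops-nsx"                    # value from the procedure


def build_role_request(nsx_host, user_id, role, admin_user, admin_password,
                       resource_id="globalroot-0"):
    """Build the POST request that step 6 sends from Postman."""
    # Body: <accessControlEntry><role/><resource><resourceId/></resource></...>
    entry = ET.Element("accessControlEntry")
    ET.SubElement(entry, "role").text = role
    resource = ET.SubElement(entry, "resource")
    ET.SubElement(resource, "resourceId").text = resource_id
    body = ET.tostring(entry)  # bytes, text content escaped by ElementTree

    # Percent-encode the account name so it cannot alter the path or query.
    url = "https://{}/api/2.0/services/usermgmt/role/{}?isCli=true".format(
        nsx_host, urllib.parse.quote(user_id, safe=""))

    # Basic Auth, as set on the Postman Authorization tab.
    pair = "{}:{}".format(admin_user, admin_password).encode("utf-8")
    token = base64.b64encode(pair).decode("ascii")

    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "text/xml",
                 "Authorization": "Basic " + token})


def assign_role(request, ca_file=None):
    """Send the request; True only for the 204 No Content the page expects."""
    # The default context verifies the certificate chain and the host name.
    context = ssl.create_default_context(cafile=ca_file)
    try:
        with urllib.request.urlopen(request, context=context,
                                    timeout=30) as response:
            return response.status == 204
    except urllib.error.HTTPError as err:
        # Report the status only; the request object carries the credentials.
        print("NSX Manager rejected the request: HTTP {}".format(err.code))
        return False


if __name__ == "__main__":
    password = getpass.getpass("NSX Manager admin password: ")
    req = build_role_request(NSX_MANAGER, SERVICE_ACCOUNT, "security_admin",
                             "admin", password)
    # Assumption: rainpole-ca.pem holds the CA that signed the NSX Manager
    # certificate; pass None to use the system trust store instead.
    ok = assign_role(req, ca_file="rainpole-ca.pem")
    print("security_admin assigned" if ok else "role was NOT assigned")
```
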

Enable NSX Data Center for vSphere Monitoring in vRealize Operations Manager in Region A

After you install the management pack and assign the permissions, configure an NSX-vSphere adapter for the NSX Manager instance for the management domain.

Procedure

1 In a Web browser, log in to the vRealize Operations Manager by using the operations interface.

Settings Value

URL https://vrops01svr01.rainpole.local

User name admin

Password vrops_admin_password

2 On the main navigation bar, click Administration.

3 In the left pane, select Solutions > Other accounts.

4 Click Add account and click NSX-vSphere adapter.

5 Enter the values for the NSX Manager instance for the management domain.

Setting Value

Name NSX-v Adapter - sfo01m01nsx01

Description Management Domain NSX-v Adapter for sfo01

NSX Manager host sfo01m01nsx01.sfo01.rainpole.local

VC host sfo01m01vc01.sfo01.rainpole.local

Enable Log Insight integration if configured false

Credential Click the Add new icon, enter the following values, and click OK.

Credential name NSX-v Adapter Credentials - sfo01m01nsx01

NSX Manager user name svc-vrops-nsx

NSX Manager password svc-vrops-nsx_password

vCenter user name [email protected]

vCenter password svc-vrops-nsx_password

Collector/Group sfo01-remote-collectors

6 Click Validate connection.

7 In the Info dialog box, click OK.

8 Click Add.

9 On the Other accounts page, verify that the collection status of the adapter is OK.

10 If there are workload domains with NSX Data Center for vSphere that are added to the SDDC, repeat the procedure for each Workload domain NSX Manager.

Enable NSX-T Data Center Monitoring in vRealize Operations Manager in Region A

Configure the vRealize Operations Management Pack for NSX-T to monitor the NSX-T networking services deployed in the workload domain and view the vSphere hosts in the NSX-T transport zones.

Procedure

1 In a Web browser, log in to the vRealize Operations Manager by using the operations interface.

Settings Value

URL https://vrops01svr01.rainpole.local

User name admin

Password vrops_admin_password

2 On the main navigation bar, click Administration.

3 In the left pane, select Solutions > Other accounts.

4 Click Add account and click NSX-T adapter.

5 Enter the values for the Workload domain NSX-T Manager.

Setting Value

Name NSX-T Adapter - sfo01w01nsx01

Description Workload Domain NSX-T Adapter for sfo01

Virtual IP / NSX-T Manager sfo01w01nsx01.sfo01.rainpole.local

Credential Click the Add new icon, enter the following values, and click OK.

Credential name NSX-T Adapter Credentials - sfo01w01nsx01

User name admin

Password nsx-t_admin_password

Collector/Group sfo01-remote-collectors

6 Click Validate connection.

7 In the Info dialog box, click OK.

8 Click Add.

9 On the Other accounts page, verify that the collection status of the adapter is OK.

10 If there are other workload domains with NSX-T Data Center that are added to the SDDC, repeat the procedure for each Workload domain NSX-T Manager.

Enable Storage Device Monitoring in vRealize Operations Manager in Region A

Install and configure the vRealize Operations Management Pack for Storage Devices to view the storage topology in the SDDC and to monitor the capacity and problems on storage components.

Procedure

1 Install the vRealize Operations Manager Management Pack for Storage Devices in Region A

Install the .pak file of the management pack for storage devices to add the management pack as a solution to vRealize Operations Manager.

2 Add Storage Devices Adapters in vRealize Operations Manager in Region A

After you install the management pack, configure a storage devices adapter to collect monitoring data about the storage devices in the SDDC. Each adapter communicates with a vCenter Server instance to retrieve data about the storage devices from the vCenter Server inventory.

Install the vRealize Operations Manager Management Pack for Storage Devices in Region A

Install the .pak file of the management pack for storage devices to add the management pack as a solution to vRealize Operations Manager.

Procedure

1 In a Web browser, log in to the vRealize Operations Manager by using the operations interface.

Settings Value

URL https://vrops01svr01.rainpole.local

User name admin

Password vrops_admin_password

2 On the main navigation bar, click Administration.

3 In the left pane, select Solutions > Repository.

4 Under the Native management packs list, click Add/Upgrade.

5 On the Select a solution to install page, navigate to the .pak file of the vRealize Operations Manager Management Pack for Storage Devices and click Upload.

When the Storage Devices management pack file is uploaded, you see details about the management pack.

6 When the upload finishes, click Next.

7 On the End user license agreement page, accept the license agreement and click Next.

The installation of the management pack starts. You see the progress on the Install solution page.

8 When the installation finishes, on the Install solution page, click Finish.

Results

The Management pack for storage devices solution appears on the Repository page in the Other management packs list.

Add Storage Devices Adapters in vRealize Operations Manager in Region A

After you install the management pack, configure a storage devices adapter to collect monitoring data about the storage devices in the SDDC. Each adapter communicates with a vCenter Server instance to retrieve data about the storage devices from the vCenter Server inventory.

Procedure

1 In a Web browser, log in to the vRealize Operations Manager by using the operations interface.

Settings Value

URL https://vrops01svr01.rainpole.local

User name admin

Password vrops_admin_password

2 On the main navigation bar, click Administration.

3 In the left pane, select Solutions > Other accounts.

4 Click Add account and click Physical storage devices adapter.

5 Enter the values for the connection to the Management domain vCenter Server.

Setting Value

Name Storage Devices Adapter - sfo01m01vc01

Description Storage Devices in Management Domain vCenter for sfo01

vCenter Server sfo01m01vc01.sfo01.rainpole.local

Credential Click the Add new icon, enter the following values, and click OK.

Credential name Storage Devices Credentials - sfo01m01vc01

vCenter user name [email protected]

vCenter password svc-vrops-mpsd_password

Collector/Group sfo01-remote-collectors

6 Click Validate connection.

The vCenter Server certificate appears.

7 In the Review and accept certificate dialog box, verify the vCenter Server certificate information, and click Accept.

8 In the Info dialog box, click OK.

9 Click Add.

10 On the Other accounts page, verify that the collection status of the account is OK.

11 Repeat this procedure for the Workload domain vCenter Server by entering these values.

Setting Value

Name Storage Devices Adapter - sfo01w01vc01

Description Storage Devices in Workload Domain vCenter for sfo01

vCenter Server sfo01w01vc01.sfo01.rainpole.local

Credential Click the Add new icon, enter the following values, and click OK.

Credential name Storage Devices Credentials - sfo01w01vc01

vCenter user name [email protected]

vCenter password svc-vrops-mpsd_password

Collector/Group sfo01-remote-collectors

12 If there are other workload domains that are added to the SDDC, repeat the procedure for each additional Workload domain vCenter Server.

Connect vRealize Operations Manager to the Workspace ONE Access Instances in Region A

Install and configure the vRealize Operations Management Pack for VMware Identity Manager to monitor Workspace ONE Access cluster nodes, certificates, storage space, database connections, RabbitMQ, and other resource kinds.

Procedure

1 Install the vRealize Operations Manager Management Pack for VMware Identity Manager in Region A

Install the .pak file of the management pack for VMware Identity Manager to add the management pack as a solution to vRealize Operations Manager.

2 Add VMware Identity Manager Adapter Instances to vRealize Operations Manager in Region A

After you install the management pack, configure a VMware Identity Manager Adapter for the region-specific and the cross-region Workspace ONE Access deployments.

Install the vRealize Operations Manager Management Pack for VMware Identity Manager in Region A

Install the .pak file of the management pack for VMware Identity Manager to add the management pack as a solution to vRealize Operations Manager.

Procedure

1 In a Web browser, log in to the vRealize Operations Manager by using the operations interface.

Settings Value

URL https://vrops01svr01.rainpole.local

User name admin

Password vrops_admin_password

2 On the main navigation bar, click Administration.

3 In the left pane, select Solutions > Repository.

4 Under the Native management packs list, click Add/Upgrade.

5 On the Select a solution to install page, navigate to the .pak file of the vRealize Operations Manager Management Pack for VMware Identity Manager and click Upload.

When the VMware Identity Manager management pack file is uploaded, you see details about the management pack.

6 When the upload finishes, click Next.

7 On the End user license agreement page, accept the license agreement and click Next.

The installation of the management pack starts. You see its progress on the Install solution page.

8 When the installation finishes, on the Install solution page, click Finish.

Results

The VMware identity manager management pack solution appears on the Repository page in the Other management packs list.

Add VMware Identity Manager Adapter Instances to vRealize Operations Manager in Region A

After you install the management pack, configure a VMware Identity Manager Adapter for the region-specific and the cross-region Workspace ONE Access deployments.

Procedure

1 In a Web browser, log in to the vRealize Operations Manager by using the operations interface.

Settings Value

URL https://vrops01svr01.rainpole.local

User name admin

Password vrops_admin_password

2 On the main navigation bar, click Administration.

3 In the left pane, select Solutions > Other accounts.

4 Click Add account and click VMware identity manager adapter.

5 Enter the values for the region-specific Workspace ONE Access instance.

Setting Value

Name Region-specific WSA Adapter - sfo01wsa01

Description WSA Adapter for sfo01

VIDM host sfo01wsa01.sfo01.rainpole.local

Credential Click the Add new icon, enter the following values, and click OK.

Credential name Region-specific WSA Adapter Credentials - sfo01wsa01

User name admin

Password sfo01wsa01_admin_password

Collector/Group sfo01-remote-collectors

6 Click Validate connection.

7 In the Info dialog box, click OK.

8 Click Add.

9 On the Other accounts page, verify that the collection status of the adapter is OK.

10 Repeat this procedure to create an adapter for the cross-region Workspace ONE Access deployment by using these values.

Setting Value

Name X-region WSA Adapter - wsa01svr01

Description WSA Adapter for X-Region

VIDM host wsa01svr01.rainpole.local

Credential Click the Add new icon, enter the following values, and click OK.

Credential name X-Region WSA Adapter Credentials - wsa01svr01

User name admin

Password wsa01svr01_admin_password

Collector/Group Default collector group

Set the Currency for Cost Calculation in vRealize Operations Manager

Set the currency used for cost calculations in vRealize Operations Manager.

Procedure

1 In a Web browser, log in to the vRealize Operations Manager by using the operations interface.

Settings Value

URL https://vrops01svr01.rainpole.local

User name admin

Password vrops_admin_password

2 On the main navigation bar, click Administration.

3 In the left pane, select Management > Global settings.

4 Set the currency for cost calculation.

a Select Currency and click the Edit icon.

b On the Set currency dialog box, select the target currency.

c At the bottom of the Set currency dialog box, select the I understand that once my currency is set it can NOT be changed again for this installation check box and click Set currency.

d In the Info dialog box, click OK.

Configure Email Alerts in vRealize Operations Manager in Region A

Configure email notifications in vRealize Operations Manager so that users and applications receive the administrative alerts from vRealize Operations Manager about certain situations in the data center.

Procedure

1 In a Web browser, log in to the vRealize Operations Manager by using the operations interface.

Settings Value

URL https://vrops01svr01.rainpole.local

User name admin

Password vrops_admin_password

2 On the main navigation bar, click Administration.

3 In the left pane, select Management > Outbound settings.

4 Click Add to create an outbound alert instance.

5 In the Add/Edit outbound instance dialog box, configure the settings for the Standard Email Plug-In.

Setting Value

Plugin type Standard Email Plugin

Instance name Alert Mail Relay

Use secure connection Selected

SMTP host FQDN_of_the_SMTP_server

SMTP port Server_port_for_SMTP_requests

Secure connection type TLS

Sender email address Address_that_appears_as_the_sender_of_the_email

Sender name Name_that_appears_as_the_sender_of_the_email

Receiver email address Address_that_appears_as_the_receiver_of_the_email

This address is used for testing purposes only and is not kept after the configuration.

6 Click Test to verify the connection with the SMTP server and click OK.

7 Click Save.

vRealize Log Insight Implementation in Region A

Deploy vRealize Log Insight in a cluster configuration of three nodes. This configuration is set up with an integrated load balancer and uses one primary and two worker nodes.

Procedure

1 Deploy vRealize Log Insight in Region A

Start the deployment of vRealize Log Insight in Region A by deploying the primary and worker nodes and forming the vRealize Log Insight cluster.

2 Integrate vRealize Log Insight with the Region-Specific Workspace ONE Access in Region A

To propagate user roles in vRealize Log Insight that are maintained centrally and are in line with the other solutions in the SDDC, configure vRealize Log Insight to use the region-specific Workspace ONE Access instance as an authentication source.

3 Connect vRealize Log Insight to the vSphere Environment in Region A

Start collecting log information about the ESXi and vCenter Server instances in the SDDC.

4 Connect vRealize Log Insight to vRealize Operations Manager in Region A

Connect vRealize Log Insight to vRealize Operations Manager so that you can use the Launch in Context functionality between the two applications to troubleshoot management nodes and vRealize Operations Manager by using dashboards and alerts in the vRealize Log Insight user interface.

5 Connect vRealize Log Insight to NSX Data Center for vSphere in Region A

Install and configure the vRealize Log Insight content pack for log visualization and alerting of the NSX Data Center for vSphere real-time operation. You can use the NSX-vSphere dashboards to monitor logs about installation and configuration, and about virtual networking services in the management and workload domains.

6 Connect vRealize Log Insight to NSX-T Data Center in Region A

If you deployed NSX-T Data Center in the workload domain, you connect vRealize Log Insight to the NSX-T Data Center components to start collecting log information.

7 Download the vRealize Log Insight Agent

You download the vRealize Log Insight agent so that you can later install it on the Workspace ONE Access nodes.

8 Install and Configure the vRealize Log Insight Agent on the Workspace ONE Access Nodes

Install and configure the vRealize Log Insight agent on each Workspace ONE Access node to send audit logs and system events to vRealize Log Insight.

9 Configure Log Forwarding for vRealize Suite Lifecycle Manager in Region A

You configure vRealize Suite Lifecycle Manager to forward logs to vRealize Log Insight.

10 Validate Log Forwarding for SDDC Manager in Region A

The VMware Cloud Foundation 3.10 bring-up process installs and configures the vRealize Log Insight agent in the SDDC Manager appliance. Validate that the vRealize Log Insight agent in the SDDC Manager appliance is configured to forward logs to the newly deployed vRealize Suite 2019 vRealize Log Insight.

11 Collect Operating System Logs from the Management Virtual Appliances in vRealize Log Insight in Region A

To visualize and analyze operating system logs from the management virtual appliances, you install and configure the vRealize Log Insight content packs for Linux. For the Workspace ONE Access appliance, you install and configure the general content pack for Linux. For the remaining management appliances, you install and configure the content pack that is designed for Photon OS.

12 Configure Log Retention and Archiving for vRealize Log Insight in Region A

Set the retention notification threshold to one week. Enable data archiving, so that you can manually archive logs for 90 days and selectively clean the datastore when free space is required.

Deploy vRealize Log Insight in Region A

Start the deployment of vRealize Log Insight in Region A by deploying the primary and worker nodes and forming the vRealize Log Insight cluster.

Procedure

1 Prerequisites for Deploying vRealize Log Insight in Region A

Before you use vRealize Suite Lifecycle Manager to deploy vRealize Log Insight, verify that your environment fulfills the requirements for this deployment.

2 Add the vRealize Log Insight Multi-SAN Certificate to vRealize Suite Lifecycle Manager

To enable vRealize Suite Lifecycle Manager to deploy vRealize Log Insight, you must first add the vRealize Log Insight SSL certificate to the vRealize Suite Lifecycle Manager Locker.

3 Add the vRealize Log Insight Password to vRealize Suite Lifecycle Manager

To enable vRealize Suite Lifecycle Manager to deploy vRealize Log Insight, you must add the vRealize Log Insight password to the vRealize Suite Lifecycle Manager Locker.

4 Deploy vRealize Log Insight Using vRealize Suite Lifecycle Manager in Region A

You first create a local environment in vRealize Suite Lifecycle Manager, then you deploy vRealize Log Insight by using vRealize Suite Lifecycle Manager.

5 Configure a vSphere DRS Anti-Affinity Rule for vRealize Log Insight

To protect the vRealize Log Insight virtual machines from a host-level failure, configure vSphere DRS to run the virtual machines on different hosts in the first cluster in the management domain.

6 Create a VM Group and Define the Startup Order of the vRealize Log Insight Cluster in Region A

VM groups allow you to define the startup order of virtual machines. The startup order you define ensures that vSphere HA powers on virtual machines in the correct order.

7 Configure SMTP for vRealize Log Insight in Region A

After the vRealize Log Insight cluster is successfully deployed, you configure the SMTP setting by using the vRealize Log Insight user interface.

8 Disable the SSL Connection Requirement in vRealize Log Insight in Region A

The syslog clients communicate by using the TCP protocol, therefore you must disable the SSL connection requirement in vRealize Log Insight.

Prerequisites for Deploying vRealize Log Insight in Region A

Before you use vRealize Suite Lifecycle Manager to deploy vRealize Log Insight, verify that your environment fulfills the requirements for this deployment.

Verify that your environment satisfies the following prerequisites for deploying vRealize Log Insight.

Prerequisite Value

Storage
- Virtual disk provisioning: Thin
- Required initial storage per node: 510 GB
- Required initial cluster storage for archiving: 400 GB
- Verify the following NFS datastore requirements:
  - Create an NFS share of 400 GB and export it as /sfo01vrli01_archive
  - Verify that the NFS server supports NFS v3.
  - Verify that the NFS partition allows read and write operations for guest accounts.
  - Verify that the mount does not require authentication.
  - Verify that the NFS share is directly accessible to vRealize Log Insight.
  - If using a Windows NFS server, allow unmapped user UNIX access (by UID/GID).

Software Features
- Verify that the vCenter Server instances are operational.
- Verify that the vSphere cluster has DRS and HA enabled.
- Verify that the NSX Manager is operational.
- Verify that vRealize Operations Manager is operational.
- Verify that the application virtual networks are available.
- Verify that the Postman application is installed.
- Verify that vRealize Suite Lifecycle Manager is operational and data collection from the Management vCenter Server instance has run successfully.
- Verify that static IP addresses and FQDNs for the application virtual networks are available for the vRealize Log Insight deployment. See Host Names and IP Addresses for vRealize Suite 2019 and Workspace ONE Access.

License
- Verify that you have obtained a vRealize Suite or vCloud Suite license with a quantity that fulfills the requirements of this design.

Workspace ONE Access
- Verify that required Active Directory users are synchronized to the region-specific Workspace ONE Access. See Active Directory User Accounts.
- Verify that required Active Directory security groups are synchronized to the region-specific Workspace ONE Access. See Active Directory Groups.

Active Directory
- Verify that you have parent and child Active Directory domain controllers configured with the role-specific SDDC users and groups for the rainpole.local domain.

Certificate Authority
- Verify that you have a valid SSL certificate. You can generate the certificate using the CertGenVVD utility. See Certificate Generation Utility for VMware Validated Design for Software-Defined Data Center 6.x (78246).

Email account
- Provide an email account to send vRealize Log Insight notifications.

Add the vRealize Log Insight Multi-SAN Certificate to vRealize Suite Lifecycle Manager

To enable vRealize Suite Lifecycle Manager to deploy vRealize Log Insight, you must first add the vRealize Log Insight SSL certificate to the vRealize Suite Lifecycle Manager Locker.

Procedure

1 In a Web browser, log in to vRealize Suite Lifecycle Manager by using the administration interface.

Setting Value

URL https://vrslcm01svr01.rainpole.local

User name admin@local

Password vrslcm_admin_password

2 On the My services page, click Locker.

3 On the Certificate page, click Import, enter these values, and click Import.

Setting Value

Name sfo01vrli01-certificate

Pass phrase PEM_pass_phrase

Select certificate file Navigate to the vRealize Log Insight certificate PEM file, sfo01vrli01.2.chain.pem.

Add the vRealize Log Insight Password to vRealize Suite Lifecycle Manager

To enable vRealize Suite Lifecycle Manager to deploy vRealize Log Insight, you must add the vRealize Log Insight password to the vRealize Suite Lifecycle Manager Locker.

You add the password of the admin user to be used for deploying the vRealize Log Insight components in Region A.

Procedure

1 In a Web browser, log in to vRealize Suite Lifecycle Manager by using the administration interface.

Setting Value

URL https://vrslcm01svr01.rainpole.local

User name admin@local

Password vrslcm_admin_password

2 On the My services page, click Locker.

3 In the navigation, click Password.

4 On the Password page, click Add, enter these values, and click Add.

Setting Value

Password alias sfo01vrli01-admin

Password sfo01vrli01-admin_password

Confirm password sfo01vrli01-admin_password

Password description Log Insight Region A admin user

User name admin

Deploy vRealize Log Insight Using vRealize Suite Lifecycle Manager in Region A

You first create a local environment in vRealize Suite Lifecycle Manager, then you deploy vRealize Log Insight by using vRealize Suite Lifecycle Manager.

Procedure

1 In a Web browser, log in to vRealize Suite Lifecycle Manager by using the administration interface.

Setting Value

URL https://vrslcm01svr01.rainpole.local

User name admin@local

Password vrslcm_admin_password

2 On the My services page, click Lifecycle operations.

3 On the Dashboard page, click Create environment, enter these values, and click Next.

Setting Value

Environment name SFO-Region-Env

Administrator email sfo-vrli-admin_email

Default password Click Select default password and select the vRealize Log Insight password, sfo01vrli01-admin.

Select Datacenter sfo01-m01dc

Join the VMware customer experience improvement program Selected

4 On the Select Product page, select the check box for vRealize Log Insight, configure these values, and click Next.

Setting Value

Installation type New Install

Version 8.1.1

Deployment type Cluster

5 On the End user license agreement page, read the EULA, select the I agree to the terms and conditions check box, and click Next.

6 On the License page, add or select the vRealize Suite license.

n To select a license by using the My VMware product entitlement, click Select, select the license, and click Update.

n To add the license manually, click Add, enter the vRealize Suite or vCloud Suite License alias and key, click Validate, and then click Add.

7 To validate the license, click Validate association and click Next.

8 On the Certificate page, from the Select certificate drop-down menu, select the vRealize Log Insight certificate and click Next.

9 On the Infrastructure page, enter these values, and click Next.

Setting Value

Select vCenter Server sfo01m01vc01.sfo01.rainpole.local

Select cluster sfo01-m01dc#sfo01-m01-mgmt01

Select folder sfo01-m01fd-vrli

Select resource pool sfo01-m01-sddc-mgmt

Select network Distributed port group that ends with Mgmt-RegionA01-VXLAN.

Select datastore sfo01-m01-vsan01

Select disk mode Thin

Integrate with Identity Manager Deselected

Use content library Deselected

10 On the Network page, enter these values and click Next.

Setting Value

Default gateway 192.168.31.1

Netmask 255.255.255.0

Domain name sfo01.rainpole.local

Domain search path sfo01.rainpole.local,rainpole.local

DNS servers Click Edit server selection, select 172.16.11.5 and 172.16.11.4, and click Next. Change the server priority and click Finish.

Time sync mode Use NTP Server

NTP servers Click Edit server selection, select ntp.sfo01.rainpole.local, click Next and Finish.

11 In the Product properties panel, enter these values, leaving the other settings to their default values.

Setting Value

Node size Medium

Certificate sfo01vrli01-certificate

Configure cluster VIP Yes

Anti-affinity / affinity rule Deselected

Upgrade VM compatibility Deselected

Always use English Deselected

Product password sfo01vrli01-admin

Integrate with Identity Manager Deselected

Time sync mode Use NTP server

12 In the Cluster virtual IP panel, enter these values.

Option Value

FQDN sfo01vrli01.sfo01.rainpole.local

IP Address 192.168.31.10

13 In the vrli-master panel, enter the values for the primary node.

Setting Value

VM Name sfo01vrli01a

FQDN sfo01vrli01a.sfo01.rainpole.local

IP Address 192.168.31.11

14 In the vrli-worker-1 panel, enter these values.

Setting Value

VM Name sfo01vrli01b

FQDN sfo01vrli01b.sfo01.rainpole.local

IP Address 192.168.31.12

15 In the vrli-worker-2 panel, enter these values.

Setting Value

VM Name sfo01vrli01c

FQDN sfo01vrli01c.sfo01.rainpole.local

IP Address 192.168.31.13

16 On the Products page, click Next.

17 On the Precheck page, click Run precheck.

18 Wait for all Pre Validation successful messages and click Next.

19 On the Summary page, review the configuration details.

20 (Optional) To back up the deployment configuration, click Export configuration.

21 Click Submit to start the deployment.

The Request details page displays the progress of deployment.

22 Monitor the steps of the deployment graph until all stages are marked as COMPLETED.

Configure a vSphere DRS Anti-Affinity Rule for vRealize Log Insight

To protect the vRealize Log Insight virtual machines from a host-level failure, configure vSphere DRS to run the virtual machines on different hosts in the first cluster in the management domain.

Use an anti-affinity rule for the vRealize Log Insight virtual machines. This rule configuration accommodates the case when you place a host from the management cluster in maintenance mode.

Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Client.

Setting Value

URL https://sfo01m01vc01.sfo01.rainpole.local/ui

User name [email protected]

Password vsphere_admin_password

2 In the Hosts and clusters inventory, expand the sfo01m01vc01.sfo01.rainpole.local tree and expand the sfo01-m01dc data center.

3 Select the sfo01-m01-mgmt01 cluster and click the Configure tab.

4 In the left pane, select Configuration > VM/Host rules.

5 Click Add VM/host rule, enter the values for the anti-affinity rule, and click OK.

Setting Value

Name anti-affinity-rule-vrli

Enable rule Selected

Type Separate Virtual Machines

Members Click Add VM/host rule member, select the vRealize Log Insight nodes, and click OK.

- sfo01vrli01a

- sfo01vrli01b

- sfo01vrli01c

Create a VM Group and Define the Startup Order of the vRealize Log Insight Cluster in Region A

VM groups allow you to define the startup order of virtual machines. The startup order you define ensures that vSphere HA powers on virtual machines in the correct order.

Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Client.

Setting Value

URL https://sfo01m01vc01.sfo01.rainpole.local/ui

User name [email protected]

Password vsphere_admin_password

2 In the Hosts and clusters inventory, expand the sfo01m01vc01.sfo01.rainpole.local tree and expand the sfo01-m01dc data center.

3 Select the sfo01-m01-mgmt01 cluster and click the Configure tab.

4 In the left pane, select Configuration > VM/Host groups.

5 Click Add VM/host group and enter these values.

Setting Value

Name vRealize Log Insight Virtual Appliances

Type VM Group

Members Click Add VM/host group members, select the vRealize Log Insight nodes, and click OK.

- sfo01vrli01a

- sfo01vrli01b

- sfo01vrli01c

6 Click OK.

7 On the VM/host groups page click Add VM/host group again and enter these values.

Setting Value

Name Region-specific Workspace ONE Access Virtual Appliances

Type VM Group

Members Click Add VM/host group members, select the region-specific Workspace ONE Access node, sfo01wsa01, and click OK.

8 Click OK.

9 Create a rule to power on the region-specific Workspace ONE Access node before the vRealize Log Insight nodes.

a Select the sfo01-m01-mgmt01 cluster and click the Configure tab.

b In the left pane, select Configuration > VM/Host rules.

c Click Add VM/host rule, enter these values, and click OK.

Setting Value

Name SDDC Cloud Logging

Enable rule Selected

Type Virtual Machines to Virtual Machines

The VM dependency restart condition must be met before continuing to

region-specific Workspace ONE Access Virtual Appliances

On restart for VM group vRealize Log Insight Virtual Appliances

Configure SMTP for vRealize Log Insight in Region A

After the vRealize Log Insight cluster is successfully deployed, you configure the SMTP setting by using the vRealize Log Insight user interface.

Procedure

1 In a Web browser, log in to vRealize Log Insight by using the user interface.

Setting Value

URL https://sfo01vrli01.sfo01.rainpole.local

User name admin

Password vrli_admin_password

2 In the vRealize Log Insight user interface, click Administration.

3 In the left navigation pane, under Configuration, click SMTP and enter these values.

Settings Values

SMTP server FQDN_of_the_SMTP_server

Port Server_port_for_SMTP_requests

SSL(SMTPS) Enable or disable encryption for the SMTP transport option connection.

STARTTLS encryption Enable or disable the STARTTLS encryption.

Sender Address_for_the_email_sender

User name User_name_on_the_SMTP_server

Password Password_for_the_SMTP_user_name

4 To verify that the SMTP configuration is correct, enter a valid email address and click Send test email.

vRealize Log Insight sends a test email to the address that you provided.

5 Click Save.

Disable the SSL Connection Requirement in vRealize Log Insight in Region A

Because the syslog clients communicate by using the TCP protocol, you must disable the SSL connection requirement in vRealize Log Insight.

Procedure

1 In a Web browser, log in to vRealize Log Insight by using the user interface.

Setting Value

URL https://sfo01vrli01.sfo01.rainpole.local

User name admin

Password vrli_admin_password

2 In the vRealize Log Insight user interface, click Administration.

3 In the left navigation pane, under Configuration, click SSL.

4 Turn off the Require SSL Connection toggle.

5 Click Save.

Integrate vRealize Log Insight with the Region-Specific Workspace ONE Access in Region A

To propagate user roles in vRealize Log Insight that are maintained centrally and are in line with the other solutions in the SDDC, configure vRealize Log Insight to use the region-specific Workspace ONE Access instance as an authentication source.

Procedure

1 Enable Region-Specific Workspace ONE Access Integration with vRealize Log Insight in Region A

Configure vRealize Log Insight integration with the region-specific Workspace ONE Access instance.

2 Configure Identity and Access Management for vRealize Log Insight in Region A

Configure enterprise identity source user groups in vRealize Log Insight to enable enterprise users to log in with the required role-based access control.

Enable Region-Specific Workspace ONE Access Integration with vRealize Log Insight in Region A

Configure vRealize Log Insight integration with the region-specific Workspace ONE Access instance.

Procedure

1 In a Web browser, log in to vRealize Log Insight by using the user interface.

Setting Value

URL https://sfo01vrli01.sfo01.rainpole.local

User name admin

Password vrli_admin_password

2 In the vRealize Log Insight user interface, click Administration.

3 In the left navigation pane, under Configuration, click Authentication.

4 On the Authentication configuration page, click the VMware Identity Manager tab.

5 Configure the region-specific Workspace ONE Access connection settings.

Setting Value

Enable Single Sign-On Turned on

Host sfo01wsa01.sfo01.rainpole.local

API port 443

Username admin

Password sfo01wsa01_admin_password

Redirect URL host sfo01vrli01.sfo01.rainpole.local

Allow Active Directory users login Disabled

6 To verify the connection, click Test connection.

7 On the Untrusted SSL certificate dialog box, click Accept.

8 On the Authentication configuration page, click Save.

Configure Identity and Access Management for vRealize Log Insight in Region A

Configure enterprise identity source user groups in vRealize Log Insight to enable enterprise users to log in with the required role-based access control.

Table 6-1. Groups and Roles in vRealize Log Insight

Group Role

ug-vrli-admins Super Admin

ug-vrli-users User

ug-vrli-viewers View Only Admin

Procedure

1 In a Web browser, log in to vRealize Log Insight by using the user interface.

Setting Value

URL https://sfo01vrli01.sfo01.rainpole.local

User name admin

Password vrli_admin_password

2 In the vRealize Log Insight user interface, click Administration.

3 In the left navigation pane, under Management, click Access control.

4 On the Access control page, click the Users and groups tab.

5 Under Directory groups, click New group.

6 Configure the vRealize Log Insight role for the ug-vrli-admins group, and click Save.

Setting Value

Domain rainpole.local

Name Enter ug-vrli-admins and, from the drop-down list, select [email protected].

Roles Super Admin

7 Repeat these steps for the remaining groups.

Connect vRealize Log Insight to the vSphere Environment in Region A

Start collecting log information about the ESXi and vCenter Server instances in the SDDC.

Procedure

1 Configure User Privileges in vSphere for Integration with vRealize Log Insight in Region A

Assign global permissions to the svc-vrli-vsphere service account to collect log information from the vCenter Server instances and ESXi hosts with vRealize Log Insight. The svc-vrli-vsphere user account is dedicated to collecting log information from vCenter Server and ESXi.

2 Connect vRealize Log Insight to vSphere in Region A

After you configure the svc-vrli-vsphere user with the vSphere privileges that are necessary for retrieving log information from the vCenter Server instances and ESXi hosts, connect vRealize Log Insight to vSphere by using the vRealize Log Insight user interface.

3 Configure vCenter Server to Forward Log Events to vRealize Log Insight in Region A

Configure each vCenter Server instance to forward system logs and events to vRealize Log Insight. After that, you can view and analyze all syslog information in the vRealize Log Insight user interface.

Configure User Privileges in vSphere for Integration with vRealize Log Insight in Region A

Assign global permissions to the svc-vrli-vsphere service account to collect log information from the vCenter Server instances and ESXi hosts with vRealize Log Insight. The svc-vrli-vsphere user account is dedicated to collecting log information from vCenter Server and ESXi.

Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Client.

Setting Value

URL https://sfo01m01vc01.sfo01.rainpole.local/ui

User name [email protected]

Password vsphere_admin_password

2 Select Menu > Administration.

3 In the left pane, select Access control > Roles.

4 From the Roles provider drop-down menu, select sfo01m01vc01.sfo01.rainpole.local.

5 Create a role for vRealize Log Insight.

a Select the Read-only role and click the Clone role action icon.

You clone the Read-only role because it includes the System.Anonymous, System.View, and System.Read privileges. vRealize Log Insight requires those privileges for accessing log information related to the vCenter Server instances.

b In the Clone Role dialog box, in the Role name text box, enter vRealize Log Insight to vSphere Integration and click OK.

c Select the vRealize Log Insight to vSphere Integration role and click the Edit role action icon.

d In the Edit role dialog box, configure these privileges and click Next.

Category Privilege

Host Configuration.Advanced settings

Configuration.Change settings

Configuration.Network configuration

Configuration.Security profile and firewall

These host privileges allow vRealize Log Insight to configure the syslog service on the ESXi hosts.

e Click Finish.

The vRealize Log Insight to vSphere Integration role is propagated to the other linked vCenter Server instances.

6 Associate the service account with the role and assign global permissions to the [email protected] service account.

a In the left pane, select Access control > Global permissions.

b Click the Add permission icon, enter these values, and click OK.

Setting Value

Domain rainpole.local

User/Group svc-vrli-vsphere

Role vRealize Log Insight to vSphere Integration

Propagate to children Selected

The global permissions of the [email protected] user propagate to all vCenter Server instances.

Connect vRealize Log Insight to vSphere in Region A

After you configure the svc-vrli-vsphere user with the vSphere privileges that are necessary for retrieving log information from the vCenter Server instances and ESXi hosts, connect vRealize Log Insight to vSphere by using the vRealize Log Insight user interface.

Procedure

1 In a Web browser, log in to vRealize Log Insight by using the user interface.

Setting Value

URL https://sfo01vrli01.sfo01.rainpole.local

User name admin

Password vrli_admin_password

2 In the vRealize Log Insight user interface, click Administration.

3 In the left navigation pane, under Integration, click vSphere.

4 In the vCenter pane, enter the connection settings for the Management domain vCenter Server in the region.

Setting Value

Hostname sfo01m01vc01.sfo01.rainpole.local

Username [email protected]

Password svc-vrli-vsphere_user_password

Collect vCenter Server events, tasks and alarms Selected

Configure ESXi hosts to send logs to Log Insight Selected

Target sfo01vrli01.sfo01.rainpole.local

5 Click Test connection.

The vCenter Server certificate appears.

6 In the Untrusted SSL certificate dialog box, verify the vCenter Server certificate information, and click Accept.

7 To verify that you connected to the correct vCenter Server instance, click Advanced options.

8 In the sfo01m01vc01.sfo01.rainpole.local configuration window, select Configure all ESXi hosts.

9 Under Syslog protocol, select TCP and click OK.

10 Click Save.

A progress dialog box appears.

11 When vRealize Log Insight contacts the vCenter Server instance, in the confirmation dialog box, click OK.

12 Repeat these steps to add the Workload domain vCenter Server, sfo01w01vc01.sfo01.rainpole.local.

Results

The vSphere dashboards appear on the vRealize Log Insight Dashboards page, under the VMware - vSphere content pack dashboard category.

Configure vCenter Server to Forward Log Events to vRealize Log Insight in Region A

Configure each vCenter Server instance to forward system logs and events to vRealize Log Insight. After that, you can view and analyze all syslog information in the vRealize Log Insight user interface.

Table 6-2. vCenter Server Instances in Region A

Domain Virtual Appliance Management Interface URL

Management https://sfo01m01vc01.sfo01.rainpole.local:5480

Workload https://sfo01w01vc01.sfo01.rainpole.local:5480

Procedure

1 Redirect the log events from the vCenter Server instances to vRealize Log Insight.

a In a Web browser, log in to vCenter Server by using the Virtual Appliance Management Interface (VAMI).

Setting Value

URL https://sfo01m01vc01.sfo01.rainpole.local:5480

User name root

Password vcenter_server_root_password

b In the navigation pane, click Syslog.

c On the Forwarding configuration page, click Configure.

d In the Create forwarding configuration dialog box, enter these values and click Save.

Table 6-3.

Setting Value

Server address sfo01vrli01.sfo01.rainpole.local

Protocol TCP

Port 514

e Repeat these steps for the other vCenter Server instance by logging in to https://sfo01w01vc01.sfo01.rainpole.local:5480.

2 Verify that the vCenter Server instances are forwarding their syslog traffic to vRealize Log Insight.

a In a Web browser, log in to vRealize Log Insight by using the user interface.

b In the vRealize Log Insight user interface, click Dashboards.

c In the left navigation pane, under Content pack dashboards, click VMware - vSphere > General Overview.

d Verify that the vCenter Server instances are presented on the All vSphere events by hostname widget.

Connect vRealize Log Insight to vRealize Operations Manager in Region A

Connect vRealize Log Insight to vRealize Operations Manager so that you can use the Launch in Context functionality between the two applications to troubleshoot management nodes and vRealize Operations Manager by using dashboards and alerts in the vRealize Log Insight user interface.

Procedure

1 Configure User Privileges in vRealize Operations Manager for Integration with vRealize Log Insight in Region A

To configure vRealize Operations Manager to use the launch in context functionality of vRealize Log Insight and display menu items related to vRealize Log Insight, you import the [email protected] service account and assign it the Administrator role.

2 Enable the vRealize Log Insight Integration with vRealize Operations Manager in Region A

In VMware vRealize Log Insight, you enable the launch in context feature for vRealize Operations Manager. This feature enables vRealize Operations Manager to launch vRealize Log Insight with an object-specific query.

3 Connect vRealize Operations Manager to vRealize Log Insight in Region A

Configure a vRealize Log Insight adapter to integrate vRealize Log Insight with vRealize Operations Manager in your environment. You can access unstructured log data about any object in your environment by using Launch in Context in vRealize Operations Manager.

4 Configure the vRealize Log Insight Agent on the Analytics Cluster to Forward Log Events to vRealize Log Insight in Region A

After you connect vRealize Operations Manager to vRealize Log Insight for launch in context, configure the vRealize Log Insight agent on the vRealize Operations Manager analytics cluster to send audit logs and system events to vRealize Log Insight.

Configure User Privileges in vRealize Operations Manager for Integration with vRealize Log Insight in Region A

To configure vRealize Operations Manager to use the launch in context functionality of vRealize Log Insight and display menu items related to vRealize Log Insight, you import the [email protected] service account and assign it the Administrator role.

Procedure

1 In a Web browser, log in to the vRealize Operations Manager by using the operations interface.

Settings Value

URL https://vrops01svr01.rainpole.local

User name admin

Password vrops_admin_password

2 On the main navigation bar, click Administration.

3 In the left pane, select Access > Access control.

4 Click the User accounts tab.

5 Click the horizontal ellipsis and select Import.

6 Import the [email protected] service account.

a From the Import from drop-down menu, select WorkspaceONE.

b In the Domain Name text box, enter rainpole.local.

c In the Search Prefix text box, enter svc-vrli-vrops and click Search.

d Select svc-vrli-vrops and click Next.

7 On the Assign groups and permissions page, click the Objects tab, enter these values, and click Finish.

Setting Value

Select role Administrator

Assign this role to the user Selected

Allow access to all objects in the system Selected

8 When prompted with the warning about allowing access to all objects on the system, click Yes.

Enable the vRealize Log Insight Integration with vRealize Operations Manager in Region A

In VMware vRealize Log Insight, you enable the launch in context feature for vRealize Operations Manager. This feature enables vRealize Operations Manager to launch vRealize Log Insight with an object-specific query.

Procedure

1 In a Web browser, log in to vRealize Log Insight by using the user interface.

Setting Value

URL https://sfo01vrli01.sfo01.rainpole.local

User name admin

Password vrli_admin_password

2 In the vRealize Log Insight user interface, click Administration.

3 In the left pane, under Integration, click vRealize Operations.

4 On the vRealize Operations integration page, configure these integration settings for vRealize Operations Manager.

Setting Value

Hostname vrops01svr01.rainpole.local

Username [email protected]@WorkspaceONE

Password svc-vrli-vrops_root_password

Enable alerts integration Selected

Enable launch in context Selected

Enable metric calculation Selected

Target sfo01vrli01.sfo01.rainpole.local

5 To validate the connection, click Test.

6 In the Untrusted SSL certificate dialog box, click Accept.

7 Click Save and in the progress dialog box, click OK.

Connect vRealize Operations Manager to vRealize Log Insight in Region A

Configure a vRealize Log Insight adapter to integrate vRealize Log Insight with vRealize Operations Manager in your environment. You can access unstructured log data about any object in your environment by using Launch in Context in vRealize Operations Manager.

Procedure

1 In a Web browser, log in to the vRealize Operations Manager by using the operations interface.

Settings Value

URL https://vrops01svr01.rainpole.local

User name admin

Password vrops_admin_password

2 On the main navigation bar, click Administration.

3 In the left navigation pane, select Management > Integrations.

4 On the Integrations page, click the VMware vRealize Log Insight vertical ellipsis and select Configure.

The VMware vRealize Log Insight dialog box appears.

5 Under Connect information, enter these values for connection to vRealize Log Insight.

Setting Value

Log Insight server sfo01vrli01.sfo01.rainpole.local

Collector/Group sfo01-remote-collectors

6 To validate the connection to vRealize Log Insight, click Validate connection.

7 In the Info dialog box, click OK.

8 Click Save.

9 On the Integrations page, verify that the collection status is OK.

Configure the vRealize Log Insight Agent on the Analytics Cluster to Forward Log Events to vRealize Log Insight in Region A

After you connect vRealize Operations Manager to vRealize Log Insight for launch in context, configure the vRealize Log Insight agent on the vRealize Operations Manager analytics cluster to send audit logs and system events to vRealize Log Insight.

Procedure

1 In a Web browser, log in to the vRealize Operations Manager by using the operations interface.

Settings Value

URL https://vrops01svr01.rainpole.local

User name admin

Password vrops_admin_password

2 On the main navigation bar, click Administration.

3 In the left navigation pane, select Management > Log forwarding.

4 On the Log Forwarding page, enter these values and click Apply changes.

Table 6-4.

Setting Value

Output logs to external log server Selected

Forwarded logs Selected

Log Insight servers sfo01vrli01.sfo01.rainpole.local

Host sfo01vrli01.sfo01.rainpole.local

Protocol cfapi

Port 9000

Use SSL Deselected

Path to certificate authority file N/A

Cluster name vrops01svr01

Connect vRealize Log Insight to NSX Data Center for vSphere in Region A

Install and configure the vRealize Log Insight content pack for log visualization and alerting of the NSX Data Center for vSphere real-time operation. You can use the NSX-vSphere dashboards to monitor logs about installation and configuration, and about virtual networking services in the management and workload domains.

Install the vRealize Log Insight Content Pack for NSX Data Center for vSphere in Region A

To add dashboards to vRealize Log Insight for viewing log details on the NSX Data Center for vSphere operation, install the NSX-vSphere content pack.

Procedure

1 In a Web browser, log in to vRealize Log Insight by using the user interface.

Setting Value

URL https://sfo01vrli01.sfo01.rainpole.local

User name admin

Password vrli_admin_password

2 In the vRealize Log Insight user interface, click Content packs.

3 In the left pane, under Content pack marketplace, click Marketplace.

4 On the Log Insight content pack marketplace page, locate and click the VMware - NSX-vSphere content pack to start the installation.

The Install content pack dialog box appears.

5 Accept the license agreement and click Install.

6 To proceed with installation, click OK.

When the installation finishes, the newly installed content pack appears in the left navigation pane, under Installed content packs.

Update the NSX Manager Log Forwarding Protocol in Region A

The VMware Cloud Foundation 3.10 bring-up process configures the NSX Manager for the management domain to forward logs to the earlier version of vRealize Log Insight that you disassociated. Update the NSX Manager to send audit logs and system events to the newly deployed vRealize Suite 2019 vRealize Log Insight by using the TCP protocol.

Procedure

1 In a Web browser, log in to the NSX Manager for the management domain by using the user interface.

Setting Value

URL https://sfo01m01nsx01.sfo01.rainpole.local

User name admin

Password nsx_admin_password

2 Click Manage appliance settings.

3 Under Settings, click General.

4 In the Syslog server pane, click Edit.

5 In the Syslog server dialog box, verify the syslog server host name and port, configure the protocol, and click OK.

Setting Value

Syslog server sfo01vrli01.sfo01.rainpole.local

Port 514

Protocol TCP

6 If there are workload domains with NSX Data Center for vSphere that are added to the SDDC, repeat the procedure for each Workload domain NSX Manager.

Configure the NSX Controller Nodes to Forward Log Events to vRealize Log Insight in Region A

Configure the NSX Controller nodes to forward log information to vRealize Log Insight by using the NSX REST API. To enable log forwarding, you can use a REST client, such as the Postman application.

First, you retrieve the IDs of the NSX Controller nodes, controller-1, controller-2, and controller-3. Then, you send a request to each NSX Controller node to configure vRealize Log Insight as a remote syslog server.

Table 6-5. Management Domain NSX Controller Nodes

NSX Manager | NSX Controller in the Controller Cluster | Request URL for the NSX Controller Syslog Service

sfo01m01nsx01.sfo01.rainpole.local | NSX Controller 1 | https://sfo01m01nsx01.sfo01.rainpole.local/api/2.0/vdn/controller/controller-1/syslog

sfo01m01nsx01.sfo01.rainpole.local | NSX Controller 2 | https://sfo01m01nsx01.sfo01.rainpole.local/api/2.0/vdn/controller/controller-2/syslog

sfo01m01nsx01.sfo01.rainpole.local | NSX Controller 3 | https://sfo01m01nsx01.sfo01.rainpole.local/api/2.0/vdn/controller/controller-3/syslog
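The first half of the procedure introduced above (retrieve the controller IDs, then form the per-controller request URLs listed in Table 6-5), as an added Python example that is not part of the VMware guide. The sample response is constructed, and the function names, the host-name and ID validation, and the DTD check are assumptions of this example; it builds the requests but does not send them.

```python
import base64
import re
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample of the response body to GET /api/2.0/vdn/controller.
# The guide only describes the <controllers>/<controller>/<id> structure; the
# <ipAddress> element and all values here are made up for this example.
SAMPLE_RESPONSE = """<?xml version="1.0" encoding="UTF-8"?>
<controllers>
  <controller><id>controller-1</id><ipAddress>192.0.2.11</ipAddress></controller>
  <controller><id>controller-2</id><ipAddress>192.0.2.12</ipAddress></controller>
  <controller><id>controller-3</id><ipAddress>192.0.2.13</ipAddress></controller>
</controllers>
"""

NSX_MANAGER = "sfo01m01nsx01.sfo01.rainpole.local"  # NSX Manager from Table 6-5

_CONTROLLER_ID = re.compile(r"controller-[0-9]+")
_DNS_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def _check_host(host):
    """Accept only a plain DNS name so nothing extra ends up in the URL."""
    if len(host) > 253 or not all(_DNS_LABEL.fullmatch(p) for p in host.split(".")):
        raise ValueError(f"not a valid host name: {host!r}")
    return host


def _check_id(controller_id):
    """Accept only the controller-<number> format the guide describes."""
    if not _CONTROLLER_ID.fullmatch(controller_id):
        raise ValueError(f"unexpected controller ID: {controller_id!r}")
    return controller_id


def build_list_request(manager, user, password):
    """GET request for the controller list, with the Basic Auth and
    Content-Type headers that the procedure sets in Postman."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return urllib.request.Request(
        f"https://{_check_host(manager)}/api/2.0/vdn/controller",
        method="GET",
        headers={"Authorization": f"Basic {token}",
                 "Content-Type": "application/xml"},
    )


def parse_controller_ids(xml_body):
    """Return the <id> of every <controller> in the response, in numeric order."""
    text = xml_body.decode("utf-8") if isinstance(xml_body, bytes) else xml_body
    # A controller list has no reason to carry a DTD; reject it rather than
    # let the parser expand entity definitions.
    if "<!DOCTYPE" in text or "<!ENTITY" in text:
        raise ValueError("response carries a DTD; refusing to parse it")
    root = ET.fromstring(text.encode("utf-8"))
    if root.tag != "controllers":
        raise ValueError(f"unexpected root element: {root.tag!r}")
    ids = []
    for node in root.findall("controller"):
        controller_id = _check_id((node.findtext("id") or "").strip())
        if controller_id in ids:
            raise ValueError(f"duplicate controller ID: {controller_id!r}")
        ids.append(controller_id)
    if not ids:
        raise ValueError("no <controller> elements in the response")
    return sorted(ids, key=lambda cid: int(cid.split("-")[1]))


def syslog_urls(manager, controller_ids):
    """Map each controller ID to its syslog request URL (Table 6-5 layout)."""
    host = _check_host(manager)
    return {cid: f"https://{host}/api/2.0/vdn/controller/{_check_id(cid)}/syslog"
            for cid in controller_ids}


if __name__ == "__main__":
    # Placeholder credentials; the request object is built but never sent.
    request = build_list_request(NSX_MANAGER, "admin", "nsx_admin_password")
    print(request.get_method(), request.full_url)
    for cid, url in syslog_urls(NSX_MANAGER, parse_controller_ids(SAMPLE_RESPONSE)).items():
        print(cid, url)
```

Validating the IDs before they are placed in the URL path keeps a malformed or tampered response from redirecting the syslog request to a different API endpoint.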

Procedure

1 Log in to the host machine that has access to your data center.

2 Start the Postman application and log in.

3 Configure the headers for requests to the NSX Manager.

a On the Authorization tab, enter the authorization details.

Setting Value

Type Basic Auth

User name admin

Password nsx_admin_password

b On the Headers tab, enter the header details.

Setting Value

Key Content-Type

Key value application/xml

4 Retrieve the IDs of the NSX Controller nodes associated with the Management domain NSX Manager.

a In the request pane, provide the URL query for the NSX Manager and click Send.

Setting Value

HTTP request method GET

Request URL https://sfo01m01nsx01.sfo01.rainpole.local/api/2.0/vdn/controller

Body None

The Postman application sends a query to the NSX Manager about the installed NSX Controller nodes.

b When the NSX Manager sends a response back, click the Body tab in the response pane.

The response body contains a root <controllers> XML element that groups the details about the three controllers that form the controller cluster.

c Within the <controllers> element, locate the <controller> element for each NSX Controller node and write down the content of the <id> element.

NSX Controller IDs have the controller-id format where id represents the sequence number of the controller in the cluster, for example, controller-1, controller-2, and controller-3.

With these IDs, you can form the request URLs for the NSX Controller nodes.

5 For each NSX Controller, send a request to configure vRealize Log Insight as a remote syslog server.

a In the request pane, provide the URL query for the first NSX Controller and click Send.

Setting Value

HTTP request method POST

Request URL https://sfo01m01nsx01.sfo01.rainpole.local/api/2.0/vdn/controller/controller-1/syslog

b On the Body tab, select the Raw radio-button, and from the Text drop-down menu, select XML (Application/XML).

c In the Body text box, enter the following request body for configuring vRealize Log Insight as a remote syslog server, and click Send.

<controllerSyslogServer>
  <syslogServer>192.168.31.10</syslogServer>
  <port>514</port>
  <protocol>TCP</protocol>
  <level>INFO</level>
</controllerSyslogServer>

d Repeat these steps for the remaining NSX Controllers.

6 Verify the syslog configuration on each NSX Controller.

a In the request pane, provide the URL query for the first NSX Controller and click Send.

Setting Value

HTTP request method GET

Request URL https://sfo01m01nsx01.sfo01.rainpole.local/api/2.0/vdn/controller/controller-1/syslog

Body None

b When the NSX Controller sends a response back, click the Body tab in the response pane.

The response body contains a root <controllerSyslogServer> element, which represents the settings for the remote syslog server on the NSX Controller.

c Verify that the value of the <syslogServer> element is 192.168.31.10.

d Repeat these steps for the remaining NSX Controllers.

7 If there are workload domains with NSX Data Center for vSphere that are added to the SDDC, repeat the procedure for each Workload domain NSX Manager.
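The controller steps above can be checked from saved responses instead of by eye. The following Python is an added example, not part of the VMware procedure: it extracts the controller IDs, builds the request URLs and XML body from the values on this page, and compares each GET response with the expected settings. The sample responses and the address 192.0.2.50 are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Values taken from the page.
NSX_MANAGER = "sfo01m01nsx01.sfo01.rainpole.local"
EXPECTED = {"syslogServer": "192.168.31.10", "port": "514",
            "protocol": "TCP", "level": "INFO"}

# Constructed sample of the GET /api/2.0/vdn/controller response. Only the
# <controllers>/<controller>/<id> structure described on the page is modelled.
SAMPLE_CONTROLLERS = """
<controllers>
  <controller><id>controller-1</id></controller>
  <controller><id>controller-2</id></controller>
  <controller><id>controller-3</id></controller>
</controllers>
"""

# Constructed GET .../syslog responses: one correct, one still on UDP and
# pointing at a made-up address. controller-3 has no saved response at all.
SAMPLE_SYSLOG = {
    "controller-1": "<controllerSyslogServer><syslogServer>192.168.31.10</syslogServer>"
                    "<port>514</port><protocol>TCP</protocol><level>INFO</level>"
                    "</controllerSyslogServer>",
    "controller-2": "<controllerSyslogServer><syslogServer>192.0.2.50</syslogServer>"
                    "<port>514</port><protocol>UDP</protocol><level>INFO</level>"
                    "</controllerSyslogServer>",
}

ID_FORMAT = re.compile(r"controller-\d+")


def controller_ids(controllers_xml):
    """Return the <id> of every <controller>, rejecting unexpected formats."""
    root = ET.fromstring(controllers_xml.strip())
    if root.tag != "controllers":
        raise ValueError(f"unexpected root element <{root.tag}>")
    ids = [(c.findtext("id") or "").strip() for c in root.findall("controller")]
    bad = [i for i in ids if not ID_FORMAT.fullmatch(i)]
    if bad:
        # The ID becomes part of a request path, so odd values are refused.
        raise ValueError(f"unexpected controller id(s): {bad}")
    return ids


def syslog_url(controller_id, manager=NSX_MANAGER):
    """Request URL for one controller's syslog service."""
    return f"https://{manager}/api/2.0/vdn/controller/{controller_id}/syslog"


def syslog_body(settings=EXPECTED):
    """XML request body for the POST, built from the expected settings."""
    root = ET.Element("controllerSyslogServer")
    for tag, value in settings.items():
        ET.SubElement(root, tag).text = value
    return ET.tostring(root, encoding="unicode")


def check_syslog(response_xml, expected=EXPECTED):
    """Compare one GET response with the expected settings; return findings."""
    if not response_xml:
        return ["no syslog configuration returned"]
    root = ET.fromstring(response_xml.strip())
    if root.tag != "controllerSyslogServer":
        return [f"unexpected root element <{root.tag}>"]
    findings = []
    for tag, want in expected.items():
        got = (root.findtext(tag) or "").strip()
        if got != want:
            findings.append(f"{tag}: expected {want}, got {got or 'missing'}")
    return findings


def audit(controllers_xml, responses):
    """Map every controller in the cluster to its list of findings."""
    return {cid: check_syslog(responses.get(cid))
            for cid in controller_ids(controllers_xml)}


if __name__ == "__main__":
    for cid, findings in audit(SAMPLE_CONTROLLERS, SAMPLE_SYSLOG).items():
        print(syslog_url(cid), "OK" if not findings else findings)
```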

Update the Log Forwarding Protocol on the NSX Edge Instances in Region A

Update the log forwarding protocol on the edge services gateways, universal distributed logical router, and load balancer.

Table 6-6. Management Domain NSX Edges

| Traffic Type | NSX Edge Name | NSX Edge Type |
|---|---|---|
| North-South Routing | sfo01m01esg01 | Edge Services Gateway |
| North-South Routing | sfo01m01esg02 | Edge Services Gateway |
| East-West Routing | sfo01m01udlr01 | Universal Distributed Logical Router |
| Load Balancer | sfo01m01lb01 | Edge Services Gateway |

Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Client.

Setting Value

URL https://sfo01m01vc01.sfo01.rainpole.local/ui

User name [email protected]

Password vsphere_admin_password

2 In the Networking and security inventory, click NSX Edges.

3 From the NSX Manager drop-down menu, select 172.16.11.65.

The NSX Edge devices associated with the Management domain NSX Manager appear.

4 Update the log forwarding protocol on each NSX Edge device.

a Click the ID of the NSX Edge device to open its network settings.

b Click the Configure tab and click Appliance Settings.

c Next to Configuration, click the cog icon and select Change syslog configuration.

d In the Change syslog servers dialog box, update the protocol and click OK.

Setting Value

Syslog server 1 192.168.31.10

Protocol TCP

e Repeat these steps for the remaining NSX Edge devices for the management domain.

5 If there are workload domains with NSX Data Center for vSphere that are added to the SDDC, repeat the procedure for each Workload domain NSX Manager.

Results

The vRealize Log Insight user interface starts showing log data under the VMware - NSX-vSphere group of content pack dashboards, in the NSX-vSphere - Overview dashboard.

Connect vRealize Log Insight to NSX-T Data Center in Region A

If you deployed NSX-T Data Center in the workload domain, you connect vRealize Log Insight to the NSX-T Data Center components to start collecting log information.

Procedure

1 Install the vRealize Log Insight Content Pack for NSX-T Data Center in Region A

To add dashboards to vRealize Log Insight for viewing log details on the NSX-T Data Center operation, install the NSX-T content pack.

2 Configure the Workload Domain NSX-T Managers to Forward Log Events to vRealize Log Insight in Region A

Configure the NSX-T Managers to send audit logs and system events to vRealize Log Insight.

3 Configure the NSX-T Edges to Forward Log Events to vRealize Log Insight in Region A

Configure the NSX-T Edge nodes to send audit logs and system events to vRealize Log Insight.

Install the vRealize Log Insight Content Pack for NSX-T Data Center in Region A

To add dashboards to vRealize Log Insight for viewing log details on the NSX-T Data Center operation, install the NSX-T content pack.

Procedure

1 In a Web browser, log in to vRealize Log Insight by using the user interface.

Setting Value

URL https://sfo01vrli01.sfo01.rainpole.local

User name admin

Password vrli_admin_password

2 In the vRealize Log Insight user interface, click Content packs.

3 In the left pane, under Content pack marketplace, click Marketplace.

4 On the Log Insight content pack marketplace page, locate and click the VMware - NSX-T content pack to start the installation.

The Install content pack dialog box appears.

5 Accept the license agreement and click Install.

6 To proceed with the installation, click OK.

When the installation finishes, the newly installed content pack appears in the left navigation pane, under Installed content packs.

Configure the Workload Domain NSX-T Managers to Forward Log Events to vRealize Log Insight in Region A

Configure the NSX-T Managers to send audit logs and system events to vRealize Log Insight.

Use the Postman application to configure log forwarding for all NSX-T Managers in the region by sending a POST request to each NSX-T Manager.

Table 6-7. Workload domain NSX-T Managers in Region A

| NSX Manager Host Name | Request URL for the NSX Manager Syslog Service |
|---|---|
| sfo01w01nsx01a.sfo01.rainpole.local | https://sfo01w01nsx01a.sfo01.rainpole.local/api/v1/node/services/syslog/exporters |
| sfo01w01nsx01b.sfo01.rainpole.local | https://sfo01w01nsx01b.sfo01.rainpole.local/api/v1/node/services/syslog/exporters |
| sfo01w01nsx01c.sfo01.rainpole.local | https://sfo01w01nsx01c.sfo01.rainpole.local/api/v1/node/services/syslog/exporters |

Procedure

1 Log in to the host machine that has access to your data center.

2 Start the Postman application and log in.

3 Configure the request headers and body.

a On the Authorization tab, enter the authorization details.

Setting Value

Type Basic Auth

User name admin

Password nsx-t_admin_password

b On the Headers tab, enter the header details.

Setting Value

Key Content-Type

Key value application/json

c On the Body tab, select the Raw radio-button, and from the Text drop-down menu, select JSON.

d In the Body text box, enter the following request body for configuring vRealize Log Insight as a remote syslog server.

{
  "exporter_name": "syslog1",
  "level": "INFO",
  "port": 514,
  "protocol": "TCP",
  "server": "sfo01vrli01.sfo01.rainpole.local"
}

4 Send the request to each NSX-T Manager.

a In the request pane, provide the URL query for the Workload domain NSX-T Manager and click Send.

Setting Value

HTTP request method POST

Request URL https://sfo01w01nsx01a.sfo01.rainpole.local/api/v1/node/services/syslog/exporters

b Repeat this step by sending the log configuration request to the request URL of each of the remaining Workload domain NSX-T Managers.

The log data appears on the vRealize Log Insight Dashboards page, under Content pack dashboards, on the VMware - NSX-T > NSX-Infrastructure page.

5 Verify the syslog configuration on each NSX-T Manager.

a In the request pane, configure the following settings and click Send.

Setting Value

HTTP request method GET

Request URL https://sfo01w01nsx01a.sfo01.rainpole.local/api/v1/node/services/syslog/exporters

Body None

When the NSX-T Manager appliance sends a response back, on the Body tab, you see the following message.

{
  "_schema": "NodeSyslogExporterPropertiesListResult",
  "_self": {
    "href": "/node/services/syslog/exporters",
    "rel": "self"
  },
  "result_count": 1,
  "results": [
    {
      "_schema": "NodeSyslogExporterProperties",
      "_self": {
        "href": "/node/services/syslog/exporters/syslog1",
        "rel": "self"
      },
      "exporter_name": "syslog1",
      "level": "INFO",
      "port": 514,
      "protocol": "TCP",
      "server": "sfo01vrli01.sfo01.rainpole.local"
    }
  ]
}

b Verify that the value of the server element is sfo01vrli01.sfo01.rainpole.local.

c Repeat this step by sending the log verification request to the request URL of each of the remaining Workload domain NSX-T Managers.

6 If there are other workload domains with NSX-T Data Center that are added to the SDDC, repeat the procedure for each additional Workload domain NSX-T Manager.

Configure the NSX-T Edges to Forward Log Events to vRealize Log Insight in Region A

Configure the NSX-T Edge nodes to send audit logs and system events to vRealize Log Insight.

First, you retrieve the ID of each edge transport node by using the NSX-T Manager user interface. Then, you use the Postman application to configure log forwarding for all edge transport nodes in the region by sending a POST request to each NSX-T Edge node.

Table 6-8. Management Domain NSX-T Edges in Region A

| Type | NSX-T Edge Host Name | Request URL for the NSX-T Edge Syslog Service | NSX-T Manager URL |
|---|---|---|---|
| Workload | sfo01w01en01.sfo01.rainpole.local | https://sfo01w01nsx01.sfo01.rainpole.local/api/v1/transport-nodes/node_id_of_sfo01w01en01/node/services/syslog/exporters | https://sfo01w01nsx01.sfo01.rainpole.local |
| | sfo01w01en02.sfo01.rainpole.local | https://sfo01w01nsx01.sfo01.rainpole.local/api/v1/transport-nodes/node_id_of_sfo01w01en02/node/services/syslog/exporters | |

Procedure

1 In a Web browser, log in to the NSX-T Manager for the workload domain by using the user interface.

Setting Value

URL https://sfo01w01nsx01.sfo01.rainpole.local

User name admin

Password nsx-t_admin_password

2 Retrieve the IDs of the edge transport nodes.

a Click System.

b In the left navigation pane, under Configuration, click Fabric > Nodes.

c Click the Edge transport nodes tab.

d On the row for the sfo01w01en01 edge transport node, click the ID value.

A text box appears showing the transport edge node ID.

e Copy the node ID value, node_id_of_sfo01w01en01.

f Repeat these steps to retrieve the IDs of the remaining NSX-T Edge nodes.

3 Start the Postman application and log in.

4 Configure the request headers and body.

a On the Authorization tab, enter the authorization details.

Setting Value

Type Basic Auth

User name admin

Password nsx-t_admin_password

b On the Headers tab, enter the header details.

Setting Value

Key Content-Type

Key value application/json

c On the Body tab, select the Raw radio-button, and from the Text drop-down menu, select JSON.

d In the Body text box, enter the following request body for configuring vRealize Log Insight as a remote syslog server.

{
  "exporter_name": "syslog1",
  "level": "INFO",
  "port": 514,
  "protocol": "TCP",
  "server": "sfo01vrli01.sfo01.rainpole.local"
}

5 Send the request to each NSX-T Edge node.

a In the request pane, provide the URL query for the first Management domain NSX-T Edge and click Send.

Setting Value

HTTP request method POST

Request URL https://sfo01w01nsx01.sfo01.rainpole.local/api/v1/transport-nodes/node_id_of_sfo01w01en01/node/services/syslog/exporters

b Repeat this step by sending the log configuration request to the API URL of each of the remaining Workload domain NSX-T Edge nodes.

6 Verify the syslog configuration on each NSX-T Edge node.

a In the request pane, configure the following settings and click Send.

Setting Value

HTTP request method GET

Request URL https://sfo01w01nsx01.sfo01.rainpole.local/api/v1/transport-nodes/node_id_of_sfo01w01en01/node/services/syslog/exporters

Body None

When the NSX-T Edge sends a response back, on the Body tab, you see the following message.

{
  "_schema": "NodeSyslogExporterPropertiesListResult",
  "_self": {
    "href": "/transport-nodes/0d8b168d-44ae-4fba-905a-bf5f7c927d8b/node/services/syslog/exporters",
    "rel": "self"
  },
  "result_count": 1,
  "results": [
    {
      "_schema": "NodeSyslogExporterProperties",
      "_self": {
        "href": "/node/services/syslog/exporters/syslog1",
        "rel": "self"
      },
      "exporter_name": "syslog1",
      "level": "INFO",
      "port": 514,
      "protocol": "TCP",
      "server": "sfo01vrli01.sfo01.rainpole.local"
    }
  ]
}

b Verify that the value of the server element is sfo01vrli01.sfo01.rainpole.local.

c Repeat this step by sending the log verification request to the request URL of each of the remaining Workload domain NSX-T Edge nodes.

7 If there are other workload domains with NSX-T Manager that are added to the SDDC, repeat the procedure for the NSX-T Edge nodes of each additional workload domain.
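The verification steps for the NSX-T Managers and the NSX-T Edge nodes read the same exporter list, so one check serves both procedures. The following Python is an added example, not part of the VMware procedure: it builds the request URLs from this page and audits saved GET responses for a missing exporter, a changed setting, or an exporter that forwards to another server. The sample responses and the host old-vrli.example.local are constructed, and the transport node ID is assumed to be a UUID, as in the sample response on this page.

```python
import json
import uuid

# Expected exporter settings, taken from the request body on the page.
EXPECTED = {"server": "sfo01vrli01.sfo01.rainpole.local", "port": 514,
            "protocol": "TCP", "level": "INFO"}


def manager_url(host):
    """Syslog exporter URL of one NSX-T Manager node."""
    return f"https://{host}/api/v1/node/services/syslog/exporters"


def edge_url(manager, node_id):
    """Syslog exporter URL of one edge transport node.

    uuid.UUID raises ValueError for anything that is not a UUID, which also
    catches a placeholder such as node_id_of_sfo01w01en01 left in the URL.
    """
    node_id = str(uuid.UUID(node_id))
    return (f"https://{manager}/api/v1/transport-nodes/{node_id}"
            "/node/services/syslog/exporters")


def audit_exporters(response_text, expected=EXPECTED):
    """Return findings for one GET .../syslog/exporters response body."""
    data = json.loads(response_text)
    exporters = data.get("results", [])
    findings = []
    if data.get("result_count") != len(exporters):
        findings.append("result_count does not match the number of results")
    matched = False
    for exp in exporters:
        name = exp.get("exporter_name", "<unnamed>")
        diffs = {k: exp.get(k) for k, v in expected.items() if exp.get(k) != v}
        if not diffs:
            matched = True
        elif "server" in diffs:
            # Log data is leaving for a destination other than the expected one.
            findings.append(f"{name}: forwards to unexpected server {diffs['server']}")
        else:
            findings.append(f"{name}: settings differ {diffs}")
    if not matched:
        findings.append("no exporter matches the expected settings")
    return findings


def list_result(*exporters):
    """Build a constructed response in the shape shown on the page."""
    return json.dumps({"_schema": "NodeSyslogExporterPropertiesListResult",
                       "result_count": len(exporters),
                       "results": list(exporters)})


GOOD = dict(EXPECTED, exporter_name="syslog1")
NSX_T_MANAGER = "sfo01w01nsx01.sfo01.rainpole.local"

# Constructed responses keyed by request URL: correct, UDP left in place,
# a stale second exporter, and an edge node with no exporter at all.
SAMPLES = {
    manager_url("sfo01w01nsx01a.sfo01.rainpole.local"): list_result(GOOD),
    manager_url("sfo01w01nsx01b.sfo01.rainpole.local"):
        list_result(dict(GOOD, protocol="UDP")),
    manager_url("sfo01w01nsx01c.sfo01.rainpole.local"):
        list_result(GOOD, dict(GOOD, exporter_name="syslog0",
                               server="old-vrli.example.local")),
    edge_url(NSX_T_MANAGER, "0d8b168d-44ae-4fba-905a-bf5f7c927d8b"): list_result(),
}


def audit_fleet(responses):
    """Map every request URL to the findings for its saved response."""
    return {url: audit_exporters(text) for url, text in responses.items()}


if __name__ == "__main__":
    for url, findings in audit_fleet(SAMPLES).items():
        print(url, "OK" if not findings else findings)
```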

Download the vRealize Log Insight Agent

Download the vRealize Log Insight agent so that you can later install it on the Workspace ONE Access nodes.

Procedure

1 In a Web browser, log in to vRealize Log Insight by using the user interface.

Setting Value

URL https://sfo01vrli01.sfo01.rainpole.local

User name admin

Password vrli_admin_password

2 In the vRealize Log Insight user interface, click Administration.

3 In the left pane, under Management, click Agents.

4 On the Agents page, click Download Log Insight agent version at the bottom of the page.

5 In the Download Log Insight agent version dialog box, click Linux RPM (32-bit/64-bit) and save the .rpm file on your computer.

Install and Configure the vRealize Log Insight Agent on the Workspace ONE Access Nodes

Install and configure the vRealize Log Insight agent on each Workspace ONE Access node to send audit logs and system events to vRealize Log Insight.

To install the vRealize Log Insight agent, you use the .rpm file that you previously downloaded. See Download the vRealize Log Insight Agent.

Table 6-9. Workspace ONE Access Nodes

| Type | FQDN |
|---|---|
| Region-specific | sfo01wsa01.sfo01.rainpole.local |
| Cross-region | wsa01svr01a.rainpole.local |
| | wsa01svr01b.rainpole.local |
| | wsa01svr01c.rainpole.local |

Procedure

1 Log in to the region-specific Workspace ONE Access instance in Region A by using a Secure Shell (SSH) client.

Setting Value

FQDN sfo01wsa01.sfo01.rainpole.local

User name sshuser

Password sfo01wsa01_sshuser_password

2 Change to root user and provide the password at the prompt.

su -

3 Copy the .rpm file of the vRealize Log Insight Linux agent to the /tmp folder on the Workspace ONE Access appliance.

You can use SCP, FileZilla, or WinSCP.

4 Run the command to install the agent.

rpm -i /tmp/VMware-Log-Insight-Agent-version-build.noarch_192.168.31.10.rpm

5 Configure the vRealize Log Insight agent on the Workspace ONE Access node.

a Edit the liagent.ini file on the Workspace ONE Access node by using a text editor such as vi.

vi /var/lib/loginsight-agent/liagent.ini

b Locate the [server] section, remove the comments for the following parameters, and insert the following values.

[server]
; Log Insight server hostname or ip address
; If omitted the default value is LOGINSIGHT
hostname=sfo01vrli01.sfo01.rainpole.local

; Set protocol to use:
; cfapi - Log Insight REST API
; syslog - Syslog protocol
; If omitted the default value is cfapi
;
proto=cfapi

; Log Insight server port to connect to. If omitted the default value is:
; for syslog: 512
; for cfapi without ssl: 9000
; for cfapi with ssl: 9543
port=9000

;ssl - enable/disable SSL. Applies to cfapi protocol only.
; Possible values are yes or no. If omitted the default value is no.
ssl=no

c Press Escape and enter :wq! to save the file.

d Run the command to restart the vRealize Log Insight agent on the node.

/etc/init.d/liagentd restart

e Run the command to verify that the vRealize Log Insight agent is running.

/etc/init.d/liagentd status

6 Repeat the procedure for each cross-region Workspace ONE Access node.

Configure Log Forwarding for vRealize Suite Lifecycle Manager in Region A

You configure vRealize Suite Lifecycle Manager to forward logs to vRealize Log Insight.

Procedure

1 In a Web browser, log in to vRealize Suite Lifecycle Manager by using the administration interface.

Setting Value

URL https://vrslcm01svr01.rainpole.local

User name admin@local

Password vrslcm_admin_password

2 On the My services page, click Lifecycle operations.

3 In the navigation pane, click Settings.

4 Under System Administration, click Logs.

5 In the Log Insight agent configuration pane, enter these values and click Save.

Setting Value

Hostname sfo01vrli01.sfo01.rainpole.local

Port 9000

Server protocol vRealize Log Insight (CFAPI)

Secure Communication (SSL) Deselected

Accept Any Selected

Accept Any Trusted Selected

Common name -

Reconnection time 30

Buffer size 2000

Validate Log Forwarding for SDDC Manager in Region A

The VMware Cloud Foundation 3.10 bring-up process installs and configures the vRealize Log Insight agent in the SDDC Manager appliance. Validate that the vRealize Log Insight agent in the SDDC Manager appliance is configured to forward logs to the newly deployed vRealize Suite 2019 vRealize Log Insight.

Procedure

1 Log in to SDDC Manager by using a Secure Shell (SSH) client.

Setting Value

FQDN sfo01mgr01.sfo01.rainpole.local

User name vcf

Password vcf_password

2 Validate the vRealize Log Insight agent configuration on the SDDC Manager appliance.

a View the liagent.ini file on the SDDC Manager node.

cat /var/lib/loginsight-agent/liagent.ini

b Locate the [server] section and verify that the value of the hostname parameter is sfo01vrli01.sfo01.rainpole.local, and that the values for protocol, port, and ssl are set as follows.

[server]
; Log Insight server hostname or ip address
; If omitted the default value is LOGINSIGHT
hostname=sfo01vrli01.sfo01.rainpole.local

; Set protocol to use:
; cfapi - Log Insight REST API
; syslog - Syslog protocol
; If omitted the default value is cfapi
;
proto=cfapi

; Log Insight server port to connect to. If omitted the default value is:
; for syslog: 512
; for cfapi without ssl: 9000
; for cfapi with ssl: 9543
port=9000

;ssl - enable/disable SSL. Applies to cfapi protocol only.
; Possible values are yes or no. If omitted the default value is no.
ssl=no

; Time in minutes to force reconnection to the server
; If omitted the default value is 30
;reconnect=30

c If you made changes in the liagent.ini file, run the command to restart the vRealize Log Insight agent on the node.

/etc/init.d/liagentd restart

d Run the command to verify that the vRealize Log Insight agent is running.

/etc/init.d/liagentd status
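The [server] check described for the SDDC Manager appliance, and the same settings on the Workspace ONE Access nodes, can be validated with a parser that applies the defaults named in the file comments when a parameter is still commented out. The following Python is an added example, not VMware tooling; the three sample files and the host old-vrli.example.local are constructed, and the default port for the syslog protocol is deliberately not resolved.

```python
import configparser

# Expected [server] values from the page.
EXPECTED = {"hostname": "sfo01vrli01.sfo01.rainpole.local",
            "proto": "cfapi", "port": 9000, "ssl": "no"}

# The [server] block as configured on the page (comments trimmed).
PAGE_INI = """
[server]
hostname=sfo01vrli01.sfo01.rainpole.local
proto=cfapi
port=9000
ssl=no
;reconnect=30
"""

# Constructed: every parameter is still commented out.
TEMPLATE_INI = """
[server]
;hostname=LOGINSIGHT
;proto=cfapi
;port=9543
;ssl=no
"""

# Constructed: agent pointing at a made-up earlier instance, SSL enabled
# but the port left at the non-SSL value.
STALE_INI = """
[server]
hostname=old-vrli.example.local
proto=cfapi
port=9000
ssl=yes
"""


def effective_server(ini_text):
    """Resolve the [server] settings the agent would use.

    Defaults follow the comments in liagent.ini: hostname LOGINSIGHT,
    proto cfapi, ssl no, port 9000 (cfapi) or 9543 (cfapi with ssl).
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(ini_text)
    raw = dict(parser["server"]) if parser.has_section("server") else {}
    proto = raw.get("proto", "cfapi").strip().lower()
    ssl = raw.get("ssl", "no").strip().lower()
    if "port" in raw:
        text = raw["port"].strip()
        port = int(text) if text.isdigit() else text
    elif proto == "cfapi":
        port = 9543 if ssl == "yes" else 9000
    else:
        port = None  # syslog: an explicit port is required by this check
    return {"hostname": raw.get("hostname", "LOGINSIGHT").strip(),
            "proto": proto, "port": port, "ssl": ssl,
            "defaulted": sorted(k for k in EXPECTED if k not in raw)}


def check_agent(ini_text, expected=EXPECTED):
    """Return findings where the effective settings differ from expected."""
    eff = effective_server(ini_text)
    findings = []
    for key, want in expected.items():
        got = eff[key]
        if str(got).lower() != str(want).lower():
            note = " (default, parameter commented out)" if key in eff["defaulted"] else ""
            findings.append(f"{key}: expected {want}, effective {got}{note}")
    if eff["proto"] == "cfapi" and eff["ssl"] == "yes" and eff["port"] == 9000:
        findings.append("ssl=yes with port 9000: the file documents 9543 for cfapi with ssl")
    return findings


if __name__ == "__main__":
    for name, text in (("page", PAGE_INI), ("template", TEMPLATE_INI),
                       ("stale", STALE_INI)):
        print(name, check_agent(text) or "OK")
```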

Collect Operating System Logs from the Management Virtual Appliances in vRealize Log Insight in Region A

To visualize and analyze operating system logs from the management virtual appliances, you install and configure the vRealize Log Insight content packs for Linux. For the Workspace ONE Access appliance, you install and configure the general content pack for Linux. For the remaining management appliances, you install and configure the content pack that is designed for Photon OS.

Procedure

1 Install the vRealize Log Insight Content Pack for Linux for the Management Virtual Appliances in Region A

To visualize and analyze operating system logs from most of the management virtual appliances, install and configure the vRealize Log Insight Content Pack for Linux that is designed for Photon OS.

2 Configure a Log Insight Agent Group for the Management Virtual Appliances in Region A

After you install the content pack for Linux that is designed for Photon OS, configure an agent group to apply common settings to the agents on the appliances in the region.

3 Install the vRealize Log Insight Content Pack for Linux for Workspace ONE Access in Region A

To visualize and analyze operating system logs from the Workspace ONE Access nodes, install and configure the general vRealize Log Insight content pack for Linux.

4 Configure a Log Insight Agent Group for the Management Virtual Appliances of Workspace ONE Access in Region A

After you install the general content pack for Linux, configure an agent group to apply common settings to the agents on the Workspace ONE Access nodes in the region.

Install the vRealize Log Insight Content Pack for Linux for the Management Virtual Appliances in Region A

To visualize and analyze operating system logs from most of the management virtual appliances, install and configure the vRealize Log Insight Content Pack for Linux that is designed for Photon OS.

Procedure

1 In a Web browser, log in to vRealize Log Insight by using the user interface.

Setting Value

URL https://sfo01vrli01.sfo01.rainpole.local

User name admin

Password vrli_admin_password

2 In the vRealize Log Insight user interface, click Content packs.

3 In the left pane, under Content pack marketplace, click Marketplace.

4 On the Log Insight content pack marketplace page, locate and click the Linux - Systemd content pack to start the installation.

The Install content pack dialog box appears.

5 Accept the license agreement and click Install.

6 To proceed with the installation, click OK.

When the installation finishes, the content pack appears in the left navigation pane, under Installed content packs.

Configure a Log Insight Agent Group for the Management Virtual Appliances in Region A

After you install the content pack for Linux that is designed for Photon OS, configure an agent group to apply common settings to the agents on the appliances in the region.

Procedure

1 In a Web browser, log in to vRealize Log Insight by using the user interface.

Setting Value

URL https://sfo01vrli01.sfo01.rainpole.local

User name admin

Password vrli_admin_password

2 In the vRealize Log Insight user interface, click Administration.

3 In the left pane, under Management, click Agents.

4 From the drop-down at the top, select Linux - Systemd.

5 Click Copy template.

The Copy agent group dialog box appears.

6 In the Name text box, enter SDDC - Photon OS and click Copy.

7 From the agent filter drop-down menus, select the object type and operator and, in the agent filter text box, enter the host names by pressing Enter to separate the values.

| Object Type | Operator | Values |
|---|---|---|
| Hostname | matches | sfo01mgr01.sfo01.rainpole.local |
| | | vrslcm01svr01.rainpole.local |
| | | vrops01svr01a.rainpole.local |
| | | vrops01svr01b.rainpole.local |
| | | vrops01svr01c.rainpole.local |
| | | sfo01vropsc01a.sfo01.rainpole.local |
| | | sfo01vropsc01b.sfo01.rainpole.local |

8 Click the Refresh data icon at the top of the page and verify that all the agents listed in the filter appear in the Agents list.

9 Click Save new group at the bottom of the page.

10 Verify that log data is showing up on the Linux dashboards.

a On the main navigation menu, click Dashboards.

b In the left pane, under Content pack dashboards, click the Linux - Systemd content pack.

You see events that occurred over the past 48 hours.

Install the vRealize Log Insight Content Pack for Linux for Workspace ONE Access in Region A

To visualize and analyze operating system logs from the Workspace ONE Access nodes, install and configure the general vRealize Log Insight content pack for Linux.

Procedure

1 In a Web browser, log in to vRealize Log Insight by using the user interface.

Setting Value

URL https://sfo01vrli01.sfo01.rainpole.local

User name admin

Password vrli_admin_password

2 In the vRealize Log Insight user interface, click Content packs.

3 In the left pane, under Content pack marketplace, click Marketplace.

4 On the Log Insight content pack marketplace page, locate and click the Linux content pack to start the installation.

The Install content pack dialog box appears.

5 Accept the license agreement and click Install.

6 To proceed with the installation, click OK.

When the installation finishes, the content pack appears in the left navigation pane, under Installed content packs.

Configure a Log Insight Agent Group for the Management Virtual Appliances of Workspace ONE Access in Region A

After you install the general content pack for Linux, configure an agent group to apply common settings to the agents on the Workspace ONE Access nodes in the region.

Procedure

1 In a Web browser, log in to vRealize Log Insight by using the user interface.

Setting Value

URL https://sfo01vrli01.sfo01.rainpole.local

User name admin

Password vrli_admin_password

2 In the vRealize Log Insight user interface, click Administration.

3 In the left pane, under Management, click Agents.

4 From the drop-down at the top, select Linux.

5 Click Copy template.

The Copy agent group dialog box appears.

6 In the Name text box, enter SDDC - Linux OS and click Copy.

7 From the agent filter drop-down menus, select the object type and operator and, in the agent filter text box, enter the host names by pressing Enter to separate the values.

| Object Type | Operator | Values |
|---|---|---|
| Hostname | matches | sfo01wsa01.sfo01.rainpole.local |
| | | wsa01svr01a.rainpole.local |
| | | wsa01svr01b.rainpole.local |
| | | wsa01svr01c.rainpole.local |

8 Click the Refresh data icon at the top of the page and verify that all the agents listed in the filter appear in the Agents list.

9 Click Save new group at the bottom of the page.

10 Verify that log data is showing up on the Linux dashboards.

a On the main navigation bar, click Dashboards.

b In the left pane, under Content pack dashboards, click the Linux content pack.

You see events that occurred over the past 48 hours.

Configure Log Retention and Archiving for vRealize Log Insight in Region A

Set the retention notification threshold to one week. Enable data archiving, so that you can manually archive logs for 90 days and selectively clean the datastore when free space is required.

Procedure

1 In a Web browser, log in to vRealize Log Insight by using the user interface.

| Setting | Value |
|---|---|
| URL | https://sfo01vrli01.sfo01.rainpole.local |
| User name | admin |
| Password | vrli_admin_password |

2 In the vRealize Log Insight user interface, click Administration.

3 Configure notification about reaching a retention threshold of one week.

a In the left pane, under Configuration, click General.

b On the General configuration page, in the Alerts panel, enter these values.

| Setting | Value |
|---|---|
| Email system notifications to | [email protected] |
| Retention notification threshold | Select Send a notification when capacity drops below. Set 1 week(s) of data in the system. |

c Click Save.

vRealize Log Insight continuously estimates how long data can be retained with the currently available pool of storage.

If the estimation drops below the retention threshold of one week, vRealize Log Insight immediately notifies the administrator that the amount of searchable log data is likely to drop.

4 Configure data archiving.

a In the left pane, under Configuration, click Archiving.

b Turn on the Enable data archiving toggle switch.

c In the Archive location text box, enter the path in the form of nfs://nfs_server_address/sfo01vrli01_archive to an NFS partition where logs are to be archived.

d Click Test to verify that the share is accessible.

e Click Save.


7 vRealize Automation Implementation in Region A

The cloud automation layer consists of integrated products that support the management of public, private, and hybrid cloud environments. These products are vRealize Automation and an embedded vRealize Orchestrator.

This chapter includes the following topics:

- Configure the Load Balancer for vRealize Automation in Region A
- Deploy vRealize Automation in Region A
- Post-Deployment vRealize Automation Configuration in Region A
- Post-Deployment Operations Management Integration with vRealize Automation in Region A
- Configure vRealize Automation for a Sample Project Implementation in Region A

Configure the Load Balancer for vRealize Automation in Region A

You configure load balancing for the vRealize Automation cluster nodes by using an NSX Data Center for vSphere load balancer.

You configure the load balancer before you deploy vRealize Automation to use the FQDN of the virtual IP address.

Procedure

1 Configure the Virtual IP Address for Load Balancing the vRealize Automation Cluster in Region A

You begin the load balancing configuration by adding the virtual IP address for load balancing the vRealize Automation cluster to the edge interface.

2 Create a Service Monitor for vRealize Automation in Region A

You set up health check monitoring for vRealize Automation to monitor the server pool that you later create. Servers that fail to respond to the health checks within a specified time period are excluded from future connection handling.


3 Create a Server Pool for vRealize Automation in Region A

You create a server pool for vRealize Automation in NSX Data Center for vSphere. The server pool determines the load balancing algorithm and combines resources from the pool members.

4 Create the Application Profiles for vRealize Automation in Region A

You create an application profile and associate it with a virtual server to define the behavior of a particular type of network traffic. The virtual server processes traffic according to the values specified in the profile.

5 Create Virtual Servers for vRealize Automation in Region A

You create two virtual servers for vRealize Automation: one for load balancing and one to redirect HTTP to HTTPS. These virtual servers are associated with the configured application profile and server pool and distribute client connections among the server pool members.

Configure the Virtual IP Address for Load Balancing the vRealize Automation Cluster in Region A

You begin the load balancing configuration by adding the virtual IP address for load balancing the vRealize Automation cluster to the edge interface.

Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Client.

| Setting | Value |
|---|---|
| URL | https://sfo01m01vc01.sfo01.rainpole.local/ui |
| User name | [email protected] |
| Password | vsphere_admin_password |

2 In the Networking and security inventory, click NSX Edges.

3 From the NSX Manager drop-down menu, select 172.16.11.65.

4 Click the ID of the sfo01m01lb01 edge service gateway to open its network settings.

5 Click the Configure tab and click Interfaces.

6 Select the OneArmLB interface and click Edit.

7 On the Basic tab, under Configure subnets, in the row for primary IP address 192.168.11.2, in the Secondary IP addresses cell, add the vRealize Automation cluster IP address, 192.168.11.50.

8 Click Save.


Create a Service Monitor for vRealize Automation in Region A

You set up health check monitoring for vRealize Automation to monitor the server pool that you later create. Servers that fail to respond to the health checks within a specified time period are excluded from future connection handling.

Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Client.

| Setting | Value |
|---|---|
| URL | https://sfo01m01vc01.sfo01.rainpole.local/ui |
| User name | [email protected] |
| Password | vsphere_admin_password |

2 In the Networking and security inventory, click NSX Edges.

3 From the NSX Manager drop-down menu, select 172.16.11.65.

4 Click the ID of the sfo01m01lb01 edge service gateway to open its network settings.

5 Click the Load balancer tab and click Service monitoring.

6 Click Add, enter these values to configure the health check parameters, and click Add.

| Setting | Value |
|---|---|
| Name | vra-http-monitor |
| Interval | 3 |
| Timeout | 10 |
| Max retries | 3 |
| Type | HTTP |
| Expected | 200 |
| Method | GET |
| URL | /health |
| Send | - |
| Receive | - |
| Extension | - |

Create a Server Pool for vRealize Automation in Region A

You create a server pool for vRealize Automation in NSX Data Center for vSphere. The server pool determines the load balancing algorithm and combines resources from the pool members.

You add the three vRealize Automation nodes as members of the server pool.


Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Client.

| Setting | Value |
|---|---|
| URL | https://sfo01m01vc01.sfo01.rainpole.local/ui |
| User name | [email protected] |
| Password | vsphere_admin_password |

2 In the Networking and security inventory, click NSX Edges.

3 From the NSX Manager drop-down menu, select 172.16.11.65.

4 Click the ID of the sfo01m01lb01 edge service gateway to open its network settings.

5 Click the Load Balancer tab and click Pools.

6 Click Add and, on the General tab of the New pool dialog box, enter these values to configure the load-balancing profile.

| Setting | Value |
|---|---|
| Name | vra-server-pool |
| Description | vRealize Automation server pool |
| Algorithm | LEASTCONN |
| Monitors | vra-http-monitor |
| IP Filter | Any |
| Transparent | Disable |

7 Click the Members tab of the New pool dialog box.

8 To add each vRealize Automation cluster node to the pool, click Add, enter the values for the node, and click OK.

| Setting | Value for vra01svr01a | Value for vra01svr01b | Value for vra01svr01c |
|---|---|---|---|
| Name | vra01svr01a | vra01svr01b | vra01svr01c |
| IP | 192.168.11.51 | 192.168.11.52 | 192.168.11.53 |
| State | Enable | Enable | Enable |
| Port | 443 | 443 | 443 |
| Monitor Port | 8008 | 8008 | 8008 |
| Weight | 1 | 1 | 1 |
| Max Connections | - | - | - |
| Min Connections | - | - | - |

9 In the New pool dialog box, click Add.


Create the Application Profiles for vRealize Automation in Region A

You create an application profile and associate it with a virtual server to define the behavior of a particular type of network traffic. The virtual server processes traffic according to the values specified in the profile.

Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Client.

| Setting | Value |
|---|---|
| URL | https://sfo01m01vc01.sfo01.rainpole.local/ui |
| User name | [email protected] |
| Password | vsphere_admin_password |

2 In the Networking and security inventory, click NSX Edges.

3 From the NSX Manager drop-down menu, select 172.16.11.65.

4 Click the ID of the sfo01m01lb01 edge service gateway to open its network settings.

5 Click the Load balancer tab and click Application profiles.

6 To create each application profile, click Add and, on the General tab of the New application profile dialog box, enter the values for the profile and click Add.

| Setting | Value for vra-https-app-profile | Value for vra-http-redirect-profile |
|---|---|---|
| Application Profile Type | SSL Passthrough | HTTP |
| Name | vra-https-app-profile | vra-http-redirect-profile |
| HTTP Redirect URL | - | https://vra01svr01.rainpole.local/csp/gateway/portal/ |
| Persistence | None | None |
| Insert X-Forwarded-For HTTP header | - | Disable |

Create Virtual Servers for vRealize Automation in Region A

You create two virtual servers for vRealize Automation: one for load balancing and one to redirect HTTP to HTTPS. These virtual servers are associated with the configured application profile and server pool and distribute client connections among the server pool members.


Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Client.

| Setting | Value |
|---|---|
| URL | https://sfo01m01vc01.sfo01.rainpole.local/ui |
| User name | [email protected] |
| Password | vsphere_admin_password |

2 In the Networking and security inventory, click NSX Edges.

3 From the NSX Manager drop-down menu, select 172.16.11.65.

4 Click the ID of the sfo01m01lb01 edge service gateway to open its network settings.

5 Click the Load balancer tab and click Virtual servers.

6 To create each virtual server, click Add and, on the General tab, enter the values and click Add.

| Setting | Value for vra-https | Value for http-redirect |
|---|---|---|
| Virtual server | Enable | Enable |
| Acceleration | Enable | Disable |
| Application profile | vra-https-app-profile | vra-https-redirect-profile |
| Name | vra-https | vra-http-redirect |
| Description | vRealize Automation Cluster UI | vRealize Automation HTTP to HTTPS Redirect |
| IP address | 192.168.11.50 | 192.168.11.50 |
| Protocol | HTTPS | HTTP |
| Port/Port range | 443 | 80 |
| Server pool | vra-server-pool | vra-server-pool |
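
The load balancer objects created in this section reference each other by name: virtual server to application profile and server pool, pool to service monitor, and virtual IP to an address on the edge interface. The following added example, which is not part of the VMware guide, cross-checks those references using the values exactly as printed in the tables above; run as written, it reports that the application profile name printed for the redirect virtual server does not match the profile created in the previous procedure. The /24 subnet is an assumption taken from the netmask 255.255.255.0 that the guide uses for the nodes.

```python
"""Cross-check the NSX load balancer objects created in this section."""
import difflib
import ipaddress

# Values transcribed from the tables in this section, exactly as printed.
EDGE_IPS = ["192.168.11.2", "192.168.11.50"]  # OneArmLB primary and secondary
# Assumption: the /24 comes from the netmask 255.255.255.0 used for the nodes.
SUBNET = ipaddress.ip_network("192.168.11.0/24")
MONITORS = {"vra-http-monitor"}
POOLS = {
    "vra-server-pool": {
        "monitor": "vra-http-monitor",
        "members": {
            "vra01svr01a": "192.168.11.51",
            "vra01svr01b": "192.168.11.52",
            "vra01svr01c": "192.168.11.53",
        },
    }
}
PROFILES = {"vra-https-app-profile", "vra-http-redirect-profile"}
VIRTUAL_SERVERS = [
    {"name": "vra-https", "profile": "vra-https-app-profile",
     "ip": "192.168.11.50", "port": 443, "pool": "vra-server-pool"},
    {"name": "vra-http-redirect", "profile": "vra-https-redirect-profile",
     "ip": "192.168.11.50", "port": 80, "pool": "vra-server-pool"},
]


def _undefined(owner, kind, name, known):
    """Report a reference to an object that was never created."""
    close = difflib.get_close_matches(name, sorted(known), n=1)
    hint = f" (closest defined name: {close[0]})" if close else ""
    return f"{owner}: {kind} '{name}' is not defined{hint}"


def validate(edge_ips, subnet, monitors, pools, profiles, virtual_servers):
    """Return a list of findings; an empty list means the objects line up."""
    findings, listeners = [], set()
    used_profiles, used_pools = set(), set()

    for vs in virtual_servers:
        owner = f"virtual server {vs['name']}"
        if vs["profile"] in profiles:
            used_profiles.add(vs["profile"])
        else:
            findings.append(
                _undefined(owner, "application profile", vs["profile"], profiles))
        if vs["pool"] in pools:
            used_pools.add(vs["pool"])
        else:
            findings.append(_undefined(owner, "server pool", vs["pool"], pools))
        if vs["ip"] not in edge_ips:
            findings.append(
                f"{owner}: VIP {vs['ip']} is not configured on the edge interface")
        listener = (vs["ip"], vs["port"])
        if listener in listeners:
            findings.append(f"{owner}: {vs['ip']}:{vs['port']} is already in use")
        listeners.add(listener)

    for pool_name, pool in pools.items():
        owner = f"pool {pool_name}"
        if pool["monitor"] not in monitors:
            findings.append(
                _undefined(owner, "service monitor", pool["monitor"], monitors))
        seen = set()
        for member, ip in pool["members"].items():
            if ipaddress.ip_address(ip) not in subnet:
                findings.append(f"{owner}: member {member} ({ip}) is outside {subnet}")
            if ip in edge_ips or ip in seen:
                findings.append(f"{owner}: member {member} reuses address {ip}")
            seen.add(ip)

    # Objects that exist but are never referenced often point at a typo elsewhere.
    for name in sorted(set(profiles) - used_profiles):
        findings.append(
            f"application profile '{name}' is not attached to any virtual server")
    for name in sorted(set(pools) - used_pools):
        findings.append(f"pool '{name}' is not attached to any virtual server")
    return findings


def check_section_values():
    """Run the checks over the values printed in this section."""
    return validate(EDGE_IPS, SUBNET, MONITORS, POOLS, PROFILES, VIRTUAL_SERVERS)


if __name__ == "__main__":
    for finding in check_section_values():
        print(finding)
```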

Deploy vRealize Automation in Region A

You configure deployment details and deploy vRealize Automation by using vRealize Suite Lifecycle Manager.

Procedure

1 Prerequisites for Deploying vRealize Automation in Region A

Before you deploy vRealize Automation, verify that your environment fulfills the requirements for this deployment.


2 Import the vRealize Automation Multi-SAN Certificate to vRealize Suite Lifecycle Manager in Region A

In vRealize Suite Lifecycle Manager, import the vRealize Automation certificate that you generated using the CertGenVVD utility.

3 Add the vRealize Automation Password to vRealize Suite Lifecycle Manager in Region A

To allow life cycle management and configuration management, you set the password for the vRealize Automation root user in vRealize Suite Lifecycle Manager.

4 Deploy vRealize Automation Using vRealize Suite Lifecycle Manager in Region A

You configure the deployment details and deploy vRealize Automation in the cross-region environment in vRealize Suite Lifecycle Manager.

Prerequisites for Deploying vRealize Automation in Region A

Before you deploy vRealize Automation, verify that your environment fulfills the requirements for this deployment.

Verify that your environment satisfies the following prerequisites for the deployment of vRealize Automation.

| Prerequisite | Value |
|---|---|
| Storage | Virtual disk provisioning: Thin |
| | Required storage: 670 GB |
| Software Features | Verify that Management domain vCenter Server is operational. |
| | Verify that the Workload domain NSX or NSX-T Manager is operational. |
| | Verify that the application virtual networks are available. |
| | Verify that the load balancer service is enabled on the NSX Edge service gateway. |
| | Verify that vRealize Suite Lifecycle Manager is operational and data collection from the Management vCenter Server instance has run successfully. |
| | Verify that static IP addresses and FQDNs for the application virtual networks are available for the vRealize Automation deployment. See Host Names and IP Addresses for vRealize Suite 2019 and Workspace ONE Access. |
| License | Verify that you obtained a vRealize Suite or vCloud Suite license that satisfies the requirements of this design. |
| Active Directory | Verify that the required Active Directory service accounts are created. See Active Directory User Accounts. |
| | Verify that the required Active Directory security groups are created. See Active Directory Groups. |
| Workspace ONE Access | Verify that the required Active Directory users are synchronized to the cross-region Workspace ONE Access. |
| | Verify that the required Active Directory security groups are synchronized to the cross-region Workspace ONE Access. |
| Certification Authority | Verify that you have a valid SSL certificate. You can generate the certificate using the CertGenVVD utility. See Certificate Generation Utility for VMware Validated Design for Software-Defined Data Center 6.x (78246). |
| External Services | Verify that you have access to an SMTP server. |
| | Verify that SNMP is enabled in your network environment, to monitor network devices. |
| | Verify that central NTP services are available. |
| | Verify that all DNS addresses resolve both forward and reverse. |
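
The DNS prerequisite can be checked before the deployment is submitted. The following added example, which is not part of the VMware guide, resolves each vRealize Automation name forward and each address in reverse and lists every mismatch; the FQDN and IP pairs are taken from the tables in this chapter, and the resolver functions are parameters so the logic can be exercised without a live DNS server.

```python
"""Forward and reverse DNS check for the vRealize Automation cluster names."""
import socket

# FQDN to IP pairs taken from the tables in this chapter.
EXPECTED = {
    "vra01svr01.rainpole.local": "192.168.11.50",   # cluster virtual IP
    "vra01svr01a.rainpole.local": "192.168.11.51",
    "vra01svr01b.rainpole.local": "192.168.11.52",
    "vra01svr01c.rainpole.local": "192.168.11.53",
}


def system_forward(fqdn):
    """Return the IPv4 addresses the system resolver gives for fqdn."""
    infos = socket.getaddrinfo(fqdn, None, family=socket.AF_INET,
                               type=socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def system_reverse(ip):
    """Return the names the system resolver gives for ip."""
    name, aliases, _ = socket.gethostbyaddr(ip)
    return {name, *aliases}


def check_dns(expected, forward=system_forward, reverse=system_reverse):
    """Return a list of problems; empty means every pair resolves both ways."""
    problems = []
    for fqdn, ip in expected.items():
        try:
            addrs = set(forward(fqdn))
        except OSError as exc:  # gaierror and herror are OSError subclasses
            problems.append(f"{fqdn}: forward lookup failed ({exc})")
        else:
            if addrs != {ip}:
                problems.append(
                    f"{fqdn}: forward lookup returned {sorted(addrs)}, expected {ip}")
        try:
            # Normalise case and any trailing dot before comparing names.
            names = {n.rstrip(".").lower() for n in reverse(ip)}
        except OSError as exc:
            problems.append(f"{ip}: reverse lookup failed ({exc})")
        else:
            if fqdn.lower() not in names:
                problems.append(
                    f"{ip}: reverse lookup returned {sorted(names)}, expected {fqdn}")
    return problems


if __name__ == "__main__":
    for problem in check_dns(EXPECTED):
        print(problem)
```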

Import the vRealize Automation Multi-SAN Certificate to vRealize Suite Lifecycle Manager in Region A

In vRealize Suite Lifecycle Manager, import the vRealize Automation certificate that you generated using the CertGenVVD utility.

Procedure

1 In a Web browser, log in to vRealize Suite Lifecycle Manager by using the administration interface.

| Setting | Value |
|---|---|
| URL | https://vrslcm01svr01.rainpole.local |
| User name | admin@local |
| Password | vrslcm_admin_password |

2 On the My services page, click Locker.

3 In the left pane, click Certificate.

4 On the Certificate page, click Import.

5 On the Import certificate page, configure these settings and click Import.

| Setting | Value |
|---|---|
| Name | vra01svr01-certificate |
| Pass phrase | vra01svr01_certificate_password |
| Select certificate file | Navigate to the vRealize Automation certificate PEM file, vra01svr01.2.chain.pem |


Add the vRealize Automation Password to vRealize Suite Lifecycle Manager in Region A

To allow life cycle management and configuration management, you set the password for the vRealize Automation root user in vRealize Suite Lifecycle Manager.

Procedure

1 In a Web browser, log in to vRealize Suite Lifecycle Manager by using the administration interface.

| Setting | Value |
|---|---|
| URL | https://vrslcm01svr01.rainpole.local |
| User name | admin@local |
| Password | vrslcm_admin_password |

2 On the My services page, click Locker.

3 In the navigation pane, click Password.

4 Click Add, enter these values, and click Add.

| Setting | Value |
|---|---|
| Password alias | vra01svr01-root |
| Password | vra01svr01_root_password |
| Confirm password | vra01svr01_root_password |
| Password description | vRealize Automation root user password |
| User name | root |

Deploy vRealize Automation Using vRealize Suite Lifecycle Manager in Region A

You configure the deployment details and deploy vRealize Automation in the cross-region environment in vRealize Suite Lifecycle Manager.

Procedure

1 In a Web browser, log in to vRealize Suite Lifecycle Manager by using the administration interface.

| Setting | Value |
|---|---|
| URL | https://vrslcm01svr01.rainpole.local |
| User name | admin@local |
| Password | vrslcm_admin_password |

2 On the My services page, click Lifecycle operations.


3 On the Dashboard page, click Manage environments.

4 On the Environments page, in the Cross-Region-Env card, click the ellipsis and select Add product.

5 On the Organic growth page, select the vRealize Automation check box, configure these settings, and click Next.

| Setting | Value |
|---|---|
| Installation type | New install |
| Version | 8.1.0 |
| Deployment type | Cluster |

6 On the End user license agreement page, accept the agreement and click Next.

7 On the License page, select and apply the product license.

a Click Select, in the Select applicable licenses dialog box, select the license check box, and click Update.

b Click Validate association and click Next.

8 On the Certificate page, from the Select certificate drop-down menu, select vra01svr01-certificate, and click Next.

9 On the Infrastructure page, configure these settings and click Next.

| Setting | Value |
|---|---|
| vCenter Server | sfo01m01vc01.sfo01.rainpole.local |
| Cluster | sfo01-m01dc#sfo01-m01-mgmt01 |
| Folder | sfo01-m01fd-vra |
| Resource Pool | sfo01-m01-sddc-mgmt |
| Network | Distributed port group that ends with Mgmt-xRegion01-VXLAN |
| Datastore | sfo01-m01-vsan01 |
| Disk Mode | Thin |
| Integrate with Identity Manager | Selected |
| Use content library | Deselected |

10 On the Network page, enter these values and click Next.

| Setting | Value |
|---|---|
| Default gateway | 192.168.11.1 |
| Netmask | 255.255.255.0 |
| Domain name | rainpole.local |
| Domain search path | rainpole.local |
| Domain name servers | 172.16.11.4,172.16.11.5 |
| Time sync mode | Use NTP server |
| NTP servers | ntp.sfo01.rainpole.local |

11 On the Products page, configure the deployment properties of vRealize Automation and click Next.

a In the Product properties section, configure these settings.

| Setting | Value |
|---|---|
| Monitor vRA with vROps | Deselected |
| Workload Placement and Reclamation | Deselected |
| Certificate | vra01svr01-certificate |
| Product Password | vra01svr01-root |

b In the Cluster Virtual IP section, configure these settings.

| Setting | Value |
|---|---|
| FQDN | vra01svr01.rainpole.local |
| Load-Balancer SSL Termination | Deselected |

c In the Components section, configure these settings for the three vRealize Automation nodes and click Next.

| Setting | Value for vra01svr01a | Value for vra01svr01b | Value for vra01svr01c |
|---|---|---|---|
| VM Name | vra01svr01a | vra01svr01b | vra01svr01c |
| FQDN | vra01svr01a.rainpole.local | vra01svr01b.rainpole.local | vra01svr01c.rainpole.local |
| IP Address | 192.168.11.51 | 192.168.11.52 | 192.168.11.53 |

12 On the Precheck page, click Run precheck.

13 Review the validation report and, after successful validation, click Next.

14 On the Summary page, review the deployment specification and click Submit.

What to do next

1 If the vRealize Automation deployment fails while connecting to Workspace ONE Access, follow the resolution in https://kb.vmware.com/kb/79609 to set the HTTP-keep-alive timeout to 300s, and retry the deployment request in the vRealize Suite Lifecycle Manager user interface.


2 After the vRealize Automation deployment finishes, verify that each node meets the vRealize Automation 8.1 Patch 1 storage requirements.

Table 7-1. vRealize Automation 8.1 Patch 1 Storage Requirements

| Setting | Value for Disk 1 | Value for Disk 2 |
|---|---|---|
| Partition | System | Data |
| Mounted on | / | /data |
| Filesystem | /dev/sda4 | /dev/mapper/data_vg-data |
| Minimum available space | 20 GB | 48 GB |

3 Install the vRealize Automation 8.1 Patch 1.

See Cumulative Update for vRealize Automation 8.1 (79170).
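
The storage verification in step 2 can be scripted per node. The following added example, which is not part of the VMware guide, evaluates the output of `df -P -k / /data` against Table 7-1 and reports a missing mount point, an unexpected filesystem, or too little available space; the sample output is constructed, and reading the table's GB as GiB is an assumption.

```python
"""Check `df -P -k` output from a node against Table 7-1."""

KIB_PER_GB = 1024 * 1024  # assumption: the table's "GB" is read as GiB

# Mount point -> (expected filesystem, minimum available GB), from Table 7-1.
REQUIREMENTS = {
    "/": ("/dev/sda4", 20),
    "/data": ("/dev/mapper/data_vg-data", 48),
}

# Constructed sample in the POSIX output format of `df -P -k / /data`.
SAMPLE_DF = """\
Filesystem               1024-blocks     Used Available Capacity Mounted on
/dev/sda4                   47472024 29671744  15728640      66% /
/dev/mapper/data_vg-data   146766452 31457280 108003488      23% /data
"""


def parse_df(df_output):
    """Map each mount point to (filesystem, available KiB)."""
    mounts = {}
    for line in df_output.splitlines()[1:]:   # first line is the header
        fields = line.split(None, 5)          # a mount point may contain spaces
        if len(fields) != 6 or not fields[3].isdigit():
            continue                          # skip blank or malformed rows
        mounts[fields[5]] = (fields[0], int(fields[3]))
    return mounts


def check_storage(df_output, requirements=REQUIREMENTS):
    """Return a list of problems; empty means the node meets Table 7-1."""
    problems = []
    mounts = parse_df(df_output)
    for mount, (device, min_gb) in requirements.items():
        if mount not in mounts:
            problems.append(f"{mount}: not present in df output")
            continue
        found_device, avail_kib = mounts[mount]
        if found_device != device:
            problems.append(
                f"{mount}: mounted from {found_device}, expected {device}")
        avail_gb = avail_kib / KIB_PER_GB
        if avail_gb < min_gb:
            problems.append(
                f"{mount}: {avail_gb:.1f} GB available, {min_gb} GB required")
    return problems


if __name__ == "__main__":
    for problem in check_storage(SAMPLE_DF):
        print(problem)
```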

Post-Deployment vRealize Automation Configuration in Region A

After you deploy vRealize Automation, perform the necessary configuration tasks to enable the vRealize Automation services for the SDDC in Region A.

Configure NTP on the vRealize Automation Cluster

Configure NTP on the vRealize Automation cluster nodes to keep them synchronized with the other SDDC components.

Procedure

1 Log in to the vRealize Automation appliance by using a Secure Shell (SSH) client.

| Setting | Value |
|---|---|
| FQDN | vra01svr01a.rainpole.local |
| User name | root |
| Password | vra_appA_root_password |

2 Run the command to configure the NTP source.

vracli ntp systemd --set ntp.sfo01.rainpole.local

3 Run the command to apply the NTP settings to the vRealize Automation cluster nodes.

vracli ntp apply

4 Run the command to validate the new NTP configuration.

vracli ntp status


For each vRealize Automation cluster node, the command output contains the following configurations:

- Network time on: yes
- NTP synchronized: yes
- ESXi time sync configuration: Disabled

Create a Folder and a Resource Pool for vRealize Automation Workloads on the Workload Domain vCenter Server in Region A

You create a virtual machine folder and a resource pool on the Workload domain vCenter Server to group and manage vRealize Automation provisioned workloads in Region A.

Procedure

1 In a Web browser, log in to the Workload domain vCenter Server by using the vSphere Client.

| Setting | Value |
|---|---|
| URL | https://sfo01w01vc01.sfo01.rainpole.local/ui |
| User name | [email protected] |
| Password | vsphere_admin_password |

2 Create a folder for the vRealize Automation provisioned workload virtual machines.

a In the VMs and templates inventory, expand the sfo01w01vc01.sfo01.rainpole.local tree.

b Right-click the sfo01-w01dc data center, and select New folder > New VM and template folder.

c In the New folder dialog box, enter sfo01-w01fd-workload as the folder name, and click OK.

3 Create a resource pool for the vRealize Automation provisioned workload virtual machines.

a In the Hosts and clusters inventory, expand the sfo01w01vc01.sfo01.rainpole.local tree.

b Right-click the sfo01-w01-comp01 cluster, and select New resource pool.

c In the New resource pool dialog box, enter sfo01-w01rp-user-vm as the resource pool name, and click OK.


Configure Service Account Privileges in Region A

To provision virtual machines and network services, configure privileges for vRealize Automation on both the Workload domain vCenter Server instance and the Workload domain NSX-T Manager.

Procedure

1 Define Custom User Roles in vSphere for vRealize Automation in Region A

Create a custom user role in the vSphere Client with the required privileges to enable vRealize Automation integration with vSphere.

2 Configure Service Account Privileges for the vRealize Automation and vRealize Orchestrator Integration to vSphere in Region A

Assign global permissions in vSphere for the service accounts used for the vRealize Automation and vRealize Orchestrator to vSphere integration.

3 Configure Service Account Privileges for the vRealize Automation to NSX Data Center for vSphere Integration on the Workload Domain in Region A

To provide the necessary privileges and permissions to the service account for the vRealize Automation to NSX Data Center for vSphere integration, you assign the Enterprise Administrator role in the Workload domain NSX Manager to the service account.

Define Custom User Roles in vSphere for vRealize Automation in Region A

Create a custom user role in the vSphere Client with the required privileges to enable vRealize Automation integration with vSphere.

Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Client.

| Setting | Value |
|---|---|
| URL | https://sfo01m01vc01.sfo01.rainpole.local/ui |
| User name | [email protected] |
| Password | vsphere_admin_password |

2 Select Menu > Administration.

3 In the left pane, select Access control > Roles.

4 From the Roles provider drop-down menu, select sfo01m01vc01.sfo01.rainpole.local.


5 Create a role for vRealize Automation in vSphere.

a Click the Create role action icon, configure the privileges, and click Next.

| Category | Privilege |
|---|---|
| Content Library | Add library item |
| | Create local library |
| | Create subscribed library |
| | Delete library item |
| | Delete local library |
| | Delete subscribed library |
| | Download files |
| | Evict library item |
| | Evict subscribed library |
| | Probe subscription information |
| | Read storage |
| | Sync library item |
| | Sync subscribed library |
| | Type introspection |
| | Update configuration settings |
| | Update files |
| | Update library |
| | Update library item |
| | Update local library |
| | Update subscribed library |
| | View configuration settings |
| Datastore | Allocate space |
| | Browse datastore |
| | Low level file operations |
| Datastore Cluster | Configure a datastore cluster |
| Folder | Create folder |
| | Delete folder |
| Global | Manage custom attributes |
| | Set custom attribute |
| Network | Assign network |
| Permissions | Modify permission |
| Resource | Assign virtual machine to resource pool |
| | Migrate powered off virtual machine |
| | Migrate powered on virtual machine |
| Tags | Assign or unassign vSphere tag |
| | Create a vSphere tag |
| | Create a vSphere tag category |
| | Delete vSphere tag |
| | Delete vSphere tag category |
| | Edit vSphere tag |
| | Edit vSphere tag category |
| | Modify UsedBy field for category |
| | Modify UsedBy field for tag |
| Virtual Machine | Change Configuration.Add existing disk |
| | Change Configuration.Add new disk |
| | Change Configuration.Add or remove device |
| | Change Configuration.Advanced configuration |
| | Change Configuration.Change CPU count |
| | Change Configuration.Change Memory |
| | Change Configuration.Change Settings |
| | Change Configuration.Change Swapfile placement |
| | Change Configuration.Change resource |
| | Change Configuration.Extend virtual disk |
| | Change Configuration.Modify device settings |
| | Change Configuration.Remove Disk |
| | Change Configuration.Rename |
| | Change Configuration.Set annotation |
| | Change Configuration.Toggle disk change tracking |
| | Edit Inventory.Create from existing |
| | Edit Inventory.Create new |
| | Edit Inventory.Move |
| | Edit Inventory.Remove |
| | Interaction.Configure CD media |
| | Interaction.Connect devices |
| | Interaction.Console interaction |
| | Interaction.Install VMware Tools |
| | Interaction.Power off |
| | Interaction.Power on |
| | Interaction.Reset |
| | Interaction.Suspend |
| | Provisioning.Clone template |
| | Provisioning.Clone virtual machine |
| | Provisioning.Customize guest |
| | Provisioning.Deploy template |
| | Provisioning.Read customization specifications |
| | Snapshot management.Create snapshot |
| | Snapshot management.Remove snapshot |
| | Snapshot management.Revert to snapshot |
| vApp | Import |
| | vApp application configuration |

b In the Role name text box, enter vRealize Automation to vSphere Integration and click Finish.

6 Create a role for vRealize Orchestrator in vSphere.

a Select the Administrator role and click the Clone role action icon.

b In the Clone role dialog box, set the role name to vRealize Orchestrator to vSphere Integration and click OK.

Configure Service Account Privileges for the vRealize Automation and vRealize Orchestrator Integration to vSphere in Region A

Assign global permissions in vSphere for the service accounts used for the vRealize Automation and vRealize Orchestrator to vSphere integration.

You assign global permissions and restrict access to the management domain for the svc-vra-vsphere and svc-vro-vsphere service accounts.

Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Client.

| Setting | Value |
|---|---|
| URL | https://sfo01m01vc01.sfo01.rainpole.local/ui |
| User name | [email protected] |
| Password | vsphere_admin_password |

2 Select Menu > Administration.


3 For each service account, assign global permissions.

a In the left pane, select Access control > Global permissions.

b Click the Add permission icon, configure these settings, and click OK.

| Setting | Value for svc-vra-vsphere | Value for svc-vro-vsphere |
|---|---|---|
| Domain | rainpole.local | rainpole.local |
| User / group | svc-vra-vsphere | svc-vro-vsphere |
| Role | vRealize Automation to vSphere Integration | vRealize Orchestrator to vSphere Integration |
| Propagate to children | Selected | Selected |

4 Restrict access of the vRealize Automation to vSphere Integration service account to the management domain in Region A.

a Select Menu > Global Inventory lists.

b In the Global inventory lists inventory, select Resources > vCenter Servers.

c In the left pane, select sfo01m01vc01.sfo01.rainpole.local and click the Permissions tab.

d Select the svc-vra-vsphere service account with the vRealize Automation to vSphere Integration role and click the Change role icon.

e In the Change role dialog box, from the Role drop-down menu, select No access, select Propagate to children, and click OK.

f Repeat this step for the svc-vro-vsphere service account.

Configure Service Account Privileges for the vRealize Automation to NSX Data Center for vSphere Integration on the Workload Domain in Region A

To provide the necessary privileges and permissions to the service account for the vRealize Automation to NSX Data Center for vSphere integration, you assign the Enterprise Administrator role in the Workload domain NSX Manager to the service account.

Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Client.

Setting Value

URL https://sfo01m01vc01.sfo01.rainpole.local/ui

User name [email protected]

Password vsphere_admin_password

2 In the Networking and security inventory, click System > Users and domains.

3 From the NSX Manager drop-down menu, select 172.16.11.66.


4 Click Add, configure the user, and click Next.

Setting Value

User [email protected]

5 Select the Enterprise Administrator role and click Finish.

Configure the vSphere DRS Anti-Affinity Rule and Startup Order for vRealize Automation in Region A

To protect the vRealize Automation nodes from a host-level failure, configure vSphere DRS to run the virtual machines of vRealize Automation on different hosts in the first vSphere cluster of the management domain. After that, you configure a VM group to define the startup order to ensure that vSphere High Availability powers on the vRealize Automation virtual machines in the correct order.

Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Client.

Setting Value

URL https://sfo01m01vc01.sfo01.rainpole.local/ui

User name [email protected]

Password vsphere_admin_password

2 In the Hosts and clusters inventory, expand the sfo01m01vc01.sfo01.rainpole.local tree and expand the sfo01-m01dc data center.

3 Select the sfo01-m01-mgmt01 cluster and click the Configure tab.

4 Create the anti-affinity rule for the vRealize Automation virtual machines.

a In the left pane, select Configuration > VM/Host rules and click Add.

b In the Create VM/Host rule dialog box, configure these settings and click OK.

Setting Value

Name anti-affinity-rule-vra

Enable rule Selected

Type Separate Virtual Machines

Members vra01svr01a, vra01svr01b, vra01svr01c


5 Create a virtual machine group for the vRealize Automation cluster nodes.

a In the left pane, select Configuration > VM/Host groups and click Add.

b In the Create VM/Host group dialog box, configure these settings and click OK.

Setting Value

Name vRealize Automation Virtual Appliances

Type VM Group

Members vra01svr01a, vra01svr01b, vra01svr01c

6 Create a rule to power on the cross-region Workspace ONE Access nodes before the vRealize Automation nodes.

a Select the sfo01-m01-mgmt01 cluster and click the Configure tab.

b In the left pane, select Configuration > VM/Host rules.

c Click Add VM/host rule, enter these values, and click OK.

Setting Value

Name SDDC Cloud Automation

Enable rule Selected

Type Virtual Machines to Virtual Machines

The VM dependency restart condition must be met before continuing to Cross-Region Workspace ONE Access Virtual Appliances

On restart for VM group vRealize Automation Virtual Appliances

Configure Organization Settings for vRealize Automation in Region A

You configure organization name and branding, and set organization and service roles for the Active Directory service accounts to enable identity and access management for vRealize Automation.

Procedure

1 Configure the Organization Name and Branding for vRealize Automation in Region A

As an organization owner, you set the organization name and apply custom branding to the organization in Region A.

2 Assign Organization and Service Roles to User Groups for vRealize Automation in Region A

To manage access to services provided by vRealize Automation, you assign global organization roles and service roles to Active Directory user groups.


Configure the Organization Name and Branding for vRealize Automation in Region A

As an organization owner, you set the organization name and apply custom branding to the organization in Region A.

Procedure

1 In a Web browser, log in to vRealize Automation by using the cloud services console.

Setting Value

URL https://vra01svr01.rainpole.local/csp/gateway/portal

User name configadmin

Password wsa01svr01_configadmin_password

Domain System Domain

2 Set the organization name.

a In the top-right corner, click the logged in user drop-down menu, and select View organization.

b On the Organization page, click Edit.

c In the Display name text box, enter Rainpole, and click Save.

3 Customize the organization branding.

a On the main navigation bar, click Branding.

b On the Header tab, configure these settings.

Setting Value

Company logo Upload a 100px height transparent .png image.

Product name Rainpole Cloud

c Click the Help panel tab, in the Community link text box, enter a link for information or support, and click Apply.

Assign Organization and Service Roles to User Groups for vRealize Automation in Region A

To manage access to services provided by vRealize Automation, you assign global organization roles and service roles to Active Directory user groups.

You assign organization and service roles to the following user groups.


Table 7-2. vRealize Automation User Groups and Roles

Group Name | Description | Organization Role | Service | Service Role

[email protected] | The universal group in a parent domain for vRealize Automation organization owners | Organization Owner | None | None

[email protected] | The universal group in a parent domain for vRealize Automation organization member and Cloud Assembly administrators. | Organization Member | Cloud Assembly | Cloud Assembly Administrator

[email protected] | The universal group in a parent domain for vRealize Automation organization member and Cloud Assembly users. | Organization Member | Cloud Assembly | Cloud Assembly User

[email protected] | The universal group in a parent domain for vRealize Automation organization member and Service Broker administrators. | Organization Member | Service Broker | Service Broker Administrator

[email protected] | The universal group in a parent domain for vRealize Automation organization member and Service Broker users. | Organization Member | Service Broker | Service Broker User

[email protected] | The universal group in a parent domain for vRealize Automation organization member and Orchestrator administrators. | Organization Member | Orchestrator | Orchestrator Administrator

[email protected] | The universal group in a parent domain for vRealize Automation organization member and Orchestrator workflow designers. | Organization Member | Orchestrator | Orchestrator Workflow Designer


Procedure

1 In a Web browser, log in to vRealize Automation by using the cloud services console.

Setting Value

URL https://vra01svr01.rainpole.local/csp/gateway/portal

User name configadmin

Password wsa01svr01_configadmin_password

Domain System Domain

2 On the main navigation bar, click Identity and access management.

3 Click the Enterprise groups tab and click Assign roles.

4 For each enterprise group, assign an organization role and add a service access by assigning a service with a service role.

Configure Cloud Assembly in Region A

You create and link vCenter Server and NSX-T Data Center cloud accounts to Active Directory service users with the necessary privileges to enable blueprint provisioning through vRealize Automation in Region A.

Procedure

1 Add Cloud Accounts in vRealize Automation for Region A

You create vCenter Server and NSX-T Data Center cloud accounts, assign them to Active Directory service accounts, link them to cloud zones, and apply capability tags to provide the service accounts with the necessary privileges and access to the SDDC resources in the workload domain.

2 Integrate vRealize Automation with My VMware in Region A

To be able to download and provision blueprints from VMware Marketplace, configure the integration to My VMware in vRealize Automation in Region A.

3 Configure the Workload Domain Cloud Zone for vRealize Automation in Region A

Cloud zones are specific to Cloud Assembly projects and correspond to a set of resources within a cloud account. You reconfigure the initial cloud zone, created during the configuration of the NSX and vCenter Server cloud accounts, to assign the appropriate resources to the cloud zone through the use of resource pools, placement policy, and capability tags.

Add Cloud Accounts in vRealize Automation for Region A

You create vCenter Server and NSX-T Data Center cloud accounts, assign them to Active Directory service accounts, link them to cloud zones, and apply capability tags to provide the service accounts with the necessary privileges and access to the SDDC resources in the workload domain.


Procedure

1 In a Web browser, log in to vRealize Automation by using the cloud services console.

Setting Value

URL https://vra01svr01.rainpole.local/csp/gateway/portal

User name configadmin

Password wsa01svr01_configadmin_password

Domain System Domain

2 On the main navigation bar, click Services.

3 In the My services section, click Cloud Assembly.

4 Click the Infrastructure tab, and select Connections > Cloud accounts.

5 Add a cloud account for vSphere.

a On the Cloud accounts page, click Add cloud account.

b On the Cloud account types page, click vCenter.

c On the New cloud account page, configure these settings and click Validate.

Setting Value

Name sfo01w01vc01

Description Region A - Workload Domain 01

vCenter IP address / FQDN sfo01w01vc01.sfo01.rainpole.local

User name [email protected]

Password svc-vra-vsphere_password

Capability tags cloud:private, region:sfo

d In the Configuration section, configure the settings and click Add.

Setting Value

Allow provisioning to these datacenters sfo01-w01dc

Create a cloud zone for the selected datacenters Selected

e On the You have successfully added this vCenter account dialog box, click Add another account.


6 Add a cloud account for NSX Data Center for vSphere or NSX-T Data Center.

a On the Cloud accounts page, click Add cloud account, configure these settings, and click Validate.

Setting | Value for NSX-T Data Center | Value for NSX Data Center for vSphere

Cloud account type | NSX-T | NSX-V

Name | sfo01w01nsxt01 | sfo01w01nsxv01

Description | Region A - NSX-T Workload Domain 01 | Region A - NSX-V Workload Domain 01

NSX IP address / FQDN | sfo01w01nsx01.sfo01.rainpole.local | sfo01w01nsx01.sfo01.rainpole.local

User name | admin | [email protected]

Password | nsx-t_admin_password | svc-vra-nsx_password

Capability tags | cloud:private, region:sfo | cloud:private, region:sfo

b In the Configuration section, select the following and click Add.

Setting Value

vSphere endpoint sfo01w01vc01

c On the You have successfully added this vCenter account dialog box, click Continue.

Integrate vRealize Automation with My VMware in Region A

To be able to download and provision blueprints from VMware Marketplace, configure the integration to My VMware in vRealize Automation in Region A.

Procedure

1 In a Web browser, log in to vRealize Automation by using the cloud services console.

Setting Value

URL https://vra01svr01.rainpole.local/csp/gateway/portal

User name configadmin

Password wsa01svr01_configadmin_password

Domain System Domain

2 On the main navigation bar, click Services.

3 In the My services section, click Cloud Assembly.

4 Click the Infrastructure tab, and select Connections > Integrations.


5 Configure the My VMware integration.

a On the Integrations page, click Add integration.

b On the Integration types page, select My VMware.

c On the New integration page, configure the settings, click Validate, and click Add.

Setting Value

Name My VMware

Description vRealize Automation to My VMware Integration

User name [email protected]

Password svc-vra-myvmware_password

Configure the Workload Domain Cloud Zone for vRealize Automation in Region A

Cloud zones are specific to Cloud Assembly projects and correspond to a set of resources within a cloud account. You reconfigure the initial cloud zone, created during the configuration of the NSX and vCenter Server cloud accounts, to assign the appropriate resources to the cloud zone through the use of resource pools, placement policy, and capability tags.

Procedure

1 In a Web browser, log in to vRealize Automation by using the cloud services console.

Setting Value

URL https://vra01svr01.rainpole.local/csp/gateway/portal

User name configadmin

Password wsa01svr01_configadmin_password

Domain System Domain

2 On the main navigation bar, click Services.

3 In the My services section, click Cloud Assembly.

4 Click the Infrastructure tab, and select Configure > Cloud zones.


5 Configure the workload domain cloud zone.

a On the Cloud zones page, click the sfo01w01vc01/sfo01-w01dc cloud zone card.

b On the Summary tab, configure these settings.

Setting Value

Description Region A - Workload Domain 01

Placement policy Default

Folder sfo01-w01fd-workload

Capability tags cloud:private, region:sfo

c Click the Compute tab, select the sfo01-w01-comp01 / sfo01-w01rp-user-vm resource pool and click Tags.

d In the Tags dialog box, add the cloud:private and region:sfo tags, and click Save.

e On the Compute tab, click Save.

Configure the Embedded vRealize Orchestrator Instance in Region A

vRealize Orchestrator is a platform that provides a library of extensible workflows to allow you to create and run automated, configurable processes to manage the vSphere infrastructure and other VMware and third-party technologies.

vRealize Orchestrator is composed of three distinct layers: an orchestration platform that provides the common features required for an orchestration tool, a plug-in architecture to integrate control of subsystems, and a library of workflows. vRealize Orchestrator is an open platform that can be extended with new plug-ins and libraries and can be integrated into larger architectures through a REST API.

Procedure

1 Import the Root Certificate of the Certificate Authority to vRealize Orchestrator in Region A

Import the root certificate of your Certificate Authority to vRealize Orchestrator to create the trust chain for connecting to the SDDC components.

2 Add the Workload Domain vCenter Server Instance to vRealize Orchestrator in Region A

To enable orchestration, management, and provisioning of workloads, you configure the connection to the Workload domain vCenter Server instance in Region A by running the necessary workflows in vRealize Orchestrator.

Import the Root Certificate of the Certificate Authority to vRealize Orchestrator in Region A

Import the root certificate of your Certificate Authority to vRealize Orchestrator to create the trust chain for connecting to the SDDC components.


Procedure

1 In a Web browser, log in to vRealize Orchestrator by using the Control Center interface.

Setting Value

URL https://vra01svr01.rainpole.local/vco-controlcenter

User name root

Password vra01svr01_root_password

2 Click Certificates.

3 Click the Trusted certificates tab and, from the Import drop-down menu, select Import from PEM-encoded file.

4 Click Browse, navigate to the Root64.cer Certificate Authority root certificate file, and click Import.

5 Review the Root CA's certificate and click Import.

Add the Workload Domain vCenter Server Instance to vRealize Orchestrator in Region A

To enable orchestration, management, and provisioning of workloads, you configure the connection to the Workload domain vCenter Server instance in Region A by running the necessary workflows in vRealize Orchestrator.

Procedure

1 In a Web browser, log in to vRealize Automation by using the cloud services console.

Setting Value

URL https://vra01svr01.rainpole.local/csp/gateway/portal

User name configadmin

Password wsa01svr01_configadmin_password

Domain System Domain

2 On the main navigation bar, click Services.

3 In the My services section, click Orchestrator.

4 On the Orchestrator page, on the main navigation bar, click the default Embedded-vRO instance.

5 In the left pane, select Library > Workflows.

6 Add the Workload domain vCenter Server instance.

a In the Workflows page, in the filter text box, enter Add a vCenter Server instance.

b Select the Add a vCenter Server instance workflow card and click Run.


c On the Set the vCenter Server instance properties tab, configure the settings.

Setting Value

IP or hostname of the vCenter Server instance to add sfo01w01vc01.sfo01.rainpole.local

HTTPS port of the vCenter Server instance 443

Location of SDK that you use to connect /sdk

Will you orchestrate this instance Selected

Do you want to ignore certificate warnings Deselected

d On the Set connection properties tab, configure the settings and click Run.

Setting | Value

Do you want to use a session per user method to manage user access to the vCenter Server system? | Deselected

User name of the user that Orchestrator will use to connect to the vCenter Server instance. | rainpole.local\svc-vro-vsphere

Password of the user that Orchestrator will use to connect to the vCenter Server instance. | svc-vro-vsphere_password

e On the Add a vCenter Server instance page, on the Waiting for input banner, click Answer.

f On the Input request dialog box, click Answer.

Configure Email Alerts for vRealize Automation in Region A

Configure email notifications in vRealize Automation to alert users and applications about certain situations in the SDDC.

Procedure

1 In a Web browser, log in to vRealize Automation by using the cloud services console.

Setting Value

URL https://vra01svr01.rainpole.local/csp/gateway/portal

User name configadmin

Password wsa01svr01_configadmin_password

Domain System Domain

2 On the main navigation bar, click Services.

3 In the My services section, click Service Broker.

4 On the Service Broker page, click the Content and policies tab.

5 In the left pane, select Notifications > Email server.


6 Configure the settings, click Test connection and click Create.

Setting Value

Name SMTP_server_hostname

Description Emails for notifications

Server name FQDN_of_the_SMTP_server

Sender Name Name_that_appears_as_the_sender_of_the_email

Sender Address Address_that_appears_as_the_sender_of_the_email

Authentication Depends on organization requirement

Connection Security SSL/TLS

Server Port Server port for SMTP requests

Trust certificates presented by the host Yes

Post-Deployment Operations Management Integration with vRealize Automation in Region A

After you deploy and configure vRealize Automation, configure its integration with the operations management SDDC components. You can monitor and receive alerts and logs about the cloud management platform to a central location by using vRealize Operations Manager and vRealize Log Insight.

- Connect vRealize Automation to vRealize Operations Manager in Region A

Configure the integration from vRealize Automation to vRealize Operations to view workload performance and usage data.

- Connect vRealize Operations Manager to vRealize Automation in Region A

Configure the integration from vRealize Operations Manager to vRealize Automation to monitor the health and resource capacity in your cloud infrastructure.

- Connect vRealize Log Insight to vRealize Automation in Region A

To collect syslog data from all components of vRealize Automation, you connect vRealize Automation to vRealize Log Insight. You perform this procedure on one of the vRealize Automation nodes; the configuration is then automatically disseminated to the remaining cluster nodes.


Connect vRealize Automation to vRealize Operations Manager in Region A

Configure the integration from vRealize Automation to vRealize Operations to view workload performance and usage data.

Procedure

1 Configure Service Account Privileges for the vRealize Automation Integration in vRealize Operations Manager in Region A

Import the service account and assign the necessary permissions in vRealize Operations Manager to enable vRealize Automation to view metrics from vRealize Operations Manager.

2 Integrate vRealize Automation with vRealize Operations Manager in Region A

Configure the integration parameters from vRealize Automation to vRealize Operations Manager.

Configure Service Account Privileges for the vRealize Automation Integration in vRealize Operations Manager in Region A

Import the service account and assign the necessary permissions in vRealize Operations Manager to enable vRealize Automation to view metrics from vRealize Operations Manager.

Procedure

1 In a Web browser, log in to the vRealize Operations Manager by using the operations interface.

Settings Value

URL https://vrops01svr01.rainpole.local

User name admin

Password vrops_admin_password

2 On the main navigation bar, click Administration.

3 In the left pane, select Access > Access control.

4 Click the User accounts tab and, from the ellipsis drop-down menu, select Import.

The Import users wizard opens.

5 On the Import users page, configure these settings, select the svc-vra-vrops account and click Next.

Setting Value

Import from WorkspaceONE

Domain name rainpole.local

Search prefix svc-vra-vrops

User name svc-vra-vrops


6 On the Assign groups and permissions page, click the Objects tab, configure the settings, and click Finish.

Setting Value

Select Role ReadOnly

Assign this role to the user Selected

Select Object vCenter Adapter > vCenter Cloud Account > sfo-w01-vc01

Integrate vRealize Automation with vRealize Operations Manager in Region A

Configure the integration parameters from vRealize Automation to vRealize Operations Manager.

Procedure

1 In a Web browser, log in to vRealize Automation by using the cloud services console.

Setting Value

URL https://vra01svr01.rainpole.local/csp/gateway/portal

User name configadmin

Password wsa01svr01_configadmin_password

Domain System Domain

2 On the main navigation bar, click Services.

3 In the My services section, click Cloud Assembly.

4 Click the Infrastructure tab, and select Connections > Integrations.

5 Configure the vRealize Operations Manager integration.

a On the Integrations page, click Add integration.

b On the Integration types page, select vRealize Operations Manager.

c On the New Integration page, configure the settings, click Validate, and click Add.

Setting Value

Name vRealize Operations Manager

Description vRealize Automation to vRealize Operations Manager Integration

IP Address / FQDN https://vrops01svr01.rainpole.local/suite-api

User name [email protected]@WorkspaceONE

Password svc-vra-vrops_password


Connect vRealize Operations Manager to vRealize Automation in Region A

Configure the integration from vRealize Operations Manager to vRealize Automation to monitor the health and resource capacity in your cloud infrastructure.

Procedure

1 Assign Organization and Service Roles to the vRealize Operations Manager Service Account in vRealize Automation in Region A

To manage access to services provided by vRealize Automation, you assign global organization roles and service roles to the service account for the vRealize Automation to vRealize Operations Manager integration.

2 Configure the vRealize Automation Integration in vRealize Operations Manager in Region A

To configure the necessary permissions to monitor the health and resource capacity, configure the credentials and endpoint for the vRealize Automation integration in vRealize Operations Manager in Region A.

Assign Organization and Service Roles to the vRealize Operations Manager Service Account in vRealize Automation in Region A

To manage access to services provided by vRealize Automation, you assign global organization roles and service roles to the service account for the vRealize Automation to vRealize Operations Manager integration.

Procedure

1 In a Web browser, log in to vRealize Automation by using the cloud services console.

Setting Value

URL https://vra01svr01.rainpole.local/csp/gateway/portal

User name configadmin

Password wsa01svr01_configadmin_password

Domain System Domain

2 On the main navigation bar, click Identity and access management.


3 Assign an organization role and a service role to the [email protected] service account.

a On the Active users tab, select svc-vrops-vra and click Edit roles.

b On the Edit roles page, click Add service access, configure these settings, and click Save.

Settings Value

Assign organization roles Organization Owner

Service Cloud Assembly

Service role Cloud Assembly Administrator

Configure the vRealize Automation Integration in vRealize Operations Manager in Region A

To configure the necessary permissions to monitor the health and resource capacity, configure the credentials and endpoint for the vRealize Automation integration in vRealize Operations Manager in Region A.

Procedure

1 In a Web browser, log in to the vRealize Operations Manager by using the operations interface.

Settings Value

URL https://vrops01svr01.rainpole.local

User name admin

Password vrops_admin_password

2 On the main navigation bar, click Administration.

3 In the left pane, select Management > Integrations.

4 On the Integrations page, click the ellipsis icon for VMware vRealize Automation 8.x and click Configure.

5 On the VMware vRealize Automation 8.x page, in the Credentials section, click the Add new icon, configure these settings, and click OK.

Setting Value

Credential name vra01svr01-adapter-credentials

User name svc-vrops-vra

Password svc-vrops-vra_password


6 On the VMware vRealize Automation 8.x page, configure the settings.

Setting Value

IP address / FQDN vra01svr01.rainpole.local

Auto discovery true

Credential vra01svr01-adapter-credentials

Collector/Group Default collector group

7 Click Validate connection, accept the certificate, and click Save.

Connect vRealize Log Insight to vRealize Automation in Region A

To collect syslog data from all components of vRealize Automation, you connect vRealize Automation to vRealize Log Insight. You perform this procedure on one of the vRealize Automation nodes; the configuration is then automatically disseminated to the remaining cluster nodes.

Procedure

1 Log in to the vRealize Automation appliance by using a Secure Shell (SSH) client.

Setting Value

FQDN vra01svr01a.rainpole.local

User name root

Password vra_appA_root_password

2 To send logs to vRealize Log Insight, run the command.

vracli vrli set -k -e cross-region http://sfo01vrli01.sfo01.rainpole.local:9000

3 Validate the configuration change by running the command.

vracli vrli

The command outputs the following.

root@xreg-vra01a [ ~ ]# vracli vrli
{
    "agentId": "0",
    "environment": "cross-region-production",
    "host": "sfo01vrli01.sfo01.rainpole.local",
    "port": 9000,
    "scheme": "http",
    "sslVerify": false
}
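The validation output above reports "scheme": "http" and "sslVerify": false, so it is worth checking the transport settings along with the destination. The following is an added example, not part of the original guide: it parses a capture of that output and returns findings. The function names and finding codes are hypothetical, and the capture is constructed from the output shown in step 3.

```python
import json

# Constructed capture: the terminal text shown in step 3, as a single string.
CAPTURED = """root@xreg-vra01a [ ~ ]# vracli vrli
{
    "agentId": "0",
    "environment": "cross-region-production",
    "host": "sfo01vrli01.sfo01.rainpole.local",
    "port": 9000,
    "scheme": "http",
    "sslVerify": false
}
"""


def extract_config(terminal_text):
    """Return the first JSON object in captured terminal text (prompt line ignored)."""
    start = terminal_text.find("{")
    if start == -1:
        raise ValueError("no JSON object found in the captured output")
    # raw_decode stops at the end of the object, so trailing prompt text is tolerated.
    config, _ = json.JSONDecoder().raw_decode(terminal_text[start:])
    return config


def audit_forwarding(config, expected_host):
    """Return finding codes (hypothetical names) for a parsed log forwarding config."""
    findings = []
    host = str(config.get("host", "")).lower().rstrip(".")
    if host != expected_host.lower():
        findings.append("unexpected-destination")
    if str(config.get("scheme", "")).lower() != "https":
        findings.append("cleartext-transport")
    # Only the JSON value true counts; a missing key or the string "true" does not.
    if config.get("sslVerify") is not True:
        findings.append("certificate-not-verified")
    port = config.get("port")
    if isinstance(port, bool) or not isinstance(port, int) or not 0 < port < 65536:
        findings.append("invalid-port")
    return findings


if __name__ == "__main__":
    cfg = extract_config(CAPTURED)
    for finding in audit_forwarding(cfg, "sfo01vrli01.sfo01.rainpole.local"):
        print(finding)
```
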

Configure vRealize Automation for a Sample Project Implementation in Region A

After completing the vRealize Automation implementation, you can optionally deploy a sample project scenario to test workload provisioning.

You prepare for workload provisioning by allocating the necessary infrastructure resources through the use of flavor mappings, image mappings, network profiles, and storage profiles. You configure a sample project, content library, and a sample virtual machine blueprint to test the sharing of workload provisioning capabilities with the cloud infrastructure consumers in your organization.

- Content Library Configuration in Region A

Content libraries are containers for VM templates, vApp templates, and other resources used for vRealize Automation deployment of virtual machines and vApps. Sharing templates and files across multiple vCenter Server instances brings out consistency, compliance, efficiency, and automation in deploying workloads at scale.

- Customization Specifications for vRealize Automation Configuration in Region A

Create customization specifications, one for Linux and one for Windows, for use by the virtual machine images you deploy. Customization specifications are XML files that contain system configuration settings for the guest operating systems used in the virtual machines. You can use the customization specifications as needed when you create blueprints in vRealize Automation.

- Configure vRealize Automation Mappings for Region A

You define deployment sizing and deployment parameters for workloads by using flavor and image mappings in Cloud Assembly.

- Configure vRealize Automation Profiles for Region A

You define target networks and datastores for workload provisioning by using network and storage profiles in Cloud Assembly.

- Configure a Sample Project in vRealize Automation for Region A

You configure a project in vRealize Automation to define the users that can provision workloads, the priority and cloud zone of deployments, as well as the maximum allowed deployment instances.

- Configure Sample Blueprint in Region A

You configure a sample blueprint to deploy to your organization's cloud providers. Blueprints determine the specifications, such as target cloud region, resources, guest operating systems, and others, for the services or applications that consumers of this blueprint can deploy.

- Service Broker Configuration in Region A

To enable users to deploy workloads, you import blueprints, create a content source and share these blueprints within a project in vRealize Automation Service Broker.

- Deploy Sample Blueprint in Region A

After you import the Cloud Assembly blueprint and share it with members of your project, you test the provisioning by requesting a deployment.

Content Library Configuration in Region A

Content libraries are containers for VM templates, vApp templates, and other resources used for vRealize Automation deployment of virtual machines and vApps. Sharing templates and files across multiple vCenter Server instances brings out consistency, compliance, efficiency, and automation in deploying workloads at scale.

You create and manage a content library from a single vCenter Server instance, but you can share the library items with other vCenter Server instances if HTTP(S) traffic is allowed between them.

Procedure

1 Configure a Content Library in the Workload Domain vCenter Server Instance in Region A

Create a content library and populate it with images that you can use to deploy virtual machines in your environment. Content libraries let you synchronize images among workload domain vCenter Server instances so that all images in your environment are consistent.

2 Import OVA Images to the Content Library in the Workload Domain vCenter Server Instance in Region A

You can import OVA files prepared to use as virtual machine images. The images that you add to the content library are used in vRealize Automation blueprints. You repeat this procedure to import all OVA images.

Configure a Content Library in the Workload Domain vCenter Server Instance in Region A

Create a content library and populate it with images that you can use to deploy virtual machines in your environment. Content libraries let you synchronize images among workload domain vCenter Server instances so that all images in your environment are consistent.

As you deploy additional workload domains, you can create subscriber content libraries from this publishing content library.

Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Client.

Setting Value

URL https://sfo01m01vc01.sfo01.rainpole.local/ui

User name [email protected]

Password vsphere_admin_password

2 In the Content libraries inventory, click Create.

The New content library wizard opens.

3 On the Name and location page, configure the settings and click Next.

Setting Value

Name sfo01-w01cl-vra01

vCenter Server sfo01w01vc01.sfo01.rainpole.local

4 On the Configure content library page, configure the settings and click Next.

Setting Value

Local content library Selected

Enable publishing Selected

Enable authentication Selected

Password sfo01-w01cl-vra01_password

Confirm password sfo01-w01cl-vra01_password

5 On the Add storage page, select sfo01-w01-vsan01 and click Next.

6 On the Ready to complete page, click Finish.

Import OVA Images to the Content Library in the Workload Domain vCenter Server Instance in Region A

You can import OVA files prepared to use as virtual machine images. The images that you add to the content library are used in vRealize Automation blueprints. You repeat this procedure to import all OVA images.

Table 7-3. Virtual Machine Templates in Region A

| Operating System Type | OVA Name | Local File Name |
| --- | --- | --- |
| Windows Server 2019 Standard | img-windows-server-2019-standard | windows-server-2019-standard.ova |
| Windows Server 2016 Standard | img-windows-server-2016-standard | windows-server-2016-standard.ova |
| Ubuntu Server 19.10 | img-ubuntu-server-1910 | ubuntu-server-1910.ova |
| Ubuntu Server 18.04 LTS | img-ubuntu-server-1804-lts | ubuntu-server-1804-lts.ova |

Procedure

1 In a Web browser, log in to vCenter Server by using the vSphere Client.

Setting Value

URL https://sfo01m01vc01.sfo01.rainpole.local/ui

User name [email protected]

Password vsphere_admin_password

2 In the Content libraries inventory, select the sfo01-w01cl-vra01 content library.

3 On the sfo01-w01cl-vra01 page, click the Actions drop-down menu and select Import item.

4 In the Import library item dialog box, specify the settings for the first OVA image and click Import.

Setting Value

Source file windows-server-2019-standard.ova

Item name img-windows-server-2019-standard

Notes Windows Server 2019 Standard

5 Repeat the procedure to import the remaining OVA images.

Customization Specifications for vRealize Automation Configuration in Region A

Create customization specifications, one for Linux and one for Windows, for use by the virtual machine images you deploy. Customization specifications are XML files that contain system configuration settings for the guest operating systems used in the virtual machines. You can use the customization specifications as needed when you create blueprints in vRealize Automation.

Create a Customization Specification for Windows Guest Operating Systems in Region A

Create a Windows guest operating system specification that you can apply when you create blueprints for use with vRealize Automation. This customization specification can be used to customize virtual machine guest operating systems when provisioning new virtual machines from vRealize Automation.

You configure two customization specifications.

| Customization Specification Name | Description | Operating System Type |
| --- | --- | --- |
| windows-server-2019-standard | Windows Server 2019 Standard | Windows |
| windows-server-2016-standard | Windows Server 2016 Standard | Windows |

Procedure

1 In a Web browser, log in to the Workload domain vCenter Server by using the vSphere Client.

Setting Value

URL https://sfo01w01vc01.sfo01.rainpole.local/ui

User name [email protected]

Password vsphere_admin_password

2 In the Policies and profiles inventory, select VM customization specifications.

3 On the VM customization specifications page, click the Create a new specification icon.

The New VM guest customization wizard opens.

4 On the Name and target OS page, configure the settings and click Next.

Setting Value

Name windows-server-2019-standard

Description Windows Server 2019 Standard

vCenter Server sfo01w01vc01.sfo01.rainpole.local

Target Guest OS Windows

Generate New Security ID (SID) Selected

5 On the Registration information page, configure the settings and click Next.

Setting Value

Name Rainpole

Organization Rainpole

6 On the Computer name page, select Use the virtual machine name, and click Next.

7 On the Windows license page, provide licensing information for the Windows operating system, and click Next.

8 On the Administrator password page, enter the default administrator password to set on the virtual machine, and click Next.

9 On the Time zone page, select the time zone, and click Next.

Setting Value

Time Zone (UTC-08:00) Pacific Time (US & Canada)

10 On the Commands to run once page, click Next.

11 On the Network page, click Next.

12 On the Workgroup or domain page, select Windows Server Domain, configure the settings, and click Next.

Setting Example Value

Windows Server Domain sfo01.rainpole.local

User name [email protected]

Password svc-domain-join_password

13 On the Ready to complete page, review the settings and click Finish to save your changes.

14 Repeat the procedure to create the second Windows customization specification.

Create a Customization Specification for Linux Guest Operating Systems in Region A

Create a Linux guest operating system specification that you can apply when you create blueprints for use with vRealize Automation. This customization specification can be used to customize virtual machine guest operating systems when provisioning new virtual machines from vRealize Automation.

You configure two customization specifications.

| Customization Specification Name | Description | Operating System Type |
| --- | --- | --- |
| ubuntu-server-1910 | Ubuntu Server 19.10 | Linux |
| ubuntu-server-1804-lts | Ubuntu Server 18.04 LTS | Linux |

Procedure

1 In a Web browser, log in to the Workload domain vCenter Server by using the vSphere Client.

Setting Value

URL https://sfo01w01vc01.sfo01.rainpole.local/ui

User name [email protected]

Password vsphere_admin_password

2 In the Policies and profiles inventory, select VM customization specifications.

3 On the VM customization specifications page, click the Create a new specification icon.

The New VM guest customization wizard opens.

4 On the Name and target OS page, configure the settings and click Next.

Setting Value

Name ubuntu-server-1910

Description Ubuntu Server 19.10

vCenter Server sfo01w01vc01.sfo01.rainpole.local

Target Guest OS Linux

5 On the Computer name page, select Use the virtual machine name, enter sfo01.rainpole.local for the domain name, and click Next.

6 On the Time zone page, configure the settings, and click Next.

Setting Value

Area America

Location Los Angeles

Hardware clock set to Local time

7 On the Customization script page, click Next.

8 On the Network page, click Next.

9 On the DNS settings page, leave the default settings, and click Next.

10 On the Ready to complete page, review the settings and click Finish to save your changes.

11 Repeat the procedure to create the second Linux customization specification.

Configure vRealize Automation Mappings for Region A

You define deployment sizing and deployment parameters for workloads by using flavor and image mappings in Cloud Assembly.

Procedure

1 Add Flavor Mappings for Region A

You configure flavor mappings for the vSphere-based cloud accounts in Region A to define and group a set of target deployment sizings.

2 Add Image Mappings for Region A

You configure image mappings for the vSphere-based cloud accounts in Region A to define target deployment operating system and related configuration settings.

Add Flavor Mappings for Region A

You configure flavor mappings for the vSphere-based cloud accounts in Region A to define and group a set of target deployment sizings.

You configure five flavor mappings to define the deployment sizings.

| Name | Region | CPU Count | Memory Size |
| --- | --- | --- | --- |
| x-small | sfo01w01vc01 / sfo01-w01dc | 1 | 512 MB |
| small | sfo01w01vc01 / sfo01-w01dc | 2 | 2 GB |
| medium | sfo01w01vc01 / sfo01-w01dc | 8 | 4 GB |
| large | sfo01w01vc01 / sfo01-w01dc | 8 | 16 GB |
| x-large | sfo01w01vc01 / sfo01-w01dc | 16 | 32 GB |

Procedure

1 In a Web browser, log in to vRealize Automation by using the cloud services console.

Setting Value

URL https://vra01svr01.rainpole.local/csp/gateway/portal

User name configadmin

Password wsa01svr01_configadmin_password

Domain System Domain

2 On the main navigation bar, click Services.

3 In the My services section, click Cloud Assembly.

4 Click the Infrastructure tab, and select Configure > Flavor mappings.

5 On the New flavor mapping page, configure the settings and click Create.

Setting Value

Name x-small

Account / region sfo01w01vc01 / sfo01-w01dc

Number of CPUs 1

Memory (MB) 512

6 Repeat this procedure to create the remaining flavor mappings.

Add Image Mappings for Region A

You configure image mappings for the vSphere-based cloud accounts in Region A to define target deployment operating system and related configuration settings.

You configure four image mappings for the previously configured customization specifications.

| Name | Region | Image | Source Type |
| --- | --- | --- | --- |
| windows-server-2019-standard | sfo01w01vc01 / sfo01-w01dc | img-windows-server-2019-standard | Content Library OVA |
| windows-server-2016-standard | sfo01w01vc01 / sfo01-w01dc | img-windows-server-2016-standard | Content Library OVA |
| ubuntu-server-1910 | sfo01w01vc01 / sfo01-w01dc | img-ubuntu-server-1910 | Content Library OVA |
| ubuntu-server-1804-lts | sfo01w01vc01 / sfo01-w01dc | img-ubuntu-server-1804-lts | Content Library OVA |

Procedure

1 In a Web browser, log in to vRealize Automation by using the cloud services console.

Setting Value

URL https://vra01svr01.rainpole.local/csp/gateway/portal

User name configadmin

Password wsa01svr01_configadmin_password

Domain System Domain

2 On the main navigation bar, click Services.

3 In the My services section, click Cloud Assembly.

4 Click the Infrastructure tab, and select Configure > Image mappings.

5 On the New image mapping page, configure the settings and click Create.

Setting Value

Image name windows-server-2019-standard

Account / region sfo01w01vc01 / sfo01-w01dc

Image img-windows-server-2019-standard

Constraints -

Cloud configuration -

6 Repeat this procedure to create the remaining image mappings.

Configure vRealize Automation Profiles for Region A

You define target networks and datastores for workload provisioning by using network and storage profiles in Cloud Assembly.

Procedure

1 Add Networks for vRealize Automation for Region A

Before project members can request workloads, you must create networks to connect the network profiles defined in vRealize Automation.

2 Configure Network Profiles for Region A

Before project members can request workloads, you must create network profiles to define the subnet and routing configuration for virtual machines. Each network profile is configured for a specific network port group or virtual network segment to specify the IP address and the routing configuration for virtual machines provisioned to that network.

3 Configure Storage Profiles in Region A

You configure disk customizations and type of storage for the provisioned workloads by defining a storage profile in Cloud Assembly for the specific cloud account and region.

Add Networks for vRealize Automation for Region A

Before project members can request workloads, you must create networks to connect the network profiles defined in vRealize Automation.

For a workload domain with NSX-T Data Center, you create the network segments on the NSX-T Manager for the workload domain. For a workload domain with NSX Data Center for vSphere, you create the logical switches on the NSX Manager for the workload domain.

- Add Network Segments for vRealize Automation on the Workload Domain NSX-T Manager for Region A

If the workload domain uses NSX-T Data Center, you create network segments on the Workload domain NSX-T Manager to connect the network profiles defined in vRealize Automation.

- Add Logical Switches for vRealize Automation on the Workload Domain NSX Manager for Region A

If the workload domain uses NSX Data Center for vSphere, you create logical switches on the Workload domain NSX Manager to connect the network profiles defined in vRealize Automation.

Add Network Segments for vRealize Automation on the Workload Domain NSX-T Manager for Region A

If the workload domain uses NSX-T Data Center, you create network segments on the Workload domain NSX-T Manager to connect the network profiles defined in vRealize Automation.

You configure separate segments for the business tiers.

Table 7-4. Production Segments

| Setting | Value for production-web | Value for sfo-production-db | Value for sfo-production-app |
| --- | --- | --- | --- |
| Segment name | sfo-production-web-192-168-91-0–24 | sfo-production-db-192-168-92–24 | sfo-production-app-192-168-93-0–24 |
| Connectivity | sfo01-w02-tier-1-01 | sfo01-w02-tier-1-01 | sfo01-w02-tier-1-01 |
| Transport zone | sfo01-w-overlay | sfo01-w-overlay | sfo01-w-overlay |
| Subnets | 192.168.91.1/24 | 192.168.92.1/24 | 192.168.93.1/24 |

Table 7-5. Development Segments

| Setting | Value for sfo-development-web | Value for sfo-development-db | Value for sfo-development-app |
| --- | --- | --- | --- |
| Segment name | sfo-development-web-192-168-95-0–24 | sfo-development-db-192-168-96–24 | sfo-development-app-192-168-97–24 |
| Connectivity | sfo01-w02-tier-1-01 | sfo01-w02-tier-1-01 | sfo01-w02-tier-1-01 |
| Transport zone | sfo01-w-overlay | sfo01-w-overlay | sfo01-w-overlay |
| Subnets | 192.168.95.1/24 | 192.168.96.1/24 | 192.168.97.1/24 |

Procedure

1 In a Web browser, log in to the NSX-T Manager for the workload domain by using the user interface.

Setting Value

URL https://sfo01w01nsx01.sfo01.rainpole.local

User name admin

Password nsx-t_admin_password

2 On the main navigation bar, click Networking.

3 On the Configuration tab of the Network overview page, click Segments.

4 On the Segments tab, click Add segment, configure these settings, and click Save.

Setting Value

Segment name sfo-production-web-192-168-91-0–24

Connectivity sfo01-w02-tier-1-01

Transport zone sfo01-w-overlay

Subnets Click Set subnets, click Add subnet, in the Gateway IP/Prefix length, enter 192.168.91.1/24, click Add, and click Apply.

5 In the Want to continue configuring this Segment? dialog box, click No.

6 Repeat this procedure to create the remaining segments.

Add Logical Switches for vRealize Automation on the Workload Domain NSX Manager for Region A

If the workload domain uses NSX Data Center for vSphere, you create logical switches on the Workload domain NSX Manager to connect the network profiles defined in vRealize Automation.

You configure separate logical switches for the business tiers.

Table 7-6. Production Logical Switch

| Setting | Value for production-web | Value for sfo-production-db | Value for sfo-production-app |
| --- | --- | --- | --- |
| Name | sfo-production-web-192-168-91-0–24 | sfo-production-db-192-168-92–24 | sfo-production-app-192-168-93-0–24 |
| Transport zone | Comp Universal Transport Zone | Comp Universal Transport Zone | Comp Universal Transport Zone |
| Connected to | sfo-production-web-192-168-91-0–24 | sfo-production-db-192-168-92–24 | sfo-production-app-192-168-93-0–24 |
| Primary IP address | 192.168.91.1 | 192.168.92.1 | 192.168.93.1 |
| Subnet prefix length | 24 | 24 | 24 |

Table 7-7. Development Logical Switch

| Setting | Value for sfo-development-web | Value for sfo-development-db | Value for sfo-development-app |
| --- | --- | --- | --- |
| Name | sfo-development-web-192-168-95-0–24 | sfo-development-db-192-168-96–24 | sfo-development-app-192-168-97–24 |
| Transport zone | Comp Universal Transport Zone | Comp Universal Transport Zone | Comp Universal Transport Zone |
| Connected to | sfo-development-web-192-168-95-0–24 | sfo-development-db-192-168-96–24 | sfo-development-app-192-168-97–24 |
| Primary IP address | 192.168.95.1 | 192.168.96.1 | 192.168.97.1 |
| Subnet prefix length | 24 | 24 | 24 |

Procedure

1 In a Web browser, log in to the Workload domain vCenter Server by using the vSphere Client.

Setting Value

URL https://sfo01w01vc01.sfo01.rainpole.local/ui

User name [email protected]

Password vsphere_admin_password

2 In the Networking and security inventory, click Logical Switches.

3 From the NSX Manager drop-down menu, select 172.16.11.66.

4 Click Add, configure these settings, and click Save.

Setting Value

Name sfo-production-web-192-168-91-0–24

Transport zone Comp Universal Transport Zone

Replication mode Hybrid

MAC learning Disabled

5 Repeat Step 4 to create the remaining logical switches.

6 Add logical switch gateways to the universal distributed logical router.

a In the Networking and security inventory, click NSX Edges.

b Click the ID of the sfo01w01udlr01 universal distributed logical router to open its network settings.

c Click the Configure tab and click Interfaces.

d Click Add, configure these settings, and click Add.

Setting Value

Name sfo-production-web-192-168-91-0–24

Type Internal

Connected to sfo-production-web-192-168-91-0–24

Configure subnets Click Add, in the Primary IP address, enter 192.168.91.1, and, in the Subnet prefix length, enter 24.

e Repeat this step to create the remaining interfaces.

Configure Network Profiles for Region A

Before project members can request workloads, you must create network profiles to define the subnet and routing configuration for virtual machines. Each network profile is configured for a specific network port group or virtual network segment to specify the IP address and the routing configuration for virtual machines provisioned to that network.

Procedure

1 In a Web browser, log in to vRealize Automation by using the cloud services console.

Setting Value

URL https://vra01svr01.rainpole.local/csp/gateway/portal

User name configadmin

Password wsa01svr01_configadmin_password

Domain System Domain

2 On the main navigation bar, click Services.

3 In the My services section, click Cloud Assembly.

4 Click the Infrastructure tab, select Configure > Network profiles.

5 Configure the network profile.

a Click New network profile.

The New network profile page opens.

b On the Summary tab, configure the settings.

Setting Value

Account / Region sfo01w01vc01 / sfo01-w01dc

Name net-existing-sfo-w01

Description Existing Networks in Region A - Workload Domain 01

c Click the Networks tab and click Add network.

d In the Add network dialog box, select VIEW NSX NETWORKS.

e Select the following segments and click OK.

Segment Description

sfo-production-web-192-168-91-0–24 Production Web Tier Network

sfo-production-db-192-168-92-0–24 Production Database Tier Network

sfo-production-app-192-168-93-0–24 Production Application Tier Network

sfo-development-web-192-168-95-0–24 Development Web Tier Network

sfo-development-db-192-168-96-0–24 Development Database Tier Network

sfo-development-app-192-168-97-0–24 Development Application Tier Network

f On the Networks tab, select the check box for a segment, click Tags, configure the corresponding capability tags, and click Save.

| Segment | Capability Tags |
| --- | --- |
| sfo-production-web-192-168-91–24 | env:prod, function:web |
| sfo-production-db-192-168-92–24 | env:prod, function:db |
| sfo-production-app-192-168-93-0–24 | env:prod, function:app |
| sfo-development-web-192-168-95-0–24 | env:dev, function:web |
| sfo-development-db-192-168-96-0–24 | env:dev, function:db |
| sfo-development-app-192-168-97-0–24 | env:dev, function:app |

g On the Networks tab, click the Name link for each of the production segments, configure the settings, and click Save.

| Setting | Value for sfo-production-web | Value for sfo-production-db | Value for sfo-production-app |
| --- | --- | --- | --- |
| Name | sfo-production-web-192-168-91-0–24 | sfo-production-db-192-168-92-0–24 | sfo-production-app-192-168-93-0–24 |
| Domain | sfo01.rainpole.local | sfo01.rainpole.local | sfo01.rainpole.local |
| IPv4 CIDR | 192.168.91.0/24 | 192.168.92.0/24 | 192.168.93.0/24 |
| IPv4 Default Gateway | 192.168.91.1 | 192.168.92.1 | 192.168.93.1 |
| DNS Servers | 172.16.11.4,172.16.11.5 | 172.16.11.4,172.16.11.5 | 172.16.11.4,172.16.11.5 |
| DNS Search Domains | sfo01.rainpole.local | sfo01.rainpole.local | sfo01.rainpole.local |

h On the Networks tab, click the Name link for each of the development segments, configure the settings, and click Save.

| Setting | Value for sfo-development-web | Value for sfo-development-db | Value for sfo-development-app |
| --- | --- | --- | --- |
| Network | sfo-development-web-192-168-95-0–24 | sfo-development-db-192-168-96-0–24 | sfo-development-app-192-168-97-0–24 |
| Domain | sfo01.rainpole.local | sfo01.rainpole.local | sfo01.rainpole.local |
| IPv4 CIDR | 172.11.10.0/24 | 172.11.11.0/24 | 172.11.12.0/24 |
| IPv4 Default Gateway | 172.11.10.1 | 172.11.11.1 | 172.11.12.1 |
| DNS Servers | 172.16.11.4,172.16.11.5 | 172.16.11.4,172.16.11.5 | 172.16.11.4,172.16.11.5 |
| DNS Search Domains | sfo01.rainpole.local | sfo01.rainpole.local | sfo01.rainpole.local |

i On the Networks tab, select the check box for a segment, click Manage IP ranges, click New IP range, configure the corresponding settings for each production segment, click Add, and click Close.

| Setting | Value for sfo-production-web | Value for sfo-production-db | Value for sfo-production-app |
| --- | --- | --- | --- |
| Network | sfo-production-web-192.168.91-0–24 | sfo-production-db-192.168.92-0–24 | sfo-production-app-192.168.93-0–24 |
| Source | Internal | Internal | Internal |
| Name | sfo-production-web-192.168.91-0–24 | sfo-production-db-192.168.92-0–24 | sfo-production-app-192.168.93-0–24 |
| Description | Production: Web Tier Network Static IP Range | Production: Database Tier Network Static IP Range | Production: Application Tier Network Static IP Range |
| CIDR | 192.168.91.0/24 | 192.168.92.0/24 | 192.168.93.0/24 |
| Start IP Address | 192.168.91.20 | 192.168.92.20 | 192.168.93.20 |
| End IP Address | 192.168.91.250 | 192.168.92.250 | 192.168.93.250 |

j On the Networks tab, select the check box for a segment, click Manage IP ranges, click New IP range, configure the corresponding settings for each development segment, click Add, and click Close.

| Setting | Value for sfo-development-web | Value for sfo-development-db | Value for sfo-development-app |
| --- | --- | --- | --- |
| Name | sfo-development-web-192.168.95-0–24 | sfo-development-db-192.168.96-0–24 | sfo-development-app-192.168.97-0–24 |
| Description | Development: Web Tier Network Static IP Range | Development: Database Tier Network Static IP Range | Development: Application Tier Network Static IP Range |
| CIDR | 192.168.95.0/24 | 192.168.96.0/24 | 192.168.97.0/24 |
| Start IP Address | 192.168.95.20 | 192.168.96.20 | 192.168.97.20 |
| End IP Address | 192.168.95.250 | 192.168.96.250 | 192.168.97.250 |

k On the New network profile page, click Create.
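Before the profile is created, the addressing entered for each tier can be cross-checked: the segment gateway from Tables 7-4 and 7-5, the profile CIDR and gateway from steps g and h, and the static IP range from steps i and j should all describe the same subnet. The following is an added example, not part of the original guide; the tuple layout, function names and issue codes are hypothetical, and the addresses are taken from those tables in dotted form.

```python
import ipaddress

# Constructed input, one row per tier:
# (tier, segment gateway/prefix, profile CIDR, profile gateway,
#  IP range CIDR, range start, range end)
ROWS = [
    ("sfo-production-web", "192.168.91.1/24", "192.168.91.0/24", "192.168.91.1",
     "192.168.91.0/24", "192.168.91.20", "192.168.91.250"),
    ("sfo-production-db", "192.168.92.1/24", "192.168.92.0/24", "192.168.92.1",
     "192.168.92.0/24", "192.168.92.20", "192.168.92.250"),
    ("sfo-production-app", "192.168.93.1/24", "192.168.93.0/24", "192.168.93.1",
     "192.168.93.0/24", "192.168.93.20", "192.168.93.250"),
    ("sfo-development-web", "192.168.95.1/24", "172.11.10.0/24", "172.11.10.1",
     "192.168.95.0/24", "192.168.95.20", "192.168.95.250"),
    ("sfo-development-db", "192.168.96.1/24", "172.11.11.0/24", "172.11.11.1",
     "192.168.96.0/24", "192.168.96.20", "192.168.96.250"),
    ("sfo-development-app", "192.168.97.1/24", "172.11.12.0/24", "172.11.12.1",
     "192.168.97.0/24", "192.168.97.20", "192.168.97.250"),
]


def check_row(row):
    """Return issue codes for one tier; an empty list means the row is consistent."""
    _, seg_gw, cidr, gateway, range_cidr, start, end = row
    try:
        seg = ipaddress.ip_interface(seg_gw)      # gateway IP/prefix set on the segment
        net = ipaddress.ip_network(cidr)          # strict: host bits are rejected
        gw = ipaddress.ip_address(gateway)
        range_net = ipaddress.ip_network(range_cidr)
        first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    except ValueError:
        return ["unparseable-value"]
    issues = []
    if seg.network != net:
        issues.append("profile-cidr-differs-from-segment")
    if seg.ip != gw:
        issues.append("profile-gateway-differs-from-segment")
    if gw not in net:
        issues.append("gateway-outside-cidr")
    if range_net != net:
        issues.append("range-cidr-differs-from-profile")
    if first > last:
        issues.append("range-reversed")
    if first not in net or last not in net:
        issues.append("range-outside-profile-cidr")
    if first <= gw <= last:
        issues.append("gateway-inside-range")     # gateway could be handed to a VM
    if not net.is_private:
        issues.append("profile-cidr-not-private")
    return issues


def audit(rows):
    """Map tier name to its issue codes, listing only tiers that have issues."""
    report = {}
    for row in rows:
        issues = check_row(row)
        if issues:
            report[row[0]] = issues
    return report


def overlapping(rows):
    """Return pairs of tiers whose profile CIDRs overlap (rows must parse)."""
    nets = [(r[0], ipaddress.ip_network(r[2])) for r in rows]
    return [(a, b) for i, (a, na) in enumerate(nets)
            for b, nb in nets[i + 1:] if na.overlaps(nb)]


if __name__ == "__main__":
    for tier, issues in audit(ROWS).items():
        print(tier, ", ".join(issues))
    print("overlaps:", overlapping(ROWS))
```

With these values the three production tiers pass and the three development tiers are reported: their profile CIDRs (172.11.x.0/24) match neither the segment subnets nor the static IP ranges (192.168.9x.0/24), and they fall outside the private address blocks.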

Configure Storage Profiles in Region A

You configure disk customizations and type of storage for the provisioned workloads by defining a storage profile in Cloud Assembly for the specific cloud account and region.

Procedure

1 In a Web browser, log in to vRealize Automation by using the cloud services console.

Setting Value

URL https://vra01svr01.rainpole.local/csp/gateway/portal

User name configadmin

Password wsa01svr01_configadmin_password

Domain System Domain

2 On the main navigation bar, click Services.

3 In the My services section, click Cloud Assembly.

4 Click the Infrastructure tab, select Configure > Storage profiles.

5 On the Storage profiles page, click New storage profile, configure the settings, and click Create.

Setting Value

Account / Region sfo01w01vc01 / sfo01-w01dc

Name platinum-sfo01-w01-vsan01

Description Storage Policy for Workload Domain 01, Cluster 01

Storage Policy vSAN Default Storage Policy

Datastore / Cluster sfo01-w01-vsan01

Provisioning Type Thin

Preferred Storage for This Region Selected

Capability Tags tier:platinum

Configure a Sample Project in vRealize Automation for Region A

You configure a project in vRealize Automation to define the users that can provision workloads, the priority and cloud zone of deployments, as well as the maximum allowed deployment instances.

Procedure

1 In a Web browser, log in to vRealize Automation by using the cloud services console.

Setting Value

URL https://vra01svr01.rainpole.local/csp/gateway/portal

User name configadmin

Password wsa01svr01_configadmin_password

Domain System Domain

2 On the main navigation bar, click Services.

3 In the My services section, click Cloud Assembly.

4 Click the Infrastructure tab, select Configure > Projects.

5 Click New project.

The New project page opens.

6 On the Summary tab, configure the settings.

Setting Value

Name Sample

Description Sample Project

7 Click the Users tab, click Add groups, configure the settings, and click Add.

Setting | Value for project-admins | Value for project-users
Group | [email protected] | [email protected]
Assign role | Administrator | Member

8 Click the Provisioning tab, click Add cloud zone, configure the settings, and click Add.

Setting Value

Cloud zone sfo01w01vc01 / sfo01-w01dc

Provisioning priority 1

Instances limit 0

Memory limit (GB) 0

CPU limit 0

Storage limit (GB) 0

9 On the Provisioning tab, in the Custom naming section, configure the settings.

Setting Value

Template ${project.name}-${user}-${######}

10 Click Create.

Configure Sample Blueprint in Region A

You configure a sample blueprint to deploy to your organization's cloud providers. Blueprints determine the specifications, such as target cloud region, resources, guest operating systems, and others, for the services or applications that consumers of this blueprint can deploy.

Procedure

1 In a Web browser, log in to vRealize Automation by using the cloud services console.

Setting Value

URL https://vra01svr01.rainpole.local/csp/gateway/portal

User name configadmin

Password wsa01svr01_configadmin_password

Domain System Domain

2 On the main navigation bar, click Services.

3 In the My services section, click Cloud Assembly.

4 Click the Design tab and, on the Blueprints page, click New.

5 In the New blueprint dialog box, configure the settings and click Create.

Setting Value

Name Sample Blueprint

Description Sample Blueprint

Project Sample

Blueprint sharing in Service Broker Share only with this project

6 On the Blueprints page, click Sample blueprint to open its design page.

7 In the Code editor, enter the following YAML code.

name: Sample Workload
formatVersion: 1
inputs:
  targetCloud:
    type: string
    oneOf:
      - title: Rainpole Private Cloud
        const: 'cloud:private'
    title: Cloud
    description: Select a target cloud.
  targetRegion:
    type: string
    oneOf:
      - title: Region A (US West 1)
        const: 'region:sfo'
    title: Region
    description: Select a target region.
  targetEnvironment:
    type: string
    oneOf:
      - title: Production
        const: 'env:prod'
      - title: Development
        const: 'env:dev'
    title: Environment
    description: Select a target environment.
  targetFunction:
    type: string
    oneOf:
      - title: Web Server
        const: 'function:web'
      - title: Application Server
        const: 'function:app'
      - title: Database Server
        const: 'function:db'
    title: Function
    description: Select a target function.
  performanceTier:
    type: string
    oneOf:
      - title: Platinum
        const: 'tier:platinum'
    title: Performance Tier
    description: Select a performance tier.
  operatingSystem:
    type: string
    oneOf:
      - title: Ubuntu Server 19.10
        const: ubuntu-server-1910
      - title: Ubuntu Server 18.04 LTS
        const: ubuntu-server-1804-lts
      - title: Microsoft Windows Server 2019 Standard
        const: windows-server-2019-standard
      - title: Microsoft Windows Server 2016 Standard
        const: windows-server-2016-standard
    title: Operating System and Version
    description: Select an operating system and version.
  nodeSize:
    type: string
    oneOf:
      - title: X-Small
        const: x-small
      - title: Small
        const: small
      - title: Medium
        const: medium
      - title: Large
        const: large
      - title: X-Large
        const: x-large
    title: Node Size
    description: 'Select a standard node size.<br/><br/>Refer to <a href="https://support.rainpole.local" target="_blank">support.rainpole.local/sizing</a> for our standard resource sizing.'
  nodeCount:
    type: integer
    default: 1
    maximum: 100
    title: Node Count
    description: Select the number of VMs between 1 and 100.
resources:
  Cloud_vSphere_Machine_1:
    type: Cloud.vSphere.Machine
    properties:
      # The selected operating system sets both the image and the customization specification.
      image: '${input.operatingSystem}'
      flavor: '${input.nodeSize}'
      count: '${input.nodeCount}'
      customizationSpec: '${input.operatingSystem}'
      # Constraint tags restrict machine placement to the selected cloud and region.
      constraints:
        - tag: '${input.targetCloud}'
        - tag: '${input.targetRegion}'
      networks:
        - network: '${resource.Cloud_NSX_Network_1.id}'
          assignment: static
      attachedDisks: []
  Cloud_NSX_Network_1:
    type: Cloud.NSX.Network
    properties:
      networkType: existing
      # Constraint tags select an existing network by function and environment.
      constraints:
        - tag: '${input.targetFunction}'
        - tag: '${input.targetEnvironment}'

8 Test the sample blueprint.

a On the Sample blueprint design page, click Test.

b In the Testing Sample dialog box, configure the settings and click Test.

Setting Value

Cloud Rainpole Private Cloud

Region Region A (US West 1)

Environment Production

Function Web Server

Performance tier Platinum

Operating system and version Ubuntu Server 18.04 LTS

Node size Small

Node count 1

The simulation examines syntax, placement, and blueprint validity.

9 Version the sample blueprint.

a On the Sample blueprint design page, click Version.

b In the Creating version dialog box, configure the settings and click Create.

Setting Value

Version 1.0

Description Sample Blueprint

Change log Initial Release

Release Select Release this version to the catalog.

c On the Sample blueprint design page, click Close.
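A review check for the blueprint in step 7, added here as an example (it is not VMware's code): it lists inputs that are declared but never referenced under resources, references to undeclared inputs, and numeric inputs without a lower or upper bound. For the full blueprint the same two findings apply as for the excerpt: performanceTier is never referenced, and nodeCount has a maximum but no minimum. The function name lint_blueprint is an assumption of this example, as is 2-space YAML indentation.

```python
import re

# Constructed excerpt of the page's Sample Workload blueprint: three of its
# eight inputs and the machine properties that reference them.
EXCERPT = """\
inputs:
  performanceTier:
    type: string
    oneOf:
      - title: Platinum
        const: 'tier:platinum'
  nodeSize:
    type: string
  nodeCount:
    type: integer
    default: 1
    maximum: 100
resources:
  Cloud_vSphere_Machine_1:
    type: Cloud.vSphere.Machine
    properties:
      flavor: '${input.nodeSize}'
      count: '${input.nodeCount}'
"""


def lint_blueprint(text):
    """Return sorted findings for a Cloud Assembly blueprint given as YAML text."""
    inputs, section, current = {}, None, None
    for line in text.splitlines():
        top = re.match(r"^(\w+):\s*$", line)
        if top:
            section, current = top.group(1), None
        elif section == "inputs":
            name = re.match(r"^  (\w+):\s*$", line)       # input name, 2-space indent
            key = re.match(r"^    (\w+):\s*(.*)$", line)  # its schema keys, 4-space indent
            if name:
                current = name.group(1)
                inputs[current] = {}
            elif key and current:
                inputs[current][key.group(1)] = key.group(2)
    used = set(re.findall(r"\$\{input\.(\w+)\}", text))
    findings = [f"{n}: declared but never referenced" for n in set(inputs) - used]
    findings += [f"{n}: referenced but not declared" for n in used - set(inputs)]
    for n, schema in inputs.items():
        if schema.get("type") in ("integer", "number"):
            findings += [f"{n}: no {b} bound" for b in ("minimum", "maximum")
                         if b not in schema]
    return sorted(findings)
```
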

Service Broker Configuration in Region A

To enable users to deploy workloads, you import blueprints, create a content source and share these blueprints within a project in vRealize Automation Service Broker.

Procedure

1 Configure a Content Source for Service Broker in Region A

To provide access to vRealize Automation Cloud Assembly blueprints to users, you create and configure a content source in Service Broker.

2 Share Blueprints from a Content Source in Service Broker in Region A

You can share imported blueprints and content sources within a project to enable project members to deploy these blueprints in the specified cloud zone.

Configure a Content Source for Service Broker in Region A

To provide access to vRealize Automation Cloud Assembly blueprints to users, you create and configure a content source in Service Broker.

Procedure

1 In a Web browser, log in to vRealize Automation by using the cloud services console.

Setting Value

URL https://vra01svr01.rainpole.local/csp/gateway/portal

User name configadmin

Password wsa01svr01_configadmin_password

Domain System Domain

2 On the main navigation bar, click Services.

3 In the My services section, click Service Broker.

4 Click the Content and policies tab.

5 In the navigation pane, click Content sources, click New, configure the settings, and click Validate.

Setting Value

Type Cloud Assembly Blueprint

Name Sample - Blueprints

Description Sample - Blueprints

Source Project Sample

6 On the New content source page, click Create and import.

Share Blueprints from a Content Source in Service Broker in Region A

You can share imported blueprints and content sources within a project to enable project members to deploy these blueprints in the specified cloud zone.

Procedure

1 In a Web browser, log in to vRealize Automation by using the cloud services console.

Setting Value

URL https://vra01svr01.rainpole.local/csp/gateway/portal

User name configadmin

Password wsa01svr01_configadmin_password

Domain System Domain

2 On the main navigation bar, click Services.

3 In the My services section, click Service Broker.

4 Click the Content and policies tab.

5 In the navigation pane, click Content sharing.

6 In the Project text box, enter Sample and click Add items.

7 In the Share items with Sample dialog box, from the Content sources drop-down menu, select Content sources, select the Sample blueprints, and click Save.

Deploy Sample Blueprint in Region A

After you import the Cloud Assembly blueprint and share it with members of your project, you test the provisioning by requesting a deployment.

Procedure

1 In a Web browser, log in to vRealize Automation by using the cloud services console.

Setting Value

URL https://vra01svr01.rainpole.local/csp/gateway/portal

User name configadmin

Password wsa01svr01_configadmin_password

Domain System Domain

2 On the main navigation bar, click Services.

3 In the My services section, click Service Broker.

4 Click the Catalog tab.

5 In the Sample blueprint card, click Request.

6 On the New request page, configure the settings and click Submit.

Setting Value

Version 1.0

Deployment name Sample Deployment

Project Sample

Node size Small

Node count 1

Cloud Rainpole Private Cloud

Region Region A (US West 1)

Function Web Server

Operating system and version Ubuntu Server 18.04 LTS

Performance tier Platinum

Environment Production

7 Verify that the deployment completes successfully.

a Click the Deployments tab and click the Sample deployment card.

b Click the History tab and click the Request details tab.

c Verify that the table shows the applied blueprint constraint tags.

d When the deployment completes, verify that the Sample deployment card has the Create Successful tag.
