Virtualjad-Vcac 6 Poc Guide 6.0-1.1

© 2014 VMware Inc. All rights reserved. vCloud Automation Center 6.0 Proof of Concept and Detailed Implementation Guide Jad El-Zein Principal Engineer [email protected] virtualjad.com | @virtualjad Version 6.0-1.1 (updated 06-21-14)

Page 2: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

vCloud Automation Center 6.0 POC Guide v6.0-1.1 by Jad El-Zein

Introduction

This [unofficial] Proof of Concept and Detailed Installation guide is provided, with no guarantees (or support), to help with the implementation of vCloud Automation Center 6.0 in a pre-configured vSphere 5.x environment.

The guide walks through – in plenty of detail – vCAC 6.0’s deployment, concepts, technologies, and features as they would be used in a real-world implementation. This document can also double as an unofficial hands-on training guide which covers:

–  New Features in vCAC 6.0.x

–  Deployment Architecture

–  Implementation on VMware platforms (vSphere)

–  IaaS and XaaS Service Configuration

–  Usage and Navigation

–  Advanced Concepts | XaaS

Please provide any feedback to [email protected]

Page 3: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

EZLAB Logical Architecture

Page 4: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

vCAC 6.0 Install & Config Workflow

Workflow phases: Deploy / Config, IaaS Config, XaaS Config

Prerequisites Review

Deploy vCAC ID VA (SSO)

Deploy vCAC VA

Configure IaaS Prereqs

Run IaaS Prereq Checker

Install vCAC IaaS Services

Admin Portal Config

Create initial Tenant

Add vSphere Endpoint

Define Fabric Group

Define Business Group

Create Reservation Policy

Create Network Profile

Create Resource Reservation

Create IaaS Blueprints

Add Catalog Services

Manage Catalog Items

IaaS Entitlements

Governance & Approvals

XaaS Sample Use Case

vCO Configuration

XaaS Entitlements

END!

Page 5: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Prerequisites Review

Before You Begin | Provisioning Requirements

Page 6: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

IaaS & XaaS Provisioning Requirements

§  For vSphere Provisioning:

–  Fully configure vCenter + vSphere environment per best practices

–  At least 1 vSphere HA+DRS Cluster

–  At least 1 Datastore

–  At least 1 Virtual Switch (standard or dvs acceptable)

–  vMotion properly configured

–  Roles & Permissions appropriately set (in vSphere 5.5, use LDAP vs. SSO)

–  Ensure at least 1 template is available for blueprint creation

–  Optional: Create a Resource Pool for vCAC machine placement (no reservations or limits)

–  Optional: VM with a snapshot for Linked Clone blueprints

§  For XaaS Service Provisioning:

–  vCenter Orchestrator 5.5 (the vCAC VA ships with vCO embedded, but you can optionally use an external instance)

–  Appropriate vCO Plugins, configured

–  An imagination and/or real use case examples (we’ll take a look at a DaaS use case)

Page 7: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Deploying vCAC 6 Virtual Appliances

vCAC Identity VA (SSO), vCAC “Core” VA

Page 8: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Deploying vCAC Identity VA

Deploy OVF Template

Deploying vCAC ID OVF

Ensure you have downloaded the appropriate vCAC 6.0.x Virtual Appliances (OVAs) from vmware.com and make them accessible ahead of the install.

vCAC ID VA (SSO) - VMware-Identity-Appliance-2.0.1.0-1545089_OVF10.ova

vCAC VA - VMware-vCAC-Appliance-6.0.1.0-1569764_OVF10.ova

The IaaS installer (.exe) is embedded in the appliance and does not require a separate download.

²  Log into the vSphere Web Client

²  Right-click on the appropriate cluster and select “Deploy OVF Template…” from the menu…

Page 9: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Deploying vCAC Identity VA

Select OVA Source

²  Select “Local file” button

²  Click on “Browse…” and locate the previously downloaded OVA file: VMware-Identity-Appliance-2.0.1.0-1545089_OVF10.ova

²  Click Next to continue…

Page 10: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Deploying vCAC Identity VA

Review OVA Details

²  Verify you are deploying the appropriate OVA.

²  Click Next to continue…

Page 11: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Deploying vCAC Identity VA

Accept EULA

²  Read (scan) VMware’s EULA

²  Click Next to continue…

Page 12: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Deploying vCAC Identity VA

Select name and folder

²  Enter a VM name (this is the name that shows up in vCenter Inventory)

²  Select an appropriate VM folder or available datacenter

²  Click Next to continue…

Page 13: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Deploying vCAC Identity VA

Select storage

²  Select an optional VM Storage Policy (if available)

²  Select an available Datastore (using “vsanDatastore” in this example)

²  Click Next to continue…

Page 14: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Deploying vCAC Identity VA

Setup networks

²  Map the VA’s source network to an available Destination network. You can select any available standard or distributed port group, just as long as it is accessible by vCenter and the Hosts.

²  Keep IPv4 Selected for IP protocol

²  Click Next to continue…

Page 15: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Deploying vCAC Identity VA

Customize template

²  Enter details for all required fields:

•  Enter/Confirm root password

•  Hostname (*FQDN REQUIRED*)

•  Default Gateway

•  DNS (comma separated)

•  Network IP Address / Subnet

²  Click Next to continue…

Note: Be sure a DNS record exists before continuing. Also make sure you use the FQDN hostname.

Page 16: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Deploying vCAC Identity VA

Review settings

²  Review all your inputs and make any necessary changes by clicking the “Back” button

²  Click Finish to deploy.

The ID VA will deploy in a matter of minutes. Give it an opportunity to boot and start its services prior to moving to the next step…

Page 17: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Deploying vCAC Identity VA

Log into SSO’s Virtual Appliance Management Interface (VAMI)

²  Once deployed, log into the Virtual Appliance Management Interface (VAMI) to configure SSO services

²  Go to https://<IDVA_FQDN>:5480

•  Username: root

•  Password: <configured pw>

²  Click Login…

Page 18: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Deploying vCAC Identity VA

VAMI: Configure System Settings

²  Go to the “System” tab

²  In the Time Zone section, select your appropriate time zone from the drop-down

²  Click “Save Settings”…

Page 19: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Deploying vCAC Identity VA

VAMI: SSO configuration

The ID VA is preconfigured with a default System Domain “vsphere.local” and a default admin account “administrator@vsphere.local”. This account will be used for initial configuration.

²  Navigate to the “SSO” tab

²  In the “SSO” subsection, enter a password for the System Domain admin account

²  Click Apply

²  Validate SSO is initialized (it can take a couple of minutes for the service to initialize)…

Page 20: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Deploying vCAC Identity VA

VAMI: SSO Host Settings

²  Navigate to the “Host Settings” section of the SSO tab

²  The SSO Host Settings should be pre-populated with the VA’s FQDN address

²  Append “:7444” to the end of the FQDN

²  Click Apply…

Note: be sure the FQDN is displayed here. If not, you can adjust the hostname in the “Network” tab.

Page 21: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Deploying vCAC Identity VA

VAMI: SSO SSL Settings

²  Navigate to the “SSL” section of the SSO tab

²  The ID VA ships with a self-signed SSL certificate – you can change or replace the certificate here. For the sake of this setup, keep the existing certificate…

Page 22: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Deploying vCAC Identity VA

VAMI: Active Directory Configuration

²  To configure native Active Directory connection, enter the appropriate settings:

•  Domain Name: <domain fqdn>

•  Domain User: <domain acct>

•  Password: <pw>

²  Click “Join AD Domain”

Note: this step is optional and is intended to create a native Active Directory connection from the SSO engine. A native AD connection provides increased performance and scale and only applies to the default System Domain (vsphere.local).

Page 23: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Deploying vCAC “Core” VA

Select OVA source

²  Select “Local file” button

²  Click on “Browse…” and locate the previously downloaded OVA file: VMware-vCAC-Appliance-6.0.1.0-1569764_OVF10.ova

²  Click Next to continue…

Page 24: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Deploying vCAC “Core” VA

Verify OVA details

²  Verify you are deploying the appropriate OVA.

²  Click Next to continue…

Page 25: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Deploying vCAC “Core” VA

Accept EULAs

²  Read (scan) VMware’s EULA

²  Click Next to continue…

Page 26: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Deploying vCAC “Core” VA

Select name and folder

²  Enter a VM name (this is the name that shows up in vCenter Inventory)

²  Select an appropriate VM folder or available datacenter

²  Click Next to continue…

Page 27: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Deploying vCAC “Core” VA

Select storage

²  Select an optional VM Storage Policy (if available)

²  Select an available Datastore (using VSAN in this example)

²  Click Next to continue…

Page 28: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Deploying vCAC “Core” VA

Setup networks

²  Map the VA’s source network to an available Destination network. You can select any available standard or distributed port group

²  Keep IPv4 Selected for IP protocol

²  Click Next to continue…

Page 29: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Deploying vCAC “Core” VA

Customize OVA

²  Enter details for all required fields:

•  Enter/Confirm root password

•  Hostname (*FQDN REQUIRED*)

•  Default Gateway

•  DNS (comma separated)

•  Network IP Address / Subnet

²  Click Next to continue…

Note: Be sure a DNS record exists before continuing. Also make sure you use the FQDN hostname.

Page 30: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Deploying vCAC “Core” VA

Ready to complete

²  Review all your inputs and make any necessary changes by clicking the “Back” button

²  Click Finish to deploy

The vCAC VA will deploy in a matter of minutes. Give it an opportunity to boot and start its services prior to moving to the next step…

Page 31: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Deploying vCAC “Core” VA

Log into vCAC’s Virtual Appliance Management Interface (VAMI)

²  Once deployed, log into the Virtual Appliance Management Interface (VAMI) to configure vCAC’s services

²  Go to https://<vCAC_FQDN>:5480

•  Username: root

•  Password: <configured pw>

²  Click Login…

Page 32: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Deploying vCAC “Core” VA

VAMI: System Settings

²  Go to the “System” tab

²  In the Time Zone section, select your appropriate time zone from the drop-down

²  Click “Save Settings”…

Page 33: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Deploying vCAC “Core” VA

VAMI: vCAC Host Settings

²  Navigate to the “Host Settings” section under the “vCAC Settings” tab

²  Click “Resolve Host Name” to initiate a DNS query and automatically fill in the hostname (this step validates an FQDN exists – if anything other than the FQDN is returned, double-check your DNS settings. The hostname can be manually adjusted from the “Network” tab)

²  Click Save Settings…

Page 34: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Deploying vCAC “Core” VA

VAMI: SSL Certificate

²  Navigate to the “SSL” section under the “vCAC Settings” tab (Note: unlike the SSO appliance, the vCAC Appliance does not come with a self-signed certificate – this step configures one)

²  From the “Choose Action” drop-down, select “Generate Self-Signed Certificate”

²  Enter the appropriate details:

•  Common Name

•  Organization

•  Organizational Unit

•  Country Code

²  Click “Replace Certificate”

Page 35: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Deploying vCAC “Core” VA

VAMI: SSO Settings

Now we will plug the vCAC VA into the SSO service previously configured in the vCAC Identity Appliance.

²  Enter the ID VA’s FQDN and Port as shown – <ID_FQDN>:7444 (do not use “https”)

²  The SSO Default Tenant is auto-filled with the default System Domain “vsphere.local”

²  Enter the SSO Admin User – “administrator”

²  Enter the Admin Password – <configured pw> (this password is created during SSO initialization – see slide 20)

²  Click “Save Settings” (be patient – this may take up to 10 minutes)

Note: for the sake of this guide, I have chosen to use the stand-alone Identity Server for SSO services. Since the release of vCenter 5.5b, you can optionally use that SSO service instead. In that case, you would plug in the FQDN of that service here instead.

Page 36: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Deploying vCAC “Core” VA

VAMI: Licensing

²  Navigate to the “Licensing” section under the “vCAC Settings” tab

²  Enter a valid vCAC or vCloud Suite license key

²  Click “Submit Key”. Keep this key handy -- you will use it again in a later step during IaaS configuration.

²  Log out of the VAMI once the License is validated

At this point you have completed ID/SSO and vCAC appliance configurations. The next sections dive into the prerequisites and installation configuration of the vCAC IaaS services, which are installed on a dedicated Windows 2008 R2 or 2012 VM.

Page 37: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Installing vCAC IaaS Services

IaaS Prerequisites | IaaS Service Install

Page 38: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Before You Begin…

vCAC’s IaaS engine is a .NET-based application and must be installed on a dedicated Windows machine (2008 R2 or 2012). The following steps walk you through the configuration of prerequisites and service dependencies and are executed locally on the IaaS server (via RDP, console session, etc).

§  Be sure to start with a clean Windows Server 2008 R2 image (vCAC 6.0 supports Windows 2012, but I use Windows 2008 R2 in this guide)

–  2 vCPU

–  4-8GB vRAM

–  30GB Disk

§  Use a dedicated Active Directory service account with local admin privileges during setup and install of all components – I use “LAB\vcacsrvc” for IaaS Setup.

§  Run Windows Update and ensure the host VM is up to date with all recommended patches

§  Disable Windows Firewall on all vCAC VMs

§  Microsoft .NET Framework 4.5. Note that .NET 4.5.1 is NOT supported on Windows 2008 R2 or 2012 implementations -- use the installer that is packaged with the vCAC VA.

§  Ensure all other prerequisites have been implemented

§  Have the vCAC 6.0 Installation and Operations guides handy for reference

Page 39: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

IaaS Installation Prerequisites

§  Internet Information Services (IIS) modules:

–  Windows Authentication

–  Static Content

–  Default Document

–  ASP.NET

–  ISAPI Extensions

–  ISAPI Filter

§  IIS Authentication:

–  Windows Authentication enabled

–  Anonymous Authentication disabled

–  Negotiate Provider enabled

–  NTLM Provider enabled

–  Windows Authentication Kernel Mode enabled

–  Windows Authentication Extended Protection disabled

§  IIS Windows Process Activation Service roles:

–  Configuration API

–  Net Environment

–  Process Model

–  WCF Activation

–  HTTP Activation

–  Non-HTTP Activation

§  vCAC IaaS Services Requirements:

•  Microsoft Distributed Transaction Coordinator Service (MS DTC) enabled

•  Ensure there are no firewalls between vCAC Server and Database Server or web server

•  Enable and Start the Secondary Logon Service on the vCAC server

•  Microsoft .NET Framework 4.5

•  Secondary Log On Service enabled (set to manual or automatic start)

§  Database Requirements:

•  MS SQL Server 2008 (or higher) or MS SQL Express 2010 (or higher)

•  Ensure the vCAC Service account has ‘dbo’ and ‘sysadmin’ rights to the SQL Server Instance

NOTE: it is recommended to be logged in using the service account during the install

Page 40: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Install Prerequisite Services – IIS

Install Web Server (IIS) Server Role

²  From Server Manager, select Roles

²  Select “Add Roles”

²  In the “Select Server Roles” dialog, select “Web Server (IIS)”

²  Click Next

Page 41: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Install Prerequisite Services – IIS (cont.)

Install Web Server (IIS) Server Role (cont.)

²  Click Next to select Role Services

²  In Role Services dialog, select all the roles displayed below

²  Click Install

Page 42: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Add Service Features

Install Windows Process Activation Services & .NET Framework Features

²  Open Server Manager

²  Select “Features” from the menu pane

²  Select “Add Features” on the right

²  Ensure the features below are selected

²  Click Next

²  Click Install

Page 43: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Configure IIS Authentication Services

§  Enable IIS Server Windows Authentication

²  From Server Manager, select Roles

²  Under Web Server (IIS) role click on “Internet Information Services (IIS) Manager”

²  Expand [server name]

²  Expand “Sites” folder

²  Click on the “Default” website (or where vCAC will be installed)

²  Under “IIS” section, double-click on “Authentication”

²  Right-click on “Windows Authentication” and select “Enable”

Page 44: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Configure IIS Authentication Services (cont.)

§  Disable IIS Server Anonymous Authentication

²  From Server Manager, select Roles

²  Under Web Server (IIS) role click on “Internet Information Services (IIS) Manager”

²  Expand [server name]

²  Expand “Sites” folder

²  Click on the “Default” website (or where vCAC will be installed)

²  Under “IIS” section, double-click on “Authentication”

²  Right-click on “Anonymous Authentication” and select “Disable”

Page 45: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Configure IIS Authentication Services (cont.)

Disable IIS Server Windows Authentication Extended Protection & Enable Kernel-mode

²  From Server Manager, select Roles

²  Under Web Server (IIS) role click on “Internet Information Services (IIS) Manager”

²  Expand [server name]

²  Expand “Sites” folder

²  Click on the “Default” website (or where vCAC will be installed)

²  Select “Windows Authentication” then click on “Advanced Settings…” on the right

²  Ensure that Extended Protection is set to “Off”

²  Ensure “Enable Kernel-mode authentication” is checked

²  Click OK to exit

NOTE: even if these settings are already configured (by default), you may need to toggle them and reset IIS to make sure services register
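
Added example (not part of the original guide): the PowerShell below reads back the IIS authentication settings configured on the three slides above and compares them with the values the guide calls for. It assumes the IaaS components use “Default Web Site” and that the WebAdministration module installed with the IIS role is available; Test-VcacIisAuthentication and Get-AuthAttribute are names made up for this example.

```powershell
# Added example, not from the guide: audit the IIS authentication settings it sets by hand.
# Assumption: vCAC IaaS lives under "Default Web Site"; pass -Site to check another site.
# Test-VcacIisAuthentication and Get-AuthAttribute are names invented for this example.
Import-Module WebAdministration

function Get-AuthAttribute {
    param([string]$PsPath, [string]$Filter, [string]$Name)
    $p = Get-WebConfigurationProperty -PSPath $PsPath -Filter $Filter -Name $Name
    # Simple attributes can come back wrapped in an object with a Value property,
    # enum attributes as a plain string; return the bare value either way.
    if ($null -ne $p -and $p.PSObject.Properties['Value']) { return $p.Value }
    return $p
}

function Test-VcacIisAuthentication {
    param([string]$Site = 'Default Web Site')

    $psPath = "IIS:\Sites\$Site"
    $auth   = 'system.webServer/security/authentication'
    $win    = "$auth/windowsAuthentication"

    # Providers are a collection: <providers><add value="Negotiate" /> ...
    $providers = @(Get-WebConfiguration -PSPath $psPath -Filter "$win/providers/add" |
                   ForEach-Object { $_.value })

    # Each row: setting name, value the guide requires, value found on this server
    $rows = @(
        @('Windows Authentication enabled',   $true,  (Get-AuthAttribute $psPath $win 'enabled')),
        @('Anonymous Authentication enabled', $false, (Get-AuthAttribute $psPath "$auth/anonymousAuthentication" 'enabled')),
        @('Negotiate provider present',       $true,  ($providers -contains 'Negotiate')),
        @('NTLM provider present',            $true,  ($providers -contains 'NTLM')),
        @('Kernel-mode authentication',       $true,  (Get-AuthAttribute $psPath $win 'useKernelMode')),
        # "Off" in IIS Manager is stored as tokenChecking="None"
        @('Extended Protection (tokenChecking)', 'None', (Get-AuthAttribute $psPath "$win/extendedProtection" 'tokenChecking'))
    )

    foreach ($r in $rows) {
        New-Object PSObject -Property @{
            Setting  = $r[0]
            Expected = $r[1]
            Actual   = $r[2]
            Match    = ("$($r[2])" -eq "$($r[1])")   # compare as text: True/False/None
        } | Select-Object Setting, Expected, Actual, Match
    }
}

Test-VcacIisAuthentication | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the IaaS server after the `iisreset`; any row with Match = False points at the slide whose setting did not register.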

Page 46: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Configure IIS – Registering .NET

Register .NET 4.5 with IIS

Once you’ve completed all the configurations, you may need to register .NET 4.5 with the IIS service to ensure vCAC’s web services are using the appropriate version

²  From the “Start” menu, right-click “Command Prompt” and select “Run as administrator”

²  Navigate to C:\Windows\Microsoft.Net\Framework64\v4.0.30319  

²  Type “aspnet_regiis -i”, hit enter

Reset IIS

²  From the “Start” menu, right-click “Command Prompt” and select “Run as administrator”

²  Type “iisreset”, hit enter

(you can also restart IIS Admin service from the “Services” admin)

Page 47: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Configure MS DTC

Configure MS Distributed Transaction Coordinator (DTC) to allow DTC communications to/from your DB server

²  Open Component Services from Administrative Tools

²  Expand Component Services -> Computers -> My Computer -> Distributed Transaction…

²  Right-click “Local DTC” and select Properties

²  In the “Security” tab, make sure the following are checked:

–  Network DTC Access

–  Allow Remote Clients

–  Allow Remote Administration

–  Allow Inbound

–  Allow Outbound

–  Mutual Authentication Required

²  Click OK

NOTE: make sure your DB server is also set to allow these communications. And make sure there are no firewall policies blocking any needed network traffic
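
Added example (not part of the original guide): this PowerShell reads the registry values behind the Local DTC “Security” tab and compares them with the check boxes listed above, so the same check can be run on the IaaS server and on the database server. Test-VcacDtcSecurity is a name made up for this example; the registry value names are the ones MS DTC uses on Windows Server 2008 R2 and 2012.

```powershell
# Added example, not from the guide: compare MS DTC's registry settings with the
# check boxes on the Local DTC "Security" tab. Run on the IaaS server and the DB server.
# Test-VcacDtcSecurity is a name invented for this example.
function Test-VcacDtcSecurity {
    $root = 'HKLM:\SOFTWARE\Microsoft\MSDTC'
    $sec  = "$root\Security"

    # Each row: check box in the guide, registry key, value name, expected DWORD
    $rows = @(
        @('Network DTC Access',             $sec,  'NetworkDtcAccess',                 1),
        @('Allow Remote Clients',           $sec,  'NetworkDtcAccessClients',          1),
        @('Allow Remote Administration',    $sec,  'NetworkDtcAccessAdmin',            1),
        @('Allow Inbound',                  $sec,  'NetworkDtcAccessInbound',          1),
        @('Allow Outbound',                 $sec,  'NetworkDtcAccessOutbound',         1),
        # "Mutual Authentication Required" is stored as this combination of three values
        @('Mutual Authentication Required', $root, 'AllowOnlySecureRpcCalls',          1),
        @('Mutual Authentication Required', $root, 'FallbackToUnsecureRPCIfNecessary', 0),
        @('Mutual Authentication Required', $root, 'TurnOffRpcSecurity',               0)
    )

    foreach ($r in $rows) {
        $name   = $r[2]
        $item   = Get-ItemProperty -Path $r[1] -Name $name -ErrorAction SilentlyContinue
        $actual = $null                      # stays $null when the value is absent
        if ($item) { $actual = $item.$name }
        New-Object PSObject -Property @{
            Setting  = $r[0]
            Value    = $name
            Expected = $r[3]
            Actual   = $actual
            Match    = ($actual -eq $r[3])
        } | Select-Object Setting, Value, Expected, Actual, Match
    }

    # Also report whether the MSDTC service itself is running
    $svc = Get-Service -Name MSDTC
    New-Object PSObject -Property @{
        Setting  = 'MSDTC service'
        Value    = 'Status'
        Expected = 'Running'
        Actual   = "$($svc.Status)"
        Match    = ($svc.Status -eq 'Running')
    } | Select-Object Setting, Value, Expected, Actual, Match
}

Test-VcacDtcSecurity | Format-Table -AutoSize
```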

Page 48: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Configure Local Security Policies

²  Configure Local Security Policies for vCAC’s Service Account

²  Open “Local Security Policy” from the Administrative Tools

²  Expand “Local Policies”

²  Select the “User Rights Assignment” sub folder

²  In the right hand pane, double-click “Log on as a batch job”

²  Click Add User or Group button and add the vCAC service account to the list

²  Click OK

²  Repeat these steps for the “Log on as a service” policy

²  Once complete, reboot the VM

Page 49: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Installing vCAC IaaS Services

Download the IaaS Installer

²  Log into the vCAC IaaS Server (RDP / VMRC) using the vCAC Service Account (be sure the service account has local admin privileges)

²  Launch your web browser of choice and connect to the vCAC VA’s file download page: https://<vCAC_FQDN>:5480/Installer

²  Click the download link for setup.exe under IaaS Installation

²  Save the installer to the desktop (or any local path)

²  Once saved, you can close or minimize the browser window…

(notice the download link automatically appends a string to the .exe that is used for initial configuration by the installation wizard…specifically, vCAC’s FQDN and VAMI port)

Page 50: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Installing vCAC IaaS Services

Launch the IaaS installer

²  Locate the saved setup.exe file on your desktop (or wherever you saved it)

²  Right-click and select “Run as administrator”

²  Click “Next” after carefully reading the Welcome message…

Page 51: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Installing vCAC IaaS Services

End-User License Agreement

²  Read and accept the VMware EULA

²  Click “Next” to continue…

Page 52: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Installing vCAC IaaS Services

Log into vCAC VAMI

²  Enter the Username and Password of the vCAC VAMI (this is the same PW used to log into vCAC VA management):

•  User name: root

•  Password: <root_pw>

²  Click “Next” to continue…

Page 53: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Installing vCAC IaaS Services

Installation Type

²  Select “Complete Install” to install and configure all vCAC IaaS components on this machine

²  Click “Next” to continue…

Note: the same installer is used to install vCAC’s individual IaaS components for distributed installs, reinstallation, etc.

Use “Custom Install” option to install individual IaaS components:

•  Manager Service

•  Model Manager Web Service

•  Model Manager Data

•  IaaS Admin Portal

•  DEM Orchestrator

•  DEM Worker

•  vSphere Endpoint Agent

•  Web API

Page 54: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Installing vCAC IaaS Services

Verify Prerequisites

The Prerequisites checker runs through the system configuration to verify all prereqs have been completed.

²  Verify all the Prereqs display a green arrow. Note that the MSSQLSERVER check will fail if SQL or SQL Express are not installed on the local machine. You can safely ignore this by clicking the “Bypass” button while the warning is highlighted.

²  Click “Next” to continue…

If any of the prerequisites fail to be verified, review the prereqs section to ensure all pre-installation tasks have been completed. Not having prereqs installed is the most common cause of a failed installation.

Page 55: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Installing vCAC IaaS Services

Server and Account Settings

²  Enter all the appropriate information in the fields:

•  Username: <vcac service acct> (entered as DOMAIN\UN)

•  PW: <pw>

•  Passphrase: <any_text>

²  SQL DB Info

•  Server: <sql fqdn>

•  DB name: <new db name>

•  Select “Use Windows auth”

²  Click “Next” to continue…

Note: vCAC’s installer automatically creates the DB instance in SQL – do not pre-create it unless you’re planning on manually using the DB script for installation (hint: let the installer do it)

Using Windows Authentication assumes you’re logged in with a domain account (preferably a dedicated service account), which has dbo and sysadmin rights to the SQL Server. If not, you’ll need to enter the appropriate credentials here. SQL permissions can be adjusted after the install.

Page 56: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Installing vCAC IaaS Services

DEM Configuration

vCAC installs Distributed Execution Managers (DEM’s) to execute IaaS workflows and tasks. Two DEM’s are installed by default: the DEM Worker and DEM Orchestrator. The Worker role is responsible for executing IaaS workflows and the Orchestrator role is responsible for monitoring DEM Worker instances, pre-processing workflows for execution, and scheduling workflows.

²  The setup wizard automatically configures and installs the DEM’s on the local machine – accept the default names:

•  Worker: DEM

•  Orchestrator: DEO

Agents are the integration points for the supported Endpoints, in this case it’s vSphere (vCenter):

²  Ensure “Install and configure vSphere agent” is checked

²  vSphere Agent Details:

•  Agent name: vSphereAgent

•  Endpoint name: <vcenter_name>

²  Click “Next” to continue…

The Endpoint name MUST match the endpoint configured in vCAC IaaS. I prefer to use the vCenter shortname here.

Page 57: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Installing vCAC IaaS Services

IaaS Component Registry

²  Component Registry:

•  Server: <vcacva_fqdn>

•  SSO Default Tenant: vsphere.local (clicking “Load” will auto fill this)

²  Certificate: click on “Download” to download the self-signed certificate from vCAC

²  Click “Accept Certificate”

²  SSO Admin Credentials:

•  UN: administrator@vsphere.local

•  PW: <admin pw> (created during SSO initialization – see slide 20)

²  IaaS

•  IaaS Server: <local server FQDN>

²  Click “Test” where applicable to validate the configuration

²  Click “Next” to continue…

Page 58: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Installing vCAC IaaS Services

Ready to Install

²  Review the installation tasks

²  Click “Install” when ready…

Page 59: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Installing vCAC IaaS Services

Installing…

²  Sit back as the installer deploys and configures each IaaS component.

²  Be patient, this can take up to 10 minutes to complete…

Page 60: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Installing vCAC IaaS Services

Installation complete

²  Done!

²  Uncheck “Guide me…” – we’ll step through all the configuration steps in the next section.

²  Click “Finish” to exit the installer

²  You can log out from the IaaS server

At this point the vCAC installation is complete. You should allow an additional 5-10 minutes for all the IaaS services to register to the vCAC VA.

Take a quick break then move on to the next section, “IaaS Configuration”

Page 61: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Admin Portal Config

Global Settings | Creating Initial Tenant

Page 62: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Administration Portal

Logging in for the first time

After giving IaaS components ample time to register with vCAC, log in to the admin portal to complete admin configuration tasks, including…

•  Add / Update Tenants

•  Add / Modify Roles & Permissions

•  Branding

•  SMTP Preferences

•  vCO Integration

²  Open your browser of choice (Firefox preferred) and enter vCAC’s Admin Portal URL:

•  https://<vcacva_fqdn>/shell-ui-app

²  Log in to vCAC using the Default (“system”) Domain UN and PW. The default domain is “vsphere.local”

•  UN: administrator@vsphere.local

•  PW: <admin_pw>

²  Click “Login”…

Page 63: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Creating Initial Tenant

Administration Portal – Add Tenant

A Tenant is created to provide access to vCAC’s services to a specific group of users/consumers. Each tenant may have unique authentication sources, policies, and services. Create a new tenant rather than using vsphere.local.

–  Navigate to “Tenants” in the “Administration” tab.
–  Click + to add a new Tenant (you should only see the system tenant, vsphere.local, at this point)
–  Enter a Name and Description for the new tenant
–  Enter a URL Name. The URL name is the alias that will be appended to vCAC’s URL when tenant users log in. Choose something short yet descriptive of the tenant. In this example I selected “ops” for the Cloud Operations tenant. Once created, users will log in to https://<FQDN>/shell-ui-app/org/ops to access their tenant portal.
–  Enter a Tenant Contact email address
–  Click “Submit and Next” to continue

Page 64: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Creating Initial Tenant

Administration Portal – Add Tenant

Identity Stores

–  In the “Identity Storage” tab, click “+” to add a new authentication source
–  Enter the required information:
•  Name: name of the auth source
•  Type: Active Directory (or LDAP)
•  URL: ldap://<ad_fqdn>:389
•  Domain: Domain DN
•  Domain alias: enter an alias that users can use to log in to vCAC in addition to the domain DN. In this example, a user can log in using [email protected] or [email protected]. The alias cannot be the same as the Tenant URL used in the previous screen.
•  Login user DN: enter the full DN for the vCAC service account (this can be copied directly from AD)
•  Password: service account PW
•  Group base DN: enter your domain’s root DN
•  User base DN: enter your domain’s root DN
–  Click “Test Connection” to validate the config
–  Click “Add” to continue…
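A pre-flight check for the identity store fields above, as an added example that is not part of the original guide or of vCAC. The function names, dictionary keys and sample values are assumptions made for illustration; it flags an `ldap://` URL (no TLS unless StartTLS is negotiated), an alias that collides with the tenant URL name, and malformed or domain-root DNs.

```python
from urllib.parse import urlsplit


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs, honouring backslash-escaped commas."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {part.strip()!r}")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def check_identity_store(cfg, tenant_url_name):
    """Return (severity, field, message) findings for one identity store entry."""
    findings = []
    url = urlsplit(cfg["url"])
    if url.scheme not in ("ldap", "ldaps") or not url.hostname:
        findings.append(("error", "url", "expected ldap://<host>:<port> or ldaps://<host>:<port>"))
    elif url.scheme == "ldap":
        findings.append(("warn", "url",
                         "ldap:// carries the service account bind without TLS unless StartTLS is negotiated"))
    # The guide states the alias cannot equal the tenant URL name.
    if cfg["domain_alias"].lower() == tenant_url_name.lower():
        findings.append(("error", "domain_alias", "alias must differ from the tenant URL name"))
    for field in ("login_user_dn", "group_base_dn", "user_base_dn"):
        try:
            rdns = parse_dn(cfg[field])
        except ValueError as exc:
            findings.append(("error", field, str(exc)))
            continue
        # A base DN made only of DC= components is the domain root.
        if field.endswith("base_dn") and all(attr == "dc" for attr, _ in rdns):
            findings.append(("info", field, "domain root: search scope is the whole domain"))
    return findings


# Constructed sample values, not taken from the guide's lab.
SAMPLE = {
    "url": "ldap://dc01.corp.example:389",
    "domain_alias": "ops",
    "login_user_dn": "CN=svc-vcac,OU=Service Accounts,DC=corp,DC=example",
    "group_base_dn": "DC=corp,DC=example",
    "user_base_dn": "OU=Cloud Users,DC=corp,DC=example",
}

if __name__ == "__main__":
    for severity, field, message in check_identity_store(SAMPLE, "ops"):
        print(f"{severity:5} {field}: {message}")
```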

Page 65: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Creating Initial Tenant

Administration Portal – Add Tenant

Administrators

–  Select Tenant and Infrastructure Administrator roles by typing/searching for AD users and groups in each column.
•  Tenant Administrators are responsible for overall administration of a named Tenant’s users, groups, and policies
•  Infrastructure Administrators are responsible for managing IaaS resources and policies from the Tenant’s “Infrastructure” tab
–  Click “Add” to complete the tenant configuration

Page 66: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Creating Initial Tenant

Administration Portal – Creating a Tenant

–  Verify the new Tenant has been added to the “Tenants” list
–  Repeat the previous steps to add additional tenants

Once Tenant configuration is complete, you are ready to move on to configuring other global settings, such as Branding and SMTP preferences (up next)…

Page 67: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Administration Portal

Branding - Header

Branding

Branding allows Administrators to change the look/feel of the vCAC portal, including adding custom header graphics, changing visible text, and customizing colors.

–  Navigate to the “Branding” section of the “Administration” tab
–  To customize these settings, uncheck the “Use default” option
–  In the Header tab, select “Browse…” in the “Header Logo:” field to select a custom logo file. (NOTE: the logo file should be no larger than 800 x 52px and in .PNG format. Use a transparent background for best appearance)
–  Change remaining fields to reflect your desired look
•  Company Name
•  Product name
•  Background color
•  Text color
–  Click “Next” to go to Footer tab…

Page 68: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Administration Portal

Branding - Footer

–  Fill in the Footer fields to reflect your desired settings:
•  Copyright notice
•  Privacy policy link
•  Contact link
–  Click “Update” to save Branding settings

Page 69: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Administration Portal

Email Servers – Outbound SMTP

Email Servers

–  vCAC uses SMTP servers for external communications such as Alerting, Approvals, Provisioning Status, etc. SMTP servers can be global or per-Tenant. Here we will create an outbound SMTP server to be used by all Tenants
–  Navigate to the “Email Servers” section under the “Administration” tab
–  Click “+” next to Email Servers title to add a new server
–  In the “Add Email Server” pop-up window, select “Email – Outbound”, then click OK…

Page 70: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Administration Portal

Email Servers – Outbound SMTP

–  Configure all the appropriate settings for your SMTP server:
•  Name
•  Description
•  Server Name (address)
•  Encryption
•  Server Port
•  Authentication
•  Auth User Name
•  Auth Password
•  Sender Address
–  If your server requires SSL or TLS, be sure to select “Accept Self Signed Certificates” to avoid communications issues
–  Test Connection to validate
–  Click “Add” to save SMTP settings

Page 71: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

IaaS Configuration

Tenant IaaS Services

–  IaaS Endpoints
–  Business Groups
–  Fabric Groups
–  Network Policies
–  Resource Reservations
–  Reservations Policies
–  Blueprints
–  Catalog Services
–  Entitlements

Page 72: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Tenant IaaS Configuration

Tenant Portal

–  Log in to the new Tenant’s unique URL. The URL is created using the “URL name” when creating the Tenant. In this example, the URL name used was “ops”, so the URL to the Tenant is: https://<FQDN>/shell-ui-app/org/ops
–  Log in to the Tenant Portal using an account that was granted the “Tenant Administrator” and “Infrastructure Administrator” roles during setup.
•  UN: [email protected]
•  PW: <account_pw>
–  Click “Login”…

Page 73: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Tenant IaaS Configuration

Home

Home Tab

At first login, users are taken to the “Home” section, which displays information unique to the user. The Home screen can be customized by adding Portlets. vCAC ships with several admin and user portlets that can provide useful information.

By default only the “My Inbox” portlet is displayed – click on the edit icon circled in red to add additional portlets

Page 74: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Tenant IaaS Configuration

Administration – User Roles

–  Navigate to the “Administration” tab and click on “Users”

vCAC provides several predefined admin roles that entitle users to various roles within a Tenant. During Tenant config, we gave the current user, “jelzein”, the Tenant Administrator and Infrastructure Administrator roles. Now I’d like to add the remaining roles. The roles available in a basic deployment are:

•  Approval Administrator
•  IaaS Administrator
•  Service Architect
•  Tenant Administrator

–  Search for the user whose role you want to edit by entering the name or alias into the search field.
–  Click on the desired account to edit
–  Add all the additional roles available on the right, noting the granted permissions with each role
–  Click “Update”…

NOTE: This can also be done for AD or LDAP Groups in the “Groups” section

Page 75: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Tenant IaaS Configuration

Licensing

IaaS Licensing

–  Navigate to the “Infrastructure” tab then select “Administration”
–  Click on Licensing
–  Click “+” to add a new vCAC license
–  In the “Add Licenses” window, enter a valid vCAC or vCloud Suite license. Various IaaS functions are exposed based on the license used. In this example, I’m entering a vCloud Suite Enterprise license
–  Click “OK” to apply

Page 76: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Adding a vSphere Endpoint

Endpoints

Endpoints are managed resources, clouds, physical infrastructure, etc. that are defined in vCAC to provide a destination for machine deployments. Any supported platform that will be used to deploy machines must be added as an Endpoint. In this example, we will be configuring a vSphere (vCenter) endpoint.

vCenter Orchestrator is also a supported endpoint. vCO adds a significant amount of extensibility and automation to a vCAC environment through external actions…independent of the Advanced Service Designer.

In this step we will create a single vSphere (vCenter) Endpoint.

–  Select “+ New Endpoint” -> Virtual -> and click on “vSphere (vCenter)”…

Note: notice that only vCloud and vSphere Endpoints are visible. This is due to the vCloud Suite license that was entered in the previous step. vCAC’s standalone licenses will enable all supported endpoints.

Page 77: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Adding a vSphere Endpoint

Endpoint Configuration

Endpoint Details

–  Name: Enter the endpoint name (NOTE: this name MUST be the same as the endpoint name entered during IaaS installation)
–  Description: Enter a description that makes sense
–  Address: Enter the full vCenter URL in the “Address:” field. Example: “https://<vcenter_FQDN>/sdk”
–  Credentials: Use the pop-out menu to select existing or create vSphere Credentials that will be used to access this Endpoint. It is a best practice to use a dedicated service account for this. Details for creating Credentials are on the next page

Note: the Endpoint Name MUST match the name that was entered during IaaS Service Installation (see page 57 for details). The default name is “vCenter”…I prefer using the vCenter’s shortname, “ezlab-vc01” in this example.

Page 78: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Adding a vSphere Endpoint

Endpoint Credentials

Configure Endpoint Credentials

–  Enter a name and description that identifies the credential (ex: the endpoint or account name).
–  In the “Username” field, enter the account name that will be used to access vCenter (typically a vCenter service account). Make sure this account has appropriate access to vCenter and its inventory. Enter this account in username@domain format. In this example, a dedicated vCenter service account, [email protected], is specified for access to the vCenter endpoint managing the vSphere hosts.
–  Enter and verify the service account password
–  Click the green check when complete
–  Click “OK” to submit

Page 79: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Defining a Fabric Group

Fabric Groups

Define a Fabric Group

Fabric Groups are created to manage a set of compute resources that are collected from an Endpoint inventory. Fabric Administrators (a set of users or groups) are then assigned to manage those resources.

–  Navigate to “Infrastructure” tab -> “Groups” -> “Fabric Groups”
–  Click “+” to create a new Fabric Group from the menu
–  Provide a Name and detailed Description for the group
–  Add the appropriate Users and/or Groups in the “Fabric Administrators” section in DN format
–  Select a set of resources that will be managed by this group (here you see available vSphere Clusters collected during Endpoint discovery).
–  Click OK

Note: If no compute resources are available for selection, you either have an Endpoint configuration issue or you need to wait a bit for inventory to complete. Check the Log Viewer (Infrastructure tab -> Administration -> Monitoring) for any obvious errors

Page 80: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Defining a Business Group

Business Groups

Define a Business Group

Business Groups are the consumers of IaaS resources. Business Groups typically represent a business unit or function, or any other organizational container. Users must belong to a Business Group’s “User” role before they can be entitled to IaaS services.

–  Navigate to “Infrastructure” tab -> “Groups” -> “Business Groups”
–  Click “+” to create a new Business Group
–  Provide a Name and Description
–  Enter one or more users for the Group Manager role (see definitions)
–  Attach an existing machine prefix or create a new one (details on the next page)
–  Enter the OU string for new computer objects (see note)
–  Enter one or more Users or Groups in the “User” role
–  Click OK

Note: the Active Directory container field does not apply to blueprints for cloning or external cloud provisioning. While it is required to put something there, you can type any string in that field to satisfy the form validation.

Group managers and Support Users can request and manage machines on behalf of the machine owner. Group managers can also be required to approve all provisioning requests from this group.

Users in the “User” role are the actual members of this group and will be granted access to the User Portal and available for Entitlements.

Page 81: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Defining a Business Group

Machine Prefixes

Create Machine Prefixes

Machine prefixes are used to automatically generate names for provisioned machines by a particular Business Group. The prefix created should help identify the machine.

You will define the prefixes here and use them in the Provisioning Group configuration later.

–  While configuring a Business Group, select the “Default Machine Prefix” field
–  Click “+” to create a New Machine Prefix
–  Enter the desired prefix
–  Enter the number of digits that will be automatically appended to the prefix
–  Enter the “Next” (starting) number
–  Click the green check to accept the new prefix
–  Click “OK” to continue (this prefix will be entered in the Business Group’s default prefix field)

Note: vCAC’s default naming conventions are fairly basic, but functional. There are several external resources available for greater customization of hostnames. The custom property “Hostname” can also be used to allow users to manually enter a machine name.

Page 82: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Defining a Business Group

Business Groups

Verify and repeat the previous steps for all desired Business Groups. Once you’re done, you must refresh your browser or log out / in so new group roles can take effect. In my example, the currently logged in user, “jelzein”, was granted the Fabric Group Administrator and Business Group Manager roles, enabling this account to manage resources and groups for this tenant’s users. Roles can get very granular with greater separation of permissions. For a POC environment it’s much easier to effectively create a “superuser” with all the roles.

After refreshing the browser, you will see additional options in the left management pane, specifically:

•  Reservations

•  Compute Resources

•  Blueprints

If you don’t see these options, be sure you have granted the appropriate roles to the logged-in user.

Next, we will configure Reservations.

YOU MUST REFRESH YOUR BROWSER FOR NEW ROLES TO TAKE EFFECT

Page 83: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Creating a vSphere Reservation Policy

Reservation Policies

Create a Reservation Policy (optional)

Reservation policies are created and attached to Reservations and Blueprints (later) to restrict the provisioning of machines to a specific set of rules. Example: setting a vSphere Reservation Policy so that a particular machine blueprint can only be provisioned into a vSphere cluster.

Reservation Policies can also be created for storage resources to define tiers, locations, etc.

–  Navigate to “Infrastructure” tab -> “Reservations” -> “Reservation Policies”
–  Click “+” to create a “New Reservation Policy” or “Storage Reservation Policy”
–  Enter a Name and Description for each Reservation Policy desired. The description should clearly articulate the purpose of each policy
–  Click the green check mark after each policy is defined

Page 84: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Creating a Network Profile

Network Profiles

Create a Network Profile

Network Profiles are defined when the use of static IP assignment is preferred over simply using DHCP (default). It’s not quite IPAM, but gives you some granularity for vSphere deployments. Once configured, Network Profiles are bound to the “Network Path(s)” of a vSphere Resource Reservation. Greater network functionality is possible when incorporating NSX into the mix, including support for dynamically-provisioned NAT, Private, and Routed networks. In this case, we’ll simply create an External network profile, which does not require NSX or vCNS integration.

–  Navigate to “Infrastructure” tab -> “Reservations” -> “Network Profiles”
–  Click the “+” to create a New Network Profile
–  Select “External” from the network drop-down list…

Page 85: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Creating a Network Profile

New Network Profile

–  In the “Network Profile Information” tab, complete all the required fields. These settings will be applied to vSphere machines that are deployed to the corresponding network:
•  Name* – enter a name that clearly identifies this profile, such as a scope ID
•  Description – enter a detailed description for the profile
•  Subnet Mask*
•  Gateway
•  Primary DNS
•  Secondary DNS
•  DNS suffix
•  DNS search suffix
•  Preferred WINS
•  Alternate WINS
(* required fields)
–  When done, click on the “IP Ranges” tab…

Page 86: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Creating a Network Profile

New Network Profile - IP Ranges

Add an IP Range

Once a Network Profile is created, you can add a static IP range to the profile to allocate a specific set of IPs when provisioning machines bound to the corresponding network.

–  From the “IP Ranges” tab, click “+” to create a New IP Range
–  Enter the required information:
•  Name*
•  Description
•  Starting IP address*
•  Ending IP address*
(* required field)
–  Click OK to apply…

Page 87: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Creating a Network Profile

Review IP Range

Once the IP Range is applied, a list of available IP addresses will be displayed. You can create several IP Ranges in a single Network Profile.

As machines bound to this Network Profile are provisioned, they will show up in the list next to the allocated IP address. This will help in identifying IP address allocation as the environment scales.

Note: In previous versions of vCAC, admins had to manually enable “Static IP Services” prior to configuring Network Profiles. This is now a default capability.
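A consistency check for the Network Profile fields and IP Ranges described above, as an added example that is not part of the original guide or of vCAC. The function name, finding codes and sample addresses are assumptions made for illustration; it catches ranges that leave the subnet, include the gateway or the network/broadcast address, or overlap another range in the same profile.

```python
import ipaddress


def check_network_profile(subnet_mask, gateway, ranges):
    """Validate IP ranges against a profile's Subnet Mask and optional Gateway.

    ranges is a list of (name, starting_ip, ending_ip) tuples.
    Returns a list of (range_name, code, detail) findings; empty means clean.
    """
    if not ranges:
        return []
    # The profile has no explicit network field, so derive the subnet from the
    # gateway or, when no gateway is set, from the first range's starting IP.
    anchor = gateway or ranges[0][1]
    net = ipaddress.IPv4Network(f"{anchor}/{subnet_mask}", strict=False)
    gw = ipaddress.IPv4Address(gateway) if gateway else None
    reserved = (net.network_address, net.broadcast_address)

    findings, seen = [], []
    for name, start, end in ranges:
        lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        if lo > hi:
            findings.append((name, "reversed", f"{lo} is above {hi}"))
            continue
        if lo not in net or hi not in net:
            findings.append((name, "outside-subnet", f"{lo}-{hi} leaves {net}"))
        if gw is not None and lo <= gw <= hi:
            findings.append((name, "gateway-in-range", f"{gw} would be handed to a machine"))
        if any(lo <= addr <= hi for addr in reserved):
            findings.append((name, "reserved-address", "network or broadcast address is in the range"))
        for other, other_lo, other_hi in seen:
            if lo <= other_hi and other_lo <= hi:
                findings.append((name, "overlap", f"shares addresses with {other}"))
        seen.append((name, lo, hi))
    return findings


# Constructed sample profile, not taken from the guide's lab.
SAMPLE_MASK = "255.255.255.0"
SAMPLE_GATEWAY = "192.168.10.1"
SAMPLE_RANGES = [
    ("pool-a", "192.168.10.1", "192.168.10.50"),     # starts on the gateway
    ("pool-b", "192.168.10.40", "192.168.10.80"),    # overlaps pool-a
    ("pool-c", "192.168.10.200", "192.168.11.10"),   # runs past the /24
    ("pool-d", "192.168.10.100", "192.168.10.150"),  # clean
]

if __name__ == "__main__":
    for name, code, detail in check_network_profile(SAMPLE_MASK, SAMPLE_GATEWAY, SAMPLE_RANGES):
        print(f"{name}: {code} ({detail})")
```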

Page 88: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Creating a Resource Reservation

Reservations

Create a vSphere Reservation

Reservations are a defined set of resource allocations – provided by the endpoints – to which machines will be provisioned. vCAC’s Reservations are similar to the “Virtual DataCenter” (or VDC) concept. Reservations are created for each Cloud, Physical, and Virtual resource. A single vSphere (Virtual) Endpoint was previously configured – next we will create a Reservation to allocate some or all of that Endpoint’s resources.

The previously configured Reservation Policies and Network Profiles will be utilized in this Reservation.

–  Navigate to “Infrastructure” tab -> “Reservations”
–  Click “+ New Reservation” then select “Virtual” -> “vSphere (vCenter)” to create a New Reservation…

Note: Use “Virtual” to configure vSphere reservations as well as any other hypervisor-based reservation (Hyper-V, KVM, XEN, etc). The “Cloud” selection is used for Amazon EC2, OpenStack, and vCloud-based provisioning (incl vCHS). “Physical” is used to configure all supported physical hardware provisioning (Dell, HP, UCS, etc). Since a vCloud Suite license was used during setup, only applicable Endpoints are available.

Page 89: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Creating a Resource Reservation

New Reservation – vSphere (vCenter)

Create a vSphere Reservation (cont)

–  From the “Compute Resource” drop-down, select a set of Resources to be used. For vSphere reservations select the desired vSphere Cluster – here we select “Mgmt”, which corresponds to the Mgmt cluster discovered during Endpoint Inventory collection…

Page 90: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Creating a Resource Reservation

New Reservation – vSphere (vCenter)

Create a vSphere Reservation (cont)

–  The reservation Name will automatically be created, but you can change/edit it if preferred
–  Select a Business Group that will be permitted to provision machines to the selected set of resources (if only one group exists, it will automatically be selected)
–  Optional: apply the pre-defined Reservation Policy to bind the Reservation to the selected policy
–  Optional: set a machine quota or leave blank for unlimited
–  Set a resource Priority of “0” or “1” for this reservation (highest priority is 0).
–  Ensure the reservation is Enabled
–  Select the “Resources” tab to continue configuration…

Page 91: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Creating a Resource Reservation

New Reservation – vSphere (vCenter)

Create a vSphere Reservation (cont)

Resources are defined as part of a Reservation to allocate a subset of total available compute resources. Here we identify a set of Memory, Storage, and Network resources as part of this Reservation.

–  Memory: configure total memory (in GB) to be allocated to this Reservation
–  Storage: check one or more vSphere Datastores and set the storage capacity (in GB) and Priority (1) for each – machines will be balanced across all selected datastores based on the entered Priority (vCAC 6 supports SDRS clusters and VSAN Datastores)
–  Resource pool (Optional): from the drop-down, select an available vSphere Resource Pool in which to place provisioned machines
–  Click the “Network” tab to continue configuration…

Page 92: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Creating a Resource Reservation

New Reservation – vSphere (vCenter)

Create a vSphere Reservation (cont)

–  In the “Network” tab, check one or more vSphere networks (port groups) that will be allocated to provisioned machines. vCAC supports Standard and Distributed Port Groups as well as vCNS/NSX-backed networks (vWires)
–  (Optional) Select a corresponding Network Profile for the selected Network Path
–  Click “OK” to complete this Reservation

(Note: you can optionally enable and configure resource threshold notifications in the “Alerts” tab)

Page 93: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Creating a Resource Reservation

Reservations

The vSphere Endpoint in my environment contains two clusters – “Mgmt” and “Cloud Resources”. The previous steps are repeated to create an additional Reservation using the “Cloud Resources” cluster. Since each cluster contains unique resources (Networks, Storage Paths, etc.), the configuration will vary slightly.

Here you see the completed configuration of both Reservations.

Note: more than one Reservation can be created from a single Compute Resource (i.e. vSphere Cluster). This can be done to over-provision resources or to create several sub-allocations of a single Compute Resource.

Page 94: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

(Optional) Applying Storage Resource Policies

Compute Resources

Storage Policies

In previous steps, a Resource Policy was created and [optionally] bound to a resource Reservation. The Resource Policy acts like a tag and will logically tie together all resources using the tag. So far, we’ve created a policy and tied it to a Reservation. We will now apply the Storage Policies to the appropriate Datastores (Storage Paths) in each Compute Resource.

(Resource Policies are Optional)

–  Navigate to “Infrastructure” tab -> “Compute Resources”
–  Hover over the desired Compute Resource and select “Edit”…

Page 95: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

(Optional) Applying Storage Resource Policies

Edit Compute Resources

Storage Policies (cont)

–  Select the “Configuration” tab
–  Click the pencil icon next to each Storage Path (Datastore) to edit it
–  Use the “Storage Reservation Policy” drop-down menu to select the appropriate Reservation Policy
–  Click the green check to save
–  Repeat for each Storage Path in all Compute Resources
–  Click “OK” to apply the changes

Page 96: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Creating IaaS Blueprints

Blueprints

Create a vSphere Blueprint

Blueprints define the resources and attributes associated with the provisioning of a virtual, physical, or cloud machine. Blueprints are configured for any machine (VM, vApp, Physical, Cloud) or a combination (multi-machine blueprint) that will be available for provisioning in the portal. A unique Blueprint has to be created per platform (vSphere, vCloud, EC2, Hyper-V, KVM, Physical, etc).

In this section we will create two vSphere blueprints – a Linked Clone and a traditional template-based clone…

–  Navigate to “Infrastructure” tab -> “Blueprints”
–  Click “+ New Blueprint” then select -> Virtual -> vSphere (vCenter) to create a new Blueprint based on the available vSphere Endpoint…

Page 97: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Creating IaaS Blueprints

New Blueprint – Linked Clone, vSphere (vCenter)

Create a vSphere Blueprint (cont)

–  In the “Blueprint Information” tab, enter a Name and detailed Description to identify the blueprint (entering a detailed description will help make sense of it during provisioning)
–  Check “Shared Blueprint” to share this blueprint across this Tenant’s Business Groups
–  (Optional) Select a Reservation Policy to lock provisioning down to a specified resource
–  Select an available prefix or use the group default
–  (Optional) Set “Maximum per user” quota
–  Set Archive days (days stored post-expiration)
–  (Optional) Set an associated daily cost to append to the total cost
–  Select the “Build Information” tab…

Page 98: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Creating IaaS Blueprints

New Blueprint – Linked Clone, vSphere (vCenter)

Create a vSphere Blueprint (cont)

–  Blueprint type: “Server”
–  Action: “Linked Clone” (Linked Clones are uber-efficient delta copies that are based on a machine snapshot and require an available snapshot prior to configuring. You can optionally select “Clone” to create a new machine off of a traditional template)
–  Provisioning workflow: “CloneWorkflow” (auto-selected)
–  Clone from: click on “…” to browse available snapshots (or templates) and select the appropriate one (a win2k8 snapshot is used in this example)
–  Enter Min / Max settings for the following:
•  # CPU’s
•  Memory (MB)
•  Storage (GB)
•  Lease (days)

NOTE: the “Minimum” field is auto filled based on the template config – keep that in mind when building the template

Page 99: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Creating IaaS Blueprints

New Blueprint – Linked Clone, vSphere (vCenter)

Create a vSphere Blueprint (cont)

–  For Linked-Clone based Blueprints, click on “…” to browse available snapshots (or templates) and select the appropriate one (a win2k8 snapshot is used in this example)
–  Click “Finish” to continue…

Note: VM snapshots are discovered during an Endpoint Inventory collection, and therefore have to exist ahead of that collection in order for them to be available during this selection. In other words, plan accordingly.

Page 100: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Creating IaaS Blueprints

New Blueprint – Linked Clone, vSphere (vCenter)

Create a vSphere Blueprint (cont)

–  Select the “Properties” tab

The Properties tab allows you to apply Build Profiles and Custom Properties unique to this blueprint for advanced functionality, integration with external systems, identification of resources, etc.

–  Add any available Build Profiles or desired Custom Properties you want to append to this Blueprint – see the vCAC 6.0 Operations Guide for more details. Neither will be used in this example.
–  Select the “Actions” tab…

Page 101: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Creating IaaS Blueprints

New Blueprint – Linked Clone, vSphere (vCenter)

Create a vSphere Blueprint (cont)

–  Machine Operations: Keep the default settings (all selected). These settings determine what users are permitted to do to the provisioned machine for “Day-2” operations. However, these are legacy settings and will be overridden when Entitling this Blueprint in a later step.
–  Configure Snapshots: Yes / No
–  Allow Reconfigure: Yes / No
–  Click “OK” to complete Blueprint configuration

Page 102: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Creating IaaS Blueprints

New Blueprint – Clone, vSphere (vCenter)

Create [another] vSphere Blueprint

–  In the “Blueprint Information” tab, enter a Name and detailed Description to identify the blueprint
–  Check “Shared Blueprint” to share this blueprint across this Tenant’s Business Groups
–  (Optional) Select a Reservation Policy to lock provisioning down to a specified compute resource
–  Select an available prefix or use the group default
–  (Optional) Set “Maximum per user” quota
–  Set Archive days (days stored post-expiration)
–  (Optional) Set an associated daily cost to append to the total cost
–  Select the “Build Information” tab…

Page 103: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Creating IaaS Blueprints

New Blueprint – Clone, vSphere (vCenter)

Create [another] vSphere Blueprint (cont)

–  Blueprint type: “Server”
–  Action: “Clone” (basic template-backed clone)
–  Provisioning workflow: “CloneWorkflow” (auto-selected)
–  Clone from: click on “…” to browse available vCenter templates and select the appropriate one (a CentOS template is used in this example)
–  Enter Min / Max settings for the following:
•  # CPU’s
•  Memory (MB)
•  Storage (GB)
•  Lease (days)
–  Click “OK” to complete configuration of this Blueprint

Page 104: Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Creating IaaS Blueprints

104

Publish Blueprints

Publish Configured Blueprints

Once Blueprints are built, you must Publish them to make them available to vCAC’s service catalogs. Once Published, these Blueprints will be marked as “Catalog Items” and made available for Entitlements (next section).

²  Hover over each configured Blueprint and select “Publish” from the submenu

Note: you cannot un-publish a Blueprint!

Next up: Catalog Services…

Catalog Services Services | Catalog Items | Entitlements

Adding Catalog Services

Services Catalog Services

vCAC’s Service Catalog provides a way to organize and deliver the various catalog items into related offerings. For example, a Service can be created for each major service offering (IaaS, XaaS, etc) or by sub-category (Windows, Linux, etc). Services can contain IaaS and XaaS Catalog Items (Blueprints).

Use Services to organize your vCAC catalog however you see fit for your environment.

²  Navigate to “Administration” tab -> “Services”

²  Click “+” to create a new Service…

Adding Catalog Services

Add Service (#1) Create an “IaaS” Catalog Service

²  Complete all the required fields:

•  Name: enter a name for this Service Catalog (e.g. “IaaS Services”)

•  Description: enter a detailed description for the service. This will show up in the user’s portal

•  Icon: (optional) click “Browse…” to locate an icon to use for this Service. You may select any appropriately-sized .png file. Icons that are less than 200 x 200 px work best.

•  Status: set to “Active” from the drop-down menu

•  Hours: (optional) select service hours

•  Owner: service owner, automatically filled based on logged-in user account

•  Support Team: (optional) enter a group to allow manageability of this Service.

²  Click “Add” to add the new Service

Adding Catalog Services

Add Service (#2) Create an “XaaS” Catalog Service

²  Complete all the required fields:

•  Name: enter a name for this Service Catalog (e.g. “IaaS Services”)

•  Description: enter a detailed description for the service. This will show up in the user’s portal

•  Icon: (optional) click “Browse…” to locate an icon to use for this Service. You may select any appropriately-sized .png file. Icons that are less than 200 x 200 px work best.

•  Status: set to “Active” from the drop-down menu

•  Hours: (optional) select service hours

•  Owner: service owner, automatically filled based on logged-in user account

•  Support Team: (optional) enter a group to allow manageability of this Service.

²  Click “Add” to add the new Service

Adding Catalog Services

Services - Review Review Catalog Services

²  Repeat the previous steps for all additional desired Services

Once Services are created, you can associate Catalog Items to them. This will be covered in the next section…

Managing Catalog Items

Catalog Items Add Catalog Items to Services

²  Navigate to “Administration” tab -> “Catalog Items”

²  Select one of the available Catalog Items – these are IaaS Blueprints that have been published…

Managing Catalog Items

Configure Catalog Item (#1) Add Catalog Items to Services (Win2k8)

²  Complete the required fields (most of the fields will be pre-populated):

•  Icon: (optional) click “Browse…” to select an available .png file

•  Status: set to “Active” using the drop-down menu

•  Service: use the drop-down menu to select a configured Service catalog

²  Click “Update” to apply…

Managing Catalog Items

Configure Catalog Item (#2) Add Catalog Items to Services (CentOS)

²  Complete the required fields (most of the fields will be pre-populated):

•  Icon: (optional) click “Browse…” to select an available .png file

•  Status: set to “Active” using the drop-down menu

•  Service: use the drop-down menu to select a configured Service catalog

²  (Optional) Select “New and noteworthy” to display this Catalog Item in the “New and Noteworthy” Portlet on the user’s home page

²  Click “Update” to apply

IaaS Entitlements

Add Entitlement Entitlements

The final step in making a catalog item available to users is to Entitle it. Entitlements are created to manage user and group access to services, catalog items, and resource actions within business groups of a Tenant. This provides additional granularity and allows for controls over who can see what. Entitlements are also used to add governance (approvals) to a particular item – this will be covered later…

²  Navigate to “Administration” tab -> “Entitlements”

²  Click “+” to add a new Entitlement

²  Complete the required fields:

•  Enter a Name and detailed Description for the Entitlement.

•  Set Status to “Active”

•  Search for Users & Groups to entitle to these items

²  Click “Next”…

Note: For added granularity, Entitlements can be based on individual catalog items or entire services. In this example, an Entitlement is created for all IaaS services.

IaaS Entitlements

Add Entitlement Items & Approvals

²  In the “Items & Approvals” tab, add the desired items, actions, and approvals (covered later)…

•  Entitled Services – click “+” and select the previously-configured IaaS Service catalog from the list

•  Entitled Catalog Items – click “+” and select the desired IaaS Catalog Items (Blueprints) from the list (see note)

•  Entitled Actions – click “+” to add all the desired resource Actions to this Entitlement. Actions are “day 2” operations that determine which actions users can perform on a machine after it has been provisioned. (These actions override the operations configured at the Blueprint level)

²  Click “Add” to add this Entitlement

Next Up: Adding Governance to service requests…

Note: For added granularity, Entitlements can be based on individual catalog items or entire services. In this example, an Entitlement is created for all IaaS services.

Governance & Approvals Creating Self-Service Approval Policies

Adding Approval Policies

Approval Policies Approval Policies

Approval Policies are created by Tenant Administrators or Approval Administrators to require any service request to go through a pre- or post-approval process. Once created, Approval Policies are applied to Service Catalogs, Catalog Items, or post-provisioning (“day-2”) actions. Tenant Admins and Business Group Managers can apply Approval Policies to service items.

Approval Policies can be static (on/off) or based on a condition. Condition-based policies allow you to create triggers based on a characteristic of the request. In this exercise we will create a condition-based approval policy…

²  Navigate to “Administration” tab -> “Approval Policies”

²  Click “+” to add a new Approval Policy…

Adding Approval Policies

Add Approval Policy Create an Approval Policy

²  In the “Policy Type” drop-down, select “Service Catalog – Catalog Item Request” – this policy can be applied to individual Catalog Items within an Entitlement…

Adding Approval Policies

Add Approval Policy Create an Approval Policy

²  Complete the required fields:

•  Name: enter a name that represents this policy

•  Description: enter a detailed description

•  Status: set to “Active” using the drop-down menu

²  Click “+” next to “Levels” in the Pre-Approval tab…

Note: a “Pre Approval” level is applied ahead of provisioning the associated catalog item. “Post Approval” levels occur post-provisioning.

Adding Approval Policies

Add Approval Policy – Approval Level Create an Approval Level Based on a Condition

²  Complete the required fields:

•  Name: enter a name for this approval Level

•  Description: enter a detailed description of the approval (more detail is better)

•  Required?: select “Required based on conditions”

•  In the Conditions sub-menu, create a condition to trigger the policy. In this example, approvals are required if a user requests a catalog item for greater than 90 days

•  Approvers?: select “Specific Users and Groups” then search and add desired approvers from the list

²  Approval Type:

•  Anyone can Approve – requires any (at least 1) of the selected groups or users to approve

•  All must approve – requires all users and groups to approve the request

²  Click “Add” to add the approval level…
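The approval level configured above, modelled as an added JavaScript example (not vCAC code): it shows when the 90-day condition triggers and how “Anyone can Approve” and “All must approve” resolve. It assumes the condition is evaluated on the requested lease in days; the field names, status strings, rejection handling and the rule that requesters cannot approve their own request are assumptions.

```javascript
// Added example: models the approval level configured in this guide.
// Field names, status strings and the rejection rules are assumptions.

var LEASE_THRESHOLD_DAYS = 90; // the guide's condition: greater than 90 days

// Does the condition-based level apply to this request?
function approvalRequired(request) {
  var days = request.leaseDays;
  // Fail closed: a missing or malformed lease value is routed to approval.
  if (typeof days !== "number" || !isFinite(days) || days < 0) return true;
  return days > LEASE_THRESHOLD_DAYS;
}

// level:     { type: "ANYONE" | "ALL", approvers: ["bob", ...] }
// decisions: { bob: "approved" | "rejected", ... }
function evaluateLevel(request, level, decisions) {
  if (!approvalRequired(request)) return "NOT_REQUIRED";

  // Assumption (separation of duties): a requester who is also a listed
  // approver does not get to vote on their own request.
  var voters = level.approvers.filter(function (name) {
    return name !== request.requester;
  });
  if (voters.length === 0) return "NO_ELIGIBLE_APPROVER";

  var approved = 0, rejected = 0;
  voters.forEach(function (name) {
    // Only votes from listed approvers are read; anything else in
    // `decisions` (an unlisted account, a typo) is ignored.
    if (!Object.prototype.hasOwnProperty.call(decisions, name)) return;
    if (decisions[name] === "approved") approved++;
    else if (decisions[name] === "rejected") rejected++;
  });

  if (level.type === "ALL") {
    if (rejected > 0) return "REJECTED";
    return approved === voters.length ? "APPROVED" : "PENDING";
  }
  if (level.type === "ANYONE") {
    if (approved > 0) return "APPROVED";
    return rejected === voters.length ? "REJECTED" : "PENDING";
  }
  throw new Error("unknown approval type: " + level.type);
}

// Constructed sample requests, evaluated against one "All must approve" level.
var demoLevel = { type: "ALL", approvers: ["bob", "carol"] };
[
  [{ requester: "alice", leaseDays: 30 }, {}],
  [{ requester: "alice", leaseDays: 120 }, { bob: "approved" }],
  [{ requester: "alice", leaseDays: 120 }, { bob: "approved", carol: "approved" }],
  [{ requester: "bob", leaseDays: 120 }, { bob: "approved", carol: "rejected" }]
].forEach(function (sample) {
  console.log(JSON.stringify(sample[0]), "->",
              evaluateLevel(sample[0], demoLevel, sample[1]));
});
```
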

Adding Approval Policies

Apply Approval Policy to Entitlement Applying Approval Policies

Once an Approval Policy is created, it is added to an Entitled Service, Catalog Item, or Action by editing the associated Entitlement(s)…

²  Navigate to “Administration” tab -> “Entitlements”

²  Select one of the available Entitlements to edit

²  Locate the Entitled Service and/or Catalog Items that you want to add the approval policy to

²  Click on the arrow next to each item and select “Modify Policy”

²  In the “Modify Policy” window, select the previously-created Approval Policy from the drop-down

²  Click “OK” to accept

²  Repeat for all desired items

²  Click “Update” to save the changes

IaaS Entitlements

Reviewing the IaaS Service Catalog Reviewing the IaaS Catalog

²  Navigate to the “Catalog” tab to view the entitled services (for the currently logged in user)

²  Verify that the Catalog Items selected in the Entitlement are available. Since both Catalog Items (i.e. Blueprints) were added to the same Entitlement, they should both show up here.

²  Also notice that only the IaaS Catalog is visible at this point – that’s because no catalog items have been added to the other Service Catalogs yet. Once added, additional Service Catalogs will be displayed along the left side.

Next Up: a fun XaaS Use Case

XaaS Use Case “DaaS” with vCAC XaaS and Horizon View


Introduction

vCloud Automation Center 6.0's “XaaS” feature will allow admins to utilize any prepackaged, new, or existing vCenter Orchestrator workflow and deliver it as a Self-Serviced, Entitled, Governed, and Lifecycle-managed service.

VMware will be shipping a more integrated View/vCAC DaaS solution by Q2’14. Until then we have to improvise to come up with a “DaaS-like” solution that will help fill in the gap until the products are natively integrated. vCAC’s Advanced Service Designer (ASD) provides a quick-fix for an important function using unsophisticated means.

DaaS Use Case Objectives:

–  Allow cloud users to request a Horizon View Desktop machine from vCAC’s Service Catalog to add Self-Service, Governance, and Entitlement to existing View Environments

–  Use vCAC’s Advanced Service Designer to create a Custom Service to deliver DaaS

–  Configure a Governance (Approval) policy for VDI Desktop Requests

–  Utilize vCO’s built-in Active Directory plug-in and a simple workflow to do the magic


XaaS – DaaS Overview

§  Horizon View

–  View is configured with 2 Desktop Pools:

•  Floating Desktop Pool: DaaS-Engineering

•  Dedicated Desktop Pool: DaaS-Operations

–  Both pools are configured to pre-provision 20 desktops and always have 5 desktops available (unused) in the pool

–  Each pool is entitled to an existing Active Directory Security Group:

•  DaaS-Engineering -> “DaaS-Eng”

•  DaaS-Development -> “DaaS-Ops”

§  For DaaS options, users log into vCAC and click on the Service Catalog called “Desktop Services”

–  Users Select from the appropriate pool

–  Once requested, approvals are invoked to ensure user is authorized

–  XaaS and vCO take over


vCO Configuration Configuring the Active Directory Plug-In


Configure the Active Directory Plug-In

vCO 5.5 uses an included workflow to configure the Active Directory plugin. You might want to log into vCO configuration to ensure no existing AD Plugin settings exist…

•  Log into vCenter Orchestrator’s configuration UI (https://hostfqdn:8283). Note that if you are using the embedded vCO node, the FQDN will be the same as your vCAC server.

•  Click on the Active Directory plugin in the left pane to check its status

Note: the vCO configuration service on the vCAC VA is stopped by default; run “service vco-configurator start” to start it. This step can also be completed using vCAC’s ASD Endpoint configuration.


Configure the Active Directory Plug-In Log into vCO using the vCO Client

•  Use the vCO Client to log into the vCO instance (serverfqdn:8281)

•  By default, vCAC’s embedded vCO instance uses the same [email protected] account and password configured during vCAC setup.


Configure the Active Directory Plug-In Run the Active Directory Configuration Workflow

•  Once logged in, ensure you’re in “Run” mode and select the “Workflows” tab

•  Drill down and expand Library -> Microsoft -> Active Directory -> Configuration

•  Right-click “Configure Active Directory server” and select “Start workflow…”


Configure the Active Directory Plug-In Run the Active Directory Configuration Workflow

•  Enter all the required fields

•  Click Next…


Configure the Active Directory Plug-In Run the Active Directory Configuration Workflow

•  Click “Yes” for “Use a shared session” to use a single service account for this connection

•  Enter the UN (DOMAIN\username) and PW (be sure this account has appropriate AD permissions).

•  Click Submit…


Configure the Active Directory Plug-In Run the Active Directory Configuration Workflow

• Wait while the workflow runs

•  Once successfully completed, the last step should turn green (look for the green check next to the workflow instance as well)

•  You can now check the vCO configuration to verify the AD plugin was successfully configured


XaaS | DaaS Configuration Configuring the logic in vCAC Advanced Service Designer


XaaS | DaaS Configuration Add a Service Blueprint

•  Once logged in, go to the “Advanced Services” tab

•  Click the green “+” to add a new Service blueprint


XaaS | DaaS Configuration Choose the vCO Workflow

•  Expand the “Orchestrator” and drill down to the Microsoft library

•  Select vCO -> Library -> Microsoft -> Active Directory -> User -> “Add a user to a user group”

•  Click Next to continue


XaaS | DaaS Configuration Enter Service Details

•  In the Details tab, enter a Name and Description for this Blueprint

•  Name: Desktop Request (NOTE: this is what shows up in the self-service portal)

•  Description: Enter something that describes this blueprint

•  Click Next to continue…


XaaS | DaaS Configuration Configure Blueprint Form

The Blueprint Forms designer will allow you to change the default page/form titles and vCO input attributes to something that makes sense to the users requesting this form.

•  First, click the pencil icon next to “Add a user to a user group” to edit the Form page name…


XaaS | DaaS Configuration Configure Blueprint Form

•  Change the Form page Heading to something that makes sense for this use case (e.g. “Assign User to Desktop Pool”), then click “Submit”


XaaS | DaaS Configuration Configure Blueprint Form

•  Edit the “group” attribute so it reads “Select Desktop Pool”, or something similar

•  Edit the “user” attribute so it reads “Select User”, or something similar

•  Click Next to continue…


XaaS | DaaS Configuration Configure Blueprint Form

•  Edit Form to something that reflects the use case (e.g. “Request Desktop”). This is the title heading that will be visible to users when they select this service.

•  Keep “Screen types” selection unchanged

•  Click Submit to commit the changes…


XaaS | DaaS Configuration Configure Blueprint Form

•  Click the pencil icon to the right of the “Select Desktop Pool” (the “group” attribute) text field

•  Change the Type field to “Drop-down”

The Drop-down type allows you to add constraint Values to the field; Search does not (bug?) – we’ll come back here and change this back to “Search” once the Values are added.


XaaS | DaaS Configuration Configure Blueprint Form

•  Select the “Value” tab (the tab shows up after changing Type to drop-down in the previous step)

•  Enter the AD Group names you created that correspond with the appropriate View Pools one at a time

•  Click Submit…


XaaS | DaaS Configuration Configure Blueprint Form

•  Back in the “Details” tab, change the Type back to “Search” (notice the “Values” tab disappears)

Note: this is required due to a bug/feature in the forms designer that does not properly use the Drop-down or Radio button types with Value constraints. Doing it this way allows us to add the appropriate constraints while still using the working type (Search).
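The Value constraints above live in the request form; the same allow-list can also be enforced inside the workflow, before the group is modified under the shared service account. The following is an added example, not code from this guide or from vCO: it is plain JavaScript (the language of vCO scriptable tasks), `GROUP_BASE_DN` is a constructed placeholder, and the function names are hypothetical.

```javascript
// Added example: allow-list check for the "group" input of the request.
// GROUP_BASE_DN and the function names are assumptions; the group names are
// the ones used in this guide.

var ALLOWED_GROUPS = ["DaaS-Eng", "DaaS-Ops"];
var GROUP_BASE_DN = "OU=DaaS,DC=example,DC=local"; // constructed placeholder

// Split a distinguishedName at its first unescaped comma.
function splitLeaf(dn) {
  for (var i = 0; i < dn.length; i++) {
    var c = dn.charAt(i);
    if (c === "\\") { i++; continue; }           // skip the escaped character
    if (c === ",") return { leaf: dn.slice(0, i), parent: dn.slice(i + 1) };
  }
  return { leaf: dn, parent: "" };
}

// Undo DN escaping (\, and hex pairs such as \2C) so the real name is compared.
function unescapeValue(value) {
  return value.replace(/\\([0-9a-fA-F]{2}|.)/g, function (match, esc) {
    return esc.length === 2 ? String.fromCharCode(parseInt(esc, 16)) : esc;
  });
}

// Case and spacing around separators are not significant when comparing DNs.
function normalizeDn(dn) {
  return dn.trim().toLowerCase().replace(/\s*([,=])\s*/g, "$1");
}

function deny(reason) {
  return { allowed: false, group: null, reason: reason };
}

// Accepts either a bare group name or a full distinguishedName.
function checkGroup(group) {
  if (typeof group !== "string" || group.length === 0) {
    return deny("no group supplied");
  }
  var name = group;
  if (/^\s*cn\s*=/i.test(group)) {
    var parts = splitLeaf(group);
    name = unescapeValue(parts.leaf.replace(/^\s*cn\s*=\s*/i, ""));
    // A same-named group in another container must not pass.
    if (normalizeDn(parts.parent) !== normalizeDn(GROUP_BASE_DN)) {
      return deny("group is outside " + GROUP_BASE_DN);
    }
  }
  for (var i = 0; i < ALLOWED_GROUPS.length; i++) {
    // AD group names compare case-insensitively.
    if (ALLOWED_GROUPS[i].toLowerCase() === name.toLowerCase()) {
      return { allowed: true, group: ALLOWED_GROUPS[i], reason: "on allow-list" };
    }
  }
  return deny("group is not on the allow-list");
}

// Constructed sample inputs.
[
  "DaaS-Eng",
  "cn=daas-ops, ou=daas, dc=example, dc=local",
  "Domain Admins",
  "CN=DaaS-Eng,OU=Contractors,DC=example,DC=local"
].forEach(function (g) {
  console.log(JSON.stringify(g), "->", JSON.stringify(checkGroup(g)));
});
```
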


XaaS | DaaS Configuration Configure Blueprint Form

The “Provisioned Resource” tab allows you to associate this Service Blueprint with a resource type for post-provisioning (“day 2”) operations. Since this is just a request blueprint (i.e. no management after requesting), we will not associate it with any resource type.

•  Click Add to add the Blueprint.


XaaS | DaaS Configuration Publish Service Blueprint

•  Your new Service Blueprint “Desktop Request” will show up in the list as a draft

•  From the Actions menu, select Publish

At this point the Service Blueprint is published and ready to be added to a Catalog and Entitled…


XaaS | DaaS Configuration Add a DaaS Service Catalog

We will now create a new Service Catalog to organize our DaaS catalog items.

•  Navigate to “Services” from the “Administration” tab

•  Click the green “+” next to “Services”


XaaS | DaaS Configuration Add a DaaS Service Catalog

•  Enter a Name and Description for this service (e.g. “Desktop Services”) and, optionally, you can select a unique icon for this service catalog

•  Set Status to “Active”

•  Click Add when finished


XaaS | DaaS Configuration Add a DaaS Service Catalog - Review

Once added, the new Desktop Services catalog will show up in your Services list.

Next we will add the appropriate catalog item(s) to this catalog…


XaaS | DaaS Configuration Configure the DaaS Catalog Item

•  Navigate to “Catalog Items” in the “Administration” tab

•  Locate and click on the newly-created “Desktop Request” item (you can click on the item or select “edit” from the Actions menu)…


XaaS | DaaS Configuration Configure the DaaS Catalog Item

•  In the “Configure Catalog Item” screen, click on “Browse…” to select a unique icon for this item

•  Change Status to “Active”

•  From the Service drop down, select the “Desktop Services” service catalog created in the previous steps

•  Select Update to continue


XaaS | Entitlements Add Entitlement

Entitlements are used to assign a Service, Catalog Item, or Action to specific users or groups. We need to entitle the new DaaS Service and Desktop Request catalog item to tenant users.

• While in the “Administration” tab, navigate to “Entitlements”

•  Click the green “+” next to the Entitlements header…


XaaS | Entitlements Add Entitlement

•  Enter a Name and Description for this Entitlement (e.g. VDI Desktop or Win 7 Desktop, etc)

•  Set Status to “Active”

•  Add Users and/or Groups to Entitle to this item (NOTE: you can enter a blank space in the search field to list all available users), then click Next to continue…


XaaS | Entitlements Add Entitlement

•  From the Items & Approvals tab, click on the green “+” next to the Entitled Services header

•  Select the Service to Entitle (in this case, it’s the “Desktop Service” previously created)

•  Click OK to apply…


XaaS | Entitlements Add Entitlement

•  From the Items & Approvals tab, click on the green “+” next to the Catalog Items header

•  Select the Catalog Item to Entitle (in this case, it’s the “Desktop Request” item previously created)

•  Click OK to apply…


XaaS | Entitlements Add Entitlement – Review Configuration

In the previous steps we added a Service and Catalog Item entitlement to the Users & Groups defined in the Details tab. In practice, you have the option to entitle just the Service Catalog, which will automatically apply to all catalog items assigned to that service. However, this method gives you more granularity.

•  Click Add to commit the entitlement


XaaS | DaaS Verify Service and Catalog Item Availability

•  Navigate to the “Catalog” tab and select the newly-created service catalog from the left menu pane

•  Verify that the “Desktop Request” catalog item is visible

(NOTE: be sure you entitle the logged-in account to this service. If not, log in using an account that was entitled)


END [virtualjad.com]!