In the previous post we talked about Scaling out our newly deployed vIDM Deployment using vRealize Suite Lifecycle Manager. In this post we will take you through the process of Enabling Multi-Tenancy in vRealize Automation 8 Deployment.
Before we start with Enabling Multi-Tenancy ensure that you have generated and applied VMware Identity Manager and vRealize Automation Certificates using the process shared in the previous post Part-3: Scale-Out VMware Identity Manager Deployment.
The following steps in this final Blog of this Blog series will help us in Enabling Multi-Tenancy and will create 2 tenants for vRealize Automation 8.X Deployment:
1. Before we begin, ensure that you have taken snapshots of all the Appliances and that you have added your Active Directory under Directory Management in vRealize Suite Lifecycle Manager.
2. We can enable Multi-Tenancy under Tenant Management section of Identity and Tenant Management in vRealize Suite Lifecycle Manager:
vRealize Suite Lifecycle Manager – My Services Screen
3. We will observe a page with 4 recommendations to ensure an easy and error free tenancy experience. Click on ENABLE TENANCY.
Enable Tenancy – Tenant Management Screen
3. Ensure that you have taken Snapshots for all the Appliances and Trigger an Inventory Sync before clicking on Proceed.
4. On the next screen we will have to supply the name of our default tenant which is tenant in our case and click on ENABLE TENANCY.
Enable Tenancy – Master Tenant Screen
5. The request will go through 6 steps, including Step 6, Initialize vRealize Automation cluster, which Stops and Starts vRealize Automation services.
Enable Tenancy – Request Details Screen
6. Once we have successfully Enabled Tenancy, we can go back to Tenant Management in Identity and Tenant Management to ADD TENANT.
Add Tenant – Tenant Management Screen
7. Input the Tenant Name as tenant1 and supply the rest of the details for your tenant.
Add Tenant – Tenant Details Screen
8. We can copy the Directory from our Default tenant to the new tenant by supplying the Bind DN and Password or Copy the Directory to new tenant later on. For LCM to copy a Directory to a new tenant, the Directory has to be mapped to the Default tenant.
Add Tenant – Directory Details Screen
9. Select your vRA Environment. There is a reminder on this screen to ensure that you have created the Certificates and have applied them to the vRA Environment.
Add Tenant – Select Environment Screen
10. Run the Precheck and ensure that status reports Successful on completion.
Add Tenant – Run Precheck Screen
11. Review the details on the Summary screen and click CREATE TENANT.
12. The process of creating a new Tenant takes around 2 mins and after successful creation of new Tenant we can see our new Tenant listed under Tenant Management in Identity and Tenant Management section of vRealize Suite Lifecycle Manager.
Tenant Management – Tenant List Screen
With that we have come to the end of this 4 Blog series of Deploying and Configuring a Clustered vRealize Automation 8 Environment which is Highly-Available, Clustered, Distributed & Production ready with the capability of Multi-Tenancy.
In the previous post we talked about Deploying vRSLCM, vRA and vIDM Appliances using Easy Installer. In this post we will take you through the process of Expanding VMware Identity Manager Deployment from a Single-Node to a 3-Node Environment.
Before we start expanding VMware Identity Manager Deployment we need to generate Certificates for vRealize Automation and VMware Identity Manager Appliances. We will be generating SAN Certificates in this post using vRealize Suite Lifecycle Manager but you can also apply Custom CA Signed certificates by Importing the Certificates in vRealize Suite Lifecycle Manager.
The following steps will help in generating and applying the new Certificates with the help of vRealize Suite Lifecycle Manager:
1. We can find the existing Certificates and Generate new Certificates under Locker > Certificates section in vRSLCM:
vRealize Suite Lifecycle Manager Certificates
2. If you want to use Custom CA Certificates, you can click on Generate CSR, fill in the details and send it to your CA for generating the Certificates. In this post we will be using the Generate option to Generate SSL Certificates using vRSLCM. Click on Generate and fill in the following details for vIDM Certificate:
Name: MyCloud-vIDM Certificate
Common Name (CN): vidm
Organization (O): MyCloud
Organization Unit (OU): Delhi
Country Code (C): IN
Locality (L): Delhi
State (ST): Delhi
Key Length: 2048
Server/Domain/Hostname: vidm1.mycloud.lab, vidm2.mycloud.lab, vidm3.mycloud.lab, vidm.mycloud.lab, tenant.mycloud.lab, tenant1.mycloud.lab
IP Address: 192.168.10.17, 192.168.10.18, 192.168.10.19, 192.168.10.16, 192.168.10.22
Generating new Certificate using vRSLCM
3. We need to Generate another Certificate for vRA Appliances:
Name: MyCloud-vRA Certificate
Common Name (CN): vra
Organization (O): MyCloud
Organization Unit (OU): Delhi
Country Code (C): IN
Locality (L): Delhi
State (ST): Delhi
Key Length: 2048
Server/Domain/Hostname: vra.mycloud.lab, vra1.mycloud.lab, vra2.mycloud.lab, vra3.mycloud.lab, tenant1.vra.mycloud.lab
IP Address: 192.168.10.12, 192.168.10.13, 192.168.10.14, 192.168.10.15
Note: If you are not very concerned about the certificates and would like to use a wildcard certificate, you can simply generate a wildcard certificate *.mycloud.lab
4. Once we have generated the Certificates, we will have to Import the MyCloud-vIDM Certificate in NSX-LB. We mentioned this Step as the last Step in Part-1: Configure Load Balancer for vRA 8 and vIDM of this Blog Series.
Import vIDM Certificate to NSX-LB
4. We will login to vRealize Suite Lifecycle Manager, under Lifecycle Operations section we need to go to globalenvironment & MyCloud-VRA8 Environment. Select Replace Certificate and apply the respective Certificates to each solution.
Replace vIDM and vRA Environment Certificates
5. Once we have successfully applied the newly Generated Certificates, we will proceed with the Actual Task at hand which is to expand our VMware Identity Manager Deployment from 1-Node to 3-Node which will make our environment truly Production Ready and Highly-Available. Now we need to go into globalenvironment under Environments and click on Add Components.
Adding Secondary Nodes to vIDM Environment
6. Please ensure that you have taken snapshots of your vIDM and vRA Appliances before proceeding, Trigger Inventory Sync, check the Checkbox which ensures that VMware Identity Manager cluster is Healthy and click Proceed.
Snapshot and vIDM Health Warning Screen
7. In Infrastructure section Select the Target vCenter Server, Cluster, Folder, Network and Datastore where you would like to Host the Secondary VMware Identity Manager Appliances. You can also enable Thin Disk Mode for the Storage of these Appliances.
Target Infrastructure for Secondary vIDM Nodes
8. Network Section should already have the details of Default Gateway, Netmask, Domain Name, Domain Search Path and DNS Servers.
9. Under Configuration section click on + next to Components and Select VMware Identity Manager Secondary Node. Repeat the process to add another Secondary Node to VMware Identity Manager Deployment and fill in the following details:
Cluster VIP FQDN: vidm.mycloud.lab
Database IP Address: 192.168.10.20
VIDM3 VM Name: VIDM3
VIDM3 FQDN: vidm3.mycloud.lab
VIDM3 IP Address: 192.168.10.19
VIDM2 VM Name: VIDM2
VIDM2 FQDN: vidm2.mycloud.lab
VIDM2 IP Address: 192.168.10.18
Cluster and Secondary Node IP Details for vIDM
10. Click on RUN PRECHECK and System will run multiple tests against the Entered Data, Infrastructure and VMware Identity Manager Configuration.
Run Precheck Screen
Re-Run Precheck and Download Report Screen
11. Once all Pre-Checks have Passed, Review all the details on Summary screen and click Submit.
Scale-Out Identity Manager Request Summary Screen
12. Once you click Submit, vRSLCM goes through Stages 1 to 16 for Expanding VMware Identity Manager Deployment from 1-Node to 3-Nodes.
vIDM Scale-Out Task Screen
The entire process of Expanding VMware Identity Manager Deployment took us around 1 hour and 45 mins on a Production Grade Hardware right from Generating new Certificates to Deploying and Configuring Secondary VMware Identity Manager Nodes. In the next and final part of this Blog series Part-4: Enable Multi-Tenancy for vRealize Automation 8 Deployment, we will discuss the process of Enabling Multi-Tenancy for your newly Deployed vRealize Automation 8 setup.
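As an added example (not part of the original post and not vRSLCM code), the following Python check confirms that the Server/Domain/Hostname lists entered for the two certificates above cover every name the nodes, load balancer VIPs and tenants are served under, before a tenant is added in Part-4. Matching follows the standard hostname rule that a wildcard stands for exactly one left-most label, so *.mycloud.lab does not cover tenant1.vra.mycloud.lab. The function names and the tenant2 tenant are assumptions made for illustration, and IP address entries are not checked.

```python
# SAN lists exactly as entered in the two certificate forms in this post.
VIDM_SANS = ["vidm1.mycloud.lab", "vidm2.mycloud.lab", "vidm3.mycloud.lab",
             "vidm.mycloud.lab", "tenant.mycloud.lab", "tenant1.mycloud.lab"]
VRA_SANS = ["vra.mycloud.lab", "vra1.mycloud.lab", "vra2.mycloud.lab",
            "vra3.mycloud.lab", "tenant1.vra.mycloud.lab"]

# Names served regardless of tenants: cluster VIP, nodes, default tenant.
VIDM_BASE = ["vidm.mycloud.lab", "vidm1.mycloud.lab", "vidm2.mycloud.lab",
             "vidm3.mycloud.lab", "tenant.mycloud.lab"]
VRA_BASE = ["vra.mycloud.lab", "vra1.mycloud.lab", "vra2.mycloud.lab",
            "vra3.mycloud.lab"]


def tenant_hosts(tenant):
    """Per-tenant FQDNs, following the tenant1 naming used in this series."""
    return f"{tenant}.mycloud.lab", f"{tenant}.vra.mycloud.lab"


def san_matches(pattern, host):
    """True if a dNSName SAN entry covers host.

    Only a whole-label wildcard in the left-most position is honoured,
    and it matches exactly one label.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def uncovered(hosts, sans):
    """Hosts that no SAN entry matches, in input order."""
    return [h for h in hosts if not any(san_matches(s, h) for s in sans)]


def check_tenants(tenants, vidm_sans=VIDM_SANS, vra_sans=VRA_SANS):
    """Return the names each certificate would fail to cover."""
    vidm_need = VIDM_BASE + [tenant_hosts(t)[0] for t in tenants]
    vra_need = VRA_BASE + [tenant_hosts(t)[1] for t in tenants]
    return {"vidm": uncovered(vidm_need, vidm_sans),
            "vra": uncovered(vra_need, vra_sans)}


if __name__ == "__main__":
    print(check_tenants(["tenant1"]))             # certificates from this post
    print(check_tenants(["tenant1", "tenant2"]))  # tenant2 is hypothetical
    wildcard = ["*.mycloud.lab"]
    print(check_tenants(["tenant1"], wildcard, wildcard))
```

Any name reported for a certificate means that certificate has to be regenerated with the extra entry and re-applied before the tenant is created.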
In the previous post we talked about Configuring Load Balancer for vRealize Automation 8 and VMware Identity Manager in a NSX-V environment. In this post we will take you through the process of Deploying vRealize Lifecycle Manager, Clustered vRealize Automation Appliances and VMware Identity Manager appliance.
Ensure that all DNS Records and IP Reservations are in place
Keep DNS server and NTP server details handy
Now we are ready to deploy our new appliances. The steps to deploy vRSLCM, vRA and vIDM appliances are as follows:
1. Mount the Easy Installer ISO and Launch installer.exe located under F:\vrlcm-ui-installer\win32\installer.exe
vRealize Easy Installer Launch Screen
2. Please go through the Introduction and Accept the End User License Agreement. Click Next
End User License Agreement Screen
3. Enter the Appliance Deployment Target details like vCenter Server Hostname, Administrator Username and Password.
Appliance Deployment Target Screen
4. Select a Target Location, Target Cluster and Datastore.
Select a Target Location Screen
Select a Target Compute Resource Screen
Select a Destination Storage Location Screen
6. Enter the details of Network Configuration which includes Target Network, IP Assignment Type, Subnet Mask, Default Gateway, DNS Servers, Domain Name and NTP Servers.
Network: DC_MGMT_VLAN100
IP Assignment: static
Subnet Mask: 255.255.255.0
Default Gateway: 192.168.10.1
DNS Servers: 192.168.10.50, 192.168.10.51
Domain Name: mycloud.lab
Provide NTP Server for the appliance: 192.168.10.70,192.168.10.71
Network Configuration Screen
7. Enter your Password. This password will be used for vRSLCM admin & root account, vRA root account, vIDM admin, sshuser, root user and default configuration user.
Password Configuration Screen
8. Enter Virtual Machine name, IP Address, FQDN, Datacenter Name and vCenter Name for vRealize Suite Lifecycle Manager. Set Increase Disk Size in GB to 20 and Leave FIPS Mode Compliance to default.
Virtual Machine Name: VRSLCM
IP Address: 192.168.10.11
Hostname: vrslcm.mycloud.lab
Data Center Name: MYCLOD-DC
vCenter Name: MYCLOUD-VC
Increase Disk Size in GB: 20
FIPS Mode Compliance: Enabled
Lifecycle Manager Appliance Configuration Screen
9. In Identity Manager Configuration, we will initially configure a Single Node VMware Identity Manager deployment which will be expanded to a clustered deployment in next blog in this series. Select Install New VMware Identity Manager and Enter the details of Virtual Machine Name, IP Address, FQDN, Default Configuration Admin, E-mail Address and Node size as per your environment’s requirement. Tick Sync Group Members to the Directory When Adding Group checkbox.
Virtual Machine Name: VIDM1
IP Address: 192.168.10.17
Hostname: vidm1.mycloud.lab
Default Configuration Admin: configadmin
Default Configuration Email: configadmin@vsphere.local
Node Size: Medium
Sync Group Members to the Directory When Adding Group: Enabled
Identity Manager Appliance Configuration Screen
10 a. Under vRealize Automation Configuration section select Clustered Deployment. Enter vRealize Automation Environment Name, License Key, Turn Off FIPS Compliance Mode and Select the Node size.
vRA Environment Name: MYCLOUD-VRA8
License Key: XXXXX-XXXXX-XXXXX-XXXXX-XXXXX
FIPS Compliance Mode: Disabled
Node Size: Medium
10 b. Enter vRealize Automation Load Balancer IP Address, Load Balancer FQDN and leave SSL terminated at Load-Balancer unchecked. In the vRealize Automation Primary Node Details section, enter Virtual Machine Name, IP Address and FQDN for the vRA Primary Node.
10 c. Enter vRealize Automation Secondary Node-1 and Secondary Node-2 Details, Virtual Machine Name, IP Address and FQDN. Leave Advanced Configuration for vRealize Automation to default.
vRealize Automation Node Details:
Primary Node
Virtual Machine Name: VRA1
IP Address: 192.168.10.13
Hostname: vra1.mycloud.lab
Secondary Node-1
Virtual Machine Name: VRA2
IP Address: 192.168.10.14
Hostname: vra2.mycloud.lab
Secondary Node-2
Virtual Machine Name: VRA3
IP Address: 192.168.10.15
Hostname: vra3.mycloud.lab
Internal Pods and Services Configuration: Use Default
vRealize Automation Configuration – Secondary Node-1 and Secondary Node-2 Details
11. Review Configuration details on the Summary screen and click Submit.
vRealize Easy Installer Summary Screen
12. Installation Process goes through 5 stages: Initializing, Installing vRSLCM, Moving Binaries, Initiating install vIDM and vRA and Finish vRA Install.
Installation Process Screen
13. Once the Installation Process has passed the stage of vRSLCM Installation, we can login to vRSLCM UI using the username as admin@local and Password which we entered during the Password Configuration stage.
Installation Process – vRSLCM Services Started Screen
14. In vRealize Suite Lifecycle Manager select Lifecycle Operations under My Services and then go to the Requests section. You’ll find 2 requests: globalenvironment – Create Environment (IDM Installation) and MYCLOUD-VRA8 – Create Environment (vRA Installation).
vRealize Suite Lifecycle Manager – My Services Screen
15. VMware Identity Manager Installation Request goes through 8 Stages before your vIDM deployment is ready.
16. vRealize Automation Installation Request goes through 13 Stages before your vRealize Automation Deployment is set up and ready to use. Our vRealize Automation Installation failed twice during the setup process but the process was intelligent enough to provide intuitive insights into the error and to allow us to resume from the failed stage.
MYCLOUD-VRA8 – Create Environment Screen
The entire Deployment and Setup process took us around 1 hour and 35 mins and we were using Enterprise Grade Hardware for this setup. In the next part of this series Part-3: Scale-Out VMware Identity Manager Deployment, we will discuss the process of Expanding vIDM Environment by Adding Two Secondary Nodes.
In this series of blog posts we will talk about the steps involved in deploying a Clustered Production-Ready vRealize Automation Environment enabled with Multi-Tenancy. We have divided this series into 4 blog posts which will be as follows:
In this post we are going to talk about one of the primary requirements for deploying a clustered vRealize Automation deployment with Multi-Tenancy, which is setting up your Load Balancer. We are using NSX-V for our setup but you can use NSX-T, F5 or Citrix Netscaler. We are assuming that you already have your Active Directory and DNS configured.
Before we begin setting up our Load Balancer we need to perform the following pre-requisites:
We need 11 IP Addresses and 12 DNS entries.
vRSLCM (A-Type Record) – 1 IP Address and DNS Record:
vrslcm.mycloud.lab – 192.168.10.11
vRA – 3 IP Addresses for vRA Appliances and 1 vRA-LB IP with DNS Records:
vra.mycloud.lab (A-Type Record) – 192.168.10.12 (vRA LB IP Address)
vra1.mycloud.lab (A-Type Record) – 192.168.10.13
vra2.mycloud.lab (A-Type Record) – 192.168.10.14
vra3.mycloud.lab (A-Type Record) – 192.168.10.15
vIDM – 3 IP Addresses for vIDM Appliances and 1 vIDM-LB IP with DNS Records. We will also need 1 IP Address for vIDM Postgres replication:
vidm.mycloud.lab (A-Type Record) – 192.168.10.16 (vIDM LB IP Address)
vidm1.mycloud.lab (A-Type Record) – 192.168.10.17
vidm2.mycloud.lab (A-Type Record) – 192.168.10.18
vidm3.mycloud.lab (A-Type Record) – 192.168.10.19
Internal vIDM Postgres IP Address – 192.168.10.20
Load Balancer Interface IP Address – 192.168.10.21
DNS Entry for Default Tenant:
tenant.mycloud.lab (A-Type Record) – 192.168.10.16
tenant1.mycloud.lab (A-Type Record) – 192.168.10.16
Multi-Tenancy DNS Entries:
tenant1.vra.mycloud.lab (CNAME Record) – vra.mycloud.lab
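An added example, not part of the original post: a Python pre-flight that compares what the resolver returns with the 12 records planned above, so a missing or mistyped entry is caught before the appliances and their certificates depend on it. The function names are assumptions; the resolver is passed in as a parameter so the same check can be run against constructed data.

```python
import socket

# Planned A records, copied from the prerequisites above.
EXPECTED_A = {
    "vrslcm.mycloud.lab": "192.168.10.11",
    "vra.mycloud.lab": "192.168.10.12",
    "vra1.mycloud.lab": "192.168.10.13",
    "vra2.mycloud.lab": "192.168.10.14",
    "vra3.mycloud.lab": "192.168.10.15",
    "vidm.mycloud.lab": "192.168.10.16",
    "vidm1.mycloud.lab": "192.168.10.17",
    "vidm2.mycloud.lab": "192.168.10.18",
    "vidm3.mycloud.lab": "192.168.10.19",
    "tenant.mycloud.lab": "192.168.10.16",
    "tenant1.mycloud.lab": "192.168.10.16",
}
# Planned CNAME record: alias -> target.
EXPECTED_CNAME = {"tenant1.vra.mycloud.lab": "vra.mycloud.lab"}


def system_resolver(name):
    """IPv4 addresses the local resolver returns for name (CNAMEs followed)."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:  # covers socket.gaierror / socket.herror
        return []


def preflight(resolve=system_resolver):
    """Return a list of problems; an empty list means DNS matches the plan."""
    problems = []
    for name, ip in EXPECTED_A.items():
        got = resolve(name)
        if not got:
            problems.append(f"{name}: does not resolve")
        elif got != [ip]:
            problems.append(f"{name}: expected {ip}, got {', '.join(got)}")
    for alias, target in EXPECTED_CNAME.items():
        want = EXPECTED_A[target]
        got = resolve(alias)
        if not got:
            problems.append(f"{alias}: does not resolve")
        elif got != [want]:
            problems.append(
                f"{alias}: expected {want} via {target}, got {', '.join(got)}")
    return problems


if __name__ == "__main__":
    for line in preflight() or ["all 12 records resolve as planned"]:
        print(line)
```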
Now we are ready to configure our Load Balancer in NSX-V. The steps to configure NSX-V LB are as follows:
1. Deploy a new NSX-V Edge Services Gateway with High Availability.
6. Enter the Name for the Interface, Select the Port Group and enter the Primary and Secondary IP Addresses. Primary IP Address should be your Load Balancer Interface IP and Secondary IP Addresses should be the Load Balancer IPs for your vRA & vIDM.
4. Create 2 Service Monitors, One for vRealize Automation and one for VMware Identity Manager.
vRealize Automation Service Monitor:
Name: vRealize Automation8
Interval: 3
Timeout: 10
Max Retries: 3
Type: HTTP
Expected: 200
Method: GET
URL: /health
NSX Edge – Service Monitor for vRealize Automation Screen
VMware Identity Manager Service Monitor:
Name: VMware Identity Manager
Interval: 3
Timeout: 10
Max Retries: 3
Type: HTTPS
Expected: 200
Method: GET
URL: /SAAS/API/1.0/REST/system/health/heartbeat
NSX Edge – Service Monitor for VMware Identity Manager Screen
5. Now we will create 2 Pools of Member Servers, One for vRealize Automation and one for VMware Identity Manager.
NSX Edge – Pool Configuration for vRealize Automation Screen
vRealize Automation Pool Members:
Members: vra1, vra2 and vra3
IP Addresses: 192.168.10.13, 192.168.10.14 and 192.168.10.15
Monitor Port: 8008
Port: 443
NSX Edge – vRealize Automation Pool Members Screen
NSX Edge – VMware Identity Manager Pool Configuration Screen
VMware Identity Manager Pool Members:
Members: vidm1, vidm2 and vidm3
IP Addresses: 192.168.10.17, 192.168.10.18 and 192.168.10.19
Monitor Port: 443
Port: 443
NSX Edge – VMware Identity Manager Pool Members Screen
6. The last step in the process of setting up our Load Balancer is to create 2 Virtual Servers, again one for vRealize Automation and one for VMware Identity Manager.
In Part-2 of this Blog post series Part-2: Deploy vRSLCM, vRA and vIDM Appliances using Easy Installer, we will discuss the process to deploy vRealize Suite Lifecycle Manager 8, vRealize Automation 8 and VMware Identity Manager Appliances using Easy Installer. Stay Tuned.