Event Subscriptions in vRealize Automation 8


In vRealize Automation 8 the process of creating an Event Subscription has changed a little. There are 40 Event Topics already defined under Extensibility Library in Cloud Assembly.

The Event Topics you can choose from while creating an Event Subscription in vRealize Automation are as follows:

  • Blueprint configuration
  • Blueprint version configuration
  • Compute allocation
  • Compute post provision
  • Compute post removal
  • Compute provision
  • Compute removal
  • Compute reservation
  • Deployment action completed
  • Deployment action requested
  • Deployment completed
  • Deployment onboarded
  • Deployment requested
  • Deployment resource action completed
  • Deployment resource action requested
  • Deployment resource completed
  • Deployment resource requested
  • Disk allocation
  • Disk post Removal
  • Disk post resize
  • EventLog
  • Kubernetes cluster allocation
  • Kubernetes cluster post provision
  • Kubernetes cluster post removal
  • Kubernetes cluster provision
  • Kubernetes cluster removal
  • Load balancer post provision
  • Load balancer post removal
  • Load balancer provision
  • Load balancer removal
  • Network Configure
  • Network post provisioning
  • Network post removal
  • Network provisioning
  • Network removal
  • Project Lifecycle Event Topic
  • Security group post provision
  • Security group post removal
  • Security group provision
  • Security group removal

In order to understand an Event Topic, review the Description, Topic ID, Blockable flag and Schema of the Event Topic.

Compute provision Event Topic

To create a Subscription for an Event Topic, select the Event Topic and click on Subscribe, then select the ABX Action or Workflow to trigger, whether the Subscription is Blocking, and the Subscription scope. The Schema of the Event Topic can also be reviewed on this screen. The Schema (called Payload in previous versions of vRealize Automation) of an Event Topic is the set of Properties that is passed to Orchestrator when an event of that Topic is triggered.

Test Subscription for Compute provision Event Topic

Important Tip: If you are not sure about the Schema of an Event Topic, create a blank Workflow with an Input Variable named “inputProperties” of Type “Properties” and create a test Subscription using this blank Workflow. The name of the Input Variable is important here: if you name it anything else, it will not receive the Properties from Cloud Assembly.

Schema Properties received by the Orchestrator Workflow

Did you notice that the Workflow ran twice? This is because I specified 2 Machine Components in the Blueprint, and the Workflow ran each time a Machine Component was provisioned for this Deployment request.

2 Workflow Runs for the Test Subscription

The names of the machine components in the Test Blueprint used for this illustration are “Primary_VM” and “Secondary_VM”.

Blueprint for which Event Subscription was triggered

There is one more important thing you can specify while creating an Event Subscription on an Event Topic: the Condition. A Condition is an expression you write to filter out a specific Event from the Events that are triggered when a user requests Services through Service Broker.

Condition to filter Events for an Event Topic

In the current version of vRealize Automation a Condition can only be specified in JavaScript syntax. For instance, if I would like to trigger the same test Workflow only for Secondary_VM, I can specify the following Condition in the test Subscription:

event.data.blueprintId == 'e9d2abc4-94fa-48f1-a1db-19a31510a375' && event.data.componentId == 'Secondary_VM'

The Blueprint ID can be copied from one of the previous sample Workflow runs.

Sample Filter Condition for Events in Topic

This Condition ensures that the Workflow is triggered only if the requested Blueprint has the id e9d2abc4-94fa-48f1-a1db-19a31510a375, and only for the component with id Secondary_VM. If you now request a Deployment using the same Blueprint, the Workflow is triggered only once, for the Machine Component Secondary_VM.

Single Workflow Run for Secondary_VM Machine Component

Note: I noticed one typo in the examples provided for the Condition statement in vRealize Automation 8: a space is missing between event.data.blueprintId == and the actual id. I had to spend 15 minutes figuring out why the event was not triggering a workflow, so make sure that the syntax of the Condition is correct.

Bad Syntax for the Condition Statement Example
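The filtering and the syntax pitfall described above, as an added JavaScript example that is not part of the original post: the event objects are constructed stand-ins for the Compute provision payload and carry only the two properties the Condition reads, and the compile step mirrors the observation that a malformed Condition simply never fires the workflow.

```javascript
// Added example, not code from the original post: simulates how a vRA 8
// subscription Condition filters the events of one deployment request.
// The events below are constructed stand-ins for the Compute provision
// schema and carry only the two properties the Condition reads.
const SAMPLE_EVENTS = [
  { data: { blueprintId: "e9d2abc4-94fa-48f1-a1db-19a31510a375", componentId: "Primary_VM" } },
  { data: { blueprintId: "e9d2abc4-94fa-48f1-a1db-19a31510a375", componentId: "Secondary_VM" } },
];

// The Condition exactly as typed into the subscription (straight quotes).
const CONDITION =
  "event.data.blueprintId == 'e9d2abc4-94fa-48f1-a1db-19a31510a375' && event.data.componentId == 'Secondary_VM'";

// The same Condition pasted with typographic quotes: looks right, but is not valid JavaScript.
const BAD_CONDITION =
  "event.data.blueprintId == \u2018e9d2abc4-94fa-48f1-a1db-19a31510a375\u2019 && event.data.componentId == \u2018Secondary_VM\u2019";

// Compile a Condition string into a predicate over the `event` variable.
// A SyntaxError yields null, which mirrors the post's observation that a
// malformed Condition never triggers the workflow. Conditions are written by
// the subscription owner (an administrator); never compile untrusted text.
function compileCondition(source) {
  try {
    return new Function("event", `return Boolean(${source});`);
  } catch (err) {
    if (err instanceof SyntaxError) return null;
    throw err;
  }
}

// componentIds whose events satisfy the Condition, in event order;
// an invalid Condition selects nothing.
function triggeredComponents(events, source) {
  const predicate = compileCondition(source);
  if (predicate === null) return [];
  return events.filter((e) => predicate(e)).map((e) => e.data.componentId);
}

console.log(triggeredComponents(SAMPLE_EVENTS, CONDITION));     // [ 'Secondary_VM' ]
console.log(triggeredComponents(SAMPLE_EVENTS, BAD_CONDITION)); // []
```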

With that you are now ready to create Event Subscription in vRealize Automation 8. Enjoy!!


Single Sign-On Configuration for VMware vRealize Suite


In vRealize Automation 8.X, Easy Installer deploys a vIDM appliance which is used for Authentication by vRealize Automation whether you choose a Standalone deployment or a Clustered deployment. As we already have an external vIDM appliance as part of our vRA 8.X deployment, we can use it for configuring Single Sign-On for VMware vRealize Suite products.

Single Sign-On configuration is supported in 7.X versions of the vRealize Suite products as well, but it needs an external VMware Identity Manager, which most customers do not deploy. vRealize Automation 7.X Appliances also include an embedded version of VMware Identity Manager, and the UI for the embedded vIDM can be enabled with the command vcac-vami horizon ui enable, but there is no documentation suggesting that making changes directly to the embedded VMware Identity Manager is supported by VMware.

In this post we will discuss the process of configuring Single Sign-On for vRealize Suite 8.X version products. In this article I am assuming that an Active Directory domain has already been configured in VMware Identity Manager.

vRealize Automation:

1. Login to VMware Identity Manager and click on Web Apps under the Catalog section.

VMware Identity Manager Web Apps Section

2. Click on New to configure vRealize Automation Web Application Link.

Creating a New Web Application Link in Identity Manager

3. In the Name section enter vRealize Automation 8.X (vRA) and upload an Icon file for vRealize Automation.

vRealize Automation Web App Configuration

4. Leave the Category section blank and click Next.

5. In Authentication Type select Web Application Link and type https://vRA_FQDN/csp/gateway/portal/#/consumer in Target URL.

Target URL for vRealize Automation Web App

6. Click Next and then click Save.

7. Now the only task left is to assign this App to the Active Directory users who already have access to vRealize Automation. Select the newly created Application and click on Assign.

Assign vRealize Automation Web App to Users/Groups

8. Search the name of the Users/User Groups to publish the App to, select the Deployment type as Automatic and click Save.

Assign vRealize Automation Web App Enterprise Admins Group

9. The next time the user authenticates with vIDM and goes to the User Portal, he/she will be able to see the newly published vRA 8.X Application.

Access VMware Identity Manager User Portal

Launch vRealize Automation Web App from vIDM Catalog

10. Once the user clicks on Open on this App, the user will be authenticated and redirected to the vRealize Automation portal.

vRealize Log Insight:

1. Before publishing vRealize Log Insight as an App in VMware Identity Manager we need to configure vIDM as an Authentication Source in vRealize Log Insight and we need to obtain the Target URL.

2. Login to vRealize Log Insight. Click on Administration and under Authentication enter the details of your vIDM.

Configure vRealize Log Insight to use VMware Identity Manager for Authentication

3. Provide access to VMware Identity Manager Users/User Groups in Administration section under Access Control > Users and Groups.

Access Control in vRealize Log Insight

4. In order to obtain the Target URL, logout from vRealize Log Insight & logout from vIDM and select System Domain.

5. Open vRealize Log Insight in a new Tab, select VMware Identity Manager from the Drop-down and click on Login via SSO.

vRealize Log Insight Target URL for VMware Identity Manager

6. You’ll be redirected to VMware Identity Manager for login. Copy the URL from the Address Bar of the browser. The URL will look something like:

https://idm01.mydomain.lab/SAAS/auth/login?dest=https://idm01.mydomain.lab/SAAS/auth/oauth2/authorize?response_type%3Dcode%26client_id%3Dbabc6f64a70-2c7c-4c5a-867f-bc631327f5dc%26redirect_uri%3Dhttps://192.168.113.112/login&chainedauthMethods=%5B%7B%22chainedAuthmethods%22:%5B%7B%22authMethoId%22:15,%22authMethodOrder%22:13%7D%5D%7D,%7B%22chainedAuthmethods%22:%5B%7B%22authMethoId%22:3,%22authMethodOrder%22:1%7D%5D%7D%5D&ttl=28800

Capture vRealize Log Insight Target URL for VMware Identity Manager

7. The URL highlighted in red is our Target URL for vRealize Log Insight. Follow the same process as for the vRealize Automation App and publish vRealize Log Insight for users using the vRealize Log Insight Target URL.

8. Now the users should be able to launch vRealize Log Insight App from vIDM User Portal & Authenticate using vIDM Single Sign-On.

vRealize Operations Manager:

1. For vRealize Operations Manager we need to follow a process similar to vRealize Log Insight: configure vIDM as an Authentication Source, grant permissions to vIDM Users/Groups in vROps and obtain the Target URL.

2. Login to vRealize Operations Manager as an Admin user. Click on Administration and under Authentication Sources click Add. Select Source Type as VMware Identity Manager and enter the details of your vIDM Appliance.

Configure VMware Identity Manager as Authentication Source in vRealize Operations Manager

3. Provide access to VMware Identity Manager Users/Groups by Importing them in Administration section under Access > Access Control > User Accounts and User Groups.

Import Users/Groups from VMware Identity Manager for Access Control in vRealize Operations Manager

4. In order to obtain the Target URL, logout from vRealize Operations Manager & logout from vIDM and select System Domain.

5. Open vRealize Operations Manager in a new Tab, select VMware Identity Manager from the Drop-down and click REDIRECT.

vRealize Operations Manager Target URL for VMware Identity Manager

6. You’ll be redirected to VMware Identity Manager for login. Copy the URL from the Address Bar of the browser. URL will look something like:

https://idm01.mydomain.lab/SAAS/auth/login?dest=https://idm01.mydomain.lab/SAAS/auth/oauth2/authorize?response_type%3Dcode%26client_id%3D0246fe54-d0a5-42ff-b3c1-f3d144b64519%26redirect_uri%3Dhttps://10.11.12.13/ui/vidmClient/vidm/&chainedauthMethods=%5B%7B%22chainedAuthmethods%22:%5B%7B%22authMethoId%22:15,%22authMethodOrder%22:13%7D%5D%7D,%7B%22chainedAuthmethods%22:%5B%7B%22authMethoId%22:3,%22authMethodOrder%22:1%7D%5D%7D%5D&ttl=28800

We are only interested in the Client ID highlighted in red in the above link.

Capture VMware Identity Manager Client ID for vRealize Operations Manager

7. Replace the details in the URL below with your environment details (vIDM FQDN, Client ID and the vROps address used as redirect_uri) and you will get the Target URL for vRealize Operations Manager.

https://idm01.mydomain.lab/SAAS/auth/oauth2/authorize?response_type=code&client_id=0246fe54-d0a5-42ff-b3c1-f3d144b64519&redirect_uri=https://idm_ip_address/ui/vidmClient/vidm/
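Steps 6 and 7 can be done in code instead of by hand. The JavaScript below is an added example, not part of the original post: it pulls the client_id and redirect_uri out of the nested, URL-encoded dest parameter of the captured login URL and rebuilds the authorize URL in the form shown above. The captured URL and the trusted-host allowlist are constructed from the post's placeholder values (idm01.mydomain.lab, 10.11.12.13) and are assumptions.

```javascript
// Added example, not code from the original post: derive the vROps Web App
// Target URL from the vIDM login URL captured in step 6.

// Constructed copy of the captured address-bar URL, built from the post's
// placeholder values. The OAuth2 authorize request sits URL-encoded inside
// the `dest` parameter; the chainedauthMethods JSON is irrelevant here.
const CAPTURED_LOGIN_URL =
  "https://idm01.mydomain.lab/SAAS/auth/login?dest=https://idm01.mydomain.lab/SAAS/auth/oauth2/authorize?" +
  "response_type%3Dcode%26client_id%3D0246fe54-d0a5-42ff-b3c1-f3d144b64519%26redirect_uri%3D" +
  "https://10.11.12.13/ui/vidmClient/vidm/&chainedauthMethods=%5B%5D&ttl=28800";

// Assumed allowlist: the hosts a redirect_uri may point at, i.e. your own
// vROps appliance(s). A pasted link whose redirect lands elsewhere is rejected.
const TRUSTED_REDIRECT_HOSTS = new Set(["10.11.12.13"]);

// Parse the captured URL. `searchParams` decodes the %3D / %26 escapes of the
// inner authorize request, so it can be parsed as a URL of its own.
function parseCapturedLoginUrl(captured) {
  const outer = new URL(captured);
  const dest = outer.searchParams.get("dest");
  if (!dest) throw new Error("no dest parameter: not a vIDM login redirect");
  const authorize = new URL(dest);
  const clientId = authorize.searchParams.get("client_id");
  const redirectUri = authorize.searchParams.get("redirect_uri");
  if (!clientId || !redirectUri) throw new Error("dest lacks client_id or redirect_uri");
  // The authorize endpoint must live on the same vIDM that served the login page.
  if (authorize.origin !== outer.origin) throw new Error("dest points at a different vIDM host");
  return { idmOrigin: authorize.origin, authorizePath: authorize.pathname, clientId, redirectUri };
}

// Build the Target URL in the form the post gives in step 7, after checking
// that the redirect_uri host is one you operate.
function buildTargetUrl(captured, trustedHosts = TRUSTED_REDIRECT_HOSTS) {
  const p = parseCapturedLoginUrl(captured);
  const redirectHost = new URL(p.redirectUri).hostname;
  if (!trustedHosts.has(redirectHost)) {
    throw new Error(`redirect_uri host ${redirectHost} is not a trusted vROps appliance`);
  }
  return `${p.idmOrigin}${p.authorizePath}?response_type=code&client_id=${p.clientId}&redirect_uri=${p.redirectUri}`;
}

console.log(buildTargetUrl(CAPTURED_LOGIN_URL));
```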

8. Follow the same process as vRealize Automation App and publish vRealize Operations Manager App for users using the vRealize Operations Manager Target URL.

9. Now the users should be able to launch vRealize Operations Manager App from vIDM User Portal & Authenticate using vIDM Single Sign-On.

vRealize Suite Lifecycle Manager:

1. For vRealize Suite Lifecycle Manager the process is fairly easy. We just need to provide users access to vLCM under Identity and Tenant Management and publish the Target URL.

2. Login to vRealize Suite Lifecycle Manager as an Admin user. Click on Identity and Tenant Management.

Identity and Tenant Management in vRealize Suite Lifecycle Manager

3. In the Directory Management section, click on Directories, then click Add Directory and select Active Directory over LDAP.

Add Active Directory in vRealize Suite Lifecycle Manager

4. The process of adding the Active Directory is the same as in vRealize Automation 7.X.

Active Directory over LDAP configuration in vRealize Suite Lifecycle Manager

5. Once Active Directory has been configured, provide relevant permissions to Users/Groups under User Management section.

User Management in vRealize Suite Lifecycle Manager

6. Replace the details in the URL below with your environment details and you will get the Target URL for vRealize Suite Lifecycle Manager.

http://lcm01.mydomain.lab/lcm/login/vidm

7. The process of publishing the vRealize Suite Lifecycle Manager App for users using the vRealize Suite Lifecycle Manager Target URL remains the same.

Note: The current versions of vCenter Server do not support VMware Identity Manager as an Identity Provider. NSX-T does support Single Sign-On configuration using vIDM.
For more details on integrating NSX-T with IDM, check out this blog.

The final catalog of your VMware Identity Manager will have Web Apps for all 4 vRealize Suite Components. Enjoy!!

VMware Identity Manager Single Sign-On User Catalog

Export vRA 7.6 Reservation Details

In this post we are sharing a PowerShell script which uses PowervRA Module to export a list of vRealize Automation 7.6 Reservations along with their respective usage.

Script was tested on below versions:

  • PowervRA 3.7.0
  • PowerShell 5.1 or later

Script:

# Force TLS 1.2 for the REST calls made by PowervRA
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Prompt for the tenant admin credentials instead of hard-coding them
$cred = Get-Credential
# -IgnoreCertRequirements disables certificate validation; keep it for lab appliances with self-signed certificates only
Connect-vRAServer -Server 'vRA_FQDN' -Username $cred.UserName -Password $cred.Password -Tenant "Tenant_Name" -IgnoreCertRequirements

# All reservations, including the ExtensionData that holds quota and reserved sizes
$BGReserves = Get-vRAReservation | Select-Object CreatedDate, Name, TenantId, ExtensionData
# All managed virtual machines; each one records the reservation it was placed on
$fetchVMDetails = Get-vRAResource | Where-Object { $_.ResourceType -eq "Infrastructure.Virtual" }

foreach ($BGReserve in $BGReserves)
{
    # Usage counters for this reservation
    $MachineQuotaUsed = 0
    $MemoryUsedinMB   = 0
    $StorageUsedinGB  = 0

    # Machines placed on this reservation
    $ReserveVMDetails = ($fetchVMDetails | Where-Object { $_.Data.MachineReservationName -eq $BGReserve.Name }).Data |
        Select-Object MachineName, MachineMemory, MachineStorage
    foreach ($ReserveVMDetail in $ReserveVMDetails)
    {
        $MachineQuotaUsed = $MachineQuotaUsed + 1
        $MemoryUsedinMB   = $MemoryUsedinMB + $ReserveVMDetail.MachineMemory
        $StorageUsedinGB  = $StorageUsedinGB + $ReserveVMDetail.MachineStorage
    }
    $MemoryUsedinGB = $MemoryUsedinMB / 1024

    # Reserved capacity is stored as nested key/value entries in ExtensionData
    $fetchReserveDetails = $BGReserve.ExtensionData.entries
    $fetchQuotavalue     = ($fetchReserveDetails | Where-Object { $_.key -eq "machineQuota" }).value.value
    $fetchMemoryReserve  = (($fetchReserveDetails | Where-Object { $_.key -eq "reservationMemory" }).value.values.entries |
        Where-Object { $_.key -eq "memoryReservedSizeMb" }).value.value / 1024
    $fetchStorageReserve = (($fetchReserveDetails | Where-Object { $_.key -eq "reservationStorages" }).value.items.values.entries |
        Where-Object { $_.key -eq "storageReservedSizeGB" }).value.value

    # Attach reserved and used values to the reservation object for the report
    $BGReserve | Add-Member -NotePropertyName MachineQuota         -NotePropertyValue $fetchQuotavalue
    $BGReserve | Add-Member -NotePropertyName MachinesAllocated    -NotePropertyValue $MachineQuotaUsed
    $BGReserve | Add-Member -NotePropertyName MemoryReservedinGB   -NotePropertyValue $fetchMemoryReserve
    $BGReserve | Add-Member -NotePropertyName MemoryAllocatedinGB  -NotePropertyValue $MemoryUsedinGB
    $BGReserve | Add-Member -NotePropertyName StorageReservedinGB  -NotePropertyValue $fetchStorageReserve
    $BGReserve | Add-Member -NotePropertyName StorageAllocatedinGB -NotePropertyValue $StorageUsedinGB
}

$output = $BGReserves | Select-Object Name, CreatedDate, TenantId, MachineQuota, MachinesAllocated, MemoryReservedinGB, MemoryAllocatedinGB, StorageReservedinGB, StorageAllocatedinGB
$output | Format-Table -AutoSize -Wrap

$output | Export-Csv "Path_To_Target.csv" -NoTypeInformation

Disconnect-vRAServer -Confirm:$false

Just replace the vRA_FQDN, Tenant_Name, Path_To_Target.csv and TenantAdmin Credentials to run the script & to generate a report of vRealize Automation 7.6 Reservations in your environment. BOOM!!

Happy Scripting!!

Export vRA 7.6 Reservation Details

In this post we are sharing a PowerShell script which uses PowervRA Module to export a list of vRealize Automation 7.6 Reservations along with their respective usage.

Script was tested on below versions:

  • PowervRA 3.7.0
  • PowerShell 5.1 or later

Script:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$cred = Get-Credential
Connect-vRAServer -Server 'vRA_FQDN' -Username $cred.UserName -Password $cred.Password -Tenant "Tenant_Name" -IgnoreCertRequirements
$BGReserves = Get-vRAReservation | Select CreatedDate, Name, TenantId, ExtensionData
$fetchVMDetails= Get-vRAResource | where {$_.ResourceType -eq "Infrastructure.Virtual"}
$output = @()
    foreach($BGReserve in $BGReserves)
    {

        $ReserveVMDetails = ($fetchVMDetails | where {$_.Data.MachineReservationName -eq $BGReserve.name}).Data  | Select MachineName, MachineMemory, MachineStorage
    foreach ($ReserveVMDetail in $ReserveVMDetails)
    {
        $MachineQuotaUsed = $MachineQuotaUsed + 1
        $MemoryUsedinMB = $MemoryUsedinMB + $ReserveVMDetail.MachineMemory
        $StorageUsedinGB = $StorageUsedinGB + $ReserveVMDetail.MachineStorage
    }
    $MemoryUsedinGB = $MemoryUsedinMB/1024
        $fetchReserveDetails = $BGReserve.ExtensionData.entries
        $fetchQuotavalue = ($fetchReserveDetails |  where {$_.key -eq "machineQuota"}).value.value
        $BGReserve | Add-Member -NotePropertyName MachineQuota -NotePropertyValue $fetchQuotavalue
        $fetchMemoryReserve = (($fetchReserveDetails | where {$_.key -eq "reservationMemory"}).value.values.entries | where {$_.key -eq "memoryReservedSizeMb"}).value.value/1024
        $BGReserve | Add-Member -NotePropertyName MemoryReservedinGB -NotePropertyValue $fetchMemoryReserve
        $fetchStorageReserve = (($fetchReserveDetails | where {$_.key -eq "reservationStorages"}).value.items.values.entries | where {$_.key -eq "storageReservedSizeGB"}).value.value
        $BGReserve | Add-Member -NotePropertyName StorageReservedinGB -NotePropertyValue $fetchStorageReserve
        $MachineQuotaAllocated = $MachineQuotaAllocated + $fetchQuotavalue
        $BGReserve | Add-Member -NotePropertyName MachinesAllocated -NotePropertyValue $MachineQuotaUsed
        $MemoryAllocatedinGB = $MemoryAllocatedinGB + $fetchMemoryReserve
        $BGReserve | Add-Member -NotePropertyName MemoryAllocatedinGB -NotePropertyValue $MemoryUsedinGB
        $StorageAllocatedinGB = $StorageAllocatedinGB + $fetchStorageReserve
        $BGReserve | Add-Member -NotePropertyName StorageAllocatedinGB -NotePropertyValue $StorageUsedinGB
        $MachineQuotaAllocated = 0
        $MemoryAllocatedinGB = 0
        $StorageAllocatedinGB = 0
        $MemoryUsedinMB = 0
        $MemoryUsedinGB = 0
        $StorageUsedinGB = 0
        $MachineQuotaUsed = 0
    }

$output = $BGReserves | Select Name, CreatedDate, TenantId, MachineQuota, MachinesAllocated, MemoryReservedinGB, MemoryAllocatedinGB, StorageReservedinGB, StorageAllocatedinGB
$output | FT -AutoSize -Wrap

$output | Export-Csv "Path_To_Target.csv" -NoTypeInformation

Disconnect-vRAServer -Confirm:$false

Just replace the vRA_FQDN, Tenant_Name, Path_To_Target.csv and TenantAdmin Credentials to run the script & to generate a report of vRealize Automation 7.6 Reservations in your environment. BOOM!!

Happy Scripting!!

Single Sign-On Configuration for VMware vRealize Suite

Featured

In vRealize Automation 8.X, Easy Installer deploys a vIDM appliance which is used for Authentication by vRealize Automation whether you choose a Standalone deployment or a Clustered deployment. As we already have an external vIDM appliance as part of our vRA 8.X deployment, we can use it for configuring Single Sign-On for VMware vRealize Suite products.

Single Sign-On configuration is supported in 7.X versions of vRealize Suite products as well but we need an external VMware Identity Manager which most of the customers do not deploy. vRealize Automation 7.X Appliances also include an embedded version of VMware Identity Manager, even though we can enable the UI for the embedded vIDM using the command vcac–vami horizon ui enable but there is no documentation suggesting that making changes directly to VMware Identity Manager is supported by VMware.

In this post we will discuss the process of configuring Single Sign-On for vRealize Suite 8.X version products. In this article I am assuming that an Active Directory domain has already been configured in VMware Identity Manager.

vRealize Automation:

1. Login to VMware Identity Manager and click on Web Apps under the Catalog section.

VMware Identity Manager Web Apps Section

2. Click on New to configure vRealize Automation Web Application Link.

Creating a New Web Application Link in Identity Manager

3. In the Name section enter vRealize Automation 8.X (vRA) and upload an Icon file for vRealize Automation.

vRealize Automation Web App Configuration

4. Leave the Category section blank and click Next.

5. In Authentication Type select Web Application Link and type https://vRA_FQDN/csp/gateway/portal/#/consumer in Target URL.

Target URL for vRealize Automation Web App

5. Click Next and then click Save.

6. Now the only task left is to assign this App to Active Directory users who already have access to vRealize Automation. Select the newly created Application and Click on Assign.

Assign vRealize Automation Web App to Users/Groups

5. Search the name of Users/User Groups to publish the App, select the Deployment type as Automatic and click Save.

Assign vRealize Automation Web App Enterprise Admins Group

6. Next time the user authenticates with vIDM and goes to User Portal, he/she will be able to see the newly published vRA 8.X Application.

Access VMware Identity Manager User Portal

7. Next time the user authenticates with vIDM and goes to User Portal, he/she will be able to see the newly published vRA 8.X Application.

Launch vRealize Automation Web App from vIDM Catalog

8. Once the user clicks on Open on this App, user will be authenticated & re-directed to vRealize Automation portal.

vRealize Log Insight:

1. Before publishing vRealize Log Insight as an App in VMware Identity Manager we need to configure vIDM as an Authentication Source in vRealize Log Insight and we need to obtain the Target URL.

2. Login to vRealize Log Insight. Click on Administration and Under Authentication enter the details of your vIDM.

Configure vRealize Log Insight to use VMware Identity Manager for Authentication

3. Provide access to VMware Identity Manager Users/User Groups in Administration section under Access Control > Users and Groups.

Access Control in vRealize Log Insight

4. In order to obtain the Target URL, logout from vRealize Log Insight & logout from vIDM and select System Domain.

5. Open vRealize Log Insight in a new Tab, select VMware Identity Manager from the Drop-down and click on Login via SSO.

vRealize Log Insight Target URL for VMware Identity Manager

6. You’ll be redirected to VMware Identity Manager for login. Copy the URL from the Address Bar of the browser. URL will look something like:
https://idm01.mydomain.lab/SAAS/auth/login?dest=https://idm01.mydomain.lab/SAAS/auth/oauth2/authorize?response_type%3Dcode%26client_id%3Dbabc6f64a70-2c7c-4c5a-867f-bc631327f5dc%26redirect_uri%3Dhttps://192.168.113.112/login&chainedauthMethods
=%5B%7B%212chainedAuthmethods%212:%5B%7B%22authMethoId%22:15,%212a
uthMethodOrder%22:13%7D%5D%7D,%7B%22chainedAuthmethods%22:%5B%7B%
22authMethoId%22:3,%22authMethodOrder%22:1%7D%5D%7D%5D&ttl=28800

Capture vRealize Log Insight Target URL for VMware Identity Manager

7. URL highlighted in red is our Target URL for vRealize Log Insight. Follow the same process as vRealize Automation App and publish vRealize Log Insight for users using the vRealize Log Insight Target URL.

8. Now the users should be able to launch vRealize Log Insight App from vIDM User Portal & Authenticate using vIDM Single Sign-On.

vRealize Operations Manager:

1. For vRealize Operations Manager we need to follow the process similar to vRealize Log Insight. Configure vIDM as Authentication Source, Grant permissions to vIDM Users/Groups in vROps & obtain the Target URL.

2. Login to vRealize Operations Manager as an Admin user. Click on Administration and Under Authentication Sources click Add. Select Source Type as VMware Identity Manager and enter the details of your vIDM Appliance.

Configure VMware Identity Manager as Authentication Source in vRealize Operations Manager

3. Provide access to VMware Identity Manager Users/Groups by Importing them in Administration section under Access > Access Control > User Accounts and User Groups.

Import Users/Groups from VMware Identity Manager for Access Control in vRealize Operations Manager

4. In order to obtain the Target URL, logout from vRealize Operations Manager & logout from vIDM and select System Domain.

5. Open vRealize Operations Manager in a new Tab, select VMware Identity Manager from the Drop-down and click REDIRECT.

vRealize Operations Manager Target URL for VMware Identity Manager

6. You’ll be redirected to VMware Identity Manager for login. Copy the URL from the Address Bar of the browser. The URL will look something like:

https://idm01.mydomain.lab/SAAS/auth/login?dest=https://idm01.mydomain.lab/SAAS/auth/oauth2/authorize?response_type%3Dcode%26client_id%3D0246fe54-d0a5-42ff-b3c1-f3d144b64519%26redirect_uri%3Dhttps://10.11.12.13/ui/vidmClient/vidm/&chainedauthMethods=%5B%7B%22chainedAuthmethods%22:%5B%7B%22authMethoId%22:15,%22authMethodOrder%22:13%7D%5D%7D,%7B%22chainedAuthmethods%22:%5B%7B%22authMethoId%22:3,%22authMethodOrder%22:1%7D%5D%7D%5D&ttl=28800

We are only interested in the Client ID (the client_id value, highlighted in red in the above link). Note that the %3D in the captured URL is just the URL-encoded “=” sign and is not part of the ID.

Capture VMware Identity Manager Client ID for vRealize Operations Manager

7. Replace the details of the below URL (the client_id captured in step 6 and the redirect_uri from the same captured URL) with your environment details and you’ll get the Target URL for vRealize Operations Manager.

https://idm01.mydomain.lab/SAAS/auth/oauth2/authorize?response_type=code&client_id=0246fe54-d0a5-42ff-b3c1-f3d144b64519&redirect_uri=https://idm_ip_address/ui/vidmClient/vidm/
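Picking the Client ID and redirect URI out of the captured login URL by hand is error-prone (the nested authorize URL is percent-encoded a second time, so “=” shows up as %3D). The helper below is an added example, not code from the original post: it decodes the dest parameter of the URL copied in step 6, returns the full authorize URL (the vRealize Log Insight style Target URL from the earlier section) and rebuilds the minimal one used for vRealize Operations Manager. Host names, the client_id and the IP address in the sample come from the post’s own screenshots; the chainedauthMethods parameter is left out of the sample for brevity.

```powershell
# Added example (not from the original post): derive the vIDM Target URL from the
# login URL copied out of the browser address bar. Sample values are the post's
# own placeholders (idm01.mydomain.lab, 10.11.12.13, client_id 0246fe54-...).

function ConvertFrom-QueryString {
    param([Parameter(Mandatory)][string]$Query)
    $table = @{}
    foreach ($pair in ($Query.TrimStart('?') -split '&')) {
        if (-not $pair) { continue }
        $name, $value = $pair -split '=', 2
        # UnescapeDataString turns %3D / %26 back into "=" and "&" for the nested query
        $table[[System.Uri]::UnescapeDataString($name)] = [System.Uri]::UnescapeDataString("$value")
    }
    return $table
}

function Get-VidmTargetUrl {
    param([Parameter(Mandatory)][string]$CapturedUrl)

    # Outer query of the /SAAS/auth/login URL: dest=..., chainedauthMethods=..., ttl=...
    $outerQuery = ($CapturedUrl -split '\?', 2)[1]
    if (-not $outerQuery) { throw "Captured URL has no query string" }
    $outer = ConvertFrom-QueryString -Query $outerQuery
    if (-not $outer.ContainsKey('dest')) { throw "Captured URL has no 'dest' parameter" }

    # 'dest' is the OAuth2 authorize URL the app redirected the browser to.
    # Used as-is, this is the Target URL for vRealize Log Insight.
    $authorizeUrl = $outer['dest']
    $base, $innerQuery = $authorizeUrl -split '\?', 2
    if (-not $innerQuery) { throw "Authorize URL has no query string" }
    $inner = ConvertFrom-QueryString -Query $innerQuery
    foreach ($required in 'client_id', 'redirect_uri') {
        if (-not $inner.ContainsKey($required)) { throw "Authorize URL is missing '$required'" }
    }

    # Minimal authorize URL (the vRealize Operations Manager style Target URL).
    # redirect_uri must stay exactly what the app registered in vIDM for this
    # client_id; vIDM will not redirect the code anywhere else.
    [pscustomobject]@{
        ClientId     = $inner['client_id']
        RedirectUri  = $inner['redirect_uri']
        AuthorizeUrl = $authorizeUrl
        TargetUrl    = '{0}?response_type=code&client_id={1}&redirect_uri={2}' -f $base, $inner['client_id'], $inner['redirect_uri']
    }
}

# Constructed sample: the vROps login URL from step 6 on one line, chainedauthMethods omitted
$captured = 'https://idm01.mydomain.lab/SAAS/auth/login?dest=https://idm01.mydomain.lab/SAAS/auth/oauth2/authorize?response_type%3Dcode%26client_id%3D0246fe54-d0a5-42ff-b3c1-f3d144b64519%26redirect_uri%3Dhttps://10.11.12.13/ui/vidmClient/vidm/&ttl=28800'
Get-VidmTargetUrl -CapturedUrl $captured | Format-List
```

For the sample above TargetUrl comes out as https://idm01.mydomain.lab/SAAS/auth/oauth2/authorize?response_type=code&client_id=0246fe54-d0a5-42ff-b3c1-f3d144b64519&redirect_uri=https://10.11.12.13/ui/vidmClient/vidm/, i.e. the same shape as the URL in step 7.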

8. Follow the same process as for the vRealize Automation App and publish the vRealize Operations Manager App for users using the vRealize Operations Manager Target URL.

9. Now the users should be able to launch the vRealize Operations Manager App from the vIDM User Portal and authenticate using vIDM Single Sign-On.

vRealize Suite Lifecycle Manager:

1. For vRealize Suite Lifecycle Manager the process is fairly easy. We just need to give users access to vRSLCM under Identity and Tenant Management and publish the Target URL.

2. Login to vRealize Suite Lifecycle Manager as an Admin user. Click on Identity and Tenant Management.

Identity and Tenant Management in vRealize Suite Lifecycle Manager

3. In the Directory Management section, click on Directories, then click Add Directory and select Active Directory over LDAP.

Add Active Directory in vRealize Suite Lifecycle Manager

4. The process of adding the Active Directory is the same as in vRealize Automation 7.X.

Active Directory over LDAP configuration in vRealize Suite Lifecycle Manager

5. Once Active Directory has been configured, grant the relevant permissions to Users/Groups under the User Management section.

User Management in vRealize Suite Lifecycle Manager

6. Replace the details of the below URL with your environment details and you’ll get the Target URL for vRealize Suite Lifecycle Manager.

http://lcm01.mydomain.lab/lcm/login/vidm

7. The process of publishing the vRealize Suite Lifecycle Manager App for users using the vRealize Suite Lifecycle Manager Target URL remains the same.

Note: The current versions of vCenter Server do not support VMware Identity Manager as an Identity Provider. NSX-T does support Single Sign-On configuration using vIDM.
For more details on integrating NSX-T with IDM, check out this blog.

The final catalog of your VMware Identity Manager will have Web Apps for all 4 vRealize Suite Components. Enjoy!!

VMware Identity Manager Single Sign-On User Catalog

vRealize Automation Managed VMs Report with Machine Owner’s ID


We were working on a requirement last week to pull a report of all vRealize Automation Managed Machines using PowervRA Module version 3.7.0, which supports vRealize Automation 7.6. While generating the report using a PowerShell script we noticed that the output only showed the name of the Machine Owner instead of the Owner’s ID.

We then started digging into the function Get-vRAResource of the PowervRA Module and noticed that the API method used by Get-vRAResource is /catalog-service/api/consumer/resourceViews.

vRealize Automation API Method used by function Get-vRAResource in PowervRA

After checking the vRealize Automation Catalog Service API 7.6 documentation we realized that this method has been deprecated since vRealize Automation 7.5 and that it is similar to the /catalog-service/api/consumer/resources method.

Method /api/consumer/resourceViews has been deprecated since version 7.5

We used our good old API platform Postman to do a side-by-side comparison of the vRA API methods /catalog-service/api/consumer/resourceViews and /catalog-service/api/consumer/resources. If you look at the output of both methods closely, you’ll notice that the resourceViews method returns only the Name of the Owner, whereas the resources method returns an owners array whose elements carry tenantName, ref, type and value, out of which ref is the Machine Owner’s ID.

Side-by-Side Comparison of API Methods /api/consumer/resourceViews and /api/consumer/resources using Postman

Armed with all that information we prepared our script: it pulls the resource information of all vRA Managed Machines using the PowervRA function Get-vRAResource, then calls the vRealize Automation API method /catalog-service/api/consumer/resources/{ResourceID} for each resource to get the Machine Owner’s ID, and finally generates the vRA Managed VMs report with the Owner’s ID.

Script:

Set-ExecutionPolicy RemoteSigned

$cred = Get-Credential
$vRAFQDN = "vRA_FQDN"
$vRATenant = "TenantName"

#Connecting to vRA Server using PowervRA 3.7.0 Module
Connect-vRAServer -Server $vRAFQDN -Tenant $vRATenant -Username $cred.UserName -Password $cred.Password -IgnoreCertRequirements

#Fetching List of vRealize Automation Managed Virtual Machines
$filter = Get-vRAResource | where {$_.ResourceType -eq "Infrastructure.Virtual"}
$date = Get-Date -Format "yyyy-MM-dd-hh-mm-tt"
$print =  $filter | Select Data,Owners,ResourceId
#Owners may hold more than one name, so it is joined into a single CSV-friendly string
$output = $print | Select @{Name="VMName";Expression={$_.Data.MachineName}}, @{Name="BusinessGroup";Expression={$_.Data.MachineGroupName}},`
@{Name="Owner";Expression={$_.Owners -join ";"}}, @{Name="OwnersID";Expression={""}}, @{Name="ResourceID";Expression={$_.ResourceId}}, @{Name="ReservationName";Expression={$_.Data.MachineReservationName}},`
@{Name="vCPUs";Expression={$_.Data.MachineCPU}}, @{Name="Memory (MB)";Expression={$_.Data.MachineMemory}}, @{Name="Storage (GB)";Expression={$_.Data.MachineStorage}}

$output = $output | where {$_.VMName -ne $null}

$output | ft -AutoSize -Wrap

#Direct REST calls below: certificate validation is skipped to match -IgnoreCertRequirements above.
#Remove the callback line if your vRA certificate is trusted by this machine.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True }
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$headers.Add('Accept','application/json')
$headers.Add('Content-Type','application/json')

#The identity API expects the plain-text password, so the SecureString is decoded only for this request body
$Body = @{
    username = $cred.UserName
    password = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto([System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($cred.Password))
    tenant = $vRATenant
} | ConvertTo-Json

#Generating API Bearer Token for vRA Login
$url = "https://" + $vRAFQDN
$tokenurl = $url + "/identity/api/tokens"
$token = Invoke-RestMethod -Method Post -Uri $tokenurl -Body $Body -Headers $headers -Verbose
$token = $token.id
$headers.Add('Authorization',"Bearer $token")

#Get Machine Owner's ID for each Managed Machine
#(an array keeps the rows in the original order; the .Values of a hashtable are not ordered)
$report = @()
foreach ($item in $output)
{
    $owneridurl = $url + "/catalog-service/api/consumer/resources/" + $item.ResourceID
    $ownersId = Invoke-RestMethod -Method Get -Headers $headers -uri $owneridurl -Verbose
    #owners is an array of {tenantName, ref, type, value}; ref is the Owner's ID
    $item.OwnersID = ($ownersId.owners.ref -join ";")
    $report += $item
}

$report | FT -AutoSize -Wrap

$report | Export-Csv C:\Users\Administrator\Desktop\vRAManagedMachineReport-$date.csv -NoTypeInformation

Output:

Sample Output

Just replace the vRA_FQDN and TenantName with the details of your vRA environment and supply the output file path to generate the report.

Happy Scripting!!

Two-Factor Authentication for vRealize Automation


In vRealize Automation 7.X, VMware Identity Manager (vIDM) is embedded in the vRealize Automation Appliance. Even though the vIDM UI is disabled, we can still use the capability of vRealize Automation to authenticate against a RADIUS server. There is a very informative VMware blog on Configuring vRA 7 for 2 Factor Authentication posted by Jon Schulman back in February 2016, but a few things have changed since then.

I had to configure Two-Factor Authentication for one of the customers, and this was when I realized that a few modifications are required to configure Two-Factor Authentication in vRA. As a brief overview: we will use an Ubuntu machine on which we install Google Authenticator and a RADIUS server. The Ubuntu machine will integrate with Active Directory for authentication, and we will then configure vRealize Automation to use the RADIUSAuthAdapter to authenticate users with “AD Password + Google Authenticator Passcode”.

Configuring Two-Factor Authentication:

Pre-requisites:

1. 1 Ubuntu 18.04.3 VM
2. VM should have minimum of 2 vCPUs and 4 GB RAM
3. Active Directory
4. vRealize Automation 7.X
5. DNS Record for Ubuntu Machine

1. Configure Ubuntu Machine:

I am using an Ubuntu VM of 2 vCPUs, 4 GB Memory and 20 GB HDD for this Demo.

Patch/Update the Ubuntu machine and Install open-vm-tools using the below commands:

sudo apt-get update
sudo apt-get dist-upgrade
sudo apt-get install open-vm-tools

Install NTP and OpenSSH server on the Ubuntu machine using the below commands:

sudo apt-get install ntp
sudo apt-get install openssh-server

Now would be a good time to verify DNS resolution for Active Directory and vRealize Automation.

Download and install the latest PowerBroker Identity Services package (pbis-open-9.1.0.551.linux.x86_64.deb.sh) from the BeyondTrust GitHub repo:

sudo ./Desktop/pbis-open-9.1.0.551.linux.x86_64.deb.sh

Once PowerBroker Identity Services has been installed, there is one more thing that we need to do before we add the Ubuntu machine to Active Directory: we need to uninstall the Avahi daemon:

sudo apt-get remove avahi-daemon

Now we can add our Ubuntu machine to Active Directory using the below command:

sudo /opt/pbis/bin/domainjoin-cli join vmlab.local administrator@vmlab.local

After you have successfully joined the system to Active Directory, login to Active Directory and verify that the Computer Object has been created.

Reboot your Ubuntu machine. Once the machine has restarted, you should be able to log in to it using Active Directory credentials.

Now we will set up the Default Domain, Login Shell, Home Directory and Shortname (domain prefix) for our Active Directory domain on the Ubuntu server by running the below commands:

sudo /opt/pbis/bin/config AssumeDefaultDomain true
sudo /opt/pbis/bin/config LoginShellTemplate /bin/bash
sudo /opt/pbis/bin/config HomeDirTemplate %H/%U
sudo /opt/pbis/bin/config UserDomainPrefix VMLAB

Now we need to add the below lines to the /usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf file to allow users to log in to the Ubuntu machine with Active Directory credentials on the Ubuntu login screen:

sudo nano /usr/share/lightdm/lightdm.conf.d/50-ubuntu.conf

allow-guest=false
greeter-show-manual-login=true

Install the FreeRADIUS server on your Ubuntu machine using the below command:

sudo apt install freeradius

Edit the file /etc/freeradius/3.0/radiusd.conf and replace the below entries (the RADIUS daemon needs to run as root so that the PAM stack below can authenticate against the PBIS lsass service):

Replace:
user = freerad
group = freerad

With:
user = root
group = root

Run the below command to enable the PAM module:

sudo ln -sf /etc/freeradius/3.0/mods-available/pam /etc/freeradius/3.0/mods-enabled/pam

Comment out all the lines in the file /etc/pam.d/radiusd and add the below lines:

auth requisite pam_google_authenticator.so forward_pass
account required pam_lsass.so use_first_pass

Add the below entry to the file /etc/freeradius/3.0/users:

DEFAULT Auth-Type := PAM

Modify the file /etc/freeradius/3.0/clients.conf to make an entry for the vRealize Automation server on the Ubuntu machine:

client vra76.vmlab.local {
    ipaddr = 192.168.0.55
    secret = VMwar31!
    shortname = vra76
}

Edit the file /etc/freeradius/3.0/sites-enabled/default and uncomment pam in the authenticate section to enable Pluggable Authentication Modules:

Restart the FreeRADIUS service:

2. Install Google Authenticator:

Once your machine has been set up to authenticate using Active Directory, we will proceed with installing Google Authenticator and generating a Google Authenticator token, which is used to generate passcodes in the Google Authenticator mobile application:

Use the below command to install Google Authenticator:

sudo apt install libpam-google-authenticator

We can now begin enabling our Active Directory users to enrol in the Google Authenticator application on their mobile phones. Advise the users to log in to the respective app stores (Google Play Store and Apple’s App Store) to download and install the Google Authenticator app.

Assume the identity of the user you want to enable for login and run the command google-authenticator:

su demo@vmlab.local
google-authenticator

Type y to generate a time-based token; a QR code and Secret Key will be generated for the user. The user can scan the QR code with the Google Authenticator app or enter the Secret Key to import the token into the app:

Five Emergency Scratch codes are also generated for the user, to be used when the user wants to authenticate but does not have the mobile phone handy. These codes are one-time codes. Answer the remaining questions as per your environment. I would recommend answering the 3rd question with “yes”, as it allows the users to use a token for up to 4 minutes; otherwise each token expires within 30 seconds.

Google Authenticator doesn’t allow you to take a screenshot of an active token, hence the image; a successfully imported token in Google Authenticator looks like this:

3. Configure vRealize Automation to Authenticate using Radius:

Login to vRealize Automation with Tenant Administrator credentials and click on the Connector under the Directories Management section:

Click on Auth Adapters and then on RadiusAuthAdapter to enable RADIUS authentication.

Enable the Radius Adapter and enter the details of the Ubuntu machine. Set the Authentication Type to PAP, enter the number of attempts to the RADIUS server and the time-out values as per your requirement, and enter the shortname of your domain followed by a backslash “\”:

If you want to enable High Availability, you can set up another Ubuntu machine in a similar fashion, but for our demo we will not be enabling a Secondary server. Click on Save to save the settings and enable the Radius Auth Adapter. Enter the Passphrase hint to tell users to enter their Password followed by the Passcode.

Click on Network Ranges and create a new Network Range. All clients using IP addresses in this range will be required to authenticate using Password + Passcode (Two-Factor Authentication). If you are using a Distributed vRealize Automation Deployment, the Start and End IP Address of the Network Range should be the vRA Portal VIP:

Now the last step in the configuration is to set up a Policy Rule to enforce RADIUS authentication. Create a Policy Rule by selecting the newly created Network Range, select All Device Types to access the content from, select the Authentication method as Radius and click on OK.

Drag and drop the newly created Network Range to the top of the list and click Save to save the configuration:

Now when you attempt to log in to the vRealize Automation portal from a client with an IP address within the Network Range, you’ll be prompted with the new Passphrase hint:

In order to login to vRA portal, enter your Password followed by the Google Authenticator Passphrase:

BOOM!!, you have managed to configure Two-Factor Authentication for vRealize Automation.

Export vRealize Automation Network Profile’s IP Ranges


We received a request to export the details of the IP Ranges of vRealize Automation Network Profiles. We wrote a PowerShell script which uses the PowervRA (3.6.0) module to extract the details of the Network Ranges for each Network Profile.

Pre-requisites:

  • PowervRA 3.6.0
  • PowerShell 5.1 or later

Script:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$cred = Get-Credential
Connect-vRAServer -Server 'vRA_Server/Portal_Address' -Username $cred.UserName -Password $cred.Password -Tenant 'Tenant_Name' -IgnoreCertRequirements

#External network profiles with their defined ranges
$netids = Get-vRAExternalNetworkProfile
$out = @()
foreach ($netid in $netids)
{
#A profile can have several ranges; joining them keeps Export-Csv from writing "System.Object[]"
$print = $netid | Select @{Name="Name";Expression={$_.Name}}, @{Name="SubnetMask";Expression={$_.SubnetMask}},`
@{Name="BeginIPv4Address";Expression={$_.DefinedRanges.beginIPv4Address -join ";"}},`
@{Name="EndIPv4Address";Expression={$_.DefinedRanges.endIPv4Address -join ";"}}
$out = $out + $print
}

$out | Export-Csv C:\Users\Administrator\vRANetProfileRanges.csv -NoTypeInformation
Disconnect-vRAServer -Confirm:$false

Output:

output

Just replace the vRA_Server/Portal_Address and Tenant_Name with the details of your vRA environment and supply the output file path.

Happy Scripting!!


Export vRealize Automation Business Group Details

We received a requirement to export the details of vRealize Automation Business Groups, more specifically to extract the Business Group IDs, which is a very time-consuming task if you have a large number of Business Groups in your environment. I wrote a PowerShell script which uses the PowervRA (3.6.0) module to extract the details of the Business Groups.

Requirements:

  • PowervRA 3.6.0
  • PowerShell 5.1 or later

Script:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$cred = Get-Credential
Connect-vRAServer -Server 'vRA_Server/Portal_Address' -Username $cred.UserName -Password $cred.Password -Tenant 'Tenant_Name' -IgnoreCertRequirements
#Name, ID and Description of every Business Group in the tenant
$bgdetails = Get-vRABusinessGroup | Select Name, ID, Description
$bgdetails | Export-Csv C:\Users\Administrator\Desktop\BGDetails.csv -NoTypeInformation
Disconnect-vRAServer -Confirm:$false

Just replace the vRA_Server/Portal_Address and Tenant_Name with the details of your vRA environment and supply the output file path.

Happy Scripting!!