Installation and Configuration
vCloud Automation Center 6.0

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.

EN-001315-04


You can find the most up-to-date technical documentation on the VMware Web site at:

http://www.vmware.com/support/

The VMware Web site also provides the latest product updates.

If you have comments about this documentation, submit your feedback to:

[email protected]

Copyright © 2008–2014 VMware, Inc. All rights reserved. Copyright and trademark information.

VMware, Inc.
3401 Hillview Ave.
Palo Alto, CA 94304
www.vmware.com

Contents

vCloud Automation Center Installation and Configuration

Updated Information

1 Installation Overview
    Installation Components
    VMware Identity Appliance
    VMware vCloud Automation Center Appliance
    VMware Infrastructure as a Service
    Order of Installation
    Choosing a Deployment Path
    Minimal Installation Overview
    Performing a Minimal Installation
    Distributed Installation Overview
    Performing a Distributed Installation

2 Preparing for Installation
    DNS and Host Name Resolution
    Hardware and Virtual Machine Requirements
    Browser Considerations
    PostgreSQL Database Requirements
    Windows Server Requirements
    IaaS Database Server Requirements
    IaaS (Windows Server) Requirements
    IaaS Manager Service
    Distributed Execution Manager Requirements
    Port Requirements
    Users and Credentials Required for Installation
    Security
    Certificates
    Security Passphrase
    Third-Party Software
    Time Synchronization

3 Minimal Installation
    Deploy and Configure the Identity Appliance
    Deploy the Identity Appliance
    Enable Time Synchronization on the Identity Appliance
    Configure the Identity Appliance
    Deploy and Configure the vCloud Automation Center Appliance
    Deploy the vCloud Automation Center Appliance
    Enable Time Synchronization on the vCloud Automation Center Appliance
    Configure the vCloud Automation Center Appliance
    Installing IaaS Components
    Enable Time Synchronization on the Windows Server
    IaaS Certificates
    Install the Infrastructure Components

4 Distributed Installation
    Distributed Installation Components
    Distributed Installation Architecture
    Distributed Installation Scenario
    Create an External PostgreSQL Database
    Deploy and Configure the Identity Appliance
    Deploy the Identity Appliance
    Enable Time Synchronization on the Identity Appliance
    Configure the Identity Appliance
    Deploy and Configure the Primary vCloud Automation Center Appliance
    Deploy the vCloud Automation Center Appliance
    Configure the vCloud Automation Center Appliance for Clustering
    Enable Time Synchronization on the vCloud Automation Center Appliance
    Configure an External PostgreSQL Database on the vCloud Automation Center Appliance
    Configure the vCloud Automation Center Appliance
    Configure the vCloud Automation Center Appliance Load Balancer Certificate
    Deploy and Configure Additional vCloud Automation Center Appliances
    Deploy the vCloud Automation Center Appliance
    Enable Time Synchronization on the vCloud Automation Center Appliance
    Configure Additional vCloud Automation Center Appliances
    Disable Unused Services
    Validate the Distributed Installation
    Choosing an IaaS Database Scenario
    Create the IaaS Database Manually
    Prepare an Empty Database
    IaaS Certificates
    Install the IaaS Components in a Distributed Configuration
    Download the IaaS Installer
    Create the IaaS Database Using the Installation Wizard
    Install the IaaS Website Component and Model Manager Data
    Install the Manager Service
    Installing Distributed Execution Managers
    Install the Distributed Execution Managers
    Configure the DEM to Connect to SCVMM on a Nonstandard Installation Path
    Perform Virtual Provisioning on SCVMM

5 Post-Installation Tasks
    Verify IaaS Services
    Provide the Infrastructure License
    Updating Certificates
    Updating the Identity Appliance Certificate
    Updating the vCloud Automation Center Appliance Certificate
    Updating the IaaS Certificate
    Configuring Windows Service to Access the IaaS Database
    Enable IaaS Database Access from the Service User
    Configure the Windows Services Account to Use SQL Authentication

6 Installing Agents
    Set the PowerShell Execution Policy to RemoteSigned
    Choosing the Agent Installation Scenario
    Agent Installation Location and Requirements
    Installing and Configuring the Proxy Agent for vSphere
    vSphere Agent Requirements
    Install the vSphere Agent
    Configure the vSphere Agent
    Installing the Proxy Agent for Hyper-V or XenServer
    Hyper-V and XenServer Requirements
    Install the Hyper-V or XenServer Agent
    Configure the Hyper-V or XenServer Agent
    Installing the VDI Agent for XenDesktop
    XenDesktop Requirements
    Set the XenServer Host Name
    Install the XenDesktop Agent
    Installing the EPI Agent for Citrix
    Citrix Provisioning Server Requirements
    Install the Citrix Agent
    Installing the EPI Agent for Visual Basic Scripting
    Visual Basic Scripting Requirements
    Install the Agent for Visual Basic Scripting
    Installing the WMI Agent for Remote WMI Requests
    Enable Remote WMI Requests on Windows Machines
    Install the WMI Agent

7 Troubleshooting
    Log Locations
    Create a Support Bundle
    Installers Fail to Download
    Failed to Install Model Manager Data and Web Components
    Save Settings Warning Appears During IaaS Installation
    Rolling Back a Failed Installation
    Roll Back a Minimal Installation
    Roll Back a Distributed Installation
    Server Times Are Not Synchronized
    Encryption.key File has Incorrect Permissions
    Cannot Access https://vcac-va-hostname/shell-ui-app
    Error Communicating to the Remote Server
    Blank Pages when Using Internet Explorer 9 or 10 on Windows 7
    Cannot Establish Trust Relationship for the SSL/TLS Secure Channel
    SSO Configuration Fails for vCloud Automation Center Appliance
    Cannot Log in to a Tenant or Tenant Identity Stores Disappear

8 Configuring Tenants
    Tenancy Overview
    User and Group Management
    Comparison of Single-Tenant and Multitenant Deployments
    Configure the Default Tenant
    Configure Identity Stores for the Default Tenant
    Appoint Administrators
    Create and Configure a Tenant
    Specify Tenant Information
    Configure Identity Stores
    Appoint Administrators

Index

vCloud Automation Center Installation and Configuration

The vCloud Automation Center Installation and Configuration explains how to install and configure VMware vCloud® Automation Center™.

Upgrades from earlier versions of vCloud Automation Center are not currently supported in version 6.0. Upgrade capability will be available in a future version.

NOTE Not all features and capabilities of vCloud Automation Center are available in all editions. For a comparison of feature sets in each edition, see https://www.vmware.com/products/vcloud-automation-center/.

Intended Audience

This information is intended for experienced Windows or Linux system administrators who are familiar with virtual machine technology and datacenter operations.

VMware Technical Publications Glossary

VMware Technical Publications provides a glossary of terms that might be unfamiliar to you. For definitions of terms as they are used in VMware technical documentation, go to http://www.vmware.com/support/pubs.


Updated Information

This Installation and Configuration guide for vCloud Automation Center is updated with each release of the product or when necessary.

This table provides the update history of the Installation and Configuration guide.

Revision: EN-001315-04

- New troubleshooting guidance if you cannot log in to a tenant or tenant identity stores disappear. See “Cannot Log in to a Tenant or Tenant Identity Stores Disappear,” on page 115.
- Updates to “IaaS (Windows Server) Requirements,” on page 21 to provide guidance for IIS authentication settings when using SHA512 with certificates in a Windows 2012 environment.

Revision: EN-001315-03

New information about “Browser Considerations,” on page 20 to reflect single session requirements.

Revision: EN-001315-02

- Edits to the topic “Port Requirements,” on page 24.
- Updates to information about using certificates with vCloud Automation Center in these topics:
  - “Configure the Identity Appliance,” on page 31 for minimal installations
  - “Configure the Identity Appliance,” on page 50 for distributed installations
  - “Configure the vCloud Automation Center Appliance,” on page 35 for minimal installations
  - “Configure the vCloud Automation Center Appliance,” on page 55 for distributed installations
  - “Update the Certificate in Internet Information Services,” on page 85
- New information about configuring the vCloud Automation Center Appliance when using load balancers and additional cross references in the topic “Configure the vCloud Automation Center Appliance,” on page 35 for distributed installations.
- Clarification of instructions for downloading the IaaS installer in the topic “Download the IaaS Installer,” on page 39.
- Enhanced instructions on specifying disk formatting information in the topic “Deploy the vCloud Automation Center Appliance,” on page 59.
- Correction to the path for monitoring service start up, enhanced information on specifying load balancer names, and removal of note about restrictions on SSO instances, which is no longer valid, in the topic “Configure the vCloud Automation Center Appliance,” on page 55 for distributed installations.
- Addition of information for load balancers in the topic “Install the IaaS Components in a Distributed Configuration,” on page 65.
- A new section on working with certificates when a host name is changed in the topic “Updating Certificates,” on page 78.
- Corrected permission name for swap placement in the topic “vSphere Agent Requirements,” on page 91.
- Updated information on installing the Model Manager component in a load balanced environment in the topic “Install the IaaS Website Component and Model Manager Data,” on page 68.

Revision: EN-001315-00

Initial release.


1 Installation Overview

There are three primary components to vCloud Automation Center: an identity server, which provides authentication services; the vCloud Automation Center Appliance, which provides administration and self-service capabilities; and the Infrastructure as a Service (IaaS) Windows Server, which supports cross-product infrastructure capabilities.

After installation, system administrators can customize the installation environment and configure one or more tenants, which sets up access to out-of-the-box self-service provisioning and life cycle management of cloud services.

By using the secure portal web interface, administrators, developers, or business users can request IT services and manage specific cloud and IT resources based on their roles and privileges. Users can request infrastructure, applications, desktops, and virtually any type of IT service through a common service catalog.

This chapter includes the following topics:

- “Installation Components,” on page 11
- “Order of Installation,” on page 14
- “Choosing a Deployment Path,” on page 14

Installation Components

A vCloud Automation Center installation includes installing and configuring Single Sign-on (SSO) capabilities, the user interface portal, and Infrastructure as a Service (IaaS) components.

NOTE You can use the SSO provided with vCloud Automation Center or some versions of the SSO provided with vSphere. For information on supported versions see the vCloud Automation Center Support Matrix.

An installation consists of the following components.

- VMware Identity Appliance on page 12
  The VMware Identity Appliance is a preconfigured virtual appliance that provides Single Sign-On (SSO) capabilities for the vCloud Automation Center environment.

- VMware vCloud Automation Center Appliance on page 12
  The vCloud Automation Center Appliance is a pre-configured virtual appliance that deploys the vCloud Automation Center server. The vCloud Automation Center Appliance is delivered as an open virtualization format (OVF) template. The system administrator deploys the virtual appliance into the existing virtualized infrastructure.


- VMware Infrastructure as a Service on page 12
  Infrastructure as a Service (IaaS) enables the rapid modeling and provisioning of servers and desktops across virtual and physical, private and public, or hybrid cloud infrastructure.

VMware Identity Appliance

The VMware Identity Appliance is a preconfigured virtual appliance that provides Single Sign-On (SSO) capabilities for the vCloud Automation Center environment.

NOTE You can use the VMware Identity Appliance SSO provided with vCloud Automation Center or some versions of the SSO provided with vSphere. For information on supported versions see the vCloud Automation Center Support Matrix.

The VMware Identity Appliance is delivered as an open virtualization format (OVF) template. The system administrator deploys the virtual appliance into the existing virtualization infrastructure.

SSO is an authentication broker and security token exchange that interacts with the enterprise identity store (Active Directory or LDAP) to authenticate users. A system administrator configures SSO settings to provide access to the VMware Identity Appliance console.

VMware vCloud Automation Center Appliance

The vCloud Automation Center Appliance is a pre-configured virtual appliance that deploys the vCloud Automation Center server. The vCloud Automation Center Appliance is delivered as an open virtualization format (OVF) template. The system administrator deploys the virtual appliance into the existing virtualized infrastructure.

The server includes the vCloud Automation Center Appliance console, which provides a single portal for self-service provisioning and management of cloud services, as well as authoring, administration, and governance.

VMware Infrastructure as a Service

Infrastructure as a Service (IaaS) enables the rapid modeling and provisioning of servers and desktops across virtual and physical, private and public, or hybrid cloud infrastructure.

The system administrator installs IaaS components onto a Windows machine (virtual or physical). IaaS capabilities are then available from the Infrastructure tab on the user interface console. IaaS has several components that can be installed in a custom configuration to meet the needs of your organization.

IaaS Website

The IaaS website component provides the infrastructure administration and service authoring capabilities to the vCloud Automation Center console. The Website component communicates with the Model Manager, which provides it with updates from the Distributed Execution Manager (DEM), proxy agents and database.

Model Manager

vCloud Automation Center models facilitate integration with external systems and databases. They implement business logic that is executed by a Distributed Execution Manager.

The Model Manager provides services and utilities for persisting, versioning, securing, and distributing model elements. It communicates with the database, the DEMs, and the console web site.


Manager Service

The Manager Service coordinates communication between DEMs, agents, and the database. The Manager Service communicates with the console web site through the Model Manager. This service requires administrative privileges to run.

Database

The IaaS component of vCloud Automation Center uses a Microsoft SQL Server database to maintain information about the machines it manages and its own elements and policies. Typically, a system administrator creates the database during installation.

Distributed Execution Managers

A Distributed Execution Manager (DEM) executes the business logic of custom models, interacting with the database and with external databases and systems as required. DEMs also manage cloud and physical machines.

Each DEM instance performs one of two roles: Worker or Orchestrator. The Worker role is responsible for executing workflows. The Orchestrator role is responsible for monitoring DEM Worker instances, pre-processing workflows for execution, and scheduling workflows.

The DEM Orchestrator performs these tasks.

- Monitors the status of DEM Workers and ensures that if a Worker instance stops or loses its connection to the Model Manager, its workflows are put back in the queue for another DEM Worker to pick up.
- Manages scheduled workflows by creating new workflow instances at the scheduled time.
- Ensures that only one instance of a particular scheduled workflow is running at a given time.
- Pre-processes workflows before execution, including checking preconditions for workflows (used in the implementation of the “RunOneOnly” feature) and creating the workflow execution history.

Exactly one DEM Orchestrator instance is designated as the active Orchestrator that performs these tasks. Since the DEM Orchestrator is essential for the execution of workflows, it is recommended that you install at least one additional Orchestrator instance on a separate machine for redundancy. The additional DEM Orchestrator monitors the status of the active Orchestrator so that it can take over if the active Orchestrator goes offline.

Agents

vCloud Automation Center uses agents to integrate with external systems. The vSphere agent can be installed as part of a minimal installation. Additional agents can be installed as needed.

Virtualization Proxy Agents

The virtual machines that are managed by vCloud Automation Center are created on virtualization hosts. vCloud Automation Center uses virtualization proxy agents to send commands to and collect data from ESX Server, XenServer, and Hyper-V virtualization hosts and the virtual machines provisioned on them. A proxy agent has three characteristics.

- Typically requires administrator-level access to the virtualization platform it manages
- Communicates with the Manager Service
- Is installed separately with its own configuration file


Integration Agents

Virtual desktop integration (VDI) PowerShell agents allow vCloud Automation Center to integrate with external virtual desktop systems. Currently, virtual machines provisioned by vCloud Automation Center can be registered with XenDesktop on a Citrix Desktop Delivery Controller (DDC) and their owners can access the XenDesktop Web Interface from vCloud Automation Center.

External provisioning integration (EPI) PowerShell agents allow vCloud Automation Center to integrate external systems into the machine provisioning process. For example, integration with Citrix Provisioning Server enables provisioning of machines by on-demand disk streaming, and an EPI agent allows you to run Visual Basic scripts as extra steps during the provisioning process.

VDI and EPI agents require administrator-level access to the external systems with which they interact.

WMI Agent

The vCloud Automation Center Windows Management Instrumentation (WMI) agent enhances your ability to monitor and control system information and allows you to manage remote servers from a central location. It enables the collection of data from Windows machines that are managed by vCloud Automation Center.

Order of Installation

The system administrator installs three vCloud Automation Center components in a prescribed order.

1 VMware Identity Appliance or vSphere SSO

2 vCloud Automation Center Appliance

3 vCloud Automation Center infrastructure components

Choosing a Deployment Path

The installation consists of several independent components. The system administrator can install them together in a minimal installation or distribute them over separate servers in a custom installation.

The VMware vCloud Automation Center Reference Architecture, available as a technical paper from http://www.vmware.com/resources/techresources/, provides important information to help you plan your deployment, including considerations around scalability and high availability, and profiles for small, medium, and large deployments.

You can deploy vCloud Automation Center in the following basic configurations.

Minimal installation

    A minimal installation deploys a single instance of each virtual appliance and installs all IaaS components on a single machine. The databases can be installed on the same machine or on a dedicated SQL Server machine.

    A minimal installation is appropriate for development environments or proof-of-concepts. It is not suitable for a production environment.

    For more information, see Chapter 3, “Minimal Installation,” on page 29.

Distributed installation

    A distributed installation allows you to design the topology best suited to your organization's needs. Components can be distributed over multiple servers to provide failover capability and redundancy.

    For more information, see Chapter 4, “Distributed Installation,” on page 43.


Minimal Installation Overview

To complete a minimal installation, the system administrator installs three independent components.

The following components make up a minimal vCloud Automation Center installation.

- VMware Identity Appliance, which supports Single Sign-On capabilities. It is installed as a virtual appliance.
- vCloud Automation Center, which includes the web console interface. It is installed as a virtual appliance. By default, the PostgreSQL database installed on this machine is used.
- Infrastructure as a Service (IaaS), which is installed on a Windows Server machine.

The IaaS database can be installed on the same machine as IaaS or on its own server.

Performing a Minimal Installation

The following list provides a high-level overview of the tasks required to complete a minimal installation.

1 Prepare the installation environment and ensure that all installation prerequisites are met. See Chapter 2, “Preparing for Installation,” on page 19.

2 Install the vCloud Automation Center components, beginning with the Identity Appliance, followed by the vCloud Automation Center Appliance and the IaaS components on a single Windows server. See Chapter 3, “Minimal Installation,” on page 29.

3 Perform any post-installation configuration, such as entering the IaaS license and updating certificates. See Chapter 5, “Post-Installation Tasks,” on page 77.

4 The complete installation for IaaS includes an option to install a vSphere agent. You can install additional agents if required. See Chapter 6, “Installing Agents,” on page 89.

5 Configure one or more tenants to appoint administrators and enable users to log in. See Chapter 8, “Configuring Tenants,” on page 117.


Distributed Installation Overview

The system administrator can deploy and install multiple instances of the vCloud Automation Center appliances and individual IaaS components.

In this sample architecture, the IaaS components are highly distributed over multiple machines. In practice, the system administrator chooses a distribution architecture that is compatible with the company's environment and goals for scale, redundancy, high availability, and disaster recovery.

Load balancers distribute the workload across the computing environment. System administrators configure load balancers outside of the vCloud Automation Center framework.


See “Distributed Installation Scenario,” on page 46 for an explanation of each component.


Performing a Distributed Installation

A system administrator can deploy and install vCloud Automation Center in a minimal configuration or in a distributed (or custom) configuration. In a distributed installation, multiple instances of the vCloud Automation Center Appliance and IaaS components are deployed and installed, providing failover protection and high-availability through redundancy.

NOTE High-availability and failover protection for the Identity Appliance is handled outside of vCloud Automation Center. Use a vSphere HA-enabled cluster to protect the virtual appliance.

Follow these steps to complete a distributed installation.

1 Prepare the installation environment and ensure that all installation prerequisites are met. See Chapter 2, “Preparing for Installation,” on page 19.

2 Install the vCloud Automation Center components in a distributed configuration. See Chapter 4, “Distributed Installation,” on page 43.

3 Perform any post-installation configuration, such as entering the IaaS license and updating certificates. See Chapter 5, “Post-Installation Tasks,” on page 77.

4 Install agents if needed to integrate with external systems. See Chapter 6, “Installing Agents,” on page 89.

5 Configure one or more tenants to appoint administrators and enable users to log in. See Chapter 8, “Configuring Tenants,” on page 117.


2 Preparing for Installation

System Administrators install vCloud Automation Center into their existing virtualization environments. Before the installation begins, there are a number of preliminary steps that must be completed to prepare the deployment environment.

This chapter includes the following topics:

- “DNS and Host Name Resolution,” on page 19
- “Hardware and Virtual Machine Requirements,” on page 20
- “Browser Considerations,” on page 20
- “PostgreSQL Database Requirements,” on page 20
- “Windows Server Requirements,” on page 21
- “Port Requirements,” on page 24
- “Users and Credentials Required for Installation,” on page 26
- “Security,” on page 27
- “Time Synchronization,” on page 28

DNS and Host Name Resolution

vCloud Automation Center requires the system administrator to identify hosts using their fully qualified domain names (FQDN). For example, the FQDN for a VMware Identity Appliance might be sso-1-01a.corp.local:7444. Domain Name System (DNS) must be configured to resolve host names in your environment. System administrators can use the method of their choice.

NOTE vCloud Automation Center does not allow navigation to hosts that contain the underscore (_) character in the host name.
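A pre-flight check for the naming rules above, as an added example that is not part of the VMware guide: it validates each planned host entry as an FQDN, rejects underscores, and can optionally confirm that the name resolves. The function names and the sample inventory are assumptions made for illustration; only sso-1-01a.corp.local:7444 comes from the guide.

```python
import re
import socket

# One DNS label: letters, digits and hyphens, 1-63 characters,
# not starting or ending with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def split_host_port(entry):
    """Split 'host' or 'host:port' into (host, port); port is None if absent."""
    host, sep, port = entry.strip().partition(":")
    if sep and not port.isdigit():
        raise ValueError("invalid port in %r" % entry)
    return host, (int(port) if sep else None)


def check_fqdn(entry):
    """Return a list of problems with a host entry; an empty list means it passes."""
    try:
        host, port = split_host_port(entry)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if port is not None and not 1 <= port <= 65535:
        problems.append("port out of range")
    if "_" in host:
        # The guide's NOTE: hosts with an underscore cannot be navigated to.
        problems.append("host name contains an underscore (_)")
    labels = host.rstrip(".").split(".")
    if len(labels) < 2:
        problems.append("not fully qualified (no domain part)")
    elif labels[-1].isdigit():
        problems.append("looks like an IP address, not an FQDN")
    if len(host) > 253:
        problems.append("name longer than 253 characters")
    for label in labels:
        if "_" in label:
            continue  # already reported above
        if not _LABEL.match(label):
            problems.append("invalid label %r" % label)
    return problems


def resolves(host, resolver=socket.getaddrinfo):
    """True if the resolver returns at least one address for the host."""
    try:
        return bool(resolver(host, None))
    except OSError:  # socket.gaierror is a subclass of OSError
        return False


def preflight(entries, resolver=None):
    """Map each entry to its list of problems.

    DNS is only queried when a resolver is passed, so the syntax checks
    can run on a machine that is not yet on the deployment network.
    """
    report = {}
    for entry in entries:
        problems = check_fqdn(entry)
        if not problems and resolver is not None:
            host, _ = split_host_port(entry)
            if not resolves(host, resolver):
                problems.append("does not resolve in DNS")
        report[entry] = problems
    return report


# Constructed sample inventory; only the first entry appears in the guide.
SAMPLE_INVENTORY = [
    "sso-1-01a.corp.local:7444",
    "vcac_va.corp.local",
    "iaas-web",
    "10.0.0.15",
]

if __name__ == "__main__":
    for entry, problems in preflight(SAMPLE_INVENTORY).items():
        print(entry, "->", "OK" if not problems else "; ".join(problems))
```

Pass `resolver=socket.getaddrinfo` to `preflight` on a machine inside the deployment network to include the DNS lookup.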


Hardware and Virtual Machine RequirementsInstallation requires minimum system resources to install virtual appliances and minimum hardwarerequirements to install IaaS components on the Windows Server (a Windows virtual machine or physicalhost). A supported browser and deployment environment must be in place.

For operating system and high-level environment requirements, including information about supportedbrowsers and operating systems, see the vCloud Automation Center Support Matrix.

NOTE vCloud Automation Center 6.0 does not support Compatibility View mode for Internet Explorer 9 or10 on Windows 7 platforms. If you experience problems using Internet Explorer 10 (you cannot log in to theappliance management consoles or you get an error on the SSO tab) use the Developer Tools to set thebrowser mode to Internet Explorer 7.

The Hardware Requirements table shows the minimum configuration requirements for deployment of thevirtual appliances and installation of IaaS components. The appliances are pre-configured virtual machinesthat you add to your vCenter Server or ESXi inventory. The IaaS components are installed on a physical orvirtual Windows 2008 R2 SP1 or 2012 servers.

Table 2‑1. Hardware Requirements

| Identity Appliance | vCloud Automation Center Appliance | IaaS Components (Windows Server) |
| --- | --- | --- |
| 1 CPU, 2 GB memory, 2 GB disk storage | 2 CPUs, 8 GB memory, 30 GB disk storage | 2 CPUs, 8 GB memory, 30 GB disk storage |

Browser Considerations

Keep in mind vCloud Automation Center requirements when choosing a browser to use with vCloud Automation Center.

• vCloud Automation Center does not support Compatibility View mode for Internet Explorer 9 or 10 on Windows 7 platforms. If you are unable to log in to the appliance management consoles or you receive an error on the SSO tab when using Internet Explorer 9 or 10, use the Developer Tools to set the browser mode to Internet Explorer 7.

• Multiple browser windows and tabs are not supported. vCloud Automation Center supports one session per user.

For operating system and high-level environment requirements, including information about supported browsers and operating systems, see the vCloud Automation Center Support Matrix.

PostgreSQL Database Requirements

vCloud Automation Center appliances store data in a PostgreSQL database.

During deployment of the virtual appliances, the PostgreSQL database is created automatically on the first vCloud Automation Center Appliance. A system administrator can install the database on a separate server or on multiple servers to create a high-availability environment.

Consult the vCloud Automation Center Support Matrix on the VMware web site for information about supported versions of PostgreSQL.


Windows Server Requirements

The virtual or physical Windows machine that hosts the IaaS components must meet a number of configuration requirements for the IaaS database, the IaaS server, the IaaS Manager Service, and Distributed Execution Managers.

IaaS Database Server Requirements

Your environment must meet these general requirements that support the installation of the IaaS Database (SQL Server).

• TCP/IP protocol enabled for MS SQL Server

• Microsoft Distributed Transaction Coordinator Service (MS DTC) enabled on all SQL nodes in the system

• No firewalls between Database Server and the Web server or IaaS Server, or ports opened as described in “Port Requirements,” on page 24.

• If using SQL Server Express, the SQL Server Browser service must be running.

IaaS (Windows Server) Requirements

Your environment must meet software and configuration prerequisites that support installation of the IaaS server.

Table 2‑2. IaaS Requirements

| Area | Requirements |
| --- | --- |
| Prerequisite Server Configuration | The following components must be installed on the host before installing IaaS: Microsoft .NET Framework 4.5; Microsoft PowerShell 2.0 (included with Windows Server 2008 R2 SP1 and later) or Microsoft PowerShell 3.0 on Windows Server 2012; Microsoft Internet Information Services 7.5 (see Table 2-3) |
| Database Requirements | Microsoft SQL Server. The database can reside on the IaaS (Windows) server host or on a remote host. |


Table 2‑3. Required Configuration for Microsoft Internet Information Services

| IIS Component | Setting |
| --- | --- |
| Internet Information Services (IIS) modules installed | WindowsAuthentication; StaticContent; DefaultDocument; ASPNET; ISAPIExtensions; ISAPIFilter |
| IIS Authentication settings | Windows Authentication enabled; AnonymousAuthentication disabled; Negotiate Provider enabled; NTLM Provider enabled; Windows Authentication Kernel Mode enabled; Windows Authentication Extended Protection disabled; for certificates using SHA512, TLS1.2 disabled on Windows 2012 machines |
| IIS Windows Process Activation Service roles | ConfigurationApi; NetEnvironment; ProcessModel; WcfActivation (Windows 2008 only); HttpActivation; NonHttpActivation |

IaaS Manager Service

Your environment must meet some general requirements that support the installation of the IaaS Manager Service.

• .NET Framework 4.5 is installed.

• Microsoft PowerShell 2.0 (included with Windows Server 2008 R2 SP1 and later) or Microsoft PowerShell 3.0 on Windows Server 2012 is installed.

• SecondaryLogOnService is running.

• No firewalls exist between the DEM host and the Windows Server, or ports are opened as described in “Port Requirements,” on page 24.

Distributed Execution Manager Requirements

Your environment must meet some general requirements that support the installation of Distributed Execution Managers (DEMs).

• .NET Framework 4.5

• Microsoft PowerShell 2.0 (included with Windows Server 2008 R2 SP1 and later) or Microsoft PowerShell 3.0 on Windows Server 2012

• SecondaryLogOnService running

• No firewalls between DEM host and the Windows server, or ports opened as described in “Port Requirements,” on page 24.

DEM Worker instances might have additional requirements depending on the provisioning resources that they interact with.


Amazon Web Services EC2 Requirements

The IaaS Windows server communicates with and collects data from an Amazon EC2 account.

When you use Amazon Web Services for provisioning, DEM workers must meet these configuration requirements.

• Hosts on which DEMs are installed must have access to the Internet.

If there is a firewall, HTTPS traffic must be allowed to and from aws.amazon.com, as well as the URLs representing all the EC2 regions your AWS accounts have access to, for example ec2.us-east-1.amazonaws.com for the US East region. Each URL resolves to a range of IP addresses, so you may need to use a tool, such as the one available from the Network Solutions web site, to list and configure these IP addresses.

• If Internet access from the DEM host is through a proxy server, the DEM service must be running under credentials that can authenticate to the proxy server.

Red Hat Enterprise Virtualization KVM (RHEV) Requirements

Your environment must meet these Red Hat Enterprise requirements to support installation of Distributed Execution Managers (DEMs).

• Each KVM (RHEV) environment must be joined to the domain containing the IaaS server.

• The credentials used to manage the endpoint representing a KVM (RHEV) environment must have Administrator privileges on the RHEV environment. These credentials must also have sufficient privileges to create objects on the hosts within the environment.

SCVMM Requirements

Any DEM Worker used to manage virtual machines through SCVMM must be installed on a host on which the SCVMM Console is installed.

In addition, the following requirements must be met:

• The DEM must have access to the SCVMM PowerShell module installed with the console.

• The MS PowerShell Execution Policy must be set to RemoteSigned or Unrestricted.

For information on PowerShell Execution Policy, issue one of the following commands at the PowerShell command prompt:

help about_signing

help Set-ExecutionPolicy

• If all DEM Workers within the instance are not on compute resources meeting these requirements, Skills must be used to direct all SCVMM-related workflows to those that are.

The following additional requirements apply to SCVMM:

• Each SCVMM instance must be joined to the domain containing the server.

• The credentials used to manage the endpoint representing an SCVMM instance must have Administrator privileges on the SCVMM server. These credentials must also have Administrator privileges on the Hyper-V servers within the instance.

• Hyper-V servers within an SCVMM instance to be managed must be Windows 2008 R2 SP1 Servers with Hyper-V installed. The processor must be equipped with the necessary virtualization extensions. .NET Framework 4.5 must be installed and Windows Management Instrumentation (WMI) must be enabled.

• To provision machines on an SCVMM compute resource, a user must be added in at least one security role within the SCVMM instance.


Port Requirements

vCloud Automation Center uses designated ports for communication and data access.

Identity Appliance

The following ports are used by the Identity Appliance.

Table 2‑4. Incoming Ports for the Identity Appliance

| Port | Protocol | Comments |
| --- | --- | --- |
| 22 | TCP | Optional. SSH. |
| 5480 | TCP | Access to virtual appliance Web management interface |
| 7444 | TCP | SSO service over HTTPS |

Table 2‑5. Outgoing Ports for the Identity Appliance

| Port | Protocol | Comments |
| --- | --- | --- |
| 53 | TCP, UDP | DNS |
| 67, 68, 546, 547 | TCP, UDP | DHCP |
| 80 | TCP | Optional. For fetching software updates. Updates can be downloaded separately and applied. |
| 123 | TCP, UDP | Optional. For connecting directly to NTP instead of using host time. |
| 389, 636 | TCP, UDP | LDAP and Active Directory |

vCloud Automation Center Appliance

The following ports are used by the vCloud Automation Center Appliance.

In addition to the ports listed below, additional ports may be required by specific vCenter Orchestrator plugins that communicate with external systems. For more information, see the documentation for the plugin.

Table 2‑6. Incoming Ports for the vCloud Automation Center Appliance

| Port | Protocol | Comments |
| --- | --- | --- |
| 22 | TCP | Optional. SSH. |
| 80 | TCP | Optional. Redirects to 443. |
| 111 | TCP, UDP | RPC |
| 443 | TCP | Access to the vCloud Automation Center console and API calls. |
| 5480 | TCP | Access to virtual appliance Web management interface |
| 5488, 5489 | TCP | Internal. Used by vCloud Automation Center Appliance for updates. |
| 8230, 8280, 8281 | TCP | Internal vCenter Orchestrator instance |
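The incoming-port tables above can double as an allow-list when reviewing what an appliance actually exposes. The following is an added example, not VMware code: it reads `ss -ltn` output and reports listeners that Table 2‑4 or Table 2‑6 does not list, plus table ports with no listener. The function names, the `*_SOFT` grouping of Optional and Internal rows, and the sample listener text are assumptions of this example.

```shell
#!/bin/sh
# Added example, not VMware code: compare TCP listeners with the incoming-port
# tables on this page. Input is `ss -ltn` text on stdin.

# Incoming TCP ports from Table 2-4 (Identity Appliance) and Table 2-6
# (vCloud Automation Center Appliance). The *_SOFT lists hold the rows marked
# Optional or Internal. Assumption of this example: those rows need not be
# reachable from other hosts, so they are never reported as missing.
IDENTITY_TCP="22 5480 7444"
IDENTITY_SOFT="22"
VCAC_TCP="22 80 111 443 5480 5488 5489 8230 8280 8281"
VCAC_SOFT="22 80 5488 5489 8230 8280 8281"

# Constructed `ss -ltn` sample for the demo (not captured from an appliance).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    0.0.0.0:5480       0.0.0.0:*
LISTEN 0      100    127.0.0.1:5432     0.0.0.0:*
LISTEN 0      128    [::]:7444          [::]:*
LISTEN 0      50     0.0.0.0:8080       0.0.0.0:*'

# listening_ports: stdin = `ss -ltn` output. Prints the unique ports that
# listen on a non-loopback address, one per line, sorted numerically.
listening_ports() {
    awk '$1 == "LISTEN" && $4 !~ /^(127\.|\[::1\])/ {
             n = split($4, part, ":"); print part[n]
         }' | sort -un
}

# in_list PORT "LIST": true if PORT is a word in the space-separated LIST.
in_list() {
    case " $2 " in *" $1 "*) return 0 ;; esac
    return 1
}

# audit_listeners PROFILE   (PROFILE is identity or vcac; stdin = ss text)
#   unexpected PORT  listener that the table does not list
#   review PORT      listener on a row marked Optional or Internal
#   missing PORT     required table port with no listener
# Returns 1 if anything is unexpected or missing, 2 on a bad profile name.
audit_listeners() {
    case "$1" in
        identity) want=$IDENTITY_TCP; soft=$IDENTITY_SOFT ;;
        vcac)     want=$VCAC_TCP;     soft=$VCAC_SOFT ;;
        *) echo "unknown profile: $1" >&2; return 2 ;;
    esac
    have=$(listening_ports | tr '\n' ' ')
    rc=0
    for p in $have; do
        if ! in_list "$p" "$want"; then
            echo "unexpected $p"; rc=1
        elif in_list "$p" "$soft"; then
            echo "review $p"
        fi
    done
    for p in $want; do
        in_list "$p" "$soft" && continue
        in_list "$p" "$have" || { echo "missing $p"; rc=1; }
    done
    return $rc
}

# Demo on the constructed sample: sh port_audit.sh demo
if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_SS" | audit_listeners identity
fi
```

On a live appliance, pipe `ss -ltn` into `audit_listeners identity` or `audit_listeners vcac`; the non-zero exit status makes it usable in a scheduled check.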

Table 2‑7. Outgoing Ports for the vCloud Automation Center Appliance

| Port | Protocol | Comments |
| --- | --- | --- |
| 25, 587 | TCP, UDP | SMTP for sending outbound notification emails |
| 53 | TCP, UDP | DNS |
| 67, 68, 546, 547 | TCP, UDP | DHCP |
| 80 | TCP | Optional. For fetching software updates. Updates can be downloaded separately and applied. |
| 110, 995 | TCP, UDP | POP for receiving inbound notification emails |
| 143, 993 | TCP, UDP | IMAP for receiving inbound notification emails |
| 123 | TCP, UDP | Optional. For connecting directly to NTP instead of using host time. |
| 443 | TCP | IaaS Manager Service over HTTPS |
| 5433 | TCP, UDP | Optional. For communicating with an external PostgreSQL database. |
| 7444 | TCP | Communication with SSO service over HTTPS |
| 8281 | TCP | Optional. For communicating with an external vCenter Orchestrator instance. |

Infrastructure as a Service

In addition to verifying that the ports listed in the following table are free for use, you must enable Microsoft Distributed Transaction Coordinator Service (MS DTC) communication between all servers in the deployment. The Prerequisite Checker validates whether MS DTC is running and that the required ports are open.

Any virtualization hosts managed by proxy agents must also have TCP port 443 open for incoming traffic.

Table 2‑8. Incoming Ports for Infrastructure as a Service Components

| Component | Port | Protocol | Comments |
| --- | --- | --- | --- |
| SQL Server instance | 1433 | TCP | MSSQL |
| Manager Service | 443 | TCP | Communication with IaaS components and vCloud Automation Center Appliance over HTTPS |

Table 2‑9. Outgoing Ports for Infrastructure as a Service Components

| Component | Port | Protocol | Comments |
| --- | --- | --- | --- |
| All | 53 | TCP, UDP | DNS |
| All | 67, 68, 546, 547 | TCP, UDP | DHCP |
| All | 123 | TCP, UDP | Optional. NTP. |
| Manager Service | 443 | TCP | Communication with vCloud Automation Center Appliance over HTTPS |
| Website | 443 | TCP | Communication with Manager Service over HTTPS |
| Distributed Execution Managers | 443 | TCP | Communication with Manager Service over HTTPS |
| Proxy agents | 443 | TCP | Communication with Manager Service and virtualization hosts over HTTPS |
| Guest agent | 443 | TCP | Communication with Manager Service over HTTPS |
| Manager Service, Website | 1433 | TCP | MSSQL |


Users and Credentials Required for Installation

You must verify that you have the roles and credentials to install vCloud Automation Center components.

vCenter Service Account

If you plan to use a vSphere endpoint, you need a domain or local account that has the appropriate level of access configured in vCenter.

Virtual Appliance Installation

To deploy the VMware Identity Appliance and the vCloud Automation Center Appliance, you must have administrator privileges on the deployment platform (for example, vSphere administrator credentials).

During the deployment process, you specify the passwords for the virtual appliance administrator accounts and the system administrator account. These accounts provide access to the VMware Identity Appliance and vCloud Automation Center Appliance management consoles where you configure and administer the virtual appliances.

IaaS Installation

Before installing IaaS components, add the user under which you plan to execute the IaaS installation programs to the Administrator group on the installation host.

IaaS Database Credentials

You can create the database using the installation wizard or create it manually by running the provided scripts. If you use the complete install option to create a minimal installation, you must create the database using the installer.

If you use the IaaS installer to create or populate the IaaS database, the following requirements apply:

• If you use the installer to create the database and select Use Windows Authentication, the credentials under which you executed the installer must have the sysadmin role in SQL Server to create and alter the size of the database.

• If you use the installer to create the database and do not select Use Windows Authentication, you must provide SQL credentials with the sysadmin role. If you do not use Windows authentication, the credentials you provide are used only for database creation (not for run-time access after initial creation).

• If you use the installer to populate a pre-created database, the user credentials you provide (either the current Windows user or the specified SQL user) need only dbo privileges for the IaaS database.

IaaS Service User Credentials

IaaS installs several Windows services that share a single service user.

The following requirements apply to the service user for IaaS services:

• The user must be a domain user.

• The user must have local Administrator privileges on all hosts on which the Manager Service or website component is installed.

• The user must have dbo privileges for the IaaS database. If you use the installer to create the database, ensure that the service user login is added to SQL Server prior to running the installer. The installer grants the service user dbo privileges after creating the database.

• The account under which the installer is running should have the sysadmin role enabled under MSSQL.


Security

vCloud Automation Center uses SSL to ensure secure communication between components. Passphrases are used for secure database storage.

Certificates

vCloud Automation Center uses certificates for secure communication between IaaS components and both virtual appliances. The system administrator obtains or generates certificates for the appliances and for IaaS. The appliances and the Windows installation machine exchange these certificates to establish a trusted connection.

You should use a certificate that is trusted by your web client for distributed installations. VMware recommends a domain certificate or a wildcard domain certificate for a distributed installation. The installer offers an option to generate a self-signed certificate as a convenience in a proof-of-concept or development environment where all components are installed on the same machine. VMware does not recommend using self-signed certificates in a production or distributed environment.

Virtual Appliances

Use a self-signed certificate for proof-of-concept deployments. During the deployment of the virtual appliances, you can use a self-signed certificate, domain certificate, or wildcard domain certificate. After deployment, you can replace certificates. You can change from self-signed certificates to trusted certificates.

When you supply the domain certificate information during virtual appliance configuration or certificate updating, the following information is required. The examples in this table use Gnu's openssl commands to extract the certificate information you need to configure the virtual appliances.

Table 2‑10. Sample Certificate Values and Commands (openssl)

| Certificate Authority Provides | Command | Virtual Appliance Entries |
| --- | --- | --- |
| RSA Private Key | openssl pkcs12 -in path_to_.pfx_certificate_file -nocerts -out key.pem | RSA Private Key |
| PEM File | openssl pkcs12 -in path_to_.pfx_certificate_file -clcerts -nokeys -out cert.pem | Certificate Chain |
| (Optional) Pass Phrase | n/a | Pass Phrase |

NOTE If your certificate uses a pass phrase for encryption and you do not enter it when you replace your certificate on the virtual appliance, the Unable to load private key message appears. Make sure you have supplied the correct pass phrase.
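The extraction in Table 2‑10 can be scripted and checked before the values are pasted into the appliance. The following is an added example, not VMware code: it runs the table's two commands non-interactively, strips the `Bag Attributes` lines that `openssl pkcs12` writes around each PEM block, and confirms that the pass phrase opens the key, that key and certificate belong together, and that the certificate covers each host name. The function names, the `PFX_PASS` and `KEY_PASS` environment variables, and the self-signed sample certificate are assumptions of this example.

```shell
#!/bin/sh
# Added example, not VMware code. Pass phrases come from the environment
# (PFX_PASS = .pfx import password, KEY_PASS = pass phrase for key.pem) so
# they never appear on a command line. Both variable names are assumptions.

# make_sample_pfx DIR CN: constructed self-signed 1-day certificate packed
# into DIR/sample.pfx, standing in for the file a certificate authority sends.
make_sample_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/src.key" -out "$1/src.crt" 2>/dev/null || return 1
    openssl pkcs12 -export -inkey "$1/src.key" -in "$1/src.crt" \
        -out "$1/sample.pfx" -passout env:PFX_PASS 2>/dev/null
}

# extract_pem PFX OUTDIR: the two Table 2-10 commands, with -passin/-passout
# answering the prompts. key.pem stays encrypted under KEY_PASS, which is the
# value for the appliance's Pass Phrase entry.
extract_pem() {
    (
        umask 077    # new key file is readable by its owner only
        openssl pkcs12 -in "$1" -nocerts -out "$2/key.pem" \
            -passin env:PFX_PASS -passout env:KEY_PASS 2>/dev/null &&
        openssl pkcs12 -in "$1" -clcerts -nokeys -out "$2/cert.pem" \
            -passin env:PFX_PASS 2>/dev/null
    )
}

# pem_block FILE: print only the BEGIN...END block(s). pkcs12 writes
# "Bag Attributes" lines ahead of each block; they are not part of the value.
pem_block() {
    sed -n '/^-----BEGIN /,/^-----END /p' "$1"
}

# key_loads KEYFILE: true only if KEY_PASS decrypts the key. A wrong or
# missing pass phrase is the case behind "Unable to load private key".
key_loads() {
    openssl pkey -in "$1" -passin env:KEY_PASS -noout 2>/dev/null
}

# key_matches_cert KEYFILE CERTFILE: true if both carry the same public key.
key_matches_cert() {
    kpub=$(openssl pkey -in "$1" -passin env:KEY_PASS -pubout 2>/dev/null) || return 1
    cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ]
}

# cert_covers_host CERTFILE FQDN: true if the certificate's names (SAN, or CN
# when there is no SAN) cover FQDN, wildcards included.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# check_pfx PFX OUTDIR FQDN...: run every check, one result line per finding.
# Pass each appliance and load balancer name; returns non-zero on any failure.
check_pfx() {
    pfx=$1; out=$2; shift 2; rc=0
    extract_pem "$pfx" "$out" || { echo "FAIL extract (import password?)"; return 1; }
    key_loads "$out/key.pem" || { echo "FAIL pass phrase does not open key.pem"; rc=1; }
    key_matches_cert "$out/key.pem" "$out/cert.pem" ||
        { echo "FAIL key and certificate do not match"; rc=1; }
    for host in "$@"; do
        if cert_covers_host "$out/cert.pem" "$host"; then
            echo "ok   certificate covers $host"
        else
            echo "FAIL certificate does not cover $host"; rc=1
        fi
    done
    return $rc
}

# Demo on constructed input: sh pfx_check.sh demo
if [ "${1:-}" = "demo" ]; then
    export PFX_PASS='constructed-import-pw' KEY_PASS='constructed-key-pw'
    tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
    make_sample_pfx "$tmp" '*.mycompany.com'
    check_pfx "$tmp/sample.pfx" "$tmp" vcac-sso.mycompany.com lb.mycompany.com
    pem_block "$tmp/cert.pem"    # value for the Certificate Chain text box
fi
```

Delete `key.pem` from the working directory once the values are entered; the appliance keeps its own copy.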

IaaS Certificate

• If you are performing a distributed installation, you should use a certificate that is trusted by your web client for distributed installations. VMware recommends a domain certificate or a wildcard domain certificate for a distributed installation. Make sure you import the same certificate on each IaaS installation machine. If you cannot use a non-wildcard certificate, use certificate suppression when you install the IaaS components with a domain certificate.


• If you are performing a minimal (Complete) installation, you can use a domain certificate (recommended), accept the self-signed certificate generated during installation, or you can use certificate suppression when you install IaaS.

NOTE If you do not have sufficient permissions to install domain certificates, the browser prompts you with security exceptions when you open vCloud Automation Center. The procedure required to accept the certificate varies by browser. Follow the instructions for your browser to permanently trust each self-signed certificate.

Security Passphrase

vCloud Automation Center uses security passphrases for database security. A passphrase is a series of words used to create a phrase that generates the encryption key that protects data while at rest in the database.

Use the same passphrase for all components in a distributed environment.

Follow these guidelines when creating a security passphrase for the first time.

• Use the same passphrase across the entire installation to ensure that each component has the same encryption key.

• Use a phrase that is greater than eight characters long.

• Include uppercase, lowercase and numeric characters, and symbols.

• Memorize the passphrase or keep it in a safe place. The passphrase is required to restore database information in the event of a system failure. Without the passphrase, you cannot restore successfully.

Third-Party Software

Some components of vCloud Automation Center depend on third-party software, including Microsoft Windows and SQL Server. To guard against security vulnerabilities in third-party products, ensure that your software is up-to-date with the latest patches from the vendor.

Time Synchronization

A system administrator must set up accurate timekeeping as part of the vCloud Automation Center installation.

Installation fails if time synchronization is set up incorrectly.

Timekeeping must be consistent and synchronized across the Identity Appliance, vCloud Automation Center Appliance, and Windows servers. By using the same timekeeping method for each component, you can ensure this consistency.

For virtual machines, you can use the following methods:

• Configuration by using Network Time Protocol (directly)

• Configuration by using Network Time Protocol through ESXi with VMware Tools. You must have NTP set up on the ESXi.

For Windows servers, consult Timekeeping best practices for Windows, including NTP.


Chapter 3 Minimal Installation

A minimal installation consists of one instance of the Identity Appliance, one instance of the vCloud Automation Center Appliance, and all the IaaS components installed on a single Windows machine.

This chapter includes the following topics:

• “Deploy and Configure the Identity Appliance”

• “Deploy and Configure the vCloud Automation Center Appliance”

• “Installing IaaS Components”

Deploy and Configure the Identity Appliance

Download and configure the Identity Appliance to provide Single Sign-On (SSO) capability for the vCloud Automation Center environment.

You can deploy and configure multiple Identity Appliance instances.

NOTE You can use the SSO provided with vCloud Automation Center or some versions of the SSO provided with vSphere. For information on supported versions, see vCloud Automation Center Support Matrix.

1 Deploy the Identity Appliance

The Identity Appliance is a pre-configured virtual appliance that provides single sign-on capabilities. It is delivered as an open virtualization format (OVF) template. The system administrator downloads the Identity Appliance and deploys it into vCenter Server or ESX/ESXi inventory.

2 Enable Time Synchronization on the Identity Appliance

Clocks on the Identity Appliance server, the vCloud Automation Center server, and Windows servers must be synchronized to ensure a successful installation.

3 Configure the Identity Appliance

The Identity Appliance provides Single-Sign On (SSO) capability for vCloud Automation Center users. SSO is an authentication broker and security token exchange that interacts with the enterprise identity store (Active Directory or LDAP) to authenticate users. A system administrator configures SSO settings to provide access to the vCloud Automation Center.


Deploy the Identity Appliance

The Identity Appliance is a pre-configured virtual appliance that provides single sign-on capabilities. It is delivered as an open virtualization format (OVF) template. The system administrator downloads the Identity Appliance and deploys it into vCenter Server or ESX/ESXi inventory.

Prerequisites

n Verify that the Identity Appliance was downloaded from the VMware website.

n Log in to the vSphere client as a user with system administrator privileges.

Procedure

1 In the vSphere client, select File > Deploy OVF Template.

2 Browse to the Identity Appliance file with the .ova or .ovf extension and click Open.

3 Click Next.

4 Click Next on the OVF Template Details page.

5 Accept the license agreement and click Next.

6 Type a unique virtual appliance name according to the IT naming convention of your organization in the Name text box, select the datacenter and location to which you want to deploy the virtual appliance, and click Next.

7 Follow the prompts until the Disk Format page appears.

8 Verify on the Disk Format page that enough space exists to deploy the virtual appliance and click Next.

9 Follow the prompts to the Properties page.

The options that appear depend on your vSphere configuration.

10 Configure the values on the Properties page.

a Type the root password to use when you log in to the virtual appliance console in the Enter password and Confirm password text boxes.

b Type the fully qualified domain name of the virtual machine in the Hostname text box, even if you are using DHCP.

c Configure the networking properties.

11 Click Next.

12 If the Power on after deployment option is available on the Ready to Complete page, select it and click Finish.

13 Restart the machine.

14 Verify that the fully qualified domain name can be resolved against the IP address of the Identity Appliance by opening a command prompt and pinging the FQDN.

Enable Time Synchronization on the Identity Appliance

Clocks on the Identity Appliance server, the vCloud Automation Center server, and Windows servers must be synchronized to ensure a successful installation.

If you see certificate warnings during this procedure, continue past them.

Prerequisites

“Deploy the Identity Appliance,” on page 30.


Procedure

1 Navigate to the Identity Appliance management console by using its fully qualified domain name, https://identity-hostname.domain.name:5480/.

2 Log in by using the user name root and the password you specified when you deployed the Identity Appliance.

3 Select Admin > Time Settings.

4 Select an option from the Time Sync Mode menu.

| Option | Action |
| --- | --- |
| Network Time Protocol | Select Use Time Server from the Time Sync Mode menu. For each time server that you are using, type the IP address or the host name in the Time Server text box. |
| VMware Tools | Select Use Host Time from the Time Sync Mode menu. You must configure the connections to Network Time Protocol servers before you can use VMware Tools. |

5 Click Save Settings.

6 Verify that the value in Current Time is correct.

Configure the Identity Appliance

The Identity Appliance provides Single-Sign On (SSO) capability for vCloud Automation Center users. SSO is an authentication broker and security token exchange that interacts with the enterprise identity store (Active Directory or LDAP) to authenticate users. A system administrator configures SSO settings to provide access to the vCloud Automation Center.

Optionally, when you configure the appliance, you can specify a Native Active Directory, for large deployments with multiple forests, for example. Native Active Directories have the following characteristics:

n Use Kerberos to authenticate

n Do not require a search base, making it easier to find the correct Active Directory store

n Can be used only with the default tenant

You must also specify an Active Directory identity store when you configure tenants. See Chapter 8, “Configuring Tenants,” on page 117.

Prerequisites

“Enable Time Synchronization on the Identity Appliance,” on page 30.

Procedure

1 Navigate to the Identity Appliance management console by using its fully qualified domain name, https://identity-hostname.domain.name:5480/.

2 Continue past the certificate warning.

3 Log in with user name root and the password you specified when the appliance was deployed.

4 The default domain name in System Domain is vsphere.local.

This name is the local default domain for the Identity Appliance. The default tenant is created with this name.


5 Type the password to assign to the system administrator ([email protected]) in the Admin Password and Repeat password text boxes.

Record the password in a secure place. The password is required when you configure vCloud Automation Center Appliance later in the installation process. It is also used with the system administrator log in for the vCloud Automation Center console.

6 Click Apply.

It can take several minutes for the success message to appear. Do not interrupt the process.

7 When the success message appears, click the Host Settings tab.

8 Append the SSO port :7444 to the host name in the SSO Host Name text box.

For example: vcac-sso.mycompany.com:7444. SSO cannot function correctly without the 7444 port.

9 Click Apply.

It can take several minutes to apply your settings. Do not interrupt the process. The process is complete when the load icon stops spinning.

10 Click SSL.

11 Select the certificate type from the Choose Action menu. If you are using a PEM encoded certificate, for example for a distributed environment, select Import PEM encoded certificate.

Certificates that you import must be trusted and must also be applicable to all instances of vCloud Automation Center Appliance and any load balancer, either by using wildcards or by using Subject Alternative Name (SAN) certificates.

IMPORTANT Using self-signed certificates is not recommended for production environments.

| Option | Action |
| --- | --- |
| Import a certificate | (a) Copy the certificate values from BEGIN PRIVATE KEY to END PRIVATE KEY, including the header and footer, and paste them in the RSA Private Key text box. (b) Copy the certificate values from BEGIN CERTIFICATE to END CERTIFICATE, including the header and footer, and paste them in the Certificate Chain text box. (c) (Optional) If your certificate has one, copy the pass phrase that encrypts the private key of the certificate that you are importing, and paste it in the Pass Phrase text box. |
| Generate a self-signed certificate | (a) Type a common name for the certificate in the Common Name text box. You can use the fully qualified domain name of the virtual appliance (hostname.domain.name) or a wild card, such as *.mycompany.com. If you use a load balancer, you need to specify the FQDN of the load balancer or a wildcard that matches the name of the load balancer. Do not accept a default value if one is shown, unless it matches the host name of the virtual appliance. (b) Type your organization name, such as your company name, in the Organization text box. (c) Type your organizational unit, such as your department name or location, in the Organizational Unit text box. (d) Type a two-letter ISO 3166 country code, such as US, in the Country text box. |


12 (Optional) To use Native Active Directory, click the Active Directory tab.

You must also specify an Active Directory identity store when you configure tenants, even if you specify Native Active Directory settings here.

a Type the Active Directory domain name that contains the pool of users to create as vCloud Automation Center administrators in Domain Name.

b Type the name of the Active Directory domain name user for the identity store in Domain User.

c Click Join AD Domain.

The SSO host is initialized. If Identity Appliance does not function correctly after configuration, redeploy and reconfigure the appliance. Do not make changes to the existing appliance.

Deploy and Configure the vCloud Automation Center Appliance

The vCloud Automation Center Appliance is a pre-configured virtual appliance that deploys the vCloud Automation Center Appliance server and web console (the user portal). It is delivered as an open virtualization format (OVF) template. The system administrator downloads the appliance and deploys it into the vCenter Server or ESX/ESXi inventory.

1 Deploy the vCloud Automation Center Appliance

To deploy the vCloud Automation Center Appliance, a system administrator must log in to the vSphere client and select deployment settings.

2 Enable Time Synchronization on the vCloud Automation Center Appliance

Clocks on the Identity Appliance server, vCloud Automation Center server, and Windows servers must be synchronized to ensure a successful installation.

3 Configure the vCloud Automation Center Appliance

To prepare the vCloud Automation Center Appliance for use, a system administrator configures the host settings, generates an SSL certificate, and provides SSO connection information.

Deploy the vCloud Automation Center Appliance

To deploy the vCloud Automation Center Appliance, a system administrator must log in to the vSphere client and select deployment settings.

Prerequisites

- Verify that the vCloud Automation Center Appliance was downloaded from the VMware Web site.

- Log in to the vSphere client as a user with system administrator privileges.

Procedure

1 Select File > Deploy OVF Template from the vSphere client.

2 Browse to the vCloud Automation Center Appliance file you downloaded and click Open.

3 Click Next.

4 Click Next on the OVF Template Details page.

5 Accept the license agreement and click Next.

6 Type a unique virtual appliance name according to the IT naming convention of your organization in the Name text box, select the datacenter and location to which you want to deploy the virtual appliance, and click Next.

7 Follow the prompts until the Disk Format page appears.


8 Verify on the Disk Format page that enough space exists to deploy the virtual appliance and click Next.

9 Follow the prompts to the Properties page.

The options that appear depend on your vSphere configuration.

10 Configure the values on the Properties page.

a Type the root password to use when you log in to the virtual appliance console in the Enter password and Confirm password text boxes.

b Type the fully qualified domain name of the virtual machine in the Hostname text box, even if you are using DHCP.

c Configure the networking properties.

11 Click Next.

12 If the Power on after deployment option is available on the Ready to Complete page, select it and click Finish.

13 Restart the machine.

14 Open a command prompt and ping the FQDN to verify that the fully qualified domain name can be resolved against the IP address of vCloud Automation Center Appliance.

Enable Time Synchronization on the vCloud Automation Center Appliance

Clocks on the Identity Appliance server, vCloud Automation Center server, and Windows servers must be synchronized to ensure a successful installation.

If you see certificate warnings during this process, continue past them to finish the installation.

Prerequisites

“Deploy the vCloud Automation Center Appliance,” on page 33.

Procedure

1 Navigate to the vCloud Automation Center Appliance management console by using its fully qualified domain name, https://vcac-va-hostname.domain.name:5480/.

2 Log in with user name root and the password you specified when the appliance was deployed.

3 Select Admin > Time Settings.

4 Select an option from the Time Sync Mode menu.

Option | Action

Network Time Protocol | Select Use Time Server from the Time Sync Mode menu. For each time server that you are using, type the IP address or the host name in the Time Server text box.

VMware Tools | Select Use Host Time from the Time Sync Mode menu. You must configure the connections to Network Time Protocol servers before you can use VMware Tools.

5 Click Save Settings.

6 Verify that the value in Current Time is correct.


Configure the vCloud Automation Center Appliance

To prepare the vCloud Automation Center Appliance for use, a system administrator configures the host settings, generates an SSL certificate, and provides SSO connection information.

Prerequisites

“Enable Time Synchronization on the vCloud Automation Center Appliance,” on page 34.

Procedure

1 Navigate to the vCloud Automation Center Appliance management console by using its fully qualified domain name, https://vcac-va-hostname.domain.name:5480/.

2 Continue past the certificate warning.

3 Log in with user name root and the password you specified when you deployed vCloud Automation Center Appliance.

4 Select vCAC Settings > Host Settings and click Resolve Host Name to view the name of the currently specified host.

5 (Optional) If you want to change the host name, enter the fully qualified domain name, vcac-hostname.domain.name, of the vCloud Automation Center Appliance. If you are using a load balancer, enter the fully qualified domain name for the load balancer server.

6 Click Save Settings.

7 Click SSL.


8 Select the certificate type from the Choose Action menu. If you are using a PEM encoded certificate, for example for a distributed environment, select Import PEM encoded certificate.

Certificates that you import must be trusted and must also be applicable to all instances of vCloud Automation Center Appliance and any load balancer, either by using wildcards or by using Subject Alternative Name (SAN) certificates.

IMPORTANT Using self-signed certificates is not recommended for production environments.

Option: Import a certificate

a Copy the certificate values from BEGIN PRIVATE KEY to END PRIVATE KEY, including the header and footer, and paste them in the RSA Private Key text box.

b Copy the certificate values from BEGIN CERTIFICATE to END CERTIFICATE, including the header and footer, and paste them in the Certificate Chain text box.

c (Optional) If your certificate has one, copy the pass phrase that encrypts the private key of the certificate that you are importing, and paste it in the Pass Phrase text box.

Option: Generate a self-signed certificate

a Type a common name for the certificate in the Common Name text box. You can use the fully qualified domain name of the virtual appliance (hostname.domain.name) or a wild card, such as *.mycompany.com. If you use a load balancer, you need to specify the FQDN of the load balancer or a wildcard that matches the name of the load balancer. Do not accept a default value if one is shown, unless it matches the host name of the virtual appliance.

b Type your organization name, such as your company name, in the Organization text box.

c Type your organizational unit, such as your department name or location, in the Organizational Unit text box.

d Type a two-letter ISO 3166 country code, such as US, in the Country text box.

9 Configure the SSO settings that the vCloud Automation Center Appliance uses to interact with the Identity Appliance. These settings must match the settings you entered when configuring the Identity Appliance.

a Click SSO.

b Type the fully qualified domain name of the Identity Appliance, identity-va-hostname.domain.name:7444, in the SSO Host and Port text box. Do not use an https:// prefix.

For example, vcac-sso.mycompany.com:7444.

c Note the default tenant, vsphere.local, in SSO Default Tenant. Do not modify this.

d Type the default administrator name [email protected] in the SSO Admin User text box.

e Type the SSO administrator password in the SSO Admin Password text box. The password must match the password you specified in the SSO settings for the Identity Appliance.

f Click Save Settings.

After a few minutes, a success message appears and SSO Status is updated to Connected.

g (Optional) If the spinner does not stop within a few minutes, exit the appliance, close the browser, and log in again.


10 If you plan to deploy your vCloud Automation Center PostgreSQL database on an external host, specify the database information.

a Click Database.

b Specify the host, port, database name (the default is vcac), and the database authentication information for the PostgreSQL database.

c Click Save Settings.

11 If you see the message Error restarting VCAC server after you click Save Settings, ignore the message and continue with the next step.

12 Click Services.

The following services must be running before you can log in to the console. Depending on your site configuration, this can take about 10 minutes.

- authorization

- authentication

- eventlog-service

- shell-ui-app

- branding-service

- plugin-service

NOTE You can log in to the appliance and run tail -f /var/log/vcac/catalina.out to monitor startup of the services.

13 Configure the license to enable the Infrastructure tab on the vCloud Automation Center console.

a Click Licensing.

b Type a valid vCloud Automation Center license key that you downloaded when you downloaded the installation files, and click Submit Key.

NOTE If you experience a connection error, you might have a problem with the load balancer. Check network connectivity to the load balancer.

14 Confirm that you can log in to the vCloud Automation Center console.

a Open a browser and navigate to https://vcac-hostname.domain.name/shell-ui-app.

b Accept the vCloud Automation Center certificate.

c Accept the SSO certificate.

d Log in with [email protected] and the password you specified when you configured SSO.

The console opens to the Tenants page on the Administration tab. A single tenant named vsphere.local appears in the list.

You have finished the deployment and configuration of your vCloud Automation Center Appliance. If the appliance does not function correctly after configuration, redeploy and reconfigure the appliance. Do not make changes to the existing appliance.

What to do next

“Install the Infrastructure Components,” on page 39
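
An added pre-flight check for the Import a certificate option in step 8 above (the same fields appear in the Identity Appliance SSL step); it is example code, not part of the VMware documentation. It splits pasted PEM text into the private key and certificate chain, reports whether a pass phrase is needed, and lists appliance or load balancer names that a wildcard or SAN entry does not cover. The function names, the sample bundle and the host names are constructed, and the certificate's names are assumed to be supplied by the caller.

```python
import re

# Matches one PEM block, header and footer included (LF or CRLF line endings).
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n"
    r"(?P<body>.*?)\r?\n"
    r"-----END (?P=label)-----",
    re.DOTALL,
)


def split_pem_bundle(text):
    """Split pasted PEM text into (private_key, certificate_chain, needs_pass_phrase)."""
    keys, certs, encrypted = [], [], False
    for match in PEM_BLOCK.finditer(text):
        label, block = match.group("label"), match.group(0)
        if label.endswith("PRIVATE KEY"):
            keys.append(block)
            # PKCS#8 encrypted keys have their own label; traditional OpenSSL
            # keys announce encryption in a Proc-Type header inside the block.
            if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in match.group("body"):
                encrypted = True
        elif label == "CERTIFICATE":
            certs.append(block)
    if len(keys) != 1:
        raise ValueError(f"expected exactly one private key block, found {len(keys)}")
    if not certs:
        raise ValueError("no CERTIFICATE block found")
    # Keep the certificates in the order they were pasted (leaf first by convention).
    return keys[0], "\n".join(certs), encrypted


def name_matches(pattern, host):
    """True if a certificate name (exact or '*.' wildcard) covers the host name."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    # A wildcard stands for exactly one left-most label, so *.mycompany.com
    # covers a.mycompany.com but neither a.b.mycompany.com nor mycompany.com.
    head, _, rest = host.partition(".")
    return bool(head) and rest == pattern[2:]


def uncovered_hosts(cert_names, required_hosts):
    """Return the required host names that no certificate name covers."""
    return [h for h in required_hosts
            if not any(name_matches(p, h) for p in cert_names)]


# Constructed sample: placeholder bodies, not real key or certificate material.
SAMPLE_BUNDLE = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,00000000000000000000000000000000

AAAAplaceholderkeybodyAAAA
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
AAAAplaceholderleafcertAAAA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
AAAAplaceholderissuercertAAAA
-----END CERTIFICATE-----
"""

# Constructed names: two appliances and a load balancer, one in a sub-domain.
SAMPLE_CERT_NAMES = ["*.mycompany.com"]
SAMPLE_REQUIRED_HOSTS = [
    "vcac-va1.mycompany.com",
    "vcac-lb.mycompany.com",
    "vcac-va2.lab.mycompany.com",
]

if __name__ == "__main__":
    key, chain, needs_pass_phrase = split_pem_bundle(SAMPLE_BUNDLE)
    print("RSA Private Key text box:", key.splitlines()[0], "...")
    print("Certificate Chain text box:", chain.count("BEGIN CERTIFICATE"), "certificate(s)")
    print("Pass Phrase required:", needs_pass_phrase)
    print("Not covered:", uncovered_hosts(SAMPLE_CERT_NAMES, SAMPLE_REQUIRED_HOSTS))
```
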


Installing IaaS Components

The administrator installs a complete set of infrastructure (IaaS) components on a Windows machine (physical or virtual). Administrator rights are required to perform these tasks.

A minimal installation installs all of the components on the same Windows server, except for the SQL database, which you can install on a separate server.

Enable Time Synchronization on the Windows Server

Clocks on the Identity Appliance server, vCloud Automation Center server, and Windows servers must be synchronized to ensure a successful installation.

The following steps describe how to enable time synchronization with the ESX/ESXi host by using VMware tools. If you are installing the IaaS components on a physical host or do not want to use VMware tools for time synchronization, ensure that the server time is accurate by using your preferred method.

Procedure

1 Open a command prompt on the Windows installation machine.

2 Type the following command to navigate to the VMware Tools directory.

cd C:\Program Files\VMware\VMware Tools

3 Type the command to display the timesync status.

VMwareToolboxCmd.exe timesync status

4 If timesync is disabled, type the following command to enable it.

VMwareToolboxCmd.exe timesync enable

IaaS Certificates

vCloud Automation Center IaaS components use certificates and SSL to secure communications between components.

In a minimal installation for proof-of-concept purposes, you can use self-signed certificates.

In a distributed environment, VMware recommends that you obtain a domain certificate from a trusted certificate authority.

If you are performing a distributed installation, follow these steps to prepare the IaaS certificate.

1 Get a certificate from a trusted certificate authority.

2 To ensure that the certificate authority and the root certificate are trusted, place the root certificate from the certificate authority into the Trusted Root using the Windows certificate plug-in.

3 Add the certificate to IIS.

4 Restart the IIS machine.

5 Start the IaaS installer.


Install the Infrastructure Components

The system administrator logs into the Windows machine and follows the installation wizard to install the infrastructure components (IaaS) on the Windows virtual or physical machine.

Prerequisites

- Verify that your installation machine meets the requirements described in “IaaS (Windows Server) Requirements,” on page 21.

- “Enable Time Synchronization on the Windows Server,” on page 38.

- Verify that you have deployed and fully configured the vCloud Automation Center Appliance, and that the necessary services are running (plugin-service, catalog-service, iaas-proxy-provider).

Procedure

1 Download the IaaS Installer on page 39
A system administrator downloads the installer to a Windows 2008 or Windows 2012 physical or virtual machine.

2 Log In and Select the Installation Type on page 40
The system administrator runs the installer wizard from the Windows 2008 or 2012 installation machine.

3 Check Prerequisites on page 40
The Prerequisite Checker verifies that your machine meets IaaS installation requirements.

4 Specify Server and Account Settings on page 41
The system administrator specifies server and account settings for the Windows installation server and selects a SQL database server instance and authentication method.

5 Specify Managers and Agents on page 41
The minimum installation installs the required Distributed Execution Managers and the default vSphere proxy agent. The system administrator can install additional proxy agents (XenServer, or Hyper-V, for example) after installation.

6 Register the IaaS Components on page 42
The system administrator installs the IaaS certificate and registers the IaaS components with the SSO.

7 Complete the Installation on page 42
The system administrator completes the IaaS installation.

Download the IaaS Installer

A system administrator downloads the installer to a Windows 2008 or Windows 2012 physical or virtual machine.

If you see certificate warnings during this procedure, continue past them.

Prerequisites

- Microsoft .NET Framework 4.5 must be installed on the IaaS installation machine. You can download the .NET installer from the installer Web page.

- If you are using Internet Explorer for the download, verify that Enhanced Security Configuration is not enabled. See res://iesetup.dll/SoftAdmin.htm.

- Log in to the Windows server as a local administrator.


Procedure

1 Open a Web browser.

2 Enter the URL for the Windows IaaS installer download page.

For example, https://vcac-va-hostname.domain.name:5480/installer, where vcac-va-hostname.domain.name is the name of the vCloud Automation Center Appliance host.

3 Click setup.exe.

4 When prompted, save the installer file ([email protected]) to the desktop.

Do not change the file name. It is used to connect the installation to the vCloud Automation Center Appliance.

Log In and Select the Installation Type

The system administrator runs the installer wizard from the Windows 2008 or 2012 installation machine.

Prerequisites

“Download the IaaS Installer,” on page 66.

Procedure

1 Right-click the [email protected] setup file that you downloaded and select Run as administrator.

If you see a Microsoft .NET 4.5 missing prompt, navigate to the fully configured vCloud Automation Center Appliance at https://vcac-va-hostname.domain.name, select the .NET installer link and restart the machine. Begin this procedure again.

2 Click Next.

3 Accept the license agreement and click Next.

4 Type the administrator credentials for the vCloud Automation Center Appliance on the Log In page and click Next.

The user name is root and the password is the password that you specified when you deployed the vCloud Automation Center Appliance.

5 Click Next.

6 Select Complete Install on the Installation Type page and click Next.

Check Prerequisites

The Prerequisite Checker verifies that your machine meets IaaS installation requirements.

Prerequisites

“Log In and Select the Installation Type,” on page 40.

Procedure

1 If warnings appear in the Prerequisite Checker, for each item that requires attention, select the entry in the left pane and follow the instructions that appear on the right.

2 When all problems are addressed, click Check Again and verify that all items have check marks next to them.

You can click Check Again at any time to check the status of the prerequisites.


3 If noncritical errors still occur, click Bypass to continue the installation.

Bypassing critical errors causes the installation to fail.

4 Click Next.

The machine meets installation requirements.

Specify Server and Account Settings

The system administrator specifies server and account settings for the Windows installation server and selects a SQL database server instance and authentication method.

Prerequisites

“Check Prerequisites,” on page 40.

Procedure

1 On the Server and Account Settings page, specify the user name and password for a user with SQL administrative privileges or a local administrator.

2 Type a phrase in the Passphrase text box.

The passphrase is a series of words that generates the encryption key used to secure database data.

3 In the Microsoft SQL Server Database Installation Information panel, accept the default server to install the database instance on the same server with the IaaS components, or type a new server name to install the database on another machine.

4 Accept the default in the Database Name text box.

5 Select the authentication method.

- Select Use Windows authentication if you want to create the database using the Windows credentials of the current user.

- Deselect Use Windows authentication if you want to create the database using SQL authentication. Type the User name and Password of the SQL Server user with administrator credentials on the SQL server instance.

6 Click Next.

Specify Managers and Agents

The minimum installation installs the required Distributed Execution Managers and the default vSphere proxy agent. The system administrator can install additional proxy agents (XenServer, or Hyper-V, for example) after installation.

Prerequisites

“Specify Server and Account Settings,” on page 41.

Procedure

1 On the Distributed Execution Managers And Proxy vSphere Agent page, accept the defaults.

2 (Optional) Install a vSphere agent to enable provisioning with vSphere.

a Select Install and configure vSphere agent.

b Accept the default agent and endpoint, or type a name.

Make a note of the Endpoint name value. This information is used when you configure the vSphere endpoint in the vCloud Automation Center console.


3 Click Next.

Register the IaaS Components

The system administrator installs the IaaS certificate and registers the IaaS components with the SSO.

Prerequisites

“Specify Managers and Agents,” on page 41.

Procedure

1 Accept the default Server value, which is populated with the fully qualified domain name of the vCloud Automation Center Appliance server from which you downloaded the installer.

2 Click Load to populate the value of SSO Default Tenant (vsphere.local).

3 Click Download to retrieve the certificate from the vCloud Automation Center Appliance.

You can click View Certificate to view the certificate details.

4 Select Accept Certificate to install the SSO certificate.

5 In the SSO Administrator panel, type [email protected] in User name and the password you defined for this user when you configured SSO in Password and Confirm password.

6 Accept the default in IaaS Server, which contains the host name of the Windows machine where you are installing.

7 Click Next.

Complete the Installation

The system administrator completes the IaaS installation.

Prerequisites

“Register the IaaS Components,” on page 42.

Procedure

1 On the Ready to Install page, review the information and click Install.

The installation begins. Depending on your network configuration, installation can take between five minutes and one hour.

2 When the success message appears, leave the Guide me through initial configuration check box selected and click Next, and Finish.

3 Close the Configure the System message box.

The installation is now complete.

What to do next

“Verify IaaS Services,” on page 77.


4 Distributed Installation

In a distributed installation, the system administrator installs components on multiple machines in the deployment environment.

This chapter includes the following topics:

- “Distributed Installation Components,” on page 43

- “Distributed Installation Architecture,” on page 44

- “Distributed Installation Scenario,” on page 46

- “Create an External PostgreSQL Database,” on page 47

- “Deploy and Configure the Identity Appliance,” on page 48

- “Deploy and Configure the Primary vCloud Automation Center Appliance,” on page 52

- “Configure the vCloud Automation Center Appliance Load Balancer Certificate,” on page 58

- “Deploy and Configure Additional vCloud Automation Center Appliances,” on page 58

- “Choosing an IaaS Database Scenario,” on page 63

- “IaaS Certificates,” on page 65

- “Install the IaaS Components in a Distributed Configuration,” on page 65

- “Installing Distributed Execution Managers,” on page 72

Distributed Installation Components

In a distributed installation, the system administrator can deploy multiple instances of the appliances and install IaaS components over multiple machines in the deployment environment.


Table 4‑1. Virtual Appliances and PostgreSQL Database

Component | Description

Identity Appliance | A pre-configured virtual appliance that provides Single Sign-On capabilities.

vCloud Automation Center Appliance | A pre-configured virtual appliance that deploys the vCloud Automation Center server. The server includes the vCloud Automation Center console, which provides a single portal for self-service provisioning and management of cloud services, as well as authoring and administration.

PostgreSQL Database | Stores information required by the virtual appliances. The database is embedded automatically on every vCloud Automation Center Appliance. This configuration is useful for small deployments. For high availability and failover recovery, prepare an external instance of the database and set up redundancy outside of the appliance.

You can select the individual IaaS components you want to install and specify the installation location.

Table 4‑2. IaaS Components

Component | Description

Website | Provides the infrastructure administration and service authoring capabilities to the vCloud Automation Center console. The Website component communicates with the Model Manager, which provides it with updates from the Distributed Execution Manager (DEM), proxy agents and database.

Manager Service | The Manager Service coordinates communication between agents, the database, Active Directory (or LDAP), and SMTP. The Manager Service communicates with the console web site through the Model Manager. This service requires administrative privileges to run.

Model Manager | The Model Manager communicates with the database, the DEMs, and the portal website. The Model Manager is divided into two separately installable components — the Model Manager web service and the Model Manager data component.

Distributed Execution Managers (Orchestrator and Worker) | A Distributed Execution Manager (DEM) executes the business logic of custom models, interacting with the IaaS database and external databases. DEMs also manage cloud and physical machines.

Agents | Virtualization, integration and WMI agents that communicate with infrastructure resources.

Distributed Installation Architecture

The system administrator chooses a distribution architecture that is compatible with the company environment and its goals for redundancy, high-availability, and disaster recovery.

In this sample architecture, the IaaS components are highly distributed over multiple machines. Load balancers distribute the workload across the computing environment. System administrators configure load balancers outside of the vCloud Automation Center framework.

See “Distributed Installation Scenario,” on page 46 for an explanation of each component.


Distributed Installation Scenario

A system administrator has flexibility in setting up and configuring the load balancers and the machines they manage.

Installation Components

This sample installation scenario describes one possible deployment. Load balancers distribute the workload across the servers. The components in this table describe the numbered items in “Distributed Installation Architecture,” on page 44.

NOTE Disable all nodes under the load balancer except for the node you are configuring. For example, if you have three nodes, disable nodes 1 and 2 when you configure node 3.

Table 4‑3. Distributed Installation Components

Component | Description | Requirements and Options

1 | vCloud Automation Center Appliance Load Balancer | Only necessary if you are deploying more than one vCloud Automation Center Appliance.

2 | PostgreSQL Database Cluster | External PostgreSQL database. Created on every vCloud Automation Center Appliance when the appliance is deployed. For high availability and failover, install the database on an external server and configure the database as a cluster.

3 | Identity Appliance | One instance required. Multiple instances possible for high availability and failover recovery.

4 | vCloud Automation Center Appliance 1 | One instance required. Multiple instances possible for high availability and failover recovery must be deployed with vSphere High Availability.

5 | vCloud Automation Center Appliance 2, 3, ... | Deploy multiple instances under the vCloud Automation Center Appliance Load Balancer.

6 | IaaS Web Load Balancer | Only necessary if you are installing more than one Website Component. Install Website Component 1 and Model Manager Data on one machine under this load balancer.

7 | SQL Database Cluster | Install one instance during IaaS installation. Database administrator handles redundancy outside of IaaS context. See “Choosing an IaaS Database Scenario,” on page 63.

8 | Website Component 1 and Model Manager Data | Required. Install together on one machine under the IaaS Web Load Balancer. Only one instance of Model Manager Data is allowed. See “Install the IaaS Website Component and Model Manager Data,” on page 68.

9 | Website Component 2, 3, ... | Optional. Install multiple instances under the IaaS Web Load Balancer for high availability and failover recovery.

10 | IaaS Manager Service Load Balancer | Install the first instance of the Manager Service and the first instance of the DEM Orchestrator together on one machine under this load balancer. See “Install the Manager Service,” on page 71 and “Install the Distributed Execution Managers,” on page 73.

11 | Manager Service 1 and DEM Orchestrator 1 | Install the first instance of the Manager Service and the first instance of the DEM Orchestrator together on one machine under the IaaS Manager Service Load Balancer. The first Manager Service instance is active. Only one can be active at any given time. See “Install the Manager Service,” on page 71 and “Install the Distributed Execution Managers,” on page 73.

12 | Manager Service 2, 3, ... | Passive instances for backup only. If the Active Manager Service fails, start the service on the passive node.

13 | Agents and DEMs | Install the first DEM Orchestrator on the active Manager Service machine. Install Agents, DEM Orchestrators, and DEM Workers together or on separate machines. See Chapter 6, “Installing Agents,” on page 89 and “Install the Distributed Execution Managers,” on page 73.

Create an External PostgreSQL Database

A system administrator installs the database on a separate server or on multiple servers to create a high-availability environment.

NOTE Using the embedded vCenter Orchestrator instance is not supported with an external PostgreSQL database. If you configure an external database, you must also configure vCloud Automation Center to use an external vCenter Orchestrator server. For information about configuring an external vCenter Orchestrator server, see Advanced Service Designer Configuration.

Prerequisites

Verify that PostgreSQL is installed. See “PostgreSQL Database Requirements,” on page 20.

Procedure

1 Log in to the PostgreSQL server with administrator-level privileges.

2 Open an SQL shell (psql) session.

3 Run the following commands to create an empty database and a user with the rights to create andmodify tables.

\c template1

CREATE USER vcac WITH NOCREATEDB NOCREATEROLE NOCREATEUSER INHERIT LOGIN ENCRYPTED PASSWORD 'mypassword';

CREATE DATABASE vcacdb WITH OWNER vcac;

In this example, the database name is vcacdb and the database owner is a user named vcac with the password mypassword. Replace these values with the values that are appropriate to your environment.

4 Run the following commands to configure the database. Replace vcacdb with the name of your database if you used a different name.

\c vcacdb

CREATE EXTENSION "hstore";

CREATE EXTENSION "uuid-ossp";

5 Log out of the PostgreSQL server.

\q


Deploy and Configure the Identity Appliance

Download and configure the Identity Appliance to provide Single Sign-On (SSO) capability for the vCloud Automation Center environment.

You can deploy and configure multiple Identity Appliance instances.

NOTE You can use the SSO provided with vCloud Automation Center or some versions of the SSO provided with vSphere. For information on supported versions, see vCloud Automation Center Support Matrix.

1 Deploy the Identity Appliance on page 48
The Identity Appliance is a pre-configured virtual appliance that provides single sign-on capabilities. It is delivered as an open virtualization format (OVF) template. The system administrator downloads the Identity Appliance and deploys it into vCenter Server or ESX/ESXi inventory.

2 Enable Time Synchronization on the Identity Appliance on page 49
Clocks on the Identity Appliance server, the vCloud Automation Center server, and Windows servers must be synchronized to ensure a successful installation.

3 Configure the Identity Appliance on page 50
The Identity Appliance provides Single Sign-On (SSO) capability for vCloud Automation Center users. SSO is an authentication broker and security token exchange that interacts with the enterprise identity store (Active Directory or LDAP) to authenticate users. A system administrator configures SSO settings to provide access to the vCloud Automation Center Appliance.

Deploy the Identity Appliance

The Identity Appliance is a pre-configured virtual appliance that provides single sign-on capabilities. It is delivered as an open virtualization format (OVF) template. The system administrator downloads the Identity Appliance and deploys it into vCenter Server or ESX/ESXi inventory.

Prerequisites

- Verify that the Identity Appliance was downloaded from the VMware website.

- Log in to the vSphere client as a user with system administrator privileges.

Procedure

1 In the vSphere client, select File > Deploy OVF Template.

2 Browse to the Identity Appliance file with the .ova or .ovf extension and click Open.

3 Click Next.

4 Click Next on the OVF Template Details page.

5 Accept the license agreement and click Next.

6 Type a unique virtual appliance name according to the IT naming convention of your organization in the Name text box, select the datacenter and location to which you want to deploy the virtual appliance, and click Next.

7 Follow the prompts until the Disk Format page appears.

8 Verify on the Disk Format page that enough space exists to deploy the virtual appliance and click Next.

9 Follow the prompts to the Properties page.

The options that appear depend on your vSphere configuration.


10 Configure the values on the Properties page.

a Type the root password to use when you log in to the virtual appliance console in the Enter password and Confirm password text boxes.

b Type the fully qualified domain name of the virtual machine in the Hostname text box, even if you are using DHCP.

c Configure the networking properties.

11 Click Next.

12 If the Power on after deployment option is available on the Ready to Complete page, select it and click Finish.

13 Restart the machine.

14 Verify that the fully qualified domain name can be resolved against the IP address of the Identity Appliance by opening a command prompt and pinging the FQDN.

Enable Time Synchronization on the Identity Appliance

Clocks on the Identity Appliance server, the vCloud Automation Center server, and Windows servers must be synchronized to ensure a successful installation.

If you see certificate warnings during this procedure, continue past them.

Prerequisites

“Deploy the Identity Appliance,” on page 48.

Procedure

1 Navigate to the Identity Appliance management console by using its fully qualified domain name, https://identity-hostname.domain.name:5480/.

2 Log in by using the user name root and the password you specified when you deployed the Identity Appliance.

3 Select Admin > Time Settings.

4 Select an option from the Time Sync Mode menu.

Option: Network Time Protocol
Action: Select Use Time Server from the Time Sync Mode menu. For each time server that you are using, type the IP address or the host name in the Time Server text box.

Option: VMware Tools
Action: Select Use Host Time from the Time Sync Mode menu. You must configure the connections to Network Time Protocol servers before you can use VMware Tools.

5 Click Save Settings.

6 Verify that the value in Current Time is correct.


Configure the Identity Appliance

The Identity Appliance provides Single Sign-On (SSO) capability for vCloud Automation Center users. SSO is an authentication broker and security token exchange that interacts with the enterprise identity store (Active Directory or LDAP) to authenticate users. A system administrator configures SSO settings to provide access to the vCloud Automation Center Appliance.

Optionally, when you configure the appliance, you can specify a Native Active Directory, for large deployments with multiple forests, for example. Native Active Directories have the following characteristics:

- Use Kerberos to authenticate

- Do not require a search base, making it easier to find the correct Active Directory store

- Can be used only with the default tenant

You must also specify an Active Directory identity store when you configure tenants. See Chapter 8, “Configuring Tenants,” on page 117.

Prerequisites

“Enable Time Synchronization on the Identity Appliance,” on page 49.

Procedure

1 Navigate to the Identity Appliance management console by using its fully qualified domain name, https://identity-hostname.domain.name:5480/.

2 Continue past the certificate warning.

3 Log in with user name root and the password you specified when the appliance was deployed.

4 Click the SSO tab.

The red text is a prompt, not an error message.

5 The default domain name in System Domain is vsphere.local.

This name is the local default domain for the Identity Appliance. The default tenant is created with this name.

6 Type the password to assign to the system administrator (administrator@vsphere.local) in the Admin Password and Repeat password text boxes.

Record the password in a secure place. The password is required when you configure vCloud Automation Center Appliance later in the installation process. It is also used with the system administrator log in for the vCloud Automation Center console.

7 Click Apply.

It can take several minutes for the success message to appear. Do not interrupt the process.

8 Append the SSO port :7444 to the host name in the SSO Host Name text box.

For example: vcac-sso.mycompany.com:7444. SSO cannot function correctly without the 7444 port.

9 Click Apply.

It can take several minutes for the success message to appear. Do not interrupt the process.

10 Click SSL.


11 Select the certificate type from the Choose Action menu. If you are using a PEM encoded certificate, for example for a distributed environment, select Import PEM encoded certificate.

Certificates that you import must be trusted and must also be applicable to all instances of vCloud Automation Center Appliance and any load balancer, either by using wildcards or by using Subject Alternative Name (SAN) certificates.

IMPORTANT Using self-signed certificates is not recommended for production environments.

Option: Import a certificate
Action:
a Copy the certificate values from BEGIN PRIVATE KEY to END PRIVATE KEY, including the header and footer, and paste them in the RSA Private Key text box.
b Copy the certificate values from BEGIN CERTIFICATE to END CERTIFICATE, including the header and footer, and paste them in the Certificate Chain text box.
c (Optional) If your certificate has one, copy the pass phrase that encrypts the private key of the certificate that you are importing, and paste it in the Pass Phrase text box.

Option: Generate a self-signed certificate
Action:
a Type a common name for the certificate in the Common Name text box. You can use the fully qualified domain name of the virtual appliance (hostname.domain.name) or a wild card, such as *.mycompany.com. If you use a load balancer, you need to specify the FQDN of the load balancer or a wildcard that matches the name of the load balancer. Do not accept a default value if one is shown, unless it matches the host name of the virtual appliance.
b Type your organization name, such as your company name, in the Organization text box.
c Type your organizational unit, such as your department name or location, in the Organizational Unit text box.
d Type a two-letter ISO 3166 country code, such as US, in the Country text box.

12 Click Replace Certificate, even if you are generating a new certificate.

After a few minutes the certificate details appear on the page. If you are using a load balancer, the certificate is for the load balancer.

13 (Optional) To use Native Active Directory, click the Active Directory tab.

You must also specify an Active Directory identity store when you configure tenants, even if you specify Native Active Directory settings here.

a Type the Active Directory domain name that contains the pool of users to create as vCloud Automation Center administrators in Domain Name.

b Type the name of the Active Directory domain name user for the identity store in Domain User.

c Click Join AD Domain.

The SSO host is initialized. If Identity Appliance does not function correctly after configuration, redeploy and reconfigure the appliance. Do not make changes to the existing appliance.


Deploy and Configure the Primary vCloud Automation Center Appliance

The vCloud Automation Center Appliance is a pre-configured virtual appliance that deploys the vCloud Automation Center server and web console (the user portal). It is delivered as an open virtualization format (OVF) template. The system administrator downloads the appliance and deploys it into the vCenter Server or ESX/ESXi inventory.

The certificate you configure for the primary instance of the appliance is copied to the load balancer and additional appliance instances in subsequent procedures.

Prerequisites

- Deploy a load balancer in your environment and enable session affinity (sticky sessions).

- Get a domain certificate for the vCloud Automation Center Appliance. See “Certificates,” on page 27.

- “Create an External PostgreSQL Database,” on page 47.

- “Deploy and Configure the Identity Appliance,” on page 48.

Procedure

1 Deploy the vCloud Automation Center Appliance on page 52
To deploy the vCloud Automation Center Appliance, a system administrator must log in to the vSphere client and select deployment settings.

2 Configure the vCloud Automation Center Appliance for Clustering on page 53
A system administrator must edit configuration files on the vCloud Automation Center Appliance to enable clustering.

3 Enable Time Synchronization on the vCloud Automation Center Appliance on page 54
Clocks on the Identity Appliance server, vCloud Automation Center server, and Windows servers must be synchronized to ensure a successful installation.

4 Configure an External PostgreSQL Database on the vCloud Automation Center Appliance on page 55
By default, the vCloud Automation Center Appliance is configured to use an embedded PostgreSQL database. For high availability and large-scale deployments, an external database is required.

5 Configure the vCloud Automation Center Appliance on page 55
To prepare the vCloud Automation Center Appliance for use, a system administrator configures the host settings, generates an SSL certificate, and provides SSO connection information.

What to do next

You can use this instance of the vCloud Automation Center Appliance as a template for configuring additional appliances. See “Deploy and Configure Additional vCloud Automation Center Appliances,” on page 58.

Deploy the vCloud Automation Center Appliance

To deploy the vCloud Automation Center Appliance, a system administrator must log in to the vSphere client and select deployment settings.

Prerequisites

- Verify that the vCloud Automation Center Appliance was downloaded from the VMware Web site.

- Log in to the vSphere client as a user with system administrator privileges.


Procedure

1 Select File > Deploy OVF Template from the vSphere client.

2 Browse to the vCloud Automation Center Appliance file you downloaded and click Open.

3 Click Next.

4 Click Next on the OVF Template Details page.

5 Accept the license agreement and click Next.

6 Type a unique virtual appliance name according to the IT naming convention of your organization in the Name text box, select the datacenter and location to which you want to deploy the virtual appliance, and click Next.

7 Follow the prompts until the Disk Format page appears.

8 Verify on the Disk Format page that enough space exists to deploy the virtual appliance and click Next.

9 Follow the prompts to the Properties page.

The options that appear depend on your vSphere configuration.

10 Configure the values on the Properties page.

a Type the root password to use when you log in to the virtual appliance console in the Enter password and Confirm password text boxes.

b Type the fully qualified domain name of the virtual machine in the Hostname text box, even if you are using DHCP.

c Configure the networking properties.

11 Click Next.

12 If the Power on after deployment option is available on the Ready to Complete page, select it and click Finish.

13 Restart the machine.

14 Open a command prompt and ping the FQDN to verify that the fully qualified domain name can be resolved against the IP address of vCloud Automation Center Appliance.

Configure the vCloud Automation Center Appliance for Clustering

A system administrator must edit configuration files on the vCloud Automation Center Appliance to enable clustering.

Prerequisites

“Deploy the vCloud Automation Center Appliance,” on page 52.

Procedure

1 Log in to the vCloud Automation Center Appliance by using SSH.

The user is root and the password is the password you specified when you deployed the vCloud Automation Center Appliance.

2 Change the properties of /etc/vcac/setenv-core to read/write and edit the file.

3 Add the following line:

VCAC_OPTS="$VCAC_OPTS -Dspring.profiles.active=default,cluster"

4 (Optional) To invalidate caches between nodes for up to 5-6 seconds add the following line:

VCAC_OPTS="$VCAC_OPTS -Dcluster.cache.invalidation.poll.enabled=true"


5 Save and close the file.

6 Edit the file /etc/vcac/server.xml.

7 Locate the following line:

<Connector address="localhost" acceptCount="100"

8 Edit the value of the address attribute as in the following example:

<Connector address="*" acceptCount="100"

9 Save and close the file.

10 To make sure that the encryption key value is correct, type the following command.

test -s /etc/vcac/encryption.key || dd if=/dev/random of=/etc/vcac/encryption.key bs=48 count=1

The encryption.key value is used to share the certificate information with the load balancer and additional vCloud Automation Center Appliance instances.

11 Log out of the vCloud Automation Center Appliance.
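The settings from steps 2 through 10 can be audited with a short script before the appliance is placed behind the load balancer. This is an added example, not VMware code: the function name check_cluster_config, the constructed sample files, and the expectation that encryption.key is accessible to its owner only are assumptions. It also checks that the key holds a full 48 bytes, because test -s only confirms that the file is non-empty and a single dd read from /dev/random can return fewer bytes than requested.

```shell
#!/bin/sh
# Added example, not VMware code. Audits the clustering settings from the
# procedure above. Pass a directory to check copies; the default is /etc/vcac.

check_cluster_config() {
    cc_dir=${1:-/etc/vcac}
    cc_problems=0

    # Step 3: the cluster profile must be set on an uncommented VCAC_OPTS line.
    if ! grep -Eq '^[[:space:]]*VCAC_OPTS=.*-Dspring\.profiles\.active=default,cluster' \
            "$cc_dir/setenv-core" 2>/dev/null; then
        echo "setenv-core: cluster profile is not enabled"
        cc_problems=$((cc_problems + 1))
    fi

    # Steps 7-8: the Connector must listen on "*" instead of localhost.
    if grep -q '<Connector address="localhost"' "$cc_dir/server.xml" 2>/dev/null; then
        echo "server.xml: Connector is still bound to localhost"
        cc_problems=$((cc_problems + 1))
    elif ! grep -q '<Connector address="\*"' "$cc_dir/server.xml" 2>/dev/null; then
        echo "server.xml: no Connector with address=\"*\" found"
        cc_problems=$((cc_problems + 1))
    fi

    # Step 10: the key must exist and be exactly the 48 bytes that dd was
    # asked for (bs=48 count=1); a short read leaves a weaker, shorter key.
    cc_key="$cc_dir/encryption.key"
    if [ ! -s "$cc_key" ]; then
        echo "encryption.key: missing or empty"
        cc_problems=$((cc_problems + 1))
    else
        cc_size=$(wc -c < "$cc_key" | tr -d '[:space:]')
        if [ "$cc_size" -ne 48 ]; then
            echo "encryption.key: $cc_size bytes, expected 48"
            cc_problems=$((cc_problems + 1))
        fi
        # Assumption: owner-only access. Characters 5-10 of the ls -l mode
        # string are the group and other permission bits.
        cc_perms=$(ls -ld "$cc_key" | cut -c5-10)
        if [ "$cc_perms" != "------" ]; then
            echo "encryption.key: group/other permissions are '$cc_perms', expected none"
            cc_problems=$((cc_problems + 1))
        fi
    fi

    [ "$cc_problems" -eq 0 ]
}

# Constructed sample: cluster profile set, Connector still on localhost,
# and a truncated 16-byte key.
demo_dir=$(mktemp -d)
printf '%s\n' 'VCAC_OPTS="$VCAC_OPTS -Dspring.profiles.active=default,cluster"' > "$demo_dir/setenv-core"
printf '%s\n' '<Connector address="localhost" acceptCount="100"' > "$demo_dir/server.xml"
printf '%s' '0123456789abcdef' > "$demo_dir/encryption.key"
check_cluster_config "$demo_dir" || echo "cluster configuration needs attention"
rm -rf "$demo_dir"
```

Run the function without an argument on the appliance to check /etc/vcac itself; it returns non-zero and prints one line per finding.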

Enable Time Synchronization on the vCloud Automation Center Appliance

Clocks on the Identity Appliance server, vCloud Automation Center server, and Windows servers must be synchronized to ensure a successful installation.

If you see certificate warnings during this process, continue past them to finish the installation.

Prerequisites

“Configure the vCloud Automation Center Appliance for Clustering,” on page 53.

Procedure

1 Navigate to the vCloud Automation Center Appliance management console by using its fully qualified domain name, https://vcac-va-hostname.domain.name:5480/.

2 Log in with user name root and the password you specified when the appliance was deployed.

3 Select Admin > Time Settings.

4 Select an option from the Time Sync Mode menu.

Option: Network Time Protocol
Action: Select Use Time Server from the Time Sync Mode menu. For each time server that you are using, type the IP address or the host name in the Time Server text box.

Option: VMware Tools
Action: Select Use Host Time from the Time Sync Mode menu. You must configure the connections to Network Time Protocol servers before you can use VMware Tools.

5 Click Save Settings.

6 Verify that the value in Current Time is correct.


Configure an External PostgreSQL Database on the vCloud Automation Center Appliance

By default, the vCloud Automation Center Appliance is configured to use an embedded PostgreSQL database. For high availability and large-scale deployments, an external database is required.

Prerequisites

- “Create an External PostgreSQL Database,” on page 47.

- “Enable Time Synchronization on the vCloud Automation Center Appliance,” on page 54.

Procedure

1 Navigate to the vCloud Automation Center Appliance management console by using its fully qualified domain name, https://vcac-va-hostname.domain.name:5480/.

2 Navigate to vCAC Settings > Database.

3 Specify the database information.

a Type the fully qualified domain name of the external database host in the Host text box.

b Type the port name of the external database host in the Port text box.

c Type the external database name in the Database text box.

d Type the user name of the external database owner in the User text box.

e Type the password for the database owner in the Password text box.

4 Click Save Settings.

NOTE The message Error restarting VCAC server appears. This warning is safe to ignore, as the vCloud Automation Center server has not been started yet.

The virtual appliance creates the necessary tables in the database if they do not already exist. If another database had previously been used, the new database is used after the vCloud Automation Center server restarts. No data is migrated from the previous database to the new database.

5 Disable the unused services on the vCloud Automation Center Appliance.

a Log in to the vCloud Automation Center Appliance by using SSH.

b Stop the database service.

service vpostgres stop

chkconfig vpostgres off

c Stop the embedded vCenter Orchestrator service.

service vco-server stop

chkconfig vco-server off

d Log out of the vCloud Automation Center Appliance.

Configure the vCloud Automation Center Appliance

To prepare the vCloud Automation Center Appliance for use, a system administrator configures the host settings, generates an SSL certificate, and provides SSO connection information.

Prerequisites

“Configure an External PostgreSQL Database on the vCloud Automation Center Appliance,” on page 55.


Procedure

1 Navigate to the vCloud Automation Center Appliance management console by using its fully qualified domain name, https://vcac-va-hostname.domain.name:5480/.

2 Continue past the certificate warning.

3 Log in with user name root and the password you specified when deploying the vCloud Automation Center Appliance.

4 Select vCAC Settings > Host Settings and click Resolve Host Name.

To change the name manually, type the fully qualified host name (vcac-hostname.domain.name) of the vCloud Automation Center Appliance.

5 (Optional) If you are using a load balancer as part of a distributed installation, enter the fully qualified name for the load balancer server in the CAFE Host Name text box.

6 Click Save Settings.

7 Click SSL.

8 Select the certificate type from the Choose Action menu. If you are using a PEM encoded certificate, for example for a distributed environment, select Import PEM encoded certificate.

Certificates that you import must be trusted and must also be applicable to all instances of vCloud Automation Center Appliance and any load balancer, either by using wildcards or by using Subject Alternative Name (SAN) certificates.

IMPORTANT Using self-signed certificates is not recommended for production environments.

Option: Import a certificate
Action:
a Copy the certificate values from BEGIN PRIVATE KEY to END PRIVATE KEY, including the header and footer, and paste them in the RSA Private Key text box.
b Copy the certificate values from BEGIN CERTIFICATE to END CERTIFICATE, including the header and footer, and paste them in the Certificate Chain text box.
c (Optional) If your certificate has one, copy the pass phrase that encrypts the private key of the certificate that you are importing, and paste it in the Pass Phrase text box.

Option: Generate a self-signed certificate
Action:
a Type a common name for the certificate in the Common Name text box. You can use the fully qualified domain name of the virtual appliance (hostname.domain.name) or a wild card, such as *.mycompany.com. If you use a load balancer, you need to specify the FQDN of the load balancer or a wildcard that matches the name of the load balancer. Do not accept a default value if one is shown, unless it matches the host name of the virtual appliance.
b Type your organization name, such as your company name, in the Organization text box.
c Type your organizational unit, such as your department name or location, in the Organizational Unit text box.
d Type a two-letter ISO 3166 country code, such as US, in the Country text box.

9 Configure the SSO settings that the vCloud Automation Center Appliance uses to interact with the Identity Appliance. These settings must match the settings you entered when configuring the Identity Appliance.

a Click SSO.

b Type the fully qualified domain name of the Identity Appliance (identity-va-hostname.domain.name:7444) in the SSO Host and Port text box without an http:// prefix.


c Note the default tenant vsphere.local in SSO Default Tenant.

d Type the default administrator name administrator@vsphere.local in SSO Admin User.

e Type the SSO administrator password in the SSO Admin Password text box. The password must match the password you specified in the SSO settings for the Identity Appliance.

f Click Save Settings.

After a few minutes, a success message appears and SSO Status is updated to Connected.

NOTE If the spinner does not stop within a few minutes, exit the appliance, close the browser, and log in again.

10 Click Services.

The following services must be running to log into the console. They usually start in about 10 minutes.

- authorization

- authentication

- eventlog-service

- shell-ui-app

- branding-service

- plugin-service

NOTE You can also log in to the appliance and run tail -f /var/log/vcac/catalina.out to monitor the startup of the services.

11 Configure the License to enable the Infrastructure tab on the vCloud Automation Center console.

a Click Licensing.

b Enter a valid vCloud Automation Center license key (one that you downloaded when you downloaded the installation files) and click Submit Key.

NOTE If you experience a connection error, you might have a problem with the load balancer. Check network connectivity to the load balancer.

12 Confirm that you can log into vCloud Automation Center console.

a Open a browser and navigate to http://vcac-hostname.domain.name/shell-ui-app.

b Accept the vCloud Automation Center certificate.

c Accept the SSO certificate.

d Log in with administrator@vsphere.local and the password you specified when configuring SSO.

The console opens to the Tenants page on the Administration tab. A single tenant named vsphere.local appears in the list.
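The certificate steps for the Identity Appliance and for the vCloud Automation Center Appliance both require one certificate that applies to every appliance instance and any load balancer, by wildcard or by SAN entries. The following added example (not VMware code) checks that coverage before import; the function names and the mycompany.com host names are constructed, and the matching assumes the common rule that a wildcard covers exactly one left-most label.

```shell
#!/bin/sh
# Added example, not VMware code. Checks that the DNS names in a certificate
# cover every appliance and load balancer FQDN. Host names are constructed.

# name_matches HOST PATTERN: succeed if PATTERN covers HOST. PATTERN is an
# exact DNS name or a left-most-label wildcard such as *.mycompany.com.
# Partial-label wildcards (for example vcac-*.mycompany.com) are not handled.
name_matches() {
    nm_host=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    nm_pat=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
    case "$nm_pat" in
        '*.'*)
            nm_suffix=${nm_pat#?}        # "*.mycompany.com" -> ".mycompany.com"
            case "$nm_host" in
                *"$nm_suffix") nm_label=${nm_host%"$nm_suffix"} ;;
                *) return 1 ;;
            esac
            # The wildcard stands for exactly one non-empty label, so it does
            # not cover the bare domain or names two levels down.
            case "$nm_label" in
                ''|*.*) return 1 ;;
            esac
            return 0 ;;
        *) [ "$nm_host" = "$nm_pat" ] ;;
    esac
}

# uncovered_hosts "NAME NAME ..." HOST...: print each HOST that none of the
# certificate names covers. Empty output means the certificate fits them all.
uncovered_hosts() {
    uh_names=$1
    shift
    set -f                               # keep "*" in names from globbing
    for uh_host in "$@"; do
        uh_ok=no
        for uh_name in $uh_names; do
            if name_matches "$uh_host" "$uh_name"; then
                uh_ok=yes
                break
            fi
        done
        [ "$uh_ok" = yes ] || printf '%s\n' "$uh_host"
    done
    set +f
    return 0
}

# cert_dns_names FILE: list the DNS subjectAltName entries of a PEM
# certificate on one line (requires the openssl command-line tool).
cert_dns_names() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' |
        tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p' | tr '\n' ' '
}

# Constructed layout: a wildcard plus one SAN entry, checked against a load
# balancer and two appliances, one of which sits in a subdomain.
names='*.mycompany.com vcac-sso.mycompany.com'
missing=$(uncovered_hosts "$names" \
    vcac-lb.mycompany.com vcac-va1.mycompany.com vcac-va2.prod.mycompany.com)
printf 'Not covered by the certificate: %s\n' "${missing:-none}"
```

For a real certificate, pass "$(cert_dns_names server.pem)" as the first argument to uncovered_hosts, followed by the FQDNs of the load balancer and each appliance.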


Configure the vCloud Automation Center Appliance Load Balancer Certificate

The system administrator can set up any kind of load balancer to distribute traffic among multiple instances of the vCloud Automation Center Appliance. All machines under the load balancer must have the same certificate. The system administrator copies the server.pem file to the load balancer from the primary vCloud Automation Center Appliance after configuration of the appliance.

Prerequisites

- Deploy and configure a load balancer in your environment and enable session affinity (sticky sessions).

- Obtain a wild card certificate for the primary vCloud Automation Center Appliance. See “Certificates,” on page 27.

- “Deploy and Configure the Primary vCloud Automation Center Appliance,” on page 52 (including certificate configuration).

Procedure

1 Locate the certificate directory on the load balancer.

The required location varies by load balancer. For example, some load balancers store certificate path information in a conf.ssl file.

2 Copy the server.pem file from the vCloud Automation Center Appliance to the appropriate directory on the load balancer.

NOTE The server.pem file is copied along with the other configuration files when you configure additional appliances. See “Deploy and Configure Additional vCloud Automation Center Appliances,” on page 58.

Deploy and Configure Additional vCloud Automation Center Appliances

The system administrator can deploy multiple instances of the vCloud Automation Center Appliance to ensure redundancy in a high-availability environment.

Prerequisites

- “Deploy and Configure the Identity Appliance,” on page 48.

- Deploy one instance of the vCloud Automation Center Appliance to serve as a template for additional appliances. See “Deploy and Configure the Primary vCloud Automation Center Appliance,” on page 52.

Procedure

1 Deploy the vCloud Automation Center Appliance on page 59
To deploy the vCloud Automation Center Appliance, a system administrator must log in to the vSphere client and select deployment settings.

2 Enable Time Synchronization on the vCloud Automation Center Appliance on page 60
Clocks on the Identity Appliance server, vCloud Automation Center server, and Windows servers must be synchronized to ensure a successful installation.


3 Configure Additional vCloud Automation Center Appliances on page 60
The system administrator can copy the configuration from the primary instance of the vCloud Automation Center Appliance to additional instances to ensure that all appliances in the deployment are configured identically.

4 Disable Unused Services on page 62
If you are using an external PostgreSQL database, a system administrator can disable the database (which is deployed with every appliance) and embedded vCenter Orchestrator services. These services are not used in a distributed deployment so they should be disabled so as not to consume unnecessary resources.

5 Validate the Distributed Installation on page 62
After deploying additional instances of the vCloud Automation Center Appliance, you should validate that you can access the clustered appliances.

What to do next

You can repeat these steps as many times as needed to deploy additional instances of the vCloud Automation Center Appliance.

Deploy the vCloud Automation Center Appliance

To deploy the vCloud Automation Center Appliance, a system administrator must log in to the vSphere client and select deployment settings.

Prerequisites

- Verify that the vCloud Automation Center Appliance was downloaded from the VMware Web site.

- Log in to the vSphere client as a user with system administrator privileges.

Procedure

1 Select File > Deploy OVF Template from the vSphere client.

2 Browse to the vCloud Automation Center Appliance file you downloaded and click Open.

3 Click Next.

4 Click Next on the OVF Template Details page.

5 Accept the license agreement and click Next.

6 Type a unique virtual appliance name according to the IT naming convention of your organization in the Name text box, select the datacenter and location to which you want to deploy the virtual appliance, and click Next.

7 Follow the prompts until the Disk Format page appears.

8 Verify on the Disk Format page that enough space exists to deploy the virtual appliance and click Next.

9 Follow the prompts to the Properties page.

The options that appear depend on your vSphere configuration.

10 Configure the values on the Properties page.

a Type the root password to use when you log in to the virtual appliance console in the Enter password and Confirm password text boxes.

b Type the fully qualified domain name of the virtual machine in the Hostname text box, even if you are using DHCP.

c Configure the networking properties.


11 Click Next.

12 If the Power on after deployment option is available on the Ready to Complete page, select it and click Finish.

13 Restart the machine.

14 Open a command prompt and ping the FQDN to verify that the fully qualified domain name can be resolved against the IP address of vCloud Automation Center Appliance.

Enable Time Synchronization on the vCloud Automation Center Appliance

Clocks on the Identity Appliance server, vCloud Automation Center server, and Windows servers must be synchronized to ensure a successful installation.

If you see certificate warnings during this process, continue past them to finish the installation.

Prerequisites

“Deploy the vCloud Automation Center Appliance,” on page 59.

Procedure

1 Navigate to the vCloud Automation Center Appliance management console by using its fully qualified domain name, https://vcac-va-hostname.domain.name:5480/.

2 Log in with user name root and the password you specified when the appliance was deployed.

3 Select Admin > Time Settings.

4 Select an option from the Time Sync Mode menu.

Option | Action
Network Time Protocol | Select Use Time Server from the Time Sync Mode menu. For each time server that you are using, type the IP address or the host name in the Time Server text box.
VMware Tools | Select Use Host Time from the Time Sync Mode menu. You must configure the connections to Network Time Protocol servers before you can use VMware Tools.

5 Click Save Settings.

6 Verify that the value in Current Time is correct.

Configure Additional vCloud Automation Center Appliances

The system administrator can copy the configuration from the primary instance of the vCloud Automation Center Appliance to additional instances to ensure that all appliances in the deployment are configured identically.

Prerequisites

“Enable Time Synchronization on the vCloud Automation Center Appliance,” on page 60.

Procedure

1 Log in to the secondary vCloud Automation Center Appliance that you just deployed by using SSH.

2 Copy the following files from the primary instance of the vCloud Automation Center Appliance to the secondary instance.

/etc/vcac/encryption.key

/etc/vcac/security.properties

/etc/vcac/server.xml

/etc/vcac/setenv-core

/etc/vcac/solution-users.properties

/etc/vcac/vcac.keystore

/etc/vcac/vcac.properties

/etc/apache2/server.pem

3 Change the permissions on the files in the /etc/vcac directory so that they are owned by the vcac user and grant read and write permissions to the owner only.

cd /etc/vcac

chown vcac:vcac encryption.key security.properties \
    server.xml setenv-core solution-users.properties \
    vcac.keystore vcac.properties

chmod 600 encryption.key security.properties \
    server.xml setenv-core solution-users.properties \
    vcac.keystore vcac.properties

4 Change the permissions on the file that you copied to /etc/apache2 so that it is owned by the root user and grant read permissions to the owner only.

cd /etc/apache2

chown root server.pem

chgrp root server.pem

chmod 400 server.pem

5 Update the cluster configuration for the vCloud Automation Center Appliance.

a Edit the file /etc/vcac/setenv-core.

b Locate the following line:

VCAC_OPTS="$VCAC_OPTS -Dcluster.node.instance=cafe.node.1"

c Edit the value so that the node instance identifier is unique, for example, by incrementing the number.

VCAC_OPTS="$VCAC_OPTS -Dcluster.node.instance=cafe.node.2"

d Save and close the file.

e Restart the vCloud Automation Center server.

service vcac-server restart

Wait approximately 15 minutes for the services to restart.

f Log out of the vCloud Automation Center Appliance.

6 Add the new vCloud Automation Center Appliance to the load balancer pool by editing the load balancer management interface or configuration file.
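A post-copy audit for steps 2 through 5 above, as an added example that is not part of the VMware guide: it checks that every copied file has the owner and mode the procedure sets, and that the node instance identifier in setenv-core differs from the primary's. The function names, the --run switch, and the reliance on GNU stat are assumptions of this example.

```shell
#!/bin/sh
# Added example (not VMware code): audit a secondary appliance after the
# key material and configuration were copied from the primary.
# Assumption: GNU stat (stat -c) is available, as on Linux appliances.

# Files the procedure copies into /etc/vcac (owner vcac:vcac, mode 600).
VCAC_FILES="encryption.key security.properties server.xml setenv-core
solution-users.properties vcac.keystore vcac.properties"

# check_file PATH OWNER:GROUP MODE
# Prints a finding and returns 1 if the file is missing or if its
# ownership or octal mode differs from the expected values.
check_file() {
    path=$1
    want_owner=$2
    want_mode=$3
    if [ ! -f "$path" ]; then
        echo "MISSING  $path"
        return 1
    fi
    got_owner=$(stat -c '%U:%G' "$path")
    got_mode=$(stat -c '%a' "$path")
    if [ "$got_owner" != "$want_owner" ] || [ "$got_mode" != "$want_mode" ]; then
        echo "MISMATCH $path is $got_owner $got_mode, expected $want_owner $want_mode"
        return 1
    fi
    return 0
}

# node_instance FILE
# Prints the value of -Dcluster.node.instance from a setenv-core file.
# If the option appears more than once, the last occurrence is reported.
node_instance() {
    sed -n 's/.*-Dcluster\.node\.instance=\([^" ]*\).*/\1/p' "$1" | tail -n 1
}

# audit_appliance VCAC_DIR APACHE_DIR PRIMARY_NODE_ID [VCAC_OWNER] [PEM_OWNER]
# Returns 0 only if every file passes and the node identifier is set and
# is not the identifier used by the primary appliance.
audit_appliance() {
    vcac_dir=$1
    apache_dir=$2
    primary_id=$3
    vcac_owner=${4:-vcac:vcac}
    pem_owner=${5:-root:root}
    failures=0
    for f in $VCAC_FILES; do
        check_file "$vcac_dir/$f" "$vcac_owner" 600 || failures=$((failures + 1))
    done
    check_file "$apache_dir/server.pem" "$pem_owner" 400 || failures=$((failures + 1))
    node_id=$(node_instance "$vcac_dir/setenv-core" 2>/dev/null)
    if [ -z "$node_id" ] || [ "$node_id" = "$primary_id" ]; then
        echo "NODE-ID  '$node_id' is empty or equals the primary's ($primary_id)"
        failures=$((failures + 1))
    fi
    echo "$failures finding(s)"
    [ "$failures" -eq 0 ]
}

# Audit the real paths only when asked to: sh audit.sh --run
if [ "${1:-}" = "--run" ]; then
    audit_appliance /etc/vcac /etc/apache2 cafe.node.1
fi
```

Run it as root on the secondary appliance before adding the node to the load balancer pool; a nonzero exit status means at least one file or the node identifier needs attention.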

Disable Unused Services

If you are using an external PostgreSQL database, a system administrator can disable the database (which is deployed with every appliance) and embedded vCenter Orchestrator services. These services are not used in a distributed deployment, so disable them to avoid consuming unnecessary resources.

Prerequisites

“Configure Additional vCloud Automation Center Appliances,” on page 60.

Procedure

1 Log in to the vCloud Automation Center Appliance by using SSH.

2 Stop the database service.

service vpostgres stop

chkconfig vpostgres off

3 Stop the embedded vCenter Orchestrator service.

service vco-server stop

chkconfig vco-server off

4 Log out of the vCloud Automation Center Appliance.

Validate the Distributed Installation

After deploying additional instances of the vCloud Automation Center Appliance, you should validate that you can access the clustered appliances.

Procedure

1 In the load balancer management interface or configuration file, temporarily disable all nodes except the node that you are testing.

2 Confirm that you can log in to the vCloud Automation Center console by navigating to https://vcac-hostname.domain.name/shell-ui-app, where vcac-hostname.domain.name is the address of the load balancer.

3 After you have verified that the new vCloud Automation Center Appliance is accessible by using the load balancer, re-enable the other nodes.

Choosing an IaaS Database Scenario

IaaS uses a Microsoft SQL Server database to maintain information about the machines it manages and its own elements and policies. Depending on your preferences and privileges, there are several procedures to choose from to create the IaaS database.

Table 4‑4. Choosing an IaaS Database Scenario

Scenario | Procedure
Create the IaaS database manually using the provided database scripts. This option enables a database administrator to review the changes carefully before creating the database. | “Create the IaaS Database Manually,” on page 63.
Prepare an empty database and use the installer to populate the database schema. This option enables the installer to use a database user with dbo privileges to populate the database, instead of requiring sysadmin privileges. | “Prepare an Empty Database,” on page 64.
Use the installer to create the database. This is the simplest option but requires the use of sysadmin privileges in the installer. | “Create the IaaS Database Using the Installation Wizard,” on page 67.

Create the IaaS Database Manually

The system administrator can create the database manually using VMware-provided scripts.

Prerequisites

- .NET 4.5 must be installed on the SQL Server host.

- Use Windows Authentication (rather than SQL Authentication) to connect to the database.

- Verify the database installation prerequisites. See “IaaS Database Server Requirements,” on page 21.

- Download the IaaS database installer scripts from the vCloud Automation Center Appliance by navigating to https://vcac-va-hostname.domain.name:5480/i/.

Procedure

1 Navigate to the Database directory within the directory where you extracted the installation zip archive.

2 Extract the DBInstall.zip archive to a local directory.

3 Log in to the Windows database host with sufficient rights to create and drop databases (sysadmin privileges) within the SQL Server instance.

4 Review the database deployment scripts as needed. In particular, review the settings in the DBSettings section of CreateDatabase.sql and edit them if necessary.

The settings in the script are the recommended settings. Only ALLOW_SNAPSHOT_ISOLATION ON and READ_COMMITTED_SNAPSHOT ON are required.

5 Execute the following command with the arguments described in the table.

BuildDB.bat /p:DBServer=db_server;DBName=db_name;DBDir=db_dir;LogDir=[log_dir];ServiceUser=service_user;ReportLogin=web_user

Table 4‑5. Database Values

Variable | Value
DBServer | The SQL Server instance in the format hostname\instance (hostname if using the default instance). Default is localhost.
DBName | Name of the database. Default is vcac.
DBDir | Path to the data directory for the database, excluding the final slash.
LogDir | Path to the log directory for the database, excluding the final slash.
ServiceUser | User name under which the Manager Service runs.
ReportLogin | User name under which the Web services run.

The database is created.

What to do next

“Install the IaaS Components in a Distributed Configuration,” on page 65.

Prepare an Empty Database

A system administrator can install the IaaS schema on an empty database. This installation method provides maximum control over database security.

Prerequisites

- Verify the database installation prerequisites. See “IaaS Database Server Requirements,” on page 21.

- Download the IaaS database installer scripts from the vCloud Automation Center Appliance by navigating to https://vcac-va-hostname.domain.name:5480/i/.

Procedure

1 Navigate to the Database directory within the directory where you extracted the installation zip archive.

2 Extract the DBInstall.zip archive to a local directory.

3 Log in to the Windows database host with sysadmin privileges within the SQL Server instance.

4 Edit CreateDatabase.sql and replace all instances of the variables in the table with the correct values for your environment.

Table 4‑6. Database Values

Variable | Value
$(DBName) | Name of the database, such as vCAC.
$(DBDir) | Path to the data directory for the database, excluding the final slash.
$(LogDir) | Path to the log directory for the database, excluding the final slash.

5 Review the settings in the DB Settings section of CreateDatabase.sql and edit them if needed.

The settings in the script are the recommended settings for the IaaS database. Only ALLOW_SNAPSHOT_ISOLATION ON and READ_COMMITTED_SNAPSHOT ON are required.

6 Open SQL Server Management Studio.

7 Click New Query.

An SQL Query window opens.

8 On the Query menu, ensure that SQLCMD Mode is selected.

9 Paste the entire modified contents of CreateDatabase.sql into the query pane.

10 Click Execute.

The script runs and creates the database.

What to do next

“Install the IaaS Components in a Distributed Configuration,” on page 65.

IaaS Certificates

vCloud Automation Center IaaS components use certificates and SSL to secure communications between components.

In a minimal installation for proof-of-concept purposes, you can use self-signed certificates.

In a distributed environment, VMware recommends that you obtain a domain certificate from a trusted certificate authority.

If you are performing a distributed installation, follow these steps to prepare the IaaS certificate.

1 Get a certificate from a trusted certificate authority.

2 To ensure that the certificate authority and its root certificate are trusted, place the root certificate from the certificate authority into the Trusted Root using the Windows certificate plug-in.

3 Add the certificate to IIS.

4 Restart the IIS machine.

5 Start the IaaS installer.

Install the IaaS Components in a Distributed Configuration

The system administrator installs the IaaS components after the appliances are deployed and fully configured. The IaaS components provide access to vCloud Automation Center Infrastructure features.

Prerequisites

- “Deploy and Configure the Identity Appliance,” on page 48.

- “Deploy and Configure the Primary vCloud Automation Center Appliance,” on page 52.

- If your site includes multiple instances of vCloud Automation Center Appliance, “Deploy and Configure Additional vCloud Automation Center Appliances,” on page 58.

- Verify that your installation servers meet the requirements described in “IaaS (Windows Server) Requirements,” on page 21.

- Verify that you imported a certificate to IIS and that the certificate root or the certificate authority is in the trusted root on the installation machine.

- If you are using components in your environment, verify that you installed and configured a load balancer for them. All servers must share the same certificate under the load balancer.

Procedure

1 Download the IaaS Installer on page 66

A system administrator downloads the installer from the vCloud Automation Center Appliance and runs the installation wizard.

2 Create the IaaS Database Using the Installation Wizard on page 67

vCloud Automation Center uses a Microsoft SQL Server database to maintain information about the machines it manages and its own elements and policies.

3 Install the IaaS Website Component and Model Manager Data on page 68

The Website component provides access to infrastructure capabilities in the vCloud Automation Center web console. The system administrator can install one or many instances of the Website component. The machine that hosts the first Website component must also host the Model Manager Data component. Model Manager Data can be installed only once.

4 Install the Manager Service on page 71

The Manager Service component coordinates communication between agents (including proxy agents), the database, and SMTP. A minimum of one instance of the Manager Service component must be installed. The administrator can install one primary instance and one backup instance of the Manager Service component to provide redundancy in a high-availability deployment.

What to do next

Install a DEM Orchestrator and at least one DEM Worker instance. See “Installing Distributed Execution Managers,” on page 72.

Download the IaaS Installer

A system administrator downloads the installer from the vCloud Automation Center Appliance and runs the installation wizard.

If you see certificate warnings during this process, continue past them to finish the installation.

See “Certificates,” on page 27 to help you select a certificate.

Prerequisites

- “Deploy and Configure the Identity Appliance,” on page 48.

- “Deploy and Configure the Primary vCloud Automation Center Appliance,” on page 52 and optionally, “Deploy and Configure Additional vCloud Automation Center Appliances,” on page 58.

- Verify that your installation servers meet the requirements described in “IaaS (Windows Server) Requirements,” on page 21.

- Verify that you imported a certificate to IIS and that the certificate root or the certificate authority is in the trusted root on the installation machine.

- If you are using components in your environment, verify that you installed and configured a load balancer for them. All servers must share the same certificate under the load balancer.

Procedure

1 If you did not already do so, import the certificate to IIS and verify that the certificate root or the certificate authority is in the trusted root on the installation machine.

2 If you are installing on a Windows 2012 machine:

a From Server Manager, select Features > Add Features.

b Under .NET Framework 4.5 Features, expand WCF Services and select HTTP Activation.

3 Open a browser and navigate to the fully configured vCloud Automation Center Appliance (https://vcac-va-hostname.domain.name).

4 Click vCloud Automation Center Installer IaaS installation page.

5 Click setup.exe.

6 When prompted, save the installer file ([email protected]) to the desktop.

Do not change the file name. It is used to connect the installation to the vCloud Automation Center Appliance.

Create the IaaS Database Using the Installation Wizard

vCloud Automation Center uses a Microsoft SQL Server database to maintain information about the machines it manages and its own elements and policies.

The following steps describe how to create the IaaS database using the installer or populate an existing empty database. It is also possible to create the database manually. See “Create the IaaS Database Manually,” on page 63.

Prerequisites

- If you are creating the database with Windows authentication (instead of SQL authentication), make sure the user executing the installer has sysadmin rights on the SQL server.

- “Download the IaaS Installer,” on page 66.

Procedure

1 Right-click the [email protected] setup file that you downloaded and select Run as administrator.

If you see a Microsoft .NET 4.5 missing prompt, navigate to the fully configured vCloud Automation Center Appliance at https://vcac-va-hostname.domain.name, select the .NET installer link and restart the machine. Begin this procedure again.

2 Click Next.

3 Accept the license agreement and click Next.

4 Type the administrator credentials for the vCloud Automation Center Appliance on the Log In page and click Next.

The user name is root and the password is the password that you specified when you deployed the vCloud Automation Center Appliance.

5 Click Next.

6 Select Custom Install on the Installation Type page.

7 Select IaaS Server on the Installation Type page.

8 Accept the root install location or click Change and select an installation path.

9 Click Next.

10 On the IaaS Server Custom Install page, select Database.

11 In Database Instance, select the database instance or click Scan to show a list of instances.

12 Select the database instance from the list.

13 Choose your database installation type from the Database Name panel.

- Select Use existing empty database to create the schema in an existing database.

- Type a new database name or type the default name vcac to create a database.

14 Deselect Use default data and log directories to specify alternative locations or leave it selected to use the default directories (recommended).

15 Select an authentication method for installing the database from the Authentication list.

a Select Use Windows identity... to use the credentials under which you are running the installer to create the database.

b Deselect Use Windows identity... to specify SQL authentication. Type SQL credentials in the user and password text boxes.

By default, the Windows service user account is used during run time access to the database, and must have access to the SQL Server instance. The credentials used to access the database at run time can be configured to use SQL credentials.

16 Click Next.

17 If warnings appear in the Prerequisite Checker, for each item that requires attention, select the entry in the left pane and follow the instructions that appear on the right.

18 You can specify the database instance if you are deploying the database to a non-default SQL Server instance.

a Right-click the Database node in the navigation pane on the left.

The Database Settings window appears.

b Type the name of the database instance in the Database instance text box.

c Click OK.

d Click Check Again.

19 When all problems are addressed, click Check Again and verify that all items have check marks next to them.

You can click Check Again at any time to check the status of the prerequisites.

20 If noncritical errors still occur, click Bypass to continue the installation.

Bypassing critical errors causes the installation to fail.

21 Click Install.

22 When the success message appears, deselect Guide me through initial configuration and click Next.

23 Click Finish.

The database is ready for use.

Install the IaaS Website Component and Model Manager Data

The Website component provides access to infrastructure capabilities in the vCloud Automation Center web console. The system administrator can install one or many instances of the Website component. The machine that hosts the first Website component must also host the Model Manager Data component. Model Manager Data can be installed only once.

If you are using a load balancer, disable the Microsoft loopback check on the installation machine. For more information about how to disable the loopback check feature, see http://support.microsoft.com/KB/926642/EN-US.

Prerequisites

- “Create the IaaS Database Using the Installation Wizard,” on page 67.

- If you previously installed other components in this environment, verify that you know the passphrase that was created. See “Security Passphrase,” on page 28.

- If you are using components in your environment, verify that you installed and configured a load balancer for them. All servers must share the same certificate under the load balancer.

Procedure

1 Right-click the [email protected] setup file that you downloaded and select Run as administrator.

If you see a Microsoft .NET 4.5 missing prompt, navigate to the fully configured vCloud Automation Center Appliance at https://vcac-va-hostname.domain.name, select the .NET installer link and restart the machine. Begin this procedure again.

2 Click Next.

3 Click Next.

4 Accept the license agreement and click Next.

5 Type the administrator credentials for the vCloud Automation Center Appliance on the Log In page and click Next.

The user name is root and the password is the password that you specified when you deployed the vCloud Automation Center Appliance.

6 Click Next.

7 Select Custom Install on the Installation Type page.

8 Select IaaS Server on the Installation Type page.

9 Accept the root install location or click Change and select an installation path.

10 Click Next.

11 Select Website and ModelManagerData on the IaaS Server Custom Install page.

12 Select a Web site from available Web sites or accept the default Web site on the Administration & Model Manager Web Site tab.

13 Type an available port number in the Port number text box, or accept the default port 443.

14 Click Test Binding to confirm that the port number is available for use.

15 Select the certificate for this component.

a If you imported a certificate after you began the installation, click Refresh to update the list.

b Select the certificate to use from Available certificates.

c If you imported a certificate that does not have a friendly name and it does not appear in the list, deselect Display certificates using friendly names and click Refresh.

If you are installing in a test or nonproduction environment without load balancers, you can select Generate a Self-Signed Certificate instead of selecting a certificate. If you are installing additional Website components behind a load balancer, do not generate self-signed certificates. Import the certificate from the main IaaS Web server to ensure that you use the same certificate on all servers behind the load balancer.

16 (Optional) Click View selected certificate, view the certificate, and click OK to close the information window.

17 (Optional) Select Suppress certificate mismatch to suppress certificate errors that arise when the name of the certificate differs from the name used to access it (when using an IP address instead of the fully qualified domain name, for example).

18 (Optional) If you are deploying Model Manager Data with the first Website component, and want to deploy additional Website components, click the Model Manager Data tab and continue to Step 13.

19 If you are deploying a secondary Website component, continue to Step 20.

20 Type the fully qualified domain name of the vCloud Automation Center Appliance or its load balancer in the Server text box.

For example, vcac.eng.mycompany.com.

21 Click Load to display the SSO Default Tenant.

The vsphere.local default tenant is created automatically when you configure single sign-on. Do not modify it.

22 Click Download to import the certificate from the virtual appliance.

It might take several minutes to download the certificate.

23 (Optional) Click View Certificate to validate it and click OK to close the information box.

24 Click Accept Certificate.

25 Type [email protected] in the User name text box and the password you created when you configured the SSO in the Password text box.

26 Click Test to verify the credentials.

27 Type the fully qualified domain name of the IaaS Website Server or the name of its load balancer (if you deployed multiple IaaS Website servers) in the IaaS Server text box.

28 Click Test to verify the server connection.

29 Click Next.

30 If warnings appear in the Prerequisite Checker, for each item that requires attention, select the entry in the left pane and follow the instructions that appear on the right.

31 When all problems are addressed, click Check Again and verify that all items have check marks next to them.

You can click Check Again at any time to check the status of the prerequisites.

32 If noncritical errors still occur, click Bypass to continue the installation.

Bypassing critical errors causes the installation to fail.

33 Type the user name and password of the service account user who has administrative privileges on the current installation server in the Server Installation Information text box on the Server and Account Settings page.

34 If you already installed components in this environment, type the same passphrase you created in the Passphrase text box and click Confirm. Otherwise, type a new passphrase.

35 Specify the database server, database name, and authentication method for the database server in the Microsoft SQL Database Installation Information text box.

This is the same database server, name, and authentication information that you already specified.

36 Click Next.

37 Click Install.

38 When the installation finishes, deselect Guide me through the initial configuration and click Next.

What to do next

Repeat this procedure to install additional Website Components. For subsequent installations, select Website Component without Model Manager Data.

Install the Manager Service

The Manager Service component coordinates communication between agents (including proxy agents), the database, and SMTP. A minimum of one instance of the Manager Service component must be installed. The administrator can install one primary instance and one backup instance of the Manager Service component to provide redundancy in a high-availability deployment.

Prerequisites

- If you previously installed other components in this environment, verify that you know the passphrase that was created. See “Security Passphrase,” on page 28.

- (Optional) If you want to install the Manager Service in a Web site other than the default Web site, first create a Web site in Internet Information Services.

- .NET Framework 4.5 is installed.

- Verify that you have a certificate from a certificate authority imported into IIS and that the root certificate or certificate authority is trusted. All components under the load balancer must have the same certificate.

- Verify that the Website load balancer is configured.

- “Install the IaaS Website Component and Model Manager Data,” on page 68.

Procedure

1 Right-click the [email protected] setup file that you downloaded and select Run as administrator.

If you see a Microsoft .NET 4.5 missing prompt, navigate to the fully configured vCloud Automation Center Appliance at https://vcac-va-hostname.domain.name, select the .NET installer link and restart the machine. Begin this procedure again.

2 Click Next.

3 Accept the license agreement and click Next.

4 Type the administrator credentials for the vCloud Automation Center Appliance on the Log In page and click Next.

The user name is root and the password is the password that you specified when you deployed the vCloud Automation Center Appliance.

5 Click Next.

6 Select Custom Install on the Installation Type page.

7 Select IaaS Server on the Installation Type page.

8 Accept the root install location or click Change and select an installation path.

9 Click Next.

10 Select ManagerService on the IaaS Server Custom Install page.

11 Type the fully qualified domain name of the IaaS Web server or the Website load balancer in the IaaS Server text box.

12 Select Active node with startup type set to automatic if this is the primary instance or Disaster recovery cold standby node if this is a backup instance.

13 Select a Web site from available Web sites or accept the default Web site on the Administration & Model Manager Web Site tab.

14 Type an available port number in the Port number text box, or accept the default port 443.

15 Click Test Binding to confirm that the port number is available for use.

16 Select the certificate for this component.

a If you imported a certificate after you began the installation, click Refresh to update the list.

b Select the certificate to use from Available certificates.

c If you imported a certificate that does not have a friendly name and it does not appear in the list, deselect Display certificates using friendly names and click Refresh.

If you are installing in a test or nonproduction environment without load balancers, you can select Generate a Self-Signed Certificate instead of selecting a certificate. If you are installing additional Website components behind a load balancer, do not generate self-signed certificates. Import the certificate from the main IaaS Web server to ensure that you use the same certificate on all servers behind the load balancer.

17 (Optional) Click View selected certificate, view the certificate, and click OK to close the information window.

18 Click Next.

19 Check the prerequisites and click Next.

20 Type the user name and password of the service account user who has administrative privileges on the current installation server in the Server Installation Information text box on the Server and Account Settings page.

21 If you already installed components in this environment, type the same passphrase you created in the Passphrase text box and click Confirm. Otherwise, type a new passphrase.

22 Specify the database server, database name, and authentication method for the database server in the Microsoft SQL Database Installation Information text box.

This is the same database server, name, and authentication information that you already specified.

23 Click Next.

24 Click Install.

25 When the installation finishes, deselect Guide me through the initial configuration and click Next.

26 Click Finish.

27 If this is the first instance of the Manager Service component, verify that the vCloud Automation Center Service is running. If this is the second instance, the service must not be running.

What to do next

If you have not already done so, install an additional instance of the Manager Service component as a passive backup that you can start manually if the primary instance fails. Select Disaster Recovery cold standby node during installation.

Installing Distributed Execution Managers

The Distributed Execution Manager can be installed as one of two roles: DEM Orchestrator or DEM Worker. At least one DEM instance must be present for each role.

Additional DEM instances can be installed to support failover and high-availability. The system administrator must choose installation machines that meet predefined system requirements. The DEM Orchestrator and the Worker can reside on the same machine.

As you plan to install Distributed Execution Managers, keep in mind the following considerations:

- Only one DEM Orchestrator instance is active at any time.


- The Orchestrator should be installed on a machine with strong network connectivity to the Model Manager host (typically the same machine as the Manager Service).

- VMware strongly recommends that you install a second DEM Orchestrator on a different machine for failover.

- DEM Workers can be installed on any machine in your deployment architecture.

- As with the DEM Orchestrator, it is important for DEM Workers to have network connectivity to the Model Manager host.

- Additional DEM instances can be added for redundancy and scalability, including multiple instances on the same machine.

- The installation procedure is the same for both the DEM Orchestrator and Worker roles.

There are specific requirements for the DEM installation that depend on the endpoints you use. See “Distributed Execution Manager Requirements,” on page 22.

Install the Distributed Execution Managers

A system administrator installs at least one instance of each Distributed Execution Manager (Worker and Orchestrator). The procedure is the same for both roles.

An instance of the DEM Orchestrator is installed on each Manager Service machine (active and passive). The DEM Orchestrator and DEM Worker can reside on the same machine.

Prerequisites

- If you previously installed other components in this environment, verify that you know the passphrase that was created.

- “Download the IaaS Installer,” on page 66.

Procedure

1 Right-click the [email protected] setup file that you downloaded and select Run as administrator.

If you see a Microsoft .NET 4.5 missing prompt, navigate to the fully configured vCloud Automation Center Appliance at https://vcac-va-hostname.domain.name, select the .NET installer link and restart the machine. Begin this procedure again.

2 Click Next.

3 Accept the license agreement and click Next.

4 Type the administrator credentials for the vCloud Automation Center Appliance on the Log In page and click Next.

The user name is root and the password is the password that you specified when you deployed the vCloud Automation Center Appliance.

5 Click Next.

6 Select Custom Install on the Installation Type page.

7 On the Installation Type page, select Distributed Execution Managers.

8 Accept the root install location or click Change and select an installation path.

9 Click Next.

10 Check prerequisites and click Next.

11 On the Server and Account Settings page, type the login credentials for the administrator account that is performing the installation.


12 Click Next.

The Install Distributed Execution Manager page appears.

13 Select Worker or Orchestrator from the DEM role menu.

The Worker executes workflows. The Orchestrator oversees the DEM worker's activities, including scheduling and preprocessing workflows. It also checks the DEM worker's online status.

14 Type a unique name that identifies this DEM in your deployment in the DEM name text box.

The name cannot include spaces and cannot exceed 128 characters.

15 (Optional) Type a description of this instance in DEM description.

16 Type the host names and ports in the Manager Service Host name and Model Manager Web Service Host name text boxes.

- If you are not using load balancers, type the fully qualified domain name and port of the co-located Manager Service component and Website component (hostname.domain.name:port).

- If you are using load balancers, type the fully qualified domain name of the load balancer for the Manager Service and the load balancer for the Model Manager Web Service.

The default port is 443.

17 Click Test to test the connection to the Manager Service.

18 In Model Manager Web Service Host name, type the fully qualified domain name and port of the Website host (hostname.domain.name:port).

The default port is 443.

19 Click Test to test the connection to the Model Manager Web Service.

20 Click Add.

21 Click Next.

22 Click Install.

23 When the installation finishes, deselect Guide me through the initial configuration and click Next.

24 Click Finish.

Configure the DEM to Connect to SCVMM on a Nonstandard Installation Path

By default, the DEM Worker configuration file (DynamicOps.DEM.exe.config) points to the standard installation path of Microsoft's System Center Virtual Machine Manager (SCVMM) console: {ProgramFiles}\Microsoft System Center 2012\Virtual Machine Manager\bin. The system administrator must change the path if the console is installed in another location.

Prerequisites

- If the SCVMM Console has been installed in another location, the configuration file of the DEM Worker (located in Program Files (x86)\VMware\vCAC\Distributed Execution Manager\<InstanceName>\DynamicOps.DEM.exe.config) must be updated to change the default path in the assemblyLoadConfiguration section to point to the new folder.

<assemblyLoadConfiguration>
  <assemblies>
    <!-- List of required assemblies for Scvmm -->
    <add name="Errors" path="{ProgramFiles}\Microsoft System Center 2012\Virtual Machine Manager\bin" />
    [...]
  </assemblies>
</assemblyLoadConfiguration>

Procedure

1 Stop the DEM Worker.

2 Determine the installation path.

3 Update the DynamicOps.DEM.exe.config file.

4 Restart the DEM Worker.

The default DEM Worker path is updated to the new folder.

Perform Virtual Provisioning on SCVMM

When setting up a virtual machine template in SCVMM, a system administrator can add a Guest OS Profile directly to a Windows template by using SCVMM Console.

Prerequisites

Some restrictions apply to SCVMM template and hardware profile names. Specifically, these names cannot start with the following words.

- TemporaryTemplate

- Temporary Template

- TemporaryProfile

- Temporary Profile

- Profile

Because of naming conventions that SCVMM and VMware use for temporary templates and hardware profiles, these words are ignored during data collection. A compute resource running under SCVMM can have multiple paths in the placement section that are collected and assigned in a reservation. On a Hyper-V cluster under SCVMM management, data collection is for Shared Volumes only; workloads can be provisioned on a shared resource of a cluster only.

When running data collection on standalone hosts for storage used in the reservation, vCloud Automation Center collects the default virtual machine path. This can be configured through SCVMM Console under the Placement section.

Procedure

1 View the SCVMM Console.

2 Right-click the Hyper-V cluster to select properties.

3 Browse to the Shared Volumes section to view the storage properties.

4 To configure the SCVMM for data collection on standalone hosts:

a View the SCVMM Console.

b Right-click the Hyper-V standalone host to select properties.

c Browse to the Placement section to view the storage properties.


5 Post-Installation Tasks

A system administrator can customize the installation environment by updating certificates and changing the authentication method used to communicate with the SQL database during run-time.

This chapter includes the following topics:

- “Verify IaaS Services,” on page 77

- “Provide the Infrastructure License,” on page 77

- “Updating Certificates,” on page 78

- “Configuring Windows Service to Access the IaaS Database,” on page 87

Verify IaaS Services

After installation, the system administrator verifies that the IaaS services are running. If the services are running, the installation is a success.

Procedure

1 From the Windows desktop of the IaaS machine, select Administrative Tools > Services.

2 Locate the following services and verify that their status is Started.

- VMware DEM – Orchestrator – DEO

- VMware DEM – Worker – DEM

- VMware vCloud Automation Center Agent Agent name

- VMware vCloud Automation Center Service

3 Close the Services window.

What to do next

“Provide the Infrastructure License,” on page 77.

Provide the Infrastructure License

After installation, the IaaS administrator logs in to the vCloud Automation Center console and provides a license for the Infrastructure components.

Procedure

1 Navigate to the vCloud Automation Center Appliance console by using its fully qualified domain name, https://vcac-hostname.domain.name/shell-ui-app/.

2 Accept the certificate.


3 Log in to the vCloud Automation Center console as IaaS administrator.

4 Click the Infrastructure tab.

5 Navigate to Administration > Licensing.

6 Click Add License.

7 Type the VMware license code in the License key text box.

8 Click OK.

What to do next

Configure a default tenant. For more information, see Chapter 8, “Configuring Tenants,” on page 117.

Updating Certificates

A system administrator can update certificates for the Identity Appliance, the vCloud Automation Center Appliance, and IaaS components. Typically, an update is performed when switching from self-signed certificates to certificates provided by a certificate authority chosen by the system administrator.

When you update a certificate for a vCloud Automation Center component, components that have a dependency on this certificate are affected. You must register the new certificate with these components to ensure certificate trust.

You must update all components of the same type in a distributed system. For example, if you update a certificate for one vCloud Automation Center Appliance in a distributed environment, you must update all vCloud Automation Center Appliances for that installation.

Update components in the following order:

1 Identity Appliance

2 vCloud Automation Center Appliance

3 IaaS components

With one exception, changes to later components do not affect earlier ones. For example, if you import a new certificate to a vCloud Automation Center Appliance, you must register this change with the IaaS server, but not with the Identity Appliance. The exception is that an updated certificate for IaaS components must be registered with vCloud Automation Center Appliance.

The following table shows registration requirements when you update a certificate.

Table 5‑1. Registration Requirements

Updated Certificate | Register new certificate with Identity Appliance | Register new certificate with vCloud Automation Center Appliance | Register new certificate with IaaS

Identity Appliance | Not applicable | Yes | Yes

vCloud Automation Center Appliance | No | Not applicable | Yes

IaaS | No | Yes | Not applicable

Updating Certificates When a Host Name is Changed

When a vCloud Automation Center Appliance host name is changed, you must update the Identity Appliance with the vCloud Automation Center Appliance certificate. For more information, see “Update the Identity Appliance with the vCloud Automation Center Appliance Certificate,” on page 84.


Updating the Identity Appliance Certificate

The system administrator can replace a self-signed certificate with another self-signed certificate or a domain certificate after the installation is complete.

1 Replace a Certificate in the Identity Appliance on page 79

The system administrator can replace a self-signed certificate with one from a certificate authority. The same certificate can be used on multiple machines.

2 Update the vCloud Automation Center Appliance with the Identity Appliance Certificate on page 80

After the Identity Appliance certificate is updated, the system administrator updates the vCloud Automation Center Appliance with the new certificate information. This process reestablishes trusted communications between the virtual appliances.

3 Update the IaaS Servers with the Identity Appliance Certificate on page 81

After the Identity Appliance certificate is updated, the system administrator updates the IaaS component registry on all IaaS component machines with the new virtual appliance certificate information. This process reestablishes trusted communications between the virtual appliance and IaaS components.

Replace a Certificate in the Identity Appliance

The system administrator can replace a self-signed certificate with one from a certificate authority. The same certificate can be used on multiple machines.

The labels for the private key and certificate chain headers and footers depend on the certificate authority in use. Information here is based on headers and footers for a certificate generated by openssl.

Procedure

1 Navigate to the Identity Appliance management console by using its fully qualified domain name, https://identity-hostname.domain.name:5480/.

2 Log in with user name root and the password you specified when deploying the Identity Appliance.

3 Click the SSO tab.

4 Click SSL.


5 Select the certificate type from the Choose Action menu. If you are using a PEM encoded certificate, for example for a distributed environment, select Import PEM encoded certificate.

Certificates that you import must be trusted and must also be applicable to all instances of vCloud Automation Center Appliance and any load balancer, either by using wildcards or by using Subject Alternative Name (SAN) certificates.

IMPORTANT Using self-signed certificates is not recommended for production environments.

Option: Import a certificate
Action:

a Copy the certificate values from BEGIN PRIVATE KEY to END PRIVATE KEY, including the header and footer, and paste them in the RSA Private Key text box.

b Copy the certificate values from BEGIN CERTIFICATE to END CERTIFICATE, including the header and footer, and paste them in the Certificate Chain text box.

c (Optional) If your certificate has one, copy the pass phrase that encrypts the private key of the certificate that you are importing, and paste it in the Pass Phrase text box.

Option: Generate a self-signed certificate
Action:

a Type a common name for the certificate in the Common Name text box. You can use the fully qualified domain name of the virtual appliance (hostname.domain.name) or a wild card, such as *.mycompany.com. If you use a load balancer, you need to specify the FQDN of the load balancer or a wildcard that matches the name of the load balancer. Do not accept a default value if one is shown, unless it matches the host name of the virtual appliance.

b Type your organization name, such as your company name, in the Organization text box.

c Type your organizational unit, such as your department name or location, in the Organizational Unit text box.

d Type a two-letter ISO 3166 country code, such as US, in the Country text box.

6 Click Replace Certificate, even if you are generating a new certificate.

After a few minutes the certificate details appear on the page. If you are using a load balancer, the certificate is for the load balancer.

The certificate is updated.

Update the vCloud Automation Center Appliance with the Identity Appliance Certificate

After the Identity Appliance certificate is updated, the system administrator updates the vCloud Automation Center Appliance with the new certificate information. This process reestablishes trusted communications between the virtual appliances.

Use the import-certificate command to import the SSL certificate from the Identity Appliance into the SSL keystore used by the vCloud Automation Center Appliance. The alias value specifies the alias under which the imported certificate is stored in the keystore, and url is the address of the SSL endpoint.

Prerequisites

“Replace a Certificate in the Identity Appliance,” on page 79.

Procedure

1 Start Putty or another Unix SSL remote login tool.

2 Log in to the vCloud Automation Center Appliance with user name root and the password you specified when deploying the appliance.


3 Execute the import-certificate command:

/usr/sbin/vcac-config import-certificate --alias websso --url https://identity-hostname.domain.name:7444

For example:

/usr/sbin/vcac-config import-certificate --alias websso --url https://identity-vm76-115.eng.mycompany.com:7444

4 Restart the vCloud Automation Center Appliance.

5 Navigate to the vCloud Automation Center Appliance management console by using its fully qualified domain name, https://vcac-va-hostname.domain.name:5480/.

6 Select System > Reboot.

7 Click Services. The following services must be running to log in to the console. They usually start in about 10 minutes.

- authorization

- authentication

- eventlog-service

- shell-ui-app

- branding-service

- plugin-service

The certificate is updated on the vCloud Automation Center Appliance.

Update the IaaS Servers with the Identity Appliance Certificate

After the Identity Appliance certificate is updated, the system administrator updates the IaaS component registry on all IaaS component machines with the new virtual appliance certificate information. This process reestablishes trusted communications between the virtual appliance and IaaS components.

Run this command once from the Model Manager Data machine. This procedure updates the database. All IaaS servers are updated from the database.

Prerequisites

“Update the vCloud Automation Center Appliance with the Identity Appliance Certificate,” on page 80.

Procedure

1 Open a command prompt as an administrator and navigate to the Cafe directory on the IaaS installation machine.

C:\Program Files (x86)\VMware\vCAC\Server\Model Manager Data\Cafe

2 Type the following commands to download the root certificates from the Identity Appliance into the local operating system trusted certificate store.

- vcac-config.exe DownloadRootCertificates --RootCertPath "C:\Program Files (x86)\VMware\vCAC\Server\Website\SSO root.cer" --SignCertPath "C:\Program Files (x86)\VMware\vCAC\Server\Website\SSO signing.cer" -v

- vcac-config.exe DownloadRootCertificates --RootCertPath "C:\Program Files (x86)\VMware\vCAC\Web API\SSO root.cer" --SignCertPath "C:\Program Files (x86)\VMware\vCAC\Web API\SSO signing.cer" -v


3 Type iisreset to reset IIS.

Updating the vCloud Automation Center Appliance Certificate

The system administrator can replace a self-signed certificate with another self-signed certificate, a domain certificate, or a wildcard domain certificate after the installation is complete.

1 Replace a Certificate in the vCloud Automation Center Appliance on page 82

The system administrator can replace a self-signed certificate with a trusted one from a certificate authority. The same certificate can be used on multiple machines as a wildcard domain certificate.

2 Update the IaaS Servers with the vCloud Automation Center Appliance Certificate on page 83

After the virtual appliance certificates are updated, the system administrator updates the IaaS server running the Model Manager Data component registry to reestablish trusted communications between the virtual appliances and IaaS components.

3 (Optional) Update the Identity Appliance with the vCloud Automation Center Appliance Certificate on page 84

When the host name for a vCloud Automation Center Appliance is changed, the system administrator must re-enter Identity Appliance SSO settings.

Replace a Certificate in the vCloud Automation Center Appliance

The system administrator can replace a self-signed certificate with a trusted one from a certificate authority. The same certificate can be used on multiple machines as a wildcard domain certificate.

Procedure

1 Navigate to the vCloud Automation Center Appliance management console by using its fully qualified domain name, https://vcac-va-hostname.domain.name:5480/.

2 Log in with user name root and the password you specified when deploying the Identity Appliance.

3 Navigate to vCAC Settings > SSL.

4 Click SSL.


5 Select the certificate type from the Choose Action menu. If you are using a PEM encoded certificate, for example for a distributed environment, select Import PEM encoded certificate.

Certificates that you import must be trusted and must also be applicable to all instances of vCloud Automation Center Appliance and any load balancer, either by using wildcards or by using Subject Alternative Name (SAN) certificates.

IMPORTANT Using self-signed certificates is not recommended for production environments.

Option: Import a certificate
Action:

a Copy the certificate values from BEGIN PRIVATE KEY to END PRIVATE KEY, including the header and footer, and paste them in the RSA Private Key text box.

b Copy the certificate values from BEGIN CERTIFICATE to END CERTIFICATE, including the header and footer, and paste them in the Certificate Chain text box.

c (Optional) If your certificate has one, copy the pass phrase that encrypts the private key of the certificate that you are importing, and paste it in the Pass Phrase text box.

Option: Generate a self-signed certificate
Action:

a Type a common name for the certificate in the Common Name text box. You can use the fully qualified domain name of the virtual appliance (hostname.domain.name) or a wild card, such as *.mycompany.com. If you use a load balancer, you need to specify the FQDN of the load balancer or a wildcard that matches the name of the load balancer. Do not accept a default value if one is shown, unless it matches the host name of the virtual appliance.

b Type your organization name, such as your company name, in the Organization text box.

c Type your organizational unit, such as your department name or location, in the Organizational Unit text box.

d Type a two-letter ISO 3166 country code, such as US, in the Country text box.

6 Click Replace Certificate.

After a few minutes, the certificate details appear on the page.

The certificate is updated.
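
A pre-flight check for the Import a certificate option in both the Identity Appliance and the vCloud Automation Center Appliance procedures, added here as an example and not part of VMware's documentation or tooling: it sorts a PEM bundle into the RSA Private Key and Certificate Chain fields, flags a key that needs the Pass Phrase field, and checks that the certificate names cover every appliance and load balancer. The bundle, host names, and function names are constructed for illustration, and the certificate names (CN and SAN entries) are assumed to be read from the certificate by the operator.

```python
import base64
import binascii
import re

# One PEM block. The label differs between tools and CAs, so it is captured.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)
# Common OpenSSL private key labels (assumption: the key is RSA, as the form expects).
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


def split_pem_bundle(text):
    """Sort PEM blocks into the import form's fields and report paste problems."""
    result = {"private_key": None, "chain": [], "needs_pass_phrase": False, "problems": []}
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        lines = [line.strip() for line in body.splitlines()]
        # Legacy encrypted keys put "Name: value" headers before the base64 body.
        headers = [line for line in lines if ":" in line]
        payload = "".join(line for line in lines if line and ":" not in line)
        try:
            if not payload:
                raise binascii.Error("empty body")
            base64.b64decode(payload, validate=True)
        except binascii.Error:
            result["problems"].append(label + ": body is not valid base64 (truncated paste?)")
            continue
        if label == "CERTIFICATE":
            result["chain"].append(match.group(0))  # header and footer included
        elif label in KEY_LABELS:
            if result["private_key"] is not None:
                result["problems"].append("more than one private key in the bundle")
            result["private_key"] = match.group(0)
            result["needs_pass_phrase"] = label == "ENCRYPTED PRIVATE KEY" or any(
                h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers
            )
        else:
            result["problems"].append("unexpected block type: " + label)
    if result["private_key"] is None:
        result["problems"].append("no private key block found")
    if not result["chain"]:
        result["problems"].append("no certificate block found")
    return result


def name_matches(pattern, host):
    """Compare one certificate name with a host name.

    A wildcard is honoured only as the whole leftmost label and covers exactly
    one label, so *.mycompany.com does not cover vcac.eng.mycompany.com.
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    head, dot, rest = host.partition(".")
    return bool(head) and dot + rest == pattern[1:]


def uncovered_hosts(cert_names, required_hosts):
    """Return the appliance or load balancer FQDNs that no certificate name covers."""
    return [h for h in required_hosts if not any(name_matches(n, h) for n in cert_names)]


# Constructed sample: placeholder bodies, not real key material. The last
# certificate block has a damaged body to show how a bad paste is reported.
SAMPLE_BUNDLE = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,00000000000000000000000000000000

Q09OU1RSVUNURUQ=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ
-----END CERTIFICATE-----
"""

# Constructed host names for two appliances and a load balancer.
SAMPLE_HOSTS = ["vcac-va1.mycompany.com", "vcac-lb.mycompany.com", "vcac.eng.mycompany.com"]

if __name__ == "__main__":
    report = split_pem_bundle(SAMPLE_BUNDLE)
    # Print a summary only; the key itself is never written to the terminal.
    print("private key found:", report["private_key"] is not None)
    print("pass phrase needed:", report["needs_pass_phrase"])
    print("certificates for the chain field:", len(report["chain"]))
    print("problems:", report["problems"])
    print("hosts not covered:", uncovered_hosts(["*.mycompany.com"], SAMPLE_HOSTS))
```
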

Update the IaaS Servers with the vCloud Automation Center Appliance Certificate

After the virtual appliance certificates are updated, the system administrator updates the IaaS server running the Model Manager Data component registry to reestablish trusted communications between the virtual appliances and IaaS components.

Execute the vcac-Config.exe command with the UpdateServerCertificates argument to update the IaaS database with the certificate information.

Type the following command for a list of vcac-Config arguments.

vcac-Config.exe help

Prerequisites

“Update the Identity Appliance with the vCloud Automation Center Appliance Certificate,” on page 84.

Procedure

1 Open a command prompt as an administrator and navigate to the Cafe directory on the Model Manager Data installation machine.

C:\Program Files (x86)\VMware\vCAC\Server\Model Manager Data\Cafe


2 Type the following command to update the IaaS database with the certificate information in one step. Supply the IaaS database name (vcac, by default) and the fully qualified domain name of the database server.

vcac-Config.exe UpdateServerCertificates -d vcac_database -s sql_database_server -v

For example:

vcac-Config.exe UpdateServerCertificates -d vCAC -s tr-w2008-13.eng.mycompany -v

NOTE The version of the command shown here, without the thumbprint argument, downloads the certificate in one step.

3 Type iisreset to reset IIS.

(Optional) Update the Identity Appliance with the vCloud Automation Center Appliance Certificate

When the host name for a vCloud Automation Center Appliance is changed, the system administrator must re-enter Identity Appliance SSO settings.

Prerequisites

“Replace a Certificate in the vCloud Automation Center Appliance,” on page 82.

Procedure

1 Navigate to the vCloud Automation Center Appliance management console by using its fully qualified domain name, https://vcac-va-hostname.domain.name:5480/.

2 Log in with user name root and the password you specified when deploying the Identity Appliance.

3 Go to vCAC Settings > SSO.

4 Verify that the fully qualified name and port for the Identity Appliance, identity-va-hostname.domain.name:7444, appears in the SSO Host and Port text box.

For example, vcac-sso.mycompany.com:7444. The https:// prefix is not used.

5 Verify that the SSO default tenant is vsphere.local. Do not change this name.

6 Type the default administrator name [email protected] in the SSO Admin User text box.

7 Type the SSO administrator password in the SSO Admin Password text box. The password must match the password you specified in the SSO settings for the Identity Appliance.

8 Click Save Settings.

The Identity Appliance is updated with certificate information for the new vCloud Automation Center Appliance host name.

Updating the IaaS Certificate

The system administrator can replace a self-signed certificate with another self-signed certificate or a certificate from a certificate authority after the installation is complete. Certificate updates are required when the certificate type changes or the certificate expires.

1 Update the Certificate in Internet Information Services on page 85

The system administrator can replace a self-signed certificate with one from a certificate authority to ensure security in a distributed deployment environment.


2 Update the vCloud Automation Center Appliance with the IaaS Certificate on page 86

After certificates are updated on the IaaS servers, the system administrator updates the IaaS component registry to reestablish trusted communications between the virtual appliances and IaaS components. In a distributed environment, this process is repeated for each IaaS server where you updated certificates.

Update the Certificate in Internet Information Services

The system administrator can replace a self-signed certificate with one from a certificate authority to ensure security in a distributed deployment environment.

The same certificate can be used on multiple machines (as a wildcard). The certificate must be added to the trusted root certificate store on the IIS machine. The IIS machine is the machine on which the Component Website and Model Manager data are installed during the IaaS installation.

This procedure adds the certificate to the trusted root in the certificate store.

Procedure

1 Get a certificate from a trusted certificate authority.

2 Open the Internet Information Services (IIS) Manager.

3 Double-click Server Certificates from Features View.

4 Click Import in the Actions pane.

a Type a file name in the Certificate file text box, or click the browse button (…), to navigate to the name of a file where the exported certificate is stored.

b Type a password in the Password text box if the certificate was exported with a password.

5 Click OK.

6 Click on the imported certificate and select View.

7 Verify that the certificate is trusted. If the certificate is untrusted, you see the message, This CA root certificate is not trusted.

8 Update IIS bindings.

a Select the site that hosts the component Web site and model manager.

b Click Bindings in the Action pane.

c Click Edit on the https (443) in the Site Bindings dialog box.

d Change the SSL certificate to the newly imported one.

9 Restart IIS or open a command prompt window and type iisreset.

10 Open the vCloud Automation Center site with a browser. The server address is of the form https://<IaaS_server_address>/vCAC/.

When you open the site, you should see the message 401 Not authorized, which indicates that certificates are configured on the IaaS server.


Update the vCloud Automation Center Appliance with the IaaS Certificate

After certificates are updated on the IaaS servers, the system administrator updates the IaaS component registry to reestablish trusted communications between the virtual appliances and IaaS components. In a distributed environment, this process is repeated for each IaaS server where you updated certificates.

As part of updating the IaaS certificate, you must re-register the certificate with the vCloud Automation Center. You can use the hostname or IP address of the IaaS machines in the following commands. If you are using a load balancer, supply the host name of the load balancer instead.

If you encounter errors, see the troubleshooting section of Installation and Configuration.

Prerequisites

“Update the Certificate in Internet Information Services,” on page 85.

Procedure

1 Navigate to the Cafe directory on the IaaS machine that has an updated certificate.

C:\Program Files (x86)\VMware\vCAC\Server\Model Manager Data\Cafe

2 Register the endpoint address for the UI using a command of this form:

Vcac-Config.exe RegisterEndpoint --EndpointAddress https://<IaaS UI server hostname> or <lbhostname>/<IaaS UI application path> --Endpoint ui -v

For example:

Vcac-Config.exe RegisterEndpoint --EndpointAddress https://192.168.1.1/vCAC/ --Endpoint ui -v

3 Register the endpoint address for the SSL callback using a command of this form:

Vcac-Config.exe RegisterEndpoint --EndpointAddress https://<IaaS UI server hostname> or <lbhostname>/<IaaS UI application path>/SslCallback.aspx --Endpoint ssl -v

For example:

Vcac-Config.exe RegisterEndpoint --EndpointAddress https://192.168.1.1/vCAC/SslCallback.aspx --Endpoint ssl -v

4 Register the endpoint address for the Model Manager Web server using a command of this form:

Vcac-Config.exe RegisterEndpoint --EndpointAddress

https://<Model Manager Web server hostname> or <lbhostname>/

<Model Manager Web application path> --Endpoint repo -v

For example:

Vcac-Config.exe RegisterEndpoint --EndpointAddress https://192.168.1.1/Repository --Endpoint

repo -v

5 Register the endpoint address for the WAPI server using a command of this form:

Vcac-Config.exe RegisterEndpoint --EndpointAddress

https://<IaaS WAPI server hostname> or <lbhostname>/

<IaaS WAPI application path>/ --Endpoint wapi -v

For example:

Vcac-Config.exe RegisterEndpoint --EndpointAddress https://192.168.1.1/WAPI --Endpoint wapi -

v


6 Register the address for the status endpoint using a command of this form:

Vcac-Config.exe RegisterEndpoint --EndpointAddress https://<IaaS WAPI server hostname> or <lbhostname>/<IaaS WAPI application path>/api/status --Endpoint status -v

For example:

Vcac-Config.exe RegisterEndpoint --EndpointAddress https://192.168.1.1/WAPI/api/status --Endpoint status -v

7 Restart each vCloud Automation Center server by using the following command:

service vcac-server restart

Wait approximately 15 minutes for the services to restart.
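The five registrations in steps 2 through 6 can be generated from the host names so that the addresses stay consistent with each other. The following PowerShell is an added example, not VMware's code: the function and parameter names are hypothetical, the application paths are the ones used in the examples above, and it assumes that Vcac-Config.exe reports failure through a non-zero exit code.

```powershell
# Added example, not part of the VMware guide. Function and parameter names are
# hypothetical; the application paths come from the guide's own examples.

function Get-VcacEndpointPlan {
    param(
        [Parameter(Mandatory = $true)][string]$UiHost,   # IaaS UI host, IP, or load balancer
        [string]$RepoHost = $UiHost,                     # Model Manager Web server
        [string]$WapiHost = $UiHost                      # IaaS WAPI server
    )
    foreach ($name in @($UiHost, $RepoHost, $WapiHost)) {
        # Accept only a bare host name or IP (optionally host:port), so a pasted URL
        # or path cannot end up inside a registered address.
        if ($name -notmatch '^[A-Za-z0-9.-]+(:\d{1,5})?$') {
            throw "Expected a host name or IP address, got '$name'"
        }
    }
    # One entry per step of the procedure, in the guide's order.
    [pscustomobject]@{ Endpoint = 'ui';     Address = "https://$UiHost/vCAC/" }
    [pscustomobject]@{ Endpoint = 'ssl';    Address = "https://$UiHost/vCAC/SslCallback.aspx" }
    [pscustomobject]@{ Endpoint = 'repo';   Address = "https://$RepoHost/Repository" }
    [pscustomobject]@{ Endpoint = 'wapi';   Address = "https://$WapiHost/WAPI" }
    [pscustomobject]@{ Endpoint = 'status'; Address = "https://$WapiHost/WAPI/api/status" }
}

function Invoke-VcacEndpointRegistration {
    param(
        [Parameter(Mandatory = $true)][object[]]$Plan,
        [string]$CafeDir = 'C:\Program Files (x86)\VMware\vCAC\Server\Model Manager Data\Cafe',
        [switch]$Execute     # without -Execute the commands are only printed
    )
    if (-not $Execute) {
        return $Plan | ForEach-Object {
            "Vcac-Config.exe RegisterEndpoint --EndpointAddress $($_.Address) --Endpoint $($_.Endpoint) -v"
        }
    }
    Push-Location -LiteralPath $CafeDir   # step 1: run from the Cafe directory
    try {
        foreach ($item in $Plan) {
            & .\Vcac-Config.exe RegisterEndpoint --EndpointAddress $item.Address --Endpoint $item.Endpoint -v
            # Assumption: the tool signals failure with a non-zero exit code.
            # Stop at the first failure so later endpoints are not registered
            # against a half-updated component registry.
            if ($LASTEXITCODE -ne 0) {
                throw "RegisterEndpoint failed for '$($item.Endpoint)' (exit code $LASTEXITCODE)"
            }
        }
    }
    finally { Pop-Location }
}

# Dry run with the address from the guide's examples: prints the five commands.
Invoke-VcacEndpointRegistration -Plan (Get-VcacEndpointPlan -UiHost '192.168.1.1')
```

In a distributed environment, pass -RepoHost and -WapiHost (or the load balancer name) and repeat the run on each IaaS server whose certificate was updated.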

Configuring Windows Service to Access the IaaS Database

A system administrator can change the authentication method used to access the SQL database during runtime (after the installation is complete). By default, the Windows identity of the currently logged on account is used to connect to the database after it is installed.

Enable IaaS Database Access from the Service User

If the SQL database is installed on a separate host from the Manager Service, database access from the Manager Service must be enabled. If the user name under which the Manager Service will run is the owner of the database, no action is required. If the user is not the owner of the database, the system administrator must grant access.

Prerequisites

- “Choosing an IaaS Database Scenario,” on page 63.

- Verify that the user name under which the Manager Service will run is not the owner of the database.

Procedure

1 Navigate to the Database subdirectory within the directory where you extracted the installation zip archive.

2 Extract the DBInstall.zip archive to a local directory.

3 Log in to the database host as a user with the sysadmin role in the SQL Server instance.

4 Edit VMPSOpsUser.sql and replace all instances of $(Service User) with the user (from Step 3) under which the Manager Service will run.

Do not replace ServiceUser in the line ending with WHERE name = N'ServiceUser').

5 Open SQL Server Management Studio.

6 Select the database (vCAC by default) in Databases in the left-hand pane.

7 Click New Query.

The SQL Query window opens in the right-hand pane.

8 Paste the modified contents of VMPSOpsUser.sql into the query window.

9 Click Execute.

Database access is enabled from the Manager Service.


Configure the Windows Services Account to Use SQL Authentication

By default, the Windows services account accesses the database during run-time, even if you created the database using SQL authentication. A system administrator can change the run-time authentication method from Windows to SQL when the database is on an untrusted domain, for example.

Prerequisites

“Choosing an IaaS Database Scenario,” on page 63.

Procedure

1 Log in to the Manager Service host as a local user with administrator privileges.

2 Stop the vCloud Automation Center service.

3 Navigate to the Server directory.

C:\Program Files (x86)\VMware\vCAC\Server\

4 Open the ManagerService.exe.config file in a text editor.

5 In the connectionStrings section and the serviceConfiguration serviceURI section, replace Integrated Security=True with User Id=DATABASE_USER;Password=DATABASE_PASSWORD.

6 Save and close the file.

7 Navigate to C:\Program Files (x86)\VMware\vCAC\Server\Model Manager Web\.

8 Open the Web.config file in a text editor.

9 Locate the repository server section.

<repository server="localhost" database="vCAC" store="https://vcac.example.com/" />

10 Add the database user command.

user=DATABASE_USER password=DATABASE_PASSWORD. For example:

<repository server="localhost" database="vCAC" user="sqlUser" password="sqlPassword" store="https://vcac.example.com/" />

11 Save and close the file.

12 Start the vCloud Automation Center Service.

SQL server authentication is now in use at run-time.

What to do next

Restart Internet Information Service.
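The two file edits in steps 5 and 10 can be scripted so that each file is backed up first and a file that does not contain the expected text is left untouched. The following PowerShell is an added example, not VMware's code: the function names and the sample file contents are constructed, and only the attribute names and the Integrated Security=True text come from the procedure above.

```powershell
# Added example, not part of the VMware guide. Function names and the sample
# file contents are constructed for illustration.

function Assert-SafeValue {
    param([string]$Value, [string]$What)
    # A ';' or a quote would change the meaning of the connection string.
    if ([string]::IsNullOrEmpty($Value) -or $Value -match '[;"'']') {
        throw "$What is empty or contains ';' or a quote character"
    }
}

# Step 5: swap Windows authentication for SQL authentication in ManagerService.exe.config.
function Set-ManagerServiceSqlAuth {
    param([string]$Path, [string]$DbUser, [string]$DbPassword)
    Assert-SafeValue $DbUser 'User name'
    Assert-SafeValue $DbPassword 'Password'
    $old = 'Integrated Security=True'
    # The text lands inside an XML attribute, so escape &, < and > in the values.
    $u   = [System.Security.SecurityElement]::Escape($DbUser)
    $p   = [System.Security.SecurityElement]::Escape($DbPassword)
    $new = "User Id=$u;Password=$p"
    $text = [System.IO.File]::ReadAllText($Path)
    $hits = [regex]::Matches($text, [regex]::Escape($old)).Count
    if ($hits -eq 0) { throw "'$old' not found in $Path; file left unchanged" }
    Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force   # keep the Windows-auth version
    # String.Replace is literal, so a '$' in the password is not read as a regex group.
    [System.IO.File]::WriteAllText($Path, $text.Replace($old, $new))
    $hits   # number of connection strings changed
}

# Step 10: add user and password attributes to the <repository> element in Web.config.
function Set-RepositorySqlAuth {
    param([string]$Path, [string]$DbUser, [string]$DbPassword)
    Assert-SafeValue $DbUser 'User name'
    Assert-SafeValue $DbPassword 'Password'
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true          # keep the file's existing layout
    $xml.Load($Path)
    $nodes = $xml.SelectNodes('//repository')
    if ($nodes.Count -eq 0) { throw "No <repository> element in $Path; file left unchanged" }
    Copy-Item -LiteralPath $Path -Destination "$Path.bak" -Force
    foreach ($node in $nodes) {
        $node.SetAttribute('user', $DbUser)          # the XML writer escapes the values
        $node.SetAttribute('password', $DbPassword)
    }
    $xml.Save($Path)
    $nodes.Count
}

# Constructed sample files in a temporary directory; on a real host the paths are
# the ones named in steps 3 and 7, and the service is stopped first (step 2).
$dir = Join-Path ([System.IO.Path]::GetTempPath()) 'vcac-sqlauth-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$svc = Join-Path $dir 'ManagerService.exe.config'
$web = Join-Path $dir 'Web.config'
Set-Content -LiteralPath $svc -Value '<configuration><connectionStrings><add name="sample" connectionString="Data Source=localhost;Initial Catalog=vCAC;Integrated Security=True" /></connectionStrings></configuration>'
Set-Content -LiteralPath $web -Value '<configuration><repository server="localhost" database="vCAC" store="https://vcac.example.com/" /></configuration>'

Set-ManagerServiceSqlAuth -Path $svc -DbUser 'sqlUser' -DbPassword 'sqlPassword'
Set-RepositorySqlAuth     -Path $web -DbUser 'sqlUser' -DbPassword 'sqlPassword'
Get-Content -LiteralPath $svc, $web
```

After this change both files, and their .bak copies' successors on later edits, hold the SQL password in clear text, so confirm that only administrators and the service account can read the Server and Model Manager Web directories.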


6 Installing Agents

vCloud Automation Center uses agents to integrate with external systems. A system administrator installs agents that communicate with virtualization platforms.

vCloud Automation Center uses the following types of agents to manage external systems:

- Hypervisor proxy agents (vSphere, Citrix Xen Servers and Microsoft Hyper-V servers)

- External provisioning infrastructure (EPI) integration agents

- Virtual Desktop Infrastructure (VDI) agents

- Windows Management Instrumentation (WMI) agents

In a complete installation, you have the option to install a vSphere agent. You can also add other agents (including additional vSphere agents) after the installation.

In a distributed installation, you can install as many agents as you want. The agents you install depend on the resources in your infrastructure.

This chapter includes the following topics:

- “Set the PowerShell Execution Policy to RemoteSigned,” on page 89

- “Choosing the Agent Installation Scenario,” on page 90

- “Agent Installation Location and Requirements,” on page 90

- “Installing and Configuring the Proxy Agent for vSphere,” on page 90

- “Installing the Proxy Agent for Hyper-V or XenServer,” on page 94

- “Installing the VDI Agent for XenDesktop,” on page 97

- “Installing the EPI Agent for Citrix,” on page 99

- “Installing the EPI Agent for Visual Basic Scripting,” on page 101

- “Installing the WMI Agent for Remote WMI Requests,” on page 103

Set the PowerShell Execution Policy to RemoteSigned

You must set the PowerShell Execution Policy from Restricted to RemoteSigned or Unrestricted to allow local PowerShell scripts to be run.

Prerequisites

- Log in as a Windows administrator.

- Microsoft PowerShell must be installed on the installation host before agent installation. The version required depends on the operating system of the installation host. See Microsoft Help and Support.


- For more information about PowerShell Execution Policy, run help about_signing or help Set-ExecutionPolicy at the PowerShell command prompt.

Procedure

1 Select Start > All Programs > Windows PowerShell version > Windows PowerShell.

2 For Remote Signed, run Set-ExecutionPolicy RemoteSigned.

3 For Unrestricted, run Set-ExecutionPolicy Unrestricted.

4 Verify that the command did not produce any errors.

5 Type Exit at the PowerShell command prompt.
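Step 4 is easier to confirm by checking the effective policy per scope, because a policy set at a higher-precedence scope (Group Policy, the current process, or the current user) overrides a LocalMachine setting without producing an error. The following PowerShell is an added example, not VMware's code; the function names and the sample data are constructed, and it chooses RemoteSigned, the more restrictive of the two values this procedure allows.

```powershell
# Added example, not part of the VMware guide. Function names are hypothetical.

# Policies under which unsigned local scripts run. AllSigned is excluded because
# it also requires a signature on local scripts.
$AllowsLocalScripts = @('RemoteSigned', 'Unrestricted', 'Bypass')

function Get-PolicyAction {
    param([Parameter(Mandatory = $true)][object[]]$PolicyList)   # from Get-ExecutionPolicy -List

    # Scope precedence, highest first; the first scope that is not Undefined wins.
    $order = 'MachinePolicy', 'UserPolicy', 'Process', 'CurrentUser', 'LocalMachine'
    foreach ($scope in $order) {
        $entry = $PolicyList | Where-Object { "$($_.Scope)" -eq $scope } | Select-Object -First 1
        if (-not $entry) { continue }
        $policy = "$($entry.ExecutionPolicy)"
        if ($policy -eq 'Undefined') { continue }
        if ($AllowsLocalScripts -contains $policy) { return 'NoChange' }
        if ($scope -eq 'LocalMachine') { return 'SetLocalMachine' }
        # A restrictive Group Policy setting cannot be changed with Set-ExecutionPolicy.
        if ($scope -like '*Policy') { return 'BlockedByGroupPolicy' }
        return "OverriddenBy$scope"
    }
    'SetLocalMachine'   # nothing is defined anywhere, so set the policy explicitly
}

function Set-AgentHostExecutionPolicy {
    # Requires an elevated PowerShell session (see the prerequisites).
    $action = Get-PolicyAction -PolicyList (Get-ExecutionPolicy -List)
    if ($action -eq 'SetLocalMachine') {
        # RemoteSigned rather than Unrestricted: scripts downloaded from the
        # Internet still need a trusted signature before they run.
        Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force
    }
    # Report the effective policy afterwards, not just the absence of errors.
    [pscustomobject]@{ Action = $action; Effective = (Get-ExecutionPolicy) }
}

# Constructed sample: Group Policy enforces AllSigned while LocalMachine is
# already RemoteSigned, so a local change would not help on this host.
$sample = @(
    [pscustomobject]@{ Scope = 'MachinePolicy'; ExecutionPolicy = 'AllSigned' }
    [pscustomobject]@{ Scope = 'UserPolicy';    ExecutionPolicy = 'Undefined' }
    [pscustomobject]@{ Scope = 'Process';       ExecutionPolicy = 'Undefined' }
    [pscustomobject]@{ Scope = 'CurrentUser';   ExecutionPolicy = 'Undefined' }
    [pscustomobject]@{ Scope = 'LocalMachine';  ExecutionPolicy = 'RemoteSigned' }
)
Get-PolicyAction -PolicyList $sample
```

On the agent host, run Set-AgentHostExecutionPolicy from the elevated session opened in step 1.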

Choosing the Agent Installation Scenario

The agents you need to install depend on the external systems you plan to integrate.

Table 6‑1. Choosing an Agent Scenario

Integration Scenario | Agent Requirements and Procedures

Provisioning with vSphere | “Installing and Configuring the Proxy Agent for vSphere,” on page 90

Provisioning with Hyper-V | “Installing the Proxy Agent for Hyper-V or XenServer,” on page 94

Provisioning with XenServer | “Installing the Proxy Agent for Hyper-V or XenServer,” on page 94; “Installing the EPI Agent for Citrix,” on page 99

Provisioning with XenDesktop | “Installing the VDI Agent for XenDesktop,” on page 97; “Installing the EPI Agent for Citrix,” on page 99

Running Visual Basic scripts during provisioning | “Installing the EPI Agent for Visual Basic Scripting,” on page 101

Collect data from Windows machines using WMI | “Installing the WMI Agent for Remote WMI Requests,” on page 103

If the virtual provisioning platform you want to use is not on this list, it does not require an agent. Cloud and physical provisioning do not require agents.

Agent Installation Location and Requirements

A system administrator typically installs the agents on the vCloud Automation Center server that hosts the active Manager Service component.

If an agent is installed on another host, the network configuration must allow communication between the agent and Manager Services installation machine.

Each agent is installed under a unique name in its own directory, Agents\agentname, under the vCloud Automation Center installation directory (typically Program Files (x86)\VMware\vCAC), with its configuration stored in the file VRMAgent.exe.config in that directory.

Installing and Configuring the Proxy Agent for vSphere

A system administrator installs proxy agents to communicate with vSphere server instances. The agents discover available work, retrieve host information, and report completed work items and other host status changes.


vSphere Agent Requirements

Credentials under which the agent service runs must have administrative access to the installation host.

When creating the endpoint representing the vCenter Server instance to be managed by a vSphere agent, the agent can use the credentials the service is running under to interact with the vCenter Server or specify separate endpoint credentials.

This table shows the detailed permissions the vSphere endpoint credentials must have to manage a vCenter Server instance.

Table 6‑2. Permissions Required for vSphere Agent to Manage vCenter Server Instance

Attribute Value | Permission

Global | Manage Custom Attributes; Set Custom Attribute

Folder | Create Folder; Delete Folder

Datastore | Allocate Space; Browse Datastore

Virtual Machine, Inventory | Create from existing; Create New; Move; Remove

Virtual Machine, Interaction | Power On; Power Off; Suspend; Reset; Device Connection; Configure CD Media; Tools Install; Console Interaction

Virtual Machine, Configuration | Rename; Add Existing Disk; Add New Disk; Remove Disk; Change CPU Count; Memory; Add or Remove Device; Settings; Change Resource; Advanced; Swapfile Placement; Modify Device Settings; Disk Change Tracking; Set Annotation (5.0 and 5.1 only)

Virtual Machine, Provisioning | Customize; Clone Template; Clone Virtual Machine; Deploy Template; Read Customization Specs

Virtual Machine, State | Create Snapshot; Remove Snapshot; Revert to Snapshot

Resource | Assign VM to Res Pool; Migrate Powered Off Virtual Machine; Migrate Powered On Virtual Machine

Permissions | Modify Permission

Network | Assign Network

Disable or reconfigure any third-party software that might change the power state of virtual machines outside of vCloud Automation Center. Such changes can interfere with the management of the machine life cycle by vCloud Automation Center.

Install the vSphere Agent

The vSphere agent manages vCenter Server instances. An administrator typically installs the agent on the same machine that hosts the Manager Service component.

Prerequisites

- The IaaS components, including the Manager Service and Website, are installed.

- Verify that you have satisfied all the “vSphere Agent Requirements,” on page 91.

- If you already created a vSphere endpoint for use with this agent, make a note of the endpoint name.

- “Download the IaaS Installer,” on page 66.

Procedure

1 Right-click the [email protected] setup file that you downloaded and select Run as administrator.

If you see a Microsoft .NET 4.5 missing prompt, navigate to the fully configured vCloud Automation Center Appliance at https://vcac-va-hostname.domain.name, select the .NET installer link and restart the machine. Begin this procedure again.

2 Click Next.

3 Accept the license agreement and click Next.

4 Type the administrator credentials for the vCloud Automation Center Appliance on the Log In page and click Next.

The user name is root and the password is the password that you specified when you deployed the vCloud Automation Center Appliance.

5 Click Next.


6 Select Custom Install on the Installation Type page.

7 Select Proxy Agents on the Installation Type page.

8 Accept the root install location or click Change and select an installation path.

9 Click Next.

10 Type the user name and password for the Windows services user with sysadmin privileges on the installation machine.

11 Click Next.

12 Select vSphere from the Agent type list.

13 Type a unique identifier for this agent in the Agent name text box.

Maintain a record of each agent's name, credentials, and platform instance for use when adding hosts in the future. Agent names cannot be duplicated unless the agent configurations are identical.

14 Type the fully qualified domain name and port number, if you are not using the default 443 port, of the machine where you installed the Manager Service component.

For example, hostname.domain.name:444

15 Type the fully qualified domain name and the port number, if you are not using the default 443 port, of the machine where you installed the Manager Website component.

For example, hostname.domain.name:444

16 Click Test to verify connectivity to each host.

17 Type the name of the Endpoint.

If you have already created a vSphere endpoint for use with this agent, the endpoint name must match exactly. If you have not yet created an endpoint, make note of the name.

18 Click Add.

19 Click Next.

20 Click Install to begin the installation.

After several minutes a success message appears.

21 Click Next.

22 Click Finish.

What to do next

“Configure the vSphere Agent,” on page 93.

Configure the vSphere Agent

A system administrator can modify proxy agent configuration settings, such as provisioning machine credentials and deletion policy for virtualization platforms, after installation. The proxy agent utility can be used to modify the initial configurations that are encrypted in the agent configuration file. The system administrator can also use the utility to change the machine deletion policy for virtualization platforms.

Prerequisites

Log in as a system administrator to the machine where you installed the agent.

Procedure

1 Open a Windows command console as administrator.


2 Change to the agents installation directory, where agent_name is the directory that contains the proxy agent, which is also the name under which the agent was installed.

cd Program Files (x86)\VMware\vCAC\Agents\agent_name

3 View the current configuration settings.

Type DynamicOps.Vrm.VRMencrypt.exe VRMAgent.exe.config get

The following is an example of the output of the command:

managementEndpointName: VCendpoint

doDeletes: True

4 To change one of the properties, type the set command, where property is one of the options shown in the table.

DynamicOps.Vrm.VRMencrypt.exe VRMAgent.exe.config set property value

If you omit value, the utility prompts you for a new value.

Property | Description

managementEndpointName | The name of the generic endpoint for which the agent was configured at installation. Changing this property renames the generic endpoint within vCloud Automation Center rather than changing endpoints.

doDeletes | Determines whether machines are deleted from vCenter Server when destroyed in vCloud Automation Center, or instead moved to the VRMDeleted folder.

5 Navigate to Start > Administrative Tools > Services and restart the vCloud Automation Center Agent – agentname service.

Example: Place Destroyed Machines in a Folder

Type the following command to change deletion settings such that destroyed machines are placed in a vCenter Server folder, VRMDeleted, instead of immediately deleting them in the vCenter Server (the default).

DynamicOps.Vrm.VRMencrypt.exe VRMAgent.exe.config set doDeletes false

Installing the Proxy Agent for Hyper-V or XenServer

A system administrator installs proxy agents to communicate with Hyper-V and XenServer server instances. The agents discover available work, retrieve host information, and report completed work items and other host status changes.

Hyper-V and XenServer Requirements

Hypervisor proxy agents require system administrator credentials for installation.

The credentials under which to run the agent service must have administrative access to the installation host.

Administrator-level credentials are required for all XenServer or Hyper-V instances on the hosts to be managed by the agent.


If you are using Xen pools, all nodes within the Xen pool must be identified by their fully qualified domain names. vCloud Automation Center cannot communicate with or manage any node that is not identified by its fully qualified domain name within the Xen pool.

NOTE By default, Hyper-V is not configured for remote management. A vCloud Automation Center Hyper-V proxy agent cannot communicate with a Hyper-V server unless remote management has been enabled.

To configure Hyper-V for remote management, see the Microsoft documentation.

Install the Hyper-V or XenServer Agent

The Hyper-V agent manages Hyper-V server instances. The XenServer agent manages XenServer server instances.

Make sure that you note the Agent name from step 7. Give this name to the IaaS Administrator who configures endpoints. The endpoint must be linked to the agent that was configured for it to enable access and data collection.

Prerequisites

- The IaaS components, including the Manager Service and Website, are installed.

- Verify that you have satisfied all the “Hyper-V and XenServer Requirements,” on page 94.

- “Download the IaaS Installer,” on page 66.

Procedure

1 Right-click the [email protected] setup file that you downloaded and select Run as administrator.

If you see a Microsoft .NET 4.5 missing prompt, navigate to the fully configured vCloud Automation Center Appliance at https://vcac-va-hostname.domain.name, select the .NET installer link and restart the machine. Begin this procedure again.

2 Click Next.

3 Accept the license agreement and click Next.

4 Type the administrator credentials for the vCloud Automation Center Appliance on the Log In page and click Next.

The user name is root and the password is the password that you specified when you deployed the vCloud Automation Center Appliance.

5 Click Next.

6 Select Custom Install on the Installation Type page.

7 Select Proxy Agents on the Installation Type page.

8 Accept the root install location or click Change and select an installation path.

9 Click Next.

10 Type the user name and password for the Windows services user with sysadmin privileges on the installation machine.

11 Click Next.

12 Select the agent from the Agent type list.

- Xen

- Hyper-V


13 Type a unique identifier for this agent in the Agent name text box.

Maintain a record of each agent's name, credentials, and platform instance for use when adding hosts in the future. Agent names cannot be duplicated unless the agent configurations are identical.

14 Type the fully qualified domain name and port number, if you are not using the default 443 port, of the machine where you installed the Manager Service component.

For example, hostname.domain.name:444

15 Type the fully qualified domain name and the port number, if you are not using the default 443 port, of the machine where you installed the Manager Website component.

For example, hostname.domain.name:444

16 Click Test to verify connectivity to each host.

17 Type the credentials of a user with administrative-level permissions on the managed server instance.

18 Click Add.

19 Click Next.

20 Click Install to begin the installation.

After several minutes a success message appears.

21 Click Next.

22 Click Finish.

What to do next

“Configure the Hyper-V or XenServer Agent,” on page 96.

Configure the Hyper-V or XenServer Agent

A system administrator can modify proxy agent configuration settings, such as deletion policy for virtualization platforms, after installation. The proxy agent utility can be used to modify the initial configurations that are encrypted in the agent configuration file.

Prerequisites

Log in as a system administrator to the machine where you installed the agent.

Procedure

1 Change to the agents installation directory, where agent_name is the directory containing the proxy agent, which is also the name under which the agent was installed.

cd Program Files (x86)\VMware\vCAC\Agents\agent_name

2 View the current configuration settings.

Type DynamicOps.Vrm.VRMencrypt.exe VRMAgent.exe.config get

The following is an example of the output of the command:

Username: XSadmin

3 Type the set command to change a property, where property is one of the options shown in the table.

DynamicOps.Vrm.VRMencrypt.exe VRMAgent.exe.config set property value

If you omit value, the utility prompts you for a new value.


Property | Description

username | The username representing administrator-level credentials for the XenServer or Hyper-V server the agent communicates with.

password | The password for the administrator-level username.

4 Click Start > Administrative Tools > Services and restart the vCloud Automation Center Agent – agentname service.

Example: Change Administrator-Level Credentials

Type the following command to change the administrator-level credentials for the virtualization platform specified during the agent installation.

DynamicOps.Vrm.VRMencrypt.exe VRMAgent.exe.config set username jsmith

DynamicOps.Vrm.VRMencrypt.exe VRMAgent.exe.config set password

Installing the VDI Agent for XenDesktop

vCloud Automation Center uses Virtual Desktop Integration (VDI) PowerShell agents to register the XenDesktop machines it provisions with external desktop management systems.

The VDI integration agent provides the owners of registered machines with a direct connection to the XenDesktop Web Interface. A VDI agent can be installed as a dedicated agent to interact with a single Desktop Delivery Controller (DDC) or as a general agent that can interact with multiple DDCs.

XenDesktop Requirements

A system administrator installs a Virtual Desktop Infrastructure (VDI) agent to integrate XenDesktop servers into vCloud Automation Center.

You can install a general VDI agent to interact with multiple servers. If you are installing one dedicated agent per server for load balancing or authorization reasons, you must provide the name of the XenDesktop DDC server when installing the agent. A dedicated agent can handle only registration requests directed to the server specified in its configuration.

Consult the vCloud Automation Center Support Matrix on the VMware web site for information on supported versions of XenDesktop for XenDesktop DDC servers.

Installation Host and Credentials

The credentials under which the agent runs must have administrative access to all XenDesktop DDC servers with which it interacts.

XenDesktop Requirements

The name given to the XenServer Host on your XenDesktop server must match the UUID of the Xen Pool in XenCenter. See “Set the XenServer Host Name,” on page 98 for more information.

Each XenDesktop DDC server with which you intend to register machines must be configured in the following way:

- The group/catalog type must be set to Existing for use with vCloud Automation Center.

- The name of a vCenter Server host on a DDC server must match the name of the vCenter Server instance as entered in the vCloud Automation Center vSphere endpoint, without the domain. For example, if the address in the endpoint is https://virtual-center27.domain/sdk, the name of the host on the DDC server must be set to virtual-center27.


XenDesktop Agent Host Requirements

Citrix XenDesktop SDK must be installed. The SDK for XenDesktop is included on the XenDesktop installation disc.

Microsoft PowerShell must be installed on the installation host before agent installation. The version required depends on the operating system of the installation host. See Microsoft Help and Support.

MS PowerShell Execution Policy must be set to RemoteSigned or Unrestricted. See “Set the PowerShell Execution Policy to RemoteSigned,” on page 89.

For more information about PowerShell Execution Policy, run help about_signing or help Set-ExecutionPolicy at the PowerShell command prompt.

Set the XenServer Host Name

In XenDesktop, the name given to the XenServer Host on your XenDesktop server must match the UUID of the Xen Pool in XenCenter. If no XenPool is configured, it must match the UUID of the XenServer itself.

Procedure

1 In Citrix XenCenter, select your XenPool or standalone XenServer and click the General tab. Record the UUID.

2 When adding your XenServer Pool or standalone host to XenDesktop, type the UUID that was recorded in the previous step for the Connection name.

Install the XenDesktop Agent

Virtual desktop integration (VDI) PowerShell agents integrate with external virtual desktop systems, such as XenDesktop and Citrix. Use a VDI PowerShell agent to manage the XenDesktop machine.

Prerequisites

- The IaaS components, including the Manager Service and Website, are installed.

- Verify that you have satisfied all the “XenDesktop Requirements,” on page 97.

- “Download the IaaS Installer,” on page 66.

Procedure

1 Right-click the [email protected] setup file that you downloaded and select Run as administrator.

If you see a Microsoft .NET 4.5 missing prompt, navigate to the fully configured vCloud Automation Center Appliance at https://vcac-va-hostname.domain.name, select the .NET installer link and restart the machine. Begin this procedure again.

2 Click Next.

3 Accept the license agreement and click Next.

4 Type the administrator credentials for the vCloud Automation Center Appliance on the Log In page and click Next.

The user name is root and the password is the password that you specified when you deployed the vCloud Automation Center Appliance.

5 Click Next.

6 Select Custom Install on the Installation Type page.

7 Select Proxy Agents on the Installation Type page.


8 Accept the root install location or click Change and select an installation path.

9 Click Next.

10 Type the user name and password for the Windows services user with sysadmin privileges on the installation machine.

11 Click Next.

12 Select Vdi Power Shell from the Agent type list.

13 Type a unique identifier for this agent in the Agent name text box.

Maintain a record of each agent's name, credentials, and platform instance for use when adding hosts in the future. Agent names cannot be duplicated unless the agent configurations are identical.

14 Type the fully qualified domain name and port number, if you are not using the default 443 port, of the machine where you installed the Manager Service component.

For example, hostname.domain.name:444

15 Type the fully qualified domain name and the port number, if you are not using the default 443 port, of the machine where you installed the Manager Website component.

For example, hostname.domain.name:444

16 Click Test to verify connectivity to each host.

17 Select the VDI version.

18 Type the fully qualified domain name of the managed server in the VDI Server text box.

19 Click Add.

20 Click Next.

21 Click Install to begin the installation.

After several minutes a success message appears.

22 Click Next.

23 Click Finish.

Installing the EPI Agent for Citrix

External provisioning Integration (EPI) PowerShell agents integrate Citrix external machines into the provisioning process. The EPI agent provides on-demand streaming of the Citrix disk images from which the machines boot and run.

The dedicated EPI agent interacts with a single external provisioning server. You must install one EPI agent for each Citrix provisioning server instance.

Citrix Provisioning Server Requirements

A system administrator uses External Provisioning Infrastructure (EPI) agents to integrate Citrix provisioning servers and to enable the use of Visual Basic scripts in the provisioning process.

Installation Location and Credentials

Install the agent on the PVS host for Citrix Provisioning Services instances. Verify that the installation host meets “Citrix Agent Host Requirements,” on page 100 before you install the agent.


Although an EPI agent can generally interact with multiple servers, Citrix Provisioning Server requires a dedicated EPI agent. You must install one EPI agent for each Citrix Provisioning Server instance, providing the name of the server hosting it. The credentials under which the agent runs must have administrative access to the Citrix Provisioning Server instance.

Consult the vCloud Automation Center Support Matrix for information about supported versions of Citrix PVS.

Citrix Agent Host Requirements

PowerShell and Citrix Provisioning Services SDK must be installed on the installation host prior to agent installation. Consult the vCloud Automation Center Support Matrix on the VMware web site for details.

Microsoft PowerShell must be installed on the installation host before agent installation. The version required depends on the operating system of the installation host. See Microsoft Help and Support.

You must also ensure that the PowerShell Snap-In is installed. For more information, see the Citrix Provisioning Services PowerShell Programmer's Guide on the Citrix web site.

MS PowerShell Execution Policy must be set to RemoteSigned or Unrestricted. See “Set the PowerShell Execution Policy to RemoteSigned,” on page 89.

For more information about PowerShell Execution Policy, run help about_signing or help Set-ExecutionPolicy at the PowerShell command prompt.

Install the Citrix Agent

External provisioning integration (EPI) PowerShell agents integrate external systems into the machine provisioning process. Use the EPI PowerShell agent to integrate with Citrix provisioning server to enable provisioning of machines by on-demand disk streaming.

Prerequisites

- The IaaS components, including the Manager Service and Website, are installed.

- Verify that you have satisfied all the “Citrix Provisioning Server Requirements,” on page 99.

- “Download the IaaS Installer,” on page 66.

Procedure

1 Right-click the [email protected] setup file that you downloaded and select Run as administrator.

If you see a Microsoft .NET 4.5 missing prompt, navigate to the fully configured vCloud Automation Center Appliance at https://vcac-va-hostname.domain.name, select the .NET installer link and restart the machine. Begin this procedure again.

2 Click Next.

3 Accept the license agreement and click Next.

4 Type the administrator credentials for the vCloud Automation Center Appliance on the Log In page and click Next.

The user name is root and the password is the password that you specified when you deployed the vCloud Automation Center Appliance.

5 Click Next.

6 Select Custom Install on the Installation Type page.

7 Select Proxy Agents on the Installation Type page.

8 Accept the root install location or click Change and select an installation path.

9 Click Next.

10 Type the user name and password for the Windows services user with sysadmin privileges on the installation machine.

11 Click Next.

12 Select EPI Power Shell from the Agent type list.

13 Type a unique identifier for this agent in the Agent name text box.

Maintain a record of each agent's name, credentials, and platform instance for use when adding hosts in the future. Agent names cannot be duplicated unless the agent configurations are identical.

14 Type the fully qualified domain name and port number, if you are not using the default 443 port, of the machine where you installed the Manager Service component.

For example, hostname.domain.name:444

15 Type the fully qualified domain name and the port number, if you are not using the default 443 port, of the machine where you installed the Manager Website component.

For example, hostname.domain.name:444

16 Click Test to verify connectivity to each host.

17 Select the EPI type.

18 Type the fully qualified domain name of the managed server in the EPI Server text box.

19 Click Add.

20 Click Next.

21 Click Install to begin the installation.

After several minutes a success message appears.

22 Click Next.

23 Click Finish.

Installing the EPI Agent for Visual Basic Scripting

A system administrator can specify Visual Basic scripts as additional steps in the provisioning process before or after provisioning a machine, or when deprovisioning. To run Visual Basic scripts, an External Provisioning Integration (EPI) PowerShell agent must be installed.

Visual Basic scripts are specified in the blueprint from which machines will be provisioned. Such scripts have access to all of the custom properties associated with the machine and can update their values. The next step in the workflow then has access to these new values.

For example, you could use a script to generate certificates or security tokens before provisioning and use them in machine provisioning.

To enable scripts in provisioning, you must install a specific type of EPI agent and place the scripts you want to use on the system on which the agent is installed.

When executing a script, the EPI agent passes all machine custom properties as arguments to the script. To return updated property values, you must place these properties in a dictionary and call a vCloud Automation Center function. A sample script is included in the scripts subdirectory of the EPI agent installation directory. This script contains a header to load all arguments into a dictionary, a body in which you can include your function(s), and a footer to return updated custom properties values.

NOTE You can install multiple EPI/VBScripts agents on multiple servers and provision using a specific agent and the Visual Basic scripts on that agent’s host. If you need to do this, contact VMware customer support.

Visual Basic Scripting Requirements

A system administrator installs External Provisioning Infrastructure (EPI) agents to enable the use of Visual Basic scripts in the provisioning process.

The following table describes the requirements that apply to installing an EPI agent to enable the use of Visual Basic scripts in the provisioning process.

Table 6‑3. EPI Agents for Visual Scripting

| Requirement | Description |
| --- | --- |
| Credentials | Credentials under which the agent will run must have administrative access to the installation host. |
| Microsoft PowerShell | Microsoft PowerShell must be installed on the installation host prior to agent installation. The version required depends on the operating system of the installation host and might have been installed with that operating system. Visit http://support.microsoft.com for more information. |
| MS PowerShell Execution Policy | MS PowerShell Execution Policy must be set to RemoteSigned or Unrestricted. For information on PowerShell Execution Policy, issue one of the following commands at the PowerShell command prompt: help about_signing or help Set-ExecutionPolicy |

Install the Agent for Visual Basic Scripting

External provisioning integration (EPI) PowerShell agents integrate external systems into the machine provisioning process. Use an EPI agent to run Visual Basic Scripts as extra steps during the provisioning process.

Prerequisites

- The IaaS components, including the Manager Service and Website, are installed.

- Verify that you have satisfied all the “Visual Basic Scripting Requirements,” on page 102.

- “Download the IaaS Installer,” on page 66.

Procedure

1 Right-click the [email protected] setup file that you downloaded and select Run as administrator.

If you see a Microsoft .NET 4.5 missing prompt, navigate to the fully configured vCloud Automation Center Appliance at https://vcac-va-hostname.domain.name, select the .NET installer link and restart the machine. Begin this procedure again.

2 Click Next.

3 Accept the license agreement and click Next.

4 Type the administrator credentials for the vCloud Automation Center Appliance on the Log In page and click Next.

The user name is root and the password is the password that you specified when you deployed the vCloud Automation Center Appliance.

5 Click Next.

6 Select Custom Install on the Installation Type page.

7 Select Proxy Agents on the Installation Type page.

8 Accept the root install location or click Change and select an installation path.

9 Click Next.

10 Type the user name and password for the Windows services user with sysadmin privileges on the installation machine.

11 Click Next.

12 Select EPI Power Shell from the Agent type list.

13 Type a unique identifier for this agent in the Agent name text box.

Maintain a record of each agent's name, credentials, and platform instance for use when adding hosts in the future. Agent names cannot be duplicated unless the agent configurations are identical.

14 Type the fully qualified domain name and port number, if you are not using the default 443 port, of the machine where you installed the Manager Service component.

For example, hostname.domain.name:444

15 Type the fully qualified domain name and the port number, if you are not using the default 443 port, of the machine where you installed the Manager Website component.

For example, hostname.domain.name:444

16 Click Test to verify connectivity to each host.

17 Select the EPI type.

18 Type the fully qualified domain name of the managed server in the EPI Server text box.

19 Click Add.

20 Click Next.

21 Click Install to begin the installation.

After several minutes a success message appears.

22 Click Next.

23 Click Finish.

Installing the WMI Agent for Remote WMI Requests

A system administrator enables the Windows Management Instrumentation (WMI) protocol and installs the WMI agent on all managed Windows machines to enable management of data and operations. The agent is required to collect data from Windows machines, such as the Active Directory status of the owner of a machine.

Enable Remote WMI Requests on Windows Machines

To use WMI agents, remote WMI requests must be enabled on the managed Windows servers.

Procedure

1 In each domain that contains provisioned and managed Windows virtual machines, create an Active Directory group and add to it the service credentials of the WMI agents that execute remote WMI requests on the provisioned machines.

2 Enable remote WMI requests for the Active Directory groups containing the agent credentials on each Windows machine provisioned.

Install the WMI Agent

The Windows Management Instrumentation (WMI) agent enables data collection from Windows managed machines.

Prerequisites

- The IaaS components, including the Manager Service and Website, are installed.

- Verify that you have satisfied all the requirements, see “Enable Remote WMI Requests on Windows Machines,” on page 103.

- “Download the IaaS Installer,” on page 66.

Procedure

1 Right-click the [email protected] setup file that you downloaded and select Run as administrator.

If you see a Microsoft .NET 4.5 missing prompt, navigate to the fully configured vCloud Automation Center Appliance at https://vcac-va-hostname.domain.name, select the .NET installer link and restart the machine. Begin this procedure again.

2 Click Next.

3 Accept the license agreement and click Next.

4 Type the administrator credentials for the vCloud Automation Center Appliance on the Log In page and click Next.

The user name is root and the password is the password that you specified when you deployed the vCloud Automation Center Appliance.

5 Click Next.

6 Select Custom Install on the Installation Type page.

7 Select Proxy Agents on the Installation Type page.

8 Accept the root install location or click Change and select an installation path.

9 Click Next.

10 Type the user name and password for the Windows services user with sysadmin privileges on the installation machine.

11 Click Next.

12 Select WMI from the Agent type list.

13 Type a unique identifier for this agent in the Agent name text box.

Maintain a record of each agent's name, credentials, and platform instance for use when adding hosts in the future. Agent names cannot be duplicated unless the agent configurations are identical.

14 Type the fully qualified domain name and port number, if you are not using the default 443 port, of the machine where you installed the Manager Service component.

For example, hostname.domain.name:444

15 Type the fully qualified domain name and the port number, if you are not using the default 443 port, of the machine where you installed the Manager Website component.

For example, hostname.domain.name:444

16 Click Test to verify connectivity to each host.

17 Click Add.

18 Click Next.

19 Click Install to begin the installation.

After several minutes a success message appears.

20 Click Next.

21 Click Finish.

7 Troubleshooting

This information can be useful should you encounter any problems when installing or configuring vCloud Automation Center.

This chapter includes the following topics:

- “Log Locations”

- “Create a Support Bundle”

- “Installers Fail to Download”

- “Failed to Install Model Manager Data and Web Components”

- “Save Settings Warning Appears During IaaS Installation”

- “Rolling Back a Failed Installation”

- “Server Times Are Not Synchronized”

- “Encryption.key File has Incorrect Permissions”

- “Cannot Access https://vcac-va-hostname/shell-ui-app”

- “Error Communicating to the Remote Server”

- “Blank Pages when Using Internet Explorer 9 or 10 on Windows 7”

- “Cannot Establish Trust Relationship for the SSL/TLS Secure Channel”

- “SSO Configuration Fails for vCloud Automation Center Appliance”

- “Cannot Log in to a Tenant or Tenant Identity Stores Disappear”

Log Locations

Consult system and product log files for information on a failed installation.

The file paths shown are the default paths. If you installed IaaS in another directory, navigate to your custom installation directory instead.

Windows Logs

| Log | Location |
| --- | --- |
| Windows Event Viewer logs | Start > Control Panel > System and Maintenance > Administrative Tools > Event Viewer |

Installation Logs

| Log | Location |
| --- | --- |
| Installation Logs | %TEMP%\vCAC and C:\Program Files (x86)\VMware\vCAC\Server\ConfigTool\Log |
| WAPI Installation Logs | C:\Program Files (x86)\VMware\vCAC\Web API\ConfigTool\Log, filename WapiConfiguration-<XXX> |

IaaS Logs

| Log | Default Location |
| --- | --- |
| Website Logs | C:\Program Files (x86)\VMware\vCAC\Server\Website\Logs |
| Repository Log | C:\Program Files (x86)\VMware\vCAC\Server\Model Manager Web\Logs |
| Manager Service Logs | C:\Program Files (x86)\VMware\vCAC\Server\Logs |
| Orchestrator Logs | C:\Program Files (x86)\VMware\vCAC\Distributed Execution Manager\DEO\Logs |
| Agent Logs | C:\Program Files (x86)\VMware\vCAC\Agents\agent_name\logs |

Identity Appliance

You can generate a complete log file by creating a support bundle. See “Create a Support Bundle,” on page 108.

vCloud Automation Center Framework Logs

| Log | Default location |
| --- | --- |
| Framework Logs | /var/log/vmware |

Create a Support Bundle

A root user can create a support bundle in the vCloud Automation Center Appliance management console. This bundle can help support staff to identify problems.

Procedure

1 Navigate to the vCloud Automation Center Appliance management console by using its fully qualified domain name, https://vcac-va-hostname.domain.name:5480/.

2 Log in and navigate to vCAC Settings > Logs.

3 Click Create support bundle.

4 Click Download and save the file on your system.

Installers Fail to Download

Installers fail to download from the vCloud Automation Center Appliance.

Problem

Installers do not download when running setup__vcac-va-hostname.domain.name.exe.

Cause

- Network connectivity issues when connecting to the vCloud Automation Center Appliance machine.

- Not able to connect to the vCloud Automation Center Appliance machine because the machine cannot be reached or it cannot respond before the connection times out.

Solution

1 Check that you can connect to the vCloud Automation Center Appliance by typing the following URL in a web browser.

https://vcac-va-hostname.domain.name

2 Check the other vCloud Automation Center Appliance troubleshooting topics.

3 Download the setup file and try again.

Failed to Install Model Manager Data and Web Components

The IaaS installer failed to save the Model Manager Data and Web components.

Problem

The IaaS installer failed to save the Model Manager Data and Web components.

Cause

- Connectivity issues to the vCloud Automation Center Appliance or the Identity Appliance or connectivity issues between the appliances. A connection attempt fails because there was no response or the connection could not be made.

- Trusted certificate issues in IaaS when using a distributed configuration.

- Trusted certificate issues between the vCloud Automation Center Appliance and the Identity Appliance.

- A certificate name mismatch in a distributed configuration.

- The certificate may be invalid or an error on the certificate chain might exist.

- Misconfiguration of the load balancer in a distributed configuration.

- Loopback problem.

- The Repository Service fails to start.

Solution

Connectivity: Check that you can connect to the vCloud Automation Center Appliance by typing the following URL in a web browser: https://vcac-va-hostname.domain.name.

Trusted certificate Issues: In IaaS run mmc.exe (Microsoft Management Console) and check that the certificate used in the installation has been added to the Trusted Root Certificate Store in the machine. Use the browser and check the https://<ip-web>/repository/data/MetaModel.svc and verify that you do not see certificate errors in your browser.

Certificate Name Mismatch: This error can occur when the certificate is issued to a particular name and a different name or IP address is used. The certificate name mismatch error can be suppressed during the installation by selecting Suppress certificate mismatch.

Invalid Certificate: Run mmc.exe (Microsoft Management Console) and check the certificate expiration date and status, and check the certificates in the certificate chain and make sure that the status of all the certificates in the chain is OK. You might have to import other certificates in the chain into the Trusted Root Certificate Store when using a Certificate hierarchy.

Repository Service: Check that the repository service is working. Use the browser and check that the https://<ip-web>/repository/data/MetaModel.svc is working ok. Check the Repository.log for errors. Reset IIS (iisreset) if you have problems with the applications hosted on the Web site (Repository, vCAC or WAPI). Check the web site logs in %SystemDrive%\inetpub\logs\LogFiles for additional logging information. Make sure that Prerequisite Checker passed when checking the requirements. On Windows 2012, check that WCF Services under .NET Framework 4.5 is installed and that HTTP activation is installed.

Loopback: To install the Model Manager Data Component in a load balancer environment, you must disable the Microsoft loop back check on the Model Manager machine. For more information, see the Microsoft support article at http://support.microsoft.com/KB/926642/EN-US.

Save Settings Warning Appears During IaaS Installation

Message appears during IaaS Installation. Warning: Could not save settings to the virtual appliance during IaaS installation.

Problem

An inaccurate error message indicating that user settings have not been saved appears during IaaS installation.

Cause

Communication or network problems can cause this message to appear erroneously.

Solution

Ignore the error message and proceed with the installation. This message should not cause the setup to fail.

Rolling Back a Failed Installation

When an installation fails and rolls back, the system administrator must verify that all required files have been uninstalled before starting another installation. Some files must be uninstalled manually.

Roll Back a Minimal Installation

A system administrator must manually remove some files and revert the database to completely uninstall a failed IaaS installation.

Procedure

1 If the following components are present, uninstall them with the Windows uninstaller.

- vCloud Automation Center Agents

- vCloud Automation Center DEM-Worker

- vCloud Automation Center DEM-Orchestrator

- vCloud Automation Center Server

- vCloud Automation Center WAPI

NOTE If you see the following message, restart the machine and then follow the steps in this procedure: Error opening installation log file. Verify that the specified log file location exists and it is writable

2 Revert your database to the state it was in before the installation was started. The method you use depends on the original database installation mode.

3 In IIS (Internet Information Services Manager) select Default Web Site (or your custom site) and click Bindings. Remove the https binding (defaults to 443).

4 Check that the Applications Repository, vCAC and WAPI have been deleted and that the application pools RepositoryAppPool, vCACAppPool, WapiAppPool have also been deleted.

The installation is completely removed.

Roll Back a Distributed Installation

A system administrator must manually remove some files and revert the database to completely uninstall a failed IaaS installation.

Procedure

1 If the following components are present, uninstall them with the Windows uninstaller.

- vCloud Automation Center Server

- vCloud Automation Center WAPI

NOTE If you see the following message, restart the machine and then follow this procedure: Error opening installation log file. Verify that the specified log file location exists and it is writable.

2 Revert your database to the state it was in before the installation was started. The method you use depends on the original database installation mode.

3 In IIS (Internet Information Services Manager) select the Default Web Site (or your custom site) and click Bindings. Remove the https binding (defaults to 443).

4 Check that the Applications Repository, vCAC and WAPI have been deleted and that the application pools RepositoryAppPool, vCACAppPool, WapiAppPool have also been deleted.

Table 7‑1. Roll Back Failure Points

| Failure Point | Action |
| --- | --- |
| Installing Manager Service | If present, uninstall vCloud Automation Center Server. |
| Installing DEM-Orchestrator | If present, uninstall vCloud Automation Center DEM Orchestrator. |
| Installing DEM-Worker | If present, uninstall VMware vCloud Automation Center DEM-Worker. |
| Installing an Agent | If present, uninstall vCloud Automation Center Agents. |

Server Times Are Not Synchronized

An installation might not succeed when IaaS time servers are not synchronized with the vCloud Automation Center Appliance and the Identity Appliance.

Problem

You cannot log in after installation, or the installation fails while it is completing.

Cause

Time servers on all servers might not be synchronized.

Solution

For each server (Identity Appliance, vCloud Automation Center Appliance, and all Windows servers where the IaaS components will be installed), enable time synchronization as described in the following topics:

- “Enable Time Synchronization on the Identity Appliance,” on page 30

- “Enable Time Synchronization on the vCloud Automation Center Appliance,” on page 34

- “Enable Time Synchronization on the Windows Server,” on page 38

For an overview of timekeeping for vCloud Automation Center, see “Time Synchronization,” on page 28.

Encryption.key File has Incorrect Permissions

A system error can result when incorrect permissions are assigned to the Encryption.key file for a virtual appliance.

Problem

You log in to vCloud Automation Center Appliance and the Tenants page is displayed. After the page has begun loading, you see the message System Error.

Cause

The Encryption.key file has incorrect permissions or the group or owner user level is incorrectly assigned.

Solution

Prerequisites

Log in to the virtual appliance that displays the error.

NOTE If your virtual appliances are running under a load balancer, you must check each virtual appliance.

Procedure

1 View the log file /var/log/vcac/catalina.out and search for the message Cannot write to /etc/vcac/Encryption.key.

2 Go to the /etc/vcac/ directory and check the permissions and ownership for the Encryption.key file. You should see a line similar to the following one:

-rw------- 1 vcac vcac 48 Dec 4 06:48 encryption.key

Read and write permission is required and the owner and group for the file must be vcac.

3 If the output you see is different, change the permissions or ownership of the file as needed.

What to do next

Log in to the Tenant page to verify that you can log in without error.
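The check in steps 1 to 3 of the procedure above, written as a script. This is an added example, not VMware code: the function names are hypothetical, the expected mode 600 and the vcac owner and group are read from the listing shown in step 2, and `stat -c` assumes GNU coreutils on the appliance.

```shell
#!/bin/sh
# Added example (not from the VMware guide): audit Encryption.key as the
# procedure describes. Function names are hypothetical; stat -c is GNU stat.

KEY_ERROR='Cannot write to /etc/vcac/Encryption.key'   # message quoted in step 1

# Return 0 if the log file contains the write failure named in step 1.
log_has_key_write_error() {
    grep -qF "$KEY_ERROR" "$1"
}

# Compare a key file against the expected mode, owner and group.
# Prints one line per deviation.
# Returns 0 = as expected, 1 = deviation found, 2 = file missing or unreadable.
check_key_file() {
    key_file=$1
    want_owner=$2
    want_group=$3
    [ -f "$key_file" ] || { echo "missing: $key_file"; return 2; }
    state=$(stat -c '%a %U %G' "$key_file") || return 2
    mode=${state%% *}
    rest=${state#* }
    owner=${rest%% *}
    group=${rest#* }
    rc=0
    # -rw------- in the listing is mode 600: nothing for group or others.
    [ "$mode" = 600 ] || { echo "mode is $mode, expected 600"; rc=1; }
    [ "$owner" = "$want_owner" ] || { echo "owner is $owner, expected $want_owner"; rc=1; }
    [ "$group" = "$want_group" ] || { echo "group is $group, expected $want_group"; rc=1; }
    return $rc
}

# Stand-alone use, run on each appliance behind the load balancer:
#   sh check_key.sh /etc/vcac/Encryption.key /var/log/vcac/catalina.out
if [ $# -ge 1 ]; then
    if [ -n "${2:-}" ] && log_has_key_write_error "$2"; then
        echo "log reports: $KEY_ERROR"
    fi
    check_key_file "$1" vcac vcac && rc=0 || rc=$?
    case $rc in
        0) echo "OK: $1 is mode 600 and owned by vcac:vcac" ;;
        1) echo "Restore with: chown vcac:vcac $1 && chmod 600 $1" ;;
    esac
fi
```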

Cannot Access https://vcac-va-hostname/shell-ui-app

Your installation appears to have completed successfully, but you cannot log in.

Problem

You cannot access https://vcac-va-hostname/shell-ui-app.

Cause

Multiple conditions can prevent you from logging in to vCloud Automation Center console.

Solution

1 Navigate to the Identity Appliance management console by using its fully qualified domain name, https://identity-hostname.domain.name:5480/.

2 Log in and select System > Reboot to reboot the appliance.

3 Navigate to the vCloud Automation Center Appliance management console by using its fully qualified domain name, https://vcac-va-hostname.domain.name:5480/.

4 Log in and select System > Reboot to reboot the appliance.

NOTE You can also check the status of the services under the SSO tab in the vCloud Automation Center console or log in to the appliance and run tail -f /var/vcac/log/catalina.

Error Communicating to the Remote Server

An error message indicating a communication problem between the vCloud Automation Center Appliance and the Identity Appliance appears when a problem exists in Common Name.

Problem

Error Communicating to the Remote Server error message appears when you configure the SSO from the vCloud Automation Center Appliance management console, even when the configuration is correct and the virtual appliances are communicating successfully.

Cause

The Common Name or the alternative names in the Identity SSL certificate do not match the hostname in the SSO URL you entered in the vCloud Automation Center Appliance.

Solution

1 In the Identity Appliance management console, replace the SSL certificate, making sure you enter as common name exactly the same FQDN (no protocol or port included) as it is accessed from vCloud Automation Center Appliance.

2 Navigate to the Identity Appliance management console by using its fully qualified domain name, https://identity-hostname.domain.name:5480/.

3 Replace the SSL certificate and type the fully qualified domain name of the SSO host (as it is accessed from the vCloud Automation Center Appliance) in the Common Name text box.

Do not include the https:// prefix or the port number.

Blank Pages when Using Internet Explorer 9 or 10 on Windows 7

When you use Internet Explorer 9 or 10 on Windows 7 and compatibility mode is enabled, some pages appear to have no content.

Problem

When using Internet Explorer 9 or 10 on Windows 7, the following pages have no content:

- Infrastructure

- Default Tenant Folder on the Orchestration page

- Server Configuration on the Orchestration page

Cause

The problem could be related to compatibility mode being enabled. You can disable compatibility mode for Internet Explorer with the following steps.

Solution

Prerequisites

Ensure that the menu bar is displayed. If you are using Internet Explorer 9 or 10, press Alt to display the Menu bar (or right-click the Address bar and then select Menu bar).

Procedure

1 Select Tools > Compatibility View settings.

2 Deselect Display intranet sites in Compatibility View.

3 Click Close.

Cannot Establish Trust Relationship for the SSL/TLS Secure Channel

You might receive the message "Cannot establish trust relationship for the SSL/TLS secure channel" when upgrading security certificates for vCloud Automation Center.

Problem

If a certificate issue occurs with vcac-config.exe when upgrading a security certificate, you might see the following message:

The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel

You can find more information about the cause of the issue by using the following procedure.

Solution

1 Open the vcac-config.exe.config file and locate the repository address: <add key="repositoryAddress" value="https://[IaaS address]:443/repository/" />

2 Browse to the address with Internet Explorer.

3 Continue through any error messages about certificate trust issues.

4 Obtain a security report from Internet Explorer and use it to troubleshoot why this certificate is not trusted.

If problems persist, repeat the procedure by browsing with the address that needs to be registered (that is, the Endpoint address that you used to register with vcac-config.exe).

SSO Configuration Fails for vCloud Automation Center Appliance

Problem

SSO configuration fails with the following error: Error communicating to the remote server https://identity.different.fqdn:7444/... However, the host and port are correct and the connection between the two servers is working.

Cause

This error can occur when there is a mismatch between the common name or alternative name you specify for the Identity SSL certificate and the hostname for the SSO URL that you specified on the SSO tab in the vCloud Automation Center Appliance management console.

Solution

1 Navigate to the vCloud Automation Center Appliance management console by using its fully qualified domain name, https://vcac-va-hostname.domain.name:5480/.

2 Log in with user name root and the password you specified when the appliance was deployed.

3 Click the vCAC Settings tab.

4 Click SSO.

5 Note the name in the SSO Host and Port field.

6 Navigate to the Identity Appliance management console by using its fully qualified domain name, https://identity-hostname.domain.name:5480/.

7 Continue past the certificate warning.

8 Log in with user name root and the password you specified when the appliance was deployed.

9 Click the SSO tab.

10 Click SSL.

11 If the common name is different from the FQDN in the SSO Host and Port field for vCloud Automation Center Appliance, replace the certificate, using the FQDN for the common or alternative name. Do not include a port number.

12 Exit the management consoles.
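The comparison made in steps 5 and 11 can be scripted. The following is an added example, not VMware code: it takes the SSO Host and Port value and a certificate in the dictionary layout of Python's ssl.SSLSocket.getpeercert(), and reports whether a common or alternative name covers the host. The sample certificates and the mycompany.example names are constructed; the function names are this example's own.

```python
# Added example (not VMware code): does the Identity Appliance certificate
# cover the host name entered in the SSO Host and Port field?


def host_from_sso_field(value):
    """Return the lowercase host part of a value such as 'https://host.fqdn:7444/'."""
    value = value.strip()
    if "://" in value:
        value = value.split("://", 1)[1]
    value = value.split("/", 1)[0]
    if ":" in value:
        value = value.rsplit(":", 1)[0]   # drop the port, for example 7444
    return value.rstrip(".").lower()


def name_matches(cert_name, host):
    """Exact match, or a '*.' wildcard that covers exactly one left-most label."""
    cert_name = cert_name.rstrip(".").lower()
    if cert_name == host:
        return True
    if cert_name.startswith("*."):
        suffix = cert_name[1:]            # for example ".mycompany.example"
        if host.endswith(suffix):
            label = host[: -len(suffix)]
            return bool(label) and "." not in label
    return False


def check_sso_certificate(sso_field, cert):
    """Compare the SSO host with the certificate's common and alternative names.

    cert uses the dict layout of ssl.SSLSocket.getpeercert().
    """
    host = host_from_sso_field(sso_field)
    common_names = [v for rdn in cert.get("subject", ()) for k, v in rdn
                    if k == "commonName"]
    alt_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    names = alt_names + common_names
    problems = []
    matched = None
    for name in names:
        if ":" in name:
            # Step 11: the certificate name must not include a port number.
            problems.append("certificate name %r includes a port number" % name)
        elif matched is None and name_matches(name, host):
            matched = name
    if "." not in host:
        problems.append("SSO host %r is not a fully qualified domain name" % host)
    if matched is None:
        problems.append("no certificate name matches SSO host %r (certificate has: %s)"
                        % (host, ", ".join(names) or "no names"))
    return {"host": host, "matched_name": matched,
            "ok": matched is not None, "problems": problems}


# Constructed sample certificates in getpeercert() layout.
CERT_MISMATCH = {"subject": ((("commonName", "identity.mycompany.example"),),)}
CERT_WITH_PORT = {"subject": ((("commonName", "identity.different.fqdn:7444"),),)}
CERT_GOOD = {
    "subject": ((("commonName", "identity.different.fqdn"),),),
    "subjectAltName": (("DNS", "identity.different.fqdn"),
                       ("DNS", "*.mycompany.example")),
}

if __name__ == "__main__":
    sso_field = "https://identity.different.fqdn:7444/"
    for label, cert in (("mismatch", CERT_MISMATCH),
                        ("port in name", CERT_WITH_PORT),
                        ("good", CERT_GOOD)):
        result = check_sso_certificate(sso_field, cert)
        print(label, "->", "OK" if result["ok"] else "replace certificate")
        for problem in result["problems"]:
            print("   ", problem)
```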

Cannot Log in to a Tenant or Tenant Identity Stores Disappear

Ninety days after deployment, you cannot log in to a tenant or the identity store for a tenant disappears.

Problem

• When you log in to a tenant, you see a blank page displayed with a Submit button in the upper left-hand corner.

• You receive a System Exception error when accessing the tenant ID store configuration page.

• The ID store configuration disappears.

• You cannot log in to a tenant by using an LDAP account.

• The catalina.out log located in /var/log/vmware/vcac/ shows an error similar to the following:

12:40:49,190 [tomcat-http--34] [authentication] INFO com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl$RequestResponseProcessor.handleFaultCondition:922 - Failed trying to retrieve token: ns0:RequestFailed: Error occured looking for solution user :: Insufficient access

YYYY-03-18 12:40:49,201 [tomcat-http--34] [authentication] ERROR com.vmware.vcac.platform.service.rest.resolver.ApplicationExceptionHandler.handleUnexpectedException:820 - Failed trying to retrieve token: ns0:RequestFailed: Error occured looking for solution user :: Insufficient access com.vmware.vim.sso.client.exception.InternalError: Failed trying to retrieve token: ns0:RequestFailed: Error occured looking for solution user :: Insufficient access

• The Identity Appliance messages log located in /var/log/ shows an error message similar to the following:

T16:50:18-05:00 lsassd[2913]: GSSAPI Error: The referenced context has expired (Unknown error)

T08:34:41-06:00 vmdird: t@139870073485056: Lockout policy check - password expired. (cn=tenantadmin,cn=users,dc=tenant)

T11:58:03-06:00 lsassd[2943]: GSSAPI Error: The referenced context has expired (Unknown error)....

Account "cn=tenantadmin,cn=users,dc=qic" password expired and caused login/bind from IDM to fail.

YYYY-03-18T11:38:46-06:00 denqca3vcacid01 vmdird: t@140689332778752: LoginBlocked DN (cn=tenantadmin,cn=users,dc=tenant), error (9239)(Account access blocked)

Cause

The SSO internal tenant administrator password expires after 90 days by default. This issue is internal to vCloud Automation Center and does not affect external identity stores such as OpenLDAP or Active Directory.

It is a known issue that the vCloud Automation Center user interface does not provide notification that the tenant administrator password is expiring. The workaround for this issue is to disable password expiration for the tenant administrator account.

For step-by-step instructions to solve this issue, see the VMware knowledge base article at http://kb.vmware.com/kb/2075011.
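Because the user interface gives no warning, the log signatures listed under Problem are the practical way to recognize this condition. The following added example (not VMware code) scans lines from catalina.out and the Identity Appliance messages log for those signatures and reports which accounts are affected. The sample lines are constructed from the excerpts above, with a placeholder host name identity01 and one unrelated line; the function and indicator names are this example's own.

```python
# Added example (not VMware code): triage log lines for the signatures of an
# expired SSO tenant administrator password.
import re

# Signatures taken from the log excerpts quoted in this section.
INDICATORS = {
    "token_failure": re.compile(r"Failed trying to retrieve token: ns0:RequestFailed"),
    "password_expired": re.compile(r"password expired", re.IGNORECASE),
    "login_blocked": re.compile(r"LoginBlocked DN"),
    "gssapi_expired": re.compile(r"GSSAPI Error: The referenced context has expired"),
}

# A distinguished name wrapped in parentheses or double quotes.
DN_RE = re.compile(r'[("]((?:cn|uid)=[^()"]+)[)"]', re.IGNORECASE)

# Constructed sample input modeled on the excerpts above.
SAMPLE_LINES = [
    "12:40:49,190 [tomcat-http--34] [authentication] INFO "
    "com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl"
    "$RequestResponseProcessor.handleFaultCondition:922 - Failed trying to "
    "retrieve token: ns0:RequestFailed: Error occured looking for solution "
    "user :: Insufficient access",
    "T08:34:41-06:00 vmdird: t@139870073485056: Lockout policy check - "
    "password expired. (cn=tenantadmin,cn=users,dc=tenant)",
    "T11:58:03-06:00 lsassd[2943]: GSSAPI Error: The referenced context has "
    "expired (Unknown error)",
    "YYYY-03-18T11:38:46-06:00 identity01 vmdird: t@140689332778752: "
    "LoginBlocked DN (cn=tenantadmin,cn=users,dc=tenant), error (9239)"
    "(Account access blocked)",
    "12:41:02,000 [tomcat-http--35] [authentication] INFO request completed",
]


def triage(lines):
    """Count each signature and collect the accounts named beside them."""
    counts = {name: 0 for name in INDICATORS}
    accounts = {}
    for line in lines:
        hits = [name for name, rx in INDICATORS.items() if rx.search(line)]
        if not hits:
            continue
        for name in hits:
            counts[name] += 1
        for dn in DN_RE.findall(line):
            accounts.setdefault(dn.lower(), set()).update(hits)
    expired = sorted(dn for dn, seen in accounts.items()
                     if seen & {"password_expired", "login_blocked"})
    return {
        "counts": counts,
        "accounts": {dn: sorted(seen) for dn, seen in accounts.items()},
        "expired_accounts": expired,
        # True when at least one account shows an expired or blocked login.
        "matches_expiry_symptoms": bool(expired),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LINES)
    for name, count in report["counts"].items():
        print("%-17s %d" % (name, count))
    for dn in report["expired_accounts"]:
        print("expired or blocked:", dn)
```

To run it against real logs, pass the lines of /var/log/vmware/vcac/catalina.out and the Identity Appliance messages log to triage().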

8 Configuring Tenants

After installation, you must configure the default tenant or create additional tenants so other users can log in to the vCloud Automation Center console.

This chapter includes the following topics:

• Tenancy Overview

• Configure the Default Tenant

• Create and Configure a Tenant

Tenancy Overview

A tenant is an organizational unit in a vCloud Automation Center deployment. A tenant can represent a business unit in an enterprise or a company that subscribes to cloud services from a service provider.

Each tenant has its own dedicated configuration. Some system-level configuration is shared across tenants.

Table 8‑1. Tenant Configuration

Configuration Area: Description

Login URL: Each tenant has a unique URL to the vCloud Automation Center console.
• The default tenant URL is in the following format: https://hostname/shell-ui-app
• The URL for additional tenants is in the following format: https://hostname/shell-ui-app/org/tenantURL

Identity stores: Each tenant requires access to one or more directory services, such as OpenLDAP or Microsoft Active Directory servers, that are configured to authenticate users. You can use the same directory service for more than one tenant, but you must configure it separately for each tenant.

Branding: A tenant administrator can configure the branding of the vCloud Automation Center console including the logo, background color, and information in the header and footer. System administrators control the default branding for all tenants.

Notification providers: System administrators can configure global email servers that process email notifications. Tenant administrators can override the system default servers, or add their own servers if no global servers are specified.

Business policies: Administrators in each tenant can configure business policies such as approval workflows and entitlements. Business policies are always specific to a tenant.

Service catalog offerings: Service architects can create and publish catalog items to the service catalog and assign them to service categories. Services and catalog items are always specific to a tenant.

Infrastructure resources: The underlying infrastructure fabric resources, for example, vCenter servers, Amazon AWS accounts, or Cisco UCS pools, are shared among all tenants. For each infrastructure source that vCloud Automation Center manages, a portion of its compute resources can be reserved for users in a specific tenant to use.

About the Default Tenant

When the system administrator configures single sign-on during the installation of vCloud Automation Center, a default tenant is created with the built-in system administrator account to log in to the vCloud Automation Center console. The system administrator can then configure the default tenant and create additional tenants.

The default tenant supports all of the functions described in Tenant Configuration. In the default tenant, the system administrator can also manage system-wide configuration, including global system defaults for branding and notifications, and monitor system logs.

The default tenant is the only tenant that supports native Active Directory authentication. All other tenants must use Active Directory over LDAP or OpenLDAP.

User and Group Management

All user authentication is handled through single sign-on. Each tenant has one or more identity stores, such as Active Directory servers, that provide authentication.

The system administrator performs the initial configuration of single sign-on and basic tenant setup, including designating at least one identity store and a tenant administrator for each tenant. Thereafter, a tenant administrator can configure additional identity stores and assign roles to users or groups from the identity stores.

Tenant administrators can also create custom groups within their own tenant and add users and groups defined in the identity store to custom groups. Custom groups, like identity store groups and users, can be assigned roles or designated as the approvers in an approval policy.

Tenant administrators can also create business groups within their tenant. A business group is a set of users, often corresponding to a line of business, department or other organizational unit, that can be associated with a set of catalog services and infrastructure resources. Users, identity store groups, and custom groups can be added to business groups.

Comparison of Single-Tenant and Multitenant Deployments

vCloud Automation Center supports deployments with either a single tenant or multiple tenants. The configuration can vary depending on how many tenants are in your deployment.

System-wide configuration is always performed in the default tenant and can apply to one or more tenants. For example, system-wide configuration might specify defaults for branding and notification providers.

Infrastructure configuration, including the infrastructure sources that are available for provisioning, can be configured in any tenant and is shared among all tenants. The infrastructure resources, such as cloud or virtual compute resources or physical machines, can be divided into fabric groups managed by fabric administrators. The resources in each fabric group can be allocated to business groups in each tenant by using reservations.

Single-Tenant Deployment

In a single-tenant deployment, all configuration can occur in the default tenant. Tenant administrators can manage users and groups, configure tenant-specific branding, notifications, business policies, and catalog offerings.

All users log in to the vCloud Automation Center console at the same URL, but the features available to them are determined by their roles.

Figure 8‑1. Single-Tenant Example

[Figure not reproduced. Labels: Default Tenant (tenant config) at http://vcac.mycompany.com/shell-ui-app/ with tenant admin, business group managers and business groups (user management, tenant branding, tenant notification providers, approval policies, catalog management); Default Tenant (system and infrastructure config) at the same URL with system admin and IaaS admin (tenant creation, system branding, system notification providers, event logs); fabric admins with fabric groups and reservations; Infrastructure Fabric of hypervisors, public clouds, and physical servers.]

NOTE In a single-tenant scenario, it is common for the system administrator and tenant administrator roles to be assigned to the same person, but two distinct accounts exist. The system administrator account is always [email protected]. The tenant administrator must be a user in one of the tenant identity stores, such as [email protected].

Multitenant Deployment

In a multitenant environment, the system administrator creates tenants for each organization that uses the same vCloud Automation Center instance. Tenant users log in to the vCloud Automation Center console at a URL specific to their tenant. Tenant-level configuration is segregated from other tenants and from the default tenant. Users with system-wide roles can view and manage configuration across multiple tenants.

There are two main scenarios for configuring a multi-tenant deployment.

Table 8‑2. Multitenant Deployment Examples

Example: Description

Manage infrastructure configuration only in the default tenant: In this example, all infrastructure is centrally managed by IaaS administrators and fabric administrators in the default tenant. The shared infrastructure resources are assigned to the users in each tenant by using reservations.

Manage infrastructure configuration in each tenant: In this scenario, each tenant manages its own infrastructure and has its own IaaS administrators and fabric administrators. Each tenant can provide its own infrastructure sources or can share a common infrastructure. Fabric administrators manage reservations only for the users in their own tenant.

The following diagram shows a multitenant deployment with centrally managed infrastructure. The IaaS administrator in the default tenant configures all infrastructure sources that are available for all tenants. The IaaS administrator can organize the infrastructure into fabric groups according to type and intended purpose. For example, a fabric group might contain all virtual resources, or all Tier One resources. The fabric administrator for each group can allocate resources from their fabric groups. Although the fabric administrators exist only in the default tenant, they can assign resources to business groups in any tenant.

NOTE Some infrastructure tasks, such as importing virtual machines, can only be performed by a user with both the fabric administrator and business group manager roles. These tasks might not be available in a multitenant deployment with centrally managed infrastructure.

Figure 8‑2. Multitenant Example with Infrastructure Configuration Only in Default Tenant

[Figure not reproduced. Labels: Tenant A, Tenant B, and Tenant C, each with a tenant admin, business group managers and business groups, at http://vcac.mycompany.com/shell-ui-app/org/tenanta/, /org/tenantb/, and /org/tenantc/; Default Tenant (system and infrastructure config) at http://vcac.mycompany.com/shell-ui-app/ with system admin, IaaS admin, and fabric admins with fabric groups and reservations; Infrastructure Fabric of hypervisors, public clouds, and physical servers.]

The following diagram shows a multitenant deployment where each tenant manages their own infrastructure. The system administrator is the only user who logs in to the default tenant to manage system-wide configuration and create tenants.

Each tenant has an IaaS administrator, who can create fabric groups and appoint fabric administrators with their respective tenants. Although fabric administrators can create reservations for business groups in any tenant, in this example they typically create and manage reservations in their own tenants. If the same identity store is configured in multiple tenants, the same users can be designated as IaaS administrators or fabric administrators in each tenant.

Figure 8‑3. Multitenant Example with Infrastructure Configuration in Each Tenant

[Figure not reproduced. Labels: Tenant A, Tenant B, and Tenant C, each with a tenant admin, an IaaS admin, a fabric admin with a fabric group and reservations, and business group managers with business groups, at http://vcac.mycompany.com/shell-ui-app/org/tenanta/, /org/tenantb/, and /org/tenantc/; Default Tenant (system config) with system admin; Infrastructure Fabric of hypervisors, public clouds, and physical servers.]

Configure the Default Tenant

The default tenant is automatically created when you configure single sign-on. You cannot edit any of the tenant details, but you can configure identity stores and appoint administrators.

Prerequisites

Log in to the vCloud Automation Center console as a system administrator.

Procedure

1 Configure Identity Stores for the Default Tenant

Each tenant must be associated with at least one identity store. Identity stores can be OpenLDAP or Active Directory. For the default tenant, you can also use Active Directory in native mode.

2 Appoint Administrators

You can appoint one or more tenant administrators and IaaS administrators from the identity stores you configured for a tenant.

Configure Identity Stores for the Default Tenant

Each tenant must be associated with at least one identity store. Identity stores can be OpenLDAP or Active Directory. For the default tenant, you can also use Active Directory in native mode.

Prerequisites

Log in to the vCloud Automation Center console as a system administrator.

Procedure

1 Select Administration > Tenants.

2 Click the name of the default tenant, vsphere.local.

3 Click the Identity Stores tab.

4 Click the Add icon.

5 Type a name in the Name text box.

6 Select the type of identity store from the Type drop-down menu.

7 Type the URL for the identity store in the URL text box.

For example, ldap://ldap.mycompany.com:389.

8 Type the domain for the identity store in the Domain text box.

9 (Optional) Type the domain alias in the Domain Alias text box.

The alias allows users to log in by using userid@domain-alias rather than userid@identity-store-domain as a user name.

10 Type the Distinguished Name for the login user in the Login User DN text box.

Use the display format of the user name, which can include spaces and is not required to be identical to the user ID.

For example, cn=Demo Admin,ou=demo,dc=dev,dc=mycompany,dc=com.

11 Type the password for the identity store login user in the Password text box.

12 Type the group search base Distinguished Name in the Group Search Base DN text box.

For example, ou=demo,dc=dev,dc=mycompany,dc=com.

13 Type the user search base Distinguished Name in the User Search Base DN text box.

For example, ou=demo,dc=dev,dc=mycompany,dc=com.

14 Click Test Connection.

15 Click Add.

16 (Optional) Repeat Step 4 to Step 12 to configure additional identity stores.

17 Click Next.

Your new identity stores are saved and associated with the tenant. You are directed to the Administrators tab for the next step in the process.

Appoint Administrators

You can appoint one or more tenant administrators and IaaS administrators from the identity stores you configured for a tenant.

Tenant administrators are responsible for configuring tenant-specific branding, as well as managing identity stores, users, groups, entitlements, and shared blueprints within the context of their tenant. IaaS Administrators are responsible for configuring infrastructure source endpoints in IaaS, appointing fabric administrators, and monitoring IaaS logs.

Prerequisites

• Configure Identity Stores for the Default Tenant.

• Before you appoint IaaS administrators, you must install IaaS, as described in Installation and Configuration.

Procedure

1 Type the name of a user or group in the Tenant Administrators search box and press Enter.

Repeat this step as needed to appoint additional tenant administrators.

2 Verify that the user or group name appears in the Tenant Administrators list.

3 Type the name of a user or group in the Infrastructure Administrators search box and press Enter.

Repeat this step as needed to appoint additional IaaS administrators.

4 Verify that the user or group name appears in the Infrastructure Administrators list.

5 Click Update.

Create and Configure a Tenant

System administrators create tenants and specify basic configuration such as name, login URL, identity stores, and administrators.

Prerequisites

Log in to the vCloud Automation Center console as a system administrator.

Procedure

1 Specify Tenant Information

The first step to configuring a tenant is to add the new tenant to vCloud Automation Center and create the tenant-specific access URL.

2 Configure Identity Stores

Each tenant must be associated with at least one identity store. Identity stores can be OpenLDAP or Active Directory. Use of Native Active Directory is also supported for the default tenant.

3 Appoint Administrators

You can appoint one or more tenant administrators and IaaS administrators from the identity stores you configured for a tenant.

Specify Tenant Information

The first step to configuring a tenant is to add the new tenant to vCloud Automation Center and create the tenant-specific access URL.

Prerequisites

Log in to the vCloud Automation Center console as a system administrator.

Procedure

1 Select Administration > Tenants.

2 Click the Add icon.

3 Type a name in the Name text box.

4 (Optional) Type a description in the Description text box.

5 Type a unique identifier for the tenant in the URL Name text box.

This URL token is used to create tenant-specific URLs to access vCloud Automation Center.

For example, if you access vCloud Automation Center at https://my-vcloud-suite.local/shell-ui-app, then a tenant with the URL name sales accesses vCloud Automation Center at https://my-vcloud-suite.local/shell-ui-app/org/sales.

6 (Optional) Type an email address in the Contact Email text box.

7 Click Submit and Next.

Your new tenant is saved and you are automatically directed to the Identity Stores tab for the next step in the process.

Configure Identity Stores

Each tenant must be associated with at least one identity store. Identity stores can be OpenLDAP or Active Directory. Use of Native Active Directory is also supported for the default tenant.

Prerequisites

Specify Tenant Information.

Procedure

1 Click the Add icon.

2 Type a name in the Name text box.

3 Select the type of identity store from the Type drop-down menu.

4 Type the URL for the identity store in the URL text box.

For example, ldap://ldap.mycompany.com:389.

5 Type the domain for the identity store in the Domain text box.

6 (Optional) Type the domain alias in the Domain Alias text box.

The alias allows users to log in by using userid@domain-alias rather than userid@identity-store-domain as a user name.

7 Type the Distinguished Name for the login user in the Login User DN text box.

Use the display format of the user name, which can include spaces and is not required to be identical to the user ID.

For example, cn=Demo Admin,ou=demo,dc=dev,dc=mycompany,dc=com.

8 Type the password for the identity store login user in the Password text box.

9 Type the group search base Distinguished Name in the Group Search Base DN text box.

For example, ou=demo,dc=dev,dc=mycompany,dc=com.

10 Type the user search base Distinguished Name in the User Search Base DN text box.

For example, ou=demo,dc=dev,dc=mycompany,dc=com.

11 Click Test Connection.

Check that the connection is working.

12 Click Add.

13 (Optional) Repeat Step 1 to Step 12 to configure additional identity stores.

14 Click Next.

Your new identity stores are saved and associated with the tenant. You are directed to the Administrators tab for the next step in the process.

Appoint Administrators

You can appoint one or more tenant administrators and IaaS administrators from the identity stores you configured for a tenant.

Tenant administrators are responsible for configuring tenant-specific branding, as well as managing identity stores, users, groups, entitlements, and shared blueprints within the context of their tenant. IaaS Administrators are responsible for configuring infrastructure source endpoints in IaaS, appointing fabric administrators, and monitoring IaaS logs.

Prerequisites

• Configure Identity Stores.

• Before you appoint IaaS administrators, you must install IaaS. For more information about installation, see Installation and Configuration.

Procedure

1 Type the name of a user or group in the Tenant Administrators search box and press Enter.

Repeat this step as needed to appoint additional tenant administrators.

2 Type the name of a user or group in the Infrastructure Administrators search box and press Enter.

Repeat this step as needed to appoint additional IaaS administrators.

3 Click Update.
