E07 Infrastructure Service Installation and Configuration Proceedures

VMware Software-Defined Data Center Services
Infrastructure
v
Service
Installation and Configuration Procedures
for
<Customer>
Prepared by
<Consultant>
VMware Professional Services
<consultant>@vmware.com
VMware and Customer Confidential

Infrastructure Service Installation and Configuration Procedures
Version History
Date Version Author Description Reviewers
© 2015 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright
and intellectual property laws. This product is covered by one or more patents listed at
http://www.vmware.com/download/patents.html.
VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other
jurisdictions. All other marks and names mentioned herein may be trademarks of their respective
companies.
VMware, Inc.
3401 Hillview Ave
Palo Alto, CA 94304
www.vmware.com
© 2015 VMware, Inc. All rights reserved.

Page 2 of 169
Contents
1. Purpose and Assumptions ............................................................... 5

2. Common Configuration Elements .................................................... 6
2.1 Deploying the Identity Appliance.................................................................................... 6
2.2 Deploying the vRealize Automation Appliance .............................................................. 9
2.3 vRealize Automation Infrastructure Services Component Installation Prerequisites ... 12
2.4 Downloading the Infrastructure Services Installer ....................................................... 27
3. Non-Distributed Installation (No High Availability) .......................... 29

3.1 Identity Appliance ......................................................................................................... 29
3.2 vRealize Automation Appliance ................................................................................... 33
3.3 IaaS Components ........................................................................................................ 38
4. Distributed Installation with High Availability................................... 43

4.1 Certificate Generation .................................................................................................. 43
4.2 Identity Appliance ......................................................................................................... 53
4.3 vRealize Automation Appliance ................................................................................... 57
4.4 IaaS Components ........................................................................................................ 73
5. General Configuration Tasks........................................................ 124

5.1 Creating the Default Tenant ....................................................................................... 124
5.2 Creating a New Tenant .............................................................................................. 126
5.3 Licensing the IaaS Components ................................................................................ 129
6. Embedded vRealize Orchestrator ................................................ 130

6.1 Deployment ................................................................................................................ 130
6.2 Configuration .............................................................................................................. 131
6.3 vRealize Automation Integration for External vRealize Orchestrator Instances ........ 136
7. Guest Agent Installation ............................................................... 151

7.1 vRealize Automation Guest Agent Installation ........................................................... 151
8. vRealize Log Insight Content Pack .............................................. 153

8.1 Obtaining the vRealize Log Insight Content Pack for vRealize Automation .............. 153
8.2 Installing the vRealize Log Insight Content Pack ....................................................... 156
9. Configuring vRealize Automation to Forward Log Events ............ 158

9.1 vRealize Automation Virtual Appliance ...................................................................... 158
9.2 vRealize Automation IaaS Windows .......................................................................... 160
9.3 SSO Identity Virtual Appliance ................................................................................... 168

Page 3 of 169

Page 4 of 169
1. Purpose and Assumptions

This document provides step-by-step instructions for deploying and configuring:
 VMware Identity appliance
 VMware vRealize™ Automation™ appliance
 VMware vRealize Automation Infrastructure as a Service (IaaS) components
The document describes how to install an external VMware vRealize Orchestrator™ appliance (if
needed) and dedicate it for any specific tenant in vRealize Automation. It also includes guest agent
installation steps and VMware vRealize Log Insight™ Content Pack for vRealize Automation.
This guide is written with the assumption that the administrator who uses these procedures is familiar
with these products. It is not intended for administrators who have no prior knowledge of the concepts
and terminology.
The following table lists the product versions used in this service.
Table 1. VMware Products and Versions
VMware Product Version Number Build Number
VMware Identity Appliance 2.2.0.0 2300183
VMware vRealize Automation Appliance 6.2.0.0 2330392
VMware vRealize Automation IaaS components 6.2.0.9574
VMware vRealize Orchestrator appliance 6.0.1.0 1617225
Linux Guest Agent for vRealize Automation gugent-6.0.0-2025
VMware vCenter™ Log Insight Content Pack for VMware 1.5 1435442
vCloud® Automation Center™

Page 5 of 169
2. Common Configuration Elements

The following section provides step-by-step procedures for common configuration steps required
during the implementation of vRealize Automation.
2.1 Deploying the Identity Appliance

Task Task Description Screenshot
1. In the VMware vSphere® Web Client, select

Actions > D ep lo y OVF Template.
2. In the Select source dialog box, click

Local file and click Browse. Browse to the
location of the identity appliance file with
the .ova or .ovf extension and click
Open.
Click Next.
3. In the Review details dialog box, review

the summary details and click Next.
4. In the Accept EULAs dialog box, accept

the license agreement by clicking Accept.
Click Next.

Page 6 of 169
5. In the Select name and folder dialog box,

enter a unique name for the virtual
appliance according to the IT naming
convention of your organization in the
Name text box.
Select the folder or data center location
where you want to deploy the virtual
appliance.
Click Next.
6. In the Select a resource dialog box, select

the cluster where you want to deploy the
virtual appliance.
Click Next.
7. In the Select storage dialog box, select the

disk format that you want to use for the
virtual appliance from the Select virtual
disk format drop-down list.
Click the datastore you want to place the
virtual appliance on.
Click Next.
8. In the Setup networks dialog box, select

the network that you want to connect the
virtual appliance to using the Destination
drop-down list.
Click Next.

Page 7 of 169
9. In the Customize template dialog box,

configure the following values:
a. In the Enter password and Confirm
password text boxes, type the root
password to use when you log in to the
virtual appliance console.
b. In the Hostname text box, enter a
name for the virtual appliance.
c. In the Default Gateway text box, enter
the IP address of the default gateway.
d. In the DNS text box, enter the DNS
servers for the virtual appliance.
e. In the Network 1 IP Address text box,
enter the IP address for the virtual
appliance.
f. In the Network 1 Netmask text box,
enter the subnet mask for the virtual
appliance.
g. Click Next.
10. In the Ready to Complete dialog box,

select the Power on after deployment
check box.
Click Finish.

Page 8 of 169
2.2 Deploying the vRealize Automation Appliance

1. In the vSphere Web Client, select Actions

> D ep lo y OVF Template.
2. In the Select source dialog box, click

Local file and click Browse. Browse to the
location of the identity appliance file with
the .ova or .ovf extension and click
Open.
Click Next.
3. In the Review details dialog box, review

the summary details.
Click Next.
4. Click Accept in the Accept EULAs dialog

box to accept the license agreement.
Click Next.

Page 9 of 169
5. In the Select name and folder dialog box,

enter a unique name in the Name text box
for the virtual appliance according to the IT
naming convention of your organization.
Select the data center and folder location
where you want to deploy the virtual
appliance.
Click Next.
6. In the Select a resource dialog box, select

the cluster where you want to deploy the
virtual appliance.
Click Next.
7. In the Select storage dialog box, select a

datastore with sufficient space.
Click Next.
8. In the Setup networks dialog box, select

the network you want to connect the virtual
appliance to using the Destination drop-
down menu.
Click Next.

Page 10 of 169
9. In the Customize template dialog box,

configure the following values:
a. In the Enter password and Confirm
password text boxes, type the root
password to use when you log in to the
virtual appliance console.
b. In the Hostname text box, enter a
name for the virtual appliance.
c. In the Default Gateway text box, enter
the IP address of the default gateway.
d. In the DNS text box, enter the DNS
servers for the virtual appliance.
e. In the Network 1 IP Address text box,
enter the IP address for the virtual
appliance.
f. In the Network 1 Netmask text box,
enter the subnet mask for the virtual
appliance.
g. Click Next.
10. In the Ready to Complete dialog box,

select the Power on after deployment
check box.
Click Finish.

Page 11 of 169
2.3 vRealize Automation Infrastructure Services Component

Installation Prerequisites
2.3.1 Enabling Time Sync on the Windows Machine
1. If a virtual machine is used (instead of a

physical unit), edit the virtual machine
settings.
Verify that the option Synchronize guest
time with host is selected as part of
VMware Tools on the Options tab.
2. To verify or enable time sync from within

the guest operating system:
a. Open a command prompt on the
Windows machine.
b. Go to the VMware Tools™ directory
using the following command:
cd C:\Program
Files\VMware\VMware Tools
c. Check the status of time sync using the
following command:
VMwareToolboxCmd.exe timesync
status
d. If time sync is disabled, enable it using
the following command:
VMwareToolboxCmd.exe timesync
enable

Page 12 of 169
2.3.2 Prerequisite for Windows Server 2012 and 2012 R2 Configuration

Before installing the Infrastructure Services components for vRealize Automation, you must first
configure several elements of the Windows system. These elements include:
 Configuration of Active Directory Domain Service Accounts for Local Administrators Group
 Configuration of Windows Server 2012 R2 Firewall
 Installation of Microsoft .NET 4.5.2 Framework
 Installation of Java Runtime 64-bit Environment (jre-7u67-windows-x64.exe; required to install the
database)
 Configuration of the Java Runtime Environment Variable for Windows
 Configuration of MSDTC
 Installation and configuration of IIS Server
 Installation of Window Process Activation Services
 Configuration of the firewall
 Enabling the Secondary Login Service
 Configuration of the batch login access and service login
2.3.3 Configuration of Active Directory Domain Service Accounts for Local

Administrators Group
1. On the Windows Server 2012 R2 Host

where IaaS Components will be installed,
go to the Server Manager > Click Local
Server.
In the Properties for <For server>, verify
computer name and host joined to the
domain <Active Directory Domain>.

go to Server Manager >Tools >
Computer Management, select Local
Users and Groups, and add
<Domain\<IaaS service account> to the
Administrators Group.

Page 13 of 169
2.3.4 Configuration of Windows Server 2012 R2 Firewall

1. On the Windows Server 2012 R2 Host, go

to Server Manager > Click Local Server.
In the Properties for <Local Server>,
select Windows Firewall.
2. Select Turn Windows Firewall on or off

and Turn off for Domain network
settings, Private Network Settings, and
Public Network Settings.
Click OK.
2.3.5 Installation of the Microsoft .NET 4.5.2 Framework


go to Server Manager. Click Local Server.
Click Manage > Add Roles and Features.
2. In the Add Roles and Features Wizard

dialog box, select Next.

Page 14 of 169
3. In the Select installation type dialog box,

click Role-based or feature-based
installation and click Next.
4. In the Select destination server dialog

box, click Select a server from the server
pool <Local IaaS Server> and click Next.
5. In the Select server roles dialog box, click

and check for the Web Server (IIS).
Click Add Feature to accept the Add
features that are required for web server
(IIS) management tools.
Click Next to continue.
On the Add Roles and Features Wizard,
select Add Features.

Page 15 of 169
6. In the Select Features dialog box, expand

.Net Framework 4.5 Features. Select the
check box for .NET Framework 4.5
Features and select .NET Framework 4.5.
Click Next.
Click Next again, and click Install.
When the installation is complete, click
Close.
Note: By default, .Net Framework 4.5.2
features are installed in Windows Server
2012 R2.

Page 16 of 169
2.3.6 Installation of Java Runtime 64-bit Environment

1. Go to a web browser and enter

https://java.com/en/download/manual.jsp.
Select the Windows Offline (64-bit)
Version 7 (jre7u67-windows-x64) of Java.
(Version 8 is not currently supported.)
Save the file to the local Windows Server
and run the installation as Administrator.
2.3.7 Configuration of the Java Runtime 64-bit Environment Variable for

Windows
1. In the Control Panel, select System and

Security > System. Click Advanced
system settings.
Click Environment Variables
2. Select New under System variables.

In the Edit System Variable window, enter
the following:
a. Variable name: JAVA_HOME
b. Variable value: C:\Program
Files\Java\jre7
c. Click OK and OK again to close the
Edit System Variable and Environment
Variables windows.
d. Restart the Windows Server to finalize
the changes.
3. Validate the version of Java SE Runtime

Environment Build is (build 1.7.0.67-b01)
and close run the Admin Command
Prompt.
Run the command java.exe –version.

Page 17 of 169
2.3.8 Configure Microsoft Distributed Transaction Coordinator

1. Configure MSDTC and start the service, if it

is not already running, as follows:
a. Open Component Services from Start
> All Programs > Administrative
Tools.
b. Expand Component Services >
Computers > My Computer >
Distributed Transaction Coordinator.
c. Right-click Local DTC and select
Properties.
d. Click the Security tab.
e. Select Network DTC Access.
f. Select Allow Remote Clients.
g. Select Allow Inbound and Allow
Outbound.
h. Select Mutual Authentication
Required.
i. Click O K.
j. A warning message stating that the
MSDTC service will be stopped and
restarted is displayed. Click Yes.
k. Click OK in the MSDTC service has
been restarted dialog box.
l. Click OK to close the Component
Services window.

Page 18 of 169
2. Install the web server (IIS Modules) role

with the necessary role services:
a. Open Server Manager from Start >
Server Manager > Local Server.
b. Click Manage > Add Roles and
Features.
c. Click Next In the Add Roles and
Features Wizard dialog box.
d. In the Select installation type dialog
box, click Role-based or feature-
based installation and click Next.
e. In the Select destination server dialog
box, click Select a server from the
server pool and click Next.
f. In the Select server roles dialog box,
select Web Server (IIS) and click Next.
g. Click Add Features to Include
management tools (if applicable).
h. Click Next on the Add Roles and
Features Wizard.
i. Authentication.
j. Under Performance, select Static
Content Compression.
k. Under Management Tools > IIS 6
Management Compatibility, select IIS
6 Metabase Compatibility.
l. Click Next.
m. Click Install.
n. Click Close.

Page 19 of 169
3. Click Add Features to include management

tools (if applicable).
Click Next and Next again on the Add
Roles and Features Wizard.
4. In the Select Role service dialog box, add

the following role services by selecting the
relevant Web Server options:
 Under Common HTTP Features, select
Default Document and HTTP
Redirection.

Page 20 of 169
5. a. Under Application Development,

select the following options:
 Select ASP.NET 3.5
 Select ASP.NET 4.5
(In the Add Role services Wizard dialog
box, click Add Required Role Services.)
 Select .NET Extensibility 3.5
 Select .NET Extensibility 4.5
 Select ISAPI Extensions
 Select ISAPI Filters
b. Under Security, select the following
option:
 Windows Authentication
c. Under Performance, select the
following option:
 Static Content Compression
d. Under Management Tools > IIS 6
Management Compatibility, select the
following option:
 IIS 6 Metabase Compatibility.
e. Click Next, and click Next again.
f. Click Install.
g. Click Close
6. Install Windows Process Activation

Services as follows:
b. Click Manage > Add Roles and
Features.
c. Click Next in the Add Roles and
Features Wizard dialog box.
d. In the Select installation type dialog
box, click Role-based or feature-
based installation and click Next.
e. In the Select destination server dialog
box, click Select a server from the
server pool and click Next. Select
Features in the left panel.

Page 21 of 169
7. a. On Server Roles, click Next.

b. Click Add Features under the
Features Summary.
c. Expand .NET Framework 3.5
Features.
 Select HTTP Activation.
 Select Non-HTTP Activation.
d. Expand .NET Framework
4.5.Features.
e. Expand WCF Services:
 Select HTTP Activation.
f. Expand Windows Process Activation
Service:
 Select Process Model.
 Select .NET Environment 3.5.
 Select Configuration APIs.
g. Click Next.
h. Click Install.
i. Click Close.
8. Configure Windows Authentication as

follows:
b. Click Tools > Internet Information
Services (IIS) Manager.
c. Expand Web Server (IIS) Local Host.
d. Under Connections in the middle
pane, expand the server. For example,
vra-iaas-01.sddc.lab.
e. Expand Sites.
f. Select Default Web Site.
Under Default Web Site Home in the
right pane, under IIS, double-click
Authentication.

Page 22 of 169
9. a. Right-click Anonymous
Authentication and select Disable.
b. Right-click Windows Authentication
and select Enable.
c. Select Windows Authentication and
on the right pane, click Providers.
d. Select Negotiate under the Enabled
Providers and click Remove.
e. Select NTLM under the Enabled
Providers and click Remove.
f. Under Available Providers, select
Negotiate and click Add.
g. Under Available Providers, select
NTLM and click Add.
h. Click OK.
i. Select Windows Authentication. In
the right pane, click Advanced
Settings.
j. Under Extended Protection, select
Off. (If it was already off, change it to
something else, and change it back to
off.)
k. Confirm that Enable Kernel-mode
authentication is selected and click
OK.
10. Register Microsoft .NET 4 Framework with

IIS.
a. Open Command Prompt from Start >
All Programs > Accessories.
b. Right-click Command Prompt and
select Run as administrator.
c. Go to
C:\Windows\Microsoft.Net\Fram
ework64\v4.0.30319.
d. Type aspnet_regiis –i and press
Enter.

Page 23 of 169
11. After all the configuration steps are

completed, reset IIS as follows:
a. Open Command Prompt from Start >
All Programs > Accessories.
b. Right-click Command Prompt and
c. Click Yes in the User Account Control
box.
d. Type iisreset and press Enter.
e. Close the Command Prompt window.
12. Configure the Secondary Logon Service as

follows:
a. Open Server Manager from Start > All
Programs > Administrative Tools.
b. Expand Configuration.
c. Select Services.
d. Locate the Secondary Logon Service,
set it to Automatic and start the
service.
e. Click OK.
13. Configure the firewall by disabling firewall

services between the vRealize Automation
infrastructure services servers and the
database server. Alternatively, open the
ports as described in the product
documentation and Cloud Automation
Configuration Workbook Communication
Flow.
Click OK.
14. Although Distributed Transaction

Coordinator has been enabled, the
prerequisite check on the distributed
transaction might fail even when the firewall
is turned off. Configure the firewall as
follows:
a. From the Control Panel, click System
and Security.
b. Click Allow a program through
Windows Firewall under the Windows
Firewall section.
c. Select Change settings button and
check the Distributed Transaction
Coordinator for the domain.
d. Click OK.

Page 24 of 169
15. Configure the batch login rights for the

Model Manager Web Service account.
a. Open Local Security Policy from Start
> Administrative Tools.
b. Expand Local Policies.
c. Select User Rights Assignment in the
left panel.
d. Double-click Log on as a batch job
policy.
e. Click Add User or Group.
f. Type ad mi ni st rat or , click Check
Names, and click OK.
g. Click OK and close the Local Security
Policy window.
Note Use the same process to configure

Service login rights.

Page 25 of 169
2.3.9 Preparing the Database System for Installation

1. Confirm the prerequisites for installation of

the vRealize Automation infrastructure
services database.
Log in to the Microsoft SQL server with
local administrator privileges.
Configure the database TCP/IP protocol as
follows:
a. Click Start > All Programs >
Microsoft SQL Server 2008.
b. Click Configuration Tools.
c. Open SQL Server Configuration
Manager.
d. Expand SQL Server Network
Configuration.
e. Select Protocols for MSSQLSERVER.
f. Right-click TCP/IP and select Enable
(if it is not already enabled).
g. Close SQL Server Configuration
Manager.
2. Configure the database credentials as

follows:
a. Click Start > All Programs >
Microsoft SQL Server 2008 R2.
b. Open SQL Server Management
Studio.
c. On the Connect to Server screen,
type the SQL Administrator credentials
and click Connect.
d. Add the domain administrator account
to the logins.
e. Add the domain administrator account
to the sysadmin role so that it can
create the database and alter its size.
Note If you are using SQL Server Express, set the SQL Server Browsing service to automatic and
start it. But SQL Server Express is not recommended for production or development
platforms.

Page 26 of 169
2.4 Downloading the Infrastructure Services Installer

Download the installer for the vRealize Automation infrastructure services components onto the
Windows Server 2012 (or 2012 R2) machine on which you plan to perform the installation.
1. Open a web browser on the Windows

Server 2012 or 2012 R2 host where the
IaaS components will be installed. Browse
to the Windows installer download page
using the host name in the format
<hostname.domain.name>:5480/installer/.
Note You can also get to the installer

from:
https://<hostname.domain.name>
Click the Open installer page link.
If you are using Internet Explorer, make
sure that Enhanced Security
Configuration is not enabled.
See
res://iesetup.dll/SoftAdmin.htm.
2. Accept the certificate by clicking I

understand the Risks, and click Add
Exception.
Finally, click Confirm Security Exception.
3. Click IaaS Installer to install IaaS

components on Windows.

Page 27 of 169
4. When prompted, save the installer file to the

local machine. The file is named
setup__hostname@5480.exe.
Do not rename the file.

Page 28 of 169
3. Non-Distributed Installation (No High Availability)

The following section provides step-by-step guidance for the deployment of vRealize Automation in a
non-distributed implementation providing no high availability. The high-level process consists of
completing the steps in the following sections:
 Section 2.1, Deploying the Identity Appliance
 Section 3.1.1, Configuring the Identity Appliance Configuring the Identity Appliance
 Section 2.2, Deploying the vRealize Automation Appliance
 Section 3.2.1, Configuring the vRealize Automation Appliance
 Section 2.3, vRealize Automation Infrastructure Services Component Installation Prerequisites
 Section 3.3.1, Installing IaaS Components
3.1 Identity Appliance

3.1.1 Configuring the Identity Appliance
1. Go to the Identity Appliance management

console by using its FQDN.
Use the following format:
https://<identity-
hostname.domain.name>:5480/
2. Click I Understand the Risks, and click

Add Exception to accept the certificate.
Click Confirm Security Exception.
3. Log in using the user name root and the

password you specified when you deployed
the Identity Appliance.
4. Click the System tab and click Time Zone

button.
Use the System Time Zone drop-down
menu to set your time zone for the
appliance.

Page 29 of 169
5. Click the SSO tab.

The red text provides a status. It is not an
error message.
6. The default domain name in the System

Domain text box is vsphere.local. This is
the local default domain for the identity
appliance. A default tenant is created using
this name.
Note Do not change this.
In the Admin Password and Repeat

password text boxes, type the password
that you want to assign to the system
administrator
(adm ini st r at o r@v sph er e .lo c al ).
Record the password in a secure place.
The password is required when you
configure the vRealize Automation
appliance later in the installation process.
It is also the system administrator login for
the vRealize Automation console.
Click Apply.
Note It can take several minutes for the

success message to appear. Do
not interrupt the process.
7. When the green success SSO is

initialized message appears stating
VMware vCenter Single Sign-On™ is
initialized, click Host Settings.
8. In the SSO Host Name text box, verify that

the appliance’s FQDN name is entered
correctly. If it is incorrect, make the
required alteration.
Click Apply.

Page 30 of 169
9. Select SSL to generate an SSL certificate

for the identity appliance.
a. Using the drop-down list for Choose
Action, select Generate Self Signed
Certificate.
b. In the Common Name text box, ensure
the common name matches the FQDN
of your appliance.
c. In the Organization text box, type your
organization name, such as your
company name.
d. In the Organizational Unit text box,
type your organizational unit, such as
your department name or location.
e. In the Country Code text box, enter
your two-character country code.
f. Click Apply Settings.
After a few minutes, the certificate is
generated and its details appear on the
page.
10. Click Active Directory and enter the

following values:
a. In the Domain Name text box, type the
Active Directory domain name.
b. In the Domain User text box, type the
domain user (us e r@ dom ain ) that
will join the domain.
c. In the Password text box, type the
password for the domain user.
d. Click Join AD Domain.
Note Verify that the host name matches

the DNS record. Otherwise, you
will receive a warning message
about network misconfiguration.

Page 31 of 169
3.1.1.1. Enabling Time Synchronization
The clocks on the identity appliance, vRealize Automation appliance, and IaaS Windows Servers
must be synchronized for a successful installation.
1. Click the Admin tab and the click Time

Settings.
2. Select an option from the Time Sync

Mode drop-down menu.
 If using Network Time Protocol for
timekeeping, select Use Time
Server from the Time Sync Mode
menu.
 If you are using VMware Tools for
timekeeping, select Use Host Time
from the Time Sync Mode menu.
You must configure the connections
to Network Time Protocol servers
before you can use VMware Tools.
Click Save Settings.
3. Verify that the value in Current Time is

correct.
4. Another way of configuring time

synchronization of the appliance is
within the vSphere Web Client. Go to
Manager > Settings > VMware Tools.
Select the option Synchronize guest
time with host.

Page 32 of 169
3.2 vRealize Automation Appliance

3.2.1 Configuring the vRealize Automation Appliance
1. Go to the vRealize Automation appliance

management console by using its FQDN.
https://<vcac-
2. Accept the certificate by clicking I

Understand the Risks, and click Add
Exception.

password you specified when deploying the
vRealize Automation appliance.
4. Click the System tab and click Time Zone.

appliance.

Page 33 of 169
5. Click the vRA Settings tab. Select the Host

Settings menu in the Host Configuration
pane and select Resolve Automatically.
Enter the fully qualified host name of the
vRealize Automation appliance in the Host
Name text box.
6. Go to the SSL Configuration pane to

generate an SSL certificate to authenticate
the vRealize Automation appliance to the
SSO appliance.
a. Using the SSL Configuration pane,
select Generate Self Signed
Certificate.
b. In the Common Name text box, verify
that the common name matches the
FQDN of your appliance.
Note If you are using a load balancer,

enter the load balancer FQDN.
c. In the Organization text box, type your

organization name, such as your
company name.
d. In the Organizational Unit text box,
type your organizational unit.
e. Enter your department name or
location.
f. In the Country Code text box, enter
your two-character country code.
g. Click Save Settings.
After a few minutes, the certificate is
generated, and its details are displayed.

Page 34 of 169
7. Click SSO to configure the SSO settings

that the vRealize Automation appliance will
use to interact with the identity appliance.
These settings must match the settings you
entered when configuring the identity
appliance.
a. In the SSO Host and Port text box,
enter the FQDN of the identity
appliance using the format
<host.domain.name>:7444.
You must specify the SSO instance
deployed by the identity appliance. You
cannot point to an existing installation of
SSO unless it is running a support
version of SSO. (In vSphere, for
example.)
d. In the SSO Default Tenant text box,
accept the default, vsphere.local.
e. In the SSO Admin User text box, type
adm in ist r at o r@v sph e re .l oc a l .
f. In the SSO Admin Password text box,
type the SSO administrator password.
The password must match the
password you specified in the SSO
settings for the identity appliance.
g. Click Save Settings. When you receive
the certificate warning, accept it by
clicking OK.
After a few minutes, a success message is
displayed, and SSO Status is updated to
Connected.
8. Click Licensing to configure the License.

In the New License Key text box, type a
valid vRealize Automation license key and
click Submit Key.

Page 35 of 169
1. Click the Admin tab and click Time

Settings.
2. Select an option from the Time Sync Mode

drop-down menu.
 If you are using Network Time Protocol
for timekeeping, select Use Time
Server from the Time Sync Mode
menu.
from the Time Sync Mode menu. You
must configure the connections to
Network Time Protocol servers before
you can use VMware Tools.

correct.

synchronization of the appliance is within
the vSphere Web Client. Go to Manager >
Settings > VMware Tools.
Select the option Synchronize guest time
with host.

Page 36 of 169
5. Verify Registered Services are available

for authorization and authentication by
selecting Services > Registered Services.

Page 37 of 169
3.3 IaaS Components

Update the following process based on the customer’s environment when building a non-distributed
implementation of vRealize Automation. This process is relevant when delivering the following
services:
 Cloud Automation Accelerator Services
 Cloud Automation Center Design and Deploy Service for the purpose of implementing a
development environment.
3.3.1 Installing IaaS Components

1. Launch the installer by right-clicking the

setup file with the .exe extension that you
downloaded in the previous section and
2. In the Welcome to the vCloud

Automation Center Configuration dialog
box, click Next.
3. In the End-User License Agreement

dialog box, select I accept the terms in
the license agreement.
Click Next.

Page 38 of 169
4. Enter the appliance login information:

a. User name: <vRealize appliance
account>
b. Password: <customer supplied>
c. Select the Accept Certificate check
box.
d. Click Next.
5. In the Installation Type dialog box, select

Complete Install.
Click Next.
The Prerequisite Checker opens. It will
verify that your system matches installation
requirements.
6. In the Verify Prerequisites dialog box:

If the Prerequisite Checker displays
warnings, select the entry in the left panel
and follow the instructions that appear on
the right for each item that requires
attention.
When all issues are resolved, click Check
Again, and verify that all items are OK and
have green check marks next to them.
Note You can click Check Again at any

time to check the status of the
prerequisites. If non-critical errors
still occur, click Bypass to continue
the installation.
Click Next.

Page 39 of 169
7. In the Server and Account Settings

dialog box, perform the following steps:
a. Leave the default User name (the
currently logged-in admin user).
b. Enter the user’s password in the
Password and Confirm text boxes.
c. In the Passphrase and Confirm text
boxes, type a passphrase to create an
encryption key for database security.
Note A passphrase is required to

configure the components. A
passphrase is a series of words
used to create a phrase that
generates the encryption key. The
key is used to protect data while at
rest in the database and for data
recovery.
Note The passphrase you create during

installation must be used across
the entire IaaS deployment so that
each component has the same
encryption keys. The passphrase
might be required during an
upgrade. Store it in a secure
location or memorize it.
d. In the Microsoft SQL Server

Database Installation Information
box:
 Type your SQL server database
host name in the Server text box
and your database name in the
Database name text box.
 Select Use Windows
authentication or deselect it to
use SQL authentication.
 If you use SQL authentication, type
your user name and password.
 Click Next.

Page 40 of 169
8. In the Distributed Execution Managers

And Proxy vSphere Agent dialog box,
specify the following configuration details:
a. Accept the default or enter a name for
the DEM worker in the DEM Worker
name text box.
b. Accept the default or enter a name for
the DEM Orchestrator name in the
DEM Orchestrator name text box.
c. Verify that Install and configure
vSphere agent is selected.
d. Accept the default or enter a name for
the vSphere Agent in the vSphere
Agent name text box.
e. Accept the default or enter a name for
the endpoint in the Endpoint name
text box.
f. Click Next.
9. On the Component Registry dialog,

specify the following configuration details:
a. Leave the default Server, which is
populated with the host name or IP
address of the vRealize Automation
virtual appliance server from which you
downloaded the installer.
b. Click Load to populate the Default
Tenant text box with your SSO domain
name.
c. Click View Certificate and click Test.
d. When the certificate confirmation
appears, click OK.
e. Select Accept Certificate to install the
SSO certificate.
f. Type the SSO administrator’s name
(adm ini st r at o r@v sph er e . lo c al)
and password in the SSO
Administrator Credentials text box.
g. Click Test to verify the credentials.
h. The IaaS Server is automatically
populated with the host name or IP
address of the Windows machine on
which you are performing the
installation. Click Test to verify.
i. Click Next.

Page 41 of 169
10. In the Ready to Install dialog box, review

the information and click Install.
The installation begins. Depending on your
network configuration, the installation can
take from approximately 5 minutes to 1
hour to complete.
Click Next.
11. In the vCloud Automation Center

Configuration is complete dialog box,
leave Guide me through the initial
system configuration selected.
Click Finish.

Page 42 of 169
4. Distributed Installation with High Availability

The following section provides step-by-step guidance for the deployment of vRealize Automation in a
highly available, distributed implementation. The high-level process consists of steps from the
following sections:
 Section 4.1, Certificate Generation
 Section 2.1, Deploying the Identity Appliance
 Section 4.2.1, Configuring the Identity Appliance
 Section 2.2, Deploying the vRealize Automation Appliance
 Section 4.3.1, Initial Configuration of the Primary Node
 Section 4.3.2, Initial Configuration of the Secondary Node
 Section 4.3.3, Configuring the PostgreSQL Cluster
 Section, 4.3.4, Update Database Settings on the Primary Node
 Section 4.3.5, Testing Database Replication
 Section 4.3.6, Configure Single Sign-On and Licensing on the Primary Node
 Section 4.3.7, Configure the Secondary Node for High Availability
 Section 4.3.8, Test Promotion of the Secondary Node to Primary Node
 Section 4.4.2, IaaS Database
 Section 4.4.3, Primary IaaS Web and Model Manager Data Server
 Section 4.4.4, Secondary IaaS Web Server
 Section 4.4.5, Primary IaaS Manager Service and DEM Orchestrator
 Section 4.4.6, Secondary (Passive) IaaS Manager Service
 Section 4.4.7, Primary and Secondary DEM Workers Server
 Section 4.4.8, Proxy Agents Server
4.1 Certificate Generation

A production, distributed vRealize Automation deployment depends on utilizing Certificate Authority
(CA) signed security certificates as each component communicates exclusively over SSL. While it is
possible to import self-signed certificates on necessary components, this is not recommended in a
production environment.
Typically the Active Directory domain server acts as the Certificate Authority for internally facing
services. The process documented within this step-by-step guide assumes that Microsoft Certificate
Authority is used to issue certificates for each component within vRealize Automation platform.
Table 2. vRealize Automation Certificate Requirements
Certificate Common Name Application Role Encoding Needed
vra-id-03.sddc.lab Identity Appliance PEM and unencrypted key
portal.sddc.lab vRealize Automation Appliance PEM and unencrypted key
web.sddc.lab IaaS Web Servers PKCS12
mgr.sddc.lab IaaS Manager Service PKCS12

Page 43 of 169
4.1.1 Generate PKCS12 SSL Certificate

The order of operation is to first generate a PKCS12 formatted certificate. After a certificate is in
PKCS12 format, it can be converted to PEM encoding and a DER encoded certificate can be
generated from that PEM. In addition, an unencrypted key can be extracted from the PEM certificate.
1. Prepare for certificate generation using the

following procedure:
a. Install OpenSSL on the Windows server
where you will generate the certificates.
b. Create a base folder (C:\Certs in this
example) with separate sub-folders for
each vRealize Automation component.
2. Log in to the Microsoft Certificate Authority

Web Interface.
Click Download a CA certificate,
certificate chain or CRL.
3. Click Base 64.

Click the Download CA certificate chain
link.
Save the certificate chain as cachain.p7b
in the c:\Certs folder.
Click the Download CA certificate link.
Save the CA certificate as RootCA.crt in the
c:\Certs folder

Page 44 of 169

[ req ]
4. Create a configuration file for the identity default_bits = 2048
appliance using the format opposite. default_keyfile = rui.key
Save the configuration file to: distinguished_name =
req_distinguished_name
C:\Certs\Identity\vcid.cfg encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,
keyEncipherment, dataEncipherment,
nonRepudiation
extendedKeyUsage = serverAuth,
clientAuth
subjectAltName = DNS:vcid,
IP:10.161.0.210, DNS:vra-id-
03.sddc.lab
[ req_distinguished_name ]
countryName = US
stateOrProvinceName = CF
localityName = Palo Alto
0.organizationName = VMware
organizationalUnitName =
IdentityAppliance
commonName = vra-id-03.sddc.lab
5. Run the following OpenSSL command to

generate the certificate request and the
private key for this certificate:
openssl req -new -nodes -out
C:\Certs\Identity\vra-id-03.csr
-keyout C:\Certs\Identity\vra-
id-03.key -config
C:\Certs\Identity\vra-id-03.cfg
Note Remember to replace the path and

file names for each new service.

convert the keys to the RSA format required
by the appliances:
openssl rsa -in
C:\Certs\Identity\vra-id-03.key
-out C:\Certs\Identity\vra-id-
03.key
7. Navigate back to the home page of the

Certificate Server.
Click Request a certificate.

Page 45 of 169
8. Click advanced certificate request.

Click Submit a certificate Request by
using a base- 64-encoded CMC or PKCS
#10 file, or submit a renewal request by
using a base-64-encoded PKCS #7 file.
9. In the Submit a Certificate Request or

Renewal Request web page:
a. Open the vra-id-03.csr file
generated in step 5 in notepad.
b. Copy and paste the contents into the
Base-64-encoded certificate request
textbox.
c. Select the template created using the
Certificate Template process.
d. Click Submit.

Page 46 of 169
10. Click Base 64 encoded radio button on the

Certificate issued screen. Click the
Download Certificate link.
a. Save the Certificate as vra-id-03 in
the folder C:\Certs\Identity\.
b. Click the Download Certificate chain
link.
c. Save the certificate chain as
cachain.p7b file and navigate to
C:\Certs\Identity\chain.p7b.
d. Navigate to C:\Certs\Identity and
Double-click the cachain.p7b file.
e. Right-click the root certificate, select All
Actions > Export, and click Next.
f. Select Base64-encoded X.509 (.CER)
and click Next.
g. Save the export to your
location/Root64.cer and click
Next and Finish.

convert the certificates to PKCS12 format:
openssl pkcs12 -export -in
C:\Certs\Identity\vra-id-03.cer
-inkey C:\Certs\Identity\vra-id-
03.key -certfile
C:\Certs\Root64.cer -name vra-
id-03 -passout pass:VMware1! -
out C:\Certs\Identity\vra-id-
03.pfx

Page 47 of 169

convert the certificates to PEM format:
openssl pkcs12 -nokeys -in
C:\Certs\Identity\vra-id-03.pfx
-inkey C:\Certs\Identity\vra-id-
03.key -out
C:\Certs\Identity\vra-id-03.pem
-nodes -passin pass:VMware1!
[ req ]
13. ` Follow steps 5-12 to generate the certificate default_bits = 2048
for the vRealize Automation appliances load default_keyfile = rui.key
balancer address. distinguished_name =
Use the configuration details opposite as a req_distinguished_name
template and alter items in red. encrypt_key = no
prompt = no
Save the configuration file to: string_mask = nombstr
C:\Certs\vRAva\portal.cfg req_extensions = v3_req
Note Remember to modify the OpenSSL [ v3_req ]

commands to match the service basicConstraints = CA:FALSE
you are working with. keyUsage = digitalSignature,
nonRepudiation
clientAuth
: subjectAltName = DNS: portal, IP:
10.161.0.222, DNS: portal.sddc.lab,
DNS: vra-srv-03, DNS: vra-srv-
03.sddc.lab, DNS: vra-srv-04, DNS:
vra-srv-04.sddc.lab
countryName = US
vRealizeAutomation
commonName = portal.sddc.lab

Page 48 of 169

[ req ]
14. Follow steps 5-11 to generate the certificate default_bits = 2048
for the vRealize Automation IaaS Web load default_keyfile = rui.key
balancer address. distinguished_name =
prompt = no
C:\Certs\IaaSWeb\web.cfg req_extensions = v3_req
Remember to modify the OpenSSL [ v3_req ]

commands to match the service you are basicConstraints = CA:FALSE
working with. keyUsage = digitalSignature,
nonRepudiation
clientAuth
subjectAltName = DNS: vra-iws-03,
DNS:vra-iws-03.sddc.lab, DNS: vra-
iws-04, DNS:vra-iws-04.sddc.lab,
DNS: web, IP:10.161.0.223, DNS:
web.sddc.lab
countryName = US
vRealizeAutomationIaaSWeb
commonName = web.sddc.lab

Page 49 of 169

[ req ]
15. Follow steps 5-11 to generate the certificate default_bits = 2048
for the vRealize Automation IaaS Manager default_keyfile = rui.key
Service load balancer address. distinguished_name =
prompt = no
C:\Certs\IaaSMgr\mgr.cfg req_extensions = v3_req
Remember to modify the OpenSSL [ v3_req ]

commands to match the service you are basicConstraints = CA:FALSE
working with. keyUsage = digitalSignature,
nonRepudiation
clientAuth
subjectAltName = DNS: vra-ims-03,
DNS: vra-ims-03.sddc.lab, DNS: vra-
ims-04, DNS: vra-ims-04.sddc.lab,
DNS: mgr, IP: 10.161.224, DNS:
mgr.sddc.lab
countryName = US
vRealizeAutomationIaaSMgr
commonName = mgr.sddc.lab

Page 50 of 169
4.1.2 Creating and Publishing a Certificate Template

1. Open the MMC console for Certificate

Templates:
a. Click File and select Add/Remove
Snap-in.
b. Select Certificate Templates in
Available snap-ins and Click Add then
OK.
c. From the right pane, right-click Web
Server template.
d. Click Duplicate Template.
2. In Properties of New Template dialog box:

a. Click the General tab.
b. Type the name of the template in
Template name text box.

a. Click the Subject Name tab.
b. Select the radio button Supply in the
request.

Page 51 of 169

a. Click Security tab.
b. Assign Full Control privileges to the
Domain Administrator.
c. Assign Full Control privileges to the
computer issuing this certificate.
d. Click OK.
5. Open the MMC console for Certification

Authority for the Domain:
a. Right-click Certificate Templates
b. Select New > Certificate Template to
issue.
6. In the Enable Certificate Templates dialog

box:
a. Select the certificate created in steps 1-
4.
b. Click OK.

Page 52 of 169
4.2 Identity Appliance

4.2.1 Configuring the Identity Appliance
1. Go to the identity appliance management

console by using its FQDN.
https://<identity-
2. Click I Understand the Risks, and click

Add Exception to accept the certificate.

password you specified when you deployed
the identity appliance.
4. Click the System tab and click Time Zone

button.
appliance.
5. Click the SSO tab.

The red text provides a status. It is not an
error message.

Page 53 of 169
6. The default domain name in the System

Domain text box is vsphere.local. This is
the local default domain for the Identity
Appliance. A default tenant will be created
using this name.
Note Do not change this.
In the Admin Password and Repeat

password text boxes, type the password
that you want to assign to the system
administrator
(adm ini st r at o r@v sph er e .lo c al ).
Record the password in a secure place.
The password is required when you
configure the vRealize Automation
appliance later in the installation process.
It is also the system administrator login for
the vRealize Automation console.
Click Apply.
Note It can take several minutes for the

success message to appear. Do
not interrupt the process.
7. When the green success SSO is

initialized message appears stating
vCenter Single Sign-On is initialized, click
the Host Settings button.
8. In the SSO Host Name text box, verify that

the appliance’s FQDN name is displayed
correctly. If it is wrong, make the required
alteration.
Click Apply.

Page 54 of 169
9. Select the SSL button to import the SSL

certificate for the identity appliance.
Action, select Import PEM encoded
Certificate.
b. Open the vra-id-03.key file for your
Identity appliance in a text editor and
paste the contents of the file into the
RSA Private Key textbox.
c. Open the vra-id-03.pem file for your
paste the full contents into the
Certificate Chain textbox.
d. Enter the password used when
generating the certificates into the
Pass Phrase.
e. Click Apply Settings.
g.
10. Click the Active Directory button and

enter the following values:
a. In the Domain Name text box, type the
Active Directory Domain Name.
b. In the Domain User text box, type the
domain user (us e r@ dom ain ) that
will join the domain.
c. In the Password text box, type the
password for the domain user.
d. Click Join AD Domain.
Note Verify that the host name matches

the DNS record. Otherwise, you
will receive a warning message
about network misconfiguration.

Page 55 of 169
The clocks on the identity appliance, vRealize Automation Appliance, and IaaS Windows servers must
be synchronized for a successful installation.
1. Click the Admin tab and the click Time

Settings.
2. Select an option from the Time Sync

Mode drop-down menu.
 If you are using Network Time
Protocol for timekeeping, select
Use Time Server from the Time
Sync Mode menu. For each time
server that you are using, type the
IP address or the host name in the
Time Server text box.
from the Time Sync Mode menu.
You must configure the connections
to Network Time Protocol servers
before you can use VMware Tools.

correct.

synchronization of the appliance is
within the vSphere Web Client go to
Manager > Settings > VMware Tools.
Select the option Synchronize guest
time with host.

Page 56 of 169
4.3 vRealize Automation Appliance

4.3.1 Initial Configuration of the Primary Node


appliance.

Settings menu and enter the vRA load
balancer FQDN address in the vRA Host
Name text box.
Note The vRealize Automation load

balancer FQDN address is the
hostname used to access the
vRealize Automation portal by
consumers. This address relates to
the virtual interface configured on
the load balancer and must be
registered in DNS with forward and
reverse DNS records.

Page 57 of 169
4. Select the SSL Configuration pane to

import the SSL certificate generated from a
Certificate Authority for the vRealize
Automation Appliance.
Certificate.
b. Open the portal.key file for your
identity appliance in a text editor and
RSA Private Key text box.
c. Open the portal.pem file for your
paste the contents into the Certificate
Chain text box.
generating the certificates into the Pass
Phrase.
e. Click Save Settings.
Note Do not configure SSO at this point.

Page 58 of 169
4.3.2 Initial Configuration of the Secondary Node



appliance.

Settings menu and enter the vRA load
balancer FQDN address in the vRA Host
Name text box.
Note The vRealize Automation load

balancer FQDN address is the host
name used to access the vRealize
Automation portal by consumers.
This address relates to the virtual
interface configured on the load
balancer and must be registered in
DNS with forward and reverse DNS
records.

Page 59 of 169
4. Select the SSL Configuration pane to

import the SSL certificate generated from a
Certificate Authority for the vRealize
Automation appliance.
Certificate.
b. Open the portal.key file for your
identity appliance in a text editor and
RSA Private Key textbox.
c. Open the portal.pem file for your
paste the contents into the Certificate
Chain textbox.
generating the certificates into the Pass
Phrase.
e. Click Save Settings.
Note Do not configure SSO at this point.

Page 60 of 169
4.3.3 Configuring the PostgreSQL Cluster

1. Using PuTTY, make an SSH connection to

each node (vRAnode1 and vRAnode2) and
copy the postgresCluster.tar to the /tmp
folder and untar the file by running the
following commands:
cd /tmp
tar xvf postgresCluster.tar
chmod 755 pgClusterSetup.sh
vPostgresService.py
promote_replica_to_primary
Note The postgressCluster.tar file

is located in the tools folder of
Infrastructure Service Technical
Materials zip package.

Page 61 of 169

the primary node.
a. Run the pgClusterSetup.sh script
using the following syntax:
cd /tmp
./pgClusterSetup.sh -d <vCAC
Database load balancer FQDN
Address> -D <vCAC Database
load balancer IP Address> -h
<vCAC load balancer FQDN
Address> -p <Password for the
local postgres user account>
-r <Repeat password> -x <The
Partner vCAC Node>
For example:
./pgClusterSetup.sh -d portal-
db.sddc.lab -d 10.161.0.222 -h
portal.sddc.lab -p VMware1! -r
VMware1! -x vra-srv-04.sddc.lab
b. When prompted set the local postgres
user account with a new password and
press Enter.
c. Re-enter the password.
d. At the Update VAMI with Database
Failover buttons prompt, enter y and
the press Enter.
Note Verify that you have a CNAME alias

set up in DNS for the vRA
address that resolves to the same
IP address as the vRA load
balancer FQDN address.

Page 62 of 169

the secondary node.
a. Run the pgClusterSetup.sh script
using the following syntax:
cd /tmp
./pgClusterSetup.sh -d <vCAC
Database load balancer FQDN Address>
-D <vCAC Database load balancer IP
Address> -h <vCAC load balancer FQDN
Address> -p <Password for the local
postgres user account> -r <Repeat
password> -x <The Partner vCAC Node>
For example:
./pgClusterSetup.sh -d portal-
db.sddc.lab -d 10.161.0.222 -h
portal.sddc.lab -p VMware1! -r
VMware1! -x vra-srv-03.sddc.lab
b. When prompted, set the local Postgres
user account new password and press
Enter.
c. Re-enter the password.
d. At the Update VAMI with Database
Failover buttons prompt, enter Y and
press Enter.

the secondary node and stop the Postgres
database by running the following
command:
service vpostgres stop

Page 63 of 169
4.3.4 Update Database Settings on the Primary Node

1. Log in to the primary node using the user

name root and the password you specified
when deploying the vRealize Automation
appliance.
2. Click the vRA Settings tab and click the

Database menu.
a. In the Host text box, enter the vRA
address.
b. Enter the password you have selected
previously.
c. Click Save Settings.
3. The Connection Status at this point will

say NOT Connected. To force a
connection, perform the following steps:
a. Using PuTTY, make an SSH
connection to the primary node.
b. Run the following commands:
cd /tmp
./pgClusterSetup.sh
c. Return to the web interface and use the
Refresh button to update the console.
Connection status should now show
CONNECTED.

Page 64 of 169

the secondary node and perform the
following steps to start database
replication.
a. Log in as user postgres.
b. Run the run_as_replica command
to start the replication process:
/opt/vmware/vpostgres/current
/share/run_as_replica -h
<Master replica node FQDN
name> -b -W -U replicate
For example:
/share/run_as_replica -h vra-
srv-03.sddc.lab -b -W -U
replicate
c. Enter the replication user's password
for the primary node.
d. Accept the SSH Key.
e. Re-enter the replication user's
password.
f. When the message WAL Archiving is
not enabled on the primary. This
needs to be enabled for replication.
Type yes to enable WAL archiving
on the primary appears, type yes and
press Enter.
g. When the message WARNING: The
base backup operation will replace
the current contents of the data
directory. Please confirm by typing
yes appears, type yes and press
Enter.

Page 65 of 169
4.3.5 Testing Database Replication


the primary node and log in as user
postgres.
a. Run the following command to verify
that the WAL process is running:
ps -ef |grep wal
b. Run the following commands to enter
the SQL query tool::
/bin/psql vcac
c. Run the following commands to create
a new table and then exit the SQL
query tool:
CREATE TABLE
replication_test(name
varchar);
\q
2. Using Putty, make an SSH connection to

the secondary node and log in as user
postgres.
a. Run the following command to verify
the replication status:
/opt/vmware/vpostgres/current/sh
are/show_replication_status
b. Run the following command to enter the
SQL query tool:
/opt/vmware/vpostgres/current/bi
n/psql vcac
c. Run the following command to validate
that the table has been created and
replicated:
SELECT * FROM replication_test;
\q

Page 66 of 169

the primary node and log in as user
postgres.
a. Run the following command to enter the
SQL query tool:
/opt/vmware/vpostgres/current/bi
n/psql vcac
b. Run the following command to delete
the table we created for the test:
DROP TABLE replication_test;
\q

Page 67 of 169
4.3.6 Configure Single Sign-On and Licensing on the Primary Node

1. Log in to the primary node using the user

name root and the password you specified
when deploying the vRealize Automation
appliance.
2. Click the vRA Settings tab. Click the SSO

button to configure the SSO settings that
the vRealize Automation Appliance will use
to interact with the identity appliance. These
settings must match the settings you
entered when configuring the identity
appliance.
a. In the SSO Host and Port text box,
enter the FQDN of the identity
appliance using the format
<host.domain.name>:7444.
Note You must specify the SSO instance

deployed by the identity appliance.
You cannot point to an existing
installation of SSO unless it is
running a supported version of
SSO.
b. In the SSO Admin User text box, type

adm in ist r at o r@v sph e re .l oc a l .
c. In the SSO Admin Password text box,
type the SSO administrator password.
d. Click Save Settings. When you receive
the certificate warning, accept it by
clicking OK.
Note After a few minutes, a success

message is displayed and SSO
Status is updated to Connected.
3. Click Licensing to configure the license.

In the New License Key text box, type a
valid vRealize Automation license key and
click Submit Key.

Page 68 of 169
4.3.7 Configure the Secondary Node for High Availability

1. Log in to the secondary node using the

user name root and the password you
specified when deploying the vRealize
Automation appliance.
2. Click the vRA Settings tab. Select the

Cluster menu to join the secondary node to
the primary node in the HA cluster.
a. In the Leading cluster node text box,
enter the FQDN of the primary node.
b. In the Admin User text box, enter root.
c. In the Password text box, enter the
password set for the root account.
d. Click Join Cluster.
e. Accept the certificate by clicking OK.
Verify that it has joined the HA cluster
successfully.
3. Select the vRA Settings tab and select

Host Settings menu to verify that the
certificate settings in the SSL
Configuration pane have been
automatically configured during the HA
cluster join process.

Page 69 of 169
4. Select the SSO menu to verify that the

Single Sign-On settings have been
5. Select the Licensing menu to verify that

the license settings have been
6. Select the Database menu to verify that the

database settings have been automatically
configured during the HA cluster join
process.

Page 70 of 169
4.3.8 Test Promotion of the Secondary Node to Primary Node

1. Now that replication is in place from the

primary node to the secondary node, test
the process of switching roles so that the
secondary node becomes the primary node.
connection to the secondary node and
log in as the postgres user.
b. A custom
promote_replica_to_primary file
has been included, which will attempt to
shut down the remote node to stop
load-balanced traffic.
cd
/share
./promote_replica_to_primary
Should display:
server promoting
Check your load balancer pool for the
Postgres database (port 5432), and you
should see that the primary and secondary
servers are swapped.

Page 71 of 169
2. Now reverse the replication from the

primary node to the secondary node:
connection to the primary node and
login in as the postgres user.
b. Run the following commands to
replicate from the secondary node to
the primary node:
cd
are
./run_as_replica -h vra-srv-
04.sddc.lab -b -W -U replicate
In this example, we are running the
command from vra-srv-03.sddc.lab:
cd
are
./run_as_replica -h vra-srv-
04.sddc.lab -b -W -U replicate
When the message Are you sure you
want to continue connecting (yes/no)?
appears, type yes and press Enter.
When the message WARNING: The base
backup operation will replace the current
contents of the data directory. Please
confirm by typing yes: appears, type yes
and press Enter.
Following our example, the primary node
is now vra-srv-04 and the secondary node
is now vra-srv-03.

Page 72 of 169

the new primary node (vra-srv-04) and
log in as user postgres.
Run the following command:
cd
are
./show_replication_status
Verify that the secondary node is shown
under the slave column.
After completion, you have set up all
configuration required for bidirectional
failover/failback.
Note You can leave vra-srv-04 as

Primary Node and vra-srv-03 as
Secondary Node or you can repeat
the steps outlined in 4.3.8 to
promote back vra-srv-03 as
Primary Node. If you decide to
repeat the steps, note that these
must take into account the new
primary node and secondary node
positions.
4.4 IaaS Components

Use the instructions in this section only if you are NOT installing the product using a single installation
method (as described in section 3 where all IaaS components are installed on a single Windows
virtual machine).
Use these instructions if you want to install the product in a distributed manner (where all IaaS
components are installed on different Windows virtual machines for scalability).
You can complete the installation using the accounts listed in the following table.
Table 3. Installation Accounts
Product Component Account
Identity Appliance Root
vRealize Automation Appliance Root
Default Tenant administrator@vsphere.local
Website and Model Manager svc-vra

vRealize Automation
Manager Service and DEM Orchestrator svc-vra
DEM Worker svc-vra

Page 73 of 169
Product Component Account
Proxy Agent svc-vra
The following table lists the host name information for each component. Use this table as a reference.
Table 4. Server Deployment Information
Component Load Balancer Server FQDN
Identity Appliance N/A vra-id-03.sddc.lab
vRealize Automation portal.sddc.lab vra-srv-03.sddc.lab

Appliance
vra-srv-04.sddc.lab
Website and Model Manager web.sddc.lab vra-iws-03.sddc.lab

vra-iws-04.sddc.lab
Manager Service and DEM mgr.sddc.lab vra-ims-03.sddc.lab

Orchestrator
vra-ims-04.sddc.lab
DEM Workers and Agents N/A vra-dem-03.sddc.lab

vra-dem-04.sddc.lab

Page 74 of 169
4.4.1 Required vCenter Account Permissions

This table shows the detailed permissions the vSphere endpoint credentials must have to manage a
vCenter server instance. These requirements are also listed in the VMware vRealize Automation 6.2
Installation and Configuration document (http://pubs.vmware.com/vra-
62/topic/com.vmware.ICbase/PDF/vrealize-automation-62-installation-and-configuration.pdf).
Table 5. vCenter Server Permissions
Attribute Value Permission
Global Manage Custom Attributes
Set Custom Attribute
Folder Create Folder
Delete Folder
Datastore Create Folder
Delete Folder
Virtual Machine
Inventory Create from existing

Create New
Move
Remove
Interaction Power On
Power Off
Suspend
Reset
Device Connection
Configure CD Media
Tools Install
Console Interaction

Page 75 of 169
Attribute Value Permission
Configuration Rename
Add Existing Disk
Add New Disk
Remove Disk
Change CPU Count
Memory
Add or Remove Device
Settings
Change Resource
Advanced
Swap Placement
Modify Device Settings
Disk Change Tracking
Set Annotation (5.0 and 5.1 only)
Provisioning Customize
Clone
Deploy Template
Read Customization Specs
State Create Snapshot

Remove Snapshot
Revert to Snapshot
Resource Assign VM to Res Pool
Migrate
Permissions Modify Permission
Assign Network

Page 76 of 169
4.4.2 IaaS Database

Verify that you have performed the following tasks before proceeding:
 Installed Microsoft .NET 4.5.2 Framework.
 Installed Java Runtime Environment.
 Downloaded the IaaS installer from the vRealize Automation appliance
(https://hostname.domain:5480/installer).
Perform the following step-by-step instructions to install the IaaS database.
1. Download the IaaS installer from the

vRealize Automation appliance
2. Launch the installer by right clicking the

downloaded.
Select Run as administrator.

box.
Click Next.

Page 77 of 169

Click Next.
5. On the Log In dialog, enter the vRealize

Automation appliance administrator
credentials.
Click Next.
6. On the Installation Type dialog, select

Custom Install.
Then select IaaS Server.
Click Next.

Page 78 of 169
7. On the IaaS Server Custom Install dialog,

select the Database checkbox.
Enter the following details in the Database
tab:
a. In the Database instance text box,
enter the FQDN of the SQL database
server.
b. In Database name text box, enter the
name of the database to be used for
IaaS components.
c. Click Next.
8. In the Verify Prerequisites dialog:

If the Prerequisite Checker displays
warnings, select the entry in the left panel
and follow the instructions that appear on
the right for each item that requires
attention.
When all issues are addressed, click
Check Again, and verify that all items have
green check marks next to them.
You can click Check Again at any time to
check the status of the prerequisites. If
non-critical errors still occur, click Bypass
to continue the installation.
Click Next.
9. On the Ready to Install dialog box, click

Install.

Page 79 of 169
10. On the Installing all the vCloud

Automation Center Components on the
system complete dialog, select Next.
11. On the vCloud Automation Center

Configuration is complete dialog,
deselect the Guide me through the initial
system configuration check box.
Click Finish.

Page 80 of 169
4.4.3 Primary IaaS Web and Model Manager Data Server

 Load balancer is configured for the web service.
 Performed the Windows Server prerequisites:
o Configuration of MSDTC
o Installation and configuration of IIS Server
o Installation of Window Process Activation Services
o Loopback Back Connection Host Names Disabled
(http://support.microsoft.com/KB/926642/EN-US)
o Start the Secondary Logon service
o Logon as a Batch Job access for the Service Account
 In your load balancer, verify that only the basic HTTPS monitor is enabled and all the other
vRealize Automation specific monitors are disabled. The disabled monitors can be re-enabled
after all IaaS components are installed.
Perform the following step-by-step instructions to install the primary IaaS Web Server and Model
Manager.
1. The following registry modification is

required for the IaaS web server (vra-iws-
03), Windows Server 2012, or R2 registry
to include Local Security Authority host
names that can be referenced in in the
NTLM authentication requests for CNAME
and load balancer FQDN addresses.
a. Open the Windows registry and
browse
HKEY_LOCAL_MACHINE\SYSTEM\Cu
rrentControlSet\Control\Lsa\
MSV1_0.
b. Right-click MSV1_0, point to New, and
click Multi-String Value.
c. In the Name column, type
BackConnectionHostNames, and
press Enter.
d. In the Value text box, type the
CNAME or DNS alias that is used for
the local shares on the computer, and
click OK.
Example for IaaS Web Servers:
web.sddc.lab

Page 81 of 169
2. Import the CA issued certificate for the

IaaS web server.
a. Open the MMC console for
Certificates.
b. Expand Certificates.
c. Right-click Personal >All Tasks >
Import.
3. On the File to Import dialog box:

a. In File name, browse and select the
PKCS file with the .pfx extension that
represents the CA issued certificate for
IaaS web server.
b. Click Next.
4. On the Password dialog box:

a. Enter the password for the private key.
b. Click Next.

Page 82 of 169
5. On the Certificate Store dialog:

a. Accept the default Place all
certificates in the following store.
b. Click Next.
c. Click Finish.
d. Click OK on Import Successful.
6. Before the installation of the IaaS

components, verify system cryptography.
Go to the Local Group Policy Editor,
expand Computer Configuration, expand
Windows Settings, expand Security
Settings, expand Local Policies, expand
Security Options and use FIPS-compliant
algorithms for encryption and hashing.
Verify that signing is set to Disabled.

downloaded. (See Section 2.4.)

Page 83 of 169

box.
Click Next.

Click Next.

credentials.
Click Next.

Page 84 of 169

Custom Install.
Then select the IaaS Server.
Click Next.

select the Website and
ModelManagerData check boxes.
13. On the Administration & Model Manager

Web Site tab:
Select the certificate that was imported in
the previous steps and select Test
Binding.
Select the Suppress certificate mismatch
check box.
Click the Model Manager Data tab.

Page 85 of 169
14. On the Model Manager Data tab:

a. Enter the FQDN of the vRealize
Automation load-balanced address.
b. Click Load to populate the SSO
Default Tenant text box with your SSO
domain name.
c. Click Download.
d. Click View Certificate.
e. When the certificate confirmation
appears, click Install Certificate.
f. Click the Accept Certificate check box
to install the SSO certificate.
g. Type the SSO administrator’s name
and password in the SSO
Administrator Credentials text box.
Use
adm in ist r at o r@v sph e re .l oc a l
(where domain is the name you
specified when configuring SSO).
h. Click Test to verify.
i. Enter the FQDN of the server that
hosts the vRealize Automation web site
component. Click Test to verify.
j. Click Next.
15. On the Verify Prerequisites dialog, verify

all the prerequisites are met.
Click Next.

Page 86 of 169
16. On the Server and Account Settings

dialog:
a. Enter the vRealize Automation service
user in User name text box.
c. In Passphrase and Confirm text
A passphrase is required to configure
the components. A passphrase is a
series of words used to create a phrase
that generates the encryption key that
is used to protect data while at rest in
the database and for data recovery
The passphrase you create during
installation must be used across the
entire IaaS deployment so that each
component has the same encryption
keys. The passphrase might be
required during an upgrade. Therefore,
you should store it in a secure location
or memorize it.
d. In Microsoft SQL Server Database
Installation Information, do the
following and click Next.
 Select Windows authentication or
deselect it to use SQL
authentication.
17. On the Ready to Install dialog, review the

information and click Install.
network configuration, installation can take
from five to sixty minutes.
Click Install.

Page 87 of 169
18. On the Installing dialog, click Next.

Click Finish.

Page 88 of 169
4.4.4 Secondary IaaS Web Server

 Performed the Windows Server perquisites.
o Start the Secondary Logon service.
o Logon as a Batch Job access for the Service Account.
Perform the following step-by-step instructions to install the secondary IaaS Web Server.

required for the IaaS web server (vra-iws-
04), Windows Server 2012 or R2 registry to
include Local Security Authority host
names that can be referenced in in the
NTLM authentication requests for CNAME
and load balancer FQDN addresses.
a. Open the Windows registry and browse
HKEY_LOCAL_MACHINE\SYSTEM\Cur
rentControlSet\Control\Lsa\MS
V1_0.
then click Multi-String Value.
then press Enter.
d. In the Value data box, type the CNAME
or DNS alias that is used for the local
shares on the computer, and then click
OK.
Example for IaaS Web Servers:
web.sddc.lab

Page 89 of 169
2. Import the CA issued certificate for IaaS

web server.
Certificates.
c. Right-click Personal >All Tasks >
Import.

a. In the Certificate Import Wizard, click
OK.
b. In File name, browse and select the
IaaS web server.
c. Click Next.
4. On the Password dialog:

b. Click Next.

Page 90 of 169

b. Click Next.
c. Click Finish.
d. Click OK on Import Successful.

downloaded. (See section 2.4.)

Page 91 of 169

box, click Next.

Click Next.

credentials.
Click Next.

Page 92 of 169
10. On the Installation Type dialog, select the

Custom Install.
Then select IaaS Server.
Click Next.
11. In the IaaS Server Custom Install dialog

box, select only the WebSite check box.
a. Select the certificate that you imported
in the previous steps and select Test
Binding.
b. Check the Suppress certificate
mismatch checkbox.
c. In the IaaS Server textbox, enter the
load balancer address for the web
services.
d. Click Next.

all the prerequisites are met.
Click Next.

Page 93 of 169

dialog:
a. Enter the service user in User name
text box.
Installation Information configure the
following and click Next.
 Select Windows authentication or
deselect it to use SQL
authentication.

from 5 to 60 minutes.
Click Install.

Page 94 of 169

Click Finish.

Page 95 of 169
4.4.5 Primary IaaS Manager Service and DEM Orchestrator

 Configured the load balancer for the Manager Service.
(http://support.microsoft.com/KB/926642/EN-US) Start the Secondary Logon service.
o Logon as Service access for the Service Account.
Perform the following step-by-step instructions to install the primary Manager Service server.

required for the IaaS Active Manager
Server (vra-ims-03) Windows Server 2012
or R2 registry to include Local Security
Authority host names that can be
referenced in in the NTLM authentication
requests for CNAME and load balancer
FQDN addresses.
V1_0
press Enter.
d. In the Value text box, type the CNAME
shares on the computer, and click OK.
Example for IaaS Manager Service
Servers: mgr.sddc.lab.

Page 96 of 169

web server.
Certificates.
Right-click Personal >All Tasks > Import.
3. On the File to Import box:

a. In the Certificate Import Wizard dialog
box, click OK.
b. In File name, browse and select the
IaaS web server.
c. Click Next.

b. Click Next.

Page 97 of 169

b. Click Next.
c. Click Finish.
d. Click OK on the Certificate Import
Wizard.

downloaded. (See section 2.4).

box, click Next.

Page 98 of 169

Click Next.

credentials and click Next.

Custom Install.
Click Next.

Page 99 of 169

select the Manager Service check box.
Within the Manager Service tab:
a. In the IaaS Server textbox, enter the
FQDN of Web server load balancer.
b. For Manager Service Startup Type
click Active node with startup type
set to automatic.
c. In Available Certificates, select the
CA issued Certificate that was imported
into the server for the manager service.
d. Click View Selected Certificate and
Verify the information is correct.
e. Click Next.

that all the prerequisites are met.
Click Next.

Page 100 of 169

dialog:
a. Enter the service account in User
name text box.
Installation Information.
e. Type your SQL server database host
name in the Server text box and your
database name in the Database name
text box.
f. Select Windows authentication or
deselect it to use SQL authentication.
g. If you use SQL authentication, type
h. Click Next.

Click Next.

Page 101 of 169

Click Finish.
17. Now you must install the first DEM

Orchestrator.
Launch the installer by right clicking the
downloaded. (See section 2.4)

box, click Next.

Click Next.

Page 102 of 169

credentials.
Click Next.

Custom Install.
Select Distributed Execution Managers.
Click Next.

Click Next.

Page 103 of 169

dialog, enter the password for the service
account.
Click Next.
24. On the Install Distributed Execution

Manager dialog:
a. Use the drop-down list for DEM role
and select Orchestrator.
b. Enter a name for the DEM Orchestrator
in the DEM Name text box.
c. Enter a description for the DEM
Orchestrator in the DEM description
text box.
d. Enter the FQDN of the load balancer
Manager Service server and click
Test.
e. Enter the FQDN of the load balancer
Model Manager Web Service server
and click Test.
f. Click Add.
g. Click Next.

Click Next.

Page 104 of 169

system configuration check box and click
Finish.
Verify the Manager Service and DEM-

Orchestrator services have started before
proceeding.

Page 105 of 169
4.4.6 Secondary (Passive) IaaS Manager Service

o Logon as Service access for the Service Account.
Perform the following step-by-step instructions to install the secondary (passive) Manager Service
server.

required for the IaaS Passive Manager
Service Server (vra-iws-04) Windows
Server 2012 or R2 registry to include Local
Security Authority host names that can be
referenced in in the NTLM authentication
requests for CNAME and load balancer
FQDN addresses.
V1_0
Ba c kCo nne ct ion Ho st Na me s ,
and press Enter.
d. In the Value text box, type the CNAME
shares on the computer, and click OK.
Example for IaaS Manager Service Server:
mgr.sddc.lab

Page 106 of 169

web server.
Certificates.
Right-click Personal >All Tasks > Import.

a. In File name, browse and select the
IaaS web server.
b. Click Next.

b. Click Next.

Page 107 of 169

b. Click Next.
c. Click Finish.


box, click Next.

Page 108 of 169

Click Next.

credentials.
Click Next.

Custom Install.
Click Next.

Page 109 of 169

select the Manager Service check box.
Within the Manager Service tab:
a. In the IaaS Server text box, enter the
FQDN of Web server load balancer.
b. In the Manager Service Startup Type,
click Disaster recovery cold standby
node.
c. In Available Certificates, select the
CA issued certificate that was imported
into the server for the manager service.
d. Click View Selected Certificate and
verify the information is correct.
e. Click Next.

Click Next.

Page 110 of 169

dialog:
a. Enter the service account in User
name text box.
Installation Information.
e. Type your SQL server database host
name in the Server text box and your
database name in the Database name
text box.
f. Select Windows authentication or
deselect it to use SQL authentication.
g. If you use SQL authentication, type
h. Click Next.

Click Next.

Page 111 of 169

Click Finish.
17. Now you must install the second DEM

Orchestrator.
Launch the installer by right clicking the

box.
Click Next.

Page 112 of 169

Click Next.

credentials.
Click Next.

Custom Install.
Select Distributed Execution Managers.
Click Next.

Page 113 of 169

Click Next.

account.
Click Next.

Manager dialog:
and select Orchestrator.
b. Enter a name for the DEM Orchestrator
in the DEM Name text box.
c. Enter a description for the DEM
Orchestrator in the DEM description
text box.
Test.
and click Test.
f. Click Add.
g. Click Next.

Page 114 of 169

Click Next.

system configuration check box and click
Finish.

Page 115 of 169
4.4.7 Primary and Secondary DEM Workers Server

o Loopback Disabled (http://support.microsoft.com/KB/926642/EN-US)
Perform the following step-by-step instructions to install the DEM Worker, and repeat the process on
two separate machines to load balance the worker processes.

downloaded. (See Section 2.4.).

box, click Next.

Page 116 of 169

dialog box, select I accept the terms in the
license agreement.
Click Next.

credentials.
Click Next.

Custom Install.
Click Next.

Page 117 of 169

Click Next.

account.
Click Next.

Manager dialog
and Select Worker.
b. Enter a name for the DEM Worker in
the DEM Name text box.
c. Enter a description for the DEM Worker
in the DEM description text box.
Test.
and click Test.
f. Click Add.
g. Click Next

Page 118 of 169

Click Next.

Click Finish.

Page 119 of 169
4.4.8 Proxy Agents Server

Perform the following step-by-step instructions to install the proxy agents. To provide high availability
of a single agent, repeat the process on two separate servers, verifying that you specify the same
settings.

downloaded. (See Section 2.4.)

box, click Next.

dialog box, select I accept the terms in the
license agreement.
Click Next.

Page 120 of 169

credentials.
Click Next.

Custom Install.
Then select the Proxy Agents.
Click Next.

account.
Click Next.

Page 121 of 169
7. In the Install Proxy Agent dialog, specify

configuration details:
a. Select Agent Type vSphere.
b. Enter an Agent name that will be used
to identify the Agent service.
c. Enter the FQDN of the load balancer
Test.
and click Test.
e. Enter a unique Endpoint name that will
be used during tenant endpoint
configuration.
f. Click Add.
g. Click Next.

between five minutes to one hour.
Click Next.

Page 122 of 169

Click Finish.

Page 123 of 169
5. General Configuration Tasks

5.1 Creating the Default Tenant
Use this section if the customer’s design will use the default tenant. See the next section if the
customer’s design requires the creation of additional tenants.
1. Open a browser tab and navigate to

https://<hostname.domain.name>/vcac/.
To log in to the vCloud Automation Center
console, use the fully qualified domain
name (exactly as specified when you
created the SSL certificate).
Log in as
adm in ist r at o r@v sph e re .l o c a l with
your administrative password.
The Administration tab opens to the
Tenants page.
2. A tenant called v sph e re .l oc al already

exists. This is created by default.
Click the vsphere.local tenant name.
3. The values on the General tab are already

configured. This is performed by default for
the default tenant.
Click Next.

Page 124 of 169
4. On the Identity Stores tab, click + Add

Identity Store to add an identity store for
this tenant.
5. Specify the identity store information for

your environment.
Complete this step when setting the Type
to Native Active Directory. For other types,
skip this step and proceed to step 6.
Provide the DNS name of the Active
Directory domain name in the Domain
field.
Click Add, and click Next. Skip to step 8 to
continue configuring the default tenant.

your environment.
When setting Type to Active Directory or
OpenLDAP, complete this step.
Use the correct syntax for your identity
store when defining the Login User DN,
Group Search Base DN, and User
Search Base DN values. Use the following
example as reference.

Page 125 of 169
7. Click Test Connection to confirm. A

message Connection is available is
displayed.
Click Add and click Next.
8. On the Administrators tab, specify a

tenant administrator and an infrastructure
administrator.
Search for an account within the Identity
Store and assign it the tenant administrator
role. Repeat this step for the infrastructure
administrator role.
Note If IaaS components are not

configured yet, this message is
displayed.
Click Update.
5.2 Creating a New Tenant

Use this section if the customer’s design requires the creation of additional tenants. See the previous
section if the customer’s design will use the default tenant.
1. Open a browser tab and navigate to

https://<hostname.domain.name>/vcac/.
Log in as
adm in ist r at o r@v sph e re .l oc a l with
your administrative password.
The Administration tab opens to the
Tenants page.

Page 126 of 169
2. A tenant called v sph e re .l oc al already

exists. This is created by default.
Create a new tenant (for example, S DD C ),
by clicking + Add Tenant.
3. On the General tab, enter the following

values:
a. In the Name text box, enter a name for
the tenant.
b. (Optional) In the Description text box,
enter a description for the tenant.
c. In the URL Name text box, enter a
URL name for the tenant.
d. (Optional) In the Contact email text
box, enter a contact email address.
e. Click Submit and Next.
4. On the Identity Stores tab, click the + Add

Identity Store button to add an identity
store for this tenant.

Page 127 of 169

your environment.
Use the correct syntax for your identity
store when defining the Login User DN,
Group Search Base DN, and User
Search Base DN values. Use the following
example as reference.
6. Click Test Connection to confirm. A

message Connection is available is
displayed.
Click Add and click Next.
7. On the Administrators tab, specify a

tenant administrator.
Search for an account within the Identity
Store and assign it the tenant administrator
role. Repeat this step for the infrastructure
administrator role.
Note If IaaS components are not

configured yet, this message is
displayed.
Click Add.

Page 128 of 169
5.3 Licensing the IaaS Components

1. Log in as a tenant of vRealize Automation

using an Infrastructure Administrator
account. Use the following format:
http://hostname.domain/vcac/org/tenant
2. Click the Infrastructure tab.
3. Using the menu, select Administration >

Licensing.

Page 129 of 169
4. Click Add License and enter a valid

license key.
Click OK.
5. Review the License Information to verify

that the license has been applied correctly.
6. Embedded vRealize Orchestrator

6.1 Deployment
The vRealize Automation appliance contains an embedded instance of vRealize Orchestrator which
should be up and running by default.
6.1.1 Confirm the vRealize Automation Embedded vRealize Orchestrator

Appliance is Running
Step Description Screenshot
1. To verify that the vRealize

Automation embedded
vRealize Orchestrator
instance is up and running,
start an SSH session to the
vRealize Automation Server
and run service vco-
server status. Verify that
the service status is running.

Page 130 of 169
6.2 Configuration
6.2.1 Configure the vRealize Automation Embedded vRealize Orchestrator
The vRealize Orchestrator server distributed together with the vRealize Automation appliance is
preconfigured, and therefore when your system administrator deploys the vRealize Automation
Appliance, the vRealize Orchestrator server is up and running.
1. SSH to the vRealize Automation

appliance and run service
vco-configurator start to
start the vRealize Orchestrator
Configuration service. Verify that
the service status is running.
2. Open a browser and navigate to

https://vCAC_appliance:8283/
Accept any certificate warnings.
On the vRealize Orchestrator
Configuration page, enter user
name v mw are and password
v mw are . Click Login.
3. Enter a new password for the

vRealize Orchestrator
configuration interface and click
Apply Changes to open the
home page.

Page 131 of 169
4. On the Network tab, set the IP

address of the vRealize
Automation appliance and click
Apply changes.
5. On the Network tab, click SSL

Trust Manager. In the URL
from which to import the
certificate field, enter the name
of the vCenter Server and click
Import.
6. Review the certificate and click

Import. Repeat the step for
each vCenter Server instance
you want vRealize Orchestrator
to communicate with.

Page 132 of 169
7. On the Licenses tab, select

Use vCenter Server License
and in the Host text box, type
the name of the vCenter Server
that will supply the license.
Alternatively, you can manually
provide the license. Click Apply
changes.
8. Click License details and

review the license.
Note A restart of the server

might be required before
using the vRealize
Orchestrator client.

Page 133 of 169
6.2.2 Accessing the Embedded vRealize Orchestrator Server

1. Open a browser and navigate to

https://<vcac_server>:8281.
Accept any certificate warnings.
Click Start Orchestrator Client.
Note JRE 1.7+ is required to

launch the vRealize
Orchestrator 6.0 client.
2. Enter the host name of the

embedded vRealize Orchestrator
Appliance and log in with user name
adm in ist r at o r@v sph e re .l oc a l
and password.
3. Select Install the Certificate and do

not display any security warnings
for it anymore and click Ignore.

Page 134 of 169
4. Verify that you can now see the

vRealize Orchestrator Client
Interface.

Page 135 of 169
6.3 vRealize Automation Integration for External vRealize

Orchestrator Instances
6.3.1 Configure vRealize Automation to Use External vRealize Orchestrator
Server
The following procedure shows how a tenant administrator can configure an external dedicated
vRealize Orchestrator server or an infrastructure administrator can configure an external vRealize
Orchestrator for all tenants.
1. Open a browser and navigate to the

appropriate vRealize Automation page:
 To configure vRealize Automation to
use an external vRealize
Orchestrator Server for the entire
infrastructure, log in to the default
tenant:
https://vcac_server/vcac/
 To configure vRealize Automation to
use an external vRealize
Orchestrator Server for a specific
tenant, log in to the Tenant page:
https://vcac_server/vcac/org/tenant_
name
2. Select Administration, select

Advanced Services, and select Server
Configuration.
3. Select Use an external Orchestrator

server.
Enter a name, the FQDN of the external
vRealize Orchestrator, and port number
(8281).
Select Basic for Authentication and
enter the credentials of a user that is a
member of the vRO Admin group as
defined in the configuration of the
vRealize Orchestrator server.
Click Test Connection.
Verify that the connection is successful.

Page 136 of 169
4. Click Update.
Accept the Delete Endpoints warning
message.
5. Click Endpoints on the left panel.

Click Add.
6. Under the Plug-in tab, select vCenter

Server.
Click Next.
7. Enter a name for the vCenter Server.

Click Next.

Page 137 of 169
8. Under the Set the vCenter Server

interface properties tab on the Details
tab, enter the FQDN of the vCenter
Server in the IP or host name of the
vCenter Server instance to add field.
Leave the default values for Port of the
vCenter instance and Location of the
SDK that you use to connect to
vCenter Server instance.
Click Next.
9. Under the Set the connection

properties tab, enter vCenter Server
administrator credentials.
10. Click Add.
11. Verify that an endpoint for the vCenter

Server is successfully created.

Page 138 of 169
12. Verify that the vCenter Server objects

are visible using the vCenter
Orchestrator Client.
Log in to the vRealize Orchestrator as a
user that is a member of the vRO
Admin group.
13. Confirm that the vCenter Server objects

are available in vRealize Orchestrator,
which is now an endpoint created by the
tenant administrator.

Page 139 of 169
6.3.2 Install the vRealize Automation Plug-In for vRealize Orchestrator

You must use the Orchestrator configuration interface to install the vRealize Automation plug-in. You
can use either the default vRealize Orchestrator server embedded in vRealize Automation, or an
external vRealize Orchestrator server.
Step Task Description Screenshot
1. Log in to the vRealize Orchestrator

configuration interface at
http://orchestrator_server:8283. On the
General tab, click Install Application.
2. Upload the vRealize Automation plug-

in. Click the magnifying glass icon.
Select the .vmoapp file to install. Click
Open.
3. Click Install.

Page 140 of 169
4. Review and accept the license

agreement.
5. Notice the message that appears after

successful installation. The vRealize
Automation plug-in is installed without
a tab in the vRealize Orchestrator
configuration interface.
6. On the Startup Options tab, click

Restart service to complete the plug-
in installation.

Page 141 of 169
6.3.3 Accessing the vRealize Automation Plug-In Configuration Workflows

You can use the workflows in the Configuration workflow categories to manage vRealize Automation
hosts. Access these workflows from the Configuration subdirectory of the plug-in library in the
Workflows view of the vRealize Orchestrator client.
1. Open a browser, navigate to

https://vcac-server:8281 and click
Start Orchestrator Client.
2. Enter the host name of the vRealize

Orchestrator appliance and log in as a
user that is a member of the vRO
Admin group.
3. Expand the Workflow library and

navigate to Library > vCloud
Automation Center > Configuration.

Page 142 of 169
6.3.4 vRealize Orchestrator for vRealize Automation (Plug-In Configuration)

Follow this procedure to add a vRealize Automation host to vRealize Orchestrator.
1. Right-click the Add a vCAC host

workflow and select Start workflow.
Enter a unique name for the host in
the Host Name text box. Enter the
URL address of the host in the Host
URL text box. Enter the name of the
tenant in the Tenant text box. Select
whether to install the SSL certificates
automatically without user
confirmation.
(Optional) Enter timeout intervals in
the Connection timeout (seconds)
and Operation timeout (seconds)
text boxes. Click Next.
2. Select Shared Session. Enter

credentials for the vRealize
Automation host in the Authentication
username and Authentication
password text boxes. Click Next.

Page 143 of 169
3. Click Submit. Verify that the workflow

finishes successfully.
4. Go to the Inventory tab and navigate

to vCloud Automation Center. Verify
that the vRealize Automation Server
host you just added is listed.
5. Repeat these steps for all vRealize

Automation hosts you want to manage
with this vRealize Orchestrator
instance.

Page 144 of 169
6.3.5 Add an IaaS Host of a vRealize Automation Host in vRealize

Orchestrator (Plug-In Configuration)
Follow this procedure to add an IaaS host of a vRealize Automation host in vRealize Orchestrator.
1. Expand the Workflow library and

navigate to Library > vCloud
Automation Center > Configuration.
2. Right-click Add the IaaS host of a

vRA host and select Start workflow.
Select the vRealize Automation host
for which you want to configure an
IaaS host from the vRA host drop-
down menu. Click Next.

Page 145 of 169
3. Enter a unique name for the host in

the Host Name text box. Enter the
URL address of the host in the Host
URL text box.
(Optional) Enter timeout intervals in
the Connection timeout (seconds)
and Operation timeout (seconds)
text boxes. Click Next.
4. Select a session mode. Fill in the

credentials. Click Next.
5. Enter the NetBIOS domain name in

the Domain for NTLM authentication
text box. Click Submit.

Page 146 of 169
6. Go to the Inventory tab and navigate

to vCloud Automation Center >
Infrastructure Administration. Verify
that the IaaS host you just added is
listed.
Redo these steps for each IaaS you
want to manage with this vRealize
Orchestrator Instance.
7. You can use the infrastructure

administration workflows to provision
virtual machines and run basic or
CRUD operations. You can find these
workflows in the Infrastructure
Administration subdirectory of the
plug-in library in the Workflows view
of the vRealize Orchestrator client.

Page 147 of 169
6.3.6 vRealize Orchestrator for Extensibility

1. You use the extensibility package to

customize vRealize Automation with
the ability to call vRealize Orchestrator
workflows either as part of the
provisioning process, or by custom
operation menus.
You can find these workflows in the
Infrastructure Administration >
Extensibility subdirectory of the plug-
in library in the Workflow views of the
vRealize Orchestrator client.
2. Run the Install vCO Customizations

workflow from the Installation
subdirectory of the Extensibility
folder.
This updates the vRealize Automation
workflows stubs with an activity to call
vRealize Orchestrator workflows
stubs.

Page 148 of 169
3. These vRealize Orchestrator workflow

stubs are part of the vRealize
Orchestrator plug-in for vRealize
Automation.
4. Use the Workflow Template workflow

as a starting point when creating
workflows to assign to a state change
or a menu operation.
This workflow has specifically named
input parameters to facilitate logging
and modification of common items
such as custom properties and to work
with common objects such as the
vC:VM scriptable object. This
facilitates correlation to the machine
upon which the operation is being
performed without writing additional
JavaScript code.
5. The vRealize Orchestrator workflow

stubs that are called by the vRealize
Automation workflow stubs are located
in the Infrastructure Administration
> Extensibility > Workflows Stubs
subdirectory of the plug-in library in the
Workflows view of the vRealize
Orchestrator client.
These workflows call a workflow
named Workflow Runner that will
eventually call the workflow that is
assigned to the state change
operation.

Page 149 of 169
6. For vRealize Automation to call

vRealize Orchestrator during the
provisioning process, you must first
run Assign a state change workflow
to a blueprint and its virtual
machines. This workflow is located in
the Extensibility folder.
7. When running the workflow you must

provide the name of the vRealize
Automation host, the workflow stub on
which vRealize Automation will call out
to vRealize Orchestrator, the blueprint
for which this will happen as part of the
deployment process, and the user
workflow that must be run at that point.

Page 150 of 169
7. Guest Agent Installation

7.1 vRealize Automation Guest Agent Installation
The following steps provide instructions for installing and configuring a Linux Guest Agent in a
CentOS6-x86 virtual machine that will be provisioned to vCloud Automation Center 6.0.
1. Log in as ro ot .
2. Open the browser to https://<vcloud-

automation-center-
appliance:5480/installer> and download
Linux guest agent packages.
3. Save the .zip file.
4. Unzip the file.

Page 151 of 169
5. Navigate to the LinuxGuestAgentPkgs

and locate the subdirectory that
corresponds to the guest operating system
you are deploying during provisioning.
Install the gugent rpm.
6. Configure the guest agent with the

vRealize Automation Manager Service host
and port number.
Run the following command with the right
parameters.
# ./installgugent.sh <vcac-
fqdn>:443 ssl
7. Shut down the virtual machine.

Convert it to a template.

Page 152 of 169
8. vRealize Log Insight Content Pack

8.1 Obtaining the vRealize Log Insight Content Pack for vRealize
Automation
1. Click the admin credentials. Log in to the

admin portal.
2. On the top right, select Administration

from pull-down menu.
Select Content Packs.
3. The vSphere content pack that is

preinstalled with the vRealize Log Insight
appliance by default is displayed.
On the left panel, Click Download more.
4. Click Visit the Marketplace.

Page 153 of 169
5. Log in to solutionsexchange.vmware.com.
Click Log Insight Content Packs.
6. Under Solutions, navigate to the next

page.
7. Locate the vCAC Log Insight Content

Pack section.
8. On the vCAC Log Insight Content Pack

page, click Try.

Page 154 of 169
9. Download the content pack (.vlcp file).

Page 155 of 169
8.2 Installing the vRealize Log Insight Content Pack

1. Go to the Contents Packs page in the

admin portal.
Click Import Content Pack on the bottom
of the left panel.
2. Click Browse and locate the content pack

in the download directory.
Click Import.

Page 156 of 169
3. You can ignore the Content Pack Notice.

Click Continue.
4. Once installed successfully, the pack will

be listed under the available Content
Packs.

Page 157 of 169
9. Configuring vRealize Automation to Forward Log

Events
vRealize Automation is part of the VMware vCloud Suite® of management products and is comprised
of multiple components. Each component must be configured to forward their respective logs to
vRealize Log Insight.
The vRealize Automation 6.2 Content Pack for Log Insight includes analytics for the following
components:
 vRealize Automation CAFE services
 IaaS services
 Application Services
 SSO
 Apache
These components are hosted on one or more of the following hosts:
 vRealize Automation Virtual Appliance
 IaaS Windows
 Application Services Virtual Appliance
 SSO Identity Virtual Appliance (or vCenter Server 5.5b SSO)
You must configure each of these hosts to forward its log files to your vRealize Log Insight instance.
The following sections provide details about the log files locations and sample configuration files.
9.1 vRealize Automation Virtual Appliance

The vRealize Automation Virtual Appliance is an Apache Tomcat server that hosts the CAFE services
(including the Service Catalog) and a local vRealize Orchestrator instance. You should configure all
log files to forward to vRealize Log Insight.
9.1.1 Log Files

Task Task Description Relevant Files
1. These log files should be monitored on the /var/log/vcac/catalina.out

vRealize Automation virtual appliance.
/var/log/vco/app-
server/catalina.out
/var/log/apache2/error_log
/var/log/apache2/ssl_request_log

Page 158 of 169
9.1.2 Syslog Forwarding Configuration

You can easily configure the vRealize Automation Virtual Appliance to forward log files to vRealize
Log Insight by modifying the remote.conf configuration file located in /etc/rsyslog.d/. You
must also replace the <Log Insight> string with your vRealize Log Insight host IP address or
FQDN and restart the agent after you update the configuration file per the comments provided.
Task Task Description Relevant File(s)
1. Modify relevant sections of the #

/etc/rsyslog.d/remote.conf # vCAC log files
file. # Add to: /etc/rsyslog.d/remote.conf
# Replace with Log Insight FQDN
# Run: /etc/init.d/syslog restart
#
$ModLoad imfile
$InputFileName
/var/log/vmware/vcac/catalina.out
$InputFileTag vcac:
$InputFileStateFile stat-vcac-catalina1
$InputFileSeverity info
$InputFileFacility local7
$InputRunFileMonitor
$InputFileName /var/log/vco/app-
server/catalina.out
$InputFileTag vco:
$InputFileStateFile stat-vco-catalina1
$InputFileName
/var/log/apache2/access_log
$InputFileTag apache:
$InputFileStateFile stat-apache2-
access1
$InputFileName
/var/log/apache2/error_log
$InputFileStateFile stat-apache2-error1
$InputFileSeverity error
$InputFileName
/var/log/apache2/ssl_request_log
$InputFileStateFile stat-apache2-ssl1
# check for new lines every 10 seconds
$InputFilePollInterval 10
*.* @@<Log Insight>
vCAC

Page 159 of 169
9.2 vRealize Automation IaaS Windows

The vRealize Automation IaaS Windows host provides the Infrastructure services. In a distributed
environment, you must configure the host on each Windows server according to the service installed.
Windows does not include a native syslog agent, but you can install several free agents (such as the
Datagram Syslog Agent) and configure them to forward log files.
9.2.1 Log Files

You should monitor the following log files on the vRealize Automation Windows server:
 C:\Program Files (x86)\VMware\vCAC\Agents\<plugin>\logs\<file>
o Plug-in examples
 CPI61, nsx, VC50, VC51Agent, VC51TPM, vc51withTPM, VC55Agent, vc55u,
VDIAgent
o File examples
 vSphereAgent, EpiPowerShellAgent, VdiPowerShellAgent
 C:\Program Files (x86)\VMware\vCAC\Distributed Execution
Manager\DEMOR\Logs\DEMOR_All
 C:\Program Files (x86)\VMware\vCAC\Distributed Execution
Manager\DEMWR\Logs\DEMWR_All
 C:\Program Files (x86)\VMware\vCAC\Server\Logs\All
 C:\Program Files
(x86)\VMware\vCAC\Server\ConfigTool\Log\vCACConfiguration-<date>
 C:\Program Files (x86)\VMware\vCAC\Server\Model Manager
Data\Logs\<nothing today>
 C:\Program Files (x86)\VMware\vCAC\Server\Model Manager
Web\Logs\Repository
 C:\Program Files (x86)\VMware\vCAC\Server\Website\Logs\Web_Admin_All
 C:\Program Files (x86)\VMware\vCAC\Web API\Logs\<nothing today>

If you use the Datagram Syslog Agent, configure the agent after installation with the following
Windows registry settings. You must restart the agent after following the instructions in the comments
below.
Windows Registry Editor Version 5.00
;
; Install Datagram Syslog Agent
; Configure the agent to forward logs to Log Insight
; Save this as vcac-datagram.reg
; Open Registry Editor, on the File menu click Import, find the reg file
and select Import
; Be sure to start/restart the agent after importing the registry file
;
[HKEY_LOCAL_MACHINE\SOFTWARE\Datagram\SyslogAgent\ApplicationLogs]
[HKEY_LOCAL_MACHINE\SOFTWARE\Datagram\SyslogAgent\ApplicationLogs\vCAC -
Agents

Page 160 of 169
- CPI61]
"FileExtension"="log"
"Path"="C:\\Program Files (x86)\\VMware\\vCAC\\Agents\\CPI61\\logs\\"
"FileName"=""
"RotateFileName"=""
"RotatedFileName"=""
"ParseDate"=hex:00
"ParseHost"=hex:00
"ParseSeverity"=hex:01
"Unicode"=hex:00
"Severity"=dword:00000006
"ParseProcess"=hex:00
"ProcessName"="vcac"
"Facility"=dword:00000017
"IgnorePrefixLines"=hex:00
"Prefix"=""
"IgnoreFirstLines"=hex:00
"NbrIgnoreLines"=dword:00000000
Agents
- NSX]
"Path"="C:\\Program Files (x86)\\VMware\\vCAC\\Agents\\nsx\\logs\\"
"FileName"=""
"RotateFileName"=""
"ParseDate"=hex:00
"ParseHost"=hex:00
"Unicode"=hex:00
"Prefix"=""
Agents
- VC50]
"Path"="C:\\Program Files (x86)\\VMware\\vCAC\\Agents\\VC50\\logs\\"
"FileName"=""
"RotateFileName"=""
"ParseDate"=hex:00
"ParseHost"=hex:00
"Unicode"=hex:00
Page 161 of 169
"Prefix"=""
Agents
- VC51Agent]
"Path"="C:\\Program Files (x86)\\VMware\\vCAC\\Agents\\VC51Agent\\logs\\"
"FileName"=""
"RotateFileName"=""
"ParseDate"=hex:00
"ParseHost"=hex:00
"Unicode"=hex:00
"Prefix"=""
Agents
- VC51TPM]
"Path"="C:\\Program Files (x86)\\VMware\\vCAC\\Agents\\VC51TPM\\logs\\"
"FileName"=""
"RotateFileName"=""
"ParseDate"=hex:00
"ParseHost"=hex:00
"Unicode"=hex:00
"Prefix"=""
Agents
- vc51withTPM]

Page 162 of 169
"Path"="C:\\Program Files (x86)\\VMware\\vCAC\\Agents\\vc51withTPM\\logs\\"
"FileName"=""
"RotateFileName"=""
"ParseDate"=hex:00
"ParseHost"=hex:00
"Unicode"=hex:00
"Prefix"=""
Agents
- VC55Agent]
"Path"="C:\\Program Files (x86)\\VMware\\vCAC\\Agents\\VC55Agent\\logs\\"
"FileName"=""
"RotateFileName"=""
"ParseDate"=hex:00
"ParseHost"=hex:00
"Unicode"=hex:00
"Prefix"=""
Agents
- VDIAgent]
"Path"="C:\\Program Files (x86)\\VMware\\vCAC\\Agents\\VDIAgent\\logs\\"
"FileName"=""
"RotateFileName"=""
"ParseDate"=hex:00
"ParseHost"=hex:00
"Unicode"=hex:00
Page 163 of 169
"Prefix"=""
Agents
vc55u]
"Path"="C:\\Program Files (x86)\\VMware\\vCAC\\Agents\\vc55u\\logs\\"
"FileName"=""
"RotateFileName"=""
"ParseDate"=hex:00
"ParseHost"=hex:00
"Unicode"=hex:00
"Prefix"=""
API]
"Path"="C:\\Program Files (x86)\\VMware\\vCAC\\Web API\\Logs\\"
"FileName"=""
"RotateFileName"=""
"ParseDate"=hex:00
"ParseHost"=hex:00
"Unicode"=hex:00
"Prefix"=""
DEM -
DEMOR]
"Path"="C:\\Program Files (x86)\\VMware\\vCAC\\Distributed Execution
Manager\\DEMOR\\Logs\\"
"FileName"=""

Page 164 of 169
"RotateFileName"=""
"ParseDate"=hex:00
"ParseHost"=hex:00
"Unicode"=hex:00
"Prefix"=""
DEM -
DEMWR]
Manager\\DEMWR\\Logs\\"
"FileName"=""
"RotateFileName"=""
"ParseDate"=hex:00
"ParseHost"=hex:00
"Unicode"=hex:00
"Prefix"=""
DEM -
DEMWR]
Manager\\DEMWR\\Logs\\"
"FileName"=""
"RotateFileName"=""
"ParseDate"=hex:00
"ParseHost"=hex:00
"Unicode"=hex:00
"ProcessName"="Process Name"

Page 165 of 169
"Prefix"=""
Server]
"Path"="C:\\Program Files (x86)\\VMware\\vCAC\\Server\\Logs\\"
"FileName"=""
"RotateFileName"=""
"ParseDate"=hex:00
"ParseHost"=hex:00
"Unicode"=hex:00
"Prefix"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Datagram\SyslogAgent\ApplicationLogs\vCAC –
Server - ConfigTool]
"Path"="C:\\Program Files (x86)\\VMware\\vCAC\\Server\\ConfigTool\\Log\\"
"FileName"=""
"RotateFileName"=""
"ParseDate"=hex:00
"ParseHost"=hex:00
"Unicode"=hex:00
"Prefix"=""
Server - MMD]
"Path"="C:\\Program Files (x86)\\VMware\\vCAC\\Server\\Model Manager
Data\\Logs\\"
"FileName"=""
"RotateFileName"=""

Page 166 of 169
"ParseDate"=hex:00
"ParseHost"=hex:00
"Unicode"=hex:00
"Prefix"=""
Server - MMW]
"Path"="C:\\Program Files (x86)\\VMware\\vCAC\\Server\\Model Manager
Web\\Logs\\"
"FileName"=""
"RotateFileName"=""
"ParseDate"=hex:00
"ParseHost"=hex:00
"Unicode"=hex:00
"Prefix"=""
Server - Website]
"Path"="C:\\Program Files (x86)\\VMware\\vCAC\\Server\\Website\\Logs\\"
"FileName"=""
"RotateFileName"=""
"ParseDate"=hex:00
"ParseHost"=hex:00
"Unicode"=hex:00
"Prefix"=""

Page 167 of 169
9.3 SSO Identity Virtual Appliance

The SSO Identity Virtual Appliance is an Apache Tomcat server that hosts the authentication services.
9.3.1 Log Files

The following log files should be monitored on the SSO Virtual Appliance:
 /var/log/vmware/sso/catalina.out
 /var/log/vmware/sso/ssoAdminServer.log
 /var/log/vmware/sso/vmware-identity-sts-perf.log
 /var/log/vmware/sso/vmware-identity-sts.log
 /var/log/vmware/sso/vmware-sts-idmd-perf.log
 /var/log/vmware/sso/vmware-sts-idmd.err
 /var/log/vmware/sso/vmware-sts-idmd.log
 /var/log/vmware/vmafd/vmafdd.log
 /var/log/vmware/vmdir/vdcsetupldu.log
 /var/log/vmware/vmdir/vmafdvmdirclient.log
 /var/log/vmware/vmkdc/vmkdcd.log

The SSO Virtual Appliance can be easily configured to forward its logs to vRealize Log Insight by
modifying the syslog-ng.conf configuration file located in /etc/syslog-ng/. You must also replace
the <LogInsight> string with the Log Insight host IP address or FQDN. You must restart the agent
after you update the configuration file per the comments provided.
# SSO log files
# Add to: /etc/syslog-ng/syslog-ng.conf
# Replace with Log Insight FQDN
# Run: /etc/init.d/syslog restart
#
source sso {
file("/var/log/vmware/sso/catalina.out" follow_freq(1) log_prefix("sso: ")
flags(no-parse));
file("/var/log/vmware/sso/ssoAdminServer.log" follow_freq(1)
log_prefix("sso:
") flags(no-parse));
file("/var/log/vmware/sso/vmware-identity-sts-perf.log" follow_freq(1)
log_prefix("sso: ") flags(no-parse));
file("/var/log/vmware/sso/vmware-identity-sts.log" follow_freq(1)
file("/var/log/vmware/sso/vmware-sts-idmd-perf.log" follow_freq(1)
file("/var/log/vmware/sso/vmware-sts-idmd.err" follow_freq(1)
log_prefix("sso:

Page 168 of 169
file("/var/log/vmware/sso/vmware-sts-idmd.log" follow_freq(1)
log_prefix("sso:
file("/var/log/vmware/vmafd/vmafdd.log" follow_freq(1) log_prefix("sso: ")
flags(no-parse));
file("/var/log/vmware/vmdir/vdcsetupldu.log" follow_freq(1)
log_prefix("sso: ")
flags(no-parse));
file("/var/log/vmware/vmdir/vmafdvmdirclient.log" follow_freq(1)
file("/var/log/vmware/vmkdc/vmkdcd.log" follow_freq(1) log_prefix("sso: ")
flags(no-parse));
};
destination logserver { tcp("<Log Insight>" port (514)); };
log { source(sso); destination(logserver); };
log { source(src); destination(logserver); };

Page 169 of 169

E07 Infrastructure Service Installation and Configuration Proceedures

Uploaded by

Copyright:

Available Formats

You might also like

E07 Infrastructure Service Installation and Configuration Proceedures

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

E07 Infrastructure Service Installation and Configuration Proceedures

Uploaded by

Copyright:

Available Formats

VMware Software-Defined Data Center Services

VMware and Customer Confidential

Date Version Author Description Reviewers

© 2015 VMware, Inc. All rights reserved.

1. Purpose and Assumptions ............................................................... 5

3. Non-Distributed Installation (No High Availability) .......................... 29

4. Distributed Installation with High Availability................................... 43

5. General Configuration Tasks........................................................ 124

6. Embedded vRealize Orchestrator ................................................ 130

7. Guest Agent Installation ............................................................... 151

8. vRealize Log Insight Content Pack .............................................. 153

9. Configuring vRealize Automation to Forward Log Events ............ 158

© 2015 VMware, Inc. All rights reserved.

© 2015 VMware, Inc. All rights reserved.

1. Purpose and Assumptions

VMware Product Version Number Build Number

VMware Identity Appliance 2.2.0.0 2300183

VMware vRealize Automation Appliance 6.2.0.0 2330392

VMware vRealize Automation IaaS components 6.2.0.9574

VMware vRealize Orchestrator appliance 6.0.1.0 1617225

Linux Guest Agent for vRealize Automation gugent-6.0.0-2025

© 2015 VMware, Inc. All rights reserved.

2. Common Configuration Elements

2.1 Deploying the Identity Appliance

1. In the VMware vSphere® Web Client, select

2. In the Select source dialog box, click

3. In the Review details dialog box, review

4. In the Accept EULAs dialog box, accept

© 2015 VMware, Inc. All rights reserved.

Task Task Description Screenshot

5. In the Select name and folder dialog box,

6. In the Select a resource dialog box, select

7. In the Select storage dialog box, select the

8. In the Setup networks dialog box, select

© 2015 VMware, Inc. All rights reserved.

Task Task Description Screenshot

9. In the Customize template dialog box,

10. In the Ready to Complete dialog box,

© 2015 VMware, Inc. All rights reserved.

2.2 Deploying the vRealize Automation Appliance

1. In the vSphere Web Client, select Actions

2. In the Select source dialog box, click

3. In the Review details dialog box, review

4. Click Accept in the Accept EULAs dialog

© 2015 VMware, Inc. All rights reserved.

Task Task Description Screenshot

5. In the Select name and folder dialog box,

6. In the Select a resource dialog box, select

7. In the Select storage dialog box, select a

8. In the Setup networks dialog box, select

© 2015 VMware, Inc. All rights reserved.

Task Task Description Screenshot

9. In the Customize template dialog box,

10. In the Ready to Complete dialog box,

© 2015 VMware, Inc. All rights reserved.

2.3 vRealize Automation Infrastructure Services Component

1. If a virtual machine is used (instead of a

2. To verify or enable time sync from within

© 2015 VMware, Inc. All rights reserved.