Installation and Configuration - vCloud Automation Center 6.1


This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see http://www.vmware.com/support/pubs.

EN-001442-02


You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/ The VMware Web site also provides the latest product updates. If you have comments about this documentation, submit your feedback to: [email protected]

Copyright © 2008–2014 VMware, Inc. All rights reserved. Copyright and trademark information.

VMware, Inc. 3401 Hillview Ave. Palo Alto, CA 94304 www.vmware.com


Contents

vCloud Automation Center Installation and Configuration 5
Updated Information 7
1 vCloud Automation Center Installation Overview 9
  vCloud Automation Center Installation Components 9
  Choosing Your Deployment Path 12
2 Preparing for Installation 17
  DNS and Host Name Resolution 17
  Hardware and Virtual Machine Requirements 17
  Browser Considerations 18
  PostgreSQL

path="{ProgramFiles}\Microsoft System Center 2012\Virtual Machine Manager\bin" /> [...]

Procedure

1 Stop the DEM Worker.
2 Determine the installation path.
3 Update the DynamicOps.DEM.exe.config file.
4 Restart the DEM Worker.

The default DEM Worker path is updated to the new folder.

Perform Virtual Provisioning on SCVMM

When setting up a virtual machine template in SCVMM, a system administrator can add a Guest OS Profile directly to a Windows template by using SCVMM Console.

Prerequisites

Some restrictions apply to SCVMM template and hardware profile names. Specifically, these names cannot start with the following words.

• TemporaryTemplate
• Temporary Template
• TemporaryProfile
• Temporary Profile
• Profile

Because of naming conventions that SCVMM and VMware use for temporary templates and hardware profiles, these words are ignored during store="https://vcac.example.com/" />

10 Add the user="sqlUser" password="sqlPassword" store="https://vcac.example.com/" />
11 Save and close the file.
12 Start the vCloud Automation Center Service.

SQL Server authentication is now in use at run time.

What to do next

Restart Internet Information Services (IIS).


7 Configuring Additional Tenants

You create the default tenant when you install vCloud Automation Center, but you can create additional tenants to represent business units in an enterprise or companies that subscribe to cloud services from a service provider.

This chapter includes the following topics:

• “Tenancy Overview,” on page 111
• “Create and Configure a Tenant,” on page 115

Tenancy Overview

A tenant is an organizational unit in a vCloud Automation Center deployment. A tenant can represent a business unit in an enterprise or a company that subscribes to cloud services from a service provider. Each tenant has its own dedicated configuration. Some system-level configuration is shared across tenants.

Table 7‑1. Tenant Configuration

Login URL
  Each tenant has a unique URL to the vCloud Automation Center console.
  • The default tenant URL is in the following format: https://hostname/vcac
  • The URL for additional tenants is in the following format: https://hostname/vcac/org/tenantURL

Identity stores
  Each tenant requires access to one or more directory services, such as OpenLDAP or Microsoft Active Directory servers, that are configured to authenticate users. You can use the same directory service for more than one tenant, but you must configure it separately for each tenant.

Branding
  A tenant administrator can configure the branding of the vCloud Automation Center console including the logo, background color, and information in the header and footer. System administrators control the default branding for all tenants.

Notification providers
  System administrators can configure global email servers that process email notifications. Tenant administrators can override the system default servers, or add their own servers if no global servers are specified.

Business policies
  Administrators in each tenant can configure business policies such as approval workflows and entitlements. Business policies are always specific to a tenant.


Service catalog offerings
  Service architects can create and publish catalog items to the service catalog and assign them to service categories. Services and catalog items are always specific to a tenant.

Infrastructure resources
  The underlying infrastructure fabric resources, for example, vCenter servers, Amazon AWS accounts, or Cisco UCS pools, are shared among all tenants. For each infrastructure source that vCloud Automation Center manages, a portion of its compute resources can be reserved for users in a specific tenant to use.

About the Default Tenant

When the system administrator configures single sign-on during the installation of vCloud Automation Center, a default tenant is created with the built-in system administrator account to log in to the vCloud Automation Center console. The system administrator can then configure the default tenant and create additional tenants. The default tenant supports all of the functions described in Tenant Configuration. In the default tenant, the system administrator can also manage system-wide configuration, including global system defaults for branding and notifications, and monitor system logs. The default tenant is the only tenant that supports native Active Directory authentication. All other tenants must use Active Directory over OpenLDAP.

User and Group Management

All user authentication is handled through single sign-on. Each tenant has one or more identity stores, such as Active Directory servers, that provide authentication. The system administrator performs the initial configuration of single sign-on and basic tenant setup, including designating at least one identity store and a tenant administrator for each tenant. Thereafter, a tenant administrator can configure additional identity stores and assign roles to users or groups from the identity stores. Tenant administrators can also create custom groups within their own tenant and add users and groups defined in the identity store to custom groups. Custom groups, like identity store groups and users, can be assigned roles or designated as the approvers in an approval policy. Tenant administrators can also create business groups within their tenant. A business group is a set of users, often corresponding to a line of business, department or other organizational unit, that can be associated with a set of catalog services and infrastructure resources. Users, identity store groups, and custom groups can be added to business groups.

Comparison of Single-Tenant and Multitenant Deployments

vCloud Automation Center supports deployments with either a single tenant or multiple tenants. The configuration can vary depending on how many tenants are in your deployment. System-wide configuration is always performed in the default tenant and can apply to one or more tenants. For example, system-wide configuration might specify defaults for branding and notification providers. Infrastructure configuration, including the infrastructure sources that are available for provisioning, can be configured in any tenant and is shared among all tenants. The infrastructure resources, such as cloud or virtual compute resources or physical machines, can be divided into fabric groups managed by fabric administrators. The resources in each fabric group can be allocated to business groups in each tenant by using reservations.


Single-Tenant Deployment

In a single-tenant deployment, all configuration can occur in the default tenant. Tenant administrators can manage users and groups, configure tenant-specific branding, notifications, business policies, and catalog offerings. All users log in to the vCloud Automation Center console at the same URL, but the features available to them are determined by their roles.

Figure 7‑1. Single-Tenant Example

[Figure: one default tenant at http://vcac.mycompany.com/shell-ui-app/ holds both the tenant configuration (tenant admin, business group managers and business groups; user management, tenant branding, tenant notification providers, approval policies, catalog management) and the system and infrastructure configuration (system admin: tenant creation, system branding, system notification providers, event logs; IaaS admin and fabric admins, whose fabric groups carve reservations out of the infrastructure fabric of hypervisors, public clouds and physical servers).]

NOTE In a single-tenant scenario, it is common for the system administrator and tenant administrator roles to be assigned to the same person, but two distinct accounts exist. The system administrator account is always [email protected]. The tenant administrator must be a user in one of the tenant identity stores, such as [email protected].

Multitenant Deployment

In a multitenant environment, the system administrator creates tenants for each organization that uses the same vCloud Automation Center instance. Tenant users log in to the vCloud Automation Center console at a URL specific to their tenant. Tenant-level configuration is segregated from other tenants and from the default tenant. Users with system-wide roles can view and manage configuration across multiple tenants. There are two main scenarios for configuring a multi-tenant deployment.


Table 7‑2. Multitenant Deployment Examples

Manage infrastructure configuration only in the default tenant
  In this example, all infrastructure is centrally managed by IaaS administrators and fabric administrators in the default tenant. The shared infrastructure resources are assigned to the users in each tenant by using reservations.

Manage infrastructure configuration in each tenant
  In this scenario, each tenant manages its own infrastructure and has its own IaaS administrators and fabric administrators. Each tenant can provide its own infrastructure sources or can share a common infrastructure. Fabric administrators manage reservations only for the users in their own tenant.

The following diagram shows a multitenant deployment with centrally managed infrastructure. The IaaS administrator in the default tenant configures all infrastructure sources that are available for all tenants. The IaaS administrator can organize the infrastructure into fabric groups according to type and intended purpose. For example, a fabric group might contain all virtual resources, or all Tier One resources. The fabric administrator for each group can allocate resources from their fabric groups. Although the fabric administrators exist only in the default tenant, they can assign resources to business groups in any tenant.

NOTE Some infrastructure tasks, such as importing virtual machines, can only be performed by a user with both the fabric administrator and business group manager roles. These tasks might not be available in a multitenant deployment with centrally managed infrastructure.

Figure 7‑2. Multitenant Example with Infrastructure Configuration Only in Default Tenant

[Figure: Tenants A, B and C, each reached at its own URL (http://vcac.mycompany.com/shell-ui-app/org/tenanta/, .../org/tenantb/, .../org/tenantc/) and each with a tenant admin, business group managers and business groups. The default tenant at http://vcac.mycompany.com/shell-ui-app/ holds the system and infrastructure configuration: the system admin, the IaaS admin, and the fabric admins whose fabric groups carve reservations out of the infrastructure fabric (hypervisors, physical servers, public clouds) for the business groups in every tenant.]

The following diagram shows a multitenant deployment where each tenant manages their own infrastructure. The system administrator is the only user who logs in to the default tenant to manage system-wide configuration and create tenants.


Each tenant has an IaaS administrator, who can create fabric groups and appoint fabric administrators within their respective tenants. Although fabric administrators can create reservations for business groups in any tenant, in this example they typically create and manage reservations in their own tenants. If the same identity store is configured in multiple tenants, the same users can be designated as IaaS administrators or fabric administrators in each tenant.

Figure 7‑3. Multitenant Example with Infrastructure Configuration in Each Tenant

[Figure: Tenants A, B and C at http://vcac.mycompany.com/shell-ui-app/org/tenanta/, .../org/tenantb/ and .../org/tenantc/, each with its own tenant admin, IaaS admin, fabric admin, fabric group, business group managers, business groups and reservations over its own part of the infrastructure fabric (hypervisors, public clouds, physical servers). The default tenant at http://vcac.mycompany.com/shell-ui-app/ holds only the system configuration and the system admin.]

Create and Configure a Tenant

System administrators create tenants and specify basic configuration such as name, login URL, identity stores, and administrators.

Prerequisites

Log in to the vCloud Automation Center console as a system administrator.

Procedure

1 Specify Tenant Information on page 116
  The first step to configuring a tenant is to add the new tenant to vCloud Automation Center and create the tenant-specific access URL.
2 Configure Identity Stores on page 116
  Each tenant must be associated with at least one identity store. Identity stores can be OpenLDAP or Active Directory. Use of Native Active Directory is also supported for the default tenant.
3 Appoint Administrators on page 117
  You can appoint one or more tenant administrators and IaaS administrators from the identity stores you configured for a tenant.


Specify Tenant Information

The first step to configuring a tenant is to add the new tenant to vCloud Automation Center and create the tenant-specific access URL.

Prerequisites

Log in to the vCloud Automation Center console as a system administrator.

Procedure

1 Select Administration > Tenants.
2 Click the Add icon.
3 Enter a name in the Name text box.
4 (Optional) Enter a description in the Description text box.
5 Type a unique identifier for the tenant in the URL Name text box. This URL token is used to create tenant-specific URLs to access vCloud Automation Center.
6 (Optional) Type an email address in the Contact Email text box.
7 Click Submit and Next.

Your new tenant is saved and you are automatically directed to the Identity Stores tab for the next step in the process.

Configure Identity Stores

Each tenant must be associated with at least one identity store. Identity stores can be OpenLDAP or Active Directory. Use of Native Active Directory is also supported for the default tenant.

Prerequisites

“Specify Tenant Information,” on page 116.

Procedure

1 Click the Add icon.
2 Enter a name in the Name text box.
3 Select the type of identity store from the Type drop-down menu.
4 Type the URL for the identity store in the URL text box. For example, ldap://ldap.mycompany.com:389.
5 Type the domain for the identity store in the Domain text box.
6 (Optional) Type the domain alias in the Domain Alias text box. The alias allows users to log in by using userid@domain-alias rather than userid@identity-store-domain as a user name.
7 Type the Distinguished Name for the login user in the Login User DN text box. Use the display format of the user name, which can include spaces and is not required to be identical to the user ID. For example, cn=Demo Admin,ou=demo,dc=dev,dc=mycompany,dc=com.


8 Type the password for the identity store login user in the Password text box.
9 Type the group search base Distinguished Name in the Group Search Base DN text box. For example, ou=demo,dc=dev,dc=mycompany,dc=com.
10 (Optional) Type the user search base Distinguished Name in the User Search Base DN text box. For example, ou=demo,dc=dev,dc=mycompany,dc=com.
11 Click Test Connection. Check that the connection is working.
12 Click Add.
13 (Optional) Repeat Step 1 to Step 12 to configure additional identity stores.
14 Click Next.

Your new identity store is saved and associated with the tenant. You are directed to the Administrators tab for the next step in the process.

Appoint Administrators

You can appoint one or more tenant administrators and IaaS administrators from the identity stores you configured for a tenant. Tenant administrators are responsible for configuring tenant-specific branding, as well as managing identity stores, users, groups, entitlements, and shared blueprints within the context of their tenant. IaaS Administrators are responsible for configuring infrastructure source endpoints in IaaS, appointing fabric administrators, and monitoring IaaS logs.

Prerequisites

• “Configure Identity Stores,” on page 116.
• Before you appoint IaaS administrators, you must install IaaS. For more information about installation, see Installation and Configuration.

Procedure

1 Type the name of a user or group in the Tenant Administrators search box and press Enter. Repeat this step to appoint additional tenant administrators.
2 Type the name of a user or group in the Infrastructure Administrators search box and press Enter. Repeat this step to appoint additional IaaS administrators.
3 Click Update.


8 Updating Certificates

A system administrator can update certificates for the Identity Appliance, the vCloud Automation Center Appliance, and IaaS components. Typically, an update is performed when switching from self-signed certificates to certificates provided by a certificate authority chosen by the system administrator. When you update a certificate for a vCloud Automation Center component, components that have a dependency on this certificate are affected. You must register the new certificate with these components to ensure certificate trust. You must update all components of the same type in a distributed system. For example, if you update a certificate for one vCloud Automation Center Appliance in a distributed environment, you must update all instances of vCloud Automation Center Appliance for that installation. Certificates for the Identity Appliance management site and vCloud Automation Center Appliance management site do not have registration requirements.

Update components in the following order:

1 Identity Appliance
2 vCloud Automation Center Appliance
3 IaaS components

With one exception, changes to later components do not affect earlier ones. For example, if you import a new certificate to a vCloud Automation Center Appliance, you must register this change with the IaaS server, but not with the Identity Appliance. The exception is that an updated certificate for IaaS components must be registered with vCloud Automation Center Appliance. The following table shows registration requirements when you update a certificate.

Table 8‑1. Registration Requirements

Updated Certificate                   Register new certificate with Identity Appliance   Register new certificate with vCloud Automation Center Appliance   Register new certificate with IaaS
Identity Appliance                    Not applicable                                     Yes                                                                Done automatically
vCloud Automation Center Appliance    No                                                 Not applicable                                                     Yes
IaaS                                  No                                                 Yes                                                                Not applicable

NOTE If your certificate uses a passphrase for encryption and you do not enter it when you replace your certificate on the virtual appliance, the Unable to load private key message appears. Verify that you have supplied the correct passphrase.


Updating Certificates When a Host Name is Changed

When a vCloud Automation Center Appliance host name is changed, you must update the Identity Appliance with the vCloud Automation Center Appliance certificate. For more information, see “Update the Identity Appliance with the vCloud Automation Center Appliance Certificate,” on page 124.

This chapter includes the following topics:

• “Extracting Certificates and Private Keys,” on page 120
• “Updating the Identity Appliance Certificate,” on page 120
• “Updating the vCloud Automation Center Appliance Certificate,” on page 123
• “Updating the IaaS Certificate,” on page 126
• “Update the Certificate of the Identity Appliance Management Site,” on page 128
• “Update the Certificate of the vCloud Automation Center Appliance Management Site,” on page 128

Extracting Certificates and Private Keys

Certificates that you use with the virtual appliances must be in the PEM file format. The examples in the following table use GNU openssl commands to extract the certificate information you need to configure the virtual appliances.

Table 8‑2. Sample Certificate Values and Commands (openssl)

Certificate Authority Provides: RSA Private Key
  Command: openssl pkcs12 -in path_to_.pfx_certificate_file -nocerts -out key.pem
  Virtual Appliance Entry: RSA Private Key

Certificate Authority Provides: PEM File
  Command: openssl pkcs12 -in path_to_.pfx_certificate_file -clcerts -nokeys -out cert.pem
  Virtual Appliance Entry: Certificate Chain

Certificate Authority Provides: (Optional) Pass Phrase
  Command: n/a
  Virtual Appliance Entry: Pass Phrase

Updating the Identity Appliance Certificate

The system administrator can replace a self-signed certificate with another self-signed certificate or a domain certificate after the installation is complete.

1 Replace a Certificate in the Identity Appliance on page 121
  The system administrator can replace a self-signed certificate with one from a certificate authority. The same certificate can be used on multiple machines.
2 Update the vCloud Automation Center Appliance with the Identity Appliance Certificate on page 122
  After the Identity Appliance certificate is updated, the system administrator updates the vCloud Automation Center Appliance with the new certificate information. This process reestablishes trusted communications between the virtual appliances.
3 Update the IaaS Servers with the Certificate for the Single Sign-On Server on page 122
  After the certificate for the single sign-on server is updated, the system administrator updates the IaaS component registry on all IaaS component machines with the new virtual appliance certificate information. This process reestablishes trusted communications between the virtual appliance and IaaS components.


Replace a Certificate in the Identity Appliance

The system administrator can replace a self-signed certificate with one from a certificate authority. The same certificate can be used on multiple machines. The labels for the private key and certificate chain headers and footers depend on the certificate authority in use. Information here is based on headers and footers for a certificate generated by openssl.

Procedure

1 Navigate to the Identity Appliance management console by using its fully qualified domain name, https://identity-hostname.domain.name:5480/.
2 Log in with user name root and the password you specified when deploying the Identity Appliance.
3 Click the SSO tab.
4 Click SSL.
5 Select the certificate type from the Choose Action menu. If you are using a PEM encoded certificate, for example for a distributed environment, select Import PEM encoded certificate. Certificates that you import must be trusted and must also be applicable to all instances of vCloud Automation Center Appliance and any load balancer by using Subject Alternative Name (SAN) certificates.

  Import a certificate
    a Copy the certificate values from BEGIN PRIVATE KEY to END PRIVATE KEY, including the header and footer, and paste them in the RSA Private Key text box.
    b Copy the certificate values from BEGIN CERTIFICATE to END CERTIFICATE, including the header and footer, and paste them in the Certificate Chain text box.
    c (Optional) If your certificate has one, copy the pass phrase that encrypts the private key of the certificate that you are importing, and paste it in the Pass Phrase text box.

  Generate a self-signed certificate
    a Type a common name for the certificate in the Common Name text box. You can use the fully qualified domain name of the virtual appliance (hostname.domain.name) or a wild card, such as *.mycompany.com. If you use a load balancer, you need to specify the FQDN of the load balancer or a wildcard that matches the name of the load balancer. Do not accept a default value if one is shown, unless it matches the host name of the virtual appliance.
    b Type your organization name, such as your company name, in the Organization text box.
    c Type your organizational unit, such as your department name or location, in the Organizational Unit text box.
    d Type a two-letter ISO 3166 country code, such as US, in the Country text box.

6 Click Replace Certificate, even if you are generating a new certificate. After a few minutes the certificate details appear on the page. If you are using a load balancer, the certificate is for the load balancer.

The certificate is updated.
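As an added example (not part of the VMware guide), the following Python script does the cutting described in step 5a to 5c and in Table 8‑2: it splits an openssl-style PEM bundle into the block to paste into the RSA Private Key text box and the block(s) for the Certificate Chain text box, rejects a block whose body was damaged in copy and paste, and flags an encrypted key so you know the Pass Phrase text box is required (the case the "Unable to load private key" note describes). The sample bundle is constructed dummy base64, not a real key or certificate.

```python
import re
from dataclasses import dataclass, field
from typing import List

# One PEM block: header, body and a footer whose label matches the header.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL,
)

# Labels openssl uses for private keys; a bundle for the appliance should hold exactly one.
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}


@dataclass
class ApplianceCertEntries:
    """The values the Identity Appliance SSL page asks for."""
    rsa_private_key: str = ""          # paste into the RSA Private Key text box
    certificate_chain: str = ""        # paste into the Certificate Chain text box
    key_is_encrypted: bool = False     # True: the Pass Phrase text box is required
    problems: List[str] = field(default_factory=list)


def _body_is_base64(body: str) -> bool:
    """Reject a block whose body picked up stray text or spaces when it was copied."""
    body = body.replace("\r\n", "\n")
    # Legacy openssl encrypted keys put Proc-Type/DEK-Info lines before a blank line.
    if "\n\n" in body:
        body = body.split("\n\n", 1)[1]
    return re.fullmatch(r"[A-Za-z0-9+/=\n]*", body) is not None


def split_pem_bundle(pem_text: str) -> ApplianceCertEntries:
    """Cut a PEM file (as produced by the openssl pkcs12 commands) into appliance entries."""
    entries = ApplianceCertEntries()
    keys: List[str] = []
    certs: List[str] = []
    for match in PEM_BLOCK.finditer(pem_text):
        label, body, block = match.group("label"), match.group("body"), match.group(0)
        if not _body_is_base64(body):
            entries.problems.append(f"{label} block body is not base64; copy the block again")
            continue
        if label in KEY_LABELS:
            keys.append(block)
            # PKCS#8 encrypted keys carry their own label; legacy keys flag it in Proc-Type.
            if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
                entries.key_is_encrypted = True
        elif label == "CERTIFICATE":
            certs.append(block)
        else:
            entries.problems.append(f"ignored unexpected PEM block: {label}")
    if len(keys) != 1:
        entries.problems.append(f"expected exactly one private key block, found {len(keys)}")
    if not certs:
        entries.problems.append("no CERTIFICATE block found")
    entries.rsa_private_key = keys[0] if len(keys) == 1 else ""
    entries.certificate_chain = "\n".join(certs)
    return entries


# Constructed sample: an openssl-style bundle with "Bag Attributes" noise, an encrypted
# PKCS#8 key and a two-certificate chain. The base64 is dummy filler, not a real key.
SAMPLE_BUNDLE = """\
Bag Attributes
    localKeyID: 01 02 03
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIIBvTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQIq8xm3Nw2xhICAggA
MAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBD5e6vQ7NfdPAFZcA7ZsFuMAAAA
-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
    friendlyName: vcac-va
-----BEGIN CERTIFICATE-----
MIIC3DCCAcSgAwIBAgIJAKP7bXJqgJX2MA0GCSqGSIb3DQEBCwUAMBoxGDAWBgNV
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDQTCCAimgAwIBAgIUAbCdEfGhIjKlMnOpQrStUvWxYz0wDQYJKoZIhvcNAQEL
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    result = split_pem_bundle(SAMPLE_BUNDLE)
    print("RSA Private Key box:\n" + result.rsa_private_key)
    print("Certificate Chain box:\n" + result.certificate_chain)
    print("Pass Phrase required:", result.key_is_encrypted)
    print("Problems:", result.problems or "none")
```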


Update the vCloud Automation Center Appliance with the Identity Appliance Certificate

After the Identity Appliance certificate is updated, the system administrator updates the vCloud Automation Center Appliance with the new certificate information. This process reestablishes trusted communications between the virtual appliances.

Use the import-certificate command to import the SSL certificate from the Identity Appliance into the SSL keystore used by the vCloud Automation Center Appliance. The alias value specifies the alias under which the imported certificate is stored in the keystore, and url is the address of the SSL endpoint.

Prerequisites

“Replace a Certificate in the Identity Appliance,” on page 121.

Procedure

1 Start PuTTY or another SSH remote login tool.
2 Log in to the vCloud Automation Center Appliance with user name root and the password you specified when deploying the appliance.
3 Execute the import-certificate command:
  /usr/sbin/vcac-config import-certificate --alias websso --url https://identity-hostname.domain.name:7444
  For example:
  /usr/sbin/vcac-config import-certificate --alias websso --url https://identityvm76-115.eng.mycompany.com:7444
4 Restart the vCloud Automation Center Appliance.
5 Navigate to the vCloud Automation Center Appliance management console by using its fully qualified domain name, https://vcac-va-hostname.domain.name:5480/.
6 Select System > Reboot.
7 Click Services. The following services must be running to log in to the console. They usually start in about 10 minutes.
  • authorization
  • authentication
  • eventlog-service
  • shell-ui-app
  • branding-service
  • plugin-service

The certificate is updated on the vCloud Automation Center Appliance.

Update the IaaS Servers with the Certificate for the Single Sign-On Server

After the certificate for the single sign-on server is updated, the system administrator updates the IaaS component registry on all IaaS component machines with the new virtual appliance certificate information. This process reestablishes trusted communications between the virtual appliance and IaaS components. Run this procedure once from the Model Manager value=" https://[IaaS address]:443/repository/" />

2 Browse to the address with Internet Explorer.
3 Continue through any error messages about certificate trust issues.
4 Obtain a security report from Internet Explorer and use it to troubleshoot why this certificate is not trusted.

If problems persist, repeat the procedure by browsing with the address that needs to be registered, the Endpoint address that you used to register with vcac-config.exe.

Cannot Log in to a Tenant or Tenant Identity Stores Disappear

Ninety days after deployment, you cannot log in to a tenant or the identity store for a tenant disappears.

Problem

• When you log in to a tenant, you see a blank page displayed with a Submit button in the upper left-hand corner.
• You receive a System Exception error when accessing the tenant ID store configuration page.
• The ID store configuration disappears.
• You cannot log in to a tenant by using an LDAP account.
• The catalina.out log located in /var/log/vmware/vcac/ shows an error similar to the following:

  12:40:49,190 [tomcat-http--34] [authentication] INFO com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl$RequestResponseProcessor.handleFaultCondition:922 - Failed trying to retrieve token: ns0:RequestFailed: Error occurred looking for solution user :: Insufficient access
  YYYY-03-18 12:40:49,201 [tomcat-http--34] [authentication] ERROR com.vmware.vcac.platform.service.rest.resolver.ApplicationExceptionHandler.handleUnexpectedException:820 - Failed trying to retrieve token: ns0:RequestFailed: Error occurred looking for solution user :: Insufficient access
  com.vmware.vim.sso.client.exception.InternalError: Failed trying to retrieve token: ns0:RequestFailed: Error occurred looking for solution user :: Insufficient access

• The Identity Appliance messages log located in /var/log/ shows an error message similar to the following:

  T16:50:18-05:00 lsassd[2913]: GSSAPI Error: The referenced context has expired (Unknown error)
  T08:34:41-06:00 vmdird: t@139870073485056: Lockout policy check - password expired. (cn=tenantadmin,cn=users,dc=tenant)
  T11:58:03-06:00 lsassd[2943]: GSSAPI Error: The referenced context has expired (Unknown error)....
  Account "cn=tenantadmin,cn=users,dc=qic" password expired and caused login/bind from IDM to fail.
  YYYY-03-18T11:38:46-06:00 denqca3vcacid01 vmdird: t@140689332778752: LoginBlocked DN (cn=tenantadmin,cn=users,dc=tenant), error (9239)(Account access blocked)

Cause

The SSO internal tenant administrator password expires after 90 days by default. This issue is internal to vCloud Automation Center and does not affect external identity stores such as OpenLDAP or Active Directory. It is a known issue that the vCloud Automation Center user interface does not provide notification that the tenant administrator password is expiring. The workaround for this issue is to disable password expiration for the tenant administrator account. For step-by-step instructions to solve this issue, see the VMware knowledge base article at http://kb.vmware.com/kb/2075011.
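As an added example that is not part of the VMware guide, the following Python script turns the symptoms above into a check you can run over catalina.out and the Identity Appliance messages log: it matches the "Insufficient access" token failure and the vmdird password-expired and LoginBlocked lines, extracts the tenant from the affected DN, and reports which tenants need the KB 2075011 workaround before the 90-day expiry locks users out. The sample lines are constructed from the excerpts above; the host name, timestamps and thread ids in them are placeholders.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Signatures taken from the symptoms listed in this troubleshooting topic.
SIGNATURES = {
    # catalina.out: SSO cannot look up the tenant's solution user
    "sso_token_failure": re.compile(
        r"Failed trying to retrieve token: .*Insufficient access"),
    # Identity Appliance messages log: vmdird reports the expired password
    "password_expired": re.compile(
        r"vmdird: .*password expired\. \((?P<dn>cn=[^)]+)\)"),
    # vmdird then blocks the account outright
    "login_blocked": re.compile(
        r"vmdird: .*LoginBlocked DN \((?P<dn>cn=[^)]+)\), error \((?P<code>\d+)\)"),
}

# Internal SSO accounts look like cn=<user>,cn=users,dc=<tenant>
TENANT_DN = re.compile(r"cn=(?P<user>[^,]+),cn=users,dc=(?P<tenant>[^,)]+)")


@dataclass
class Finding:
    kind: str
    dn: Optional[str]
    tenant: Optional[str]
    line: str


def scan_logs(lines: List[str]) -> List[Finding]:
    """Return one Finding per log line that matches a known signature."""
    findings: List[Finding] = []
    for line in lines:
        for kind, pattern in SIGNATURES.items():
            match = pattern.search(line)
            if not match:
                continue
            dn = match.groupdict().get("dn")
            tenant = None
            if dn:
                dn_match = TENANT_DN.search(dn)
                tenant = dn_match.group("tenant") if dn_match else None
            findings.append(Finding(kind, dn, tenant, line.strip()))
            break  # one signature per line is enough
    return findings


def diagnose(findings: List[Finding]) -> Dict[str, object]:
    """Name the tenants whose internal administrator is expired or blocked.

    vmdird lines carry the DN and therefore the tenant; catalina.out token
    failures corroborate the problem but do not say which tenant it is.
    """
    affected: Dict[str, Set[str]] = defaultdict(set)
    for f in findings:
        if f.tenant:
            affected[f.tenant].add(f.kind)
    token_failures = sum(1 for f in findings if f.kind == "sso_token_failure")
    return {"affected_tenants": dict(affected), "token_failures": token_failures}


# Constructed sample lines, modelled on the excerpts in this topic
# (timestamps, host name and thread ids are placeholders).
SAMPLE_LINES = [
    "YYYY-03-18 12:40:49,201 [tomcat-http--34] [authentication] ERROR "
    "com.vmware.vcac.platform.service.rest.resolver.ApplicationExceptionHandler"
    ".handleUnexpectedException:820 - Failed trying to retrieve token: "
    "ns0:RequestFailed: Error occurred looking for solution user :: Insufficient access",
    "YYYY-03-18T08:34:41-06:00 vcacid01 vmdird: t@139870073485056: "
    "Lockout policy check - password expired. (cn=tenantadmin,cn=users,dc=tenant)",
    "YYYY-03-18T11:38:46-06:00 vcacid01 vmdird: t@140689332778752: "
    "LoginBlocked DN (cn=tenantadmin,cn=users,dc=tenant), error (9239)(Account access blocked)",
    "YYYY-03-18T16:50:18-05:00 vcacid01 lsassd[2913]: GSSAPI Error: "
    "The referenced context has expired (Unknown error)",
    "YYYY-03-18 12:41:02,001 [tomcat-http--35] [authentication] INFO "
    "com.vmware.example.Unrelated - routine message",
]

if __name__ == "__main__":
    report = diagnose(scan_logs(SAMPLE_LINES))
    for tenant, kinds in report["affected_tenants"].items():
        print(f"tenant '{tenant}': internal administrator {', '.join(sorted(kinds))}; "
              "apply the KB 2075011 workaround (disable expiration for its tenantadmin)")
    print("corroborating SSO token failures:", report["token_failures"])
```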


Index

A account settings, specifying 39 agents choosing the installation scenario 86 configuring Hyper-V 93 configuring XenServer 93 configuring vSphere agents 90 enabling remote WMI requests 102 EPI Powershell 11 Hyper-V 91, 92 installation location and requirements 87 installing 85 installing WMI 102 installing XenDesktop 96 installing Citrix agents 98 installing EPI agent for Citrix 97 installing for Visual Basic scripting 100 installing the EPI agent for VB scripting 99 installing vSphere agents 89 integration agents 11 VDI PowerShell 11 Visual Basic scriptiong requirements 100 WMI agents 11 XenServer 91, 92 appliances, configuring additional 63

C
certificate name mismatch 133
certificates
  component registry 122, 125, 127
  IaaS certificate 126
  trust relationships 45
  updating 119
  updating Appliance certificate after renaming a vCloud Automation Center Appliance host 124
  updating the Identity Appliance certificate 121, 122
  updating the vCloud Automation Center Appliance certificate 123
  updating the vCloud Automation Center Identity appliance 120
change the management site SSL certificate 128
Citrix, installing the EPI agent 97
Citrix agents, installing 98


clusters, joining 63
component registry, updating 122, 125, 127
configuring tenants 111

D
database
  configuring standalone PostgreSQL 54, 55
  creating by using the wizard 70
  preparing IaaS database 67
DEM
  about installing 81
  installing 81
DEM Worker, connecting to SCVMM 82
DEMs
  Amazon Web Services EC2 requirements 20
  Red Hat requirements 20
  SCVMM requirements 20
deployment scenario
  distributed deployment 43
  minimal deployment 27
  minimal installation 12
deployment path
  choosing 12
  distributed installation 12
distributed deployment
  installation overview 14
  validating 65
Distributed Execution Managers, See also DEM
distributed installation, overview 43
Distributed Execution Manager, See DEM

E
Encryption.key file, setting permissions 136
EPI agents, installing for Visual Basic scripting 99, 100

H
Hyper-V
  agent 91
  proxy agent 91
  requirements 91
Hyper-V agents, installing 92
hypervisor, requirements 91

I
IaaS
  agents 11
  download installer 67
  updating the certificate 126
IaaS administrators, appointing 107, 117
IaaS components
  installing 36
  installing in a distributed configuration 65
  registering 40
IaaS components, definitions 44
IaaS installer, downloading 38
IaaS services, verifying 84
IaaS database
  configuring Windows service for access 108
  configuring Windows services account to use SQL authentication 109
  creating the database manually 68
  creating the database using the wizard 70
  specifying the SQL database 39
IaaS database access, enabling from service user 109
IaaS distributed installation 44
IaaS Manager Service, requirements 19
Identity Appliance
  configuring 30, 52
  deploy in a distributed environment 51
  enabling time sync 29, 52
identity stores, configuring tenant 105, 106, 116
Identity stores, troubleshooting 139
Identity Appliance certificate, updating 121, 122
Identity Appliance management site, certificates 128
identity virtual appliance, deploying 28, 49
infrastructure components, installing 37
installation
  certificates 119
  completing 41
  configuring 131
  configuring tenants 111
  distributed deployment overview 14
  DNS and host name resolution 17
  minimal deployment overview 13
  minimal installation overview 27
  overview 9
  specifying agents 40
  specifying managers 40
  troubleshooting 131
  vCloud Automation Center Appliance 32, 57
installation components
  checking prerequisites 39
  choosing a deployment path 12
  SSO 9
  VMware Identity Appliance 10
  VMware Infrastructure as a Service (IaaS) 10
  VMware vCloud Automation Center Appliance 10


installation preparation, time synchronization 26
installation requirements
  credentials 23
  deployment environments 17
  IaaS requirements 19
  operating system 17
  port requirements 21
  security 25
  users 23
  virtual machine 17
  Windows server 18
  XenDesktop 95
installation failure, servers out of sync 136
installation requirements, hardware 17
installation type
  logging in 38
  selecting 38
installing
  browser considerations 18
  configuring vCloud Automation Center Appliances 51
  deploying vCloud Automation Center Appliances 49
  download IaaS installer 67
  worksheet 46

L
License, IaaS 108
Log in, failure 137
login failure, servers out of sync 136
logs, locations 131
Logs
  IaaS 131
  troubleshooting 131
loopback check, disabling 133

M
Manager service, definition 44
Manager Service
  installing 77, 79
  requirements 19
migrating
  installing and configuring the target system 13
  supported migration paths 13
minimal deployment, installation overview 13
Minimal installation, uninstalling 135
Model Manager
  definition 44
  editable business logic 10
  execution policies 10
  secure multi-tenancy 10
  troubleshooting install failures 133
  unified data model 10
Model Manager data, installing 71–73, 75


P
PEM files, command for extracting 120
post-installation tasks
  configuring Windows service to access IaaS database 108
  updating certificates 119
PostgreSQL database
  configuring standalone 54, 55
  requirements 18, 44
  set a password 56
PostgreSQL, configuring external database 58
PowerShell, setting to RemoteSigned 86
prerequisites
  browser considerations 18
  checking 39
provisioning server 97
proxy agents, installing and configuring for vSphere 87

R
remote servers, troubleshooting communication errors 138
requirements 97
RSA private keys, command for extracting 120

S
scenarios, choosing the agent installation 86
security
  certificates 25
  IaaS certificates 37, 66
  passphrase 25
  third-party software 26
  trust relationships 45
server settings, specifying 39
Server requirements
  IaaS database 18
  IaaS or Windows server 19
SSL certificates, extracting 120
SSO, configuring the Identity Appliance 30, 52
support bundle, creating 132
System error message 136

T
tenancy
  default tenant 111
  overview 111
  single-tenant vs. multi-tenant 112
tenant administrators, appointing 107, 117
tenants
  appointing administrators 107, 117
  configuring 111, 115
  configuring identity store 105, 106, 116
  configuring default tenant 105
  configuring identity stores 116
  creating 115, 116
  group management 112
  troubleshooting ID stores 139
  troubleshooting login 139
  user management 112
time sync, enabling on Windows machine 36
troubleshooting
  blank pages appearing 138
  log locations 131
  server times out of sync 136
  trusted certificate issues 133

U
Uninstall, failed installation 135
updated information 7
upgrading, supported upgrade paths 12
users and groups, overview 112

V
vCloud Automation Center Appliance
  configuring 33, 59
  deploying 32, 50
vCloud Suite, licensing 5
vCloud Automation Center Appliance certificate
  updating 123
  updating after renaming a host 124
vCloud Automation Center Appliance clusters, joining 63
VDI agent for XenDesktop, installing 94
virtualization proxy agents 11
Visual Basic, scripting requirements 100
Visual Basic scripting
  installing EPI agents 100
  installing the EPI agent 99
VMware IaaS
  distributed execution manager 11
  manager service 10
VMware IaaS, database 11
VMware IaaS, IaaS web site 10
VMware IaaS, Model Manager 10
vSphere agents
  configuring 90
  installing 89
vSphere agent
  required permissions 87
  supported configuration for concurrency 87
vSphere proxy agents, installing and configuring 87

W
website component, installing 71–73, 75
Windows services account, configuring to use SQL authentication 109
WMI agents
  enabling remote requests 102
  installing 102


X
XenDesktop
  installation requirements 95
  installing agent 96
  installing VDI agent 94
XenServer
  agent 91
  proxy agent 91
XenServer agents, installing 92
XenServer Host name, setting 95
