Install VMware Orchestrator Appliance

  • By Toby
  • 16 Jan, 2017
My first blog entry covers a fairly simple topic, but we will do a little more than the OVA deployment 🙂
I will cover the latest version of vRealize Orchestrator (vRO), which is vRealize Orchestrator Appliance 7.2 | 22 Nov 2016 | Build 4629837.
Before we start the OVA deployment, we need an IP address. Which method you choose is a matter of preference; I will use a DHCP reservation, because in my experience DHCP makes life much easier in an IP migration scenario. Second, we have to create the DNS entries (host A record and reverse entry). Please don't skip this step: I have often seen customers without working DNS resolution, and this leads to various kinds of misbehavior (for example, vCenter registration fails).
To verify that the IP setup is correct, open a command prompt and type nslookup <HOSTNAMEofyourVRO>, then type nslookup <IPofyourVRO>, and check that your DNS server returns the right IP and hostname.
 
So, from my point of view, what should our next steps be?
1.) Basic Setup – Appliance
2.) NTP
3.) Basic Setup – vRO
4.) Certificates
4.) Certificates
4.) Certificates
Before some of you now think, what is wrong with this guy? – Let me explain. vRO uses 3 certificates: one for the connection from your browser/vRO client, one for signing the workflows and one for the appliance management (VAMI). Since I know there are enough blogs about vRO (setup, working with it, etc.), I will always cover certificate management in my posts, to differentiate a little from other blogs.
So first we do the basic setup. To do this, just open the VAMI (Virtual Appliance Management Interface) at https://<HOSTNAMEofyourVRO>:5480. The username is root and the password is the one you provided during the OVA deployment. My first tasks are setting the time zone, the proxy setup if you have one, and the update settings. The vRO appliance can check for updates over the Internet, via a specified repository, via a virtual CD-ROM drive or, and this is my preferred way, via vCenter Update Manager. Why via Update Manager? From a design and operations point of view, you have one central management for all your appliances. Then we move on to the Admin tab – Time Settings. I will not discuss why we are using NTP, because that topic has been discussed often enough, so we just configure our NTP server: the same one that all our ESXi hosts, vCenter and Active Directory controllers are using.
We have now finished the basic setup of the vRO appliance and our NTP configuration, so let's move on to the basic setup of vRO itself. In the browser we go to https://<HOSTNAMEofyourVRO>:8281/vco/ or just enter http://<HOSTNAMEofyourVRO>, which will redirect you to port 8281. Then we need the Orchestrator Control Center, which is linked in the middle of the page. The link opens a new tab, where we log in with our root user and the password.
First we configure our authentication provider. Which one you use depends on your environment; the important information right now: please don't use LDAP anymore, it will be obsolete in the next releases. vRO supports 3 authentication providers: vRealize Automation, vSphere (Platform Services Controller) and SSO (legacy). IMPORTANT: for SSO (legacy), vCenter 5.5 Update 2 and higher is required. More about this you can find here. We will use our vCenter Platform Services Controller: select vSphere as the authentication mode, enter the <FQDNofyourPSC> and press Connect. You will be asked to accept the certificate of your PSC; just press the ACCEPT CERTIFICATE button. After accepting, we must enter the identity information of our PSC (username and password).
After saving the information, vRO asks for the administrator group and shows a warning message. Before we can fix this we have to restart the Orchestrator server, so just click on the "Startup Options" link and restart your Orchestrator server. After the server service has restarted, we can go back to Configure Authentication Provider and configure the admin group. Just enter the Active Directory or SSO group you want to permit and press SEARCH. After finding the admin group, we can finish the task via SAVE CHANGES. Hint: if you are not sure, you can verify your configuration via Test Login. Last step: restart the server service again.
I have already created a template based on this KB from VMware. So first we need our certificate. Since I really like using Subject Alternative Names (SAN), I prefer the DigiCert Util to create the CSR. Just provide the tool with all of your information and generate the CSR. Copy your CSR and request the certificate. After you get your certificate back, open it, press Install Certificate and select Local Machine. After importing the certificate, verify that you have a private key for it.
OK, so now we have our certificate, that's the good news. The bad news: it is on the wrong machine, and we can only export it in a format our vRO does not support. First we fix the wrong machine: use your MMC to export the certificate, select "Yes, export the private key" and, on the second page, "Include all certificates in the certification path if possible" and "Export all extended properties". For security reasons I would also recommend selecting "Delete private key if the export is successful", but you can also delete the certificate after the installation is finished. On the last screen, enter a password to protect your private key.
Next we need to convert the .pfx file to a .pem file. There are many ways to do this; here too it depends on your personal preference and, more or less, on your security concerns. You can do the conversion online, for example here, which means uploading the .pfx with its private key to that site, or with OpenSSL on your own machine. If you have a working OpenSSL installation, just run this command:
openssl pkcs12 -in c:\certs\yourcert.pfx -out c:\certs\vro.pem
OpenSSL asks for the .pfx password and then for a pass phrase that protects the private key in the .pem file.
Now that we have our .pem certificate and a working CA chain, we can change our vRO certificate. To do this, we go back to our Control Center -> Certificate -> Orchestrator Server SSL Certificate and select Import. Browse to your .pem file, enter your private key password and select Import.
After you have checked your input, the Control Center shows you your current certificate and the new one; just press Import again and the certificate will be replaced. To finish the replacement we must restart the Orchestrator appliance, NOT ONLY the server service. You can restart your vRO via VAMI or in your vCenter. After the reboot, just verify the certificate chain. Boom – vRO web service certificate changed.
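The checks below are an added example, not part of the original post: before importing vro.pem, confirm that the private key in it matches the certificate, that the SAN lists the vRO host name, and that the certificate chains to your CA. The script builds a throwaway CA and .pfx so it runs on its own; the host name vro01.example.test, the passwords and the file names are constructed placeholders.

```shell
#!/bin/sh
# Added example: pre-import checks for the PEM produced from the exported PFX.
# Host name, passwords and file names are constructed placeholders.

key_matches_cert() {   # <pem> <key-password>: key in the PEM belongs to its certificate
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$1" -passin "pass:$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

san_has_host() {       # <pem> <fqdn>: SAN lists the name used in the vRO URL
  openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
    tr -d ' ' | tr ',' '\n' | grep -Fxq "DNS:$2"
}

chain_verifies() {     # <pem> <ca-file>: certificate chains to the CA you expect
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# <dir>: throwaway CA + leaf with SAN -> yourcert.pfx -> vro.pem. The last call is the
# conversion from the post, with both passwords given on the command line.
make_constructed_pem() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" -out "$d/ca.crt" \
    -subj "/CN=Constructed Test CA" -days 2 2>/dev/null &&
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/leaf.key" -out "$d/leaf.csr" \
    -subj "/CN=vro01.example.test" 2>/dev/null &&
  printf 'subjectAltName=DNS:vro01.example.test,DNS:vro01\n' > "$d/san.ext" &&
  openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -extfile "$d/san.ext" -days 2 -out "$d/leaf.crt" 2>/dev/null &&
  openssl pkcs12 -export -in "$d/leaf.crt" -inkey "$d/leaf.key" -certfile "$d/ca.crt" \
    -passout pass:ExportPw1 -out "$d/yourcert.pfx" &&
  openssl pkcs12 -in "$d/yourcert.pfx" -passin pass:ExportPw1 \
    -passout pass:PemKeyPw1 -out "$d/vro.pem" 2>/dev/null
}

work=$(mktemp -d) && trap 'rm -rf "$work"' EXIT
make_constructed_pem "$work" || echo "openssl setup failed"
key_matches_cert "$work/vro.pem" PemKeyPw1 && echo "private key matches certificate"
san_has_host "$work/vro.pem" vro01.example.test && echo "SAN covers the vRO host name"
chain_verifies "$work/vro.pem" "$work/ca.crt" && echo "chain verifies against the CA"
```

Against a real export, call the three check functions with your own vro.pem, the pass phrase you set during conversion, and your CA certificate file.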
 
 
 
 
 
 
 