Installing Minimal vRA 7: Part 4 – Running Initial Content Creation Item

ow that the IaaS server is installed and vRA is up and running you can go and do STUFF with it!  But what if you don’t really know what ‘stuff’ is supposed to look like?  Well, at the end of part 3b of this series we pressed the button marked Create Initial Content.  This creates a nice catalogue item you can click on in vRA.

So, what we’re going to do in this stage is log in to vRA as the user configurationadmin (created by the install wizard in part 3b), run the initial content creation catalog item and then watch how this creates some ready made blueprints based on your vSphere environment for you to use and modify.

I should point out here that there are two types of catalog item in vRA. Either a published Blueprint (allowing the creation of a VM) or an Advanced Services item which is a way of instantiating vRO workflows with parameters from vRA (and yes, that is as powerful as you would think).

Before Step 0: Before You Start

You should ensure that you have at least one (preferably 2 or more)VMware machine templates ready and waiting in vCenter as this step will use them to create vRA Blueprints.  If there’s no templates, the process will run but do nothing interesting!

Step 1: Log on to vRA

To start, we need to log on to the default vRA tenant as the specially created user configurationadmin.  This was created at the end of the installer wizard.

Open a browser and navigate to https://<vraappliance&gt;.<domain>.<whatever>/vcac

Yes, REALLY… ‘vCAC’ <rolls eyes>

You’ll see the logon page.  Log in as configurationadmin with the password you specified in the installer wizard.

Tenant Logon box.

After a few moments the vRA default tenant portal should appear.  If you click on the Catalog tab at the top to see the current Service Catalog.  You should see the vSphere Initial Setup item ready to be requested.

The initial catalog.

click on the Sphere Initial Setup item.

Click Me.

Once you click, a multi stage form will appear asking many questions.  This is part of the power of vRA you can create single click items or complex workflows that appear simple to the end user.

The first window is all abut Tenant Settings.  Tenants in vRA are like organisations.  Logically distinct entities that have their own Service Catalog with their own set of actions and Blueprints published for them.  Generally they are aligned to a specific vCenter or compute resource.  The form give you these options:

Do you want to use current tenant (y/n): This is simply asking if you want the blueprints to be created in the default tenant.  You could do this but in this exampleI want to create a tenant as if it were a real life business unit/organisation.  Select No.

Do you want to create a new tenant (y/n): If you click yes (we we will) the process will create a new tenant for you.

System tenant administrator password:  This is the admin password for the default tenant (i.e. the one we’re logged in to) that you created in the installation wizard.  Type this here. NOTE: this is NOT the ‘configurationadmin‘ users password.

Tenant name: What would you like to call the tenant?  Enter this here.  NOTE: make it easy to type and simple. vRA tenants are accessed by appending the tenant name to a url e.g. https://vra7.lab.local/vcac/org/<tenant name>

First Name: Type in your (or a friendly) first name.

Last Name: Type in your (or a friendly) last name.

Email address: Type in an email address for approval and status mails to be sent to.  NOTE: this doesn’t have to be right but you’ll have to manually remember to check for pending approvals if you don’t use a real address (I don’t in the lab).

Username: Type a sensible username.  This will be created and then used by you to log on to this new tenant.

Password:  Type a sensible password for the above username.

Click next and continue with the process.

Tenant Settings

Now we’re at the vSphere setting section.  The screen below doesn’t show it but you need to add this information in manually (my first screenshot was messed, this is a summary shot with the correct information). You’ll need to enter:

Endpoint name: This is the name you gave to the Proxy Agent back in step 3b. This MUST match EXACTLY what you typed before or it wont work.  Fi you check back (or remember) this is the part where I said you should name the agent and the endpoint the same thing.   NOTE:  This is case sensitive.

Endpoint host: Enter here the FQDN of your vCenter.

Endpoint compute resource: The name of the resource you wnat to coneect to. e.g. the cluster name of your lab.  In my case, ‘HomeLab’.

Username: The username of the account hat has admin rights on the vCenter server you used in the previous step.

Password: The password for the above.

Now you’re ready to run the action.  So click next / ok to continue.

vSphere Settings

You’ll now get a standard vRA “Request Submitted Successfully” message as shown below.  This means the action is being processed and you should be able to track it progress.

Success (probably)

For me, the initial part of this took a good 10-15 mins.  You can check on the status of a request by selecting the Requests tab. This lists all vRA requests chronologically in the order requested.   It’s a good idea to check here now as, although the process can take a while to complete, if you’ve typed a setting incorrectly it will fail FAST and the status of your request will change to Failed.

NOTE: This screen does not auto update.  You have to click the refresh icon at the bottom.

What you would see is not blurred…


After about 10 mins, refresh and check that the request is still in progress. If it is, check for notifications in your inbox.  This is done by clicking the Inbox tab or going back to the home screen as there is an inbox widget on that to.


You should see an item asking for approval.  Open it, read it and approve it.  The next bit is very fast and, by the time you’ve clicked on the requests page again, should now be complete


Now you’ll want to see what the process has created so log out of the default tenant and in to the one you had created using the above process with the system admin password you specified.   In our case that means navigating to: https://vra7.lab.local/vcac/org/pepsicac7

Now click on the Catalog tab and you should see a shiny set of blueprints, one for each template you have available in your vCenter.

Look! Blueprints!

Now it’s time to play around.  Try to provision a few VMs via the blueprints and see if  you can edit the settings.


NOTE: when I initially tried out my blueprints they all failed with an error message “cannot find the template xxxx”  simply editing, changing nothing and then saving the blueprint caused everything to work.  Seems vRA7 still isn’t without it’s oddities.

Next up in part 5 of this series I’ll do a quick tour of the interface and manual configurations screens for vRA.  However, the install is essentially complete now so go forth an play around.

I’ll be adding in a how to series also in the near future for common operations.




Installing Minimal vRA 7: Part 3b Iaas Install and Automatically Installing Pre-Requisits

Stage 0: I Should Have Clicked the Button

This post, right here, is one of the reasons why vRA 7 is leagues ahead of vRA /vCAC 6.x.    In vRA 6 you had to manually ensure that  each of the many, MANY pre-requisites for installing the IaaS server on a Windows machine were exactly right before trying.  If even the slightest detail was incorrect you had to start over again (and I mean from the vRA appliance forward. It broke everything).  vRA 7 has a nice pre-req checker that  tells you if your out of compliance with any of the requirements and wont let you continue until you’re done.  Crucially, it has a button labelled “Fix” that I didn’t know about that will sort EVERYTHING for you automatically.  I didn’t know about this the first time so spend a good few hours manually sorting all the pre reqs before starting.  This was a waste of time…

So, if you want to get going quickly and easily keep reading.  If you wan to see what is required first hand in getting a server ready for an IaaS install (and it is interesting to see how it all fits together) I would like to direct you to the alternative version of this bog “Part 3 a”<<<COMING SOON>>>


Stage 1: Getting Your Server Ready

NOTE: I’m assuming that you have provisioned a vanilla Windows 2012 R2 server ready to be used as the IaaS server.  It must be:

  • Part of the same domain as the vRA appliance
  • Be registered in DNS
  • Have no ports blocked between it and the vRA VA (personally I just turn the FW off in the lab).
  • Meet the minimum system requirements of 2 x vCPU, 8GB RAM, 30GB HDD space (in addition to Windows)
    • For a lab environment you CAN drop the RAM after install but not before completion.

Stage 2: Install IaaS Management Agent

Before starting the main install of the IaaS server you need to install the IaaS Management Agent on the IaaS server (It looks for it in the initial setup).  You can get this by navigating to the URL https://<VRA Appliance FQDN>:5480/installer on the iaas server.

vra installer.png

This brings up a page with various packages available for download from the vRA7 appliance server.  We’re interested in the top one at this time.  Click the link to download the Management Agent Installer.


Save this file somewhere easy on your IaaS server and then run the installer to start the wizard. Continue through until you reach the Management Site Service window.

Welcome… next!
Sign away your soul and continue…
Install to an appropriate location and continue…

At this stage you’ll be asked to fill out a few important fields.  The main thing to note here is that if you get the vRA appliance address incorrect (or the UN/pwd) you will be unable to load the SHA1 fingerprint and continue.

You also have to tick the box confirming that you know the fingerprint is correct.  I’m not checking this in this guide but you should do in a production environment (steps on how to do this will be in the “enterprise” deployment blog).

Once you’ve got the URL, Username and Password correct you’ll be able to load the fingerprint and continue.

Information of your vRA Appliance

Next you’ll be asked to ender the active directory account created earlier that will be used to run the Management Agent Service.  This must have local admin rights as well as Logon as a service and logon as batch job rights.

NOTE: If you need to enable the logon as a service right for the account but dont know how to Follow this link to the Microsoft TechNet article describing how to achieve this.

Entering the Service account information
Ready? Continue…
In Progress…

Stage 4: Starting the IaaS Install Automation Wizard

Now we’re finally ready to start the main IaaS install and configuration using the new Wizard process.  To start, navigate to the following URL in a browser from the IaaS server:


The vRA appliance URL

This will bring you to a logon screen where you need to log on as root with the password specified in Part 1 of this blog series.

Appliance Logon page

Once you successfully logon for the first time the Wizard should automatically start.

IMPORTANT: The Wizard will only start ONCE.  if you get part way through the process and quit you will not be able to initiate setup via this method again.  If this happen you’ll have to use the old fashioned method of install and configuration.

The wizard begins
Another EULA. Does ANYONE read these?

After the EULA you get to select your instillation type.  For this exercise we are installing vRA 7 in the Minimal Deployment type so ensure this is selected.  You also get the option to deselect the Infrastructure as a Service option to not install the IaaS server portion of vRA (and thus rely on Advanced services and Orchestrator).  We want to be able to use the ‘easy’ Blueprints in the test environment so we’re going to install it (i.e. ensure it’s checked as an option).

Deployment type selection screen

Now there is the first of two prerequisite check screens.  This is checking for the pre-reqs for the install to begin. the screen below shows you how the screen looks if you have NOT deployed the IaaS Management agent on this server already (or if it’s not contactable).

Install Pre-req screen

You’ll be unable to proceed unless the agent shows up and can contact the vRA 7 appliance.  As we have already installed and configured the agent you should see something like this…

A visible management agent

Note:  In the above screenshot time sync was out as my windows box wasn’t using the same time sync as the ESXi host.  The install fixes this which is why the NTP configuration option is important.  It must be set to the same as the source for the appliance.

Next up is the important bit.  The prerequisite checker screen.  vRA 7 IaaS is still very specific in what you need to be able to successfully install the componant on the Windows server.  There’s a LONG list of things that have to be ‘just so’ listed in the manual.  If you want to know how everything hangs together and what needs to be changed check out “Part 3a” of my guide where i do everything manual because I thought I had to.  If not… Click the  Run button and the wizard will go off and start checking the system for you.

Pre-Req Checker Screen

Once you’ve click to start the process the screen will show the status.  First off you’ll see something like that shown below.  The name of the IaaS server is displayed and a “waiting….” style message appears.  On my lab this took 3-5 mins.


Soon after you’ll probably be greeted with something like this telling you that your server isn’t configured right…

Panic! (Don’t panic)

Now, in vCAC / vRA 6.x this would mean checking every setting it said was wrong (or guessing) or reinstalling if everything looked ok (but wasn’t).  In vRA 7, however,  VMware have made this bit far, far better that before.

You can simply click the “Fix” button on the pre-req checker screen and the wizard will go off and fix pretty much everything for you (A restart will be required).  It looks like this:

Fixing everything for you.  Please wait…

I tried this twice and it worked perfectly both times.  Your mileage may vary but i gave it a vanilla Windows 2012 R2 server and it behaved brilliantly.  Anyone coming from vCAC / vRA 6.x will understand how big of a deal this is!

If y0ur server requires a reboot let it come back up and re navigate to: https://<vr_server&gt;:5480 and log back in as root.  The Wizard will (should) restart where it left off.  You should find that the wizard restarts at the pre-req checker stage.  Re run, ensure things are ok and continue on…

Once you’re done you can continue on to the vRealize Automation Host specification page. you can enter the host manually if you want or, as I prefer, click the Resolve Automatically option and the wizard should resolve the FQDN itself. NOTE: The screenshot below has the Enter Host option selected the one we’re talking about appears beloe.

Enter your FQDN…

I actually think this is a good test that everything is working correctly before going any further as the management service SHOULD be able to see the appliance at this point.  If you can’t then you might want to fix that first! (Remember NOT to cancel the wizard).

It will look something like this if it’s working:

Automatically resolved!

Once the appliance information has been entered it’s on to specifying the administrator password for the default tenant account.  The default tenant account is the part of vRA when you can log in and configure everything important vRA related INCLUDING creating other tenants and setting up permissions for others to use them.

This is the only tenant that can do this so be sure not to lose this password or set it to something completely esoteric for no reason.

Chose a sensible, secure password…

We now need to specify the configuration parameters for the IaaS server (the one you’re on).

The IaaS web address should be the same as the DNS entry you’ve set up (i.e. the servers FQDN if you get windows do it when you joined the domain).

The Install IaaS Components on drop down should only have one entry (this server).

The Username field should be set to the domain account you set up right at the beginning that has local admin rights on this server.  The password is, obviously, the one you set.

Security Passphrase is very important.  Communication to the SQL database will require the use of an encryption key (that you’re setting here).  This must be remembered at al costs.  Recovery in the event of a failure without this phrase is not possible.  I personally like to go with something long but memorable such as “thephantommenacewascompletegarbageandyouknowit” just ensure you remember it!

IaaS Host configuration

Next is the SQL server configuration.  You don’t have to have pre created a database as the wizard will do this for you.   In the lab we’re using default settings and Windows Authentication. Just ensure that the account you’re logged on as / Running the Management agent as is also a dbcreator / sysadmin on your SQL server before continuing.

SQL server configuration…

Next up is the Distributed Execution Managers setup.  DEMs are actually two separate processed.  The DEM-Orchestrator that takes care of scheduling asks within vRA and the DEM-Worker which handles the actual execution of vRA tasks (up to 15 per DEM-W).

These are installed to an IaaS server (in our case THIS IaaS server) they need a name and a description (I’ve not been very creative in the example below).  These processes run as Windows services so the username and password must be from an account that has Logon As A Service Rights in the IaaS system.  This is the account we set up earlier.

DEM setup…

On to the next step… Agents.  This is where you enter the infomration used to set up  the communication between the vRA install and you vCenter & vSphere endpoints.  vRA will then install and agent that allows communication between the two systems.  Remember, vCenter doesn’t know about vRA, it’s vRA that gathers information on vCenter and then send requests.  The agent is the go-between / proxy for this two way communication.

IMPORTANT: The Endpoint name and Agent Name fields should be descriptive and the SAME.  This is because the explicit name of these two inputs are used in the configuration of vRA down the line and it’s something you have to manually type in and GET RIGHT.  Specifically, there’s no way I know of getting the correct Endpoint name if you can’t remember it or didn’t call it the same as the Agent (which shows up in Windows services).  So, if you forget and want to configure an endpoint manually for an agent you can’t remember the name of you’re left with a free form text box and not a hope in heck!  This is one of the parts of vCAC that seems to have carried over….  It needs to go!

So, enter sensible information and the details of the relevant username and password (that has vCenter Admin rights in this case) and continue.  As before, in a production environment this would probably be a separate account.

Get this right!

Now it comes to Certificates.  These are tricky in vRA under an enterprise install.  BUT, in a minimal install you are allowed to use Self-Signed Certificates.  And we are most certainly going to do this!  First up is the certificate for the virtual appliance.

The screen below shows the result of the following procedure.

Select the Generate Certificate option.
Type in a relevant Organisation, Organizational unit and country code (the first two can be whatever, the country code needs to be right).
Click Save Generated Certificate and wait a sec.
The screen will refresh to that shown below.

Generated Self-Signed Certificate…

Now on to the creation of the Web certificate for the IaaS server.  Same procedure as before using the same values and you should be left looking at a screen as shown below. This is a time saving of about 3 hours and two servers over the enterprise way of doing this section.

Another certificate done quick!

Finally… the Manager service certificate.  It should pick up that it’s on the same box as the IaaS Web server and use the cert you just generated.  It will look something like this.

Using the Web cert.

The wizard is now almost done.  It’s time to validate the install.  Click the Validate button and you’re away.  Progress will be shown like the screenshot below.

Mid-Way through validation

Take note of this line.  It really does take this long.  Go make another cuppa…

Please wait…

After the wait you should be greeted with this.  We’re finally ready to install.


The next screen gives very important advice.  vCAC 6.x was notorious for failing the install and leaving everything in such a state that you had to rebuild from scratch (yes, seriously) and try again with fingers crossed.  Guard against this possibility by snapshotting the vRA appliance, this IaaS server and the SQL server before attempting the install.  It’s worth the wait!

DO THIS, It’s really important

Once you’ve done this it’s time to ignore this next screen and press Install.


Now all you need to do is wait while everything gets installed and configured. a pretty helpful status is shown.

NOTE: I ended up with a screen showing “success” and “100%” install but with the final item on the list still showing as in progress.  This is, I think, a bug.  everything had completed fine and the system functions as expected.


Once the install is complete vRA will ask you for the licence key.

NOTE: You don’t HAVE to enter a key at this time.  However, you can’t do anything if you don’t as there’s no free trial period with vRA 7.  If you go on without the key you can display the logon page and sign in.  However, it just sits there with a spinning wheel and wont load the mains creen

Licence…. You need one…

Next to the option to turn on telemetry which sends info to VMware.  IMO this product needs all the help it can get (despite being awesome).  Turn it on.

Enable Big Brother (y/n)

Finally there is the option to create a vRA catalog items that will go off and create a suite of blueprints for you to get you started.  This is quite a cool idea and takes the guess work out of navigating the interface the first time.  it’s basic but its useful.

You simply need to choose a password for a user that will be created called configurationadmin.  In the next stage you’ll log in as this user and run the process to create initial blueprints.


Click the Create Initial Content button and you should see:

More success!

That’s it!  Now it’s time to log in and create some blueprints.  This will be covered in part 4 of this series!



Onwards… To part 4



Installing Minimal vRA 7: Part 2 Deploying The vRA Appliance

Now that we know what we’re aiming for we can get the really easy bit out of the way right now.  Deploying the  vRA 7 Virtual Appliance.  Throughout this example I’m using the svc-vra-admin account created in step 1 as it has rights for pretty much everything.

NOTE: My lab was running vSphere 5.5 when I did this blog post so screenshots below are from the c# client and NOT the Web client (yes, yes I know….).  Any additional posts after install will probably be from the Web Client and vSphere 6.0

Deployment Steps

I’m going to assume here that you have already downloaded the vRA 7 appliance OVA from VMware website.  If not, go do it now.

Step 1: Create a DNS entry for your appliance

vRA and, indeed, most other VMware products really like DNS to be set up correctly or they will behave most oddly.  Therefore, before deploying the vRA appliance you should.

  1. Log on to your server hosting DNS (in my case my labs AD).
  2. Create a new A record and associated PTR for the vRA appliance.
    1. e.g vra7.lab.local,
    2. Ensure the Create Associated Pointer (PTR) record option is ticked (if using Windows DNS).
  3. Check the new name is ping-able from within your environment.

Step 2: Deploy the OVF

With that step out of the way we can now deploy and configure the appliance.

  • Open Virtual Center and select File > Deploy OVF TemplateSnapCrab_LABVC01lablocal - vSphere Client_2016-1-5_12-5-39_No-00.png
  • The  deployment wizard will start.  Select your downloaded OVA file and continue through the steps (Shown Below).  These initial steps allow you to pick a name and location for the appliance.  My values are shown for example.  Continue until you get to the Disk Format stage of the wizard.
Select the source of your OVA file and continue…
Ignore the details and continue…
Press Accept without reading just like everyone else and continue…
Give you VM a sensible name (e.g. use your DNS name) and continue…
Select Your host / cluster and continue…
Select a resource pool if you want to and continue…
Select the datastore you want to deploy to…
  •  This next window is probably where you want to start paying actual attention to the  wizard.  The default option here is Thick Provisioned, Lazy Zeroed.  For a quick deployment and a lab setup this is silly and wasteful so ensure you select Thin Provisioned and continue…
Select Thin Provisioning and continue…
  • The next screen is the most important to get exactly right now or else there will be issues later down the line.  You’ll need to fill out:
  • Initial Root Password: Something memorable for logging in as root (Don’t Forget This!)
  • Enable SSH service in the appliance: Checked. As this is a lab we want to turn this on as we’re going to play.  If you were installing that as a production system you should leave this off for security reasons and only enable it when required.
  • Hostname: The FQDN of your appliance as its been set up in DNS. <server>.<domain>.<whatever> or, in my case: vra7.lab.local
  • Default gateway:  Your route to the internet or network for this appliance
  • Domain Name: The domain suffix of the VM <domain>.<whatever> or, in my case. lab.local
  • Domain Search Path: the NETBIOS style name of the domain all user / security accounts are contained in e.g. <Domain>.  In my case it’s just called “lab”
  • Domain Name Servers:  The IP Addresses  (IPV4) of the DNS server to use for the appliance.  In this example DNS is installed on my AD server so I use this IP.
  • Network 1 IP Address: the IP V4 network address you want to assign to the appliance.
  • Network 1 Netmask: The subnet mask for the appliance.

Once you’re sure all of the entries are correct for your environment continue…

Make sure all these entries are accurate!
  • Check the details are correct, click next and get the appliance provisioning into your lab.  Make sure you check the Power on after deployment option.  Saves waiting around!
Ready to deploy!  Go Make A Cuppa.
  • Wait for the VM to deploy and turn on  Once it’s up and running open up a CMD / PowerShell window and ping the appliance via it’s DNS name.  This ensures that DNS is working correctly and the appliance has successfully applied it’s network settings. If it fails here fix DNS resolution before going any further.


That’s it.  The appliance is now up and running  and it should even look like this if you go to the console and take a look.


Now you are  ready to move on to the next stage of preparing the Windows server for the IaaS install.  You can do this the easy way or the hard (but interesting way).  I learnt on vCAC 6.0.x so have a healthy distrust for the automatic pre req install. So, I did it manually first.  Only LATER did I try the automatic method and find out that it actually works…. So I present both ways.

Hard Way: Installing Minimal vRA 7: Part 3a – Manually Installing Pre-Requisites
Easy Way: Installing Minimal vRA 7: Part 3b – Automatically Installing Pre-Requisits

Installing Minimal vRA 7: Part 1 Which Version For The Lab?

Finally, after pretty much a full year of waiting VMware released version 7 of the vRealize Automation suite.  Rumour is that it’s far easier to install, more stable and bug free than before.  Given the difference between the hell that was 6.0.1 and the, much better but still poor, 6.2.2 releases I’ve had the pleasure of deploying I’m hopeful of significant progress.  Obviously I want to check it out as son as possible so this series of Blogs will be about getting it deployed in my home lab.

Installing In A Home Lab

vRA is a beast when it comes to system requirements 6.x was massive but 7 is much improved.  Gone are the requirements for a separate Identity appliance (SSO) and pSQL DB to talk to the vRA host.  Both of these as now included in the basic appliance.  It’s still beefy though so, for a 1st time I’m going to deploy the “minimal” version of vRA

So, What Does It Look Like?

The minimal install looks like this:


This is nice and simple for the lab.  We only NEED two boxes.  One vRA appliance and one Windows Box for the IaaS components, agents and SQL.

In this series of blog posts I’m going to be using a SQL server I already have as part of the lab (the same one that houses my Virtual Center DB). Therefore I’ll be interacting with three boxes that make up the install.

So, What’s Being Provisioned?

The vRA7 lab install will be made up of:

  • 1 x vRealize Automation appliance, which deploys the management console, manages Single Sign-On and houses the internal PSQL DB and Orchestrator server.
  • 1 x Windows Server box (2012 R2) for the  Infrastructure as a Service (IaaS) components.  This includes the Web Server, Model Manager Data, Manager Service (agent), Distributed Execution Managers (worker and orchestrator) as well as the agents for vSphere / vCenter etc.

What Have I already Provisioned?

  • An MS SQL Server for the IaaS Database (Server 2012).  This is already set up in my lab.
  • An Active Directory Domain with a domain already set up.  This is fr creating users and groups with relevant permissions.

What We Need To Proceed

To complete the install you’ll need:

  • 1 x vRA7 OVF file from VMware to deploy the appliance.
    • Download from the MY VMware site.
  • 1 x Vanilla Windows 2012 R2 server for the IaaS components
    • 2 x vCPUs
    • 8GB RAM
    • 60GB HDD (30GB Windows, 30GB Free for IaaS Components)
  • 1 x Licence Key for vRA.
    • It doesn’t work without one so don’t try (installs, wont log in)

Accounts And Logins Required

Before you start it’s best to create any users and groups you may require now.  vRA has some specific requirements such has insisting that the IaaS server is installed as the account that has local admin rights on the Windows Server. I have created the following users and groups that are used in my Active Directory.

User: svc-vra-admin
This is my generic service account that I create for anything vRA related.  In this case it’s used to log on and install the IaaS components as well as run the vRA services (i.e. the service runs AS THIS USER).  It’s also the account I give permissions in vCenter to have admin access for data collection later in the process.  In a real world environment you probably shouldn’t just use the one account. However, as this is a lab PoC test I have.

Member Of Groups:
vRA Administrators 
– For defining an account as having vRA admin permissions.
vRA Users – For defining an account as a standard user.
VC Admins – Group giving members admin rights to my Virtual Center.
vRO Admins – Group giving members admin rights in vRO.

Additional Standard Groups This User Is A Member Of:
Domain Admin
Domain Users

NOTE:  This isn’t close to best practice.  In a shared environment, anything facing the internet or a real deployment Create seperate users as appropriate.  After this simple guide I will be doing an “Enterprise” install with the correct segregation of duties. This solution is, obviously, not production ready!

Once you’ve got all this downloaded and provisioned You’ll be ready for the Next Stage.  Deploying the vRA Appliance

Installing vCAC – Part 3: Certificates Prep and Configuration (Continued)

Continuing from the previous posts. Here we shall generate the certificates used for the vCAC appliances.

Step 5: Install Open SSL

VMware requires that a very specific version of Open SSL is installed for use with vCAC appliances and components.  In this instance we have to use Open SSL v0.9.8zb as anything from the 1.x stack is not supported in this version.  This version of 0.9.8 is a patched version that is NOT vulnerable to the security flaws that prompted the 1.x version release.

Prior to installing Open SSL on your issuing CA (again, in my lab this is the DC running MS Certificate Services).  you need to ensure the per-requisites for Installing OpenSSL have been met.  In this case it is the downloading and instillation of Visual C++ 2008 Redistributable.  This is available from Microsoft (vcredist_x86.exe).

So, first off install that pre-req and then download and install Win32OpenSSL-0_9_8zb.exe

The instillation of Open SSL is mostly a ‘Keep Clicking Next affair’ However, as outlined below you should ensure that the Open SSL binaries are stored in the /bin directory and NOT the Windows system directory.  It makes things MUCH easier later and allows things to happen automatically.

SnapCrab_NoName_2015-2-27_14-5-59_No-00Step 6: Issue SSL Certificates for the vCAC and SSO Appliances

Open a PowerShell windows and make a new directory as shown and then launch the certificates Manager console. Or do it via Windows Explorer if you like.

md C:\Certificates\vCAC

Expand the Trusted Root Certification Authority and then select Certificates.  You should be able to see the Root certificate for the Authority. SnapCrab_NoName_2015-2-27_14-20-37_No-00Now, in the details pane, right click on your created Root Certificate (In my case LabDC01-EntRootCA) and select All Tasks > Export

SnapCrab_NoName_2015-2-27_14-16-26_No-00The Export wizard will open up. Follow the process ensuring that the certificate is exported in Base-64 encoded X-509(.CER) format (shown below).


Then save the file in the C:\Certificates\vCAC folder as Root64-1.cer and complete the wizard. Note that the names of the folders and files here refers to commands we will soon be executing.  If this was in an offline root CA  with an online issuing CA there would be a second root certificate in the chain of trust and this would also have to be exported (hence the ‘-1’ at the end of the certificates file name).

SnapCrab_NoName_2015-2-27_14-19-13_No-00The requirements for vCAC certificates are long and specific.  Luckily a guy called Ross Davies has created a PowerShell script that will do all the Open SSL stuff for you.  All you have to do is enter a few variables and the hard work is done! (I’m really not a regular user of Open SSL so this was a godsend).  Check out his post to get the script and see how he made it.

Below is the user variable area of the script with my values plugged in. Ensure you have the $CertOutputPath and $OpenSslInstallDir are correct before running the script.  Also note that there are NO SPACES in the Certificate Template name as the template name is created without spaces regardless of the friendly name given.

# Path to directory to store created certificates
$CertOutputPath = "C:\Certificates\vCAC"

# OpenSSL location
$OpenSslInstallDir = "C:\OpenSSL"

# CA Name
$CAName = "LabDC01\LabDC01-EntRootCA"

# Certificate Template Name
$CertificateTemplateName = "VMwareSSLCertificate"
$CertificateCountryName = "GB"
$CertificateStateOrProvinceName = "London"
$CertificateLocalityName = "London"
$CertificateOrganizationName = "Lab"
$CertificateOrganizationalUnitName = "Dev"

When the script is run it simply asks a few questions (shown below) all revolve around Subject Alternate Names (SAN) values for the certificates.  vCAC gets really, REALLY sniffy about these values existing so it is best to put in all names you can think of here.  NOTE: The common Name must be FQDN, the SANs are DNS names and entries.  Normally I wouldn’t put the IP address as an entry here but this is a lab environment so I want a fail back if I mes my DNS up!SnapCrab_NoName_2015-2-27_15-1-5_No-00The script will do some OpenSSL goodness and then ask you if the Root CA certificate is in the correct location.  Check that the Root64-1.cer is there and then select Yes.

SnapCrab_NoName_2015-2-27_15-4-26_No-00Again, Magic will happen and the following confirmation should appear:

SnapCrab_NoName_2015-2-27_15-6-5_No-00The same steps are required now for the vCAC Virtual Appliances.  As before, ensure the SANs are entered correctly and thoroughly.  Remember that, in a distributed environment the main address for the vCAC VA will be the load balancer address / DNS entry.

SnapCrab_NoName_2015-2-27_15-9-5_No-00Again, a confirmation will appear (shown below) if everything has gone right.SnapCrab_NoName_2015-2-27_15-10-55_No-00To check everything has run correctly you can take a look in c:\Certificates\vCAC and you should see two new folders created (vCAC-SSO and vCAC-vAPP).  These folders will contain numerous files within making up the certificates in the right formats for importing in to the vCAC appliances.

SnapCrab_NoName_2015-2-27_15-16-44_No-00That’s it. We are now done with certificates and can get on with Installing the vCAC appliances.


Installing vCAC – Part 2: Certificates Prep and Configuration

When installing vCAC in a distributed / load balanced way it is not possible to use self-signed certificates to get everything working correctly (wildcard certs are not supported either).  Therefore, correct certificates have to be generated for your environment and then issued for the various vCAC components.  In a production environment the Public Key Infrastructure (PKI) would ideally be an Offline Root CA server with a second server provisioned as an Online Issuing Certificate Authority.  In my lab environment I don’t have the capacity for this so my online Domain controller will be an Enterprise Root CA. There wont be a secondary issuing server.  I will also assume that you are setting up a PKI for the first time and it’s not already installed

Step 1: Create A CAPolicy.inf File

Before installing Active Directory Certificate Services you can create a CAPolicy.inf file that defines certain default values you want the PKI to adhere to.  In my case i was strong encryption with long validity so I don’t ever have to worry about replacing anything later.

The file should be created as %windir%\CAPolicy.inf and contain the values you require.  In my case it looks like:

Signature="$Windows NT$" 



This specifies a key length of 4096 bit (strong) with a 40 year validity period and a 20 year period for Certificate Revocation Lists.  Delta CRLs are disabled for simplicity!

NOTE: I believe this file is only used if the GUI configuration of the CA is followed.  If using PS as below these settings need to be configured manually.

Step 2: Install Active Directory Certificate Services

I prefer to add features to Windows using PowerShell as it means I don’t have to keep clicking Next every few seconds. The commands I use going forward only work on Windows Server 2012 upwards (sorry).  If you are running 2008R2 or older you’ll have to install the roles and features the old way. Also note that the method below requires the server I am installing on be a Domain Controller.

To install AD-CS Open up a PowerShell Window (ensure it’s running as an administrator) and run the command:

SnapCrab_NoName_2015-2-26_16-35-0_No-00Install-WindowsFeature -name AD-Certificate -IncludeManagementTools

This will install the feature pretty quickly.  A progress bar will appear if the command works:

SnapCrab_NoName_2015-2-26_16-35-51_No-00Then, upon successful install, a confirmation message is shown:

SnapCrab_NoName_2015-2-26_16-36-7_No-00All this has done is install the feature.  The server still needs to be configured as an Enterprise Root CA.  Firstly we run the PS command below to setup the server as an Online Enterprise Root CA:

Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -KeyLength 4096 -HashAlgorithmName SHA1 -ValidityPeriod Years -ValidityPeriodUnits 40 -CACommonName "LabDC01-EntRootCA" -CADistinguishedNameSuffix "DC=lab,DC=local" -CryptoProviderName "Microsoft Strong Cryptographic Provider"

Remember, you can use the –whatif switch to check that the command is valid and to see what it will do.

SnapCrab_NoName_2015-2-27_10-2-34_No-00There will be a confirmation dialogue (as show above), confirm the action and wait for the process to complete(almost instant).  The confirmation is odd (shown below). It looks like an error but isn’t

SnapCrab_NoName_2015-2-26_17-11-55_No-00Successful configuration at this point can be confirmed by opening Certificate Services:


Right clicking on the root server (should have a green tick by it) and selecting Properties and then View Certificate.


If all is well you should notice that, in the details tab, the Public Key field is set at 4096 and the validity period is indeed 40 years.SnapCrab_NoName_2015-2-26_17-16-45_No-00There is a little more configuration required to set up the publication URLs, CRLs and disable Delta CRLs.  The commands below need to be entered (modify for your use

certutil.exe –setreg CA\CRLPublicationURLs “1:C:\Windows\System32\CertSrv\CertEnroll\%3%8.crl\n2:http://pki.lab.local/pki/%3%8.crl”
certutil.exe –setreg CA\CACertPublicationURLs “2:http://pki.lab.local/pki/%1_%3%4.crt”
certutil.exe –setreg CA\CRLPeriodUnits 20
certutil.exe –setreg CA\CRLPeriod “Years”
certutil.exe –setreg CA\CRLDeltaPeriodUnits 0
certutil.exe –setreg CA\CRLDeltaPeriod “Days”
certutil.exe –setreg CA\CRLOverlapPeriodUnits 4
certutil.exe –setreg CA\CRLOverlapPeriod “Weeks”
certutil.exe –setreg CA\ValidityPeriodUnits 40
certutil.exe –setreg CA\ValidityPeriod “Years”
certutil.exe –setreg CA\DSConfigDN “DC=lab,DC=local”
Restart-Service certsvc
certutil -crl

As an example you should get output similar to the screenshot below if the commands complete successfully.SnapCrab_NoName_2015-2-27_10-30-27_No-00Now, if you check: C:\Windows\System32\CertSrv\CertEnroll You should see your root certificate all present and correct.

SnapCrab_NoName_2015-2-27_10-45-36_No-00Step 3: Creating A vCAC Specific Web Enrollment Template

Now, to be able to issue the correct type of certificates for vCAC (it has very specific requirements according to the docs) we need to create an new Certificate Template.  This done by launching the Certificate Authority utility on your issuing CA (In my case this is the Enterprise Root CA installed above).

Expand the Certification Authority tree and right click on Certificate Templates.  Now select Manage from the context menu.  This will open up the Certificate Templates Console. Scroll down the list and select Web Server. Right click and select Duplicate Template.  (Shown Below).

SnapCrab_NoName_2015-2-27_11-3-38_No-00The properties window will be displayed. Leave the compatibility level at Windows Server 2003 level and then select the General tab.

SnapCrab_NoName_2015-2-27_11-7-5_No-00In the general tab change the information to that shown below.  Specifically, make sure the Publish certificate in Active Directory check box is selected and that the validity periods are right for your environment (I don’t want to bother replacing them so have set it long).

SnapCrab_NoName_2015-2-27_11-7-57_No-00Now select the Extensions tab, select Key Usage and ensure the options shown below are checked.SnapCrab_NoName_2015-2-27_11-10-3_No-00Click OK and then, still in the Extensions tab, select Application Policies and then Edit.  Click add and then select Client Authentication and then OK.

SnapCrab_NoName_2015-2-27_11-14-33_No-00Click OK and close the Certificates Template Console. The certificate is now available  in AD and available to publish.

Step 4: Publish The New Web Enrollment Template

Still logged on to your Issuing CA with an account that has Domain Admin privileges open the Certification Authority  utility and expand the tree as before.  Right click on the Certificate Templates folder and select New > Certificate Template to Issue from the menu.SnapCrab_NoName_2015-2-27_11-17-32_No-00The Enable Certificate Templates window will appear.  Scroll down and select VMware SSL Certificate as created above and click OK.


The VMware SSL Certificate should then appear in the Certificate Templates folder.

Next up is installing Open SSL.  This will be continued in Part 3

Installing vCAC – Part 1: Windows Pre-Requisites

This series of posts will guide you through a full distributed install of VMware vCloud Automation Center (vCAC This is something I’ve done in a live environment but I’m going to try to re-create a small setup in my lab environment to enable me to test upgrading between vCAC versions. Why? Because I’m interested.

A Note on System Requirements
I don’t have a super powerful lab. Storage is fast but not that plentiful. As this is a test install that won’t really do much some of the Components will be t minimum spec or below if I know I can get away with it. This will show mostly on the second side of the stack. This will be set up to prove clustering and load balancing but will be logically turned OFF and left undersized once running.

Part One – Windows Pre-Requisites

For ease of administration, and to replicate what I would do in a Live environment, I have created the following security groups in Active Directory using the Users and Computers utility.  These will hold relevant accounts that are needed in the install process.

SnapCrab_NoName_2015-2-26_15-52-8_No-00The following accounts were also created in Active Directory Users and Computers utility as they will be needed later.

SnapCrab_NoName_2015-2-26_15-52-26_No-00When creating these accounts you will need to specify a password.  This should, obviously, be strong but be aware that some special characters will cause issues with the vCAC install later on because of the way the installer uses SOAP to pass through certain password.  For this reason it’s a good idea to avoid ‘#‘, ‘&‘, ‘@‘ for sure (other characters may also be bad).

I’ve added my personal account and the domain admins group to the VC Admins group, the svc_vcac_admin user is a member of vCAC Administrators and svc_sql to the SQL Administrators group.

Set Up a DNS Entry for PKI

vCAC uses Certificates a LOT and we will need to set up a Public Key Infrastructure (PKI) to be able to do this in the lab. I will be installing PKI on my Lab DC so, for later use, I’m also creating a DNS A record looking like: pki.lab.local

This can be done from the DNS Manager Utility.