7.1
Table Of Contents
- Configuring vRealize Automation
- Contents
- Configuring vRealize Automation
- Updated Information
- External Preparations for Provisioning
- Preparing Your Environment for vRealize Automation Management
- Checklist for Preparing NSX Network and Security Configuration
- Checklist for Preparing External IPAM Provider Support
- Preparing Your vCloud Director Environment for vRealize Automation
- Preparing Your vCloud Air Environment for vRealize Automation
- Preparing Your Amazon AWS Environment
- Preparing Red Hat OpenStack Network and Security Features
- Preparing Your SCVMM Environment
- Preparing for Machine Provisioning
- Choosing a Machine Provisioning Method to Prepare
- Checklist for Running Visual Basic Scripts During Provisioning
- Using vRealize Automation Guest Agent in Provisioning
- Checklist for Preparing to Provision by Cloning
- Preparing for vCloud Air and vCloud Director Provisioning
- Preparing for Linux Kickstart Provisioning
- Preparing for SCCM Provisioning
- Preparing for WIM Provisioning
- Preparing for Virtual Machine Image Provisioning
- Preparing for Amazon Machine Image Provisioning
- Scenario: Prepare vSphere Resources for Machine Provisioning in Rainpole
- Preparing for Software Provisioning
- Preparing Your Environment for vRealize Automation Management
- Configuring Tenant Settings
- Choosing Directories Management Configuration Options
- Directories Management Overview
- Using Directories Management to Create an Active Directory Link
- Configure a Link to Active Directory
- Configure Directories Management for High Availability
- Configure a Bi Directional Trust Relationship Between vRealize Automation and Active Directory
- Configure SAML Federation Between Directories Management and SSO2
- Add Users or Groups to an Active Directory Connection
- Select Attributes to Sync with Directory
- Add Memory to Directories Management
- Create a Domain Host Lookup File to Override DNS Service Location (SRV) Lookup
- Managing User Attributes that Sync from Active Directory
- Managing Connectors
- Join a Connector Machine to a Domain
- About Domain Controller Selection
- Managing Access Policies
- Integrating Alternative User Authentication Products with Directories Management
- Configuring SecurID for Directories Management
- Configuring RADIUS for Directories Management
- Configuring a Certificate or Smart Card Adapter for Use with Directories Management
- Configuring a Third-Party Identity Provider Instance to Authenticate Users
- Managing Authentication Methods to Apply to Users
- Configuring Kerberos for Directories Management
- Scenario: Configure an Active Directory Link for a Highly Available vRealize Automation
- Configure Smart Card Authentication for vRealize Automation
- Create a Multi Domain or Multi Forest Active Directory Link
- Configuring Groups and User Roles
- Scenario: Configure the Default Tenant for Rainpole
- Scenario: Create Local User Accounts for Rainpole
- Scenario: Connect Your Corporate Active Directory to vRealize Automation for Rainpole
- Scenario: Configure Branding for the Default Tenant for Rainpole
- Scenario: Create a Custom Group for Your Rainpole Architects
- Scenario: Assign IaaS Administrator Privileges to Your Custom Group of Rainpole Architects
- Create Additional Tenants
- Delete a Tenant
- Configuring Custom Branding
- Checklist for Configuring Notifications
- Configuring Global Email Servers for Notifications
- Add a Tenant-Specific Outbound Email Server
- Add a Tenant-Specific Inbound Email Server
- Override a System Default Outbound Email Server
- Override a System Default Inbound Email Server
- Revert to System Default Email Servers
- Configure Notifications
- Customize the Date for Email Notification for Machine Expiration
- Configuring Templates for Automatic IaaS Emails
- Subscribe to Notifications
- Create a Custom RDP File to Support RDP Connections for Provisioned Machines
- Scenario: Add Datacenter Locations for Cross Region Deployments
- Configuring vRealize Orchestrator and Plug-Ins
- Choosing Directories Management Configuration Options
- Configuring Resources
- Checklist for Configuring IaaS Resources
- Store User Credentials
- Choosing an Endpoint Scenario
- Create a vSphere Endpoint
- Create a vSphere Endpoint with Network and Security Integration
- Create a vRealize Orchestrator Endpoint
- Create an External IPAM Provider Endpoint
- Create a vCloud Air Endpoint
- Create a vCloud Director Endpoint
- Create a Hyper-V (SCVMM) Endpoint
- Create a Standalone Endpoint for Hyper-V
- Create a NetApp ONTAP Endpoint
- Create a KVM (RHEV) Endpoint
- Create a Xen Pool Endpoint
- Create a XenServer Endpoint
- Create an Amazon Endpoint
- Create an OpenStack or PowerVC Endpoint
- Import a List of Endpoints
- Troubleshooting Attached vSphere Endpoint Cannot be Found
- Troubleshooting Locate the vCloud Air Management URL for an Organization Virtual Data Center
- Create a Fabric Group
- Configure Machine Prefixes
- Managing Key Pairs
- Creating a Network Profile
- Configuring Reservations and Reservation Policies
- Reservations
- Choosing a Reservation Scenario
- Creating Cloud Category Reservations
- Creating Virtual Category Reservations
- Edit a Reservation to Assign a Network Profile
- Reservation Policies
- Storage Reservation Policies
- Reservations
- Scenario: Configure IaaS Resources for Rainpole
- Scenario: Apply a Location to a Compute Resource for Cross Region Deployments
- Checklist for Provisioning a vRealize Automation Deployment Using an External IPAM Provider
- Configuring XaaS Resources
- Installing Additional Plug-Ins on the Default vRealize Orchestrator Server
- Working With Active Directory Policies
- Checklist for Configuring IaaS Resources
- Providing On-Demand Services to Users
- Designing Blueprints
- Exporting and Importing Blueprints
- Building Your Design Library
- Designing Machine Blueprints
- Space-Efficient Storage for Virtual Provisioning
- Configure a Machine Blueprint
- Machine Blueprint Settings
- Adding Network and Security Properties to a Machine Component
- Scenario: Create a vSphere CentOS Blueprint for Cloning in Rainpole
- Scenario: Turn Your Rainpole Machine into a Base for Delivering Software Components
- Add RDP Connection Support to Your Windows Machine Blueprints
- Scenario: Add Active Directory Cleanup to Your CentOS Blueprint
- Scenario: Allow Requesters to Specify Machine Host Name
- Scenario: Enable Users to Select Datacenter Locations for Cross Region Deployments
- Designing Machine Blueprints with NSX Networking and Security
- New Blueprint and Blueprint Properties Settings with NSX
- Configuring Network and Security Component Settings
- Associating Network and Security Components
- Designing Software Components
- Property Types and Setting Options
- When Your Software Component Needs Information from Another Component
- Passing Property Values Between Life Cycle Stages
- Best Practices for Developing Components
- Create a Software Component
- Scenario: Create a MySQL Software Component for Rainpole
- Software Component Settings
- Creating XaaS Blueprints and Resource Actions
- vRealize Orchestrator Integration in vRealize Automation
- List of vRealize Orchestrator Plug-Ins
- Creating Custom Resources
- Creating XaaS Blueprints and Resource Actions
- Mapping Other Resources to Work with XaaS Resource Actions
- Designing Forms for XaaS Blueprints and Actions
- XaaS Examples and Scenarios
- Create an XaaS Blueprint and Action for Creating and Modifying a User
- Create a Test User as a Custom Resource
- Create an XaaS Blueprint for Creating a User
- Publish the Create a User Blueprint as a Catalog Item
- Create a Resource Action to Change a User Password
- Publish the Change a Password Resource Action
- Create a Catalog Service for Creating a Test User
- Associate the Catalog Item with the Create a Test User Service
- Entitle the Service and the Resource Action to a Consumer
- Create and Publish an XaaS Action to Migrate a Virtual Machine
- Create an XaaS Action to Migrate a Virtual Machine With vMotion
- Create and Publish an XaaS Action to Take a Snapshot
- Create and Publish an XaaS Action to Start an Amazon Virtual Machine
- Create an XaaS Blueprint and Action for Creating and Modifying a User
- Troubleshooting Incorrect Accents and Special Characters in XaaS Blueprints
- Publishing a Blueprint
- Designing Machine Blueprints
- Assembling Composite Blueprints
- Understanding Nested Blueprint Behavior
- Selecting a Machine Component that Supports Software Components
- Creating Property Bindings Between Blueprint Components
- Creating Explicit Dependencies and Controlling the Order of Provisioning
- Scenario: Assemble and Test a Blueprint to Deliver MySQL on Rainpole Linked Clone Machines
- Managing the Service Catalog
- Checklist for Configuring the Service Catalog
- Creating a Service
- Working with Catalog Items and Actions
- Creating Entitlements
- Working with Approval Policies
- Examples of Approval Policies Based on the Virtual Machine Policy Type
- Example of Actions with Approval Policies Applied in a Composite Deployment
- Example of an Approval Policy in Multiple Entitlements
- Processing Approval Policies in the Service Catalog
- Create an Approval Policy
- Modify an Approval Policy
- Deactivate an Approval Policy
- Delete an Approval Policy
- Scenario: Configure the Catalog for Rainpole Architects to Test Blueprints
- Scenario: Test Your Rainpole CentOS Machine
- Scenario: Make the CentOS with MySQL Application Blueprint Available in the Service Catalog
- Scenario: Create and Apply CentOS with MySQL Approval Policies
- Index
Option Action
Authenticatio
n type
Enter the authentication protocol that is supported by the RADIUS server. Either PAP, CHAP,
MSCHAP1, OR MSCHAP2.
Shared secret Enter the shared secret that is used between the RADIUS server and the VMware Identity Manager
service.
Server
timeout in
seconds
Enter the RADIUS server timeout in seconds, after which a retry is sent if the RADIUS server does
not respond.
Realm Prex (Optional) The user account location is called the realm.
If you specify a realm prex string, the string is placed at the beginning of the user name when the
name is sent to the RADIUS server. For example, if the user name is entered as jdoe and the realm
prex DOMAIN-A\ is specied, the user name DOMAIN-A\jdoe is sent to the RADIUS server. If
you do not congure these elds, only the user name that is entered is sent.
Realm Sux (Optional) If you specify a realm sux, the string is placed at end of the user name. For example, if
the sux is @myco.com, the username jdoe@myco.com is sent to the RADIUS server.
Login page
passphrase
hint
Enter the text string to display in the message on the user login page to direct users to enter the
correct Radius passcode. For example, if this eld is congured with AD password and then
SMS passcode, the login page message would read Enter your AD password and then SMS
passcode. The default text string is RADIUS Passcode.
5 You can enable a secondary RADIUS server for high availability.
Congure the secondary server as described in step 4.
6 Click Save.
What to do next
Add the RADIUS authentication method to the default access policy. Select Administration > Directories
Management > Policies and click Edit Default Policy to edit the default policy rules to add the RADIUS
authentication method to the rule in the correct authentication order.
Configuring a Certificate or Smart Card Adapter for Use with
Directories Management
You can congure x509 certicate authentication to allow clients to authenticate with certicates on their
desktop and mobile devices or to use a smart card adapter for authentication. Certicate-based
authentication is based on what the user has (the private key or smart card), and what the person knows
(the password to the private key or the smart-card PIN.) An X.509 certicate uses the public key
infrastructure (PKI) standard to verify that a public key contained within the certicate belongs to the user.
With smart card authentication, users connect the smart card with the computer and enter a PIN.
The smart card certicates are copied to the local certicate store on the user's computer. The certicates in
the local certicate store are available to all the browsers running on this user's computer, with some
exceptions, and therefore, are available to a Directories Management instance in the browser.
n
Using User Principal Name for Certicate Authentication on page 107
You can use certicate mapping in Active Directory. Certicate and smart card logins uses the user
principal name (UPN) from Active Directory to validate user accounts. The Active Directory accounts
of users aempting to authenticate in the Directories Management service must have a valid UPN that
corresponds to the UPN in the certicate.
n
Certicate Authority Required for Authentication on page 107
To enable logging in using certicate authentication, root certicates and intermediate certicates must
be uploaded to the Directories Management.
Configuring vRealize Automation
106 VMware, Inc.