This is pretty much identical with the previous 7.x installs, but as I am rebuilding my vRA lab anyway – I may as well take some screenshots 🙂
The initial deployment is identical to any other OVA deployment. Using your webclient – deploy the OVA
Browse to the OVA
The ‘usual’ stuff
Accept the EULA
Select a location
Select a datastore
.. the network too
Enter a complex password and enable SSH if you wish. Set the hostname.
And of course the network details
Hit Finish if you are happy with the details (may as well power on when done)
And wait until the deployment has finished (here you can see I deploy vRB too)
Once the appliance has been deployed, make sure that name resolution is working – both forward and reverse
Next thing to do is running the installation wizard – but before I do – I will create the certificates to be used by vRA / vRB
Due to the new browser constraints – SHA1 is no longer supported – and will likely throw all sorts of errors. I therefore created a Microsoft CA with SHA512 / 2048 length instead. That hopefully keeps the browsers quiet.
So here I created the configuration file in order to create the csr
[ req ] default_bits = 2048 default_keyfile = rui.key distinguished_name = req_distinguished_name encrypt_key = no prompt = no string_mask = nombstr req_extensions = v3_req [ v3_req ] basicConstraints = CA:FALSE keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation extendedKeyUsage = serverAuth, clientAuth subjectAltName = DNS:vra, DNS:vra.www.open902.com, DNS:vrb, DNS:vrb.www.open902.com, DNS:iaas, DNS:iaas.www.open902.com [ req_distinguished_name ] countryName = GB stateOrProvinceName = GB localityName = Ely 0.organizationName = Open902 organizationalUnitName = vRealize Automation commonName = vra.www.open902.com
On a PC / Server with OpenSSL installed, create the csr
Michaels-MBP:vra.www.open902.com mike$ openssl req -new -nodes -out rui.csr -keyout rui-orig.key -config vra.cfg Generating a 2048 bit RSA private key .....+++ .................................+++ writing new private key to 'rui-orig.key' ----- Michaels-MBP:vra.www.open902.com mike$
Next, decrypt the newly created private key
Michaels-MBP:vra.www.open902.com mike$ openssl rsa -in rui-orig.key -out rui.key writing RSA key Michaels-MBP:vra.www.open902.com mike$
Now browse to your certification authority
http://ca.www.open902.com/certsrv/certrqxt.asp
Paste the content of your csr (rui.csr) and select the VMware Template.
Click Submit
Tick Base 64 encoded and click Download certificate
Download the certificate certnew.cer and copy it as rui.cer onto a PC / Server with OpenSSL installed
Next, download the Root certificate.
Click Home
Click Download a CA certificate, certificate chain or CRL
Tick Base 64 and click Download CA certificate chain
Open the certificate certnew.p7b
The certmgr will open. Browse to Certificates, right-click the certificate and then All Tasks > Export …
Go through the wizard. Select Base-64-encoded X.509 (.CER)
Save it as Root64.cer
Now move the file to a server / pc with OpenSSL installed as well
You should now have the following files on your OpenSSL station
- Root64.cer
- rui-orig.key
- rui.cer
- rui.csr
- rui.key
- vra.cfg
Create the PFX file
Michaels-MBP:vra.www.open902.com mike$ openssl pkcs12 -export -in rui.cer -inkey rui.key -certfile Root64.cer -name “vra.www.open902.com” -passout pass:SomePassword -out rui.pfx Michaels-MBP:vra.www.open902.com mike$
Now create the PEM file
Michaels-MBP:vra.www.open902.com mike$ openssl pkcs12 -in rui.pfx -inkey rui.key -out rui.pem -nodes Enter Import Password: MAC verified OK Michaels-MBP:vra.www.open902.com mike$
There are now two files required for vRA – and any other VMware product in fact, the Key Files and the actual certificate.
- rui.key (Key)
- rui.pem (Certificate)
Another pre-requisite we can get out of the way before running the vRA installation wizard is the installation of the Management Agent. This agent will be used to install the pre-requisites on the IaaS server(s) and install the required certificates.
So from your IaaS server, browse to your vRA appliance
http://vra.www.open902.com:5480/i
Enter the appliance details, accept the certificate and click Next
Enter your Service Account details. Make sure the account has local admin rights.
Now finally browse to your appliance VAMI interface
http://vra.www.open902.com:5480
and login using root and the password configured during the OVA upload
The wizard should start automatically
Accept the EULA
Here I am going for the Minimal Deployment
Here you can see that it requires the installation of the Agent – which we have done already.
Ensure you set a proper NTP server and that the IaaS server is in time sync with the appliance
Click Change Time Settings and ensure the settings are applied successfully
Click Run to run the pre-req checker
My Windows Server is as clean as a whistle – so the pre-requisites are certainly not met.
Click Fix (That is why the service account needs local admin rights)
This may take a while
Once the pre-reqs have been installed, run the checker again
Reason: Even though above shows all green , a re-run shows it isn’t quite right … yet
Here’s why
One increase / reboot later and Run again, it should all be green now
Assuming your reverse DNS works, the host name should resolve automatically
Set a secure password
Enter your IaaS Server details and enter a Security Passphrase. Click Validate
Assuming your service account has local admin rights, this should be a no-brainer
Enter your SQL details.
As the note says – ensure your service account is sysadmin rights. Click Validate
Again ensure the validation succeeds
Select the appropriate server for the DEMs, here I only got one. Click Validate
Ensure it all validates
Same for the agent, ensure it all validates. Either give the Endpoint a different name or leave it as default.
Note: Take note of the Endpoint name – this will be required later (CasEsENsiTivE)
Here enter the previously created certificate
- RSA Private Key
- File: rui.key
- Certificate Chain
- File: rui.pem
- Password
- Above Example: SomePassword
Click Save Imported Certificate
Ensure the certificate imports correctly
You can check the Serial via openSSH to ensure it is the correct certificate
Do the same for the Web Server
Now hit Validate. It should all be green
DO IT !
Hit Install. This can take a while
Installation should eventually finish
Enter a valid license key
Join .. or not .. the Customer Experience Improvement Program
I don’t want to create the Initial Content (creation of local admin / workflows etc.).
I will create a local admin later and configure vRA manually
Done
You should now be able to browse to vRA and see that there is a valid certificate installed
https://vra.www.open902.com/vcac