www.open902.com

My own Knowledge Base made public ..

vRealize Automation 7.2 – Installation

This is pretty much identical with the previous 7.x installs, but as I am rebuilding my vRA lab anyway – I may as well take some screenshots 🙂

The initial deployment is identical to any other OVA deployment. Using your Web Client, deploy the OVA.

Browse to the OVA

The ‘usual’ stuff

Accept the EULA

Select a location

Select a datastore

.. the network too

Enter a complex password and enable SSH if you wish. Set the hostname.

And of course the network details

Hit Finish if you are happy with the details (may as well power on when done)

And wait until the deployment has finished (here you can see I deploy vRB too)

Once the appliance has been deployed, make sure that name resolution is working – both forward and reverse

The next thing to do is run the installation wizard – but before I do – I will create the certificates to be used by vRA / vRB

Current browsers no longer accept SHA1-signed certificates and will likely throw all sorts of errors. I therefore created a Microsoft CA with SHA512 and a 2048-bit key length instead. That hopefully keeps the browsers quiet.

Here is the configuration file (vra.cfg) I created in order to generate the CSR

[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:vra, DNS:vra.www.open902.com, DNS:vrb, DNS:vrb.www.open902.com, DNS:iaas, DNS:iaas.www.open902.com

[ req_distinguished_name ]
countryName = GB
stateOrProvinceName = GB
localityName = Ely
0.organizationName = Open902
organizationalUnitName = vRealize Automation
commonName = vra.www.open902.com

On a PC / Server with OpenSSL installed, create the csr

Michaels-MBP:vra.www.open902.com mike$ openssl req -new -nodes -out rui.csr -keyout rui-orig.key -config vra.cfg 
Generating a 2048 bit RSA private key
.....+++
.................................+++
writing new private key to 'rui-orig.key'
-----
Michaels-MBP:vra.www.open902.com mike$ 

Next, write the newly created private key out as an unencrypted key file, rui.key

Michaels-MBP:vra.www.open902.com mike$ openssl rsa -in rui-orig.key -out rui.key
writing RSA key
Michaels-MBP:vra.www.open902.com mike$

Now browse to your certification authority

http://ca.www.open902.com/certsrv/certrqxt.asp

Paste the content of your csr (rui.csr) and select the VMware Template.

Click Submit

Tick Base 64 encoded and click Download certificate

Download the certificate certnew.cer and copy it as rui.cer onto a PC / Server with OpenSSL installed

Next, download the Root certificate.

Click Home

Click Download a CA certificate, certificate chain or CRL

Tick Base 64 and click Download CA certificate chain

Open the certificate certnew.p7b

The certmgr will open. Browse to Certificates, right-click the certificate and then All Tasks > Export …

Go through the wizard. Select Base-64-encoded X.509 (.CER)

Save it as Root64.cer

Now move the file to a server / pc with OpenSSL installed as well

You should now have the following files on your OpenSSL station

  • Root64.cer
  • rui-orig.key
  • rui.cer
  • rui.csr
  • rui.key
  • vra.cfg

Create the PFX file

Michaels-MBP:vra.www.open902.com mike$ openssl pkcs12 -export -in rui.cer -inkey rui.key -certfile Root64.cer -name "vra.www.open902.com" -passout pass:SomePassword -out rui.pfx
Michaels-MBP:vra.www.open902.com mike$ 

Now create the PEM file

Michaels-MBP:vra.www.open902.com mike$ openssl pkcs12 -in rui.pfx -inkey rui.key -out rui.pem -nodes
Enter Import Password:
MAC verified OK
Michaels-MBP:vra.www.open902.com mike$ 

vRA (and in fact any other VMware product) now needs two files: the key file and the actual certificate. Because rui.pem was exported with -nodes, it also contains the private key unencrypted, so protect it like rui.key.

  • rui.key (Key)
  • rui.pem (Certificate)

Another pre-requisite we can get out of the way before running the vRA installation wizard is the installation of the Management Agent. This agent will be used to install the pre-requisites on the IaaS server(s) and install the required certificates.

So from your IaaS server, browse to your vRA appliance

http://vra.www.open902.com:5480/i

Enter the appliance details, accept the certificate and click Next

Enter your Service Account details. Make sure the account has local admin rights.

Now finally browse to your appliance VAMI interface

http://vra.www.open902.com:5480

and log in as root with the password configured during the OVA deployment

The wizard should start automatically

Accept the EULA

Here I am going for the Minimal Deployment

Here you can see that it requires the installation of the Agent – which we have done already.

Ensure you set a proper NTP server and that the IaaS server is in time sync with the appliance

Click Change Time Settings and ensure the settings are applied successfully

Click Run to run the pre-req checker

My Windows Server is as clean as a whistle – so the pre-requisites are certainly not met.

Click Fix (That is why the service account needs local admin rights)

This may take a while

Once the pre-reqs have been installed, run the checker again

Reason: Even though the above shows all green, a re-run shows it isn’t quite right … yet

Here’s why

open920-0168

One increase / reboot later and Run again, it should all be green now

Assuming your reverse DNS works, the host name should resolve automatically

Set a secure password

Enter your IaaS Server details and enter a Security Passphrase. Click Validate

Assuming your service account has local admin rights, this should be a no-brainer

Enter your SQL details.

As the note says – ensure your service account has sysadmin rights. Click Validate

Again ensure the validation succeeds

Select the appropriate server for the DEMs, here I only have one. Click Validate

Ensure it all validates

Same for the agent, ensure it all validates. Either give the Endpoint a different name or leave it as default.

Note: Take note of the Endpoint name – this will be required later (CasEsENsiTivE)

Here enter the previously created certificate

  • RSA Private Key
    • File: rui.key
  • Certificate Chain
    • File: rui.pem
  • Password
    • Above Example: SomePassword

Click Save Imported Certificate

Ensure the certificate imports correctly

You can check the serial via OpenSSL to ensure it is the correct certificate
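
The serial check above, together with the other checks worth running on rui.key and rui.cer before they go into the wizard (key matches certificate, no SHA1 signature, expected SAN entries present), as an added example that is not part of the original post. The function names and the make_sample test pair are made up for illustration; only standard openssl subcommands are used.

```sh
#!/bin/sh
# Added example (not from the original post). Function names are illustrative;
# only standard openssl subcommands are used.

key_matches_cert() {   # $1 = private key, $2 = certificate
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]      # same public key on both sides
}

sig_alg() {            # prints e.g. sha512WithRSAEncryption
    openssl x509 -in "$1" -noout -text |
        awk -F': ' '/Signature Algorithm/ { print $2; exit }'
}

cert_serial() {        # hex serial, for the serial check described above
    openssl x509 -in "$1" -noout -serial | cut -d= -f2
}

cert_has_san() {       # $1 = certificate, $2 = DNS name expected in the SAN list
    openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' |
        tr ',' '\n' | tr -d ' ' | grep -qxF "DNS:$2"
}

precheck() {           # $1 = key, $2 = cert, remaining args = required DNS names
    key=$1; cert=$2; shift 2
    key_matches_cert "$key" "$cert" || { echo "FAIL: key/cert mismatch"; return 1; }
    case $(sig_alg "$cert") in
        *[sS][hH][aA]1*|*[mM][dD]5*) echo "FAIL: weak signature hash"; return 1 ;;
    esac
    for name in "$@"; do
        cert_has_san "$cert" "$name" || { echo "FAIL: SAN lacks $name"; return 1; }
    done
    echo "OK serial=$(cert_serial "$cert") sig=$(sig_alg "$cert")"
}

make_sample() {        # constructed throwaway self-signed pair in directory $1
    printf '%s\n' '[ req ]' 'prompt = no' 'distinguished_name = dn' \
        '[ dn ]' 'commonName = vra.example.test' \
        '[ v3_req ]' 'subjectAltName = DNS:vra, DNS:vra.example.test' > "$1/s.cfg"
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha512 -days 1 \
        -config "$1/s.cfg" -extensions v3_req \
        -keyout "$1/s.key" -out "$1/s.cer" 2>/dev/null
}

# With the files from this page:
#   precheck rui.key rui.cer vra vra.www.open902.com iaas.www.open902.com
```

The same cert_serial call on the certificate the appliance serves after installation should print the same value.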

Do the same for the Web Server

Now hit Validate. It should all be green

DO IT !

Hit Install. This can take a while

Installation should eventually finish

Enter a valid license key

Join .. or not .. the Customer Experience Improvement Program

I don’t want to create the Initial Content (creation of local admin / workflows etc.).

I will create a local admin later and configure vRA manually

Done

You should now be able to browse to vRA and see that there is a valid certificate installed

https://vra.www.open902.com/vcac
