vCAC 6.1 (vRA) Distributed Architecture Installation Guide Made easy –[Part –01]

I should start using the official new name now: it is vRealize Automation (vRA). This blog post is an attempt to make the distributed architecture of vRA 6.1 simpler to install and configure. Please note that this was tested in a lab. The recommendation is purely for lab testing before you try it out in production.

The slide below explains the high-level procedure you must follow for a successful installation of the distributed architecture.


I’m not including the vCenter SSO and PostgreSQL database installation and configuration procedures, as they have been very well documented.

References

  1. The PostgreSQL database in the distributed model is very well explained by Brian here
  2. vCenter SSO is explained in detail in this white paper here

My primary intentions in posting this blog are

  1. To help me remember and refer back to it in future
  2. Detailed documentation on this is missing, and what exists is scattered across many places. This is an attempt to collate all the information in one blog post

I must admit this blog has been inspired by this blog. I have used that post to configure vCNS-based load balancing. Please follow the entire post. Once you are done, come back here and ensure the firewall is opened as shown below.


And if you wish to load balance the configuration portal, which runs on port 5480, you have to make two changes. The first change is in the load balancer services, shown below


The second change is in the virtual pool


Before we proceed, let me explain the architecture I’m aiming to install and configure


Creating Certificates

There are several resources available for creating certificates. I must admit the certificate creation and implementation process is much simpler in vCAC than in the vSphere suite. Below I’m giving a high-level view, but it can be automated. Let’s create the certificates. Refer to the figure above for reference.

To repeat, I’m not configuring high availability for the Identity Appliance. Detailed documentation is available here

Certificate creation procedure for Identity Appliance

My Identity Appliance name is idapp.pzarelab.com.

Create a configuration file and save it as idapp.cfg. Below is the template for the same. This template is also explained in KB 2044696

    [ req ]
    default_bits = 2048
    default_keyfile = rui.key
    distinguished_name = req_distinguished_name
    encrypt_key = no
    prompt = no
    string_mask = nombstr
    req_extensions = v3_req

    [ v3_req ]
    basicConstraints = CA:FALSE
    keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
    extendedKeyUsage = serverAuth, clientAuth
    subjectAltName = DNS:idapp, IP:192.168.1.225, DNS:idapp.pzarelab.com

    [ req_distinguished_name ]
    countryName = IN
    stateOrProvinceName = MH
    localityName = Pune
    0.organizationName = NSCL
    organizationalUnitName = IDAPP
    commonName = idapp.pzarelab.com

The text marked in yellow is what you need to change: the IP address of your appliance and the FQDN of your Identity Appliance.

Download the SSL Certificate Automation Tool 5.5 from here. Extract the tool to your favorite directory. I have extracted it to the I: drive

1. I:\ssl-certificate-updater-tool-1308332\tools\openssl\openssl.exe req -new -nodes -out rui.csr -keyout rui-orig.key -config idapp.cfg

In the line above, your only input is idapp.cfg, the configuration file we created earlier

2. I:\ssl-certificate-updater-tool-1308332\tools\openssl\openssl.exe rsa -in rui-orig.key -out rui.key

Copy and paste these lines as they are into the command prompt

CA Administrator’s Tasks

Request the CA Administrator to create a template based on KB Article 2062108

Give the rui.csr file created in step 1 to the CA Administrator

Instruct the CA Administrator to create the certificate chain

  • Log on to the Microsoft CA Web Interface (http://ca-server/CertSrv) homepage of the certificate server and click “Download a CA certificate, certificate chain or CRL”.
  • Select the “Base64 encoded” option.
  • Click the “Download a CA Certificate Chain” link.
  • Save the certificate chain as cachain.p7b in your desired location.
  • Double click the cachain.p7b file and navigate to your location\cachain.p7b > Certificates
  • Right click the root certificate and select “All Actions > Export” and then click Next.
  • Select Base64-encoded X.509 (.CER) and click Next.
  • Save the export to your location/Root64.cer and click Next.

You will receive a file from the CA Administrator named rui.cer; rename it to rui.crt.

3. I:\ssl-certificate-updater-tool-1308332\tools\openssl\openssl.exe pkcs12 -export -in rui.crt -inkey rui.key -certfile Root64.cer -name rui -passout pass:Vmware1! -out rui.pfx

When you run the above command, the output will be the rui.pfx file

4. I:\ssl-certificate-updater-tool-1308332\tools\openssl\openssl.exe pkcs12 -nokeys -in rui.pfx -inkey rui.key -out rui.pem -nodes

When you run the above command, the output will be the rui.pem file

NB: Starting in vCAC/vRA 6.1 there is a small change in line 4. You must use “-nokeys” (highlighted in grey). If you do not, the distributed architecture will fail.

Similar steps must be followed for the remaining components

vCAC Appliance

Here is how the vCAC appliance tier would look. My load balancer will have a vcacapp.pzarelab.com entry and will redirect to vcacapp01 and/or vcacapp02


  1. vcacapp.pzarelab.com (VIP : 192.168.1.180)
  2. vcacapp01.pzarelab.com (IP : 192.168.1.181)
  3. vcacapp02.pzarelab.com (IP : 192.168.1.181)

Open Notepad, paste the following lines, change all the yellow fields as per your requirement and save as vcacapp.cfg.

    [ req ]
    default_bits = 2048
    default_keyfile = rui.key
    distinguished_name = req_distinguished_name
    encrypt_key = no
    prompt = no
    string_mask = nombstr
    req_extensions = v3_req

    [ v3_req ]
    basicConstraints = CA:FALSE
    keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
    extendedKeyUsage = serverAuth, clientAuth
    subjectAltName = DNS:vcacapp, IP:192.168.1.180, DNS:vcacapp.pzarelab.com, DNS:vcacapp01, IP:192.168.1.181, DNS:vcacapp01.pzarelab.com, DNS:vcacapp02, IP:192.168.1.182, DNS:vcacapp02.pzarelab.com

    [ req_distinguished_name ]
    countryName = IN
    stateOrProvinceName = MH
    localityName = Pune
    0.organizationName = NSCL
    organizationalUnitName = vcacapp
    commonName = vcacapp.pzarelab.com

NB: Please give special attention to subjectAltName, referred to as SAN or subject alternative name. The yellow highlighted text is the IP addresses and FQDNs of your vCAC appliances

In my case I have three subject alternative names, each with its IP address and short DNS name

  1. vcacapp.pzarelab.com
  2. vcacapp01.pzarelab.com
  3. vcacapp02.pzarelab.com
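As an added example (not from the original post or the batch files it links to), the following Python script renders this request configuration from a host inventory and checks that a finished cfg's subjectAltName lists the short name, IP and FQDN of the VIP and of every node, which catches a mistyped node IP before the CSR is submitted. It uses the lab host names and IPs above and serves the IaaS tier equally by swapping in that inventory and OU.

```python
import ipaddress
import re

# Inventory for the vCAC appliance tier, VIP first (lab values from the post).
VCAC_HOSTS = [
    ("vcacapp.pzarelab.com", "192.168.1.180"),
    ("vcacapp01.pzarelab.com", "192.168.1.181"),
    ("vcacapp02.pzarelab.com", "192.168.1.182"),
]

TEMPLATE = """[ req ]
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = {san}

[ req_distinguished_name ]
countryName = IN
stateOrProvinceName = MH
localityName = Pune
0.organizationName = NSCL
organizationalUnitName = {ou}
commonName = {cn}
"""

def san_entries(hosts):
    """Short name, IP and FQDN per host, in the order the post uses."""
    entries = []
    for fqdn, ip in hosts:
        ipaddress.ip_address(ip)  # reject a malformed address early
        entries += [f"DNS:{fqdn.split('.')[0]}", f"IP:{ip}", f"DNS:{fqdn}"]
    return entries

def build_cfg(hosts, ou):
    # The VIP FQDN (first inventory entry) becomes the commonName.
    return TEMPLATE.format(san=", ".join(san_entries(hosts)), ou=ou, cn=hosts[0][0])

def missing_sans(cfg_text, hosts):
    """Expected SAN entries that a (possibly hand-edited) cfg does not list."""
    m = re.search(r"^subjectAltName\s*=\s*(.+)$", cfg_text, re.M)
    present = {e.strip() for e in m.group(1).split(",")} if m else set()
    return [e for e in san_entries(hosts) if e not in present]
```

Write the returned text to vcacapp.cfg and run missing_sans over any cfg you edited by hand; an empty list means every VIP and node identity will be in the CSR.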

vCACIaaS + Model Manager + DEM-Orchestrator

My load balancer will have a vcacIaaS.pzarelab.com entry and will redirect to vcacIaaS01 and/or vcacIaaS02.

The vCAC IaaS component will be installed as shown below.


  1. vcaciaas.pzarelab.com (VIP : 192.168.1.190)
  2. vcaciaas01.pzarelab.com (IP : 192.168.1.191)
  3. vcaciaas02.pzarelab.com (IP : 192.168.1.191)

Open Notepad, paste the following lines, change all the yellow fields as per your requirement and save as iaas.cfg

    [ req ]
    default_bits = 2048
    default_keyfile = rui.key
    distinguished_name = req_distinguished_name
    encrypt_key = no
    prompt = no
    string_mask = nombstr
    req_extensions = v3_req

    [ v3_req ]
    basicConstraints = CA:FALSE
    keyUsage = digitalSignature, keyEncipherment, dataEncipherment, nonRepudiation
    extendedKeyUsage = serverAuth, clientAuth
    subjectAltName = DNS:vcaciaas, IP:192.168.1.190, DNS:vcaciaas.pzarelab.com, DNS:vcaciaas01, IP:192.168.1.191, DNS:vcaciaas01.pzarelab.com, DNS:vcaciaas02, IP:192.168.1.192, DNS:vcaciaas02.pzarelab.com

    [ req_distinguished_name ]
    countryName = IN
    stateOrProvinceName = MH
    localityName = Pune
    0.organizationName = NSCL
    organizationalUnitName = vcaciaas
    commonName = vcaciaas.pzarelab.com

The yellow highlighted text is the IP addresses and FQDNs of your IaaS components.

Automated Procedure

I have had to run this procedure several times, so I have automated it entirely. All you have to do is change the path to openssl.exe in the batch files to your location. In the batch files I’m assuming openssl.exe is available on the I: drive

Create three folders with the following names (the folder names are your choice)

  1. Identityapp
  2. vCAC
  3. IaaS


Create 4 batch files. These batch files contain the four commands numbered 1, 2, 3 and 4 above. They are named as below and can be seen in the screenshot below

  1. 01csrrequest.bat
  2. 02rsaformat.bat
  3. 03pfxfile.bat
  4. 04pemfile.bat

Create the cfg files for the Identity Appliance, vCAC Appliance and IaaS component

Guidance on creating the configuration files is given in KB Article 2044696 here, under the “Creating the OpenSSL configuration files manually” section

Copy the cfg file, Root64.cer and the 4 batch files into the respective folders


In the figure above I have highlighted the 4 batch files, followed by idapp.cfg and the Root64.cer file. The other files are created by running the 4 batch files

Figure: File structure for vCAC Appliance

Run the four batch files. Just keep the name of the configuration file as vcacapp.cfg. The Root64 file is copied there

Figure: File structure for IaaS and Model Manager Component

Run the four batch files. Just ensure the configuration file is named iaas.cfg. The Root64 file is copied there

Below is a high-level overview of creating the certificate files

Figure: Certificate creation request

Please find the link to download the batch files here

In the next part I will be focusing on

  1. Installing and configuring Identity Appliance
  2. Installing and configuring vCAC Appliance
  3. Installing and configuring IaaS Component

Happy Learning !!!

One thought on “vCAC 6.1 (vRA) Distributed Architecture Installation Guide Made easy –[Part –01]”

  1. Have you had any issues when trying to apply the rui.pem/rui.key to the identity appliance? It seems like no matter what I do, I get an error Unable to create SSL Key store.
