Virtualjad-Vcac 6 Poc Guide 6.0-1.1

vCloud Automation Center 6.
0
Proof of Concept and Detailed Implementation Guide
Version 6.0-1.1 (updated 06-21-14)
Jad El-Zein
Principal Engineer
jelzein@vmware.com
virtualjad.com |
@virtualjad
2014 VMware Inc. All rights reserved.
Introduction
This [unofficial] Proof of Concept and Detailed Installation guide is provided, with
no guarantees (or support), to help with the implementation of vCloud Automation
Center 6.0 in a pre-configured vSphere 5.x environment.
The guide walks through in plenty of detail vCAC 6.0s deployment, concepts,
technologies, and features as they would be used in a real-world implementation.
This document can also double as an unofficial hands-on training guide which
covers:
New Features in vCAC 6.0.x
Deployment Architecture
Implementation on VMware platforms (vSphere)
IaaS and XaaS Service Configuration
Usage and Navigation
Advanced Concepts | XaaS
Please provide any feedback to jelzein@vmware.com
vCloud Automation Center 6.0 POC Guide

v6.0-1.1 by Jad El-Zein
EZLAB Logical Architecture

vCAC 6.0 Install & Config Workflow
Define Fabric
Group
Prerequisites
Review
1.
10.
11.
Add vSphere
Endpoint
Deploy vCAC
ID VA (SSO)
2.
9.
12.
Create initial
Tenant
Deploy
vCAC VA
3.
8.
Configure IaaS
Prereqs
4.
Define
Business
Group
Create
Reservation
Policy
Create Network
Profile
13.
Admin Portal
Config
7.
14.
XaaS Sample
Use Case
vCO
Configuration
20.
Governance &
Approvals
XaaS
Entitlements
19.
IaaS
Entitlements
END!
18.
Create
Resource
Reservation
Manage
Catalog Items
17.
Deploy / Config
IaaS Config
Run IaaS
Prereq Checker
5.
Create IaaS
Blueprints
Install vCAC
IaaS Services
6.

15.
Add Catalog
Services
XaaS Config
16.
Prerequisites Review
Before You Begin | Provisioning Requirements

IaaS & XaaS Provisioning Requirements

For vSphere Provisioning:
Fully configure vCenter + vSphere
environment per best practices

At least 1 vSphere HA+DRS Cluster
At least 1 Datastore
At least 1 Virtual Switch (standard or dvs
acceptable)
For XaaS Service Provisioning:

vCenter Orchestrator 5.5 (the vCAC VA
ships with vCO embedded, but you can

optionally use an external instance)
Appropriate vCO Plugins, configured
An Imagination and/or real use case
examples (well take a look at a DaaS use

case)
vMotion properly configured

Roles & Permissions appropriately set (in
vSphere 5.5, use LDAP vs. SSO)

Ensure at least 1 template is available for
blue print creation

Optional: Create a Resource Pool for vCAC
machine placement (no reservations or

limits)
Optional: VM with a snapshot for Linked
Clone blueprints

Deploying vCAC 6 Virtual Appliances

vCAC Identity VA (SSO), vCAC Core VA

Deploying vCAC Identity VA

Deploy OVF Template
Deploying vCAC ID OVF

Ensure you have downloaded the
appropriate vCAC 6.0.x Virtual
Appliances (OVAs) from vmware.com
and make them accessible ahead of the
install.
vCAC ID VA (SSO) - VMware-IdentityAppliance-2.0.1.0-1545089_OVF10.ova
vCAC VA - VMware-vCACAppliance-6.0.1.0-1569764_OVF10.ova
The IaaS installer (.exe) is embedded in
the appliance and does not require a
separate download.
Log into the vSphere Web Client
Right-click on the appropriate cluster
and select Deploy OFV Template
from the menu


Select OVA Source
Select Local file button

Click on Browse and locate the
previously downloaded OVA file:
VMware-IdentityAppliance-2.0.1.0-1545089_OVF10.o
va
Click Next to continue


Review OVA Details
Verify you are deploying the

appropriate OVA.

10

Accept EULA
Read (scan) VMwares EULA


11

Select name and folder
Enter a VM name (this is the name

that shows up in vCenter Inventory)
Select an appropriate VM folder or
available datacenter

12

Select storage
Select an optional VM Storage Policy

(if available)
Select an available Datastore (using
vsanDatastore in this example)

13

Setup networks
Map the VAs source network to an

available Destination network. You
can select any available standard or
distributed port group, just as long
as it is accessible by vCenter and
the Hosts.
Keep IPv4 Selected for IP protocol

14

Customize template
Enter details for all required fields:
Enter/Confirm root password
Hostname (*FQDN REQUIRED*)
Default Gateway
DNS (comma separated)
Network IP Address / Subnet
Note: Be sure a DNS record exists

before continuing. Also make sure you
use the FQDN hostname.

15

Review settings
Review all your inputs and make any

necessary changes by clicking the
Back button
Click Finish to deploy.
The ID VA will deploy in a matter of

minutes. Give it an opportunity to boot
and start its services prior to moving to
the next step

16

Log into SSOs Virtual Appliance Management Interface (VAMI)
Once deployed, log into the Virtual

Appliance Management Interface
(VAMI) to configure SSO services
Go to https://<IDVA_FQDN>:5480
Username: root
Password: <configured pw>
Click Login

17

VAMI: Configure System Settings
Go to the System tab

In the Time Zone section, select your
appropriate time zone from the dropdown
Click Save Settings

18

VAMI: SSO configuration
The ID VA is preconfigured with a default

System Domain vsphere.local and a
default admin account
administrator@vsphere.local. This
account will be used for initial
configuration.
Navigate to the SSO tab

In the SSO subsection, enter a
password for the System Domain
admin account
Click Apply

Validate SSO is initialized (it can take

a couple of minutes for the service to
initialize)
19

VAMI: SSO Host Settings
Navigate to the Host Settings

section of the SSO tab
The SSO Host Settings should be
pre-populated with the VAs FQDN
address
Append :7444 to the end of the
FQDN
Cick Apply
Note: be sure the FQDN is displayed

here. If not, you can adjust the
hostname in the Network tab.

20

VAMI: SSO SSL Settings
Navigate to the SSL section of the

SSO tab
The ID VA ships with a self-signed
SSL certificate you can change or
replace the certificate here. For the
sake of this setup, keep the existing
certificate

21

VAMI: Active Directory Configuration
To configure native Active Directory

connection, enter the appropriate
settings:
Domain Name: <domain fqdn>
Domain User: <domain acct>
Password: <pw>
Click Join AD Domain

Note: this step is optional and is

intended to create a native Active
Directory connection from the SSO
engine. A native AD connection provides
increased performance and scale and
only applies to the default System
Domain (vsphere.local).
22
Deploying vCAC Core VA

Select OVA source
Select Local file button

Click on Browse and locate the
previously downloaded OVA file:
VMware-vCACAppliance-6.0.1.0-1569764_OVF10.o
va

23

Verify OVA details
Verify you are deploying the

appropriate OVA.

24

Accept EULAs
Read (scan) VMwares EULA


25

Select name and folder
Enter a VM name (this is the name

that shows up in vCenter Inventory)
Select an appropriate VM folder or
available datacenter

26

Select storage
Select an optional VM Storage Policy

(if available)
Select an available Datastore (using
VSAN in this example)

27

Setup networks
Map the VAs source network to an

available Destination network. You
can select any available standard or
distributed port group
Keep IPv4 Selected for IP protocol

28

Customize OVA
Enter details for all required fields:
Enter/Confirm root password
Hostname (*FQDN REQUIRED*)
Default Gateway
DNS (comma separated)
Network IP Address / Subnet
Note: Be sure a DNS record exists

before continuing. Also make sure you
use the FQDN hostname.

29

Ready to complete
Review all your inputs and make any

necessary changes by clicking the
Back button
Click Finish to deploy
The vCAC VA will deploy in a matter of

minutes. Give it an opportunity to boot
and start its services prior to moving to
the next step

30

Log into vCACs Virtual Appliance Management Interface (VAMI)
Once deployed, log into the Virtual

Appliance Management Interface
(VAMI) to configure vCACs services
Go to https://<IDVA_FQDN>:5480
Username: root
Password: <configured pw>
Click Login

31

VAMI: System Settings
Go to the System tab

In the Time Zone section, select your
appropriate time zone from the dropdown
Click Save Settings

32

VAMI: vCAC Host Settings
Navigate to the Host Settings

section under the vCAC Settings
tab
Click Resolve Host Name to initiate
a DNS query and automatically fill in
the hostname (this step validates an
FQDN exists if anything other than
a the FQDN is return, double-check
your DNS settings. The hostname
can manually adjusted from the
Network tab)
Click Save Settings

33

VAMI: SSL Certificate
Navigate to the SSL section under

the vCAC Settings tab (Note: unlike
the SSO appliance, the vCAC
Appliance does not come with a selfsigned certificate this step
configured one)
From the Choose Action drop-down,

select Generate Self-Signed
Certificate
Enter the appropriate details:
Common Name
Organization
Organizational Unit
Country Code
Click Replace Certificate

34

VAMI: SSO Settings
Now we will plug the vCAC VA into the

SSO service previously configured in the
vCAC Identity Appliance.
Enter the ID VAs FQDN and Port as
shown <ID_FQDN>:7444 (do not
use https)
The SSO Default Tenant is auto-filled

with the default System Domain
vsphere.local
Enter the SSO Admin User
administrator
Enter the Admin Password

<configured pw> (this password is
created during SSO initialization
see slide 20)
Click Save Settings (be patient
this may take up to 10 minutes)
Note: for the sake of this guide, I have

chosen to use the stand-alone Identity
Server for SSO services. Since the
release of vCenter 5.5b, you can
optionally use that SSO service instead.
In that case, you would plug in the
FQDN of that service here instead.
35

VAMI: Licensing
Navigate to the Licensing section

under the vCAC Settings tab
Enter a valid vCAC or vCloud Suite
license key
Click Submit Key. Keep this key
handy -- you will use it again in a
later step during IaaS configuration.
Log out of the VAMI once the License
is validated
At this point you have completed ID/

SSO and vCAC appliance
configurations. The next sections dive
into the prerequisites and installation
configuration of the vCAC IaaS services,
which are installed on a dedicated
Windows 2008 R2 or 2012 VM.

36
Installing vCAC IaaS Services

IaaS Prerequisites | IaaS Service Install

37
Before You Begin

vCACs IaaS engine is a .NET-based application and requires to be installed on a dedicated Windows
machine (2008 R2 or 2012). The following steps walk you configuration of prerequisites and service
dependencies and are executed locally on the IaaS server (via RDP, console session, etc).
Be sure to start with a clean Windows Server 2008 R2 image (vCAC 6.0 supports Windows 2012, but I
use Windows 2008 R2 in this guide)

2 vCPU
4-8GB vRAM
30GB Disk
Use a dedicated Active Directory service account with local admin privileges during setup and install of
all components I use LAB\vcacsrvc for IaaS Setup.
Run Windows Update and ensure the host VM is up to date with all recommended patches
Disable Windows Firewall on all vCAC VMs
Microsoft .NET Framework 4.5. Note that .NET 4.5.1 is NOT supported on Windows 2008 R2 or 2012
implementations -- use the installer that is packaged with the vCAC VA.
Ensure all other prerequisites have been implemented
Have the vCAC 6.0 Installation and Operations guides handy for reference

38
IaaS Installation Prerequisites
Internet Information Services (IIS) modules:
Windows Authentication
Static Content
Default Document
ASPNET
ISAPI Extensions
ISAPI Filter
vCAC IaaS Services Requirements:

Microsoft Distributed Transaction Coordinator
Service (MS DTC) enabled
Ensure there are no firewalls between vCAC

Server and Database Server or web server
IIS Authentication:
Windows Authentication enabled
Anonymous Authentication disabled
Negotiate Provider enabled
NTLM Provider enabled
Windows Authentication Kernel Mode enabled
Windows Authentication Extended Protection disabled
IIS Windows Process Activation Service roles:
Configuration API
Net Environment
Process Model
WCF Activation
HTTP Activation
Non-HTTP Activation

Enable and Start the Secondary Logon Service

on the vCAC server
Microsoft .NET Framework 4.5

Secondary Log On Service enabled (set to
manual or automatic start)
Ensure there are no firewalls between vCAC

Server and Database Server or web server
Database Requirements:
MS SQL Server 2008 (or higher) or MS SQL
Express 2010 (or higher)
Ensure the vCAC Service account has dbo

and sysadmin rights to the SQL Server
Instance
NOTE: it is recommended to be logged in
using the service account during the install
39
Install Prerequisite Services IIS

Install Web Server (IIS) Server Role
From Server Manager, select Roles
Select Add Roles
In the Select Server Roles diaglog,
select Web Server (IIS)
Click Next

Install Prerequisite Services IIS (cont.)

Install Web Server (IIS) Server Role (cont.)
Click Next to select Role Services
In Role Services dialog, select all the roles displayed
below
Click Install

Add Service Features

Install Windows Process Activation Services
& .NET Framework Features
Open Server Manager
Select Features from the menu pane
Select Add Features on the right
Ensure the features below are selected
Click Next
Click Install

Configure IIS Authentication Services

Enable IIS Server Windows Authentication
Under Web Server (IIS) role click on internet
Information Services (IIS) Manager
Expand [server name]
Expand Sites folder
Click on the Default website (or where
vCAC will be installed)
Under IIS section, double-click on

Authentication
Right-click on Windows Authentication
and select Enable

Configure IIS Authentication Services (cont.)
Disable IIS Server Anonymous

Authentication
Expand Sites folder
Click on the Default website (or where
vCAC will be installed)
Under IIS section, double-click on

Authentication
Right-click on Anonymous Authentication
and select Disable

Configure IIS Authentication Services (cont.)

Disable IIS Server Windows Authentication
Extended Protection & Enable Kernel-mode
Expand Sites folder
Click on the Default website (or where vCAC will
be installed)
Select Windows Authentication then click on
Advanced Settings on the right
Ensure that Extended Protection is set to Off
Ensure Enable Kernel-mode authentication is
checked
Click OK to exit
NOTE: even if these settings are already configured

(by default), you may need to toggle them and reset
IIS to make sure services register

Configure IIS Registering .NET

Register .NET 4.5 with IIS
Once youve completed all the configurations, you may
need to register .NET 4.5 with the IIS service to ensure
vCACs web services are using the appropriate version
From the Start menu, right-click Command
Prompt and select Run as administrator
Navigate to C:\Windows\Microsoft.Net
\Framework64\v4.0.30319
Type aspnet_regiis -i, hit enter
Reset IIS
From the Start menu, right-click
Command Prompt and select Run as
administrator
Type iisreset, hit enter
(you can also restart IIS Admin service from
the Services admin)

Configure MS DTC
Configure MS Distributed Transaction
Coordinator (DTC) to allow DTC
communications to/from your DB server
Open Component Services from
Administrative Tools
Expand Component Services ->
Computers -> My Computer ->
Distributed Transaction
Right-click Local DTC and select
Properties
In the Security tab, make sure the
following are checked:
Network DTC Access
Allow Remote Clients
Allow Remote Administration
Allow Inbound
Allow Outbound
Mutual Authentication Required
Click OK
NOTE: make sure your DB server is also
set to allow these communications. And
make sure there are no firewall policies
blocking any needed network traffic

Configure Local Security Policies

Configure Local Security Policies for
vCACs Service Account

Open Local Security Policy from the
Administrative Tools
Expand Local Policies
Select the User Rights Assignment
sub folder
In the right hand pane, double-click
Log on as a batch job

Click Add User or Group button and
add the vCAC service account to the

list
Click OK
Repeat these steps for the Log on as a
service policy
Once complete, reboot the VM


Download the IaaS Installer
Log into the vCAC IaaS Server

(RDP / VMRC) using the vCAC
Service Account (be sure the service
account has local admin privileges)
Launch your web browser of choice
and connect to the vCAC VAs file
download page:
https://<vCAC_FQDN>:5480/Installer
Click the download link for setup.exe

under IaaS Installation
Save the installer to the desktop (or
any local path)
Once saved, you can close or
minimize the browser window
(notice the download link automatically
appends a string to the .exe that is used
for initial configuration by the installation
wizardspecifically, vCACs FQDN and
VAMI port)

49

Launch the IaaS installer
Locate the saved setup.exe file on

your desktop (or wherever you saved
it)
Right-click and select Run as

administrator

Click Next after carefully reading

the Welcome message
50

End-User License Agreement
Read and accept the VMware EULA


51

Log into vCAC VAMI
Enter the Username and Password of

the vCAC VAMI (this is the same PW
used to log into vCAC VA
management):
User name: root
Password: <root_pw>

52

Installation Type
Select Complete Install to install

and configure all vCAC IaaS
components on this machine
Note: the same installer is used to install

vCACs individual IaaS components for
distributed installs, reinstallation, etc.
Use Custom Install option to install
individual IaaS components:
Manager Service
Model Manager Web Service
Model Manager Data
IaaS Admin Portal
DEM Orchestrator
DEM Worker
vSphere Endpoint Agent
Web API

53

Verify Prerequisites
The Prerequisites checker runs through

the system configuration to verify all
prereqs have been completed.
Verify all the Prereqs display a green
arrow. Not that the MSSQLSERVER
check will fail if SQL or SQL Express
are not installed on the local
machine. You can safely ignore this
by clicking the Bypass button while
the warning is highlighted.
If any of the prerequisites fail to be
verified, review the prereqs section to
ensure all pre-installation tasks have
been completed. Not having prereqs
installed in the most common cause
of a failed installation.

54

Server and Account Settings
Enter all the appropriate information

in the fields:
Username: <vcac service acct>

(entered as DOMAIN\UN)
PW: <pw>
Passphrase: <any_text>
SQL DB Info
Server: <sql fqdn>
DB name: <new db name>
Select Use Windows auth
Note: vCACs installer automatically

creates the DB instance in SQL do not
pre-create it unless youre planning on
manually using the DB script for
installation (hint: let the installer do it)
Using Windows Authentication assumes
youre logged in with a domain account
(preferably a dedicated service
account), which as dbo and sys_admin
rights to the SQL Server. If not, youll
need to enter the appropriate credentials
here. SQL permissions can be adjusted
after the install.
55

DEM Configuration
vCAC installs Distributed Execution

Managers (DEMs) to execute IaaS
workflows and tasks. Two DEMs are
installed by default: the DEM Worker
and DEM Orchestrator. The Worker role
is responsible for executing IaaS
workflows and the Orchestrator role is
responsible for monitoring DEM Worker
instances, pre-processing workflows for
execution, and scheduling workflows.
The setup wizard automatically
configures and installed the DEMs
on the local machine accept the
default names:
The Endpoint name MUST match the endpoint configured in

vCAC IaaS. I prefer to use the vCenter shortname here.
Worker: DEM
Orchestrator: DEO
Agents are the integration points for the

supported Endpoints, in this case its
vSphere (vCenter):
Ensure Install and configure
vSphere agent is checked
vSphere Agent Details:
Agent name: vSphereAgent
Endpoint name: <vcenter_name>

56

IaaS Component Registry
Component Registry:
Server: <vcacva_fqdn>
SSO Default Tenant: vsphere.local

(clicking Load will auto fill this)
Certificate: click on Download to

download the self-signed certificate
from vCAC
Click Accept Certificate
SSO Admin Credentials:
UN: administrator@vsphere.local
PW: <admin pw> (created during

SSO initialization see slide 20)
IaaS
IaaS Server: <local server FQDN>
Click Test where applicable to

validate the configuration

57

Ready to Install
Review the installation tasks

Click Install when ready

58

Installing
Sit back as the installer deploys and

configures each IaaS component.
Be patient, this can take up to 10
minutes to complete

59

Installation complete
Done!
Uncheck Guide me well step
through all the configuration steps in
the next section.
Click Finish to exit the installer
You can log out from the IaaS server
At this point the vCAC installation is

complete. You should allow an additional
5-10 minutes for all the IaaS services to
register to the vCAC VA.
Take a quick break then move on to the
next section, IaaS Configuration

60
Admin Portal Config

Global Settings | Creating Initial Tenant

61
Administration Portal
Logging in for the first time
After giving IaaS components ample

time to register with vCAC, log into to
the admin portal to complete admin
configuration tasks, including
Add / Update Tenants
Add / Modify Roles & Permissions
Branding
SMTP Preferences
vCO Integration
Open your browser of choice (Firefox

preferred) and enter vCACs Admin
Portal URL:
https://<vcacva_fqdn>/shell-ui-app
Log in to vCAC using the Default

(system) Domain UN and PW. The
default domain is vsphere.local
UN: administrator@vsphere.local
PW: <admin_pw>
Click Login
https://<vcacva_fqdn>/shell-ui-app

62
Creating Initial Tenant

Administration Portal Add Tenant
A Tenant is created to provide access to

vCACs services to a specific group of
users/consumers. Each tenant may
have unique authentication sources,
policies, and services. Create a new
tenant vs using vsphere.local.
Navigate to Tenants in the
Administration tab.
Click
+ to add a new Tenant (you
should only see the system tenant,

vsphere.local, at this point)
Enter a Name and Description for the
new tenant
Enter a URL Name. The URL name is
the alias that will be appended to
vCACs URL when tenant users log
in. Choose something short yet
descriptive of the tenant. In this
example I selected ops for the
Cloud Operations tenant. Once
created, users will log in to https://
<FQDN>/shell-ui-app/org/ops to
access their tenant portal.
Enter a Tenant Contact email
address
Click Submit and Next to continue

63

Identity Stores
In the Identity Storage tab, click +
to add a new authentication source
Enter the required information:
Name: name of the auth source
Type: Active Directory (or LDAP)
URL: ldap://<ad_fqdn>:389
Domain: Domain DN
Domain alias: enter an alias that

users can use to log in to vCAC in
additional to the domain DN. In this
example, a user can log in using
username@lab.elzein.com or
username@elzein.com. The alias
cannot be the same as the Tenant
URL used in the previous screen.
Login user DN: enter the full DN for

the vCAC service account (this can
be copied directly from AD)
Password: service account PW
Group base DN: enter your domains

root DN
User base DN: enter your domains

root DN
Click Test Connection to validate

the config
Click Add to continue
64

Administrators
Select Tenant and Infrastructure
Administrator roles by typing/
searching for AD users and groups in
each column.
Tenant Administrators are

responsible for overall
administration of a named Tenants
users, groups, and policies
Infrastructure Administrators are

responsible for managing IaaS
resources and policies from the
Tenants Infrastructure tab
Click Add to complete the tenant

configuration

65

Administration Portal Creating a Tenant
Verify the new Tenant has been

added to the Tenants list
Repeat the previous steps to add
additional tenants
Once Tenant configuration is complete,

you are ready to move on to configuring
other global settings, such as Branding
and SMTP preferences (up next)

66
Branding - Header
Branding
Branding allows Administrators change
the look/feel of the vCAC portal,
including adding custom header
graphics, changing visible text, and
customizing colors.
Navigate to the Branding section of
the Administration tab
To customize these settings, uncheck
the Use default option
In the Header tab, select Browse
in the Header Logo: field to select a
custom logo file. (NOTE: the logo file
should be no larger than 800 x 52px
and in .PNG format. Use a
transparent background for best
appearance)
Change remaining fields to reflect
your desired look
Company Name
Product name
Background color
Text color
Click Next to go to Footer tab

67
Branding - Footer
Fill in the Footer fields to reflect your

desired settings:
Copyright notice
Privacy policy link
Contact link
Click Update to save Branding

settings

68
Email Servers Outbound SMTP
Email Servers
vCAC uses SMTP servers to external
communications such as Alerting,
Approvals, Provisioning Status, etc.
SMTP servers can be global or perTenant. Here we will create an
outbound SMTP server to be used by
all Tenants
Navigate to the Email Servers
section under the Administration tab
Click + next to Email Servers title to
add a new server
In to Add Email Server pop-up
window, select Email Outbound,
then click OK

69
Email Servers Outbound SMTP
Configure all the appropriate settings

for your SMTP server:
Name
Description
Server Name (address)
Encryption
Server Port
Authentication
Auth User Name
Auth Password
Sender Address
If your server requires SSL or TLS,

be sure to select Accept Self Signed
Certificates to avoid communications
issues
Test Connection to validate
Click Add to save SMTP settings

70
IaaS Endpoints
Business Groups
Fabric Groups
Network Policies
Resource Reservations
IaaS Configuration
Tenant IaaS Services
Reservations Policies
Blueprints
Catalog Services
Entitlements

71
Tenant IaaS Configuration

Tenant Portal
Tenant Portal
Log in to the new Tenants unique
URL. The URL is created using the
URL name when creating the
Tenant. In this example, the URL
name used was ops, so the URL to
the Tenant is: https://<FQDN>/shellui-app/org/ops
Log in to the Tenant Portal using an
account that was granted the Tenant
Administrator and Infrastructure
Administrator roles during setup.
UN: username@example.com
PW: <account_pw>
Click Login

72

Home
Home Tab
At first login, users are taken to the
Home section, which displays
information unique the user. The Home
screen can be customized by adding
Portlets. vCAC ships with several admin
and user portlets that can provide useful
information.
By default only the My Inbox portlet is
displayed click on the edit icon circled
in red to add additional portlets

73

Administration User Roles
Navigate to the Administration tab

and click on Users
vCAC provides several predefined
admin roles that entitle users to various
roles within a Tenant. During Tenant
config, we gave the current user,
jelzein, the Tenant Administrator and
Infrastructure Administrator roles. Now
Id like to add the remaining roles. The
roles available in a basic deployment
are:
Approval Administrator
IaaS Administrator
Service Architect
Tenant Administrator
Search for the user whos role you

want to edit by entering the name or
alias into the search field.
Click on the desired account to edit
Add all the additional roles available
on the right, noting the grated
permissions with each role
Click Update
NOTE: This can also be done for AD or
LDAP Groups in the Groups section
74

Licensing
IaaS Licensing
Navigate to the Infrastructure tab
then select Administration
Click on Licensing
Click + to add a new vCAC license
In the Add Licenses window, enter a
valid vCAC or vCloud Suite license.
Various IaaS functions are exposed
based on the license used. In this
example, Im enter a vCloud Suite
Enterprise license
Click OK to apply

75
Adding a vSphere Endpoint

Endpoints
Endpoints
Endpoints are managed resources,
clouds, physical infrastructure, etc. that
are defined in vCAC to provide a
destination for machine deployments.
Any supported platform that will be used
to deploy machines must be added as
an Endpoint. In this example, we will be
configuring vSphere (vCenter) endpoint.
vCenter Orchestrator is also a supported
endpoint. vCO adds a significant amount
extensibility and automation to a vCAC
environment through external actions
independent of the Advanced Service
Designer.
In this step we will create a single
vSphere (vCenter) Endpoint.
Select + New Endpoint -> Virtual ->
and click on vSphere (vCenter)
Note: notice that only vCloud and

vSphere Endpoints are visible. This is
due to the vCloud Suite license that was
entered in the previous step. vCACs
standalone licenses will enable all
supported endpoints.
76

Endpoint Configuration
Endpoint Details
Name: Enter the endpoint name
(NOTE: this name MUST be the
same as the endpoint name entered
in during IaaS installation)
Description: Enter a description that
makes sense
Address: Enter the full vCenter URL
in the Address: field. Example:
https://<vcenter_FQDN>/sdk
Credentials: Use the pop-out menu to
select existing or create vSphere
Credentials that will be used to
access this Endpoint. It is a best
practice to use a dedicate service
account for this. Details for creating
Credentials are on the next page
Note: the Endpoint Name MUST match

the name that was entered during IaaS
Service Installation (see page 57 for
details). The default name is vCenter
I prefer using the vCenters shortname,
ezlab-vc01 in this example.

77

Endpoint Credentials
Configure Endpoint Credentials

Enter a name and description that
identifies the credential (ex: the
endpoint or account name).
In the Username field, enter the
account name that will be used to
access vCenter (typically a vCenter
service account). Make sure this
account has appropriate access to
vCenter and its inventory. Enter this
account in username@domain
format.
In this example, a dedicated vCenter
service account,
vcsrvc@lab.elzein.com, is specified
for access to the vCenter endpoint
managing the vSphere hosts.
Enter and verify the service account
password
Click the green check when
complete
Click OK to submit

78
Defining a Fabric Group

Fabric Groups
Define a Fabric Group

Fabric Groups are created to manage a
set of compute resources that are
collected from an Endpoint inventory.
Fabric Administrators (a set of users or
groups) are then assigned to manage
those resources.
Navigate to Infrastructure tab ->
Groups -> Fabric Groups
Click + to create a new Fabric
Group from the menu
Provide a Name and detailed
Description for the group
Add the appropriate Users and/or
Groups in Fabric Administrators
section in DN format
Select a set of resources that will be
managed by this group (here you see
available vSphere Clusters collected
during Endpoint discovery).
Note: If no compute resources are available for selection, you either have an Endpoint configuration issue or
you need to wait a bit for inventory to complete. Check the Log Viewer (Infrastructure tab -> Administration ->
Monitoring) for any obvious errors

Click OK
79
Defining a Business Group

Business Groups
Define a Business Group

Business Groups are the consumers of
IaaS resources. Business Groups
typically represents a business unit or
function, or any other organizational
container. Users must belong to a
Business Groups User role before
they can be entitled to IaaS services.
Groups -> Business Groups
Click + to create a new Business
Group
Group managers and Support Users can
request and manage machines on behalf
of machine owner. Group managers can
also be required to approve all
provisioning requests from this group.
Users in the User role are the actual

members of this group and will be granted
access to the User Portal and available
for Entitlements.
Provide a Name and Description

Enter one or more users for the
Group Manager role (see definitions)
Attach an existing machine prefix or
create a new one (details on the next
page)
Enter the OU string for new computer
objects (see note)
Note: the Active Directory container field does not apply to blueprints for cloning or external cloud provisioning.
While it is required to put something there, you can type any string in that field to satisfy the form validation.
Enter one or more Users or Groups

in the User role
Click OK

80

Machine Prefixes
Create Machine Prefixes

Machine prefixes are used to
automatically generate names for
provisioned machines by a particular
Business Group. The prefix created
should help identify the machine.
You will define the prefixes here and use
them in the Provisioning Group
configuration later.
While configuring a Business Group,
select Default Machine Prefix field
Click + to create a New Machine
Prefix
Enter the desired prefix
Enter the number of digits that will be
automatically appended to the prefix
Enter the Next (starting) number
Click the green check to accept the
new prefix
Note: vCACs default naming conventions are fairly basic, but functional. There are several external resources
available for greater customization of hostnames. The custom property Hostname can also be used to allow
users to manually enter a machine name.

Click OK to continue (this prefix will

be entered in the Business Groups
default prefix field)
81

Business Groups
Verify and repeat the previous steps for

all desired Business Groups. Once
youre done, you must refresh your
browser or log out / in so new group
roles can take effect. In my example,
the currently logged in user, jelzein,
was granted the Fabric Group
Administrator and Business Group
Manager roles, enabling this account to
manage resources and groups for this
tenants users. Roles can get very
granular with greater separation of
permissions. For a POC environment its
much easier to effectively create a
superuser with all the roles.
After refreshing the browser, you will see
additional options in the left
management pane, specifically:
Reservations
Compute Resources
Blueprints
If you dont see these options, be sure

you have granted the appropriate roles
to the logged-in user.
YOU MUST REFRESH YOUR BROWSER FOR NEW ROLES TO TAKE EFFECT

Next, we will configure Reservations
82
Creating a vSphere Reservation Policy

Reservation Policies
Create a Reservation Policy (optional)

Reservation policies are created and
attached to Reservations and Blueprints
(later) to restrict the provisioning of
machines to a specific set of rules.
Example: setting a vSphere Reservation
Policy so that a particular machine
blueprint can only be provisioned into a
vSphere cluster.
Reservation Policies can also be
created for storage resources to define
tiers, locations, etc.
Reservations -> Reservation
Policies
Click + to create a New
Reservation Policy or Storage
Reservation Policy
Enter a Name and Description for
each Reservation Policy desired. The
description should clearly articulate
the purpose of each policy
Click the green check mark after
each policy is defined

83
Creating a Network Profile

Network Profiles
Create a Network Profile

Network Profiles are defined when the
use of static IP assignment is preferred
over simply using DHCP (default). Its
not quite IPAM, but gives you some
granularity for vSphere deployments.
Once configured, Network Profiles are
bound to the Network Path(s) of a
vSphere Resource Reservation. Greater
network functionality is possible when
incorporating NSX to the mix, including
support for dynamically-provisioned
NAT, Private, and Routed networks. In
this case, well simply create an External
network profile, which does not require
NSX or vCNS integration.
Reservations -> Network Profiles
Click the + to create a New
Network Profile
Select External from the network
drop-down list

84

New Network Profile
In the Network Profile Information

tab, complete all the required fields.
These settings will be applied to
vSphere machines that are deployed
to the corresponding network:
Name* enter a name that clearly

identifies this profile, such as a
scope ID
Description enter a detailed

description for the profile
Subnet Mask*
Gateway
Primary DNS
Secondary DNS
DNS suffix
DNS search suffix
Preferred WINS
Alternate WINS
(* required fields)
When done, click on the IP Ranges
tab

85

New Network Profile - IP Ranges
Add an IP Range
Once a Network Profile is created, you
can add a static IP range to the profile to
allocate a specific set of IPs when
provisioning machines bound to the
corresponding network.
From the IP Ranges tab, click + to
create a New IP Range
Enter the required information:
Name*
Description
Starting IP address*
Ending IP address*
(* required field)
Click OK to apply

86

Review IP Range
Once the IP Range is applied, a list of

available IP address will be displayed.
You can create several IP Ranges in a
single Network Profile.
As machines bound to this Network
Profile are provisioned, they will show
up in the list next to the allocated IP
address. This will help in identifying IP
address allocation as the environment
scales.
Note: In previous versions of vCAC, admins had to manually enable Static IP Services prior to configuring
Network Profiles. This is now a default capability.

87
Creating a Resource Reservation

Reservations
Create a vSphere Reservation

Reservations are a defined set of
resource allocations provided by the
endpoints to which machines will be
provisioned. vCACs Reservations are
similar to the Virtual DataCenter (or
VDC) concept. Reservations are created
for each Cloud, Physical, and Virtual
resource. A single vSphere (Virtual)
Endpoint was previously configured
next we will create a Reservation to
allocate some or all of that Endpoints
resources.
The previously configured Reservation
Policies and Network Profiles will be
utilized in this Reservation.
Reservations
Click + New Reservation then
select Virtual -> vSphere (vCenter)
to create a New Reservation
Note: Use Virtual to configure vSphere reservations as well as any other hypervisor-based reservation
(Hyper-V, KVM, XEN, etc). The Cloud selection is used for Amazon EC2, OpenStack, and vCloud-based
provisioning (incl vCHS). Physical is used to configure all supported physical hardware provisioning (Dell, HP,
UCS, etc). Since a vCloud Suite license was used during setup, only applicable Endpoints are available.
88

New Reservation vSphere (vCenter)
Create a vSphere Reservation (cont)

From the Compute Resource dropdown, select a set of Resources to be
used. For vSphere reservations
select the desired vSphere Cluster
here we select Mgmt, which
corresponds to the Mgmt cluster
discovered during Endpoint Inventory
collection

89


The reservation Name will
automatically be created, but you can
change/edit it if preferred
Select a Business Group that will be
permitted to provision machines to
the selected set of resources (if only
one group exists, it will automatically
be selected)
Optional: apply the pre-defined
Reservation Policy to bind the
Reservation to the selected policy
Optional: set a machine quota or
leave blank for unlimited
Set a resource Priority of 0 or 1 for
this reservation (highest priority is 0).
Ensure the reservation is Enabled
Select the Resources tab to
continue configuration

90


Resources are defined as part of a
Reservation to allocate a subset of total
available compute resources. Here we
identify a set of Memory, Storage, and
Network resources as part of this
Reservation.
Memory: configure total memory (in
GB) to be allocated to this
Reservation
Storage: check one or more vSphere
Datastores and set the storage
capacity (in GB) and Priority (1) for
each machines will be balanced
across all selected datastores based
on the entered Priority (vCAC 6
supports SDRS clusters and VSAN
Datastores)
Resource pool (Optional): from the
drop-down, select an available
vSphere Resource Pool in which to
place provisioned machines
Click the Network tab to continue
configuration

91


In the Network tab, check one or
more vSphere networks (port groups)
that will be allocated to provisioned
machines. vCAC supports Standard
and Distributed Port Groups as well
as vCNS/NSX-backed networks
(vWires)
(Optional) Select a corresponding
Network Profile for the selected
Network Path
Click OK to complete this
Reservation
(Note: you can optionally enable and

configure resource threshold
notifications in the Alerts tab)

92

Reservations
The vSphere Endpoint in my

environment contains two clusters
Mgmt and Cloud Resources. The
previous steps are repeated to create an
additional Reservation using the Cloud
Resources cluster. Since each cluster
contains unique resources (Networks,
Storage Paths, etc.), the configuration
with vary slightly.
Here you see the completed
configuration of both Reservations.
Note: more than one Reservation can be created from a single Compute Resource (i.e. vSphere Cluster). This
can be done to over-provision resources or to create several sub-allocations of a single Compute Resource.

93
(Optional) Applying Storage Resource Policies

Compute Resources
Storage Policies
In previous steps, a Resource Policy
was created and [optionally] bound to a
resource Reservation. The Resource
Policy acts like a tag and will logically tie
together all resources using the tag. So
far, weve created a policy and tied it to
a Reservation. We will now apply the
Storage Policies to the appropriate
Datastores (Storage Paths) in each
Compute Resource.
(Resource Policies are Optional)
Compute Resources
Hover over the desired Compute
Resource and select Edit

94
(Optional) Applying Storage Resource Policies

Edit Compute Resources
Storage Policies (cont)

Select the Configuration tab
Click the pencil icon next to each
Storage Path (Datastore) to edit it
Use the Storage Reservation Policy
drop-down menu to select the
appropriate Reservation Policy
Click the green check to save
Repeat for each Storage Path in all
Compute Resources
Click OK to apply the changes

95
Creating IaaS Blueprints

Blueprints
Create a vSphere Blueprint

Blueprints define the resources and
attributes associated with the
provisioning of a virtual, physical, or
cloud machine. Blueprints are
configured for any machine (VM, vApp,
Physical, Cloud) or a combination (multimachine blueprint) that will be available
for provisioning in the portal. A unique
Blueprint has to be created per platform
(vSphere, vCloud, EC2, Hyper-V, KVM,
Physical, etc).
In this section we will create two
vSphere blueprints a Linked Clone
and a traditional template-based clone
Blueprints
Click + New Blueprint then select ->
Virtual -> vSphere (vCenter) to create
a new Blueprint based on the
available vSphere Endpoint

96

New Blueprint Linked Clone, vSphere (vCenter)
Create a vSphere Blueprint (cont)

In the Blueprint Information tab,
enter a Name and detailed
Description to identify the blueprint
(entering a detailed description will
help make sense of of it during
provisioning)
Check Shared Blueprint to share
this blueprint across this Tenants
Business Groups
(Optional) Select a Reservation
Policy to lock provisioning down to a
specified resource
Select an available prefix or use the
group default
(Optional) Set Maximum per user
quota
Set Archive days (days stored postexpiration)
(Optional) Set a daily cost associated
to append to total cost
Select the Build Information tab

97


Blueprint type: Server
Action: Linked Clone (Linked
Clones are uber-efficient delta copies
that are based on a machine
snapshot and require an available
snapshot prior to configuring. You
can optionally select Clone to
create a new machine off of a
traditional template)
Provisioning workflow:
CloneWorkflow (auto-selected)
Clone from: click on to browse
available snapshots (or templates)
and select the appropriate one (a
win2k8 snapshot is used in this
example)
Enter Min / Max settings for the
following:

# CPUs
Memory (MB)
Storage (GB)
Lease (days)
NOTE: the Minimum field is auto filled

based on the template config keep
that in mind when building the template
98


For Linked-Clone based Blueprints,
click on to browse available
snapshots (or templates) and select
the appropriate one (a win2k8
snapshot is used in this example)
Click Finish to continue
Note: VM snapshots are discovered

during an Endpoint Inventory collection,
and therefore have to exist ahead of that
collection in order for them to be
available during this selection. In other
words, plan accordingly.

99


Select the Properties tab
The Properties tab allows you to apply
Build Profiles and Custom Properties
unique to this blueprint for advanced
functionality, integration with external
systems, identification of resources, etc.
Add any available Build Profiles or
desired Custom Properties you want
to append to this Blueprint see the
vCAC 6.0 Operations Guide for more
details. Neither will be used in this
example.
Select the Actions tab

100


Machine Operations: Keep the
default settings (all selected). These
settings determine what users are
permitted to do to the provisioned
machine for Day-2 operations.
However, these are legacy settings
and will be overridden when Entitling
this Blueprint in a later step.
Configure Snapshots: Yes / No
Allow Reconfigure: Yes / No
Click OK to complete Blueprint
configuration

101

New Blueprint Clone, vSphere (vCenter)
Create [another] vSphere Blueprint

In the Blueprint Information tab,
enter a Name and detailed
Description to identify the blueprint
Check Shared Blueprint to share
this blueprint across this Tenants
Business Groups
(Optional) Select a Reservation
Policy to lock provisioning down to a
specified compute resource
Select an available prefix or use the
group default
(Optional) Set Maximum per user
quota
Set Archive days (days stored postexpiration)
(Optional) Set a daily cost associated
to append to total cost
Select the Build Information tab

102

New Blueprint Clone, vSphere (vCenter)
Create [another] vSphere Blueprint

(cont)
Blueprint type: Server
Action: Clone (basic templatebacked clone)
Provisioning workflow:
CloneWorkflow (auto-selected)
Clone from: click on to browse
available vCenter templates and
select the appropriate one (a CentOS
template is used in this example)
Enter Min / Max settings for the
following:
# CPUs
Memory (MB)
Storage (GB)
Lease (days)
Click OK to complete configuration

of this Blueprint

103

Publish Blueprints
Publish Configured Blueprints

Once Blueprints are built, you must
Publish them to make them available to
vCACs service catalogs. Once
Published, these Blueprints will be
marked as Catalog Items and made
available for Entitlements (next section)
Hover over each configured Blueprint
and select Publish from the
submenu
Note: you cannot un-publish a Blueprint!
Next up: Catalog Services

104
Catalog Services
Services | Catalog Items | Entitlements

105
Adding Catalog Services

Services
Catalog Services
vCACs Service Catalog provides a way
to organize and deliver the various
catalog items into related offerings. For
example, a Service can be created fore
each major service offering (IaaS, XaaS,
etc) or by sub-category (Windows,
Linux, etc). Services can contain IaaS
and XaaS Catalog Items (Blueprints).
Use Services to organize your vCAC
catalog however you see fit for your
environment.
Navigate to Administration tab ->
Services
Click + to create a new Service

106

Add Service (#1)
Create an IaaS Catalog Service

Complete all the required fields:
Name: enter a name for this Service

Catalog (e.g. IaaS Services)
Description: enter a detailed

description for the service. This will
show up in the users portal
Icon: (optional) click Browse to

locate an icon to use for this
Service. You may select any
appropriately-sized .png file. Icons
that are less than 200 x 200 px work
best.
Status: set to Active from the dropdown menu
Hours: (optional) select service

hours
Owner: service owner, automatically

filled based on logged-in user
account
Support Team: (optional) enter a

group to allow manageability of this
Service.
Click Add to add the new Service

107

Add Service (#2)
Create an XaaS Catalog Service

Complete all the required fields:
Name: enter a name for this Service

Catalog (e.g. IaaS Services)

description for the service. This will
show up in the users portal

locate an icon to use for this
Service. You may select any
appropriately-sized .png file. Icons
that are less than 200 x 200 px work
best.
Status: set to Active from the dropdown menu
Hours: (optional) select service

hours
Owner: service owner, automatically

filled based on logged-in user
account
Support Team: (optional) enter a

group to allow manageability of this
Service.
Click Add to add the new Service

108

Services - Review
Review Catalog Services

Repeat the previous steps for all
additional desired Services
Once Services are created, you can

associate Catalog Items to them. This
will be covered in the next section

109
Managing Catalog Items

Catalog Items
Add Catalog Items to Services

Catalog Items
Select one of the available Catalog
Items these are IaaS Blueprints
that have been published

110

Configure Catalog Item (#1)
Add Catalog Items to Services (Win2k8)

Complete the required fields (most of
the fields will be pre-populated):

select an available .png file
Status: set to Active using the

drop-down menu
Service: use the drop-down menu to

select a configured Service catalog
Click Update to apply

111

Configure Catalog Item (#2)
Add Catalog Items to Services (CentOS)

Complete the required fields (most of
the fields will be pre-populated):

select an available .png file

drop-down menu
Service: use the drop-down menu to

select a configured Service catalog
(Optional) Select New and

noteworthy to display this Catalog
Item to the New and Noteworthy
Portlet on the users home page
Click Update to apply

112
IaaS Entitlements
Add Entitlement
Entitlements
The final step in making a catalog item
available to users is to Entitle it.
Entitlements are created to manage
user and group access to services,
catalog items, and resource actions
within business groups of a Tenant. This
provides additional granularity and
allows for controls over who can see
what. Entitlements are also used to add
governance (approvals) to a particular
item this will be covered later
Entitlements
Click + to add a new Entitlement
Complete the required fields:
Enter a Name and detailed

Description for the Entitlement.
Set Status to Active
Search for Users & Groups to entitle

to these items
Click Next
Note: For added granularity, Entitlements can be based on individual catalog items or entire services. In this
example, an Entitlement is created for all IaaS services.

113
IaaS Entitlements
Add Entitlement
Items & Approvals

In the Items & Approvals tab, add
the desired items, actions, and
approvals (covered later)
Entitled Services click + and

select the previously-configured
IaaS Service catalog from the list
Entitled Catalog Items click +
and select the desired IaaS Catalog
Items (Blueprints) from the list (see
note)
Entitled Actions click + to add all
the desired resource Actions to this
Entitlement. Actions are day 2
operations that determine which
actions users can perform on a
machine after it has been
provisioned. (These actions override
the operations configured at the
Blueprint level)
Click Add to add this Entitlement
Next Up: Adding Governance to service

requests
Note: For added granularity, Entitlements can be based on individual catalog items or entire services. In this
example, an Entitlement is created for all IaaS services.

114
Governance & Approvals

Creating Self-Service Approval Policies

115
Adding Approval Policies

Approval Policies
Approval Policies
Approval Policies are created by Tenant
Administrators or Approval
Administrators to require any service
request to go through a pre- or postapproval process. Once created,
Approval Policies are applied to Service
Catalogs, Catalog Items, or postprovisioning (day-2) actions. Tenant
Admins and Business Groups Managers
can apply Approval Policies to service
items.
Approval Policies can be static (on/off)
or based on a condition. Conditionbased policies allow you to create
triggers based on a characteristic of the
request. In this exercise we will create a
condition-based approval policy
Approval Policies
Click + to add a new Approval
Policy

116

Add Approval Policy
Create an Approval Policy

In the Policy Type drop-down,
select Service Catalog Catalog
Item Request this policy can be
applied to individual Catalog Items
within an Entitlement

117

Add Approval Policy
Create an Approval Policy

Name: enter a name that represents

this policy

description

drop-down menu
Click + next to Levels in the PreApproval tab
Note: a Pre Approval level is applied

ahead of provisioning the associated
catalog item. Post Approval levels
occur post-provisioning.

118

Add Approval Policy Approval Level
Create an Approval Level Based on a

Condition
Name: enter a name for this

approval Level

description of the approval (more
detail is better)
Required?: select Required based

on conditions
In the Conditions sub-menu, create

a condition to trigger the policy. In
this example, approvals are required
if a user requests a catalog item for
greater than 90 days
Approvers?: select Specific Users

and Groups then search and add
desired approvers from the list
Approval Type:
Anyone can Approve requires any

(at least 1) of the selected groups or
users to approve
All must approve requires all users

and groups to approve the request
Click Add to add the approval

level

119

Apply Approval Policy to Entitlement
Applying Approval Policies

Once an Approval Policy is created, it is
added to an Entitled Service, Catalog
Item, or Action by editing the associated
Entitlement(s)
Entitlements
Select one of the available
Entitlements to edit
Locate the Entitled Service and/or
Catalog Items that you want to add
the approval policy to
Click on the arrow next to each item
and select Modify Policy
In the Modify Policy window, select
the previously-created Approval
Policy from the drop-down
Click OK to accept
Repeat for all desired items
Click Update to save the changes

120
IaaS Entitlements
Reviewing the IaaS Service Catalog
Reviewing the IaaS Catalog

Navigate to the Catalog tab to view
the entitled services (for the currently
logged in user)
Verify that the Catalog Items selected
in the Entitlement are available.
Since both Catalog Items (i.e.
Blueprints) were added to the same
Entitlement, they should both show
up here.
Also notice at this point only the IaaS
Catalog is visible thats because no
catalog items have been added to the
other Service Catalogs at this point.
Once added, additional Service
Catalogs will be displayed along the
left side.
Next Up: a fun XaaS Use Case

121
XaaS Use Case

DaaS with vCAC XaaS and Horizon View

122
Introduction
vCloud Automation Center 6.0's XaaS feature will allow admins to utilize any prepackaged, new, or
existing vCenter Orchestrator workflow and deliver it as a Self-Serviced, Entitled, Governed, and Lifecyclemanaged service.
VMware will be shipping a more integrated View/vCAC DaaS solution by Q214. Until then we have to
improvise to come up with a DaaS-like solution that will help fill in the gap until the products are natively
integrated. vCACs Advanced Service Designer (ASD) provides a quick-fix for an important function using
unsophisticated means.
DaaS Use Case Objectives:
Allow cloud users to request a Horizon View Desktop machine from vCACs Service Catalog to add
Self-Service, Governance, and Entitlement to existing View Environments

Use vCACs Advanced Service Designer to create a Custom Service to deliver DaaS
Configure a Governance (Approval) policy for VDI Desktop Requests
Utilize vCOs built-in Active Directory plug-in and a simple workflow to do the magic

XaaS DaaS Overview

Horizon View
View is configured with 2 Desktop Pools:
Floating Desktop Pool: DaaS-Engineering
Dedicated Desktop Pool: DaaS-Operations
Both pools are configured to pre-provision 20 desktops and always have 5 desktops available
(unused) in the pool

Each pool is entitled to an existing Active Directory Security Group
DaaS-Engineering -> DaaS-Eng
DaaS-Development-> DaaS-Ops
For DaaS options, users log into vCAC and click on the Service Catalog called Desktop Services
Users Select from the appropriate pool
Once requested, approvals are invoked to ensure user is authorized
XaaS and vCO take over

vCO Configuration
Configuring the Active Directory Plug-In

Configure the Active Directory Plug-In

vCO 5.5 uses an included workflow to configure the Active Directory plugin. You might want to log into vCO
configuration to ensure no existing AD Plugin settings exist
Log into vCenter Orchestrators configuration UI (https://hostfqdn:8283). Note that if you are using the embedded vCO node, the
FQDN will be the same as your vCAC server.
Click on the Active Directory plugin in the left pane to check its status
Note: the vCO configuration service on the vCAC VA is stopped by default, run service vco-configurator start to start it. This step can
also be completed using vCACs ASD Endpoint configuration

Log into vCO using the vCO Client
Use the vCO Client to log into the vCO instance (serverfqdn:8281)
By default, vCACs embedded vCO instance uses the same administrator@vsphere.local account and password configured during
vCAC setup.


Run the Active Directory Configuration Workflow
Once logged in, ensure youre in Run mode and select the Workflows tab
Drill down and expand Library -> Microsoft -> Active Directory -> Configuration
Right-click Configure Active Directory server and select Start workflow

Enter all the required fields

Click Next


Click Yes for Use a shared session to use a single service account for this connection
Enter the UN (DOMAIN\usrname) and PW (be sure this account has appropriate AD permissions).
Click Submit

Wait while the workflow runs

Once successfully completed, the last step should turn green (look for the green check next to the workflow instance as well)
You can now check the vCO configuration to verify the AD plugin was successfully configured
XaaS | DaaS Configuration

Configuring the logic in vCAC Advanced Service Designer


Add a Service Blueprint
Once logged in, go to the Advanced Services tab

Click the green + to add a new Service blueprint


Choose the vCO Workflow
Expand the Orchestrator and drill down to the Microsoft library

Select vCO -> Library -> Microsoft -> Active Directory -> User -> Add a user to a user group

Enter Service Details
In the Details tab, enter a Name and Description for this Blueprint
Name: Desktop Request (NOTE: this is what show up in the self-service portal)
Description: Enter something that describes this blueprint

Configure Blueprint Form
The Blueprint Forms designer will allow you to change the default page/form titles and vCO input attributes to something that makes
sense to the users requesting this form.
First, click the pencil icon next to Add a user to a user group to edit the Form page name


Change the From page Heading to something that makes sense for this use case (e.g. Assign User to Desktop Pool), then click
Submit


Edit the group attribute so it reads Select Desktop Pool, or something similar
Edited the user attribute so it reads Select User, or something similar

Edit Form to something that reflects the use case (e.g. Request Desktop). This is the title heading that will be visible to users when
they select this service.
Keep Screen types selection unchanged

Click Submit to commit the changes

Click the pencil icon to the right of the Select Desktop Pool (the group attribute) text field
Change the Type field to Drop-down
The drop down type will allow you to add constraint Values to the field, Search does not (bug?) well come back here and change this
back to Search once the Values are added.

Select the Value tab (the tab shows up after changing Type to drop-down in the previous step
Enter the AD Group names you created that correspond with the appropriate View Pools one at a time
Click Submit

Back in the Details tab, change the Type back to Search (notice the Values tab disappears)
Note: this is required due to a bug/feature in the forms designer that does properly use the Drop-down or Radio button types with Value
constraints. Doing it this way allows us to add the appropriate constraints while still using the working type (Search).


The Provisioned Resource tab allows you to associate this Service Blueprint with a resource type for post-provisioning (day 2)
operations. Since this is just a request blueprint (i.e. no management after requesting), we will not associate it way any resource type.
Click Add to add the Blueprint.


Publish Service Blueprint
Your new Service Blueprint Desktop Request will show up in the list as a draft
From the Actions menu, select Publish
At this point the Service Blueprint is published and ready to be added to a Catalog and Entitled

Add a DaaS Service Catalog
We will now create a new Service Catalog to organize our DaaS catalog items.
Navigate to Services from the Administration tab

Click the green + next to Services

Add a DaaS Service Catalog
Enter a Name and Description for this service (e.g. Desktop Services) and, optionally, you can select a unique icon for this service
catalog

Click Add when finished

Add a DaaS Service Catalog - Review
Once added, the new Desktop Services catalog will show up in you Services list.
Next we will add the appropriate catalog item(s) to this catalog


Configure the DaaS Catalog Item
Navigate to Catalog Items in the Administration tab

Locate and click on the newly-created Desktop Request item (you can click on the item or select edit from the Actions menu)


Configure the DaaS Catalog Item
In the Configure Catalog Item screen, click on Browse to select a unique icon for this item
Change Status to Active
From the Service drop down, select the Desktop Services service catalog created in the previous steps
Select Update to continue
XaaS | Entitlements
Add Entitlement
Entitlements are used to assign a Service, Catalog Item, or Action to specific users or groups. We need to entitle the new DaaS Service
and Desktop Request catalog item to tenant users.
While in the Administration tab, navigate to Entitlements

Click the green + next to the Entitlements header
XaaS | Entitlements
Add Entitlement
Enter a Name and Description for this Entitlement (e.g. VDI Desktop or Win 7 Desktop, etc)
Add Users and/or Groups to Entitle to this item (NOTE: you can enter a blank space in the search field to list all available users), then
click Next to continue
XaaS | Entitlements
Add Entitlement
From the Items & Approvals tab, click on the green + next to the Entitled Services header
Select the Service to Entitle (in this case, its the Desktop Service previously created)
Click OK to apply
XaaS | Entitlements
Add Entitlement
From the Items & Approvals tab, click on the green + next to the Catalog Items header
Select the Catalog Item to Entitle (in this case, its the Desktop Request item previously created)
Click OK to apply
XaaS | Entitlements
Add Entitlement Review Configuration
In the previous steps we added a Service and Catalog Item entitlement to the Users & Groups defined in the Details tab. In practice,
you have the option to entitle just the Service Catalog, which will automatically apply to all catalog items assigned to that service.
However, this method gives you more granularity.
Click Add to commit the entitlement

XaaS | DaaS
Verify Service and Catalog Item Availability
Navigate to the Catalog tab and select the newly-created service catalog from the left menu pane
Verify that the Desktop Request catalog item is visible
(NOTE: be sure you entitle the logged-in account to this service. If not, log in using an account that was entitlement)

END
[virtualjad.com]!


Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Загружено:

Сведения о документе

Авторское право

Доступные форматы

Поделиться этим документом

Поделиться или встроить документ

Параметры публикации

Этот документ был вам полезен?

Это неприемлемый материал?

Авторское право:

Доступные форматы

Virtualjad-Vcac 6 Poc Guide 6.0-1.1

Загружено:

Авторское право:

Доступные форматы

vCloud Automation Center 6.

Please provide any feedback to jelzein@vmware.com

vCloud Automation Center 6.0 POC Guide

EZLAB Logical Architecture

vCloud Automation Center 6.0 POC Guide

vCAC 6.0 Install & Config Workflow

vCloud Automation Center 6.0 POC Guide

vCloud Automation Center 6.0 POC Guide

IaaS & XaaS Provisioning Requirements

environment per best practices

For XaaS Service Provisioning:

ships with vCO embedded, but you can

examples (well take a look at a DaaS use

vMotion properly configured

vSphere 5.5, use LDAP vs. SSO)

blue print creation

machine placement (no reservations or

vCloud Automation Center 6.0 POC Guide

Deploying vCAC 6 Virtual Appliances

vCloud Automation Center 6.0 POC Guide

Deploying vCAC Identity VA

Deploying vCAC ID OVF

vCloud Automation Center 6.0 POC Guide

Deploying vCAC Identity VA

Select Local file button

vCloud Automation Center 6.0 POC Guide

Deploying vCAC Identity VA

Verify you are deploying the

vCloud Automation Center 6.0 POC Guide

Deploying vCAC Identity VA

Read (scan) VMwares EULA

vCloud Automation Center 6.0 POC Guide

Deploying vCAC Identity VA

Enter a VM name (this is the name

vCloud Automation Center 6.0 POC Guide

Deploying vCAC Identity VA

Select an optional VM Storage Policy

vCloud Automation Center 6.0 POC Guide

Deploying vCAC Identity VA

Map the VAs source network to an

vCloud Automation Center 6.0 POC Guide

Deploying vCAC Identity VA

Enter details for all required fields:

Enter/Confirm root password

Hostname (*FQDN REQUIRED*)

DNS (comma separated)

Network IP Address / Subnet

Click Next to continue

Note: Be sure a DNS record exists

vCloud Automation Center 6.0 POC Guide

Deploying vCAC Identity VA

Review all your inputs and make any

The ID VA will deploy in a matter of

vCloud Automation Center 6.0 POC Guide

Deploying vCAC Identity VA

Once deployed, log into the Virtual

Password: <configured pw>

vCloud Automation Center 6.0 POC Guide

Deploying vCAC Identity VA

Go to the System tab

vCloud Automation Center 6.0 POC Guide

Deploying vCAC Identity VA

The ID VA is preconfigured with a default

Navigate to the SSO tab

Hostname (FQDN REQUIRED)

Hostname (FQDN REQUIRED)