Proof of Concept and Detailed Implementation Guide
Version 6.0-1.1 (updated 06-21-14)
Jad El-Zein
Principal Engineer
jelzein@vmware.com
virtualjad.com |
@virtualjad
2014 VMware Inc. All rights reserved.
Introduction
This [unofficial] Proof of Concept and Detailed Installation guide is provided, with
no guarantees (or support), to help with the implementation of vCloud Automation
Center 6.0 in a pre-configured vSphere 5.x environment.
The guide walks through, in plenty of detail, vCAC 6.0's deployment, concepts,
technologies, and features as they would be used in a real-world implementation.
This document can also double as an unofficial hands-on training guide which
covers:
New Features in vCAC 6.0.x
Deployment Architecture
Implementation on VMware platforms (vSphere)
IaaS and XaaS Service Configuration
Usage and Navigation
Advanced Concepts | XaaS
[Figure: implementation workflow diagram, steps 1 through 20 (step-to-box numbering not recoverable). Box labels: Define Fabric Group; Prerequisites Review; Add vSphere Endpoint; Deploy vCAC ID VA (SSO); Create initial Tenant; Deploy vCAC VA; Configure IaaS Prereqs; Define Business Group; Create Reservation Policy; Create Network Profile; Admin Portal Config; XaaS Sample Use Case; vCO Configuration; Governance & Approvals; XaaS Entitlements; IaaS Entitlements; END!; Create Resource Reservation; Manage Catalog Items; Run IaaS Prereq Checker; Create IaaS Blueprints; Install vCAC IaaS Services; Add Catalog Services. Group labels: Deploy / Config; IaaS Config; XaaS Config.]
Prerequisites Review
Before You Begin | Provisioning Requirements
acceptable)
Clone blueprints
Default Gateway
Username: root
Click Login
Password: <pw>
Default Gateway
Username: root
Click Login
Common Name
Organization
Organizational Unit
Country Code
Use a dedicated Active Directory service account with local admin privileges during setup and install of
Run Windows Update and ensure the host VM is up to date with all recommended patches
Disable Windows Firewall on all vCAC VMs
Microsoft .NET Framework 4.5. Note that .NET 4.5.1 is NOT supported on Windows 2008 R2 or 2012
implementations -- use the installer that is packaged with the vCAC VA.
Ensure all other prerequisites have been implemented
Have the vCAC 6.0 Installation and Operations guides handy for reference
Windows Authentication
Static Content
Default Document
ASPNET
ISAPI Extensions
ISAPI Filter
IIS Authentication:
Configuration API
Net Environment
Process Model
WCF Activation
HTTP Activation
Non-HTTP Activation
Database Requirements:
MS SQL Server 2008 (or higher) or MS SQL
Express 2010 (or higher)
Reset IIS
From the Start menu, right-click
Command Prompt and select Run as
administrator
Type iisreset, hit enter
(you can also restart IIS Admin service from
the Services admin)
Configure MS DTC
Configure MS Distributed Transaction
Coordinator (DTC) to allow DTC
communications to/from your DB server
Open Component Services from
Administrative Tools
Expand Component Services ->
Computers -> My Computer ->
Distributed Transaction
Right-click Local DTC and select
Properties
In the Security tab, make sure the
following are checked:
Allow Inbound
Allow Outbound
Click OK
NOTE: make sure your DB server is also
set to allow these communications. And
make sure there are no firewall policies
blocking any needed network traffic
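The DTC settings from the step above can be checked from an elevated PowerShell prompt on both the IaaS server and the DB server. This is an added example, not part of the original guide: the registry value names are the standard MSDTC ones, `$DbServer` is a placeholder, and the authentication-mode report covers a Security tab setting the guide does not discuss.

```powershell
# Added example (not from the original guide): audit the Local DTC settings
# from the Security tab, then test reachability of the DB server.
param(
    [string]$DbServer = '<db_server_fqdn>'   # placeholder: your SQL Server host
)

$secKey  = 'HKLM:\SOFTWARE\Microsoft\MSDTC\Security'
$rootKey = 'HKLM:\SOFTWARE\Microsoft\MSDTC'

# "Allow Inbound" / "Allow Outbound" only take effect when the parent
# "Network DTC Access" checkbox is enabled, so all three are checked.
$required = @('NetworkDtcAccess', 'NetworkDtcAccessInbound', 'NetworkDtcAccessOutbound')

$sec = Get-ItemProperty -Path $secKey
$results = foreach ($name in $required) {
    New-Object psobject -Property @{
        Setting = $name
        Value   = $sec.$name
        Ok      = ($sec.$name -eq 1)
    }
}
$results | Select-Object Setting, Value, Ok | Format-Table -AutoSize

# Authentication mode for DTC-to-DTC traffic (same Security tab).
$root = Get-ItemProperty -Path $rootKey
$authMode = if ($root.TurnOffRpcSecurity -eq 1) {
    'No Authentication Required'
} elseif ($root.FallbackToUnsecureRPCIfNecessary -eq 1) {
    'Incoming Caller Authentication Required'
} elseif ($root.AllowOnlySecureRpcCalls -eq 1) {
    'Mutual Authentication Required'
} else {
    'Not set in registry'
}

# The MSDTC service must be running on both ends.
$svc = Get-Service -Name MSDTC

# DTC uses the RPC endpoint mapper (TCP 135) plus dynamic RPC ports.
# This only proves the endpoint mapper is reachable from this host.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($DbServer, 135)
    $rpcReachable = $tcp.Connected
} catch {
    $rpcReachable = $false
} finally {
    $tcp.Close()
}

"MSDTC service status : $($svc.Status)"
"Authentication mode  : $authMode"
"TCP 135 to $DbServer : $rpcReachable"

if (@($results | Where-Object { -not $_.Ok }).Count -gt 0) {
    Write-Warning 'One or more required DTC network settings are not enabled.'
}
if ($authMode -eq 'No Authentication Required') {
    Write-Warning 'DTC accepts unauthenticated RPC calls; Mutual Authentication is available when both hosts are in the same or trusted domains.'
}
```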
Administrative Tools
Expand Local Policies
Select the User Rights Assignment
sub folder
In the right hand pane, double-click
service policy
Once complete, reboot the VM
https://<vCAC_FQDN>:5480/Installer
Password: <root_pw>
PW: <pw>
Passphrase: <any_text>
SQL DB Info
Worker: DEM
Orchestrator: DEO
Component Registry:
Server: <vcacva_fqdn>
UN: administrator@vsphere.local
IaaS
Done!
Uncheck Guide me; we'll step
through all the configuration steps in
the next section.
Click Finish to exit the installer
You can log out from the IaaS server
Administration Portal
Logging in for the first time
Branding
SMTP Preferences
vCO Integration
https://<vcacva_fqdn>/shell-ui-app
UN: administrator@vsphere.local
PW: <admin_pw>
Click Login
Identity Stores
In the Identity Storage tab, click +
to add a new authentication source
Enter the required information:
URL: ldap://<ad_fqdn>:389
Domain: Domain DN
Administrators
Select Tenant and Infrastructure
Administrator roles by typing/searching
for AD users and groups in
each column.
Administration Portal
Branding - Header
Branding
Branding allows Administrators to change
the look/feel of the vCAC portal,
including adding custom header
graphics, changing visible text, and
customizing colors.
Navigate to the Branding section of
the Administration tab
To customize these settings, uncheck
the Use default option
In the Header tab, select Browse
in the Header Logo: field to select a
custom logo file. (NOTE: the logo file
should be no larger than 800 x 52px
and in .PNG format. Use a
transparent background for best
appearance)
Change remaining fields to reflect
your desired look
Company Name
Product name
Background color
Text color
Administration Portal
Branding - Footer
Copyright notice
Contact link
Administration Portal
Email Servers Outbound SMTP
Email Servers
vCAC uses SMTP servers for external
communications such as Alerting,
Approvals, Provisioning Status, etc.
SMTP servers can be global or per-Tenant. Here we will create an
outbound SMTP server to be used by
all Tenants
Navigate to the Email Servers
section under the Administration tab
Click + next to Email Servers title to
add a new server
In the Add Email Server pop-up
window, select Email Outbound,
then click OK
Administration Portal
Email Servers Outbound SMTP
Name
Description
Encryption
Server Port
Authentication
Auth Password
Sender Address
IaaS Endpoints
Business Groups
Fabric Groups
Network Policies
Resource Reservations
IaaS Configuration
Tenant IaaS Services
Reservations Policies
Blueprints
Catalog Services
Entitlements
Tenant Portal
Log in to the new Tenant's unique
URL. The URL is created using the
URL name when creating the
Tenant. In this example, the URL
name used was ops, so the URL to
the Tenant is: https://<FQDN>/shell-ui-app/org/ops
Log in to the Tenant Portal using an
account that was granted the Tenant
Administrator and Infrastructure
Administrator roles during setup.
UN: username@example.com
PW: <account_pw>
Click Login
Home Tab
At first login, users are taken to the
Home section, which displays
information unique to the user. The Home
screen can be customized by adding
Portlets. vCAC ships with several admin
and user portlets that can provide useful
information.
By default only the My Inbox portlet is
displayed. Click on the edit icon circled
in red to add additional portlets
Approval Administrator
IaaS Administrator
Service Architect
Tenant Administrator
IaaS Licensing
Navigate to the Infrastructure tab
then select Administration
Click on Licensing
Click + to add a new vCAC license
In the Add Licenses window, enter a
valid vCAC or vCloud Suite license.
Various IaaS functions are exposed
based on the license used. In this
example, I'm entering a vCloud Suite
Enterprise license
Click OK to apply
Endpoints
Endpoints are managed resources,
clouds, physical infrastructure, etc. that
are defined in vCAC to provide a
destination for machine deployments.
Any supported platform that will be used
to deploy machines must be added as
an Endpoint. In this example, we will be
configuring a vSphere (vCenter) endpoint.
vCenter Orchestrator is also a supported
endpoint. vCO adds a significant amount
of extensibility and automation to a vCAC
environment through external actions
independent of the Advanced Service
Designer.
In this step we will create a single
vSphere (vCenter) Endpoint.
Select + New Endpoint -> Virtual ->
and click on vSphere (vCenter)
Endpoint Details
Name: Enter the endpoint name
(NOTE: this name MUST be the
same as the endpoint name entered
during IaaS installation)
Description: Enter a description that
makes sense
Address: Enter the full vCenter URL
in the Address: field. Example:
https://<vcenter_FQDN>/sdk
Credentials: Use the pop-out menu to
select existing or create vSphere
Credentials that will be used to
access this Endpoint. It is a best
practice to use a dedicated service
account for this. Details for creating
Credentials are on the next page
Note: If no compute resources are available for selection, you either have an Endpoint configuration issue or
you need to wait a bit for inventory to complete. Check the Log Viewer (Infrastructure tab -> Administration ->
Monitoring) for any obvious errors
Click OK
Note: the Active Directory container field does not apply to blueprints for cloning or external cloud provisioning.
While it is required to put something there, you can type any string in that field to satisfy the form validation.
Note: vCAC's default naming conventions are fairly basic, but functional. There are several external resources
available for greater customization of hostnames. The custom property Hostname can also be used to allow
users to manually enter a machine name.
Reservations
Compute Resources
Blueprints
Subnet Mask*
Gateway
Primary DNS
Secondary DNS
DNS suffix
Preferred WINS
Alternate WINS
(* required fields)
When done, click on the IP Ranges
tab
Add an IP Range
Once a Network Profile is created, you
can add a static IP range to the profile to
allocate a specific set of IPs when
provisioning machines bound to the
corresponding network.
From the IP Ranges tab, click + to
create a New IP Range
Enter the required information:
Name*
Description
Starting IP address*
Ending IP address*
(* required field)
Click OK to apply
Note: In previous versions of vCAC, admins had to manually enable Static IP Services prior to configuring
Network Profiles. This is now a default capability.
Note: Use Virtual to configure vSphere reservations as well as any other hypervisor-based reservation
(Hyper-V, KVM, XEN, etc). The Cloud selection is used for Amazon EC2, OpenStack, and vCloud-based
provisioning (incl vCHS). Physical is used to configure all supported physical hardware provisioning (Dell, HP,
UCS, etc). Since a vCloud Suite license was used during setup, only applicable Endpoints are available.
vCloud Automation Center 6.0 POC Guide
v6.0-1.1 by Jad El-Zein
Note: more than one Reservation can be created from a single Compute Resource (i.e. vSphere Cluster). This
can be done to over-provision resources or to create several sub-allocations of a single Compute Resource.
Storage Policies
In previous steps, a Resource Policy
was created and [optionally] bound to a
resource Reservation. The Resource
Policy acts like a tag and will logically tie
together all resources using the tag. So
far, we've created a policy and tied it to
a Reservation. We will now apply the
Storage Policies to the appropriate
Datastores (Storage Paths) in each
Compute Resource.
(Resource Policies are Optional)
Navigate to Infrastructure tab ->
Compute Resources
Hover over the desired Compute
Resource and select Edit
# CPUs
Memory (MB)
Storage (GB)
Lease (days)
# CPUs
Memory (MB)
Storage (GB)
Lease (days)
Catalog Services
Services | Catalog Items | Entitlements
Catalog Services
vCAC's Service Catalog provides a way
to organize and deliver the various
catalog items into related offerings. For
example, a Service can be created for
each major service offering (IaaS, XaaS,
etc) or by sub-category (Windows,
Linux, etc). Services can contain IaaS
and XaaS Catalog Items (Blueprints).
Use Services to organize your vCAC
catalog however you see fit for your
environment.
Navigate to Administration tab ->
Services
Click + to create a new Service
IaaS Entitlements
Add Entitlement
Entitlements
The final step in making a catalog item
available to users is to Entitle it.
Entitlements are created to manage
user and group access to services,
catalog items, and resource actions
within business groups of a Tenant. This
provides additional granularity and
allows for controls over who can see
what. Entitlements are also used to add
governance (approvals) to a particular
item; this will be covered later
Navigate to Administration tab ->
Entitlements
Click + to add a new Entitlement
Complete the required fields:
Click Next
Note: For added granularity, Entitlements can be based on individual catalog items or entire services. In this
example, an Entitlement is created for all IaaS services.
IaaS Entitlements
Add Entitlement
Approval Policies
Approval Policies are created by Tenant
Administrators or Approval
Administrators to require any service
request to go through a pre- or post-approval process. Once created,
Approval Policies are applied to Service
Catalogs, Catalog Items, or post-provisioning (day-2) actions. Tenant
Admins and Business Groups Managers
can apply Approval Policies to service
items.
Approval Policies can be static (on/off)
or based on a condition. Condition-based policies allow you to create
triggers based on a characteristic of the
request. In this exercise we will create a
condition-based approval policy
Navigate to Administration tab ->
Approval Policies
Click + to add a new Approval
Policy
Approval Type:
IaaS Entitlements
Reviewing the IaaS Service Catalog
Introduction
vCloud Automation Center 6.0's XaaS feature will allow admins to utilize any prepackaged, new, or
existing vCenter Orchestrator workflow and deliver it as a Self-Serviced, Entitled, Governed, and Lifecycle-managed service.
VMware will be shipping a more integrated View/vCAC DaaS solution by Q2'14. Until then we have to
improvise to come up with a DaaS-like solution that will help fill in the gap until the products are natively
integrated. vCAC's Advanced Service Designer (ASD) provides a quick-fix for an important function using
unsophisticated means.
DaaS Use Case Objectives:
Allow cloud users to request a Horizon View Desktop machine from vCAC's Service Catalog to add
For DaaS options, users log into vCAC and click on the Service Catalog called Desktop Services
Users Select from the appropriate pool
Once requested, approvals are invoked to ensure user is authorized
XaaS and vCO take over
vCO Configuration
Configuring the Active Directory Plug-In
Log into vCenter Orchestrator's configuration UI (https://hostfqdn:8283). Note that if you are using the embedded vCO node, the
FQDN will be the same as your vCAC server.
Click on the Active Directory plugin in the left pane to check its status
Note: the vCO configuration service on the vCAC VA is stopped by default; run service vco-configurator start to start it. This step can
also be completed using vCAC's ASD Endpoint configuration
Use the vCO Client to log into the vCO instance (serverfqdn:8281)
By default, vCAC's embedded vCO instance uses the same administrator@vsphere.local account and password configured during
vCAC setup.
Once logged in, ensure you're in Run mode and select the Workflows tab
Drill down and expand Library -> Microsoft -> Active Directory -> Configuration
Right-click Configure Active Directory server and select Start workflow
Click Yes for Use a shared session to use a single service account for this connection
Enter the UN (DOMAIN\username) and PW (be sure this account has appropriate AD permissions).
Click Submit
In the Details tab, enter a Name and Description for this Blueprint
Name: Desktop Request (NOTE: this is what shows up in the self-service portal)
Description: Enter something that describes this blueprint
Click Next to continue
The Blueprint Forms designer will allow you to change the default page/form titles and vCO input attributes to something that makes
sense to the users requesting this form.
First, click the pencil icon next to Add a user to a user group to edit the Form page name
Change the Form page heading to something that makes sense for this use case (e.g. Assign User to Desktop Pool), then click
Submit
Edit the group attribute so it reads Select Desktop Pool, or something similar
Edit the user attribute so it reads Select User, or something similar
Click Next to continue
Edit Form to something that reflects the use case (e.g. Request Desktop). This is the title heading that will be visible to users when
they select this service.
Click the pencil icon to the right of the Select Desktop Pool (the group attribute) text field
Change the Type field to Drop-down
The Drop-down type will allow you to add constraint Values to the field; Search does not (bug?). We'll come back here and change this
back to Search once the Values are added.
Select the Value tab (the tab shows up after changing Type to Drop-down in the previous step)
Enter the AD Group names you created that correspond with the appropriate View Pools one at a time
Click Submit
Back in the Details tab, change the Type back to Search (notice the Values tab disappears)
Note: this is required due to a bug/feature in the forms designer that does not properly use the Drop-down or Radio button types with Value
constraints. Doing it this way allows us to add the appropriate constraints while still using the working type (Search).
The Provisioned Resource tab allows you to associate this Service Blueprint with a resource type for post-provisioning (day 2)
operations. Since this is just a request blueprint (i.e. no management after requesting), we will not associate it with any resource type.
Your new Service Blueprint Desktop Request will show up in the list as a draft
From the Actions menu, select Publish
At this point the Service Blueprint is published and ready to be added to a Catalog and Entitled
We will now create a new Service Catalog to organize our DaaS catalog items.
Enter a Name and Description for this service (e.g. Desktop Services) and, optionally, you can select a unique icon for this service
catalog
Once added, the new Desktop Services catalog will show up in your Services list.
Next we will add the appropriate catalog item(s) to this catalog
In the Configure Catalog Item screen, click on Browse to select a unique icon for this item
Change Status to Active
From the Service drop down, select the Desktop Services service catalog created in the previous steps
Select Update to continue
XaaS | Entitlements
Add Entitlement
Entitlements are used to assign a Service, Catalog Item, or Action to specific users or groups. We need to entitle the new DaaS Service
and Desktop Request catalog item to tenant users.
Enter a Name and Description for this Entitlement (e.g. VDI Desktop or Win 7 Desktop, etc)
Set Status to Active
Add Users and/or Groups to Entitle to this item (NOTE: you can enter a blank space in the search field to list all available users), then
click Next to continue
From the Items & Approvals tab, click on the green + next to the Entitled Services header
Select the Service to Entitle (in this case, it's the Desktop Service previously created)
Click OK to apply
From the Items & Approvals tab, click on the green + next to the Catalog Items header
Select the Catalog Item to Entitle (in this case, it's the Desktop Request item previously created)
Click OK to apply
XaaS | Entitlements
Add Entitlement Review Configuration
In the previous steps we added a Service and Catalog Item entitlement to the Users & Groups defined in the Details tab. In practice,
you have the option to entitle just the Service Catalog, which will automatically apply to all catalog items assigned to that service.
However, this method gives you more granularity.
XaaS | DaaS
Verify Service and Catalog Item Availability
Navigate to the Catalog tab and select the newly-created service catalog from the left menu pane
Verify that the Desktop Request catalog item is visible
(NOTE: be sure you entitle the logged-in account to this service. If not, log in using an account that was entitled)
END
[virtualjad.com]!