As of November 2015 public CAs no longer issue certificates that use internal names or reserved IP addresses in the subjectAltName or commonName fields (the rule comes from the CA/Browser Forum Baseline Requirements). Existing certificates of that kind will be revoked on 1 October 2016.
Internal names are hostnames that do not end in a public top-level domain (.com, .de, …), for example names ending in .local or .internal. NetBIOS names without any domain suffix are affected as well.
Reserved IP addresses are defined by the Internet Assigned Numbers Authority (IANA). You can look up the IPv4 reservations here (RFC 1918 range) and the IPv6 reservations here (RFC 4193 range).
If you are using an internal CA you are not affected. Before the revocation date, check any publicly issued certificate on your appliances for short hostnames or private IP addresses in the SAN. For more information about this change by the public CAs click here. For more information about VMware products click here.
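To check a certificate for exactly these entries, here is an added example (it is not part of the original post and not VMware code). It walks the subject and subjectAltName in the dict layout that Python's ssl.getpeercert() returns and flags single-label names, names under non-public suffixes and reserved IP addresses. The certificate dict and the suffix list are constructed for the example; the suffix list is only a heuristic, the authoritative test is whether the top-level domain exists in the IANA root zone.

```python
import ipaddress

# Suffixes that are never publicly resolvable. Assumption: a heuristic list built from
# the special-use names in RFC 6761/6762 plus common private suffixes.
NON_PUBLIC_SUFFIXES = (".local", ".localhost", ".internal", ".lan", ".corp", ".home",
                       ".localdomain", ".test", ".example", ".invalid")


def is_reserved_ip(text):
    """True if text is an IP address from a reserved range (RFC 1918, RFC 4193,
    loopback, link-local, multicast, ...); False for public addresses and non-IP strings."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False
    return (ip.is_private or ip.is_reserved or ip.is_loopback
            or ip.is_link_local or ip.is_multicast or ip.is_unspecified)


def is_internal_name(name):
    """True if a DNS name cannot be resolved publicly: a single-label (NetBIOS style)
    name or a name under a non-public suffix. Wildcards are judged by their base name."""
    n = name.strip().lower().rstrip(".")
    if n.startswith("*."):
        n = n[2:]
    if "." not in n:
        return True
    return n.endswith(NON_PUBLIC_SUFFIXES)


def check_certificate_names(cert):
    """Return the (field, value) entries of a certificate that a public CA must not
    issue any more. cert uses the dict layout returned by ssl.getpeercert()."""
    offending = []
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and (is_internal_name(value) or is_reserved_ip(value)):
                offending.append(("commonName", value))
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS" and is_internal_name(value):
            offending.append(("DNS", value))
        elif kind == "IP Address" and is_reserved_ip(value):
            offending.append(("IP Address", value))
    return offending


# Constructed sample, shaped like ssl.getpeercert() output for a vCAC appliance whose
# certificate carries a short hostname, a .local name and an RFC 1918 address in the SAN.
SAMPLE_CERT = {
    "subject": ((("commonName", "vcac01.corp.example.com"),),),
    "subjectAltName": (
        ("DNS", "vcac01.corp.example.com"),
        ("DNS", "vcac01"),
        ("DNS", "vcac01.local"),
        ("IP Address", "10.0.12.34"),
        ("IP Address", "198.41.0.4"),
    ),
}

if __name__ == "__main__":
    for kind, value in check_certificate_names(SAMPLE_CERT):
        print(f"not issuable by a public CA: {kind}={value}")
```

Run it against a live service by replacing SAMPLE_CERT with the result of ssl.create_default_context().wrap_socket(...).getpeercert(); only the three flagged SAN entries of the sample are reported, the FQDN and the public address pass.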
- Multiple parallel workflows
- Workflows can be interactive
- Many (<500) predefined workflows are already implemented
- vCO workflows can be integrated into the vSphere Web Client
- The vCO integrated in the vCAC Appliance can be used. Good practice is to use a stand-alone vCO Appliance.
- An endpoint is necessary.
- Install the vCAC plug-in in vCO.
- There are also workflows to configure vCAC (e.g. manage SSL certificates).
- vCAC hosts have to be added to vCO (using a workflow).
- You can create custom menu operations and assign them to a blueprint and its machines (e.g. “Install AV Agent”).
Install integrated vCO
- Start the service (using PuTTY):
service vco-configuration start
- Log in to vCO Configuration:
https://url:8283 (default user/password: vmware/vmware; change this default password right after the first login)
- Import the SSL certificates of the vCenter, IaaS and vCAC servers/appliances via “vCenter 5.5 Server” in the left panel
- Add vCenter Server
- Install vCenter License
- Check Startup Options
- Add credentials for the vCO endpoint in vCAC
- Add vCO endpoint (Link:
- Do not forget the custom property VMware.VCenterOrchestrator.Priority. If you forget it, you get a nice notification from which you can copy and paste the property.
- Install Orchestrator Client on Windows
- Configure vCenter Orchestrator Plug-Ins (AD, vCAC)
- Add the AD certificates using the workflow: Library > Microsoft > Active Directory > Configuration > Manage SSL certificates
- Add the AD domain using the workflow: Library > Microsoft > Active Directory > ConfigureActiveDirectoryServer
- Add the vCAC certificates using the workflow: Library > vCloudAutomationCenter > Configuration > Manage SSL Certificates
- Add the vCAC and IaaS servers using the workflow: Library > vCloudAutomationCenter > Configuration > Add a vCAC host
VMware IT Business Management (ITBM)
- ITBM comes in form of an appliance.
- It is not optimized for WAN connections!
- ITBM accesses data from a global reference database, so it shows financial values right after the installation.
- For Microsoft Azure and Amazon AWS the system updates the actual prices from the provider. These are list prices; customer-specific discounts cannot be considered.
- This database can be downloaded, so no internet access is necessary afterwards.
- The data in the reference database comes from ITBM installations.
- A local installation does not have to provide data to the warehouse.
- You can set a specific currency (only one currency).
- By default the system assumes an amortization period of 3 years. This can't be changed at this time.
- One single method to deploy an environment, independent of the platform (Amazon, Microsoft, VMware, Citrix)
- Application Marketplace
Advanced Service Designer
If you only want to use this feature, you can order the smallest available pack of vCAC Advanced.
Monitoring and Reclamation
Administrators/managers can request a reclamation. The owner of the machine has to approve the request to release the machine for reclamation, or mark the machine as in use.
- A really powerful framework to control workflows using built-in and self-created custom properties.
- Custom properties are case sensitive!
- Use custom properties to customize the machine through these stages
- You should create your own namespace for properties to avoid conflicts with built-in properties.
- VMware provides Custom Property Reference Guides at:
- Built-in properties are applied automatically. For example VMware.VirtualCenter.Folder puts the vSphere VM into the defined folder during a clone action.
- Properties can be encrypted.
- A user can be prompted to enter a value during the request process.
- Values are not checked by the system, so there should be a workflow that validates the entered values before any script acts on them.
- Properties and their values can be used to:
- Customize OS (sysprep, …)
- Provide additional build information
- Define disk provisioning (thin, thick)
- Auditing and reporting information (e.g. machine ID)
- Integrate a machine with systems like HP SIM, …
- A vCO workflow can use, create and set such properties
- Custom properties can be defined for these objects
- Business groups
- Build profiles
- Compute resources
(This is also the override-order when the same properties are defined on different levels of vCAC)
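The validation the notes above ask for, as an added example (not code from the original post and not a vCAC or vCO API): it catches a miscased built-in name, which vCAC would silently ignore because property names are case sensitive, an unknown name in the VMware namespace, a property outside the tenant's own namespace, and a prompted (PromptUser) value that does not match its expected pattern. The tenant namespace Custom.Acme., the PROMPT_SCHEMA and the sample request are constructed for the example; in vCO the same logic would live in a JavaScript scripting action.

```python
import re

# Built-in property names that appear on this page. Names are case sensitive in vCAC:
# a miscased name is just another, unknown property and is silently ignored.
BUILTIN_PROPERTIES = {
    "VMware.VirtualCenter.Folder",
    "VMware.VCenterOrchestrator.Priority",
    "Snapshot.Policy.AgeLimit",
}
# Assumption for the example: anything under these prefixes belongs to VMware.
RESERVED_PREFIXES = ("VMware.", "Snapshot.")

# Hypothetical schema for the properties a request prompts the user for (PromptUser).
# vCAC stores whatever the user typed, so each value is matched against a pattern here.
PROMPT_SCHEMA = {
    "Custom.Acme.Environment": re.compile(r"^(dev|test|prod)$"),
    "Custom.Acme.CostCenter": re.compile(r"^[0-9]{4}$"),
}


def validate_properties(props, namespace="Custom.Acme.",
                        builtin=BUILTIN_PROPERTIES, schema=PROMPT_SCHEMA):
    """Return a list of problems for the custom properties attached to a request.
    An empty list means provisioning may continue."""
    problems = []
    builtin_by_lower = {name.lower(): name for name in builtin}
    for name, value in props.items():
        if name in builtin:
            continue
        if name.lower() in builtin_by_lower:
            problems.append(f"{name}: wrong case, the built-in property is spelled "
                            f"{builtin_by_lower[name.lower()]}")
        elif name.startswith(RESERVED_PREFIXES):
            problems.append(f"{name}: unknown property in a reserved namespace")
        elif not name.startswith(namespace):
            problems.append(f"{name}: not in the tenant namespace {namespace!r}")
        pattern = schema.get(name)
        if pattern is not None and not pattern.match(str(value)):
            problems.append(f"{name}: value {value!r} does not match {pattern.pattern}")
    for name in schema:
        if name not in props:
            problems.append(f"{name}: required PromptUser value is missing")
    return problems


# Constructed request: one correct built-in, one miscased built-in, one prompted value
# outside the allowed set and one property without a namespace.
SAMPLE_REQUEST = {
    "VMware.VirtualCenter.Folder": "Tenants/Acme",
    "vmware.vcenterorchestrator.priority": "1",
    "Custom.Acme.Environment": "production",
    "Custom.Acme.CostCenter": "4711",
    "Folder": "Tenants/Acme",
}

if __name__ == "__main__":
    for problem in validate_properties(SAMPLE_REQUEST):
        print(problem)
```

The sample request yields three problems; the miscased priority property is the one that hurts most in practice, because without the check the request simply provisions without the vCO priority being set.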
- Pre-approval: must be approved before the deployment starts.
- Post-approval: the deployment starts, but the user gets the created objects only after the approval.
- An approval policy can't be changed. Copy the policy instead and apply the copy.
- Notifications can be sent by mail.
Available options are:
- vCloud Automation Center Designer [deprecated]
- vCenter Orchestrator
- Advanced Service Designer (XaaS)
- Development Toolkit (Cloud Development Kit is needed)
- System Administrator
- Installs vCAC
- Manages tenants
- IaaS Administrator
- Manages endpoints and credentials
- Creates fabric groups
- Fabric Administrator
- Manages physical and compute resources within a fabric group
- Manages reservations and reservation policies
- Manages build profiles and machine prefixes
- Tenant Administrator
- Manages and configures the tenant
- Manages users and groups
- Manages catalog services
- Manages entitlements
- Creates approval policies
- Manages blueprints
- Service Architect
- Creates custom service blueprints and publishes them in Advanced Service Designer
- Approval Administrator
- Creates and applies approval policies
Business Group Roles
- Business Group Manager
- Manage machine blueprints, items and entitlements
- Is able to monitor resource usage
- Business User
- Support User
- Is able to perform tasks on behalf of others
It is important to understand that privileges are not inherited from a higher to a lower level, so by default a system administrator does not have privileges within a tenant.
By the way: just because there are that many roles, you don't have to use all of them – keep it simple!
The fabric is the sum of all resources collected through endpoints. For resource provisioning the fabric is partitioned into fabric groups. Fabric groups are created within a tenant and consume resources out of the fabric, so the group is within a tenant but the resources themselves are not directly attached to the tenant.
Global Machine Prefix
- Provides a kind of fallback for VM naming in case there is no naming configuration within the workflows
- In every business group a default machine prefix is defined
- Is a group of services and resources that is associated with an organisational unit/department
- It is created by a tenant administrator
- The business group manager can see the machines in the business group and can manage the group's blueprints
- Users can see the (published) blueprints in the service catalog
- Machines are deployed into business groups
Do not mix up reservations in vSphere with reservations in vCAC; they are not related to each other! In vCAC a reservation is more like a commitment than a guarantee: it can be seen as a maximum.
“A machine blueprint is a complete specification for a virtual, cloud, or physical machine that defines resources, attributes, policies, and method of provisioning for the new system”
There are different kind of machine blueprints to deploy different types of machines. Each consists of a different set of parameters.
To enable users to request a machine from a blueprint, the blueprint has to be published.
Configuration of blueprints
- A blueprint can be a master so it can be copied by a tenant administrator
- It can be shared across all business groups
- Location information can be displayed on request
- Location are defined in
C:\Program Files (x86)\VMware\vCAC\Server\Website\XmlData\DataCenterLocations.xml
- Reservation policy
- Archive period: number of days an expired machine can be reactivated. Expired machines get archived and are deleted after the archive period; zero means the machine is deleted upon expiration.
- Daily cost for basic charge management
Build Information (options vary by type of blueprint)
- Type of machine (Server, Desktop or Hypervisor)
- Action to create the machine; here are for example the actions for vSphere:
- NetApp FlexClone
- TIP: if the snapshot of the selected linked-clone master is not visible for selection, perform a data collection on the compute resource!
- Provisioning Workflow
The selection depends on the type of machine (cloud, physical, virtual), the OS and the action used to create the machine
- Customization spec to provide an answer file during provisioning (case sensitive!)
- Machine resources
Specified as a range from minimum to maximum. Values within this range can be requested (and go through approval).
Additional machine information can be set; this information can be used in workflows during provisioning. More on custom properties in part 3 of this series.
- Possible actions can be selected. This can be used as a kind of permission.
- Good practice: do not customize permissions in the blueprint; customize them in the service catalog as item actions. Otherwise troubleshooting becomes difficult, because you can add item actions in the service catalog that are disabled in the blueprint.
- Combination of more than one blueprint
- Can combine different types of machines
- There are different settings compared to the other types of blueprints. Additional ones are:
- Startup and shutdown order
- Network settings: transport zone, network profile and reservation policy
- Scripting: defining provisioning, startup and shutdown scripts
A set of blueprints that can be presented to users for requesting. Users deploy machines from these blueprints, organized in service catalogs.
- The word “service” could be misleading. Here a service is a list of options a user can select from. Services can contain:
- Machine blueprints
- A service consists of catalog entries that could contain for example a blueprint.
- Change Window
vCAC will do maintenance tasks within this window
- A user must be entitled to see a service in portal
- Entitlements include the definition of allowed item actions
Requesting and Deploying Services
- Depending on the configuration of the blueprint, a user can customize these parameters of a machine:
- Number of machines
- Number of CPUs
- Reason for the request
- Custom Properties that are set to PromptUser
- You can define basic costs for compute and storage resources by using cost profiles
- A user that requests services can monitor the state of these requests
- A tenant administrator can/should change the “Owned by” filter when checking items
- Entitled users can perform allowed item actions on machines in the vCAC portal. These include creating snapshots, expire, reset, reprovision, …
- For multi-machine blueprints: actions, settings and entitlements specified for the multi-machine blueprint override the settings in the component blueprints, but only for the multi-machine deployment!
- For snapshots you can use custom properties:
Snapshot.Policy.AgeLimit to limit the age of snapshots (in days)
- vSphere VMs can be reconfigured on CPU and memory by users
This series of posts will be an overview of vCAC in note style. There will be hints and tips as well as design considerations and basic information about the product itself. If you don't know vCAC at all, you will still have to read the manuals and guides!
vCAC enables IT to provide a self-service portal for users or just for the IT department itself. With vCAC a company gets the tool to implement predefined workflows, or to build and develop its own workflows to automate common tasks, to provision a whole infrastructure for a software development department, or just well-defined VMs.
- vCloud Director is not necessary for vCAC
- SQL Server is necessary; Express edition is supported
- The vCAC Appliance is Linux based; the IaaS components are installed on Windows
- You need a license key for installation, at least a trial key
Important components of vCAC 6.0
For authentication vCAC can use:
- Identity Appliance (can’t communicate with other Identity Appliances)
- SSO (vSphere 5.5 U1 and later)
- Linux based
- includes vCenter Orchestrator [vCO] (new name is vRealize Orchestrator [vRO])
- includes PostgreSQL
- Runs on Windows
- Components of IaaS
- Web site. Provides a part of the front-end for users.
- Distributed Execution Manager (DEM)
Used for provisioning and managing machines
- vCD, vCHS
- physical servers (HP, Dell, Cisco)
- DEM Orchestrator
Preprocesses and schedules workflows; also monitors DEM Worker
- DEM Worker
- Executes workflows; should be as near as possible to the infrastructure it executes tasks on
- Communicates with the DEM Orchestrator and external resources. Sends its status and the resources it manages to the DEM Orchestrator, which submits tasks to suitable Workers.
- A Worker can talk to just one endpoint. Use more Workers talking to the same endpoint to provide redundancy.
- Hypervisor (Hyper-V, vSphere, Citrix XenServer) via proxy agent
- External provisioning infrastructure (EPI)
- Model Manager
- Manager Service
coordinates communication between AD, agents and SQL
Advanced Service Designer
- With the Advanced Service Designer you can build a front-end in the service portal for any vCO workflow
- The workflow can return an object,
e.g. a workflow that creates a user returns the new user, so another workflow can reset that user's password
Application Director can help software development departments. Developers can use Application Director to deploy software into the infrastructure available for development. For testing, the software can be deployed into the test infrastructure using the abstracted workflows of Application Director. So the development cycle can use different platforms (AWS, Hyper-V, vSphere, …) to move from development to production.
Types of deployment
Minimal Deployment Architecture (for PoC or small environments)
Not suitable for larger environments because it is difficult to scale or to upgrade to the distributed architecture. The installation contains:
- vCAC Appliance
- SQL Server
These components are not redundantly installed. All components of IaaS are installed in one VM.
Distributed Deployment Architecture (no SPOF)
- vCAC Load Balancer
- redundant vCAC Appliance
- PostgreSQL Cluster
- SQL Cluster
- IaaS Web Load Balancer
- IaaS Manager Service Load Balancer
- Agents, DEM Workers
- A prerequisite verification script is available
- If hardware workflows are planned (for HP, Dell, Cisco), check the hardware requirements
- DNS (forward and reverse)
- Time synchronization is very important (clocks must be in sync to within a few seconds)
- DB Server (PostgreSQL or SQL); there are scripts to create the DB
- IaaS requirements (DB, ports)
- Network ports according to installation guide
- Compute Requirements (check in documentation according to the size of the environment)
- IaaS Manager Service Requirements
- .NET 4.5 (do not use 4.5.1!)
- PowerShell 2.0 for Windows 2008, 3.0 for Windows 2012
- User accounts (vCenter service account, for IaaS installation, IaaS DB and service user)
Check the privileges in the installation guide; do not use the local administrator account
Self-signed certificates will be created; check the installation guide on deploying CA-issued certificates if you want to use SAN or wildcard certificates. If that CA is a public one, the names in the certificate must be public FQDNs, not short hostnames or private IP addresses (see the note on internal names at the top of this page).
Tips for OVF-Deployment
- Settings entered in the deployment wizard are applied during installation via a virtual CD-ROM, so do not remove the CD-ROM drive from the appliance! If you have already removed the drive, you have the option to run a script within the appliance to apply the settings manually: open the console of the appliance, it shows the absolute path to the script.
- During the basic configuration of the appliance via the browser on port 5480, wait until “Requesting Information” has finished. Do not enter information or change tabs before “Requesting Information” is done.
- Before generating the self-signed SSL certificate, check all entries for correctness! Use the FQDN of the vCAC Appliance as Common Name.
- Saving the SSO settings can take up to 15 minutes. If there is no activity after 20 minutes, close the browser and try again.
Tips for IaaS Installation
- Use the links for software download during installation (https://VCAC_Server_FQDN:5480/installer) for setup.exe and .NET 4.5
- Do not rename setup-files!
- The root user of the vCAC Appliance is just used for downloading files, not for a permanent connection
- For a single-server installation use the complete installation
- SQL Server Express can have problems with FQDNs; use just the hostname instead
- to keep it simple, use default naming. If you want to change the defaults, note naming in your documentation!
- Default tenant is vsphere.local
- The administrator@vsphere.local account should only be used to manage tenants
- It is OK to use just the default tenant. If you create additional tenants, you cannot merge them afterwards.
- SSO is only used by the default tenant. Additional tenants use AD/LDAP/other directory connections.
- Link for tenants:
Endpoints are infrastructure components like vCenter, vCO, vCD, physical machines, OpenStack, … vCAC communicates with endpoints using DEMs and agents.
- vCAC does not talk directly to Hyper-V, SCVMM is needed
- For a PoC you can use AWS to show compatibility with 3rd-party products
- check the VMware videos for a HowTo
- simple to configure
- an AWS test account is free
- Storage endpoints: just NetApp (FlexClone technology)
- vSphere Endpoint
- For the address, add “/sdk” at the end!
- The entries are not validated when you save them. Look at the logs to check for errors.
TIPS for endpoints:
- You can perform a data collection on endpoints manually, so you don't have to wait until the data is refreshed by the schedule
- Create the endpoints before installing the agents
- Credentials for endpoint access are organized separately
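Because vCAC neither validates the endpoint address nor tells you that the DNS prerequisites (forward and reverse) are unmet, a small preflight is worth running before you save a vSphere endpoint. The following is an added example (not from the original post and not a VMware tool) that covers both the endpoint tips above and the DNS prerequisite from the installation notes: it checks that the address uses https, an FQDN and the trailing “/sdk”, and that the name resolves and its reverse record points back to the same name. The resolver functions default to the system resolver; the FORWARD_TABLE/REVERSE_TABLE data and the fake resolvers are constructed so the example runs offline.

```python
import socket
from urllib.parse import urlparse


def check_vsphere_endpoint_url(url):
    """Return the problems found in a vSphere endpoint address as it would be entered in
    vCAC: the UI does not validate it, and a wrong scheme, a short hostname or a missing
    "/sdk" only shows up in the logs once data collection fails."""
    problems = []
    parsed = urlparse(url)
    if parsed.scheme != "https":
        problems.append(f"scheme is {parsed.scheme!r}, expected https")
    host = parsed.hostname
    if not host:
        problems.append("no host in URL")
    elif "." not in host:
        problems.append(f"host {host!r} is not an FQDN")
    if parsed.path.rstrip("/") != "/sdk":
        problems.append(f"path is {parsed.path!r}, expected /sdk")
    return problems


def check_dns_roundtrip(fqdn, forward=socket.gethostbyname,
                        reverse=lambda ip: socket.gethostbyaddr(ip)[0]):
    """Check that a name resolves and that the reverse record of the resulting address
    points back to the same name. The resolver callables default to the system resolver
    and are parameters only so the check can run against a fake table offline."""
    try:
        ip = forward(fqdn)
    except OSError as exc:
        return [f"{fqdn}: forward lookup failed ({exc})"]
    try:
        name = reverse(ip)
    except OSError as exc:
        return [f"{ip}: reverse lookup failed ({exc})"]
    if name.rstrip(".").lower() != fqdn.rstrip(".").lower():
        return [f"{ip}: reverse record is {name!r}, expected {fqdn!r}"]
    return []


def preflight(url, forward=socket.gethostbyname,
              reverse=lambda ip: socket.gethostbyaddr(ip)[0]):
    """Combine both checks for one endpoint URL; an empty list means it passed."""
    problems = check_vsphere_endpoint_url(url)
    host = urlparse(url).hostname
    if host and "." in host:
        problems += check_dns_roundtrip(host, forward, reverse)
    return problems


# Constructed DNS data standing in for a lab zone, so the example runs offline.
# vcenter02 has a stale PTR record, the kind of mismatch the reverse check is for.
FORWARD_TABLE = {
    "vcenter01.corp.example.com": "10.0.12.10",
    "vcenter02.corp.example.com": "10.0.12.11",
}
REVERSE_TABLE = {
    "10.0.12.10": "vcenter01.corp.example.com",
    "10.0.12.11": "esx-old.corp.example.com",
}


def fake_forward(name):
    if name not in FORWARD_TABLE:
        raise socket.gaierror(-2, "Name or service not known")
    return FORWARD_TABLE[name]


def fake_reverse(ip):
    if ip not in REVERSE_TABLE:
        raise socket.herror(1, "Unknown host")
    return REVERSE_TABLE[ip]


if __name__ == "__main__":
    for url in ("https://vcenter01.corp.example.com/sdk",
                "https://vcenter02.corp.example.com/sdk",
                "https://vcenter01",
                "http://vcenter03.corp.example.com/"):
        print(url, "->", preflight(url, fake_forward, fake_reverse) or "OK")
```

Call preflight(url) without the fake resolvers on the IaaS server itself (the DEM Worker that will talk to the endpoint), since that is the resolver whose view matters.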