November 17th, 2017 by axel

Just a little reminder about the configuration of vRA

 

Tenant creation (System administrator privilege required for this operation)

  • Create local users and assign Tenant Admin permission

Tenant configuration (Tenant administrator privilege required for this action)

  • Add a directory to bind an AD domain
    • To enable HA, add an Identity Provider, this time using the second vRA node as the connector and the VIP of the vRA node as the new hostname.
  • Create custom groups (System or tenant administrator privilege required for this action)
  • Assign all needed IaaS rights (including at least tenant admin and IaaS architect)
  • Provide IaaS administrator privilege to the newly created custom group
  • If needed, plan access policies (to set the network ranges allowed to authenticate, etc.)

Create endpoint (tenant administrator privilege required for this action)

  • The name must match the name of the agent installed on the IaaS server
  • Restart vcac vCenter agent to force an inventory of vCenter resources
  • Compute resource must be available once data have been collected

Make sure that no error appears in IaaS logs :

  • On the server in c:\program files (x86)\vmware\vcac\server\logs\error.log
  • On the portal, as an IaaS admin, you can go to Infrastructure > Monitoring > Log

Tip: if cluster storage does not appear, suspect an MSDTC issue between SQL and IaaS

 

  • Create a Fabric Group (IaaS administrator privilege required for this action)
    • Select Fabric group administrators
  • Create a Machine Prefix (Fabric Group administrator privilege required for this action)
  • Create a business group (Tenant administrator privilege required for this action)
  • Create a reservation for the business group (Fabric Group administrator privilege required for this action)
    • Make sure this new reservation is enabled (it is by default)
    • Provide a machine quota, RAM, Storage, Network

Blueprint creation (IaaS Architect privilege required for this action)

  • Publish it to make it visible as a catalog item

Catalog creation (Tenant administrator privilege required for this action)

    • Create a catalog service
      • Make sure it is active (by default)
    • Add a catalog item
      • Select a blueprint and link it to the proper service to make it available
    • Entitle users for the new catalog
      • Make sure the status is active (draft by default)
      • Select a business group (this setting cannot be changed once the entitlement has been saved)
      • Select group and users
      • Select service, catalog items and allowed actions on them

Test and enjoy 🙂


October 12th, 2017 by axel

This post is just a reminder of the installation steps for vRA in distributed mode.

What you will have to do

  • Deploy (not configure) the vRA appliance instances
  • Configure the load balancer for vRA in a minimal mode (TCP monitoring and only one server active in each pool, in order to pin the network flows between the same vRA and IaaS instances)
  • Create certificates with a SAN containing all the FQDNs used in your architecture :
    • vra vip
    • iaas web vip
    • iaas manager vip
    • vra instances
    • iaas web instances
    • iaas manager instances
    • orchestrator, if used
  • Configure the first vRA appliance :
    • NTP
    • Certificates
      • Import successful, but the certificate attached to the default web site is still the default one (issued by VMware).
    • SSO (administrator password)
      • At this step, the vRA default web site is created and a license can be added.
      • The log can be found in /var/log/vcac/vcac-config.log
      • Web services start-up can be tracked in the catalina.out log file.
      • At this step, the vcac website must be available and the vRA node must respond on port 443.
    • License
    • Disable CEIP in telemetry tab
    • At this step and according to vRA installation guide, vRA website should be available (with or without any license). Not in my case.
      • Error 400
        • All services are started !
        • Shut down node 1. Started node 2 and ran the same configuration steps: certificates (this time not in LB mode and with a self-signed certificate), NTP, SSO.
        • OK, default tenant website available.
        • After some troubleshooting, it turned out that my edge was misconfigured on the LB part. See this post.
        • https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2147446
      • Blank page
        • Just forgot, like an idiot, to enable the load balancer feature before configuring it.
  • Add the second vRA node (appliance) :
    • Configure NTP with the same settings as those provided for the first node.
    • In the LB configuration, enable the second node in the vRA pool
    • Power ON the first node and wait for the startup of the services
    • Join the cluster by providing the FQDN of the first node, otherwise you will get an error on port 5480.
      • Once the node has been added to the cluster, web requests can be load balanced.
      • Disabling one server after the other does not prevent access to the vcac portal
  • Disable useless services
      • vRO embedded server can be disabled.

    A few months ago, we used to read that the embedded vRO couldn't run in production environments; however, I recently read that VMware now recommends the embedded version for small/medium-sized deployments (found in the vRO Cookbook, second edition).

  • Install first IaaS node
    • Install the signed certificates (import the pfx into the Trusted Root store and into IIS; do not bind it, so that port 443 can be used by the installer)
    • Download the installation software from vRA
    • Create the db
      • Logs can be found on the IaaS node under C:\Program Files (x86)\VMware\vCAC\InstallLogs
    • Check the related LB settings (no monitoring!, only one node active)
    • Install the IaaS Website and Model Manager
        • Failed : Certificate issue. At this step, just keep in mind that the LB certificate was in the Personal folder of the iaas and NOT in the Trusted Root one (was only visible in non-friendly view)
          • Retry with this certificate in both Personal and Trusted Root folders and under ServiceAccount session : ok
        • Help may be found there
        • At this step, you will need to use the vip for IaaS Web.

      VMware vCloud Automation Center Server and VMware vCloud Automation Center WAPI are now installed

    • Install Manager Service
      • Once again, the vip for IaaS Web will be required.
    • Install DEM (worker and orchestrator)
      • Here, vip will be needed for IaaS Web and IaaS Service Manager
  • Install necessary agent
    • Use strictly the same name on each IaaS node the agent will be installed on.
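
As an added example (not part of the original post), the sketch below renders the `[alt_names]` section of an OpenSSL request config from the name types listed in the certificate step, then checks the SAN list of an issued certificate for missing FQDNs before it is installed on the appliances and IaaS nodes. The hostnames and the SAN text are constructed placeholders; real SAN text comes from `openssl x509 -noout -ext subjectAltName -in <cert>`.

```python
import re

# Constructed inventory, one entry per name type in the list above (placeholder hostnames).
REQUIRED_FQDNS = {
    "vra vip": ["vra.lab.example"],
    "iaas web vip": ["iaas-web.lab.example"],
    "iaas manager vip": ["iaas-mgr.lab.example"],
    "vra instances": ["vra01.lab.example", "vra02.lab.example"],
    "iaas web instances": ["iweb01.lab.example", "iweb02.lab.example"],
    "iaas manager instances": ["imgr01.lab.example", "imgr02.lab.example"],
}

# Constructed sample of `openssl x509 -noout -ext subjectAltName` output (wrapped here).
SAMPLE_SAN_TEXT = """X509v3 Subject Alternative Name:
    DNS:vra.lab.example, DNS:iaas-web.lab.example, DNS:iaas-mgr.lab.example,
    DNS:vra01.lab.example, DNS:vra02.lab.example, DNS:iweb01.lab.example,
    DNS:IWEB02.lab.example, DNS:imgr01.lab.example
"""

def parse_dns_sans(text):
    # DNS names compare case-insensitively; a trailing dot is dropped.
    return {m.lower().rstrip(".") for m in re.findall(r"DNS:([^,\s]+)", text)}

def name_covered(fqdn, sans):
    fqdn = fqdn.lower().rstrip(".")
    if fqdn in sans:
        return True
    # A wildcard SAN only stands in for the single left-most label.
    _, _, parent = fqdn.partition(".")
    return bool(parent) and "*." + parent in sans

def missing_sans(required, san_text):
    # Map each role to the FQDNs the certificate does not cover.
    sans = parse_dns_sans(san_text)
    missing = {}
    for role, names in required.items():
        gaps = [n for n in names if not name_covered(n, sans)]
        if gaps:
            missing[role] = gaps
    return missing

def alt_names_section(required):
    # Render the [alt_names] block of an OpenSSL request config.
    names = sorted({n.lower() for ns in required.values() for n in ns})
    return "[alt_names]\n" + "\n".join(f"DNS.{i} = {n}" for i, n in enumerate(names, 1))

if __name__ == "__main__":
    print(alt_names_section(REQUIRED_FQDNS))
    for role, names in missing_sans(REQUIRED_FQDNS, SAMPLE_SAN_TEXT).items():
        print(f"MISSING for {role}: {', '.join(names)}")
```

With the constructed sample, the only gap reported is the second IaaS manager instance, the kind of omission that otherwise surfaces later as a certificate error during the IaaS installation.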

 

Some considerations regarding vRA load balancing

 

vRA virtual appliances run concurrently in active/active mode.

For IaaS components, things are a bit different:

IaaS component     | LB mode
Web site           | active/active
Model Manager Data | N/A, just one instance, installed on the first (installed) Web site
Service Manager    | active/passive (however, a manual startup of the service on the second is necessary)
DEM Worker         | active/active
DEM Orchestrator   | active/active

 
