My first Blog entry will cover an quite simple topic, but we will do a little bit more then the OVA Deployment 🙂
I will cover the lastest version of vRealize Orchestrator (vRO), which is vRealize Orchestrator Appliance 7.2 | 22 Nov 2016 | Build 4629837.
Before we start the deployment of the OVA, we need a IP, which way you prefer depends on your personal way, I will use an DHCP reservation, related to my working experience I prefer DCHP because it makes your life much easier in an IP migration scenario. Second one we have to create the DNS Entry (Host A and Reverse Entry). Please don’t skip this step, I often have seen that Customer do not have an working DNS Resolution and this leads to various wrong behaviors (for example vCenter Registration fails).
To verify that our IP Setup is correct we just need a Command-Box and type nslookup  <HOSTNAMEofyourVRO> after this type nslookup <IPofyourVRO> and verify if you get the right IP and Hostname back from your DNS server.
After having a working DNS Resolution we can move forward to the OVA deployment. Since it is a quite simple deployment I will not cover the deployment of vRO with screenshots or anything, except one personal recommendation. The default value for enable SHH is disabled, I would strongly recommend to enable SSH while you are doing the setup and after the Setup you can disable it in the Web-Interface, but yes you can also enable SSH after the deployment in the Webinterface. 🙂  Also out of the box the vRO OVA came in VM Hardware Version 7, I would recommend to upgrade the HW Version to the latest possible. 10 for ESXi 5.5, 11 for ESXi 6 and 12 for ESXi 6.5. After the Deployment is finished – you can lean back because you have deployed your first vRO – just start to use it – No just kiding I have a little but more for you.
So from my point of View, what should be our next Steps?
1.)Â Basic Setup – Appliance
2.)Â NTP
3.) Basic Setup – vRO
4.)Â Certificates
4.) Certificates
4.) Certificates
Before some of you no think, what is wrong with this guy? – Let me explain it. vRO uses 3 Certificates on for the Connection from your Browser/vRO Client, one for signing the Workflows and one for the Appliance Management (VAMI). Since I know that there are enough Blogs about vRO (Setup, Working with, etc.) I will always cover Certificate Management in my Posts, do have a little bit of a differentiation to other blog.
So first we will Basic Setup, do to this just call der VAMI (Virtual Appliance Management Interface) https://<HOSTNAMEofyourVRO>:5480 Username is root and the Password you provided due the OVA Deployment. My fist Tasks are setting up the Time Zone, Proxy Setup if you have one, Update Settings – vRO Appliance can check for Updates over the Internet or via specified Repository or via virtual CDROM drive and, and this is my preferred way, via vCenter Update Manager. Why via Update Manager? – From the Design and Operating point of view, you have one central Management for all your appliances. And then we move on to the Admin Tab – Time Settings. I will not discuss why we are using NTP, because I think the Topic has already often been discussed, so we are just configuring our NTP Server – the same one that all our ESXi, vCenter and Active Directory Controller are using.
We have now finished the Basic Setup of the vRO Appliance and our NTP Configuration, now lets move on to the Basic Setup of our vRO. In the Browser Session we go to https://<HOSTNAMEofyourVRO:8281/vco/ or just enter http://<HOSTNAMEofyourVRO> which will redirect you to Port 8281. Then we need the Orchestrator Control Center which is located in the middle of the Page. The link will open a new Tab, we have to login with our Root User and the Password. First we will configure our Authentication Provider, it depends what you want to use, the important Information right now use, please don’t use LDAP anymore – it will be obsolete in the next releases. vRO supports 3 Authentication Providers: vRealize Automation, vSphere (Plattform Service Controller) and SSO (legacy). IMPORTANT: SOO (legacy) vCenter 5.5 Update 2 and higher is required. More about this you can find here. We will use our vCenter – Plattform Service Controller, select vSphere as Authentication mode and enter the <FQDNofyourPSC> and press connect. You will asked for accepting the Certificate of your PSC, just press the ACCEPT CERTIFICATE button, after accepting we must enter the Identity Information of our PSC. (Username and Password). Then, after saving the Information, our vRO is asking for the Administrator Group – with a Warning Message. Before we can fix this we have to restart the Orchestrator  server, so just click on the “Startup Options” link an restart your Orchestrator server. After the Server Service has restarted we can go back to Configure Authentication Provider and configure the Admin group. Just enter the Active Directory or SSO Group you want to permit and press SEARCH. After finding the Admin group we can finish the task via SAVE Changes. Hint: If you are not sure, you can verify your Configuration via Test Login. – Last step restart the Server Service again.
Now we start the funny part, move on to Certificates. You will see that our Orchestrator has already imported some Certificates, this is related to our Identity Source Configuration, vRO imports all Certificate from our PSC up to the Root Certificate authority when you configure the Identity source. So in my case there is on Certificate missing, in my Lab Environment I have 1 Offline RootCA running on Windows, 1 Issuing CA also known as Enterprise CA on Windows, my Plattform Service Controller acts as SubCA from my Enterprise CA. The get an overview just have a short look on this Screenshot. So in my case first I will import the RootCA Cert, just press the Import Button and select import from a PEM-encoded file, browse to the location you have saved your RootCA Certificate in DER or Base64 Format, please do not provide any private Key information you will just need the Certificate without any private key. So we have just finished the import now lets move on to the tricky part, if you have a look on the Orchestrator Server SSL Certificate you will see that you just can import a Certificate or Generate a new Self-Signed Certificate, well lets say it in an political correct way, this is not really what we want, we want a CA-signed Certificate on our VRO. Ok then lets do this. 🙂
I have already created an Template based on this KB from Vmware. So first we need our Certificate, since I really like the way of using Subject Alternative Names (SAN) I prefer the DigiCert Util to create a CSR. Just provide the tool with all of you Information and generate the CSR. Copy your CSR and request the Certificate. After you get back your Certificate just open it an press Install Certificate and Select Local Machine. After importing the Certificate just verify if you have an Private Key for your Certificate. Ok so we have now our Certificate that’s the good news, the bad news are it is on the wrong machine and we can only export it in an format our vRO does not support. So first we will fix the wrong machine, just use your MMC and export your Certificate, please select “Yes, export the private key” and on the second page “Include all certificates in the certification path if possible” and “Export all extended properties” for security reasons I would recommend also to select “Delete private key if the export is successful” but you can also delete the Certificate after the Installation is finished. On the last screen enter a password for your Private Key protection. Next we need to convert the .pfx file to an .pem File. There are many ways to do this, also here it depends on your personal feelings and more or less on you security concerns, you can do the convert online for example here or with Openssl on your machine. Just run this command if you have a working Openssl installation openssl pkcs12 -in c:\certs\yourcert.pfx -out c:\certs\vro.pem. So now since we have our pem Certificate and a working CA Chain we can change our VRO Certificate, to do this we go back to our Control Center -> Certificate -> Orchestrator Server SSL Certificate and select Import. Browse to your .pem File enter your Private Key password and select import. After you checking your Input the Control Center shows you your current certificate and the new one, just press import again, then the certificate will be replaced. To finish the replacement we must restart the Orchestrator Appliance, NOT ONLY the Server Service. You restart your VRO via VAMI or in your vCenter. After the reboot just verify the Certificate Chain. Boom – vRO Webservice Certificate changed.
