
Tag Archives: vCloud Automation Center

vCAC 5.2 to 6.x Construct Mappings

By Eiad Al-Aqqad

This post originally appeared on Eiad’s Virtualization Team blog.

vCloud Automation Center (vCAC) 5.x admins and architects might get surprised by vCAC 6.x construct naming, thinking VMware has abandoned the constructs vCAC used in the past. After a closer look, you will notice the construct functionalities are still the same as they used to be in 5.x. They were just renamed to fit the wider audience vCAC is currently addressing, and to be better aligned with broader functionality. The main difference is that a new Tenant Construct that did not exist in 5.2 was introduced in vCAC 6.x, as vCAC 5.2 did not support multi-tenancy.

I get asked quite often about the construct mapping between vCAC 5.2 and 6.x. The longer I deliver just vCAC 6.x engagements, the more I forget the construct mapping between vCloud Automation Center 5.2 and 6.x, so I decided to document it as a reference for myself and anyone else who needs it. Below is the best diagram I was able to find that highlights the construct mapping between vCAC 5.2 and vCAC 6.x:

vCAC Construct Mapping

 

Hope this helps those of you familiar with vCAC 5.2 jump on 6.x with confidence.


Eiad Al-Aqqad is a Senior Consultant within the SDDC Professional Services practice. He has been an active consultant using VMware technologies since 2006. He is VMware Certified Design Expert (VCDX#89), as well as an expert in VMware vCloud, vSphere, and SRM. Read more from Eiad at his blog, Virtualization Team, and follow him on Twitter @VirtualizationT.

Cloud Automation Requirements from the Field

By Jung Hwang, Enterprise Solutions Architect, VMware

IT organizations adopt private cloud solutions for two main reasons: to gain agility and to improve efficiency of the services they offer. VMware’s vCloud Automation Center (vCAC) solution offers workload lifecycle capabilities that help IT organizations automate and centrally manage IT tasks that were traditionally done manually. Although vCAC has robust out-of-the-box (OOTB) capabilities that address many of these manual processes, enabling business and IT logic on top of the OOTB capabilities has helped many of our customers to reach their goals and realize the true value of automation. Below we’ll explore three requirements we have seen enabled on top of the vCAC OOTB capabilities.

Generate Custom Host Names
Although this seems to be a straightforward process, maintaining consistent host names can be challenging, especially in the private cloud environment where the virtual machine provisioning is automated without any IT staff’s involvement.

Within vCAC, administrators have some ability to add a prefix and a suffix to host names, but many customers need more custom fields, such as the environment (Prod/Dev/QA), type (Application/Web/DB), location (NA/EMEA), and incremental numbers (00X). (For example, a host name could be PROD-SQL-NA-001.) Every customer has a unique naming standard – because of this, VM host name assignment should be automated in vCAC to further minimize the manual intervention.

Active Directory Organization Unit (OU) Placement
Related to the host names issue, vCAC can integrate with Active Directory and will place VMs in a default computer object container within Active Directory. Our customers often have complex Active Directory Organizational Unit (OU) structures. Based on the host name assigned by vCAC, customers want to place the VM in the specific Active Directory OU. This will minimize unnecessary steps required to associate automatically provisioned VMs by vCAC. Moving VMs from the default computer object container to other containers can be as easy as a drag and drop operation, but when 10s or even 100s of VMs are provisioned via a self-service portal, placing a VM to the right OU based on the host name becomes an important task.
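The two requirements above (custom host names and OU placement derived from them) can be sketched together. This is an added example, not code from the original post or from vCAC: the allowed field values, the OU layout, and the domain `DC=corp,DC=example` are assumptions. It validates every field against an allow-list before building the distinguished name, so a name submitted through a self-service portal cannot steer a VM into an unintended container.

```python
import re

# Assumed naming standard: ENV-TYPE-LOC-NNN, e.g. PROD-SQL-NA-001.
# Allowed values, OU layout and domain are constructed for this example.
ENVIRONMENTS = {"PROD", "DEV", "QA"}
TYPES = {"APP", "WEB", "SQL"}
LOCATIONS = {"NA", "EMEA"}
HOSTNAME_RE = re.compile(r"([A-Z]+)-([A-Z]+)-([A-Z]+)-(\d{3})")
BASE_DN = "DC=corp,DC=example"  # hypothetical domain


def parse_hostname(name):
    """Split a host name into its fields, rejecting anything off-standard."""
    m = HOSTNAME_RE.fullmatch(name)  # fullmatch: no trailing characters allowed
    if not m:
        raise ValueError(f"host name does not match ENV-TYPE-LOC-NNN: {name!r}")
    env, kind, loc, seq = m.groups()
    if env not in ENVIRONMENTS or kind not in TYPES or loc not in LOCATIONS:
        raise ValueError(f"unknown field value in host name: {name!r}")
    return env, kind, loc, int(seq)


def next_hostname(env, kind, loc, existing):
    """Return the lowest unused name for this environment/type/location."""
    prefix = f"{env}-{kind}-{loc}-"
    parse_hostname(prefix + "001")  # validates the three fields
    used = set()
    for name in existing:
        if name.startswith(prefix) and HOSTNAME_RE.fullmatch(name):
            used.add(int(name[-3:]))
    for seq in range(1, 1000):
        if seq not in used:
            return f"{prefix}{seq:03d}"
    raise RuntimeError(f"no free sequence numbers left for {prefix}")


def ou_for_hostname(name):
    """Build the target OU from validated fields only, never from raw input."""
    env, kind, loc, _ = parse_hostname(name)
    return f"OU={kind},OU={env},OU={loc},OU=Servers,{BASE_DN}"


if __name__ == "__main__":
    inventory = ["PROD-SQL-NA-001", "PROD-SQL-NA-002", "DEV-SQL-NA-003"]  # constructed
    new_name = next_hostname("PROD", "SQL", "NA", inventory)
    print(new_name, "->", ou_for_hostname(new_name))
```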

Configuration Management Database (CMDB) Integration and Configuration Item (CI) Management
Another common requirement is integrating vCAC with CMDB. Traditionally, updating and maintaining CIs were manual tasks, but they would be extremely difficult to do manually in a private cloud environment when VMs are provisioned and decommissioned based on the policy. The consumer of the vCAC solution will also be able to make changes with VM specifications so the integration with CMDB is another important area. Since the VMs will be requested via vCAC, vCAC can capture the VM specifications to create and update CIs in CMDB. The integration and automation can be enabled during the provisioning (when VMs are initially deployed), management (when VM specifications are changed by the owner), and decommissioning (when VMs are deleted).

The key to success and further identifying automation opportunities is understanding the customer’s end-to-end processes and translating them to new, private cloud processes. As we listen to our customers we can bring them more of what they need.


Jung I. Hwang is an Enterprise Solutions Architect and a member of VMware’s Services organization. Jung is responsible for creating solution roadmaps and execution plans with VMware’s products and services portfolio to solve customers’ business and technology challenges and initiatives.

vCloud Automation Center 6 Certificates A to Z

By Eiad Al-Aqqad, Senior Consultant, VMware Professional Services

While working on delivering vCAC 6 engagements, I have noticed that getting all the required certificates in place has always involved jumping across different information sources, from VMware documentation and blogs to other consultants’ work. I have created the following guide to make the process easier. This is the first of three posts that cover the certificates process for a new vCAC 6.x installation from A-Z, beginning with how to install your own CA and continuing through assigning the certificates to each component.

First, I have to give credit where it is due. This document includes information from the following sources:

While I have used a lot of material from the above sources, I have also applied these steps at various customer sites, and carried out the full process in my lab. I hope you will find it useful.

Before You Begin
There are some important recommendations and requirements before you get started.

  1. VMware recommends a domain certificate or a wildcard domain certificate for a distributed installation.
  2. The certificate must be in PFX (for Windows) and PEM (for Appliances and Load Balancer) formats. (See table below.)

Certificates needed

While this post focuses on generating and using certificates for a new vCAC 6 installation, if you have an existing installation and vCAC 6 setup and you want to replace your self-signed certificates with signed certificates, you need to consider the following:

  1. Update component certificates in the following order:
    1. Identity Appliance
    2. vCloud Automation Center Appliance
    3. IaaS components

Note: With one exception, changes to later components do not affect earlier ones. For example, if you import a new certificate to a vCloud Automation Center Appliance, you must register this change with the IaaS server, but not with the Identity Appliance. The exception is that an updated certificate for IaaS components must be registered with vCloud Automation Center Appliance.

The table below shows registration requirements when you update a certificate.

Registration requirements

Step 1: Installing Domain CA
This section documents how to create the Domain Certificate Authority that you will later use to generate your certificates.

      1. In the Select Server Roles screen, click to select Install Active Directory Certificate Services.
        Select Server Roles screen
      2. In the Select Role Services screen, click to select both Certification Authority and Certification Authority Web Enrollment.
        Select Role Services screen
      3. In the Specify Setup Type screen, click to select Enterprise.
        Specify Setup Type screen
      4. If this is your first CA, in the Specify CA Type screen, click to select Root CA.
        Specify CA Type screen
      5. In the Set Up Private Key screen, click to select Create a new private key.
        Set Up Private Key screen
      6. In the Configure Cryptography for CA screen, make the selections as shown in the below screenshot.
        Configure Cryptography for CA screen
      7. In the Configure CA Name screen, type in the name of your CA.
        Configure CA Name screen
      8. In the Set Validity Period screen, use the drop-down menu to select the appropriate period for the certificate generated by this CA.
        Set Validity Period screen

Step 2: Creating vCAC Certificate Templates
To allow for export of the certificate key, you need to create a non-standard certificate template, which is a modified copy of the standard web server template. In addition, the Microsoft CA will be updated to allow for Subject Alternative Names (SANs) as specified in the attributes.

To create a new, non-standard default template:

      1. Connect to the Root CA server or Subordinate CA server via RDP.
      2. Click Start > Run, type certtmpl.msc, and click OK. The Certificate Template Console opens.
      3. In the middle pane, under Template Display Name, locate Web Server.
      4. Right-click Web Server and click Duplicate Template.
      5. In the Duplicate Template window, select Windows Server 2003 Enterprise for backward compatibility.
      6. Click the General tab.
      7. In the Template Display Name field, enter vCAC Certificate as the name of the new template.
      8. Click the Extensions tab.
      9. Select Key Usage and click Edit.
      10. Select the Signature is proof of origin (nonrepudiation) option.
      11. Select the Allow encryption of user data option.
      12. Click OK.
      13. Select Application Policies and click Edit.
      14. Click Add.
      15. Select Client Authentication.
      16. Click OK.
      17. Click OK again.
      18. Click the Subject Name tab.
      19. Ensure that the Supply in the request option is selected.
      20. Click the Request Handling tab.
      21. Ensure that the Allow private key to be exported option is selected.
      22. Click OK to save the template.

 

To add a new template to certificate templates:

      1. Connect to the Root CA server or Subordinate CA server via RDP.
        Note: Connect to the CA server in which you intend to perform your certificate generation.
      2. Click Start > Run, type certsrv.msc, and click OK. The Certificate Server console opens.
      3. In the left pane, if collapsed, expand the node by clicking the [+] icon.
      4. Right-click Certificate Templates and click New > Certificate Template to Issue.
      5. Locate vCAC Certificate under the Name column.
      6. Click OK.

A new template option is now created in your Active Directory Certificate Services node. This new template can be used in place of Web Server for the vSphere 5.x CA certificate.
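The template built in Step 2 lets the requester supply the subject name, adds Client Authentication, and allows key export, so who holds the Enroll right on it and whether requests need approval are worth checking once it is published. The following is an added example, not part of the original post: it reviews a template's Active Directory attributes for that combination. The sample attribute values, the ACL summary `enroll_principals`, and the group `vCAC-Cert-Admins` are constructed.

```python
# Flag values are from Microsoft's certificate template specification (MS-CRTD).
ENROLLEE_SUPPLIES_SUBJECT = 0x1   # bit in msPKI-Certificate-Name-Flag
PEND_ALL_REQUESTS = 0x2           # bit in msPKI-Enrollment-Flag (CA manager approval)
EXPORTABLE_KEY = 0x10             # bit in msPKI-Private-Key-Flag
OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
BROAD_GROUPS = {"Authenticated Users", "Domain Users", "Domain Computers", "Everyone"}


def audit_template(t):
    """Return findings for one template, given as a dict of its AD attributes.

    'enroll_principals' is not an AD attribute: it stands for the accounts
    holding the Enroll right in the template's ACL, resolved beforehand.
    """
    findings = []
    supplies_subject = bool(t["msPKI-Certificate-Name-Flag"] & ENROLLEE_SUPPLIES_SUBJECT)
    client_auth = OID_CLIENT_AUTH in t["pKIExtendedKeyUsage"]
    gated = (bool(t["msPKI-Enrollment-Flag"] & PEND_ALL_REQUESTS)
             or t.get("msPKI-RA-Signature", 0) > 0)
    broad = sorted(BROAD_GROUPS & set(t["enroll_principals"]))

    if supplies_subject and client_auth and not gated:
        findings.append("subject supplied in request + Client Authentication, no approval step")
        if broad:
            findings.append("Enroll right held by broad group(s): " + ", ".join(broad))
    if t["msPKI-Private-Key-Flag"] & EXPORTABLE_KEY:
        findings.append("private key exportable: control access to exported PFX files")
    return findings


# Constructed sample: the template as Step 2 configures it, with a constructed ACL.
VCAC_TEMPLATE = {
    "cn": "vCAC Certificate",
    "msPKI-Certificate-Name-Flag": ENROLLEE_SUPPLIES_SUBJECT,
    "msPKI-Enrollment-Flag": 0,
    "msPKI-Private-Key-Flag": EXPORTABLE_KEY,
    "pKIExtendedKeyUsage": [OID_SERVER_AUTH, OID_CLIENT_AUTH],
    "enroll_principals": ["Domain Admins", "Authenticated Users"],
}
# Same template with approval required and enrollment limited to a hypothetical group.
VCAC_TEMPLATE_GATED = {
    **VCAC_TEMPLATE,
    "msPKI-Enrollment-Flag": PEND_ALL_REQUESTS,
    "enroll_principals": ["vCAC-Cert-Admins"],
}

if __name__ == "__main__":
    for tpl in (VCAC_TEMPLATE, VCAC_TEMPLATE_GATED):
        print(tpl["cn"], "->", audit_template(tpl) or "no findings")
```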

Step 3: Installing OpenSSL version 0.9.8.
Use the following steps to install OpenSSL, which will be used to request the required certificates.

Important: Ensure that you are using OpenSSL version 0.9.8. If you do not use this version, the SSL implementation will fail.

To set up OpenSSL:

      1. Ensure that the Microsoft Visual C++ 2008 Redistributable Package (x86) is installed on the system on which you want to generate the requests. To download the package, see the Microsoft Download Center.
      2. Download the Shining Light Productions installer for OpenSSL x86 version 0.9.8r or later at http://www.slproweb.com/products/Win32OpenSSL.html. This software was developed by the OpenSSL Project.
      3. Launch the installer, proceed through the installation, and note the appropriate directory for later use. By default, it is located at c:\OpenSSL-Win32.

This tutorial includes two additional posts, which you can find on my blog at the following links:

Post 2: Generating Certificates for the identity Appliance/vCAC Appliance
Post 3: Generating Certificates for vCAC 6 IaaS Web Server & Manager Service



New Technology Implementation Plan: Start by Stepping Back

By Jeremy Carter, VMware Senior Consultant

I’ve been working on a customer engagement recently that takes advantage of vCloud Automation Center (vCAC), which is designed to centralize and automate key IT activities, freeing the organization to focus on the needs of internal and external customers.

In our deployment of vCAC, I’ve been reminded of a key principle of IT and business transformation: The technology is only part of the process. Often a shift in technology requires a period of assessment and realignment that is as valuable as the technology itself.

When the VMware Professional Services team is brought in for an engagement, the company wants to get the best return on its investment, so the IT team is receptive to our schedule of meetings and stock-taking. But every IT organization will benefit by starting their new technology implementation plan by stepping back to survey the systems in place before integrating a new one.

We put a lot of emphasis on investigating how things are currently done, often starting by asking the teams to draw their processes, for creating a virtual machine, for instance. Frequently we find they have two or three different processes in place, depending on who’s making the request. This is especially common in government and higher education, where each department is likely to have its own IT team and strategy.

The unfortunate fact is that automation still scares people, thinking they’re going to be out of a job. On the contrary, if you look at any IT organization out there, you’ll see that it’s overwhelmed with tasks, many of which are never getting done. Automation can give them time back to focus on what’s important to their customers.

A new implementation is a perfect opportunity to look at which processes are working the best and align all the teams to them. When a team sees that they’ll be able to provide a better experience and quicker turnaround, their resistance to automation often fades.

And luckily vCAC provides enough flexibility that users don’t have to adopt exactly the same systems across the organization. With a college I worked with recently, we were able to build on what teams are already doing. Next we focused on handoff systems to cut down on the number of emails flying around: one for DNS, another to install the OS, etc.

This process—of assessing current processes, building in automation and consistency, and then refocusing on customer needs—is undeniably valuable. But it does take time. It’s worth putting these reassessments on the calendar every 6 or 12 months; if that doesn’t work, I recommend taking the opportunity presented by the implementation of a new technology to keep moving toward the best your organization can be.


Jeremy Carter is a Senior Consultant with VMware and is focused on the Software Defined Data Center (SDDC). He has special expertise in cloud infrastructure and automation, and BCDR. Over his 14 years in IT he has gained a variety of experience as an architect, DBA, and developer. Prior to joining VMware, Jeremy was a Principal Architect at one of the largest VMware service providers. 

 

4 Ways To Overcome Resistance to the Cloud

By Brett Parlier, Solutions Architect, VMware Professional Services

There’s a lot of excitement about cloud computing right now, but I also run into an equal amount of trepidation. In particular, networking pros are worried that increasingly advanced automation will soon put them out of a job.

This is just one of several common points of resistance to the big changes happening in IT. I want to talk about four of them and provide some advice on how to reframe the discussion for clients, colleagues, and possibly yourself.

1. You’re going to automate my job away!

I heard this a lot after the announcement of VMware’s NSX network virtualization platform in August. My response? That’s the same thing all the server guys said 10 years ago when virtualization came out. It just doesn’t happen.

The Snowden Leak: A Windfall for Hybrid Cloud?

By Richard Rees, Security & Compliance Architect, VMware Professional Services

Interest in hybrid cloud has risen since Edward Snowden’s leak in May revealing vast surveillance operations by the US government, according to VMware CEO Pat Gelsinger and COO Carl Eschenbach during a VMworld Q&A last week.

That’s not surprising, since hybrid clouds allow businesses to keep their data in their own house and out of the prying eyes of government. That’s undoubtedly attractive for foreign companies doing business with or in the United States, since the US government was revealed to be focusing their monitoring efforts on emails sent to or received from another country.

Even if you aren’t worried about the NSA, I’m guessing you’d prefer the government not to have access to your business’s (or your customers’) information without your knowledge.

Hybrid: The best of both clouds

Enter the hybrid cloud. With a hybrid platform, businesses get the convenience and flexibility of a public cloud, but all access to sensitive data is handled through the organization’s private cloud.