vRealize Automation Archives - Page 2 of 2

Rubrik Dynamic Day2Operation with vRealize Automation

In my previous blog we created a dynamic populated drop-down list with all available Rubrik SLA domain names. This drop-down list was used in a standard vRA IaaS request form when requesting a new virtual machine.

After doing some testing at my customers environment, we discovered that our current approach for facilitating backups with Rubrik through vRealize Automation was not efficient enough.

This was caused by the behavior of how Rubrik can include a virtual machine into backup. Before a newly deployed virtual machine is available for assigning a SLA domain name, it needs to be recognized by Rubrik. To be recognized by Rubrik, we needed to force a Rubrik discovery of vCenter objects after every virtual machine deployment with vRealize Automation.

This resulted in long virtual machine deployment times because every deployment needed to wait on a task for Rubrik discovery of vCenter objects. To make it even worse, multiple tasks for Rubrik discovery of vCenter objects get queued when more virtual machines are requested frequently or simultaneously. Eventually this resulted in failed virtual machine deployments because the vRO actions used in the Rubrik vRO workflows are receiving a time-out.

However, out-of-the-box, a Rubrik discovery of vCenter objects task is triggered a couple of times per hour. With the knowledge that you can assign a default SLA domain on vCenter objects (vCenter Server, vCenter Cluster or vCenter ESXi Host), we decided to change our backup strategy.

We are now assigning a default SLA domain name on the vCenter Cluster level, so every requested virtual machine with vRA will be automatically in backup. Instead of asking the SLA domain name on the the vRA request form, we are now offering a vRA Day2Operation to dynamically change the Rubrik SLA domain name. This blog reveals how we configured this vRA Day2Operation.

First we created a copy/duplicate of the Rubrik vRO workflow “Rubrik Assign VM to SLA Domain”. Name this new workflow “Rubrik Change SLA Domain”.
Edit the “Rubrik Change SLA Domain” workflow. Go to the presentation tab and add a property of the type “predefined answers” to the input parameter “slaDomainName”.
Assign the action “rubrikGetAllSLA” (The one we created in my previous blog post) as a value to this new property.
Save the new workflow and it is ready to be used as a Day2Operation in vRealize Automation.
Now create a resource action in vRA based on the newly created vRO workflow “Rubrik Change SLA Domain”.
Next, publish the resource action and assign it to your entitlement.
When you now select your provisioned virtual machines under Items in vRA, you will see your newly created Day2Operation “Rubrik Change SLA Domain”.
Now lets test the new available vRA Day2Operation. After you select it, it will ask you for the new Rubrik SLA domain name. Make you choice, change the Rubrik SLA domain name of your virtual machine and click Submit.
Thats’s it! You now have changed the Rubrik SLA domain name of your virtual machine. Enjoy consuming Rubrik through vRA.

All available Rubrik SLA domain names dynamically populated in standard vRA IaaS Request Forms

Anyone familiar with Rubrik? Rubrik Cloud Data Management delivers automated backup, instant recovery, offsite replication, and data archival in a simple, scale out platform built for hybrid cloud. For more information go to https://www.rubrik.com/product/overview/

My current customer is using Rubrik as a backup solution for their vSphere managed virtual machines. They are also using vRealize Automation 7.x as their preferred private cloud solution.

With vRA 7 they automated the deployment of their Windows and Linux virtual servers. As part of their deployment process, they needed an automated integration with Rubrik. They asked me to dynamically populate a drop-down list on a vRA 7 request form with all available SLA domain names from their Rubrik environment. These SLA domain names must be based on actual “live” information. One of the good things about Rubrik, is that it ships with a REST API. This blog reveals how I full-filled my customer use case.

To start the integration with Rubrik into vRealize Automation, I downloaded the latest version of vRealize Orchestrator package for Rubrik. This package is compatible for Rubrik v3.0 API calls. You can download this package from the following location: https://github.com/rubrikinc/vRO-Workflow/releases/tag/3.0.0
Now import this vRO package into your vRO environment. It contains the following workflows and actions, a configuration element and a rubrik logo.
To configure the Rubrik integration into vRealize Orchestrator, you have to run the vRO workflow “Rubrik Add Cluster Instance”. This will add a the Rubrik appliance as a REST Host to the vRO Inventory section and will also store the required Rubrik information in a vRO configuration element.
To address my customer requirements, I needed to create a vRO action that combined a couple of the Rubrik library actions including a slightly modified Rubrik library action. On top of this I needed to remove any input requirements for these vRO actions to simplify the integration into vRealize Automation. The populated vRO configuration element with all the required Rubrik information was very helpful for this challenge.
I created a copy of the Rubrik Library action “rubrikGetSLAID” and named it “rubrikGetAllSLA”. Inside the “rubrikGetAllSLA” action, I stored the values of the required Rubrik configuration element attributes into local variables to feed the inputs of the called out Rubrik Library actions “rubrikGetToken” and “base64Encode_1”. As a result of this, I was able to run the modified Rubrik Library action “rubrikGetSLAID” which returns an array of strings containing the available Rubrik SLA domain names.

The contents of the vRO action “rubrikGetAllSLA” is shown below.

// Read Attribute Values from Rubrik configurationElement
var category = Server.getConfigurationElementCategoryWithPath("Library/Rubrik");
var elements = category.configurationElements;
 
System.log("category : "+category);
System.log("elements : "+elements);
 
for each(var ce in elements)
{
if(ce.name == "Rubrik")
                {
                               rubrikHost = ce.getAttributeWithKey("rubrikHost").value;
                               api_url = ce.getAttributeWithKey("api_url").value;
                               query_limit = ce.getAttributeWithKey("query_limit").value;
                               username = ce.getAttributeWithKey("username").value;
                               password = ce.getAttributeWithKey("password").value;
                }
}
 
// Re-used vRO Action rubrikGetToken from package com.rubrik.library.rest.package
token = System.getModule("com.rubrik.library.rest").rubrikGetToken(rubrikHost,username,password,query_limit,api_url) ;
// Re-used vRO Action base64Encode_1 from package com.rubrik.library.rest.package
tokenBase64 = System.getModule("com.rubrik.library.rest").base64Encode_1(token) ;
 
// Modified vRO Action rubrikGetSLAID from package com.rubrik.library.rest.package
//
// NAME             - TYPE                - DESCRIPTION
// ----------------------------------------------------
// <INPUT PARAMETERS>
// tokenBase64      - string              - Rubrik authentication token
// rubrikHost       - REST:REST Host      - Rubrik REST host
// slaDomainName    - string              - SLA Domain Name
// query_limit                   - number                                              - Query limit
// api_url                                            - string                                   - API URL
//
// <RETURN VALUE>
// N/A              - string              - SLA Domain ID
 
//Construct REST call
var method = "GET";
var url = api_url + "sla_domain?limit=" + query_limit;
var content = null;
var request = rubrikHost.createRequest(method, url, content);
var token2 = ("Basic " + tokenBase64);
request.contentType = "application\/json";
request.setHeader("Accept", "application/json");
request.setHeader("Authorization", token2);
 
//Log REST Call Info
System.log("token = " + token2);
System.log("REST URL = " + request.fullUrl);
System.log("REST Content = " + content);
 
//Execute REST Call
try {
                var response = request.execute();
}
catch (ex) {
                System.error("REST call failed");
                throw "Stopping Execution";
}
 
//Evaluate REST Response
var statusCode = response.statusCode;
if (statusCode == 200) {
                System.log("REST Execution Successful");
}
else {
                System.log("ERROR Executing REST operation");
                System.error("Status Code = " + statusCode);
                throw "Stopping Execution";
}
 
//Loop Through SLA Domains to populate array with all available SLA Domains
var json = (JSON.parse(response.contentAsString)).data;
var slaDomainNames = Array();
 
for(var i = 0; i < json.length; i++) {
                var obj = json[i];
                System.log("slaDomainName = "+obj.name);
                slaDomainNames.push(obj.name);
}
 
return slaDomainNames;

// Read Attribute Values from Rubrik configurationElement

var category = Server.getConfigurationElementCategoryWithPath("Library/Rubrik");

var elements = category.configurationElements;

System.log("category : "+category);

System.log("elements : "+elements);

for each(var ce in elements)

{

if(ce.name == "Rubrik")

{

rubrikHost = ce.getAttributeWithKey("rubrikHost").value;

api_url = ce.getAttributeWithKey("api_url").value;

query_limit = ce.getAttributeWithKey("query_limit").value;

username = ce.getAttributeWithKey("username").value;

password = ce.getAttributeWithKey("password").value;

}

// Re-used vRO Action rubrikGetToken from package com.rubrik.library.rest.package

token = System.getModule("com.rubrik.library.rest").rubrikGetToken(rubrikHost,username,password,query_limit,api_url) ;

// Re-used vRO Action base64Encode_1 from package com.rubrik.library.rest.package

tokenBase64 = System.getModule("com.rubrik.library.rest").base64Encode_1(token) ;

// Modified vRO Action rubrikGetSLAID from package com.rubrik.library.rest.package

// NAME - TYPE - DESCRIPTION

// ----------------------------------------------------

// <INPUT PARAMETERS>

// tokenBase64 - string - Rubrik authentication token

// rubrikHost - REST:REST Host - Rubrik REST host

// slaDomainName - string - SLA Domain Name

// query_limit - number - Query limit

// api_url - string - API URL

// <RETURN VALUE>

// N/A - string - SLA Domain ID

//Construct REST call

var method = "GET";

var url = api_url + "sla_domain?limit=" + query_limit;

var content = null;

var request = rubrikHost.createRequest(method, url, content);

var token2 = ("Basic " + tokenBase64);

request.contentType = "application\/json";

request.setHeader("Accept", "application/json");

request.setHeader("Authorization", token2);

//Log REST Call Info

System.log("token = " + token2);

System.log("REST URL = " + request.fullUrl);

System.log("REST Content = " + content);

//Execute REST Call

try {

var response = request.execute();

}

catch (ex) {

System.error("REST call failed");

throw "Stopping Execution";

}

//Evaluate REST Response

var statusCode = response.statusCode;

if (statusCode == 200) {

System.log("REST Execution Successful");

}

else {

System.log("ERROR Executing REST operation");

System.error("Status Code = " + statusCode);

throw "Stopping Execution";

}

//Loop Through SLA Domains to populate array with all available SLA Domains

var json = (JSON.parse(response.contentAsString)).data;

var slaDomainNames = Array();

for(var i = 0; i < json.length; i++) {

var obj = json[i];

System.log("slaDomainName = "+obj.name);

slaDomainNames.push(obj.name);

}

return slaDomainNames;

The result of the vRO action “rubrikGetAllSLA” is shown below.
To dynamically populate a drop-down list in a vRA 7 standard IaaS request form with all available Rubrik SLA domain names, I needed to create a custom property with the name “Vm.RubrikSLADomain” on the standard IaaS blueprints for the Windows and Linux deployments. Secondly I needed to create a vRA property definition based on an external value, which is in fact the vRO action that I created before. Below is my example of this vRA property definition.
Finally, when I request a new virtual machine with vRealize Automation 7.x, it looks like the screenshot below. (The below example is based on a deployment for a Linux virtual machine).
Enjoy using vRA, vRO and Rubrik 😉

How to consume the vRO 7.x API with Oauth2.0 Authentication

Most of us know that vRO has a REST API and that every request to this Orchestrator REST API must be authorized by an authenticated user.
Depending on whether you configure Orchestrator with LDAP,vCenter Single Sign-On or Oauth2.0, the authentication scheme for the Orchestrator REST API is different.

The most commonly way to consume the Orchestrator REST API, is based on LDAP Authentication. The downside of this approach is, that you must apply the Basic HTTP authentication scheme on the vRO virtual appliance or on the vRA virtual appliance when using the embedded vRO instance.

To apply the Basic HTTP authentication scheme, you need to add the following property to vmo.properties configuration file:

com.vmware.o11n.sso.basic-authentication.enabled = true

The vRO API documentation can be found on:

https://<fqdn-vro-virtual-appliance>:8281/vco/api/docs/index.html

https://<fqdn-vra-virtual-appliance>/vco/api/docs/index.html

HOWEVER, if Orchestrator is configured with vIDM you can use an oauth bearer access token to access system objects in Orchestrator through the REST API. This also removes the requirement to apply the Basic HTTP authentication scheme. vIDM Authentication is THE recommended authentication mechanism when using vRO 7.x together with vRA 7.x !

This blogpost reveals how to consume the vRO 7.x REST API with Oauth2.0 Authentication!

First you need to lookup the client id. You can do this by logging into the vRA virtual appliance with your favorite SSH client. The <CLIENT_ID> can be found in /etc/vcac/solution-users.properties. For this request to work you will need the cafe_cli client. The following script should print it in the console. (grep -i cafe_cli= /etc/vcac/solution-users.properties | sed -e ‘s/cafe_cli=//’)

Secondly write down the following prerequisites <vRA VA>, <TENANT>, <USERNAME> and <PASSWORD>. Please note that the <USERNAME> must be entered the same way it is entered on the login page. The <DOMAIN> is the fully qualified name of the domain of the user. You can find it by searching for the user in ‘Administration -> Users & Groups -> Directory Users and Groups’.

In my example I used the following values:

<vRA VA> = pb0vrava03.flexlab.local
<TENANT> = vsphere.local
<CLIENT_ID> = cafe_cli-7q28CXzOJA
<USERNAME> = adm_dennis
<PASSWORD> = Password!
<DOMAIN> = flexlab.local

In my example I used the following values:

<vRA VA> = pb0vrava03.flexlab.local

<TENANT> = vsphere.local

<CLIENT_ID> = cafe_cli-7q28CXzOJA

<USERNAME> = adm_dennis

<PASSWORD> = Password!

<DOMAIN> = flexlab.local

Now you have gathered all the prerequisites, you can request the bearer token with the following REST API call.

Url:
POST --> https://pb0vrava03.flexlab.local/SAAS/t/vsphere.local/auth/oauthtoken?grant_type=password
 
Header:
Content-Type --> application/x-www-form-urlencoded
 
Request Body:
username=adm_dennis&password=Password!&client_id=cafe_cli-7q28CXzOJA&domain=flexlab.local
 
Response Body:
{
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJhMTgxNWVjOC1kNTEwLTQyMTktYWY5NS1iYWQ0NjBlNjQ5NzEiLCJwcm4iOiJhZG1fZGVubmlzQFZTUEhFUkUuTE9DQUwiLCJkb21haW4iOiJmbGV4bGFiLmxvY2FsIiwidXNlcl9pZCI6IjE5MiIsImF1dGhfdGltZSI6MTQ4NTE3OTM1OCwiaXNzIjoiaHR0cHM6Ly92cmE3cG9ydGFsLmZsZXhsYWIubG9jYWwvU0FBUy90L3ZzcGhlcmUubG9jYWwvYXV0aCIsImF1ZCI6Imh0dHBzOi8vdnJhN3BvcnRhbC5mbGV4bGFiLmxvY2FsL1NBQVMvdC92c3BoZXJlLmxvY2FsL2F1dGgvb2F1dGh0b2tlbiIsImN0eCI6Ilt7XCJtdGRcIjpcInVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkUHJvdGVjdGVkVHJhbnNwb3J0XCIsXCJpYXRcIjoxNDg1MTc5MzU4LFwiaWRcIjo0fV0iLCJzY3AiOiJ1c2VyIiwiaWRwIjoiMCIsImVtbCI6ImRkZXJrc0B2bXdhcmUuY29tIiwiY2lkIjoiY2FmZV9jbGktN3EyOENYek9KQSIsImRpZCI6IiIsIndpZCI6IiIsImV4cCI6MTQ4NTIwODE1OCwiaWF0IjoxNDg1MTc5MzU4LCJzdWIiOiJkZGY2YWE3NC05NjM2LTQ2NWMtOTliMS01YmEwM2MzY2Y1YzkiLCJwcm5fdHlwZSI6IlVTRVIifQ.PS0AaoDJfUta8mV437zssDeVkKn-9TuVCPH7fBi4gjknu4r2ba0K04vkELbT2Ivpl1uy4snZkvmQVNTnWlsh6ZpIvvRkjo1bqY1uG1qAcgR2Yd6Pw-U09ppmQrKqBhPS1jUyh_3gJsm21jq4c_zeKrknoLxUx_HiPOzAfcjH1ro",
  "token_type": "Bearer",
  "expires_in": 28799,
  "scope": "user"
}

Url:

POST --> https://pb0vrava03.flexlab.local/SAAS/t/vsphere.local/auth/oauthtoken?grant_type=password

Header:

Content-Type --> application/x-www-form-urlencoded

Request Body:

username=adm_dennis&password=Password!&client_id=cafe_cli-7q28CXzOJA&domain=flexlab.local

Response Body:

{

"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJhMTgxNWVjOC1kNTEwLTQyMTktYWY5NS1iYWQ0NjBlNjQ5NzEiLCJwcm4iOiJhZG1fZGVubmlzQFZTUEhFUkUuTE9DQUwiLCJkb21haW4iOiJmbGV4bGFiLmxvY2FsIiwidXNlcl9pZCI6IjE5MiIsImF1dGhfdGltZSI6MTQ4NTE3OTM1OCwiaXNzIjoiaHR0cHM6Ly92cmE3cG9ydGFsLmZsZXhsYWIubG9jYWwvU0FBUy90L3ZzcGhlcmUubG9jYWwvYXV0aCIsImF1ZCI6Imh0dHBzOi8vdnJhN3BvcnRhbC5mbGV4bGFiLmxvY2FsL1NBQVMvdC92c3BoZXJlLmxvY2FsL2F1dGgvb2F1dGh0b2tlbiIsImN0eCI6Ilt7XCJtdGRcIjpcInVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkUHJvdGVjdGVkVHJhbnNwb3J0XCIsXCJpYXRcIjoxNDg1MTc5MzU4LFwiaWRcIjo0fV0iLCJzY3AiOiJ1c2VyIiwiaWRwIjoiMCIsImVtbCI6ImRkZXJrc0B2bXdhcmUuY29tIiwiY2lkIjoiY2FmZV9jbGktN3EyOENYek9KQSIsImRpZCI6IiIsIndpZCI6IiIsImV4cCI6MTQ4NTIwODE1OCwiaWF0IjoxNDg1MTc5MzU4LCJzdWIiOiJkZGY2YWE3NC05NjM2LTQ2NWMtOTliMS01YmEwM2MzY2Y1YzkiLCJwcm5fdHlwZSI6IlVTRVIifQ.PS0AaoDJfUta8mV437zssDeVkKn-9TuVCPH7fBi4gjknu4r2ba0K04vkELbT2Ivpl1uy4snZkvmQVNTnWlsh6ZpIvvRkjo1bqY1uG1qAcgR2Yd6Pw-U09ppmQrKqBhPS1jUyh_3gJsm21jq4c_zeKrknoLxUx_HiPOzAfcjH1ro",

"token_type": "Bearer",

"expires_in": 28799,

"scope": "user"

}

Finally we can use our bearer token to consume the vRO REST API ! See below for an example when using the external vRO virtual appliance.

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

Url:

GET --> https://pb0vravro701.flexlab.local:8281/vco/api/workflows

Header:

Accept --> application/json

Content-Type --> application/json

Authorization --> Bearer LCJhbGciOiJSUzI1NiJ9.eyJqdGkiOiJhMTgxNWVjOC1kNTEwLTQyMTktYWY5NS1iYWQ0NjBlNjQ5NzEiLCJwcm4iOiJhZG1fZGVubmlzQFZTUEhFUkUuTE9DQUwiLCJkb21haW4iOiJmbGV4bGFiLmxvY2FsIiwidXNlcl9pZCI6IjE5MiIsImF1dGhfdGltZSI6MTQ4NTE3OTM1OCwiaXNzIjoiaHR0cHM6Ly92cmE3cG9ydGFsLmZsZXhsYWIubG9jYWwvU0FBUy90L3ZzcGhlcmUubG9jYWwvYXV0aCIsImF1ZCI6Imh0dHBzOi8vdnJhN3BvcnRhbC5mbGV4bGFiLmxvY2FsL1NBQVMvdC92c3BoZXJlLmxvY2FsL2F1dGgvb2F1dGh0b2tlbiIsImN0eCI6Ilt7XCJtdGRcIjpcInVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOlBhc3N3b3JkUHJvdGVjdGVkVHJhbnNwb3J0XCIsXCJpYXRcIjoxNDg1MTc5MzU4LFwiaWRcIjo0fV0iLCJzY3AiOiJ1c2VyIiwiaWRwIjoiMCIsImVtbCI6ImRkZXJrc0B2bXdhcmUuY29tIiwiY2lkIjoiY2FmZV9jbGktN3EyOENYek9KQSIsImRpZCI6IiIsIndpZCI6IiIsImV4cCI6MTQ4NTIwODE1OCwiaWF0IjoxNDg1MTc5MzU4LCJzdWIiOiJkZGY2YWE3NC05NjM2LTQ2NWMtOTliMS01YmEwM2MzY2Y1YzkiLCJwcm5fdHlwZSI6IlVTRVIifQ.PS0AaoDJfUta8mV437zssDeVkKn-9TuVCPH7fBi4gjknu4r2ba0K04vkELbT2Ivpl1uy4snZkvmQVNTnWlsh6ZpIvvRkjo1bqY1uG1qAcgR2Yd6Pw-U09ppmQrKqBhPS1jUyh_3gJsm21jq4c_zeKrknoLxUx_HiPOzAfcjH1ro

Response Body:

{

"link": [

{

"attributes": [

{

"value": "https://pb0vravro701.flexlab.local:8281/vco/api/workflows/DF8080808080808080808080808080808980808001297259131125b940b51f82d/",

"name": "itemHref"

{

"value": "true",

"name": "canExecute"

{

"value": "true",

"name": "canEdit"

{

"value": "Copy an SNMP query",

"name": "name"

{

"value": "Copies an SNMP query from one device to another.",

"name": "description"

{

"value": "DF8080808080808080808080808080808980808001297259131125b940b51f82d",

"name": "id"

{

"value": "https://pb0vravro701.flexlab.local:8281/vco/api/catalog/System/WorkflowCategory/8a81807c52a26a7c0152a26b23d00017/",

"name": "categoryHref"

{

"value": "Workflow",

"name": "type"

{

"value": "0.0.3",

"name": "version"

{

"value": "Query Management",

"name": "categoryName"

{

"value": "false",

"name": "customIcon"

}

"href": "https://pb0vravro701.flexlab.local:8281/vco/api/workflows/DF8080808080808080808080808080808980808001297259131125b940b51f82d/",

"rel": "down"

{

"attributes": [

{

"value": "https://pb0vravro701.flexlab.local:8281/vco/api/workflows/B98080808080808080808080808080808080808001297259131125b940b51f82d/",

"name": "itemHref"

{

"value": "true",

"name": "canExecute"

{

"value": "true",

"name": "canEdit"

{

"value": "Unregister an SNMP device",

"name": "name"

{

"value": "Unregisters an SNMP device from the plug-in's inventory.",

"name": "description"

{

"value": "B98080808080808080808080808080808080808001297259131125b940b51f82d",

"name": "id"

{

"value": "https://pb0vravro701.flexlab.local:8281/vco/api/catalog/System/WorkflowCategory/8a81807c52a26a7c0152a26b2419001c/",

"name": "categoryHref"

{

"value": "Workflow",

"name": "type"

{

"value": "0.0.2",

"name": "version"

{

"value": "Device Management",

"name": "categoryName"

{

"value": "false",

"name": "customIcon"

}

"href": "https://pb0vravro701.flexlab.local:8281/vco/api/workflows/B98080808080808080808080808080808080808001297259131125b940b51f82d/",

"rel": "down"

{

"attributes": [

{

"value": "https://pb0vravro701.flexlab.local:8281/vco/api/workflows/E28080808080808080808080808080808F80808001297259131125b940b51f82d/",

"name": "itemHref"

{

"value": "true",

"name": "canExecute"

{

"value": "true",

"name": "canEdit"

{

"value": "Get bulk SNMP values",

"name": "name"

}

etc. etc..

Have fun with the vRO REST API 😉

vRA 7.1 brings us a nice OOTB UI for REST API calls

vRA 7.1 comes with a very nice out of the box user interface which brings us unattended installation features and more. All of this is provided via “guided commands” in the form of REST API calls. This new cool feature is accessible via the config page of the vRA virtual appliance VAMI interface.

This blog article describes how to use this new cool functionality.

In my example I am going to prepare my first vRA IaaS server from scratch, create my vRA IaaS SQL database on a remote SQL server and do the vRA IaaS web server installation. This all happens on a guided approach and will be fully automated and unattended.

[Prerequisites]

Deploy and configure a vRA 7.1 virtual appliance.
Deploy and configure a fresh new Windows 2012 R2 server.
Apply the latest MS Hotfixes on this new Windows server.
Install the vRA Management Agent with the credentials of your vRA IaaS service account on this new Windows server.
Give your vRA IaaS Service account local administrator rights on this new Windows server.
Make sure there is a remote SQL server available where your vRA IaaS Service account has been granted the sysadmin role and where MSDTC has been configured properly.

Open the config page from the vRA virtual appliance VAMI interface. eg. https://pb0vrava07.flexlab.local:5480/configThe red marked commands will be used in this example.
First we need to know the NodeId of the management agent running on the new deployed Windows server. To gather that information we are going to execute the GET /node/list command.Click on the Try it out! button and provide the root credentials of the vRA virtual appliance.If everything went OK, you see a Response Code of 200 and you can read the NodeId in the Response Body as shown below.

Now we have the NodeId of the vRA IaaS server, we can prepare this Windows server for the installation of vRA IaaS components. To achieve this we are going to execute the PUT /execute/command/run-prereq/node/{nodeId} command.

Before we are going to execute this command we need to provide the nodeId in here as also the correct parameters. When providing the parameters, make sure that the property ValidationMode is set to True. On this way we can validate the command upfront! If the Response code returns a 200 you are fine. This is also the signal that you can change the property ValidationMode to False and really execute the command. The [nodeid] and [parameters] I used for this command are:

[nodeid]
7DBC582E-D1FD-46AD-B9F3-64ED3F8839B6
 
[parameters]
{
  "ValidationMode": "True",
  "Components": "Database;Website;ManagerService;Dem;Agent",
  "ApplyFixes": "True"
}

[nodeid]

7DBC582E-D1FD-46AD-B9F3-64ED3F8839B6

[parameters]

{

"ValidationMode": "True",

"Components": "Database;Website;ManagerService;Dem;Agent",

"ApplyFixes": "True"

}

Now it’s time to click on the Try it out! button and check the Response Body and Response Code.

As you can see the Response Code returns a 200. Now change ValidationMode to False in the parameters section and click again on the Try it out! button. When the Response Body returns a Status: COMPLETED, the prerequisite command has been finished.

Reboot the vRA IaaS Server and proceed to the following command. We are now going to execute the PUT /execute/command/install-db/node/{nodeId} command. This time, the [nodeid] and [parameters] I used are:

[nodeid]
7DBC582E-D1FD-46AD-B9F3-64ED3F8839B6

[parameters]
{
"ValidationMode":"true",
"UseExistingDatabase":"false",
"UseWindowsAuthentication":"true",
"UseEncryption":"false",
"LogPath":"",
"SqlUser":"",
"SqlServer":"pb0vrasql01.flexlab.local",
"DataPath":"",
"DatabaseName":"vRAIAAS03",
"SqlUserPassword":"",
"InstallationPath":"C:\\Program Files (x86)\\VMware\\vCAC"
}

[nodeid]

7DBC582E-D1FD-46AD-B9F3-64ED3F8839B6

[parameters]

{

"ValidationMode":"true",

"UseExistingDatabase":"false",

"UseWindowsAuthentication":"true",

"UseEncryption":"false",

"LogPath":"",

"SqlUser":"",

"SqlServer":"pb0vrasql01.flexlab.local",

"DataPath":"",

"DatabaseName":"vRAIAAS03",

"SqlUserPassword":"",

"InstallationPath":"C:\\Program Files (x86)\\VMware\\vCAC"

}

Again, if the Response Code returns a 200, change ValidationMode to False and click again on the Try it out! button. When the Response Body returns a Status: COMPLETED, the vRA IaaS Database Component Installation command has been finished.

[Response Body]
Parent command with id='c8f08cc9-36b0-4f51-90dd-90620678ae57' was created.
Waiting all child commands to complete.......
Command execution result:
Command id: 5f20ea59-65ba-43e3-b01b-033947632027
   Type: install-db
   Node id: 7DBC582E-D1FD-46AD-B9F3-64ED3F8839B6
   Node host: pb0vraiaas03.flexlab.local
   Result: The command was successfully executed.
   Result description:
   Status: COMPLETED
 
[Resonse Code]
200

[Response Body]

Parent command with id='c8f08cc9-36b0-4f51-90dd-90620678ae57' was created.

Waiting all child commands to complete.......

Command execution result:

Command id: 5f20ea59-65ba-43e3-b01b-033947632027

Type: install-db

Node id: 7DBC582E-D1FD-46AD-B9F3-64ED3F8839B6

Node host: pb0vraiaas03.flexlab.local

Result: The command was successfully executed.

Result description:

Status: COMPLETED

[Resonse Code]

200

Lastly we are going to execute the PUT /execute/command/install-web/node/{nodeId} command. This time, the [nodeid] and [parameters] I used are:

[nodeid]
7DBC582E-D1FD-46AD-B9F3-64ED3F8839B6

[parameters]
{
"VidmAdminPassword":"MyPassword!",
"ValidationMode":"true",
"UseExistingDatabase":"true",
"UseWindowsAuthentication":"true",
"WebCertificate":"",
"IaaSWebAddress":"pb0vraiaas03.flexlab.local",
"ServiceUserPassword":"MyPassword!",
"UseEncryption":"false",
"VraAddress":"pb0vrava07.flexlab.local",
"SqlUser":"",
"SqlServer":"pb0vrasql01.flexlab.local",
"DatabaseName":"vRAIAAS03",
"DefaultTenant":"vsphere.local",
"VidmAdminUser":"administrator@vsphere.local",
"ServiceUser":"FLEXLAB\\svcvraiaas",
"HttpsPort":"443",
"WebsiteName":"Default Web Site",
"VraWebCertificateThumbprint":"B9D040861416E60DE83E93121AF93F0A0CBFD23C",
"SecurityPassphrase":"FlexPass!",
"SqlUserPassword":"",
"InstallationPath":"C:\\Program Files (x86)\\VMware\\vCAC"
}

[nodeid]

7DBC582E-D1FD-46AD-B9F3-64ED3F8839B6

[parameters]

{

"VidmAdminPassword":"MyPassword!",

"ValidationMode":"true",

"UseExistingDatabase":"true",

"UseWindowsAuthentication":"true",

"WebCertificate":"",

"IaaSWebAddress":"pb0vraiaas03.flexlab.local",

"ServiceUserPassword":"MyPassword!",

"UseEncryption":"false",

"VraAddress":"pb0vrava07.flexlab.local",

"SqlUser":"",

"SqlServer":"pb0vrasql01.flexlab.local",

"DatabaseName":"vRAIAAS03",

"DefaultTenant":"vsphere.local",

"VidmAdminUser":"administrator@vsphere.local",

"ServiceUser":"FLEXLAB\\svcvraiaas",

"HttpsPort":"443",

"WebsiteName":"Default Web Site",

"VraWebCertificateThumbprint":"B9D040861416E60DE83E93121AF93F0A0CBFD23C",

"SecurityPassphrase":"FlexPass!",

"SqlUserPassword":"",

"InstallationPath":"C:\\Program Files (x86)\\VMware\\vCAC"

}

Again, if the Response Code returns a 200, change ValidationMode to False and click again on the Try it out! button. When the Response Body returns a Status: COMPLETED, the vRA IaaS Web Component Installation command has been finished.

Enjoy Automating vRA

How to use a dynamic populated drop-down list with vRA 7 default IaaS blueprints

With vRA 7, the functionality of the default IaaS blueprints are dramatically improved. One of the new cool features is the usage of dropdown lists populated by a vRealize Orchestrator action. This is something we have only seen before in ASD/XaaS blueprints.

This blog article describes how to use this new cool feature.

In my example I am going to create a drop-down list which query’s a specific vCenter folder for existing vSphere templates and returns them in the drop-down list on the request form.

Create your IaaS Blueprint and drag one vsphere virtual machine on the design canvas.
Select the vsphere virtual machine now and you will see the General tab of it’s configuration.
Click on the Build Information tab and specify your vsphere template as below example. I have chosen for template name TMPL-CENTOS-VRAS because selecting a template is required in this type of blueprint. Even when it is not my intention to use this template at all.
Click on the Properties tab and next click on the Custom Properties sub tab. Add a new custom property with the name cloneFrom and make sure you have enabled the check box Show in Request. Otherwise you will not see this custom property on the request form.
You are now done with the IaaS blueprint so click Finish.
Next make your blueprint available as a catalog item in your service catalog. (publish your blueprint, assign a service for this new catalog item and make sure it is part of your end users entitlement.)
When you request your catalog item now, it will look like the below screenshot.
Now it’s time to create your vRO action. So lets open your vRO client, navigate to the action section, select a folder (for where to store your action in), click on create a new action, give it a name (in my example the name is displayTemplatesFromFolderId) and click Ok.

Go to the Scripting tab of your new vRO action. 1. Set your Return type to Array/string 2. Create two attributes. Name one attribute sdkConnection and name the other attribute vcFolderId 3. Make sure the new attributes are of the type string 4. Provide the following JavaScript code:

// find sdkConnection of the type VC:SdkConnection. Provide fqdn of vCenter server 
var sdk = Server.findForType("VC:SdkConnection",sdkConnection);
// Search for vcfolder with the id of vcFolderId
var vcfolder = sdk.getAllVmFolders(null,"xpath:id='"+vcFolderId+"'");
// vcfolder contains an array of folders. The first element of this array will be stored in theVmFolder as a VcVmFolder object
var theVmFolder = vcfolder[0];
// Stores the vm name
var vmsInFolder = theVmFolder.vm;
// Array to store the vms with the status template from a vcfolder
var templatesInFolder = [];
// Temporary variable to find out if one of the vms in the vcfolder has the status of a template
var vmsAvailable = 0;

// Checks if the vcfolder is empty
if (theVmFolder.vm == 0 && vmsAvailable == 0){
System.log("NO VMs in Folder at all");
templatesInFolder.push("NO TEMPLATES");
} else {

// Loops through all vms in the vcfolder and stores only vms with the status template in an array of strings
if (vmsInFolder[0].config.template != null){
	for (i = 0; i < vmsInFolder.length; i++) {
		if (vmsInFolder[i].config.template == true) {
    		System.log("VM : "+vmsInFolder[i].name+" Is a template");
    		templatesInFolder.push(vmsInFolder[i].name);
			}
		else {
    		System.log("VM : "+vmsInFolder[i].name+" Is not a template");
			vmsAvailable = 1;
			} 
	}
}

// Check if none of the available vms in the vcfolder have the status template
if (templatesInFolder[0] == null && vmsAvailable == 1){
System.log("No Templates in Folder");
templatesInFolder.push("NO TEMPLATES");
}
}

// Resturns and Array of strings with includes all vms in the vcfolder with the status template
return templatesInFolder;

// find sdkConnection of the type VC:SdkConnection. Provide fqdn of vCenter server

var sdk = Server.findForType("VC:SdkConnection",sdkConnection);

// Search for vcfolder with the id of vcFolderId

var vcfolder = sdk.getAllVmFolders(null,"xpath:id='"+vcFolderId+"'");

// vcfolder contains an array of folders. The first element of this array will be stored in theVmFolder as a VcVmFolder object

var theVmFolder = vcfolder[0];

// Stores the vm name

var vmsInFolder = theVmFolder.vm;

// Array to store the vms with the status template from a vcfolder

var templatesInFolder = [];

// Temporary variable to find out if one of the vms in the vcfolder has the status of a template

var vmsAvailable = 0;

// Checks if the vcfolder is empty

if (theVmFolder.vm == 0 && vmsAvailable == 0){

System.log("NO VMs in Folder at all");

templatesInFolder.push("NO TEMPLATES");

} else {

// Loops through all vms in the vcfolder and stores only vms with the status template in an array of strings

if (vmsInFolder[0].config.template != null){

for (i = 0; i < vmsInFolder.length; i++) {

if (vmsInFolder[i].config.template == true) {

System.log("VM : "+vmsInFolder[i].name+" Is a template");

templatesInFolder.push(vmsInFolder[i].name);

}

else {

System.log("VM : "+vmsInFolder[i].name+" Is not a template");

vmsAvailable = 1;

}

// Check if none of the available vms in the vcfolder have the status template

if (templatesInFolder[0] == null && vmsAvailable == 1){

System.log("No Templates in Folder");

templatesInFolder.push("NO TEMPLATES");

}

// Resturns and Array of strings with includes all vms in the vcfolder with the status template

return templatesInFolder;

5. Click Save and close

Make a note of your values for sdkConnection (fqdn of your vCenter Server) and vcFolderId (the vCenter folder group-id). In my example, I can find this information in the vRO Inventory section.My value for sdkConnection = pb0vcsa01.flexlab.local My value for vcFolderId = group-v279
Now lets create a new vRA Property Definition
Follow the detailed steps below 1. Name your Property Definition cloneFrom (This is exactly the name as you used for your custom property configured on the IaaS blueprint) 2. For Label type Select Template 3. For Data type select String 4. For Required select Yes 5. For Display advice select Dropdown
Instead of selecting Predefined values in the Value section, select External values.
A new window will open where you have to select your newly created vRO action. When selected click Ok.
Next populate the values for the Input parameters which have been captured in step 6 and finally click Ok.
When you now request your catalog item it will look like the below screenshot.
Enjoy using vRA 7 !

How to find the vRO workflow used for your XaaS Service Blueprint in vRA 7

With vRA 7 we can create XaaS Service Blueprints. These type of blueprints can be used for almost any request you can think about. But what if you need to modify or update this type of service blueprint, how can you find the correct vRO workflow which has been used for this service blueprint ?

This blog article explains how to find it.

Make sure you have a working vRA 7 environment where you have published a XaaS Service Blueprint to your Service Catalog. In this example I am using the XaaS Service Blueprint “Create logical switch“. Now lets find the belonging vRO workflow.
Start your vRO client and navigate to the Inventory Tab. Next unfold your Xaas Service Blueprints, they are located in the folder: vRealize Automation –> <your vrealize virtual appliance> –> Administration –> XaaS Service Blueprints Select the corresponding XaaS Service Blueprint (In my example “Create logical switch“) and make a note of the workflowId (see screenshot).
Now lets create a new simple vRO workflow. In my case the name is “Find my Workflow by ID“.
Go to the Inputs tab and create a new parameter with the Name workflowId and the Type string.
Go to the Ouputs tab and create a new parameter with the Name workflowLocation and the Type Workflow. Create a second new parameter with the Name workflowName and the Type string.
Go to the Schema tab and drag a Scriptable task into your workflow schema.
Select the Scriptable task and click on yellow pencil for edit. Next give it a logical name like Find my Workflow.
Go to the IN tab and click on the create new binding button.
Mark the checkbox workflowId and click Select.
Go to the OUT tab and click on the create new binding button. Mark the checkboxes workflowLocation and workflowName and click Select.
Now go to the Scripting tab and type the following JavaScript code: var workflowLocation = Server.getWorkflowWithId(workflowId);
var workflowName = workflowLocation.name;
If you did everything properly the IN and OUT attributes will change to the color purple in your JavaScript code (as displayed in above screenshot).
The Visual Binding tab will look like the screenshot below. You can now click on Close.
Now Click on Validate to check your workflow for errors. When everything is OK, you will see the message “Workflow is valid!“. Close the validation window and click Save and close.
Click Continue anyway if you don’t want to change the workflow version number. This is the first version of your workflow so this will be fine.
Start your new workflow now and lets see if we can find our XaaS Service Blueprint “Create logical switch“.
Please enter the workflowId you have found in step 2 and click Submit.
If your workflow can find the workflowId you provided, it will succeed successfully. Like the below screenshot.
Now go to the Variables tab and click on the info button of the workflowLocation Value. In here it will reveal the name and the location of your vRO workflow used for your XaaS Service Blueprint “Create logical switch“.

How to configure Kerberos Authentication with vRA 7

With vRealize Automation 7, you can now login into the vRA 7 portal without providing credentials. The vRA portal will automatically use the credentials of the user who is logged in into the Windows server or desktop system. This behaviour is called login via Kerberos Authentication (Only supported on Windows Operating Systems).

This blog article describes how to set this up.

I assume that a directory already has been configured. I my case this is a directory of the type Active Directory with IWA (Integrated Windows Authentication)
Now go to Administration –> Directories Management –> Connectors. Here you can find your Connectors. By default only Password Authentication has been configured.
Click on the Worker link in your connector configuration.
Navigate to the Auth Adapters tab. Here you can see that the KerberosIdpAdapter is Disabled.
Click on the KerberosIdpAdapter link and provide the Directory UID Attribute. In my case it is sAMAccountName. Also enable the checkbox “Enable Windows Authentication” and Click “Save”.
Now you can see that the KerberosIdpAdapter has been enabled.
Go back to the vRA portal where your connector has been configured. As you can see both Authentication Methods “Kerberos and Password” are now available.
Now lets configure the priority of these Authentication Methods. Go to Administration –> Directories Management –> Policies. Here you can see that only the Authentication Method “Password” has been configured for Device Type “Web Browser” in the default_access_policy_set.
Click now on the default_access_policy_set link.
Click on the configured Authentication Method of the Device Type “Web Browser”.
Change the policy rule by configuring kerberos as the primary authentication method and configure password as the fallback authentication method. Next save the updated policy rule. default_access_policy_set.
Now you can see that the Authentication Method of the Device Type “Web Browser” has been configured for Kerberos. Click Save again.
Go to Administration –> Directories Management –> Identity Providers. Click on the Identity Provider link. In my case WorkspaceIDP__1
Click on the Identity Provider link. In my case WorkspaceIDP__1 and find the configured IdP Hostname. Remember the IdP Hostname because you need it to configure your web browsers.
Finally we need to configure the web browser for kerberos authentication. For Internet Explorer and Google Chrome do the following. Open Internet Explorer and go to Internet Options and select the Security Tab.
Select Local Intranet and click Sites.
Click Advanced and Click Add this website to the zone. The configured IdP Hostname is expected in here. Click Close.
Now close your Internet Explorer and Google Chrome Web Browsers and test your vRA Portal with kerberos authentication.
For the Firefox Web Browser it works a little bit different. Open Firefox and type in the address bar “config:about“. Click on the button “I’ll be careful, I promise!”.
In the search bar type “network.neg“
Populate the Preference Name “network.negotiate-auth.trusted-uris” with the configured IdP Hostname.
Now close your Firefox Web Browser and test your vRA Portal with kerberos authentication.

How to configure “Connect using SSH” for Linux virtual machines with vRA 7

With vRealize Automation you can configure an Action (Day 2 Operation) named “Connect using SSH”. This blog article describes how to set this up.

First you need to include the action “Connect using SSH” into your entitlement.

Next you need to assign the following custom properties to your blueprint.

VMware.VirtualCenter.OperatingSystem = centos64Guest
Machine.SSH = True

In my example I am going to use CentOS 6.3. The value of custom property VMware.VirtualCenter.OperatingSystem must be the corresponding VirtualMachineGuestOsIdentifier which is in this scenario centos64Guest

I am using a Property Group named CentOS for this, which contains the required custom properties. This Property Group is added to my blueprint.

This should be all and we can test this functionality now. However if your web browser is now aware of SSH you will end up in the following situation.