In vRealize Automation (formerly known as vCloud Automation Center) 6.0.x, 90 days after deployment of a template you experience issues similar to:
When attempting to log in to tenant, a blank page is displayed with a Submit button in the upper left corner.
You receive a System Exception error when accessing the tenant identity store configuration page and the identity store configuration has disappeared.
Cannot log in to a tenant using an LDAP account.
Unable to add a new identity store configuration to the affected tenant.
The tenant identity store disappears from the SSO Administrator login.
In the catalina.out log file, located at /var/log/vmware/vcac/, you see entries similar to:
12:40:49,190 [tomcat-http--34] [authentication] INFO com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl$RequestResponseProcessor.handleFaultCondition:922 - Failed trying to retrieve token: ns0:RequestFailed: Error occured looking for solution user :: Insufficient access
YYYY-03-18 12:40:49,201 [tomcat-http--34] [authentication] ERROR com.vmware.vcac.platform.service.rest.resolver.ApplicationExceptionHandler.handleUnexpectedException:820 - Failed trying to retrieve token: ns0:RequestFailed: Error occured looking for solution user :: Insufficient access
com.vmware.vim.sso.client.exception.InternalError: Failed trying to retrieve token: ns0:RequestFailed: Error occured looking for solution user :: Insufficient access
In the messages.log file on the Identity Appliance, located at /var/log/, you see entries similar to:
T16:50:18-05:00 lsassd: GSSAPI Error: The referenced context has expired (Unknown error)
T08:34:41-06:00 vmdird: t@139870073485056: Lockout policy check - password expired. (cn=tenantadmin,cn=users,dc=tenant)
T11:58:03-06:00 lsassd: GSSAPI Error: The referenced context has expired (Unknown error)
.....
Account "cn=tenantadmin,cn=users,dc=qic" password expired and caused login/bind from IDM to fail.
YYYY-03-18T11:38:46-06:00 denqca3vcacid01 vmdird: t@140689332778752: LoginBlocked DN (cn=tenantadmin,cn=users,dc=tenant), error (9239)(Account access blocked)
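The two log files carry different halves of the evidence: catalina.out on the vRealize Automation appliance only reports that the solution user lookup failed, while the Identity Appliance's messages.log names the expired or blocked tenant admin DN. The following script is an added example, not part of the Knowledge Base article, that correlates both so an operator can confirm the condition before applying the workaround. The sample log lines are constructed from the entries quoted above; the hostname idappliance and the dc=other tenant are made up for illustration.

```python
import re
from typing import Dict, List

# Constructed sample lines modelled on the entries quoted in the article.
# In production read /var/log/vmware/vcac/catalina.out (vRA appliance) and
# /var/log/messages (Identity Appliance) instead.
SAMPLE_CATALINA = [
    "12:40:49,190 [tomcat-http--34] [authentication] INFO com.vmware.vim.sso.client.impl."
    "SecurityTokenServiceImpl$RequestResponseProcessor.handleFaultCondition:922 - "
    "Failed trying to retrieve token: ns0:RequestFailed: Error occured looking for solution user :: Insufficient access",
    "12:41:02,004 [tomcat-http--35] [catalog] INFO com.vmware.vcac.catalog.service.CatalogService - request accepted",
]
SAMPLE_MESSAGES = [
    "YYYY-03-18T08:34:41-06:00 idappliance vmdird: t@139870073485056: Lockout policy check - password expired. (cn=tenantadmin,cn=users,dc=tenant)",
    "YYYY-03-18T11:38:46-06:00 idappliance vmdird: t@140689332778752: LoginBlocked DN (cn=tenantadmin,cn=users,dc=tenant), error (9239)(Account access blocked)",
    "YYYY-03-18T11:58:03-06:00 idappliance lsassd: GSSAPI Error: The referenced context has expired (Unknown error)",
    "YYYY-03-18T12:00:00-06:00 idappliance vmdird: t@139870073485056: Lockout policy check - password expired. (cn=tenantadmin,cn=users,dc=other)",
]

# Patterns taken verbatim from the quoted entries (including the log's own
# spelling "occured"); the DN in parentheses identifies the tenant.
RE_SOLUTION_USER = re.compile(r"Error occured looking for solution user :: Insufficient access")
RE_PW_EXPIRED = re.compile(r"Lockout policy check - password expired\. \((?P<dn>cn=[^)]+)\)")
RE_LOGIN_BLOCKED = re.compile(r"LoginBlocked DN \((?P<dn>cn=[^)]+)\), error \((?P<code>\d+)\)")


def tenant_from_dn(dn: str) -> str:
    """Return the dc= component of a tenant admin DN ('tenant' for cn=tenantadmin,cn=users,dc=tenant)."""
    m = re.search(r"dc=([^,]+)", dn)
    return m.group(1) if m else ""


def scan_identity_log(lines) -> Dict[str, List[str]]:
    """Map each tenant to the expiry/lockout evidence found for it in messages.log lines."""
    findings: Dict[str, List[str]] = {}
    for line in lines:
        m = RE_PW_EXPIRED.search(line)
        if m:
            findings.setdefault(tenant_from_dn(m.group("dn")), []).append("password expired")
            continue
        m = RE_LOGIN_BLOCKED.search(line)
        if m:
            findings.setdefault(tenant_from_dn(m.group("dn")), []).append(
                f"login blocked ({m.group('code')})")
    return findings


def count_solution_user_failures(lines) -> int:
    """Count catalina.out lines where the STS could not resolve the solution user."""
    return sum(1 for line in lines if RE_SOLUTION_USER.search(line))


def diagnose(catalina_lines, messages_lines) -> Dict[str, object]:
    """Token failures on the vRA side plus an expired/blocked tenant admin on the
    identity side is the signature the article describes."""
    tenants = scan_identity_log(messages_lines)
    failures = count_solution_user_failures(catalina_lines)
    return {
        "token_failures": failures,
        "affected_tenants": sorted(t for t, ev in tenants.items() if "password expired" in ev),
        "likely_expired_tenant_admin": failures > 0 and bool(tenants),
    }


if __name__ == "__main__":
    print(diagnose(SAMPLE_CATALINA, SAMPLE_MESSAGES))
```

Because the vRA side never names the account, reading catalina.out alone cannot distinguish this condition from other STS failures; the identity log is what ties the failure to a specific tenant admin.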
This issue occurs because the password of the SSO internal tenant admin account expires.
By default, this password expires 90 days after deployment. The expiration period can be changed, or password expiration can be disabled. Once the password has expired, the authentication server can no longer log in with the old password.
Note: This issue is internal to vRealize related SSO authentication and does not affect external OpenLDAP, Active Directory, or other LDAP configurations.
The current workflow User Interface does not provide any notification when the password is to expire.
Note: This issue can persist if an in-place upgrade is done from vRealize Automation (formerly known as vCloud Automation Center) 6.0 to vRealize Automation 6.1. If this is the case, re-apply the workaround mentioned below.
To work around this issue, disable password expiration for the tenant admin account.
Note: If you are not sure about performing the steps below, file a support request with VMware Technical Support and note this Knowledge Base article ID (2075011) in the problem description. For more information on filing a Support Request, see Filing a Support Request in My VMware (2006985).
VMware vRealize Automation (formerly known as vCloud Automation Center) using vCenter Single Sign-On (SSO) for tenant authentication
If VMware vRealize Automation is using vCenter Single Sign-On (SSO) for tenant authentication, perform these steps to disable password expiration:
Note: Replace tenant_name with the URL name of your tenant.
Open an SSH connection to vCenter Server.
Disable password expiration by running this command:
When prompted, enter the password for Administrator@vsphere.local.
The current workaround resets the userAccountControl flag and also modifies the values that determine how long the SSO tenant admin account password remains valid. The workaround sets that internal service account password to never expire.
Creating a blueprint for VCHS has a few pieces to it that are a little different than creating a standard vSphere blueprint. We need to start by creating a component blueprint that will then be utilized by the blueprint that we publish to the catalog. The reason for this is so that you can potentially create multi-component application blueprints that your users can request. If you use the vCloud Director integration you will recognize the similarities. This article provides a brief run-through of creating a basic VCHS blueprint that can be provisioned against VMware’s VCHS cloud service.
Creating the VCHS Blueprint
Start by going to Infrastructure -> Blueprints -> Blueprints and select New Blueprint -> Cloud -> vApp Component(vCloud Director).
Next give the component blueprint a name. I recommend giving it a name that identifies it as a component blueprint to make it easier to differentiate. You will also need to select a Machine Prefix to utilize or leave it as the Group Default.
Next, on the Build Information tab, we need to complete a number of items that will be familiar if you have created a vSphere blueprint. We need to set the blueprint type to “Server”, the Action to “Clone” and the Provisioning Workflow to “vAppCloneWorkflow”. You will also select the VCHS template to clone from by clicking the dialog box next to the field, as depicted in the second image below. Then set the minimum and optionally the maximum for CPU, Memory, & Storage. Finally, add additional storage if you need it.
Next go to the properties tab and set any needed properties for your configuration.
Finally go to the actions tab and select the actions that you want to make available for the blueprint and click OK to save the component blueprint.
We now need to create another blueprint that will be the vApp blueprint that is published to the catalog. Go to Infrastructure -> Blueprints -> Blueprints and select New Blueprint -> Cloud -> vApp (vCloud Director).
Once the new blueprint dialog opens, give the blueprint a name, select the prefix to be utilized for the service and set the archive days.
Next on the Build Information click the dialog box next to clone from and select the template that you have created a component blueprint for. It’s important that these are the same. Once you select the template, the template name will be populated under components.
Next click the pencil next to the template name and, from the blueprint drop-down dialog, select the component blueprint that you created earlier. Select the green checkbox once complete.
Next add any needed properties on the property tab.
Finally select the actions you want to make available for the service and click ok to save the blueprint.
Once complete, and you can see your blueprint in the list, hover over the blueprint and select Publish to publish the blueprint.
VCHS reservations are very similar to vSphere reservations, as you may expect. You are going to assign it to a tenant and business group, you are going to reserve memory and storage, and you determine what networks are available, just like you would do when creating a vSphere reservation. There is really only one minor difference: you don’t have to manage and maintain the underlying hardware. In my mind that is a huge plus.
Creating a VCHS reservation
Start by going to Infrastructure -> Reservations -> Reservations and from the “New Reservations” menu select Cloud and then vApp(vCloud Director).
On the New Reservation screen there are a few fields you will need to fill out. First select the Compute Resource you would like to create the reservation against. Next select the tenant you would like to assign the reservation to, as well as the business group within the tenant. Finally you must set a priority for the reservation.
Next, on the Resources tab, select the amount of memory you want to reserve as well as the datastores you would like to reserve capacity against, along with the amount of disk space to reserve. You will also need to set a priority for each datastore you enable and reserve capacity against.
Next, on the Network tab, you can select the networks you would like to make available to the reservation. On this screen you also have the ability to assign a network profile to the selected network. For more information on network profiles please see the network profile tutorial.
Finally, click on the Alerts tab, configure your desired thresholds and notification email address(es), and click OK to save the reservation.
1. We start by going to the Infrastructure tab, then choosing Endpoints from the side menu and then Endpoints again. Once there, hover over the New Endpoint item on the right side of the page.
2. Once the menu slides down, select Cloud and then vApp (vCloud Director).
3. Give your EndPoint a “Name” and then input the vCHS API Address in to the “Address” field.
3a. To locate the API Address for your vCHS account, log in to your vCHS account at https://vchs.vmware.com/ and select one of your Virtual Data Centers.
3b. Once the page loads for the selected Virtual Data Center select “vCloud Director API URL” on the right side of the page under “Related Links”.
3c. Your vCloud Director API URL is now displayed. Copy this url for use in the Endpoint Setup.
4. Your URL will look something like this: https://host1111.vchs.vmware.com:443/cloud/org/M741965660-4568/. For the Address field in vCAC you only need to enter the FQDN portion, like https://host1111.vchs.vmware.com:443. You would then add the org M741965660-4568 to the “Organization” field.
5. Then select the appropriate credentials from the picker and click OK.
6. Click “Ok” and save the new EndPoint.
*Important – Don’t forget to add your vCHS Organization to an existing or new Fabric Group. Once you add the Organization to a Fabric Group, vCAC will perform a data collection against the Organization and a compute resource will be available in the “Compute Resource” section of vCAC. If you do not add your organization to a Fabric Group you will not be able to create any reservation against it.
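Step 4 splits the vCloud Director API URL by hand into the Address and Organization fields. The helper below is an added example (not part of this tutorial or of vCAC) that performs the same split for any URL of the /cloud/org/<org>/ form, with or without an explicit port or trailing slash, and refuses a plain-http URL because the endpoint credentials selected in step 5 would travel over it. The sample URL is the one quoted in step 4; the function name is my own.

```python
from urllib.parse import urlsplit
from typing import Tuple


def split_vcd_api_url(api_url: str) -> Tuple[str, str]:
    """Split a vCloud Director API URL into the vCAC endpoint Address and Organization.

    https://host1111.vchs.vmware.com:443/cloud/org/M741965660-4568/
        -> ("https://host1111.vchs.vmware.com:443", "M741965660-4568")
    """
    parts = urlsplit(api_url.strip())
    if not parts.netloc:
        raise ValueError(f"not an absolute URL: {api_url!r}")
    # Endpoint credentials are sent to this address, so insist on TLS.
    if parts.scheme != "https":
        raise ValueError(f"refusing non-https API URL: {api_url!r}")
    # Address keeps scheme + host (+ explicit port if the URL had one); the path is dropped.
    address = f"{parts.scheme}://{parts.netloc}"
    segments = [s for s in parts.path.split("/") if s]
    # The organization is the segment that follows "org" in /cloud/org/<org>/.
    try:
        org = segments[segments.index("org") + 1]
    except (ValueError, IndexError):
        raise ValueError(f"no /org/<name> segment in {api_url!r}") from None
    return address, org


if __name__ == "__main__":
    print(split_vcd_api_url("https://host1111.vchs.vmware.com:443/cloud/org/M741965660-4568/"))
```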
Physical blueprints are a bit different than Virtual Blueprints because you can’t give users the ability to define the exact makeup of the machine they want. They can’t decide they want to add additional storage to a physical machine like they can a virtual. They also can’t select which network they want the machine placed on (without customization) like a virtual machine.
What they can do, however, is tell you how many CPUs and how much RAM they would like in the physical machine they are requesting. I know, what do you mean they can tell me what they want? vCAC can’t magically add CPUs or memory, but what it can do is look for a match, or the closest match, to what the user needs. You have the ability to set a maximum and minimum number of CPUs and amount of RAM a user can request from the blueprint. You can also determine how you want to allocate for each of them: you can have vCAC look for an exact match to the request, or look for an “At Least” match to find a server that meets the needs of the request.
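To make the “exact” versus “At Least” distinction concrete, here is an added illustration of that matching logic written for this article; it is not vCAC’s own allocation code, and the server inventory, blueprint limits and function names are hypothetical. It enforces the blueprint’s min/max bounds on the request, then selects a server either by exact equality or by “at least” with the smallest surplus as the closest match.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class PhysicalServer:
    name: str
    cpus: int
    memory_mb: int


@dataclass(frozen=True)
class BlueprintLimits:
    """Min/max a requester may ask for, as set on the blueprint's Build Information tab."""
    min_cpus: int
    max_cpus: int
    min_memory_mb: int
    max_memory_mb: int


def validate_request(limits: BlueprintLimits, cpus: int, memory_mb: int) -> None:
    """Reject a request outside the bounds the blueprint author configured."""
    if not limits.min_cpus <= cpus <= limits.max_cpus:
        raise ValueError(f"CPU request {cpus} outside {limits.min_cpus}-{limits.max_cpus}")
    if not limits.min_memory_mb <= memory_mb <= limits.max_memory_mb:
        raise ValueError(f"memory request {memory_mb} outside {limits.min_memory_mb}-{limits.max_memory_mb}")


def find_match(inventory: List[PhysicalServer], cpus: int, memory_mb: int,
               cpu_mode: str = "exact", memory_mode: str = "exact") -> Optional[PhysicalServer]:
    """Pick a server for the request.

    'exact' requires the server attribute to equal the request; 'at_least' accepts any
    server with >= the request and prefers the one with the least surplus (closest match).
    Returns None when nothing in the inventory satisfies both attributes.
    """
    def fits(have: int, want: int, mode: str) -> bool:
        if mode not in ("exact", "at_least"):
            raise ValueError(f"unknown allocation mode {mode!r}")
        return have == want if mode == "exact" else have >= want

    candidates = [s for s in inventory
                  if fits(s.cpus, cpus, cpu_mode) and fits(s.memory_mb, memory_mb, memory_mode)]
    if not candidates:
        return None
    # Smallest CPU surplus first, then smallest memory surplus; name breaks ties deterministically.
    return min(candidates, key=lambda s: (s.cpus - cpus, s.memory_mb - memory_mb, s.name))


# Constructed inventory of unreserved physical servers (hypothetical).
INVENTORY = [
    PhysicalServer("blade-01", 8, 32768),
    PhysicalServer("blade-02", 16, 65536),
    PhysicalServer("blade-03", 16, 131072),
    PhysicalServer("blade-04", 32, 262144),
]
LIMITS = BlueprintLimits(min_cpus=2, max_cpus=16, min_memory_mb=4096, max_memory_mb=131072)


if __name__ == "__main__":
    validate_request(LIMITS, 12, 65536)
    print(find_match(INVENTORY, 12, 65536))                                   # None: no 12-CPU server
    print(find_match(INVENTORY, 12, 65536, cpu_mode="at_least", memory_mode="at_least"))  # blade-02
```

With both attributes set to “exact”, a request for 12 CPUs finds nothing even though larger servers are idle; switching to “at_least” returns blade-02, the server with the least unused capacity, which is why the tutorial’s choice of allocation mode matters for how much of your physical pool a blueprint can actually consume.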
* This tutorial is meant to show you the basics of creating a Physical HP server blueprint. I will be publishing a number of more complete physical provisioning tutorials and this article will be utilized as a reference.
Creating a Physical HP Blueprint
Go to infrastructure -> Blueprints -> Blueprints and select New Blueprint -> Physical -> HP iLO.
On the blueprint information tab give the blueprint a name and select the Machine Prefix to utilize. One thing you won’t see here that existed in previous releases of vCAC is the ability to select a Business Group. This is now handled through the catalog entitlements.
Next, on the Build Information tab, the type should be Server and the workflow should be PhysicalProvisioningWorkflow. Here is where you can set the min and max for CPU, memory, & lease. It’s also where you determine how to find a match for the resource.
I’m going to skip over the properties tab for now and we will go to the actions tab. Here you can select what actions can be performed against this blueprint. Click ok to create the Blueprint. I will cover information regarding the properties for physical provisioning when I cover the type of physical provisioning based on operating system in another post.
Once you have created the blueprint hover over it in the list and select “Publish”. This is a step that did not exist in previous versions of vCAC.