Monday, 30 November 2015

VMware vRealize Automation 6.0.x tenants are inaccessible and identity stores disappear (2075011)

Symptoms

In vRealize Automation (formerly known as vCloud Automation Center) 6.0.x, about 90 days after deployment (the default lifetime of the internal tenant admin password, see Cause below) you experience issues similar to:
  • When attempting to log in to tenant, a blank page is displayed with a Submit button in the upper left corner.
  • You receive a System Exception error when accessing the tenant identity store configuration page and the identity store configuration has disappeared.
  • Cannot log in to a tenant using an LDAP account.
  • Unable to add a new identity store configuration to the affected tenant.
  • The tenant identity store disappears from the SSO Administrator login.
  • In the catalina.out log file, located at /var/log/vmware/vcac/, you see entries similar to:

    12:40:49,190 [tomcat-http--34] [authentication] INFO com.vmware.vim.sso.client.impl.SecurityTokenServiceImpl$RequestResponseProcessor.handleFaultCondition:922 - Failed trying to retrieve token: ns0:RequestFailed: Error occured looking for solution user :: Insufficient access
    YYYY-03-18 12:40:49,201 [tomcat-http--34] [authentication] ERROR com.vmware.vcac.platform.service.rest.resolver.ApplicationExceptionHandler.handleUnexpectedException:820 - Failed trying to retrieve token: ns0:RequestFailed: Error occured looking for solution user :: Insufficient access
    com.vmware.vim.sso.client.exception.InternalError: Failed trying to retrieve token: ns0:RequestFailed: Error occured looking for solution user :: Insufficient access

  • In the messages.log file on the Identity Appliance, located at /var/log/, you see entries similar to:

    T16:50:18-05:00 lsassd[2913]: GSSAPI Error: The referenced context has expired (Unknown error)
    T08:34:41-06:00 vmdird: t@139870073485056: Lockout policy check - password expired. (cn=tenantadmin,cn=users,dc=tenant)
    T11:58:03-06:00 lsassd[2943]: GSSAPI Error: The referenced context has expired (Unknown error)
    .....
    YYYY-03-18T11:38:46-06:00 denqca3vcacid01 vmdird: t@140689332778752: LoginBlocked DN (cn=tenantadmin,cn=users,dc=tenant), error (9239)(Account access blocked)

    Here the password of the internal tenant admin account (cn=tenantadmin,cn=users,dc=tenant) has expired, so the login/bind from the identity manager fails and vmdird then blocks the account.
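
The signatures above can be checked mechanically before anyone opens the SSO console. The following Python script is an added example, not part of the KB article or of any VMware tooling: it classifies catalina.out and Identity Appliance messages.log lines against the four patterns quoted in the Symptoms, extracts the affected account DN and tenant name, and only flags this KB when the vmdir password-expired or login-blocked lines coincide with the STS "Insufficient access" failure (the STS line on its own is too generic). The sample lines are constructed from the excerpts above; the hostname, thread ids and timestamps are invented.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the excerpts quoted in the Symptoms
# section. Hostname, thread ids and timestamps are made up.
SAMPLE_CATALINA = [
    "12:40:49,190 [tomcat-http--34] [authentication] INFO com.vmware.vim.sso.client.impl."
    "SecurityTokenServiceImpl$RequestResponseProcessor.handleFaultCondition:922 - Failed trying to "
    "retrieve token: ns0:RequestFailed: Error occured looking for solution user :: Insufficient access",
    "12:41:02,004 [tomcat-http--35] [authentication] INFO com.vmware.vcac.platform.service.rest."
    "resolver.ApplicationExceptionHandler - request completed",
]
SAMPLE_MESSAGES = [
    "2015-03-18T08:34:41-06:00 vcacid01 vmdird: t@139870073485056: Lockout policy check - "
    "password expired. (cn=tenantadmin,cn=users,dc=tenant)",
    "2015-03-18T11:38:46-06:00 vcacid01 vmdird: t@140689332778752: LoginBlocked DN "
    "(cn=tenantadmin,cn=users,dc=tenant), error (9239)(Account access blocked)",
    "2015-03-18T11:58:03-06:00 vcacid01 lsassd[2943]: GSSAPI Error: The referenced context has "
    "expired (Unknown error)",
    "2015-03-18T12:00:00-06:00 vcacid01 vmdird: t@1: normal bind ok",
]

# (signature name, regex). The vmdir patterns capture the DN of the affected account.
SIGNATURES = [
    ("sts_insufficient_access",
     re.compile(r"Failed trying to retrieve token:.*Insufficient access")),
    ("vmdir_password_expired",
     re.compile(r"vmdird:.*password expired\. \((?P<dn>cn=[^)]+)\)")),
    ("vmdir_login_blocked",
     re.compile(r"vmdird:.*LoginBlocked DN \((?P<dn>cn=[^)]+)\), error \((?P<code>\d+)\)")),
    ("gssapi_context_expired",
     re.compile(r"lsassd\[\d+\]: GSSAPI Error: The referenced context has expired")),
]


def classify_line(line):
    """Return (signature_name, dn_or_None) for a matching line, or None if benign."""
    for name, rx in SIGNATURES:
        m = rx.search(line)
        if m:
            return name, m.groupdict().get("dn")
    return None


def tenant_from_dn(dn):
    """cn=tenantadmin,cn=users,dc=tenant -> 'tenant' (the tenant name the workaround needs)."""
    parts = [p.strip() for p in dn.split(",")]
    dcs = [p.split("=", 1)[1] for p in parts if p.lower().startswith("dc=")]
    return ".".join(dcs) if dcs else None


def scan(catalina_lines, messages_lines):
    """Summarise hits per signature, affected DNs and tenants, and a verdict."""
    hits = Counter()
    dns = set()
    for line in list(catalina_lines) + list(messages_lines):
        res = classify_line(line)
        if res is None:
            continue
        name, dn = res
        hits[name] += 1
        if dn:
            dns.add(dn)
    # The KB's cause is an expired/blocked internal tenant admin in vmdir that
    # surfaces as an STS failure; require both halves before pointing at it.
    likely = bool(dns) and (hits["vmdir_password_expired"] or hits["vmdir_login_blocked"]) \
        and hits["sts_insufficient_access"]
    return {
        "hits": dict(hits),
        "affected_dns": sorted(dns),
        "tenants": sorted({tenant_from_dn(d) for d in dns}),
        "likely_kb_2075011": bool(likely),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(scan(SAMPLE_CATALINA, SAMPLE_MESSAGES), indent=2))
```

Run it against real files by reading catalina.out and messages.log into the two lists; the "tenants" value is exactly what the workaround's tenant_name placeholder must be replaced with.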

Cause

This issue occurs because the password of the internal SSO tenant administrator account expires after 90 days.

By default, the SSO internal tenant admin password expires in 90 days. The expiration period can be changed, or expiration disabled altogether. Once the password has expired, the vRealize Automation authentication service can no longer bind to SSO with the old password, so every login to that tenant fails.

Note: This issue is internal to the SSO authentication used by vRealize Automation and does not affect external OpenLDAP, Active Directory, or other LDAP configurations.

The current workflow user interface gives no notification that the password is about to expire, so the failure appears without warning at the 90-day mark.

Resolution

This issue is resolved in vRealize Automation 6.1 available at VMware Downloads. For more information, refer to the VMware vCloud Automation Center 6.1 Release Notes.

Note: This issue can persist if an in-place upgrade is done from vRealize Automation (formerly known as vCloud Automation Center) 6.0 to vRealize Automation 6.1. If this is the case, re-apply the workaround mentioned below.

To work around this issue, disable password expiration for the tenant admin account.

Note: If you are not sure about performing the steps below, file a support request with VMware Technical Support and note this Knowledge Base article ID (2075011) in the problem description. For more information on filing a Support Request, see Filing a Support Request in My VMware (2006985).

VMware vRealize Automation (formerly known as vCloud Automation Center) using vCenter Single Sign-On (SSO) for tenant authentication

If VMware vRealize Automation is using vCenter Single Sign-On (SSO) for tenant authentication, perform these steps to disable password expiration:

Note: Replace tenant_name with the URL name of your tenant. The log excerpts above and the Windows procedure below name the internal account cn=tenantadmin, while this procedure names it cn=administrator; verify the actual DN in your SSO directory (for example with ldapsearch against the same port) before modifying it.

  1. Open an SSH connection to the vCenter Server Appliance (the /opt/likewise path used below exists only on the appliance; for a Windows vCenter SSO installation use the ldifde procedure further down).
  2. Exempt the tenant admin account from password expiration by adding it to the DCAdmins group with this command:

    /opt/likewise/bin/ldapmodify -H ldap://localhost:11711 -x -D "cn=administrator,cn=users,dc=vsphere,dc=local" -W <<EOF
    dn: cn=DCAdmins,cn=builtin,dc=vsphere,dc=local
    changetype: modify
    add: member
    member: cn=administrator,cn=users,dc=tenant_name
    EOF

    Response: modifying entry "cn=DCAdmins,cn=builtin,dc=vsphere,dc=local"

    Note: You are prompted for the administrator@vsphere.local password when running this command.
  3. Run this command to reset the account control flag:

    /opt/likewise/bin/ldapmodify -H ldap://localhost:11711 -x -D "cn=administrator,cn=users,dc=vsphere,dc=local" -W <<EOF
    dn: cn=administrator,cn=users,dc=tenant_name
    changetype: modify
    replace: userAccountControl
    userAccountControl: 0
    EOF

    Response: modifying entry "cn=administrator,cn=users,dc=tenant_name"

    Note: You are prompted for the administrator@vsphere.local password when running this command.

Using SSO in the VMware vRealize Automation (formerly known as vCloud Automation Center) Identity Appliance

If you are using SSO in the VMware vRealize Automation Identity Appliance, perform these steps to disable password expiration:

  1. Download the file attached to the KB article (see the Source link at the end of this article), kb_2075011_identity_appliance.tar.gz, to your workstation.
  2. Using an SCP client, upload kb_2075011_identity_appliance.tar.gz to /tmp on the VMware vRealize Automation Identity Appliance.
  3. Open an SSH connection to the VMware vRealize Automation Identity Appliance.
  4. Change to the temporary directory on the Identity Appliance by running the cd /tmp command.
  5. Extract the contents of kb_2075011_identity_appliance.tar.gz into /tmp by running this command:

    tar zxvf kb_2075011_identity_appliance.tar.gz
  6. After the contents are extracted, review the 0_run_me script (it runs with the SSO administrator credentials you enter in step 7) and then run it on the Identity Appliance:

    ./0_run_me tenant_name

    Note: Replace tenant_name with the URL name of your tenant. Use this command as a model:

    ./0_run_me vmware
  7. When prompted, enter the password for Administrator@vsphere.local.

VMware vRealize Automation (formerly known as vCloud Automation Center) using Windows installation of vCenter SSO for tenant authentication

If VMware vRealize Automation is using a Windows installation of vCenter Single Sign-On for tenant authentication, perform these steps to disable password expiration:
  1. Open an elevated command prompt.
  2. Create a temporary directory by running the command:

    mkdir c:\temp
  3. Change directories by running the command:

    cd c:\temp
  4. Create the UserAccountControl.ldif file in Notepad by running the command:

    notepad UserAccountControl.ldif
  5. Copy and paste the content below into the file:

    dn: cn=tenantadmin,cn=users,dc=tenant_name
    changetype: modify
    replace: userAccountControl
    userAccountControl: 0
    -

    Notes:
    • Replace tenant_name with the URL name of your tenant.
    • Ensure you include the hyphen on the last line, directly after the userAccountControl line. Do not put a blank line before it: in LDIF a blank line ends the record, and a stray trailing space after the value can be taken literally.
  6. Save and close the UserAccountControl.ldif file.
  7. Create the PasswordExpiration.ldif file in Notepad by running the command:

    notepad PasswordExpiration.ldif
  8. Copy and paste the content below into the file:

    dn: cn=DCAdmins,cn=builtin,dc=vsphere,dc=local
    changetype: modify
    add: member
    member: cn=tenantadmin,cn=users,dc=tenant_name
    -


    Notes:
    • Replace tenant_name with the URL name of your tenant.
    • Ensure you include the hyphen on the last line. (In other words, do not omit the hyphen.)
  9. Save and close the PasswordExpiration.ldif file.
  10. To modify the user account control configuration and password expiration using the files created earlier in this procedure, run these commands:

    Note: If the ldifde executable is not available, install the AD DS tools, which include it:

    ServerManagerCmd -i RSAT-ADDS-Tools

    Note: ServerManagerCmd is deprecated and not available in Windows Server 2012 or later; there, run Install-WindowsFeature RSAT-ADDS-Tools from an elevated PowerShell prompt instead. For more information, see Microsoft TechNet.


    1. To modify the password expiration, run the command:

      ldifde -i -f PasswordExpiration.ldif -s localhost -t 11711 -a "cn=Administrator,cn=Users,dc=vsphere,dc=local" *

      When prompted, enter the password for Administrator@vsphere.local.
    2. To modify the user account control configuration, run the command:

      ldifde -i -f UserAccountControl.ldif -s localhost -t 11711 -a "cn=Administrator,cn=Users,dc=vsphere,dc=local" *

      When prompted, enter the password for Administrator@vsphere.local.
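
Both the appliance (ldapmodify) and the Windows (ldifde) procedures apply the same two LDIF changes. The Python below is an added example, not part of the KB article: it generates the two LDIF records for a given tenant, builds the ldapmodify command line used by the KB (reading the LDIF from a file with -f instead of a heredoc), and verifies from an ldapsearch LDIF dump that the account is now a member of DCAdmins and has userAccountControl 0, which is the check to run after either procedure. The account cn is a parameter because the KB names it cn=administrator in the appliance procedure and cn=tenantadmin in the logs and the Windows procedure. SAMPLE_LDAPSEARCH is a constructed dump and the tenant name "acme" is hypothetical.

```python
import base64
import shlex

SSO_ADMIN_DN = "cn=administrator,cn=users,dc=vsphere,dc=local"
DCADMINS_DN = "cn=DCAdmins,cn=builtin,dc=vsphere,dc=local"
LDAP_URL = "ldap://localhost:11711"  # the directory port used throughout the KB

# Constructed sample of what an ldapsearch LDIF dump could look like after the
# workaround has been applied for a hypothetical tenant "acme".
SAMPLE_LDAPSEARCH = """\
# constructed sample, not real output
dn: cn=DCAdmins,cn=builtin,dc=vsphere,dc=local
member: cn=Administrator,cn=Users,dc=vsphere,dc=local
member: cn=tenantadmin,cn=users,dc=acme

dn: cn=tenantadmin,cn=users,dc=acme
userAccountControl: 0
"""


def tenant_admin_dn(tenant, account_cn="tenantadmin"):
    """DN of the internal tenant admin. The KB uses both 'administrator' and
    'tenantadmin' as the cn, so it is a parameter; confirm it with ldapsearch."""
    return f"cn={account_cn},cn=users,dc={tenant}"


def ldif_add_to_dcadmins(tenant, account_cn="tenantadmin"):
    """Membership of DCAdmins is what exempts the account from password expiration."""
    return "\n".join([
        f"dn: {DCADMINS_DN}",
        "changetype: modify",
        "add: member",
        f"member: {tenant_admin_dn(tenant, account_cn)}",
        "-",
        "",
    ])


def ldif_reset_uac(tenant, account_cn="tenantadmin"):
    """userAccountControl: 0 clears the expired/blocked state so the bind works again."""
    return "\n".join([
        f"dn: {tenant_admin_dn(tenant, account_cn)}",
        "changetype: modify",
        "replace: userAccountControl",
        "userAccountControl: 0",
        "-",
        "",
    ])


def ldapmodify_command(ldif_path):
    """The ldapmodify invocation from the KB; -W prompts for the SSO admin password."""
    return ("/opt/likewise/bin/ldapmodify -H " + shlex.quote(LDAP_URL)
            + " -x -D " + shlex.quote(SSO_ADMIN_DN) + " -W -f " + shlex.quote(ldif_path))


def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attr: [values]}}. Handles folded lines
    (leading space) and base64 values ('attr:: ...'); comments end a record."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur, dn = {}, {}, None
    for line in lines + [""]:
        if not line.strip() or line.startswith("#"):
            if dn is not None:
                entries[dn] = cur
            cur, dn = {}, None
            continue
        attr, _, value = line.partition(":")
        value = value.strip()
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        if attr == "dn":
            dn = value
        else:
            cur.setdefault(attr, []).append(value)
    return entries


def verify_workaround(ldif_text, tenant, account_cn="tenantadmin"):
    """Check a dump for the two conditions the workaround must leave behind."""
    entries = parse_ldif(ldif_text)
    admin = tenant_admin_dn(tenant, account_cn)
    members = [m.lower() for m in entries.get(DCADMINS_DN, {}).get("member", [])]
    uac = entries.get(admin, {}).get("userAccountControl", [])
    return {"in_dcadmins": admin.lower() in members, "uac_is_zero": uac == ["0"]}


if __name__ == "__main__":
    print(ldif_add_to_dcadmins("acme"))
    print(ldif_reset_uac("acme"))
    print(ldapmodify_command("/tmp/kb2075011.ldif"))
    print(verify_workaround(SAMPLE_LDAPSEARCH, "acme"))
```

To use it on a real system, write the two generated records to a file, run the printed ldapmodify command (or feed the same records to ldifde on Windows), then dump the DCAdmins group and the tenant admin entry with ldapsearch and pass that output to verify_workaround; both values must be True before you retry the tenant login.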

Impact/Risks

The workaround resets the userAccountControl flag and adds the SSO tenant admin account to the DCAdmins group, which exempts it from the password expiration policy: that internal service account password then never expires. Because SSO will no longer force a change, rotate this password on your own schedule, and protect the administrator@vsphere.local credential used to apply the change.


Source:-
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2075011&src=vmw_so_vex_ragga_1012

Friday, 27 November 2015

How to Modify the Session Time Out for vCloud Automation Center 6.x a.k.a vRA 6.x?

The default session timeout for the vCAC web console is 30 minutes. If that is too short or too long for your environment, you can change it.
Access the vCAC appliance through SSH (with PuTTY, for example) or through the virtual appliance console, and edit this file:
for 6.0  /usr/lib/vcac/server/webapps/shell-ui-app/WEB-INF/web.xml
for 6.2  /usr/lib/vcac/server/webapps/vcac/WEB-INF/web.xml
Use vi or another editor to change the default of 30 (minutes) to another value. A value of -1 disables the timeout completely, which means an idle console session never expires on the server side; prefer a finite value that matches your idle-session policy. An appliance upgrade may replace this file, so re-check the value afterwards.
<!-- 30 minutes session expiration time -->
<session-config>
          <session-timeout>30</session-timeout>
          <tracking-mode>COOKIE</tracking-mode>
</session-config>
After this modification restart the vCAC service:
service vcac-server restart
Or restart the entire appliance.
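
To change the value without hand-editing a production file, and to reject the never-expires setting by default, here is an added Python helper that is not from the original post or from VMware: it rewrites only the <session-timeout> value, keeps the surrounding comment and layout intact, confirms the result still parses as XML, and refuses 0 or negative values (the servlet meaning of "never expire") unless explicitly allowed. SAMPLE_WEB_XML is a constructed fragment built around the snippet shown above.

```python
import re
import xml.etree.ElementTree as ET

# Constructed, trimmed web.xml containing the session-config shown in the post.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <!-- 30 minutes session expiration time -->
  <session-config>
          <session-timeout>30</session-timeout>
          <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>
"""

# Matches only the value inside <session-timeout>; groups 1 and 3 preserve whitespace.
_TIMEOUT_RX = re.compile(r"(<session-timeout>\s*)(-?\d+)(\s*</session-timeout>)")


def get_session_timeout(xml_text):
    """Return the configured timeout in minutes (servlet semantics: <= 0 means never)."""
    m = _TIMEOUT_RX.search(xml_text)
    if not m:
        raise ValueError("no <session-timeout> element found")
    return int(m.group(2))


def set_session_timeout(xml_text, minutes, allow_never=False):
    """Rewrite the timeout value in place, keeping comments and layout.

    0 or a negative value disables expiry entirely and is refused unless the
    caller passes allow_never=True, so the weak setting cannot slip in by accident.
    """
    if minutes <= 0 and not allow_never:
        raise ValueError("a non-positive timeout disables expiry; pass allow_never=True to force it")
    if _TIMEOUT_RX.search(xml_text) is None:
        raise ValueError("no <session-timeout> element found")
    new_text, _ = _TIMEOUT_RX.subn(lambda m: f"{m.group(1)}{minutes}{m.group(3)}", xml_text, count=1)
    ET.fromstring(new_text.encode("utf-8"))  # the edited file must still be well-formed XML
    return new_text


def session_timeout_risk(minutes):
    """Coarse classification for a config audit: never-expires, long, or ok."""
    if minutes <= 0:
        return "never-expires"
    if minutes > 120:
        return "long"
    return "ok"


if __name__ == "__main__":
    # Example flow: read web.xml, tighten to 15 minutes, write it back.
    print("before:", get_session_timeout(SAMPLE_WEB_XML), session_timeout_risk(get_session_timeout(SAMPLE_WEB_XML)))
    updated = set_session_timeout(SAMPLE_WEB_XML, 15)
    print("after:", get_session_timeout(updated), session_timeout_risk(get_session_timeout(updated)))
```

On the appliance, read the web.xml path for your version into a string, call set_session_timeout, write the result back, and restart the vcac-server service as described above; session_timeout_risk is handy for auditing several appliances for the -1 setting.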

Thursday, 26 November 2015

Reverting to a previous version of ESXi (1033604)

Purpose

This article provides steps to revert to a previous version of ESXi.

Resolution

To revert to a previous version of ESXi:
 
Notes
  • Back up your configuration data before making any changes.
  • Altbootbank is overwritten with a copy of bootbank every 60 minutes.
  1. In the console screen of the ESXi host, press Ctrl+Alt+F2 to see the Direct Console User Interface (DCUI) screen.
  2. In the DCUI screen, press F12 to view the shutdown options for the ESXi host.
  3. Press F11 to reboot.
  4. When the Hypervisor progress bar starts loading, press Shift+R. You see a pop-up with a warning:

    Current hypervisor will permanently be replaced
    with build: X.X.X-XXXXXX. Are you sure? [Y/n]

  5. Press Shift+Y to roll back the build.
  6. Press Enter to boot.

Wednesday, 25 November 2015

Adding vCHS/vCloud Air Endpoints in vCAC a.k.a vRA 6.x Creating Blueprints - Part 3

Creating a blueprint for VCHS has a few pieces that are a little different from creating a standard vSphere blueprint. We need to start by creating a component blueprint that will then be utilized by the blueprint that we publish to the catalog. The reason for this is so that you can potentially create multi-component application blueprints that your users can request. If you use the vCloud Director integration you will recognize the similarities. This article provides a brief run through of creating a basic VCHS blueprint that can be provisioned against VMware's VCHS cloud service.

Creating the VCHS Blueprint

  1. Start by going to Infrastructure -> Blueprints -> Blueprints and select New Blueprint -> Cloud -> vApp Component (vCloud Director).
     [Image: vcac601vchsbp-0]
  2. Next give the component blueprint a name. I recommend giving it a name that identifies it as a component blueprint to make it easier to differentiate. You will also need to select a Machine Prefix to utilize, or leave it as the Group Default.
     [Image: vcac601vchsbp-1]
  3. Next, on the Build Information tab, complete a number of items that will be familiar if you have created a vSphere blueprint. Set the blueprint type to "Server", the Action to "Clone" and the Provisioning Workflow to "vAppCloneWorkflow". Select the VCHS template to clone from by clicking the dialog box next to the field, as depicted in the second image below. Then set the minimum and optionally the maximum for CPU, Memory and Storage. Finally add additional storage if you need it.
     [Image: vcac601vchsbp-3]
     [Image: vcac601vchsbp-2]
  4. Next go to the Properties tab and set any properties your configuration needs.
     [Image: vcac601vchsbp-4]
  5. Finally go to the Actions tab, select the actions that you want to make available for the blueprint and click OK to save the component blueprint.
     [Image: vcac601vchsbp-5]
  6. We now need to create another blueprint, the vApp blueprint that is published to the catalog. Go to Infrastructure -> Blueprints -> Blueprints and select New Blueprint -> Cloud -> vApp (vCloud Director).
     [Image: vcac601vchsbp-6]
  7. Once the new blueprint dialog opens, give the blueprint a name, select the prefix to be utilized for the service and set the archive days.
     [Image: vcac601vchsbp-7]
  8. Next, on the Build Information tab, click the dialog box next to Clone From and select the template for which you created a component blueprint. It is important that these are the same. Once you select the template, the template name is populated under Components.
     [Image: vcac601vchsbp-8]
  9. Next click the pencil next to the template name and, from the Blueprint drop-down, select the component blueprint that you created earlier, then select the green check mark.
     [Image: vcac601vchsbp-9]
  10. Next add any needed properties on the Properties tab.
     [Image: vcac601vchsbp-11]
  11. Finally select the actions you want to make available for the service and click OK to save the blueprint.
     [Image: vcac601vchsbp-12]
  12. Once complete and you can see your blueprint in the list, hover over the blueprint and select Publish to publish it.
Source:-
        http://flcloudlabs.com/

Adding vCHS/vCloud Air Endpoints in vCAC a.k.a vRA 6.x Creating Reservation - Part 2

VCHS reservations are very similar to vSphere reservations, as you may expect. You assign the reservation to a tenant and business group, reserve memory and storage, and determine which networks are available, just as you would when creating a vSphere reservation. There is really only one minor difference: you don't have to manage and maintain the underlying hardware. In my mind that is a huge plus.

Creating a VCHS reservation

  1. Start by going to Infrastructure -> Reservations -> Reservations and from the "New Reservations" menu select Cloud and then vApp (vCloud Director).
     [Image: vcac601vchsres-0]
  2. On the New Reservation screen there are a few fields you will need to fill out. First select the compute resource you would like to create the reservation against. Next select the tenant you would like to assign the reservation to, as well as the business group within the tenant. Finally you must set a priority for the reservation.
     [Image: vcac601vchsres-1]
  3. Next, on the Resources tab, select the amount of memory you want to reserve as well as the datastores you would like to reserve capacity against, along with the amount of disk space to reserve. You will also need to set a priority for each datastore you enable and reserve capacity against.
     [Image: vcac601vchsres-2]
  4. Next, on the Network tab, select the networks you would like to make available to the reservation. On this screen you also have the ability to assign a network profile to the selected network. For more information on network profiles, see the network profile tutorial.
     [Image: vcac601vchsres-3]
  5. Finally, on the Alerts tab, configure your desired thresholds and notification email address(es), and click OK to save the reservation.
     [Image: vcac601vchsres-4]

Source:-
http://flcloudlabs.com/

Adding vCHS/vCloud Air Endpoints in vCAC a.k.a vRA 6.x - Part 1

1. We start by going to the Infrastructure tab, then choosing Endpoints from the side menu and then Endpoints again. Once there, hover over the New Endpoint item on the right side of the page.
   [Image: vcac601vchsep-8]

2. Once the menu slides down, select Cloud and then vApp (vCloud Director).
   [Image: vcac601vchsep-3]
3. Give your endpoint a "Name" and then enter the vCHS API address in the "Address" field.
   [Image: vcac601vchsep-0]
3a. To locate the API address for your vCHS account, log in to your vCHS account at https://vchs.vmware.com/ and select one of your Virtual Data Centers.
   [Image: vcac601vchsep-5]
3b. Once the page loads for the selected Virtual Data Center, select "vCloud Director API URL" on the right side of the page under "Related Links".
   [Image: vcac601vchsep-6]
3c. Your vCloud Director API URL is now displayed. Copy this URL for use in the endpoint setup.
   [Image: vcac601vchsep-7]
4. Your URL will look something like https://host1111.vchs.vmware.com:443/cloud/org/M741965660-4568/. For the Address field in vCAC you only need the scheme, host and port, for example https://host1111.vchs.vmware.com:443. The org identifier from the path, M741965660-4568, goes into the "Organization" field.
   [Image: vcac601vchsep-0]
5. Then select the appropriate credentials from the picker and click OK.
   [Image: vcac601vchsep-4]
6. Click "OK" and save the new endpoint.
*Important: Don't forget to add your vCHS Organization to an existing or new Fabric Group. Once you add the Organization to a Fabric Group, vCAC performs a data collection against the Organization and a compute resource becomes available in the "Compute Resource" section of vCAC. If you do not add your organization to a Fabric Group you will not be able to create any reservation against it.
Source:-
http://flcloudlabs.com/

Adding Physical HP Endpoints in vCAC a.k.a vRA 6.x Creating Blueprint - Part 3

Physical blueprints are a bit different from virtual blueprints because you can't give users the ability to define the exact makeup of the machine they want. They can't decide they want to add additional storage to a physical machine like they can to a virtual one. They also can't select which network they want the machine placed on (without customization) like they can for a virtual machine.
What they can do, however, is tell you how many CPUs and how much RAM they would like in the physical machine they are requesting. What do you mean, they can tell me what they want? vCAC can't magically add CPUs or memory, but what it can do is look for a match, or the closest match, to what the user needs. You have the ability to set a maximum and minimum number of CPUs and amount of RAM a user can request from the blueprint. You can also determine how you want to allocate for each of them: you can have vCAC look for an exact match to the request, or look for an "At Least" match to find a server that meets the needs of the request.
* This tutorial is meant to show you the basics of creating a Physical HP server blueprint. I will be publishing a number of more complete physical provisioning tutorials and this article will be utilized as a reference.

Creating a Physical HP Blueprint

  1. Go to Infrastructure -> Blueprints -> Blueprints and select New Blueprint -> Physical -> HP iLO.
     [Image: vcac601phpbp-0]
  2. On the Blueprint Information tab give the blueprint a name and select the Machine Prefix to utilize. One thing you won't see here that existed in previous releases of vCAC is the ability to select a Business Group. This is now handled through the catalog entitlements.
     [Image: vcac601phpbp-1]
  3. Next, on the Build Information tab, the type should be Server and the workflow should be PhysicalProvisioningWorkflow. Here is where you can set the min and max for CPU, memory and lease. It's also where you determine how to find a match for the resource.
     [Image: vcac601phpbp-2]
  4. I'm going to skip over the Properties tab for now and go to the Actions tab. Here you can select what actions can be performed against this blueprint. Click OK to create the blueprint. I will cover the properties for physical provisioning when I cover the type of physical provisioning based on operating system in another post.
     [Image: vcac601phpbp-3]
  5. Once you have created the blueprint, hover over it in the list and select "Publish". This is a step that did not exist in previous versions of vCAC.

Source:-
http://flcloudlabs.com/