Tuesday, June 16, 2015

List of Reserved (vRA) vCAC VM Properties to be used during the BuildingMachine Workflow

Welcome: To stay updated with all my Blog posts follow me on Twitter @arunpande !
In multiple vRealize Automation (vRA) design & implementation engagements, I have often come across customer requirements where OOB functionality and features do not meet their requirements. These requirements may vary from initial provisioning to certain day 2 operations. In this blog post I will discuss the reserved vCAC VM properties that can be used in the initial provisioning state. For example, I have received the following customization requests in one of the engagements:
  • Change the Name of the VM provisioned dynamically using vCAC [VirtualMachine.LeaseDays]
The requirement was to assign the name of the VM dynamically based on the user inputs. To achieve this we created a vCO workflow to dynamically update the value of VirtualMachine.LeaseDays.


  • Allow users to choose a specific or unlimited lease for a VM provisioned from the same blueprint [VirtualMachine.LeaseDays]
Here, a vCO workflow was used to let the user select whether he wants an unlimited or a specific lease duration; the selected value was then written to VirtualMachine.LeaseDays. Note that when the value of this property is set to 0 the lease duration is unlimited.
I would like to thank Sonal Jain, for his expertise in designing the above workflows.
There are other workflows available which allow users to change the CPU & Memory values using the below properties.
  • VirtualMachine.CPU.Count
  • VirtualMachine.Memory.Size
In this blog post, I have also tried to capture the key properties used in the ExternalWFStubs.BuildingMachine workflow.
Next time when you receive any customization request from the customer that is applicable to the building machine stub, search for the custom property from the below list. Next, create a vCO workflow using the custom property and assign it to the Blueprint.
VirtualMachine.Admin.TotalDiskUsage : 61440
VirtualMachine.CPU.Count : 1
VirtualMachine.Disk0.IsClone : true
VirtualMachine.Disk0.Size : 60
VirtualMachine.Disk0.Storage : EMC-VNX5600-2TB-01
VirtualMachine.Disk0.Storage.Cluster.ExternalReferenceId : group-p129
VirtualMachine.Disk0.Storage.Cluster.Name : EMC-DS-CLS-VNX5600-01
VirtualMachine.LeaseDays : 0
VirtualMachine.Memory.Size : 4096
VirtualMachine.Network0.Address : 10.X.X.X
VirtualMachine.Network0.DnsSearchSuffixes : apd.com
VirtualMachine.Network0.DnsSuffix : apd.com
VirtualMachine.Network0.Gateway : 10.X.X.X
VirtualMachine.Network0.Name : eth-9
VirtualMachine.Network0.NetworkProfileName : VLAN-916
VirtualMachine.Network0.PrimaryDns : 10.X.XX
VirtualMachine.Network0.PrimaryWins :
VirtualMachine.Network0.SecondaryDns : 10.X.XX
VirtualMachine.Network0.SecondaryWins :
VirtualMachine.Network0.SubnetMask : 255.255.255.0
VirtualMachine.Network1.Address : 10.X.XX
VirtualMachine.Network1.DnsSearchSuffixes : apd.com
VirtualMachine.Network1.DnsSuffix : apd.com
VirtualMachine.Network1.Gateway :
VirtualMachine.Network1.Name : eth-8
VirtualMachine.Network1.NetworkProfileName : Backup
VirtualMachine.Network1.PrimaryDns : 10.X.XX
VirtualMachine.Network1.PrimaryWins :
VirtualMachine.Network1.SecondaryDns : 10.X.XX
VirtualMachine.Network1.SecondaryWins :
VirtualMachine.Network1.SubnetMask : 255.255.255.0
VirtualMachine.Request.Layout : vcacvm.customname.os.dmz
VirtualMachine.Storage.Cluster.ExternalReferenceId : group-p129
VirtualMachine.Storage.Cluster.Name : EMC-DS-CLS-VNX5600-01
VirtualMachine.Storage.Name : EMC-VNX5600-2TB-01
Vrm.ProxyAgent.Uri : https://iaas-mgr.apd.com/VMPS2Proxy
__Legacy.Workflow.ImpersonatingUser :
__Legacy.Workflow.User : vcac@apd.com
__Notes : This is test VM.
__api.request.id : 5d14685b-22f8-4b22-b2ec-8377922f0a3e
__clonefrom : windows-2008-R2-template
__clonefromid : def1171a-7fd7-4b69-a623-bbfd7e0d34a0
__clonespec : windows-join-ad
__displayLocationToUser : False
__menusecurity_connect : true
__menusecurity_connectVdi : true
__menusecurity_connectVmrc : false
__menusecurity_destroy : true
__menusecurity_expire : true
__menusecurity_reprovision : true
__menusecurity_snapshotmanagement : true
__menusecurity_turnoff : true
__menusecurity_turnon : true
__request_reason :
If you need more information about the methods and functions for these properties, you can use the API Explorer to search for the property name; it will also list the most commonly used property names for your reference.
  • Use API Explorer
  • When you log in to the vRO Client, click Tools > API Explorer
  • Enter the name of the element and view the results

Hope This Helps!!

Monday, May 18, 2015

If you don't want to use user@domain.com in vRA Login page, configure SSO wisely!

I have been working on various vRealize Automation consulting engagements and have come across customers who don’t want to use the login name in UPN format, i.e. user@domain.com, when logging in to the vRA portal. They prefer using other traditional methods like domain\user or AD user id.
In this blog post I will try to cover all those options that you may use or recommend to your customer so that they don’t have to use the format user@domain.com when logging into the vRA portal.
Following are your options:
  1. vCenter Single Sign On
If you haven’t implemented vRA yet and are currently in the design phase, you may suggest that the customer use vCenter Single Sign On instead of the vRealize Identity Appliance. However, there are some pros and cons of using vCenter SSO over the Identity Appliance which you must be aware of when taking this decision; I will cover that in a different blog post.
We know that if you use vCenter SSO the default domain is Local OS, hence you have to set your Windows Active Directory as the Default Domain in order to avoid using @domain.com in the login name.
  2. Add Identity Store using Active Directory
If you are going to propose using the Identity Appliance in your solution, when you add an Identity Store use Active Directory and enter the NTLM name of the domain in the Domain alias field. This would allow you to log in using domain\user.
  3. Client Integration Plugin
With the Client Integration Plugin you can log in using the “Use Windows session authentication” option available on the vRA login page. This enables the user to use his existing Windows session for logging into vRA. If you are using vRA 6.2 and you click on the “Download Client Integration Plugin” link, it may not work; however, if you have a vCenter Server you may download the Client Integration Plugin from its login page and use the same for Identity Appliance SSO.
If you have installed the Client Integration Plugin and the login fails with the error “Windows Session Authentication login has failed as a result of an error caused by the VMware Client Integration Plugin”, then follow the instructions in VMware KB http://kb.vmware.com/kb/2090617.
Once the Client Integration Plugin is set up correctly you will be able to log in using “Use Windows session authentication” and hence won’t have to use @domain.com.
  4. Change default Identity Store using JXplorer (UNSUPPORTED)
In the first option, we saw how we can configure a default Identity Store for vCenter SSO using the Web Client. Unfortunately we don’t have a similar option for Identity Appliance SSO. To work around this, you may use JXplorer to enable a default Identity Store for the Identity Appliance.
  1. Download and install JXplorer; the installer is available at http://jxplorer.org/downloads/
  2. Launch JXplorer and connect to the Identity Appliance SSO. Click on File > Connect


  3. Enter the following details:
  • Host – Identity Appliance SSO FQDN or IP
  • Level – User + Password
For all other options use the values provided in the screenshot
  4. Once you have connected to the SSO, navigate to local > vsphere > Services > Identity Manager > Tenants > select vsphere.local
  5. Click on Table Editor and search for vmwSTSDefaultIdentityProvider and enter the domain name in the value section.

NOTE: This option is not supported by VMware GSS and if you run into any issues you would have to revert the value of vmwSTSDefaultIdentityProvider to local os. It's recommended that you evaluate other options before implementing this in production.

Thursday, April 16, 2015

Troubleshooting MSDTC when vCenter Storage & Network is not detected by vRealize Automation


I am currently working on a vRealize Automation 6.2 implementation where I have completed the distributed install. Post the installation I started the basic configuration, where I added the vCenter server, Fabric & Business Groups.
However when I was creating the reservations I noticed that the Storage & Network details were not detected. This was not new, I had faced this issue earlier but it was not an easy fix this time as the Windows firewall was enabled on the Windows database & IaaS servers and it could not be disabled.
In this blog post I would like to share the different troubleshooting steps that I have performed to troubleshoot and fix this issue.
Step 1 – Have a clear understanding about the problem statement.
In this case the Storage Paths and Network were not detected when creating the Reservations for Business Groups.
Note that at least one data collection should be completed successfully for the Compute Resource before this data is populated in the Reservations.
Step 2 – Investigating the cause & FIX the issue
Look at the status of the vSphere Endpoint and make sure that it’s OK. To confirm this, navigate to Infrastructure > Compute Resources > Compute Resource.
Next navigate to Infrastructure > Monitoring > Log to check the errors. In this case the below errors were reported.
Error | 2/4/2015 7:55 PM | Manager Service | Manager Service | XXXXX | XXXXX | DataBaseStatsService: ignoring exception: Error executing query usp_SelectAgent Inner Exception: Error executing query usp_SelectAgentCapabilities
Error | 2/4/2015 7:55 PM | Manager Service | Manager Service | XXXXX | XXXXX | Error processing ping response Error executing query usp_SelectAgent Inner Exception: Error executing query usp_SelectAgentCapabilities
Error | 2/4/2015 7:54 PM | Manager Service | Manager Service | XXXXX | XXXXX | DataBaseStatsService: ignoring exception: Error executing query usp_SelectAgent Inner Exception: Error executing query usp_SelectAgentCapabilities
Error | 2/4/2015 7:54 PM | Manager Service | Manager Service | XXXXX | XXXXX | Error processing ping response Error executing query usp_SelectAgent Inner Exception: Error executing query usp_SelectAgentCapabilities


While the above errors indicate a possible issue with the IaaS database, for detailed information check the Manager Service logs located in C:\Program Files (x86)\VMware\vCAC\Server\Logs.
NOTE – If you have multiple servers with the Manager Service installed, check the logs on the server which is Active. You can either check on the load balancer which node is Active, or log in to the server and check the status of the below service; it will be running on the Active server.
Here is a snippet of the errors reported in the ALL.txt file:
System.ApplicationException: Error executing query usp_SelectManagementEndpoint  ---> System.ApplicationException: Error executing query usp_SelectEntityProperties  ---> System.Transactions.TransactionManagerCommunicationException: Network access for Distributed Transaction Manager (MSDTC) has been disabled. Please enable DTC for network access in the security configuration for MSDTC using the Component Services Administrative tool. ---> System.Runtime.InteropServices.COMException: The transaction manager has disabled its support for remote/network transactions. (Exception from HRESULT: 0x8004D024)
  at System.Transactions.Oletx.IDtcProxyShimFactory.ReceiveTransaction(UInt32 propgationTokenSize, Byte[] propgationToken, IntPtr managedIdentifier, Guid& transactionIdentifier, OletxTransactionIsolationLevel& isolationLevel, ITransactionShim& transactionShim)
  at System.Transactions.TransactionInterop.GetOletxTransactionFromTransmitterPropigationToken(Byte[] propagationToken)
  --- End of inner exception stack trace ---


This clearly indicates that the MSDTC between the SQL Server & the Web Server was not working. However the MSDTC settings have been configured as per the vRA documentation:
The next thing I tried to do was a DTCPing from the Database Server to the Web Server. DTCPing is a tool provided by Microsoft to troubleshoot MSDTC. The tool is available for free download from http://www.microsoft.com/en-in/download/details.aspx?id=2868.
Once you have downloaded DTCPing.exe, run the installer and extract the files in a folder.



You will now see the following files in the folder after extracting the executable.

Repeat the same steps on the Web Server.
Launch the Dtcping on both servers
Since the communication is initiated from the Web Server to the DB server, enter the DB server hostname in the MSDTC Simulation window launched on the Web Server.
Check the status of the DTCPing command. In my case it initially received an error “RPC Server is unavailable”. To fix the MSDTC issue, I performed the following steps:
Make sure that MSDTC is enabled between all the servers; if you have a distributed install of vRA and have multiple Web Servers, ensure that MSDTC is enabled.
There shouldn’t be any firewalls between these servers; in case there is a firewall, make sure that the MSDTC ports are open.
IMPORTANT – Disable the Windows firewall on the Web Servers & SQL Database. If this is against customer compliance and security policies, you can enable the Windows firewall but create appropriate rules which allow the communication between the two hosts.
Launch the Windows firewall and click on Advanced Settings > Click on Inbound Rules and click on New Rule.
In Rule Type select Program
Enter the complete path of msdtc.exe
HINT – To find the location, open the Task Manager and click on Details
Right click on the msdtc.exe application and click on Properties
In Properties window for msdtc.exe you will find the
Now back to our firewall rule. Enter the correct path of the msdtc.exe application and click Next
Click on Allow the connection and click Next
I chose the default options
Enter a name and description of the rule and click Finish to create this rule.
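The same inbound rule created from PowerShell, as an added example that is not part of the original post: it limits the msdtc.exe rule to the peer servers instead of any remote address and prints the DTC network settings that the MSDTC error above refers to. The peer addresses, the rule name and the Domain profile are assumptions; run it elevated on each Web, IaaS and SQL server.

```powershell
# Added example: scoped inbound rule for msdtc.exe, so the firewall can stay on.
param(
    [string[]]$PeerAddresses = @('192.0.2.10', '192.0.2.11'),  # constructed sample IPs
    [string]$RuleName = 'vRA MSDTC inbound (scoped)'           # hypothetical rule name
)

# Resolve the msdtc.exe path from the service definition (the same value the
# Task Manager > Details > Properties dialog shows).
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='MSDTC'"
if (-not $svc) { throw 'MSDTC service is not installed on this server.' }
$msdtcPath = ($svc.PathName -replace '"', '').Trim()
if (-not (Test-Path -LiteralPath $msdtcPath)) {
    throw "msdtc.exe not found at '$msdtcPath'"
}

# Create the rule once; on a re-run only refresh the list of allowed peers.
$existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if ($existing) {
    $existing | Set-NetFirewallRule -RemoteAddress $PeerAddresses
} else {
    # -Profile Domain assumes the servers are domain-joined.
    New-NetFirewallRule -DisplayName $RuleName `
        -Description 'Allow MSDTC from the vRA peer servers only' `
        -Direction Inbound -Action Allow -Protocol TCP `
        -Program $msdtcPath -RemoteAddress $PeerAddresses `
        -Profile Domain | Out-Null
}

# Show which remote addresses the rule actually admits.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object -ExpandProperty RemoteAddress

# Show the DTC security configuration; compare it with the values the
# vRA documentation asks for.
Get-DtcNetworkSetting -DtcName Local |
    Select-Object InboundTransactionsEnabled, OutboundTransactionsEnabled,
                  RemoteClientAccessEnabled, AuthenticationLevel

# Service state and startup mode, taken from the CIM object queried above.
$svc | Select-Object Name, State, StartMode
```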
Log in to the server with the Manager Service installed. NOTE: In a distributed install, the Manager Service is installed in Active/Passive mode; to check the Active node, log in to the load balancer.
Restart the below service
To confirm the status, check the server logs located at C:\Program Files (x86)\VMware\vCAC\Server\Logs.
If the issue persists, perform the below steps on both the Database & IaaS Servers
  • Uninstall MSDTC from the Windows command prompt using the msdtc -uninstall command.
  • Reboot the Manager Service server
  • Install MSDTC on the server using the command msdtc -install from the command prompt
  • Reboot the Manager Service server
  • Make sure MSDTC is enabled as per the below screenshot

UPDATE - set the MSDTC service startup type to Automatic after reinstalling, as it defaults to manual:
sc config msdtc start= auto
sc start msdtc