vRO Prereqs for SovLabs

Automate Configure vRO Steps

SovLabs provides a sov_vro_config.sh script to automate the following steps:

  • Step 2.1 - Modify the vmo.properties and js-io-rights files and set permissions on the vRO server.
  • Step 2.2 - Create the krb5.conf file for Kerberos Authentication
  • Step 2.3 - Increase the vRO configurator Max Heap Size

The sov_vro_config.sh script is provided for convenience. Please review the script thoroughly, pay very close attention to the prompts, and carefully enter values when prompted.

If used improperly, the results could be detrimental to the functioning of vRO.

Perform Configure vRO steps 2.1-2.3 manually if unsure.

Steps

1. Download the sov_vro_config.sh

2. Copy the sov_vro_config.sh script to your vRO appliance in the /tmp folder

3. Make the script executable: chmod +x sov_vro_config.sh

4. Execute the script from the command line and follow the prompts

sov_vro_config script output - vRO fig. 1 Screenshot

5. If you have more than one vRO (or vRA if using embedded vRO), run this script on all of them

  • Make sure to enter the prompted values exactly the same

6. Skip to Step 2.4 - Create vRO vRA Host


Modify files and set permissions

# | Step | Location | Notes
2.1 | Modify vmo.properties and js-io-rights files and set permissions | vRO server |

Manual Steps

Modify vmo.properties

This configuration change is necessary in order for vRO to execute external applications and perform actions such as ping.

1. SSH as user root to the vRO server (e.g. SSH via PuTTY)

2. Make a backup copy of vmo.properties file

cp /etc/vco/app-server/vmo.properties /etc/vco/app-server/vmo.properties.bak

3. Modify the vmo.properties file:

vi /etc/vco/app-server/vmo.properties

4. Press the i key on the keyboard to edit the file

5. Copy & paste the following line to the end of the file:

com.vmware.js.allow-local-process=true

6. Press the esc key on the keyboard

7. Type in :wq and press the Enter key to save the file

8. Repeat if you have more than one vRO (or vRA if using embedded vRO)


Modify js-io-rights.conf to set permissions

This configuration change is necessary to allow vRO workflows to write temporary files to the vRO filesystem.

1. SSH as user root to the vRO server (e.g. SSH via PuTTY)

2. Make a backup copy of js-io-rights.conf file

cp /etc/vco/app-server/js-io-rights.conf /etc/vco/app-server/js-io-rights.conf.bak

3. Stop the vRO Configurator service:

service vco-configurator stop

4. Modify the js-io-rights.conf file:

vi /etc/vco/app-server/js-io-rights.conf

5. Press the i key on the keyboard to edit the file

6. Copy & paste the following line to the end of the file:

+rwx /tmp

7. Press the esc key on the keyboard

8. Type in :wq and press the Enter key to save the file

9. Ensure that the file has the appropriate permissions

cd /etc/vco/app-server
chown vco:vco js-io-rights.conf
chmod 640 js-io-rights.conf

10. If using vRA/vRO 7.4, the following needs to be performed for the modifications to be permanent:

/var/lib/vco/tools/configuration-cli/bin/vro-configure.sh sync-local

11. Start the vRO Configurator service:

service vco-configurator start

12. Restart the vRO server

service vco-server restart

13. Repeat if you have more than one vRO (or vRA if using embedded vRO)
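
The edits in the two manual procedures above can be made repeatable. The following is an added example, not SovLabs' sov_vro_config.sh and not code from the original page: it appends each line only if it is missing, keeps a .bak copy, and checks the 640 mode. The VRO_ROOT prefix and the function names are assumptions made for the example; stopping and starting vco-configurator, sync-local on 7.4 and the vco-server restart still have to be run as listed in the steps.

```shell
#!/bin/sh
# Added example: the Step 2.1 file edits made repeatable.
# VRO_ROOT is a hypothetical prefix for rehearsing against a copy of the
# files; leave it empty on the appliance.
VRO_ROOT="${VRO_ROOT:-}"

# Append line $2 to file $1 unless that exact line already exists.
# The first change keeps the original as <file>.bak, as in the manual steps.
ensure_line() {
  local file="$1" line="$2"
  [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
  if grep -qxF -e "$line" "$file"; then
    return 0    # already present: nothing to do
  fi
  [ -e "$file.bak" ] || cp -p "$file" "$file.bak"
  # Guard against a last line without a trailing newline, which would
  # otherwise be glued to the new entry.
  [ -z "$(tail -c 1 "$file")" ] || printf '\n' >> "$file"
  printf '%s\n' "$line" >> "$file"
}

# Succeeds only if file $1 has octal mode $2 (GNU stat assumed).
has_mode() {
  [ "$(stat -c '%a' "$1")" = "$2" ]
}

apply_step_2_1() {
  local dir="$VRO_ROOT/etc/vco/app-server"
  ensure_line "$dir/vmo.properties" 'com.vmware.js.allow-local-process=true' || return 1
  ensure_line "$dir/js-io-rights.conf" '+rwx /tmp' || return 1
  chmod 640 "$dir/js-io-rights.conf" || return 1
  # Ownership can only be set by root, and only where the vco account exists.
  if [ "$(id -u)" -eq 0 ] && id vco >/dev/null 2>&1; then
    chown vco:vco "$dir/js-io-rights.conf" || return 1
  fi
  has_mode "$dir/js-io-rights.conf" 640
}

if [ "${1:-}" = "--apply" ]; then
  apply_step_2_1
fi
```

Running it a second time changes nothing, which makes it safe to repeat on every vRO node.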


Configure Kerberos

This allows vRO to authenticate via Kerberos to a Windows VM.

This is typically only needed if using the Ansible Tower, Puppet Enterprise or Puppet Open Source SovLabs vRA Extensibility modules.

# | Step | Location | Notes
2.2 | Create krb5.conf for Kerberos Authentication to Windows VMs, if needed | vRO server | Set permission on krb5.conf to 0644

1. Copy and paste the block below into a text editor and replace all instances of EXAMPLE.COM and example.com with YOURDOMAIN.COM and yourdomain.com (case sensitive)

Single Domain krb5.conf example

[libdefaults]
  default_realm = EXAMPLE.COM
  udp_preferences_limit = 1 
[realms] 
  EXAMPLE.COM = {
    kdc = example.com
    default_domain = example.com
  }
[domain_realm] 
  .example.com=EXAMPLE.COM
  example.com=EXAMPLE.COM
[logging] 
  kdc = FILE:/var/log/krb5/krb5kdc.log
  admin_server = FILE:/var/log/krb5/kadmind.log
  default = SYSLOG:NOTICE:DAEMON

Multiple Domains krb5.conf example

[libdefaults]
  default_realm = EXAMPLE1.COM
  udp_preferences_limit = 1 
[realms] 
  EXAMPLE1.COM = {
    kdc = example1.com
    default_domain = example1.com
  }
  EXAMPLE2.COM = {
    kdc = example2.com
    default_domain = example2.com
  }
[domain_realm] 
  .example1.com=EXAMPLE1.COM
  example1.com=EXAMPLE1.COM
  .example2.com=EXAMPLE2.COM
  example2.com=EXAMPLE2.COM
[logging] 
  kdc = FILE:/var/log/krb5/krb5kdc.log
  admin_server = FILE:/var/log/krb5/kadmind.log
  default = SYSLOG:NOTICE:DAEMON 

2. SSH as user root to the vRO server (e.g. SSH via PuTTY)

3. Make a backup copy of krb5.conf file

cp /usr/java/jre-vmware/lib/security/krb5.conf /usr/java/jre-vmware/lib/security/krb5.conf.bak

4. Make the new krb5.conf.new file

vi /usr/java/jre-vmware/lib/security/krb5.conf.new

5. Copy & paste the contents of your text editor into the new file

6. Press the esc key on the keyboard

7. Type in :wq and press the Enter key to save the file

8. Copy krb5.conf.new to krb5.conf to overwrite the existing krb5.conf file

cp /usr/java/jre-vmware/lib/security/krb5.conf.new /usr/java/jre-vmware/lib/security/krb5.conf

9. Ensure that the file has the appropriate permissions

chmod 644 /usr/java/jre-vmware/lib/security/krb5.conf

10. Repeat if you have more than one vRO (or vRA if using embedded vRO)


Configuration Notes

  • For the [realms] section, you may put a domain in the kdc = line, or you may specify one or more specific domain controllers by FQDN.
  • If you configure the kdc as a Domain, a Domain Controller will be resolved from the domain automatically.
  • For a lab or non-production environment, or for a very large network with DCs spanning multiple geographical locations, it might be beneficial to specify your kdcs as specific Domain Controllers. However, if you specify DCs by name, this configuration must be updated whenever DCs are removed or renamed. Please consider these factors in your decision.

Example of multiple kdcs as individual domain controllers:

[realms]
  EXAMPLE.COM = {
   kdc = domaincontroller01.example.com
   kdc = domaincontroller02.example.com
   kdc = domaincontroller03.example.com
   default_domain = example.com
  }
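
The find-and-replace in step 1 is case sensitive and easy to get wrong when there are several domains. The following added example (not part of the original page or of SovLabs' script) prints a krb5.conf in the layout shown above, deriving the upper-case realm and lower-case domain from a single argument and accepting an optional kdc list as described in the Configuration Notes. The function names and the `domain=kdc1,kdc2` argument format are assumptions made for the example.

```shell
#!/bin/sh
# Added example: print a krb5.conf in this page's layout.
# Arguments (hypothetical format): "domain" or "domain=kdc1,kdc2,...".
# The first domain given becomes default_realm.

krb5_domain() { printf '%s' "${1%%=*}" | tr '[:upper:]' '[:lower:]'; }
krb5_realm()  { printf '%s' "${1%%=*}" | tr '[:lower:]' '[:upper:]'; }

gen_krb5_conf() {
  local spec domain realm kdcs kdc
  [ "$#" -gt 0 ] || { echo "usage: gen_krb5_conf domain[=kdc,...] ..." >&2; return 2; }
  # Validate everything first so a bad argument never yields a partial file.
  for spec in "$@"; do
    case "$spec" in
      ''|*[!A-Za-z0-9.,=-]*|=*|*=|*=*=*|*=,*|*,|*,,*)
        echo "invalid entry: $spec" >&2; return 1 ;;
    esac
    case "${spec%%=*}" in
      *,*) echo "invalid entry: $spec" >&2; return 1 ;;
    esac
  done
  printf '[libdefaults]\n  default_realm = %s\n' "$(krb5_realm "$1")"
  printf '  udp_preferences_limit = 1\n[realms]\n'
  for spec in "$@"; do
    domain="$(krb5_domain "$spec")"
    printf '  %s = {\n' "$(krb5_realm "$spec")"
    # With no explicit list, the domain name itself is the kdc and a
    # Domain Controller is resolved from it.
    case "$spec" in
      *=*) kdcs="${spec#*=}" ;;
      *)   kdcs="$domain" ;;
    esac
    for kdc in $(printf '%s' "$kdcs" | tr ',' ' '); do
      printf '    kdc = %s\n' "$kdc"
    done
    printf '    default_domain = %s\n  }\n' "$domain"
  done
  printf '[domain_realm]\n'
  for spec in "$@"; do
    domain="$(krb5_domain "$spec")"; realm="$(krb5_realm "$spec")"
    printf '  .%s=%s\n  %s=%s\n' "$domain" "$realm" "$domain" "$realm"
  done
  printf '[logging]\n  kdc = FILE:/var/log/krb5/krb5kdc.log\n'
  printf '  admin_server = FILE:/var/log/krb5/kadmind.log\n'
  printf '  default = SYSLOG:NOTICE:DAEMON\n'
}
```

Redirect the output to /usr/java/jre-vmware/lib/security/krb5.conf.new and continue with steps 8 and 9 of the procedure above.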

Increase vRO Max Heap Size

This is needed to prevent an Out of Memory error when installing the SovLabs plugin in Control Center.

# | Step | Location | Notes
2.3 | Increase vRO Max Heap to 768m for vco-configurator service | vRO server |

1. SSH as user root to the vRO server (e.g. SSH via PuTTY)

2. Make a backup copy of setenv.sh file

cp /var/lib/vco/configuration/bin/setenv.sh /var/lib/vco/configuration/bin/setenv.sh.bak

3. Modify the setenv.sh file:

vi /var/lib/vco/configuration/bin/setenv.sh

Be sure to edit the setenv.sh in configuration/bin and not in app-server/bin. This file is specific to the vRO Configurator (vRO Control Center).

4. Press the i key on the keyboard to edit the file

5. Find the #MEM_OPTS= section and replace 512 with 768:

Before

-Xmx512m

After

-Xmx768m

6. Press the esc key on the keyboard

7. Type in :wq and press the Enter key to save the file

8. Restart vRO Configurator Service:

service vco-configurator restart

9. Repeat if you have more than one vRO (or vRA if using embedded vRO)

Create vRO vRA Host

# | Step | Location | Notes
2.4 | Create a vRA Host via vRO workflow | vRO client | The default vRA host will not work for the SovLabs plugin.

The vRA Host must be Shared Session mode.

If using the vsphere.local tenant, the name must begin with sovlabs_

1. Login to the vRO client

2. In the Workflows tab, go to: Library > vRealize Automation > Configuration > Add a vRA Host

Add vRA Host - vRO fig. 1 Screenshot

3. Right-click the workflow and click Start workflow and fill out the form:

Field | Value | Note
Host Name | Name to use for vRA Host endpoint | If installing the SovLabs Plugin in vsphere.local tenant, begin the hostname with sovlabs_ (e.g. sovlabs_vra01.example.com)
Host URL | vRA URL (e.g. https://vra01.example.com) | No port number
Automatically install SSL certificates? | Yes |
Connection Timeout | Keep default |
Operation Timeout | Keep default |
Maximum page size… | Keep default |

Add vRA Host - vRO fig. 2 Screenshot

4. Click Next in the form wizard:

Field | Value | Note
Session mode | Shared Session | *Must be Shared Session, not Per User
Tenant | vRA tenant in which SovLabs Modules will be installed | This is case-sensitive!
Authentication Username | vRA Service Account user | Use sov_admin@vsphere.local (or other vRA user setup in Step 1.1)
Authentication Password | vRA Service Account user’s password |

Add vRA Host - vRO fig. 3 Screenshot

5. Click Submit in the form wizard

6. The workflow should finish successfully

Add vRA Host - vRO fig. 4 Screenshot

A new inventory item for the vRA host will appear in the Inventory tab of the vRO client.

vRA Host in Inventory - vRO fig. 1 Screenshot

Create vRO vRA IaaS Host

# | Step | Location | Notes
2.5 | Create vRA IaaS Host via vRO workflow | vRO client | The vRA IaaS Host may already exist

You will need the Service Account that was used to configure your vRA service on the IaaS Server.
IaaS Host credentials Screenshot

1. Login to the vRO client

2. In the Workflows tab, go to: Library > vRealize Automation > Configuration > Add an Iaas host of a vRA Host

Create IaaS Host - vRO fig. 1 Screenshot

3. Right-click the workflow and click Start workflow and fill out the form:

Field | Value | Note
vCAC Host | Choose the appropriate vRA host in the list | Created in Step 2.4

Create IaaS Host - vRO fig. 2 Screenshot

4. Click Next for Host Properties and accept the defaults. The fields should all be auto-filled

Create IaaS Host - vRO fig. 3 Screenshot

5. Click Next for Proxy settings

Field | Value | Note
Use Proxy | No unless your installation uses a proxy |

6. Click Next for User credentials

Field | Value | Note
Host’s authentication type | NTLM | If using an embedded vRO, you should be able to select SSO
Authentication User | Username only, no domain | Service Account used in the VMware Cloud Automation Center service on your IaaS server
Authentication Password | Type in username’s password |

Create IaaS Host - vRO fig. 4 Screenshot

7. Click Next for Domain and Workstation

Field | Value | Note
Workstation | Leave blank unless otherwise needed |
Domain | Type the domain for the Service Account |

Create IaaS Host - vRO fig. 5 Screenshot

8. Click Submit

