Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
VMware vRealize Orchestrator Cookbook

You're reading from   VMware vRealize Orchestrator Cookbook Over 90 recipes to satisfy all your automation needs and leverage vRealize Orchestrator 7.1 for your projects

Arrow left icon
Product type Paperback
Published in Nov 2016
Publisher Packt
ISBN-13 9781786462787
Length 556 pages
Edition 2nd Edition
Arrow right icon
Author (1):
Arrow left icon
Daniel Langenhan Daniel Langenhan
Author Profile Icon Daniel Langenhan
Daniel Langenhan
Arrow right icon
View More author details
Toc

Table of Contents (14) Chapters Close

Preface 1. Installing and Configuring Orchestrator FREE CHAPTER 2. Optimizing Orchestrator Configuration 3. Distributed Design 4. Programming Skills 5. Visual Programming 6. Advanced Programming 7. Interacting with Orchestrator 8. Better Workflows and Optimized Working 9. Essential Plugins 10. Built-in Plugins 11. Additional Plugins 12. Working with vSphere 13. Working with vRealize Automation

Configuring external authentication

To use Orchestrator to its fullest possibilities we should configure it with an external authentication.

Getting ready

We need an up and running Orchestrator and access to the Control Center (root account). Also see, the recipe Deploying the Orchestrator appliance in this chapter.

You should have an AD/LDAP group for your Orchestrator Administrators with at least one user in it. I will use the AD group vroAdmins with its member vroAdmin and my domain is called mylab.local. My PSC/SSO is on vcenter.mylab.local.

If you are using AD/LDAP, then you need only to know the LDAP path to your vroAdmin user and group.

If you are using SSO or vSphere(PSC), you should either have configured SSO to use AD or created a local SSO group and user.

How to do it...

We are splitting the recipe into multiple parts, one for each authentication method.

vSphere (PSC) and vRealize Automation (vRA)

For both vSphere 6 and vRA7, the entry forms look alike and follow the same pattern. However, there are some really important considerations to take into account for both. Please see the How it works... section of this recipe.

To set either vSphere (PSC) or vRealize Automation (vIDM), follow these steps:

  1. Open the Control Center and click on Configure Authentication Provider.
  2. Choose vSphere or vRealize Automation.
  3. Enter the host name of your vSphere PSC or vRA.
  4. After clicking on Connect, you may need to accept the SSL certificate.
  5. You are now asked to enter the User name and Password of an SSO administrator.
  6. Clicking on Configure licenses will automatically configure Orchestrator licensing with the vCenter license.
  7. Enter the default tenant of your SSO and click on Register:

    vSphere (PSC) and vRealize Automation (vRA)

  8. After the registration, you are asked for the admin group. Enter the name of your admin group (or the first letters, such as vro) and click on Search.
  9. Select your admin group from the drop-down menu, such as mylab.local\vroAdmins. In vRA, there is a preconfigured group called vsphere.local\vcoAdminis.
  10. Click on Save Changes and restart the Orchestrator service.

SSO (legacy)

If you are using vRO7 with vSphere 5.5 (minimum update 2) you need to use the SSO configuration:

  1. Open the Control Center and click on Configure Authentication Provider.
  2. Choose SSO (legacy).
  3. Enter the following for Admin URL: https://vcenter.mylab.local:7444/sso-adminserver/sdk/vsphere.local.
  4. Enter the following for STS URL: https://vcenter.mylab.local:7444/sts/STSService/vsphere.local.
  5. Click on Save Changes.
  6. You will now need to accept the SSL certificate of your SSO server (not shown in the following picture).
  7. After you have accepted the certificate you will be asked to enter an SSO admin account and its password, followed by the Default tenant, which is vsphere.local for all 5.5 systems.
  8. Click on Register.
  9. If everything is fine you will now be asked to restart the Orchestrator service. However, we can ignore that for the moment:

    SSO (legacy)

  10. Now you need to choose admin group. Enter the name of your admin group (or the first letters, such as vro) and click on Search.
  11. Select your admin group from the drop-down menu, such as mylab.local\vroAdmins. SSO 5.5 has a preconfigured Orchestrator group called vcoAdministrators@vsphere.local.
  12. Click on Save Changes and restart the Orchestrator service again.

LDAP

Please note LDAP will be discontinued in further Orchestrator releases and should not be used anymore. Furthermore, using LDAP won't allow Orchestrator to use all its awesome features.

If you are using LDAP, you can choose from the In-process LDAP (ApacheDS), the built-in LDAP, Active Directory, or OpenLDAP.

Please note that LDAP entries are case sensitive. To configure Orchestrator with Active Directory, follow these steps:

  1. Open the Control Center and click on Configure Authentication Provider.
  2. Choose LDAP and then Active Directory.
  3. Enter the domain name of your AD and set the port to 389.
  4. As root, enter your domain in LDAP dc=mylab,dc=local.
  5. Enter the username in LDAP and then the password. Be mindful that in AD, the folder Users is not an OU but a CN, cn=vroAdmin,cn=Users,dc=mylab,dc=local.
  6. It is easiest to set the user and group lookup base to the root of your domain, for example, dc=mylab,dc=local. However, if your AD or LDAP is large, it might be better performance-wise to choose a different root.
  7. Enter the Orchestrator admin group in LDAP, cn=vroAdmins,cn=Users,dc=mylab,dc=local.
  8. Click on Save Changes.
  9. If everything is fine you will be asked to restart the Orchestrator service.

    LDAP

How it works...

Configuring Orchestrator to work with an external authentication enables AD users to log in to the Orchestrator Client. The alternative would be to either have only one user using it or adding users to the embedded LDAP. However, for a production Orchestrator, the embedded LDAP solution is not viable.

PSC/vIDM/SSO is a highly integrated part of vSphere, it can proxy multiple AD and/or LDAP domains and lets you integrate Orchestrator directly into vCenter as well as other corner pieces of VMware software offerings.

If you are using vSphere or vRealize Automation authentication, you have the additional benefit of having Orchestrator automatically licensed. If you are using LDAP or SSO you have to assign a license to Orchestrator.

When using SSO or vSphere, Orchestrator will register in SSO as a Solution User with the prefix vCO.

vRealize Automation and vSphere Authentication

The entry masks look the same, however, they are not. vSphere uses SSO and vRA 7 uses vIDM and those are very different beasts indeed.

When you register Orchestrator with vRealize Automation or you use the vRA embedded Orchestrator you will not be able to use a per-user session with vCenter as the SSO token and the vIDM token are incompatible at this time. I have been informed that the ability to configure the vRA embedded Orchestrator version will not be able to use PSC configuration anymore. The best way to solve this is to use a secondary Orchestrator.

Test login

With the test login, you can test if you can log on to Orchestrator using the Control Center:

Test login

If you get a reply in yellow saying Warning: The user does not have administrative rights in vRealize Orchestrator. Login to the Orchestrator client depends on the user view permissions, it means that the user has been found by Orchestrator but he is not a member of the Orchestrator admin group. See also, the recipe User management in Chapter 7, Interacting with Orchestrator.

Internal LDAP

The internal LDAP has the following preconfigured entries:

Username

Password

Group membership

vcoadmin

vcoadmin

vcoadmins

vcouser

vcouser

vcousers

The LDAP installation is protected to only allow local access to it. Using the internal LDAP is not recommended at all.

There's more...

Changing the Authentication Provider is quite easy. If you choose LDAP and now want to change it to something else, just select the new provider.

If you chose vSphere SSO or vRealize Automation you need to first unregister the existing Authentication Provider. To do this, follow these steps:

  1. Open the Control Center and click on Configure Authentication Provider.
  2. Click on Unregister and then enter the SSO admin's password and click Unregister.
  3. Now you can select another Authentication mode.

    There's more...

See also

Recipes in Chapter 11, Additional Plugins, depict which authentication is the most preferable for the plugins discussed there.

You have been reading a chapter from
VMware vRealize Orchestrator Cookbook - Second Edition
Published in: Nov 2016
Publisher: Packt
ISBN-13: 9781786462787
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image