Re: vRA Identity Appliance behind a VIP

RebeccaW · ‎03-03-2015

Good news: After all the posts here and several vmware tickets we did wind up getting that distributed lab of vRA 6.2 build.

Have a ticket open on this situation but thought I'd also bounce it off people here to see if you've done something similar.

Situation: Our distributed install uses the vRA Identity Appliance. The hostname is the FQDN of the appliance and that FQDN is also the SSO Host listed on the two vRA Virtual Appliances. This works as expected from an administrative jump-host. You hit the URL of the tenant (which uses the vip\pool dns name), it takes you to the SSO fqdn, you log in, your URL bar is back to the the vip\pool of the Virtual Appliances). Network Security has not opened 7444 directly to the Identity Appliance from the general user block (stating security concerns having users connect directly to the SSO server, understandable). Instead a VIP rule was created (on the same vip\pool dns name as our Virtual Appliances) to forward traffic over to 7444 on the Identity Appliance. No config changes on our appliances so as expected from the user block one cannot get to the vRA portal because they can't hit SSO.

Query: We had a weird issue in our 6.1 non-distributed lab where vSphere SSO was rebuilt and wound having to rebuild all of 6.1 to get connected back (quirk, who knows) so we are hesitant to go and just update the SSO Host setting on the 6.2 Virtual Appliances. Presuming it works we'd also need to change the Identity Appliance certificate to include the additional name in the SAN (Network Security did say they are not tied to using the same dns name we have for our Virtual Appliance pool and just want it to be not the real fqdn of the appliance...right now it just seems odd to try and put the same name in for Host Name and SSO Host on those virtual appliances despite the VIP rules). Has anyone else set up their vRA SSO Host as something other than the fqdn of the SSO server (specifically Identity Appliance in our case but vSphere SSO as well)? Basically just wondering (a) if it would function in an already built environment and (b) if it would work for an environment being built so we can just start out with an alias\VIP name when we build our prod vRA. Like I said the whole issue we had in our non-distributed has me leery of just experimenting and hoping worst case it will just take the original setting and carry on happily.

Edited to add: So basically like how in "Configuring VMware® vCenter SSO High Availability for VMware vRealize Automation: Deployment Guide for High-Availability Configurations: Version 6.1 and Later" on page 44 "Configure vRA to Use vCenter SSO and you put the FQDN of the load balancer name for SSO Host can you do something similar [ie a load balancer name that behind it is an Identity Appliance and not HA vSphere SSO] and do it after the whole environment is already built out. It *sounds* pretty straight forward but then again with this thing I am very over making any assumptions. :smileylaugh: Would also presume on the Identity Appliance at the least a cert update would be needed on the SSL tab, not 100% on updating its Host Name setting to the load balancer name.

sbeaver · ‎03-03-2015

Let me tell you some things that I have tried and some lessons that I have learned. Currently I am using the Identity Appliance in FT mode behind vShield Edge. I also create a clone of the appliance as an extra backup since NetBackup does not play with FT at all.

When I was originally setting things up I tried to attached vCAC to a three node Windows SSO deployment behind a load balancer and was having all sorts of issues during the install in where from what I could tell during the IaaS install IaaS attempts to get the SSO certificate from the Identity appliance. This SSO cert is not the certificate you configure in the documented setup but rather a self-signed certificate for SSO. Take a look at /etc/vmware-sso/keys/ssoserverSign.crt ssoserver.crt and ssoserverRoot.crt. I have not played with it any further but that was something that I discovered.

Steve

Steve Beaver
VMware Communities User Moderator
VMware vExpert 2009 - 2020
VMware NSX vExpert - 2019 - 2020
====
Co-Author of "VMware ESX Essentials in the Virtual Data Center"
(ISBN:1420070274) from Auerbach
Come check out my blog: [www.virtualizationpractice.com/blog|http://www.virtualizationpractice.com/blog/]
Come follow me on twitter http://www.twitter.com/sbeaver

**The Cloud is a journey, not a project.**

RebeccaW · ‎03-03-2015

When you went from the Windows 3-Node SSO to the Identity Appliance did you wind up having to do anything other than update the SSO Host on your Virtual Appliances? Everything is already installed in our case and I'd hate to have to redeploy it all. Sounds like you made the switch in an existing setup, was that the case? Or did all the install issues you had initially prevent you from having a full environment with the 3-node SSO?

With our non-distributed lab I can't quite recall just why we had to redeploy the whole thing when the vSphere SSO was rebuilt. Quite possible it was just a low experience thing. Just remember we wound up using the IP rather than the name to match the SAML metadata on the SSO. Which then makes me wonder if that metadata file on the Identity Appliance will update to the new name since I presume it will need to have SSO Hostname updated to the load balancer name in addition to updating the certificate.

While we wait on our support case response we may actually use that non-distributed environment to test a little and make sure it takes well to having the SSO Hostname setting changed. One has to change it sometimes to match the SAML metadata so I'm guessing it is fine but we've just had too many issues lately for me to feel good guessing/assuming. One of those situations were it would have been helpful going in knowing they didn't want us to use the FQDN so we could have started with it as a load balancer name a month ago. All our docs had it with just the server FQDN since it was only one system.

Good to know you have success with the Identity Appliance behind vShield Edge.

sbeaver · ‎03-03-2015

It was at an early stage in the setup and I know I have rebuilt a few times along the way. One of the reason I have everything behind the vShield Edge is that if I need to replace something it is a heck of a lot easier to replace something behind the loadbalancer as long as the CA certificates are consistent and the same. There is a few KB articles on how to replace the certificated and how to repoint each of the different servers to the new cert. My VIP names will not change which helps greatly along with that I have the NSX plugin pointing to the vShield Edge so I can make changes to the loadbalancer via a VCO workflow

Steve Beaver
VMware Communities User Moderator
VMware vExpert 2009 - 2020
VMware NSX vExpert - 2019 - 2020
====
Co-Author of "VMware ESX Essentials in the Virtual Data Center"
(ISBN:1420070274) from Auerbach
Come check out my blog: [www.virtualizationpractice.com/blog|http://www.virtualizationpractice.com/blog/]
Come follow me on twitter http://www.twitter.com/sbeaver

**The Cloud is a journey, not a project.**

GrantOrchardVMw · ‎03-03-2015

Getting a *little* bit ahead of myself but you will see the new vSphere 6 Platform Services Controller (which includes SSO) as a supported Identity Appliance shortly. This supports replication between nodes (unlike the current identity VA) which will give you another option here.

Grant

Grant http://grantorchard.com

sbeaver · ‎03-03-2015

Outstanding!!!

Steve Beaver
VMware Communities User Moderator
VMware vExpert 2009 - 2020
VMware NSX vExpert - 2019 - 2020
====
Co-Author of "VMware ESX Essentials in the Virtual Data Center"
(ISBN:1420070274) from Auerbach
Come check out my blog: [www.virtualizationpractice.com/blog|http://www.virtualizationpractice.com/blog/]
Come follow me on twitter http://www.twitter.com/sbeaver

**The Cloud is a journey, not a project.**