vRealize Business for Cloud API Authentication

vRealize Business for Cloud (vRBC) can be used to meter vSphere, NSX and vCloud Director endpoints. I have struggled a bit to obtain necessary metering data via API due to very brief documentation, so let me describe step by step how to do so.

Although vRBC supports local accounts, this is only for testing purposes. In production you should always use VMware Identity Manager (VIDM) authentication. VIDM appliance deployment is not hard and the integration with vRBC is quite simple through vRBC VAMI UI.

Now to use vRBC API you first need to obtain authentication token from VIDM. Go to vRBC appliance and from /usr/local/tomcat/itbm-server/conf/itfm-oauth.properties  retrieve client.id and client.secret values.

These values are used to retrieve the authentication token from VIDM. You will get it with:

POST https:// <vidm-IP> /SAAS/API/1.0/oauth2/token?grant_type=client_credentials

and provide the BASE64 encoded credentials in Authorization header.

Now copy the access_token from the response and use it in your API call to retrieve metering reports from vRBC:

Advertisements

vCloud Director Federation with VMware Identity Manager

Although in the past I have already blogged about vCloud Director federation with VMware Workspace and Microsoft AD FS I still have not wrote a guide how to achieve organization federation with VMware Identity Manager.

VMware Identity Manager (VIDM) is Single Sign-On solution that integrates with multiple identity providers (such as Active Directory) and offers App Store like access to multiple subscribed services with adaptive access (including multi factor authentication such as VMware Verify, DUO or RSA SecurID).

Users can easily log in into multiple different cloud services from a single page thanks to SSO. One such service can be vCloud Director and this article describes how to achieve this.

VIDM is provided as virtual appliance that can be deployed in  a load balanced distributed or simple configuration with external Microsoft SQL database or for evaluation purposes with embedded PostgreSQL. It is also provided as a cloud service.

I have deployed in my lab VIDM 3.2 in a single embedded database configuration and connected it to my lab Active Directory. VIDM also provides its own internal IdP (System Domain) so can be used also without an external AD/LDAP.

  1. In vCloud Director Organization enable Federation by setting Entity ID to Org Name (or any other unique string), generate fresh certificate and download Metadata from the link provided (file spring_saml_metadata.xml). This can be done as system or Organization Administrator.
  2. In VIDM go to Catalog and create new web application. You have to be logged in as VIDM Administrator. Write application name, description and upload nice icon and choose category. 
  3. In the next screen keep Authentication Type SAML 2.0 and paste the xml metadata from step #1 into the URL/XML window. Scroll down to Advanced Properties. 
  4. In Advanced Properties we will keep the defaults but add Custom Attribute Mappings which describe how VIDM user attributes will translate to VCD user attributes. Here is the list:
Name                                                               Value
-------------------------------------------------------------------------------------
UserName                                                           ${user.userName}
EmailAddress                                                       ${user.email}
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname      ${user.lastName}
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname    ${user.firstName}
Groups                                                             CokeAdmins
Roles                                                              ${user.employeeID}

Format is always basic and namespace is blank. Let me explain what is going on here. The first two mappings should be clear. UserName specify how will the user be recognized by vCloud Director and EmailAddress will be his/her email address for notifications. The next two parameters contain given name and surname which VCD will combine into full name. Not sure why the assertion name needs to be specified in such long format but only this way it worked for me. In theory you could also pass ‘fullname’ if you have field in your directory that contains full name (my Active Director does not).

Next we have Groups. I do not know how to pass AD groups in a dynamic way, so this is a hardcoded example – all users who use this SaaS definition will belong to CokeAdmins group. You can obviously omit this if you will only import users by name.

The last property is Role – again this is optional and should be used only if we want to manage roles in IdPs and not in VCD, where we would import the user with Defer to Identity Provider role – see here for more details. I am using here unused AD Employee ID field. 

  1. Now we can finish the wizard by clicking next, select access policy (keep default) and reviewing the Summary on the next screen. As last step we can click Save & Assign, where we are presented to select users that should have this newly created App in their catalog.
  2. Next we need to retrieve metadata configuration of VIDM – this is by going back to Catalog (all the way up) and clicking Settings. From SAML Metadata download Identity Provider (IdP) metadata. 
  3. Now we can finalize SAML configuration in vCloud Director. Still on Federation page click Use SAML Identity Provider checkbox and import the downloaded metadata (idp.xml) with Browse and Upload buttons and click Apply. 
  4. From now on, login screen will default to SAML authentication, but you can always revert to local authentication with: https://<vcloud_fqdn>/cloud/org/<org-name>/login.jsp
    However, we first need to import some users/groups to be able to use SAML. You might need to re-login to see the option to add SAML users and groups. You can import VIDM users by their user name or group (the hardcoded name CokeAdmins). We can assign role or optionally leverage Defer to IdP (if you have role field populated in AD). 
  5. Login to VIDM and click on the application tile to be logged straight into VCD Organization (the Flex legacy UI). 

You can also directly enter the Flex or HTML 5 URL and you will be redirected to VIDM login screen.

As mentioned in step 4, I am managing user roles from Active Directory so I just need to import one group into VCD with Defer to IdP role and I am done with user management in VCD. The role field that VIDM uses is EmployeeID, however that field in AD can have only numerical value and VCD expects role as text string. The workaround I am using is that in AD I actually use User Description field and then in VIDM I have changed the mapping. So lets first have a look how it looks in AD:

Here is my VIDM custom AD IdP mapping:

 

vCloud Director on AWS

My colleague Lyubomir Lyubenov from VMware OneCloud team (OneCloud is internal huge vCloud Director based cloud for field enablement) recently published VCDonAWS CloudFormation templates with which you can deploy vCloud Director management components under 30 minutes on AWS.

I have seen customer (Service Providers) asking what is it for and what it means for the vCloud Director future. Let me give you my own view.

What is it?

vCloud Director is one of a few VMware products that is not provided in form of virtual appliances. The vCloud Director binaries can be installed on any compatible Linux virtual or physical machine and that means it can be installed anywhere – even on EC2 instances running on AWS. The VCDonAWS project in a clever way uses AWS resources (not VMC on AWS!) to deploy vCloud Director management stack from a single CloudFormation template. It leverages VPC (optionally stretched across 2 availability zones) for the networking, EC2 instances for jumphosts and vCloud Director cells, PostgreSQL RDS for vCloud Director database, S3 (S3FS) for vCloud Director transfer share (although this will be in the future replaced with Elastic File System for better performance), Elastic Load Balancers (for UI/API and ConsoleProxy cells) and even Auto Scaling Groups to automatically deploy additional VCD cells. The certificates are provided with AWS Certificate Manager.

The following picture taken from the VCDonAWS website shows the overall architecture.

What is it not?

As you can see above it only deploys the vCloud Director management components. You will still need to attach resource vCenter Servers/NSX Manager pairs and these obviously cannot be running on (native) AWS. You cannot even use VMC on AWS instances (at least not yet) as they have RBAC and VC/NSX inventory access limitations which prevent vCloud Director from working properly.

Cassandra VM metric datastore and RabbitMQ messaging bus optional components are not deployed either although I see no reason why they should not run on AWS.

Is it supported?

No. The deployment uses unsupported OS – Amazon Linux (the CentOS deployment option is not working at the time of writing).

Why?

Beside the OneCloud team use case which I cannot speak here about I see it as a very nice proof of concept of how VCD deployment can be automated. How simply it can be done with infrastructure as code approach. And obviously once VMC on AWS restrictions will be resolved these two can be used together to provide multitenant VMware platform IaaS.

Try it yourself!

If you have AWS account try it yourself and really in about an hour you can have a deployed vCloud Director instance.

Here are some tips:

  • Use only US regions as the provided templates do not have AMI mappings for other regions
  • Use Amazon Linux HVM as base operating system for Bastion and cell hosts (CentOS option is not working)
  • For VCD installation ID do not use 7-9 due to bug in verification regex.
  • You will need VCD binary uploaded in an S3 bucket. I used VCD 9.1 GA bits. You will also need working license key.
  • You will need certificate (even self signed) uploaded to Certification Manager.
  • And lastly generate key pair  for accessing bastion hosts and cells.
Cloud Formation Input Dialog

 

 

Stack Deployment

 

vCloud Director Cells

Limit Maximum vCPU/RAM Configuration of vCloud Director VM

Some times ago I wrote about an undocumented feature that allows to limit maximum disk size for VM in vCloud Director. I was asked numerous times if there is similar setting for vCPU and RAM maximums. Today I discovered there is, however it should be considered an experimental feature. I still find it useful as misconfigured VM with extremely large number of vCPUs or huge RAM will impact the host it is running on and cause excessive swapping or high CPU ready times so it is in best interest of the vCloud Director system administrator to prevent it. The other option is to use blocking tasks as described here: CPU and Memory Limit enforcement for vCloud Director and in a blog here.

The limit is set with cell-management-tool command on any cell. Restart of the cell is not necessary.

$VCLOUD_HOME/bin/cell-management-tool manage-config -n vmlimits.memory.limit -v 65536
$VCLOUD_HOME/bin/cell-management-tool manage-config -n vmlimits.cpu.numcpus -v 16

The settings in the example above will limit maximum size of a VM to 16 vCPUs and 64 GB RAM.

Some observations:

  • The limit is vCloud Director instance wide and also applies to system administrators
  • VM with resources set above the limit will fail to be powered on with an error:
    The operation could not be performed, because there are no more CPU resources
    or
    The operation could not be performed, because there are no more Memory resources
  • It can be cheated by using CPU or memory hot add and adding resource beyond the limits to an already powered on VM

Again, consider it an experimental feature and use at your own risk.

What’s New in vCloud Director 9.1

vCloud Director version 9.1 has been released. It has been just 6 months since the previous release (9.0) so VMware is delivering on its promise of multiple yearly releases in 6 months cadence.

In this whitepaper you can find  high level overview of some of the new features. Let me summarize them and also provide additional ones here below.

H5 UI Enhancements

In iterative process the HTML 5 UI is slowly replacing legacy Flex UI. The tenant portion now includes vApp, Catalog and Networking management functionality, OVF/ISO download/uploads without the need for Client Integration Plugin (hooray!) and support for standalone VMware Remote Console.

Associated organizations from multiple or single (new in 9.1) vCloud Director instances now have aggregated view of all Org VDCs with seamless UI redirections between instances.

SDK for UI Extensibility has been released which means the service provider can extend the UI with additional sections to provide access to new services. The SDK includes very simple example of a static page extension (e.g. terms of service, links to other services or price lists) and upcoming vCAT-SP whitepaper will show how to do more complex ones.

The H5 UI is now also used in provider context but only for new features related to vRealize Orchestrator extensibility configuration.

Both legacy UIs (provider and tenants) are still available until the full feature parity is achieved.

vRealize Orchestrator Integration

Updated vRealize Orchestrator plugin has been released. This means both providers and tenants can automate and orchestrate repeating tasks in vCloud Director.

What is completely new is the ability to integrate any vRealize Orchestrator workflows into vCloud Director UI and essential provide XaaS (anything as a service). Similar to vRealize Automation XaaS.

External Tools

Not specifically tied with vCloud Director 9.1 but fully supported now are:

  • vcd-cli Linux command line tool to easily trigger or script common vCloud Director tasks (both for provider and tenant).
  • Container Service Extension Ability to extend vCloud Director to be target for deployment of Kubernetes clusters for tenants and simple management through CLI.
  • Object Extensibility SDK
  • Security Hardening Guide (long overdue update): PDF HTML

Other Features and Changes

  • Org VDC network disconnection and connection from Org VDC Edge Gateway. This allows movements of network between Edges without impact on the connected VMs.
  • NFV features (SR-IOV, Large Page VMs, and guaranteed sensitivity support).
  • FIPS mode can be enabled on Org VDC Edge Gateways
  • vCloud Director 9.1 maximums now include support for 150 ms RTT latency between management components (vCloud cells, vSphere, NSX) and 2000 Edges in single vCloud Director instance
  • VM monitoring metrics now via API provide also roll up metrics for vApp, Org VDC and Org objects.
  • Multisite enhancements: associations of orgs within the same vCloud Director instance, multisited API queries and rollup calls
  • Removed support for old vCloud API versions (1.5, 5.1): make sure you update your scripts or applications to use at least version 5.5 APIs (e.g. Usage Meter).
  • vCloud Director no longer registers itself as an extension to resource vCenter Servers (upgraded instances will not delete the extension registration).