IBM Cloud Identity is a cloud SaaS Single Sign-On solution supporting multifactor authentication and identity governance. In this article I will describe how to integrate it with vCloud Director, where vCloud Director acts as a service provider and IBM Cloud Identity as an identity provider.
IBM Cloud Identity is a SaaS service and can be for free set up in a few minutes. It is pretty straight forward and I will skip that part.
As usual, in vCloud Director as Organization Administrator we must prepare the organization for federation. It means making sure that in the in the Administration > Settings > Federation the Entity ID is not empty and up-to-date certificate is generated that will be used to trust and secure the SAML2 assertion exchange between IdP and vCloud Director. The vCloud Director autogenerated self-signed certificate has always 1 year validity, which means once a year it must be regenerated (and the IdP reconfigured). The Organization Administrator is alerted via email when the expiration date is approaching. With vCloud API it is possible to provide your own publicly trusted certificate (with possibly longer validity).
Now we can download the metadata XML from the link provided on the same screen. As mentioned above we unfortunately cannot just upload it to IBM Cloud Identity, instead we need to manually retrieve the correct information from the downloaded spring_saml_metadata.xml file.
We will need the federation certificate (<ds:X509Certificate>) saved as properly formated PEM file: —–BEGIN CERTIFICATE—– … —–END CERTIFICATE—–
Now in IBM Cloud Identity we can set up the application:
Upload the vCloud Director federation certificate in Settings > Certificates > Add Signer Certificate:
Create new application in Applications > Add > Custom Application and set up General details like Description, icon and Application Owners.
Now in Sign-On submenu we can enter all details we have collected from vCloud Director:
– Sign-on Method: SAML2.0
– Provider ID: <EntityID>
– Assertion Consumer Service URL
– optionally check Use identity provider initiated single sign-on checkbox and provide Target URL in BASE64 encoded string (in my case I used H5 tenant endpoint URL: https://vcloud.fojta.com/tenant/ibm which base64 encoded translates to: aHR0cHM6Ly92Y2xvdWQuZm9qdGEuY29tL3RlbmFudC9pYm0
– Service Provider SSO URL (same as Assertion Consumer Service URL)
– check Sign authentication response and pick Signature Althorithm RSA_SHA256
– check Validate SAML request signature and pick the certificate from step #1
– optionally check Encrypt assertion
– Name Identifier: preferred_username
– NameID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
During the last weekend my vCloud Director lab died. And the reason was PostgreSQL DB filled up all the disk space. How could that happen in my small lab with one running vApp?
PostgreSQL database when updating rows actually creates new ones and does not immediately delete the (now dead) old rows. That is done in a separate process called vacuuming.
vCloud Director has one pretty busy table named activity_parameters that is continuously updated. And as you can see from the below screenshot (as reported by pgAdmin table statistics) the table size is 26 MB but it is actually taking 24 GB of hard disk space due to the dead rows.
Another quick way to check DB size via psql CLI is:
Vacuuming takes times and therefore it can be tuned in postgresql.conf via a few parameters which VMware documents specifically for vCloud Director here or here. Make sure you apply them (I did not). Another issue that could prevent vacuuming to happen is a stale long running transaction on the table.
short term: add more disk space
long term: make sure postgresql.conf is properly configured autovacuum = on track_counts = on autovacuum_max_workers = 3 autovacuum_naptime = 1min autovacuum_vacuum_cost_limit = 2400
manually vacuum the activity_parameters table with the following psql CLI command: VACUUM VERBOSE ANALYSE activity_parameters;
And do not forget to monitor free disk space on your PostgreSQL host.
The reference table below summarizes how different vCloud Director Org VDC allocation types consume vSphere resources. In other words: how a choice of allocation model for a particular Org VDC and its parameters (allocation, guarantees, quota, vCPU speed) translate to resource pool and VM resource settings (CPU/RAM) – reservations and limits.
valid for vCloud Director 9.5 and older (down to 5.5)
RP … resource pool
Elastic … Org VDC can be divided across multiple RPs across clusters
Although there are currently only three Org VDC allocation types the Allocation Pool can be elastic or non-elastic based on vCloud Director instance wide setting in General Settings
vCloud Director version 9.5 is the first release to provide networking IPv6 support. In this article I want to go into little bit more detail on the level of IPv6 functionality than was in my What’s New in vCloud Director 9.5 post.
IPv6 functionality is mostly driven by the underlying networking platform support which is provided by NSX. The level of IPv6 support in NSX-V is changing from release to release (for example NAT64 feature was introduced in NSX version 6.4). Therefore my feature list assumes the latest NSX 6.4.4 is used.
Additionally it should be noted that vCloud Director 9.5 also supports in very limited way NSX-T. Currently no Layer 3 functionality is supported for NSX-T based Org VDC networks which are imported based on pre-existing logical switches as isolated networks with IPv4 only subnets.
Here is the feature list (vCloud Director 188.8.131.52 and NSX 6.4.4).
Create External network with IPv6 subnet (provider only). Note: mixing of IPv4 and IPv6 subnets is supported.
Create Org VDC network with IPv6 subnet (direct or routed). Note: distributed Org VDC networks are not supported with IPv6
Use vCloud Director IPAM (static/manual IPv6 assignments via guest customization)
IPv6 (static only) routing via Org VDC Edge Gateway
IPv6 firewall rules on Org VDC Edge Gateway or Org VDC Distributed Firewall via IP Sets
NAT 64 (IPv6-to-IPv4) on Org VDC Edge Gateway
Load balancing on Org VDC Edge Gateway: IPv6 VIP and/or IPv6 pool members