Building an advanced lab using VMware vRealize Automation – Part 9: Deploy and configure the IaaS platform

20150630 - vRAIn part 8 we installed and configured the vRealize Automation Appliance into the lab.

In this part we deploy and configure the IaaS platform.  This will involve building a Windows Server VM and installing the requisite components.  Once done, we will secure the platform with an SSL certificate from our Certificate Authority.

Other posts in this series

  1. Intro
  2. Physical infrastructure – storage
  3. Physical infrastructure – networking
  4. Physical infrastructure – compute
  5. Authentication services
  6. Deploy and configure the vCenter Server Appliance
  7. Configure vCenter Server Appliance SSL certificates
  8. Deploy and configure the vRA Appliance
  9. Deploy and configure the IaaS platform
  10. Configure tenants
  11. Configure endpoint & fabric/business groups
  12. onfigure blueprints (coming soon)
  13. Configure entitlements (coming soon)
  14. Configure policies (coming soon)
  15. Integration with vCloud Air (coming soon)
  16. Tidy up (coming soon)

Build the Iaas Server

Create the following script and save it as build_iaas.ps1:

# Variables

$vc = ""
$credential = Get-Credential
$cluster = "London_Lab"
$vmName = ""
$numCPU = "2"
$numMem = "4096"
$numDisk = "51200"
$ds = "iSCSI"
$vmdkFormat = "Thick"
$net = "London Management VMs"
$guestOS = "windows8Server64Guest"
$ver = "v10"
$iso = "en_windows_server_2012_r2_with_update_x64_dvd_4065220.iso"
$cdpath = "[$ds] $iso"

Connect-VIServer $vc -credential $credential

$myCluster = Get-Cluster -Name $cluster

#Create VM
New-VM -name $vmName -ResourcePool $myCluster -numcpu $numCPU -memoryMB $numMem -DiskMB $numDisk -datastore $ds -DiskStorageFormat $vmdkFormat -Network $net -guestID $guestOS -cd -Version $ver

# Set network adapter to VMXNET3
Get-NetworkAdapter -VM $vmName | Set-NetworkAdapter -Type vmxnet3 -Confirm:$false

# Add CD drive with ISO
Get-CDDrive -VM $vmName | Set-CDDrive -IsoPath $cdpath -StartConnected $true -Confirm:$false

Disconnect-VIServer $vc -confirm:$false

Open PowerCLI, set the execution policy and run the script:

Set-ExecutionPolicy Unrestricted

Install Windows Server 2012 R2 . Set the Administrator password, patch the OS and assign an IP address. For the LAN address I have used, with a subnet mask of

Domain Account

On the domain controller, create a service account for vRealize Automation using the following:

dsadd user cn=sa_vra_iaas,cn=users,dc=lab,dc=mdb-lab,dc=com -disabled no -pwd * -acctexpires never

Back on the IaaS server, add the user account to the local administrators group:

net localgroup Administrators /ADD

Windows Pre-requisites

Once the server has rebooted, login and download Brian Graf‘s vRealize Automation (vRA) 6.2 Pre-Req Automation Script and save as prereqs.ps1.  This can be found at

Run the script:

Set-ExecutionPolicy Unrestricted

This will install the necessary components to support an IaaS installation:

20150727 - 1

Press 2 then enter:

20150727 - 2

Press 2 and then enter:

20150727 - 3

Enter “LAB\sa_vra_iaas” (minus quotes) and press enter (substitute accordingly):

20150727 - 4

Press 2 and then enter:

20150727 - 5

The script has now finished.

IaaS Installer

Once the components have been installed, download the IaaS installer from the vRealize Automation Appliance.  Using PowerShell:

$url = ""
$path = "C:\Temp\"
(New-Object System.Net.WebClient).DownloadFile($url, $path)

Do not rename the saved file – the installer is very picky on what it is called.

Run the saved file:

20150727 - 6

Click Next >

20150727 - 7

Check the I accept the terms in the license agreement box and click Next >

20150727 - 8

Type root in the User name box and the password you set previously.  Check the box Accept certificate:

20150727 - 9

Click Next >

20150727 - 10

Click Next >

20150727 - 11

All tests should report as being satisfied.  If not, remediate as necessary.  Click Next >

20150727 - 12

Enter the domain account we created previously in the User name box, along with the password twice.  Type a passphrase in the box below, and again to confirm.

If you’re using an external SQL server, type the name of the server in the Server box along with the necessary credentials.  If you wish to use SQL Server Express then no further details are necessary.

20150727 - 13

Click Next >

20150727 - 14

Click Next >

20150727 - 15

Click Load and then click Download, followed by Accept Certificate:

20150727 - 16

Enter Administrator@vsphere.local in the User name box, along with the password twice.  Click Test:

20150727 - 17

Click the second Test button:

20150727 - 18

Click Next >

20150727 - 19

Click Install.

20150727 - 20

Click Next >

20150727 - 21

Untick the Guide me through the initial system configuration box  and then click Finish.

SSL Certificate

On your workstation/laptop, create the following configuration file and save as C:\Certs\iaas.cfg:

[ req ]
default_md = sha512
default_bits = 2048
default_keyfile = rui.key
distinguished_name = req_distinguished_name
encrypt_key = no
prompt = no
string_mask = nombstr
req_extensions = v3_req
input_password = VMware1!
output_password = VMware1!

[ v3_req ]
basicConstraints = CA:false
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:iaas, IP:, DNS:

[ req_distinguished_name ]
countryName = UK
stateOrProvinceName = London
localityName = London
0.organizationName = virtualhobbit
organizationalUnitName = VMware vRealize
commonName =

Create a certificate signing request:

C:\OpenSSL\bin\openssl req -new -nodes -out C:\Certs\iaas.csr -keyout C:\Certs\iaas-orig.key -config C:\Certs\iaas.cfg

Convert the private key to the appropriate RSA format required by the appliance:

C:\OpenSSL\bin\openssl rsa -in C:\Certs\iaas-orig.key -out C:\Certs\iaas.key

Submit the CSR to the Certificate Authority to generate the certificate:

certreq -submit -config "\ Issuing CA" -attrib "CertificateTemplate:VMwareSSL" C:\Certs\iaas.csr C:\Certs\iaas.crt

Create PFX file:

C:\OpenSSL\bin\openssl pkcs12 -export -in C:\Certs\iaas.crt -inkey C:\Certs\iaas.key -certfile C:\Certs\cachain.pem -name “rui” -passout pass:VMware1! -out C:\Certs\iaas.pfx

Copy the PFX file across to the IaaS server.  Import the certificate:

certutil -p VMware1! -importPFX iaas.pfx

Change the IIS bindings to use the new certificate. Using the following PowerShell code:

$thumb = (Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.FriendlyName -match "rui"}).Thumbprint
Import-Module WebAdministration
cd IIS:\SslBindings
Get-Item Cert:\LocalMachine\My\$thumb | Set-Item!443

Verify the new certificate is in place by opening a web browser and navigating to  You will receive a 401 error, but that can be ignored.

20150727 - 22

Navigate to the Cafe directory:

cd "C:\Program Files (x86)\VMware\vCAC\Server\Model Manager Data\Cafe"

Register the endpoint address:

Vcac-Config.exe RegisterEndpoint --EndpointAddress --Endpoint ui -v

Register the endpoint address for the Model Manager Web Server:

Vcac-Config.exe RegisterEndpoint --EndpointAddress --Endpoint repo -v

Register the endpoint address for the WAPI server:

Vcac-Config.exe RegisterEndpoint --EndpointAddress --Endpoint wapi -v

Register the address for the status endpoint:

Vcac-Config.exe RegisterEndpoint --EndpointAddress --Endpoint status -v

Restart the service:

sc stop "VMware vCloud Automation Center Service"
sc start "VMware vCloud Automation Center Service"

Coming up

In this part we installed and configured the vRealize Automation IaaS platform. We installed all the necessary pre-requisites before using the installer to configure the software. Finally we secured the platform with a proper SSL certificate.

In part 10 we configure the default tenant and create a new one for our lab users.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.