VMware vRealize Suite Lifecycle Manager – The tale of SSO and RBAC

Introduction

Recently I was asked to deliver a solution for VMware vRealize Suite Lifecycle Manager (vRSLCM) 1.2 for a customer to support their requirement for content management between VMware vRealize Automation 7.3.1 environments.

The reason we decided to use vRSLCM rather than VMware vRealize CodeStream Management Pack for IT DevOps (AKA Houdini) was that we wanted to future-proof the solution.  If you didn’t know, from VMware vRealize Automation 7.4 onward, the Houdini functionality has been deprecated and is not supported.

This definitely wasn’t as easy as it should have been and so I wanted to share some of the issues I came up against when configuring vRSLCM with VMware Identity Manager (VIDM).

What is VMware vRSLCM?

If you don’t know what vRSLCM is, it’s a new lifecycle management product from VMware that is bundled with the VMware vRealize Suite license.  The product has two main functions:

  1. Environment Lifecycle Management – manage the deployment/upgrade of vRealize Suite Components (vRealize Automation, vRealize Log Insight, vRealize Operations and vRealize Network Insight)
  2. Content Lifecycle Management – manage (capture & release) content (such as blueprints, workflows, dashboards and templates) within and between deployments (including version control with GitLab).

What is VIDM?

VMware Identity Manager is VMware’s Single Sign-On (SSO) solution that normally comes as part of the VMware Horizon View or Workspace ONE solution.  VIDM essentially enables one or more sets of users (directories) to log into a portal and access published applications that they have been allocated.  When they open the application, the user information is sent to the application meaning the user only has to sign on once.

For more information see VMware’s Documentation Site.

Why do you need VIDM with vRSLCM?

Without VIDM you can only log into vRSLCM with the in-built admin account (admin@localhost) or via SSH using root.  Currently, there is no native capability within vRSLCM to support/enable Single Sign-On (SSO) with any type of Directory Service (such as Active Directory) or to configure Role Based Access Control (RBAC) to assign different users or groups different access levels.

There are 4 roles that can be configured within vRSLCM:

  • LCM Admin
  • LCM Cloud Admin
  • Release Manager – responsible for reviewing and approving requests.
  • Content Developer – responsible for creating content.

Issues

I eventually got everything configured but this wasn’t without raising a PR or two.  In most cases, the issue has been resolved at a newer version which we were not able to deploy due to constraints around the project.

Below are the top 4 issues I encountered in my interactions with vRSLCM so far:

Issue #1 – vIDM Safeguard – AD Group Limit

During the first attempt at configuring VIDM via vRSLCM, we hit the following error in vRSLCM:

LCMVIDM70010: Failed to configure AD on vIDM

Error

com.vmware.vrealize.lcm.common.exception.LcmException: Failed to add group DN to directory, on vIDMServer{host=<vrslcm.server> tenant=null}: {"errors":[{"code":"message.mappedGroupsLimitReached","message":"The number of groups found exceeds the threshold of 1000. Refine your search to select fewer groups at one time.","parameters":{"response":"The number of groups found exceeds the threshold of 1000. Refine your search to select fewer groups at one time."}}]}

Whether deploying vIDM independently or through vRSLCM, when you configure the AD over LDAP connection from within vRSLCM you need to ensure that the number of AD groups in the target group OU is less than 1000, because a vIDM safeguard (the mappedGroupsLimitReached error above) will otherwise cause the configuration task to fail.

Issue #2 – vIDM User Attributes cause synchronisation issues

By default, vIDM will only synchronise AD accounts that have the username, first name, last name and email address attributes set.

If you choose to deploy VIDM through vRSLCM, this default configuration cannot be changed until VIDM has been deployed and the vRSLCM Active Directory configuration request has failed.  Once the request has failed, VIDM will (in my experience) already be deployed, so you can log in and change which User Attributes are required.

Once this has been completed you need to synchronise the Directory to ensure all accounts have been synchronized.

You can then Retry the Active Directory configuration in vRSLCM and it should complete successfully (if there are no other issues!).
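Both Issue #1 (the 1000-group safeguard) and Issue #2 (accounts skipped for missing attributes) can be caught before the vRSLCM Active Directory request is submitted, which saves a failed request and a retry. The following pre-flight script is an added example and is not part of the original post or of any VMware tooling. It assumes the ActiveDirectory RSAT module is available, that the account running it can read the domain, that the two OU paths are placeholders you replace with your own, and that vIDM is using its default AD over LDAP attribute mapping (userName, firstName, lastName and email mapped to sAMAccountName, givenName, sn and mail respectively).

```powershell
#Requires -Modules ActiveDirectory
# Added pre-flight check for the two vIDM sync constraints described above.
# Not from the original post; OU paths are placeholders.
param(
    [string]$GroupOU    = 'OU=vRSLCM-Groups,DC=example,DC=local',  # placeholder
    [string]$UserOU     = 'OU=vRSLCM-Users,DC=example,DC=local',   # placeholder
    [int]   $GroupLimit = 1000                                     # vIDM safeguard threshold
)

Import-Module ActiveDirectory

# Check 1 (Issue #1): count the groups under the OU that vRSLCM will hand to vIDM.
# The whole subtree is counted, which is the conservative reading of
# "groups in the target Group OU" (assumption: vIDM's search is not limited to one level).
$groups     = Get-ADGroup -Filter * -SearchBase $GroupOU -SearchScope Subtree
$groupCount = @($groups).Count
if ($groupCount -ge $GroupLimit) {
    $msg = '{0} groups found under {1}; vIDM rejects {2} or more. Point vRSLCM at a narrower OU.' -f $groupCount, $GroupOU, $GroupLimit
    Write-Warning $msg
} else {
    Write-Host "OK: $groupCount groups under $GroupOU (limit $GroupLimit)"
}

# Check 2 (Issue #2): list users missing any attribute that vIDM requires by default.
# Left column is the vIDM attribute name, right column the LDAP attribute it maps to (assumed default mapping).
$required = [ordered]@{
    userName  = 'sAMAccountName'
    firstName = 'givenName'
    lastName  = 'sn'
    email     = 'mail'
}
$users = Get-ADUser -Filter * -SearchBase $UserOU -SearchScope Subtree -Properties givenName, sn, mail

$incomplete = foreach ($u in $users) {
    $missing = foreach ($entry in $required.GetEnumerator()) {
        if ([string]::IsNullOrWhiteSpace($u.($entry.Value))) {
            '{0} ({1})' -f $entry.Key, $entry.Value
        }
    }
    if ($missing) {
        [pscustomobject]@{
            SamAccountName    = $u.SamAccountName
            DistinguishedName = $u.DistinguishedName
            MissingAttributes = ($missing -join ', ')
        }
    }
}

if ($incomplete) {
    Write-Warning ("{0} of {1} users will be skipped by the vIDM sync until these attributes are populated:" -f @($incomplete).Count, @($users).Count)
    $incomplete | Format-Table -AutoSize
} else {
    Write-Host "OK: all $(@($users).Count) users under $UserOU have the four required attributes"
}
```

Run it as a domain user with read access before raising the vRSLCM request; fix the group scope or populate the listed attributes (or relax the required attributes in vIDM once it is deployed, as described above), then run it again until both checks report OK.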

Issue #3 – Active Directory configuration synchronization with vIDM

When configuring the AD over LDAP connection from within vRSLCM, once the configuration has completed successfully there is no way to change it from within vRSLCM.  The configuration CAN be changed in vIDM, but those changes will not be reflected back into vRSLCM, which can complicate diagnosing any issues with the groups/users synchronised.  Therefore, just remember that once configuration is completed, vIDM is the single source of truth for the AD over LDAP configuration.

Note: From within vRSLCM, you can update the password for the admin account used to synchronise the AD settings.

Issue #4 – You cannot remove Roles from Users/Groups (vRSLCM v1.2)

When deploying vRSLCM 1.2 and configuring SSO and RBAC with vIDM, once you have assigned a role to a synchronised user/group, you cannot remove that assignment.  This is fixed in version 1.3.  The reason I feel it is worth highlighting is that the latest VMware Validated Design (4.3) deploys vRSLCM 1.2 (which is currently an N-2 version).  However, it is also important to note that the implementation within VVD is for Environment Lifecycle Management, not Content Lifecycle Management.

Conclusion

For me, vRSLCM is a welcome addition to the VMware vRealize Suite Cloud Management platform.

However, I find the implementation and integration of RBAC and VIDM a little clunky.  I was surprised to discover there was no internal SSO solution.  I am also surprised that when you use VIDM & vRSLCM together, you have to log into VIDM to get access to vRSLCM.

If you’re deploying any components of the vRealize Suite, make sure you check out vRSLCM.