Using the vRSLCM API to Deploy vRealize Automation (Standard Deployment)



vRSLCM API vRA

Published on 25 August 2022 by Christopher Lewis. Words: 2054. Reading Time: 10 mins.

In this post, we will look at how we can use the VMware vRealize Suite Lifecycle Manager (vRSLCM) API to deploy vRealize Automation (vRA) in a Standard (single node) deployment configuration into an existing deployment of vRSLCM that has already been configured with a Global Environment that includes VMware Identity Manager (VIDM).

We are going to be using cURL to complete API calls to complete the following operational tasks:

  • Create an SSL Certificate for vRealize Automation
  • Download the vRealize Automation OVA from MyVMware (AKA Customer Connect).
  • Create a new Environment and deploy VMware vRealize Automation 8.6.x (Standard Deployment).

This post is a part of a series that covers how we can install, configure and manage the vRealize Suite using the vRSLCM API.

Note:
Typically, in a greenfield environment, we deploy vRA using the VMware vRealize Automation Easy Installer so that we deploy vRSLCM, VMware Identity Manager (VIDM) and vRA together. However, it is feasible that someone may already have a vRSLCM deployed with a Global Environment (globalenvironment) already configured if they have other vRealize Suite products deployed.

Prerequisites

The following prerequisites are required for this blog post:

Note:
Typically a Standard Deployment (single node) of VIDM is used in conjunction with a Standard Deployment (single node) of vRA. However we can also use the vRSLCM API to deploy a globalenvironment with a VIDM cluster, see Using the vRSLCM API to Create the Global Environment with VMware Identity Manager (Cluster Deployment) . This combination has not been tested as part of this blog series.

Walkthrough

Create an SSL Certificate for vRealize Automation

Overview

In this section we are going to use the vRSLCM API to create a self-signed certificate. Self-signed certificates can be easily generated and used during the installation of the vRealize Suite if no CA-signed certificate is available. If required, a CA-signed certificate can be generated and replace the self-signed certificate using vRSLCM.

API Request

The following REST API request is required:

  • Request Type: POST
  • Request URL: https://{vrslcm.fqdn}/lcm/locker/api/v2/certificates
  • Request Header(s):
    • Accept: application/json
    • Content-Type: application/json
    • Authorization: Basic {insert credential hash}
  • Request Body Values:
    • alias - the user friendly name for the certificate in the UI.
    • cN - the fqdn of the product, such as vra.thecloudxpert.local.
    • ip - (OPTIONAL) a list of IP addresses that should be included in the certificate.
    • host - a list of the fqdns of each host that should be included in the certificate.
    • oU - the Organizational Unit value for the SSL certitifcate.
    • size - the Key Length of the certificate, either 2048 or 4096.
    • o - the Organization value for the SSL certitifcate.
    • l - the Location value for the SSL certificate.
    • sT - the State value for the SSL certificate.
    • c - the Country Code value for the SSL certificate.

Note:
It is a strong recommendation not to include IP addresses in SSL Certificates unless strictly necessary because it removes the flexibility of easily changing IP addresses of appliances.

API Example

An example cURL command for this REST API is:

curl --location --request POST 'https://{vrslcm.fqdn}/lcm/locker/api/v2/certificates' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic {admin@local credential hash}' \
--data-raw '{
    "alias": "vRealize Automation",
    "cN": "vra.thecloudxpert.local",
    "ip": [],
    "host": [
        "vra.thecloudxpert.local"
        ],
    "oU": "thecloudxpert",
    "size": "2048",
    "o": "thecloudxpert",
    "l": "London",
    "sT": "United Kingdom",
    "c": "GB"
  }'

Note:
The –insecure flag is also required in the cURL command if you are using self-signed SSL certificates.

API Response

The response returned from a successful request (Status Code=200 OK) will be something like:

{
    "alias": "VMware vRealize Automation",
    "key": "{privateKey}",
    "certChain": "{chainCert}",
    "leafCert": "{leafCert}",
    "validations": [],
    "validity": {
        "period": "1 year, 11 months and 28 days",
        "expiresOn": "2024-05-28T11:40:48.000+0000",
        "issuedOn": "2022-05-29T11:40:48.000+0000",
        "healthy": true
    },
    "certInfo": {
        "subject": "CN=vra.thecloudxpert.local,OU=thecloudxpert,O=thecloudxpert,L=London,ST=United Kingdom,C=GB",
        "issuer": "CN=vRealize Suite Lifecycle Manager Locker CA,O=VMware,C=IN",
        "san": "DNS: vra.thecloudxpert.local",
        "algorithm": "SHA256WITHRSA",
        "keyAlgorithm": "RSA",
        "keyLength": 2048,
        "sha256": "{sha256 fingerprint}",
        "sha1": "{sha1 fingerprint}"
    }
}

For more information on Managing SSL Certificates in vRSLCM, see Using the vRealize Suite Lifecycle Manager (vRSLCM) API for vRSLCM Day 2 Operations - Managing SSL certificates .

Download the vRealize Automation OVA from MyVMware

Overview

In this section we are going to be using an API request to download the vRealize Automation installation Product Binaries (OVA) from My VMware (AKA Customer Connect) to the vRSLCM appliance.

POST API Request

The following REST API request is required:

  • Request Type: POST
  • Request URL: https://{vrslcm.fqdn}/lcm/lcops/api/v2/settings/my-vmware/product-binaries/download
  • Request Header(s):
    • Accept: application/json
    • Content-Type: application/json
    • Authorization: Basic {insert credential hash}
  • Request Body Values:
    • productId - The ID (or shortcode) for the specific product, in this instance we are going to be using vra.
    • producName - The Name for the specific product, in this instance we are going to be using VMware vRealize Automation.
    • productVersion - The supported Version of the product, in this instance we are going to be using 8.6.0.
    • productBinaryType - The Binary Type, in this instance we are going to be using Install.
    • productBinaryPath - This should be set to null when downloading from My VMware.
    • componentName - This should be set to null when downloading from My VMware.
    • mappingType - This should be set to null when downloading from My VMware.
    • requestId - This should be set to null as it is generated as part of the API request.
    • removeBinary - This should be set to null when downloading from My VMware.

API Example

An example cURL command for this REST API is:

curl --location --request POST 'https://{vrslcm.fqdn}/lcm/lcops/api/v2/settings/my-vmware/product-binaries/download' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic {admin@local credential hash}' \
--data-raw '[
    {
    "productId": "vra",
    "productVersion": "8.6.0",
    "productBinaryType": "Install",
    "productBinaryPath": null,
    "componentName": null,
    "mappingType": null,
    "productName": "VMware vRealize Automation",
    "requestId": null,
    "removeBinary": null
    }
]'

Note:
The –insecure flag is also required in the cURL command if you are using self-signed SSL certificates.

API Response

When submitting that request, a request is created and the API response should be a request ID for you to track. Something similar to:

{
    "requestId": "68ad91d7-8df5-4316-8a05-46d0875437dc"
}

Remeber we can track the progress of requests via the API too! Check out Using the vRealize Suite Lifecycle Manager (vRSLCM) API to track vRSLCM Requests for more information!

Create a new Environment and deploy VMware vRealize Automation 8.6.x (Standard Deployment)

Overview

We are going use API calls to create a new vRSLCM Environment and deploy vRealize Automation in a standard deployment (single node) configuration. As we can see there is a lot of information required within the REST API body. This is because we are, essentially, creating an answer file for the deployment wizard we would be stepping through if we did this via the UI.

API Request

The following REST API request is required:

  • Request Type: POST
  • Request URL: https://{vrslcm.fqdn}/lcm/lcops/api/v2/environments
  • Request Header(s):
    • Accept: application/json
    • Content-Type: application/json
    • Authorization: Basic {admin@local credential hash}
  • Request Body Values:
    • environmentName - the friendly name of the environment when seen in the vRSLCM UI.
    • Infrastructure:
      • Properties:
        • dataCenterVmid - the target datacenter vmid in vRSLCM, see Using the vRealize Suite Lifecycle Manager (vRSLCM) API for vRSLCM Day 2 Operations - Managing Datacenters
        • vCenterName - the user friendly name of the vCenter Server.
        • vCenterHost - the FQDN of the vcenter server.
        • vcUsername - the vCenter username that has been assigned a role with sufficient priviliges in vCenter Server.
        • vcPassword - the password for the vCenter username. This can be specified as a credential stored in vRSLCM locker (using the format locker:password:{vmid}:{alias}) OR as a plain text password).
        • acceptEULA - a boolean value to accept the EULA.
        • enableTelemetry - a boolean value to accept / deny the Customer Experience Improvement Program (CEIP).
        • defaultPassword - the default password for the deployment. This can be specified as a credential stored in vRSLCM locker (using the format locker:password:{vmid}:{alias}) OR as a plain text password).
        • certificate - the default password for the deployment. This can be specified as a certificate stored in vRSLCM locker (using the format locker:certificate:{vmid}:{alias}).
        • cluster - the datacenter & cluster where the appliances will be installed (using the format {datacenter}#{cluster}).
        • storage - the name of the target datastore.
        • diskMode - The decision on wether to provision using thick or thin disks.
        • network - The name of the virtual switch port group for the network interface.
        • dns - A comma delimited list of DNS server IP Addresses.
        • domain - The DNS Domain for the virtual machine.
        • gateway - The IPv4 Gateway address for the vIDM network interface.
        • netmask The IPv4 Subnet Mask (such as 255.255.255.0).
        • searchpath - A comma separated list of the DNS Search domains.
        • timeSyncMode - This is either host or ntp. If we choose ntp then we also need to provide the FQDN or IPv4 address of the NTP servers in the ntp key/value pair.
    • Products:
      • id - The short code for the vRealize Suite product being installed. In this instance we are using vra.
      • version - The version of the vRealize Suite product being installed. In this instance we are using 8.6.0 but it could be anything upto the latest version depending on what is supported in the vRSLCM we are running.
      • Properties:
        • certificate - The default password for the deployment. This can be specified as a certificatestored in vRSLCM locker (using the format locker:certificate:{vmid}:{alias}).
        • productPassword - The default password for VRA. This can be specified as a credential stored in vRSLCM locker (using the format locker:password:{vmid}:{alias}) OR as a plain text password).
        • nodeSize - The size of the VIDM node(s) to be deployed. This is a value of medium or xlarge. A value of large is recommended for vRealize Automation deployments.
        • fipsMode - A boolean value on whether Federal Information Processing Standard (FIPS) should be enabled. Once enabled this cannot be disabled.
        • timeSyncMode - This is either host or ntp. If we choose ntp then we also need to provide the FQDN or IPv4 address of the NTP servers in the ntp key/value pair.
        • ntp - Assuming the timeSyncMode is set to ntp, this is the ip address/FQDN of the ntp servers.
        • licenseRef - The vRSLCM locker reference for the product license (using the format locker:license:{vmid}:{alias}).
      • Cluster VIP:
        • Not required in a standard deployment.
      • Nodes:
        • nodeType - In a standard deployment the first node is always of node type vrava-primary.
        • Properties:
          • vmName - The friendly name for the vRA appliance in vCenter Server.
          • hostName - The fqdn of the vRA deployment.
          • ip - The IPv4 address of the vRA appliance.

API Example

An example cURL command for this REST API is:

curl --location --request POST 'https://{vrslcm.fqdn}/lcm/lcops/api/v2/environments' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic {admin@local credential hash}'
--data-raw '{
  "environmentId": "",
  "environmentName": "Production",
  "infrastructure": {
    "properties": {
      "dataCenterVmid": "{dataCenterVmid}",
      "regionName": "",
      "zoneName": "",
      "vCenterName": "vcs01",
      "vCenterHost": "vcs01.thecloudxpert.local",
      "vcUsername": "{vcUsername}",
      "vcPassword": "{vcPassword}",
      "acceptEULA": "true",
      "enableTelemetry": "false",
      "defaultPassword": "locker:password:{vmid}:{alias}",
      "certificate": "locker:certificate:{vmid}:{alias}",
      "cluster": "{datacenter}#{cluster}",
      "storage": "{vcDatastore}",
      "folderName": "",
      "resourcePool": "",
      "diskMode": "thin",
      "network": "{network}",
      "masterVidmEnabled": "false",
      "dns": "{dnsServer1},{dnsServer2}",
      "domain": "thecloudxpert.local",
      "gateway": "{ipv4Gateway}",
      "netmask": "255.255.255.0",
      "searchpath": "thecloudxpert.local",
      "timeSyncMode": "ntp",
      "ntp": "{ntpServer1},{ntpServer2}",
      "isDhcp": "false"
    }
  },
  "products": [
    {
      "id": "vra",
      "version": "8.6.0",
      "properties": {
        "certificate": "locker:certificate:{vmid}:{alias}",
        "contentLibraryItemId": "",
        "productPassword": "locker:password:{vmid}:{alias}",
        "nodeSize": "medium",
        "vraK8ServiceCidr": "",
        "vraK8ClusterCidr": "",
        "fipsMode": "false",
        "ntp": "{ntpServer1},{ntpServer2}",
        "timeSyncMode": "ntp",
        "licenseRef": "locker:license:{vmid}:{alias}"
      },
      "clusterVIP": {
        "clusterVips": []
      },
      "nodes": [
        {
          "type": "vrava-primary",
          "properties": {
            "vmName": "vra",
            "hostName": "vra.thecloudxpert.local",
            "ip": "{vmIpv4Address}"
          }
        }
      ]
    }
  ]
}'

Note:
Remember, the –insecure flag is also required in the cURL command if you are using self-signed SSL certificates.

API Response

When submitting a successful request (Status Code = 200 OK), you should receive a response that shows the request id:

{
    "requestId": "74b67c6a-fca7-4538-8a63-5326d8226d33"
}

We can track the progress of vRSLCM requests via the API. Check out Using the vRealize Suite Lifecycle Manager (vRSLCM) API to track vRSLCM Requests for more information.

Once the state of the vRSLCM request is COMPLETED then we have finished.

Wrapping It All Up!

In this post we used the vRSLCM API to create a new vRSLCM environment and deploy vRA 8.6 in a standard deployment topology (aka single node). In doing this, we also created a self-signed certificate for vRA and also downloaded the required vRA install binaries.

If this API this snippet has been helpful, make sure you checkout the rest of the series !

Published on 25 August 2022 by Christopher Lewis. Words: 2054. Reading Time: 10 mins.