Using the vRSLCM API to Deploy vRealize Automation SaltStack Config (Single Node)


vRSLCM API vRA-SSC

Published on 5 January 2023 by Christopher Lewis. Words: 3220. Reading Time: 16 mins.

In this post, we will look at how we can use the VMware vRealize Suite Lifecycle Manager (vRSLCM) API to deploy vRealize Automation SaltStack Config (vRASSC) in a single node deployment configuration into both a new and an existing vRSLCM environment.

We are going to be using API calls to complete the following operational tasks:

  • Create an SSL Certificate for vRealize Automation SaltStack.
  • Download the vRealize Automation SaltStack Config OVA from MyVMware (AKA VMware Customer Connect).
  • Create a new Environment and deploy VMware vRealize Automation SaltStack Config (single node).
  • Add VMware vRealize Automation SaltStack Config to an existing vRSLCM Environment.

This post is a part of a series that covers how we can install, configure and manage the vRealize Suite using the vRSLCM API.

Prerequisites

The following prerequisites are required for this blog post:

  • vRSLCM 8.6.x (or above) has been deployed successfully within the environment.
  • vRSLCM local administrator (admin@local) credentials.
  • The Global Environment (globalenvironment) has been configured within vRSLCM - see Using the vRSLCM API to Create the Global Environment with VMware Identity Manager (Cluster Deployment).
  • The license for vRealize Automation SaltStack Config (vRASSC) (or vRealize Automation Standard Plus) has been configured within vRSLCM.
  • All forward and reverse DNS entries for vROps appliances have been configured.

Walkthrough

Create an SSL Certificate for vRealize Automation SaltStack Config

Overview

In this section we are going to use the vRSLCM API to create a self-signed certificate for the vRASSC single-node deployment. Self-signed certificates can be easily generated and used during the installation of the vRealize Suite components if no CA-signed certificate is available. If required, a CA-signed certificate can be generated post-deployment and used to replace the self-signed certificate using vRSLCM.

API Request

The following REST API request is required:

  • Request Type: POST
  • Request URL: https://{vrslcm.fqdn}/lcm/locker/api/v2/certificates
  • Request Header(s):
    • Accept: application/json
    • Content-Type: application/json
    • Authorization: Basic {insert credential hash}
  • Request Body Values:
    • alias - the user friendly name for the certificate in the UI.
    • cN - the FQDN of the VIP, such as vrops.thecloudxpert.local.
    • ip - (OPTIONAL) a list of IP addresses that should be included in the certificate.
    • host - a list of the FQDNs of each host that should be included in the certificate.
    • oU - the Organizational Unit value for the SSL certificate.
    • size - the Key Length of the certificate, either 2048 or 4096.
    • o - the Organization value for the SSL certificate.
    • l - the Location value for the SSL certificate.
    • sT - the State value for the SSL certificate.
    • c - the Country Code value for the SSL certificate.

Note:
It is a strong recommendation not to include IP addresses in SSL Certificates unless strictly necessary because it removes the flexibility of easily changing IP addresses of appliances.

API Example

An example cURL command for this REST API is:

curl --location --request POST 'https://{vrslcm.fqdn}/lcm/locker/api/v2/certificates' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic {admin@local credential hash}' \
--data-raw '{
    "alias": "vRealize Automation SaltStack Config",
    "cN": "ssc.thecloudxpert.local",
    "ip": [],
    "host": [
        "ssc.thecloudxpert.local"
        ],
    "oU": "thecloudxpert",
    "size": "2048",
    "o": "thecloudxpert",
    "l": "London",
    "sT": "United Kingdom",
    "c": "GB"
  }'

Note:
The --insecure flag is also required in the cURL command if you are using self-signed SSL certificates.

API Response

The response returned from a successful request (Status Code=200 OK) will be something like:

{
    "alias": "vRealize Automation SaltStack Config",
    "key": "{privateKey}",
    "certChain": "{chainCert}",
    "leafCert": "{leafCert}",
    "validations": [],
    "validity": {
        "period": "1 year, 11 months and 28 days",
        "expiresOn": "2024-05-28T11:40:48.000+0000",
        "issuedOn": "2022-05-29T11:40:48.000+0000",
        "healthy": true
    },
    "certInfo": {
        "subject": "CN=ssc.thecloudxpert.local,OU=thecloudxpert,O=thecloudxpert,L=London,ST=United Kingdom,C=GB",
        "issuer": "CN=vRealize Suite Lifecycle Manager Locker CA,O=VMware,C=IN",
        "san": "DNS: ssc.thecloudxpert.local",
        "algorithm": "SHA256WITHRSA",
        "keyAlgorithm": "RSA",
        "keyLength": 2048,
        "sha256": "{sha256 fingerprint}",
        "sha1": "{sha1 fingerprint}"
    }
}

For more information on Managing SSL Certificates in vRSLCM, see Using the vRealize Suite Lifecycle Manager (vRSLCM) API for vRSLCM Day 2 Operations - Managing SSL certificates .
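
The response above includes the private key in the "key" field, so it should be checked and redacted before it is logged or stored. The following Python sketch is an added example, not code from the original post: it verifies the certInfo and validity fields shown above and returns a copy of the response that is safe to log. The function name, the sample data and the comma-separated handling of several SAN entries are assumptions of this example.

```python
import copy


def review_cert_response(resp, expected_hosts, min_key_length=2048):
    """Check a certificate response and return (issues, redacted_copy)."""
    info = resp.get("certInfo", {})
    issues = []

    # The post shows "san" as "DNS: <fqdn>"; splitting several entries on
    # commas is an assumption of this example.
    sans = set()
    for entry in info.get("san", "").split(","):
        kind, _, name = entry.partition(":")
        if kind.strip().upper() == "DNS" and name.strip():
            sans.add(name.strip().lower())
    for host in expected_hosts:
        if host.lower() not in sans:
            issues.append(f"SAN does not cover {host}")

    # Key length and health flag as reported by vRSLCM in the response.
    if info.get("keyLength", 0) < min_key_length:
        issues.append(f"key length {info.get('keyLength')} is below {min_key_length}")
    if not resp.get("validity", {}).get("healthy", False):
        issues.append("validity.healthy is not true")

    # The response carries the private key in "key"; never write it to logs.
    redacted = copy.deepcopy(resp)
    if "key" in redacted:
        redacted["key"] = "<redacted>"
    return issues, redacted


# Constructed sample, shaped like the response shown in the post.
SAMPLE_RESPONSE = {
    "alias": "vRealize Automation SaltStack Config",
    "key": "constructed-private-key-material",
    "validity": {"healthy": True},
    "certInfo": {
        "san": "DNS: ssc.thecloudxpert.local",
        "algorithm": "SHA256WITHRSA",
        "keyAlgorithm": "RSA",
        "keyLength": 2048,
    },
}

if __name__ == "__main__":
    found, safe = review_cert_response(SAMPLE_RESPONSE, ["ssc.thecloudxpert.local"])
    print(found)
    print(safe["key"])
```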

Download the vRealize Automation SaltStack Config OVA from MyVMware (AKA VMware Customer Connect)

Overview

In this section we are going to be using an API request to download the vRealize Automation SaltStack Config installation Product Binaries (OVA) from My VMware (AKA VMware Customer Connect) to the vRSLCM appliance.

POST API Request

The following REST API request is required:

  • Request Type: POST
  • Request URL: https://{vrslcm.fqdn}/lcm/lcops/api/v2/settings/my-vmware/product-binaries/download
  • Request Header(s):
    • Accept: application/json
    • Content-Type: application/json
    • Authorization: Basic {insert credential hash}
  • Request Body Values:
    • productId - The ID (or shortcode) for the specific product, in this instance we are going to be using vssc.
    • productName - The Name for the specific product, in this instance we are going to be using vRealize Automation SaltStack Config.
    • productVersion - The supported Version of the product, in this instance we are going to be using 8.6.0.
    • productBinaryType - The Binary Type, in this instance we are going to be using Install.
    • productBinaryPath - This should be set to null when downloading from My VMware.
    • componentName - This should be set to null when downloading from My VMware.
    • mappingType - This should be set to null when downloading from My VMware.
    • requestId - This should be set to null as it is generated as part of the API request.
    • removeBinary - This should be set to null when downloading from My VMware.

API Example

An example cURL command for this REST API is:

curl --location --request POST 'https://{vrslcm.fqdn}/lcm/lcops/api/v2/settings/my-vmware/product-binaries/download' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic {admin@local credential hash}' \
--data-raw '[
    {
    "productId": "vssc",
    "productVersion": "8.6.0",
    "productBinaryType": "Install",
    "productBinaryPath": null,
    "componentName": null,
    "mappingType": null,
    "productName": "vRealize Automation SaltStack Config",
    "requestId": null,
    "removeBinary": null
    }
]'

Note:
The --insecure flag is also required in the cURL command if you are using self-signed SSL certificates.

API Response

When submitting that request, a request is created and the API response should be a request ID for you to track. Something similar to:

{
    "requestId": "68ad91d7-8df5-4316-8a05-46d0875437dc"
}

Remember we can track the progress of requests via the API too! Check out Using the vRealize Suite Lifecycle Manager (vRSLCM) API to track vRSLCM Requests for more information!

Create a new Environment and deploy VMware Automation SaltStack Config (Standalone Deployment)

Overview

We are going to use API calls to create a new vRSLCM Environment (called Production vROps) and deploy vRealize Operations in a standard deployment (single node) configuration. As we can see, there is a lot of information required within the REST API body. This is because we are, essentially, creating an answer file for the deployment wizard we would be stepping through if we did this via the UI.

API Request

The following REST API request is required:

  • Request Type: POST
  • Request URL: https://{vrslcm.fqdn}/lcm/lcops/api/v2/environments
  • Request Header(s):
    • Accept: application/json
    • Content-Type: application/json
    • Authorization: Basic {admin@local credential hash}
  • Request Body Values:
    • environmentName - the friendly name of the environment when seen in the vRSLCM UI.
    • Infrastructure:
      • Properties:
        • dataCenterVmid - the target datacenter vmid in vRSLCM, see Using the vRealize Suite Lifecycle Manager (vRSLCM) API for vRSLCM Day 2 Operations - Managing Datacenters
        • vCenterName - the user friendly name of the vCenter Server.
        • vCenterHost - the FQDN of the vcenter server.
        • vcUsername - the vCenter username that has been assigned a role with sufficient privileges in vCenter Server.
        • vcPassword - the password for the vCenter username. This can be specified as a credential stored in vRSLCM locker (using the format locker:password:{vmid}:{alias}) OR as a plain text password.
        • acceptEULA - a boolean value to accept the EULA.
        • enableTelemetry - a boolean value to accept / deny the Customer Experience Improvement Program (CEIP).
        • defaultPassword - the default password for the deployment. This can be specified as a credential stored in vRSLCM locker (using the format locker:password:{vmid}:{alias}) OR as a plain text password.
        • certificate - the default password for the deployment. This can be specified as a certificate stored in vRSLCM locker (using the format locker:certificate:{vmid}:{alias}).
        • cluster - the datacenter & cluster where the appliances will be installed (using the format {datacenter}#{cluster}).
        • storage - the name of the target datastore.
        • diskMode - The decision on whether to provision using thick or thin disks.
        • network - The name of the virtual switch port group for the network interface.
        • dns - A comma delimited list of DNS server IP Addresses.
        • domain - The DNS Domain for the virtual machine.
        • gateway - The IPv4 Gateway address for the vIDM network interface.
        • netmask - The IPv4 Subnet Mask (such as 255.255.255.0).
        • searchpath - A comma separated list of the DNS Search domains.
        • timeSyncMode - This is either host or ntp. If we choose ntp then we also need to provide the FQDN or IPv4 address of the NTP servers in the ntp key/value pair.
    • Products:
      • id - The short code for the vRealize Suite product being installed. In this instance we are using vssc.
      • version - The version of the vRealize Suite product being installed. In this instance we are using 8.6.0 but it could be anything up to the latest version depending on what is supported in the vRSLCM we are running.
      • Properties:
        • certificate - The default password for the deployment. This can be specified as a certificate stored in vRSLCM locker (using the format locker:certificate:{vmid}:{alias}).
        • productPassword - The default password for VRA. This can be specified as a credential stored in vRSLCM locker (using the format locker:password:{vmid}:{alias}) OR as a plain text password.
        • tenantId - The tenant within vRealize Automation SaltStack Config - in this instance it is Standalone vRASSC.
        • licenseRef - The vRSLCM locker reference for the product license (using the format locker:license:{vmid}:{alias}).
        • fipsMode - A boolean value on whether Federal Information Processing Standard (FIPS) should be enabled. Once enabled this cannot be disabled.
        • timeSyncMode - This is either host or ntp. If we choose ntp then we also need to provide the FQDN or IPv4 address of the NTP servers in the ntp key/value pair.
        • ntp - Assuming the timeSyncMode is set to ntp, this is the ip address/FQDN of the ntp servers.
        • deployOption - The size of the VIDM node(s) to be deployed. We’re going to be using xsmall.
        • isCaEnabled - Is vRealize Operations being configured for Continuous Availability? No.
      • ClusterVIP:
        • Not required for this example.
      • Nodes:
        • type - In a single node deployment this is always of node type vssc-raas.
        • Properties:
          • vmName - The friendly name for the vRASSC appliance in vCenter Server.
          • hostName - The fqdn of the vRASSC appliance.
          • ip - The IPv4 address of the vRASSC appliance.
      • Collector Groups
        • Not required for this example.

API Example

An example cURL command for this REST API is:

curl --location --request POST 'https://{vrslcm.fqdn}/lcm/lcops/api/v2/environments' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic {admin@local credential hash}' \
--data-raw '{
  "environmentName": "Production SaltStack",
  "infrastructure": {
    "properties": {
      "dataCenterVmid": "{dataCenterVmid}",
      "regionName": "",
      "zoneName": "",
      "vCenterName": "{vcenter.name}",
      "vCenterHost": "{vcenter.fqdn}",
      "vcUsername": "{vcenter.username}",
      "vcPassword": "{vcenter.password}",
      "acceptEULA": "true",
      "enableTelemetry": "true",
      "defaultPassword": "locker:password:{default.password.vmid}:{default.password.alias}",
      "certificate": "locker:certificate:{ssc.cert.vmid}:{ssc.cert.alias}",
      "cluster": "{vcenter.datacenter}#{vcenter.cluster}",
      "storage": "vmNFS02",
      "folderName": "",
      "resourcePool": "",
      "diskMode": "thin",
      "network": "{network}",
      "masterVidmEnabled": "true",
      "dns": "{dnsServer1},{dnsServer2}",
      "domain": "thecloudxpert.local",
      "gateway": "{ipv4Gateway}",
      "netmask": "255.255.255.0",
      "searchpath": "thecloudxpert.local",
      "timeSyncMode": "ntp",
      "ntp": "{ntpServer1},{ntpServer2}",
      "isDhcp": "false"
    }
  },
  "products": [
    {
      "id": "vssc",
      "version": "8.6.0",
      "properties": {
        "certificate": "locker:certificate:{ssc.cert.vmid}:{ssc.cert.alias}",
        "productPassword": "locker:password:{default.password.vmid}:{default.password.alias}",
        "tenantId": "Standalone vRASSC",
        "licenseRef": "locker:license:{ssc.license.vmid}:{ssc.license.alias}",
        "fipsMode": "false",
        "contentLibraryItemId": "",
        "masterVidmEnabled": "false"
      },
      "patchHistory": null,
      "snapshotHistory": null,
      "logHistory": null,
      "clusterVIP": {
        "clusterVips": []
      },
      "nodes": [
        {
          "type": "vssc-raas",
          "properties": {
            "vmName": "ssc",
            "hostName": "ssc.thecloudxpert.local",
            "ip": "{Ipv4Address}"
          }
        }
      ],
      "collectorGroups": null
    }
  ]
}'

Note:
Remember, the --insecure flag is also required in the cURL command if you are using self-signed SSL certificates.

API Response

When submitting a successful request (Status Code = 200 OK), you should receive a response that shows the request id:

{
    "requestId": "39aed909-0525-4f1f-99f5-f74d8882aeed"
}

We can track the progress of vRSLCM requests via the API. Check out Using the vRealize Suite Lifecycle Manager (vRSLCM) API to track vRSLCM Requests for more information.

Note:
During the installation of vRASSC, the request failed because of error LCMVSSC10009. A quick google led me to KB84029 which resolved the issue and allowed the request to get past the failed stage.

Once the state of the vRSLCM request is COMPLETED then the installation of vRASSC will have finished.

Adding VMware vRealize Automation SaltStack Config to an existing vRSLCM Environment

Overview

We are going to use API calls to add a new deployment of vRealize Operations (standard deployment/single node) to an existing vRSLCM Environment (that has vRealize Automation (standard deployment/single node) already deployed into it). This is a subtly different API call to the previous API call we completed to create a vRSLCM environment and deploy vRASSC into it. As we can see, just like the previous API call to create a new environment, there is a lot of information required within the REST API body. This is because we are, essentially, creating an answer file for the deployment wizard we would be stepping through if we did this via the UI.

Note:
In the previous section we deployed a standalone vRASSC appliance. In this section we are deploying a vRA-integrated vRASSC appliance. We could, if desired, install a standalone vRASSC appliance into the Production vRSLCM environment, but as we already have vRA deployed it makes sense to integrate them.

API Request

The following REST API request is required:

  • Request Type: POST
  • Request URL: https://{vrslcm.fqdn}/lcm/lcops/api/v2/environments/{environmentId}/products
    • environmentId is the GUID used to represent the environment.
  • Request Header(s):
    • Accept: application/json
    • Content-Type: application/json
    • Authorization: Basic {admin@local credential hash}
  • Request Body Values:
    • environmentName - the friendly name of the environment when seen in the vRSLCM UI.
    • Infrastructure:
      • Properties:
        • dataCenterVmid - the target datacenter vmid in vRSLCM, see Using the vRealize Suite Lifecycle Manager (vRSLCM) API for vRSLCM Day 2 Operations - Managing Datacenters
        • vCenterName - the user friendly name of the vCenter Server.
        • vCenterHost - the FQDN of the vcenter server.
        • vcUsername - the vCenter username that has been assigned a role with sufficient privileges in vCenter Server.
        • vcPassword - the password for the vCenter username. This can be specified as a credential stored in vRSLCM locker (using the format locker:password:{vmid}:{alias}) OR as a plain text password.
        • acceptEULA - a boolean value to accept the EULA.
        • enableTelemetry - a boolean value to accept / deny the Customer Experience Improvement Program (CEIP).
        • defaultPassword - the default password for the deployment. This can be specified as a credential stored in vRSLCM locker (using the format locker:password:{vmid}:{alias}) OR as a plain text password.
        • certificate - the default password for the deployment. This can be specified as a certificate stored in vRSLCM locker (using the format locker:certificate:{vmid}:{alias}).
        • cluster - the datacenter & cluster where the appliances will be installed (using the format {datacenter}#{cluster}).
        • storage - the name of the target datastore.
        • diskMode - The decision on whether to provision using thick or thin disks.
        • network - The name of the virtual switch port group for the network interface.
        • dns - A comma delimited list of DNS server IP Addresses.
        • domain - The DNS Domain for the virtual machine.
        • gateway - The IPv4 Gateway address for the vIDM network interface.
        • netmask - The IPv4 Subnet Mask (such as 255.255.255.0).
        • searchpath - A comma separated list of the DNS Search domains.
        • timeSyncMode - This is either host or ntp. If we choose ntp then we also need to provide the FQDN or IPv4 address of the NTP servers in the ntp key/value pair.
    • Products:
      • id - The short code for the vRealize Suite product being installed. In this instance we are using vssc.
      • version - The version of the vRealize Suite product being installed. In this instance we are using 8.6.0.
      • Properties:
        • certificate - The default password for the deployment. This can be specified as a certificate stored in vRSLCM locker (using the format locker:certificate:{vmid}:{alias}).
        • productPassword - The default password for VRA. This can be specified as a credential stored in vRSLCM locker (using the format locker:password:{vmid}:{alias}) OR as a plain text password.
        • tenantId - The tenant within vRealize Automation that is to be integrated with - in this instance it is Standalone vRASSC.
        • licenseRef - The vRSLCM locker reference for the product license (using the format locker:license:{vmid}:{alias}).
        • fipsMode - A boolean value on whether Federal Information Processing Standard (FIPS) should be enabled. Once enabled this cannot be disabled.
        • timeSyncMode - This is either host or ntp. If we choose ntp then we also need to provide the FQDN or IPv4 address of the NTP servers in the ntp key/value pair.
        • ntp - Assuming the timeSyncMode is set to ntp, this is the ip address/FQDN of the ntp servers.
        • deployOption - The size of the VIDM node(s) to be deployed. We’re going to be using xsmall.
        • isCaEnabled - Is vRealize Operations being configured for Continuous Availability? No.
      • ClusterVIP:
        • Not required for this example.
      • Nodes:
        • type - In a single node deployment this is always of node type vssc-raas.
        • Properties:
          • vmName - The friendly name for the vRASSC appliance in vCenter Server.
          • hostName - The fqdn of the vRASSC appliance.
          • ip - The IPv4 address of the vRASSC appliance.
      • Collector Groups
        • Not required for this example.

Note:
As we are deploying a vRA-integrated instance of vRASSC, we need to specify the vRealize Suite / vRealize Automation license key and NOT the vRealize Automation SaltStack Config key.

API Example

An example cURL command for this REST API is:

curl --location --request POST 'https://{vrslcm.fqdn}/lcm/lcops/api/v2/environments/{environmentId}/products' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--header 'Authorization: Basic {admin@local credential hash}' \
--data-raw '{
  "environmentId": "{environmentId}",
  "environmentName": "Production",
  "infrastructure": {
    "properties": {
      "dataCenterVmid": "{dataCenterVmid}",
      "regionName": "",
      "zoneName": "",
      "vCenterName": "vcs01",
      "vCenterHost": "vcs01.thecloudxpert.local",
      "vcUsername": "{vcUsername}",
      "vcPassword": "{vcPassword}",
      "acceptEULA": "true",
      "enableTelemetry": "false",
      "defaultPassword": "locker:password:{vmid}:{alias}",
      "certificate": "locker:certificate:{vmid}:{alias}",
      "cluster": "{datacenter}#{cluster}",
      "storage": "{vcDatastore}",
      "folderName": "",
      "resourcePool": "",
      "diskMode": "thin",
      "network": "{network}",
      "masterVidmEnabled": "true",
      "dns": "{dnsServer1},{dnsServer2}",
      "domain": "thecloudxpert.local",
      "gateway": "{ipv4Gateway}",
      "netmask": "255.255.255.0",
      "searchpath": "thecloudxpert.local",
      "timeSyncMode": "ntp",
      "ntp": "{ntpServer1},{ntpServer2}",
      "isDhcp": "false"
    }
  },
  "products": [
    {
      "id": "vssc",
      "version": "8.6.0",
      "patchHistory": null,
      "snapshotHistory": null,
      "logHistory": null,
      "clusterVIP": {
        "clusterVips": []
      },
      "nodes": [
        {
          "type": "vssc-raas",
          "properties": {
            "vmName": "ssc",
            "hostName": "ssc.thecloudxpert.local",
            "ip": "172.16.50.160"
          }
        }
      ],
      "collectorGroups": null,
      "properties": {
        "certificate": "locker:certificate:{ssc.cert.vmid}:{ssc.cert.alias}",
        "productPassword": "locker:password:{default.password.vmid}:{default.password.alias}",
        "tenantId": "Standalone vRASSC",
        "licenseRef": "locker:license:{ssc.license.vmid}:{ssc.license.alias}",
        "fipsMode": "false",
        "contentLibraryItemId": "",
        "masterVidmEnabled": "false"
      }
    }
  ]
}'

Note:
Remember, the --insecure flag is also required in the cURL command if you are using self-signed SSL certificates.

API Response

When submitting a successful request (Status Code = 200 OK), you should receive a response that shows the request id:

{
    "requestId": "74b67c6a-fca7-4538-8a63-5326d8226d33"
}

We can track the progress of vRSLCM requests via the API. Check out Using the vRealize Suite Lifecycle Manager (vRSLCM) API to track vRSLCM Requests for more information.

Once the state of the vRSLCM request is COMPLETED then the installation of vRASSC will have finished.

Note:
During the installation of vRASSC, the request failed because of error LCMVSSC10009. A quick google led me to KB84029 which resolved the issue and allowed the request to get past the failed stage.

Assuming everything went successfully, vRASSC should now be installed into the existing Production vRSLCM environment alongside vRealize Automation!

Wrapping It All Up!

In this post we used the vRSLCM API to deploy vRASSC 8.6.0 in a standard (single node) deployment model. To enable us to do this, we created a self-signed SSL certificate and added the vROps OVA into vRSLCM so it could be used as a source of the deployment. When deploying vRASSCs, we looked at the two different ways to do this, either creating a new vRSLCM environment and deploying a standalone vRASSC appliance or adding a vRA-integrated vRASSC appliance to an existing vRSLCM environment.

If this API snippet has been helpful, make sure you check out the rest of the series!
