Configuring an external Orchestrator in vRA

vRA comes with an installed and configured Orchestrator. While VMware now recommends using the embedded vRO in production systems, this primarily applies to small-/medium-sized infrastructure deployments. In much larger enterprise deployments, it may be beneficial to use an external vRO cluster.

Another use case is when you require a different vRO for a given tenant.

Getting ready

Please make sure you read the introduction to vRA at the beginning of this chapter. We need a functional and configured vRA.

How to do it...

This recipe has three parts: first, we will configure the Orchestrator; then we will bind it to vRA; and finally, we will clean up the vRA appliance.

Tip

Changing between Orchestrators will result in losing all your endpoints that you have configured with Orchestrator.

Building and configuring an external Orchestrator

To attach an external Orchestrator, we first need an Orchestrator that we can connect to:

  1. Install the Orchestrator appliance (refer to the Deploying the Orchestrator appliance recipe in Chapter 1, Installing and Configuring Orchestrator).
  2. You may want to configure Orchestrator with an external DB (refer to the Configuring an external database recipe in Chapter 1, Installing and Configuring Orchestrator).
  3. Configure the appliance for vRealize Automation authentication (or vSphere, see the How it works... section); refer to the Configuring an external Authentication recipe in Chapter 1, Installing and Configuring Orchestrator.
  4. Tune the appliance by disabling LDAP and the local DB (refer to the Tuning the appliance recipe in Chapter 2, Optimizing Orchestrator Configuration).

If you want to build an Orchestrator cluster, you should check out Chapter 3, Distributed Design.

Configuring a general default external Orchestrator

To configure an external Orchestrator as a default for all tenants, follow these steps:

  1. Log in to the vRA default Tenant as a System Administrator, such as [email protected].
  2. Click on Administration | Advanced Service | Server Configuration and select Use an external Orchestrator server.
  3. Continue with the section Connecting the external Orchestrator.

Configuring an external Orchestrator for each Tenant

If you want to connect one specific Orchestrator for each Tenant, follow these steps:

  1. Log in to the vRA Tenant as an Infrastructure or Tenant admin.
  2. Click on Administration | vRO Configuration | Server Configuration and select Use an external Orchestrator server.
  3. Continue with the section Connecting the external Orchestrator.

Connecting the external Orchestrator

In this section, we will discuss the connection settings:

Perform the following steps:

  1. Enter a name and a description under which you would like to store this configuration.
  2. In the Host field, enter the FQDN or IP of the Orchestrator or the Orchestrator cluster.
  3. The default port is 8281.
  4. Choose either Single Sign-On or Basic authentication (see this section's How it works... for more details).
  5. Test the connection, and when successful, click on OK.
  6. After you click on OK, you may be notified that the existing endpoints will be deleted. These are the existing Orchestrator endpoints. Accept and then add new endpoints by following the recipe Adding an Orchestrator endpoint in this chapter.

How it works...

The vRA appliance has Orchestrator installed in it, the same way as in the Orchestrator appliance. The initial configuration of vRA is done to use the internal Orchestrator. VMware no longer recommends using Orchestrator as an external server or using an external DB. In fact, VMware now recommends using an embedded DB and an embedded vRO for production use.

Authentication

The two different methods of authentication are quite important:

  • Single Sign-on: This requires Orchestrator and vRA to be in the same SSO domain, meaning the external Orchestrator should use vRealize Automation authentication configured with the vRA. Starting with vRA 7.0, vIDM is used; however, vCenter still (as of 6.0 U2) uses SSO (also see the recipe Configuring an external Authentication in Chapter 1, Installing and Configuring Orchestrator). This can currently lead to some problems. This functions the same way as the shared connection in Orchestrator that we have discussed several times previously.
  • Basic: This uses one account to connect and execute workflows. The account used must be a member of the Orchestrator administrator group. You could configure the external Orchestrator with any kind of authentication; this may especially make sense for some plugins that depend on vCenter SSO, such as Horizon Replication and SRM.

This is a problem for the time being as vCenter and vRA do not use the same authentication base (vIDM versus SSO).
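Because Basic authentication hands vRA the password of an account in the Orchestrator administrator group, it is worth confirming that the value you plan to enter in the Host field presents a trusted certificate on port 8281 before saving the connection. The following pre-flight check is an added example, not code from the book or from VMware; the host name vro01.example.test is a placeholder, and the function names are made up for this illustration.

```python
import ipaddress
import socket
import ssl

DEFAULT_VRO_PORT = 8281  # default port given in the steps above


def classify_host(host):
    """Return 'ip' or 'fqdn' for the value typed into the Host field."""
    try:
        ipaddress.ip_address(host)
        return "ip"
    except ValueError:
        return "fqdn"


def probe(host, port=DEFAULT_VRO_PORT, timeout=5.0):
    """TCP connect, then a TLS handshake with chain and hostname verification."""
    result = {"host": host, "port": port, "tcp": False,
              "tls_verified": False, "error": None}
    ctx = ssl.create_default_context()  # uses the system trust store
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            result["tcp"] = True
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                result["tls_verified"] = True
                result["tls_version"] = tls.version()
                result["not_after"] = tls.getpeercert().get("notAfter")
    except ssl.SSLCertVerificationError as exc:
        result["error"] = f"certificate rejected: {exc.verify_message}"
    except OSError as exc:  # refused, timeout, DNS failure, other TLS errors
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


def findings(result, auth):
    """Turn a probe result into notes for the chosen authentication type."""
    notes = []
    if not result["tcp"]:
        notes.append(f"cannot reach {result['host']}:{result['port']}")
    elif not result["tls_verified"]:
        notes.append(f"TLS not verified ({result['error']})")
    if classify_host(result["host"]) == "ip":
        notes.append("Host is an IP: the certificate needs a matching IP SAN")
    if auth == "basic" and not result["tls_verified"]:
        notes.append("hold the Basic account password until TLS verifies")
    return notes


if __name__ == "__main__":
    r = probe("vro01.example.test")  # placeholder FQDN, not from the page
    print(r, findings(r, "basic"))
```

An appliance that still uses a self-signed certificate will be reported as rejected unless that certificate has been added to the trust store of the machine running the check.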

There's more...

You can define a workflow folder per-tenant. This enables you to expose different workflows to different tenants. The default value is the base folder.

  1. Log in to the vRA default Tenant as a System Administrator, such as [email protected].
  2. Navigate to the Administration | Advanced Services | Default vRO folder.
  3. Select the Tenant you want to assign a base folder to and click on Edit.
  4. Browse to the Orchestrator workflow folder and then click on Add.