You must assign a new IP address to each cloned virtual appliance before you power it on. The IP address must be resolvable in DNS. If the address is not in the reverse DNS, you must also assign the host name.

Procedure

  1. In the vSphere Client or the vSphere Web Client, select the cloned virtual appliance.
  2. In the Summary tab, under Commands, click Edit Settings.
  3. Select Options and in the vApp Options list, select Properties.
  4. Change the IP address in the IP Address field.
  5. If the IP address is not in the reverse DNS, add the host name in the HostName text box.
  6. Click OK.
  7. Power on the cloned appliance and wait until the blue login screen appears in the Console tab.
    Important:

    Before you power on the cloned appliance, ensure that the original appliance is fully powered on.

What to do next

  • Wait for a few minutes until the Elasticsearch cluster is created before adding the cloned virtual appliance to the load balancer.

    Elasticsearch, a search and analytics engine, is embedded in the virtual appliance.

    1. Log in to the cloned virtual appliance.

    2. Check the Elasticsearch cluster:

      curl -XGET 'http://localhost:9200/_cluster/health?pretty=true'

      Verify that the number of nodes reported in the result matches the number of nodes in your cluster.

  • Add the cloned virtual appliance to the load balancer and configure the load balancer to distribute traffic. See your load balancer vendor documentation for information.

  • If you joined a domain in the original service instance, you must also join the domain in the cloned service instances.

    1. Log in to the VMware Identity Manager administration console.

    2. Select the Identity & Access Management tab, then click Setup.

      The connector component of each of the cloned service instances is listed in the Connectors page.

    3. For each connector listed, click Join Domain and specify the domain information.

    For more information about Active Directory, see Integrating with Active Directory.

  • For directories of type Integrated Windows Authentication (IWA), you must do the following:

    1. For the cloned service instances, join the domain to which the IWA directory in the original service instance was joined.

      1. Log in to the VMware Identity Manager administration console.

      2. Select the Identity & Access Management tab, then click Setup.

        The connector component of each of the cloned service instances is listed in the Connectors page.

      3. For each connector listed, click Join Domain and specify the domain information.

    2. Save the IWA directory configuration.

      1. Select the Identity & Access Management tab.

      2. In the Directories page, click the IWA directory link.

      3. Click Save to save the directory configuration.

  • If you manually updated the /etc/krb5.conf file in the original service instance, for example, to resolve View synchronization failure or slowness, you must update the file in each cloned instance after the cloned instance is joined to the domain. Perform the following tasks in all the cloned service instances.

    1. Edit the /etc/krb5.conf file and update the realms section to specify the same domain-to-host values that are used in the /usr/local/horizon/conf/domain_krb.properties file. You do not need to specify the port number. For example, if your domain_krb.properties file has the domain entry example.com=examplehost.example.com:389, you would update the krb5.conf file to the following.

      [realms]
      GAUTO-QA.COM = {
      auth_to_local = RULE:[1:$0\$1](^GAUTO-QA\.COM\\.*)s/^GAUTO-QA\.COM/GAUTO-QA/
      auth_to_local = RULE:[1:$0\$1](^GAUTO2QA\.GAUTO-QA\.COM\\.*)s/^GAUTO2QA\.GAUTO-QA\.COM/GAUTO2QA/
      auth_to_local = RULE:[1:$0\$1](^GLOBEQE\.NET\\.*)s/^GLOBEQE\.NET/GLOBEQE/
      auth_to_local = DEFAULT
      # kdc: the host from domain_krb.properties, without the port number
      kdc = examplehost.example.com
      }

      Note:

      You can define multiple kdc entries, but this is not required; in most cases there is only a single kdc value. If you define additional kdc values, put each one on its own line. Each kdc entry defines a domain controller.

    2. Restart the workspace service.

      service horizon-workspace restart

  • Enable the authentication methods configured for the connector on each of the cloned instances. See the VMware Identity Manager Administration Guide for information.
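
A check for step 1 of the /etc/krb5.conf procedure above, as an added example that is not part of the original documentation or of VMware's tooling: it reads the domain-to-host entries from domain_krb.properties and reports every host that has no matching kdc line under its realm in krb5.conf. It assumes that the realm is the upper-cased domain name and that a domain entry may list several comma-separated host:port values; the function names and the sample data are constructed for illustration.

```shell
#!/usr/bin/env bash
# Usage: check_krb_kdcs <domain_krb.properties> <krb5.conf>
# Prints "OK <REALM> <host>" or "MISSING <REALM> <host>"; returns 1 if any is missing.
check_krb_kdcs() {
  awk '
    # Pass 1 (krb5.conf): remember every "kdc = host" under its realm in [realms].
    FILENAME == ARGV[1] {
      l = $0; gsub(/[ \t\r]/, "", l)
      if (l ~ /^\[/) { in_realms = (l == "[realms]"); realm = ""; next }
      if (!in_realms) next
      if (l ~ /=[{]$/) { realm = substr(l, 1, index(l, "=") - 1); next }
      if (l ~ /^[}]/) { realm = ""; next }
      if (realm != "" && l ~ /^kdc=/) {
        h = tolower(substr(l, 5)); sub(/:[0-9]+$/, "", h); kdc[realm, h] = 1
      }
      next
    }
    # Pass 2 (domain_krb.properties): domain=host:port[,host:port...]
    /^[ \t]*(#|$)/ { next }
    {
      line = $0; gsub(/[ \t\r]/, "", line)
      eq = index(line, "="); if (eq == 0) next
      # Assumption: the Kerberos realm is the upper-cased domain name.
      want = toupper(substr(line, 1, eq - 1))
      n = split(substr(line, eq + 1), hosts, ",")
      for (i = 1; i <= n; i++) {
        h = tolower(hosts[i]); sub(/:[0-9]+$/, "", h)   # krb5.conf omits the port
        if (h == "") continue
        if ((want, h) in kdc) print "OK " want " " h
        else { print "MISSING " want " " h; bad = 1 }
      }
    }
    END { exit bad + 0 }
  ' "$2" "$1"
}

# Constructed sample data (not from a real appliance): the second domain has no realm yet.
demo() {
  d=$(mktemp -d) || return 1
  printf 'example.com=examplehost.example.com:389\nlab.example.com=dc1.lab.example.com:389\n' > "$d/domain_krb.properties"
  printf '[realms]\nEXAMPLE.COM = {\n  kdc = examplehost.example.com\n}\n' > "$d/krb5.conf"
  check_krb_kdcs "$d/domain_krb.properties" "$d/krb5.conf"; rc=$?
  rm -rf "$d"; return "$rc"
}

demo || echo "krb5.conf needs updating before the workspace service is restarted"
```

On a cloned instance, run it as `check_krb_kdcs /usr/local/horizon/conf/domain_krb.properties /etc/krb5.conf` after editing the file and before restarting the workspace service.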

The VMware Identity Manager service virtual appliance is now highly available. Traffic is distributed to the virtual appliances in your cluster based on the load balancer configuration. Authentication to the service is highly available. For the directory sync feature of the service, however, in the event of a service instance failure, you will need to manually enable directory sync on a cloned service instance. Directory sync is handled by the connector component of the service and can only be enabled on one connector at a time. See Enabling Directory Sync on Another Instance in the Event of a Failure.