You can set up multi-organization tenancy for VMware Aria Automation by using VMware Aria Suite Lifecycle.
The following is a high-level description of the procedure to set up multi-tenancy for VMware Aria Automation, including configuring DNS and certificates. It focuses on a single-node deployment but includes notes for a clustered configuration.
For related information and a video demonstration of configuring VMware Aria Automation multi-organization multi-tenancy, see this VMware blog.
Prerequisites
- Install and configure Workspace ONE Access.
- Install and configure VMware Aria Suite Lifecycle.
Procedure
- Create the required A and CNAME Type DNS records.
- For your primary tenant and each sub-tenant, you must create and apply a SAN certificate.
- For single node deployments, the VMware Aria Automation FQDN points to the VMware Aria Automation appliance, and the Workspace ONE Access FQDN points to the Workspace ONE Access appliance.
- For clustered deployments, both the Workspace ONE Access and VMware Aria Automation tenant-based FQDNs must point to their respective load balancers. Workspace ONE Access is configured with SSL Termination, so the certificate is applied on both the Workspace ONE Access cluster and load balancer. The VMware Aria Automation load balancer uses SSL passthrough, so the certificate is applied only on the VMware Aria Automation cluster.
See Managing certificates and DNS configuration under single-node multi-organization deployments and Managing certificate and DNS configuration in clustered VMware Aria Automation deployments for more details.
- Create or import the required multi-domain (SAN) certificates for both Workspace ONE Access and VMware Aria Automation.
You can create certificates in VMware Aria Suite Lifecycle by using the Locker service. The Locker service allows you to create certificates, licenses, and passwords. Alternatively, you can use a CA server or some other mechanism to generate certificates.
If you need to add or create additional tenants, you must recreate and apply your VMware Aria Automation and Workspace ONE Access tenants.
After you create your certificates, you can apply them within VMware Aria Suite Lifecycle by using the Lifecycle Operations feature. You must select the environment and product and then select the Replace Certificate option. Then you can select the product. When you replace a certificate, you must re-trust all associated products in your environment.
Wait for the certificate to be applied and all services to restart before proceeding to the next step.
See Managing certificates and DNS configuration under single-node multi-organization deployments and Managing certificate and DNS configuration in clustered VMware Aria Automation deployments for more details.
- Apply the Workspace ONE Access SAN certificate on the Workspace ONE Access instance or cluster.
- In VMware Aria Suite Lifecycle, run the Enable Tenancy wizard to enable multi-tenancy and create an alias for the default primary tenant.
Enabling tenancy requires that you create an alias for the provider organization primary tenant or default tenant. After you enable tenancy, you can access Workspace ONE Access via the primary tenant FQDN.
For example, if the existing Workspace ONE Access FQDN is idm.example.local and you create an alias of default-tenant, after tenancy is enabled, the Workspace ONE Access FQDN changes to default-tenant.example.local, and all clients communicating with Workspace ONE Access would now communicate through default-tenant.example.local.
- Apply the VMware Aria Automation SAN certificates on the VMware Aria Automation instance or cluster.
You can apply SAN certificates through the VMware Aria Suite Lifecycle Lifecycle Operations service. Display details of the environment and then select Replace Certificates. You must wait for the certificate replacement task to complete before adding tenants. As part of certificate replacement, VMware Aria Automation services will restart.
- In VMware Aria Suite Lifecycle, run the Add Tenants wizard to configure the desired tenants.
You add tenants by using the VMware Aria Suite Lifecycle Tenant Management page located under Identity and Tenant Management. You can only add tenants for which you have previously configured certificates and DNS settings.
When creating a tenant, you must designate a tenant administrator and you can select the Active Directory connections for this tenant. Available connections are based on those configured in your default or primary tenant. You must also select the product or product instance to which the tenant will be associated.
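Because tenants can only be added once their certificates are in place, it helps to confirm that the Workspace ONE Access SAN certificate lists every tenant FQDN before running the Add Tenants wizard. The following is an added example, not VMware code: it derives tenant FQDNs the way the default-tenant.example.local example above does and checks them against a certificate in the dictionary format returned by Python's ssl.SSLSocket.getpeercert(). The tenant names tenant-1 and tenant-2 and the sample certificate are constructed for illustration.

```python
# Added example: verify that a SAN certificate covers every tenant FQDN.
# The certificate is a dict shaped like ssl.SSLSocket.getpeercert() output.

def tenant_fqdn(existing_fqdn, alias):
    """Swap the host label for the tenant alias, following the page's example:
    idm.example.local + default-tenant -> default-tenant.example.local."""
    host, sep, domain = existing_fqdn.partition(".")
    if not host or not sep or not domain:
        raise ValueError("not a fully qualified name: %r" % existing_fqdn)
    return ("%s.%s" % (alias, domain)).lower()

def dns_sans(cert):
    """Return the DNS-type subjectAltName entries, lower-cased."""
    return [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def san_matches(san, fqdn):
    """Exact match, or a wildcard that covers exactly one left-most label."""
    if san.startswith("*."):
        label, sep, parent = fqdn.partition(".")
        return bool(label) and bool(sep) and parent == san[2:]
    return san == fqdn

def missing_tenant_names(cert, existing_fqdn, aliases):
    """List the tenant FQDNs that no SAN entry in the certificate covers."""
    sans = dns_sans(cert)
    wanted = [tenant_fqdn(existing_fqdn, a) for a in aliases]
    return [f for f in wanted if not any(san_matches(s, f) for s in sans)]

# Constructed sample certificate: tenant-2 was left out of the SAN list.
SAMPLE_CERT = {
    "subjectAltName": (
        ("DNS", "idm.example.local"),
        ("DNS", "default-tenant.example.local"),
        ("DNS", "tenant-1.example.local"),
    )
}

if __name__ == "__main__":
    gaps = missing_tenant_names(
        SAMPLE_CERT, "idm.example.local",
        ["default-tenant", "tenant-1", "tenant-2"],
    )
    for name in gaps:
        print("not covered by certificate:", name)
```

Any name the check reports needs a SAN entry in a recreated certificate, which must then be applied with Replace Certificate before the tenant is added.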
What to do next
After you create tenants, you can use the VMware Aria Suite Lifecycle Tenant Management page located under Identity and Tenant Management to change or add tenant administrators, add Active Directory directories to the tenant and change product associations for the tenant.
You can also log in to your Workspace ONE Access instance to view and validate your tenant configuration.