You must coordinate the certificate and DNS configuration between all applicable components to set up a multi-organization clustered VMware Aria Automation deployment.

In a typical clustered configuration, there are three Workspace ONE Access appliances and three VMware Aria Automation appliances as well as a single VMware Aria Suite Lifecycle appliance.

This configuration assumes clustered deployments for the following components:
  • Workspace ONE Access Identity Manager appliances:
    • idm1.example.com
    • idm2.example.com
    • idm3.example.com
    • idm-lb.example.com
  • VMware Aria Automation appliances:
    • vra-1.example.com
    • vra-2.example.com
    • vra-3.example.com
    • vra-lb.example.com
  • VMware Aria Suite Lifecycle appliance

DNS Requirements

You must create both main A type records for each component and for each of the tenants that you will create when you enable multi-tenancy. In addition, you must create multi-tenancy CNAME type records for each of the tenants you will create, not including the master tenant. Finally, you must also create Main A Type records for the Workspace ONE Access and VMware Aria Automation load balancers.

  • Create A type records for the three Workspace ONE Access appliances, and for the VMware Aria Automation appliances that point to their respective FQDNs.
  • In addition, create A type records for the Workspace ONE Access load balancer and the VMware Aria Automation load balancer that point to their respective FQDNs.
  • Create multi-tenancy A Type records for the default tenant and for tenant-1 and tenant-2 that point to the IP address of the Workspace ONE Access load balancer.
  • Create CNAME records for tenant-1 and tenant-2 that point to the IP address of the VMware Aria Automation load balancer.

Subject Alternative Name (SAN) Certificate Requirements

You must create two Workspace ONE Access certificates, one that applies on the cluster appliances and one that applies on the load balancer. In addition, create a certificate that applies to the VMware Aria Automation appliances, the tenants you are creating, excluding the default tenant, and the load balancer.
  • Create a certificate for the Workspace ONE Access appliances that list the FQDNs of the Workspace ONE Access appliances as well as the default tenant and other tenants you create. This certificate should include the IP addresses of the Workspace ONE Access appliances.
  • As a best practice, create an SSL termination on the load balancer. To support this capability, create a certificate for the Workspace ONE Access load balancer that lists the FQDN of the Workspace ONE Access load balancer as well as the default tenant and all other tenants you create. This certificate should include the IP address of the load balancer.
  • You must create a certificate for VMware Aria Automation that lists the host names of the three VMware Aria Automation appliances as well as the related load balancer and the tenants you are creating. In addition, it should list the IP addresses of the three VMware Aria Automation appliances.
  • As an option, to simplify configuration, you can use wildcards for the Workspace ONE Access and VMware Aria Automation certificates. For example, *.example.com, *.vra.example.com, and *.vra-lb.example.com.
    Note: VMware Aria Automation supports wildcard certificates only for DNS names that match the specifications in the Public Suffix list at https://publicsuffix.org. For example, *.myorg.com is a valid name .

If you are using a clustered Workspace ONE Access configuration, note that VMware Aria Suite Lifecycle cannot update the load balancer certificates, so you must update them manually. Also, if you need to re-register products or services that are external to VMware Aria Suite Lifecycle, this is a manual process.

Summary of DNS entries and certificates for a clustered multi-organization configuration

The following tables outlines DNS Main A Type Records and C Name Type records and certificate requirements for a clustered Workspace ONE Access and clustered VMware Aria Automation multi-organization deployment.

DNS Requirements SAN Certificate Requirements
Main A Type Records
  • lcm.example.com
  • WorkspaceOne-1.example.com
  • WorkspaceOne-2.example.com
  • WorkspaceOne-3.example.com
  • Workspace.One-lb.example.com
  • vra-1.example.com
  • vra-2.example.com
  • vra-3.example.com
  • vra-lb.example.com
Workspace ONE Access Certificate
Host Name:
  • WorkspaceOne-1.example.com
  • WorkspaceOne-2.example.com
  • WorkspaceOne-3.example.com
  • default-tenant.example.com
  • tenant-1.example.com
  • tenant-2.example.com
Multi-Tenancy A Type Records
  • default-tenant.example.com
  • tenant-1.vra.example.com
  • tenant-2.vra.example.com
Note: All of the multi-tenancy A Type records must point to the vIDM/WS1A load balancer IP address.
Workspace ONE Access LB Certificate (LB Terminated)
Host Name:
  • WorkspaceOne-lb.example.com
  • default-tenant.example.com
  • tenant-1.example.com
  • tenant-2.example.com
Multi-Tenancy CNAME Type Records
  • tenant-1.vra-lb.example.com - vra-lb.example.com
  • tenant-2.vra-lb.example.com - vra-lb.example.com
VMware Aria Automation Certificate
Host Name:
  • vra-1.example.com
  • vra-2.example.com
  • vra-3.example.com
  • vra-lb.example.com
  • tenant-1.example.com
  • tenant-2.example.com

No certificate is required on the VMware Aria Automation load balancer as it uses SSL passthrough.

Note: Each additional tenant that you add must be listed separately in the VMware Aria Automation Certificate, Multi-tenancy CNAME records, Multi-tenancy Type A records, Workspace ONE Access Certificate and Workspace ONE Access LB Certificate.
Note: The *.com file names are for example use only. They may not be applicable to most business environments.