You must coordinate the certificate and DNS configuration between all applicable components to set up a multi-organization clustered VMware Aria Automation deployment.
In a typical clustered configuration, there are three Workspace ONE Access appliances and three VMware Aria Automation appliances as well as a single VMware Aria Suite Lifecycle appliance.
- Workspace ONE Access Identity Manager appliances
- VMware Aria Automation appliances
- VMware Aria Suite Lifecycle appliance
You must create main A type records for each component and for each of the tenants that you will create when you enable multi-tenancy. In addition, you must create multi-tenancy CNAME type records for each of the tenants you will create, not including the master tenant. Finally, you must also create main A type records for the Workspace ONE Access and VMware Aria Automation load balancers.
- Create A type records for the three Workspace ONE Access appliances and for the VMware Aria Automation appliances, mapping each appliance's FQDN to its IP address.
- In addition, create A type records for the Workspace ONE Access load balancer and the VMware Aria Automation load balancer, mapping each load balancer's FQDN to its IP address.
- Create multi-tenancy A type records for the default tenant and for tenant-1 and tenant-2 that point to the IP address of the Workspace ONE Access load balancer.
- Create CNAME records for tenant-1 and tenant-2 that alias the VMware Aria Automation load balancer, so that they resolve to its IP address.
Subject Alternative Name (SAN) Certificate Requirements
- Create a certificate for the Workspace ONE Access appliances that lists the FQDNs of the Workspace ONE Access appliances as well as the default tenant and the other tenants you create. This certificate should include the IP addresses of the Workspace ONE Access appliances.
- As a best practice, create an SSL termination on the load balancer. To support this capability, create a certificate for the Workspace ONE Access load balancer that lists the FQDN of the Workspace ONE Access load balancer as well as the default tenant and all other tenants you create. This certificate should include the IP address of the load balancer.
- You must create a certificate for VMware Aria Automation that lists the host names of the three VMware Aria Automation appliances as well as the related load balancer and the tenants you are creating. In addition, it should list the IP addresses of the three VMware Aria Automation appliances.
- As an option, to simplify configuration, you can use wildcards for the Workspace ONE Access and VMware Aria Automation certificates. For example, *.vra-lb.example.com. Note: VMware Aria Automation supports wildcard certificates only for DNS names that match the specifications in the Public Suffix list at https://publicsuffix.org. For example, *.myorg.com is a valid name.
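The DNS and SAN requirements above are easy to get subtly wrong (a tenant name missing from one of the three certificates, a wildcard that does not actually cover a two-label tenant name, or a wildcard placed directly under a public suffix). The following script is an added example, not VMware's code or documentation: it builds the record set and the three SAN lists from an inventory of appliance and load balancer names, and then reports which required names a given certificate's SANs fail to cover. All hostnames, IP addresses and tenant names are constructed placeholders; the tenant naming scheme (tenant name prefixed to the load balancer FQDN) and the small Public Suffix subset are assumptions of this example, not from the page. The wildcard check goes slightly beyond the text by enforcing the one-label rule that standard TLS clients apply.

```python
"""Added example (not VMware's code): plan DNS records and SAN lists for a
clustered multi-organization deployment and check a certificate's SANs
against the plan. All names/addresses are constructed placeholders."""
from typing import Dict, List, Set, Tuple

# Constructed inventory (placeholders, not values from the page).
WS1A_NODES = {"ws1a-1.example.com": "10.0.0.11",
              "ws1a-2.example.com": "10.0.0.12",
              "ws1a-3.example.com": "10.0.0.13"}
VRA_NODES = {"vra-1.example.com": "10.0.0.21",
             "vra-2.example.com": "10.0.0.22",
             "vra-3.example.com": "10.0.0.23"}
WS1A_LB = ("ws1a-lb.example.com", "10.0.0.10")
VRA_LB = ("vra-lb.example.com", "10.0.0.20")
TENANTS = ["tenant-1", "tenant-2"]  # the master (default) tenant is handled separately


def tenant_fqdn(tenant: str, lb_fqdn: str) -> str:
    """Assumed naming scheme: tenant name prefixed to the load balancer FQDN."""
    return f"{tenant}.{lb_fqdn}"


def dns_records() -> List[Tuple[str, str, str]]:
    """Return (owner name, record type, target) for every record the requirements call for."""
    records = []
    # Main A records: one per appliance and one per load balancer (FQDN -> IP address).
    hosts = {**WS1A_NODES, **VRA_NODES, WS1A_LB[0]: WS1A_LB[1], VRA_LB[0]: VRA_LB[1]}
    for fqdn, ip in hosts.items():
        records.append((fqdn, "A", ip))
    # Multi-tenancy A records: default tenant plus each tenant, all to the WS1A load balancer IP.
    records.append((tenant_fqdn("default", WS1A_LB[0]), "A", WS1A_LB[1]))
    for t in TENANTS:
        records.append((tenant_fqdn(t, WS1A_LB[0]), "A", WS1A_LB[1]))
    # Multi-tenancy CNAME records: each tenant (not the master tenant) aliases the Aria Automation LB.
    for t in TENANTS:
        records.append((tenant_fqdn(t, VRA_LB[0]), "CNAME", VRA_LB[0]))
    return records


def zone_lines() -> List[str]:
    """Render the plan as BIND-style lines; a CNAME target is a name, an A target an address."""
    return [f"{name}.\tIN\t{rtype}\t{target}{'.' if rtype == 'CNAME' else ''}"
            for name, rtype, target in dns_records()]


def required_sans() -> Dict[str, Dict[str, Set[str]]]:
    """DNS and IP SAN entries each of the three certificates must carry."""
    ws1a_tenants = {tenant_fqdn("default", WS1A_LB[0])} | {tenant_fqdn(t, WS1A_LB[0]) for t in TENANTS}
    vra_tenants = {tenant_fqdn(t, VRA_LB[0]) for t in TENANTS}
    return {
        "ws1a-appliances": {"dns": set(WS1A_NODES) | ws1a_tenants, "ip": set(WS1A_NODES.values())},
        "ws1a-lb": {"dns": {WS1A_LB[0]} | ws1a_tenants, "ip": {WS1A_LB[1]}},
        "vra": {"dns": set(VRA_NODES) | {VRA_LB[0]} | vra_tenants, "ip": set(VRA_NODES.values())},
    }


def _matches(san: str, name: str) -> bool:
    """Exact match, or a wildcard SAN covering exactly one leftmost label (not the parent itself)."""
    if san.startswith("*."):
        parent = san[2:]
        return name.endswith("." + parent) and "." not in name[: -len(parent) - 1]
    return san == name


def missing_sans(cert_dns: Set[str], cert_ips: Set[str], required: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Names and IPs the requirement demands that the certificate's SANs do not cover."""
    missing_dns = {n for n in required["dns"] if not any(_matches(s, n) for s in cert_dns)}
    return {"dns": missing_dns, "ip": required["ip"] - cert_ips}


# Constructed subset of the Public Suffix List (https://publicsuffix.org); the real list is far larger.
PUBLIC_SUFFIXES = {"com", "net", "co.uk"}


def wildcard_allowed(san: str) -> bool:
    """A wildcard must not sit directly on a public suffix: *.myorg.com is fine, *.com is not."""
    return not san.startswith("*.") or san[2:] not in PUBLIC_SUFFIXES


if __name__ == "__main__":
    for line in zone_lines():
        print(line)
    # Constructed wildcard certificate for the Aria Automation cluster that forgot one appliance.
    cert_dns = {"*.vra-lb.example.com", "vra-lb.example.com", "vra-1.example.com", "vra-2.example.com"}
    print(missing_sans(cert_dns, set(VRA_NODES.values()), required_sans()["vra"]))
```

Run it as-is to print the planned zone lines and the coverage gap for the constructed certificate (`vra-3.example.com` is the missing name). To check a real certificate, feed the DNS and IP SANs extracted from it (for example with `openssl x509 -noout -ext subjectAltName`) into `missing_sans` against the matching entry of `required_sans()`; an empty result for all three certificates means the SAN requirements above are met.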
If you are using a clustered Workspace ONE Access configuration, note that VMware Aria Suite Lifecycle cannot update the load balancer certificates, so you must update them manually. Also, if you need to re-register products or services that are external to VMware Aria Suite Lifecycle, this is a manual process.
Summary of DNS entries and certificates for a clustered multi-organization configuration
The following table outlines the DNS main A type records, CNAME type records, and certificate requirements for a clustered Workspace ONE Access and clustered VMware Aria Automation multi-organization deployment.
| DNS Entries | SAN Certificate Requirements |
| --- | --- |
| Main A Type Records | Workspace ONE Access Certificate |
| Multi-Tenancy A Type Records. Note: All of the multi-tenancy A type records must point to the vIDM/WS1A load balancer IP address. | Workspace ONE Access LB Certificate (LB Terminated) |
| Multi-Tenancy CNAME Type Records | VMware Aria Automation Certificate. No certificate is required on the VMware Aria Automation load balancer, as it uses SSL passthrough. |