Multi-organization tenancy in VMware Aria Automation relies on coordinated configuration across several products. DNS settings and certificates must be configured correctly for your multi-organization tenancy configuration to function. The following products are involved:
- VMware Aria Suite Lifecycle
- Workspace ONE Access Identity Manager
- VMware Aria Automation
This topic also assumes that you are starting with a default tenant, which is your provider organization, and creating two sub-tenants, called tenant-1 and tenant-2.
You can create and apply certificates using the Locker service in VMware Aria Suite Lifecycle or you can use another mechanism. VMware Aria Suite Lifecycle also enables you to replace or re-trust certificates on VMware Aria Automation or Workspace ONE Access.
DNS Requirements
- Create both main A type records for each system component and for each of the tenants that you will create when you enable multi-tenancy.
- Create multi-tenancy A type records for each of the tenants you will create as well as for the primary tenant.
- Create multi-tenancy CNAME type records for each of the tenants you will create, not including the primary tenant.
Certificate requirements for single node multi-tenancy deployment
You must create two Subject Alternative Name (SAN) certificates, one for Workspace ONE Access and one for VMware Aria Automation.
- The VMware Aria Automation certificate lists the hostname of the VMware Aria Automation server and the names of the tenants you will create.
- The Workspace ONE Access certificate lists the hostname of the Workspace ONE Access server and the tenant names you are creating.
- If you use dedicated SAN names, certificates must be updated manually when you add or delete hosts or change a hostname. You must also update DNS entries for tenants. As an option to simplify configuration, you can use wildcards for the Workspace ONE Access and VMware Aria Automation certificates. For example, `*.example.com` and `*.vra.example.com`.

  Note: VMware Aria Automation supports wildcard certificates only for DNS names that match the specifications in the Public Suffix list at https://publicsuffix.org. For example, `*.myorg.com` is a valid name while `*.myorg.local` is invalid.
Note that VMware Aria Suite Lifecycle does not create separate certificates for each tenant. Instead it creates a single certificate with each tenant hostname listed. For basic configurations, the tenant's CNAME uses the following format: tenantname.vrahostname.domain. For high availability configurations, the name uses the following format: tenantname.vraLBhostname.domain.
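The following added example (not VMware code) builds the tenant hostnames in the tenantname.vrahostname.domain format and reports which required names a VMware Aria Automation certificate's SAN list fails to cover. The function names and sample SAN lists are constructed for illustration, and wildcard handling assumes standard TLS matching, where `*` stands for exactly one leftmost label.

```python
# Added example: names follow the page's tenantname.vrahostname.domain format.
# Wildcard handling assumes standard TLS rules: "*" is the whole leftmost
# label and stands for exactly one label.

def tenant_cnames(vra_fqdn, tenants):
    """Tenant hostnames for a basic (single node) deployment."""
    return [f"{t}.{vra_fqdn}".lower() for t in tenants]

def san_matches(san, host):
    """True if one SAN entry covers host (case-insensitive)."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    s_labels, h_labels = san.split("."), host.split(".")
    return (len(s_labels) == len(h_labels)
            and h_labels[0] != ""
            and s_labels[1:] == h_labels[1:])

def missing_names(san_list, vra_fqdn, tenants):
    """Required names (server host plus every tenant) that no SAN covers."""
    required = [vra_fqdn.lower()] + tenant_cnames(vra_fqdn, tenants)
    return [h for h in required
            if not any(san_matches(s, h) for s in san_list)]

# Constructed sample inputs built from the page's example names.
VRA = "vra.example.com"
TENANTS = ["tenant-1", "tenant-2"]
SAMPLES = {
    "dedicated, tenant-2 not added": ["vra.example.com", "tenant-1.vra.example.com"],
    "wildcard only": ["*.vra.example.com"],
    "parent-domain wildcard": ["*.example.com"],
    "host plus wildcard": ["vra.example.com", "*.vra.example.com"],
}

if __name__ == "__main__":
    for label, sans in SAMPLES.items():
        gaps = missing_names(sans, VRA, TENANTS)
        print(f"{label}: {'ok' if not gaps else 'missing ' + ', '.join(gaps)}")
```

Under these matching rules, `*.vra.example.com` covers the tenant names but not `vra.example.com` itself, and `*.example.com` covers the server hostname but none of the tenant names.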
Summary
The following table summarizes DNS and certificate requirements for a single node Workspace ONE Access and single node VMware Aria Automation deployment.
DNS Requirements | SAN Certificate Requirements |
---|---|
Main A Type Records: lcm.example.com, WorkspaceOne.example.com, vra.example.com | Workspace ONE Access Certificate Host Name: WorkspaceOne.example.com, default-tenant.example.com, tenant-1.vra.example.com, tenant-2.vra.example.com |
Multi-tenancy A Type Records: default-tenant.example.com, tenant-1.example.com, tenant-2.example.com | |
Multi-Tenancy CNAME Type Records: tenant-1.vra.example.com, tenant-2.vra.example.com | VMware Aria Automation Certificate Host Name: vra.example.com, tenant-1.vra.example.com, tenant-2.vra.example.com |