Begin the implementation of the Cloud-Based Intelligent Operations for VMware Cloud Foundation validated solution by preparing your VMware Cloud Foundation instance for connecting to the VMware Aria Operations service.
Assign SDDC Manager Role to a Service Account for Cloud-Based Intelligent Operations for VMware Cloud Foundation
To integrate VMware Aria Operations with VMware Cloud Foundation, you assign a service account a role in SDDC Manager with the required privileges.
UI Procedure
- Log in to SDDC Manager at https://<sddc_manager_fqdn> with a user assigned the Admin role.
- For VMware Cloud Foundation 4.4 or earlier, in the navigation pane, click
- For VMware Cloud Foundation 4.5 or later, in the navigation pane, click
- On the Manage users page, click the Add user or group button.
- On the Add user or group page, in the Search user text box, enter the name of the service account according to the VMware Cloud Foundation Planning and Preparation Workbook.
- In the table, under the User / group name column, select the check box next to the service account.
- In the Role column, from the Choose role drop-down menu, select the Admin role and click Add.
PowerShell Procedure
- Start Windows PowerShell.
- Replace the values in the sample code with values from your VMware Cloud Foundation Planning and Preparation Workbook and run the commands in the PowerShell console.
    # SDDC Manager connection
    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "administrator@vsphere.local"
    $sddcManagerPass = "VMw@re1!"
    # Active Directory domain and bind account
    $domainFqdn = "sfo.rainpole.io"
    $domainBindUser = "svc-vsphere-ad"
    $domainBindPass = "VMw@re1!"
    # Service account that receives the SDDC Manager role
    $cboServiceAccount = "svc-cbo-vcf"
- Perform the configuration by running the command in the PowerShell console.
    Add-SddcManagerRole -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $domainFqdn -domainBindUser $domainBindUser -domainBindPass $domainBindPass -principal $cboServiceAccount -role ADMIN -type user
Define a Custom Role in vSphere for Cloud-Based Intelligent Operations for VMware Cloud Foundation
To integrate VMware Aria Operations with vSphere, you create a custom vSphere role with the required privileges in the vSphere client.
UI Procedure
- Log in to the management domain vCenter Server at https://<management_vcenter_server_fqdn>/ui by using an account with Administrator privileges.
- From the vSphere Client Menu, select Administration.
- In the left pane, select .
- From the Roles provider drop-down menu, select vsphere.local.
- Create a role for VMware Aria Operations in vSphere.
  - Click New.
  - In the Role name text box, enter Aria Operations to vSphere Integration.
  - Configure the privileges, and click Create.
| Category | Privilege |
|---|---|
| Datastore | Allocate space |
| | Browse datastore |
| Extension | Register extension |
| | Unregister extension |
| | Update extension |
| External stats provider | Update |
| | Register |
| | Unregister |
| Global | Global tag |
| | Health |
| | Manage custom attributes |
| | System tag |
| | Set custom attribute |
| Host | |
| Performance | Modify intervals |
| Profile-driven storage | Profile-driven storage view |
| Resource | Assign virtual machine to resource pool |
| | Migrate powered off virtual machine |
| | Migrate powered on virtual machine |
| Storage views | View |
| Virtual machine | |
| vSphere stats privileges | Collect stats data |
| | Modify stats configuration |
| | Query stats data |
PowerShell Procedure
- Start Windows PowerShell.
- Replace the values in the sample code with values from your VMware Cloud Foundation Planning and Preparation Workbook and run the commands in the PowerShell console.
    # SDDC Manager connection
    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "administrator@vsphere.local"
    $sddcManagerPass = "VMw@re1!"
    # Management domain and name of the custom vSphere role
    $sddcDomainName = "sfo-m01"
    $cboVsphereRoleName = "Aria Operations to vSphere Integration"
- Perform the configuration by running the command in the PowerShell console.
    Add-vSphereRole -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -sddcDomain $sddcDomainName -roleName $cboVsphereRoleName
- In the dialog box that opens, navigate to the vSphereRoles folder and open the operations-vsphere-integration.role file.
  The default path for the vSphereRoles folder is C:\Program Files\WindowsPowerShell\Modules\PowerValidatedSolutions\<powervalidatedsolutions_version>\vSphereRoles.
Configure Service Account Permissions for vSphere Integration for Cloud-Based Intelligent Operations for VMware Cloud Foundation
To provide the necessary privileges to the service account for VMware Aria Operations to vSphere integration, you assign the custom role to the integration service account in vCenter Server.
UI Procedure
- Log in to the management domain vCenter Server at https://<management_vcenter_server_fqdn>/ui by using an account with Administrator privileges.
- From the vSphere Client Menu, select Administration.
- In the left pane, select , and click Add.
- In the Add permission dialog box, configure the values for the VMware Aria Operations service account from your VMware Cloud Foundation Planning and Preparation Workbook, select the Propagate to children check box, and click OK.
PowerShell Procedure
- Start Windows PowerShell.
- Replace the values in the sample code with values from your VMware Cloud Foundation Planning and Preparation Workbook and run the commands in the PowerShell console.
    # SDDC Manager connection
    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "administrator@vsphere.local"
    $sddcManagerPass = "VMw@re1!"
    $sddcDomainName = "sfo-m01"
    # Active Directory domain and bind account
    $domainFqdn = "sfo.rainpole.io"
    $domainBindUser = "svc-vsphere-ad"
    $domainBindPass = "VMw@re1!"
    # Custom role and the service account that receives it
    $cboVsphereRoleName = "Aria Operations to vSphere Integration"
    $cboServiceAccount = "svc-cbo-vsphere"
- Perform the configuration by running the command in the PowerShell console.
    Add-vCenterGlobalPermission -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -sddcDomain $sddcDomainName -domain $domainFqdn -domainBindUser $domainBindUser -domainBindPass $domainBindPass -principal $cboServiceAccount -role $cboVsphereRoleName -propagate true -type user
Create a Virtual Machine and Template Folder for Cloud Proxy Appliances for Cloud-Based Intelligent Operations for VMware Cloud Foundation
To group the Cloud Proxy appliances, you create a virtual machine folder on the management domain vCenter Server.
UI Procedure
- Log in to the management domain vCenter Server at https://<management_vcenter_server_fqdn>/ui by using an account with Administrator privileges.
- In the VMs and templates inventory, navigate to the default management data center, right-click the data center, and select .
- In the New folder dialog box, enter a name for the folder according to the VMware Cloud Foundation Planning and Preparation Workbook, and click OK.
PowerShell Procedure
- Start Windows PowerShell.
- Replace the values in the sample code with values from your VMware Cloud Foundation Planning and Preparation Workbook and run the commands in the PowerShell console.
    # SDDC Manager connection
    $sddcManagerFqdn = "sfo-vcf01.sfo.rainpole.io"
    $sddcManagerUser = "administrator@vsphere.local"
    $sddcManagerPass = "VMw@re1!"
    # Management domain and name of the new VM folder
    $sddcDomainName = "sfo-m01"
    $cboFolder = "sfo-m01-fd-cbo"
- Perform the configuration by running the command in the PowerShell console.
    Add-VMFolder -server $sddcManagerFqdn -user $sddcManagerUser -pass $sddcManagerPass -domain $sddcDomainName -folderName $cboFolder
Prepare the NSX to VMware Aria Operations Service Integration for Cloud-Based Intelligent Operations for VMware Cloud Foundation
To integrate NSX with VMware Aria Operations service, you create a certificate and private key and use them to configure a principal identity in NSX Manager.
Procedure
- Log in to SDDC Manager at <sddc_manager_fqdn>:22 as the vcf user by using a Secure Shell (SSH) client.
- Switch to the super user.
    su
- Create the certificate and private key.
    openssl req -newkey rsa:2048 -sha256 -x509 -days 365 -subj "/CN=nsx_local_manager_cluster_hostname" -extensions usr_cert -nodes -keyout nsx_local_manager_cluster_hostname.key -out nsx_local_manager_cluster_hostname.cer
  Note: You use the nsx_local_manager_cluster_hostname.key and nsx_local_manager_cluster_hostname.cer contents to create a principal identity in NSX Manager and create a credential in VMware Aria Operations service.
- Log in to NSX Manager at https://<nsx_manager_fqdn>/login.jsp?local=true as admin.
- On the main navigation bar, click System.
- In the left pane, click Setting.
- For NSX 3.2 or earlier, on the User management page, from the Add drop-down menu, select Principal identity with role.
- For NSX 4.1 or later, on the User management page, click Add principal identity.
- In the Certificate PEM text box, paste the contents of the nsx_local_manager_cluster_hostname.cer certificate file.
- Configure the remaining settings according to the values in your VMware Cloud Foundation Planning and Preparation Workbook and click Save.
Repeat this procedure for each VI workload domain in the VMware Cloud Foundation instance.
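The certificate created in the NSX procedure above is self-signed, valid for 365 days, and its private key is written unencrypted because of -nodes. The following script is an added example, not part of the VMware procedure: it checks that the .cer and .key files match, that the certificate is not close to expiry, and that the key file is readable only by its owner. The function name check_pi_cert, the 30-day default window and the placeholder CN used in the demo are assumptions.

```sh
#!/bin/sh
# Added example: pre-flight checks for the NSX principal identity certificate.
# check_pi_cert CERT KEY [MIN_DAYS]; MIN_DAYS (default 30) is an assumed
# renewal window, not a value from the validated solution.

check_pi_cert() {
    cert=$1; key=$2; min_days=${3:-30}; rc=0

    # 1. The certificate must carry the public half of this private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $cert and $key are not a matching pair"; rc=1
    fi

    # 2. The certificate is issued for 365 days; flag it before it lapses.
    if ! openssl x509 -in "$cert" -noout -checkend $((min_days * 86400)) >/dev/null 2>&1; then
        echo "FAIL: $cert expires within $min_days days"; rc=1
    fi

    # 3. -nodes writes the key unencrypted, so only its owner may read it.
    #    (stat -c is the GNU coreutils form.)
    mode=$(stat -c '%a' "$key" 2>/dev/null)
    case "$mode" in
        600|400) ;;
        *) echo "FAIL: $key has mode ${mode:-unknown}, expected 600 or 400"; rc=1 ;;
    esac
    return $rc
}

# Demo on a constructed pair in a temporary directory (placeholder CN).
demo() {
    d=$(mktemp -d)
    openssl req -newkey rsa:2048 -sha256 -x509 -days 365 \
        -subj "/CN=nsx-example.invalid" -nodes \
        -keyout "$d/pi.key" -out "$d/pi.cer" 2>/dev/null
    chmod 600 "$d/pi.key"
    check_pi_cert "$d/pi.cer" "$d/pi.key" && echo "OK: pair passes all checks"
    status=$?
    rm -rf "$d"
    return $status
}

if [ $# -eq 2 ] || [ $# -eq 3 ]; then check_pi_cert "$@"; else demo; fi
```

Run it with the two file names from the procedure as arguments; with no arguments it runs the demo on a throwaway pair.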