IOM-VROPS-CFG-001

Deploy vRealize Operations Manager as a cluster of three nodes - one primary, one primary replica, and one data node, in the default management vSphere cluster.

• Provides the scale capacity required for monitoring of up to 10,000 virtual machines / 12,500 objects.

• Supports scale-up with additional data nodes.

You must size all nodes identically, which increases the resource requirements in the SDDC.

IOM-VROPS-CFG-002

Deploy two remote collector nodes in the default management vSphere cluster.

Removes the load from the analytics cluster from collecting metrics from local-instance applications.

You must assign a collector group when configuring the monitoring of a solution.

IOM-VROPS-CFG-003

To deploy vRealize Operations Manager , use the vRealize Suite Lifecycle Manager instance in the corresponding VMware Cloud Foundation instance.

• For VMware Cloud Foundation 4.3 and earlier: the vRealize Operations Manager install bundle is synchronized from SDDC Manager ensuring interoperability with VMware Cloud Foundation.

• For VMware Cloud Foundation 4.4 and later: vRealize Suite Lifecycle Manager manages the vRealize Operations Manager product binaries. The version of vRealize Operations Manager is determined by the VMware interoperability matrix and SDDC Manager.

• When vRealize Suite Lifecycle Manager is in VMware Cloud Foundation mode, during the deployment, SDDC Manager configures the load balancer for the analytics cluster.

You must deploy vRealize Suite Lifecycle Manager.

IOM-VROPS-CFG-004

Protect all vRealize Operations Manager nodes by using vSphere High Availability.

Supports the availability objective for vRealize Operations Manager without requiring manual intervention during a failure event.

None.

IOM-VROPS-CFG-005

Apply a vSphere Distributed Resource Scheduler (DRS) anti-affinity rule to the vRealize Operations Manager analytics cluster.

Using vSphere DRS prevents the vRealize Operations Manager analytics cluster virtual machines from running on the same ESXi host and risking the high availability of the cluster.

• You must perform additional configuration to set up an anti- affinity rule.

• If additional data nodes are added, you must update the anti-affinity rule.

• For a default management vSphere cluster that consists of four ESXi hosts, you can put in maintenance mode only a single ESXi host at a time.

IOM-VROPS-CFG-006

Apply a vSphere Distributed Resource Scheduler (DRS) anti-affinity rule to the vRealize Operations Manager remote collector group.

Using vSphere DRS prevents the vRealize Operations Manager remote collector virtual machines from running on the same ESXi host and risking the high availability of the cluster.

You must perform additional configuration to set up an anti-affinity rule.

IOM-VROPS-CFG-007

Place the vRealize Operations Manager analytics cluster virtual machines in a dedicated virtual machine folder.

Provides an organization of the vRealize Operations Manager analytics cluster virtual machines in the management domain inventory.

You must create the virtual machine folder during or after the deployment.

IOM-VROPS-CFG-008

Place the vRealize Operations Manager remote collector virtual machines in a dedicated virtual machine folder.

Provides an organization of the vRealize Operations Manager remote collector virtual machines in the management domain inventory.

You must create the virtual machine folder during or after the deployment.

IOM-VROPS-CFG-009

When using two availability zones, add the vRealize Operations Manager virtual machines to the first availability zone VM group.

Ensures that, by default, the vRealize Operations Manager virtual machines are powered on within the first availability zone hosts group.

If vRealize Operations Manager is deployed after the creation of the stretched cluster for management domain availability zones, you must update the VM group for the first availability zone virtual machines to include the vRealize Operations Manager virtual machines.

IOM-VROPS-CFG-010

In an environment with multiple VMware Cloud Foundation instances, deploy two remote collector nodes in the default management vSphere cluster in each VMware Cloud Foundation instance by using the same vRealize Suite Lifecycle Manager instance and environment in the first VMware Cloud Foundation instance.

Removes the load from the analytics cluster from collecting metrics from local-instance applications.

You must assign a collector group when configuring the monitoring of a solution.

IOM-VROPS-CFG-011

In an environment with multiple VMware Cloud Foundation instances, place the vRealize Operations Manager remote collector virtual machines in each instance, in a dedicated virtual machine folder.

Provides an organization of the vRealize Operations Manager remote collector virtual machines in the management domain inventory.

You must create the virtual machine folder during or after the deployment.

IOM-VROPS-CFG-012

In an environment with multiple VMware Cloud Foundation instances, apply a vSphere Distributed Resource Scheduler (DRS) anti-affinity rule to the vRealize Operations Manager remote collector group.

Using vSphere DRS prevents the vRealize Operations Manager remote collector virtual machines from running on the same ESXi host and risking the high availability of the cluster.

You must perform additional configuration to set up an anti-affinity rule.

IOM-VROPS-CFG-013

Deploy each node in the analytics cluster as a medium-size appliance.

• Provides enough capacity for the metrics and objects generated by up to 12,500 objects while having high availability in the analytics cluster activated. Metrics are collected from the following components:

  • vCenter Server instances

  • ESXi hosts

  • NSX-T Data Center components

  • vRealize Automation

  • vRealize Log Insight

• If you use fewer large-size vRealize Operations Manager analytics cluster nodes, you must increase the minimum host memory size to handle the increased performance that is the result from stretching NUMA node boundaries.

• The ESXi hosts in the default management vSphere cluster must have physical CPUs with a minimum of 8 cores per socket. In total, the vRealize Operations Manager analytics cluster uses 24 vCPUs and 96 GB of memory in the default management vSphere cluster.

• When you exceed 12,500 objects, you must scale up the analytics cluster nodes size by using vRealize Suite Lifecycle Manager.

IOM-VROPS-CFG-014

If the number of SDDC objects exceeds 12,500, scale up the analytics cluster nodes size by using vRealize Suite Lifecycle Manager.

Ensures that the analytics cluster has enough capacity to meet the SDDC object and metric growth.

• The capacity of the physical ESXi hosts must be enough to accommodate virtual machines that require 32 GB RAM without bridging NUMA node boundaries.

• The default management vSphere cluster must have enough ESXi hosts so that vRealize Operations Manager can run according to the vSphere DRS anti-affinity rule.

• The number of analytics cluster nodes must not exceed the number of ESXi hosts in the default management vSphere cluster minus one. For example, if the default management vSphere cluster contains six ESXi hosts, you can deploy up to five vRealize Operations Manager nodes in the analytics cluster.

IOM-VROPS-CFG-015

Increase the initial storage of each vRealize Operations Manager analytics cluster node by 1 TB.

• Supports the storage requirements for monitoring up to 12,500 objects.

• Supports projected growth of 20%.

• Supports data retention of six months.

None.

IOM-VROPS-CFG-016

Deploy each remote collector node as a standard-size appliance.

• Provides metric collection for the expected number of objects in the SDDC when at full capacity.

• Remote collector nodes do not perform analytics operations or store data on disk, therefore no additional storage is required.

You must provide 4 vCPUs and 8 GB of memory in the default management vSphere cluster in each VMware Cloud Foundation instance.

IOM-VROPS-CFG-017

Configure vRealize Operations Manager to use an outbound SMTP mail server to route notifications for system events.

Integrates vRealize Operations Manager system events notifications to users by email to provide an enhanced user experience.

You must maintain an SMTP server.

IOM-VROPS-CFG-018

Configure the correct currency in the vRealize Operations Manager global options.

Ensures accurate costing in the correct currency.

The currency cannot be changed after the initial configuration.

IOM-VROPS-NET-001

Place the vRealize Operations Manager analytics nodes on the cross-instance NSX network segment.

Provides a consistent deployment model for management applications and a potential to extend to a second VMware Cloud Foundation instance for disaster recovery.

You must use an implementation of NSX-T Data Center to support this network configuration.

IOM-VROPS-NET-002

Place the vRealize Operations Manager remote collector nodes on the local-instance NSX network segment.

Supports collection of metrics locally per VMware Cloud Foundation instance.

You must use an implementation in NSX-T Data Center to support this networking configuration.

IOM-VROPS-NET-003

In an environment with multiple VMware Cloud Foundation instances, place the vRealize Operations Manager remote collector nodes in each instance on the local-instance NSX segment.

Supports collection of metrics locally per VMware Cloud Foundation instance.

You must use an implementation in NSX-T Data Center to support this networking configuration.

IOM-VROPS-NET-004

Allocate statically assigned IP addresses and host names from the cross-instance NSX segment to the vRealize Operations Manager analytics cluster nodes and the NSX-T Data Center load balancer.

Ensures stability across the SDDC, and makes it simpler to maintain and easier to track.

Requires precise IP address management.

IOM-VROPS-NET-005

Allocate statically assigned IP addresses and host names from the local-instance NSX segment to the vRealize Operations Manager remote collector nodes.

Ensures stability across the SDDC, and makes it simpler to maintain and easier to track.

Requires precise IP address management.

IOM-VROPS-NET-006

In an environment with multiple VMware Cloud Foundation instances, allocate statically assigned IP addresses and host names from each local-instance NSX segment to the corresponding vRealize Operations Manager remote collector nodes in the instance.

Ensures stability across the SDDC, and makes it simpler to maintain and easier to track.

Requires precise IP address management.

IOM-VROPS-NET-007

Configure forward and reverse DNS records for all vRealize Operations Manager nodes and for the NSX-T Data Center load balancer virtual IP address.

All nodes are accessible by using fully qualified domain names instead of by using IP addresses only.

You must provide DNS records for the vRealize Operations Manager nodes.

IOM-VROPS-NET-008

Use the small-size load balancer that is configured by SDDC Manager on a dedicated NSX-T Data Center Tier-1 gateway in the management domain to load balance the clustered Workspace ONE Access nodes, to also load balance the connections across the vRealize Operations Manager analytics cluster members.

Required to deploy a vRealize Operations Manager analytics cluster deployment type with distributed user interface access across members.

You must use the NSX-T Data Center load balancer that is configured by SDDC Manager to support this network configuration.

IOM-VROPS-NET-009

Do not use a load balancer for the vRealize Operations Manager remote collector nodes.

• vRealize Operations Manager remote collector nodes must directly access the systems that they are monitoring.

• vRealize Operations Manager remote collector nodes do not require access to and from the public network.

None.

IOM-VROPS-NET-010

Configure NTP on each vRealize Operations Manager node.

vRealize Operations Manager depends on time synchronization.

None.

IOM-VROPS-NET-011

Configure the timezone of vRealize Operations Manager to use UTC.

You must use UTC to provide the integration with vRealize Automation , because vRealize Automation supports only UTC.

If you are in a timezone other than UTC, timestamps appear skewed.

IOM-VROPS-LCM-001

• For VMware Cloud Foundation 4.4, use vRealize Suite Lifecycle Manager to perform the life cycle management of vRealize Operations Manager .

• For VMware Cloud Foundation 4.3.1 and earlier, use SDDC Manager and vRealize Suite Lifecycle Manager to perform the life cycle management of vRealize Operations Manager .

• For VMware Cloud Foundation 4.4, vRealize Suite Lifecycle Manager manages the product binaries and vRealize Operations Manager upgrades.

• For VMware Cloud Foundation 4.3.1 and earlier, SDDC Manager provides the upgrade bundles to vRealize Suite Lifecycle Manager and manages vRealize Operations Manager upgrades through the integration with vRealize Suite Lifecycle Manager.

• You must deploy vRealize Suite Lifecycle Manager by using SDDC Manager.

• vRealize Suite Lifecycle Manager manages patches, updates, and hot fixes for vRealize Operations Manager .

IOM-VROPS-CFG-019

Configure a vCenter Server cloud account for each vCenter Server instance in the SDDC.

Provides the vRealize Operations Manager integration with and data collection from all vCenter Server instances in the SDDC.

The vCenter Server cloud account uses the administrator@vsphere.local user account for application-to-application communication from vRealize Operations Manager to vSphere. While you can update the cloud account to use a custom user, the password rotation feature in SDDC Manager for administrator@vsphere.local reverts the configuration.

IOM-VROPS-CFG-020

Connect each VI workload domain to vRealize Operations Manager by using SDDC Manager.

SDDC Manager provides a workflow to add the VI workload domain vCenter Server cloud account in vRealize Operations Manager .

None.

IOM-VROPS-CFG-021

Configure each vCenter Server cloud account to use the remote collector group for its VMware Cloud Foundation instance.

Local-instance components are configured to use the remote collector group. This configuration offloads data collection for local management components from the analytics cluster.

None.

IOM-VROPS-CFG-022

Activate the vSAN integration in the vCenter Server cloud accounts.

Provides the vRealize Operations Manager integration with and data collection from all vSAN instances in the SDDC.

The vSAN adapter uses the administrator@vsphere.local user account for application-to-application communication from vRealize Operations Manager to vSphere. While you can update the adapter to use a custom user, the password rotation feature in SDDC Manager for administrator@vsphere.local reverts the configuration.

IOM-VROPS-CFG-023

In an environment with multiple VMware Cloud Foundation instances, configure a vCenter Server cloud account for each vCenter Server instance in each VMware Cloud Foundation instance.

Provides the vRealize Operations Manager integration with and data collection from all vCenter Server instances in the SDDC.

None.

IOM-VROPS-CFG-024

In an environment with multiple VMware Cloud Foundation instances, manually connect each VI workload domain in each additional VMware Cloud Foundation instance to vRealize Operations Manager .

vRealize Operations Manager is integrated with SDDC Manager only in the first VMware Cloud Foundation instance.

You must configure the cloud account manually.

IOM-VROPS-CFG-025

In an environment with multiple VMware Cloud Foundation instances, configure each vCenter Server cloud account to use the remote collector group for its VMware Cloud Foundation instance.

Local-instance components are configured to use the remote collector group. This configuration offloads data collection for local management components from the analytics cluster.

None.

IOM-VROPS-CFG-026

In an environment with multiple VMware Cloud Foundation instances, activate the vSAN integration in the vCenter Server cloud accounts.

Provides the vRealize Operations Manager integration with and data collection from all vSAN instances in the SDDC.

None.

IOM-VROPS-CFG-027

Install the VMware Identity Manager management pack for vRealize Operations Manager .

Provides the ability of vRealize Operations Manager to communicate with Workspace ONE Access endpoints.

The management pack is installed by SDDC Manager.

None.

IOM-VROPS-CFG-028

Configure a VMware Identity Manager adapter instance for the clustered Workspace ONE Access instance.

Provides the vRealize Operations Manager integration and data collection from the clustered Workspace ONE Access instance.

The adapter is configured by SDDC Manager.

None.

IOM-VROPS-CFG-029

Configure the clustered Workspace ONE Access adapter to use the default collector group.

Cross-instance components are configured to use the default collector group.

The load on the analytics cluster, though minimal, increases.

IOM-VROPS-CFG-030

Configure an NSX-T adapter instance for each NSX Manager instance.

Provides the vRealize Operations Manager integration and data collection from NSX-T Data Center.

In an environment with NSX-T Federation, only NSX-T Local Managers are supported at this time.

IOM-VROPS-CFG-031

Configure each NSX-T adapter to use the remote collector group.

Local-instance components are configured to use the remote collector group. This offloads data collection for local management components from the analytics cluster.

None.

IOM-VROPS-CFG-032

Install the SDDC Health management pack for vRealize Operations Manager .

Provides aggregated dashboards for VMware Cloud Foundation.

You must install the management pack manually.

IOM-VROPS-CFG-033

Activate the native Ping management pack in vRealize Operations Manager .

Provides metrics on the availability of endpoints.

You must activate the management pack manually.

IOM-VROPS-CFG-034

Add Ping adapters for the vRealize Operations Manager nodes.

Provides metrics on the availability of vRealize Operations Manager nodes.

You must add the adapter instances manually.

IOM-VROPS-CFG-035

Configure each Ping adapter for the vRealize Operations Manager nodes to use the default collector group.

Cross-instance components are configured to use the default collector group.

The load on the analytics cluster, though minimal, increases.

IOM-VROPS-CFG-036

Add a Ping adapter for the clustered Workspace ONE Access nodes.

Provides metrics on the availability of the clustered Workspace ONE Access nodes.

You must add the adapter instances manually.

IOM-VROPS-CFG-037

Configure the Ping adapter for the clustered Workspace ONE Access nodes to use the default collector group.

Local-instance components are configured to use the remote collector group.

This configuration offloads data collection for local management components from the vRealize Operations Manager analytics cluster.

IOM-VROPS-SEC-001

Activate vRealize Operations Manager integration with your corporate identity source by using the clustered Workspace ONE Access deployment.

Allows authentication, including multi-factor, to vRealize Operations Manager by using your corporate identity source.

Allows authorization through the assignment of organization and cloud services roles to enterprise users and groups defined in your corporate identity source.

You must deploy and configure a Workspace ONE Access cluster to establish the integration between vRealize Operations Manager and your corporate identity sources.

IOM-VROPS-SEC-002

Assign the default Administrator role in vRealize Operations Manager to an active directory security group.

Provides the following access control features:

• Access to vRealize Operations Manager administration is granted to a managed set of individuals that are members of the security group.

• You can introduce improved accountability and tracking organization owner access to vRealize Operations Manager .

You must maintain the life cycle and availability of the security group outside of the SDDC stack.

IOM-VROPS-SEC-003

Assign the default ContentAdmin role in vRealize Operations Manager to an active directory security group.

Provides the following access control features:

• Access to the vRealize Operations Manager user interface is granted to a managed set of individuals that are members of the security group.

• You can introduce improved accountability and tracking organization owner access to vRealize Operations Manager .

You must maintain the life cycle and availability of the security group outside of the SDDC stack.

IOM-VROPS-SEC-004

Assign the default ReadOnly role in vRealize Operations Manager to an active directory security group.

Provides the following access control features:

• Access to the vRealize Operations Manager user interface is granted to a managed set of individuals that are members of the security group.

• You can introduce improved accountability and tracking organization owner access to vRealize Operations Manager .

You must maintain the life cycle and availability of the security group outside of the SDDC stack.

IOM-VROPS-SEC-005

Configure the endpoint of the NSX-T management pack for vRealize Operations Manager to use the NSX-T Data Center local system domain admin account.

Provides integration and data collection of all NSX-T Data Center instances in the SDDC in vRealize Operations Manager .

You must manage the password life cycle of this endpoint.

IOM-VROPS-SEC-006

Configure a Workspace ONE Access management pack adapter instance for the clustered Workspace ONE Access instance using the local system domain admin account.

• Provides integration and data collection of the clustered Workspace ONE Access instance in vRealize Operations Manager

• Integration between vRealize Operations Manager and Workspace ONE Access is only supported with the local admin account.

You must manage the password life cycle of this endpoint.

IOM-VROPS-SEC-007

Rotate the vRealize Operations Managerroot password on a recurring or event-initiated schedule by using the SDDC Manager user interface or API.

• By default, the password for the vRealize Operations Managerrootaccount expires every 365 days.

• When vRealize Operations Manager is deployed into a VMware Cloud Foundation environment in vRealize Suite Lifecycle Manager, the root password is managed from the SDDC Manager user interface or API, not vRealize Suite Lifecycle Manager.

By using SDDC Manager, you manage the password change or automated password rotation schedule for the vRealize Operations Managerrootaccount in accordance with your organizational policies and regulatory standards.

IOM-VROPS-SEC-008

Rotate the vRealize Operations Manageradmin password on a recurring or event-initiated schedule by using the SDDC Manager user interface or API.

• By default, the password for the vRealize Operations Manageradminaccount expires every 60 days.

• When vRealize Operations Manager is deployed into a VMware Cloud Foundation environment in vRealize Suite Lifecycle Manager, the admin password is managed from the SDDC Manager user interface or API, not vRealize Suite Lifecycle Manager.

By using SDDC Manager, you manage the password change or automated password rotation schedule for the vRealize Operations Manageradminaccount in accordance with your organizational policies and regulatory standards.

IOM-VROPS-SEC-009

Use a CA-signed certificate containing the analytics and remote collector nodes in the SAN attributes, when deploying vRealize Operations Manager .

Configuring a CA-signed certificate ensures that the communication to the externally facing Web UI and API for vRealize Operations Manager , and cross-product, is encrypted.

• Using CA-signed certificates from a certificate authority might increase the deployment preparation time as certificate requests are generated and delivered.

• Each time a node is added the certificate must be replaced to include the new node.

IOM-VROPS-SEC-010

Use a SHA-2 or higher algorithm when signing certificates.

The SHA-1 algorithm is considered less secure and has been deprecated.

Not all certificate authorities support SHA-2.

IOM-VROPS-LOG-001

Use the vRealize Log Insight content pack for vRealize Operations Manager .

Provides additional granular monitoring on the virtual infrastructure.

The content pack for vRealize Operations Manager is installed by default in vRealize Log Insight.

None.

IOM-VROPS-LOG-002

Configure the vRealize Log Insight agent for the vRealize Operations Manager nodes to forward logs to vRealize Log Insight in their corresponding VMware Cloud Foundation instance.

Simplifies configuration of log sources in the SDDC that are prepackaged with the vRealize Log Insight agent.

You must configure the vRealize Log Insight agent to forward logs to the vRealize Log Insight VIP.

IOM-VROPS-LOG-003

Configure vRealize Operations Manager to send logs to the vRealize Log Insight cluster in the corresponding VMware Cloud Foundation instance.

Allows logs from vRealize Operations Manager to be forwarded to a vRealize Log Insight cluster.

None.

IOM-VROPS-LOG-004

Communicate with the vRealize Log Insight using the default Ingestion API (cfapi) port 9000and ssl=no.

Supports disaster recovery of vRealize Operations Manager in the SDDC. During the failover, the DNS records for vRealize Log Insight in Region A are updated to redirect to the instance in Region B to ensure the log collection remains operational. The ssl=no setting must be used when there is a certificate mismatch post failover.

Transmission traffic for logs is not encrypted.

IOM-VROPS-LOG-005

Configure a dedicated Photon OS agent group and assign the vRealize Operations Manager Cluster and Remote Collector Node FQDNs.

• Provides a standardized configuration to all vRealize Log Insight agents in each of the groups.

• Defines the vRealize Log Insight agent configuration for log collection and parsing in the context of the SDDC components, such as specific log directories, files, and formats.

Adds minimal load to the vRealize Log Insight cluster.