You can use vRealize Suite Lifecycle Manager to enable multi-tenancy on premises on VMware Identity Manager 3.3.7 with vReallize Automation 8.x.

For vReallize Automation 8.x, multi-tenancy is enabled by default with tenant-in-host-name mode, as opposed to tenant-in-path mode.

With tenant-in-host-name mode, you must use a URL of the tenant's fully qualified domain name (FQDN) to access tenants. A load balancer URL or the VMware Identity Manager URL will not work. For example:

  • URL before multi-tenancy is enabled: https://load-balancer.vmwareidentity.com/SAAS/t/tenant1
  • URL after multi-tenancy is enabled: https://tenant1.vmwareidentity.com

Be prepared to re-register existing vRealize products after you enable multi-tenancy on the load-balanced VMware Identity Manager deployment.

The following figure illustrates valid URLs and invalid URLs. The figure also provides examples of load balancer and DNS configurations.

Figure 1. Example Tenant-In-Host Name Multi-Tenancy Deployment
VMware Identity Manager with VMware vRealize Automation using tenant-in-host name multi-tenancy

Prerequisites

Create the appropriate DNS entries:

Single Node or Clustered Action
For a single node VMware Identity Manager deployment Create DNS entries to resolve the fully qualified domain name for each tenant to the VMware Identity Manager IP address.
For a clustered VMware Identity Manager deployment Create DNS entries to resolve the fully qualified domain name for each tenant to the load balancer IP address.

Procedure

  • Use vRealize Suite Lifecycle Manager to enable multi-tenancy.

    See information about creating tenants in the vRealize Suite Lifecycle Installation, Upgrade, and Management Guide.

    Important: Adhere to the following guidelines when you enable multi-tenancy.
    • When configuring SSL certificates, the best practice is to use a wildcard Subject Alternative Name (SAN) certificate, preferably signed by a public Certificate Authority (CA). However, you can also use a self-signed certificate with a wildcard SAN.

      Ensure that the certificate includes fully qualified domain names as SANs for the load balancer, nodes, and default-tennat alias.

      Note: If you use a certificate without a wildcard SAN, perform the following steps as applicable.
      • Add all the tenant fully qualified domain names as SANs to the certificate.
      • Whenever you create a tenant, ensure that the new tenant FQDN is added as a SAN to the VMware Identity Manager certificate. A certificate update requires a restart of the Horizon service.
    • The following VMware Identity Manager Connector information applies.
      • For a child tenant, the connector does not appear by default on the Connectors page. The Connectors page in the VMware Identity Manager console lists a connector instance only after the enterprise directory is created using that connector instance.
      • Always perform domain join operations from the primary tenant.
      • If you choose to create an IWA directory for a different domain on the child tenant, use different external Windows connector instances.
        • The external connector instance activated against any child tenant is only used against that tenant.
        • The external connector instance activated against a primary tenant can be used across all the child tenants.
      • During the upgrade, the VMware Identity Manager service generates the cluster-hostname-conn-timestamp.enc file for all connector instances. The cluster-hostname-conn-timestamp.enc file contains embedded-connector configuration information.

What to do next

You must re-register the existing vRealize products, such as VMware vRealize Operations, VMware vRealize Automation, and VMware vRealize Log Insight with the primary-tenant alias fully qualified domain name. See the vRealize Suite Lifecycle Manager documentation.