You can set up multi-organization tenancy for vRealize Automation using vRealize Suite Lifecycle Manager.

The following is a high level description of the procedure to set up multi-tenancy for vRealize Automation including configuring DNS and certificates. It focuses on a single node deployment but includes notes for a clustered configuration.

See https://vmwarelab.org/2020/04/14/vrealize-automation-8-1-multi-tenancy-setup-with-vrealize-suite-lifecycle-manager-8-1/ for more information and a video demonstration of configuring a vRealize Automation multi-organization configuration.

Prerequisites

  • Install and configure Workspace ONE Accessversion 3.3.2.
  • Install and configure vRealize Suite Lifecycle Manager version 8.1.

Procedure

  1. Create the required A and CNAME Type DNS records.
    • For your master tenant and each sub-tenant, you must create and apply a SAN certificate.
    • For single node deployments, the vRealize Automation FQDN points to the vRealize Automation appliance, and the Workspace ONE Access FQDN points to the Workspace ONE Access appliance.
    • For clustered deployments, both the Workspace ONE Access and vRealize Automation tenant-based FQDNs must point to their respective load balancers. Workspace ONE Access is configured with SSL Termination, so the certificate is applied on both the Workspace ONE Access cluster and load balancer. The vRealize Automation load balancer uses SSL passthrough, so the certificate is applied only on the vRealize Automation cluster.

    See Managing certificates and DNS configuration under single-node multi-organization deployments and Managing certificate and DNS configuration under clustered vRealize Automation deployments for more details.

  2. Create or import the required multi-domain (SAN) certificates for both Workspace One 3.3.2 and vRA 8.1.
    You can create certificates in Lifecycle Manager using the Locker service that enables you to create certificates licenses, and passwords. Alternatively, you can use a CA server or some other mechanism to generate certificates.

    If you need to add or create additional tenants, you must recreate and apply your vRealize Automation and Workspace ONE Access tenants.

    After you create your certificates, you can apply them within Lifecycle Manager using the Lifecycle Operations feature. You must select the environment and product and then the Replace Certificate option on the righthand menu. Then you can select the product. When you replace a certificate, you must re-trust all associated products in your environment.

    You must wait for the certificate to be applied and all services to restart before proceeding to the next step.

    See Managing certificates and DNS configuration under single-node multi-organization deployments and Managing certificate and DNS configuration under clustered vRealize Automation deployments for more details.

  3. Apply the Workspace One SAN certificate on the Workspace ONE Access instance or cluster.
  4. In vRealize Suite Lifecycle Manager 8.1, run the Enable Tenancy wizard to enable mult-tenancy and create an alias for the default master tenant.
    Enabling tenancy requires that you create an alias for the provider organization master tenant or default tenant. After you enable tenancy, you can access Workspace ONE Access via the master tenant FQDN.

    For example, if the existing Workspace ONE Access FQDN is idm.example.local and you create an alias of default-tenant, after tenancy is enabled, the Workspace ONE Access FQDN changes to default-tenant.example.local, and all clients communicating with Workspace ONE Access would now communicate through default-tenant.example.local.

  5. Apply the vRealize Automation SAN certificates on the vRealize Automation instance or cluster.
    You can apply SAN certificates through the Lifecycle Manager Lifecycle Operations service. You need to view the details of the environment and then select Replace Certificates on the right menu. You must wait for the certificate replacement task to complete before adding tenants. As part of certificate replacement, vRealize Automation services will restart.
  6. In Lifecycle Manager, run the Add Tenants wizard to configure the desired tenants.
    You add tenants using the Lifecycle Manager Tenant Management page located under Identity and Tenant Management. You can only add tenants for which you have previously configured certificates and DNS settings.

    When creating a tenant, you must designate a tenant administrator and you can select the Active Directory connections for this tenant. Available connections are based on those configured in your default or master tenant. You must also select the product or product instance to which the tenant will be associated.

What to do next

After you create tenants, you can use the Lifecycle Manager Tenant Management page located under Identity and Tenant Management to change or add tenant administrators, add Active Directory directories to the tenant and change product associations for the tenant.

You can also log in to your Workspace ONE Access instance to view and validate your tenant configuration.