You must coordinate the certificate and DNS configuration between all applicable components to set up a multi-organization clustered vRealize Automation deployment.

In a typical clustered configuration, there are three Workspace ONE Access appliances and three vRealize Automation appliances as well as a single Lifecycle Manager appliance.

This configuration assumes clustered deployments for the following components:
  • Workspace ONE Access Identity Manager appliances:
    • idm1.example.local
    • idm2.example.local
    • idm3.example.local
    • idm-lb.example.local
  • vRealize Automation appliances:
    • vra-1.example.local
    • vra-2.example.local
    • vra-3.example.local
    • vra-lb.example.local
  • Lifecycle Manager appliance

DNS Requirements

You must create main A type records for each component and for each of the tenants that you will create when you enable multi-tenancy. In addition, you must create multi-tenancy CNAME type records for each of the tenants you will create, not including the master tenant. Finally, you must also create main A type records for the Workspace ONE Access and vRealize Automation load balancers.

  • Create A type records for the three Workspace ONE Access appliances, and for the vRealize Automation appliances that point to their respective FQDNs.
  • In addition, create A type records for the Workspace ONE Access load balancer and the vRealize Automation load balancer that point to their respective FQDNs.
  • Create multi-tenancy A Type records for the default tenant and for tenant-1 and tenant-2 that point to the IP address of the Workspace ONE Access load balancer.
  • Create CNAME records for tenant-1 and tenant-2 that point to the IP address of the vRealize Automation load balancer.

Subject Alternative Name (SAN) Certificate Requirements

You must create two Workspace ONE Access certificates, one that applies on the cluster appliances and one that applies on the load balancer. In addition, create a certificate that applies to the vRealize Automation appliances, the tenants you are creating, excluding the default tenant, and the load balancer.
  • Create a certificate for the Workspace ONE Access appliances that lists the FQDNs of the Workspace ONE Access appliances as well as the default tenant and other tenants you create. This certificate should include the IP addresses of the Workspace ONE Access appliances.
  • As a best practice, create an SSL termination on the load balancer. To support this termination, create a certificate for the Workspace ONE Access load balancer that lists the FQDN of the Workspace ONE Access load balancer as well as the default tenant and all other tenants you create. This certificate should include the IP address of the load balancer.
  • You must create a certificate for vRealize Automation that lists the host names of the three vRealize Automation appliances as well as the related load balancer and the tenants you are creating. In addition, it should list the IP addresses of the three vRealize Automation appliances.
  • As an option, to simplify configuration, you can use wildcards for the Workspace ONE Access and vRealize Automation certificates. For example, *.example.com, *.vra.example.com, and *.vra-lb.example.com.
    Note: vRealize Automation 8.x supports wildcard certificates only for DNS names that match the specifications in the Public Suffix list at https://publicsuffix.org. For example, *.myorg.com is a valid name while *.myorg.local is invalid.

If you are using a clustered Workspace ONE Access configuration, note that Lifecycle Manager cannot update the load balancer certificates, so you must update them manually. Also, if you need to re-register products or services that are external to Lifecycle Manager, this is a manual process.

Summary of DNS entries and certificates for a clustered multi-organization configuration

The following table outlines the DNS main A type records, CNAME type records, and certificate requirements for a clustered Workspace ONE Access and clustered vRealize Automation multi-organization deployment.

DNS Requirements: Main A Type Records
  • lcm.example.local
  • WorkspaceOne-1.example.local
  • WorkspaceOne-2.example.local
  • WorkspaceOne-3.example.local
  • WorkspaceOne-lb.example.local
  • vra-1.example.local
  • vra-2.example.local
  • vra-3.example.local
  • vra-lb.example.local
SAN Certificate Requirements: Workspace One Certificate
Host Name:
  • WorkspaceOne-1.example.local
  • WorkspaceOne-2.example.local
  • WorkspaceOne-3.example.local
  • default-tenant.example.local
  • tenant-1.example.local
  • tenant-2.example.local

DNS Requirements: Multi-Tenancy A Type Records
  • default-tenant.example.local
  • tenant-1.vra.example.local
  • tenant-2.vra.example.local
Note: All of the multi-tenancy A Type records must point to the vIDM/WS1A load balancer IP address.
SAN Certificate Requirements: Workspace One LB Certificate (LB Terminated)
Host Name:
  • WorkspaceOne-lb.example.local
  • default-tenant.example.local
  • tenant-1.example.local
  • tenant-2.example.local

DNS Requirements: Multi-Tenancy CNAME Type Records
  • tenant-1.vra-lb.example.local - vra-lb.example.local
  • tenant-2.vra-lb.example.local - vra-lb.example.local
SAN Certificate Requirements: vRealize Automation Certificate
Host Name:
  • vra-1.example.local
  • vra-2.example.local
  • vra-3.example.local
  • vra-lb.example.local
  • tenant-1.example.local
  • tenant-2.example.local

No certificate is required on the vRealize Automation load balancer as it uses SSL passthrough.

Note: Each additional tenant that you add must be listed separately in the vRealize Automation Certificate, Multi-tenancy CNAME records, Multi-tenancy Type A records, Workspace One Certificate and Workspace One LB Certificate.
Note: The *.local file names are for example use only. They may not be applicable to most business environments.
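
The following added example (not part of the original documentation or any VMware tooling) checks the subject alternative names of an issued vRealize Automation certificate against the host names in the summary above, so that a tenant added after issuance shows up as a gap. The function names, the IP addresses, and the sample `openssl x509 -noout -ext subjectAltName` output are constructed for illustration.

```python
import ipaddress


def parse_openssl_san(text):
    """Parse `openssl x509 -noout -ext subjectAltName` output into
    (dns_names, ip_addresses). Other SAN types are ignored."""
    dns, ips = set(), set()
    for item in text.replace("\n", ",").split(","):
        # Split on the first colon only, so IPv6 values stay intact.
        kind, _, value = item.strip().partition(":")
        if kind == "DNS":
            dns.add(value.strip().lower())
        elif kind == "IP Address":
            ips.add(ipaddress.ip_address(value.strip()))
    return dns, ips


def check_vra_certificate(san_text, nodes, lb, tenants, node_ips):
    """Compare a certificate's SANs with what the vRealize Automation
    certificate must list: appliances, load balancer, each tenant, node IPs."""
    dns, ips = parse_openssl_san(san_text)
    need_dns = {name.lower() for name in [*nodes, lb, *tenants]}
    need_ips = {ipaddress.ip_address(ip) for ip in node_ips}
    return {
        "missing_dns": sorted(need_dns - dns),
        "missing_ips": sorted(str(ip) for ip in need_ips - ips),
        # Wildcard entries are only listed; validity against the Public
        # Suffix List (see the wildcard note) has to be checked separately.
        "wildcards": sorted(d for d in dns if d.startswith("*.")),
    }


# Constructed sample, wrapped for readability: the certificate was issued
# before tenant-2 and the third appliance IP were added.
SAMPLE_SAN = """X509v3 Subject Alternative Name:
    DNS:vra-1.example.local, DNS:vra-2.example.local, DNS:vra-3.example.local,
    DNS:vra-lb.example.local, DNS:tenant-1.example.local,
    IP Address:192.0.2.11, IP Address:192.0.2.12"""

REPORT = check_vra_certificate(
    SAMPLE_SAN,
    nodes=["vra-1.example.local", "vra-2.example.local", "vra-3.example.local"],
    lb="vra-lb.example.local",
    tenants=["tenant-1.example.local", "tenant-2.example.local"],
    node_ips=["192.0.2.11", "192.0.2.12", "192.0.2.13"],  # constructed IPs
)

if __name__ == "__main__":
    print(REPORT)
```

The same function can be reused for the Workspace ONE Access certificates by passing their host names and tenant entries instead.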