You must coordinate the certificate and DNS configuration between all applicable components to set up a multi-organization clustered vRealize Automation deployment.
In a typical clustered configuration, there are three Workspace ONE Access appliances and three vRealize Automation appliances as well as a single Lifecycle Manager appliance.
- Workspace ONE Access Identity Manager appliances:
  - idm1.example.com
  - idm2.example.com
  - idm3.example.com
  - idm-lb.example.com
- vRealize Automation appliances:
  - vra-1.example.com
  - vra-2.example.com
  - vra-3.example.com
  - vra-lb.example.com
- Lifecycle Manager appliance
DNS Requirements
You must create main A type records for each component and for each tenant that you will create when you enable multi-tenancy. In addition, you must create multi-tenancy CNAME type records for each tenant you will create, excluding the master tenant. Finally, you must also create main A type records for the Workspace ONE Access and vRealize Automation load balancers.
- Create A type records for the three Workspace ONE Access appliances and for the three vRealize Automation appliances that map their respective FQDNs to their IP addresses.
- In addition, create A type records for the Workspace ONE Access load balancer and the vRealize Automation load balancer that map their respective FQDNs to their IP addresses.
- Create multi-tenancy A type records for the default tenant and for tenant-1 and tenant-2 that point to the IP address of the Workspace ONE Access load balancer.
- Create CNAME records for tenant-1 and tenant-2 that point to the vRealize Automation load balancer (a CNAME targets the load balancer FQDN, which in turn resolves to the load balancer IP address).
Subject Alternative Name (SAN) Certificate Requirements
- Create a certificate for the Workspace ONE Access appliances that lists the FQDNs of the Workspace ONE Access appliances as well as the default tenant and any other tenants you create. This certificate should also include the IP addresses of the Workspace ONE Access appliances.
- As a best practice, terminate SSL on the load balancer. To support this termination, create a certificate for the Workspace ONE Access load balancer that lists the FQDN of the Workspace ONE Access load balancer as well as the default tenant and all other tenants you create. This certificate should also include the IP address of the load balancer.
- You must create a certificate for vRealize Automation that lists the host names of the three vRealize Automation appliances, the related load balancer, and the tenants you are creating. In addition, it should list the IP addresses of the three vRealize Automation appliances.
- As an option, to simplify configuration, you can use wildcards for the Workspace ONE Access and vRealize Automation certificates. For example, `*.example.com`, `*.vra.example.com`, and `*.vra-lb.example.com`. Note: vRealize Automation supports wildcard certificates only for DNS names that match the specifications in the Public Suffix List at https://publicsuffix.org. For example, `*.myorg.com` is a valid name.
If you are using a clustered Workspace ONE Access configuration, note that Lifecycle Manager cannot update the load balancer certificates, so you must update them manually. Also, if you need to re-register products or services that are external to Lifecycle Manager, this is a manual process.
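The DNS and certificate requirements above amount to one coordinated plan: every appliance and load balancer FQDN needs an A record, every tenant needs an A record at the Workspace ONE Access load balancer plus a CNAME at the vRealize Automation load balancer, and each of the three certificates must cover a specific set of names and IP addresses. The following added example (not VMware code, and not part of the product documentation) builds that plan from a constructed topology and checks whether a proposed SAN list, wildcards included, actually covers what each certificate needs. The IP addresses, the default tenant FQDN (`default-tenant.example.com`) and the tenant FQDN patterns (`<tenant>.example.com` for Workspace ONE Access, `<tenant>.vra-lb.example.com` for the vRealize Automation CNAMEs) are assumptions made for illustration.

```python
"""Plan DNS records and check SAN certificate coverage for a clustered,
multi-tenant vRealize Automation / Workspace ONE Access deployment.

Added example; not VMware code. Host names, IP addresses and the tenant FQDN
patterns below are constructed assumptions, not values the documentation prescribes.
"""
from typing import Dict, List, Tuple

DOMAIN = "example.com"

# Constructed topology: FQDN -> IP address (assumed values).
IDM_NODES: Dict[str, str] = {
    "idm1.example.com": "10.0.0.11",
    "idm2.example.com": "10.0.0.12",
    "idm3.example.com": "10.0.0.13",
}
IDM_LB = ("idm-lb.example.com", "10.0.0.10")
VRA_NODES: Dict[str, str] = {
    "vra-1.example.com": "10.0.0.21",
    "vra-2.example.com": "10.0.0.22",
    "vra-3.example.com": "10.0.0.23",
}
VRA_LB = ("vra-lb.example.com", "10.0.0.20")
DEFAULT_TENANT_FQDN = "default-tenant.example.com"  # assumed name for the master tenant
TENANTS = ["tenant-1", "tenant-2"]


def tenant_idm_fqdn(tenant: str) -> str:
    """Assumed pattern: tenant host name under the Workspace ONE Access domain."""
    return f"{tenant}.{DOMAIN}"


def tenant_vra_fqdn(tenant: str) -> str:
    """Assumed pattern: tenant CNAME under the vRealize Automation load balancer."""
    return f"{tenant}.{VRA_LB[0]}"


def dns_records() -> List[Tuple[str, str, str]]:
    """Return (name, type, target) for every record the deployment needs."""
    records: List[Tuple[str, str, str]] = []
    # Main A records for the six appliances and the two load balancers.
    main = {**IDM_NODES, **VRA_NODES, IDM_LB[0]: IDM_LB[1], VRA_LB[0]: VRA_LB[1]}
    for fqdn, ip in main.items():
        records.append((fqdn, "A", ip))
    # Multi-tenancy A records (default tenant included) -> Workspace ONE Access LB IP.
    for fqdn in [DEFAULT_TENANT_FQDN] + [tenant_idm_fqdn(t) for t in TENANTS]:
        records.append((fqdn, "A", IDM_LB[1]))
    # Multi-tenancy CNAMEs (master tenant excluded) -> vRealize Automation LB name.
    # A CNAME targets a name; the IP is reached through vra-lb's own A record.
    for t in TENANTS:
        records.append((tenant_vra_fqdn(t), "CNAME", VRA_LB[0]))
    return records


def zone_lines(records: List[Tuple[str, str, str]]) -> List[str]:
    """Render records as BIND-style zone file lines (names fully qualified)."""
    return [f"{name}. IN {rtype} {target}{'.' if rtype == 'CNAME' else ''}"
            for name, rtype, target in records]


def required_sans() -> Dict[str, Tuple[List[str], List[str]]]:
    """Expected (DNS names, IP addresses) for each of the three certificates."""
    tenants_idm = [DEFAULT_TENANT_FQDN] + [tenant_idm_fqdn(t) for t in TENANTS]
    return {
        "workspace-one": (list(IDM_NODES) + tenants_idm, list(IDM_NODES.values())),
        "workspace-one-lb": ([IDM_LB[0]] + tenants_idm, [IDM_LB[1]]),
        "vra": (list(VRA_NODES) + [VRA_LB[0]] + [tenant_vra_fqdn(t) for t in TENANTS],
                list(VRA_NODES.values())),
    }


def san_matches(pattern: str, fqdn: str) -> bool:
    """RFC 6125-style match: a leading '*' covers exactly one left-most label."""
    pattern, fqdn = pattern.lower(), fqdn.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]  # e.g. ".example.com"
        return fqdn.endswith(suffix) and "." not in fqdn[: -len(suffix)]
    return pattern == fqdn


def missing_sans(cert_dns: List[str], cert_ips: List[str],
                 cert_role: str) -> Tuple[List[str], List[str]]:
    """Names and IPs that a proposed SAN list does not cover for the given role."""
    need_dns, need_ips = required_sans()[cert_role]
    missing_dns = [n for n in need_dns if not any(san_matches(p, n) for p in cert_dns)]
    missing_ips = [ip for ip in need_ips if ip not in set(cert_ips)]
    return missing_dns, missing_ips


if __name__ == "__main__":
    for line in zone_lines(dns_records()):
        print(line)
    # A vRA certificate carrying only *.example.com misses the tenant CNAMEs,
    # because the wildcard covers a single label, not tenant-1.vra-lb.example.com.
    print(missing_sans(["*.example.com"], list(VRA_NODES.values()), "vra"))
```

The wildcard check is the part worth keeping around: `*.example.com` covers `idm1.example.com` and `tenant-1.example.com`, but not `tenant-1.vra-lb.example.com`, which is why the documentation lists `*.vra-lb.example.com` as a separate wildcard. Running `missing_sans` against each certificate role before requesting the certificate catches that gap before the load balancer or appliances start rejecting tenant host names.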
Summary of DNS entries and certificates for a clustered multi-organization configuration
The following table outlines the DNS main A type records, CNAME type records, and certificate requirements for a clustered Workspace ONE Access and clustered vRealize Automation multi-organization deployment.
| DNS Requirements | SAN Certificate Requirements |
|---|---|
| Main A Type Records | Workspace One Certificate<br>Host Name: |
| Multi-Tenancy A Type Records<br>Note: All of the multi-tenancy A Type records must point to the vIDM/WS1A load balancer IP address. | Workspace One LB Certificate (LB Terminated)<br>Host Name: |
| Multi-Tenancy CNAME Type Records | vRealize Automation Certificate<br>Host Name:<br>No certificate is required on the vRealize Automation load balancer as it uses SSL passthrough. |