Multi-organization tenancy vRealize Automation configurations rely on a coordinated configuration between several products, and you must ensure that DNS settings and certificates are configured correctly in order for your multi-organization tenancy configuration to function.
- Lifecycle Manager
- Workspace ONE Access Identity Manager
- vRealize Automation
Also, it assumes that you are starting with a default tenant, which is your provider organization, and creating two sub-tenants, called tenant-1 and tenant-2.
You can create and apply certificates using the Locker service in vRealize Suite Lifecycle Manager or you can use another mechanism. Lifecycle manager also enables you to replace or re-trust certificates on vRealize Automation or Workspace ONE Access.
DNS Requirements
- Create both main A type records for each system component and for each of the tenants that you will create when you enable multi-tenancy.
- Create multi-tenancy A type records for each of the tenants you will create as well as for the master tenant.
- Ccreate multi-tenancy CNAME type records for each of the tenants you will create, not including the master tenant.
Certificate requirements for single node multi-tenancy deployment
You must create two Subject Alternative Name (SAN) certificates, one for Workspace ONE Access and one for vRealize Automation.
- The vRealize Automation certificate lists the hostname of the vRealize Automation server and the names of the tenants you will create.
- The Workspace ONE Access certificate lists the hostname of the Workspace ONE Access server and the tenant names you are creating.
- If you use dedicated SAN names, certificates must be updated manually when you add or delete hosts or change a hostname. You must also update DNS entries for tenants. As an option to simplify configuration, you can use wildcards for the Workspace ONE Access and vRealize Automation certificates. For example,
*.example.com
and*.vra.example.com
.Note: vRealize Automation 8.x supports wildcard certificates only for DNS names that match the specifications in the Public Suffix list at https://publicsuffix.org. For example,*.myorg.com
is a valid name while*.myorg.local
is invalid.
Note that Lifecyle Manager does not create separate certificates for each tenant. Instead it creates a single certificate with each tenant hostname listed. For basic configurations, the tenant's CNAME uses the following format: tenantname.vrahostname.domain. For high availability configurations, the name uses the following format: tenantname.vraLBhostname.domain.
Summary
The following table summarizes DNS and certificate requirements for a single node Workspace ONE Access and single node vRealize Automation deployment.
DNS Requirements | SAN Certificate Requirements |
---|---|
Main A Type Records lcm.example.com WorkspaceOne.example.com vra.example.com |
Workspace One Certificate Host Name: WorkspaceOne.example.com, default-tenant.example.com, tenant-1.vra.example.com, tenant-2.vra.example.com |
Multi-tenancy A Type Records default-tenant.example.com tenant-1.example.com tenant-2.example.com |
|
Multi-Tenancy CNAME Type Records tenant-1.vra.example.com tenant-2.vra.example.com |
vRealize Automation Certificate Host Name: vra.example.com, tenant-1.vra.example.com, tenant-2.vra.example.com |