Introduction
This multi-part blog focuses on deploying vRA 8.1 HA, vIDM 3.3.2 HA using an F5 BIG-IP LTM load balancer. The context for the material is to call out pitfalls, direction and resolution to issues with an HA vRA 8.1 deployment. Specifically, these blogs call out additional configuration for vIDM HA scale out with vRA 8.1 HA. This content is broken into four parts:
- Part 1: Pre-work with F5 BIG-IP LTM
- Part 2: vRA HA install
- Part 3: Post vRA and vIDM HA install configurations
- Part 4: vIDM HA scale out
Prerequisites
F5 BIG-IP LTM (F5) 11.x, 12.x, 13.x, 14.x, 15.x. Load Balancer. For validation of content, this blog uses version 15.1.0.2.
VMware vRealize Suite Lifecycle Manager (vRSLCM) 8.1.0 Easy Installer / vra-lcm-installer-15996863.iso / Release Date: 2020-04-14 / Build Number: 15996863
- Deploying vRSLCM 8.1, you’ll automated the deployment of VMware Identity Manager (vIDM) 3.3.2 also referred to as VMware Workspace ONE Access and vRealize Automation (vRA) 8.1
DNS FQDN (IP, Forward “A” and Reverse “PTR”) for the following
- 1 x vRSLCM FQDN/IP
- 3 x vRA FQDN/IP
- 1 x vRA F5 VIP FQDN/IP
- 3 x vIDM FQDN/IP
- 1 x vIDM F5 VIP FQDN/IP
- Configuring naming scheme, beware of upper vs. lower case, recommend to use all lowercase to prevent installation issues.
vIDM Delegate IP
- 1 vIDM IP only for “Delegate IP” – this Delegate IP is used with vIDM cluster configuration. It must be a free available IP that is used internally as a database Load-Balancer IP for Proxying to the vIDM Postgress master. ***IMPORTANT*** This is not the same as the one used to load-balance the application.
SSL Certs (with subject alt names)
- 1 x vRSLCM cert with subject alt name
- 1 x vRA cert with subject alt names for vRA nodes
- 1 x vIDM cert with subject alt names for vIDM nodes
- SSL Certs Common name should be the VIP FQDN or Host name FQDN
- While wild cards might be used, its recommended to create the individual certs with Subject Alt Names.
- Subject Alt Names includes FQDN for each node and F5 VIP. For example with vIDM, use F5 VIP FQDN: usvidm00.ilab.int and vIDM nodes: usvidm01.ilab.int, usvidm02.ilab.int, usvidm03.ilab.int
Assumptions
- This four-part posts assume the use of an F5 BIG-IP LTM vs. other load balancers.
- This four-part post assumes the use of vRA embedded vRealize Orchestrator Server.
- This four-part post assumes when referencing to Workspace One Access is the same as Identity Manager.
- This four-part post focuses on standing up vRA 8.1 and vIDM 3.3 HA, post install configuration of vRA 8.1 is deferred to other blog postings in the future.
Additional Reading
This four part series is based on documents provided by F5 and VMware. Feel free to review and use these four documents a guide with vRA 8.1, LCM 8.1, vIDM 3.3 and F5 specifically to deploying HA. Note, there are redundant, un-needed and/or un-clarified steps contained in each document (as it relates to vRA/vIDM HA). Its for this reason why these blog posts are important.
- https://f5.com/portals/1/pdf/partners/f5-big-ip-vmware-workspaceone-integration-guide.pdf
- https://docs.vmware.com/en/VMware-Workspace-ONE-Access/3.3/vidm-install.pdf
- Check out Ch 4, Advanced Configuration for the VMware Identity Manager Appliance
- https://docs.vmware.com/en/vRealize-Automation/8.1/vrealize-automation-reference-architecture.pdf
- https://docs.vmware.com/en/vRealize-Automation/8.1/vrealize-automation-load-balancing-guide.pdf
Pre-work with F5 BIG-IP LTM
We will begin with configuration of the F5 Load Balancer. We are configuring for both vRA and vIDM F5 virtual servers (VIP). There are seven steps shown below
- Import vIDM SSL Cert used later with Client SSL Profile
- Configure Custom Persistence Profile for Workspace ONE Access (vIDM)
- Configure Monitors
- Configure F5 Server Pools
- Configure F5 Virtual Servers
- Configure a Client SSL Profile – this relates to vIDM HA configuration
- Configure a HTTP Profile – this relates to vIDM HA configuration
1.) Import vIDM SSL Cert used later with (vIDM) Client SSL Profile
We will want to start by importing vIDM Cert Key and Certificates Chain. We will use the vIDM cert for the F5 ClientSSL Profile later on. Its important to call out the F5 Client SSL profile is specific to vIDM Load Balancer configuration. vRA HA does not require this configuration and recommends pass-through configuration.
- Navigate to System > Certificate Management > Traffic Certificate Management > SSL Certificate List > Import SSL Certificates and Keys.
- Continue to either upload or paste SSL cert to complete the import process.
- Import SSL Certs for vIDM Server (VIP).
2.) Configure Custom Persistence Profile for Workspace ONE Access (vIDM)
- Navigate to Local Traffic > Profiles > Persistence and Click Create.
- Enter a name and select Source Address Affinity from the drop-down menu.
- Enable custom mode.
- Set the Timeout to 36,000 seconds and click Finished
3.) Configure Monitors
- Navigate to Local Traffic > Monitor.
- Click Create and configure the monitor as outlined in this table. Use the default value if nothing is specified.
| Name | Type | Interval | Timeout | Send String | Receive String. | Alias Service Port |
| vRealize Automation | HTTP | 3 | 10 | GET /health HTTP/1.0\r\n\r \n | HTTP/1\.(0|1) (200) | 8008 |
| Workspace ONE Access / Identity Manager | HTTPS | 3 | 10 | GET / SAAS/API/1.0/ REST/system/ health/ heartbeat | ok$ | 443 |
For convenience, the send and receive strings are shown below
- vRA Send String:
GET /health HTTP/1.0\r\n\r\n - vRA Receive String:
HTTP/1.(0|1) (200) - vIDM Send String:
GET /SAAS/API/1.0/REST/system/health/heartbeat - vIDM Receive String:
OK$
4.) Configure F5 Server Pools
- Navigate to Local Traffic > Pools.
- Click Create and configure the pool as outlined in this table. Use the default value if nothing is specified.
| Name | Health Monitors | Load Balancing Method | Node Name | Address | Service Port |
| vRealize Automation | vRealize Automation | Least Connections (member) | VA1 VA2 VA3 | IP Address | 443 |
| Workspace ONE Access / Identity Manager | Workspace ONE Access | Least Connections (member) | VA1 VA2 VA3 | IP Address | 443 |
5.) Configure F5 Virtual Servers
- Navigate to Local Traffic > Virtual Servers.
- Click Create and configure the virtual server as outlined in this table. Use the default value if nothing is specified.
| Name | Type | Destination Address | Service Port | Source Address Translation | Default Pool | Default Persistence Profile |
| vRealize Automation | Performance (Layer 4) | IP Address | 443 | Auto Map | vRealize Automation | None |
| Workspace ONE Access / Identity Manager | Performance (Layer 4) | IP Address | 443 | Auto Map | Workspace ONE Access | Workspace ONE Access |
6.) Configure a Client SSL Profile for vIDM
Its important to call out the F5 Client SSL profile is specific to vIDM Load Balancer configuration. vRA HA does not require this configuration and recommends pass-through configuration.
- Navigate to Local Traffic menus go to Profiles > SSL > Client > (+) plus icon to create a new SSL Client Profile
- Configure a new name and select Parent Profile clientssl
- In the Configuration section, click the Custom check box
- Click Add for SSL Certificate to Key Chain
- Add the SSL Certificate to Key Chain popup
- Certificate: Select the certificate with the FQDN that you uploaded to the BIG-IP earlier.
- Key: Select the certificate key that corresponds with the certificate.
- Chain: Select the primary or root CA/certificate chain that corresponds with the certificate.
- Click the Add button to add the certificate key chain to the SSL profile
- Click Finished (not shown)
7.) Configure a HTTP Profile for vIDM
**UPDATE (06/08/20)** – great feedback suggested clarity on this section. Upon creating the HTTP profile for vIDM, you’ll need to assign the HTTP profile to the F5 Virtual Server. (see second screen shot below)
Its important to call out the F5 HTTP profile is specific to vIDM Load Balancer configuration. vRA HA does not require this configuration.
Navigate to Local Traffic > Profiles > Services > HTTP (+) and/or in Services click Create
- Name: Provide a unique name for the instance
- Insert X-Forwarded-For: Click the Custom checkbox and change to Enabled
- Scroll to the bottom and click Finished
** Important ** You must enable X-Forwarded-For headers on your BIG-IP system. Identity Manager identifies the source IP address in the X-Forwarded-For headers. Identity Manager determines which authentication method to provide based on this IP address.
- This screen print below shows selected HTTP Profile in the Virtual Server
Summary
In Part 1, we reviewed the pre-work on an F5 BIG-IP LTM Load Balancer to support vRA 8.1 and vIDM HA deployment. Next, in Part 2: we’ll deploy vRA 8.1 (x 3 nodes) and vIDM 3.3 (x 1 node) via vRLCM easy installer.
VMW.Solutions 