Secure Private Cloud Administration and Operations Guide

SecurePrivateCloud
AdministrationandOperationsGuide
Secure Private Cloud 2.2 and Higher
July 2012 3850 6804–007
unisys

NO WARRANTIES OF ANY NATURE ARE EXTENDED BY THIS DOCUMENT. Any product or related information
described herein is only furnished pursuant and subject to the terms and conditions of a duly executed agreement to
purchase or lease equipment or to license software. The only warranties made by Unisys, if any, with respect to the
products described in this document are set forth in such agreement. Unisys cannot accept any financial or other
responsibility that may be the result of your use of the information in this document or software material, including
direct, special, or consequential damages.
You should be very careful to ensure that the use of this information and/or software material complies with the laws,
rules, and regulations of the jurisdictions with respect to which it is used.
The information contained herein is subject to change without notice. Revisions may be issued to advise of such
changes and/or additions.
Notice to U.S. Government End Users: This is commercial computer software or hardware documentation developed at
private expense. Use, reproduction, or disclosure by the Government is subject to the terms of Unisys standard
commercial license for the products, and where applicable, the restricted/limited rights provisions of the contract data
rights clauses.
Unisys is a registered trademark of Unisys Corporation in the United States and other countries.
Linux is a registered trademark of Linus Torvalds.
SUSE is a registered trademark of SUSE LINUX AG, a Novell business.
Red Hat is a trademark or registered trademark of Red Hat, Inc. in the U.S. and other countries.
VMware is a registered trademark of VMware, Inc. in the U.S. and other countries.
All other brands and products referenced in this document are acknowledged to be the trademarks or registered
trademarks of their respective holders.

Contents
Section 1. Installation and Configuration Data
Section 2. Introduction
1.1. Completing Worksheets for Installation and Configuration. . . 1–1
1.1.1. Workbook Organization. . . . . . . . . . . . . . . . . . . . . . . . 1–1
1.1.2. Implementing the Workbook . . . . . . . . . . . . . . . . . . . . 1–2
1.1.3. Expanding the Workbook to Include Tenants . . . . . . . . 1–3
1.1.4. Adding Tenant Blueprints and Projects . . . . . . . . . . . . . 1–3
1.1.5. Validating the Workbook . . . . . . . . . . . . . . . . . . . . . . . 1–4
1.1.6. Exporting the Data . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–5
1.1.7. Preserving Configuration Data . . . . . . . . . . . . . . . . . . . 1–6
1.2. Cloud Provider Data Worksheet. . . . . . . . . . . . . . . . . . . . . . 1–6
1.2.1. Cloud Provider Environment, License, and Network
Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–6
1.2.2. Management VM Infrastructure. . . . . . . . . . . . . . . . . . 1–7
1.2.3. VMware. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–7
1.2.4. Notification. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–8
1.2.5. High Availability Cluster. . . . . . . . . . . . . . . . . . . . . . . . 1–8
1.2.6. Virtual Office as a Service . . . . . . . . . . . . . . . . . . . . . . 1–8
1.2.7. Virtual LAN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–9
1.2.8. vCenter Supplied by the Cloud Provider . . . . . . . . . . . . 1–9
1.3. Tenant Data Worksheet. . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–9
1.3.1. Tenant Information . . . . . . . . . . . . . . . . . . . . . . . . . . 1–10
1.3.2. Tenant VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–10
1.3.3. RBADB Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–10
1.3.4. Stealth Onboarding . . . . . . . . . . . . . . . . . . . . . . . . . . 1–11
1.3.5. Tenant Blueprints . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–11
1.3.6. Tenant Projects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–12
1.3.7. Virtual Office as a Service Session Manager . . . . . . . . 1–12
2.1. Documentation Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . 2–1
2.2. Accessing Architecture and Networking Information. . . . . . . 2–2
2.3. Administrator and Operator Responsibilities . . . . . . . . . . . . . 2–3
2.4. Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2–3
2.5. Default and Updated Environment Credentials . . . . . . . . . . . 2–5
2.6. URLs for Web-Based UIs . . . . . . . . . . . . . . . . . . . . . . . . . . 2–7
2.7. Completing and Exporting Tenant Worksheets . . . . . . . . . . . 2–8
3850 6804–007 iii

Contents
2.8. Understanding Tenants Accounts and Secure Private
Cloud Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2–8
2.8.1. XYZ Company Example (Single Tenant) . . . . . . . . . . . . 2–9
2.8.2. Acme Company Example (Multi-tenant) . . . . . . . . . . . . 2–9
2.8.3. Projects, Departments, Accounts, and SubAccounts. . 2–10
2.8.4. Naming Guidelines for Components in the Cloud
Environment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2–12
Section 3. Initial Configuration Tasks
3.1. Configuring a Workstation to Configure the Secure
Private Cloud Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3–1
3.2. Inserting the Secure Private Cloud Portal Terms of Use. . . . . 3–4
Section 4. Creating VMware Template Gold Images
4.1. Using Unisys Provided VMware Templates for Windows. . . . 4–1
4.1.1. Importing Unisys Provided Templates into vCenter . . . . 4–2
4.1.2. Preinstalling Required Applications . . . . . . . . . . . . . . . 4–4
4.1.3. Converting to a Template . . . . . . . . . . . . . . . . . . . . . . 4–4
4.2. Creating Custom Windows VMware Templates and
Creating Linux VMware Templates. . . . . . . . . . . . . . . . . . 4–4
4.2.1. Moving Template Configuration Images Folder . . . . . . . 4–5
4.2.2. Configuring a Windows Target Template . . . . . . . . . . . 4–5
Setting Firewall Exceptions for Windows Server
2003 and Windows XP . . . . . . . . . . . . . . . . . . . . 4–7
Setting Firewall Exceptions for Windows Server
2008 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4–7
Verifying the Remote Desktop Connection . . . . . . . . 4–8
Preinstalling Required Applications . . . . . . . . . . . . . 4–8
Making a Windows Template Stealth Ready . . . . . . . 4–8
VNIC Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . 4–9
Converting to a Template . . . . . . . . . . . . . . . . . . . . 4–9
Testing the Windows Target Template . . . . . . . . . . . 4–9
4.2.3. Configuring a Red Hat Enterprise Linux Target
Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4–10
Making a Red Hat Enterprise Linux Template
Stealth Ready . . . . . . . . . . . . . . . . . . . . . . . . . . 4–12
VNIC Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . 4–13
Preinstalling Required Applications. . . . . . . . . . . . . 4–13
Converting to a Template. . . . . . . . . . . . . . . . . . . . 4–14
Testing the Red Hat Enterprise Linux Target
Template . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4–14
4.2.4. Configuring a SUSE Linux Target Template . . . . . . . . . 4–15
VNIC Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . 4–17
Preinstalling Required Applications. . . . . . . . . . . . . 4–18
iv 3850 6804–007

Deleting MAC Addresses . . . . . . . . . . . . . . . . . . . 4–18
Converting to a Template. . . . . . . . . . . . . . . . . . . . 4–19
Testing a SUSE Linux Target Template . . . . . . . . . . 4–19
4.3. Preparing an Existing Virtual Machine or Template for a
Stealth-Enabled VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . 4–20
4.3.1. VNIC Restrictions . . . . . . . . . . . . . . . . . . . . . . . . . . . 4–20
4.3.2. Preparing a Windows Virtual Machine or Template
for a Stealth-Enabled VLAN . . . . . . . . . . . . . . . . . . 4–20
4.3.3. Preparing a Red Hat Enterprise Linux Virtual
Machine or Template for a Stealth-Enabled VLAN . . 4–23
4.4. Importing Tenant VLAN Network Appliance and Load
Balancer Templates. . . . . . . . . . . . . . . . . . . . . . . . . . . . 4–25
4.5. Installing VMware Tools 5.0 in the Tenant VLAN Network
Appliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4–26
4.6. Preparing the vCenter Server to Sysprep the Target
Template (Windows Server 2003 and Windows XP
Only) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4–28
Section 5. Implementing a New Tenant VLAN
Contents
5.1. Configuring a DNS or Alternative for the Tenant . . . . . . . . . . 5–2
5.1.1. Configuring the Tenant DNS . . . . . . . . . . . . . . . . . . . . 5–3
5.1.2. Configuring the uChargeback Management VM if
Tenants Do Not Have a DNS . . . . . . . . . . . . . . . . . . 5–3
5.2. Configuring Workload Servers for VLAN Networking. . . . . . . 5–5
5.2.1. Understanding Workload Server Networking
Connection Options . . . . . . . . . . . . . . . . . . . . . . . . 5–6
5.2.2. Configuring Access to Tenant VLAN Networks and
Tenant Interconnect . . . . . . . . . . . . . . . . . . . . . . . . 5–6
Option 1: Using a Dedicated Physical NIC to
Access a Tenant VLAN Network or Tenant
Interconnect. . . . . . . . . . . . . . . . . . . . . . . . . . . . 5–7
Option 2: Using a Distributed Switch to Access a
Tenant VLAN Network or Tenant Interconnect . . . 5–8
Option 3: Creating vSwitch Virtual Machine Port
Groups to Access a Tenant VLAN Network or
Tenant Interconnect . . . . . . . . . . . . . . . . . . . . . . 5–9
5.3. Deploying a New Tenant VLAN Using a New or Existing
Tenant VLAN Network Appliance . . . . . . . . . . . . . . . . . . 5–11
5.3.1. Deploying a New Tenant VLAN Network Appliance
and VLAN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5–11
5.3.2. Adding a New VLAN to an Existing Tenant VLAN
Network Appliance . . . . . . . . . . . . . . . . . . . . . . . . 5–18
5.4. Configuring the Management Network Appliance for a
New Tenant VLAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5–19
5.4.1. Configuring the Virtual Management Network
Appliance for a New VLAN . . . . . . . . . . . . . . . . . . 5–19
3850 6804–007 v

Contents
5.4.2. Configuring a Physical Management Network
Appliance for a New VLAN . . . . . . . . . . . . . . . . . . 5–20
5.5. Configuring the Cloud Orchestrator and uChargeback
Management VMs to Communicate with Tenant VLAN. . 5–23
5.6. Configuring the Tenant VLAN Network Appliance to be
Monitored by the Nagios Collector. . . . . . . . . . . . . . . . . 5–24
5.7. Additional Nagios Collector Configuration Information . . . . . 5–24
5.8. Configuring External Servers to Communicate with
Tenant VLANs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5–25
Section 6. Creating and Managing Tenant Configurations
6.1. Updating Cloud Provider or Adding Tenant Information in
the Secure Private Cloud Environment . . . . . . . . . . . . . . . 6–1
6.2. Configuring Stealth-Enabled VLANs . . . . . . . . . . . . . . . . . . . 6–3
6.3. Understanding Blueprints and General Blueprint
Guidelines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6–6
6.4. Creating Blueprints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6–9
6.5. Virtual Machine Attributes and Values . . . . . . . . . . . . . . . . 6–11
6.5.1. Virtual Machine General Configuration . . . . . . . . . . . . 6–11
6.5.2. Virtual Machine Resource Balancer . . . . . . . . . . . . . . 6–14
6.5.3. Virtual Machine Operating System Customization. . . . 6–15
6.5.4. Virtual Machine Additional Instructions. . . . . . . . . . . . 6–20
6.6. Virtual Desktop Attributes and Values. . . . . . . . . . . . . . . . . 6–21
6.6.1. Virtual Desktop General Configuration . . . . . . . . . . . . 6–22
6.6.2. Virtual Desktop Additional Instructions . . . . . . . . . . . . 6–23
Section 7. Onboarding Tenants, Creating Users, and Assigning Roles
7.1. Understanding User Roles. . . . . . . . . . . . . . . . . . . . . . . . . . 7–1
7.2. Adding Tenants, Projects, and User Roles to the Secure
Private Cloud Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7–3
7.2.1. Tenant Onboarding Overview . . . . . . . . . . . . . . . . . . . 7–3
7.2.2. Onboarding a New Tenant. . . . . . . . . . . . . . . . . . . . . . 7–3
7.3. Creating Secure Private Cloud Users in Active Directory . . . . 7–4
7.4. Assigning Cloud Provider and Tenant Users to Roles, and
Assigning Tenant Users to Projects . . . . . . . . . . . . . . . . . 7–5
7.5. Checkpoint: Commissioning a Resource . . . . . . . . . . . . . . . 7–7
Section 8. Additional Networking Configuration
8.1. Enabling Stealth for an Existing Tenant VLAN . . . . . . . . . . . . 8–1
8.2. Configuring Network Appliances for Inbound Internet
Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8–2
8.2.1. Disabling Internet Access for Tenant Virtual
Machines . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8–3
vi 3850 6804–007

8.2.2. Understanding Inbound Connection Limitations . . . . . . 8–3
8.2.3. Providing a Public Source IP Address in Outbound
Packets . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8–4
8.2.4. Enabling Inbound Internet Connections . . . . . . . . . . . . 8–5
Shared Public IP Address Example. . . . . . . . . . . . . . 8–6
Unique Public IP Address Example . . . . . . . . . . . . . 8–8
8.3. Configuring an HAProxy Load Balancer for Web
Applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8–10
8.3.1. Deploying a New HAProxy Virtual Machine. . . . . . . . . 8–10
8.3.2. Configuring the HAProxy Configuration File . . . . . . . . 8–12
8.4. Configuring Tenant VLAN Firewall Exceptions. . . . . . . . . . . 8–15
8.4.1. Enabling Selected Tenant VLANs to Communicate . . . 8–15
8.4.2. Enabling All Tenant VLANs to Communicate . . . . . . . . 8–17
8.5. Changing the Predefined IP Address on the Intercom
Network. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8–18
8.5.1. Configuring the Jump Box, SQL Server, Portal,
WSUS, Active Directory, and vCenter Server
Management VMs to Use a New Intercom
Network IP Address . . . . . . . . . . . . . . . . . . . . . . . 8–18
8.5.2. Configuring the uAdapt Controller Management VM
to Use a New Intercom Network IP Address . . . . . 8–19
8.5.3. Configuring the uChargeback Management VM to
Use a New Intercom Network IP Address . . . . . . . 8–20
8.5.4. Configuring the Cloud Orchestrator Management
VM to Use a New Intercom Network IP Address . . 8–21
8.5.5. Configuring the Management Network Appliance to
Use a New Intercom Network IP Address . . . . . . . 8–23
8.5.6. Configuring a Tenant VLAN Network Appliance to
Use a New Intercom Network IP Address . . . . . . . 8–25
8.5.7. Configuring the Stealth Components to Use a New
Intercom Network IP Address . . . . . . . . . . . . . . . . 8–25
8.5.8. Updating RBADB to Use the New Intercom
Network IP Address . . . . . . . . . . . . . . . . . . . . . . . 8–27
8.5.9. Checkpoint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8–28
Section 9. Changing Credentials and Performing Final Installation
Tasks
Contents
9.1. Recording Updated Credentials . . . . . . . . . . . . . . . . . . . . . . 9–1
9.2. Prerequisites to Changing Credentials . . . . . . . . . . . . . . . . . 9–1
9.3. Procedures for Changing Credentials . . . . . . . . . . . . . . . . . . 9–2
9.3.1. VMware ESXi Management Interface . . . . . . . . . . . . . 9–3
9.3.2. uAdapt Controller Management VM. . . . . . . . . . . . . . . 9–3
9.3.3. Windows Management VMs Administrator
Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9–3
9.3.4. uAdapt Console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9–4
3850 6804–007 vii

Contents
9.3.5. SQL Server Database Administrator. . . . . . . . . . . . . . . 9–7
9.3.6. RBADB Database Passwords . . . . . . . . . . . . . . . . . . . 9–7
9.3.7. vCenter Database Administrator . . . . . . . . . . . . . . . . . 9–8
9.3.8. Cloud Orchestrator Database Administrator . . . . . . . . . 9–9
9.3.9. Secure Private Cloud Portal Database Administrator . . 9–10
9.3.10. Tomcat Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . 9–11
9.3.11. RBADB Administrator Interface . . . . . . . . . . . . . . . . . 9–11
9.3.12. Unisys-Supplied Domain Controllers. . . . . . . . . . . . . . 9–12
9.3.13. uChargeback Services Domain Account . . . . . . . . . . . 9–13
9.3.14. Secure Private Cloud Liferay Administrator. . . . . . . . . 9–15
9.3.15. Virtual Management Network Appliance
Administrator . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9–15
9.3.16. Tenant VLAN Network Appliance Administrator . . . . . 9–16
9.3.17. uChargeback vCenter User . . . . . . . . . . . . . . . . . . . . 9–16
9.3.18. Cloud Orchestrator vCenter User . . . . . . . . . . . . . . . . 9–18
9.3.19. Changing VMware Update Manager Database User
Password . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9–19
9.3.20. HAProxy Load Balancer for Web Applications . . . . . . . 9–20
9.3.21. Stealth Infrastructure VMs, Administration
Application, and Dynamic Licensing Web
Interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9–21
Stealth Configuration Machine, Stealth Transfer
Machine, Stealth Proxy Server, and Stealth
Relay Server Infrastructure VMs . . . . . . . . . . . . 9–21
Virtual Stealth Gateway Infrastructure VM . . . . . . . 9–22
Dynamic Licensing Web Interface . . . . . . . . . . . . . 9–23
9.4. Restoring Users’ Connection to the Portal After
Credentials Have Been Changed . . . . . . . . . . . . . . . . . . 9–24
9.5. Performing a Final Commissioning Checkpoint . . . . . . . . . . 9–24
9.6. Installing Virtual Office as a Service . . . . . . . . . . . . . . . . . . 9–24
Section 10. Cloud Portal Operations
10.1. Understanding How Requests are Processed . . . . . . . . . . . 10–1
10.2. Responding to Virtual Machine Requests . . . . . . . . . . . . . . 10–1
10.3. Managing Expired Virtual Machines . . . . . . . . . . . . . . . . . . 10–3
10.4. Responding to Physical Server Requests . . . . . . . . . . . . . . 10–3
10.4.1. Commissioning New Physical Servers . . . . . . . . . . . . 10–3
10.4.2. Starting or Stopping Physical Servers . . . . . . . . . . . . . 10–6
10.4.3. Decommissioning Physical Servers (Releasing
Physical Server Resources) . . . . . . . . . . . . . . . . . . 10–7
Stopping the Persona . . . . . . . . . . . . . . . . . . . . . . 10–8
Managing the Storage LUN . . . . . . . . . . . . . . . . . . 10–8
Moving the Persona to the Inactive Server Pool . . . 10–8
10.5. Responding to Virtual Desktop Requests . . . . . . . . . . . . . . 10–9
viii 3850 6804–007

Contents
10.5.1. Commissioning New Virtual Desktops . . . . . . . . . . . . 10–9
10.5.2. Starting, Stopping, and Deleting Virtual Desktops . . . . 10–9
10.6. Responding to Requests Using the Operator Prompts
Page . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10–10
10.7. Managing Tenant Users. . . . . . . . . . . . . . . . . . . . . . . . . . 10–11
10.7.1. Updating a Tenant User’s E-mail Address . . . . . . . . . 10–11
10.7.2. Moving a User from One Tenant Organization to
Another . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10–11
10.7.3. Deactivating or Reactivating Tenant Users . . . . . . . . 10–12
10.7.4. Deleting Tenant Users and User Roles . . . . . . . . . . . 10–13
10.8. Editing Blueprints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10–14
10.9. Deleting Blueprints or Projects from the Cloud
Environment. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10–14
10.9.1. Deleting Blueprints from the Secure Private Cloud
Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10–15
10.9.2. Deleting Projects or Blueprints from RBADB . . . . . . 10–15
Restrictions When Deleting Items in RBADB . . . . 10–15
Verifying that Commissioned Resources Are Not
Associated with Tenants, Projects, or
Blueprints. . . . . . . . . . . . . . . . . . . . . . . . . . . . 10–16
Removing a Blueprint from a Contract and
Deleting a Blueprint. . . . . . . . . . . . . . . . . . . . . 10–17
Deleting a Project . . . . . . . . . . . . . . . . . . . . . . . . 10–17
10.9.3. Removing Projects from uOrchestrate . . . . . . . . . . . 10–18
10.9.4. Archiving Projects in uChargeback . . . . . . . . . . . . . . 10–18
10.10. Configuring Snapshot Limits and Managing Snapshots . . . 10–19
10.10.1. Configuring Snapshot Limits . . . . . . . . . . . . . . . . . . 10–19
10.10.2. Managing Snapshots. . . . . . . . . . . . . . . . . . . . . . . . 10–20
Creating New Snapshots . . . . . . . . . . . . . . . . . . . 10–20
Reverting to a Different Snapshot . . . . . . . . . . . . 10–20
Deleting a Snapshot . . . . . . . . . . . . . . . . . . . . . . 10–21
10.11. Using the Resource Utilization Dashboard . . . . . . . . . . . . 10–21
10.12. Configuring Resource Utilization Ranges . . . . . . . . . . . . . 10–23
10.13. Managing the Lifecycle Database. . . . . . . . . . . . . . . . . . . 10–24
10.14. Creating uChargeback Criteria Specifications . . . . . . . . . . 10–25
10.15. Importing Existing Virtual Machines . . . . . . . . . . . . . . . . . 10–26
10.15.1. Prerequisites for Importing Virtual Machines. . . . . . . 10–27
10.15.2. Utility Components and Layout . . . . . . . . . . . . . . . . 10–27
10.15.3. Using the Import Utility . . . . . . . . . . . . . . . . . . . . . . 10–29
10.15.4. Operational Considerations . . . . . . . . . . . . . . . . . . . 10–31
10.15.5. Inspecting Logs and Troubleshooting . . . . . . . . . . . . 10–32
10.16. Configuring Tenant-Dedicated Workload Servers Manually. 10–34
10.16.1. Creating Workload Server Clusters with HA and
DRS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10–34
10.16.2. Completing Additional HA Tasks. . . . . . . . . . . . . . . . 10–35
3850 6804–007 ix

Contents
10.16.3. Configuring a vMotion Interface for each Workload
Server in each Cluster . . . . . . . . . . . . . . . . . . . . . 10–35
10.16.4. Adding Tenants . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10–36
10.16.5. Configuring Resource Groups and Datastores. . . . . . 10–36
10.16.6. Best Practices for Datastore and Resource Pool
Naming . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10–36
10.16.7. Moving Workload Servers Between Clusters . . . . . . 10–38
10.17. Updating the Cloud Name in the Secure Private Cloud
Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10–39
10.18. Stealth for Secure Private Cloud Operations . . . . . . . . . . . 10–40
10.18.1. Adding COI Sets and Modifying COI Set Members . . 10–40
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10–40
Required Files for Adding or Modifying COI Sets. . 10–41
Using Dia to Add and Modify COI Sets . . . . . . . . . 10–42
Finalizing COI Set Changes . . . . . . . . . . . . . . . . . 10–44
Updating the Workbook and Deleting Unneeded
Virtual Machines . . . . . . . . . . . . . . . . . . . . . . . 10–46
10.18.2. Viewing Stealth Licenses in the Secure Private
Cloud Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10–46
10.18.3. Accessing Logs and Monitoring Tunnels Using the
Administration Application . . . . . . . . . . . . . . . . . . 10–47
10.18.4. Viewing and Configuring Stealth Licensing Options. . 10–47
10.18.5. Increasing the License Count for Stealth for Secure
Private Cloud . . . . . . . . . . . . . . . . . . . . . . . . . . . 10–52
10.18.6. Enabling Stealth for Secure Private Cloud After
Initial Implementation . . . . . . . . . . . . . . . . . . . . . 10–53
10.19. Important Operational Restrictions. . . . . . . . . . . . . . . . . . 10–53
Section 11. Removing Tenants and Components from the Cloud
Environment
11.1. Stopping and Decommissioning Virtual Machines . . . . . . . . 11–1
11.2. Stopping and Decommissioning Physical Machines . . . . . . 11–2
11.3. Removing the Tenant Virtual Components in vCenter . . . . . 11–3
11.4. Removing Management-Side Tenant Infrastructure in
vCenter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11–5
11.5. Deleting Tenant Account Entities . . . . . . . . . . . . . . . . . . . . 11–8
11.5.1. Deleting Tenant Users and User Roles . . . . . . . . . . . . 11–8
11.5.2. Removing a Tenant User Group from the Secure
Private Cloud Portal. . . . . . . . . . . . . . . . . . . . . . . . 11–9
11.5.3. Deleting Blueprints from the Secure Private Cloud
Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11–9
11.5.4. Deleting a Tenant Organization. . . . . . . . . . . . . . . . . 11–10
11.6. Removing a Tenant Contract and Tenant from RBADB. . . . 11–10
11.7. Removing Tenants from uOrchestrate . . . . . . . . . . . . . . . 11–11
x 3850 6804–007

11.8. Removing Tenant Resources and Departments from
uChargeback. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11–11
11.9. Removing a Stealth-Enabled VLAN from the Tenant
Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11–12
Section 12. Troubleshooting
Contents
12.1. Troubleshooting Errors When Using a Secure Private
Cloud Workbook . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12–1
12.2. Troubleshooting Signing In to the Secure Private Cloud
Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12–3
12.3. Handling Suspended, Failed, and Aborted Jobs. . . . . . . . . . 12–3
12.4. Troubleshooting Machine Names. . . . . . . . . . . . . . . . . . . . 12–4
12.5. Troubleshooting Physical Server Resources . . . . . . . . . . . . 12–4
12.6. Configuring the Virtual Management Network Appliance
with a VMware License Restriction . . . . . . . . . . . . . . . . 12–5
12.6.1. Configuring the Virtual Management Network
Appliance for a New VLAN (with a VMware
License Restriction) . . . . . . . . . . . . . . . . . . . . . . . 12–5
12.6.2. Configuring the Virtual Management Network
Appliance to Use a New Intercom Network IP
Address (with a VMware License Restriction). . . . . 12–6
12.7. Troubleshooting Onboarding Tenants and Users . . . . . . . . . 12–7
12.7.1. Troubleshooting Sign In Problems Due to an
Unknown E-mail Suffix . . . . . . . . . . . . . . . . . . . . . 12–7
12.7.2. Verifying and Updating the E-mail Suffixes for an
Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12–8
12.7.3. Verifying and Updating the Default Role for an
Organization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12–8
12.7.4. Updating the Default Project for a Tenant . . . . . . . . . . 12–9
12.7.5. Troubleshooting Tenant Permissions in the Secure
Private Cloud Portal. . . . . . . . . . . . . . . . . . . . . . . 12–10
12.8. Resolving Secure Private Cloud Portal Messages . . . . . . . 12–13
12.9. Restoring a Closed Pane in the Secure Private Cloud
Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12–17
12.10. Log Files Maintenance . . . . . . . . . . . . . . . . . . . . . . . . . . 12–17
12.11. Reporting Problems to Unisys . . . . . . . . . . . . . . . . . . . . . 12–18
12.12. Troubleshooting Datastore Filter and ResourcePoolFilter
Constants. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12–18
12.13. Disconnecting Users from the Secure Private Cloud
Portal and Enabling Maintenance Mode . . . . . . . . . . . . 12–18
12.14. Troubleshooting Configuring Stealth-Enabled VLANs . . . . . 12–18
12.15. Identifying the Secure Private Cloud Software Version . . . 12–21
12.16. Troubleshooting Articles on the Unisys Product Support
Web Site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12–22
3850 6804–007 xi

Contents
Appendix A. Incorporating an External Server into the Cloud
Management Environment
A.1. Requirements for Incorporating an External Server. . . . . . . . A–1
A.2. Configuring the Management Server Intercom Network
Connection to Communicate with External Servers . . . . . A–1
A.2.1. Using a Dedicated Network Adapter . . . . . . . . . . . . . . A–2
A.2.2. Using a Shared Network Adapter . . . . . . . . . . . . . . . . A–2
A.3. Updating the Hosts File on All Management VMs and
External Servers Running Windows. . . . . . . . . . . . . . . . . A–3
A.4. Updating the Hosts File on uAdapt Management VM and
External Servers Running Linux. . . . . . . . . . . . . . . . . . . . A–4
A.5. Configuring External Servers. . . . . . . . . . . . . . . . . . . . . . . . A–4
xii 3850 6804–007

Figures
2–1. Projects, Departments, Accounts, and SubAccounts . . . . . . . . . . . . . . . . . . 2–11
2–2. Comparison of Secure Private Cloud, uChargeback, and RBADB Entities . . . . 2–12
5–1. Logical VLAN Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5–2
6–1. Operations Console Populator. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6–2
10–1. Unisys Cloud Import Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10–28
3850 6804–007 xiii

Figures
xiv 3850 6804–007

Tables
1–1. Cloud Provider Site Environment Information. . . . . . . . . . . . . . . . . . . . . . . . . 1–6
1–2. Cloud Provider License Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–6
1–3. General Networking Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–6
1–4. Cloud Management Environment Network Addresses . . . . . . . . . . . . . . . . . . 1–7
1–5. Networking for Management VMs and Management Server. . . . . . . . . . . . . . 1–7
1–6. LDAP Values for Secure Private Cloud Portal . . . . . . . . . . . . . . . . . . . . . . . . . 1–7
1–7. Cloud Management Environment Certificate Details. . . . . . . . . . . . . . . . . . . . 1–7
1–8. Secure Private Cloud Portal Community Information. . . . . . . . . . . . . . . . . . . . 1–7
1–9. Runbook Automation Database (RBADB) Cloud Properties . . . . . . . . . . . . . . . 1–7
1–10. uChargeback Domain Account and Configuration Information . . . . . . . . . . . . 1–7
1–11. Datacenter Workload Server Information . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–7
1–12. VMware Sysprep Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–8
1–13. VMware Resource Balancer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–8
1–14. E-mail Notification Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–8
1–15. BMC Remedy/ITSM Adapter Notification Information. . . . . . . . . . . . . . . . . . 1–8
1–16. High Availability (HA) Management Server Information . . . . . . . . . . . . . . . . . 1–8
1–17. Clustered Workload Server Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–8
1–18. Virtual Office Server Network Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–8
1–19. Virtual Office Server Failover Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–9
1–20. Management Server VLAN Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . 1–9
1–21. Switchport Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–9
1–22. Distributed Virtual Network Switch Properties . . . . . . . . . . . . . . . . . . . . . . . 1–9
1–23. Cloud Provider-supplied vCenter Configuration. . . . . . . . . . . . . . . . . . . . . . . 1–9
1–24. Secure Private Cloud Portal Tenant Organization and Global Roles. . . . . . . . 1–10
1–25. Tenant VLAN Network Appliance Information. . . . . . . . . . . . . . . . . . . . . . . 1–10
1–26. Tenant VLAN Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–10
1–27. Tenant Internal Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–10
1–28. Account Contract Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–10
1–29. Runbook Automation Database (RBADB) Account Properties . . . . . . . . . . . 1–10
1–30. RBADB Account VLAN Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–10
1–31. Stealth Infrastructure Virtual Machines . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–11
1–32. Stealth Tenant Infrastructure Configuration . . . . . . . . . . . . . . . . . . . . . . . . 1–11
1–33. COI Sets and Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–11
1–34. Virtual Machine Blueprints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–11
1–35. Virtual Machine Blueprint Attributes and Values . . . . . . . . . . . . . . . . . . . . . 1–11
1–36. Physical Server Blueprints. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–11
1–37. Physical Server Blueprint Attributes and Values . . . . . . . . . . . . . . . . . . . . . 1–11
3850 6804–007 xv

Tables
1–38. Virtual Desktop Blueprints. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–11
1–39. Virtual Desktop Blueprint Attributes and Values . . . . . . . . . . . . . . . . . . . . . 1–12
1–40. Secure Private Cloud Portal Information for Tenant Projects . . . . . . . . . . . . 1–12
1–41. Project Contract Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–12
1–42. Virtual Office as a Service Session Manager Configuration . . . . . . . . . . . . . 1–12
2–1. Default and Updated Environment Credentials . . . . . . . . . . . . . . . . . . . . . . . . 2–5
2–2. URLs for Web-Based UIs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2–8
6–1. Virtual Machine Basic Attributes and Values. . . . . . . . . . . . . . . . . . . . . . . . . 6–11
6–2. Virtual Machine General Configuration Attributes and Values. . . . . . . . . . . . . 6–11
6–3. Virtual Machine Resource Balancer Attributes and Values . . . . . . . . . . . . . . . 6–14
6–4. Virtual Machine Operating System Customization Attribute and Values . . . . . 6–15
6–5. Virtual Machine Operating System Attributes and Values . . . . . . . . . . . . . . . 6–15
6–6. Virtual Machine Network Configuration Attributes and Values . . . . . . . . . . . . 6–18
6–7. Virtual Machine Additional Instruction Attributes and Values . . . . . . . . . . . . . 6–20
6–8. Resource Pre-Expiration Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6–21
6–9. Virtual Desktop Basic Attributes and Values . . . . . . . . . . . . . . . . . . . . . . . . . 6–22
6–10. Virtual Desktop General Configuration Attributes and Values . . . . . . . . . . . . 6–22
6–11. Virtual Desktop Additional Instruction Attributes and Values . . . . . . . . . . . . 6–23
6–12. Resource Pre-Expiration Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6–24
10–1. Example Criteria Specification, Page 1 Data . . . . . . . . . . . . . . . . . . . . . . . 10–25
10–2. Example Criteria Specification, Page 2 Data . . . . . . . . . . . . . . . . . . . . . . . 10–26
12–1. Tenant Role Permissions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12–11
xvi 3850 6804–007

Section 1
Installation and Configuration Data
The procedures in this guide assume a configuration in which the Unisys service
consultant configures a cloud datacenter at a cloud provider site, and the cloud provider
then supplies virtual machine, physical server, or virtual desktop usage to its tenants (the
cloud provider’s customers).
A tenant is an individual entity for whom you supply virtual machine, physical server, or
virtual desktop usage from the cloud datacenter. Tenants are your customers or your
subsidiaries or departments. If the cloud datacenter is intended to be used only by your
own personnel, the environment can be treated as a single-tenant environment, or each
organizational tier can be treated as a tenant (a multi-tenant environment).
For information on networking and environment architecture, see 2.2 Accessing
Architecture and Networking Information.
1.1. Completing Worksheets for Installation and
Configuration
The Secure Private Cloud workbook (a Microsoft Excel workbook) contains the data that
describes your environment and that of any tenants (internal and external customers). One
set of tables contains data for the infrastructure. Separate sets of tables contain data for
the tenants, one set for each tenant account. After the solution is implemented at your
site, obtain the completed workbook from the Unisys service consultant and use it to add
tenants to your environment.
Note: Microsoft Excel 2007 or 2010 is required to use the Secure Private Cloud
workbook.
1.1.1. Workbook Organization
The Secure Private Cloud workbook has the following worksheets:
• Table of contents, which shows the overall organization and contains the following:
- Links to cloud provider tables
- Structure of tenant tables
- Links to credentials and URLs tables
- Buttons perform actions: Add Tenant, Validate, Export, Import
3850 6804–007 1–1

Installation and Configuration Data
Note: These actions are discussed in the following subsections.
• Credentials and URLs worksheet, which contains the following:
- Table 2–1
- Table 2–2
Note: In the workbook, these tables are numbered Table 3-1, “Default and Updated
Environment Credentials” and Table 5-1, “URLs for Web-Based UIs.”
• Cloud provider worksheet, in 1.2 Cloud Provider Data Worksheet, which is organized
as follows:
- 1.2.1 Cloud Provider Environment, License, and Network Information
- 1.2.2 Management VM Infrastructure
- 1.2.3 VMware
- 1.2.4 Notification
- 1.2.5 High Availability Cluster
- 1.2.6 Virtual Office as a Service
- 1.2.7 Virtual LAN
- 1.2.8 vCenter Supplied by the Cloud Provider
• Tenant template worksheet, in 1.3 Tenant Data Worksheet, which is organized as
follows:
- 1.3.1 Tenant Information
- 1.3.2 Tenant VLAN
- 1.3.3 RBADB Accounts
- 1.3.4 Stealth Onboarding
- 1.3.5 Tenant Blueprints
- 1.3.6 Tenant Projects
- 1.3.7 Virtual Office as a Service Session Manager
1.1.2. Implementing the Workbook
Edit the tables in the cloud provider worksheet to describe the provider’s site
configuration. Create a tenant worksheet for each tenant environment and edit the tables
to describe each tenant environment. Refer to 1.1.3 Expanding the Workbook to Include
Tenants and 1.1.4 Adding Tenant Blueprints and Projects.
The workbook automatically validates much of the data you enter and fills some cells,
using values in other cells. Refer to 1.1.5 Validating the Workbook.
In some tables, IP address ranges are defined using Classless Inter-Domain Routing
(CIDR) notation, which includes a base network IP address and a network mask. For
example, the CIDR notation ″192.68.100.0/24″ refers to the address range from
192.68.100.1 through 192.68.100.255.
1–2 3850 6804–007

The table headings in 1.2 Cloud Provider Data Worksheet and 1.3 Tenant Data Worksheet
reflect the same hierarchy as the Secure Private Cloud workbook. They are included in this
document to resolve references in the procedures. When you see a reference to a table,
refer to the Secure Private Cloud workbook for the data.
Note: Refer to 12.1 Troubleshooting Errors When Using a Secure Private Cloud
Workbook for help if you receive error messages when using the workbook.
1.1.3. Expanding the Workbook to Include Tenants
A tenant is an individual entity for whom you supply virtual machine, physical server, or
virtual desktop usage from the cloud datacenter. Tenants are your customers or your
subsidiaries or departments. If the cloud datacenter is intended to be used only by your
own personnel, the environment can be treated as a single-tenant environment, or each
organizational tier can be treated as a tenant (a multi-tenant environment).
Create a tenant worksheet in the Secure Private Cloud workbook for each tenant account,
as follows:
1. Open the workbook and select the Table of Contents tab.
The Installation and Configuration Worksheets Table of Contents
worksheet is displayed.
Note: The organization is the same as 1.1.1 Workbook Organization.
2. Click Add Tenant.
The Add Tenant dialog box opens.
3. Enter a name for the new tenant in the box, and click OK.
Note: This name is configured as the folder in the Secure Private
Cloud portal hierarchy in a later procedure in this guide.
A new tenant worksheet is created in the workbook from the template.
Repeat this procedure to create a separate worksheet for each tenant.
1.1.4. Adding Tenant Blueprints and Projects
Adding Tenant Blueprints
Installation and Configuration Data
Enter tenant blueprint data in Table 1–34, Table 1–36, or Table 1–38. For each blueprint
name that you enter, the blueprint attributes and default values are initialized in
Table 1–35, Table 1–37, or Table 1–39, and an Edit link is made available in the
Properties column of the names table. Double-click the Edit link to jump to the column
for that blueprint in the attributes and values table, and then update the attributes and
values for that blueprint.
If you need to enter more blueprints for a tenant than Table 1–34, Table 1–36, or
Table 1–38 allows, click Add Blueprints to insert a group of six blank rows at the bottom
of the table. You can insert as many groups of blank rows as needed.
3850 6804–007 1–3

Installation and Configuration Data
To delete a blueprint, clear its name in the names table. You are asked if you also want to
clear the attributes and values for the blueprint. Click Yes to clear its values in the
attributes and values table.
Adding Tenant Projects
Enter tenant project data in Table 1–40.
In the Contract Limits column, double-click Edit to open an interface that enables you
to edit the contract limits of the blueprints associated with the project.
If you need to enter more projects for a tenant than Table 1–40 allows, click Add Project
to insert a blank row at the bottom of the table. You can insert as many blank rows as
needed.
To delete a project, select the Project Name and click Delete Project.
1.1.5. Validating the Workbook
Data in individual cells is validated as much as possible while you enter the data. However,
more extensive validation is needed after you complete all the cloud provider and tenant
worksheets to make sure that the overall configuration is consistent. Perform this
validation and correct any errors before exporting the data.
Caution
Invalid data can cause unexpected and critical errors when you are configuring
the cloud environment.
Validate the worksheets, as follows:
1. Open the workbook and select the Table of Contents tab.
2. If prompted, enable macros and set the macro security level to medium or higher.
3. Click Validate.
The Worksheet Selection dialog box opens with the following validation options:
• Only the cloud provider worksheet
• All worksheets in the workbook
• One tenant worksheet
4. Select the worksheets that you want to validate, and then click OK.
The Validation Results dialog box opens and lists each error and location. Click
Open Log to view the validation results in a log file, if desired.
1–4 3850 6804–007

Repeat the following steps as often as necessary to correct all errors:
a. Navigate to the cells that contain errors, using the links in the results list, and
correct the errors.
b. Click Revalidate after correcting one or more cells to update the error list.
Click OK to close the Validation Results dialog box when you are finished reviewing
the results.
1.1.6. Exporting the Data
The automated procedures in this guide are initiated from the jump box management VM
to the other management VMs that are configured (refer to the In Use column in
Table 1–5). The automated procedures require certain data in XML format as input. After
entering all data in all worksheets in the Secure Private Cloud workbook, you can create
the necessary XML files, as follows.
Note: For security reasons, the exported data does not include the values of any updated
credentials in Table 3-1, ″Default and Updated Environment Credentials.″
1. Open a copy of the workbook that contains all the data, and select the Table of
Contents tab.
2. If prompted, enable macros and set the macro security level to medium or higher.
3. Click Export.
A Worksheet Selection dialog box opens with the following export options:
• Only the cloud provider worksheet
• All worksheets in the workbook
• One tenant worksheet
4. Select the worksheets that you want to export, and then click OK.
The data is validated first.
• If no validation errors are detected, the Chose a folder to export to dialog box
appears. Navigate to the folder where you want to save the XML files and click
OK. When the export process completes, you see a message that the export was
successful. Click OK.
The cloud provider file is named
CloudProvider.xml
Each tenant has its own tenant XML file named
Tenant-.xml
Installation and Configuration Data
• If validation errors are detected, a Continue Export? dialog box is displayed
advising you to correct the errors. Click Cancel.
The Export Cancelled message box appears, and XML files are not created.
You can correct errors and try exporting again. Refer to 1.1.5 Validating the
Workbook.
3850 6804–007 1–5

Installation and Configuration Data
Note: If the data contains errors but you still want to export the files, click OK on
the Continue Export? dialog box. The XML files are created, but errors can occur
when configuring your Secure Private Cloud environment.
5. Copy all XML files that you created to the following folder on the jump box
management VM:
C:\ProgramData\Unisys\SPC-Automation\xml
1.1.7. Preserving Configuration Data
The cloud provider worksheet in the Secure Private Cloud workbook must be kept up-todate
with configuration data changes. Store the workbook and XML files in a secure
location for future use when updating the cloud configuration or onboarding tenants.
Snapshots of management VMs that were taken during the configuration process and are
no longer needed should be deleted.
1.2. Cloud Provider Data Worksheet
Use Table 1–1 through Table 1–23 to gather data that applies to the cloud provider in this
environment.
Only the categories, table headers, and a short description from the Secure Private Cloud
workbook are included to provide references throughout this document. The details of
each table are in the Secure Private Cloud workbook.
1.2.1. Cloud Provider Environment, License, and Network
Information
Table 1–1. Cloud Provider Site Environment Information
Contains site environment information, including default values that cannot be changed, default
values that can be changed, and values that apply to the cloud provider’s specific environment.
Table 1–2. Cloud Provider License Information
Contains information about the cloud provider’s licenses.
Table 1–3. General Networking Information
Contains information about the cloud provider’s network, including DNS servers and domains,
as it applies to the Secure Private Cloud implementation.
1–6 3850 6804–007

Table 1–4. Cloud Management Environment Network Addresses
Contains information about the networks that are used in the Secure Private Cloud
management environment.
Table 1–5. Networking for Management VMs and Management Server
Contains networking values for the management VMs and management server.
1.2.2. Management VM Infrastructure
Table 1–6. LDAP Values for Secure Private Cloud Portal
Contains information that is needed if you are using LDAP to validate credentials using a domain
or to integrate with a cloud provider-supplied Active Directory.
Table 1–7. Cloud Management Environment Certificate Details
Contains information about the certificates that are used to secure certain management VMs.
Table 1–8. Secure Private Cloud Portal Community Information
Contains information that is needed for the Secure Private Cloud portal user community.
Table 1–9. Runbook Automation Database (RBADB) Cloud Properties
Contains information about the Runbook Automation Database (RBADB) cloud properties.
Table 1–10. uChargeback Domain Account and Configuration Information
Contains information about at least one domain user who is the uChargeback administrator.
1.2.3. VMware
Installation and Configuration Data
Table 1–11. Datacenter Workload Server Information
Contains information about the datacenter workload server, which supports virtual machines for
users.
3850 6804–007 1–7

Installation and Configuration Data
Table 1–12. VMware Sysprep Configuration
Contains information that is needed for VMware Sysprep configuration.
Table 1–13. VMware Resource Balancer
Contains information that is needed for VMware resource balancer configuration.
1.2.4. Notification
Table 1–14. E-mail Notification Information
Contains information that is needed to send notifications using e-mail messages.
Table 1–15. BMC Remedy/ITSM Adapter Notification Information
Contains information that is needed to send notifications using BMC Remedy tickets.
1.2.5. High Availability Cluster
Table 1–16. High Availability (HA) Management Server Information
Contains information that is needed to enable the management server High Availability (HA)
capability.
Table 1–17. Clustered Workload Server Information
Contains information that is needed to define clusters for the workload servers, such as
enabling DRS or High Availability capabilities for the workload servers.
1.2.6. Virtual Office as a Service
Table 1–18. Virtual Office Server Network Addresses
Contains network address information that is needed to configure the Virtual Office as a Service
capability.
1–8 3850 6804–007

Table 1–19. Virtual Office Server Failover Cluster
Contains network information that is needed to configure Virtual Office servers as a failover
cluster.
1.2.7. Virtual LAN
Table 1–20. Management Server VLAN Configuration
Contains information that is needed in a multi-tenant environment to implement virtual LANs
(VLAN) to isolate the network traffic for each tenant from all other tenants.
Table 1–21. Switchport Configuration
Contains information that is needed to support workload servers, either clustered or standalone.
Table 1–22. Distributed Virtual Network Switch Properties
Contains information that is needed to support the distributed virtual network switches in the
Secure Private Cloud Virtual Center server datacenter.
1.2.8. vCenter Supplied by the Cloud Provider
Table 1–23. Cloud Provider-supplied vCenter Configuration
Contains information that is needed if the vCenter in the Secure Private Cloud environment is
supplied by the cloud provider.
1.3. Tenant Data Worksheet
Installation and Configuration Data
Use Table 1–24 through Table 1–42 to gather data that applies to each tenant in this
environment.
Only the categories, table headers, and a short description from the Secure Private Cloud
workbook are included to provide references throughout this document. The details are in
the Secure Private Cloud workbook.
3850 6804–007 1–9

Installation and Configuration Data
1.3.1. Tenant Information
Table 1–24. Secure Private Cloud Portal Tenant Organization and Global
Roles
Contains the global data for defining the tenant in the provider’s cloud.
1.3.2. Tenant VLAN
Table 1–25. Tenant VLAN Network Appliance Information
Contains information about the virtual LAN (VLAN) in a multi-tenant environment that isolates
the network traffic for each tenant from all other tenants.
Table 1–26. Tenant VLAN Configuration
Contains data for configuring the tenant VLAN network appliance for the tenant.
Table 1–27. Tenant Internal Configuration
Contains data for configuring this tenant.
1.3.3. RBADB Accounts
Table 1–28. Account Contract Details
Contains data for configuring RBADB with information about the tenant and the tenant’s
blueprints.
Table 1–29. Runbook Automation Database (RBADB) Account Properties
Contains data for configuring RBADB with information about the tenant.
Table 1–30. RBADB Account VLAN Configuration
Contains data for configuring RBADB with information about the tenant’s VLAN.
1–10 3850 6804–007

1.3.4. Stealth Onboarding
Table 1–31. Stealth Infrastructure Virtual Machines
Contains information about the Stealth infrastructure virtual machines that are created for each
tenant Stealth-enabled VLAN.
Table 1–32. Stealth Tenant Infrastructure Configuration
Contains the global data for configuring the infrastructure for the tenant Stealth environment.
Table 1–33. COI Sets and Access
Contains information for defining groups of virtual machines that can communicate with one
another, with other components in the cloud, and with the Public Network, also known as
Communities of Interest (COI).
1.3.5. Tenant Blueprints
Table 1–34. Virtual Machine Blueprints
Contains information about the tenant’s virtual machine blueprints.
Table 1–35. Virtual Machine Blueprint Attributes and Values
Contains information about the attributes and values for the tenant’s virtual machine blueprints.
Table 1–36. Physical Server Blueprints
Contains information about the tenant’s physical server blueprints.
Table 1–37. Physical Server Blueprint Attributes and Values
Contains information about the attributes and values for the tenant’s physical server blueprints.
Table 1–38. Virtual Desktop Blueprints
Contains information about the tenant’s virtual desktop blueprints.
Installation and Configuration Data
3850 6804–007 1–11

Installation and Configuration Data
Table 1–39. Virtual Desktop Blueprint Attributes and Values
Contains information about the attributes and values for the tenant’s virtual desktop blueprints.
1.3.6. Tenant Projects
Table 1–40. Secure Private Cloud Portal Information for Tenant Projects
Contains information about the tenant’s projects.
Table 1–41. Project Contract Limits
Contains optional limits for the number of virtual machines that can be commissioned from
each blueprint in a tenant project.
1.3.7. Virtual Office as a Service Session Manager
Table 1–42. Virtual Office as a Service Session Manager Configuration
Contains information that is needed to configure Session Manager to support the Virtual Office
as a Service capability for the tenant.
1–12 3850 6804–007

Section 2
Introduction
This document is intended for Unisys service consultants initially implementing the Unisys
Secure Private Cloud solution as well as the administrators and operators who maintain
the solution.
In this library, a tenant is defined as an individual entity with whom the cloud provider has a
contract to provide virtual machine, virtual desktop, or physical server usage from the
cloud datacenter. These tenants might be the cloud provider’s customers, or they might
be the provider’s subsidiaries or departments that should be treated as separate entities.
Depending on the cloud provider’s needs, you can configure a single-tenant or a multitenant
environment.
This document describes the processes required to administer and operate a cloud
environment, including how to add new VMware templates to create new blueprints for
tenants, how to handle user requests for new virtual machines, virtual desktops, and
physical servers, and how to troubleshoot issues with the Secure Private Cloud portal.
Note: This document does not describe the procedures performed to initially configure
the Secure Private Cloud environment; those procedures are described in the Secure
Private Cloud Implementation Guide (3850 6846), which is available only to Unisys
service consultants.
2.1. Documentation Updates
This document contains all the information that was available at the time of publication.
Changes identified after release of this document are included in problem list entry (PLE)
18886286. To obtain a copy of the PLE, contact your service representative or access the
current PLE from the product support Web site:
http://www.support.unisys.com/all/ple/18886286
Note: If you are not logged into the product support site, you will be asked to do so.
3850 6804–007 2–1

Introduction
2.2. Accessing Architecture and Networking
Information
Detailed architectural and networking information is available in Section 2 of the Secure
Private Cloud Overview and Planning Guide. If you have a current connection to the
Internet, you can access this information directly from the following link:
http://www.support.unisys.com/spc/docs/spc-2.2/38506796-007.pdf#architecture
Section 2 of the Overview and Planning Guide includes the following:
• A detailed description of the following Secure Private Cloud solution hardware:
- Cloud Management Environment
One or more management virtualization servers, which run VMware ESXi and are
part of the Cloud Management Environment. These servers are called
management servers in this document. Each management server hosts multiple
management VMs. A management VM is a specialized virtual machine that
performs management functions for the Secure Private Cloud.
The Overview and Planning Guide describes the required and optional
management VMs and the infrastructure VMs (which provide infrastructure
services for each tenant).
- Workload environment
One or more workload servers that host your data and your tenants’ data, as well
as tenant-commissioned virtual machines, virtual desktops, and physical servers.
VMware ESX or ESXi workload virtualization servers are known simply as
virtualization servers and host virtual machines running Windows server operating
systems or Linux operating systems.
If your environment includes the Virtual Office as a Service, Virtual Office servers
run Windows Server 2008 R2 with the Hyper-V role enabled. If your environment
includes uAdapt, physical servers host uAdapt personas.
• Overview of the Cloud Management domain and configuring domain controllers
• Overview of logical network configurations
• Requirements for configuring a highly available (HA) environment
• Detailed networking considerations for isolating tenant networks using virtual LANs
(VLANs), including example VLAN architecture,
• Directions for including the Stealth for Secure Private Cloud feature in one or more
tenant environments
• Requirements for designing domain name system (DNS)
• Overview of network connections and communication paths (single tenancy or multitenancy
and non-highly available, or high availability configurations)
• Guidelines for combining physical networks (non-highly available or high availability
configurations)
• Examples of using physical switches versus virtual network appliances
2–2 3850 6804–007

• Details on using hybrid configurations (a combination of physical and virtual
components, such as a physical switch in the Cloud Management Environment and
virtual network appliances in the workload environment), including configuring high
network isolation, high routing, and configuring an enterprise private cloud
• Instructions for incorporating an external server into the Cloud Management
Environment
• An overview of multi-tenant networking considerations, including tenant VLAN swich
requirements, managing overlapping tenant IP address and domain names, and
Network Address Translation (NAT) overview
2.3. Administrator and Operator Responsibilities
Personnel in the cloud provider’s organization are designated as administrators and
operators of the Secure Private Cloud. If there are a small number of users, one person
might be designated to complete both administration and operation tasks; if there are a
large number of users, groups of administrators and operators might be designated to
perform specific procedures.
Administrators and operators generally have the following responsibilities:
• Add new tenants and users to the Secure Private Cloud portal.
• Perform any required manual operations, including responding to end user requests
sent through e-mail, through Remedy tickets, or through both.
• Use the Secure Private Cloud portal to authorize commissioning requests when any
required manual operations are complete.
• Operate the Secure Private Cloud portal, the uChargeback interface, and other user
interfaces, as required.
• Perform routine database maintenance on the SQL Server database.
• Work with Unisys service consultants to expand, change, or troubleshoot the
environment, as required
2.4. Before You Begin
Before you begin administering and operating the Secure Private Cloud solution, you
should review the following documents:
• Unisys Secure Private Cloud Overview and Planning Guide (3850 6796)
This document provides an overview of the Secure Private Cloud environment and its
features.
• Unisys Secure Private Cloud Interface Help (8207 3115)
Introduction
This document describes how end users sign in and navigate the Secure Private Cloud
portal. It also describes how end users request, start, stop, and decommission (delete)
virtual machines, virtual desktops, and physical servers.
3850 6804–007 2–3

Introduction
Most administrative and operational tasks involve reacting to user requests and
problems, and so you should review this document carefully to ensure that you
understand your end users’ experience.
• uChargeback Installation, Configuration, and Operations Guide (3843 3801)
uChargeback is a set of tools that help you collect and manage resource usage data for
both consolidated application servers and virtual machines. uChargeback determines
the IT resources that each application uses. Review this document to familiarize
yourself with the uChargeback functionality.
• uAdapt User’s Guide and Reference
uAdapt enables physical server commissioning; in the Secure Private Cloud
environment, administrators and operators must perform manual actions when end
users request physical servers. Review this document to familiarize yourself with the
uAdapt interface. uAdapt provides important functionality for the Secure Private
Cloud.
First, determine which version of uAdapt is supported with your version of the Secure
Private Cloud. To do so
1. On the Unisys Product Support Web site www.support.unisys.com, expand
Infrastructure Management, and then click Secure Private Cloud.
2. On the Secure Private Cloud Support Site, click Releases.
3. On the System Release Information page, click your Secure Private Cloud release.
4. In the Supported System Releases table, locate the supported uAdapt level.
The uAdapt documentation is available from the following locations:
- On the Unisys Product Support Web site (www.support.unisys.com).
Click Documentation in the left menu, and then agree to the terms of use. In
the documentation libraries list, under Infrastructure Management, expand
Infrastructure Management, expand uAdapt, and then click the appropriate
uAdapt release.
- On the uAdapt installation media.
ISO images of these media are available on your Unisys Secure Private Cloud
Management System, on the Datastore1 datastore, in the uAdapt Images
folder. In the ISO image, the documentation is located in the getting_started
folder.
- From the uAdapt Console.
After the uAdapt Controller is installed and configured, use Internet Explorer to
access the uAdapt Console URL. After you log in, click Help, and then click
Documentation.
Note: Your licenses for the uAdapt software, uOrchestrate software, and uChargeback
software (which are all installed on the management server) are for use within the Secure
Private Cloud environment only. These products contain many features and capabilities
that can simplify the operation of other areas of your datacenter as well. Contact your
Unisys sales representative if you want to purchase these products for use with servers
that are not part of the Secure Private Cloud.
2–4 3850 6804–007

2.5. Default and Updated Environment Credentials
Software is configured using the default credentials in Table 2–1. Use these credentials as
necessary during the integration process.
After you complete the initial implementation and update the credentials, use the new
credentials instead.
This table is Table 3-1 in the online Excel version. Refer to 1.1 Completing Worksheets for
Installation and Configuration.
Note: For some components, you can only update the password. If the user name
cannot be updated, it is listed in the far-right column.
Table 2–1. Default and Updated Environment Credentials
Product Description
Management server Credentials for the server hosting
the management VMs.
Linux
(operating system
for uAdapt
management VM)
Windows
(operating system
for other
management VMs)
Management
Network Appliance
Tenant VLAN
network appliances
Administrator account credentials
for the uAdapt Controller.
Non-administrator account
credentials for the uAdapt
Controller. This is a user on the
Linux system, but this account is
not used.
Local administrator account
credentials.
Local administrator account
credentials that enable you to
configure the Management
Network Appliance management
VM.
Local administrator account
credentials that enable you to
configure the tenant VLAN
network appliances.
uAdapt Console Credentials that enable you to log
on to the uAdapt Console.
Default User Name
Default Password
root
U*spc2341
root
U*spc2341
user1
User4Me
Administrator
U*spc2341
vyatta
U*spc2341
vyatta
U*spc2341
admin
admin
Updated User Name
Updated Password
root
root
root
vyatta
vyatta
admin
Introduction
3850 6804–007 2–5

Introduction
Table 2–1. Default and Updated Environment Credentials (cont.)
Product Description
SQL Server
Database
Administrator
Credentials for SQL Server
authentication.
Default User Name
sa
Default Password
U*spc2341
vCenter Database Credentials for vCenter database. vpxuser
vCenter
Administrator
Stealth for Secure
Private Cloud
Dynamic Licensing
Web interface
Credentials for the vCenter user in
the vCenter Administrator role.
Note: If you are using the
vCenter server supplied by Unisys
(the management VM), use these
credentials to initially log on. If you
are using a provider-supplied
vCenter server, use the providersupplied
credentials from
Table 1–23.
Credentials for the Dynamic
Licensing Web interface for Stealth
for Secure Private Cloud, if Stealth
is included in your environment.
Tomcat Manager Credentials for the Web server on
uChargeback management VM.
RBADB Credentials for Runbook
Automation Database
administration.
uOrchestrate
Operations Console
Credentials for the uOrchestrate
Operations Console.
Liferay administrator Credentials for the Liferay
administrator user in the Secure
Private Cloud portal that is allowed
to access the Control Panel.
SSL certificate The certificate password for the
Secure Private Cloud portal, Cloud
Orchestrator, and uChargeback
management VMs.
Cloud Orchestrator
vCenter user
Credentials for a user who is
assigned to the Cloud Orchestrator
role in vCenter for runbook usage.
U*spc2341
Administrator
U*spc2341
admin
U*spc2341
admin
U*spc2341
admin
U*spc2341
uco@example.com
(no password)
uco@example.com
U*spc2341
(no user name)
U*spc2341
UCOUser
U*spc2341
Updated User Name
sa
Updated Password
vpxuser
Administrator
admin
admin
admin
uco@example.com
(no password)
uco@example.com
2–6 3850 6804–007

uChargeback
vCenter user
Table 2–1. Default and Updated Environment Credentials (cont.)
Product Description
Virtual Office as a
Service
administrator
VMware Update
Manager Database
(VUMDB)
Cloud Orchestrator
Lifecycle database
Secure Private Cloud
portal database
Credentials for a user who is
assigned a read-only role in
vCenter. If you are using a domain
account, specify the domain name,
followed by a backslash, followed
by the user name. For example,
enter
mydomain\myuser
Credentials for a Virtual Office as a
Service administrator.
Credentials that enable you to log
on to the VUMDB.
Credentials for Cloud Orchestrator
Lifecycle database
(uorch_lifecycle).
Credentials for the Secure Private
Cloud portal database (PortalDB).
Default User Name
Default Password
uChrgUser
U*spc2341
Administrator
U*spc2341
vumuser
U*spc2341
lifecycle-dbadmin
U*spc2341
Portal-dbadmin
U*spc2341
Updated User Name
Updated Password
vumuser
lifecycle-dbadmin
Portal-dbadmin
Note: During the implementation of the Secure Private Cloud environment, you are
required to create new domain accounts (for example, for the uChargeback administrator)
or use existing domain accounts (for example, for the Active Directory management VM).
These credentials are not listed in Table 2–1, because there are no default values, but they
are listed in the cloud provider workbook tables. You create and update these values using
the standard domain credential management process for your environment. See the
workbook for more information about these required domain administrator accounts.
2.6. URLs for Web-Based UIs
Configuration instructions often reference the URLs in Table 2–2.
Note: This table is Table 5-1 in the online Excel version.
Introduction
3850 6804–007 2–7

Introduction
Table 2–2. URLs for Web-Based UIs
User Interface URL
Secure Private Cloud portal https://user-facing-fully-qualified-name-of-Secure-Private-Cloud-portal
Note: This is the FQN of the Secure Private Cloud portal Web page, not
the FQN of the Secure Private Cloud portal management VM.
RBADB https://current-fully-qualified-name-of-uChargeback-mgmt-VM
:8443/RBADB
Note: “RBADB” must be uppercase in the URL.
uAdapt Console http://IP-address-of-uAdapt-Console
uOrchestrate Operations
Console
uChargeback License Activation
Web site
Secure Private Cloud
Troubleshooting
Session Manager virtual
machine
Note: This is applicable only for
tenants that have virtual
desktops enabled through the
Virtual Office as a Service
solution.
https://localhost:8443
Note: You must be logged in to the Cloud Orchestrator management
VM to access the Operations Console.
https://www.support.unisys.com/public/licenseActivator/login.aspx
http://www.support.unisys.com/common/search/FaqSearch.aspx?
pla=SPC&nav=SPC&dt=kb&action=doit&key=trouble-shooting&
title=Secure+Private+Cloud+Trouble+Shooting
http://localhost:1780
or, if accessing remotely
http://current-fully-qualified-domain-name-of-session-mgr-VM:1780
2.7. Completing and Exporting Tenant Worksheets
Before performing the procedures in this book for a new implementation or a new tenant,
you should complete and export the Cloud Provider worksheet and complete and export
the worksheets for any tenants. See 1.1 Completing Worksheets for Installation and
Configuration.
2.8. Understanding Tenants Accounts and Secure
Private Cloud Interfaces
You can configure the Secure Private Cloud portal for the following types of access:
2–8 3850 6804–007

• Single tenant
One tenant exists in the environment.
• Multi-tenant
One or more tenants coexist in the same environment. Each tenant is configured its
own set of administrators, users, projects, and blueprints. A multi-tenant environment
in which only one tenant is defined is a single-tenant environment.
Tenants can have one or more projects. Projects are used to further subdivide the tenant
organization. You can configure projects based on the needs of a tenant environment. For
example, you could configure one project for each tenant department or each
subdepartment, or you could configure projects based on user responsibilities in the
organization.
Each project folder can contain one or more blueprints. A blueprint defines the resource
type—virtual machine, physical server, or virtual desktop—that users can commission and
its associated attributes, such as operating system type and memory allocation. If you
want users of multiple projects to commission resources using one blueprint, you can
save the same blueprint in multiple projects. Alternatively, you can isolate one blueprint in
one project, so that only users assigned to a certain project can access specific blueprints.
2.8.1. XYZ Company Example (Single Tenant)
The XYZ Company is a hypothetical company that serves as an example of a single tenant
environment. The Secure Private Cloud for the XYZ Company has the following structure:
• For billing purposes, the Secure Private Cloud portal tracks the following projects:
- Billing
- Inventory
- Sales
• All blueprints are available to the users, and the name of each blueprint helps to
describe the blueprint. For example, W2K3x64–VM is a Windows Server 2003 x64
operating system for a virtual machine. The following are examples of blueprints:
- W2K3x64–VM
- W2K3x86–P
- W2K8x64–VM
- W2K8x86–P
2.8.2. Acme Company Example (Multi-tenant)
Introduction
The Acme Company, a hypothetical company, is an example of a multi-tenant
environment. The Acme Company hosts a cloud in which other tenants (TPA tenant and
Widget tenant) coexist in the environment.
Note: In the following examples, TPA and Widget are tenants in the same multi-tenant
system.
3850 6804–007 2–9

Introduction
The Secure Private Cloud for the Acme Company has the following structure:
• TPA
- Billing
- Inventory
- Sales
• Widget
- Billing
- Manufacturing
- Human Resources
All blueprints are grouped by tenant, and all blueprint names must be unique, as follows:
• TPA
- TPA_W2K3x64–VM
- W2K3x86–Phys
• Widget
- Widg_W2K8x64–VM
- W2K8x86–Phys
2.8.3. Projects, Departments, Accounts, and SubAccounts
The user interfaces associated with the Secure Private Cloud solution include the Secure
Private Cloud portal, uChargeback, and the Runbook Automation Database (RBADB).
The Secure Private Cloud portal is your interface for refining new blueprints and your
tenants’ interface for deploying new virtual machines, physical servers, and virtual
desktops. uChargeback includes a set of tools that help you collect and manage resource
usage data for both physical servers and virtual machines. RBADB stores the tenant- and
account-based information that supports various functions in the cloud environment,
including the following:
• Equating values between the Secure Private Cloud portal and uChargeback, enabling
these interfaces to be coordinated.
• Enforcing contract limits
• Enforcing snapshot limits
• Mapping tenant-side machine names and IP addresses to their management-side
machine name and IP address equivalents.
These interfaces use slightly different terms for tenants and projects, as shown in
Figure 2–1.
2–10 3850 6804–007

Figure 2–1. Projects, Departments, Accounts, and SubAccounts
Introduction
Tenant (Account) names must be unique across your entire cloud environment. (Tenants
cannot share a name with another tenant or with any project.)
Configuration data is added to the RBADB database, uChargeback, and the Secure Private
Cloud portal when you execute the Populator addTenant effector. This data is retrieved
from the tenant data worksheet. When you make changes, such as adding blueprints,
accounts, or projects, you must update the appropriate worksheet and run the Populator
updateTenant effector. Refer to Section 6, Creating and Managing Tenant Configurations,
for more information.
In the Secure Private Cloud portal, two tenants can use the same Project (SubAccount)
name, but uChargeback requires that all names be unique. RBADB serves as a link
between the portal and uChargeback. As shown in the previous example, when two or
more tenant Projects (SubAccounts) share the same name, the Populator automatically
adds a numerical suffix to the end of each duplicate project name. The version of the
Project name that includes the numerical suffix appears only in RBADB and uChargeback.
(In the Secure Private Cloud portal, the numerical suffix does not appear.) For example,
TenantA has a project named Accounting, while TenantB has a project named
Accounting01, and TenantC has a project named Accounting02.
Figure 2–2 illustrates the relationships between the Secure Private Cloud, uChargeback,
and RBADB in more detail.
3850 6804–007 2–11

Introduction
Figure 2–2. Comparison of Secure Private Cloud, uChargeback, and RBADB
Entities
2.8.4. Naming Guidelines for Components in the Cloud
Environment
Components in the cloud environment—including tenant, project, blueprint, and snapshot
names, as well as blueprint attributes for template names and OS type names—can
contain only the following characters.
Note: Host names for management VMs and physical servers and user names (including
COI Set names, if Stealth for Secure Private Cloud is included in your environment) are
more restrictive. Follow the guidelines in the Secure Private Cloud workbook when
creating host names, COI Set names, and user names.
• Alpha-numeric characters
• The following special characters:
- Space
- Hyphen (-)
- Underscore (_)
- Period (.)
2–12 3850 6804–007

- Ampersand (&)
- At sign (@)
Names can be no longer than 128 characters in length.
Introduction
3850 6804–007 2–13

Introduction
2–14 3850 6804–007

Section 3
Initial Configuration Tasks
Perform the procedures in this section to initially configure workstations to access the
Secure Private Cloud portal and also to configure the Secure Private Cloud portal Virtual
Host value.
3.1. Configuring a Workstation to Configure the
Secure Private Cloud Portal
To configure a workstation that can access and configure the Secure Private Cloud portal,
you must
• Configure the network connections
• Install the vSphere Client
• Install or configure a supported Web browser
• Optimizing the screen resolution
In addition, you might need to configure Windows File Explorer to view hidden files and
protected operating system files.
Configuring the Network Connections
To access and configure the Secure Private Cloud portal, the workstation must have direct
or indirect access to the Public Network. Additionally, the workstation must be able to
resolve the user-facing FQN of the Secure Private Cloud portal to the Public Network IP
address of the Secure Private Cloud portal. For example, the workstation could be
configured to use a DNS where the user-facing FQN of the Secure Private Cloud portal has
been registered. This is described in the Secure Private Cloud Implementation Guide.
Note: You must ensure that any workstation that end users use to access the Secure
Private Cloud portal must have direct or indirect access to the Public Network and be able
to resolve the user-facing FQN of the Secure Private Cloud portal.
To be able to connect to the management server and the vCenter server, the configuration
workstation must have direct or indirect access to the VMware Management Network.
For an overview of the networks in the Cloud Management Environment, see the
architectural and networking discussion in the Overview and Planning Guide (http://
www.support.unisys.com/spc/docs/spc-2.2/38506796-007.pdf#architecture).
3850 6804–007 3–1

Initial Configuration Tasks
Installing the vSphere Client
To configure the Secure Private Cloud portal, you must install the VMware vSphere Client
on the workstation so that you can connect to the management server and the vCenter
server to perform configuration tasks. To install this software, do the following:
1. Open a browser window and connect to the management server.
You see a Security Warning indicating that the certificate is untrusted.
2. Do one of the following:
• Ignore this warning and continue to the Web page.
• View the certificate.
• Install the certificate.
3. On the VMware ESXi Server Welcome page, click the link to download the vSphere
Client.
Installing or Configuring a Supported Web Browser
Ensure that one of the following browsers is installed on any workstation that accesses
the Secure Private Cloud portal:
• Internet Explorer 8.0 or 9.0
• Mozilla Firefox 3.6 or higher
If you are using Internet Explorer 8.0 or 9.0, configure the following settings:
Note: Mozilla Firefox does not require additional configuration.
1. Ensure that Compatibility View is not selected on the Tools menu. (That is,
ensure that a check mark does not appear next to Compatibility View.) If Compatibility
View is selected, clear it.
2. Click Compatibility View Settings on the Tools menu. Do the following on the
Compatibility View Settings dialog box:
a. Verify that the URL of the Secure Private Cloud portal does not appear in the
″Websites you’ve added to Compatibility View″ box.
b. Clear all of the check boxes on the dialog box.
c. Click Close.
3. Add the URL for the Secure Private Cloud portal to your Trusted Sites list, as follows:
a. Click Internet Options on the Tools menu.
The Internet Options dialog box opens.
b. Select the Security tab, select Trusted sites, and click Sites.
The Trusted sites dialog box opens.
c. Enter the fully qualified name of the Secure Private Cloud portal (without the
protocol HTTP or HTTPs) from Table 2–2, and then click Add.
3–2 3850 6804–007

For example, enter SPC-Portal.Example.com, and then click Add.
d. Click Close.
4. Enable custom settings, as follows:
a. On the Security tab, select Trusted sites, and then click Custom level.
b. Scroll to the ActiveX controls and plug-ins category.
c. Ensure that the Enable check box for the following settings is selected:
• Binary and script behaviors
• Run ActiveX controls and plug-ins
• Script ActiveX controls marked safe for scripting
d. Scroll to the Scripting category.
e. Ensure that the Enable check box for Active scripting is selected.
f. Click OK.
5. If you are using Internet Explorer 8, close all open Internet Explorer windows to save
your changes.
If you are using Internet Explorer 9.0, configure the following additional settings:
a. Select Developer Tools on the Tools menu.
The Developer Tools page opens.
b. Clear the Script option in the Disable list.
c. Verify that the Browser Mode is set to IE9.
If it is not, select Internet Explorer 9 from the Browser Mode list.
Note: Do not select Internet Explorer 9 Compatibility View.
d. Verify that the Document Mode is set to IE9 standards.
If it is not, select Internet Explorer 9 standards from the Document Mode
list.
e. Clear Developer Tools on the Tools menu.
The Developer Tools page closes.
f. Close all open Internet Explorer windows to save your changes.
Optimizing the Screen Resolution
Initial Configuration Tasks
The Secure Private Cloud portal is optimized to work with the workstation screen
resolution set to 1024 × 768.
3850 6804–007 3–3

Initial Configuration Tasks
3.2. Inserting the Secure Private Cloud Portal Terms
of Use
A Terms of use link appears on the lower right of each Secure Private Cloud portal page.
This link should direct portal users to a document, which is issued by the Portal
Administrator entity, that outlines the acceptable usage and conduct on the portal.
To insert a Terms of Use document, do the following:
1. Open a console to the Secure Private Cloud portal management VM, and log in using
administrator credentials.
2. Using Windows Explorer, navigate to the following directory: C:\Unisys\liferay-portal-
6.0.6\tomcat-6.0.29\webapps\unisys-spg-portlet\WebHelp.
3. Map a network drive to the location of your TermsAndCondition.htm file.
4. Copy the file to the C:\Unisys\liferay-portal-6.0.6\tomcat-6.0.29\webapps\unisysspgportlet\WebHelp
folder.
5. Disconnect the network drive that you mapped
6. Log off the management VM.
For any workstation that you used to access the Secure Private Cloud portal previously,
you must clear your browser history, cache, cookies, and all other browser records.
CHECKPOINT:
1. From your workstation, sign in to the portal using cloud administrator credentials.
2. Click the Terms of Use link at the bottom right of the page, and verify that you see
the new terms of use.
3–4 3850 6804–007

Section 4
Creating VMware Template Gold Images
VMware template gold images are used by the Secure Private Cloud portal blueprints to
instantiate virtual machines for end users. This section describes how to use the VMware
templates provided by Unisys or how to create your own custom templates based on
various operating systems (Windows, Red Hat Enterprise Linux, or SUSE Linux).
The VMware templates you use must contain the required components and initial
configuration settings to enable blueprints to be successfully clone, customized, and
commissioned in the Secure Private Cloud environment.
To complete the procedures in this section, you must be familiar with the vSphere Client
virtual machine creation wizard. See the help provided with VMware vCenter for more
information. You should also be knowledgeable about the following:
• Assigning the number of virtual CPUs
• Designating memory size
• Assigning Vdisk capacity
• Attaching a VNIC to the appropriate VLAN
Note: Each virtual machine template must include only one VNIC.
• Creating an Administrator account
• Installing and configuring any additional software that is required for this template
4.1. Using Unisys Provided VMware Templates for
Windows
The Unisys Secure Private Cloud solution provides a set of Windows VMware templates
that can be used as a base for creating gold images. On these templates, the operating
system is installed and the firewall is configured.
Notes:
• Two templates are provided: one for Windows Server 2003 and one for Windows
Server 2008. If Stealth for Secure Private Cloud is included in your environment, two
additional Stealth-enabled templates are provided for Windows Servers 2003 and
Windows Server 2008. These Stealth-enabled templates are deployed during initial
implemenation by the Unisys service consultant.
• Unisys does not provide templates for Linux. You can create Red Hat Enterprise Linux
3850 6804–007 4–1

Creating VMware Template Gold Images
or SUSE Linux templates by performing the procedures in 4.2 Creating Custom
Windows VMware Templates and Creating Linux VMware Templates.
Perform the procedures in this topic to use the Unisys provided VMware templates.
4.1.1. Importing Unisys Provided Templates into vCenter
Perform the following procedure to import the Unisys provided VMware templates into
vCenter:
1. From the Management Server datastore, navigate to the Recovery Images folder.
2. Download the Target Templates folder to the workstation.
Wait until the download is complete before proceeding, and then close the datastore
window.
3. Launch the vSphere Client, connect to the vCenter server using its current host name
or IP address, and log in using the administrator user credentials in Table 2–1, for a
Unisys-supplied vCenter server, or Table 1–23, if you are using an existing vCenter
server in your environment that you provide.
4. Point to Deploy OVF Template on the File menu, and then click Deploy from
file.
The Deploy OVF Template wizard starts.
a. Click Browse, select one of the OVA files that you downloaded in step 2, and
then click Next.
b. Complete each page of the wizard, using the following guidelines:
• On the Name and Location page, select the inventory location using the
datacenter name from Table 1–11.
• On the Host / Cluster page, select the desired workload server or cluster.
• On the Resource Pool page, select the desired workload server or cluster.
Note: It is recommended that you do not select a resource pool.
• On the Datastore page, select a datastore that is visible to all the workload
servers where the template is intended to be used.
• On the Disk Format page, select Thin provisioned format.
• On the Network Mapping dialog, select the desired network.
c. On the Ready to Complete page, verify the selections, and then click Finish to
deploy the template.
5. Repeat the previous step to deploy additional templates or to deploy the templates to
additional workload servers or clusters.
6. If you are using the Windows Server 2003 template, do the following to prepare the
operating system:
a. If required, convert the template to a virtual machine.
b. Select the deployed virtual machine, click Edit Settings, select the Hardware
4–2 3850 6804–007

tab, click Network adapter 1, and ensure that the following settings are
accurate:
• Connect at Power on is enabled.
• Public Network is selected in the Network Connection list.
c. Power on the virtual machine, and then open a console to it.
The Windows Setup wizard starts.
d. Provide a valid volume license key so that the virtual machine can be used as a
template.
Note: This key should be supplied by the cloud provider and the value recorded
in Table 1–35 of the tenant worksheet.
Wait for the Windows Setup wizard to complete and Windows to start.
e. Log in to the Windows operating system when prompted.
Note: The password for the local administrator user in the Windows Server 2003
template is blank. Ensure that this password remains blank.
f. Apply all necessary Windows updates and patches.
g. Verify that the VMware Tools package is the latest available, and update this
package if required.
h. Shut down the virtual machine.
You now can clone the virtual machine for further customization.
7. If Stealth is included in your environment and you want to use the Stealth-enabled
Windows Server 2003 template, repeat the previous step to prepare the operating
system for that template.
Note: This template was deployed during initial implementation by the Unisys
service consultant.
8. If you are using the Windows Server 2008 template, prepare the operating system as
follows:
a. If required, convert the template to a virtual machine.
b. Select the deployed virtual machine, click Edit Settings, select the Hardware
tab, click Network adapter 1, and ensure that the following settings are
accurate:
• Connect at Power on is enabled.
• Public Network is selected in the Network Connection list.
c. Power on the virtual machine.
The Windows Setup wizard starts.
Creating VMware Template Gold Images
d. Log in to the operating system, using the Windows Administrator user password
from Table 2–1.
e. Apply all necessary Windows updates and patches. (You might be prompted to
activate your Windows operating system in order to complete these updates.)
3850 6804–007 4–3

Creating VMware Template Gold Images
f. Verify that the VMware Tools package is the latest available, and update this
package if required.
g. Shut down the virtual machine.
You now can clone the virtual machine for further customization.
9. If Stealth is included in your environment and you want to use the Stealth-enabled
Windows Server 2008 template, repeat the previous step to prepare the operating
system for that template.
Note: This template was deployed during initial implementation by the Unisys
service consultant.
4.1.2. Preinstalling Required Applications
An important goal is to shorten the amount of time that it takes to provide an operational
commissioned server. Therefore, in addition to installing and configuring the operating
system, you should generally preinstall and configure some set of applications on your
template. For example, this could be Apache Tomcat or Web services.
However, before installing any application software, you should first clone your existing
template and then install and configure the application software on the new clone. This
new clone becomes a new template for the specific application. The existing template is
retained in its original form for use with other application clones.
4.1.3. Converting to a Template
Do the following to convert the virtual machine to a template:
1. Shut down the operating system.
2. Click Edit Settings, set the CD/DVD device to use the Client Device, and then
click OK.
3. Right-click the virtual machine, and select Convert to Template under Template.
4.2. Creating Custom Windows VMware Templates
and Creating Linux VMware Templates
If you want to create custom Windows VMware templates for your environment (rather
than using the Unisys provided VMware templates), or if you want to create Red Hat
Enteprise Linux or SUSE Linux templates, perform the procedures in this topic.
4–4 3850 6804–007

4.2.1. Moving Template Configuration Images Folder
In preparation for creating your own template, do the following to move the configuration
images folders from the cloud management environment to the workload environment:
1. From a vSphere Client connected to the management server, browse to the datastore,
and download the Template Configuration Images folder to the workstation.
2. From a vSphere Client connected to the vCenter server, browse to the datastore, and
upload the Template Configuration Images folder.
Repeat as necessary to ensure that the folder is visible to all workload servers.
4.2.2. Configuring a Windows Target Template
Do the following to configure a new Windows target template using the Windows
installation media:
1. Do the following to create a virtual machine as VMware target template:
a. Using your vSphere Client, connect to the vCenter running on the vCenter server.
b. On one of the workload servers in Table 1–11, create a virtual machine that is to
become the template.
The template virtual machine must have a vNIC on your Public Network, which is
labeled the Public Network.
2. On the newly created virtual machine, select Edit Settings.
3. Connect a CD/DVD drive containing the Windows .iso image.
4. Select the Connect at power on check box.
5. Select the network adapter in the Hardware list on the left, ensure that Connect at
Power on is enabled, and then select the Public Network from the Network
Connection list on the right.
6. Power on the virtual machine and open a console to it.
The Windows Install wizard starts.
7. Complete the installation of the operating system, using the wizard. Note the
following key points.
a. Change the host name to a descriptive name.
b. Create a blank administrator password that will be used in the runbook.
Note: If you are loading Windows Server 2008, you cannot leave the password
blank. You can use any password for Windows Server 2008.
c. Enter a volume license key.
This key should be supplied by the cloud provider and the value recorded in
Table 1–35.
d. Leave the template out of a domain.
8. Disconnect the CD drive from the virtual machine.
Creating VMware Template Gold Images
3850 6804–007 4–5

Creating VMware Template Gold Images
9. Restart the virtual machine.
10. Log on to the virtual machine.
Note: The password for Windows Server 2003 virtual machines should be blank.
11. Apply all necessary Windows updates and patches.
12. Ensure that the Administrator user does not have the User cannot change
password option selected.
13. Install anti-virus software.
14. Install VMware Tools from Virtual Client. Do a complete installation of the VMware
tools (not a typical installation).
15. For environments in which one or more VLANs are configured and enabled, perform
the following depending on your environment:
For Windows Server 2003 and Windows XP
Copy the dns-setup.vbs script from the datastore to the root of the C:\ drive.
The dns-setup.vbs script is in the Win_2k3_Config.iso image, which is on the
datastore in the Template Configuration Images folder that was uploaded in
4.2.1 Moving Template Configuration Images Folder.
For Windows Server 2008
a. Edit the network adapter settings for the LAN connection attached to the VLAN
and ensure that the following two options are enabled (on the Advanced settings
DNS tab):
Register this connection’s addresses in DNS
Use this connection’s DNS suffix registration
Note: Ensure that the DNS suffix for this connection box is blank
b. Disable IPv6, as follows:
• Edit the network connection and ensure that Internet Protocol Version 6
(TCP/IPv6) is not selected.
• Run regedit and edit the following registry entry:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services
\TCPIP6\Parameters]
“DisabledComponents”=dword:ffffffff
c. If the optional Key Management Service (KMS) server role is set up in the
Secure Private Cloud environment, do the following:
• Copy the activate.vbs script from the datastore to the root of the C:\ drive.
The activate.vbs script is in the W2K8_Config.iso image, which is on the
datastore in the Template Configuration Images folder that was uploaded in
4.2.1 Moving Template Configuration Images Folder.
• Edit this script to contain the correct KMS server name.
16. Reboot the virtual machine if necessary.
4–6 3850 6804–007

Setting Firewall Exceptions for Windows Server 2003 and Windows XP
To set Firewall Exceptions for Windows Server 2003 or Windows XP, open a command
prompt, and enter the following commands:
• To enable ping commands:
netsh firewall set icmpsetting type=8
mode=ENABLE profile=ALL
• To enable Remote Desktop:
netsh firewall set service type=REMOTEDESKTOP
mode=ENABLE profile=ALL
Setting Firewall Exceptions for Windows Server 2008
For the Windows Server 2008 template, create and enable custom firewall exceptions for
ICMPv4 and ICMPv6 Echo Requests, as follows:
1. In the Windows Firewall with Advanced Security snap-in, click Inbound Rules in the
tree, and click New Rule in the Actions pane.
2. Click Custom, and then click Next.
3. Click All programs, and then click Next.
4. For Protocol type, select ICMPv4.
5. Click Customize next to Internet Control Message Protocol (ICMP)
settings.
6. Click Specific ICMP types.
7. Click Echo Request, click OK, and then click Next.
8. Under Which local IP address does this rule match? and For which remote
IP address does this rule match?, click either of the following:
• Any IP address
• These IP addresses
This value represents a set of IP addresses to which the instantiated virtual
machine will respond, if those IP addresses ping the virtual machine. The virtual
machine does not respond to pings from other IP addresses.
If you click These IP addresses, specify the IP addresses to which the virtual
machine will respond, click Add, and then click Next.
9. Verify that Allow the connection is selected, and then click Next.
10. Under When does this rule apply?, ensure that Domain, Private, and Public
are selected, and then click Next.
11. In the Name box, type a name for this rule. It is recommended that you create a rule
name that indicates that Echo has been enabled for ICMPv4 networks.
In the Description box, type an optional description.
12. Click Finish.
Creating VMware Template Gold Images
3850 6804–007 4–7

Creating VMware Template Gold Images
13. From the predefined Inbound Rules list, enable Remote Desktop for all profiles.
14. If your tenants require a template that consists of more than just the base operating
system, install and configure any additional software at this time.
Verifying the Remote Desktop Connection
Verify that the Remote Desktop Connection is enabled in the template.
Preinstalling Required Applications
An important goal is to shorten the amount of time that it takes to provide an operational
commissioned server. Therefore, in addition to installing and configuring the operating
system, you should generally preinstall and configure some set of applications on your
template. For example, this could be Apache Tomcat or Web services.
However, before installing any application software, you should first clone your existing
template and then install and configure the application software on the new clone. This
new clone becomes a new template for the specific application. The existing template is
retained in its original form for use with other application clones.
Making a Windows Template Stealth Ready
Note: This procedure is not required for the Unisys provided Stealth-enabled template.
If Stealth for Secure Private Cloud is included in your environment, and if you want to
make a custom Windows template Stealth ready, do the following:
1. Point to the CD/DVD icon on the tool bar, point to CD/DVD Drive 1, and click
Connect to ISO image on a datastore.
The Browse Datastores dialog box appears.
2. Browse to the datastore specified in the “Connection information for Workload
vCenter” section of Table 1–9, select the Stealth-Tenant-Server-Windowstemplate-.iso
file in the Stealth for SPC Configuration Images
folder, and then click OK.
Close the Autoplay dialog box, if it appears.
3. Open a command prompt, and enter the following commands:
D:
Run_SetUpTenantVM.bat
The setup file runs, restarts the template, and the login dialog box appears.
4. Enter the appropriate user name and password to sign into the virtual machine.
The Windows Activation dialog box appears.
5. Click Cancel.
Note: Do not enter a product key.
The virtual machine desktop appears.
4–8 3850 6804–007

6. Open File Explorer, browse to the C: drive, and then open the Results file using
Notepad.
The last line of the file has the following message:
Tenant VM setup complete.
7. Click the Drive icon on the toolbar, point to CD/DVD drive and click Disconnect
from datastore image.
The Disconnect Device dialog box opens.
8. Click Yes.
9. Shut down the virtual machine.
VNIC Restrictions
Each virtual machine template must include only one VNIC. This maintains network
security in your environment by preventing bridging across multiple network connections.
Converting to a Template
Do the following to convert the virtual machine to a template:
1. Shut down the operating system.
2. Click Edit Settings, set the CD/DVD device to use the Client Device, and then
click OK.
3. Right-click the virtual machine, and select Convert to Template under Template.
Testing the Windows Target Template
Note: Perform the following test if you have a flat network; otherwise, perform this test
after configuring the VLANs.
Do the following to test the template:
1. Unmount any CD image that is in the CD drive.
Creating VMware Template Gold Images
2. Shut down the virtual machine, set the CD/DVD device to Use Client Device, and
convert it to a template.
3. Deploy a virtual machine from the template, using the Deploy Template wizard. Enter
your preferred values in each page of the wizard using values from Table 1–27, except
that you must fill out the following pages as follows:
• On the Guest Customization page, select Customize Using the
Customization Wizard.
• On the Computer Name page, select Use the Virtual Machine Name, and
enter the tenant DNS domain name from Table 1–27 in the Domain Name box.
• On the DNS and Domain Settings page, enter the IP address for the tenant
Domain Name Server from Table 1–27 in the Primary DNS box, enter the tenant
3850 6804–007 4–9

Creating VMware Template Gold Images
DNS domain name from Table 1–27 in the DNS Search Path box, and then click
Add.
4. After the template deployment completes open a VMware console to the desktop of
the new virtual machine and wait until the log-on screen appears (this can take a few
minutes).
5. Log in using the default credentials.
4.2.3. Configuring a Red Hat Enterprise Linux Target Template
Do the following to configure a new Red Hat Enterprise Linux target template using the
installation media:
Note: The startup scripts for the Linux templates perform nonsecure DNS registration. If
the tenant-side DNS server requires secure DNS registration, you must modify the startup
scripts as appropriate for the tenant’s needs.
1. Do the following to create a virtual machine as VMware target template:
a. Using your vSphere Client, connect to the vCenter running on the vCenter server.
b. On one of the workload servers in Table 1–11, create a virtual machine that is to
become the template.
c. Assign the following attributes to the new virtual machine:
• A vNIC on your Public Network, which is labeled the Public Network
• At least 5 GB of disk space
• Guest Operating System value of Linux
• Version Red Hat Enterprise Linux 5 (32-bit) or Red Hat Enterprise Linux 5
(64-bit)
• Thin Provisioning enabled
Do not start the virtual machine at this time.
2. Select the deployed virtual machine, click Edit Settings, and do the following:
a. Select the network adapter on the Hardware tab, and select the desired network
for the virtual machine in the Network Label list.
b. Ensure that Connect at Power on is enabled.
c. Select the CD/DVD drive and click Client Device.
d. Click the Options tab, select Boot Options, and enter10,000 in the
Power-on Boot Delay box.
e. Click OK.
3. Open a console to the virtual machine, and then power on the virtual machine.
4. Click in the black area inside the console window, and press Esc to enter the boot
menu.
5. Press Ctrl+Alt to release the cursor.
4–10 3850 6804–007

6. Click the CD icon on the console, and select either CD image or ISO image as the
connection to the Red Hat installation media.
7. Click in the black area inside the console window, select CD-ROM Drive using the
down arrow, and then press Enter.
The Red Hat installation wizard begins.
8. Follow the wizard instructions to complete the installation of the operating system,
noting the following key points:
• Select Skip Entering Installation Number when prompted for an installation
number.
• Do the following on the Network Devices page:
a. Click Edit.
The Edit Interface dialog box appears.
b. Clear the IPv6 support check box, and then click OK.
The Edit Interface dialog box closes.
c. Select Manually under the Hostname label, and then enter a descriptive
host name, a period, and localdomain, as in the following example:
rh53x64-tmp.localdomain
• Set the root user’s password to the SysPrepVMAdminPwd value in
Table 1–12.
• When the Congratulations, the installation is complete message
appears, click the CD icon on the console, disconnect the CD or ISO image, and
then click Reboot.
• On the Set Up Software Updates page, select the No, I’d prefer to
register at a later time check box.
A prompt appears, asking Are you sure you don’t want to connect....
Select the No thanks, I’ll connect later check box.
• On the Create User page, leave the boxes blank and click Forward.
• When the It is highly recommended that a personal user account be
created warning appears, click Continue.
9. Log on to the virtual machine.
10. Install VMware Tools, as follows:
Creating VMware Template Gold Images
a. In the vSphere Client, right-click the virtual machine, point to Guest, click
Install/Upgrade VMware Tools, and then click OK.
The VMware Tools folder appears in the virtual machine desktop.
Note: Newer versions of VMware have automated the installation of the
VMware Tools. The remainder of this step applies only to older versions of
VMware.
b. In the VMware Tools folder, double-click the VMwareTools-.targ.gz file.
The VMwareTools-.tar.gz dialog box appears.
3850 6804–007 4–11

Creating VMware Template Gold Images
c. Click Extract.
The Extract dialog box appears.
d. Select Desktop in the Extract in Folder list, and then click Extract.
e. Close the VMwareTools-.targ.gz dialog box.
f. Run the Terminal application and enter the following command:
cd /root/Desktop/vmware-tools-distrib
g. Enter the following command:
./vmware-install.pl
The VMware Tools installation begins.
h. Accept all installation defaults until you see the prompt for the display size, and
then select the desired display size for your environment.
i. Delete the vmware-tools-distrib folder from the desktop.
j. Restart the virtual machine.
11. Configure the system to support your desired remote access technology, such as
SSH or VNC.
12. Reboot the virtual machine, if necessary.
13. Use vCenter to mount the RHEL_Config.iso file in the CD drive for the Red Hat
system.
The RHEL_Config.iso file is in the Template Configuration Images folder. Refer to
4.2.1 Moving Template Configuration Images Folder.
14. Copy the rc.local file from the CD to the folder /etc/rc.d, replacing the rc.local file that
already exists.
15. Ensure that the Allow executing file as a program permission is enabled for
the file, as follows:
a. Right-click the file, and then click Properties.
b. Select the Execute check box on the Permissions tab, and then click Close.
Making a Red Hat Enterprise Linux Template Stealth Ready
If Stealth for Secure Private Cloud is included in your environment, and if you want to
make a Red Hat Enterprise Linux template Stealth ready, do the following:
1. Click Applications on the task bar, point to Accessories, and click Terminal.
The username@host window opens.
2. Click the Drive icon on the toolbar (the rightmost icon), point to CD/DVD drive and
click Connect to ISO image on a datastore.
The Browse Datastores dialog box opens.
3. Browse to the datastore specified in the “Connection information for Workload
vCenter” section of Table 1–9, and open the Stealth for SPC Configuration
Images folder.
4–12 3850 6804–007

4. Browse to the following file, and click OK:
Stealth-Tenant-Server-RedHat-template-.iso
The CD/DVD drive icon appears on the desktop.
5. Double-click the CD/DVD drive icon.
A dialog box for the .iso file opens, showing the contents of the file.
6. In the Terminal window, enter the following command:
mount /dev/cdrom /mnt/cdrom
A message appears that the CD-ROM is write-protected and mounted as read-only.
Note: If this fails, create a mount directory using the following command, and then
repeat the previous step:
mkdir /mnt/cdrom/SetUpTenantVM.py
7. Enter the following command:
python /mnt/cdrom/SetUpTenantVM.py
The script runs and displays messages.
Wait for the setup process to complete.
8. Enter the following command to dismount the CD-ROM:
umount /mnt/cdrom
9. Close the CD/DVD drive window and close the Terminal window.
10. Right-click the CD/DVD icon on the desktop, and select Eject.
11. Click the Drive icon on the toolbar, point to CD/DVD drive and click Disconnect
from datastore image.
VNIC Restrictions
Each virtual machine template must include only one VNIC. This maintains network
security in your environment by preventing bridging across multiple network connections.
Preinstalling Required Applications
Creating VMware Template Gold Images
An important goal is to shorten the amount of time that it takes to provide an operational
commissioned server. Therefore, in addition to installing and configuring the operating
system, you should generally preinstall and configure some set of applications on your
template. For example, this could be Apache Tomcat or Web services.
However, before installing any application software, you should first clone your existing
template and then install and configure the application software on the new clone. This
new clone becomes a new template for the specific application. The existing template is
retained in its original form for use with other application clones.
3850 6804–007 4–13

Creating VMware Template Gold Images
Converting to a Template
Do the following to convert the virtual machine to a template:
1. Shut down the operating system.
2. Click Edit Settings, set the CD/DVD device to use the Client Device, and then
click OK.
3. Right-click the virtual machine, and select Convert to Template under Template.
Testing the Red Hat Enterprise Linux Target Template
Note: Perform the following test if you have a flat network; otherwise, perform this test
after configuring the VLANs.
Do the following to test the template:
1. Deploy a virtual machine from the template, using the Deploy Template wizard. Enter
your preferred values in each page of the wizard using values from Table 1–27, except
that you must fill out the following pages as follows:
• On the Guest Customization page, select Customize Using the
Customization Wizard.
• On the Computer Name page, select Use the Virtual Machine Name, and
enter the tenant DNS domain name from Table 1–27 in the Domain Name box.
• On the DNS and Domain Settings page, enter the IP address for the tenant
Domain Name Server from Table 1–27 in the Primary DNS box, enter the tenant
DNS domain name from Table 1–27 in the DNS Search Path box, and then click
Add.
• On the Ready to Complete page, disable the Power on this virtual
machine after creation option.
2. After the template deployment completes
a. Go to Edit Settings for the new virtual machine, and set the network adapter to
the tenant VLAN network label in Table 1–26.
b. Power on the new virtual machine.
c. Open a VMware console to the desktop of the new virtual machine and wait until
the log-on screen appears (this can take a few minutes), and then log in as root
using the SysPrepVMAdminPwd value from Table 1–12.
d. In the /etc/rc.d folder, open the runonce.log file and check for error messages. If
the DNS registration was successful, the file should have a line that includes the
following phrase:
status: NOERROR
3. Verify that the system was registered in the tenant-side DNS or in the uChargeback
DNS if the tenant did not supply a DNS.
4–14 3850 6804–007

If the tenant is using a Windows DNS, or if you are using the uChargeback DNS,
then you can verify registration as follows:
a. On the DNS, run DNS on the Administrative Tools menu.
b. In the left pane, expand the DNS host name node, expand the Forward
Lookup Zones node, and expand the domain name node.
c. In the right pane, verify that the host name for the Red Hat virtual machine
appears.
Note: If you were already running the DNS administrative tool, you might need
to refresh the computer list by clicking the domain name in the left pane and then
clicking Refresh on the Action menu.
4. Power down the virtual machine, and delete the virtual machine from the disk.
4.2.4. Configuring a SUSE Linux Target Template
Do the following to configure a new SUSE Linux target template using the installation
media:
Notes:
• The startup scripts for the Linux templates perform nonsecure DNS registration. If the
tenant-side DNS server requires secure DNS registration, you have to modify the
startup scripts as appropriate for the tenant’s needs.
• Stealth for Secure Private Cloud is not supported with SUSE Linux. If you want to
create a Stealth-enabled Linux template, you must use Red Hat Enterprise Linux. See
4.2.3 Configuring a Red Hat Enterprise Linux Target Template.
1. Do the following to create a virtual machine as VMware target template:
a. Using your vSphere Client, connect to the vCenter running on the vCenter server.
b. On one of the workload servers in Table 1–11, create a virtual machine that is to
become the template.
c. Assign the following attributes to the new virtual machine:
• A vNIC on your Public Network, which is labeled the Public Network
• At least 5 GB of disk space
• Guest Operating System value of Linux
• Version SUSE Linux Enterprise 10 or SUSE Linux Enterprise 11, 32-bit or
64-bit
• Thin Provisioning enabled
Do not start the virtual machine at this time.
2. Select the deployed virtual machine, click Edit Settings, and do the following:
a. Select the network adapter on the Hardware tab, and select the Public
Network for the virtual machine in the Network Label list.
b. Select the CD/DVD drive and click Client Device.
Creating VMware Template Gold Images
3850 6804–007 4–15

Creating VMware Template Gold Images
c. Click the Options tab, select Boot Options, and enter10,000 in the
Power-on Boot Delay box.
d. Click OK.
3. Open a console to the virtual machine, and then power on the virtual machine.
4. Click in the black area inside the console window, and press Esc to enter the boot
menu.
5. Press Ctrl+Alt to release the cursor.
6. Right-click the CD icon on the console, and select either CD image or ISO image as
the connection to the SUSE Linux installation media.
7. Click in the black area inside the console window, select CD-ROM Drive using the
down arrow, and then press Enter.
The SUSE Linux installation wizard begins.
8. Follow the wizard instructions to complete the installation of the operating system,
noting the following key points:
• On the Password for the System Administrator ″root″ page, set the
password to the value for SysPrepVMAdminPwd in Table 1–12.
• On the Hostname and Domain Name page, change the host name to a
descriptive name, but leave the domain name unchanged.
• On the Network Configuration page, clear the IPv6 check box.
• On the Test Internet Connection page, select the No, Skip This Test if the
virtual machine is not currently connected to a network with Internet access.
• On the User Authentication method page, select Local.
• On the New Local User page, leave the boxes blank and click Next.
• When the Empty User Login prompt appears, click Yes.
9. Log on to the virtual machine.
10. Install VMware Tools, as follows:
a. In the vSphere Client, right-click the virtual machine, point to Guest and then
Install/Upgrade VMware Tools, click Interactive Install, and then click
OK.
The VMware_Tools File Browser appears on the virtual machine desktop.
b. In the VMware_Tools folder, double-click the VMwareTools-.targ.gz file.
The VMwareTools-.targ.gz dialog box appears.
c. Click Extract.
The Extract dialog box appears.
d. Select Desktop in the Extract in Folder list, and then click Extract.
e. Close the VMwareTools-.tar.gz dialog box.
f. Run the Terminal application and enter the following command:
cd /root/Desktop/vmware-tools-distrib
4–16 3850 6804–007

g. Enter the following command:
./vmware-install.pl
The VMware Tools installation begins.
h. Accept all installation defaults until you see the prompt for the display size, and
then select the desired display size for your environment.
i. Delete the vmware-tools-distrib folder from the desktop.
j. Restart the virtual machine.
11. Configure the system to support your desired remote access technology, such as
SSH or VNC.
12. Reboot the virtual machine, if necessary.
13. Use vCenter to mount the SLES_Config.iso file in the CD drive for the SUSE Linux
system.
The SLES_Config.iso file is in the Template Configuration Images folder. Refer to
4.2.1 Moving Template Configuration Images Folder.
14. Copy the example spc_dns file from the CD to the folder /etc/init.d.
15. Run the Gnome Terminal and enter the following command:
cd /etc/init.d
16. Enter the following command to make the spc_dns script executable:
chmod 755 spc_dns
17. Enter the following command to cause the spc_dns script to run automatically after
every reboot:
insserv spc_dns
18. If you are using SUSE Linux Enterprise 10, then perform the following workaround
for the name resolution problem with “.local” domains, as follows:
VNIC Restrictions
Note: This is a known problem with Novell SUSE Linux 10. Do not perform this
workaround on SUSE Linux 11. Refer to the following link for more information:
http://www.novell.com/support/dynamickc.do?cmd=show&forward=nonthreadedKC
&docType=kc&externalId=3794674&sliceId=1
a. Using a text editor, open the file /etc/host.conf.
b. Insert a line with the following value:
mdns off
c. Save and close the file.
Creating VMware Template Gold Images
Each virtual machine template must include only one VNIC. This maintains network
security in your environment by preventing bridging across multiple network connections.
3850 6804–007 4–17

Creating VMware Template Gold Images
Preinstalling Required Applications
An important goal is to shorten the amount of time that it takes to provide an operational
commissioned server. Therefore, in addition to installing and configuring the operating
system, you should generally preinstall and configure some set of applications on your
template. For example, this could be Apache Tomcat or Web services.
However, before installing any application software, you should first clone your existing
template and then install and configure the application software on the new clone. This
new clone becomes a new template for the specific application. The existing template is
retained in its original form for use with other application clones.
Deleting MAC Addresses
Use the following steps to modify the network adapter configuration so that it does not
specify a MAC address. Otherwise, when a virtual machine is cloned from this template,
Linux renames the network adapter and the spc_dns script is unable to register in DNS.
To delete MAC addresses
1. In the folder /etc/sysconfig/network, locate a file with the name ifcfg-eth-id-
(such as ifcfg-eth id-00:50:56:8a:09:83) and change the filename to
ifcfg-eth0.
2. Edit the ifcfg-eth0 file. If the file includes a DEVICE assignment, change the value to
’eth0’. For example, if the assignment is
DEVICE=’eth2’
Change the assignment to
DEVICE=’eth0’
3. Open the following file for editing, if it exists:
/etc/udev/rules.d/30-net_persistent_names.rules
4. Delete any rules that are present in this file (that is, any statements that are not
preceded by a # comment character).
5. Delete the following file, if it exists:
/etc/udev/rules.d/70-persistent_net.rules
6. Immediately after performing step 5, shut the system down and convert it to a
template.
Note: If you mistakenly reboot the system after performing step 5, then you must
perform steps 3 through 5 again, because the rules in 30 net_persistent_names.rules
and 70-persistent_net.rules are regenerated automatically after each reboot.
4–18 3850 6804–007

Converting to a Template
Do the following to convert the virtual machine to a template:
1. Shut down the operating system.
2. Click Edit Settings, set the CD/DVD device to use the Client Device, and then
click OK.
3. Right-click the virtual machine, and select Convert to Template under Template.
Testing a SUSE Linux Target Template
Note: Perform the following test if you are not using VLANs to isolate tenant resources;
otherwise, perform this test after configuring the VLANs.
Do the following to test the template:
1. Deploy a virtual machine from the template, using the Deploy Template wizard. Enter
your preferred values in each page of the wizard using values from Table 1–27, except
that you must fill out the following pages as follows:
• On the Guest Customization page, select Customize Using the
Customization Wizard.
• On the Computer Name page, select Use the Virtual Machine Name, and
enter the tenant DNS domain name from Table 1–27 in the Domain Name box.
• On the DNS and Domain Settings page, enter the IP address for the tenant
Domain Name Server from Table 1–27 in the Primary DNS box, enter the tenant
DNS domain name from Table 1–27 in the DNS Search Path box, and then click
Add.
• On the Ready to Complete page, disable the Power on this virtual
machine after creation option.
2. After the template deployment completes
a. Go to Edit Setting for the new virtual machine, and set the network adapter to
the tenant VLAN network label in Table 1–26.
b. Power on the new virtual machine.
c. Open a VMware console to the desktop of the new virtual machine and wait until
the log-on screen appears (this can take a few minutes), and then log in as root
using the SysPrepVMAdminPwd value from Table 1–12.
d. In the /etc/init.d folder, open the spc_dns.log file and check for error messages. If
the DNS registration was successful, the file should have a line that includes the
following phrase:
status: NOERROR
Creating VMware Template Gold Images
3. Verify that the system was registered in the tenant-side DNS.
3850 6804–007 4–19

Creating VMware Template Gold Images
If the tenant is using a Windows DNS, then you can verify registration as follows:
a. On the domain controller, run DNS on the Administrative Tools menu.
b. In the left pane, expand the DNS host name node, expand the Forward
Lookup Zones node, and expand the domain name node.
c. In the right pane, verify that the host name for the SUSE Linux virtual machine
appears.
Note: If you were already running the DNS administrative tool, you might need
to refresh the computer list by clicking the domain name in the left pane and then
clicking Refresh on the Action menu.
4. Power down the virtual machine, and delete the virtual machine from the disk.
4.3. Preparing an Existing Virtual Machine or
Template for a Stealth-Enabled VLAN
Perform the following procedures to prepare an existing Windows or Red Hat Enterprise
Linux virtual machine or virtual machine template to run on a Stealth-enabled VLAN.
Note: Perform this procedure if you have an existing template in your environment that
meets the requirements of Secure Private Cloud but that has not yet been Stealthenabled.
(If you are using a Unisys provided template, do not perform this procedure;
instead, use the Unisys provided Stealth-enabled template. If you already performed the
procedure in Making a Windows Template Stealth Ready or Making a Red Hat Enterprise
Linux Template Stealth Ready, do not perform this procedure, since your template is
already Stealth ready.)
4.3.1. VNIC Restrictions
Each virtual machine template must include only one VNIC. This maintains network
security in your environment by preventing bridging across multiple network connections.
4.3.2. Preparing a Windows Virtual Machine or Template for a
Stealth-Enabled VLAN
You can prepare an existing Windows virtual machine or virtual machine template to run on
a Stealth-enabled VLAN (that is, make the template Stealth ready). Before starting the
following procedure, you can make a clone of the virtual machine or template if you want
to preserve it in its original form.
Notes:
• Making a virtual machine or template Stealth ready does not install Stealth for Secure
Private Cloud software. Instead, the procedure copies the files necessary for Stealth
for Secure Private Cloud software to be installed and configured.
• For Windows Server 2003 operating systems, ensure that the password for the local
administrator account on the virtual machine template is blank.
4–20 3850 6804–007

1. Open a vSphere Client, and log on to vCenter.
2. In the vSphere Client, select the Windows virtual machine or template that you want
to prepare for Stealth for Secure Private Cloud, and do the following:
a. Click Convert to a virtual machine in the Basic Tasks list.
The Convert Template to Virtual Machine dialog box opens.
b. Expand Host/Cluster, select the specific host, select the IP address, and click
Next.
The Resource Pool page appears.
c. Verify that a “validation succeeded” message appears in the Compatibility box,
and then click Next.
The Ready to Complete page appears.
d. Click Finish.
3. In the vSphere Client, select the Windows virtual machine, and click Power On the
virtual machine in the Basic Tasks list.
The virtual machine is powered on and the task changes to Power Off the virtual
machine.
4. Right-click the Windows virtual machine in the left pane, and do the following:
a. Click Open Console.
The Windows Template window opens and shows the virtual machine starting.
A progress bar appears and shows the startup steps.
When the startup process finishes, a login prompt appears, followed by the login
dialog box.
b. Enter the appropriate user name to sign into the virtual machine.
The Windows Activation dialog box appears.
c. Click Cancel.
Note: Do not enter a product key.
A restart message box appears.
d. Click Restart Later.
5. Set up directories and copy files for making the virtual machine or template Stealth
ready, as follows:
a. Point to the CD/DVD icon on the tool bar, point to CD/DVD Drive 1, and click
Connect to ISO image on a datastore.
The Browse Datastores dialog box appears.
Creating VMware Template Gold Images
b. Browse to the Stealth for SPC Configuration Images folder on the desired
datastore, and click the desired template ISO file.
c. If the Autoplay dialog box appears, click Run_SetUpTenantVM.bat.
Note: On some versions of Windows, this .bat file runs automatically.
3850 6804–007 4–21

Creating VMware Template Gold Images
The setup file runs, restarts the template, and the log in dialog box appears.
d. Enter the appropriate user name and password to sign into the virtual machine.
e. If the Windows Activation dialog box appears, click Cancel.
Note: Do not enter a product key.
The virtual machine desktop appears.
f. CHECKPOINT:
Open Windows Explorer, browse to the C: drive, and then open the Result.txt
file using Notepad.
Verify that the last line of the file displays the following message:
Tenant VM setup complete.
Close the Result.txt file.
g. Click the Drive icon on the toolbar, point to CD/DVD drive and click
Disconnect from datastore image.
The Disconnect Device dialog box opens.
h. Click Yes.
i. Click the Start menu, point to Log off, and click Shut down.
6. Configure the virtual machine, as follows:
a. Click Edit Settings on the VM menu.
The Virtual Machine Properties dialog box opens.
b. Click CD/DVD Drive 1 in the Hardware list in the left pane, and then click
Client Device in the right pane.
CD/DVD Drive 1 appears as edited in the left pane, with Client Device in
the Summary list.
c. Click Floppy drive 1 in the Hardware list in the left pane, and then click
Client Device in the right pane.
Floppy drive 1 appears as edited in the left pane, with Client Device in the
Summary list.
d. Click OK.
7. Close the console to the Windows virtual machine.
8. Right-click the Windows virtual machine in the left pane, point to Template, and
then click Convert to Template.
The Windows template is ready to be run or used for provisioning virtual machines running
the Windows operating system on a Stealth-enabled VLAN.
4–22 3850 6804–007

4.3.3. Preparing a Red Hat Enterprise Linux Virtual Machine or
Template for a Stealth-Enabled VLAN
You can prepare an existing Red Hat Enterprise Linux virtual machine or virtual machine
template to run on a Stealth-enabled VLAN (that is, make the template Stealth ready).
Before starting the following procedure, you can make a clone of the virtual machine or
template if you want to preserve it in its original form.
Note: Making a virtual machine or template Stealth ready does not install Stealth for
Secure Private Cloud software. Instead, the procedure copies the files necessary for
Stealth for Secure Private Cloud software to be installed and configured.
1. Open a vSphere Client, and log on to vCenter.
2. In the vSphere Client, select the Red Hat Enterprise Linux virtual machine or template
that you want to prepare for Stealth for Secure Private Cloud, and do the following:
a. Click Convert to a virtual machine in the Basic Tasks list.
The Convert Template to Virtual Machine dialog box opens.
b. Expand Host/Cluster, select the specific host, select the IP address, and click
Next.
The Resource Pool page appears.
c. Verify that a “validation succeeded” message appears in the Compatibility box,
and then click Next.
The Ready to Complete page appears.
d. Click Finish.
3. In the vSphere Client, select the Red Hat Enterprise Linux virtual machine, and click
Power On the virtual machine in the Basic Tasks list.
The virtual machine is powered on and the task changes to Power Off the virtual
machine.
4. Right-click the Red Hat Enterprise Linux virtual machine in the left pane, and do the
following:
a. Click Open Console.
The Red Hat Template window opens and shows the virtual machine starting.
A progress bar appears and shows the startup steps.
Creating VMware Template Gold Images
When the startup process finishes, a login prompt appears, followed by the login
window.
b. Enter the appropriate user name, followed by the appropriate password, to sign
into the virtual machine.
3850 6804–007 4–23

Creating VMware Template Gold Images
5. Set up directories and copy files for making the virtual machine or template Stealth
ready, as follows:
a. Click Applications on the task bar, point to Accessories, and click Terminal.
The username@host window opens.
b. Click the Drive icon on the toolbar (the rightmost icon), point to CD/DVD drive
and click Connect to ISO image on a datastore.
The Browse Datastores dialog box opens.
c. Browse to the “Stealth for SPC Configuration Images” folder on the datastore
referenced in the Connection Information for Workload vCenter section of
Table 1–9.
d. Select the Stealth-Tenant-Server-RedHat-template-.iso file,
and then click OK
The CD/DVD drive icon appears on the desktop.
e. Double-click the CD/DVD drive icon.
A dialog box for the .iso file opens, showing the contents of the file.
f. Enter the following command:
mount /dev/cdrom /mnt/cdrom
A message appears that the CD-ROM is write-protected and mounted as readonly.
Note: If this fails, create a mount directory using the following command:
mkdir /mnt/cdrom
g. Enter the following command:
python /mnt/cdrom/SetUpTenantVM.py
The script runs and displays messages.
Wait for the setup process to complete.
h. Enter the following command to dismount the CD-ROM:
umount /mnt/cdrom
i. Click the Drive icon on the toolbar, point to CD/DVD drive, and then click
Disconnect from datastore image.
6. Configure the virtual machine, as follows:
a. Click Edit Settings on the VM menu.
The Virtual Machine Properties dialog box opens.
b. Click CD/DVD Drive 1 in the Hardware list in the left pane, and then click
Client Device in the right pane.
CD/DVD Drive 1 appears as edited in the left pane, with Client Device in
the Summary list.
c. Click Floppy drive 1 in the Hardware list in the left pane, and then click
Client Device in the right pane.
4–24 3850 6804–007

Floppy drive 1 appears as edited in the left pane, with Client Device in the
Summary list.
d. Click OK.
7. Close the Red Hat Template window.
The Virtual Machine Question dialog box appears.
8. Click Yes to disconnect, and then click OK.
9. In the vSphere Client, select the Red Hat Enterprise Linux virtual machine in the left
pane, click Shut Down Guest in the Basic Tasks list, and then click Yes to
confirm.
The virtual machine is powered off.
10. Select the Red Hat Enterprise Linux template in the left pane, click Convert to a
template in the Basic Tasks list.
The Red Hat Enterprise Linux virtual machine or template is ready to be run or used for
provisioning virtual machines running the Linux operating system on a Stealth-enabled
VLAN.
4.4. Importing Tenant VLAN Network Appliance and
Load Balancer Templates
Specialized virtual machine templates are provided with the Secure Private Cloud
environment to isolate tenant traffic using VLANs and to enable load balancing. You can
import these templates, depending on your cloud environment.
Do the following to import these templates:
Creating VMware Template Gold Images
1. Locate the following templates in the “Recovery Images\Tenant VLAN Appliances”
folder on the management server datastore or the SAN:
• A tenant VLAN network appliance template, which enables you to isolate tenant
network traffic using VLANs (Tenant-VLAN-NetAppliance.ova)
• A template for load balancing Web applications (Tenant-Load-Balancer.ova)
2. Download the .ova file or files to the configuration workstation.
3. Using vSphere, connect to the vCenter server that is managing the workload servers.
4. To deploy the tenant VLAN network appliance template, do the following:
a. On the vSphere File menu, point to Deploy OVF Template.
b. Browse to the Tenant-VLAN-NetAppliance.ova file that you downloaded to the
configuration workstation.
3850 6804–007 4–25

Creating VMware Template Gold Images
c. Complete each page of the wizard, supplying appropriate values when prompted.
• At the prompt for a datastore, select the datastore to which you want to
deploy the appliance.
The best practice is to deploy to a SAN storage datastore. Select a datastore
that can be accessed from all the workload servers.
Note: If there is only one datastore, you are not prompted to select a
datastore.
• At the prompt for a disk format, select Thin Provisioned Format.
• On the Network Mapping dialog box, accept all the default values.
These settings are modified when you deploy a tenant VLAN network
appliance later in the configuration process.
d. Click Next several times, and then click Finish.
The import process begins.
5. To deploy the template for load balancing Web applications, do the following:
a. On the vSphere File menu, point to Deploy OVF Template.
b. Browse to the Tenant-Load-Balancer.ova file that you downloaded to the
configuration workstation.
c. Answer any prompts as appropriate for your environment.
6. For each network adapter, use the Edit Settings option to ensure that the network
adapters do not have the “Connect at power on” option enabled.
7. If you are deploying the tenant VLAN network appliance (Tenant-VLAN-
NetAppliance.ova), and if your workload servers are running VMware ESXi 5.x, then
you must install the VMware Tools 5.0 in this template. Perform the procedure in
4.5 Installing VMware Tools 5.0 in the Tenant VLAN Network Appliance, and then
return to this procedure.
Note: If you are only deploying the Tenant-Load-Balancer.ova, you do not need to
install the VMware Tools 5.0. If your workload servers are running VMware ESX or
ESXi 4.x or earlier, you do not need to install the VMware Tools 5.0. Simply proceed to
the next step.
8. Use vSphere to convert the virtual machines into templates.
You use these templates to deploy a new tenant VLAN network appliance (as described in
Section 5, Implementing a New Tenant VLAN), or to deploy a tenant load balancer (as
described in 8.3 Configuring an HAProxy Load Balancer for Web Applications).
4.5. Installing VMware Tools 5.0 in the Tenant VLAN
Network Appliance
Note: Perform this procedure if the workload servers are running VMware ESXi 5.x.
4–26 3850 6804–007

Do the following to install the VMware Tools 5.0 in the tenant VLAN network appliance:
1. Open a vSphere Client, and log on to vCenter.
2. Open a console to the tenant VLAN network appliance (Tenant-VLAN-NetAppliance),
power it on, and log in using the credentials from Table 2–1.
3. Enter the following command to uninstall the existing version of the VMware Tools:
sudo /home/vyatta/vmware-tools-distrib/bin
/vmware-uninstall-tools.pl
4. Accept the default values for any prompts you receive.
5. Enter the following command to completely delete the existing version of the
VMware Tools installation software:
sudo rm –rf VMwareTools-8.6.5-621624.tar.gz
vmware-tools-distrib
6. Enter the following command to reboot the tenant VLAN network appliance:
sudo reboot
7. After the tenant VLAN network appliance reboots, on the VM menu, point to
Guest, and then click Install/Upgrade VMware Tools.
8. If the Install/Upgrade Tools dialog box appears, select Interactive Tools
Upgrade, and then click OK.
9. Return to the console for the tenant VLAN network appliance, and log in again using
the credentials from Table 2–1.
10. Enter the following command to create a mount point for the ISO image that
VMware has connected to the virtual CD-ROM drive:
sudo mkdir /mnt/tools
11. Enter the following command to mount the CD-ROM ISO image:
sudo mount /dev/cdrom /mnt/tools
12. Enter the following command to change the working directory to the Vyatta home
directory:
cd /home/vyatta
13. Enter the following command to extract the VMware Tools 5.0 installation directory
from the tar.gz file on the CD-ROM ISO image:
tar -xvf /mnt/tools/VMwareTools-*.tar.gz
Note: Entering the wildcard character (*) in the command simplifies the installation,
because you do not have to enter the exact version of VMware ESXi running on the
workload server.
14. Enter the following command to change to the VMware Tools installation directory:
cd /home/vyatta/vmware-tools-distrib
15. Enter the following command to run the VMware Tools installer program:
sudo ./vmware-install.pl
16. Accept the default values for any prompts you receive.
Creating VMware Template Gold Images
3850 6804–007 4–27

Creating VMware Template Gold Images
17. Use the sudo vi text editor to edit the /etc/pam.d/vmtoolsd file, and replace the
entire contents of that file with the following three lines:
#%PAM-1.0
auth required /lib/security/pam_unix.so shadow nullok
account required /lib/security/pam_unix.so
18. CHECKPOINT:
Do the following:
a. Return to the vSphere Client.
b. Click Tenant-VLAN-NetAppliance in the left pane, and then select the
Summary tab in the right pane.
The value for VMware Tools under General should now be Running
(Current). .
19. Return to the VMware console for the tenant VLAN network appliance, and enter the
following command to copy the saved config.boot file into the Vyatta configuration
folder:
cp /etc/Unisys/config.boot.orig
/opt/vyatta/etc/config/config.boot
20. Enter the following command to shut down and power off the tenant VLAN network
appliance:
sudo shutdown –hP now
21. Edit the virtual machine settings and set the CD/DVD device to Client Device.
22. Use vSphere to convert the virtual machine into a template.
4.6. Preparing the vCenter Server to Sysprep the
Target Template (Windows Server 2003 and
Windows XP Only)
Note: Sysprep tools are included with Windows Server 2008, Windows Vista, and
Windows 7 operating systems, so you can skip this procedure if you are configuring these
types of virtual machines.
If you are using an existing vCenter server that you provided, you must perform this
procedure from that vCenter server’s desktop. If you are using a Unisys-supplied vCenter
with a vSphere Client connected to the management server, open a console to the
vCenter server management VM. Do the following:
1. Access the VMware knowledge base article ″Sysprep file locations and versions″ at
the following URL: http://kb.vmware.com/kb/1005593.
2. Follow the directions in that article to install the Sysprep files for the versions of
Windows Server 2003 or Windows XP that you plan to use on your virtual machines.
4–28 3850 6804–007

Notes:
Creating VMware Template Gold Images
• For Windows XP x64 operating systems, you must use the Windows Server 2003
x64 Sysprep files.
• For Windows Server 2003 operating systems, ensure that the password for the local
administrator account on the virtual machine template is set to blank (″”).
3850 6804–007 4–29

Creating VMware Template Gold Images
4–30 3850 6804–007

Section 5
Implementing a New Tenant VLAN
This topic describes the procedures required to implement a new tenant VLAN, including
the manual configuration that must be performed on the Management Network Appliance
(the network appliance for the management server) and on the tenant VLAN network
appliance.
Each tenant can have one or more tenant VLAN network appliances; tenants cannot share
appliances. (All VLANs on a single appliance must belong to the same tenant.) Each tenant
VLAN network appliance can support up to seven different VLANs. Traffic on each VLAN is
isolated from all the other VLANs, even those connected to the same appliance.
When you add a new VLAN for an existing tenant, you have the option of adding a new
tenant VLAN network appliance or adding the new VLAN to one of the tenant’s existing
appliances.
Perform the procedures in this section to create VLANs for new tenants or to create new
VLANs for existing tenants.
3850 6804–007 5–1

Implementing a New Tenant VLAN
Figure 5–1 shows logical VLAN connections and IP addresses. Use this example when
configuring a new VLAN.
Figure 5–1. Logical VLAN Connections
5.1. Configuring a DNS or Alternative for the Tenant
A tenant might or might not have a DNS. A DNS in the cloud environment must support
nonsecure dynamic DNS updates. Refer to Table 1–27 to determine whether a particular
tenant has its own DNS, and then perform one of the following procedures:
• 5.1.1 Configuring the Tenant DNS
If the tenant has a DNS, refer to this procedure for an example of how to complete this
configuration.
• 5.1.2 Configuring the uChargeback Management VM if Tenants Do Not Have a DNS
If a tenant does not have a DNS, or if the tenant DNS cannot support nonsecure
dynamic DNS updates, perform this procedure to configure the uChargeback
management VM to act as the DNS for the tenant VLAN.
5–2 3850 6804–007

Note: If you previously configured the uChargeback management VM to act as the
DNS for another tenant and you want to use the same zone for the new tenant, you
might not have to perform this procedure.
5.1.1. Configuring the Tenant DNS
To enable the target virtual machines to register with the tenant’s internal DNS, the
tenant’s internal DNS must provide a forward lookup zone for the tenant and must support
nonsecure dynamic DNS updates.
For example, if the tenant’s internal DNS is a Windows Server 2008 system, then you can
configure it as described in the following procedure. Adapt this procedure for the tenant’s
specific type of DNS.
Do the following:
1. Launch DNS Manager by clicking Start, pointing to Administrative Tools, and
then clicking DNS.
2. In the left pane, expand the DNS node, expand the node, and
expand the Forward Lookup Zones node.
3. Under ForwardLookupZones, check to see if the tenant DNS domain name from
Table 1–27 is already listed.
4. If the domain name is not listed, do the following:
a. Right-click ForwardLookupZones and add the new zone.
b. In the New Zone Wizard, on the Dynamic Update page, select Allow both
nonsecure and secure dynamic updates.
c. Complete the New Zone Wizard.
If the domain name is already listed, then do the following:
a. Right-click the node, and click Properties.
b. Click the General tab.
c. Select Nonsecure and Secure in the Dynamic Updates list.
d. Click OK.
Implementing a New Tenant VLAN
5.1.2. Configuring the uChargeback Management VM if Tenants
Do Not Have a DNS
If the tenant you are configuring does not supply a DNS that can support secure and
nonsecure dynamic updates, you must configure a tenant-side DNS zone in the
uChargeback management VM to provide this functionality for the tenant commissioned
virtual machines to use. Perform the following procedure for each tenant, or once for all
tenants that do not provide a DNS.
3850 6804–007 5–3

Implementing a New Tenant VLAN
Note: The best practice is to configure one DNS zone per tenant. (This enables easier
debugging and tenant offboarding, if necessary.) This zone is not accessible from the
tenant’s home network.
Caution
The tenant-side DNS zone is required. The tenant virtual machines might not
use the DNS zone directly, and the management VMs do not use the DNS zone
directly, but it is required for the management-side DNS zone (which enables
communication between management VMs and commissioned machines) to
be updated properly.
If any tenants do not have a DNS, or if any tenant DNS cannot support nonsecure dynamic
DNS updates, do the following.
Note: To determine if the tenant has a DNS, see Table 1–27.
1. On the uChargeback management VM, open the DNS manager.
2. Add a new zone to DNS on the uChargeback management VM using values from
Table 1–27, as follows:
a. Right-click Forward Lookup Zones in the left pane, and click New Zone. Do
the following:
• Enter a Primary zone, using the tenant DNS domain name.
For example, the primary zone name might be NoDNS.TenantName.Local.
Note: The zone name
- Must match the Tenant DNS Domain name in Table 1–27
- Must contain at least one period character
- Must not be a zone that could be resolved externally
• Select the Allow both nonsecure and secure dynamic updates
option.
Wait for the zone to be created and appear in the left pane.
b. Select the new zone in the left pane, right-click the zone, and click New Host in
the Options list.
The New Host dialog box opens. Do the following:
• Enter the host name of the uChargeback management VM.
• Enter the IP address of the uChargeback management VM on the Intercom
Network, using the value in Table 1–27.
• Do not create an associated PTR record.
c. Click Add Host to create the host record.
5–4 3850 6804–007

d. Click Done to exit the New Host dialog box.
3. Set the properties of the new zone, as follows:
a. Right-click the new zone in the left pane, and click Properties.
The Properties dialog box opens.
b. Click the Start of Authority (SOA) tab, click the Primary server box, and
enter the host name of the uChargeback management VM with the DNS suffix of
the new zone.
For example, enter my-uChrg.NoDNS.TenantName.Local.
c. Click the Name Servers tab, click the name that is displayed, and then click
Edit.
d. Click the Server Fully Qualified Domain Name (FQDN) box, and enter the
same name as you entered on the Start of Authority (SOA) tab.
e. Click the IP Address box, and enter the Intercom IP address of the uChargeback
management VM in Table 1–27, and then press Enter.
Note: Enter the same IP address as when you added the uChargeback
management VM to this DNS zone previously.
The address should appear under your entry with a green check mark.
f. Click OK to exit the Properties dialog box.
4. Exit the DNS manager.
The new zone name is
Implementing a New Tenant VLAN
• Added to the tenant properties in RBADB when you perform the procedure in
6.1 Updating Cloud Provider or Adding Tenant Information in the Secure Private Cloud
Environment
• Set as the DNS suffix in the virtual machines that are commissioned for this tenant
5.2. Configuring Workload Servers for VLAN
Networking
You must configure each workload server on which the new tenant virtual machines will
run to connect to the new tenant VLAN and to the Tenant Interconnect port group. (The
Tenant Interconnect port carries traffic to and from each tenant’s own internal network.)
You might do this for all workload servers in the environment or only those servers in a
particular cluster.
Note: If the tenant has multiple VLANs, they all share the same Tenant Interconnect. If
you previously created a Tenant Interconnect for this tenant, you do not have to create
another Tenant Interconnect.
3850 6804–007 5–5

Implementing a New Tenant VLAN
5.2.1. Understanding Workload Server Networking Connection
Options
There are several ways that you can configure workload servers to access these
networks, as follows:
• By dedicating a physical NIC (or team of NICs) per workload server to a network
• By defining VLANs and sharing use of a physical NIC (or team of NICs)
When VLANs are defined, the following are two main ways the VLANs can be
configured using VMware:
- Distributed virtual network switch (formerly known as vNetwork Distributed
Switch)
This procedure is the preferred method, because it enables you to configure the
port groups across multiple workload servers at one time. However, you can
perform this procedure only on workload servers with vSphere 4.0 or higher that
have the license feature “Distributed Virtual Switch.” (This feature requires the
vSphere Enterprise Plus license.)
Note: You can create distributed virtual network switches only for workload
servers with free physical network adapters; that is, network adapters that are not
already used by virtual switches. If the workload server has a hardware limitation
on the number of physical adapters, and the same physical adapter is used to
connect to the Management Access Network, the Public Network, tenant VLANs,
and the Tenant Interconnect, then you can use the same distributed virtual
network switch to create port groups to access all these networks.
- vSwitch virtual machine port groups
This procedure is an alternate method to create vSwitch virtual machine port
groups. It is not the preferred method, because it requires you to perform the
same procedure on each workload server, which can be time-consuming and
error-prone.
5.2.2. Configuring Access to Tenant VLAN Networks and Tenant
Interconnect
Perform one of the following procedures for each tenant VLAN network and for the Tenant
Interconnect.
Notes:
• If the tenant has multiple VLANs, they all share the same Tenant Interconnect. If you
previously created a Tenant Interconnect for this tenant, you do not have to create
another Tenant Interconnect.
• If you are using Stealth for Secure Private Cloud in your environment, then for each
tenant VLAN that is Stealth-enabled, you must create an associated clear text VLAN
using the Stealth clear text VLAN ID and Stealth encrypted network label values from
Table 1–26. You are directed to do this in the following procedures.
5–6 3850 6804–007

• For a physical NIC: Option 1: Using a Dedicated Physical NIC to Access a Tenant VLAN
Network or Tenant Interconnect
• For a VLAN using a distributed virtual network switch (formerly known as vNetwork
Distributed Switch): Option 2: Using a Distributed Switch to Access a Tenant VLAN
Network or Tenant Interconnect
• For a VLAN using workload server-specific vSwitch virtual machine port groups:
Option 3: Creating vSwitch Virtual Machine Port Groups to Access a Tenant VLAN
Network or Tenant Interconnect
You can use different methods when configuring each network. For example, you can
configure one network with a physical NIC and then configure a Distributed Virtual
Network Switch for another network.
Option 1: Using a Dedicated Physical NIC to Access a Tenant VLAN
Network or Tenant Interconnect
If you want to use a dedicated physical NIC to configure access to a tenant VLAN network
or the Tenant Interconnect, do the following for each network you want to use a physical
NIC on each workload server in Table 1–26.
Note: If you want to use a Distributed Virtual Network Switch or workload server-specific
vSwitch virtual machine port groups instead, you can skip this procedure.
1. Using vSphere, connect to the vCenter server.
2. Select the workload server in the left pane, and select the Configuration tab in the
right pane.
3. Select Networking.
4. Locate the switch that connects to the physical NIC you want to use.
5. Select Properties.
6. Select VM Network and click Edit.
7. For a tenant VLAN network, change the Network Label to the tenant VLAN network
label from Table 1–26. For the Tenant Interconnect, change the Network Label to
Interconnect.
8. Click OK and then Close.
Implementing a New Tenant VLAN
9. For each Stealth-enabled tenant VLAN, repeat this procedure for the clear text VLAN
associated with this tenant VLAN, which is specified in Table 1–26.
10. Repeat this procedure for the other workload servers that have access to this
network.
3850 6804–007 5–7

Implementing a New Tenant VLAN
Option 2: Using a Distributed Switch to Access a Tenant VLAN
Network or Tenant Interconnect
If you want to use a distributed virtual network switch to configure access to a tenant
VLAN network or the Tenant Interconnect, do the following for each network you want to
use a distributed switch. You can create a new distributed switch or add additional port
groups to an existing distributed switch.
Notes:
• If you already performed the previous procedure to use a physical NIC, or if you want
to use workload server-specific vSwitch virtual machine port groups instead, you can
skip this procedure.
• The distributed virtual network switch was formerly known as vNetwork Distributed
Switch in VMware. In this procedure, it is simply referred to as a distributed switch.
1. Using vSphere, connect to the vCenter Server that is managing the workload servers
for which you want to create a distributed switch or add additional port groups to an
existing switch.
2. If you want to add additional port groups to an existing distributed switch, skip to the
next step.
If you want to create a new distributed switch, do the following:
a. Point to Inventory on the View menu, and click Networking.
The Networking Inventory page appears.
b. In the left pane, select the datacenter where the workload servers are located.
c. Point to Datacenter on the Inventory menu, and click New vSphere
Distributed Switch.
The Create vSphere Distributed Switch wizard appears.
d. If you are prompted for the distributed switch version, select 4.0, 4.1.0, or
5.0.0.
All these levels are supported.
e. In the Name box, enter a name for the new distributed switch in Table 1–22.
f. In the Number of dvUplink Ports box, select the number of ports in
Table 1–22, and then click Next.
Each dvUplink port represents one physical network adapter. Set the value to
represent the number of physical network adapters for all workload servers that
you want to include in the distributed switch.
g. Select Add now, and select the check boxes for each workload server and
physical adapter that you want to add to the distributed switch.
Note: You can add only free physical adapters (that is, network adapters that are
not already used by virtual switches) to a distributed switch.
h. Click Next.
i. Clear the Automatically create a default port group check box.
5–8 3850 6804–007

j. Click Finish.
3. From the vSphere Client connected to the vCenter Server, in the Networking View,
right-click the distributed switch node in the left pane and click New Port Group.
The Create Distributed Virtual Port Group dialog box appears.
4. Enter a name for the port group in the Name box, as follows:
• If you are configuring the tenant VLAN, use the Tenant VLAN network label
value in Table 1–26.
Note: It is recommended that you include the VLAN ID as part of the name, so
that you can easily identify the port group with which it is associated.
• If you are configuring the Tenant Interconnect, type
Interconnect.
5. Adjust the value in the Number of ports box to indicate the number of virtual
machines that can connect to this VLAN, according to the tenant’s requirement.
The number of ports is listed in Table 1–26.
For the Tenant Interconnect, set this number to a value at least as large as the number
of tenant VLANs that will be associated with the network appliance multiplied by 7,
plus 2. (For example, for three network appliances, set this number to 23 or higher.)
Note: Each vCenter has a limitation of 30,000 distributed virtual network switch
ports.
6. Select VLAN in the VLAN type list.
7. Enter the VLAN ID. If you are configuring the tenant VLAN, use the Tenant VLAN
ID value in Table 1–26. If you are configuring the Tenant Interconnect, use the Tenant
interconnect VLAN ID value in Table 1–27.
8. Click Next and then Finish.
Implementing a New Tenant VLAN
9. For each Stealth-enabled tenant VLAN, repeat Steps 3 through 8 for the clear text
VLAN associated with this tenant VLAN, which is specified in Table 1–26.
Note: The Create Distributed Virtual Port Group dialog box allows you to specify
only limited configuration. You can modify additional configuration after the dvPort group is
created by right clicking the port group in the left pane and editing its settings.
Option 3: Creating vSwitch Virtual Machine Port Groups to Access a
Tenant VLAN Network or Tenant Interconnect
If you want to use a vSwitch virtual machine port group to configure access to a tenant
VLAN or the Tenant Interconnect network do the following for each network you want to
use a vSwitch virtual machine port group on each workload server in Table 1–11.
Note: If you already performed the previous procedures to use a physical NIC or
distributed virtual network switch, you can skip this procedure.
3850 6804–007 5–9

Implementing a New Tenant VLAN
1. Do the following to open the Networking configuration view for the workload server:
a. In the vSphere Client, connect to the vCenter server.
b. From the View menu, click Inventory, then click Hosts and Clusters.
c. In the left pane, select a workload server.
d. In the right pane, click the Configuration tab.
e. In the Hardware group, click Networking.
2. If the vSwitch you want to use does not exist, do the following to create a new switch
and configure it.
Note: If the vSwitch already exists, do not perform this step. Perform the following
step instead.
a. Click Add Networking, which is located near the top right of the right pane.
The Add Network Wizard opens.
b. On the Connection Type page, choose Virtual Machine.
c. On the Virtual Machines – Network Access page, choose Create a
virtual switch, and select the check box next to an available virtual machine NIC
(vmnic).
d. On the Virtual Machines – Connection Settings page, enter a name for the
VLAN in the Network Label box, as follows:
• If you are configuring the tenant VLAN, use the Tenant VLAN network
label value in Table 1–26.
Note: It is recommended that you include the VLAN ID as part of the name,
so that you can easily identify the port group with which it is associated.
• If you are configuring the Tenant Interconnect, type
Interconnect.
e. Enter the VLAN ID. If you are configuring the tenant VLAN, use the Tenant
VLAN ID value in Table 1–26. If you are configuring the Tenant Interconnect, use
the Tenant interconnect VLAN ID value in Table 1–27.
f. On the Ready to Complete page, click Finish.
3. If the vSwitch you want to use already exists, on the Networking Configuration tab, do
the following.
Note: If the vSwitch you want to use does not already exist, perform the preceding
step instead to create and configure a new switch.
a. Click Properties for the vSwitch.
The vSwitch Properties dialog box appears.
b. Click Add.
The Add Networking Wizard appears.
c. On the Connection Type page, choose Virtual Machine.
5–10 3850 6804–007

d. On the Virtual Machines – Connection Settings page, enter a name for the
VLAN in the Network Label box, as follows:
• If you are configuring the tenant VLAN, use the Tenant VLAN network
label value in Table 1–26.
Note: It is recommended that you include the VLAN ID as part of the name,
so that you can easily identify the port group with which it is associated.
• If you are configuring the Tenant Interconnect, type
Interconnect, using the Tenant Name value from Table 1–24.
e. Enter the VLAN ID. If you are configure the tenant VLAN, use the Tenant
VLAN ID value in Table 1–26. If you are configuring the Tenant Interconnect, use
the Tenant interconnect VLAN ID value in Table 1–27.
f. On the Ready to Complete page, click Finish.
g. Click Close to close the vSwitch Properties dialog box.
Implementing a New Tenant VLAN
h. For each Stealth-enabled tenant VLAN network, repeat this procedure for the clear
text VLAN associated with this tenant VLAN, which is specified in Table 1–26.
4. Repeat this procedure for the other workload servers that have access to this
network.
Note: You must configure the physical switches that connect the workload servers and
the physical switch that protects the tenant’s private access point to allow this new VLAN.
5.3. Deploying a New Tenant VLAN Using a New or
Existing Tenant VLAN Network Appliance
To deploy a new tenant VLAN, you use a Unisys-supplied tenant VLAN network appliance.
The following procedures describe how to configure a new tenant VLAN using a new or
existing tenant VLAN network appliance, as follows:
• If you are adding a new tenant (and a new VLAN), then you must deploy a new tenant
VLAN network appliance for that tenant. Perform the steps in 5.3.1 Deploying a New
Tenant VLAN Network Appliance and VLAN.
• If you are adding a new VLAN for an existing tenant, you have the option to configure
the new VLAN on one of the tenant’s existing tenant VLAN network appliances, as
described in 5.3.2 Adding a New VLAN to an Existing Tenant VLAN Network
Appliance. Each tenant VLAN network appliance can support up to seven VLANs.
5.3.1. Deploying a New Tenant VLAN Network Appliance and
VLAN
Note: Before beginning this procedure, ensure that the cloud provider and tenant XML
files on the jump box management VM are up-to-date.
3850 6804–007 5–11

Implementing a New Tenant VLAN
Perform the following procedure to deploy a new tenant VLAN network appliance and
VLAN:
1. Run the vSphere Client and connect to the vCenter server.
2. If you are performing this procedure as directed in 5.3.2 Adding a New VLAN to an
Existing Tenant VLAN Network Appliance or when the tenant VLAN network appliance
virtual machine already exists, skip to the following step.
Otherwise, do the following to deploy a new tenant VLAN network appliance:
a. From the VMs and Templates view, select the Tenant VLAN
NetAppliance template that you imported in 4.4 Importing Tenant VLAN
Network Appliance and Load Balancer Templates, right-click, and then click
Deploy Virtual Machine from this Template to deploy a new virtual
machine to act as the tenant VLAN network appliance in Table 1–26.
b. Name the virtual machine using the host name value from Table 1–25.
This name is case-sensitive.
Caution
You must name this tenant VLAN network appliance using the host name
value, spelling and capitalizing the name exactly as it appears in Table 1–25.
c. Select the following options during deployment:
• Ignore any warnings you receive that state that a virtual Ethernet card network
adapter is not supported. You might receive multiple warnings.
• Do not use the same resource pools as the ones that will be used for the end
user virtual machines; these resource pools are specified in Table 1–13. (You
can create a separate resource pool for each tenant’s infrastructure VMs.)
• Select Thin provisioned format for the Disk Format option.
• Select Do not customize for the Guest Customization option.
• Make sure the Power on this virtual machine after creation option is
cleared.
3. Perform this step to configure the virtual machine Network Adapter settings only if all
of the following conditions apply:
• Your vCenter Server is running vCenter Server 5.x.
Note: The Unisys supplied vCenter Server management VM is running vCenter
Server 5.0.
• The workload server—on which the tenant VLAN network appliance is running—is
running VMware ESX or ESXi version 4.1.
• One or more of the port groups—which you want to be assigned as the networks
for the network adapters on the tenant VLAN network appliance—belongs to a
distributed virtual network switch (as opposed to a standard switch).
5–12 3850 6804–007

If all of these conditions do not apply, proceed to the next step (power on the virtual
machine).
If all of these conditions do apply, do the following:
a. When the new virtual machine is created, right-click the virtual machine, and then
click Edit Settings.
b. Configure the virtual machine Network Adapter settings as follows.
Notes:
• The network connection labels must already exist on the workload server.
• The Ethernet Interface column is for reference only to indicate the ethernet
interface that is used by the network appliance software.
Network
Adapter Connected at Power On
1 Enable, if any of the
following properties in
Table 1–25 are set to Yes:
• Internet Access –
Outgoing
• Internet Access –
Incoming
• Able to respond to a
ping command?
Implementing a New Tenant VLAN
Network Connection Network
Label
Public Network eth0
2 Enable If the VLAN is not Stealth-enabled,
the tenant VLAN network label for
VLAN[1] in Table 1–26.
If the VLAN is Stealth-enabled, the
Stealth clear text network label for
VLAN[1] in Table 1–26.
Ethernet
Interface
eth1
3 Enable Management Access Network eth2
4 Enable Interconnect eth3
3850 6804–007 5–13

Implementing a New Tenant VLAN
Network
Adapter Connected at Power On
5-10 If additional tenant VLANs
are being supported with
this appliance, Enable.
Otherwise, Disable.
Network Connection Network
Label
For network adapters that are in
use by additional tenant VLANs,
choose one of the following, based
on whether the VLAN is Stealthenabled:
• If the VLAN is not
Stealth-enabled, the tenant
VLAN network label for
VLANs[2] to [n-3] in Table 1–26.
• If the VLAN is Stealth-enabled,
the Stealth clear text network
label for VLANs[2] to [n-3] in
Table 1–26.
For network adapters that are not
in use by additional tenant VLANs,
enter
Interconnect.
For example, if you have one
additional tenant VLAN, configure
Network Adapter 5 for that VLAN.
Then, configure Network Adapters
6–10 as
Interconnect.
Ethernet
Interface
eth4 to
ethn-1
Note: The range of available network adapters for extra VLANs begins at
Network Adapter 5. For example, if this Tenant VLAN Network Appliance supports
three tenant VLANs, you must enable two extra network adapters: numbers 5 and
6.
c. Click OK to save the Network Adapter settings.
4. Power on the virtual machine.
5. Open a console to the tenant VLAN network appliance, and wait until the log-on
prompt appears.
6. After the log-on prompt appears, close the console to the tenant VLAN network
appliance.
7. Open a console to the jump box management VM.
8. Enter one of the following commands in the Windows PowerShell (x86) command
window:
• If you are adding a new tenant VLAN network appliance and a new VLAN, enter
the following command:
.\Config-TVNA.ps1 –tenant -new
Where is the tenant name listed in Table 1–24. If the tenant
name contains spaces, enclose the name in quotation marks in the command.
5–14 3850 6804–007

If the workload server is running VMware ESX or ESXi 4.x or earlier, and the
vCenter Server that is managing the workload servers is running vCenter Server
5.x, you must add the following parameters to this command.
Note: The Unisys supplied vCenter Server management VM is running vCenter
Server 5.0.
-vCenter
-vCenterUser -vCenteruserPw
Use the information in Table 1–11 for the workload server that hosts the tenant
VLAN network appliance you are configuring.
If you added these three vCenter parameters to the command, and if you
already configured the virtual machine Network Adapter settings (by performing
the step earlier in this topic), then add the following argument to the command.
(You were instructed to configure the Network Adapter settings if your vCenter
Server is running vCenter Server 5.x, if the tenant VLAN network appliance is
running on a VMware ESX or ESXi 4.1 workload server, and if one or more of the
port groups is using a distributed virtual network switch.) Add the following to
the command:
-skipNICs
• If you are running this command to add a new VLAN to an existing tenant VLAN
network appliance, enter the following command:
.\Config-TVNA.ps1 –tenant
Where is the tenant name listed in Table 1–24. If the tenant
name contains spaces, enclose the name in quotation marks in the command.
If the workload server is running VMware ESX or ESXi 4.x or earlier, and the
vCenter Server that is managing the workload servers is running vCenter Server
5.x, you must add the following parameters to this command.
Note: The Unisys supplied vCenter Server management VM is running vCenter
Server 5.0.
-vCenter
-vCenterUser -vCenteruserPw
Use the information in Table 1–11 for the workload server that hosts the tenant
VLAN network appliance you are configuring.
If you added these three vCenter parameters to the command, and if you
already configured the virtual machine Network Adapter settings (by performing
the step earlier in this topic), then add the following argument to the command.
(You were instructed to configure the Network Adapter settings if your vCenter
Server is running vCenter Server 5.x, if the tenant VLAN network appliance is
running on a VMware ESX or ESXi 4.1 workload server, and if one or more of the
port groups is using a distributed virtual network switch.) Add the following to
the command:
Notes:
-skipNICs
Implementing a New Tenant VLAN
• In 5.2.2 Configuring Access to Tenant VLAN Networks and Tenant Interconnect,
you were instructed to create a Tenant Interconnect named
3850 6804–007 5–15

Implementing a New Tenant VLAN
Interconnect. This command searches for the string
Interconnect and Interconnect (no space). If the command
cannot identify the Tenant Interconnect using these strings, a dialog box
appears; enter the Tenant Interconnect name to proceed.
• If a warning is displayed for the server certificate, ignore it.
The script performs the following actions:
• Sets a new password for the vyatta account.
Note: The next time you log onto the tenant VLAN network appliance, you must
use the new password for user vyatta from Table 1–25.
• Sets the host name.
• Configures the first four network adapter interfaces.
• Configures the MAC address information for the remaining six network adapter
interfaces to ensure that the assigned MAC addresses are correct.
• Assigns the uChargeback management VM as the netflow collector, using the
uChargeback IP address on the Intercom Network.
• Configures the DNS server addresses to which all DNS requests will be
forwarded.
• If the Intercom address range is nonstandard, updates that range in the
MGMT_VMS firewall group and the static route.
• If the tenant does not have a DNS of their own, then enables access to the DNS
server on the uChargeback management VM.
To enable this access, the script adds the addresses of the uChargeback
management VM on the Cloud Management Network and the uAdapt Server
Control Network to the MGMT_VMS firewall group, and also creates static routes
to ensure that traffic to those addresses is forwarded through the Management
Network Appliance.
• If pings from the Internet are not allowed, then modifies the
ALLOW_ESTABLISHED firewall to prevent such pings.
• If either outgoing or incoming Internet access is allowed, then configures a
system gateway address.
• For each tenant VLAN supported by this Tenant VLAN Network Appliance,
- Configures an IP address on the network adapter interface for that tenant
VLAN.
- Configures DHCP settings for the tenant VLAN, including the start and stop
addresses, the address of the default router, the address of the DNS server,
and the DNS domain name.
- Adds the tenant VLAN address range to the TENANT_VLAN_NETWORKS
firewall group.
- If outgoing Internet access is allowed, configures a masquerade NAT rule on
eth0 for traffic originating from this tenant VLAN.
5–16 3850 6804–007

- Configures an SNAT rule for traffic from the tenant VLAN to the management
VMs.
This rule translates the source address of any packets from the tenant-side
address to the management-side address.
- Configures a DNAT rule for traffic from the management VMs to the tenant
VLAN.
This rule translates the destination address of any packets from the
management-side address to the tenant-side address.
- Configures a static route for traffic from the tenant VLAN to the Tenant
Internal Network, ensuring that such traffic passes through the Tenant Internal
Router on the Tenant Interconnect.
- If you are using the Active Directory management VMs provided with the
Secure Private Cloud, configures the NTP service to synchronize with the time
servers on the Active Directory management VMs.
- Reboots the tenant VLAN network appliance.
- Assigns the network adapters to the correct external networks. If this is the
initial configuration of the tenant VLAN network appliance, then all ten
network adapters are assigned to the correct networks. If this is a later
configuration (you are adding one or more VLANs to an existing tenant VLAN
network appliance), then only the corresponding network adapters are
reassigned.
9. Wait until the Config-TVNA script stops displaying messages.
10. Verify that the script completed successfully
If the command was successful, the script does the following:
• Displays the message ″Completed normally,″ along with information about the log
location
• Displays a message indicating that the password for the vyatta user is being
modified.
• Displays one or more messages indicating that network adapters have been
assigned to VMware networks.
• Reboots the tenant VLAN network appliance.
Implementing a New Tenant VLAN
If unsuccessful, the script displays an error message. Typically the message indicates
an error in the data in one of the XML files. For example, the message might indicate
that an invalid subnet mask was specified for a certain address. To correct such a
problem, do the following:
a. Make corrections to the configuration worksheet and export the XML files to the
jump box management VM again.
b. Rerun the command in the PowerShell (x86) command window.
To correct any other problems, refer to the troubleshooting document for Secure
Private Cloud on the Unisys Support Web site (www.support.unisys.com).
3850 6804–007 5–17

Implementing a New Tenant VLAN
CHECKPOINT:
1. After the tenant VLAN network appliance has rebooted, open a console to the tenant
VLAN network appliance virtual machine that you just deployed, and log in using the
user name vyatta and the New password for user vyatta in Table 1–25 of the
tenant’s workbook.
Note: If there is no new password specified, use the Default password for user
vyatta in Table 1–25 instead.
2. Ping the IP address of the Management Network Appliance on the Management
Access Network, as specified in Table 1–5.
3. Verify that the ping is successful.
5.3.2. Adding a New VLAN to an Existing Tenant VLAN Network
Appliance
If you have previously deployed a tenant VLAN network appliance for a certain tenant, you
can configure additional VLAN connections on the same appliance. Each tenant VLAN
network appliance can support seven VLANs.
Perform the following procedure to add a new VLAN to an existing tenant VLAN network
appliance.
Note: Use this procedure only if you are adding a new (and previously unplanned) tenant
VLAN to a tenant VLAN network appliance that you already configured.
However, if you had previously planned to have multiple tenant VLANs, then you do not
need to perform this procedure. (The procedure in 5.3.1 Deploying a New Tenant VLAN
Network Appliance and VLAN configured multiple tenant VLANs on the tenant VLAN
network appliance.)
1. Revise the worksheet for this tenant by filling out an additional VLAN column in
Table 1–26.
2. Export the worksheet for this tenant to an XML file, as described in 1.1.6 Exporting the
Data.
3. Perform the previous procedure, 5.3.1 Deploying a New Tenant VLAN Network
Appliance and VLAN, except that you must skip step 2 (deploying the tenant VLAN
network appliance from a template) because the virtual machine already exists.
To configure more than seven VLANs for the same tenant, you must configure an
additional tenant VLAN network appliance. See 5.3.1 Deploying a New Tenant VLAN
Network Appliance and VLAN.
5–18 3850 6804–007

5.4. Configuring the Management Network
Appliance for a New Tenant VLAN
When you deploy a new tenant VLAN, you must configure the Management Network
Appliance. Use one of the following procedures, depending on whether you are using a
virtual Management Network Appliance or a physical router. If you are using a virtual
Management Network Appliance, refer to the Network Appliance management VM
information in Table 1–5.
5.4.1. Configuring the Virtual Management Network Appliance
for a New VLAN
1. Open a console to the jump box management VM.
2. Ensure that the cloud provider XML file on the jump box management VM is up-to-date.
3. Ensure that a PowerShell (x86) window is open on the jump box management VM.
If it is not already open, from the Start menu, point to All Programs, Accessories,
and then Windows PowerShell, and click Windows PowerShell (x86).
4. Enter the following command from the PowerShell (x86) window on the jump box
management VM:
.\Config-TenantOnMNA.ps1
If necessary, include the following parameters in the command:
• If high availability (HA) is enabled, include the following:
- If the name of the vCenter server administrator user has been updated,
include
-hostUser
- If the password for the vCenter server administrator user has been updated,
include
-hostUserPw
Note: These additional parameters are required regardless of whether the
vCenter Server is provided by Unisys or the cloud provider.
• If HA is not enabled, and the root user on the management server is using an
updated password, include
-hostUserPw
• If the vyatta user on the Management Network Appliance is using an updated
password, include
-vmUserPw
You are prompted to browse to the location of the XML file. Be sure to browse
to the appropriate tenant XML file and not to the cloud provider XML file.
For example, enter the following command for a tenant with updated credentials for
the vyatta user on the Management Network Appliance:
.\Config-TenantOnMNA.ps1 -vmUserPw myNewPw
Implementing a New Tenant VLAN
3850 6804–007 5–19

Implementing a New Tenant VLAN
The script performs the following actions:
• Adds static routes to the management-side tenant VLAN ranges by way of the
tenant VLAN network appliance address on the Management Access Network.
• Adds the management-side tenant VLAN ranges to the TARGET_VM firewall
network group.
• If the tenant is not supplying their own DNS, adds NAT rules to enable traffic to
reach the DNS server on the uChargeback management VM.
Wait until the script stops displaying messages.
Note: If you receive a warning message that there are limitations in your VMware
ESX license, this means that the script cannot be completed because the required
VMware license is not installed on the management server. If you receive this
warning, you can either install the required VMware license or perform the steps in
12.6.1 Configuring the Virtual Management Network Appliance for a New VLAN (with
a VMware License Restriction).
CHECKPOINT:
Verify that the script completed successfully.
If successful, the script displays the message ″Completed normally,″ along with some
information about the log location. In this case, open a command prompt on the Cloud
Orchestrator management VM, enter the following command, and verify that the
tenant VLAN network appliance responds:
ping
If unsuccessful, the script displays an error message. Typically, the message
indicates an error in the data in one of the XML files. For example, the message
might indicate that an invalid subnet mask was specified for a certain address. To
correct such a problem,
a. Make corrections to the configuration worksheet.
b. Export the Cloud Provider XML file to the jump box management VM.
c. Repeat this procedure from the beginning.
To correct any other problems, refer to the troubleshooting document for Secure
Private Cloud on the Unisys support Web site at http://www.support.unisys.com
5. Close the PowerShell (x86) window.
5.4.2. Configuring a Physical Management Network Appliance
for a New VLAN
Notes:
• The following procedure uses commands appropriate for Cisco switches. If you have
another brand of switch, you must adapt these commands for that switch.
• The following examples assume that the VLAN ID is 402, that it has an IP range
192.168.102.0/24, and that the Management Access Network IP address range is
172.31.2.0/24.
5–20 3850 6804–007

1. Log in to the switch in privileged mode by typing enable, and then responding to the
password prompt.
The prompt changes to end with #. (For example, it changes from MySwitch> to
MySwitch#.)
2. Type the following command to enter configuration mode:
configure terminal
The prompt changes to end with (config)#. (For example, it changes from MySwitch#
to MySwitch(config)#.)
3. Declare the VLANs by entering the following commands.
Note: If you want to use extended VLAN IDs (numbers higher than 1005), you must
set vtp mode to transparent.
vlan
exit
Where VLAN ID list is the list of VLAN IDs that you want to be accessible to the
workload server. (If the workload server is in a cluster, the list should be identical for
every workload server in the cluster.) The VLAN IDs are listed in Table 1–20.
For example, enter
vlan 402
exit
4. Enter the following commands to create an access list that enables the virtual
machines running on the tenant VLAN to access the management VMs running on
the Management Access Network:
access-list permit
For example, enter
access-list 402 permit ip 192.168.102.0 0.0.0.255
172.31.1.0 0.0.0.255
5. Enter the following commands to create an access list to enable the management
VMs to access the tenant virtual machines using the Management Access
Network VLAN:
access-list permit any
For example, enter
Implementing a New Tenant VLAN
access-list 402 permit ip any 172.31.2.0 0.0.0.255
6. Enter the following commands to enable the management VMs to access the
tenant VLAN:
access-list permit
3850 6804–007 5–21

Implementing a New Tenant VLAN
For example, enter
access-list 402 permit ip 172.31.1.0 0.0.0.255
192.168.102.0 0.0.0.255
7. Enter the following commands to prevent a tenant VLAN from sending any
traffic to ports 61132 and 61133, which are used by the Cloud Orchestrator
management VM:
access-list deny udp
host eq
For example, enter
access-list 402 deny udp 192.168.102.0 0.0.0.255 host
172.31.1.6 eq 61132
access-list 402 deny udp 192.168.102.0 0.0.0.255 host
172.31.1.6 eq 61133
8. Enter the following commands to create an access group to apply the
access lists to the tenant VLAN:
interface
ip access-group in
ip access-group out
For example, enter
interface vlan 400
ip access-group 402 in
ip access-group 402 out
9. Enter the following commands to add a static route to the new tenant VLAN
network appliance:
ip route
For example, enter
ip route 192.168.102.0 255.255.255.0 172.31.2.102
10. If the tenant does NOT have a DNS server, NAT rules must be created to
ensure that the tenant VLAN can communicate with the DNS on the
uChargeback management VM. Use ip nat commands to configure the
following.
Note: A physical switch must support NAT to perform these commands.
Refer to the documentation for your switch for more information on NAT and
the specific commands that apply.
5–22 3850 6804–007

a. Configure the management access network VLAN interface as the
network subject to inside NAT translation.
b. Configure NAT rules to translate the and destination
addresses to the address.
11. Enter the following command to verify the configuration:
show running-config
12. Save the configuration by entering the following command:
copy running-config startup-config
You see the following: Destination Filename [startup-config]?
13. Press Enter.
CHECKPOINT:
You see the response [OK].
Enter the following command and verify that the tenant VLAN network appliance
responds:
ping
5.5. Configuring the Cloud Orchestrator and
uChargeback Management VMs to
Communicate with Tenant VLAN
Perform the following procedure to enable communication between a tenant VLAN and
the Management Access Network and Intercom Network.
Notes:
• Ensure that the XML files on the jump box management VM are up to date.
1. Open a console to the jump box management VM.
2. Enter the following command from the PowerShell command window:
.\Configure-Routes.ps1 –tenantName
“”
3. Enter the credentials if prompted.
Implementing a New Tenant VLAN
The script uses information in the cloud provider XML file and a tenant XML file (which
were exported from the configuration workbook in 2.7 Completing and Exporting Tenant
Worksheets) to configure static routes that allow communication to the new VLAN from
the following:
3850 6804–007 5–23

Implementing a New Tenant VLAN
• Cloud Orchestrator management VM
• uChargeback management VM
• Jump box management VM
• Stealth Licensing management VM (if Stealth for Secure Private Cloud is enabled)
5.6. Configuring the Tenant VLAN Network
Appliance to be Monitored by the Nagios
Collector
Note: Perform this procedure on each tenant VLAN network appliance for VLANs with
tenant servers that will be monitored by the Nagios Collector software, if it is included in
your environment.
1. Using a vSphere Client that is connected to the vCenter server, open the console to
the tenant VLAN network appliance.
2. Log in, using the vyatta user credentials, and enter the following command:
configure
3. Enter the following command to create a static DNS entry in the appliance, using
values provided by your Unisys service consultant:
set system static-host-mapping
host-name
inet
This static DNS entry enables the Nagios agent to communicate with Nagios
Collector over the Intercom Network.
4. Enter the following commands:
commit
save
exit
5.7. Additional Nagios Collector Configuration
Information
Consider the following additional configuration information for the Nagios collector
software as you add new components to your environment and perform ongoing
operations:
• Configure the firewall on Windows virtual machines to enable monitoring for all
profiles.
• It is recommended to use the value specified in to reference the collector when configuring the agent on the
workload servers. This name was configured by your Unisys service consultant during
the initial implementation.
• Nagios profiles are defined in the Nagios Collector, which is not part of the Secure
5–24 3850 6804–007

Private Cloud product and must be implemented separately. Nagios profiles are
created when the Nagios Collector is implemented.
When commissioning a resource, enter the name of an applicable Nagios profile as
the Nagios Profile parameter of the blueprint used to commission the resource.
5.8. Configuring External Servers to Communicate
with Tenant VLANs
Use the procedure in this section if the Secure Private Cloud environment is configured to
use VLANs for tenant isolation and the external server requires communication with
commissioned tenant resources on the tenant VLANs. You must add static route
statements on the external server to properly route traffic to the tenant VLANs using the
Management Network Appliance as the gateway.
Skip this section if the external server does not require communication with tenant
resources.
Procedure for Windows External Servers
1. Start the Windows Command Prompt using the Run as administrator option.
2. Enter the follow command to add static routes:
route -p add mask
where
is the management-side tenant VLAN subnet from Table 1–25.
is the VLAN netmask from Table 1–25.
is the Management Network Appliance IP address on the Intercom
Network from Table 1–5.
3. Repeat this command for each tenant VLAN as required.
Example
route -p add 10.3.1.0 mask 255.255.255.0 172.31.1.200
CHECKPOINT:
Verify that the external server is able to communicate with a tenant resource on the
tenant’s VLAN, using the FQDN of the tenant resource. If the tenant VLAN is configured,
use the management side FQN of the tenant resource. For example,
ping tenant-0003.managed.spc.local
Implementing a New Tenant VLAN
3850 6804–007 5–25

Implementing a New Tenant VLAN
5–26 3850 6804–007

Section 6
Creating and Managing Tenant
Configurations
This section describes how to create and manage tenant configurations using the Excel
workbook, the Populator service, and the Secure Private Cloud portal. When you export
data from the Excel workbook and run the appropriate Populator effector, the tenant,
projects, and unrefined blueprints are created in the Secure Private Cloud portal and in
RBADB, and departments for the tenant and projects are created in uChargeback. Perform
the procedures in this section to add these components and refine blueprints so that they
can be used by tenants.
When you onboard a new tenant, add new projects for an existing tenant, or create a new
blueprint, you must perform the appropriate procedures as described in this section. If you
are adding multiple tenants, repeat the procedures for the next tenant, using the XML data
file for that tenant.
6.1. Updating Cloud Provider or Adding Tenant
Information in the Secure Private Cloud
Environment
Perform the following procedure to do the following in the Secure Private Cloud
environment:
• Update cloud provider information
• Add new tenants
• Update existing tenants
When you perform this procedure for a tenant, you also automatically add or update all
tenant projects and create new blueprints that can be refined.
Use the appropriate XML data file for the cloud provider or for the tenant you are adding or
updating.
1. If you have not already done so, export the updated cloud provider or tenant data
configuration XML file and save it to the jump box management VM.
Note: See 1.1 Completing Worksheets for Installation and Configuration for more
information on exporting this file.
2. Open a console to the jump box management VM.
3850 6804–007 6–1

Creating and Managing Tenant Configurations
3. Enter the following command from the PowerShell command window:
.\Copy-Directory.ps1 –vmlist uco
This script copies the XML files from the jump box management VM to the Cloud
Orchestrator management VM.
4. Open a console to the Cloud Orchestrator management VM.
5. Launch a Web browser, and access the uOrchestrate Operations Console using the
URL in Table 2–2.
6. Log in to the Operations Console using the credentials in Table 2–1.
7. If you receive a message that the Operations Console has stopped polling, click OK.
8. In the Service Organization pane on the left, click the Populator service (refer
to Figure 6–1).
Note: The position of the Populator service in the list can vary.
Figure 6–1. Operations Console Populator
9. Expand Effectors in the right pane to view the effectors.
6–2 3850 6804–007

10. Under All Effectors, click one of the following effectors:
• If you are adding a new tenant, click addTenant.
This effector adds one tenant, including projects and unrefined blueprints for that
tenant. It requires an XMLFileName parameter to identify the XML data file for the
tenant. Use the filename from step 1, including the extension.
If you are adding more than one tenant, you must complete this procedure for
each tenant individually.
• If you are making modifications to an existing tenant, click updateTenant.
This effector updates one tenant, including projects and unrefined blueprints for
that tenant. It requires an XMLFileName parameter to identify the XML data file
for the tenant. Use the filename from step 1, including the extension.
• If you are updating the cloud properties, click updateCloudProperties.
This effector updates the cloud properties in RBADB.
Note: You do not need to enter a value for the XMLFileName parameter. The
default value CloudProvider.xml is used.
11. Click Execute.
12. Check the result in the Result pane.
You should see the message “Completed” when the process is complete.
13. Expand Logs in the right pane to view the log messages.
Status and error messages from the Populator service are recorded both under Logs
and in the following file:
\Unisys\SPC-Automation\logs\Configuration.log
Notes:
• In the Operations Console, you can either filter the messages by level or check the
level of each message to determine if any errors are being reported.
• If you see an error that states the Cloud folder does not exist, then you logged into
the Operations Console using the wrong credentials. You must use the credentials
for the uOrchestrate Operations Console in Table 2–1.
14. If errors are reported, do the following:
a. Make the appropriate corrections in the cloud provider or tenant data worksheet
and export the file.
b. Repeat this procedure.
Creating and Managing Tenant Configurations
Note: If you are updating a tenant, run the updateTenant effector (rather than
the addTenant effector).
6.2. Configuring Stealth-Enabled VLANs
Perform the following procedure one time for each Stealth-enabled VLAN:
3850 6804–007 6–3

Creating and Managing Tenant Configurations
1. For the Stealth-enabled VLAN that you are configuring, verify that the information
specified in Table 1–31 matches the vCenter configuration, as follows:
• Folder name – Verify that the folder name specified in Table 1–31 exists in vCenter
(when viewed using the VMs and Templates view in the vSphere Client). If a folder
with this name does not exist in vCenter, access the VMs and Templates view in
vSphere Client, and create the folder under the Datacenter specified in
Table 1–11.
Note: The name of this folder must be unique within vCenter. The same folder
can be shared by different tenants or by different Stealth-enabled VLANs, but the
folder must have a unique name.
• Resource pool – Verify the resource pool specified in Table 1–31 exists in vCenter
in the appropriate workload server or cluster (the server or cluster where the
infrastructure VMs should be created). If the resource pool does not exist, create it
in the appropriate workload server or cluster.
• Datastore name – Verify the datastore name value matches one of the storage
names that is accessible by the workload servers or the cluster. If the datastore
name is incorrect, make the appropriate correction.
Notes:
- If the value in the workbook is updated, re-export the tenant worksheet and
copy it to the jump box management VM. See 1.1.6 Exporting the Data for
more information.
- If the same storage is being used for commissioned virtual machines, the
name of the storage should be compatible with the value defined in
Table 1–13.
• Folder within the datastore – Verify that the folder name in the “Connection
information for Workload vCenter” section of Table 1–9 exists in the datastore
specified in the previous bullet. If this folder does not exist in that datastore, then
create the folder and upload the master.flp file to it.
2. Open a console to the jump box management VM.
3. Enter the following command from the Powershell command window:
.\Generate-OnBoardingXML.ps1
–tenantName “”
Note: Quotation marks are required around the tenant name if the contains spaces.
This script produces one XML file for each Stealth-enabled VLAN for the specified
tenant. The XML files are located in C:\ProgramData\Unisys\SPC-Automation\XML,
and the file names have the following format: OnBoarding_.xml.
The command also generates a Job Groups XML file named
“StealthOnBoardingJobs-restartable.xml,” and several other supporting XML files.
These files are located in the C:\Unisys\Stealth\_ folder,
where is the name of the tenant being onboarded from Table 1–24
and the is the identifier for the Stealth-enabled tenant VLAN specified in
Table 1–26.
6–4 3850 6804–007

4. Open a command prompt window, and type the following command:
cd C:\Unisys\Stealth
5. In the command prompt window, type the following command:
java -jar AutomationClient.jar C:\Unisys\Stealth\
_\StealthOnBoardingJobs-restartable.xml
where the and are the folder names generated earlier in
this procedure as a result of running the Generate-OnBoardingXML command.
The java -jar command starts the onboarding process for the specified Stealthenabled
VLAN. This process takes about one and a half hours to complete.
6. Verify the following registry entries exist on the Stealth Proxy Server and Stealth
Relay Server infrastructure VMs, as follows:
a. Open a console to the Stealth Proxy Server infrastructure VM.
The Stealth Proxy Server VM name, user name, and password are listed in
Table 1–31.
b. On the Start menu, click Run, enter regedit in the Open box, and then click
OK.
c. In the Registry Editor, navigate to HKEY_LOCAL_MACHINE\Software\SaberNet.
d. Verify that a REG_SZ registry entry named Syslog exists, which contains the IP
address of the Stealth Relay Server.
If this registry entry does not exist, do the following:
• Right-click SaberNet, point to New, and then click String Value.
• Name the value Syslog.
• Right-click Syslog, and click Modify.
• In the Edit String dialog box, in the Value Data box, enter the IP address of
the Stealth Relay Server from Table 1–31.
• Click OK to close the Edit String dialog box.
e. Close the Registry Editor.
f. Close the console to the Stealth Proxy Server infrastructure VM.
g. Restart the Stealth Proxy Server infrastructure VM.
Creating and Managing Tenant Configurations
h. Open a console to the Stealth Relay Server infrastructure VM.
The Stealth Relay Server VM name, user name, and password are listed in
Table 1–31.
i. On the Start menu, click Run, enter regedit in the Open box, and then click
OK.
j. In the Registry Editor, navigate to HKEY_LOCAL_MACHINE\Software\SaberNet.
k. Verify that a REG_SZ registry entry named Syslog exists and contains the value
of the Stealth Licensing management VM FQN from Table 1–32.
3850 6804–007 6–5

Creating and Managing Tenant Configurations
If this registry entry does not exist, do the following:
• Right-click SaberNet, point to New, and then click String Value.
• Name the value Syslog.
• Right-click Syslog, and click Modify.
• In the Edit String dialog box, in the Value Data box, enter the value of the
Stealth Licensing management VM FQN from Table 1–32.
• Click OK to close the Edit String dialog box.
l. Close the Registry Editor.
m. Close the console to the Stealth Relay Server infrastructure VM.
n. Restart the Stealth Relay Server infrastructure VM.
7. Repeat the previous two steps for each Stealth-enabled VLAN XML for the tenant.
Note: If you experience any problems, see 12.14 Troubleshooting Configuring Stealth-
Enabled VLANs.
CHECKPOINT:
1. Open a console to the Stealth Licensing management VM.
2. Verify the log information in Syslog.
6.3. Understanding Blueprints and General
Blueprint Guidelines
A blueprint defines the resources that users can commission using the Secure Private
Cloud portal. When users commission resources, they provide values for a set of
parameters, based on constraints that the administrator or operator configures. Each
blueprint is specific to a type of resource—virtual machine, physical server, or virtual
desktop—and its associated attributes.
The types of resources that can be created and managed by users are determined by the
blueprints that you create.
6–6 3850 6804–007

Understanding Base Blueprints, Unrefined Blueprints, and Refined
Blueprints
Blueprints can be categorized as base blueprints, unrefined blueprints, and refined
blueprints, as follows:
• Base blueprints are default blueprints that cannot be changed or cannot be used to
commission resources. There is one base blueprint for each type of resource: virtual
machine, physical server, and virtual desktop.
When you update the tenant worksheet with information about the blueprints that you
want to create and then run the Populator addTenant or updateTenant effector, the
base blueprints are automatically copied and saved with the name of your new
blueprint. These copies are then edited to create more specific instances of a type of
resource: this process is called blueprint refinement.
• Unrefined blueprints
When the Populator addTenant or updateTenant effector is run, unrefined blueprints
are created using the blueprint name and description specified in the tenant
worksheet. Unrefined blueprints must be refined before they can be used to
successfully commission resources.
Note: When you run the updateTenant effector, any blueprints you already created
and refined remain unchanged, and any new blueprints you added to the workbook are
created in the Secure Private Cloud portal and in RBADB.
• Refined blueprints
Refined blueprints are blueprints that administrators or operators have refined. Users
can use these blueprints to successfully commission resources.
When a user commissions a resource from a blueprint, the values saved in the refined
blueprint and the values entered by the user are copied to the resource. A resource is
always associated with the blueprint that was used to commission it, but if you later
modify the blueprint values, those changed values are not copied to the resource.
You can refine all attributes associated with a blueprint, except the blueprint resource type
(virtual machine, physical server, or virtual desktop).
The following guidelines apply to refining blueprints.
Blueprint Name
Blueprints should have unique and meaningful names to enable end users to easily
recognize the type of platform they are creating when they select a blueprint. The
recommended blueprint naming convention is to indicate certain key attributes about the
environment, such as
• The operating system type and version
Creating and Managing Tenant Configurations
• The functionality of the resource (such as a Web server, database server, and so forth)
or application stack included with the resource
• Whether the blueprint is for a virtual machine, physical server, or virtual desktop
3850 6804–007 6–7

Creating and Managing Tenant Configurations
For example, W2K3x64Exchange–VM indicates a Windows Server 2003 virtual machine
that is used as an Exchange server. W2K3x86SQL2005–P indicates a Windows Server
2003 physical machine that is used as an SQL server. VOaaSGoldImageA-1024 indicates a
virtual desktop using the file gold image named goldimageA.VHD with 1024 MB of
memory.
Setting Constraints
As you configure blueprints, you can set constraints for each attribute. As the
administrator, you configure each attribute to display for the user, as follows:
• Configure user access and visibility to the attribute using one of the following values:
- Read-write – The user commissioning a resource can see the attribute and can
select from a list of values or type a value.
- Read-only – The user commissioning a resource can see the attribute and selected
value, but cannot change the value. If you set an attribute to read-only, and if a
value is required for the resource to be successfully commissioned, you must
specify a default value.
For example, an OS Type is required for each resource, and so if you set the OS
Type to read-only, you must specify an OS Type. In contrast, a Resource Pool
Override attribute is not required, and so you can set this value to read-only and
leave it blank. As you create blueprints, you are given specific guidelines as to
which blueprint attributes are required and which attributes should be set to
read-only.
- Hidden – The user cannot see (or change) the attribute or the value you selected. If
you set an attribute to hidden, and if a value is required for the resource to be
successfully commissioned, you must specify a default value.
For example, an OS Type is required for each resource, and so if you set the OS
Type to hidden, you must specify an OS Type. In contrast, a Resource Pool
Override attribute is not required, and so you can set this value to hidden and leave
it blank. As you create blueprints, you are given specific guidelines as to which
blueprint attributes are required and which attributes should be set to hidden.
For some attributes, you can select the access type you want to use, but for some
other attributes, you are directed to set the access to read-only or hidden.
• Fix the value of an attribute.
To fix the value of an attribute, set the default value that you want to use, and then set
the access to read-only or hidden so that the user cannot change it.
• Provide a default value.
If the attribute access is set to read-write, the default value for a blueprint property is
the value that is suggested to the commissioning user. However, the user can change
the value. (If the attribute access is set to read-only or hidden, the default value is the
value used for the commissioned resource and the user cannot change it.)
If you do not want to suggest a default value (if the user must pick a value based on a
specific situation), you do not have to specify a default unless you are specifically
instructed to do so. However, if the value is required, the user must specify a value in
order to successfully commission a resource.
6–8 3850 6804–007

Example
For example, an OS Type for each resource is required, and so if you set that value to
read-write and do not provide a default, the user must specify an OS Type. In contrast,
Operator Action Instructions (additional actions that users request for their resources)
is not required, and so you can set this value to read-write and not specify a default,
and the user can leave it blank. As users commission blueprints, they are given
directions on which values are required.
• Provide a list of values (known as a ″One Of″ list) from which the user can select a
value for an attribute.
When you provide a One Of list, you set the access to read-write so that the user can
select from the list of values. You can also set a default value to be initially suggested.
You select the Refined check box to create a list.
• Specify further constraints that limit a user’s data entry.
If you want the user to enter values that meet certain criteria, you can select One Of or
Regular Expression under Further Constraints. For example, if the name the user
enters for a virtual machine must begin with “VM,” you can select the Regular
Expression option and then enter “VM.*” in the Regular Expression box.
Note: If you are setting access to an attribute as read-only or hidden, do not
configure any Further Constraints. The user cannot enter any values for the attributes,
and the Further Constraints are therefore meaningless.
For example, if the resource type is a virtual machine and you want users to be able to
commission a Windows Server 2008 with a fixed number of CPUs and a variable amount
of memory, you could refine the blueprint parameters as follows:
• CPU: In the Default list, select 1. Set the Access to read-only.
The user sees the value CPU: 1 but cannot change it.
• Memory: From the One Of list, select only the 2048 and 4096 check boxes (because
Windows Server 2008 requires at least 2 GB of memory). Set the Default to 2048 to
suggest that the user use less memory. Set the Access to read-write.
The user sees a list with the choices 2048 and 4096. The value 2048 is selected, but
the user can change the value to 4096.
• Template: In the Default list, select the template for Windows Server 2008. Set the
Access to hidden.
The user does not see the template.
• OS Type: In the Default list, select Windows Server 2008. Set the Access to read-only.
The user sees the OS Type: Windows Server 2008 but cannot change it.
6.4. Creating Blueprints
Creating and Managing Tenant Configurations
Do the following to create a new virtual machine or virtual desktop blueprint.
Note: Only Unisys service consultants can refine new physical server blueprints using
3850 6804–007 6–9

Creating and Managing Tenant Configurations
the procedures in the Secure Private Cloud Implementation Guide (3850 6846).
1. Meet the prerequisites for the type of the blueprint you are creating, as follows:
• For new virtual machines blueprints, you must have created VMware vCenter
Server templates for virtual machine commissioning, as described in
Section 4, Creating VMware Template Gold Images).
• For virtual desktops, configure the Virtual Office as a Service solution, as
described in the Secure Virtual Office as a Service Implementation and Best
Practices Guide.
2. Create unrefined blueprints and add them to the Secure Private Cloud portal as
follows:
Note: If you are onboarding a new tenant, you should have already entered the
blueprint names in the worksheet, exported the worksheet, and run the Populator
addTenant effector as part of the onboarding process. If you did so, you have already
created unrefined blueprints, and you can skip to the next step.
a. Access the tenant worksheet and enter information for blueprints. The worksheet
for each tenant includes data in Table 1–24 through Table 1–42. When the
procedures in this section refer to any of these tables, be sure to use the data
from the correct worksheet for the tenant.
b. Export the worksheet as described in 1.1.6 Exporting the Data.
c. Run the appropriate Populator effector as described in 6.1 Updating Cloud
Provider or Adding Tenant Information in the Secure Private Cloud Environment.
The Populator effectors create the unrefined blueprints in the Secure Private
Cloud portal and in RBADB.
3. From a workstation on the Public Network, sign in to the Secure Private Cloud portal
using the URL in Table 2–2 and your cloud administrator credentials.
4. Click Administration, and then click Manage Blueprints.
5. Under Manage Blueprints, select the project associated with the blueprint you
want to refine.
The Blueprint pane is updated to list all blueprints associated with the project.
6. Under Blueprints, select the blueprint you want to refine, and then click Edit
Blueprint.
The blueprint name and description appear in the blueprint by default, based on the
values you entered in the tenant worksheet. You must refine all other values to match
the values you entered in the tenant worksheet.
7. Enter the values for each blueprint attribute based on the resource type and using the
values in the tenant worksheets, as follows:
• For virtual machines, the tenant worksheet is Table 1–35. See 6.5 Virtual Machine
Attributes and Values for detailed information on each attribute and value.
• For virtual desktops, the tenant worksheet is Table 1–39. See 6.6 Virtual Desktop
Attributes and Values for detailed information on each attribute and value.
Note: If you are creating a virtual machine blueprint, you see the Performance
Monitoring category with Nagios Profile and the Migrate VM attributes. These
6–10 3850 6804–007

attributes are intended for Unisys service consultants who are configuring custom
Nagios monitoring or migrating virtual machines from earlier versions of the Secure
Private Cloud, respectively. Customer administrators and operators should set the
access for these attributes to Hidden and make no other changes to the values.
8. Enter values for each group of attributes, and then click Next.
9. After you enter values for all attributes, click Apply.
6.5. Virtual Machine Attributes and Values
This topic describes the details of all available virtual machine attributes and values.
6.5.1. Virtual Machine General Configuration
Table 6–1. Virtual Machine Basic Attributes and Values
Attribute Name
and Description Values
Blueprint
Name
Blueprint
Description
The name of the blueprint, which is displayed to administrators, operators, and users.
You enter this value in the tenant worksheet, and when you run the Populator addTenant
or updateTenant effector, this name is used in the Secure Private Cloud portal.
Notes:
• If you update this value in the Secure Private Cloud portal, you must also update it in
the tenant worksheet.
• Blueprint names must following the guidelines in 2.8.4 Naming Guidelines for
Components in the Cloud Environment.
A description of the blueprint, which is displayed only to administrators and operators.
Table 6–2. Virtual Machine General Configuration Attributes and Values
Attribute Name
and Description Values
Name
Descriptive name
for the resource
being
commissioned (not
the blueprint name).
• Default: Leave this box blank so that the user can enter a name for the
commissioned resource.
• Access: Select Read-Write.
Creating and Managing Tenant Configurations
Note: This user-configured value is used only for display and tracking purposes. It is
not related to the virtual machine host name.
3850 6804–007 6–11

Creating and Managing Tenant Configurations
Table 6–2. Virtual Machine General Configuration Attributes and Values (cont.)
Attribute Name
and Description Values
CPUs
Number of CPUs.
Memory
Memory size in
megabytes (MB).
• One Of: Select the CPU values that you want the user to be able to select from.
You can select one or more values.
• Default: If you want the user to select from a list of number of CPUs, you can
set a default or select none.
If you want to force the user to use a specific number of CPUs, select the specific
value in the Default list.
Note: The Default value must be one of the values selected in the One Of box.
• Access: If you want the user to select the number of CPUs, select Read-Write.
If you want to force the user to use a specific number of CPUs, select Read-
Only or Hidden.
Note: All memory must be entered in multiples of 512 MB.
• Default: If you want to force the user to use a specific amount of memory, enter
it in this box. Or, if you want the user to select from a range or list of memory, you
can set a default value in this box.
If you do not want to set a specific amount of memory or a default amount of
memory, leave this box blank.
• Further Constraints:
- None: If you want to force the user to use a specific amount of memory,
enter that amount in the Default box, and then set the Further Constraints
to None.
- One Of: If you want the user to select from a list of specific values, set the
Further Constraints to One Of, and then enter the values in the One Of box.
Separate the values you enter with commas. If you enter a value in the
Default box, you must also enter that same value in the One Of box.
- Range: If you want the user to select from a range of values (using a slider
bar), set the Further Constraints to Range, and then enter the minimum and
maximum values and the increment for the slider bar.
The Minimum and Maximum values must be multiples of 512 MB. The
Increment value must equal 512 MB.
• Access: If you want the user to select the amount of memory, select Read-
Write.
If you want to force the user to use a specific amount of memory, select Read-
Only or Hidden.
6–12 3850 6804–007

Table 6–2. Virtual Machine General Configuration Attributes and Values (cont.)
Attribute Name
and Description Values
Template
Template to be
used by the
VMware clone and
customization
process.
OS Type
Operating system
installed in the
target template.
Note: The Template value must match the OS Type value. Therefore, if you want to
provide a list of templates for the user to choose from, it is highly recommended that
they all have the same operating system.
• Refined: If you select this check box, the One Of list appears, and you can
create a list of templates from which the end user can select.
• Default: If you want the user to select from a list of templates, you can set a
default or select none.
If you want to force the user to use a specific template, select it in the Default list.
• Access: If you want the user to select from a list of templates, select Read-
Write.
Notes:
Creating and Managing Tenant Configurations
If you want to force the user to use a specific template, select Read-Only or
Hidden.
• The OS Type must match the operating system installed in the template.
Therefore, you should only configure a list of operating systems if you provide a
list of templates. It is highly recommended that you select one operating system
and set the value to Read-Only or Hidden.
• If you are a Unisys service consultant migrating a blueprint from a previous
version of the Secure Private Cloud, select the operating system type that is
closest to the one previously used for the blueprint. (Do not use Other for a
Windows Server 2008 blueprint type, as you did in previous releases.)
• Refined: If you select this check box, the One Of list appears, and you can
create a list of operating systems from which the end user can select.
• Default: If you want the user to select from a list of operating system, you can
set a default or select none.
If you want to force the user to use a specific operating system, select it in the
Default list.
• Access: If you want the user to select from a list of operating systems, select
Read-Write.
If you want to force the user to use a specific template, select Read-Only or
Hidden.
3850 6804–007 6–13

Creating and Managing Tenant Configurations
6.5.2. Virtual Machine Resource Balancer
Table 6–3. Virtual Machine Resource Balancer Attributes and Values
Attribute Name
and Description Values
Resource Pool
Override
A regular
expression that
limits the resource
pools that are
considered to host
the commissioned
virtual machine.
This value overrides
the standard
system-wide
resource pool filter.
Datastore
Override
A regular
expression that
limits the
datastores that are
considered to host
the commissioned
virtual machine.
This value overrides
the standard
system-wide
datastore filter.
If you want to override the standard system-wide resource pool filter and manually
limit the resource pools that are used to host commissioned virtual machines, enter
the following values. Otherwise, skip this attribute.
• Default: Enter an expression that you want to use to limit the resource pools
used for the commissioned virtual machines and that matches resource pools in
your environment.
For example, if you want to limit the resource pools to pools that begin with the
word “Windows,” then enter “Windows.*” in this box.
• Access: Set this value to Read-Only or Hidden.
Note: Do not set any Further Constraints. This value should be read-only or hidden
from the user, and so further constraints are meaningless.
If you want to override the standard system-wide datastore filter and manually limit
the resource pools that are used to host commissioned virtual machines, enter the
following values. Otherwise, skip this attribute.
• Default: Enter an expression that you want to use to limit the datastores used
for the commissioned virtual machines and that matches the datastores in your
environment.
For example, if you want to limit the datastores to datastores that begin with the
word “Windows,” then enter “Windows.*” in this box.
• Access: Set this value to Read-Only or Hidden.
Note: Do not set any Further Constraints. This value should be read-only or hidden
from the user, and so further constraints are meaningless.
6–14 3850 6804–007

6.5.3. Virtual Machine Operating System Customization
Table 6–4. Virtual Machine Operating System Customization Attribute and Values
Attribute Name
and Description Values
Customize OS
Enables
customization of
the virtual machine
operating system.
• Default: Select True.
• Access: Select Hidden.
Note: You must select these values. If you change the Default value to None or
False, or if you allow the user to change it, none of the custom values you enter are
configured in the virtual machine operating system.
Table 6–5. Virtual Machine Operating System Attributes and Values
Attribute Name
and Description Values
Machine Name
Source
Algorithm used to
assign a name to a
commissioned
resource.
• Refined: Do not select this check box.
Creating and Managing Tenant Configurations
• Default: Select one of the following machine name sources:
- Generated: The system assigns a name based on the HostNamePrefix
property set during initial implementation in the VMware Sysprep
Configuration .
- UserAssigned: The user assigns the host name. The host name must be
between one and 15 characters; must include only letters, numbers, and
hyphens; must begin and end with a letter or number; and must not consist
entirely of numbers.
- UseDefault: The system assigns a value for Machine Name Source based
on the UserProvidedMachineName property set during initial
implementation in the VMware Sysprep Configuration. If the
UserProvidedMachineName property is True, then the UserAssigned
Machine Name Source is used. If the UserProvidedMachineName property
is False, then the Generated Machine Name Source is used.
- MCP: If you are configuring a blueprint for an MCP server, select this value.
• Access: Set this value to Read-Only or Hidden.
3850 6804–007 6–15

Creating and Managing Tenant Configurations
Table 6–5. Virtual Machine Operating System Attributes and Values (cont.)
Attribute Name
and Description Values
Host Name
Input into the
generation of the
virtual machine
operating system
host name.
Windows
License Key
The license key for
a Window operating
system.
Random
Password
Determines if a
random
administrative
password is
assigned for
additional security.
This value enables the user to enter a unique host name, if either of the following is
configured:
• The Machine Name Source value is UserAssigned.
• The Machine Name Source value is UseDefault, and the
UserProvidedMachineName is set to True during initial implementation in the
VMware Sysprep Configuration .
If the Machine Name Source value is Generated or MCP, this value is ignored.
• Default: Leave this box blank.
• Access: If the user should enter a host name, set this value to Read-Write. If
the user does not enter a host name, set this value to Hidden.
• Default:
- For non-Windows operating systems, leave this box blank.
- For Windows operating systems, type the Windows operating system
product key.
• Access: Set the value to Hidden.
• One Of: Select one or more of the following values:
- Yes: A randomly generated Administrator (for Windows) or root (for Linux)
password will be assigned to the newly commissioned virtual machine.
- No: A predefined password is assigned, based on the
SysPrepVMAdminPwd property set during initial implementation in the
VMware Sysprep Configuration table.
- UseDefault: The system assigns a value for Random Password based on
the SysPrepRandomAdminPwd property set during the initial
implementation in the VMware Sysprep Configuration table. If the
SysPrepRandomAdminPwd property is True, then a random password is
assigned (same as value Yes). If the SysPrepRandomAdminPwd property is
False, then a predefined password is assigned, based on the
SysPrepVMAdminPwd property set during initial implementatin in the
VMware Sysprep Configuration table (same as value No).
• Default: If you want the user to choose whether to implement a random
administrator password, you can set a default or select none. If you want to
force the user to use a particular option, select it in the Default list.
• Access: If you want the user to be able to configure this attribute, set this value
to Read-Write. If not, set this value to Read-Only or Hidden.
6–16 3850 6804–007

Table 6–5. Virtual Machine Operating System Attributes and Values (cont.)
Attribute Name
and Description Values
Auto Logon
Count
For Windows
operating systems,
defines how many
times the operating
system performs an
automatic log on
during or after
Sysprep.
Run Once
Command
Defines a “run once
command” for
Windows virtual
machine operating
systems; this
command is
executed during
Sysprep
processing.
Note: For non-Windows operating systems, skip this attribute.
• Default: Enter 1.
• Access: Set this value to Read-Only or Hidden.
Note: For non-Windows operating systems, skip this attribute.
• Default: Depending on the Windows operating system, enter one of the
following values:
- For Windows Server 2003 or Windows XP, enter
C:\dns-setup.vbs
- For Windows Vista and Windows 7 operating systems, enter
shutdown /r /f /t 0
The shutdown constant causes the virtual machine operating system to be
restarted, so it is logged out after Sysprep is complete.
- For Windows Server 2008 environments with the optional Key Management
Service (KMS) server, enter
C:\activate.vbs
Creating and Managing Tenant Configurations
The script specifies the name of the KMS host to contact and activates
Windows.
• Access: Set this value to Read-Only or Hidden.
3850 6804–007 6–17

Creating and Managing Tenant Configurations
Table 6–6. Virtual Machine Network Configuration Attributes and Values
Attribute Name
and Description Values
DHCP
If this setting is
true, the virtual
machine is
configured to use
DHCP for all
network adapters. If
this setting is false,
the first network
adapter is
configured with the
fixed address
information
specified in the
commission
request and any
other network
adapters are
configured for
DHCP.
IPv4 Address
If DHCP is False,
this is the fixed IP
address to use for
the first network
adapter in the
virtual machine.
This setting should
be left blank if using
DHCP.
Subnet Mask
If DHCP is False,
this is the subnet
mask to use for the
fixed IP address.
Gateway
If DHCP is False,
this is the default
gateway to use for
the fixed IP
address.
• Default:
- Select None if you do not want to set a default.
- Select True if you want the virtual machine to use DHCP by default.
- Select False if you want the virtual machine to set a static IP address by
default.
• Access: Set this value to Read-Write if you want to allow the user to select the
address type, or set this value to Read-Only or Hidden if you want the virtual
machine to use a specific address type.
Note: If you set the Default to None, you must set the Access to Read-Write.
• Default: Leave this box blank.
• Access:
- Set this value to Read-Write if DHCP is False or if you allowed the user to
specify the DHCP setting.
- Set this value to Read-Only or Hidden if DHCP is True.
• Default: Leave this box blank.
• Access:
- Set this value to Read-Write if DHCP is False or if you allowed the user to
specify the DHCP setting.
- Set this value to Read-Only or Hidden if DHCP is True.
• Default: Leave this box blank.
• Access:
- Set this value to Read-Write if DHCP is False or if you allowed the user to
specify the DHCP setting.
- Set this value to Read-Only or Hidden if DHCP is True.
6–18 3850 6804–007

Table 6–6. Virtual Machine Network Configuration Attributes and Values (cont.)
Attribute Name
and Description Values
Port Group
Network Name
This setting is used
for VLANs. The Port
Group Network
Name is also known
as the Tenant VLAN
Network Label; it
identifies the
tenant’s VLAN on
the workload
server. The first
virtual machine
network adapter is
assigned to the
value specified in
the blueprint.
COI Set
This setting is used
if your environment
includes Stealth for
Secure Private
Cloud. The COI Set
determines which
other components
this virtual machine
can communicate
with.
• Refined: Ensure this check box is not selected.
• Default:
- If you are not using VLANs, select Unchanged.
- If you are using VLANs, select the VLAN that matches the Tenant VLAN
network label in Table 1–26.
• Access: Set this value to Read-Only or Hidden.
Note: These settings are recommended for a normal configuration. However, if your
tenant has multiple VLANs and has end users who are knowledgeable about
networking (for example, if you are configuring a test environment for a group of
software developers) you could allow these users to choose their own VLAN selecting
the Refined check box, select multiple VLANs in the Default list, and set the Access to
Read-Write.
Virtual machines commissioned from this template will include this Stealth for Secure
Private Cloud COI Set.
• Default:
Creating and Managing Tenant Configurations
- Enter one COI Set Name from Table 1–33 in the tenant worksheet.
- If Stealth for Secure Private Cloud is not included in your environment, leave
this box blank.
• Access: For security, set this value to Hidden.
Note: Do not set any Further Constraints. This value should be read-only or hidden
from the user, and so further constraints are meaningless.
3850 6804–007 6–19

Creating and Managing Tenant Configurations
6.5.4. Virtual Machine Additional Instructions
Table 6–7. Virtual Machine Additional Instruction Attributes and Values
Attribute Name
and Description Values
Operator Action
Required
Determines
whether additional
operator actions
can be requested.
Operator Action
Instructions
Lists all required
operator actions.
VM Migration
Specifies whether a
virtual machine
should be migrated
from an earlier
version of the
Secure Private
Cloud.
• Default:
- Select None if you do not want to set a default.
- Select True if you want to specify that additional operator actions can be
requested by default.
- Select False if you want to specify that additional operator actions cannot be
requested by default.
• Access: Set this value to Read-Write if you want to allow the user to select
whether additional operator actions can be requested, or set this value to
Hidden if you want to specify whether additional operator actions can be
requested.
Note: If you set the Default to None, you must set the Access to Read-Write.
If Operator Action Required is True, this text box provides a place for the user to enter
required actions.
• Default: Leave this box blank, or enter parameters that help the user to enter
meaningful operator actions. For example, enter:
Additional required disk size (in GB):
Additional software:
Additional memory (in GB):
Note: The user can overwrite any text you enter.
• Access:
- Set this value to Read-Write if Operator Action Required is True or if you
allowed the user to specify this setting.
- Set this value to Hidden if Operator Action Required is False.
Unisys service consultants use this attribute to migrate virtual machines from earlier
versions of the Secure Private Cloud environment.
Note: Unless you are a Unisys service consultant migrating virtual machines from an
earlier version of the Secure Private Cloud, you must not change these values.
• Default: Enter True if you are migrating a virtual machine.
• Access: Select Hidden.
6–20 3850 6804–007

Table 6–7. Virtual Machine Additional Instruction Attributes and Values (cont.)
Attribute Name
and Description Values
Migration VM
Name
Specifies the name
of the virtual
machine to be
migrated.
Unisys service consultants use this attribute to list the name of the virtual machine
being migrated from an earlier version of the Secure Private Cloud environment.
Note: Unless you are a Unisys service consultant migrating virtual machines from an
earlier version of the Secure Private Cloud, you must not change these values.
Default: If VM Migration is True, enter the name of the VMware virtual machine that
you want to migrate. Otherwise, leave this box blank.
Access: Select Hidden.
Table 6–8. Resource Pre-Expiration Notification
Attribute Name
and Description Values
Provide Lease
Details
Specifies
whether the user
should be notified
in advance when
the resource
lease will expire.
Creating and Managing Tenant Configurations
• Lease pre-expiration notification: Select one of the following values:
- Do not send pre-expiration notifications: The user does not receive
notice before the resource expires.
- 1 Day: The user receives notice one day before the resource expires.
- 1 Week: The user receives notice one week before the resource expires.
- Custom: Type a Date Value and select a Date Option to determine when
the user should receive notice that the resource will expire.
Enter the Date Value as a whole number, and then select the Date Option as
either Day, Week, Month, or Hour.
For example, enter 12 as the Date Value and select Hour as the Date Option to
notify the user 12 hours before the resource expires.
6.6. Virtual Desktop Attributes and Values
This topic describes the details of all available virtual desktop attributes and values.
3850 6804–007 6–21

Creating and Managing Tenant Configurations
6.6.1. Virtual Desktop General Configuration
Table 6–9. Virtual Desktop Basic Attributes and Values
Attribute Name
and Description Values
Blueprint
Name
Blueprint
Description
The name of the blueprint, which is displayed to administrators, operators, and users.
You enter this value in the tenant worksheet, and when you run the Populator addTenant
or updateTenant effector, this name is used in the Secure Private Cloud portal.
Notes:
• If you update this value in the Secure Private Cloud portal, you must also update it in
the tenant worksheet.
• Blueprint names must following the guidelines in 2.8.4 Naming Guidelines for
Components in the Cloud Environment.
A description of the blueprint, which is displayed only to administrators and operators.
Table 6–10. Virtual Desktop General Configuration Attributes and Values
Attribute Name
and Description Values
Name
Descriptive name
for the resource
being
commissioned (not
the blueprint name).
Assign to User
The name of the
user who will use
the virtual desktop.
• Default: Leave this box blank so that the user can enter a name for the
commissioned resource.
• Access: Select Read-Write.
Note: This user-configured value is used only for display and tracking purposes. It is
not related to the virtual desktop host name.
• Default: Leave this box blank so that the person commissioning the virtual
desktop can enter the user name.
Notes:
- An operator might commission multiple virtual desktops on behalf of a group
of users.
- This value must match the user name as it is configured in Session Manager
during the Virtual Office as a Service deployment.
• Access: Select Read-Write.
6–22 3850 6804–007

6.6.2. Virtual Desktop Additional Instructions
Table 6–11. Virtual Desktop Additional Instruction Attributes and Values
Attribute Name
and Description Values
Operator Action
Required
Determines
whether additional
operator actions
can be requested.
Operator Action
Instructions
Lists all required
operator actions.
• Default:
- Select None if you do not want to set a default.
- Select True if you want to specify that additional operator actions can be
requested.
- Select False if you want to specify that additional operator actions cannot be
requested.
• Access: Set this value to Read-Write if you want to allow the user to select
whether additional operator actions can be requested, or set this value to
Hidden if you want to specify whether additional operator actions can be
requested.
Note: If you set the Default to None, you must set the Access to Read-Write.
If Operator Action Required is True, this text box provides a place for the user to enter
required actions.
• Default: Leave this box blank, or enter parameters that help the user to enter
meaningful operator actions. For example, enter:
Additional software:
Note: The user can overwrite any text you enter.
• Access:
Creating and Managing Tenant Configurations
- Set this value to Read-Write if Operator Action Required is True or if you
allowed the user to specify this setting.
- Set this value to Hidden if Operator Action Required is False.
3850 6804–007 6–23

Creating and Managing Tenant Configurations
Table 6–12. Resource Pre-Expiration Notification
Attribute Name
and Description Values
Provide Lease
Details
Specifies
whether the user
should be notified
in advance when
the resource
lease will expire.
• Lease pre-expiration notification: Select one of the following values:
- Do not send pre-expiration notifications: The user does not receive
notice before the resource expires.
- 1 Day: The user receives notice one day before the resource expires.
- 1 Week: The user receives notice one week before the resource expires.
- Custom: Type a Date Value and select a Date Option to determine when
the user should receive notice that the resource will expire.
Enter the Date Value as a whole number, and then select the Date Option as
either Day, Week, Month, or Hour.
For example, enter 12 as the Date Value and select Hour as the Date Option to
notify the user 12 hours before the resource expires.
6–24 3850 6804–007

Section 7
Onboarding Tenants, Creating Users,
and Assigning Roles
Perform the procedures in this section to onboard new tenants, create users in Active
Directory, and assign users to roles.
Note: If you experience problems with any of the procedures in this section, see
12.7 Troubleshooting Onboarding Tenants and Users.
7.1. Understanding User Roles
A user role is associated with a set of privileges. When a cloud administrator assigns a
user to a role, the user receives the privileges corresponding to that role. A user can be
assigned to multiple roles.
The user roles are predefined in the Secure Private Cloud portal, but cloud administrators
are responsible for assigning users to roles.
The following are the predefined Secure Private Cloud user roles.
Liferay Administrator
A user in this role has administrative privileges for Liferay, which is the software
foundation of the Secure Private Cloud portal. The Liferay administrator can access the
Liferay menu bar and perform advanced operations.
You should sign on as the Liferay Administrator only when directed, and when you are
done performing the specific operation, you should immediately sign out and sign back in
using your regular administrator credentials.
Cloud Administrator
A user in this role has administrative privileges within the cloud environment to monitor
and manage the cloud on behalf of the cloud provider. For example, cloud administrators
create tenants, monitor tenant usage, and configure tenant and project information in the
Secure Private Cloud portal and other cloud interfaces (for example, the Secure Private
Cloud workbook and RBADB).
Cloud administrators can also define roles and projects for tenant users.
3850 6804–007 7–1

Onboarding Tenants, Creating Users, and Assigning Roles
Cloud administrators receive notifications (by e-mail, by Remedy ticket, or by both) when
any action occurs in the Secure Private Cloud portal. This includes when resources are
commissioned, when operational changes take place, and if any errors occur during the
commissioning process.
Cloud Operator
Cloud User
A user in this role performs any required manual operations for resources being
commissioned and then uses the Secure Private Cloud portal to authorize commissioning
requests. Cloud operators receive notifications (by e-mail, by Remedy ticket, or by both)
when any action occurs in the Secure Private Cloud portal. This includes when resources
are commissioned, when operational changes take place, and if any errors occur during
the commissioning process.
A user in this role does not have privileges to perform actions in the Secure Private Cloud
portal and can only view the resources on the portal. This is a default role for users in the
cloud provider organization who sign in to the portal for the first time. Existing cloud
administrators can assign users in this role to become new cloud administrators or cloud
operators, as appropriate.
Tenant Administrator and Tenant Operator
Tenant User
Users in either of these roles have administrator privileges that are restricted to resources
belonging to the tenant. Tenant administrators and tenant operators can use the Secure
Private Cloud portal to create commissioning requests for the tenant.
Tenant administrators can also define roles and projects for tenant users.
A user in this role can see the tenant data and commission resources using the Secure
Private Cloud portal. As part of the commissioning process, the user making the
commissioning request also receives notifications about the request status.
Machine Owner
A user cannot be assigned to this role, because this role is dedicated to users that either
initially created a resource or had the ownership of a resource transferred to them.
A machine owner commissions a resource and is responsible for deciding when any
associated actions should be performed, including starting, stopping, taking snapshots,
and so on. The machine owner is also responsible for the maintenance of the applications
that run on the machine. The machine owner remains in this role as long as the
commissioned resource exists and ownership is not transferred to another user.
7–2 3850 6804–007

7.2. Adding Tenants, Projects, and User Roles to the
Secure Private Cloud Portal
Perform the procedures in this topic to onboard new tenant organizations in the Secure
Private Cloud portal.
7.2.1. Tenant Onboarding Overview
Use the Onboard New Tenant function, which is available from the Secure Private Cloud
Administration tab, to onboard new tenants and configure the following:
• Tenant organization name and organization alias
• Default user role
• User roles and permissions
• Tenant projects
7.2.2. Onboarding a New Tenant
To onboard a new tenant, do the following:
1. Sign in to the Secure Private Cloud portal using your cloud administrator credentials.
2. Ensure that the tenant workbook file (Tenant-.xml) is accessible from
the system that you are using to access the Secure Private Cloud portal.
3. Select the Administration tab, click Onboard Tenants and then click Browse.
The Choose File to Upload dialog box appears.
4. Navigate to the XML file of the new tenant that you want to onboard and click Open.
5. Click Onboard New Tenant.
A confirmation message appears.
6. Click OK to confirm.
When you upload the Tenant-.xml file, it is validated. An error
message appears if a tenant with the same name already exists.
CHECKPOINT:
Onboarding Tenants, Creating Users, and Assigning Roles
• Do the following to verify that the tenant organization appears correctly in the Secure
Private Cloud portal:
1. Sign in to the Secure Cloud Portal using the URL from Table 2–2 and the Liferay
administrator credentials from Table 2–1.
2. Click OK when you receive one or more errors that there has been an error
processing your request or that you do not have permission to view requests.
3. At the top of the window, directly below the browser address bar, select
Manage, and then click Control Panel.
4. In the left pane, under Portal, click Organizations.
3850 6804–007 7–3

Onboarding Tenants, Creating Users, and Assigning Roles
The Organization names for each tenant are displayed.
5. Ensure that Regular Organization is displayed in the Type column for each
organization.
6. Click the tenant name for the tenant you onboarded. The detail page appears.
7. Click Custom Fields in the right pane.
8. Verify that the fields are populated with the values from Table 1–24. This includes
the Default Role Name (in the worksheet, Tenant initial logon role), Organization
Alias (Tenant email suffix), and Default Project (Tenant initial logon project).
• Do the following to verify that the roles have been created for the new tenant and that
the permissions have been set appropriately in the Secure Private Cloud portal:
1. In the left pane of the Control Panel, under Portal, click Roles.
2. Verify that the following roles exist for each tenant:
- _Administrators
- _Operators
- _Users
- _MachineOwner
7.3. Creating Secure Private Cloud Users in Active
Directory
Perform the following procedure to create Secure Private Cloud users in Active Directory.
This includes cloud provider users (who you want to administer and operate the cloud
environment), as well as tenant administrators, operators, and users.
Do the following:
1. Access Active Directory Users and Computers.
2. To create one or more users, do the following:
a. Right-click Users, point to New, and then click User.
The New Object – User page appears.
b. In the First name box, enter the first name of the user.
c. In the Last name box, enter the last name of the user.
d. In the User Logon name box, enter a name that will be used to identify this user
in Active Directory.
Note: The User Logon name cannot contain any spaces or special characters,
or the user will not be able to sign in to the Secure Private Cloud portal.
e. Click Next.
f. In the Password box, enter a password that will be used to sign into the Secure
Private Cloud portal.
g. In the Confirm password box, reenter the password.
7–4 3850 6804–007

Note: Ensure that the User must change password at next logon check
box is not selected. If the check box is selected, the user will not be able to sign in
to the Secure Private Cloud portal.
h. Click Next.
i. Click Finish.
j. Right-click the user that you just created, and select Properties.
k. Enter the e-mail address in the Email box.
Notes:
Onboarding Tenants, Creating Users, and Assigning Roles
• The e-mail address you enter will be used to sign in to the Secure Private
Cloud portal.
• The e-mail address can contain special characters (such as a hyphen);
however, an alphanumeric character must appear both before and after each
special character.
• If you are entering a cloud provider user, the e-mail address suffix that you
enter must match the cloud provider “E-mail suffix” in Table 1–8. If you are
entering a tenant user, the e-mail address suffix that you enter must match
the “Tenant E-mail Suffix” in Table 1–24.
l. Click Apply, and then click OK.
3. Repeat the previous steps to create additional users.
4. Only if you are adding a cloud administrator or operator or tenant administrator or
operator, sign in to the Secure Private Cloud portal using the URL from Table 2–2 and
the e-mail address and password you configured in Active Directory.
After signing in successfully, you can immediately sign out and then sign in as the next
administrator or operator.
Note: Do not perform this step for tenant users.
7.4. Assigning Cloud Provider and Tenant Users to
Roles, and Assigning Tenant Users to Projects
When a new user signs in to the Secure Private Cloud portal for the first time, the
credentials are validated using Active Directory, and then the user is assigned to the
default user role for the organization (based on the e-mail address suffix used to sign in).
For example, if the e-mail suffix for the cloud provider is cloudprovider.com as configured
in Table 1–8, a new user who signs in as john.doe@cloudprovider.com is automatically
assigned to the default cloud provider user role.
New tenant users who sign in to the portal for the first time are assigned to the default role
and default project for their tenant organization in the same way, based on the tenant
e-mail suffix in Table 1–24.
3850 6804–007 7–5

Onboarding Tenants, Creating Users, and Assigning Roles
Assigning Users to Roles
Do the following to assign the cloud administrators and operators, as well as tenant
administrators and operators, to their appropriate role:
1. Sign in to the Secure Private Cloud portal using the URL in Table 2–2 and your cloud
administrator credentials.
Note: During the initial implementation, your Unisys service consultant configured
one cloud administrator, based on the Cloud Administrator user information for the
initial cloud administrator user in Table 1–8. This initial cloud administrator can assign
other cloud users to the cloud administrator role.
2. Select the Administration tab, and then select Role and Project Membership
in the left pane.
The Role Membership Tenant, Folders & Projects portlet appears.
3. To assign a cloud provider user to a cloud administrator or operator role, click Cloud
under Tenant, Folders & Projects.
To assign a tenant user to a tenant administrator, operator, or user role, click the tenant
name under Tenant, Folders & Projects.
The list of users associated with the cloud provider or tenant organization appears
under Users.
4. Click Assign to Role.
The Assign Role dialog box appears.
5. Assign the users to the appropriate role by selecting the appropriate check box next to
the user name.
Note: If appropriate, you can assign multiple roles to a user.
6. Click Save.
If necessary, use this procedure to update a user’s assigned role.
Assigning Tenant Users to Projects
Do the following to assign tenant users to projects.
Note: Cloud administrators and cloud operators are not assigned to projects, because
they are able to administer all tenants and projects.
1. On the Role Membership Tenant, Folders & Projects portlet, select a tenant project.
Under Users, you see a list of all users currently assigned to the project.
2. Click Assign to Project.
The Assign Projects dialog box appears. The Assign Projects dialog box includes all
tenant users, whether or not they are assigned to the particular project.
3. Select the check box next to the user name to assign a user to that project, or clear the
check box next to the user name to remove a tenant from a project.
7–6 3850 6804–007

Note: If you want to assign all of the tenant users to a project, select the check box in
the heading (next to the Last Name label).
4. Click Save.
Onboarding Tenants, Creating Users, and Assigning Roles
If necessary, use this procedure to update a user’s assigned project.
7.5. Checkpoint: Commissioning a Resource
Do the following to verify that you can commission a resource:
1. From a workstation on the Public Network, sign in to the Secure Private Cloud portal
using the URL in Table 2–2 and log in as a user who has permission to commission a
resource.
Note: It is recommended that you log in as a user, not as an administrator or
operator.
2. Click Commission and Manage, and then click Commission Resources in the
left pane.
3. Under Projects, select the project associated with the blueprint you want to
commission.
The Blueprint pane is updated to list all blueprints associated with the project.
4. Under Blueprints, select the blueprint you want to commission, and then click
Commission.
5. Enter values for the blueprint attributes that were marked as Read-Write during the
blueprint creation, and click Next to advance to the next set of blueprint attributes.
At minimum, you must enter a Name for the virtual machine on the General
Configuration page. (This is a name that you designate and use for your own
reference; it is not the virtual machine host name.)
See the Secure Private Cloud Interface Help (8207 3115) for more information about
the values that users should enter when commissioning a blueprint.
6. Click Finish to begin the process of commissioning the virtual machine.
7. To monitor the progress of the virtual machine commissioning, do the following:
a. Select Manage Requests in the left pane.
b. Select the request in the Request Overview pane, and view details and status
in the Request Details and Request Status tables.
8. When you receive notification that the new resource is available, connect to the virtual
machine using the remote access method specified in the template (for example,
using Remote Desktop, VNC, or SSH).
If you are using tenant VLANs to isolate tenant resources, and if you have not
configured Public Network access for this resource, you must connect from the
tenant’s home site or from the console of another virtual machine associated with the
same tenant.
Verify that you can log on using the credentials specified in the e-mail message or
ticket.
3850 6804–007 7–7

Onboarding Tenants, Creating Users, and Assigning Roles
Note: If you access the virtual machine before the commissioning is finalized, you
might see the Sysprep process in action. Do not respond to these dialog boxes,
because they are handled automatically during the Sysprep process.
When complete, decommission the virtual machine using the Secure Private Cloud portal,
to ensure that you do not use an operating system license.
Note: The Secure Private Cloud portal is the only interface you should use to
decommission (delete) virtual machines.
7–8 3850 6804–007

Section 8
Additional Networking Configuration
This section includes additional networking configuration, including directions on Stealthenabling
existing tenant VLANs, enabling inbound connections from the Internet for tenant
VLANs, configuring the load balancer included with the Secure Private Cloud, and setting
tenant VLAN firewall exceptions for VLANs belonging to the same tenant. These
procedures are optional. Perform them as appropriate for your network environment.
8.1. Enabling Stealth for an Existing Tenant VLAN
You can enable Stealth on an existing tenant VLAN if there are no resources running on the
VLAN.
If there are resources running on the VLAN that you do not need to keep, use the Secure
Private Cloud portal to decommission these resources before continuing with this topic.
See 11.1 Stopping and Decommissioning Virtual Machines or 11.2 Stopping and
Decommissioning Physical Machines for more information. If there are resources running
on the VLAN that cannot be decommissioned, contact your Unisys service consultant.
Note: You do not need to perform this procedure if you are configuring a new tenant
VLAN that you have already identified as Stealth-enabled in the tenant workbook when
you perform the procedures in Section 5, Implementing a New Tenant VLAN. Only
perform this procedure if you want to Stealth-enable a VLAN that you have already
configured as non-Stealth-enabled.
Do the following to modify a configured tenant VLAN to be Stealth enabled:
1. Modify the tenant worksheet to enable Stealth for the VLAN by entering the
appropriate information in the following tables:
a. Table 1–26
b. Table 1–31
c. Table 1–32
d. Table 1–34 and Table 1–35
2. Validate and export the tenant worksheet. See 1.1.5 Validating the Workbook and
1.1.6 Exporting the Data for more information.
As instructed in 1.1.6 Exporting the Data, copy the Tenant-.xml file to
the jump box management VM in the C:\ProgramData\Unisys\SPC-Automation\xml
directory.
3850 6804–007 8–1

Additional Networking Configuration
3. Use a vSphere Client to connect to the vCenter server that is managing the workload
servers.
4. Create the clear text VLAN associated with this tenant VLAN using one of the options
in 5.2.2 Configuring Access to Tenant VLAN Networks and Tenant Interconnect.
Use the information in Table 1–26 to create the clear text VLAN.
5. Locate the tenant VLAN network appliance that is connected to the existing tenant
VLAN. The name of the tenant VLAN network appliance is the Host name value in
Table 1–25.
6. Select the tenant VLAN network appliance in the left pane, and then click Edit
Settings under Commands.
The Properties dialog box appears.
7. Select the Network adapter that is connected to this tenant VLAN in the left pane.
8. In the right pane, under Network Connection, change the Network label from the
existing tenant VLAN to the clear text VLAN associated with this tenant VLAN.
9. Click OK to close the Virtual Machine Properties dialog box.
10. Prepare Stealth-enabled versions of any templates that you want to use on the
Stealth-enabled VLAN, as described in 4.3 Preparing an Existing Virtual Machine or
Template for a Stealth-Enabled VLAN.
11. Perform the following procedures in Section 6, Creating and Managing Tenant
Configurations:
a. Update the tenant information, as described in 6.1 Updating Cloud Provider or
Adding Tenant Information in the Secure Private Cloud Environment.
b. Configure the Stealth-enabled VLAN, as described in 6.2 Configuring Stealth-
Enabled VLANs.
c. Refine blueprints for the Stealth-enabled VLAN, as described in 6.4 Creating
Blueprints and 6.5 Virtual Machine Attributes and Values.
8.2. Configuring Network Appliances for Inbound
Internet Connections
Note: Perform this procedure if Table 1–25 indicates that Internet Access – Incoming is
Yes for this tenant.
Tenant VLANs commonly use IP address ranges to which messages from the Internet
cannot be routed. These include
• Addresses that are defined as non-routable (any addresses in the ranges
192.168.0.0/16, 10.0.0.0/8, or 172.16.0.0 through 172.31.255.255)
• Addresses that are outside of those ranges but are effectively non-routable if they are
misplaced relative to their expected location in the Internet network topology
Users on the Internet cannot initiate an inbound connection to any Secure Private Cloud
virtual machines that have a non-routable address on the tenant VLAN.
8–2 3850 6804–007

However, if the tenant requires inbound Internet connections (for example, if the tenant is
running a Web application on the VLAN) then the tenant’s Internet users must be able to
initiate connections to the appropriate Web sites. To enable these types of connections,
you must configure the tenant VLAN network appliance to enable selected inbound
connections to reach that application. This configuration involves Network Address
Translation (NAT) forwarding rules and firewall rules.
For the NAT forwarding rules to work properly, any tenant virtual machines that are running
Web servers must have a static IP address on the tenant VLAN. This is necessary
because the NAT rules are based on IP addresses rather than on host names.
To plan the static IP addresses for your Web servers, refer to Table 1–26. Select static IP
addresses in the tenant VLAN subnet range for the tenant VLAN, making sure to avoid
addresses in the DHCP range. Record the static IP address that you assign so you do not
reuse them for any other virtual machines.
8.2.1. Disabling Internet Access for Tenant Virtual Machines
If the tenant does not have any requirement for inbound Internet connections, you can
disable the eth0 adapter to prevent all Internet connections. Do the following:
1. Run the vSphere Client and connect to the vCenter server that is managing the
workload servers.
2. From the View menu, point to Inventory, and then click VMs and Templates.
3. In the left pane, right-click the tenant VLAN network appliance, and click Edit
Settings.
4. On the Virtual Machine Properties dialog box, click the Hardware tab, and then click
the network adapter used to enable Internet access.
By default, this is Network Adapter 1. In Linux operating systems, this adapter is
referred to as eth0.
5. In the right pane, clear the Connected check box, and clear the Connect at Power
On check box.
6. Click OK.
Additional Networking Configuration
8.2.2. Understanding Inbound Connection Limitations
The pre-supplied tenant VLAN network appliance template has firewall settings configured
to disallow new inbound connections. The CUST_PUBLIC_IN firewall rule set includes the
clause default-action drop, which means that all traffic is blocked unless otherwise
specified. The CUST_PUBLIC_IN rule set is assigned as an in-filter of the Internet adapter
(eth0). An in-filter affects all traffic that enters through the Internet adapter and traverses
the network appliance to another destination.
In the tenant VLAN network appliance template, the CUST_PUBLIC_IN also includes an
exception to allow inbound traffic for sessions that were originally initiated by the tenant
virtual machines. This exception is implemented in rule 100, as follows:
3850 6804–007 8–3

Additional Networking Configuration
name CUST_PUBLIC_IN {
default-action drop
rule 100 {
action accept
state {
established enable
}
}
}
8.2.3. Providing a Public Source IP Address in Outbound
Packets
By default, network packets include the IP address of the source that created the packet.
This means that outbound packets include the IP address of the tenant virtual machines.
Since this IP address is usually non-routable, it would be impossible for any response to
find its way back to the virtual machine.
To enable two-way traffic, the source IP address of any outbound packets must be
translated into a public IP address of the network appliance. The tenant VLAN network
appliance might have already been configured with this NAT masquerade rule when it was
deployed.
CHECKPOINT:
To verify this rule, or to configure the rule if needed, do the following:
1. Using vSphere, connect to the vCenter server, and launch a console to the tenant
VLAN network appliance.
2. Log on using the credentials for the tenant VLAN network appliance.
3. Enter the following command:
configure
4. Enter the following command:
show service nat
5. Review the output to determine if there is a rule with its type set to masquerade and
a source IP address range for the tenant VLAN.
If the rule is present, it looks like the following:
Rule 90 {
outbound-interface eth0
source {
address 192.168.103.0/23
}
type masquerade
}
If the rule is defined, no further action is required.
8–4 3850 6804–007

If you need to configure the rule, do the following:
a. Assuming that the tenant VLAN addresses are in the range 192.168.103.0, enter
the following commands:
set service nat rule outbound-interface eth0
set service nat rule source address 192.168.103.0/24
set service nat rule type masquerade
Note: The rule number must meet the following requirements:
• It must be the same in all three commands.
• It must be a rule number that is not currently in use.
• It should be separated by other rule values by at least 10.
b. Enter the following command:
commit
c. Enter the following command:
save
6. Enter the following command to exit configuration mode:
exit
8.2.4. Enabling Inbound Internet Connections
Additional Networking Configuration
Some of your tenants might require inbound Internet connections, for example for a Web
application such as an E-store. These types of Web applications must allow inbound
connections to be initiated by Internet end users. To configure access to these types of
Web applications, you must do the following:
1. Optionally, configure an additional IP address on the public NIC of the tenant VLAN
network appliance.
2. Configure a NAT rule to forward traffic from the network appliance to the virtual
machine hosting the Web application.
3. Configure a firewall rule to allow traffic to reach the virtual machine hosting the Web
application.
NAT rules and firewall rules can optionally be configured to specify port numbers in
addition to IP addresses. The use of port numbers enables more precise control over how
the target virtual machine can be accessed. If the tenant is running multiple Web
applications on the same VLAN, these applications can be accessed through a shared IP
address with distinct port numbers, or through distinct public IP addresses on the network
appliance.
The following examples describe configurations that use shared and unique public IP
addresses. Use this information to help configure Web application routing, as appropriate
for your Secure Private Cloud environment.
3850 6804–007 8–5

Additional Networking Configuration
Shared Public IP Address Example
In this example, a tenant is running a Web application on a virtual machine. This application
is named PetStore.
If you want end users to access the PetStore Web site URL using the public IP address of
the tenant VLAN network appliance with a port number as part of the Web address, you
can use this type of configuration. Typically, you should choose a port number in the range
of 49152–65535, which is the range defined by the Internet Assigned Numbers Authority
(IANA) for dynamic or private ports.
For the PetStore example, end users enter http://192.59.196.38:49152, assuming that
192.59.196.38 is the public IP address of the tenant VLAN network appliance and 49152 is
the port number that identifies the PetStore Web application. The PetStore Web server is
a target virtual machine with the address 192.168.100.101, and the PetStore Web
application uses the default port for HTTP traffic (port 80) and the default port for HTTPS
traffic (port 443).
To enable access to the PetStore Web site using the shared public IP address and port
number, do the following:
1. Access the virtual machine that is hosting the PetStore Web application, and log on to
Windows.
2. Use the standard Windows method to configure a fixed IP address on the tenant
VLAN (private IP address). For example, set the IP address to 192.168.100.101.
3. Using vSphere, connect to the vCenter server, and launch a console to the tenant
VLAN network appliance.
4. Log on using the credentials for the tenant VLAN network appliance.
5. Enter the following command:
configure
6. Enter the following command to list the existing NAT rules:
show service nat
Make a note of the highest rule number that is currently in use. Add at least 10 to
this number to determine the rule number that you create in the next step.
7. To configure a forwarding rule for inbound traffic (in this example, rule 100) from the
public IP address (in this example, 192.59.196.38:49152) to the private IP address (in
this example, 192.168.100.101:80), enter the following commands:
set service nat rule 100 type destination
set service nat rule 100 protocol tcp_udp
set service nat rule 100 inbound-interface eth0
set service nat rule 100 destination address
192.59.196.38
set service nat rule 100 destination port 49152
set service nat rule 100 inside-address address
192.168.100.101
set service nat rule 100 inside-address port
8–6 3850 6804–007

Use a rule number that is not currently in use, and use appropriate IP addresses for
your environment. Use the appropriate port if your Web application uses HTTP (80)
or HTTPS (443), and it accepts both HTTP and HTTPS, perform this step twice (once
using each port number).
8. Enter the following command to display the current set of rules for the
CUST_PUBLIC_IN firewall group:
show firewall name CUST_PUBLIC_IN
Make a note of the highest rule number in use by this firewall group.
9. If your Web application uses HTTP traffic, enter commands in the following format to
set a firewall exception:
set firewall name CUST_PUBLIC_IN rule
protocol tcp_udp
set firewall name CUST_PUBLIC_IN rule
action accept
set firewall name CUST_PUBLIC_IN rule
destination address
set firewall name CUST_PUBLIC_IN rule
destination port
For the , use a number at least 10 higher than the highest rule
number that is currently in use. For the , use the IP address
of the Web server (192.168.100.101, in the PetStore example). For the , use the port number that the Web server expects for HTTP traffic (port 80,
in the Pet Store example).
10. If your Web application uses HTTPS traffic, enter commands in the following format
to set a firewall exception:
set firewall name CUST_PUBLIC_IN rule
protocol tcp_udp
set firewall name CUST_PUBLIC_IN rule
action accept
set firewall name CUST_PUBLIC_IN rule
destination address
set firewall name CUST_PUBLIC_IN rule
destination port
For the , use a number at least 10 higher than the highest rule
number that is currently in use. For the , use the IP address
of the Web server (192.168.100.101, in the PetStore example). For the , use the port number that the Web server expects for HTTPS traffic (port
443, in the Pet Store example).
11. Enter the following command:
commit
12. Enter the following command:
save
Additional Networking Configuration
3850 6804–007 8–7

Additional Networking Configuration
If you need to map additional Web applications to use the public IP addresses on the
tenant VLAN network appliance, repeat the previous procedure with a different port
number for the public IP address (49152 in the previous example) and a different private IP
address (192.168.100.101 in the previous example).
Unique Public IP Address Example
In this example, a tenant is running a Web application on a virtual machine. This application
is named AutoParts.
If you want to simplify the AutoParts Web site URL and prevent end users from having to
enter a port number as part of the Web address, you can assign an additional public IP
address to the public (eth0) NIC on the network appliance. Then, you can configure
forwarding from this IP address to the virtual machine that is hosting the AutoParts Web
application, as follows:
1. Access the virtual machine that is hosting the AutoParts Web application, and log on
to Windows.
2. Use the standard Windows method to configure a fixed IP address on the tenant
VLAN (private IP address). For example, set the IP address to 192.168.100.102.
3. Using vSphere, connect to the vCenter server, and launch a console to the tenant
VLAN network appliance.
4. Log on using the credentials for the tenant VLAN network appliance.
5. Enter the following command:
configure
6. Add a public IP address for the virtual machine that is hosting the AutoParts Web
application by entering the following command:
set interfaces ethernet eth0 address 192.59.196.39/24
In this example, the IP address is 192.59.196.39/24. Use an appropriate IP address
for your environment.
7. Enter the following command to list the existing NAT rules:
show service nat
Make a note of rule numbers that are not in use.
8. To configure a forwarding rule for inbound traffic (in this example, rule 110) from the
public IP address (in this example, 192.59.196.39) to the private IP address (in this
example, 192.168.100.102), enter the following commands:
set service nat rule 110 type destination
set service nat rule 110 protocol tcp_udp
set service nat rule 110 inbound-interface eth0
set service nat rule 110 destination address
192.59.196.39
set service nat rule 110 inside-address address
192.168.100.102
8–8 3850 6804–007

Use a rule number that is not currently in use, and use appropriate IP addresses for
your environment.
9. Depending on whether your Web application uses HTTP or HTTPS traffic, enter the
following commands to set a firewall exception. If you want to use HTTP, enter 80
for the port in the following commands, and if you want to use HTTPS,
enter 443 for the port .
If your Web application accepts both HTTP and HTTPS, enter the following
commands twice. The first time you enter these commands, use rule 300 and port
80. The second time you enter these commands, use a different rule number and
port 443.
Enter the following commands:
set firewall name CUST_PUBLIC_IN rule 300
protocol tcp_udp
set firewall name CUST_PUBLIC_IN rule 300
action accept
set firewall name CUST_PUBLIC_IN rule 300
destination address 192.168.100.102
set firewall name CUST_PUBLIC_IN rule 300
destination port
set interfaces ethernet eth0 firewall in
name CUST_PUBLIC_IN
Note: Regardless of whether you enter these commands once or twice, use a rule
number that is not currently in use, and use the appropriate IP addresses for your
environment.
Use the appropriate destination IP address for your environment, which is the static IP
address of the Web application on the tenant VLAN network. Do not use the public IP
address, because the destination NAT rule translates the destination IP address before
the packet reaches the firewall.
10. To change the source address of outbound traffic from the Auto Parts Web server so
the source appears to be the public address (in this example, 192.59.196.39), enter
the following commands:
set service nat rule 5 type source
set service nat rule 5 outbound-interface eth0
set service nat rule 5 source address
192.168.100.102
set service nat rule 5 outside-address address
192.59.196.39
Use appropriate IP addresses for your environment.
Note: The rule number for this rule must be lower than the number of the
masquerade rule that you established previously, as discussed in 8.2.3 Providing a
Public Source IP Address in Outbound Packets. Otherwise, the masquerade rule
would take precedence.
11. Enter the following command:
commit
12. Enter the following command:
Additional Networking Configuration
3850 6804–007 8–9

Additional Networking Configuration
save
If you need to map additional Web applications to other public IP addresses on the tenant
VLAN network appliance, repeat the previous procedure with a different public IP address
(192.59.196.39 in the previous example) and a different private IP address
(192.168.100.102 in the previous example).
8.3. Configuring an HAProxy Load Balancer for Web
Applications
The following topics describe how to configure a new HAproxy load balancer for Web
applications. These instructions are for the open source HAproxy load balancer
(http://haproxy.1wt.eu/).
The load balancer virtual machine and all Web servers that use the load balancer must be
configured with static IP addresses. To plan the static IP addresses, refer to Table 1–26.
Select static IP addresses in the tenant VLAN subnet range for the tenant VLAN, making
sure to avoid addresses in the DHCP range. Record the static IP address that you assign
so you do not to reuse them for any other virtual machines.
8.3.1. Deploying a New HAProxy Virtual Machine
To deploy a new HAProxy virtual machine, do the following:
1. Deploy a new virtual machine from the HAproxy Load Balancer template.
(4.4 Importing Tenant VLAN Network Appliance and Load Balancer Templates
describes how to import this template.)
a. Using vSphere, connect to the vCenter server that is managing the workload
servers.
b. Deploy a virtual machine using the HAproxy Load Balancer template. Select the
following options when deploying the virtual machine:
• For Disk Format, select Same format as source.
• For Guest Customization, select Do not customize.
• Do not enable the option Power on the virtual machine after creation.
c. After the new VM is created, select the Edit Settings option and configure the
Network Adapter setting to the appropriate tenant VLAN. Make sure to select the
Connect at power on option for the Network Adapter.
d. Click OK to save the settings.
e. Power on the virtual machine.
2. Open a console to the new virtual machine and log in, using the user id spcadmin and
password U*spc2341.
3. To assign the static IP address to the load balancer virtual machine and change the
host name, first enter the appropriate IP addresses and host name in the following
table:
8–10 3850 6804–007

IP address
Subnet mask
Property Value
Gateway address (the tenant VLAN network appliance IP
address on the tenant VLAN)
Host name
Configure the IP addresses and change the host name, as follows:
a. Select System, point to Administration, and then click Network.
Note: If you are prompted to enter a password, enter U*spc2341.
The Network Settings dialog box appears.
b. Select the appropriate Ethernet connection and click Properties.
The Properties dialog box opens for the connection.
c. Select Static IP address in the Configuration list.
d. Enter the IP address, subnet mask, and gateway address from the preceding table
in the appropriate boxes.
e. Click OK to save the changes and close the dialog box.
f. In the Network Settings dialog box, select the General tab, enter the new
host name in the Host name box, and click Close to save all changes.
A message box appears stating that the host name is changed.
g. Click Change Host name on the message box.
h. Click Close to close the Network Settings dialog box.
4. Reboot the HAProxy virtual machine.
5. Configure inbound port forwarding on the tenant VLAN network appliance to forward
inbound traffic from the Internet to the load balancer. Refer to 8.2 Configuring
Network Appliances for Inbound Internet Connections for instructions on configuring
inbound port forwarding.
Note: When configuring the firewall rule for inbound port forwarding for the
destination address and destination port, use the IP address and the port number of
the Inside IP address and Inside IP address port from the following table.
Address Type Comment Value
Destination IP
address:
The IP address of the tenant VLAN network
appliance connected to your Public Network,
which is labeled the Public Network.
Additional Networking Configuration
3850 6804–007 8–11

Additional Networking Configuration
Address Type Comment Value
Destination IP
address port:
The port number that end users must append to
the destination IP address in order to access
your Web application.
Inside IP address: The IP address of this load balancer on the
tenant VLAN.
Inside IP address
port:
The port number set for the load balancer in the
haproxy.cfg file. By default, the port number in
the file is set to 80.
8.3.2. Configuring the HAProxy Configuration File
Next, perform the following procedure to configure an HAproxy configuration file. A
sample configuration file named haproxy.cfg is stored at /etc/Unisys/Loadbalancer/. You
can modify this file or start a new configuration file and save it with a .cfg extension.
The following instructions use the sample HAproxy configuration file to explain which
fields need to be modified and the purpose of the fields. In order to modify the files, you
must be logged in as root.
Perform the following procedure to log in as root and configure the file:
1. Open a Terminal window on the LoadBalancer appliance console.
2. Enter the following command to log in as root:
su
3. When you are prompted for a password, enter
U*spc2341
4. Enter the following command to open the HAProxy configuration file so that you can
edit it:
vi /etc/Unisys/Loadbalancer/haproxy.cfg
This file defines a group (“listen” block) called LOAD_BALANCER that contains 2
servers: WEB_SERVER_1 and WEB_SERVER_2. The sample configuration file is as
follows:
global
# Sets the maximum per-process number of concurrent connections.
# Proxies stop accepting connections when this limit is reached.
maxconn 4096
# Writes pids of all daemons into file.
# The file must be accessible to the user starting the process.
pidfile /var/run/haproxy.pid
# Makes the process fork into background. This is the recommended
# mode of operation.
8–12 3850 6804–007

daemon
defaults
mode http
retries 3
option redispatch
maxconn 2000
contimeout 5000
clitimeout 50000
srvtimeout 50000
listen LOAD_BALANCER aaa.bbb.ccc.ddd:80
mode http
cookie LOAD_BALANCER insert
balance roundrobin
#balance leastconn
option httpclose
option forwardfor
stats enable
stats auth myuser:mypass
server WEB_SERVER_1 ###.###.###.###:8080 #cookie LOAD_BALANCER_01
check
server WEB_SERVER_2 ###.###.###.###:8080 #cookie LOAD_BALANCER_02
check
5. This configuration file uses the roundrobin balance option; to use the leastconn
balance option instead, insert a # sign in front of the “balance roundrobin” line and
remove the # sign from the “balance leastconn” line.
6. Add valid IP addresses and port numbers to the configuration file as follows:
• On the “listen LOAD_BALANCER aaa.bbb.ccc.ddd:80” line, do the following:
- Change aaa.bbb.ccc.ddd to the IP address of the load balancer.
- Update the port number (80) if it is different from the one already in the
configuration file.
• On the “server WEB_SERVER_1 ###.###.###.###:8080” and “server
WEB_SERVER_2 ###.###.###.###:8080” lines, change the
###.###.###.###:8080 to the IP address of the servers. Also change the port
number if it is different from the one already in the configuration file.
7. If needed, customize any field in the configuration file that is shown in uppercase:
• LOAD_BALANCER
• WEB_SERVER_1
• WEB_SERVER_2
• LOAD_BALANCER_01
• LOAD_BALANCER_02
Additional Networking Configuration
3850 6804–007 8–13

Additional Networking Configuration
8. Specify if you want to use the cookie load balancer feature. This feature works as
follows:
• When a user reaches the LOAD_BALANCER group (using http://aaa.bbb.ccc.ddd),
the cookie LOAD_BALANCER is created and the server ID specified for “cookie”
in the servers definitions is stored in it (that is, in LOAD_BALANCER_01 or
LOAD_BALANCER_02).
• With this cookie, HAProxy forces the use of the server stored within the cookie for
the entire session.
The “cookie LOAD_BALANCER insert” line and the “cookie LOAD_BALANCER_XX”
parts in the LOAD_BALANCER group block control this feature. In the sample file, this
feature is disabled. To enable this feature, remove the # that precedes the “cookie
LOAD_BALANCER_XX” parts in the LOAD_BALANCER group block.
9. Determine if you want to enable or disable the statistics page. The HAProxy load
balancer has a built-in statistics page that can be reached from
http://aaa.bbb.ccc.ddd/haproxy?stats.
To enable the statistics page, change the user and password on the “stats auth
myuser:mypass” line.
To disable the statistics page, remove the following lines from the configuration file (or
insert a # before these lines):
• stats enable
• stats auth myuser:mypass
10. Save the configuration file.
11. Verify that the HAProxy service shell script references the appropriate configuration
file. Do the following:
a. Enter the following command to open the haproxy service shell script so that you
can edit it:
vi /etc/init.d/haproxy
b. Locate the line that references the location of the haproxy.cfg file. The line looks
like the following:
CONFIG=/etc/Unisys/Loadbalancer/haproxy.cfg
c. Verify that the line correctly references the path and file, or update it so that it
references the appropriate file.
12. To enable the HAProxy load balancer to start from a shell script, do the following:
a. Enter the following command to open the haproxy service shell script:
sudo vi /etc/default/haproxy
Note: This is not the same file that you opened in the previous step. Be sure to
open /etc/default/haproxy.
b. Change the ENABLED=0 setting to ENABLED=1.
13. Reboot the LoadBalancer appliance.
8–14 3850 6804–007

8.4. Configuring Tenant VLAN Firewall Exceptions
By default, the Secure Private Cloud network configuration does not permit
communication between virtual machines that reside on different tenant VLANs, even if
those VLANs belong to the same tenant.
If your tenants have a specific need to enable communication across VLANs, perform one
of the following procedures:
• 8.4.1 Enabling Selected Tenant VLANs to Communicate
• 8.4.2 Enabling All Tenant VLANs to Communicate
Note: These procedures apply only to tenant VLANs that belong to the same tenant.
Secure Private Cloud does not support communication between tenant VLANs that
belong to different tenants
8.4.1. Enabling Selected Tenant VLANs to Communicate
To enable selected tenant VLANs for a given tenant to communicate with each other, do
the following:
1. Using a vSphere Client that is connected to the vCenter server, open the console to
the tenant VLAN network appliance.
2. Log in, using the vyatta user credentials, and enter the following command:
configure
3. Enter the following command to display the TENANT_VLANS_OUT firewall rule set:
show firewall name TENANT_VLANS_OUT
4. Verify that the output appears as follows:
Additional Networking Configuration
default-action accept
rule 100 {
action drop
source {
group {
network-group TENANT_VLAN_NETWORKS
}
}
}
}
Note: If the TENANT_VLANS_OUT rule set is different than the output shown
previously, then the rule set has previously been customized for your environment.
Refer to the firewall documentation at http://www.vyatta.org/documentation for
assistance in understanding your existing rules. Then, adapt the remaining step in this
procedure as needed for your environment.
5. Add new rules to the TENANT_VLANS_OUT rule set to allow communication between
selected tenant VLANs.
3850 6804–007 8–15

Additional Networking Configuration
The existing rule 100 has the effect of blocking all traffic between different tenant
VLANs. Because rules are enforced in numerical order, any exceptions that you create
should have rule numbers less than 100.
For example, if you want to enable communication between two VLANs whose
address ranges are 192.168.116.0 and 192.168.120.0, you could use the following
commands to create rules 10 and 20:
set firewall name TENANT_VLANS_OUT rule 10
action accept
set firewall name TENANT_VLANS_OUT rule 10
source address 192.168.116.0/24
set firewall name TENANT_VLANS_OUT rule 10
destination address 192.168.120.0/24
set firewall name TENANT_VLANS_OUT rule 20
action accept
set firewall name TENANT_VLANS_OUT rule 20
source address 192.168.120.0/24
set firewall name TENANT_VLANS_OUT rule 20
destination address 192.168.116.0/24
commit
save
The resulting rule set appears as follows:
default-action accept
rule 10 {
action accept
destination {
address 192.168.120.0/24
}
source {
address 192.168.116.0/24
}
}
rule 20 {
action accept
destination {
address 192.168.116.0/24
}
source {
address 192.168.120.0/24
}
}
rule 100 {
action drop
source {
group {
network-group TENANT_VLAN_NETWORKS
}
}
}
8–16 3850 6804–007

}
Rule 10 allows traffic from 192.168.116.0 to reach 192.168.120.0, and rule 20 allows
traffic from 192.168.120.0 to reach 192.168.116.0. However, the existing rule 100
prevents either of these tenant VLANs from communicating with any other tenant VLANs.
Restoring Blocked VLAN Traffic
If you want to undo this change and restore the blocking of traffic between selected
tenant VLANs, delete the rules you created. For example, enter the following:
delete firewall name TENANT_VLANS_OUT rule 10
delete firewall name TENANT_VLANS_OUT rule 20
commit
save
8.4.2. Enabling All Tenant VLANs to Communicate
To enable all tenant VLANs for a given tenant to communicate with one another, do the
following:
1. Using a vSphere Client that is connected to the vCenter server, open the console to
the tenant VLAN network appliance.
2. Log in, using the vyatta user credentials, and enter the following command:
configure
3. Enter the following command to display the TENANT_VLANS_OUT firewall rule set:
show firewall name TENANT_VLANS_OUT
4. Verify that the output appears as follows:
default-action accept
rule 100 {
action drop
source {
group {
network-group TENANT_VLAN_NETWORKS
}
}
}
}
5. Do one of the following, based on the output result:
Additional Networking Configuration
• If the TENANT_VLANS_OUT rule set appears as shown previously, then disable
rule 100 by entering the following commands:
set firewall name TENANT_VLANS_OUT rule 100 disable
commit
save
• If the TENANT_VLANS_OUT rule set is different than the output shown
previously, then the rule set has previously been customized for your
3850 6804–007 8–17

Additional Networking Configuration
environment. Enter commands to disable or delete all rules in this rule set that
have an action value other than accept. For assistance, refer to the firewall
documentation at http://www.vyatta.org/documentation .
Restoring Blocked VLAN Traffic
If you want to undo this change and restore the blocking of traffic between all tenant
VLANs, enter the following commands:
delete firewall name TENANT_VLANS_OUT rule 100 disable
commit
save
8.5. Changing the Predefined IP Address on the
Intercom Network
The Secure Private Cloud is preconfigured to use the 172.31.1.0/24 IP address for all
interfaces that connect to the Intercom Network. If you need to change this IP address
and mask, you can do so by performing the following procedures.
Before you begin this procedure, you should update the cloud provider and tenant
worksheets to reflect the new values you want to use.
8.5.1. Configuring the Jump Box, SQL Server, Portal, WSUS,
Active Directory, and vCenter Server Management VMs
to Use a New Intercom Network IP Address
If you want to use a new Intercom Network IP address, do the following to configure the
SQL Server, Secure Private Cloud portal, WSUS, Unisys-supplied Active Directory, and
vCenter Server management VMs.
Note: You might not be using all of these management VMs.
1. Open a console to the SQL Server management VM.
2. Access Network Connections, and then access the Intercom Network Properties
dialog box for TCP/IPv4.
3. Update the properties to reflect the new Intercom Network IP address values in
Table 1–5.
4. Using Notepad, open the file C:\Windows\System32\drivers\etc\hosts.
5. Update each management VM entry in the hosts file, using the new Intercom
Network IP address values in Table 1–5.
6. Save and close the hosts file.
7. If your environment includes VLANs and you are updating the Unisys supplied Active
Directory management VMs, do the following:
Note: Skip this step if you are updating any other management VMs.
8–18 3850 6804–007

a. Open a command prompt using the Run As Administrator option.
b. Type the following command:
route print
c. Note all of the entries listed in Persistent Routes section.
d. For each Persistent Routes entry that uses the Management Network Appliance
IP address on the Intercom Network as the “Gateway Address,” type the
following command:
route -p change
For example, if the route print command shows the following persistent route:
10.1.1.0 255.255.255.0 172.31.1.200
Change the route to use the new Intercom Network IP of the management
network appliance, as follows:
route -p change 10.1.1.0/24 172.31.2.200
Note: The CIDR notation for each tenant’s VLAN information is in Table 1–26.
Repeat the previous steps to configure the Secure Private Cloud portal management VM.
If you are using the WSUS and VMware Update Manager management VM, repeat the
previous steps on that VM.
If you are using the Unisys supplied Active Directory management VMs, repeat the
previous steps on those VMs.
If you are using the Unisys-supplied vCenter Server management VM, repeat the previous
steps on that VM.
8.5.2. Configuring the uAdapt Controller Management VM to
Use a New Intercom Network IP Address
If you want to use a new Intercom Network IP address, do the following to configure the
uAdapt Controller Management VM:
1. Open a console to the uAdapt Controller Management VM.
2. Open the file /etc/hosts.
3. Update each management VM entry in the hosts file, using the new Intercom
Network IP address values in Table 1–5.
4. Save and close the file.
5. Open the file /etc/sysconfig/network-scripts/ifcfg-eth0.
Additional Networking Configuration
6. Update the IPADDR= line with the new Intercom Network IP address.
3850 6804–007 8–19

Additional Networking Configuration
8.5.3. Configuring the uChargeback Management VM to Use a
New Intercom Network IP Address
If you want to use a new Intercom Network IP address, do the following to configure the
uChargeback management VM:
1. Open a console to the uChargeback management VM.
2. Access Network Connections, and then access the Intercom Network Properties
dialog box for TCP/IPv4.
3. Update the properties to reflect the new Intercom Network IP address values in
Table 1–5.
4. Set the Preferred DNS Server to the new uChargeback Management VM IP
address on Intercom Network. Click OK until you exit the Properties dialog box.
5. Using Notepad, open the file C:\Windows\System32\drivers\etc\hosts.
6. Update each management VM entry in the hosts file, using the new Intercom
Network IP address values in Table 1–5.
7. Save and close the hosts file.
8. Access DNS Manager.
9. In the left pane, expand Forward Lookup Zones.
10. For each zone in the left pane, update the IP addresses of all uChargeback
management VM entries that contains the preconfigured IP address on the Intercom
Network, 172.31.1.3, to use the new IP address.
11. Access the uChargeback Administrator.
In approximately one minute, you see a warning dialog box that you are unable to
connect to the database server. (You receive this warning because you changed the IP
address of the SQL Server management VM.)
12. Click OK.
13. Wait several minutes until the uChargeback Administrator Database Configuration
Wizard appears.
14. In the Database Configuration Wizard, enter the following values:
• Server Name:
• Instance Name:
• Database Name: uChgData
15. Click Finish.
16. When the uChargeback Administrator appears, close it.
17. If your environment includes VLANs, do the following:
a. Open a command prompt using the Run As Administrator option.
b. Type the following command:
route print
8–20 3850 6804–007

c. Note all of the entries listed in Persistent Routes section.
d. For each Persistent Routes entry that uses the Management Network Appliance
IP address on the Intercom Network as the “Gateway Address,” type the
following command:
route -p change
For example, if the route print command shows the following persistent route:
10.1.1.0 255.255.255.0 172.31.1.200
Change the route to use the new Intercom Network IP of the management
network appliance, as follows:
route -p change 10.1.1.0/24 172.31.2.200
Note: The CIDR notation for each tenant’s VLAN information is in Table 1–26.
8.5.4. Configuring the Cloud Orchestrator Management VM to
Use a New Intercom Network IP Address
If you want to use a new Intercom Network IP address, do the following to configure the
Cloud Orchestrator management VM:
1. Open a console to the Cloud Orchestrator management VM.
2. Access Network Connections, and then access the Intercom Network Properties
dialog box for TCP/IPv4.
3. Update the properties to reflect the new Intercom Network IP address values in
Table 1–5.
4. Set the Preferred DNS Server to the new uChargeback Management VM IP
address on Intercom Network. Click OK until you exit the Properties dialog box.
5. Using Notepad, open the file C:\Windows\System32\drivers\etc\hosts.
6. Update each management VM entry in the hosts file, using the new Intercom
Network IP address values in Table 1–5.
7. Save and close the hosts file.
8. Using Notepad, open the file C:\Unisys\uspc\conf\uspcnetwork.config.xml.
9. Using the values from Table 1–5, update the following nodes in the config.xml file:
• udpAddr
• tcpAddr
Additional Networking Configuration
3850 6804–007 8–21

Additional Networking Configuration
10. Restart the following services.
Caution
Before restarting these services, ensure that no commissioning requests are in
progress by responding to all outstanding approval requests and waiting for all
in-progress commissioning requests to be completed.
• Unisys SPC Network Service
• Secure Private Cloud UCO Service
11. If your environment includes VLANs, do the following:
a. Open a command prompt using the Run As Administrator option.
b. Type the following command:
route print
c. Note all of the entries listed in Persistent Routes section.
d. For each Persistent Routes entry that uses the Management Network Appliance
IP address on the Intercom Network as the “Gateway Address,” type the
following command:
route -p change
For example, if the route print command shows the following persistent route:
10.1.1.0 255.255.255.0 172.31.1.200
Change the route to use the new Intercom Network IP of the management
network appliance, as follows:
route -p change 10.1.1.0/24 172.31.2.200
Note: The CIDR notation for each tenant’s VLAN information is in Table 1–26.
After you change the Intercom Network IP address for the Cloud Orchestrator
management VM, you must do the following to change the configuration for the Secure
Private Cloud portal management VM:
1. Open a console to the Secure Private Cloud portal management VM.
2. Using Notepad, open the portal-ext.properties file, which is located in the
following directory: C:\Unisys\liferay-portal-6.0.6\tomcat-
6.0.29\webapps\ROOT\WEB_INF\classes
3. Locate the axis.servlet.hosts.allowed property in the portal-ext.properties file.
4. Enter the new Intercom Network IP address for the Cloud Orchestrator management
VM in the axis.servlet.hosts.allowed property. (Use commas to separate the IP
address numbers.)
8–22 3850 6804–007

5. Save and close the properties file.
8.5.5. Configuring the Management Network Appliance to Use
a New Intercom Network IP Address
If you are using VLANs in your environment and you want to use a new Intercom Network
IP address, perform one of the following procedures to configure the Management
Network Appliance, depending on whether the network appliance is virtual or physical.
If you are not using VLANs, or if you want to use the default Intercom Network IP address,
you can skip this topic.
Configuring a Virtual Management Network Appliance to Use a New
Intercom Network IP Address
If you have a virtual Management Network Appliance, do the following to configure it to
use a new Intercom Network IP address:
1. Return to the console for the jump box management VM.
2. Ensure that the cloud provider XML file on the jump box management VM is up-todate.
3. From the Start menu, point to All Programs, Accessories, and then Windows
PowerShell, and then click Windows PowerShell (x86).
4. Enter the following command from the PowerShell (x86) window on the jump box
management VM:
.\Config-MNAicom.ps1
Additional Networking Configuration
The script configures the Intercom Network on the appliance using the information
from the Cloud Provider XML file.
Note: If you receive a warning message that there are limitations in your VMware ESX
license, this means that the script cannot be completed because the required VMware
license is not installed on the management server. If you receive this warning, you can
either install the required VMware license or perform the steps in 12.6.2 Configuring the
Virtual Management Network Appliance to Use a New Intercom Network IP Address (with
a VMware License Restriction).
Configuring a Physical Management Network Appliance to Use a
New Intercom Network IP Address
If you have a physical Management Network Appliance, do the following to configure it to
use a new Intercom Network IP address.
Note: The following procedure uses commands appropriate for Cisco switches. If you
have another brand of switch, you must adapt these commands for that switch.
3850 6804–007 8–23

Additional Networking Configuration
1. Connect the console cable to the switch and connect to it using the Hyper Terminal, or
connect to the switch using Telnet.
2. Log in to the switch in privileged mode by typing enable, and then responding to the
password prompt.
The prompt changes to end with #. (For example, it changes from MySwitch> to
MySwitch#.)
3. Type the following command to enter configuration mode:
configure terminal
4. Enter the following commands to configure a new gateway IP address for the
Intercom Network VLAN:
interface vlan
ip address
5. Create new access lists with updated Intercom Network IP addressing information
from Table 1–5 and Table 1–20, as follows:
a. Note the current access lists that are using the Intercom Network by entering
the following command:
show access-lists
b. Delete the current access lists that are using the Intercom Network by entering
the following command:
no access-list
c. Create new access lists using the updated Intercom Network information by
entering commands like the following:
access-list permit any
Note: If an access list number is changed from its previous value, ensure the
appropriate access group is updated to use the new number.
6. If NAT rules exist to enable the tenant VLAN to communicate with the DNS on the
uChargeback management VM, use ip nat commands to update the rules to use the
new uChargeback management VM Intercom Network IP address from Table 1–5.
7. Enter the following command to verify the configuration:
show running-config
8. Save the configuration by entering the following command:
copy running-config startup-config
You see the following: Destination Filename [startup-config]?
9. Press Enter.
You see the response [OK].
8–24 3850 6804–007

8.5.6. Configuring a Tenant VLAN Network Appliance to Use a
New Intercom Network IP Address
Perform the following procedure to configure a tenant VLAN network appliance to use a
new Intercom Network IP address range:
1. Revise the worksheet for this tenant by filling out an additional VLAN column in
Table 1–26.
2. Export the worksheet for this tenant to an XML file, as described in 1.1.6 Exporting the
Data.
3. Perform the procedure 5.3.1 Deploying a New Tenant VLAN Network Appliance and
VLAN, skip step 2 (deploying the tenant VLAN network appliance from a template)
because the virtual machine already exists.
If you need to configure more than seven VLANs for the same tenant, you must configure
an additional tenant VLAN network appliance. See 5.3.1 Deploying a New Tenant VLAN
Network Appliance and VLAN.
8.5.7. Configuring the Stealth Components to Use a New
Intercom Network IP Address
Note: If your environment does not include the Stealth for Secure Private Cloud, skip this
topic.
Configuring the Stealth Licensing Server to Use a New Intercom
Network IP Address
If you want to use a new Intercom Network IP address, do the following to configure the
Stealth Licensing management VM:
1. Open a console to the Stealth Licensing management VM.
2. Access Network Connections, and then access the Intercom Network Properties
dialog box for TCP/IPv4.
3. Update the properties to reflect the new Intercom Network IP address values in
Table 1–5.
4. Using Notepad, open the file C:\Windows\System32\drivers\etc\hosts.
5. Update each management VM entry in the hosts file, using the new Intercom
Network IP address values in Table 1–5.
6. Save and close the hosts file.
7. Do the following to reconfigure the SSL certificate on the Stealth Licensing
management VM to use the new Intercom Network IP address:
a. Enter the following command from a command prompt:
netsh http show sslcert
Additional Networking Configuration
3850 6804–007 8–25

Additional Networking Configuration
This command produces output similar to the following example:
SSL Certificate bindings:
-------------------------
IP:port : 172.31.1.14:443
Certificate Hash : 387d7c267b6601571a13124151e0c1020044fe99
Application ID : {1ad74a6e-2af9-4c14-8277-c4a1fa7e2134}
Certificate Store Name : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
The first output line (IP:port) shows the current IP address with which the
certificate is associated.
b. Stop the dynamic licensing service, as follows:
net stop USSL_DynamicLicensing
c. Delete the current association by specifying the IP address (IP:port) in the
following command:
netsh http delete sslcert ipport=
Note: In this example, the IP:port value is 172.31.1.14:443.
d. To associate the certificate with the correct address, enter the following
command:
netsh http add sslcert ipport=
certhash=
appid={1ad74a6e-2af9-4c14-8277-c4a1fa7e2134}
where:
is the new Intercom Network IP address of the
Stealth Licensing management VM.
is the IP address with which the certificate is associated.
Note: The application ID must appear exactly as shown in the example.
e. Start the dynamic licensing service, as follows:
net start USSL_DynamicLicensing
8. If your environment includes VLANs, do the following:
a. Open a command prompt using the Run As Administrator option.
b. Type the following command:
route print
c. Note all of the entries listed in Persistent Routes section.
8–26 3850 6804–007

d. For each Persistent Routes entry that uses the Management Network Appliance
IP address on the Intercom Network as the “Gateway Address,” type the
following command:
route -p change
For example, if the route print command shows the following persistent route:
10.1.1.0 255.255.255.0 172.31.1.200
Change the route to use the new Intercom Network IP of the management
network appliance, as follows:
route -p change 10.1.1.0/24 172.31.2.200
Note: The CIDR notation for each tenant’s VLAN information is in Table 1–26.
Configuring the Virtual Stealth Gateway to Use a New Intercom
Network IP Address
To configure the Virtual Stealth Gateway to use a new Intercom Network IP address, see
10.18.1 Adding COI Sets and Modifying COI Set Members. You must change all filters that
refer to the previous Intercom Network subnet address to refer to the new subnet value.
You must perform this procedure for each Stealth-enabled tenant VLAN.
8.5.8. Updating RBADB to Use the New Intercom Network IP
Address
To update RBADB to use the new Intercom Network IP address, do the following:
1. Perform the procedure in 6.1 Updating Cloud Provider or Adding Tenant Information in
the Secure Private Cloud Environment, running the updateCloudProperties
effector.
After you complete that procedure, return to this topic.
2. If you have any tenants in your environment, and if any of those tenants are using the
uChargeback management VM to act as their DNS server, you must update the
uChargeback management VM IP address on the Intercom Network for each tenant.
To do so
a. Make the appropriate corrections in the tenant data worksheet.
b. Export the worksheet to an XML file, using the procedure in 1.1.6 Exporting the
Data, and copy it to the following directory on the jump box management VM:
\Unisys\SPC-Automation\XML
c. Perform the procedure in 6.1 Updating Cloud Provider or Adding Tenant
Information in the Secure Private Cloud Environment, running the Populator
updateTenant effector.
3. Click Log Off, and then close the browser window.
Additional Networking Configuration
3850 6804–007 8–27

Additional Networking Configuration
8.5.9. Checkpoint
To verify that the new IP address for the Intercom Network is working properly,
commission a virtual machine using the Secure Private Cloud portal.
8–28 3850 6804–007

Section 9
Changing Credentials and Performing
Final Installation Tasks
Credentials include the user name and password that enable you to log on to the product
user interfaces. Initially, each product uses default credentials. The procedures in this
section instruct you to change the credentials appropriately. The final checkpoint verifies
that you can commission resources using the updated credentials. If the Virtual Office as a
Service solution is included in your environment, you are also directed to install and
configure it at the end of this section.
9.1. Recording Updated Credentials
Credentials are the user name and password that enable you to log on to a product. For
some products, you can change both the user name and password, but for others
products, you can change only the password.
It is strongly recommended that you change all credentials from the default values, using
the procedures in this topic. Record the changed values in Table 2–1 and in the Excel
workbook.
9.2. Prerequisites to Changing Credentials
Before you begin to change credentials, do the following:
1. Verify that no commissioning requests are in progress by responding to all outstanding
approval requests and waiting for all in-progress commissioning requests to be
completed. See 10.6 Responding to Requests Using the Operator Prompts Page for
more information.
2. Take a snapshot of each management VM. (You can delete these snapshots after you
confirm the final checkpoint in this section.) Do the following:
a. Open a console to the jump box management VM.
b. Open a PowerShell command window from the jump box management VM, and
enter the following command to automatically take a snapshot of all management
VMs (except the jump box management VM):
.\Checkpoint-Snapshots.ps1
–Name “”
–Description “”
3850 6804–007 9–1

Changing Credentials and Performing Final Installation Tasks
Notes:
• Quotation marks are required around and .
• The is optional.
If the script encounters a duplicate snapshot name for a management VM, it
prompts you to do one of the following:
• Enter a new value for , where the quotation marks are
not required.
• Enter C to continue, using the same name for the new snapshot.
• Enter Q to quit taking snapshots and exit the script.
• Press the Enter key to skip taking a snapshot for the VM.
If the script displays the error message “a general system error occurred” or
“VMware Tools is not running,” ensure that VMware Tools or the services for
VMware Tools is running on each management VM (which can take a few minutes
after a management VM is powered on), and then execute the script again.
c. After the script completes, shut down the jump box management VM, manually
take a snapshot, and then power it back on.
3. Update the Secure Private Cloud portal settings and prevent users from signing into
the portal as follows:
a. From a workstation on the Public Network, sign in to the Secure Private Cloud
portal using the URL in Table 2–2 and the Liferay administrator credentials in
Table 2–1.
b. From the Manage list (at the left of the top pane), click Control Panel.
c. Click Portal Settings under Portal in the left pane, and then click
Authentication in the right pane.
d. Click LDAP, and then click the Edit icon next to the LDAP server.
e. Change the value in the Principal box to an invalid name, and then click Save.
This disconnects the Secure Private Cloud portal communication with Active
Directory server.
f. From the Secure Private Cloud portal management VM, access Services, and then
restart the Unisys Secure Private Cloud Portal service.
Any users currently signed in to the Secure Private Cloud portal are disconnected.
9.3. Procedures for Changing Credentials
The following topics describe the procedures to change the credentials in Table 2–1.
Before changing any credentials, be sure to complete the prerequisites described in
9.2 Prerequisites to Changing Credentials.
9–2 3850 6804–007

Note: During the implementation of the Secure Private Cloud environment, you are
required to create new domain accounts (for example, for the uChargeback administrator)
or use existing domain accounts (for example, for the Active Directory management VM).
These credentials are not listed in Table 2–1, because there are no default values, but they
are listed in the cloud provider workbook tables. Unless specifically stated in this topic, you
can update these values using the standard domain credential management process for
your environment.
9.3.1. VMware ESXi Management Interface
To change credentials for the root user, do the following:
1. Open a vSphere Client to the management server.
2. Select the management server node in the left pane and select the Local Users and
Groups tab.
3. Right-click the root user and click Edit to edit the user properties.
4. Update the password.
5. Close the vSphere Client.
CHECKPOINT:
Open a new vSphere Client connection and verify that you can connect to the
management server using the updated credentials.
9.3.2. uAdapt Controller Management VM
To change credentials for the root user, do the following:
1. Open a console to the uAdapt Controller management VM, and log on using the
current root credentials.
2. Change the root password using the passwd command.
3. Log off.
Changing Credentials and Performing Final Installation Tasks
4. Log on using the updated credentials.
9.3.3. Windows Management VMs Administrator Accounts
Note: Depending on your environment, not all of the following management VMs could
be in use.
It is recommended that all the Windows based management VMs have the same
Windows administrator credentials. Change them in the following order, using the
procedures that follow:
1. Secure Private Cloud portal management VM
2. Cloud Orchestrator management VM
3. uChargeback management VM
3850 6804–007 9–3

Changing Credentials and Performing Final Installation Tasks
4. SQL Server management VM
5. vCenter server management VM
6. WSUS management VM
7. Jump box management VM
8. Stealth Licensing management VM
To change credentials for the local administrator user, do the following:
1. Open a console to the next management VM in the previous list, log on using local
administrator credentials, and complete the rest of this procedure before opening
another console.
2. To rename the local administrator, do the following:
a. Open Server Manager, expand Configuration, expand Local Users and
Groups, and then click Users.
b. Locate the default administrator user and rename it.
Caution
Do not use the Server Manager interface to change the password, because an
irreversible loss of information can occur.
c. Log off.
d. Log on using the new local administrator name.
3. To change the Windows administrator password, do the following:
a. Send a Ctl-Alt-Del to the management VM console, and then click Change a
Password.
b. Ensure that the username box contains the local administrator user name.
c. Enter the old and new passwords in the boxes, and then press Enter.
d. Log off.
e. Log on using the updated administrator credentials.
4. Repeat this procedure for each management VM that you are modifying. Refer to the
previous list for the recommended order.
9.3.4. uAdapt Console
To change credentials for the uAdapt Console admin user, do the following:
1. Connect to the uAdapt Console using the URL in Table 2–2 and log on.
2. Select Accounts on the View menu.
9–4 3850 6804–007

3. Select Admin in the Assigned Users list.
4. Change the password in the right pane, and click the floppy disk icon to save the new
password.
5. Log out.
CHECKPOINT:
Changing Credentials and Performing Final Installation Tasks
Log on to the uAdapt Console using the updated credentials.
6. Open a console to the uChargeback management VM, and log on using domain
credentials with administrator privileges, as shown in Table 1–10.
a. Launch the uChargeback Administrator.
b. On the Tools menu, point to Options, click Security, and then click Next to go
to the second page.
The Security Configuration Options dialog box appears.
3850 6804–007 9–5

Changing Credentials and Performing Final Installation Tasks
7. If you changed the uAdapt Console Admin credentials, do the following:
a. For the uAdapt Controller, update the values in the URL, Account and two
Password boxes.
b. Click Finish.
CHECKPOINT:
On the uChargeback management VM console, do the following:
1. Launch the uChargeback Administrator.
2. On the Tools menu, point to Monitor, and click Restart Monitor.
3. On the Tools menu, point to Monitor, and click View Monitor Log.
9–6 3850 6804–007

4. A success message is logged for uAdapt, which is similar to the following example:
Discovering uAdapt inventory at http://xxx.xxx.xxx.xxx.
Controller version=3.2.x.xxxxx
Note: An error message might be logged during the time when the credentials are
changed on the uChargeback management VM, and the uChargeback Administration
Service Account credentials are not yet updated to match. Refer to
9.3.13 uChargeback Services Domain Account for information on changing the
uChargeback Administration Service Account credentials.
9.3.5. SQL Server Database Administrator
To change credentials for the SQL Server database administrator sa user, do the following:
1. Open a console to the SQL Server management VM, and log on as the local
administrator user.
2. Start the SQL Server Management Studio and connect using Windows
Authentication.
3. Expand the Security and then the Logins folders in the Object Explorer pane, rightclick
sa, and click Properties.
4. Update the values in the Password and Confirm password boxes, and click OK.
5. Reboot the server to break any existing connections to the databases.
CHECKPOINT:
From the SQL Server management VM console, do the following:
1. Start SQL Server Management Studio.
2. Select the SQL Server Authentication authentication option.
3. Log on using the updated credentials.
9.3.6. RBADB Database Passwords
You can change the RBADB database passwords for the following accounts:
• ODSUI, which is the account that enables the RBADB Administrative interface to
access the RBADB database
• ODSRun, which is the account that enables the Cloud Orchestrator management VM
to access the RBADB database
Perform the following procedures to change the passwords for these accounts.
ODSUI RBADB Database Account
Changing Credentials and Performing Final Installation Tasks
To change credentials for the RBADB database ODSUI account, do the following:
1. Perform the procedure in 9.3.5 SQL Server Database Administrator for the ODSUI
account (rather than for the sa account).
3850 6804–007 9–7

Changing Credentials and Performing Final Installation Tasks
2. Open a console to the uChargeback management VM console, and log on as the local
administrator user.
3. Using a text editor, such as Notepad, open the following file:
C:\Program Files (x86)\Apache Software Foundation\Tomcat
6.0\conf\Catalina\localhost\RBADB.xml
4. Update the password in the RBADB.xml file to match the password that you updated
on the SQL Server management VM for the ODSUI account.
5. Save and close the file.
6. Restart the Apache Tomcat 6 service.
ODSRun RBADB Database Account
To change credentials for the RBADB database ODSRun account, do the following:
1. Perform the procedure in 9.3.5 SQL Server Database Administrator for the ODSRun
account (rather than for the sa account).
2. Open a console to the Cloud Orchestrator management VM, and log on as the local
administrator user.
3. Using a text editor, such as Notepad, open the following file:
C:\Unisys\UCO\conf\ODSAdapter.properties
4. Update the password in the ODSAdapter.properties file to match the password that
you updated on the SQL Server management VM for the ODSRun account.
5. Save and close the file.
6. Restart the Unisys Secure Private Cloud UCO service.
Caution
Before restarting this service, ensure that no commissioning requests are in
progress by responding to all outstanding approval requests and waiting for all
in-progress commissioning requests to be completed.
9.3.7. vCenter Database Administrator
Note: Only perform this procedure if you are using the vCenter Server supplied by
Unisys.
9–8 3850 6804–007

To change credentials for the vCenter database administrator vpxuser, do the following:
1. From a configuration workstation, do the following:
a. Launch vSphere Client to the vCenter server.
b. Click vCenter Server Settings on the Administration menu.
c. Select Advanced Settings in the left pane.
d. Update the values in the VirtualCenter.DBPassword box, and click OK.
e. Exit the vSphere Client.
2. Log on to the SQL Server management VM console as the local administrator user.
3. Start the SQL Server Management Studio and connect using Windows
Authentication.
4. Expand the Security and then the Logins folders in the Object Explorer pane, rightclick
vpxuser, and click Properties.
5. Update the values in the Password and Confirm password boxes to match the
value you entered for VirtualCenter.DBPassword, and click OK.
6. Open the vCenter server VM console, and restart the VMware VirtualCenter Server
service.
CHECKPOINT:
Changing Credentials and Performing Final Installation Tasks
From a configuration workstation
1. Launch vSphere Client and verify that you can connect to the vCenter server.
2. Using the Inventory view, make sure that the expected inventory of workload servers
and virtual machines is displayed.
9.3.8. Cloud Orchestrator Database Administrator
To change credentials for the Cloud Orchestrator database administrator,
lifecycle-dbadmin, do the following.
Note: Do not change the lifecycle-dbadmin user name.
1. Open a console to the Cloud Orchestrator management VM, and log on as the local
administrator user.
2. Stop the Unisys Secure Private Cloud UCO (Unisys Cloud Orchestrator) service.
3. Open a console to the SQL Server management VM, and log on as the local
administrator user.
4. Start SQL Server Management Studio, and connect using Windows authentication.
5. Expand the Security folder and then expand the Logins folders in the Object
Explorer pane.
6. Right-click lifecycle-dbadmin, and click Properties.
7. Update the values in the Password and Confirm password boxes, and then click
OK.
3850 6804–007 9–9

Changing Credentials and Performing Final Installation Tasks
8. In Windows Explorer, navigate to the C:\ProgramData\Unisys\ConfigSQL folder and
locate the LifecycleDbChangePw.bat file.
9. Edit the LifecycleDbChangePw.bat file to replace the current password with the new
password.
10. Run the LifecycleDbChangePw.bat file.
11. Enter Y when you receive a warning about replacing the existing task.
The script adds a task with the new database password and replaces the existing task
with the old password.
12. Log on to the Cloud Orchestrator management VM console as the local administrator
user.
13. Navigate to the C:\Unisys\UCO\conf folder, and edit the hibernate-mssql.cfg.xml
file.
14. Edit the line to replace the existing password with the new password.
15. Save and close the file.
16. Start the Unisys Secure Private Cloud UCO (Unisys Cloud Orchestrator) service, and
then verify that the service starts running and remains running.
9.3.9. Secure Private Cloud Portal Database Administrator
To change credentials for the Secure Private Cloud portal database administrator,
Portal-dbadmin, do the following.
Note: Do not change the Portal-dbadmin user name.
1. Open a console to the Secure Private Cloud portal management VM, and log on as the
local administrator user.
2. Stop the Unisys Secure Private Cloud portal service.
3. Open a console to the SQL Server management VM, and log on as the local
administrator user.
4. Start SQL Server Management Studio, and connect using Windows authentication.
5. Expand the Security folder and then expand the Logins folders in the Object
Explorer pane.
6. Right-click Portal-dbadmin, and click Properties.
7. Update the values in the Password and Confirm password boxes, and then click
OK.
8. Return to the console for the Secure Private Cloud Portal management VM.
9. Navigate to the C:\Unisys\liferay-portal-6.0.6\tomcat-
6.0.29\webapps\ROOT\WEB-INF\classes folder and edit the portalext.properties
file.
10. Edit the line ″jdbc.default.password=″ to replace the existing
password with the new password.
9–10 3850 6804–007

11. Save and close the file.
12. Start the Unisys Secure Private Cloud portal service.
9.3.10. Tomcat Manager
To change credentials for the Tomcat manager admin user, do the following:
1. Open a console to the uChargeback management VM, and log on as a local
administrator.
2. Using a text editor, such as Wordpad, open the following file.
Note: The Wordpad text editor maintains the formatting in the file, which makes the
file easier to update.
C:\Program Files (x86)\Apache Software Foundation\Tomcat 6.0\conf\tomcatusers.xml
3. Update the user name and password.
4. Save and close the file.
5. Restart the Apache Tomcat 6 service.
CHECKPOINT:
From the uChargeback management VM console, do the following:
1. Access https://localhost:8443 using a Web browser, and click Continue.
Note: If you get a certificate warning, dismiss it; it is not a problem.
2. Verify that you can access the Tomcat Manager using the updated credentials.
9.3.11. RBADB Administrator Interface
Note: To change credentials for the RBADB database, see 9.3.6 RBADB Database
Passwords.
To change credentials for the RBADB admin user on the RBADB administrator interface,
do the following:
1. From the jump box management VM, access RBADB using a browser and the URL in
Table 2–2, and log on as the admin user.
2. Select Site Users in the left pane, and click the Admin Admin user.
3. Click Reset Password in the upper right corner.
4. Enter the new password in both boxes (to enter and confirm the new password), and
then click Submit.
5. Close the browser to RBADB.
CHECKPOINT:
Changing Credentials and Performing Final Installation Tasks
Open a browser to RBADB using the updated credentials.
3850 6804–007 9–11

Changing Credentials and Performing Final Installation Tasks
9.3.12. Unisys-Supplied Domain Controllers
If you configured the optional, Unisys-supplied Domain Controllers, change the Windows
administrator credentials.
Note: It is recommended that all Windows based management VMs have the same
Windows administrator credentials. Therefore, you should change the administrator
credentials to match those you configured in 9.3.3 Windows Management VMs
Administrator Accounts.
You can also add other administrator and non-administrator users to the domain, but it is
not necessary.
When you perform this procedure on one Domain Controller, the change is automatically
made to the other Domain Controller.
To change the credentials of the Unisys-supplied management-side Domain Controllers,
do the following:
1. Open a console to the primary Domain Controller (SPC-AD1) and log on using the
Windows credentials in Table 2–1.
2. To rename the administrator, do the following:
a. Access Active Directory Users and Computers, and select Users in the
left pane.
b. Right-click the default administrator user, and then click Rename.
c. Type the new administrator name, and then press Enter.
d. Click Yes when you receive a warning that you should log out and log in using the
new user name.
e. In the Rename User dialog box, in the User logon name box, enter the new
name for the user. This should be the same name that you specified previously
when you renamed the user.
f. Select the appropriate domain in the Domain list.
g. Click OK.
h. Log off.
i. Log on using the new administrator name.
3. To change the Windows administrator password, do the following:
a. Send a Ctl-Alt-Del to the Domain Controller console, and then click Change a
Password.
b. Ensure that the username box contains the updated administrator user name.
c. Enter the old and new passwords in the boxes, and then press Enter.
CHECKPOINT:
Log off the Domain Controller and log back in as the domain administrator user using the
new credentials.
9–12 3850 6804–007

Changing Credentials and Performing Final Installation Tasks
When you have verified the new credentials, close the console to the Domain Controller
management VM.
9.3.13. uChargeback Services Domain Account
Caution
Do not perform this procedure if you will be commissioning physical servers. If
you will be commissioning physical servers, leave the Services Domain
Account as it was configured previously.
To change credentials for the uChargeback Services domain account, do the following:
1. Open a console to the uChargeback management VM, and log on using uChargeback
administrator credentials in Table 1–10.
2. Run the uChargeback Administrator
3. On the Tools menu, point to Options, and click Security.
4. Make note of the Account in the Service Account section; leave the dialog box
open.
5. Send a Ctl-Alt-Del to the virtual machine console, and click Change a Password
(for the server).
The Change Password dialog box opens.
6. Change the user name to the account from the Service Account section that you
noted previously. Refer to the values in Table 1–10.
7. Enter the old and new passwords in the boxes, and press Enter.
The Change Password dialog box closes.
8. In the Service Account section, update the two password values to match the new
passwords for the Service account.
3850 6804–007 9–13

Changing Credentials and Performing Final Installation Tasks
9. Click Finish.
The Unisys DWP Monitor Service and Unisys DWP Sdk Host services are restarted.
10. Open a console to the Cloud Orchestrator management VM, and log on using
administrator credentials.
11. Edit the following file:
C:\Program Files (x86)\Apache Software Foundation\Tomcat
6.0\webapps\platform\WEB-INF\classes\platformapi-config.properties.
12. Update the value for provider.metric.pass to match the password value for the
uChargeback service in Table 1–10.
13. Restart the Apache Tomcat 6 service.
9–14 3850 6804–007

CHECKPOINT:
Check that the following services are started on the uChargeback management VM:
• Unisys DWP Monitor Service
• Unisys DWP Sdk Host
9.3.14. Secure Private Cloud Liferay Administrator
To change the password for a Secure Private Cloud Liferay administrator, do the following.
Note: All cloud and tenant user credentials should be configured using Active Directory.
Use the standard Active Directory method to change those credentials as needed.
1. From a workstation on the Public Network, sign in to the Secure Private Cloud portal
using the URL in Table 2–2 and the Liferay administrator credentials in Table 2–1.
2. Click the Welcome tab, and then click the name of the Liferay administrator.
Note: If you are prompted to do so, reenter your credentials.
The My Account page appears.
3. On the Details page, update the Email Address and any other Name properties, if
required, and then click Save.
4. Click Password under User Information in the right pane.
5. On the Password page, type the current password, type the new password, and then
enter the new password again.
6. Click Save.
7. Sign out, and close the browser window.
CHECKPOINT:
On the Secure Private Cloud portal
1. Sign in using the updated credentials.
2. Verify that you can access the Control Panel from the Manage list at the left of the
top pane.
9.3.15. Virtual Management Network Appliance Administrator
If you are using VLANs to isolate tenant networks, and if you are using a virtual
Management Network Appliance to connect the management server or servers to the
Management Access Network, do the following to change the credentials for the
administrator account that can configure the virtual Management Network Appliance:
1. Open a console to the Management Network Appliance management VM, and log on
using the default administrator credentials.
2. Enter the following commands:
configure
Changing Credentials and Performing Final Installation Tasks
3850 6804–007 9–15

Changing Credentials and Performing Final Installation Tasks
set system login user vyatta authentication
plaintext-password
commit
save
3. Log off using the logout command.
CHECKPOINT:
Log on using the updated credentials.
9.3.16. Tenant VLAN Network Appliance Administrator
If you are using VLANs to isolate tenant networks, then the administrator password was
updated automatically when you ran the Config-TenantApp.sh script, as described in
5.3.1 Deploying a New Tenant VLAN Network Appliance and VLAN. The script updated the
password to the value in Table 1–25.
If you want to change the password again, do the following:
1. Open a console to the tenant VLAN network appliance, and log on using the current
administrator credentials.
2. Enter the following commands:
configure
set system login user vyatta authentication
plaintext-password
commit
save
3. Log off using the logout command.
CHECKPOINT:
Log on using the updated credentials.
9.3.17. uChargeback vCenter User
To configure the uChargeback vCenter User, do the following:
1. If you are using the vCenter Server supplied by Unisys, change the credentials for the
uChargeback vCenter User, as follows.
Note: If you are using an existing vCenter Server in your environment, use your own
procedures for changing the credentials.
9–16 3850 6804–007

a. Open a console to the vCenter Server management VM, and log on using the local
Windows administrator user credentials.
b. Open the Server Manager, expand Configuration, expand Local Users and
Groups, and then click Users.
c. Locate the uChargeback vCenter User and rename it.
d. Send a Ctl-Atl-Del command to the console.
e. Click Change a password.
f. Set the user to be the uChargeback vCenter User.
g. Enter the previous password and new password in the boxes, and then press
Enter.
h. Close any vSphere Client sessions connected to vCenter Server, and then restart
the VMware VirtualCenter Server service.
2. If you renamed the uChargeback vCenter User, assign the new user name to the
Read-Only role in vCenter Server, as follows:
a. Using vSphere Client, connect to vCenter Server using the vCenter administrator
user credentials.
b. Select the Hosts & Clusters inventory view.
c. Right-click the workload datacenter in the left pane and click Add Permission.
The Assign Permissions dialog box appears.
d. Click Add under Users and Groups.
The Select Users and Groups dialog box appears.
e. Leave the default value, (server), in the Domain box.
f. Enter the new uChargeback vCenter User in the Users box.
g. Click Check Names to verify that the user name is correct.
If the user is not correct, an Incorrect username error message is displayed.
h. Click OK.
The Select Users and Groups dialog box closes.
i. Select Read-only from the Assigned Role list.
j. Click OK.
Changing Credentials and Performing Final Installation Tasks
The Assign Permissions dialog box closes.
3. Open a console to the uChargeback management VM, and log on using a
uChargeback administrator account from Table 1–10.
4. Run the uChargeback Administrator.
5. Point to Options on the Tools menu, click Security, and then click Next to go to
the second page.
The Security Configuration Options dialog box appears.
3850 6804–007 9–17

Changing Credentials and Performing Final Installation Tasks
6. In the Virtual Center section, update the values in the Account and two
Password boxes.
7. Click Finish.
CHECKPOINT:
On the uChargeback Administrator, do the following:
1. Point to Monitor on the Tools menu, and click Restart Monitor.
2. Point to Monitor on the Tools menu, and click View Monitor Log.
Verify that the vCenter inventory was successfully discovered.
9.3.18. Cloud Orchestrator vCenter User
To configure the Cloud Orchestrator vCenter User, do the following:
1. If you are using the vCenter Server supplied by Unisys, change the credentials for the
Cloud Orchestrator vCenter User, as follows.
Note: If you are using an existing vCenter Server in your environment, use your own
procedures for changing the credentials.
a. Open a console to the vCenter Server management VM, and log on using the local
Windows administrator user credentials.
b. Open the Server Manager, expand Configuration, expand Local Users and
Groups, and then click Users.
c. Locate the Cloud Orchestrator vCenter User and rename it.
d. Send a Ctl-Atl-Del command to the console.
e. Click Change a password.
f. Set the user to be the Cloud Orchestrator vCenter User.
g. Enter the previous password and new password in the boxes, and then press
Enter.
h. Close any vSphere Client sessions connected to vCenter Server, and then restart
the VMware VirtualCenter Server service.
2. If you renamed the Cloud Orchestrator vCenter user, assign the user to the vCenter
Cloud Orchestrator role, as follows:
a. Launch the vSphere Client and connect to the vCenter server, using administrator
credentials.
b. Select the Hosts & Clusters inventory view.
c. Right-click the workload datacenter and click Add Permission.
The Assign Permissions dialog box appears.
d. Click Add under Users and Groups to add the Cloud Orchestrator user for this
role.
The Select Users and Groups dialog box is displayed.
9–18 3850 6804–007

Changing Credentials and Performing Final Installation Tasks
e. Leave the default value, (server), in the Domain box.
f. Select the vCenter Cloud Orchestrator user, click Add, and then click OK.
g. Select the Cloud Orchestrator user role in the Assigned Role list.
h. Click OK to close the dialog box.
3. Log on to the Cloud Orchestrator management VM console using administrator
credentials, and do the following:
a. Stop the Unisys Secure Private Cloud UCO (Unisys Cloud Orchestrator) service.
b. In Wordpad, open the following file:
C:\Unisys\UCO\mlets\serviceInstance.mlet
Note: The Wordpad editor maintains formatting in the file, which makes it easier
to update.
c. Update the user and password parameter values with the new Cloud Orchestrator
vCenter user credential values. These values appear in the following lines in this
file:

Changing Credentials and Performing Final Installation Tasks
4. Update the values in the Password and Confirm password boxes, and then click
OK.
5. Log on to the WSUS management VM console as the local administrator user.
Note: The following steps use the VMware Update Manager Utility to change
vumuser credentials that the VMware Update Manager uses. For additional
documentation on the Update Manager Utility, refer to the VMware Web site and
perform a documentation search on “Update Manager Utility.”
6. Navigate to the Update Manager installation directory:
C:\Program Files (x86)\VMware\Infrastructure\Update Manager
7. Double-click VMwareUpdateManagerUtility.exe.
8. Enter the vCenter Administrator credentials in the User Name and Password
boxes.
9. Click Login.
10. Click Database Settings in the Options pane of the Update Manager Utility.
11. In the Configurations pane, enter vumuser in the User Name box, if it does not
already exist in the box.
12. Enter the same vumuser password in the Password and Confirm Password
boxes that was entered in step 4.
13. Click Apply.
14. Restart the VMware vCenter Update Manager Service.
CHECKPOINT:
From a configuration workstation, do the following:
1. Launch vSphere Client, and open the vCenter management VM console using
administrator credentials.
2. Run the VMware vSphere Client.
3. Select Manage Plug-ins from the Plug-ins menu, right-click VMware vCenter
Update Manager Extension, and then click Enable.
4. Verify that the plug in is successfully enabled.
5. Close the dialog box and exit vSphere.
9.3.20. HAProxy Load Balancer for Web Applications
If you are using the HAproxy load balancer for Web applications, which is an optional
component included with the Secure Private Cloud, do the following to change the
password for the spcadmin and root users:
1. Select System, point to Administration, and then click Users and Groups.
2. In the Users Settings dialog box, select the appropriate user and click the
Properties button.
9–20 3850 6804–007

3. Select Set password by hand, and enter the new password for the user in the
User password and Confirmation boxes.
4. Click OK.
Changing Credentials and Performing Final Installation Tasks
9.3.21. Stealth Infrastructure VMs, Administration Application,
and Dynamic Licensing Web Interface
Note: If Stealth for Secure Private Cloud is not included in your environment, skip the
following procedures.
Perform the procedures in this topic to change the credentials for the tenant Stealth
Infrastructure VMs, for the Administration Application (which runs on the Stealth
Configuration Machine infrastructure VM for each tenant), or to change the credentials for
the Dynamic Licensing Web Interface (which runs on the Stealth Licensing management
VM for the cloud environment as a whole).
If you want to change the credentials for the Stealth Licensing management VM, perform
the procedure in 9.3.3 Windows Management VMs Administrator Accounts.
Stealth Configuration Machine, Stealth Transfer Machine, Stealth
Proxy Server, and Stealth Relay Server Infrastructure VMs
If Stealth for Secure Private Cloud is included in your environment, five Stealth
infrastructure VMs are created for each Stealth-enabled VLAN.
To change the credentials for the Stealth Configuration Machine, Stealth Transfer Machine,
Stealth Proxy Server, and Stealth Relay Server infrastructure VMs, do the following. (You
can change the password for one or all of the infrastructure VMs.)
Note: To change the password for the Virtual Stealth Gateway infrastructure VM,
perform the procedure in Virtual Stealth Gateway Infrastructure VM.
1. Open a console to the first infrastructure VM whose credentials you want to change,
and log on as the local administrator user specified in Table 1–31.
2. To rename the local administrator user, do the following:
a. Open Server Manager, expand Configuration, expand Local Users and
Groups, and then click Users.
b. Locate the local administrator user, right-click the user, and then select Rename.
Note: When you perform this procedure on the Stealth Configuration Machine
infrastructure VM, you see an Administrator user named FDAdmin. Do not
change the user name for the FDAdmin user.
c. Rename the local administrator user.
d. Close Server Manager.
Note: Do not use Server Manager to change the local administrator password,
because an irreversible loss of information can occur.
3850 6804–007 9–21

Changing Credentials and Performing Final Installation Tasks
e. Log off.
3. To change the local administrator password, do the following:
a. Log on using the local administrator user name.
b. Send a Ctl-Alt-Del command to the infrastructure VM console, and then click
Change a Password.
c. Ensure that the username box contains the local administrator user name.
d. Enter the old and new passwords in the boxes, and then press Enter.
e. Log off.
f. Log on using the updated administrator credentials.
Note: When you perform this procedure on the Stealth Configuration Machine
infrastructure VM, you can perform this step twice: once for the local administrator
user whose user name you changed and once for the FDAdmin user. The local
administrator user and the FDAdmin user share the same initial password that you
entered in Table 1–31. (The new passwords you assign for the local administrator user
and for the FDAdmin user can be different values. If you change only the local
administrator user password, be sure to make a note of the original password so that
you can later log in as the FDAdmin user, if required.)
4. Repeat this procedure for each Stealth infrastructure VM that you are modifying.
5. Update Table 1–31 in the tenant worksheet to include the new credentials you
entered for each infrastructure VM.
6. If you changed the user name or password for the Stealth Transfer Machine
infrastructure VM, you must also run the updateTenant effector. Perform the
procedure in 6.1 Updating Cloud Provider or Adding Tenant Information in the Secure
Private Cloud Environment, and run the updateTenant effector for the tenant whose
Stealth infrastructure VMs were updated.
Virtual Stealth Gateway Infrastructure VM
To change the password for the Virtual Stealth Gateway infrastructure VM, do the
following.
Note: You cannot change the user name for the Virtual Stealth Gateway infrastructure
VM.
1. Open a console to the Stealth Configuration Machine infrastructure VM (which is
associated with the Virtual Stealth Gateway infrastructure VM whose password you
want to change).
Log in using the FDAdmin user name and password. (The local administrator user and
the FDAdmin user share the same initial password that you entered in Table 1–31.)
2. Open a command prompt.
3. Change the directory to C:\Stealth Files\Software.
4. Enter the following command:
changeVSGpassword.bat
9–22 3850 6804–007

You see a dialog box that prompts you to enter and confirm the new password.
5. Enter and confirm the new password for the Virtual Stealth Gateway infrastructure
VM.
You see a message that states that the password was changed.
6. Close the command prompt.
Dynamic Licensing Web Interface
Note: For more information on accessing the Dynamic Licensing Web Interface and the
Stealth licensing settings you can view and change, see 10.18.4 Viewing and Configuring
Stealth Licensing Options.
To change the password for the Stealth Dynamic Licensing Web Interface, you must
update the password on both the Cloud Orchestrator management VM and the Stealth
Licensing management VM. Do the following:
1. Open a console to the Cloud Orchestrator management VM, and log on using the
current administrator credentials.
2. Edit the following file in Notepad:
C:\Program Files (x86)\Apache Software Foundation\Tomcat
6.0\webapps\platform\WEB-INF\classes\platformapi-config.properties
3. Locate the line that reads:
Changing Credentials and Performing Final Installation Tasks
Cloud.PlatformAPI.provider.license.password=
The default password is U*spc2341.
4. Update the password to a new value.
5. Save and close the platformapi-config.properties file.
6. Access Services, and restart the Apache Tomcat 6.0 Service.
7. Close the console to the Cloud Orchestrator management VM.
8. Open a console to the Stealth Licensing management VM, and log on using the
current administrator credentials.
9. Open a command prompt using the Run as administrator option.
10. Change the directory to C:\Program Files\Unisys\Stealth Solution for LAN.
11. Enter the following command to change the password to match the value you entered
on the Cloud Orchestrator management VM:
dynamiclicensing.exe /set WebPassword
Note: If the password contains spaces, enclose it in quotation marks.
12. Close the command prompt.
13. Close the console to the Stealth Licensing management VM.
3850 6804–007 9–23

Changing Credentials and Performing Final Installation Tasks
9.4. Restoring Users’ Connection to the Portal After
Credentials Have Been Changed
Before you began to change credentials, you were advised to update the Secure Private
Cloud portal settings to prevent users from signing into the portal. Do the following to
reverse this procedure and enable users to sign into the portal:
1. From a workstation on the Public Network, sign in to the Secure Private Cloud portal
using the URL in Table 2–2 and your Liferay administrator credentials.
2. From the Manage list (at the left of the top pane), click Control Panel.
3. Click Portal Settings under Portal in the left pane, and then click
Authentication in the right pane.
4. Click LDAP, and then click the Edit icon next to the LDAP server.
5. Change the value in the Principal box to the user name that the portal uses to
authenticate with LDAP. This value is the same as the Principal (User) value from
Table 1–6.
6. Test the connection, and then click Save.
This enables the Secure Private Cloud portal communication with Active Directory
server.
9.5. Performing a Final Commissioning Checkpoint
As a final checkpoint when you are finished changing credentials for all management VMs,
do the following:
1. From a workstation on the Public Network, sign in to the Secure Private Cloud portal
using the URL in Table 2–2 and credentials that enable you to commission virtual
machines.
2. Verify that you can successfully commission a machine by repeating the procedure in
7.5 Checkpoint: Commissioning a Resource .
9.6. Installing Virtual Office as a Service
If the Virtual Office as a Service (VOaaS) is included in the environment, refer to the Secure
Virtual Office as a Service Implementation and Best Practices Guide (3843 4536) for
information on installing the Virtual Office servers, completing networking for these
servers, creating virtual desktop gold images, and configuring new tenants in the
database.
9–24 3850 6804–007

Section 10
Cloud Portal Operations
This section describes the tasks performed by administrators and operators to support the
cloud environment.
10.1. Understanding How Requests are Processed
During the configuration process, the Unisys service consultant sets up one or more of the
following methods for user requests to be passed to administrators and operators:
• Through e-mail
• Through your Remedy ITSM ticketing system
If your environment already includes BMC Remedy IT Service Management (ITSM)
software suite version 7, the Unisys service consultant can configure tickets to be
generated through the existing ticketing system.
• Through the Unisys Remedy ITSM ticketing system
If you choose, the Unisys service consultant can configure the tickets to be handled by
an off-site Unisys Remedy ITSM ticketing system.
You receive notifications when action is required. If Remedy ITSM is configured in your
environment, a Remedy ticket is generated to deliver this request. If Remedy ITSM is not
configured, or if both Remedy ITSM and e-mail are configured, you receive an e-mail
message.
Users also receive notifications based on how the environment is configured.
10.2. Responding to Virtual Machine Requests
Users request new virtual machines, request that virtual machines be started or stopped,
and request that virtual machines be decommissioned (deleted) using the Secure Private
Cloud portal. These tasks are performed, for the most part, automatically by the Secure
Private Cloud portal, and little manual action is required by administrators or operators. You
receive notifications of new requests and when new virtual machine are commissioned.
Note: Virtual machines must always be decommissioned using the Secure Private Cloud
portal. Do not delete virtual machines directly from VMware vCenter.
3850 6804–007 10–1

Cloud Portal Operations
If your version of Remedy ITSM is provided by Unisys and located at a Unisys datacenter,
or if you are using e-mail to handle Secure Private Cloud requests, no action is required.
Only if your environment uses Remedy ITSM (a version provided by your organization),
you must update the Remedy ticket status field manually as the request is processed.
(The ticket status is set as “Draft” and does not change automatically.)
Your site administrator determines whether users can request additional operator actions
when commissioning virtual machines. These additional actions are not part of the normal,
automatic, commissioning process, such as the following:
• Adding an additional virtual hard drive of a specific size
• Adding additional memory
• Adding an additional virtual NIC
• Installing specified software
If the user requested additional actions for the virtual machine, you are notified of the
actions and their requested values through your normal method of notification. You receive
only the user-requested additional actions and values if the person who created the
blueprint enabled users to request additional operator actions.
You must examine each request and decide whether it was filled automatically or whether
you need to perform a manual action to fill the request. When you finish satisfying all
additional requests for a virtual machine, you
1. From a workstation on the Public Network, sign in to the Secure Private Cloud portal
using the URL in Table 2–2 and your cloud administrator credentials.
2. Click the Administration tab.
You see the Operator Prompts in the right pane.
3. Select the waiting requests for which you completed additional actions, and approve
them.
4. Notify the user that the requested virtual machine is ready, using your normal
procedure.
The site administrator should provide operator training for the following:
• The types of additional operator actions that users can request and valid values for
each actions
• The wording of administrator-defined properties that identify the additional operator
actions that users can request
• The value of any filters that apply to blueprints and how they affect the possible
operator actions
• How to perform the manual action for each request
10–2 3850 6804–007

10.3. Managing Expired Virtual Machines
When a virtual machine lease expires, the virtual machine is stopped, and it appears as
Expired on the Resource Overview page of the Secure Private Cloud portal. To access
this page, click Commission and Manage, and then click Manage Resources.
From this page, you can change the lease, detach, or decommission (delete) an expired
virtual machine. To filter the list of all virtual machines and display only those that have
expired, select Lease from the Filter list, select Expired from the secondary list, and
then click Go.
10.4. Responding to Physical Server Requests
Users request that new physical servers be commissioned using the Secure Private Cloud
portal. Users request that physical servers be started, stopped, or decommissioned
(deleted) through another method; the Unisys service consultant helps determine the
method used to communicate these issues to administrators and operators.
All physical server tasks require manual action by an administrator or operator. Refer to the
following topics for more information on handling physical server requests.
10.4.1. Commissioning New Physical Servers
When a user requests that a new physical server be commissioned, you receive a notice
asking you to start one of the uAdapt personas that was created when the account was
configured.
Do the following to start the uAdapt persona:
1. Launch the uAdapt Console.
2. Access the Dashboard view from the View menu.
3. In the left list box, select Server Pools:Personas.
4. Locate the server pool that matches the user request. Typically, the pool name is
comprised of a company name (identified in the request as the ″company″) and the
″blueprint″ name listed in the request. Use the pool that does not end with ″-active.″
5. If a persona is available in the pool, then select a persona from the pool, making a note
of the persona name.
If no persona is available in the pool, then you must either contact your Unisys service
consultant to arrange for an increase in the number of physical servers and personas
available to your users, or you must delete an existing physical server to make those
resources available to another user. See 10.4.3 Decommissioning Physical Servers
(Releasing Physical Server Resources).
6. In top-right list box, select Persona Assignment.
Cloud Portal Operations
7. In the second (lower) list box, select the matching pool name that ends with “-active.”
3850 6804–007 10–3

Cloud Portal Operations
For example, if the initial server pool is named
Widget-W2K3x86MULT-CI-Small-0008-P, select the server pool named Widget-
W2K3x86MULT-CI-Small-0008-P-active.
8. Save the uAdapt configuration.
9. Start the persona by selecting Start Persona on the right menu.
10. Save the uAdapt configuration.
11. After the persona is started, access the Catalog view, and then select Personas on
the top-left list box.
12. Select the persona that was selected in Step 5.
13. Verify that Persona is selected in the top-right list box.
14. Copy the value from the Name field, and then paste it in the Description field. In
the Name field, type the ″physical machine name″ as it is listed in the user request.
15. Save the uAdapt configuration.
16. Ensure that the persona goes into the running state in uAdapt.
17. Log onto the persona using Remote Desktop or the server console.
18. From a command prompt, enter the following command:
ipconfig /all
19. From the output of this command, examine the IP addresses listed for each
connection.
Use this information to determine which connection is attached to the uAdapt Server
Control Network, which connection is attached to the Cloud Management Network,
and which connection (if any) is connected to the Public Network.
Make a list of which connection names (such as Local Area Connection, Local Area
Connection 2, and so forth) are connected to which network.
20. Access Network Connections, as follows:
• For Windows Server 2003, click Start, point to Control Panel, and then click
Network Connections.
• For Window Server 2008, click Start, and then click Control Panel. Doubleclick
Network and Sharing Center, then click Manage network
connections.
21. Configure the network connections so that IPv6 is disabled, and so that only one of the
network connections registers itself.
If the system has a connection to the Public Network, then configure that network
connection to register itself in DNS. Otherwise, configure the network connection for
the Cloud Management Network to register itself in DNS.
Note: Physical server commissioning cannot be finalized if the system registers with
multiple DNS addresses.
To configure each connection, perform the following steps:
a. Double-click the connection in Network Connections.
b. On the Status dialog box, click Properties.
10–4 3850 6804–007

c. On the Properties dialog box, under This connection uses the following
items, select one of the following, depending on your operating system:
• For Windows Server 2008, clear the Internet Protocol Version 6
(TCP/IPv6) check box, select Internet Protocol Version 4 (TCP/IP4),
and then click Properties.
• For Windows Server 2003, select Internet Protocol (TCP/IP), and then
click Properties.
Note: Because IPv6 is not supported by Windows Server 2003, there is no
need to disable IPv6 explicitly.
d. On the Internet Protocol Properties dialog box, click Advanced.
e. On the Advanced TCP/IP Settings dialog box, select the DNS tab.
f. Select the Register this connection’s addresses in DNS check box.
g. Enable or clear the Use this connection’s DNS suffix in DNS
registration check box.
Note: Enable only one connection.
h. Click OK to close the Advanced TCP/IP Settings dialog box.
i. Click OK to close the Internet Protocol (TCP/IP) Properties dialog box.
j. Click Close to close the Properties dialog box.
22. Change the computer name to match the physical computer name; this name is the
same as the changed persona name.
23. Configure the server to synchronize time with a time server that is compatible with the
uChargeback management VM.
This is required in order for resource utilization metrics to display the correct data in
the Secure Private Cloud portal.
24. When Windows prompts you to reboot, click No.
Note: You must use the uAdapt Console to “reboot” the Windows operating system
by stopping and restarting the persona, as described in the following steps.
25. Using the uAdapt Console, stop the persona, and then start it again.
These commands enable the computer name change to take effect in Windows
without causing the persona to retarget to a different server.
Do the following to stop and then start the persona:
a. Select Personas from the top-left list box.
b. Select the persona.
c. Select Stop Persona command in the right menu.
d. Save the configuration.
The persona changes states and eventually ends in the dormant state.
e. In the top-right list box, select Persona Assignment.
Cloud Portal Operations
3850 6804–007 10–5

Cloud Portal Operations
f. Verify that the top list box value is Try to run on server in Pool and that the
bottom list box is set to the “-active” pool associated with the request.
g. Select Start Persona on the right menu.
h. Save the configuration.
The persona changes states and eventually goes into the running state.
26. Open a console to the Cloud Orchestrator management VM.
27. Launch a Web browser, and access the uOrchestrate Operations Console using the
URL in Table 2–2.
28. Log in to the Operations Console using the credentials in Table 2–1.
29. If you receive a message that the Operations Console has stopped polling, click OK.
30. When you see the question, “What is the Computer Name of the newly started
persona xxx?” enter the computer name (persona name) of the commissioned
physical server.
The computer name you enter must be resolvable from the Cloud Orchestrator and
the uChargeback management VMs. This can be the fully qualified domain name of
the server, where the domain suffix is the Domain value from Table 1–9. For example,
if the host name of the server is host-1, and the Domain value in Table 1–9 is
Managed.example.com, then enter host-1.Managed.example.com.
(The name that appears in this message is the ″User Entered Name″ listed in the user
request, which is different from the physical computer name/persona name.)
31. Click response.
After you enter the computer name, the Secure Private Cloud portal completes the
physical machine request. When the request is complete, the user who requested the
physical server receives a notice that the physical server has been commissioned and
can be accessed using the new computer name.
32. On the persona, ensure that the Unisys DWP Meter service is started and is
configured to start automatically when the operating system is started.
33. Restart the server using the following procedure, 10.4.2 Starting or Stopping Physical
Servers.
10.4.2. Starting or Stopping Physical Servers
When a user requests that a physical server be started or stopped, you receive a notice
requesting that you complete this action.
Starting a Physical Server
Do the following to start a physical server:
1. Launch the uAdapt Console.
2. Access the Catalog view from the View menu.
3. Select Personas in the top-left list box.
10–6 3850 6804–007

4. Select the persona that matches the computer name that the user requested you
start.
5. In the top-right list box, select Persona Assignment.
6. Verify that the top list box value is Try to run on server in Pool and that the
bottom list box is set to the “-active” pool associated with the request.
7. Select Start Persona on the right menu.
8. Save the configuration.
The persona changes states and eventually ends in the running state.
9. Verify that the state has changed to ″Running″ to ensure that the persona has
successfully started.
Stopping a Physical Server
Do the following to stop a physical server:
1. Launch the uAdapt Console.
2. Access the Catalog view from the View menu.
3. Select Personas from the top-left list box.
4. Select the persona that the user requested to stop.
5. Select Stop Persona on the right menu.
6. Save the configuration.
The persona changes states and eventually ends in the dormant state.
7. Verify that the state has changed to ″Dormant″ to ensure that the persona has
successfully stopped.
Caution
Cloud Portal Operations
Do not change the server pool for the persona to the non-active pool; the
non-active pool is only for personas that are not commissioned.
10.4.3. Decommissioning Physical Servers (Releasing Physical
Server Resources)
When you decommission a physical server, you release its resources back to the cloud so
that they can be reassigned.
When a user requests that a physical server be decommissioned, you receive a notice
requesting that you complete this action.
3850 6804–007 10–7

Cloud Portal Operations
Decommission a physical server and making its resources available to other users includes
the following tasks:
1. Stopping the persona in uAdapt.
2. Reinitializing the operating system image for this persona from the gold image that
was configured by the Unisys service consultant. For the storage LUN for this
persona, this involves doing either of the following:
• Writing over the storage LUN.
• Deleting the storage LUN and creating an identically named LUN.
3. Moving the persona from the active pool to the inactive pool.
Note: After you stop and decommission virtual machines, they are moved into the
Archived Servers Department in uChargeback. This enables you to create historical
reports, as needed. However, if you want to fully delete the virtual machines from
uChargeback, see 11.8 Removing Tenant Resources and Departments from uChargeback.
Stopping the Persona
Stop the persona in uAdapt. See 10.4.2 Starting or Stopping Physical Servers.
Managing the Storage LUN
Reinitialize the operating system image for this persona from the gold image that was
configured by the Unisys service consultant. For the storage LUN for this persona, do
either of the following:
• Write over the existing LUN
• Delete the existing LUN and create a new LUN with an identical name
In order for the physical server to be recommissioned using uAdapt, you must
rename the LUN using the exact name used previously. If you do not, the physical
server becomes uncommissionable, and you must call your Unisys service consultant
for assistance in creating a new persona.
Use the documentation provided by your storage system to perform one of these tasks.
Moving the Persona to the Inactive Server Pool
Do the following to move the uAdapt persona from the active to the inactive server pool:
1. Launch the uAdapt Console.
2. Access the Catalog view from the View menu.
3. Select Personas from the top-left list box.
4. Select the persona that is being deleted.
5. In the top-right list box, select Persona Assignment.
6. In the second (lower) list box, select the matching pool name that does not end with
10–8 3850 6804–007

″active.″ For example, if the assigned server pool is named Widget-W2K3x86-active,
select the server pool named Widget-W2K3x86.
7. Save the configuration.
8. In the top-right list box, select Persona.
9. Copy the value from the Description field, and then past it in the Name field.
10. Save the configuration.
10.5. Responding to Virtual Desktop Requests
Users request that new virtual desktops be commissioned using the Secure Private Cloud
portal. Users can also request that virtual desktops be deleted (decommissioned) using
the Secure Private Cloud portal. If a virtual desktop needs to be started or stopped, the
administrator or operator receives a message by e-mail, by Remedy ticket, or by both,
depending on the configuration.
All virtual desktop tasks require manual action by an administrator or operator. Refer to the
following topics for more information on handling requests.
10.5.1. Commissioning New Virtual Desktops
When a user uses the Secure Private Cloud portal to request that a virtual desktop be
created, a notification (e-mail, Remedy ticket, or both) is created to direct the cloud
administrator or operator to manually create the required desktop.
The notification includes the specific blueprint name that should be used and a link to the
Secure Virtual Office as a Service Implementation and Best Practices Guide (3843 4536),
which provides detailed instructions on implementing the Virtual Office as a Service
solution, onboarding new tenants, and creating new virtual desktops. This document is
available from the Unisys Product Support Web site (www.support.unisys.com). You can
also refer to the Secure Virtual Office as a Service Session Manager Help (3826 5187),
which is available directly from the Session Manager connection broker interface.
After the desktop has been created and started in Session Manager, the administrator or
operator must sign into the Secure Private Cloud portal and approve the pending request.
The administrator or operator must also manually maintain a mapping of the resource
descriptive name to the desktop name created. (This is used later when deleting virtual
desktops.)
10.5.2. Starting, Stopping, and Deleting Virtual Desktops
Starting and Stopping Virtual Desktops
Cloud Portal Operations
In general, users do not have to request that virtual desktops be started. When a user
starts the process to connect to the virtual desktop using the Thin Client software, the
software automatically tries to start the virtual desktop if it is not already running. Users
can also use the Thin Client software to request that a virtual desktop be restarted (that is,
3850 6804–007 10–9

Cloud Portal Operations
if the virtual desktop is running, it is stopped and then restarted). A user can make a stop
request from within the virtual desktop operating system, if the operating system image
was built with a capability that enables users to shut it down.
If a user needs administrator or operator assistance to start or stop a virtual desktop, the
user must create a request using the method established with the Unisys service
consultant.
Deleting Virtual Desktops
When a user uses the Secure Private Cloud portal to request that a virtual desktop be
decommissioned (deleted), a notification—through e-mail, Remedy ticket, or both—is
created to direct the cloud administrator or operator to manually complete the deletion
process.
The notification contains the resource descriptive name to be deleted and a link to the
Secure Virtual Office as a Service Implementation and Best Practices Guide, which
provides detailed instructions on deleting the Virtual Office as a Service desktop.
10.6. Responding to Requests Using the Operator
Prompts Page
Operator prompts are generated by the Secure Private Cloud when the automation
software encounters a condition that requires intercession by an administrator or operator.
For example, an operator prompt is generated if a user requests a custom configuration for
a virtual machine, or if a commissioning request has failed due to a configuration or
infrastructure problem (such as insufficient space to create a new virtual machine).
In these cases, the administrator or operator responsible for handling the prompt should
review the information presented and determine how to proceed. In the event of an error,
if the problem can be resolved (for example, by adding additional storage), the
administrator or operator should take whatever action is necessary to resolve the problem,
and then approve the prompt. The automation software will retry the operation that failed.
If the error cannot or should not be resolved (for example, due to invalid user input), the
administrator or operator should reject the operator prompt. The automation software
then informs the requesting user that his request has failed.
The Operator Prompts page of the Secure Private Cloud portal enables administrators and
operators to approve or reject requests. Do the following to access the Operator Prompts
page:
1. From a workstation on the Public Network, sign in to the Secure Private Cloud portal
using the URL in Table 2–2 and your cloud administrator or cloud operator credentials.
2. Click Administration.
In the right pane, you see the Operator Prompt Overview, the Operator Prompt Details,
and Operator Prompt Status tables. Each table provides a different level of detail about the
operator prompts.
10–10 3850 6804–007

See the Secure Private Cloud Interface Help for more information on using this page.
10.7. Managing Tenant Users
Perform the following procedures to change a user’s e-mail address, deactivate or
reactivate a user, or delete a user.
10.7.1. Updating a Tenant User’s E-mail Address
To change a tenant user’s e-mail address, do the following.
Note: If you change a user’s e-mail address in Active Directory, you must perform the
following procedure to change the e-mail address in the Secure Private Cloud portal.
1. From a workstation on the Public Network, sign in to the Secure Private Cloud portal
using the URL in Table 2–2 and your Liferay administrator credentials.
2. From the Manage list (at the left of the top pane), click Control Panel.
3. In the left pane, under Portal, click Users.
The Users page appears with a list of active users.
4. Click the user whose e-mail address you want to change.
5. Type the new e-mail address in the Email Address box.
6. Click Save.
10.7.2. Moving a User from One Tenant Organization to Another
Note: Before moving a tenant user from one organization to another, ensure that the
user does not own any resources (virtual machines, physical servers, or virtual desktops.)
If the user owns any resources, you must either decommission those resources or change
the ownership of those resources before performing this procedure. See
Section 10, Cloud Portal Operations, for more information about decommissioning virtual
machines, virtual desktops, or physical servers, or see the Secure Private Cloud Interface
Help for information about changing ownership of a resource.
If you need to move a user from one tenant organization to another, do the following:
1. Sign in to the Secure Cloud Portal using the URL from Table 2–2 and the Liferay
administrator credentials from Table 2–1.
2. Click OK when you receive one or more errors that there has been an error processing
your request or that you do not have permission to view requests.
3. At the top of the window, directly below the browser address bar, select Manage,
and then click Control Panel.
4. In the left pane, under Portal, click Users.
The Users page appears.
Cloud Portal Operations
3850 6804–007 10–11

Cloud Portal Operations
5. Using the First Name, Last Name, or Email Address boxes, search for the user
whose organization you want to change.
Note: You might have to click Advanced to see all available search fields.
6. When you locate the user, click the user name.
The Details page appears containing the details of the user.
7. In the right pane, click Organizations.
8. Click Select to assign the user to an organization.
The Organizations window appears.
9. Select one of the listed organizations.
Note: You can search for an organization, if required.
10. Click Remove next to the user’s former organization to remove the association with
that organization.
11. Click Roles.
12. Click Remove next to the role or roles associated with the user’s former organization.
13. At the bottom of the right pane, click Save.
14. Exit Control Panel, and log out.
15. Log in using your cloud administrator credentials, and assign the user to the
appropriate role and project using the Role and Project Membership page. See
7.4 Assigning Cloud Provider and Tenant Users to Roles, and Assigning Tenant Users
to Projects for more information.
10.7.3. Deactivating or Reactivating Tenant Users
The following procedure describes how to deactivate tenant users and prevent them from
logging in to the Secure Private Cloud portal. It also describes how to reactivate users, if
needed.
Do the following to deactivate a user:
1. From a workstation on the Public Network, sign in to the Secure Private Cloud portal
using the URL in Table 2–2 and your Liferay administrator credentials.
2. From the Manage list (at the left of the top pane), click Control Panel.
3. In the left pane, under Portal, click Users.
The Users page appears with a list of active users.
4. Locate the users you want to deactivate, and select the check boxes next to the user
names.
5. Click Deactivate (at the top of the list of users) to deactivate the users.
If you want to reactivate a user, do the following:
1. From a workstation on the Public Network, sign in to the Secure Private Cloud portal
using the URL in Table 2–2 and your Liferay administrator credentials.
10–12 3850 6804–007

2. From the Manage list (at the left of the top pane), click Control Panel.
3. In the left pane, under Portal, click Users.
The Users page appears with a list of active users.
4. From the Active list, select No, and then click Search.
Note: You might have to click Advanced under the Search button to view the
Active list.
A list of the deactivated users appears.
5. Locate the users you want to activate, and select the check boxes next to the user
names.
6. Click Restore (at the top of the list of users) to reactivate the users.
10.7.4. Deleting Tenant Users and User Roles
Deleting Tenant Users and User Roles from the Secure Private Cloud
Portal
To delete tenant users, do the following:
1. From a workstation on the Public Network, sign in to the Secure Private Cloud portal
using the URL in Table 2–2 and your Liferay administrator credentials.
2. From the Manage list (at the left of the top pane), click Control Panel.
3. In the left pane, under Portal, click Users.
The Users page appears with a list of active users.
4. If you have not already deactivated the users you want to delete, do the following. If
the users are already deactivated, skip to the next step.
Do the following to deactivate users:
a. Select the check boxes next to the users who you want to deactivate.
b. Click Deactivate (at the top of the list of users) to deactivate the users.
5. From the Active list, select No, and then click Search.
Note: You might have to click Advanced under the Search button to view the
Active list.
A list of the deactivated users appears.
6. Locate the users you want to delete, and select the check boxes next to the user
names.
7. Click Delete (at the top of the list of users) to delete the selected users.
To delete a tenant user role, do the following.
Cloud Portal Operations
1. From a workstation on the Public Network, sign in to the Secure Private Cloud portal
using the URL in Table 2–2 and your Liferay administrator credentials.
2. From the Manage list (at the left of the top pane), click Control Panel.
3850 6804–007 10–13

Cloud Portal Operations
3. In the left pane, under Portal, click Roles.
The Roles page appears with a list of roles.
4. Locate the tenant user role you want to delete, click the Actions button for that user
role, and then click View Users.
5. Verify that no users are associated with the role you are deleting.
If any users are associated with the role, you should create a new role and reassign
the users before continuing.
6. Locate the tenant user role you want to delete, click the Actions button for that user
role, and then click Delete.
10.8. Editing Blueprints
To edit a blueprint that has already been refined, do the following.
Note: Some blueprint attributes cannot be changed, such as blueprint type.
1. Click Administration, and then click Manage Blueprints.
2. Under Manage Blueprints, select the project associated with the blueprint you
want to edit.
The Blueprint pane is updated to list all blueprints associated with the project.
3. Under Blueprints, select the blueprint that you want to edit, and then click Edit
Blueprint.
4. Edit the values as required.
Note: The blueprint name cannot be longer than 128 characters. Only numbers (0-9),
uppercase and lowercase letters (A-Z, a-z), space, hyphen (-), underscore (_), period (.),
ampersand (&), and at sign (@) characters are allowed.
See the following topics for information:
• 6.5 Virtual Machine Attributes and Values
• 6.6 Virtual Desktop Attributes and Values
5. After you finish editing the values, click Apply.
10.9. Deleting Blueprints or Projects from the Cloud
Environment
Note: Renaming projects is not a supported operation. To give a project a different name,
you must delete it using the procedures in this topic and then recreate it using the new
name.
If you want to delete a blueprint, you must delete it from both the Secure Private Cloud
portal and from RBADB. If you want to delete a project, you must delete it from both
RBADB and from uOrchestrate.
10–14 3850 6804–007

Perform the procedures in this topic to delete components from the cloud environment.
10.9.1. Deleting Blueprints from the Secure Private Cloud
Portal
Note: To delete a blueprint, you must first decommission the resources that have been
commissioned using the blueprint. You receive the following error message when you try
to delete a blueprint that has resources tied to it:
There has been a problem processing your request.
To delete a blueprint from the Secure Private Cloud portal, do the following:
1. From a workstation on the Public Network, sign in to the Secure Private Cloud portal
using the URL in Table 2–2 and your cloud administrator or cloud operator credentials.
2. Click Administration, and then click Manage Blueprints.
3. Under Manage Blueprints, select the tenant folder.
The Blueprint pane is updated to list all blueprints associated with the tenant.
4. Under Blueprints, select the blueprint that you want to delete, and then click
Delete Blueprint.
A confirmation message appears.
5. Confirm that you want to delete the blueprint.
The blueprint is deleted from the tenant and from all tenant projects with which it is
associated.
6. Delete the blueprint from RBADB. See Removing a Blueprint from a Contract and
Deleting a Blueprint.
10.9.2. Deleting Projects or Blueprints from RBADB
If you want to delete tenant projects or blueprints from RBADB, perform the following
procedures.
Note: If you delete a tenant, the projects associated with the tenant are deleted
automatically. (See 11.6 Removing a Tenant Contract and Tenant from RBADB for
information about deleting tenants.) However, any blueprints associated with the tenant
must be deleted individually, as described later in this topic.
In addition, remove any deleted projects or blueprints from the tenant data worksheet, so
that any future updates in the worksheet can be applied correctly to RBADB.
Note: It is not necessary to export the worksheet at this time.
Restrictions When Deleting Items in RBADB
Cloud Portal Operations
• A project cannot be deleted if it is associated with any commissioned resources.
• A contract cannot be deleted if it is associated with any commissioned resources.
3850 6804–007 10–15

Cloud Portal Operations
• A tenant cannot be deleted if it is associated with a contract.
• A blueprint cannot be deleted if it is associated with a contract.
Verifying that Commissioned Resources Are Not Associated with
Tenants, Projects, or Blueprints
You cannot delete a tenant, project, or blueprint if it is associated with any commissioned
resources. To verify that commissioned resources are not associated with tenants,
projects, or blueprints, do the following:
1. From the jump box management VM, access RBADB using the URL in Table 2–2.
2. Log in with the RBADB Administrator credentials in Table 2–1.
3. Click Contracts in the left pane.
4. Select the contract for the tenant.
You see the Contracted Resources page, which includes a table listing associated
blueprints.
5. For any Blueprint Type whose Deployed value is not 0, select View Deployed
Resources from the Actions list.
You see the Deployed Resources page, which includes a table listing
commissioned resources. Commissioned resources are grouped by project, and each
machine is identified by the tenant fully qualified name (FQN).
For any deployed resources that are associated with tenants, projects, or blueprints
that you want to decommission (delete), do the following:
a. Access the Secure Private Cloud portal, and verify that the commissioned
resources have not been decommissioned. If any commissioned resources have
not been decommissioned from the Secure Private Cloud portal, you must ensure
that they are decommissioned.
If possible, you should request that users decommission their own virtual
machines. The procedure that explains how users decommission virtual machines
is included in the Secure Private Cloud Interface Help. However, if users are no
longer available to decommission their own virtual machines, you might have to
decommission them. See 11.1 Stopping and Decommissioning Virtual Machines
for more information.
The procedure that explains how administrators decommission physical servers is
described in 10.4.3 Decommissioning Physical Servers (Releasing Physical Server
Resources).
b. If any commissioned resources still remain in RBADB, access the Deployed
Resources page, and delete those resources by clicking the recycle bin icon next
to each machine.
Note: Perform this step only if you are sure that the resources do not exist in the
Secure Private Cloud portal. The recycle bin icon is provided only to resolve errors
between commissioned resources that do not exist in the Secure Private Cloud
portal but still appear in RBADB. If you delete a resource that still exists in the
Secure Private Cloud portal, serious errors can occur.
10–16 3850 6804–007

Removing a Blueprint from a Contract and Deleting a Blueprint
Note: The Import VMware Virtual Machine blueprint can be removed from the tenant’s
contract; however, you should not remove this blueprint from RBADB.
A blueprint cannot be deleted if it is associated with a contract. To remove a blueprint from
a contract (if the contract has not already been deleted) and delete a blueprint, do the
following in RBADB:
1. From the jump box management VM, access RBADB using the URL in Table 2–2.
2. Log in with the RBADB Administrator credentials in Table 2–1.
3. If you need to remove a blueprint from a contract (if the contract has not already been
deleted), do the following:
a. Click Contracts in the left pane.
b. Select the contract for the tenant.
You see the Contracted Resources page, which includes a table of associated
blueprints.
c. Verify that there are no commissioned resources associated with the blueprint
(that the value in the Deployed column is 0). See Verifying that Commissioned
Resources Are Not Associated with Tenants, Projects, or Blueprints.
d. Select Delete Resource from the Actions list.
e. Click OK to confirm that you want to remove the blueprint from the contract.
4. Click Blueprint Types in the left pane.
5. Select the blueprint you want to delete.
6. Click Delete.
7. Click OK to confirm that you want to delete the blueprint.
Deleting a Project
To delete a project, do the following.
Note: If you delete a tenant, all associate projects are automatically deleted from
RBADB.
1. From the jump box management VM, access RBADB using the URL in Table 2–2.
2. Log in with the RBADB Administrator credentials in Table 2–1.
3. Click Accounts in the left pane.
4. Click SubAccounts for the tenant whose project you want to delete.
5. Select the subaccount for the project you want to delete.
6. Click Delete.
Cloud Portal Operations
Note: If the Delete button is not active, there might be commissioned resources
associated with this project. See Verifying that Commissioned Resources Are Not
Associated with Tenants, Projects, or Blueprints for information on how to verify this
3850 6804–007 10–17

Cloud Portal Operations
and delete commissioned resources if required.
7. Click OK to confirm that you want to delete the project.
8. Perform the procedure in 10.9.3 Removing Projects from uOrchestrate to remove the
project from uOrchestrate.
10.9.3. Removing Projects from uOrchestrate
To remove a project from uOrchestrate, do the following:
1. Open a console to the Cloud Orchestrator management VM.
2. Launch a Web browser, and access the uOrchestrate Operations Console using the
URL in Table 2–2.
3. Log in to the Operations Console using the credentials in Table 2–1.
4. If you receive a message that the Operations Console has stopped polling, click OK.
5. In the Service Organization pane on the left, click the Registration service.
6. Expand Effectors in the right pane to view the effectors.
7. Under All Effectors, click removeSubAccountStructure.
This effector removes a single project from an existing tenant. Type the name of the
tenant that owns the project in the tenant parameter, and then type the name of the
project that you want to delete in the subAccount parameter.
8. Click Execute.
9. Check the result in the result pane.
You should see the message “Success” when the process is complete.
10. If there were any errors encountered attempting to delete the tenant or project,
resolve them, and then rerun the effector.
For example, if you see an error message that states that a folder cannot be deleted
because a resource is associated with it, delete the resource, and then rerun the
effector.
10.9.4. Archiving Projects in uChargeback
After you delete projects from RBADB and uOrchestrate, you should archive those
projects in uChargeback. Do the following:
1. From a vSphere Client, open a console to the uChargeback management VM, and log
in using the domain uChargeback administrator account from Table 1–10.
2. Access the uChargeback Administrator from the Start menu by pointing to All
Programs, pointing to Unisys, pointing to uChargeback,, and then clicking
Administrator.
3. In the Object Browser tree in the left pane, expand the Departments tree, select
the project that has been deleted from RBADB and uOrchestrate, and drag that project
under Archived Accounts.
10–18 3850 6804–007

If you want to fully delete a project after archiving it, see 11.8 Removing Tenant Resources
and Departments from uChargeback.
10.10. Configuring Snapshot Limits and Managing
Snapshots
The Secure Private Cloud environment enables you to take snapshots of your virtual
machines at any time. These snapshots are known as versions on the Secure Private
Cloud portal.
As an administrator, you can limit the number of snapshots that can be taken. By default,
the snapshot limit is not set, meaning that one snapshot can be taken for each virtual
machine. You can update this value to allow the appropriate amount of storage for your
environment to be used to store snapshots.
10.10.1. Configuring Snapshot Limits
You configure snapshots limits using the Excel worksheets. You can configure limits at
three levels:
• For the entire Cloud environment
• For a specific tenant folder
• For a specific project folder
Cloud Portal Operations
If you set these three values differently, then the snapshot limits at the lower levels of the
hierarchy take precedence over snapshot limits at higher levels. That is, snapshot limits
defined at the project level take precedence over the tenant and Cloud level limits, and
snapshot limits defined at the tenant level take precedence over the Cloud level limit. The
only exception is that the default value (blank) does not override snapshot limits set at
higher levels of the hierarchy.
If you want to prevent users from saving snapshots, then set the appropriate snapshot
limit to 0; you can set this limit on the Cloud level, the tenant level, or project level. If you
set the Cloud level snapshot to 0 and you leave the tenant and project values blank, then
users cannot save snapshots. However, if you set the Cloud level snapshot to 0 and then
set a different value for a particular tenant or project, only virtual machines that belong to
that tenant or project can save snapshots.
The snapshot limits you set apply to each virtual machine individually. That means that if
you set the snapshot limit to 10 at the project level, and if you have 10 virtual machines in
that project, then you could have a total of 100 snapshots.
To update the snapshot limit for the cloud environment, change the Snapshot Limit in
Table 1–9, export the cloud provider worksheet, and run the Populator
updateCloudProperties effector, as described in 6.1 Updating Cloud Provider or Adding
Tenant Information in the Secure Private Cloud Environment.
To set the snapshot limit for a tenant, change the Snapshot Limit in Table 1–29. To set the
3850 6804–007 10–19

Cloud Portal Operations
snapshot limit for a project, change the Snapshot Limit in Table 1–40. Then, export the
worksheet, and then run the Populator updateTenant effector as described in 6.1 Updating
Cloud Provider or Adding Tenant Information in the Secure Private Cloud Environment.
10.10.2. Managing Snapshots
You can create, delete, or revert a snapshot of a virtual machine.
Note: You cannot take snapshots of a physical server or a virtual desktop.
The portal enables you to take snapshots of your virtual machines at any time. These
snapshots are known as versions. A virtual machine snapshot is a representation of the
state of a virtual machine and its data at a given time. Snapshots are useful for storing a
virtual machine state that you might need to restore as the current processing state in the
future.
The portal enables you to do the following tasks:
• Creating New Snapshots
• Reverting to a Different Snapshot
• Deleting a Snapshot
Creating New Snapshots
Do the following to create a new snapshot:
1. Click Commission and Manage, and then click Manage Resources.
2. Select the virtual machine for which you want to take a snapshot in the Resource
Overview pane, and click Create Snapshot.
Create Snapshot dialog box appears.
Note: If the virtual machine is running, the best practice is to stop the virtual machine
before taking a snapshot. This ensures that you know the state of the virtual machine
before you take the snapshot, and the size of the snapshot is smaller if the snapshot is
taken when the virtual machine is stopped.
3. Type a name for the new snapshot, enter a description of the snapshot, and click
Execute.
Reverting to a Different Snapshot
1. Click Commission and Manage, and then click Manage Resources.
2. Select the virtual machine in the Resource Overview pane and click Revert
Snapshot.
Revert Snapshot dialog box appears. Revert Snapshot displays a list of all the
available snapshots, with the latest snapshot selected.
3. Select the snapshot that you want to revert to and click Execute.
10–20 3850 6804–007

Note: When you activate a different snapshot, you lose the current state of your virtual
machine, unless you first stop the virtual machine and take a snapshot before activating
another snapshot.
Deleting a Snapshot
1. Click Commission and Manage, and then click Manage Resources.
2. Select the virtual machine in the Resource Overview pane and click Delete
Snapshot.
Delete Snapshot dialog box appears. Delete Snapshot displays a list of all the
available snapshots, with the latest snapshot selected.
3. Select the snapshot that you want to delete and click Execute.
Cloud Portal Operations
10.11. Using the Resource Utilization Dashboard
The Resource Utilization dashboard enables the users—based on their roles and
privileges—to view the utilization information (CPU, Memory, Storage, and Network) of
various resources allocated to the tenants and their associated projects.
When you initially sign in to the Secure Private Cloud portal, you see the Resource
Utilization Overview dashboard on the Home page.
This dashboard provides a graphical overview of CPU utilization, Memory utilization,
Storage utilization, and Network utilization for virtual machines and physical servers in a
single pane.
This data is gathered every 15 minutes, and the time zone listed on the dashboard is that
of the uChargeback management VM. uChargeback can manage data from workload
servers in different time zones, but all data is stored using the uChargeback management
VM time zone. It is highly recommended that you synchronize your system clocks so that
data can be meaningfully compared across multiple workload servers.
For CPU and Memory utilization, each resource in the cloud environment is grouped in one
of four categories: low, medium, high, and critical. Each category is a range of percentages
of the total available capacity. A Unisys service consultant configures these categories
during initial implementation.
For example, the categories can be defined as follows: Low (0-30%), Medium (31-60%),
High (61-75%), and Critical (76-100%). If there are a total of 1000 resources (800 virtual
machines and 200 physical servers) in the cloud environment, you can graphically view the
number of resources that fall into each range for CPU utilization and Memory utilization.
In contrast, for Storage and Network utilization, the values displayed are for all virtual
machines and all physical servers in the cloud environment (rather than on a resource-byresource
basis).
CPU Utilization: The average percentage of available CPU capacity that a resource
consumes for a given 15-minute period.
3850 6804–007 10–21

Cloud Portal Operations
Note: For virtual machines, this is the view presented by the virtualization server rather
than the view from the virtual machine operating system.
Every 15 minutes, uChargeback requests the average utilization for each resource, and
then each resource is sorted into one of four ranges based on that measurement (low,
medium, high, and critical).
The uChargeback metric “Server CPU Percent Average” is derived as follows:
• For virtual machines: VMware metric cpu.usage.average
• For physical servers, one of the following, based on the operating system:
- Windows: perfmon Processor object and % Processor Time counter
- Linux: /proc file system /proc/stat
Memory Utilization:
The amount of memory that is actively used, as estimated by VMkernel based on recently
accessed memory pages, which is expressed as a percentage of the allocated memory for
the resource for a 15-minute period. For example, if the resource has been allocated 1024
MB and is using 512 MB, then the memory utilization is 50%.
Every 15 minutes, uChargeback requests the average utilization for each resource, and
then each resource is sorted into one of four ranges based on that measurement (low,
medium, high, and critical).
The uChargeback metric “Server Memory Percent Active” is computed as (VMware
metric mem.active.average / VMware metric
VirtualMachine.config.hardware.memoryMB) × 100.
Storage Utilization: The total used and total free space (in GB) across all virtual
machines and physical servers for a 15-minute period. This includes running, stopped, and
expired resources.
Every 15 minutes, uChargeback requests the utilization for each resource, and the results
from all resources are aggregated in one value for used space (GB) and one value for free
space (GB).
The uChargeback metrics “Server Storage Available” and “Server Storage Used” are
derived as follows:
• For virtual machines: VMware metrics guest.disk.freeSpace and guest.disk.capacity
minus guest.disk.freeSpace
• For physical servers, one of the following, based on the operating system:
- Windows: Windows Management Instrumentation (WMI) Win32_LogicalDisk
object and Size property
- Linux: df –h Linux command
Network Utilization: The total number of bytes transmitted and received over all NICs
on all resources for a 15-minute period.
10–22 3850 6804–007

Every 15 minutes, uChargeback requests the utilization for each resource, and the results
from all resources are aggregated in one value for I/O transmitted and one value for I/O
received.
The uChargeback metrics “Server I/O Network Xmt” and “Server I/O Network Rcv” are
derived as follows:
• For virtual machines: VMware metrics net.transmitted.average and
net.received.average
• For physical servers, one of the following, based on the operating system:
- Windows: Windows Performance Counter – Network Interface category and
Bytes Received/sec counter name
- Linux: /proc file system /proc/net/dev
To view additional details at the cloud, tenant, or project level and to sort by resource type,
click Tenant/Project Utilization.
For more information, see the Secure Private Cloud Interface Help.
10.12. Configuring Resource Utilization Ranges
When a user initially signs in to the Secure Private Cloud portal, he or she sees the
Resource Utilization Overview dashboard. This dashboard provides a graphical overview of
CPU utilization, Memory utilization, Storage utilization, and Network utilization for virtual
machines, physical servers, and virtual desktops in a single pane.
For CPU and Memory utilization, each resource in the cloud environment is grouped in one
of four categories: low, medium, high, and critical. Each category is a range of percentages
of the total available capacity. For Storage and Network utilization, the values displayed are
for all virtual machines and all physical servers in the cloud environment (rather than on a
resource-by-resource basis).
CPU and memory ranges are common to all tenants in the cloud. Values for the CPU and
memory ranges are set by default. If required, you can modify these values by changing
the following parameters in the configuration file, ECMConfig.properties, and then
restarting the Secure Private Cloud portal.
Valid ranges for CPU and Memory Thresholds are between 0 and 100 in the following
format:
-
Cloud Portal Operations
3850 6804–007 10–23

Cloud Portal Operations
Do the following to view and change these ranges:
1. Navigate to the following directory on the Secure Private Cloud portal management
VM:
\\webapps\unisys-ecm-portlet\WEB-INF\config
For example, navigate to C:\Unisys\liferay-portal-6.06\tomcat-6.0.29\webapps\unisysecm-portlet\WEB-I
NF\config
2. Open the following file using a text editor, such as Notepad:
ECMConfig.properties
3. For each of the following ranges, modify the specified parameters as desired:
• CPU Threshold (cpuThreshold) - low, medium, high, and critical ranges
• Memory Threshold (memoryThreshold) - low, medium, high, and critical ranges
4. Restart the Unisys Secure Private Cloud portal service.
10.13. Managing the Lifecycle Database
The Cloud Orchestrator Lifecycle database uses table structures to store the following
entities:
• Requests
• Approval requests
• Various log entries
If the number of entries in these tables is high, the database becomes large and
performance can be affected. On the other hand, removing too many entries from the
database can hinder debugging and tracing efforts.
The Lifecycle database contains stored procedures for removing the older unneeded
database table entries to manage the size of the database and, thereby, improve
performance. The stored procedures use parameters that specify how old table entries
need to be before they are deleted. The default settings are as follows:
• Requests are deleted when they are older than one day.
• Log entries are deleted when they are older than one week.
A Windows scheduled task calls the stored procedures once an hour, using a data file at
the following location on the database server in the Cloud Management Environment to
determine which procedures to call:
c:\ProgramData\Unisys\ConfigSQL\LifecycleCleanup.sql
Initially, the data file contains the following lines:
exec uorch_lifecycle.dbo.Request_Delete
exec uorch_lifecycle.dbo.ActionLog_Delete
10–24 3850 6804–007

You can append the following parameters, separated by a comma and a space, to
determine which entries to delete:
• Number of units (integer)
• Unit type (one of ‘minutes’, ‘hours’, ‘days’, ‘weeks’, or ‘months’, including the single
quotation marks)
For example, to delete requests that are older than two weeks instead of the default one
day, you can change the first line in the LifecycleCleanup.sql file to
exec uorch_lifecycle.dbo.Request_Delete 2, ‘weeks’
The stored procedures calculate the age of any single entry based on the newest entry in
the table. Therefore, if the newest entry in the requests table is 10:00 AM on June 16,
then the preceding example causes the stored procedures to delete all requests that
completed before 10:00 AM on June 2 the next time the Windows scheduled task runs.
10.14. Creating uChargeback Criteria
Specifications
uChargeback enables you to analyze usage data for the virtual machines in the Cloud
environment and export that usage data for billing, if required. The first step is to create a
criteria specification to identify the resource usage data that uChargeback generates. A
criteria specification is a set of parameters that uChargeback Exporter and Calculator use
to extract usage data from the uChargeback database.
Caution
Criteria specifications are based upon the usage data that is collected.
Therefore, do not create a criteria specification until usage data has been
collected by the uChargeback management server from a managed server.
1. To add a criteria, in the uChargeback Administrator, right click the Criteria
Specification node in the Object Browser, and select Add New Criteria.
The following is an example Criteria Specification named Billing. Create a criteria
specification that is appropriate for the environment.
Table 10–1. Example Criteria Specification, Page 1 Data
Option Name Option Value Comments
Name Billing
Summary
Level
Sum by Server
Cloud Portal Operations
3850 6804–007 10–25

Cloud Portal Operations
Table 10–1. Example Criteria Specification, Page 1 Data (cont.)
Option Name Option Value Comments
Department
Level
Grandchild Departments
Date Range Last Month If this option is grayed out,
do not proceed. There must
be usage data collected
from a managed server in
order to specify a Date
Range.
Interval 1 Month
Resources
Tree
Server Count Active
Server CPU Time
Server Memory Allocated
Servers Tree By department is checked and Secure Cloud is
checked
Sources Tree To exclude Processor Idle and System Idle, the
System Idle Process and Processor Idle boxes
are cleared
2. Click Next.
Table 10–2. Example Criteria Specification, Page 2 Data
Option Name Option Value
Selected Tab Usage Data
Load Data immediately True (box is checked)
For more information, see the “Add or Edit Criteria Specification” topic in the uChargeback
Installation, Configuration, and Operations Guide. This document is available from the
uChargeback Administrator.
10.15. Importing Existing Virtual Machines
If your environment or your tenants’ environments include existing virtual machines, you
can import them to the Secure Private Cloud so that they can be managed using the
Secure Private Cloud portal. The Unisys Cloud Import Utility imports virtual machines into
the Secure Private Cloud environment, as described in this subsection.
10–26 3850 6804–007

10.15.1. Prerequisites for Importing Virtual Machines
Before you run the Import Utility, verify the following:
• The Secure Private Cloud portal has tenants, projects, blueprints, and users
configured.
• The Cloud Orchestrator management VM and Secure Private Cloud management VM
are in a running state.
• The virtual machines to be imported exist in vCenter.
• The virtual machines to be imported use a valid DNS zone, as defined by the provider
or tenant account against which they will be imported.
• A valid DNS entry, containing the management-side DNS address, exists for the virtual
machines to be imported in the DNS zone for commissioned virtual machines or any
other zone reachable using the DNS servers in Table 1–3.
• A valid DNS entry exists for the machines to be imported in the tenant DNS server.
• The virtual machines to be imported are running and respond to ping requests using
the virtual machines fully qualified name as defined in the cloud provider DNS server.
• The virtual machines to be imported do not contain snapshots that include the percent
sign (%) in the snapshot name.
• If any agents are required by software running in the Secure Private Cloud
environment, the virtual machines to be imported contain those required agents. For
example, if Nagios is included in your environment, install the required Nagios agents
before importing the virtual machines.
10.15.2. Utility Components and Layout
The Import Utility has the following components, as shown in Figure 10–1:
• Virtual Machines list
The left pane contains the Virtual Machines list, which displays the candidate virtual
machines that can be imported. Candidate virtual machines are virtual machines that
exist in the vCenter inventory but are not managed by the Secure Private Cloud.
• Import table
The upper-right pane contains the Import table. The Import table defines the required
Secure Private Cloud information for each virtual machine, including the virtual
machine name, hostname, Nagios profile (if applicable for your environment), tenant,
project, associated user, and the lease period.
• Request table
The middle-right pane contains the Request table, which displays information about
recent import requests, including the following:
- Request ID
A unique identifier representing an individual import request.
- VM Name
Cloud Portal Operations
3850 6804–007 10–27

Cloud Portal Operations
The virtual machine name associated with an individual import request.
- Status
The status of an individual import request. This field displays summary information
about the success or failure of a given request.
- Time Started
The start time of a given import request.
- Time Completed
The completion time of a given import request.
• Request details
The lower-right pane displays detailed information about the individual import request
for the virtual machine that is currently selected in the Request table.
Figure 10–1. Unisys Cloud Import Utility
10–28 3850 6804–007

10.15.3. Using the Import Utility
Launching the Import Utility
To launch the Import Utility, do the following:
1. Open a console to the Cloud Orchestrator management VM.
2. Open a command prompt, and navigate to C:\Unisys\UCO\vmimport.
3. Run com.unisys.cloud.vmimport.jar.
The Unisys Cloud Import Utility opens.
Selecting Virtual Machines to Import
To select virtual machines to import, do the following:
1. In the left pane of the Import Utility, select one or more virtual machines that you want
to import. (The left pane of the import utility displays all candidate virtual machines
available for import.)
2. Do either of the following to move the selected virtual machines to the Import table:
• Click and drag the selected virtual machines from the Virtual Machines list to the
Import table.
• Right-click one of the selected virtual machines in the Virtual Machines list, and
then click Select for Import.
The selected virtual machines are removed from the Virtual Machine list and added to
the Import table.
If you need to remove a virtual machine from the Import table and return it to the
Virtual Machines list, you can select and drag the virtual machine back to the Virtual
Machines list, or you can right-click a virtual machine and then click Delete.
Entering Data in the Import Table
After one or more virtual machines have been added to the Import table, you must provide
a value for each cell in the table in order to successfully import the virtual machines.
Perform one of the following procedures to enter values in the Import table:
• To enter a value in any one cell, click that cell and type the required information.
• To enter all required values for a single virtual machine, do the following:
1. Right-click a virtual machine, and then click Edit.
2. Enter the values in the Edit Single Import dialog box.
3. Click OK to save your changes.
Cloud Portal Operations
3850 6804–007 10–29

Cloud Portal Operations
• To enter shared values for a group of virtual machines, do the following:
1. Select the virtual machines that share some of the same values.
2. Right-click, and then click Edit.
3. Enter the values in the Edit Multiple Import dialog box
Note: You cannot enter values for the Name or Hostname in the Edit Multiple
Import dialog box, because those are unique entries for each virtual machine.
4. Click OK to save your changes.
5. Enter values in each Name and Hostname cell individually for each virtual
machine, and update any other values as required.
Enter the following values for each virtual machine:
• Name
A descriptive name for the virtual machine to be imported (for example, “webserver”
or “testVM”). This value is required; if you do not provide a value, the Import Utility will
not attempt to import the virtual machine.
• Host Name
The host name used by the virtual machine operating system. This value must exactly
match the host name of the operating system, or the import operation will fail. This
value is required; if you do not provide a value, the Import Utility will not attempt to
import the virtual machine.
• Nagios Profile
This optional field is intended for use only if your environment includes Nagios and if
the imported virtual machine will be monitored by Nagios. This value should contain a
valid host profile.
• VM Name
The virtual machine name as it appears in vCenter. Do not change this value.
• Tenant
This Secure Private Cloud tenant with which the imported virtual machine should be
associated. This value is required; if you do not provide a value, the Import Utility will
not attempt to import the virtual machine.
• Project
This Secure Private Cloud tenant project with which the imported virtual machine
should be associated. This value is required; if you do not provide a value, the Import
Utility will not attempt to import the virtual machine.
• User
The specific user with which the imported virtual machine should be associated. This
value is required; if you do not provide a value, the Import Utility will not attempt to
import the virtual machine.
• Lease Duration (Days)
10–30 3850 6804–007

The lease period (in days) of the virtual machine to be imported. Enter the number of
days until the virtual machine lease expires, or enter Permanent to indicate that a
virtual machine lease should never expire. This value is required; if you do not provide
a value, the Import Utility will not attempt to import the virtual machine.
Starting and Monitoring the Import Operation
After you enter the required information in the Import table for one or more virtual
machines, do one of the following to start the import:
• Select Import from the Action menu.
• Right-click the Import table, and then click Import.
When the import operation starts, the Request table in the middle-right pane of the Import
Utility is populated with an entry for each virtual machine being imported.
The Request table entries are updated as the import operation occurs. You can select an
individual entry to view more detailed information about an individual import request in the
Request details pane.
When a request is complete, you can remove it from the Request table by right-clicking
the request, and then clicking Delete.
Handling Failed Requests
If a request fails, right-click the failed request in the Request table, and click Select for
Import. This returns the virtual machine to the Import table, and you can review and
revise your input and attempt the import operation again.
10.15.4. Operational Considerations
Rolling Back an Import Operation
Although the Import Utility provides a mechanism for starting an import operation, it does
not provide any further life-cycle management operations (for example, the Detach or
Decommission operation used to remove a virtual machine from Secure Private Cloud
management). If an imported virtual machine needs to be removed from management by
the Secure Private Cloud for any reason, remove that virtual machine using the Secure
Private Cloud portal.
Refreshing the Display
Cloud Portal Operations
The Import Utility does not automatically refresh after it is launched. In some cases, you
might need to refresh the display to discover newly created virtual machines, users, or
projects. You can refresh the display by selecting Refresh from the View menu. When a
refresh operation is in progress, parts of the Import Utility are temporarily disabled and
cannot be used until the view is completely refreshed.
3850 6804–007 10–31

Cloud Portal Operations
Handling Duplicate Virtual Machine Names
The Import Utility requires virtual machine names to be unique. If two or more virtual
machines use the same name, an error is displayed, and the virtual machines are excluded
from the virtual machines pane. This requirement for unique names is for all virtual
machines, whether they are currently managed by the Secure Private Cloud portal or
whether they are outside the Secure Private Cloud environment.
If you want to import a virtual machine that shares a name with a virtual machine already
managed by the Secure Private Cloud portal, rename that virtual machine in vCenter, verify
that the rename operation was successful, and then refresh the Import Utility. Do not
rename the virtual machine in the Secure Private Cloud portal.
If your environment contains a duplicate virtual machine names, you receive an error each
time you launch the Import Utility. If you do not want to import these machines, but you
want the Import Utility to stop displaying this error, you can set the following property in
the C:\Unisys\UCO\vmimport\conf\ImportUtil.properties file:
#===========================================================#
# Indicates that the import utility should display an error
# message when two or more virtual machines use the same
# name. If display_duplicate_vm_error = true, the utility
# will display an error for each virtual machine name that
# identifies two or more virtual machines.
# If display_duplicate_vm_error = false, the import utility
# will not display an error when duplicate virtual machines
# are encountered.
#===========================================================#
display_duplicate_vm_error=false
Note: The change to the ImportUtil.properties file is a global change, and if you update
this setting, you never again receive notice that there are duplicate virtual machine names
in the environment.
10.15.5. Inspecting Logs and Troubleshooting
Log Files
If import failures occur, the log files might provide information about the causes of the
failures.
• The Import Utility log file is in the following folder:
C:\Unisys\UCO\vmimport\logs
• The Unisys Cloud Orchestrator service log file is in the following folder:
C:\Unisys\uorchestrate\platform\log
10–32 3850 6804–007

Troubleshooting
If you receive either of the following errors, do the following to resolve them:
• Error encountered when connecting to the Virtual Center Server
If the Import Utility displays a message that it is unable to locate the connection
information for Virtual Center, do the following:
- Verify that the C:\Unisys\UCO\conf\serviceInstance.mlet file exists and contains
the required information for connecting to vCenter, including the appropriate URL,
user name, and password.
For example:
- Verify that the C:\Unisys\UCO\vmimport\conf\ImportUtil.properties file exists and
references the C:\Unisys\UCO\conf\serviceInstance.mlet file.
• Error encountered when connecting to the Secure Private Cloud Platform API
If the Import Utility displays a message that an error was encountered when
connecting to the platform API, open the following file and verify that the values are
correct:
C:\Unisys\UCO\vmimport\conf\ImportUtil.properties
The expected values are as follows:
Cloud Portal Operations
#===========================================================================#
# The endpoint of the Unisys Secure Private Cloud Platform API
#===========================================================================#
platform_api_endpoint=http://localhost:8447/platform/1.0
#===========================================================================#
# The absolute path of the Unisys uCloudTruststore file. This file
# should contain all relevant Unisys Secure Private Cloud keys.
#===========================================================================#
javax.net.ssl.keyStore=C:/Unisys/Secured/Certificate/uCloudTruststore.jks
#===========================================================================#
# The password used for the keystore referenced by the javax.net.ssl.keyStore
# property.
#===========================================================================#
javax.net.ssl.keyStorePassword=U*spc2341
#===========================================================================#
# The absolute path of the Unisys uCloudTruststore file. This file
# should contain all relevant Unisys Secure Private Cloud keys.
#===========================================================================#
javax.net.ssl.trustStore=C:/Unisys/Secured/Certificate/uCloudTruststore.jks
#===========================================================================#
# The password used for the keystore referenced by the javax.net.ssl.trustStore
3850 6804–007 10–33

Cloud Portal Operations
# property.
#===========================================================================#
javax.net.ssl.trustStorePassword=U*spc2341
If any of the information in this file is inaccurate or has been customized to suit your
environment, you must update the values above to reflect your custom settings.
10.16. Configuring Tenant-Dedicated Workload
Servers Manually
The following topics describe the steps to create an initial tenant-dedicated hardware
environment as part of the on-boarding process for a new cloud tenant. You can repurpose
workload servers from a public cloud or multitenant private cloud infrastructure pool to
serve as VMware ESX or ESXi workload servers that are dedicated to one tenant in the
cloud environment. The cloud management environment is shared across all instances of
the tenant-dedicated servers and the public cloud or multi-tenant private cloud in that
cloud instance.
Note: If you want to remove a workload server from the Secure Private Cloud (even if
you later intend to add it back into the cloud environment), you must first migrate all virtual
machines and templates from that workload server to another workload server still in use.
If you remove a workload server while it is still hosting virtual machines and templates and
then re-add it, the Secure Private Cloud will not recognize the virtual machines and
templates as existing components in the environment. See the VMware documentation
for more information on migrating virtual machines and templates.
10.16.1. Creating Workload Server Clusters with HA and DRS
Do the following to create workload server clusters with high availability (HA) and VMware
Distributed Resource Scheduler (DRS):
1. From a vSphere Client, connect to the vCenter management VM.
2. In the Hosts and Clusters Inventory view, do one of the following:
For a new cluster
a. Right-click the datacenter name and click New Cluster.
b. Enter a name for the cluster.
For an existing cluster, right-click the cluster name and click Edit Settings.
3. For Cluster Features, select VMware HA and VMware DRS to enable them.
4. For a new cluster, click Next, select any desirable options, click Next several times,
and then click Finish.
For an existing cluster, select a feature in the left pane, select any desirable options for
each feature, and then click OK.
5. To add a workload server to the cluster, right-click the new cluster name and click Add
Host.
10–34 3850 6804–007

6. Enter the host name or IP address of the workload server and the root user name and
password for that server, and then click Next.
If a Security Alert dialog box appears asking you to verify the authenticity of the
server, click Yes.
7. For licensing, assign an existing license or assign a new license, and then click Next.
8. When prompted about virtual machine resources, select the option to put all of this
server’s virtual machines in the cluster’s root resource pool, and then click Next.
9. Click Finish.
Repeat this procedure for all the workload clusters and servers.
10.16.2. Completing Additional HA Tasks
Refer to the vSphere Availability Guide for additional information on high availability (HA)
configuration.
Configure your redundant consoles to use the heartbeat network and any other HA
capability that is required.
10.16.3. Configuring a vMotion Interface for each Workload
Server in each Cluster
Configure vMotion so that virtual machines do not have to be powered off when they are
migrated to another workload server. For security reasons, VMware best practices
recommend that the service console and vMotion use their own networks. Do the
following:
1. From a vSphere Client, connect to the vCenter management VM.
2. In the Hosts and Clusters Inventory view, select the workload server.
3. Select the Configuration tab and click Networking.
4. Click Add Networking in the upper right of the window.
5. Select VMkernel, and click Next.
6. Select whether to use an existing virtual switch or create a new switch, and click
Next.
7. Configure the port group properties, as follows, and click Next.
a. Enter a network label.
Use network labels to identify migration-compatible connections that are common
to two or more workload servers.
b. If a VLAN is being used, enter the number (between 1 and 4095) in the VLAN ID
box.
c. Select Use this port group for vMotion.
8. Select the IP settings for the virtual switch, and click Next.
Cloud Portal Operations
3850 6804–007 10–35

Cloud Portal Operations
9. Click Finish.
10.16.4. Adding Tenants
To ensure tenant isolation for dedicated workload servers, do the following:
• Add tenants to the cloud environment, using the instructions in Section 6, Creating
and Managing Tenant Configurations.
• Set up resource pools and datastores for a cloud. using the guidelines in
10.16.5 Configuring Resource Groups and Datastores and the naming conventions in
10.16.6 Best Practices for Datastore and Resource Pool Naming.
10.16.5. Configuring Resource Groups and Datastores
For the Cloud Orchestrator load balancer to run correctly, you need to create resource
pools in vCenter for the workload servers (VMware ESX or ESXi virtualization servers), as
follows:
1. Start a vSphere Client, and connect to the vCenter server.
2. Go to the Inventory Hosts and Clusters view and add new resource pools by
performing one of the following procedures:
• If you are using workload server HA or DRS, right-click the workload server cluster
and click New Resource Pool.
• Otherwise, right-click a workload server, and click New Resource Pool.
3. Enter one of the resource pool names from Table 1–13. Retain the defaults for the rest
of the values, or set them to match the provider’s local policy, and click OK.
Note: See 10.16.6 Best Practices for Datastore and Resource Pool Naming for more
information on resource pool naming.
4. Repeat steps 2 and 3 for each workload server or cluster in vCenter. There must be at
least one resource pool for each workload server or cluster.
5. Verify that the datastore names for the workload server conform to the naming
convention in Table 1–13 by selecting the workload server in the left pane, and then
selecting the Summary tab for each workload server.
Note: See 10.16.6 Best Practices for Datastore and Resource Pool Naming for more
information on resource pool naming.
10.16.6. Best Practices for Datastore and Resource Pool
Naming
Public Cloud
Use generic datastore and resource pool names to ensure that they are isolated from a
private cloud. To ensure uniqueness, a naming convention in the following form is
recommended:
10–36 3850 6804–007

For example, specify the following:
1. Using the vSphere Client, add a resource pool for each cluster specifying a generic
resource pool name, such as the following:
• Public-RP-1
• Public-RP-2
• {
2. Using the vSphere Client, specify a generic identification for each virtual machine
datastore that is used by the cluster, such as the following:
• Public-DS-1
• Public-DS-2
• {
3. Specify the following regular expressions in the virtual machine blueprint constant
values:
Name: ResourcePoolFilter
Type: String
Description: Resource Pool Filter
Name: DatastoreFilter
Type: String
Private Cloud
Description: Datastore Filter
Name / Type / Description Value
Public-RP-.*
Public-DS-.*
Use tenant-unique datastore and resource pool names to ensure that tenant VMs are
isolated. To ensure uniqueness, a naming convention in the following form is
recommended:
For example, if a tenant account is named Widget, specify the following:
1. Using the vSphere Client, add a resource pool for each cluster specifying a generic
resource pool name, such as the following:
• WDG-RP-1 or Widget-RP-1
• WDG-RP-2 or Widget-RP-2
• {
Cloud Portal Operations
3850 6804–007 10–37

Cloud Portal Operations
2. Using the vSphere Client, specify a generic identification for each virtual machine
datastore that is used by the cluster, such as the following:
• WDG-DS-1 or Widget-DS-1
• WDG-DS-2 or Widget-DS-2
• {
3. Specify the following regular expressions in the virtual machine blueprint constant
values:
Name: ResourcePoolFilter
Type: String
Description: Resource Pool Filter
Name: DatastoreFilter
Type: String
Description: Datastore Filter
Name / Type / Description Value
10.16.7. Moving Workload Servers Between Clusters
To move workload servers between clusters, do the following:
1. From a vSphere Client, connect to the vCenter management VM.
2. Repeat the following procedure for each affected template:
Caution
WDG-RP-.* or Widget-RP-.*
WDG-DS-.* or Widget-
DS-.*
If a template resides on a workload server that is being repurposed and you do
not want to move it with the server, you need to convert it temporarily to a
virtual machine so that it is migrated to another workload server in the cluster.
Otherwise, the template cannot be accessed while the server is in
maintenance mode.
a. In the Hosts and Clusters Inventory view, select the workload server that is
being repurposed, and then click the Virtual Machines tab.
b. Right-click a template and click Convert to Virtual Machine.
c. Select the cluster in which the template currently resides, and click Next.
d. Click Next and then Finish.
10–38 3850 6804–007

3. In the Hosts and Clusters Inventory view, right-click the workload server and
click Enter Maintenance Mode.
Click Yes or OK for any warning messages.
If any virtual machines are on the virtualization server, ensure the Move powered
off and suspended virtual machines to other hosts in the cluster option is
selected.
4. When the request completes, use the drag-and-drop mouse action to move the
workload server to the desired cluster.
5. For any templates that you converted to a virtual machine, in the Hosts and
Clusters Inventory view, right-click the virtual machine, point to Template, and
click Convert to Template.
6. Right-click the workload server and click Exit Maintenance Mode to remove the
maintenance mode on the server.
10.17. Updating the Cloud Name in the Secure
Private Cloud Portal
The following procedure is optional if you want to change the cloud name in Secure Private
Cloud portal. Skip this procedure if you do not want to change the cloud name.
To update the cloud name in Secure Private Cloud portal, run the following script from a
Powershell session on the jump box console, depending on whether the default password
is being used for the PortalDB database:
• The default password is being used for the PortalDB database:
.\Update-CloudNameInPortal.ps1
• The default password is not being used for the PortalDB database:
.\Update-CloudNameInPortal.ps1 –updatePw $true
Enter the correct password for the PortalDB database when prompted.
The script performs the following actions:
• Stops the Unisys Secure Private Cloud portal service on the portal management VM, if
it is running
• Edits all ecm_*.bat files on the SQL management VM to update them with the correct
password if the default password is not being used.
• Edits the following file on the SQL management VM to update the Cloud Name value
from Table 1–1:
C:\ProgramData\Unisys\ConfigSQL\ecm_db_update.sql
Cloud Portal Operations
• Runs the following file on the SQL management VM to update the PortalDB
database:
C:\ProgramData\Unisys\ConfigSQL\ecm_db_update_data.bat
• Runs the following file on the SQL management VM to display the values in the
SPC_PlatformInstances table:
3850 6804–007 10–39

Cloud Portal Operations
C:\ProgramData\Unisys\ConfigSQL\ecm_db_select_data.bat
• Starts the Unisys Secure Private Cloud portal service on the portal management VM
CHECKPOINT:
Review the output from the script to verify that the cloud name is updated in the Platform
Name column of the SPC_PlatformInstances table.
10.18. Stealth for Secure Private Cloud Operations
If Stealth for Secure Private Cloud is included in the cloud environment, you can perform
the following procedures as needed.
10.18.1. Adding COI Sets and Modifying COI Set Members
Overview
If your environment includes Stealth for Secure Private Cloud, you might need to modify
the COI configuration for a tenant Stealth-enabled VLAN. You might need to add new COI
Sets for new virtual machines that will run in the existing Stealth-enabled VLAN, change
COI Set access, or correct mistakes in the initial COI configuration.
By performing the procedures in this topic, you are adding COI Sets to the existing VLAN
or modifying the communication between existing COI Sets. The name of the COI Set
assigned to commissioned virtual machines does not change, but the way that the COI
Sets communicate across the VLAN does change.
For example, you might have the following existing configuration:
Stealth ID COI Set Name
Stealth VLAN [1] HRSet FinanceSet,
EngineeringSet
External
Access COI Sets to Access [COI Set Members]
[HR, Finance,
Engineering]
Stealth VLAN [1] FinanceSet [Finance]
Stealth VLAN [1] EngineeringSet [Engineering]
If you add a new department called Marketing, and you want to configuring your existing
HR and Engineering virtual machines to communicate with the marketing department, you
can update this configuration by adding a new COI Set and modifying two of your existing
COI Sets:
10–40 3850 6804–007

Stealth ID COI Set Name
Stealth VLAN [1] HRSet FinanceSet,
EngineeringSet,
MarketingSet
External
Access COI Sets to Access [COI Set Members]
[HR, Finance,
Engineering,
Marketing]
Stealth VLAN [1] FinanceSet [Finance]
Stealth VLAN [1] EngineeringSet MarketingSet [Engineering,
Marketing]
Stealth VLAN [1] MarketingSet [Marketing]
All of the existing virtual machines still have the same COI Set Name, but the ability to
access other virtual machines in the Stealth-enabled VLAN has changed as a result of the
addition of one COI Set and the modification of two other COI Sets.
You use the open source Dia tool to perform the procedure to add or modify COI Sets.
(This tool was installed for you by your Unisys service consultant during initial
implementation.)
After you finish updating the COI Sets using Dia, you should also update the tenant
workbook with these changes so that you have a record of the current Stealth
implementation. In the tenant workbook, you should update both the COI Set list and
update the COI Set value for any blueprints you changed. If you delete one or more COI
Sets, you should also delete the commissioned virtual machines that were created using
the COI Sets that you deleted, and then commission new virtual machines using the new
COI Sets.
Required Files for Adding or Modifying COI Sets
The following files are generated on the jump box management VM during the initial
onboarding process and are needed when you add or modify COI Sets:
• In the directory where the initial XML files for onboarding were generated:
AddModifyCOISets.xml
• In the C:\Unisys\Stealth directory:
shares.txt
.dia
Copy these three files to the following directory on the Cloud Orchestrator management
VM (where all subsequent configuration is performed):
C:\Unisys\UCO\Stealth
Cloud Portal Operations
3850 6804–007 10–41

Cloud Portal Operations
Using Dia to Add and Modify COI Sets
Note: You do not use Dia to update the IP address filters for the Home Site or Internet;
instead, you do so using the AddModifyCOISets.xml file.
Directions to update filters are included in the procedure to finalize COI Set changes in
Finalizing COI Set Changes.
To add or modify the COI Sets, do the following:
1. If you have not already done so, copy the three required files from the jump box
management VM to the C:\Unisys\UCO\Stealth on the Cloud Orchestrator
management VM.
2. On the Cloud Orchestrator management VM Start menu, point to Programs, point to
Dia, and then click Dia.
3. Click Open on the File menu.
The Open Diagram dialog box appears.
4. In the Open Diagram dialog box, navigate to C:\Unisys\UCO\Stealth.
5. Select .dia, and then click Open.
6. On the View menu, click Best Fit.
The full view of the diagram expands on the grid.
On the left side of the grid, you see one symbol for each of the components you can
use to update the COI Sets, as follows:
• A cube to create new COI Sets
• An dotted line and arrow to enable communication between COI Sets
• A cloud shape to enable communication with the tenant Home Site
• A cloud shape to enable communication with the Internet
In the center of the grid, you see the current COI Sets, the dotted lines that represent
their communications, and cloud shapes to indicate communications with the Home
Site and Internet. COI Sets that can administer the Stealth solution (that include the
Stealth Admin COI) are red.
7. Make sure that all components are exposed on the grid by dragging each COI Set and
each line slightly to expose any underlying components.
8. To add a new COI Set, do the following:
a. Select the COI Set cube on the left side of the grid.
b. On the Edit menu, click Duplicate. (Alternatively, press Ctrl+D. The Duplicate
function is a combination of copy and paste.)
A new COI Set appears, and the cursor is automatically positioned for you to
automatically name the COI Set.
10–42 3850 6804–007

Notes:
• If you do not see the cursor in the COI Set cube, select the COI Set, and then
press F2.
• Do not rename existing COI Sets.
c. Delete the label “COI Set” from the COI Set you just created, and enter a new
name. Use the following guidelines to name the new COI Set:
• Use 12 or fewer alphanumeric characters.
• Use a name that is unique in the Stealth-enabled VLAN. (You can use the
same name that you used for a different VLAN or for a different tenant.)
d. Drag the new COI Set to the appropriate place on the grid.
9. To update the communication with a new or existing COI Set, do the following:
a. Select the dotted line and arrow on the left side of the grid, and then on the Edit
menu, click Duplicate.
b. Drag the two ends of the line into place. Note the following:
• Every dotted line must have an arrow on only one end. (It might appear that a
line has an arrow on two ends, but that is simply two or more stacked lines.
You can drag one line aside to view the line or lines beneath it.)
• For two COIs to communicate, the arrow should point from the COI Set
whose COI you want to include in the other COI Set. Using the COI Sets table
in the tenant workbook, you should draw the communication path in Dia from
right-to-left (from the COI Sets to Access pointing to the COI Set Name).
In the example described earlier in this topic, the HRSet had the FinanceSet
and EngineeringSet configured as COI Sets to Access. Therefore, the arrow
points from the FinanceSet to the HRSet, and another line points from the
EngineeringSet to the HRSet. In this example, the arrow on the new line
should point from the MarketingSet to the HRSet. (This means that the
Marketing COI is included in the HRSet.)
• When a line is successfully associated with a COI Set, when you select the
line, the end displays a red square. (When a line is unassociated, the end of
the line displays a green square.)
You might have to drag one line on top of another line to successfully
associate the line with a COI.
• Use the orange square box in the middle of the dotted line to change the
shape and direction of the line.
10. To add new communication with the Home Site or Internet, do the following:
a. Select the Home Site cloud or Internet cloud on the left side of the grid.
b. On the Edit menu, click Duplicate. (Alternatively, press Ctrl+D. The Duplicate
function is a combination of copy and paste.)
A new cloud appears.
Note: Do not rename the Home Site or Internet.
c. Drag the new cloud to an appropriate place on the grid.
Cloud Portal Operations
3850 6804–007 10–43

Cloud Portal Operations
d. Select the dotted line and arrow on the left side of the grid, and then on the Edit
menu, click Duplicate.
e. Drag the end of the new line to a COI Set, and drag the arrow into the Home Site
or Internet.
11. To add the Stealth Admin COI to an existing COI Set (so that the virtual machines
commissioned from the blueprint that includes that COI Set can administer Stealth),
do the following:
a. Select the COI Set.
b. Right-click the COI Set, and click Properties.
c. In the Fill Color list, select the red fill color.
Note: If you did not select the COI Set (if you simply right-clicked the COI Set
without first selecting it), you do not see this option. Close the Properties box and
begin again by selecting the COI Set.
d. Click Apply, and then click OK.
12. To delete a COI Set, select the COI Set, and then press Delete. Delete or redirect all
of the lines associated with the COI Set.
Note: If you delete one or more COI Sets, you should also delete the commissioned
virtual machines that were created using the COI Sets that you deleted.
13. When you are finished making changes to the COI Sets, click Save as on the File
menu.
The Save Diagram dialog box appears.
14. Name the file using a different name than the original file name.
For example, name it Ver2_.dia.
15. Click Save.
Finalizing COI Set Changes
Do the following to finalize the changes you made using Dia:
1. Using Notepad, open AddModifyCOISets.xml.
2. Locate , and verify the user name and the password for the
workload server on which the infrastructure VMs are running. If you changed the user
name or password for the workload server, update these values.
3. Locate , and verify the following values:
• configMachinePassword – the password for the Stealth Configuration Machine
infrastructure VM
• VSGAdminPassword – the password for the Virtual Stealth Gateway infrastructure
VM
If you changed either of these passwords, update these values.
4. Under , locate , and
change the value to the new file name:
10–44 3850 6804–007

Ver2_.dia
5. To modify filters, update the following values in the tag appropriately, using
Cisco Access Control List wildcard mask notation.
Note: You can calculate the Cisco Access Control List wildcard mask notation from
the CIDR notation by using the following formula: CIDR a.b.c.d/x = Cisco Access List
a.b.c.d/*(32-x).
For example, if the CIDR notation is 192.16.96.0/24, then the Cisco Access Control
List wildcard mask notation is 192.16.96.0/*8.
Filters specify the external IP addresses that are allowed to communicate with
Stealth-enabled virtual machines. Traffic to or from an IP address not included in the
filter is discarded by the Virtual Stealth Gateway. For example, if the tenant’s home
site uses the IP address range 172.16.240.0 to 172.16.255.255, the Cisco Access
Control List wildcard mask range in the Home filter list would be 172.16.240.0/*12
(and the CIDR notation would be /20).
Update the following filters, as required:
• CME (Cloud Management Environment)
Note: You should not change the CME filter value unless you changed the IP
address values of the Cloud Management Environment on the Intercom Network.
• Internet
Note: You can enter 0.0.0.0/0 to enable complete access to the Internet.
• Home Site
6. Click Save on the File menu, and then close Notepad.
7. Open a command prompt, and navigate to the C:\Unisys\UCO\stealth directory.
8. Enter the following command to create the appropriate XML files:
Java –jar AutomationClient.jar
GenerateAddMofifyCOISetsXML
C:\Unisys\UCO\Stealth\
AddModifyCOISets.xml>
When the script is finished, the following files appear in the :
• AddModifyCOISets.xml
• ReprovisionAffectedVMs.xml
9. Enter the following command to modify the COI Sets on the Virtual Stealth Gateway
infrastructure VM:
Java –jar AutomationClient.jar
BatchJob
\AddModifyCOISets.xml
shares.txt
Cloud Portal Operations
10. Enter the following command to update any already commissioned virtual machines
that are affected by the COI Set changes:
3850 6804–007 10–45

Cloud Portal Operations
Java –jar AutomationClient.jar
BatchJob
\ReprovisionAffectedVMs.xml
shares.txt
When a virtual machine is commissioned, the COI Set that is assigned to that virtual
machine is kept in a file named .ser on the Cloud
Orchestrator management VM. This file is accessed for current virtual machines,
which have their COIs reprovisioned according to the new COI Set configuration
when you run this ReprovisionAffectedVMs.xml command.
Updating the Workbook and Deleting Unneeded Virtual Machines
After you finish updating the COI Sets, you should also update the tenant workbook with
these changes so that you have a record of the current Stealth implementation. In the
tenant workbook, you should update both the COI Set list and update the COI Set value for
any blueprints you changed.
If you delete one or more COI Sets, you should also delete the commissioned virtual
machines that were created using the COI Sets that you deleted, and then commission
new virtual machines using the new COI Sets.
10.18.2. Viewing Stealth Licenses in the Secure Private Cloud
Portal
When Stealth for Secure Private Cloud is included in your environment, the Stealth
Licenses page displays the licenses. To access this page from the Secure Private Cloud
portal, select the Administration tab, and then click Stealth Licenses.
This page displays the total number of stealth licenses included in your cloud environment,
the number of licenses allocated to each tenant, and the number of licenses that are still
available. The Usage Information pane displays the total licenses used by each tenant
and each Stealth-enabled VLAN in the tenant.
Note: Each tenant can have one or more Stealth-enabled VLANs. Stealth-enabled VLANs
protect the communication between virtual machines in your cloud environment through
the use of the Communities of Interest (COI). This enables multiple groups of virtual
machines to share the same network without fear of another group accessing their data,
which results in a more secure infrastructure
When licenses are required for a particular tenant, the requests are communicated to the
Stealth Licensing management VM.
For information on understanding licensing, see the Secure Private Cloud Overview and
Planning Guide. For more information on this page, see the Secure Private Cloud Interface
Help.
10–46 3850 6804–007

10.18.3. Accessing Logs and Monitoring Tunnels Using the
Administration Application
The Stealth Solution Administration Application is a Web-based interface that enables you
to access log and diagnostic information and to monitor Stealth tunnel usage on a Stealthenabled
VLAN basis.
Do the following to access and log on to the Administration Application pages for a
particular tenant Virtual Stealth Gateway:
1. Log on to a virtual machine that includes the Admin COI.
Note: You can open a console to the Stealth Configuration Machine, which includes
the Admin COI.
2. Open a browser window, and enter the following URL in the address bar:
http://:8080/stealth
For example, enter http://192.168.222.222:8080/stealth.
3. Type the Stealth Web administrator user name and password from Table 1–31.
4. Click Logon.
The Appliance Status page opens.
See the help available with the Administration Application for more information on viewing
logs and diagnostics information, clearing log information, and monitoring tunnel usage.
Notes:
• If you have any problems accessing or using the Administration Application Web
pages, add the Virtual Stealth Gateway IP address to the Internet Explorer trusted
sites. Do the following:
1. Select Internet options from the Internet Explorer Tools menu.
2. Select the Security tab.
3. Click Trusted sites, and then click Sites.
4. Add the Virtual Stealth Gateway IP address to the Trusted sites.
5. Click Close to close the Trusted sites dialog box.
6. Click OK to close the Internet Options dialog box.
Cloud Portal Operations
• For security purposes, Unisys advises that you do not allow the browser to remember
your log-on information, such as user name and password.
• User log-on information is recorded in the Windows event log on the appliance.
10.18.4. Viewing and Configuring Stealth Licensing Options
You can view and configure Stealth licensing options for the components that run the
Stealth license service. These include the Stealth Licensing management VM (for the
cloud environment as a whole) and the Stealth Relay Server infrastructure VMs and
Stealth Proxy Server infrastructure VMs (for each tenant).
3850 6804–007 10–47

Cloud Portal Operations
Note: The Stealth license service also runs on the Virtual Stealth Gateway infrastructure
VM, but for security reasons, you cannot open a console to that VM or change its settings.
These licensing options are configured during initial implementation and tenant
onboarding, and changes are usually not required. However, you can make changes if
required for your environment or for a particular tenant. For example, if you need to view
the number of licenses in use for a particular tenant or restrict the number of Stealth
licenses that can be used, you can do so using the procedures in this topic.
Viewing Stealth Licensing Options in the Dynamic Licensing Web
Interface
This topic describes how you can make changes to the Stealth licensing options using a
command line interface. You can also view (but not change) these settings using the more
user-friendly Dynamic Licensing Web interface. To view these Stealth licensing settings
from the Dynamic Licensing Web interface, do the following:
1. Using the vSphere Client, open a console to the Stealth Proxy Server infrastructure
VM or the Stealth Configuration Machine infrastructure VM.
2. In a browser, enter the following URL in the address bar to connect to the Dynamic
Licensing Web interface running on the Stealth Licensing management VM, Stealth
Relay Server infrastructure VM, or the Stealth Proxy Server infrastructure VM:
http://:/uisdynlic/param
For example, from a console on the Stealth Proxy Server infrastructure VM, enter
https://172.31.1.14/uisdynlic/param (if the port value is 443) or
https://172.31.1.14:444/uisdynlic/param (if you changed the port value to 444).
3. When prompted, enter the Stealth for Secure Private Cloud Dynamic Licensing Web
interface credentials from Table 2–1.
Updating Stealth Licensing Options using the Command Line
Interface
Do the following to verify the Stealth licensing options or make changes to the
configuration (using a command line interface):
1. Using the vSphere Client, open a console to the Stealth Licensing management VM to
view the Stealth license server settings for the cloud environment.
Note: If you want to view the Stealth license server settings for a particular tenant,
open a console to the Stealth Relay Server infrastructure VM or the Stealth Proxy
Server infrastructure VM for that tenant.
2. If you are accessing the Stealth Licensing management VM, log on using the standard
Windows management VM user name and password from Table 2–1.
If you are accessing the Stealth Relay Server infrastructure VM or the Stealth Proxy
Server infrastructure VM, log on using the tenant-specific password.
3. Open a command prompt using the Run as administrator option.
4. Change the directory to C:\Program Files\Unisys\Stealth Solution for LAN.
10–48 3850 6804–007

5. Enter one of the following commands to see the current status:
• To see the number of available licenses for the entire cloud environment and the
number of licenses allocated (labeled InUse) to all of the tenant Virtual Stealth
Gateway infrastructure VMs, access the Stealth Licensing management VM and
enter the following command:
dynamiclicensing.exe /alloc
• To see the status of the licensing service, access the Stealth Relay Server
infrastructure VM or the Stealth Proxy Server infrastructure VM and enter the
following command:
dynamiclicensing.exe /status
You see the total number of allocated and available licenses, which should be
equal. (For example, if a Virtual Stealth Gateway requested 10 licenses to be
allocated, then that is the total available to the tenant at this time.)
6. Enter the following command to see the current settings:
dynamiclicensing.exe /set
Note: Enter dynamiclicensing.exe /? to see a list of all values you can configure
or enter dynamiclicensing.exe /set ? to see an explanation of each setting.
When you enter dynamiclicensing.exe /set, you see the following:
• DebugFile – The file to which the license service prints debugging information.
The initial value is C:\Stealth\LicService.txt. If there are any problems in your
environment, you might be asked to submit this file to the Unisys service
consultant.
• DebugFileSize – The maximum file size of the debugging file. If this limit is
reached, then the earliest information in the file is overwritten. The default file size
is 102400 KB (100 MB).
• JournalFile – The file to which the license allocations and changes are recorded.
The default is blank; therefore, license allocations are not recorded. You can
change this if required.
For example, to set the JournalFile, enter
dynamiclicensing.exe /set JournalFile
C:\Stealth\LicJournal.txt
Cloud Portal Operations
When you set this value, you must restart the Stealth license service.
Note: If you want to use a file name that includes spaces, you must enclose the
file name in quotation marks.
• LicenseChunk – The additional number of licenses that are requested by default
by any Virtual Stealth Gateway. Do not change the LicenseChunk value, as it has
no effect on the Stealth Licensing management VM, the Stealth Proxy Server
infrastructure VM, or the Stealth Relay Server infrastructure VM.
By default, this value is set to 0, which means that the Virtual Stealth Gateway
dynamically requests additional licenses in direct proportion to the number of
licenses that are already in use for that tenant. When the first request is made
from a recently created Virtual Stealth Gateway, a small number of licenses (six)
are requested. As additional virtual machines are commissioned, the Virtual
3850 6804–007 10–49

Cloud Portal Operations
Stealth Gateway dynamically requests additional licenses in direct proportion to
the number of licenses that are already in use for that tenant; that is, it requests
approximately 20% more licenses than the number of licenses currently in use.
This dynamic licensing model helps to ensure that licenses are available as new
virtual machines begin running and require Stealth licenses.
Note: If a Virtual Stealth Gateway requests more licenses than are available, the
Stealth Licensing management VM allocates the amount that is available.
• LicenseLimit – The maximum number of licenses available. If, for any reason, you
want to limit the number of licenses that can be used to less than are provided
through the Stealth fob, you can set this parameter to a smaller value on the
Stealth Licensing management VM.
For example, if you purchased 400 licenses total, and you want to limit the
environment to use only 100 licenses to reduce network traffic for a short time,
then you can log on to the Stealth Licensing management VM console and set the
LicenseLimit to 100 by entering
dynamiclicensing.exe /set LicenseLimit 100
This value has no impact on the Stealth Relay Server and Stealth Proxy Server,
and so you should not change it on those infrastructure VMs.
• LicenseTimeout – The number of seconds that a virtual machine can run without
a license until communication stops. Do not change the LicenseTimeout value,
as it has no effect on the Stealth Licensing management VM, the Stealth Proxy
Server infrastructure VM, or the Stealth Relay Server infrastructure VM.
The default value is 1800 seconds, or 30 minutes. This value enables virtual
machines to continue communicating across the Stealth VLAN, even if there is
an interruption in communication with the Stealth Licensing management VM.
• LogLevel – The default value is set to 7 for normal logging. Information is saved
to the Windows application log (which is accessible from Server Manager for the
VM). You can set this value to 127 if you want to provide both application logging
and debugging-level logging information. To do so, enter
dynamiclicensing.exe /set LogLevel 127
• MinLicenses – The minimum number of licenses to request for a tenant VLAN.
You can set this value on a Stealth Relay Server or Stealth Proxy Server
infrastructure VM, and the minimum number of licenses you request will be preallocated
for the tenant VLAN. This setting can be used to ensure that enough
licenses are available for high-priority applications running on a particular Stealth
VLAN.
For example, if a tenant purchases 100 licenses and wants to be sure that those
license are immediately allocated, you can set the MinLicense value to 100, and
100 licenses are initially allocated. When the number of licenses needed
exceeds the allocated amount, additional licenses are requested according to the
regular formula for dynamic licensing. (Licenses are requested in direct
proportion to the number of licenses that are already in use for that tenant; that
is, the amount requested is approximately 20% more licenses than the number
of licenses currently in use.)
The default value is 0, meaning that licenses are requested in proportion to the
number of licenses already in use.
10–50 3850 6804–007

To change the minimum number of licenses, enter
dynamiclicensing.exe /set MinLicenses
• PollInterval – This determines the frequency of license requests. All the license
systems that connect to each other should use the same value, and so you
should not change this value.
• Port – The port that the management VM or infrastructure VM listens on for
incoming requests. The default port is 31420. You can change this port if
necessary by entering
dynamiclicensing.exe /set Port
The VMs listen for communication as follows:
- The Stealth Licensing management VM listens for communication from the
Stealth Relay Server infrastructure VMs.
- Each Stealth Relay Server infrastructure VM listens for communication from
the associated Stealth Proxy Server infrastructure VM.
- Each Stealth Proxy Server infrastructure VM listens for communication from
the associated Virtual Stealth Gateway infrastructure VM.
Note: If you change the port value, you must update the ServerAddresses value
for any management or infrastructure VM that attempts to access this VM to
update the port value in the address.
• ServerAddresses – The IP addresses of the server to which the VM is transmitting
messages about Stealth licensing (for requesting and releasing licenses). These
values are automatically configured during tenant onboarding based on the values
in the tenant workbook. On the Stealth Proxy Server infrastructure VM, this is the
IP address of the Stealth Relay Server. On the Stealth Relay Server, this is the IP
address of the Stealth Licensing management VM. On the Stealth Licensing
management VM, this value is blank, because the Stealth Licensing management
VM is not transmitting messages to any other components regarding license
requests.
• SSP – The Secure Socket Protocol is used to encrypt and transmit the license
requests between VMs. This value is 1 to indicate SSP is enabled. Do not change
this value.
The protocol uses a handshake when a connection between machines is
established to determine the encryption keys. SSP is required when
communicating with a license source or when Stealth is not available; otherwise,
the VMs automatically communicate using Stealth. SSP requires that you log on to
the VM; therefore, your credentials must be known to the VM.
• WebCertificate – The certificate name (CN) or thumbprint used for SSL for the
connection to the Dynamic Licensing Web interface (as described at the beginning
of this topic). The Unisys service consultant configures this certificate during the
initial implementation.
To see the certificate, enter
netsh http show sslcert
Cloud Portal Operations
3850 6804–007 10–51

Cloud Portal Operations
To change the certificate on the Stealth Licensing management VM, Stealth
Relay Server infrastructure VM, or Stealth Proxy Server infrastructure VM, first
import the new certificate into the certificate store. Then, enter the following
command:
netsh http add sslcert
ipport=:
certhash=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
appid={1ad74a6e-2af9-4c14-8277-c4a1fa7e2134}
Note: The appid must appear exactly as shown.
For example, enter
netsh http add sslcert ipport=192.168.233.34:443
certhash=3bc4388ee6gee90e6acbhcd9acdc175d89469443
appid={1ad74a6e-2af9-4c14-8277-c4a1fa7e2134}
• WebPassword – The password that the Stealth Licensing management VM uses
for the Dynamic Licensing Web interface. The default value is listed in Table 2–1.
To change this value, perform the procedure in Dynamic Licensing Web
Interface.
• WebPort – The port that the Stealth Licensing management VM uses for the
Dynamic Licensing Web interface. The default value is 443, and so you access
these Web pages using the URL format: http://:/uisdynlic/param. For
example, from a console on the Stealth Proxy Server infrastructure VM, you
would enter https://172.31.1.14/uisdynlic/param (if the port value is 443) or
https://172.31.1.14:444/uisdynlic/param (if you changed the port value to 444).
To change the port value, enter
dynamiclicensing.exe /set WebPort
10.18.5. Increasing the License Count for Stealth for Secure
Private Cloud
If Stealth for Secure Private Cloud is included in your environment, you receive a licensing
fob (USB device) which determines the number of Stealth-enabled virtual machines that
can be active at one time for Stealth-secured communications. By default, if your cloud
environment includes Stealth for Secure Private Cloud, you receive a fob with 10 licenses.
If your initial order included additional Stealth licenses, your Unisys service consultant
configured your management server to use the fob with the greater number of licenses
you ordered. If your cloud environment is configured for HA, you receive two identical
fobs.
If you want to increase the number of Stealth licenses that are available in your
environment, contact your Unisys service consultant, who will help you order a new fob
with a greater licensing count. When you receive your new fob, simply remove the old fob
from the management server, and insert the new fob in its place. You must insert the new
fob into the same USB port in the management server in which the old fob was located. (If
your environment includes HA, you must remove and replace the fobs in both
management servers in the same USB ports.)
10–52 3850 6804–007

As long as you take no more than 30 minutes to remove the old fob and insert the new
fob, no additional configuration is necessary. The Stealth Licensing management VM
automatically registers the new fob and the increased license count.
Note: If you take longer than 30 minutes to remove and replace the fob, your Unisys
service consultant must reconfigure the Stealth Licensing management VM to
communicate with the USB drive containing the fob. Therefore, it is highly recommended
that you have the new fob ready to insert before removing the old fob.
10.18.6. Enabling Stealth for Secure Private Cloud After Initial
Implementation
When you placed your order for the Secure Private Cloud, the Stealth for Secure Private
Cloud feature was automatically included (if your cloud environment is located in a nonexport
restricted country). This includes the Stealth Licensing management VM, software
to Stealth-enable VLANs and virtual machines, and the Stealth licensing fob (with 10
available licenses).
If, during initial implementation, you instructed your Unisys service consultant not to
configure Stealth for Secure Private Cloud, then those components were not configured. If
you later decide to use Stealth for Secure Private Cloud—either on a trial basis with the 10
available licenses or using a fob with a greater available license count—you must contact
your Unisys service consultant to upgrade your environment to include this feature.
10.19. Important Operational Restrictions
The following operations are not supported in the cloud environment:
• Do not use an XML editor to edit the cloud provider or tenant XML files created by the
workbook.
You must use Microsoft Excel to make all required changes and then to produce the
updated XML files.
• You cannot rename tenant projects. To give a tenant project a new name, you must do
the following:
- Delete all resources associated with the blueprint by performing the procedures in
11.1 Stopping and Decommissioning Virtual Machinesor 11.2 Stopping and
Decommissioning Physical Machines. (Resources cannot be moved between an
old project and a new project.)
- Delete the project by performing the procedure in 10.9 Deleting Blueprints or
Projects from the Cloud Environment.
- Create a new project using the tenant worksheet.
Cloud Portal Operations
• If Stealth for Secure Private Cloud is included in your environment, note the following:
- You cannot remove Stealth from commissioned Stealth-enabled virtual machines
or existing Stealth-enabled VLANs.
- You cannot add Stealth to already-commissioned virtual machines or to existing
VLANs that include resources.
3850 6804–007 10–53

Cloud Portal Operations
If you want to remove Stealth from any component, delete the current component and
recreate it using the appropriate template. If you want to add Stealth to an alreadycommissioned
virtual machine, delete the virtual machine and recreate it using the
appropriate template.
If you want to add Stealth to an existing VLAN, perform the procedure in 8.1 Enabling
Stealth for an Existing Tenant VLAN to delete the resources running on the VLAN and
then Stealth-enable the VLAN.
• Use only approved characters in tenant, project, and blueprint names. See
2.8.4 Naming Guidelines for Components in the Cloud Environment.
10–54 3850 6804–007

Section 11
Removing Tenants and Components
from the Cloud Environment
This section describes how to remove tenants or tenant components from your Secure
Private Cloud environment, if you are hosting a multi-tenant environment. To completely
remove tenants, their users, their machines, and the tenant infrastructure from the Cloud
environment, perform the procedures in 11.1 Stopping and Decommissioning Virtual
Machines through 11.8 Removing Tenant Resources and Departments from uChargeback.
If you want to remove a specific tenant component, perform the procedure in this section
that is associated with that particular component. If you simply want to suspend tenant
operations, you can perform only the procedures to disable users and stop virtual
machines and physical servers.
11.1. Stopping and Decommissioning Virtual
Machines
Do the following to stop the tenant virtual machines and decommission them (delete them
from the Secure Private Cloud).
Note: If you want to suspend a tenant account, you can simply stop the virtual machines
without decommissioning them. After the virtual machines have been stopped, they
cannot be restarted by any of the users (assuming that the tenant users have been
disabled).
1. From a workstation on the Public Network, sign in to the Secure Private Cloud portal
using the URL in Table 2–2 and your cloud administrator credentials.
2. Click Commission and Manage, and then click Manage Resources.
3. Select a running virtual machine in the Resources Overview table and click Stop.
The status of the virtual machine transitions to Stopping and then to Stopped, but this
transition could take some time.
Select the next running virtual machine, and click Stop. (You do not need to wait until
one machine is stopped before requesting that the next machine be stopped.)
4. Select the resource in the Resources Overview table, and click Decommission to
delete the virtual machine.
A dialog box appears asking you to confirm that you want to decommission (delete)
the specified resource.
3850 6804–007 11–1

Removing Tenants and Components from the Cloud Environment
5. Click OK to confirm.
On the Manage Requests page, a new entry appears. When the status of the remove
entry changes to Success, the resource has been decommissioned. The resource
also is removed from Manage Resources.
6. Click Administration.
7. On the Operator Prompts page, reject any outstanding requests from the tenant.
8. After all of the virtual machines in all projects have been stopped and
decommissioned, from a vSphere Client, connect to the vCenter management VM,
using its current host name or IP address.
9. Verify that all of the tenant virtual machines have been deleted.
10. If any virtual machines still exist, verify that they are not still present in the Cloud
Orchestrator portal, and then delete them manually in vCenter.
Note: After you stop and decommission virtual machines, they are moved into the
Archived Servers Department in uChargeback. This enables you to create historical
reports, as needed. However, if you want to fully delete the virtual machines from
uChargeback, see 11.8 Removing Tenant Resources and Departments from uChargeback.
11.2. Stopping and Decommissioning Physical
Machines
To stop tenant physical servers, perform the following procedure: 10.4.2 Starting or
Stopping Physical Servers.
To decommission tenant physical servers (delete them from the Secure Private Cloud),
perform the following procedure: 10.4.3 Decommissioning Physical Servers (Releasing
Physical Server Resources).
Notes:
• If you want to suspend a tenant account, you can simply stop the physical servers
without decommissioning them. After the physical servers have been stopped, they
cannot be restarted by any of the users (assuming that the tenant users have been
disabled).
• After you stop and decommission virtual machines, they are moved into the Archived
Servers Department in uChargeback. This enables you to create historical reports, as
needed. However, if you want to fully delete the virtual machines from uChargeback,
see 11.8 Removing Tenant Resources and Departments from uChargeback.
11–2 3850 6804–007

11.3. Removing the Tenant Virtual Components in
vCenter
Removing Network Appliances and Load Balancers in vCenter
Do the following to remove the tenant network appliances and load balancers:
1. From a vSphere Client, connect to the vCenter Server using its current host name or IP
address.
2. Shut down and remove any VLAN network appliances. To do so
a. In the Hosts and Clusters Inventory view, right-click a VLAN network
appliance virtual machine, select Power, and then click Shut Down Guest.
b. After the VLAN network appliance virtual machine is shut down, right-click it, and
select Delete from Disk.
c. Click Yes in the confirmation dialog box.
3. Shut down and remove any Load Balancer virtual machines. To do so
a. In the Hosts and Clusters Inventory view, right-click a load balancer virtual
machine, select Power, and then click Shut Down Guest.
b. After the load balancer virtual machine is shut down, right-click it, and select
Delete from Disk.
c. Click Yes in the confirmation dialog box.
Removing Stealth Infrastructure VMs from vCenter
If Stealth for Secure Private Cloud is included in your environment and enabled for the
tenant, remove the tenant Stealth infrastructure VMs from each of the tenant Stealthenabled
VLANs. There are five Stealth infrastructure VMs for each Stealth-enabled VLAN,
and they are named using the following format:
• SConfig
• SProxy
• SRelay
• STM
• VSG
Removing Tenants and Components from the Cloud Environment
Removing Networking in vCenter
Note: If Stealth for Secure Private Cloud is included in your environment and enabled for
the tenant, each Stealth-enabled VLAN consists of a pair of VLANs: a clear-text VLAN and
an encrypted VLAN. Be sure to remove both of these VLANs.
Do the following to remove the tenant networking:
3850 6804–007 11–3

Removing Tenants and Components from the Cloud Environment
1. From a vSphere Client, connect to the vCenter management VM using its current host
name or IP address.
2. Remove the distributed virtual network switch or virtual machine port groups. To do so
For a distributed virtual network switch port group, do the following:
a. In the Networking Inventory view, right-click the port group name, and then
click Delete.
b. Click Yes in the confirmation dialog box.
For a virtual machine port group, do the following:
a. In the Hosts and Clusters Inventory view, select a workload server.
b. Select the Configuration tab, and then click Networking.
c. Select Properties for a virtual switch.
d. Select a port group, and then click Remove.
e. Click Yes in the delete confirmation dialog box.
f. Repeat these steps for each workload server.
Removing Datastores, Resource Pools, and Templates in vCenter
Do the following to remove datastores, resource pools, and templates:
1. From a vSphere Client, connect to the vCenter management VM using its current host
name or IP address.
2. Ensure that datastores do not contain any of the tenant folders or virtual machines. To
do so
a. In the Datastores view, right-click the datastore name, and select Browse
Datastore.
b. Delete any folders or virtual machines belonging to the tenant.
3. If you have certain datastores that were used only by the tenant you are deleting, then
you should make the datastore unavailable to the tenant. For example, you can delete
the datastore or rename it.
To rename a datastore, do the following:
a. In the Datastores view, right-click the datastore name, and click Rename.
b. Type a new name for the datastore.
To delete a datastore, do the following:
a. In the Datastores view, right-click the datastore name, and click Delete.
b. Click Yes in the confirmation dialog box.
11–4 3850 6804–007

Removing Tenants and Components from the Cloud Environment
4. If you have certain resource pools that were used only by the tenant you are deleting,
then delete those resource pools as follows:
a. In the Hosts and Clusters Inventory view, right-click a resource pool name,
and then click Remove.
b. Click Yes in the confirmation dialog box.
5. If you have certain templates that were used only by the tenant you are deleting, then
delete those templates as follows:
a. In the VMs and Templates view, right click a template name, and then click
Delete from Disk.
b. Click Yes in the confirmation dialog box.
11.4. Removing Management-Side Tenant
Infrastructure in vCenter
Removing a Zone in uChargeback for a Tenant with no DNS
During initial VLAN configuration, if a tenant did not have a DNS, or if the tenant DNS could
not support non-secure dynamic DNS updates, the uChargeback management VM was
configured to act as the tenant DNS server. Do the following to remove a zone in the
uChargeback management VM, if it is acting as the tenant DNS:
1. From a vSphere Client, open a console to the uChargeback management VM.
2. Launch DNS Manager by clicking Start, pointing to Administrative Tools, and
then clicking DNS.
3. If you created a unique forward lookup zone for this tenant, then in the Forward
Lookup Zones node, right-click the tenant’s zone and click Delete.
4. Click Yes in the confirmation dialog box.
Removing Static Routes to Tenant VLANs
Perform this procedure on the jump box management VM, the Cloud Orchestrator
management VM, the uChargeback management VM, and (if Stealth for Secure Private
Cloud is included in your environment and enabled for the tenant) the Stealth Licensing
management VM. Do the following to remove static routes to tenant VLANs:
1. From a vSphere Client, open a console to the management VM.
2. Open a command prompt, using the Run as Administrator option, and enter the
following command to delete a static route for the VLAN:
route -p delete
3. Repeat the previous steps for the next management VM.
3850 6804–007 11–5

Removing Tenants and Components from the Cloud Environment
Removing Tenant Information from a Virtual Management Network
Appliance
If your Management Network Appliance is virtual, do the following to remove the tenantspecific
information.
Note: If your Management Network Appliance is physical, skip this procedure, and
perform the following procedure.
1. From a vSphere Client, open a console to the Management Network Appliance virtual
machine.
2. Log on.
3. Enter the following command:
configure
4. To remove static routes to the tenant VLAN network appliance, do the following:
a. Enter the command the following command, and note all routes to the tenant
VLANs:
show protocols static
b. For each route to the tenant VLAN, enter the following command:
delete protocols static route
5. To remove tenant firewall rules, do the following:
a. Enter the following command, and note all the network entries which contain
VLAN information for the tenant:
show firewall group network-group TARGET_VM
b. For each network entry that includes tenant VLAN information, enter the
following command:
delete firewall group network-group TARGET_VM network
6. Enter the following commands to commit and save the changes:
commit
save
exit
Removing Tenant Information from a Physical Management Network
Appliance
If your Management Network Appliance is physical, do the following to remove the tenantspecific
information.
11–6 3850 6804–007

Notes:
• If your Management Network Appliance is virtual, do not perform this procedure;
instead, perform the previous procedure.
• The following procedure uses commands appropriate for Cisco switches. If you have
another brand of switch, you must adapt these commands for that switch.
1. To remove tenant VLAN IDs, enter the following command:
no vlan
2. To remove tenant access lists, enter the following command:
no access-list
3. To remove tenant access groups on the Management Access Network VLAN, enter
the following commands:
interface
no ip access-group in
no ip access-group out
4. To remove tenant VLAN IDs for each switchport interface to a workload server, enter
the following commands:
interface
switchport trunk allowed vlan remove
5. To remove tenant routes, enter the following command:
no ip route
6. To remove any existing NAT rules, use no ip nat commands.
Note: A physical switch must support NAT to perform these commands. Refer to the
documentation for your switch for more information on NAT and the specific
commands that apply.
Remove the following rules:
a. Remove the management access network VLAN interface as the network subject
to inside NAT translation.
b. Remove NAT rules that translate the and destination addresses to the address.
7. Enter the following command to verify the configuration:
show running-config
8. Save the configuration by entering the following command:
copy running-config startup-config
You see the following: Destination Filename [startup-config]?
9. Press Enter.
Removing Tenants and Components from the Cloud Environment
You see the response [OK].
3850 6804–007 11–7

Removing Tenants and Components from the Cloud Environment
11.5. Deleting Tenant Account Entities
The following topics describe the steps required to delete a configured tenant account
from the Secure Private Cloud portal. Using a browser connected to the Secure Private
Cloud portal, sign in using the Liferay Administrator credentials.
To delete a tenant account, perform the procedures in this topic.
Note: When you delete a tenant, project, or blueprint using the Secure Private Cloud
portal, you must also delete that component from RBADB. See the following procedures
for more information.
11.5.1. Deleting Tenant Users and User Roles
Deleting Tenant Users and User Roles from the Secure Private Cloud
Portal
To delete tenant users, do the following:
1. From a workstation on the Public Network, sign in to the Secure Private Cloud portal
using the URL in Table 2–2 and your Liferay administrator credentials.
2. From the Manage list (at the left of the top pane), click Control Panel.
3. In the left pane, under Portal, click Users.
The Users page appears with a list of active users.
4. If you have not already deactivated the users you want to delete, do the following. If
the users are already deactivated, skip to the next step.
Do the following to deactivate users:
a. Select the check boxes next to the users who you want to deactivate.
b. Click Deactivate (at the top of the list of users) to deactivate the users.
5. From the Active list, select No, and then click Search.
Note: You might have to click Advanced under the Search button to view the
Active list.
A list of the deactivated users appears.
6. Locate the users you want to delete, and select the check boxes next to the user
names.
7. Click Delete (at the top of the list of users) to delete the selected users.
To delete a tenant user role, do the following.
1. From a workstation on the Public Network, sign in to the Secure Private Cloud portal
using the URL in Table 2–2 and your Liferay administrator credentials.
2. From the Manage list (at the left of the top pane), click Control Panel.
3. In the left pane, under Portal, click Roles.
11–8 3850 6804–007

Removing Tenants and Components from the Cloud Environment
The Roles page appears with a list of roles.
4. Locate the tenant user role you want to delete, click the Actions button for that user
role, and then click View Users.
5. Verify that no users are associated with the role you are deleting.
If any users are associated with the role, you should create a new role and reassign
the users before continuing.
6. Locate the tenant user role you want to delete, click the Actions button for that user
role, and then click Delete.
11.5.2. Removing a Tenant User Group from the Secure Private
Cloud Portal
To remove a tenant user group, do the following:
1. From the Manage list (at the left of the top pane), click Control Panel.
2. In the left pane, under Portal, click User Groups.
The User Groups page appears with a list of user groups.
3. Select the check box for a tenant user group you want to delete, and then click
Delete.
11.5.3. Deleting Blueprints from the Secure Private Cloud
Portal
Note: To delete a blueprint, you must first decommission the resources that have been
commissioned using the blueprint. You receive the following error message when you try
to delete a blueprint that has resources tied to it:
There has been a problem processing your request.
To delete a blueprint from the Secure Private Cloud portal, do the following:
1. From a workstation on the Public Network, sign in to the Secure Private Cloud portal
using the URL in Table 2–2 and your cloud administrator or cloud operator credentials.
2. Click Administration, and then click Manage Blueprints.
3. Under Manage Blueprints, select the tenant folder.
The Blueprint pane is updated to list all blueprints associated with the tenant.
4. Under Blueprints, select the blueprint that you want to delete, and then click
Delete Blueprint.
A confirmation message appears.
5. Confirm that you want to delete the blueprint.
The blueprint is deleted from the tenant and from all tenant projects with which it is
associated.
3850 6804–007 11–9

Removing Tenants and Components from the Cloud Environment
6. Delete the blueprint from RBADB. See Removing a Blueprint from a Contract and
Deleting a Blueprint.
11.5.4. Deleting a Tenant Organization
To delete a tenant organization, do the following.
Note: Before you delete a tenant organization, you must delete any associated users,
user roles, and user groups.
1. From the Manage list (at the left of the top pane), click Control Panel.
2. In the left pane, under Portal, click Organizations.
The Organizations page appears with a list of tenants.
3. Select the check box for the tenant organization that you want to delete, and then click
Delete.
11.6. Removing a Tenant Contract and Tenant from
RBADB
A tenant cannot be deleted if it is associated with a contract. To delete a tenant contract
and then delete a tenant from RBADB, do the following:
1. From the jump box management VM, access RBADB using the URL in Table 2–2.
2. Log in with the RBADB Administrator credentials in Table 2–1.
3. Click Contracts in the left pane.
4. Select the contract for the tenant.
You see the Contracted Resources page, which includes a table of associated
blueprints.
5. Verify that there are no commissioned resources associated with the contract (that the
values in the Deployed column are all 0). See Verifying that Commissioned
Resources Are Not Associated with Tenants, Projects, or Blueprints.
6. Click Edit in the upper right of the screen.
7. Click Delete.
8. Click OK to confirm that you want to delete the contract.
9. Click Accounts in the left pane.
10. Select the tenant you want to delete.
11. Click Delete.
12. Click OK to confirm that you want to delete the tenant.
The tenant is deleted, and any projects associated with the tenant are also
automatically deleted.
13. Delete the blueprints associated with the tenant you deleted, as described in
11–10 3850 6804–007

Removing a Blueprint from a Contract and Deleting a Blueprint.
11.7. Removing Tenants from uOrchestrate
To remove a tenant from uOrchestrate, do the following:
1. Open a console to the Cloud Orchestrator management VM.
2. Launch a Web browser, and access the uOrchestrate Operations Console using the
URL in Table 2–2.
3. Log in to the Operations Console using the credentials in Table 2–1.
4. If you receive a message that the Operations Console has stopped polling, click OK.
5. In the Service Organization pane on the left, click the Registration service.
6. Expand Effectors in the right pane to view the effectors.
7. Under All Effectors, click removeTenantStructure.
This effector removes a tenant and all associated projects. Type the name of the
tenant that you want to delete in the tenant box.
8. Click Execute.
Removing Tenants and Components from the Cloud Environment
9. Check the result in the result pane.
You should see the message “Success” when the process is complete.
10. If there were any errors encountered attempting to delete the tenant or project,
resolve them, and then rerun the effector.
For example, if you see an error message that states that a folder cannot be deleted
because a resource is associated with it, delete the resource, and then rerun the
effector.
11.8. Removing Tenant Resources and Departments
from uChargeback
Note: The following procedure explains how to fully delete tenant resources and
departments from uChargeback. However, if you want to archive projects (rather than
deleting them) to ensure that you can continue to create historical reports, perform the
procedure in 10.9.4 Archiving Projects in uChargeback.
To remove tenant resources and departments from uChargeback, do the following:
1. From a vSphere Client, open a console to the uChargeback management VM, and log
in using the domain uChargeback administrator account from Table 1–10.
2. Access the uChargeback Administrator from the Start menu by pointing to All
Programs, pointing to Unisys, pointing to uChargeback,, and then clicking
Administrator.
3. In the Object Browser tree in the left pane, expand the Departments tree, and
then select Archived Servers.
3850 6804–007 11–11

Removing Tenants and Components from the Cloud Environment
All of the tenant servers that have been decommissioned using the Cloud
Orchestrator portal should be located in this department.
4. In the right pane, highlight the entire row for the server to be deleted by selecting the
arrow in the far-left column.
5. Right-click on the row, and select Delete Server.
6. Click Yes to confirm that you want to delete the server.
7. Repeat the previous three steps for each server you want to delete.
8. Ensure there are no other servers that belong to the tenant, by doing the following:
a. In the Object Browser tree in the left pane, expand the Managed Servers
tree and view the list of servers.
b. If there are any servers assigned to departments that belong to the tenant, rightclick
on the server name and select Delete Server.
9. Delete the tenant departments from uChargeback by doing the following:
a. Expand the Departments tree and locate the tenant departments.
b. Right-click a department name, and select Delete Department.
c. In the delete confirmation dialog box, select Yes.
10. Close the uChargeback Administrator.
11.9. Removing a Stealth-Enabled VLAN from the
Tenant Infrastructure
The procedures in this topic describe how to remove a single Stealth-enabled VLAN from a
tenant infrastructure, while maintaining the tenant infrastructure as a whole. If you are
removing a tenant in its entirety, perform the procedures in 11.1 Stopping and
Decommissioning Virtual Machines through 11.8 Removing Tenant Resources and
Departments from uChargeback.
Note: You cannot remove Stealth from commissioned Stealth-enabled virtual machines
or existing Stealth-enabled VLANs, and you cannot add Stealth to already-commissioned
virtual machines or existing VLANs that include resources. Note the following:
• If you want to remove Stealth from any component, delete the current component and
recreate it using the appropriate template.
• If you want to add Stealth to an already-commissioned virtual machine, delete the
virtual machine and recreate it using the appropriate template.
• If you want to add Stealth to an existing VLAN, perform the procedure in 8.1 Enabling
Stealth for an Existing Tenant VLAN to delete the resources running on the VLAN and
then Stealth-enable the VLAN.
Updating the Tenant Worksheet
Update the tenant worksheet to remove the Stealth-enabled VLAN. Also remove the
VLAN from any virtual machine blueprints. Then, export the tenant worksheet to the jump
11–12 3850 6804–007

Removing Tenants and Components from the Cloud Environment
box management VM, as described in 1.1.6 Exporting the Data.
Stopping and Decommissioning Virtual Machines
Decommission all virtual machines that were deployed on the Stealth-enabled VLAN, as
described in 11.1 Stopping and Decommissioning Virtual Machines.
Removing the Stealth Infrastructure VMs from vCenter
1. From a vSphere Client connected to the vCenter Server, locate the Stealth
Infrastructure VMs for the Stealth-enabled VLAN you are removing. The Stealth
Infrastructure VMs are named using the following format:
• SConfig
• SProxy
• SRelay
• STM
• SVSG
2. Shut down each infrastructure VM, and then delete each infrastructure VM.
Removing Stealth-Enabled VLAN Networking in vCenter
1. Configure the tenant VLAN network appliance’s network setting so that the network
adapter connected to the associated clear text VLAN is set to the
Interconnect network label.
2. Verify that the Connected and Connect at power on check boxes for the
network adapter are cleared.
3. Remove the virtual machine port groups or the distributed virtual network switch port
group associated with the Stealth-enabled VLAN.
Each Stealth-enabled VLAN consists of a pair of VLANs: a clear text VLAN and an
encrypted VLAN. Be sure to remove the virtual machine port groups or distributed
virtual network switches associated with both of these VLANs from each workload
server.
Removing Management-Side Tenant VLAN Infrastructure
Perform this procedure on the jump box management VM, the Cloud Orchestrator
management VM, the uChargeback management VM, and the Stealth Licensing
management VM. Do the following to remove static routes to tenant VLANs:
1. From a vSphere Client, open a console to the management VM.
2. Open a command prompt, using the Run as Administrator option, and enter the
following command to delete the static route for the tenant VLAN that you are
deleting:
route –p delete
3. Repeat the previous steps for the next management VM.
3850 6804–007 11–13

Removing Tenants and Components from the Cloud Environment
Removing VLAN Information from a Virtual Management Network
Appliance
If your Management Network Appliance is virtual, do the following to remove the tenantspecific
VLAN information.
Note: If your Management Network Appliance is physical, skip this procedure, and
perform the following procedure.
1. From a vSphere Client, open a console to the Management Network Appliance virtual
machine.
2. Log on.
3. Enter the following command:
configure
4. To remove static routes to the tenant VLAN network appliance, do the following:
a. Enter the command the following command, and note all routes to the tenant
VLANs:
show protocols static
b. For each route to the tenant VLAN, enter the following command:
delete protocols static route
5. To remove tenant firewall rules, do the following:
a. Enter the following command, and note all the network entries which contain
VLAN information for the tenant:
show firewall group network-group TARGET_VM
b. For each network entry that includes tenant VLAN information, enter the
following command:
delete firewall group network-group TARGET_VM network
6. Enter the following commands to commit and save the changes:
commit
save
exit
Removing VLAN Information from a Physical Management Network
Appliance
If your Management Network Appliance is physical, do the following to remove the tenantspecific
VLAN information.
11–14 3850 6804–007

Notes:
• If your Management Network Appliance is virtual, do not perform this procedure;
instead, perform the previous procedure.
• The following procedure uses commands appropriate for Cisco switches. If you have
another brand of switch, you must adapt these commands for that switch.
1. To remove tenant VLAN IDs, enter the following command:
no vlan
2. To remove tenant access lists, enter the following command:
no access-list
3. To remove tenant access groups on the Management Access Network VLAN, enter
the following commands:
interface
no ip access-group in
no ip access-group out
4. To remove tenant VLAN IDs for each switchport interface to a workload server, enter
the following commands:
interface
switchport trunk allowed vlan remove
5. To remove tenant routes, enter the following command:
no ip route
6. To remove any existing NAT rules, use no ip nat commands.
Note: A physical switch must support NAT to perform these commands. Refer to the
documentation for your switch for more information on NAT and the specific
commands that apply.
Remove the following rules:
a. Remove the management access network VLAN interface as the network subject
to inside NAT translation.
b. Remove NAT rules that translate the and destination addresses to the
address.
7. Enter the following command to verify the configuration:
show running-config
8. Save the configuration by entering the following command:
copy running-config startup-config
You see the following: Destination Filename [startup-config]?
9. Press Enter.
Removing Tenants and Components from the Cloud Environment
You see the response [OK].
3850 6804–007 11–15

Removing Tenants and Components from the Cloud Environment
Removing the Tenant VLAN Definition in RBADB
1. From the jump box management VM, access RBADB using the URL in Table 2–2.
2. Log in using the RBADB administrator credentials.
3. Select Accounts in the left pane.
4. Locate the tenant whose VLAN you are removing, and click the VLANs link for that
tenant.
5. Locate the Stealth-enabled VLAN that you are removing, and click the Edit VLAN link
for that VLAN.
6. On the VLAN page, click Delete to delete the VLAN definition from the tenant.
Updating Blueprints Associated with the VLAN
Using the Secure Private Cloud portal, delete or edit each blueprint that references the
VLAN you are removing (so that the VLAN cannot be used for virtual machines
commissioned from the blueprint).
11–16 3850 6804–007

Section 12
Troubleshooting
Use the procedures in this section to troubleshoot your Secure Private Cloud environment.
12.1. Troubleshooting Errors When Using a Secure
Private Cloud Workbook
Error messages that are similar to the following can appear when you are working with a
Secure Private Cloud workbook:
Could not load an object because it is not available on
this machine.
Object Library invalid or contains references to object
definitions that could not be found.
Compile error in hidden module.
Microsoft Office Excel has encountered a problem and needs
to close.
Error messages can appear at the following times:
• After opening a workbook
• After enabling macros while a workbook is open
• When hovering the cursor over a button in the workbook
These errors can occur when the locally cached versions of controls for Microsoft Office
Excel become unusable after you receive new software security updates or other updates
from Microsoft Corporation. For more information, refer to the Microsoft article titled ″EXD
files are created when you insert controls″ at the following URL:
http://support.microsoft.com/kb/290537
An example of a security update that can cause this problem is MS12-027: Security
Update for Office 2010: April 10, 2012, as described at the following URL:
http://support.microsoft.com/kb/2598039
3850 6804–007 12–1

Troubleshooting
Resolution:
1. Close the workbook without saving changes.
Caution
It is important not to save changes, or the controls in the workbook might be
deleted automatically.
2. Close any copies of Excel or other Microsoft Office programs that are currently
running.
3. Search for and delete all *.exd files on your hard disk, as follows:
Note: The following steps are for Windows 7 environments. If you have a different
Windows environment, modify the steps as needed.
a. Open File Explorer, and click Folder and Search Options on the Organize
menu.
The Folder Options dialog box opens.
b. Select the Search tab, and then select the Include system directories check
box under the When searching non-indexed locations heading.
c. Select the View tab and do the following in the Advanced settings list:
• Select the Show Hidden Files, Folders, and Drives option under the
Hidden Files and Folders heading.
• Clear the Hide Extensions for Known File Types check box.
d. Click OK.
e. In the left pane, expand Computer and double-click the name of your hard drive.
The hard drive name and identifier (such as C:) appears in the address field at the
top of the window.
f. Click the search box at the upper right of the window, enter the following, and
press Enter:
*.exd
The search begins, and a progress bar monitors the search process. A list
appears containing files that meet the search criteria.
g. Delete all the *.exd files in the search list.
Note: For the specific paths to *.exd files, refer to the knowledge base article at the
following URL:
http://support.unisys.com/common/ShowWebPage.aspx?id=5896&pla=SPC&nav=SPC
12–2 3850 6804–007

12.2. Troubleshooting Signing In to the Secure
Private Cloud Portal
The first time you sign into the Secure Private Cloud portal, you might see an error
message about a security certificate in your browser window. The specific message and
your response depend on your specific browser, as follows:
• Internet Explorer version 8 displays an error message in red on the right of the address
line that states there is no certificate. Click Certificate Error to view and install the
certificate.
• Mozilla Firefox versions 3.6 and higher display a message about the lack of a security
certificate and provide a link to add an exception. Click the link and identify the
certificate.
If you continue to see an error message on the address line, ignore it as long as you can
sign into the portal. After you satisfy the certificate error issue, the Sign In dialog box
appears.
12.3. Handling Suspended, Failed, and Aborted Jobs
Understanding Failed Requests
If a user requests an action for a virtual machine or a physical server, and if that task fails,
you receive a message (by e-mail, by Remedy ITSM ticket, or by both) that there has been
a failed job. The user sees the status of the failed job in the Secure Private Cloud portal. To
see details, you can sign in to the Secure Private Cloud portal using the credentials of the
user who made the original request.
There is no requirement to delete failed or aborted jobs; however, you should review the
status of the job using the Secure Private Cloud portal to try to determine why the failure
occurred. After the problem has been resolved, you might need to direct the user to
perform the same action again.
Handling Suspended Build Requests for Virtual Machines
If a user submits a request for a new virtual machine, and if there is not enough space
available in the datastore, the build request is suspended, and you receive a message (by
e-mail, by Remedy ITSM ticket, or by both) notifying you of the problem. Do the following:
1. Define a new datastore or increase the size of the existing datastore using VMware
vCenter.
Detailed instructions on how to complete these procedures are explained in the
VMware documentation.
2. From a workstation on the Public Network, sign in to the Secure Private Cloud portal
using the URL in Table 2–2 and your cloud administrator or cloud operator credentials.
3. Locate the pending authorization, and accept the request.
Troubleshooting
3850 6804–007 12–3

Troubleshooting
If you performed the operation to define a new datastore or increase the existing
datastore, the request should be processed. If you did not define a new datastore, or if
the datastore you defined was not sufficient, you are notified by e-mail, by Remedy
ITSM ticket, or by both.
If you cannot define a new datastore or adjust the existing datastore, you can decline
the user request, and the new virtual machine is not created.
12.4. Troubleshooting Machine Names
During the initial planning of your Secure Private Cloud environment, you were prompted
to determine how virtual machine and physical server host names should be configured.
The two configuration options are as follows:
• Use the host name provided by the user in the machine request.
• Use an automatically generated host name (up to 11 characters, customized for your
environment, followed by a four-digit, leading-zero-filled number).
Enabling users to provide their own virtual machine and physical server host names
improves usability and provides flexibility for users to determine host names as they
desire. However, this method also increases the likelihood that users might experience
errors when requesting new machines, because the host names must meet all of the
following requirements:
• Must contain between one and 15 characters.
• Must include only letters, numbers, and hyphens (-); however, cannot begin or end
with a hyphen.
• Must not consist entirely of numbers.
• Must not already exist in the workload environment.
• Must not already exist in DNS at the time that the system is commissioned.
The Unisys service consultant configures this global setting. You can override this setting
on a blueprint-specific basis using the Machine Name attribute when you configure
blueprints. Refer to Table 6–5 for more information.
12.5. Troubleshooting Physical Server Resources
When a user requests that you commission a physical server for his or her use, he or she
has no way to know if physical server resources of the type requested are available. You
can verify whether physical servers are available using uAdapt.
If all of your physical servers are currently in use, you can do the following:
• Decommission one of the current physical servers in use and reallocate the server
resources to a new user. See 10.4.3 Decommissioning Physical Servers (Releasing
Physical Server Resources) for more information.
• Request that your Unisys service consultant expand your Secure Private Cloud
configuration to add additional server resources.
12–4 3850 6804–007

12.6. Configuring the Virtual Management Network
Appliance with a VMware License Restriction
If you are not able to configure the virtual Management Network Appliance—as described
in 5.4.1 Configuring the Virtual Management Network Appliance for a New VLAN or
8.5.5 Configuring the Management Network Appliance to Use a New Intercom Network IP
Address—due to VMware license restriction, this topic provides an alternative
configuration method.
This procedures in this topic use an active network connection between the jump box
management VM and the Management Network Appliance; therefore, you might be
required to temporarily change the jump box management VM network configuration.
12.6.1. Configuring the Virtual Management Network
Appliance for a New VLAN (with a VMware License
Restriction)
This procedure performs the same function as 5.4.1 Configuring the Virtual Management
Network Appliance for a New VLAN. If you are unable to complete the procedure in
5.4.1 Configuring the Virtual Management Network Appliance for a New VLAN due to a
VMware license restriction, perform the following steps:
1. Access the console for the jump box management VM.
2. Launch the PowerShell (x86) window by clicking Start, pointing to All Programs,
pointing to Accessories, pointing to Windows PowerShell, and clicking
Windows PowerShell (x86).
3. Enter the following command to determine if the current IP address on the jump box
management VM is compatible with the current IP address of the Management
Network Appliance on the Intercom Network:
ping
4. If you do not receive a response from the ping, temporary assign the jump box
management VM an IP address for the Intercom Network connection that is
compatible with the current IP address of the Management Network Appliance.
5. Enter the following command:
.\Config-TenantOnMNA.ps1 –usePutty $true
–tenantXML “”
Where is the XML file name for the tenant
workbook. Be sure to include the .xml extension in the name.
If necessary, include the following parameters in the command:
• If the root user on the Management Server is using an updated password,
include
-hostUserPw
Troubleshooting
• If the vyatta user on the Management Network Appliance is using an updated
password, include
3850 6804–007 12–5

Troubleshooting
-vmUserPw
For example, enter the following for a tenant named Example with updated
credentials for the vyatta user on the Management Network Appliance:
.\Config-TenantOnMNA.ps1 –usePutty $true –tenantXML “Tenant-Example.xml”
–vmUserPw myNewPw
6. If you changed the jump box management VM IP address, reset it to the previous IP
address in Table 1–5.
7. Return to 5.4.1 Configuring the Virtual Management Network Appliance for a New
VLAN, and perform the CHECKPOINT.
12.6.2. Configuring the Virtual Management Network
Appliance to Use a New Intercom Network IP Address
(with a VMware License Restriction)
This procedure performs the same function as 8.5.5 Configuring the Management
Network Appliance to Use a New Intercom Network IP Address. If you are unable to
complete the procedure in 8.5.5 Configuring the Management Network Appliance to Use
a New Intercom Network IP Address due to a VMware license restriction, perform the
following steps:
1. Access the console for the jump box management VM.
2. Launch the PowerShell (x86) window by clicking Start, pointing to All Programs,
pointing to Accessories, pointing to Windows PowerShell, and clicking
Windows PowerShell (x86).
3. Enter the following command to determine if the current IP address on the jump box
management VM is compatible with the default IP address of the Management
Network Appliance on the Intercom Network:
ping 172.31.1.200
4. If you do not receive a response from the ping, temporary assign the jump box
management VM an IP address for the Intercom Network connection that is
compatible with the default IP address of the Management Network Appliance.
Note: The default IP address of the Management Network Appliance is
172.31.1.200.
5. Enter the following command:
.\Config-MNAicom.ps1 –usePutty $true
If the vyatta user on the Management Network Appliance is using an updated
password, include the following parameter:
-vmUserPw
For example, enter
.\Config-MNAicom.ps1 –usePutty $true –vmUserPw myNewPw
6. Open a console to the Management Network Appliance and sign in using the vyatta
user credentials from Table 2–1.
12–6 3850 6804–007

7. Enter the following command:
Config-MNAicom.sh
8. If you changed the jump box management VM IP address, reset it to the previous IP
address in Table 1–5.
9. Return to 8.5.5 Configuring the Management Network Appliance to Use a New
Intercom Network IP Address, and perform the CHECKPOINT.
12.7. Troubleshooting Onboarding Tenants and
Users
Perform the procedures in this topic if you have any problems onboarding tenants and
users.
12.7.1. Troubleshooting Sign In Problems Due to an Unknown
E-mail Suffix
When a new user signs in to the Secure Private Cloud portal for the first time, the
credentials are validated using Active Directory, and then the user is assigned to the
default user role for the organization (based on the e-mail address suffix used to sign in).
For example, if the e-mail suffix for the cloud provider is cloudprovider.com as configured
in Table 1–8, a new user who signs in as john.doe@cloudprovider.com is automatically
assigned to the default cloud provider user role.
New tenant users who sign in to the portal for the first time are assigned to the default role
for their tenant organization in the same way, based on the tenant e-mail suffix in
Table 1–24.
If a user signs in and his or her e-mail suffix is not recognized, do the following to assign
that user to the appropriate organization:
1. Sign in to the Secure Cloud Portal using the URL from Table 2–2 and the Liferay
administrator credentials from Table 2–1.
2. Click OK when you receive one or more errors that there has been an error processing
your request or that you do not have permission to view requests.
3. At the top of the window, directly below the browser address bar, select Manage,
and then click Control Panel.
4. In the left pane, under Portal, click Users.
The Users page appears.
5. Using the First Name, Last Name, or Email Address boxes, search for the user
who does not have an organization assigned to him.
Note: You might have to click Advanced to see all available search fields.
6. When you locate the user, click the user name.
The Details page appears containing the details of the user.
Troubleshooting
3850 6804–007 12–7

Troubleshooting
7. In the right pane, click Organizations.
8. Click Select to assign the user to an organization.
The Organizations window appears.
9. Select one of the listed organizations.
Note: You can search for an organization, if required.
10. At the bottom of the right pane, click Save.
12.7.2. Verifying and Updating the E-mail Suffixes for an
Organization
Use this procedure to verify, and if necessary update, the e-mail suffixes for an
organization. (Users are automatically assigned to the appropriate organization based on
their e-mail address suffix.) Do the following:
1. Sign in to the Secure Cloud Portal using the URL from Table 2–2 and the Liferay
administrator credentials from Table 2–1.
2. Click OK when you receive one or more errors that there has been an error processing
your request or that you do not have permission to view requests.
3. At the top of the window, directly below the browser address bar, select Manage,
and then click Control Panel.
4. In the left pane, under Portal, click Organizations.
The Organizations page appears.
5. Click Cloud to update the e-mail suffixes for your cloud organization, or click a tenant
name to update the e-mail suffixes for that tenant.
6. On the organization page, in the right pane, click Custom Fields.
The Custom Fields page appears.
7. In the Organization Alias box, verify the existing e-mail suffixes.
8. If required, type one or more additional e-mail suffixes.
Separate the new suffixes with a comma or add each new suffix on a new line.
9. At the bottom of the right pane, click Save.
12.7.3. Verifying and Updating the Default Role for an
Organization
Use this procedure to verify, and if necessary update, the default role for an organization.
(Users are automatically assigned to a default role in an organization based on their e-mail
address suffix.) Do the following:
1. Sign in to the Secure Cloud Portal using the URL from Table 2–2 and the Liferay
administrator credentials from Table 2–1.
2. Click OK when you receive one or more errors that there has been an error processing
your request or that you do not have permission to view requests.
12–8 3850 6804–007

3. At the top of the window, directly below the browser address bar, select Manage,
and then click Control Panel.
4. In the left pane, under Portal, click Organizations.
The Organizations page appears.
5. Click Cloud to update the e-mail suffixes for your cloud organization, or click a tenant
name to update the default role for that tenant.
6. On the organization page, in the right pane, click Custom Fields.
The Custom Fields page appears.
7. In the Default Role Name box, verify the current default role.
8. If required, enter a new default role name, as follows:
• _Administrators
• _Operators
• _Users
Caution
Users who sign in to the Secure Private Cloud portal using an e-mail address
suffix associated with an organization are automatically assigned to the default
role for that organization. Be very careful before reassigning the default role to
Administrator or Operator, as this can give new users the ability to change
portal settings and resources.
9. At the bottom of the right pane, click Save.
12.7.4. Updating the Default Project for a Tenant
Note: This procedure applies only to tenant organizations. Cloud administrators and
cloud operators are not assigned to projects, because they are able to administer all
tenants and projects.
Use this procedure to verify, and if necessary update, the default project for a tenant.
(Users are automatically assigned to a default project in an organization based on their
e-mail address suffix.) Do the following:
1. Sign in to the Secure Cloud Portal using the URL from Table 2–2 and the Liferay
administrator credentials from Table 2–1.
2. Click OK when you receive one or more errors that there has been an error processing
your request or that you do not have permission to view requests.
3. At the top of the window, directly below the browser address bar, select Manage,
and then click Control Panel.
4. In the left pane, under Portal, click Organizations.
Troubleshooting
3850 6804–007 12–9

Troubleshooting
The Organizations page appears.
5. Click a tenant name to update the default project for that tenant.
6. On the organization page, in the right pane, click Custom Fields.
The Custom Fields page appears.
7. In the Default Project Name box, verify the current default project.
8. If required, enter a new default project name. The default project must exist in
Table 1–40.
9. At the bottom of the right pane, click Save.
12.7.5. Troubleshooting Tenant Permissions in the Secure
Private Cloud Portal
Tenant user roles are automatically assigned permissions in the Secure Private Cloud
portal, and tenant personnel can access applications and data based on the permissions
defined for the user role to which they are assigned. If you need to verify that these roles
are correct or change them, do the following.
Caution
Be very careful when viewing and changing permissions. If you change
permissions for your cloud personnel and remove editing privileges from all
users, you could make your cloud environment completely unusable. If you
change permissions for tenant personnel, you could compromise security if
tenant users are allowed to see other tenants’ components.
Do NOT make any permissions changes unless you are certain how these
changes will impact your cloud environment and your tenants.
1. Sign in to the Secure Cloud Portal using the URL from Table 2–2 and the Liferay
administrator credentials from Table 2–1.
2. Click OK when you receive one or more errors that there has been an error processing
your request or that you do not have permission to view requests.
3. At the top of the window, directly below the browser address bar, select Manage,
and then click Control Panel.
4. In the left pane of the Control Panel, under Portal, click Roles.
5. Click Actions next to each role name, and then click Define Permissions to verify
that the permissions for the selected role are defined correctly.
The permissions for each role are defined in Table 12–1.
6. If you want to remove a permission, click Delete in the permission role.
7. If you want to add additional permissions, click a permission type in the Resource
Set column, and then select one or more check boxes to add permissions.
12–10 3850 6804–007

For example, if you want your Tenant Administrators to be able to add Help content,
click Help under Resource Set, and then select the Add to Page check box.
Alternatively, from the roles page on the Define Permissions tab, you can select a
permission type under the Applications group from the Add Permissions list,
and then select one or more check boxes to add permissions.
8. Click Save to save your changes.
Table 12–1. Tenant Role Permissions
Resource Set Action Machine Owner
Tenant
Administrators
Tenant
Operators Tenant Users
Help Add to Page Not applicable No No No
Request
Details
Request
Overview
Request
Status
Resource
Details
Configuration Not applicable No No No
View Not applicable Yes Yes Yes
Add to Page Not applicable No No No
Configuration Not applicable No No No
Preferences Not applicable No No No
View Not applicable Yes Yes Yes
Add to Page No No No No
Configuration No No No No
Preferences Yes Yes Yes Yes
View No Yes Yes Yes
View Requests Yes Yes Yes No
Add to Page Not applicable No No No
Configuration Not applicable No No No
View Not applicable Yes Yes Yes
Add to Page Not applicable No No No
Configuration Not applicable No No No
Preferences Not applicable No No No
View Not applicable Yes Yes Yes
Troubleshooting
3850 6804–007 12–11

Troubleshooting
Table 12–1. Tenant Role Permissions (cont.)
Resource Set Action Machine Owner
Resource
Overview
Commission
Resources
Role
Membership
Tenant
Administrators
Tenant
Operators Tenant Users
Add to Page No No No No
Change Lease Yes Yes Yes No
Change Owner No Yes No No
Configuration No No No No
Create Snapshot Yes Yes Yes No
Decommission
Resource
Yes Yes Yes No
Delete Snapshot Yes Yes Yes No
Detach Resource No No No No
Preferences Yes Yes Yes Yes
Revert Snapshot Yes Yes Yes No
Start Resource Yes Yes Yes No
Stop Resource Yes Yes Yes No
Suspend Resource Yes Yes Yes No
View No Yes Yes Yes
View Resources Yes Yes Yes No
Add to Page No No No No
Commission Not applicable Yes No Yes
Configuration No No No No
Delete Blueprint Not applicable No No No
Edit Blueprint Not applicable No No No
View Not applicable Yes Yes Yes
View Tenants and
Projects
View Role
membership
Yes Yes Yes Yes
Not applicable Yes No No
Assign Project Not applicable Yes No No
Assign Role Not applicable Yes No No
Assign Project Not applicable Yes No No
Assign Role Not applicable Yes No No
View Not applicable Yes No No
12–12 3850 6804–007

12.8. Resolving Secure Private Cloud Portal
Messages
This section describes messages you might receive when using the Secure Private Cloud
portal and how to resolve them.
Error Message:
Out of Memory at line: x
Resolution:
Restart the browser.
Error Message:
Rejected Commission Request. Approval Denied
(Blueprint is not a Contracted Resource)
This error message occurs when a cloud administrator attempts to commission a blueprint
for one tenant using the project for another tenant.
Resolution:
When commissioning resources for testing purposes, cloud administrators should ensure
that they use a blueprint and a project associated with the same tenant.
Note: This error only occurs for cloud administrators, who can view multiple tenant
blueprints and projects, and should never appear to tenant end users.
Error Message:
Approval Denied. (Project contracted limits exceeded.)
The message occurs when the contract limit for the project is exceeded.
Resolution:
Increase the tenant contract limit or the project contract limit by updating the workbook
and then running the Populator effector. See 6.1 Updating Cloud Provider or Adding Tenant
Information in the Secure Private Cloud Environment for additional information.
Error Message:
User does not have permission to view
Requests/Resources/Operator Prompts
Troubleshooting
This message occurs when the user’s role does not have permission to view requests,
view resources, or view operator prompts.
3850 6804–007 12–13

Troubleshooting
Resolution:
Assign the user a role with greater privileges.
See Section 7, Onboarding Tenants, Creating Users, and Assigning Roles , and
12.7.5 Troubleshooting Tenant Permissions in the Secure Private Cloud Portal for
additional information.
Error Message:
Unique User ID Custom Field Value is missing.
This message occurs when the Uniqueuserid field is empty for the user in the Control
Panel. This could happen if the users uniqueuserid were accidentally removed from the
Secure Private Cloud portal Control Panel.
Resolution:
Enter the value for the Uniqueuserid field by doing the following:
1. From a workstation on the Public Network, sign in to the Secure Private Cloud portal
using the URL in Table 2–2 and your Liferay administrator credentials.
2. From the Manage list (at the left of the top pane), click Control Panel.
3. Click Users under Portal in the left pane.
The Users page appears.
4. Click Actions next to a user name corresponding to the user for which you want to
verify the Uniqueuserid value, and then click Edit.
The Details page appears.
5. Make a note of the value in the Screen Name box.
6. Click Custom Fields under Miscellaneous in the left pane.
7. Type the following in the Uniqueuserid box, based on the user’s organization:
• For cloud administrators and operators, type SPC_
• For tenant administrators, operators, and users, type
_.
For example, if John J Smith is an SPC administrator and his Screen Name is smithjj1,
type SPC_smithjj1.
8. Click Save.
See Section 7, Onboarding Tenants, Creating Users, and Assigning Roles , for additional
information.
Error Message:
Department Custom Field Value is missing.
The message occurs when the Department field is empty for the user in the Control Panel.
12–14 3850 6804–007

Resolution:
Enter the value for the user in the Department field.
See Section 7, Onboarding Tenants, Creating Users, and Assigning Roles , for additional
information.
Error Message:
REASON FOR FAILURE: Commission postAction failed;
consult the message log for details
The message occurs when the commissioning of a resource (virtual machine) fails.
Go to the operator prompt for the request. The following message appears in the
Request Details pane:
new Axis Fault: (403)Forbidden
On the Cloud Orchestrator management VM, the Unisys Secure Private Cloud UCO
service failed to add the new resource to uChargeback because of a problem with the
uChargeback credentials. In Table 1–10, the credentials are referred to as the uChargeback
Service credentials and Cloud Orchestration Runbook credentials.
The following problems might exist:
• The passwords might have expired.
• The Cloud Orchestrator management VM might have been configured with incorrect
user names or passwords for these accounts. This could happen, for example, if you
changed the credentials for the cloud and later upgraded the cloud to a new software
level without first updating the CloudProvider.xml on the jump box management VM.
To troubleshoot the problem, perform the following steps on the Cloud Orchestrator
management VM:
1. Open the following file in Notepad:
C:\Program Files (x86)\Apache Software Foundation
\Tomcat 6.0\webapps\platform\WEB-INF\classes
\platformapi-config.properties
2. Make a note of the values listed for the following items (the credentials for the
uChargeback service):
• provider.metric.domain
• provider.metric.user
• provider.metric.pass
3. Open the following file in Notepad:
C:\Unisys\UCO\conf\uChargebackSecurityConfig.xml
Troubleshooting
3850 6804–007 12–15

Troubleshooting
4. Make a note of the values listed for the following items (the credentials for the Cloud
Orchestration Runbook account):
• ems:Request username
• ems:HttpAuthentication password
5. Log out of Windows.
6. Try to log in using the uChargeback service credentials, making a note of any problems
that occur.
• If the log in fails, then you know that the user name or password is incorrect.
• If the log in succeeds but Windows prompts you to enter a new password, then
you know that the password has expired.
7. Try to log in using the Cloud Orchestration Runbook credentials, making a note of any
problems that occur.
• If the log in fails, then you know that the user name or password is incorrect.
• If the log in succeeds but Windows prompts you to enter a new password, then
you know that the password has expired.
Resolution:
You can resolve an incorrect user name or password, as follows:
1. Open the Secure Private Cloud workbook, using Excel.
2. Inspect the values for the uChargeback Service credentials and Cloud Orchestration
Runbook credentials in Table 1–10, and change these values if desired.
3. Click Export on the Table of Contents to export the Cloud Provider worksheet as
CloudProvider.xml.
4. In the domain controller for your cloud, modify the existing accounts to match the user
name and password that you entered in the workbook.
5. Upload the new version of the CloudProvider.xml file to the following location on the
jump box management VM:
C:\ProgramData\Unisys\SPC-Automation\xml
6. Open the PowerShell prompt and run the following script:
Config-UCO-SystemProp.ps1
7. Restart the following services on the Cloud Orchestrator management VM.
Caution
Before restarting these services, ensure that no commissioning requests are in
progress by responding to all outstanding approval requests and waiting for all
in-progress commissioning requests to be completed.
12–16 3850 6804–007

• Unisys Secure Private Cloud UCO
• Apache Tomcat 6
You can resolve expired passwords in either of the following ways:
• Use the domain controller to mark the password as not expired, as follows:
1. When Windows prompts you to enter a new password on the Cloud Orchestrator
management VM, click Cancel to abandon your login attempt.
2. On the domain controller, run the Active Directory Users and Computers
tool.
3. Open the properties for the expired account and enable the following options:
- Password never expires
- Unlock account
• Update the cloud to use a revised password, as follows:
1. Update the account password when prompted by Windows.
2. Perform the previous procedure for resolving an incorrect user name or password.
12.9. Restoring a Closed Pane in the Secure Private
Cloud Portal
If you close one of the open panes in the Secure Private Cloud portal, do the following to
restore it:
1. From a workstation on the Public Network, sign in to the Secure Private Cloud portal
using the URL in Table 2–2 and your Liferay administrator credentials.
2. From the Add list (at the left of the top pane), click More.
3. Click Unisys SPC Portal, and then select the pane (portlet) you want to restore.
4. Drag and drop the pane onto the page, or click Add next to the pane name.
12.10. Log Files Maintenance
Troubleshooting
Log files are automatically written to the \logs directory. The is typically
\liferay-portal-x.x.x\tomcat-x.x.x\ where x.x.x represents the software version.
Each file includes a timestamp, so you can clearly see when each was created. As part of
general maintenance, you should delete older log files on a monthly basis.
3850 6804–007 12–17

Troubleshooting
12.11. Reporting Problems to Unisys
If you need to report a problem to Unisys, you do so using a User Communication Form
(UCF). Enter the product name SECPRIVATECLOUD, and then list the specific
component with which you are experiencing an issue; for example, uAdapt or the Unisys
Secure Private Cloud portal.
You are prompted to provide specific details and gather diagnostics information, if
applicable.
12.12. Troubleshooting Datastore Filter and
ResourcePoolFilter Constants
The Datastore Filter and ResourcePoolFilter constants in the blueprint are case-sensitive
and must match exactly the values in vCenter.
If an error occurs in finding a datastore, an e-mail notification is sent to the operator with
the subject title “Insufficient Disk Space Approval Notification.”
12.13. Disconnecting Users from the Secure Private
Cloud Portal and Enabling Maintenance
Mode
If you need to disconnect all users from the Secure Private Cloud portal—for example,
before changing credentials, before updating software, or if you are diagnosing a problem
with the environment—perform the procedure in 9.2 Prerequisites to Changing
Credentials.
To allow users to reconnect when you have finished the required maintenance, perform
the procedure in 9.4 Restoring Users’ Connection to the Portal After Credentials Have
Been Changed.
12.14. Troubleshooting Configuring Stealth-
Enabled VLANs
In 6.2 Configuring Stealth-Enabled VLANs, you configure Stealth-enabled VLANs. The
process of onboarding a new Stealth-enabled VLAN takes about one and a half hours to
complete. If you experience problems due to a configuration error or a problem with the
vCenter server, perform the procedures in this topic.
12–18 3850 6804–007

During onboarding, a transcript is produced that indicates the progress of the “job
groups,” including which job group is running and its status. If a failure occurs, the process
of Stealth onboarding can be restarted from the last successful step. Almost any failed job
group can be restarted, with the following two exceptions:
• If the Stealth on-boarding fails during the “Provision VSG” job group, the Virtual
Stealth Gateway and Stealth Configuration Machine infrastructure VMs have probably
been left in unknown states. Therefore, if the “Provision VSG” job group fails, you
must restore the VM snapshot, and restart the previous job group (“Create Config
Machine”) so that the previous snapshots of the infrastructure VMs are used. See the
procedure later in this topic for more information.
• Failure to activate a Microsoft license on the Stealth Configuration Machine, Stealth
Proxy Server, or Stealth Relay Server infrastructure VMs is not considered fatal and
does not halt the onboarding process. Therefore, you do not have to restart these jobs
if they fail. See the procedure later in this topic for information on activating these
licenses in case of failure.
Job Group Order
(Note that failure to activate a Microsoft license on the Virtual Stealth Gateway
infrastructure VM is considered fatal and does stop the onboarding process, because
there is no way to activate the license manually or through automation after the Virtual
Stealth Gateway has been configured. In this case, you must restart the onboarding
process from the previous successful step.)
The Stealth job groups occur in the following order:
• Create Transfer Machine
• Create VSG
• Activate VSG License
• Deploy VSG
• Create Config Machine
• Provision VSG
• Activate Config Machine License
• Create Proxy Server
• Provision Proxy Server
• Activate Proxy Server License
• Create Relay Server
• Provision Relay Server
• Activate Relay Server License
• Delete All Snapshots
Troubleshooting
3850 6804–007 12–19

Troubleshooting
Understanding Error Conditions
If you see “Automation step failed,” this indicates that a step in one of the tasks of a job
group failed. When there is a job group failure, the Stealth onboarding process will stop.
(The only exception, as stated previously, is Windows license activation failures for the
Stealth Configuration Machine, Stealth Proxy Server, or Stealth Relay Server infrastructure
VMs, which will not cause the onboarding to stop.)
The details of the error message appear immediately above the “Automation step failed”
error. You might see various virtual machine configuration errors or Secure Private Cloud
configuration errors. vCenter errors are enclosed in brackets {}.
Read the error condition details, and resolve the error condition based on the information
provided. If you need assistance, see 12.16 Troubleshooting Articles on the Unisys
Product Support Web Site, and access the Troubleshooting article on Stealth onboarding.
After the error condition is resolved, perform the following procedure to restart the failed
job group.
Note: If the Windows license activation fails for the Stealth Configuration Machine,
Stealth Proxy Server, or Stealth Relay Server infrastructure VMs, perform the procedure to
activate a failed license rather than the procedure to restart a failed job group.
Restarting a Failed Job Group
To restart a failed job group, do the following:
1. If the failed job is any other job other than Provision VSG, skip to the next step.
If the failed job is Provision VSG, do the following:
a. Using the vSphere Client, connect to the vCenter server that is managing the
workoad servers.
b. Locate the Virtual Stealth Gateway infrastructure VM whose provisioning job
failed. The Virtual Stealth Gateway infrastructure VM name is in Table 1–31 of the
tenant worksheet.
c. Right-click the infrastructure VM, point to Snapshot, and then click Revert to
Current Snapshot.
d. After the snapshot is restored, restart the infrastructure VM.
e. Perform the remaining steps in this procedure, rerunning the Create Config
Machine job (rather than the Provision VSG job).
2. If a console to the jump box management VM is not already available, open a console
to the jump box management VM.
3. Enter the following command in the Powershell command window:
Java –jar AutomationClient.jar
C:\Unisys\Stealth\_\
StealthOnBoardingJobs-restartable.xml “”
12–20 3850 6804–007

The StealthOnBoardingJobs-restartable.xml is located in the
C:\Unisys\Stealth\_ folder, where is the
name of the tenant being onboarded from Table 1–24 and the is the
identifier for the Stealth-enabled tenant VLAN specified in Table 1–26.
Activating Failed Licenses
After the onboarding process is complete, review the transcript and note any license
activation failures. Failure to activate a Microsoft license on the Stealth Configuration
Machine, Stealth Proxy Server, or Stealth Relay Server infrastructure VMs is not
considered fatal and does not halt the onboarding process. However, you must do the
following to activate these licenses:
1. If a console to the jump box management VM is not already available, open a console
to the jump box management VM.
2. Enter the following command in the Powershell command window:
Java –jar AutomationClient.jar
C:\Unisys\Stealth\_\
StealthOnBoardingJobs-restartable.xml “” 1
The StealthOnBoardingJobs-restartable.xml is located in the
C:\Unisys\Stealth\_ folder, where is the
name of the tenant being onboarded from Table 1–24 and the is the
identifier for the Stealth-enabled tenant VLAN specified in Table 1–26.
The Job Group Name should be one of the following:
• Activate Config Machine License
• Activate Proxy Server License
• Activate Relay Server License
1 indicates that only the given job is executed.
12.15. Identifying the Secure Private Cloud
Software Version
The Secure Private Cloud software version is listed on the Secure Private Cloud portal,
under the Help menu. For example, version 2.0 of the software is listed as “Unisys Secure
Private Cloud v.2.0.”
You can also identify the Secure Private Cloud software version used to commission a
virtual machine by navigating to one of the following text files on any of the Unisys
supplied virtual machines:
• For Windows virtual machines
C:\ProgramData\Unisys\SPC Version.txt
• For Linux virtual machines
/etc/Unisys/SPC-Version.txt
Troubleshooting
3850 6804–007 12–21

Troubleshooting
12.16. Troubleshooting Articles on the Unisys
Product Support Web Site
The Unisys Product Support Web site includes troubleshooting articles for the Secure
Private Cloud. To locate these articles
1. Log on to the Unisys Product Support Web site at www.support.unisys.com.
2. Click Secure Private Cloud in the Infrastructure Management platform list.
The Secure Private Cloud Support Site opens.
3. Click TroubleShooting on the left pane under the Support Options heading.
A list of troubleshooting articles appears.
Select the article you want to review. You can also use the Search capability at the top of
the page.
12–22 3850 6804–007

Appendix A
Incorporating an External Server into
the Cloud Management Environment
If your environment includes a external server (such as an Active Directory server, vCenter
server, patch management system, Nagios collector or other value-add component) that is
not reachable on the cloud management network, perform the steps in this appendix to
connect that server to your cloud management environment.
A.1. Requirements for Incorporating an External
Server
Keep the following requirements in mind when incorporating an external server in the
Cloud Management Environment:
• The external server must connect to the management server using the Intercom
Network or the Cloud Management Network. (It is recommended that the external
server connects using the Intercom Network.)
If necessary, add an additional network adapter to the server.
• For the management VMs to be able to communicate with the external server over
the Intercom Network, the Intercom Network on the management server must be
configured to use a physical network adapter. Determine which network adapter on
the management server the Intercom Network uses. If the network adapter on the
management server is shared using VLAN tagging, also determine the VLAN ID to
use.
• To verify communication with other management VMs, make sure the external server
responds to a ping command over the Intercom Network.
A.2. Configuring the Management Server Intercom
Network Connection to Communicate with
External Servers
In a Non-HA Configuration
Use the procedure in either A.2.1 Using a Dedicated Network Adapter or A.2.2 Using a
Shared Network Adapter to configure the Intercom Network on the management server
so that management VMs can communicate with an external server that is not a virtual
machine running on the management server.
3850 6804–007 A–1

Incorporating an External Server into the Cloud Management Environment
Skip this procedure if the external server has already been incorporated into the Cloud
Management Environment.
In an HA Configuration
Note: Do not perform the procedures in this section if the management server is set up
for HA.
If the management server is already set up in an HA configuration, the Unisys service
representative completes all necessary network changes required on the Intercom
Network after configuring High Availability on the management server. No additional
configuration is required on the management server to set up the Intercom Network to
use a physical adapter.
A.2.1. Using a Dedicated Network Adapter
Perform the following procedure if a dedicated network adapter on the management
server enables the management VMs and the external server to communicate using the
Intercom Network.
1. Connect a network cable from the network adapter to be used for the Intercom
Network to the external switch.
2. From the vSphere Client connected to the management server, select the
management server node in the left pane.
3. Select the Configuration tab, and click Networking under Hardware.
4. Click Properties for the Intercom Network virtual machine port group (vSwitch4).
The vSwitch4 Properties window opens.
5. Select the Network Adapters tab, and click Add.
6. Select the check box for the entry that corresponds to the network adapter from step
1.
7. Click Next several times, and then click Finish.
A.2.2. Using a Shared Network Adapter
Perform the following procedure if the network adapter for the Intercom Network on the
management server is shared using VLAN tagging. For example, use this procedure if the
same network adapter is used for the Intercom Network and the Management Access
Network (if a tenant VLAN is enabled) using VLAN IDs.
1. Make sure the physical switch used by the physical adapter on the management
server is configured to support the VLAN ID for the Intercom Network.
2. Launch the vSphere Client, connect to the management server, and log in, using the
root user from Table 2–1.
3. Select the Configuration tab, and click Networking under Hardware.
4. Locate the Intercom Network virtual machine port group (vSwitch4).
A–2 3850 6804–007

Incorporating an External Server into the Cloud Management Environment
5. Identify all the virtual machines that are using the Intercom Network port group, and
disconnect them, as follows:
Note: You must disconnect all virtual machines that are powered on from the
Intercom Network before you can delete the Intercom Network port group in the next
step.
a. Open the VM Properties dialog box for a virtual machine.
b. Clear the Connected option under Device Status for the network adapter
configured for the Intercom Network.
Caution
Do not power off the virtual machine; do not clear the Connect at power on
option.
c. Repeat for the next virtual machine.
6. Click Remove for the Intercom Network virtual machine port group (vSwitch4), and
then click Yes to confirm removing the port group.
7. Locate the virtual switch associated with the network adapter being shared, and
select Properties for the virtual switch.
The vSwitch Properties window opens.
8. Select the Ports tab, and click Add.
9. Select Virtual Machine, and click Next.
10. Type Intercom Network in the Network Label box.
11. Type the VLAN ID for the Intercom Network in the VLAN ID box, using the value from
Table 2–1.
12. Click Next and then Finish.
13. Reconnect the Intercom Network connection for each virtual machine that was
disconnected from the Intercom Network.
A.3. Updating the Hosts File on All Management
VMs and External Servers Running Windows
Perform the following procedure for each management VM running Windows and marked
InUse in Table 1–5 and for other external servers running Windows that are incorporated
into the Cloud Management Environment.
Note: For the vCenter management VM, perform this procedure only if it is supplied by
Unisys. Do not perform this procedure on a customer-supplied vCenter management VM.
3850 6804–007 A–3

Incorporating an External Server into the Cloud Management Environment
1. Launch Notepad using the Run as administrator option.
2. In Notepad, open the file c:\windows\system32\drivers\etc\hosts.
3. Insert an entry for the external server’s IP address on the Intercom Network. Use the
same naming convention for assigning an “internal hostname” for the server.
4. Save the file and close Notepad.
5. Repeat the procedure on the next management VM or external server running
Windows (except a customer-supplied vCenter management VM, as noted).
A.4. Updating the Hosts File on uAdapt
Management VM and External Servers Running
Linux
Note: Skip this procedure if you are not incorporating an external server.
Perform the following procedure for the uAdapt management VM and on other external
servers running Linux that are incorporated in the Cloud Management Environment.
1. Log in to the server using a user that has root user privileges.
2. Edit the file /etc/hosts using a text editor.
3. Insert an entry for the external server’s IP address on the Intercom Network. Use the
same naming convention for assigning an “internal hostname” for the server.
4. Save the file and close the editor.
5. Repeat the procedure on other external servers running Linux.
A.5. Configuring External Servers
Note: Skip this procedure if you are not incorporating an external server.
Perform the procedure in this section on each external server:
1. Connect the external server to the Intercom Network.
a. Connect a network cable from the network adapter to be used for the Intercom
Network to the external switch.
b. Locate the network connection for the Intercom Network.
c. Assign a static IP address for the network connection. The IP address must be
within the allowable IP range on the Intercom Network. See Table 1–4.
2. Configure the hosts file.
If the external server is running
• Windows. Copy the contents of the hosts file from the jump box management VM
to the external server’s hosts file.
• Linux. Copy the contents of the hosts file from the uAdapt management VM or the
A–4 3850 6804–007

Incorporating an External Server into the Cloud Management Environment
Management Network Appliance to the external server’s hosts file. If neither are
InUse, use the contents of the hosts file on the jump box management VM as
input.
3. Configure the static routes.
If the Secure Private Cloud environment is configured to use VLANs for tenant
isolation and the external server requires communication with commissioned tenant
resources on the tenant VLANs, add static route statements on the external server to
properly route traffic to the tenant VLANs using the Management Network Appliance
as the gateway.
Skip this step if the external server does not require communication with tenant
resources.
Procedure for Windows External Servers
a. Start the Windows Command Prompt using the Run as administrator option.
b. Enter the follow command to add static routes:
route -p add mask
where
is the management-side tenant VLAN subnet from Table 1–26.
is the VLAN netmask from Table 1–26.
is the management network appliance IP address on the
Intercom Network from Table 1–5.
c. Repeat this command for each tenant VLAN as required.
Example
route -p add 10.3.1.0 mask 255.255.255.0 172.31.1.200
4. Configure the DNS resolver.
If the external server requires communication with commissioned tenant resources
using FQDN, configure the server to use the appropriate DNS server so the tenant
resource’s FQN is resolved to the correct IP address.
If the Secure Private Cloud is not configured to use VLANs for tenant isolation, the
external server uses the same DNS servers as the Cloud Orchestrator management
VM.
If the Secure Private Cloud is configured to use VLAN for tenant isolation, the
external server communicates with commissioned tenant resources on the tenant
VLANs using the management side hostname. Configure the server’s DNS so that it
resolves the tenant resource’s management side hostname (fully qualified name) to
the management side IP address.
For example, tenant resource tenant tenant-0003.managed.spc.local is resolved to
10.3.1.15.
3850 6804–007 A–5

Incorporating an External Server into the Cloud Management Environment
CHECKPOINT:
1. Verify that the external server responds to a ping command from the jump box
management VM using the “internal hostname”. That is, ping the external server
using its IP address on the Intercom Network.
2. Verify that the external server can ping the jump box management VM using the
“internal hostname”. That is, ping the jump box management VM using its IP address
on the Intercom Network.
3. Verify that the external server can communicate with a tenant resource on the tenant’s
VLAN using the FQDN of the tenant resource. If a tenant VLAN is configured, use the
management side FQN of the tenant resource. For example, ping tenant-
0003.managed.spc.local.
A–6 3850 6804–007

© 2012 Unisys Corporation.
All rights reserved.
*38506804-007*
3850 6804–007