
Secure Private Cloud Administration and Operations Guide


Secure Private Cloud

Administration and Operations Guide

Secure Private Cloud 2.2 and Higher

July 2012 3850 6804–007

Unisys


NO WARRANTIES OF ANY NATURE ARE EXTENDED BY THIS DOCUMENT. Any product or related information described herein is only furnished pursuant and subject to the terms and conditions of a duly executed agreement to purchase or lease equipment or to license software. The only warranties made by Unisys, if any, with respect to the products described in this document are set forth in such agreement. Unisys cannot accept any financial or other responsibility that may be the result of your use of the information in this document or software material, including direct, special, or consequential damages.

You should be very careful to ensure that the use of this information and/or software material complies with the laws, rules, and regulations of the jurisdictions with respect to which it is used.

The information contained herein is subject to change without notice. Revisions may be issued to advise of such changes and/or additions.

Notice to U.S. Government End Users: This is commercial computer software or hardware documentation developed at private expense. Use, reproduction, or disclosure by the Government is subject to the terms of Unisys standard commercial license for the products, and where applicable, the restricted/limited rights provisions of the contract data rights clauses.

Unisys is a registered trademark of Unisys Corporation in the United States and other countries.

Linux is a registered trademark of Linus Torvalds.

SUSE is a registered trademark of SUSE LINUX AG, a Novell business.

Red Hat is a trademark or registered trademark of Red Hat, Inc. in the U.S. and other countries.

VMware is a registered trademark of VMware, Inc. in the U.S. and other countries.

All other brands and products referenced in this document are acknowledged to be the trademarks or registered trademarks of their respective holders.


Contents

Section 1. Installation and Configuration Data

1.1. Completing Worksheets for Installation and Configuration . . . 1–1
    1.1.1. Workbook Organization . . . 1–1
    1.1.2. Implementing the Workbook . . . 1–2
    1.1.3. Expanding the Workbook to Include Tenants . . . 1–3
    1.1.4. Adding Tenant Blueprints and Projects . . . 1–3
    1.1.5. Validating the Workbook . . . 1–4
    1.1.6. Exporting the Data . . . 1–5
    1.1.7. Preserving Configuration Data . . . 1–6
1.2. Cloud Provider Data Worksheet . . . 1–6
    1.2.1. Cloud Provider Environment, License, and Network Information . . . 1–6
    1.2.2. Management VM Infrastructure . . . 1–7
    1.2.3. VMware . . . 1–7
    1.2.4. Notification . . . 1–8
    1.2.5. High Availability Cluster . . . 1–8
    1.2.6. Virtual Office as a Service . . . 1–8
    1.2.7. Virtual LAN . . . 1–9
    1.2.8. vCenter Supplied by the Cloud Provider . . . 1–9
1.3. Tenant Data Worksheet . . . 1–9
    1.3.1. Tenant Information . . . 1–10
    1.3.2. Tenant VLAN . . . 1–10
    1.3.3. RBADB Accounts . . . 1–10
    1.3.4. Stealth Onboarding . . . 1–11
    1.3.5. Tenant Blueprints . . . 1–11
    1.3.6. Tenant Projects . . . 1–12
    1.3.7. Virtual Office as a Service Session Manager . . . 1–12

Section 2. Introduction

2.1. Documentation Updates . . . 2–1
2.2. Accessing Architecture and Networking Information . . . 2–2
2.3. Administrator and Operator Responsibilities . . . 2–3
2.4. Before You Begin . . . 2–3
2.5. Default and Updated Environment Credentials . . . 2–5
2.6. URLs for Web-Based UIs . . . 2–7
2.7. Completing and Exporting Tenant Worksheets . . . 2–8

3850 6804–007 iii



2.8. Understanding Tenants Accounts and Secure Private Cloud Interfaces . . . 2–8
    2.8.1. XYZ Company Example (Single Tenant) . . . 2–9
    2.8.2. Acme Company Example (Multi-tenant) . . . 2–9
    2.8.3. Projects, Departments, Accounts, and SubAccounts . . . 2–10
    2.8.4. Naming Guidelines for Components in the Cloud Environment . . . 2–12

Section 3. Initial Configuration Tasks

3.1. Configuring a Workstation to Configure the Secure Private Cloud Portal . . . 3–1
3.2. Inserting the Secure Private Cloud Portal Terms of Use . . . 3–4

Section 4. Creating VMware Template Gold Images

4.1. Using Unisys Provided VMware Templates for Windows . . . 4–1
    4.1.1. Importing Unisys Provided Templates into vCenter . . . 4–2
    4.1.2. Preinstalling Required Applications . . . 4–4
    4.1.3. Converting to a Template . . . 4–4
4.2. Creating Custom Windows VMware Templates and Creating Linux VMware Templates . . . 4–4
    4.2.1. Moving Template Configuration Images Folder . . . 4–5
    4.2.2. Configuring a Windows Target Template . . . 4–5
        Setting Firewall Exceptions for Windows Server 2003 and Windows XP . . . 4–7
        Setting Firewall Exceptions for Windows Server 2008 . . . 4–7
        Verifying the Remote Desktop Connection . . . 4–8
        Preinstalling Required Applications . . . 4–8
        Making a Windows Template Stealth Ready . . . 4–8
        VNIC Restrictions . . . 4–9
        Converting to a Template . . . 4–9
        Testing the Windows Target Template . . . 4–9
    4.2.3. Configuring a Red Hat Enterprise Linux Target Template . . . 4–10
        Making a Red Hat Enterprise Linux Template Stealth Ready . . . 4–12
        VNIC Restrictions . . . 4–13
        Preinstalling Required Applications . . . 4–13
        Converting to a Template . . . 4–14
        Testing the Red Hat Enterprise Linux Target Template . . . 4–14
    4.2.4. Configuring a SUSE Linux Target Template . . . 4–15
        VNIC Restrictions . . . 4–17
        Preinstalling Required Applications . . . 4–18



        Deleting MAC Addresses . . . 4–18
        Converting to a Template . . . 4–19
        Testing a SUSE Linux Target Template . . . 4–19
4.3. Preparing an Existing Virtual Machine or Template for a Stealth-Enabled VLAN . . . 4–20
    4.3.1. VNIC Restrictions . . . 4–20
    4.3.2. Preparing a Windows Virtual Machine or Template for a Stealth-Enabled VLAN . . . 4–20
    4.3.3. Preparing a Red Hat Enterprise Linux Virtual Machine or Template for a Stealth-Enabled VLAN . . . 4–23
4.4. Importing Tenant VLAN Network Appliance and Load Balancer Templates . . . 4–25
4.5. Installing VMware Tools 5.0 in the Tenant VLAN Network Appliance . . . 4–26
4.6. Preparing the vCenter Server to Sysprep the Target Template (Windows Server 2003 and Windows XP Only) . . . 4–28

Section 5. Implementing a New Tenant VLAN


5.1. Configuring a DNS or Alternative for the Tenant . . . 5–2
    5.1.1. Configuring the Tenant DNS . . . 5–3
    5.1.2. Configuring the uChargeback Management VM if Tenants Do Not Have a DNS . . . 5–3
5.2. Configuring Workload Servers for VLAN Networking . . . 5–5
    5.2.1. Understanding Workload Server Networking Connection Options . . . 5–6
    5.2.2. Configuring Access to Tenant VLAN Networks and Tenant Interconnect . . . 5–6
        Option 1: Using a Dedicated Physical NIC to Access a Tenant VLAN Network or Tenant Interconnect . . . 5–7
        Option 2: Using a Distributed Switch to Access a Tenant VLAN Network or Tenant Interconnect . . . 5–8
        Option 3: Creating vSwitch Virtual Machine Port Groups to Access a Tenant VLAN Network or Tenant Interconnect . . . 5–9
5.3. Deploying a New Tenant VLAN Using a New or Existing Tenant VLAN Network Appliance . . . 5–11
    5.3.1. Deploying a New Tenant VLAN Network Appliance and VLAN . . . 5–11
    5.3.2. Adding a New VLAN to an Existing Tenant VLAN Network Appliance . . . 5–18
5.4. Configuring the Management Network Appliance for a New Tenant VLAN . . . 5–19
    5.4.1. Configuring the Virtual Management Network Appliance for a New VLAN . . . 5–19




    5.4.2. Configuring a Physical Management Network Appliance for a New VLAN . . . 5–20
5.5. Configuring the Cloud Orchestrator and uChargeback Management VMs to Communicate with Tenant VLAN . . . 5–23
5.6. Configuring the Tenant VLAN Network Appliance to be Monitored by the Nagios Collector . . . 5–24
5.7. Additional Nagios Collector Configuration Information . . . 5–24
5.8. Configuring External Servers to Communicate with Tenant VLANs . . . 5–25

Section 6. Creating and Managing Tenant Configurations

6.1. Updating Cloud Provider or Adding Tenant Information in the Secure Private Cloud Environment . . . 6–1
6.2. Configuring Stealth-Enabled VLANs . . . 6–3
6.3. Understanding Blueprints and General Blueprint Guidelines . . . 6–6
6.4. Creating Blueprints . . . 6–9
6.5. Virtual Machine Attributes and Values . . . 6–11
    6.5.1. Virtual Machine General Configuration . . . 6–11
    6.5.2. Virtual Machine Resource Balancer . . . 6–14
    6.5.3. Virtual Machine Operating System Customization . . . 6–15
    6.5.4. Virtual Machine Additional Instructions . . . 6–20
6.6. Virtual Desktop Attributes and Values . . . 6–21
    6.6.1. Virtual Desktop General Configuration . . . 6–22
    6.6.2. Virtual Desktop Additional Instructions . . . 6–23

Section 7. Onboarding Tenants, Creating Users, and Assigning Roles

7.1. Understanding User Roles . . . 7–1
7.2. Adding Tenants, Projects, and User Roles to the Secure Private Cloud Portal . . . 7–3
    7.2.1. Tenant Onboarding Overview . . . 7–3
    7.2.2. Onboarding a New Tenant . . . 7–3
7.3. Creating Secure Private Cloud Users in Active Directory . . . 7–4
7.4. Assigning Cloud Provider and Tenant Users to Roles, and Assigning Tenant Users to Projects . . . 7–5
7.5. Checkpoint: Commissioning a Resource . . . 7–7

Section 8. Additional Networking Configuration

8.1. Enabling Stealth for an Existing Tenant VLAN . . . 8–1
8.2. Configuring Network Appliances for Inbound Internet Connections . . . 8–2
    8.2.1. Disabling Internet Access for Tenant Virtual Machines . . . 8–3



    8.2.2. Understanding Inbound Connection Limitations . . . 8–3
    8.2.3. Providing a Public Source IP Address in Outbound Packets . . . 8–4
    8.2.4. Enabling Inbound Internet Connections . . . 8–5
        Shared Public IP Address Example . . . 8–6
        Unique Public IP Address Example . . . 8–8
8.3. Configuring an HAProxy Load Balancer for Web Applications . . . 8–10
    8.3.1. Deploying a New HAProxy Virtual Machine . . . 8–10
    8.3.2. Configuring the HAProxy Configuration File . . . 8–12
8.4. Configuring Tenant VLAN Firewall Exceptions . . . 8–15
    8.4.1. Enabling Selected Tenant VLANs to Communicate . . . 8–15
    8.4.2. Enabling All Tenant VLANs to Communicate . . . 8–17
8.5. Changing the Predefined IP Address on the Intercom Network . . . 8–18
    8.5.1. Configuring the Jump Box, SQL Server, Portal, WSUS, Active Directory, and vCenter Server Management VMs to Use a New Intercom Network IP Address . . . 8–18
    8.5.2. Configuring the uAdapt Controller Management VM to Use a New Intercom Network IP Address . . . 8–19
    8.5.3. Configuring the uChargeback Management VM to Use a New Intercom Network IP Address . . . 8–20
    8.5.4. Configuring the Cloud Orchestrator Management VM to Use a New Intercom Network IP Address . . . 8–21
    8.5.5. Configuring the Management Network Appliance to Use a New Intercom Network IP Address . . . 8–23
    8.5.6. Configuring a Tenant VLAN Network Appliance to Use a New Intercom Network IP Address . . . 8–25
    8.5.7. Configuring the Stealth Components to Use a New Intercom Network IP Address . . . 8–25
    8.5.8. Updating RBADB to Use the New Intercom Network IP Address . . . 8–27
    8.5.9. Checkpoint . . . 8–28

Section 9. Changing Credentials and Performing Final Installation Tasks


9.1. Recording Updated Credentials . . . 9–1
9.2. Prerequisites to Changing Credentials . . . 9–1
9.3. Procedures for Changing Credentials . . . 9–2
    9.3.1. VMware ESXi Management Interface . . . 9–3
    9.3.2. uAdapt Controller Management VM . . . 9–3
    9.3.3. Windows Management VMs Administrator Accounts . . . 9–3
    9.3.4. uAdapt Console . . . 9–4




    9.3.5. SQL Server Database Administrator . . . 9–7
    9.3.6. RBADB Database Passwords . . . 9–7
    9.3.7. vCenter Database Administrator . . . 9–8
    9.3.8. Cloud Orchestrator Database Administrator . . . 9–9
    9.3.9. Secure Private Cloud Portal Database Administrator . . . 9–10
    9.3.10. Tomcat Manager . . . 9–11
    9.3.11. RBADB Administrator Interface . . . 9–11
    9.3.12. Unisys-Supplied Domain Controllers . . . 9–12
    9.3.13. uChargeback Services Domain Account . . . 9–13
    9.3.14. Secure Private Cloud Liferay Administrator . . . 9–15
    9.3.15. Virtual Management Network Appliance Administrator . . . 9–15
    9.3.16. Tenant VLAN Network Appliance Administrator . . . 9–16
    9.3.17. uChargeback vCenter User . . . 9–16
    9.3.18. Cloud Orchestrator vCenter User . . . 9–18
    9.3.19. Changing VMware Update Manager Database User Password . . . 9–19
    9.3.20. HAProxy Load Balancer for Web Applications . . . 9–20
    9.3.21. Stealth Infrastructure VMs, Administration Application, and Dynamic Licensing Web Interface . . . 9–21
        Stealth Configuration Machine, Stealth Transfer Machine, Stealth Proxy Server, and Stealth Relay Server Infrastructure VMs . . . 9–21
        Virtual Stealth Gateway Infrastructure VM . . . 9–22
        Dynamic Licensing Web Interface . . . 9–23
9.4. Restoring Users’ Connection to the Portal After Credentials Have Been Changed . . . 9–24
9.5. Performing a Final Commissioning Checkpoint . . . 9–24
9.6. Installing Virtual Office as a Service . . . 9–24

Section 10. Cloud Portal Operations

10.1. Understanding How Requests are Processed . . . 10–1
10.2. Responding to Virtual Machine Requests . . . 10–1
10.3. Managing Expired Virtual Machines . . . 10–3
10.4. Responding to Physical Server Requests . . . 10–3
    10.4.1. Commissioning New Physical Servers . . . 10–3
    10.4.2. Starting or Stopping Physical Servers . . . 10–6
    10.4.3. Decommissioning Physical Servers (Releasing Physical Server Resources) . . . 10–7
        Stopping the Persona . . . 10–8
        Managing the Storage LUN . . . 10–8
        Moving the Persona to the Inactive Server Pool . . . 10–8
10.5. Responding to Virtual Desktop Requests . . . 10–9




    10.5.1. Commissioning New Virtual Desktops . . . 10–9
    10.5.2. Starting, Stopping, and Deleting Virtual Desktops . . . 10–9
10.6. Responding to Requests Using the Operator Prompts Page . . . 10–10
10.7. Managing Tenant Users . . . 10–11
    10.7.1. Updating a Tenant User’s E-mail Address . . . 10–11
    10.7.2. Moving a User from One Tenant Organization to Another . . . 10–11
    10.7.3. Deactivating or Reactivating Tenant Users . . . 10–12
    10.7.4. Deleting Tenant Users and User Roles . . . 10–13
10.8. Editing Blueprints . . . 10–14
10.9. Deleting Blueprints or Projects from the Cloud Environment . . . 10–14
    10.9.1. Deleting Blueprints from the Secure Private Cloud Portal . . . 10–15
    10.9.2. Deleting Projects or Blueprints from RBADB . . . 10–15
        Restrictions When Deleting Items in RBADB . . . 10–15
        Verifying that Commissioned Resources Are Not Associated with Tenants, Projects, or Blueprints . . . 10–16
        Removing a Blueprint from a Contract and Deleting a Blueprint . . . 10–17
        Deleting a Project . . . 10–17
    10.9.3. Removing Projects from uOrchestrate . . . 10–18
    10.9.4. Archiving Projects in uChargeback . . . 10–18
10.10. Configuring Snapshot Limits and Managing Snapshots . . . 10–19
    10.10.1. Configuring Snapshot Limits . . . 10–19
    10.10.2. Managing Snapshots . . . 10–20
        Creating New Snapshots . . . 10–20
        Reverting to a Different Snapshot . . . 10–20
        Deleting a Snapshot . . . 10–21
10.11. Using the Resource Utilization Dashboard . . . 10–21
10.12. Configuring Resource Utilization Ranges . . . 10–23
10.13. Managing the Lifecycle Database . . . 10–24
10.14. Creating uChargeback Criteria Specifications . . . 10–25
10.15. Importing Existing Virtual Machines . . . 10–26
    10.15.1. Prerequisites for Importing Virtual Machines . . . 10–27
    10.15.2. Utility Components and Layout . . . 10–27
    10.15.3. Using the Import Utility . . . 10–29
    10.15.4. Operational Considerations . . . 10–31
    10.15.5. Inspecting Logs and Troubleshooting . . . 10–32
10.16. Configuring Tenant-Dedicated Workload Servers Manually . . . 10–34
    10.16.1. Creating Workload Server Clusters with HA and DRS . . . 10–34
    10.16.2. Completing Additional HA Tasks . . . 10–35




    10.16.3. Configuring a vMotion Interface for each Workload Server in each Cluster . . . 10–35
    10.16.4. Adding Tenants . . . 10–36
    10.16.5. Configuring Resource Groups and Datastores . . . 10–36
    10.16.6. Best Practices for Datastore and Resource Pool Naming . . . 10–36
    10.16.7. Moving Workload Servers Between Clusters . . . 10–38
10.17. Updating the Cloud Name in the Secure Private Cloud Portal . . . 10–39
10.18. Stealth for Secure Private Cloud Operations . . . 10–40
    10.18.1. Adding COI Sets and Modifying COI Set Members . . . 10–40
        Overview . . . 10–40
        Required Files for Adding or Modifying COI Sets . . . 10–41
        Using Dia to Add and Modify COI Sets . . . 10–42
        Finalizing COI Set Changes . . . 10–44
        Updating the Workbook and Deleting Unneeded Virtual Machines . . . 10–46
    10.18.2. Viewing Stealth Licenses in the Secure Private Cloud Portal . . . 10–46
    10.18.3. Accessing Logs and Monitoring Tunnels Using the Administration Application . . . 10–47
    10.18.4. Viewing and Configuring Stealth Licensing Options . . . 10–47
    10.18.5. Increasing the License Count for Stealth for Secure Private Cloud . . . 10–52
    10.18.6. Enabling Stealth for Secure Private Cloud After Initial Implementation . . . 10–53
10.19. Important Operational Restrictions . . . 10–53

Section 11. Removing Tenants and Components from the Cloud Environment

11.1. Stopping and Decommissioning Virtual Machines . . . 11–1
11.2. Stopping and Decommissioning Physical Machines . . . 11–2
11.3. Removing the Tenant Virtual Components in vCenter . . . 11–3
11.4. Removing Management-Side Tenant Infrastructure in vCenter . . . 11–5
11.5. Deleting Tenant Account Entities . . . 11–8
    11.5.1. Deleting Tenant Users and User Roles . . . 11–8
    11.5.2. Removing a Tenant User Group from the Secure Private Cloud Portal . . . 11–9
    11.5.3. Deleting Blueprints from the Secure Private Cloud Portal . . . 11–9
    11.5.4. Deleting a Tenant Organization . . . 11–10
11.6. Removing a Tenant Contract and Tenant from RBADB . . . 11–10
11.7. Removing Tenants from uOrchestrate . . . 11–11



11.8. Removing Tenant Resources and Departments from uChargeback . . . 11–11
11.9. Removing a Stealth-Enabled VLAN from the Tenant Infrastructure . . . 11–12

Section 12. Troubleshooting


12.1. Troubleshooting Errors When Using a Secure Private Cloud Workbook . . . 12–1
12.2. Troubleshooting Signing In to the Secure Private Cloud Portal . . . 12–3
12.3. Handling Suspended, Failed, and Aborted Jobs . . . 12–3
12.4. Troubleshooting Machine Names . . . 12–4
12.5. Troubleshooting Physical Server Resources . . . 12–4
12.6. Configuring the Virtual Management Network Appliance with a VMware License Restriction . . . 12–5
    12.6.1. Configuring the Virtual Management Network Appliance for a New VLAN (with a VMware License Restriction) . . . 12–5
    12.6.2. Configuring the Virtual Management Network Appliance to Use a New Intercom Network IP Address (with a VMware License Restriction) . . . 12–6
12.7. Troubleshooting Onboarding Tenants and Users . . . 12–7
    12.7.1. Troubleshooting Sign In Problems Due to an Unknown E-mail Suffix . . . 12–7
    12.7.2. Verifying and Updating the E-mail Suffixes for an Organization . . . 12–8
    12.7.3. Verifying and Updating the Default Role for an Organization . . . 12–8
    12.7.4. Updating the Default Project for a Tenant . . . 12–9
    12.7.5. Troubleshooting Tenant Permissions in the Secure Private Cloud Portal . . . 12–10
12.8. Resolving Secure Private Cloud Portal Messages . . . 12–13
12.9. Restoring a Closed Pane in the Secure Private Cloud Portal . . . 12–17
12.10. Log Files Maintenance . . . 12–17
12.11. Reporting Problems to Unisys . . . 12–18
12.12. Troubleshooting Datastore Filter and ResourcePoolFilter Constants . . . 12–18
12.13. Disconnecting Users from the Secure Private Cloud Portal and Enabling Maintenance Mode . . . 12–18
12.14. Troubleshooting Configuring Stealth-Enabled VLANs . . . 12–18
12.15. Identifying the Secure Private Cloud Software Version . . . 12–21
12.16. Troubleshooting Articles on the Unisys Product Support Web Site . . . 12–22

3850 6804–007 xi



Appendix A. Incorporating an External Server into the Cloud Management Environment<br />

A.1. Requirements for Incorporating an External Server. . . . . . . . A–1<br />

A.2. Configuring the Management Server Intercom Network Connection to Communicate with External Servers . . . . . A–1<br />

A.2.1. Using a Dedicated Network Adapter . . . . . . . . . . . . . . A–2<br />

A.2.2. Using a Shared Network Adapter . . . . . . . . . . . . . . . . A–2<br />

A.3. Updating the Hosts File on All Management VMs and External Servers Running Windows. . . . . . . . . . . . . . . . . A–3<br />

A.4. Updating the Hosts File on uAdapt Management VM and External Servers Running Linux. . . . . . . . . . . . . . . . . . . . A–4<br />

A.5. Configuring External Servers. . . . . . . . . . . . . . . . . . . . . . . . A–4<br />


Figures<br />

2–1. Projects, Departments, Accounts, and SubAccounts . . . . . . . . . . . . . . . . . . 2–11<br />

2–2. Comparison of Secure Private Cloud, uChargeback, and RBADB Entities . . . . 2–12<br />

5–1. Logical VLAN Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5–2<br />

6–1. Operations Console Populator. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6–2<br />

10–1. Unisys Cloud Import Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10–28<br />


Tables<br />

1–1. Cloud Provider Site Environment Information. . . . . . . . . . . . . . . . . . . . . . . . . 1–6<br />

1–2. Cloud Provider License Information. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–6<br />

1–3. General Networking Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–6<br />

1–4. Cloud Management Environment Network Addresses . . . . . . . . . . . . . . . . . . 1–7<br />

1–5. Networking for Management VMs and Management Server. . . . . . . . . . . . . . 1–7<br />

1–6. LDAP Values for Secure Private Cloud Portal . . . . . . . . . . . . . . . . . . . . . . . . . 1–7<br />

1–7. Cloud Management Environment Certificate Details. . . . . . . . . . . . . . . . . . . . 1–7<br />

1–8. Secure Private Cloud Portal Community Information. . . . . . . . . . . . . . . . . . . . 1–7<br />

1–9. Runbook Automation Database (RBADB) Cloud Properties . . . . . . . . . . . . . . . 1–7<br />

1–10. uChargeback Domain Account and Configuration Information . . . . . . . . . . . . 1–7<br />

1–11. Datacenter Workload Server Information . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–7<br />

1–12. VMware Sysprep Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–8<br />

1–13. VMware Resource Balancer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–8<br />

1–14. E-mail Notification Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–8<br />

1–15. BMC Remedy/ITSM Adapter Notification Information. . . . . . . . . . . . . . . . . . 1–8<br />

1–16. High Availability (HA) Management Server Information . . . . . . . . . . . . . . . . . 1–8<br />

1–17. Clustered Workload Server Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–8<br />

1–18. Virtual Office Server Network Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–8<br />

1–19. Virtual Office Server Failover Cluster . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–9<br />

1–20. Management Server VLAN Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . 1–9<br />

1–21. Switchport Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–9<br />

1–22. Distributed Virtual Network Switch Properties . . . . . . . . . . . . . . . . . . . . . . . 1–9<br />

1–23. Cloud Provider-supplied vCenter Configuration. . . . . . . . . . . . . . . . . . . . . . . 1–9<br />

1–24. Secure Private Cloud Portal Tenant Organization and Global Roles. . . . . . . . 1–10<br />

1–25. Tenant VLAN Network Appliance Information. . . . . . . . . . . . . . . . . . . . . . . 1–10<br />

1–26. Tenant VLAN Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–10<br />

1–27. Tenant Internal Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–10<br />

1–28. Account Contract Details . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–10<br />

1–29. Runbook Automation Database (RBADB) Account Properties . . . . . . . . . . . 1–10<br />

1–30. RBADB Account VLAN Configuration. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–10<br />

1–31. Stealth Infrastructure Virtual Machines . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–11<br />

1–32. Stealth Tenant Infrastructure Configuration . . . . . . . . . . . . . . . . . . . . . . . . 1–11<br />

1–33. COI Sets and Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–11<br />

1–34. Virtual Machine Blueprints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–11<br />

1–35. Virtual Machine Blueprint Attributes and Values . . . . . . . . . . . . . . . . . . . . . 1–11<br />

1–36. Physical Server Blueprints. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–11<br />

1–37. Physical Server Blueprint Attributes and Values . . . . . . . . . . . . . . . . . . . . . 1–11<br />

1–38. Virtual Desktop Blueprints. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–11<br />

1–39. Virtual Desktop Blueprint Attributes and Values . . . . . . . . . . . . . . . . . . . . . 1–12<br />

1–40. Secure Private Cloud Portal Information for Tenant Projects . . . . . . . . . . . . 1–12<br />

1–41. Project Contract Limits . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1–12<br />

1–42. Virtual Office as a Service Session Manager Configuration . . . . . . . . . . . . . 1–12<br />

2–1. Default and Updated Environment Credentials . . . . . . . . . . . . . . . . . . . . . . . . 2–5<br />

2–2. URLs for Web-Based UIs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2–8<br />

6–1. Virtual Machine Basic Attributes and Values. . . . . . . . . . . . . . . . . . . . . . . . . 6–11<br />

6–2. Virtual Machine General Configuration Attributes and Values. . . . . . . . . . . . . 6–11<br />

6–3. Virtual Machine Resource Balancer Attributes and Values . . . . . . . . . . . . . . . 6–14<br />

6–4. Virtual Machine Operating System Customization Attribute and Values . . . . . 6–15<br />

6–5. Virtual Machine Operating System Attributes and Values . . . . . . . . . . . . . . . 6–15<br />

6–6. Virtual Machine Network Configuration Attributes and Values . . . . . . . . . . . . 6–18<br />

6–7. Virtual Machine Additional Instruction Attributes and Values . . . . . . . . . . . . . 6–20<br />

6–8. Resource Pre-Expiration Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6–21<br />

6–9. Virtual Desktop Basic Attributes and Values . . . . . . . . . . . . . . . . . . . . . . . . . 6–22<br />

6–10. Virtual Desktop General Configuration Attributes and Values . . . . . . . . . . . . 6–22<br />

6–11. Virtual Desktop Additional Instruction Attributes and Values . . . . . . . . . . . . 6–23<br />

6–12. Resource Pre-Expiration Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6–24<br />

10–1. Example Criteria Specification, Page 1 Data . . . . . . . . . . . . . . . . . . . . . . . 10–25<br />

10–2. Example Criteria Specification, Page 2 Data . . . . . . . . . . . . . . . . . . . . . . . 10–26<br />

12–1. Tenant Role Permissions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12–11<br />


Section 1<br />

Installation and Configuration Data<br />

The procedures in this guide assume a configuration in which the Unisys service consultant configures a cloud datacenter at a cloud provider site, and the cloud provider then supplies virtual machine, physical server, or virtual desktop usage to its tenants (the cloud provider’s customers).<br />

A tenant is an individual entity for whom you supply virtual machine, physical server, or virtual desktop usage from the cloud datacenter. Tenants are your customers or your subsidiaries or departments. If the cloud datacenter is intended to be used only by your own personnel, the environment can be treated as a single-tenant environment, or each organizational tier can be treated as a tenant (a multi-tenant environment).<br />

For information on networking and environment architecture, see 2.2 Accessing Architecture and Networking Information.<br />

1.1. Completing Worksheets for Installation and Configuration<br />

The Secure Private Cloud workbook (a Microsoft Excel workbook) contains the data that describes your environment and that of any tenants (internal and external customers). One set of tables contains data for the infrastructure. Separate sets of tables contain data for the tenants, one set for each tenant account. After the solution is implemented at your site, obtain the completed workbook from the Unisys service consultant and use it to add tenants to your environment.<br />

Note: Microsoft Excel 2007 or 2010 is required to use the Secure Private Cloud workbook.<br />

1.1.1. Workbook Organization<br />

The Secure Private Cloud workbook has the following worksheets:<br />

• Table of contents, which shows the overall organization and contains the following:<br />

- Links to cloud provider tables<br />

- Structure of tenant tables<br />

- Links to credentials and URLs tables<br />

- Buttons that perform actions: Add Tenant, Validate, Export, Import<br />


Note: These actions are discussed in the following subsections.<br />

• Credentials and URLs worksheet, which contains the following:<br />

- Table 2–1<br />

- Table 2–2<br />

Note: In the workbook, these tables are numbered Table 3-1, “Default and Updated Environment Credentials” and Table 5-1, “URLs for Web-Based UIs.”<br />

• Cloud provider worksheet, in 1.2 Cloud Provider Data Worksheet, which is organized as follows:<br />

- 1.2.1 Cloud Provider Environment, License, and Network Information<br />

- 1.2.2 Management VM Infrastructure<br />

- 1.2.3 VMware<br />

- 1.2.4 Notification<br />

- 1.2.5 High Availability Cluster<br />

- 1.2.6 Virtual Office as a Service<br />

- 1.2.7 Virtual LAN<br />

- 1.2.8 vCenter Supplied by the Cloud Provider<br />

• Tenant template worksheet, in 1.3 Tenant Data Worksheet, which is organized as follows:<br />

- 1.3.1 Tenant Information<br />

- 1.3.2 Tenant VLAN<br />

- 1.3.3 RBADB Accounts<br />

- 1.3.4 Stealth Onboarding<br />

- 1.3.5 Tenant Blueprints<br />

- 1.3.6 Tenant Projects<br />

- 1.3.7 Virtual Office as a Service Session Manager<br />

1.1.2. Implementing the Workbook<br />

Edit the tables in the cloud provider worksheet to describe the provider’s site configuration. Create a tenant worksheet for each tenant environment and edit the tables to describe each tenant environment. Refer to 1.1.3 Expanding the Workbook to Include Tenants and 1.1.4 Adding Tenant Blueprints and Projects.<br />

The workbook automatically validates much of the data you enter and fills some cells, using values in other cells. Refer to 1.1.5 Validating the Workbook.<br />

In some tables, IP address ranges are defined using Classless Inter-Domain Routing (CIDR) notation, which includes a base network IP address and a network mask. For example, the CIDR notation "192.68.100.0/24" refers to the address range from 192.68.100.1 through 192.68.100.255.<br />
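Added example, not from the Unisys guide or the workbook's own macros: a small Python check that expands CIDR strings like the one above into their full block (showing the network and broadcast addresses as well) and flags malformed values and overlapping ranges among a set of network entries, a consistency check an administrator can run on the worksheet values before configuring the environment. The table labels and sample networks below are constructed; only 192.68.100.0/24 comes from the guide.<br />

```python
"""Added example (not from the Unisys guide): CIDR expansion and an
overlap check across network entries gathered from the workbook tables."""
import ipaddress
from itertools import combinations


def cidr_range(cidr):
    """Expand a CIDR string into (first address, last address, address count).

    The first address is the block's network address and the last is its
    broadcast address; hosts are normally numbered between the two.
    strict=True rejects a base address with host bits set (e.g. 10.0.0.5/24),
    a typical transcription error in a worksheet cell.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address), str(net.broadcast_address), net.num_addresses


def check_networks(entries):
    """Validate a mapping {cell label: cidr string} taken from the workbook.

    Returns a list of error strings: first every malformed CIDR value, then
    every pair of well-formed networks that overlap. Tenant VLANs must not
    share address space with each other or with the management networks.
    """
    errors, parsed = [], {}
    for label, cidr in entries.items():
        try:
            parsed[label] = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            errors.append(f"{label}: {exc}")
    for a, b in combinations(sorted(parsed), 2):
        if parsed[a].overlaps(parsed[b]):
            errors.append(f"{a} overlaps {b}")
    return errors


# Constructed sample cells. The labels are illustrative, not the workbook's
# real cell names; only 192.68.100.0/24 is the guide's own example value.
SAMPLE_ENTRIES = {
    "Table 1-4 management network": "192.68.100.0/24",
    "Tenant A VLAN": "10.10.1.0/24",
    "Tenant B VLAN": "10.10.1.128/25",  # sits inside Tenant A's block
    "Tenant C VLAN": "10.10.2.5/24",    # host bits set in the base address
}

if __name__ == "__main__":
    first, last, count = cidr_range("192.68.100.0/24")
    print(f"192.68.100.0/24 spans {first} to {last} ({count} addresses)")
    for err in check_networks(SAMPLE_ENTRIES):
        print("ERROR:", err)
```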



The table headings in 1.2 Cloud Provider Data Worksheet and 1.3 Tenant Data Worksheet reflect the same hierarchy as the Secure Private Cloud workbook. They are included in this document to resolve references in the procedures. When you see a reference to a table, refer to the Secure Private Cloud workbook for the data.<br />

Note: Refer to 12.1 Troubleshooting Errors When Using a Secure Private Cloud Workbook for help if you receive error messages when using the workbook.<br />

1.1.3. Expanding the Workbook to Include Tenants<br />

A tenant is an individual entity for whom you supply virtual machine, physical server, or virtual desktop usage from the cloud datacenter. Tenants are your customers or your subsidiaries or departments. If the cloud datacenter is intended to be used only by your own personnel, the environment can be treated as a single-tenant environment, or each organizational tier can be treated as a tenant (a multi-tenant environment).<br />

Create a tenant worksheet in the Secure Private Cloud workbook for each tenant account, as follows:<br />

1. Open the workbook and select the Table of Contents tab.<br />

The Installation and Configuration Worksheets Table of Contents worksheet is displayed.<br />

Note: The organization is the same as 1.1.1 Workbook Organization.<br />

2. Click Add Tenant.<br />

The Add Tenant dialog box opens.<br />

3. Enter a name for the new tenant in the box, and click OK.<br />

Note: This name is configured as the folder in the Secure Private Cloud portal hierarchy in a later procedure in this guide.<br />

A new tenant worksheet is created in the workbook from the template.<br />

Repeat this procedure to create a separate worksheet for each tenant.<br />

1.1.4. Adding Tenant Blueprints and Projects<br />

Adding Tenant Blueprints<br />

Enter tenant blueprint data in Table 1–34, Table 1–36, or Table 1–38. For each blueprint name that you enter, the blueprint attributes and default values are initialized in Table 1–35, Table 1–37, or Table 1–39, and an Edit link is made available in the Properties column of the names table. Double-click the Edit link to jump to the column for that blueprint in the attributes and values table, and then update the attributes and values for that blueprint.<br />

If you need to enter more blueprints for a tenant than Table 1–34, Table 1–36, or Table 1–38 allows, click Add Blueprints to insert a group of six blank rows at the bottom of the table. You can insert as many groups of blank rows as needed.<br />


To delete a blueprint, clear its name in the names table. You are asked if you also want to clear the attributes and values for the blueprint. Click Yes to clear its values in the attributes and values table.<br />

Adding Tenant Projects<br />

Enter tenant project data in Table 1–40.<br />

In the Contract Limits column, double-click Edit to open an interface that enables you to edit the contract limits of the blueprints associated with the project.<br />

If you need to enter more projects for a tenant than Table 1–40 allows, click Add Project to insert a blank row at the bottom of the table. You can insert as many blank rows as needed.<br />

To delete a project, select the Project Name and click Delete Project.<br />

1.1.5. Validating the Workbook<br />

Data in individual cells is validated as much as possible while you enter the data. However, more extensive validation is needed after you complete all the cloud provider and tenant worksheets to make sure that the overall configuration is consistent. Perform this validation and correct any errors before exporting the data.<br />

Caution<br />

Invalid data can cause unexpected and critical errors when you are configuring the cloud environment.<br />

Validate the worksheets, as follows:<br />

1. Open the workbook and select the Table of Contents tab.<br />

2. If prompted, enable macros and set the macro security level to medium or higher.<br />

3. Click Validate.<br />

The Worksheet Selection dialog box opens with the following validation options:<br />

• Only the cloud provider worksheet<br />

• All worksheets in the workbook<br />

• One tenant worksheet<br />

4. Select the worksheets that you want to validate, and then click OK.<br />

The Validation Results dialog box opens and lists each error and location. Click Open Log to view the validation results in a log file, if desired.<br />


Repeat the following steps as often as necessary to correct all errors:<br />

a. Navigate to the cells that contain errors, using the links in the results list, and correct the errors.<br />

b. Click Revalidate after correcting one or more cells to update the error list.<br />

Click OK to close the Validation Results dialog box when you are finished reviewing the results.<br />

1.1.6. Exporting the Data<br />

The automated procedures in this guide are initiated from the jump box management VM to the other management VMs that are configured (refer to the In Use column in Table 1–5). The automated procedures require certain data in XML format as input. After entering all data in all worksheets in the Secure Private Cloud workbook, you can create the necessary XML files, as follows.<br />

Note: For security reasons, the exported data does not include the values of any updated credentials in Table 3-1, "Default and Updated Environment Credentials."<br />

1. Open a copy of the workbook that contains all the data, and select the Table of Contents tab.<br />

2. If prompted, enable macros and set the macro security level to medium or higher.<br />

3. Click Export.<br />

A Worksheet Selection dialog box opens with the following export options:<br />

• Only the cloud provider worksheet<br />

• All worksheets in the workbook<br />

• One tenant worksheet<br />

4. Select the worksheets that you want to export, and then click OK.<br />

The data is validated first.<br />

• If no validation errors are detected, the Chose a folder to export to dialog box appears. Navigate to the folder where you want to save the XML files and click OK. When the export process completes, you see a message that the export was successful. Click OK.<br />

The cloud provider file is named<br />

CloudProvider.xml<br />

Each tenant has its own tenant XML file named<br />

Tenant-.xml<br />


• If validation errors are detected, a Continue Export? dialog box is displayed advising you to correct the errors. Click Cancel.<br />

The Export Cancelled message box appears, and XML files are not created.<br />

You can correct errors and try exporting again. Refer to 1.1.5 Validating the Workbook.<br />


Note: If the data contains errors but you still want to export the files, click OK on the Continue Export? dialog box. The XML files are created, but errors can occur when configuring your Secure Private Cloud environment.<br />

5. Copy all XML files that you created to the following folder on the jump box management VM:<br />

C:\ProgramData\Unisys\SPC-Automation\xml<br />

1.1.7. Preserving Configuration Data<br />

The cloud provider worksheet in the Secure Private Cloud workbook must be kept up-to-date with configuration data changes. Store the workbook and XML files in a secure location for future use when updating the cloud configuration or onboarding tenants.<br />

Snapshots of management VMs that were taken during the configuration process and are no longer needed should be deleted.<br />

1.2. Cloud Provider Data Worksheet<br />

Use Table 1–1 through Table 1–23 to gather data that applies to the cloud provider in this environment.<br />

Only the categories, table headers, and a short description from the Secure Private Cloud workbook are included to provide references throughout this document. The details of each table are in the Secure Private Cloud workbook.<br />

1.2.1. Cloud Provider Environment, License, and Network Information<br />

Table 1–1. Cloud Provider Site Environment Information<br />

Contains site environment information, including default values that cannot be changed, default values that can be changed, and values that apply to the cloud provider’s specific environment.<br />

Table 1–2. Cloud Provider License Information<br />

Contains information about the cloud provider’s licenses.<br />

Table 1–3. General Networking Information<br />

Contains information about the cloud provider’s network, including DNS servers and domains, as it applies to the Secure Private Cloud implementation.<br />



Table 1–4. Cloud Management Environment Network Addresses<br />

Contains information about the networks that are used in the Secure Private Cloud management environment.<br />

Table 1–5. Networking for Management VMs and Management Server<br />

Contains networking values for the management VMs and management server.<br />

1.2.2. Management VM Infrastructure<br />

Table 1–6. LDAP Values for Secure Private Cloud Portal<br />

Contains information that is needed if you are using LDAP to validate credentials using a domain or to integrate with a cloud provider-supplied Active Directory.<br />

Table 1–7. Cloud Management Environment Certificate Details<br />

Contains information about the certificates that are used to secure certain management VMs.<br />

Table 1–8. Secure Private Cloud Portal Community Information<br />

Contains information that is needed for the Secure Private Cloud portal user community.<br />

Table 1–9. Runbook Automation Database (RBADB) Cloud Properties<br />

Contains information about the Runbook Automation Database (RBADB) cloud properties.<br />

Table 1–10. uChargeback Domain Account and Configuration Information<br />

Contains information about at least one domain user who is the uChargeback administrator.<br />

1.2.3. VMware<br />


Table 1–11. Datacenter Workload Server Information<br />

Contains information about the datacenter workload server, which supports virtual machines for users.<br />


Table 1–12. VMware Sysprep Configuration<br />

Contains information that is needed for VMware Sysprep configuration.<br />

Table 1–13. VMware Resource Balancer<br />

Contains information that is needed for VMware resource balancer configuration.<br />

1.2.4. Notification<br />

Table 1–14. E-mail Notification Information<br />

Contains information that is needed to send notifications using e-mail messages.<br />

Table 1–15. BMC Remedy/ITSM Adapter Notification Information<br />

Contains information that is needed to send notifications using BMC Remedy tickets.<br />

1.2.5. High Availability Cluster<br />

Table 1–16. High Availability (HA) Management Server Information<br />

Contains information that is needed to enable the management server High Availability (HA) capability.<br />

Table 1–17. Clustered Workload Server Information<br />

Contains information that is needed to define clusters for the workload servers, such as enabling DRS or High Availability capabilities for the workload servers.<br />

1.2.6. Virtual Office as a Service<br />

Table 1–18. Virtual Office Server Network Addresses<br />

Contains network address information that is needed to configure the Virtual Office as a Service capability.<br />


Table 1–19. Virtual Office Server Failover Cluster<br />

Contains network information that is needed to configure Virtual Office servers as a failover cluster.<br />

1.2.7. Virtual LAN<br />

Table 1–20. Management Server VLAN Configuration<br />

Contains information that is needed in a multi-tenant environment to implement virtual LANs (VLAN) to isolate the network traffic for each tenant from all other tenants.<br />

Table 1–21. Switchport Configuration<br />

Contains information that is needed to support workload servers, either clustered or standalone.<br />

Table 1–22. Distributed Virtual Network Switch Properties<br />

Contains information that is needed to support the distributed virtual network switches in the Secure Private Cloud Virtual Center server datacenter.<br />

1.2.8. vCenter Supplied by the Cloud Provider<br />

Table 1–23. Cloud Provider-supplied vCenter Configuration<br />

Contains information that is needed if the vCenter in the Secure Private Cloud environment is supplied by the cloud provider.<br />

1.3. Tenant Data Worksheet<br />


Use Table 1–24 through Table 1–42 to gather data that applies to each tenant in this environment.<br />

Only the categories, table headers, and a short description from the Secure Private Cloud workbook are included to provide references throughout this document. The details are in the Secure Private Cloud workbook.<br />


1.3.1. Tenant Information<br />

Table 1–24. Secure Private Cloud Portal Tenant Organization and Global Roles<br />

Contains the global data for defining the tenant in the provider’s cloud.<br />

1.3.2. Tenant VLAN<br />

Table 1–25. Tenant VLAN Network Appliance Information<br />

Contains information about the virtual LAN (VLAN) in a multi-tenant environment that isolates the network traffic for each tenant from all other tenants.<br />

Table 1–26. Tenant VLAN Configuration<br />

Contains data for configuring the tenant VLAN network appliance for the tenant.<br />

Table 1–27. Tenant Internal Configuration<br />

Contains data for configuring this tenant.<br />

1.3.3. RBADB Accounts<br />

Table 1–28. Account Contract Details<br />

Contains data for configuring RBADB with information about the tenant and the tenant’s blueprints.<br />

Table 1–29. Runbook Automation Database (RBADB) Account Properties<br />

Contains data for configuring RBADB with information about the tenant.<br />

Table 1–30. RBADB Account VLAN Configuration<br />

Contains data for configuring RBADB with information about the tenant’s VLAN.<br />

1–10 3850 6804–007


1.3.4. Stealth Onboarding<br />

Table 1–31. Stealth Infrastructure Virtual Machines<br />

Contains information about the Stealth infrastructure virtual machines that are created for each<br />

tenant Stealth-enabled VLAN.<br />

Table 1–32. Stealth Tenant Infrastructure Configuration<br />

Contains the global data for configuring the infrastructure for the tenant Stealth environment.<br />

Table 1–33. COI Sets <strong>and</strong> Access<br />

Contains information for defining groups of virtual machines that can communicate with one<br />

another, with other components in the cloud, <strong>and</strong> with the Public Network, also known as<br />

Communities of Interest (COI).<br />

1.3.5. Tenant Blueprints<br />

Table 1–34. Virtual Machine Blueprints<br />

Contains information about the tenant’s virtual machine blueprints.<br />

Table 1–35. Virtual Machine Blueprint Attributes <strong>and</strong> Values<br />

Contains information about the attributes <strong>and</strong> values for the tenant’s virtual machine blueprints.<br />

Table 1–36. Physical Server Blueprints<br />

Contains information about the tenant’s physical server blueprints.<br />

Table 1–37. Physical Server Blueprint Attributes <strong>and</strong> Values<br />

Contains information about the attributes <strong>and</strong> values for the tenant’s physical server blueprints.<br />

Table 1–38. Virtual Desktop Blueprints<br />

Contains information about the tenant’s virtual desktop blueprints.<br />

Installation <strong>and</strong> Configuration Data<br />

3850 6804–007 1–11


Installation <strong>and</strong> Configuration Data<br />

Table 1–39. Virtual Desktop Blueprint Attributes <strong>and</strong> Values<br />

Contains information about the attributes <strong>and</strong> values for the tenant’s virtual desktop blueprints.<br />

1.3.6. Tenant Projects<br />

Table 1–40. <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> Portal Information for Tenant Projects<br />

Contains information about the tenant’s projects.<br />

Table 1–41. Project Contract Limits<br />

Contains optional limits for the number of virtual machines that can be commissioned from<br />

each blueprint in a tenant project.<br />

1.3.7. Virtual Office as a Service Session Manager<br />

Table 1–42. Virtual Office as a Service Session Manager Configuration<br />

Contains information that is needed to configure Session Manager to support the Virtual Office<br />

as a Service capability for the tenant.<br />

1–12 3850 6804–007


Section 2

Introduction

This document is intended for Unisys service consultants initially implementing the Unisys Secure Private Cloud solution as well as the administrators and operators who maintain the solution.

In this library, a tenant is defined as an individual entity with whom the cloud provider has a contract to provide virtual machine, virtual desktop, or physical server usage from the cloud datacenter. These tenants might be the cloud provider’s customers, or they might be the provider’s subsidiaries or departments that should be treated as separate entities. Depending on the cloud provider’s needs, you can configure a single-tenant or a multi-tenant environment.

This document describes the processes required to administer and operate a cloud environment, including how to add new VMware templates to create new blueprints for tenants, how to handle user requests for new virtual machines, virtual desktops, and physical servers, and how to troubleshoot issues with the Secure Private Cloud portal.

Note: This document does not describe the procedures performed to initially configure the Secure Private Cloud environment; those procedures are described in the Secure Private Cloud Implementation Guide (3850 6846), which is available only to Unisys service consultants.

2.1. Documentation Updates

This document contains all the information that was available at the time of publication. Changes identified after release of this document are included in problem list entry (PLE) 18886286. To obtain a copy of the PLE, contact your service representative or access the current PLE from the product support Web site:

http://www.support.unisys.com/all/ple/18886286

Note: If you are not logged into the product support site, you will be asked to do so.


2.2. Accessing Architecture and Networking Information

Detailed architectural and networking information is available in Section 2 of the Secure Private Cloud Overview and Planning Guide. If you have a current connection to the Internet, you can access this information directly from the following link:

http://www.support.unisys.com/spc/docs/spc-2.2/38506796-007.pdf#architecture

Section 2 of the Overview and Planning Guide includes the following:

• A detailed description of the following Secure Private Cloud solution hardware:

- Cloud Management Environment

One or more management virtualization servers, which run VMware ESXi and are part of the Cloud Management Environment. These servers are called management servers in this document. Each management server hosts multiple management VMs. A management VM is a specialized virtual machine that performs management functions for the Secure Private Cloud.

The Overview and Planning Guide describes the required and optional management VMs and the infrastructure VMs (which provide infrastructure services for each tenant).

- Workload environment

One or more workload servers that host your data and your tenants’ data, as well as tenant-commissioned virtual machines, virtual desktops, and physical servers. VMware ESX or ESXi workload virtualization servers are known simply as virtualization servers and host virtual machines running Windows server operating systems or Linux operating systems.

If your environment includes the Virtual Office as a Service, Virtual Office servers run Windows Server 2008 R2 with the Hyper-V role enabled. If your environment includes uAdapt, physical servers host uAdapt personas.

• Overview of the Cloud Management domain and configuring domain controllers

• Overview of logical network configurations

• Requirements for configuring a highly available (HA) environment

• Detailed networking considerations for isolating tenant networks using virtual LANs (VLANs), including an example VLAN architecture

• Directions for including the Stealth for Secure Private Cloud feature in one or more tenant environments

• Requirements for designing domain name system (DNS)

• Overview of network connections and communication paths (single tenancy or multitenancy, and non-highly available or high availability configurations)

• Guidelines for combining physical networks (non-highly available or high availability configurations)

• Examples of using physical switches versus virtual network appliances



• Details on using hybrid configurations (a combination of physical and virtual components, such as a physical switch in the Cloud Management Environment and virtual network appliances in the workload environment), including configuring high network isolation, high routing, and configuring an enterprise private cloud

• Instructions for incorporating an external server into the Cloud Management Environment

• An overview of multi-tenant networking considerations, including tenant VLAN switch requirements, managing overlapping tenant IP addresses and domain names, and a Network Address Translation (NAT) overview

2.3. Administrator and Operator Responsibilities

Personnel in the cloud provider’s organization are designated as administrators and operators of the Secure Private Cloud. If there are a small number of users, one person might be designated to complete both administration and operation tasks; if there are a large number of users, groups of administrators and operators might be designated to perform specific procedures.

Administrators and operators generally have the following responsibilities:

• Add new tenants and users to the Secure Private Cloud portal.

• Perform any required manual operations, including responding to end user requests sent through e-mail, through Remedy tickets, or through both.

• Use the Secure Private Cloud portal to authorize commissioning requests when any required manual operations are complete.

• Operate the Secure Private Cloud portal, the uChargeback interface, and other user interfaces, as required.

• Perform routine database maintenance on the SQL Server database.

• Work with Unisys service consultants to expand, change, or troubleshoot the environment, as required.

2.4. Before You Begin

Before you begin administering and operating the Secure Private Cloud solution, you should review the following documents:

• Unisys Secure Private Cloud Overview and Planning Guide (3850 6796)

This document provides an overview of the Secure Private Cloud environment and its features.

• Unisys Secure Private Cloud Interface Help (8207 3115)

This document describes how end users sign in and navigate the Secure Private Cloud portal. It also describes how end users request, start, stop, and decommission (delete) virtual machines, virtual desktops, and physical servers.


Most administrative and operational tasks involve reacting to user requests and problems, and so you should review this document carefully to ensure that you understand your end users’ experience.

• uChargeback Installation, Configuration, and Operations Guide (3843 3801)

uChargeback is a set of tools that help you collect and manage resource usage data for both consolidated application servers and virtual machines. uChargeback determines the IT resources that each application uses. Review this document to familiarize yourself with the uChargeback functionality.

• uAdapt User’s Guide and Reference

uAdapt enables physical server commissioning; in the Secure Private Cloud environment, administrators and operators must perform manual actions when end users request physical servers. Review this document to familiarize yourself with the uAdapt interface. uAdapt provides important functionality for the Secure Private Cloud.

First, determine which version of uAdapt is supported with your version of the Secure Private Cloud. To do so:

1. On the Unisys Product Support Web site www.support.unisys.com, expand Infrastructure Management, and then click Secure Private Cloud.

2. On the Secure Private Cloud Support Site, click Releases.

3. On the System Release Information page, click your Secure Private Cloud release.

4. In the Supported System Releases table, locate the supported uAdapt level.

The uAdapt documentation is available from the following locations:

- On the Unisys Product Support Web site (www.support.unisys.com).

Click Documentation in the left menu, and then agree to the terms of use. In the documentation libraries list, under Infrastructure Management, expand Infrastructure Management, expand uAdapt, and then click the appropriate uAdapt release.

- On the uAdapt installation media.

ISO images of these media are available on your Unisys Secure Private Cloud Management System, on the Datastore1 datastore, in the uAdapt Images folder. In the ISO image, the documentation is located in the getting_started folder.

- From the uAdapt Console.

After the uAdapt Controller is installed and configured, use Internet Explorer to access the uAdapt Console URL. After you log in, click Help, and then click Documentation.

Note: Your licenses for the uAdapt software, uOrchestrate software, and uChargeback software (which are all installed on the management server) are for use within the Secure Private Cloud environment only. These products contain many features and capabilities that can simplify the operation of other areas of your datacenter as well. Contact your Unisys sales representative if you want to purchase these products for use with servers that are not part of the Secure Private Cloud.



2.5. Default and Updated Environment Credentials

Software is configured using the default credentials in Table 2–1. Use these credentials as necessary during the integration process.

After you complete the initial implementation and update the credentials, use the new credentials instead.

This table is Table 3-1 in the online Excel version. Refer to 1.1 Completing Worksheets for Installation and Configuration.

Note: For some components, you can only update the password. If the user name cannot be updated, it is listed in the Updated User Name column.

Table 2–1. Default and Updated Environment Credentials

| Product | Description | Default User Name | Default Password | Updated User Name | Updated Password |
|---|---|---|---|---|---|
| Management server | Credentials for the server hosting the management VMs. | root | U*spc2341 | root | |
| Linux (operating system for uAdapt management VM) | Administrator account credentials for the uAdapt Controller. | root | U*spc2341 | root | |
| Linux (operating system for uAdapt management VM) | Non-administrator account credentials for the uAdapt Controller. This is a user on the Linux system, but this account is not used. | user1 | User4Me | | |
| Windows (operating system for other management VMs) | Local administrator account credentials. | Administrator | U*spc2341 | | |
| Management Network Appliance | Local administrator account credentials that enable you to configure the Management Network Appliance management VM. | vyatta | U*spc2341 | vyatta | |
| Tenant VLAN network appliances | Local administrator account credentials that enable you to configure the tenant VLAN network appliances. | vyatta | U*spc2341 | vyatta | |
| uAdapt Console | Credentials that enable you to log on to the uAdapt Console. | admin | admin | admin | |
| SQL Server Database Administrator | Credentials for SQL Server authentication. | sa | U*spc2341 | sa | |
| vCenter Database | Credentials for the vCenter database. | vpxuser | U*spc2341 | vpxuser | |
| vCenter Administrator | Credentials for the vCenter user in the vCenter Administrator role. Note: If you are using the vCenter server supplied by Unisys (the management VM), use these credentials to initially log on. If you are using a provider-supplied vCenter server, use the provider-supplied credentials from Table 1–23. | Administrator | U*spc2341 | Administrator | |
| Stealth for Secure Private Cloud Dynamic Licensing Web interface | Credentials for the Dynamic Licensing Web interface for Stealth for Secure Private Cloud, if Stealth is included in your environment. | admin | U*spc2341 | admin | |
| Tomcat Manager | Credentials for the Web server on the uChargeback management VM. | admin | U*spc2341 | admin | |
| RBADB | Credentials for Runbook Automation Database administration. | admin | U*spc2341 | admin | |
| uOrchestrate Operations Console | Credentials for the uOrchestrate Operations Console. | uco@example.com | (no password) | uco@example.com | (no password) |
| Liferay administrator | Credentials for the Liferay administrator user in the Secure Private Cloud portal that is allowed to access the Control Panel. | uco@example.com | U*spc2341 | uco@example.com | |
| SSL certificate | The certificate password for the Secure Private Cloud portal, Cloud Orchestrator, and uChargeback management VMs. | (no user name) | U*spc2341 | | |
| Cloud Orchestrator vCenter user | Credentials for a user who is assigned to the Cloud Orchestrator role in vCenter for runbook usage. | UCOUser | U*spc2341 | | |
| uChargeback vCenter user | Credentials for a user who is assigned a read-only role in vCenter. If you are using a domain account, specify the domain name, followed by a backslash, followed by the user name. For example, enter mydomain\myuser | uChrgUser | U*spc2341 | | |
| Virtual Office as a Service administrator | Credentials for a Virtual Office as a Service administrator. | Administrator | U*spc2341 | | |
| VMware Update Manager Database (VUMDB) | Credentials that enable you to log on to the VUMDB. | vumuser | U*spc2341 | vumuser | |
| Cloud Orchestrator Lifecycle database | Credentials for the Cloud Orchestrator Lifecycle database (uorch_lifecycle). | lifecycle-dbadmin | U*spc2341 | lifecycle-dbadmin | |
| Secure Private Cloud portal database | Credentials for the Secure Private Cloud portal database (PortalDB). | Portal-dbadmin | U*spc2341 | Portal-dbadmin | |

Note: During the implementation of the Secure Private Cloud environment, you are required to create new domain accounts (for example, for the uChargeback administrator) or use existing domain accounts (for example, for the Active Directory management VM). These credentials are not listed in Table 2–1, because there are no default values, but they are listed in the cloud provider workbook tables. You create and update these values using the standard domain credential management process for your environment. See the workbook for more information about these required domain administrator accounts.

2.6. URLs for Web-Based UIs

Configuration instructions often reference the URLs in Table 2–2.

Note: This table is Table 5-1 in the online Excel version.


Table 2–2. URLs for Web-Based UIs

| User Interface | URL |
|---|---|
| Secure Private Cloud portal | https://user-facing-fully-qualified-name-of-Secure-Private-Cloud-portal. Note: This is the FQN of the Secure Private Cloud portal Web page, not the FQN of the Secure Private Cloud portal management VM. |
| RBADB | https://current-fully-qualified-name-of-uChargeback-mgmt-VM:8443/RBADB. Note: “RBADB” must be uppercase in the URL. |
| uAdapt Console | http://IP-address-of-uAdapt-Console |
| uOrchestrate Operations Console | https://localhost:8443. Note: You must be logged in to the Cloud Orchestrator management VM to access the Operations Console. |
| uChargeback License Activation Web site | https://www.support.unisys.com/public/licenseActivator/login.aspx |
| Secure Private Cloud Troubleshooting | http://www.support.unisys.com/common/search/FaqSearch.aspx?pla=SPC&nav=SPC&dt=kb&action=doit&key=trouble-shooting&title=Secure+Private+Cloud+Trouble+Shooting |
| Session Manager virtual machine. Note: This is applicable only for tenants that have virtual desktops enabled through the Virtual Office as a Service solution. | http://localhost:1780 or, if accessing remotely, http://current-fully-qualified-domain-name-of-session-mgr-VM:1780 |

2.7. Completing and Exporting Tenant Worksheets

Before performing the procedures in this book for a new implementation or a new tenant, you should complete and export the Cloud Provider worksheet and complete and export the worksheets for any tenants. See 1.1 Completing Worksheets for Installation and Configuration.

2.8. Understanding Tenant Accounts and Secure Private Cloud Interfaces

You can configure the Secure Private Cloud portal for the following types of access:



• Single tenant

One tenant exists in the environment.

• Multi-tenant

One or more tenants coexist in the same environment. Each tenant is configured with its own set of administrators, users, projects, and blueprints. A multi-tenant environment in which only one tenant is defined is a single-tenant environment.

Tenants can have one or more projects. Projects are used to further subdivide the tenant organization. You can configure projects based on the needs of a tenant environment. For example, you could configure one project for each tenant department or each subdepartment, or you could configure projects based on user responsibilities in the organization.

Each project folder can contain one or more blueprints. A blueprint defines the resource type—virtual machine, physical server, or virtual desktop—that users can commission and its associated attributes, such as operating system type and memory allocation. If you want users of multiple projects to commission resources using one blueprint, you can save the same blueprint in multiple projects. Alternatively, you can isolate one blueprint in one project, so that only users assigned to a certain project can access specific blueprints.

2.8.1. XYZ Company Example (Single Tenant)

The XYZ Company is a hypothetical company that serves as an example of a single tenant environment. The Secure Private Cloud for the XYZ Company has the following structure:

• For billing purposes, the Secure Private Cloud portal tracks the following projects:

- Billing

- Inventory

- Sales

• All blueprints are available to the users, and the name of each blueprint helps to describe the blueprint. For example, W2K3x64–VM is a Windows Server 2003 x64 operating system for a virtual machine. The following are examples of blueprints:

- W2K3x64–VM

- W2K3x86–P

- W2K8x64–VM

- W2K8x86–P

2.8.2. Acme Company Example (Multi-tenant)

The Acme Company, a hypothetical company, is an example of a multi-tenant environment. The Acme Company hosts a cloud in which other tenants (TPA tenant and Widget tenant) coexist in the environment.

Note: In the following examples, TPA and Widget are tenants in the same multi-tenant system.


The Secure Private Cloud for the Acme Company has the following structure:

• TPA

- Billing

- Inventory

- Sales

• Widget

- Billing

- Manufacturing

- Human Resources

All blueprints are grouped by tenant, and all blueprint names must be unique, as follows:

• TPA

- TPA_W2K3x64–VM

- W2K3x86–Phys

• Widget

- Widg_W2K8x64–VM

- W2K8x86–Phys

2.8.3. Projects, Departments, Accounts, and SubAccounts

The user interfaces associated with the Secure Private Cloud solution include the Secure Private Cloud portal, uChargeback, and the Runbook Automation Database (RBADB).

The Secure Private Cloud portal is your interface for refining new blueprints and your tenants’ interface for deploying new virtual machines, physical servers, and virtual desktops. uChargeback includes a set of tools that help you collect and manage resource usage data for both physical servers and virtual machines. RBADB stores the tenant- and account-based information that supports various functions in the cloud environment, including the following:

• Equating values between the Secure Private Cloud portal and uChargeback, enabling these interfaces to be coordinated

• Enforcing contract limits

• Enforcing snapshot limits

• Mapping tenant-side machine names and IP addresses to their management-side machine name and IP address equivalents

These interfaces use slightly different terms for tenants and projects, as shown in Figure 2–1.



Figure 2–1. Projects, Departments, Accounts, and SubAccounts

Tenant (Account) names must be unique across your entire cloud environment. (Tenants cannot share a name with another tenant or with any project.)

Configuration data is added to the RBADB database, uChargeback, and the Secure Private Cloud portal when you execute the Populator addTenant effector. This data is retrieved from the tenant data worksheet. When you make changes, such as adding blueprints, accounts, or projects, you must update the appropriate worksheet and run the Populator updateTenant effector. Refer to Section 6, Creating and Managing Tenant Configurations, for more information.

In the Secure Private Cloud portal, two tenants can use the same Project (SubAccount) name, but uChargeback requires that all names be unique. RBADB serves as a link between the portal and uChargeback. As shown in the previous example, when two or more tenant Projects (SubAccounts) share the same name, the Populator automatically adds a numerical suffix to the end of each duplicate project name. The version of the Project name that includes the numerical suffix appears only in RBADB and uChargeback. (In the Secure Private Cloud portal, the numerical suffix does not appear.) For example, TenantA has a project named Accounting, while TenantB has a project named Accounting01, and TenantC has a project named Accounting02.

Figure 2–2 illustrates the relationships between the Secure Private Cloud, uChargeback, and RBADB in more detail.

Figure 2–2. Comparison of Secure Private Cloud, uChargeback, and RBADB Entities<br />

2.8.4. Naming Guidelines for Components in the Cloud Environment<br />

Components in the cloud environment (including tenant, project, blueprint, and snapshot<br />

names, as well as blueprint attributes for template names and OS type names) can<br />

contain only the following characters.<br />

Note: Host names for management VMs and physical servers and user names (including<br />

COI Set names, if Stealth for Secure Private Cloud is included in your environment) are<br />

more restrictive. Follow the guidelines in the Secure Private Cloud workbook when<br />

creating host names, COI Set names, and user names.<br />

• Alpha-numeric characters<br />

• The following special characters:<br />

- Space<br />

- Hyphen (-)<br />

- Underscore (_)<br />

- Period (.)<br />

- Ampersand (&)<br />

- At sign (@)<br />

Names can be no longer than 128 characters.<br />
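
As an added example that is not part of the Unisys guide, the following PowerShell functions check a proposed name against the character and length rules above, check that a new tenant name does not collide with an existing tenant or project, and reproduce the numerical suffixing that the Populator applies to duplicate project names in RBADB and uChargeback (described earlier in this section). The function names, the case-insensitive matching of duplicates, and the sample tenants are assumptions.<br />

```powershell
# Added example, not from the Unisys guide. Function names, the case-insensitive
# comparison of duplicate project names, and the sample tenants are assumptions.

# Permitted characters for tenant, project, blueprint, snapshot, template and OS type
# names: alphanumerics, space, hyphen, underscore, period, ampersand, at sign; 1 to 128 chars.
$script:SpcNamePattern = '^[A-Za-z0-9 \-_.&@]{1,128}$'

function Test-SpcComponentName {
    # Returns $true when $Name satisfies the character set and the length limit.
    param([Parameter(Mandatory = $true)][string]$Name)
    return [bool]($Name -match $script:SpcNamePattern)
}

function Test-SpcTenantNameUnique {
    # Tenant names must be unique across the cloud and must not match any project name.
    param(
        [Parameter(Mandatory = $true)][string]$NewTenant,
        [string[]]$ExistingTenants = @(),
        [string[]]$ExistingProjects = @()
    )
    $taken = @($ExistingTenants) + @($ExistingProjects)
    return -not ($taken -contains $NewTenant)   # -contains compares case-insensitively
}

function Get-SpcChargebackProjectName {
    # Input: tenant/project pairs in worksheet order. Output: the same pairs with the
    # name RBADB and uChargeback will hold. The first project keeps its name; later
    # projects with the same name get a two-digit suffix (Accounting, Accounting01, ...).
    # The portal keeps the unsuffixed name for every tenant.
    param([Parameter(Mandatory = $true)][hashtable[]]$Projects)
    $seen = @{}
    foreach ($p in $Projects) {
        $key = $p.Project.ToLowerInvariant()   # assumption: duplicates are matched case-insensitively
        if (-not $seen.ContainsKey($key)) {
            $seen[$key] = 0
            $chargebackName = $p.Project
        } else {
            $seen[$key]++
            $chargebackName = '{0}{1:D2}' -f $p.Project, $seen[$key]
        }
        New-Object -TypeName PSObject -Property @{
            Tenant         = $p.Tenant
            PortalName     = $p.Project        # unchanged in the Secure Private Cloud portal
            ChargebackName = $chargebackName   # as stored in RBADB and uChargeback
        }
    }
}

# Constructed sample: three tenants that each define a project named Accounting.
$sample = @(
    @{ Tenant = 'TenantA'; Project = 'Accounting' },
    @{ Tenant = 'TenantB'; Project = 'Accounting' },
    @{ Tenant = 'TenantC'; Project = 'Accounting' }
)
Get-SpcChargebackProjectName -Projects $sample | Format-Table Tenant, PortalName, ChargebackName -AutoSize

# A name built only from permitted characters, and one that contains a slash (not permitted).
Test-SpcComponentName -Name 'R&D_Web.Tier-01 @ Dallas'
Test-SpcComponentName -Name 'Finance/Payroll'

# A new tenant may not reuse a name already taken by a tenant or by any project.
Test-SpcTenantNameUnique -NewTenant 'Accounting' -ExistingTenants 'TenantA', 'TenantB' -ExistingProjects 'Accounting'
```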

Section 3<br />

Initial Configuration Tasks<br />

Perform the procedures in this section to initially configure workstations to access the<br />

Secure Private Cloud portal and also to configure the Secure Private Cloud portal Virtual<br />

Host value.<br />

3.1. Configuring a Workstation to Configure the Secure Private Cloud Portal<br />

To configure a workstation that can access and configure the Secure Private Cloud portal,<br />

you must<br />

• Configure the network connections<br />

• Install the vSphere Client<br />

• Install or configure a supported Web browser<br />

• Optimize the screen resolution<br />

In addition, you might need to configure Windows File Explorer to view hidden files and<br />

protected operating system files.<br />

Configuring the Network Connections<br />

To access and configure the Secure Private Cloud portal, the workstation must have direct<br />

or indirect access to the Public Network. Additionally, the workstation must be able to<br />

resolve the user-facing FQN of the Secure Private Cloud portal to the Public Network IP<br />

address of the Secure Private Cloud portal. For example, the workstation could be<br />

configured to use a DNS where the user-facing FQN of the Secure Private Cloud portal has<br />

been registered. This is described in the Secure Private Cloud Implementation Guide.<br />

Note: Any workstation that end users use to access the Secure Private Cloud portal<br />

must have direct or indirect access to the Public Network and must be able to resolve<br />

the user-facing FQN of the Secure Private Cloud portal.<br />

To be able to connect to the management server and the vCenter server, the configuration<br />

workstation must have direct or indirect access to the VMware Management Network.<br />

For an overview of the networks in the Cloud Management Environment, see the<br />

architectural and networking discussion in the Overview and Planning Guide<br />

(http://www.support.unisys.com/spc/docs/spc-2.2/38506796-007.pdf#architecture).<br />

Installing the vSphere Client<br />

To configure the Secure Private Cloud portal, you must install the VMware vSphere Client<br />

on the workstation so that you can connect to the management server and the vCenter<br />

server to perform configuration tasks. To install this software, do the following:<br />

1. Open a browser window and connect to the management server.<br />

You see a Security Warning indicating that the certificate is untrusted.<br />

2. Do one of the following:<br />

• Ignore this warning and continue to the Web page.<br />

• View the certificate.<br />

• Install the certificate.<br />

3. On the VMware ESXi Server Welcome page, click the link to download the vSphere<br />

Client.<br />

Installing or Configuring a Supported Web Browser<br />

Ensure that one of the following browsers is installed on any workstation that accesses<br />

the Secure Private Cloud portal:<br />

• Internet Explorer 8.0 or 9.0<br />

• Mozilla Firefox 3.6 or higher<br />

If you are using Internet Explorer 8.0 or 9.0, configure the following settings:<br />

Note: Mozilla Firefox does not require additional configuration.<br />

1. Ensure that Compatibility View is not selected on the Tools menu. (That is,<br />

ensure that a check mark does not appear next to Compatibility View.) If Compatibility<br />

View is selected, clear it.<br />

2. Click Compatibility View Settings on the Tools menu. Do the following on the<br />

Compatibility View Settings dialog box:<br />

a. Verify that the URL of the Secure Private Cloud portal does not appear in the<br />

"Websites you've added to Compatibility View" box.<br />

b. Clear all of the check boxes on the dialog box.<br />

c. Click Close.<br />

3. Add the URL for the Secure Private Cloud portal to your Trusted Sites list, as follows:<br />

a. Click Internet Options on the Tools menu.<br />

The Internet Options dialog box opens.<br />

b. Select the Security tab, select Trusted sites, and click Sites.<br />

The Trusted sites dialog box opens.<br />

c. Enter the fully qualified name of the Secure Private Cloud portal (without the<br />

HTTP or HTTPS protocol prefix) from Table 2–2, and then click Add.<br />

For example, enter SPC-Portal.Example.com, and then click Add.<br />

d. Click Close.<br />

4. Enable custom settings, as follows:<br />

a. On the Security tab, select Trusted sites, and then click Custom level.<br />

b. Scroll to the ActiveX controls and plug-ins category.<br />

c. Ensure that the Enable check box for the following settings is selected:<br />

• Binary and script behaviors<br />

• Run ActiveX controls and plug-ins<br />

• Script ActiveX controls marked safe for scripting<br />

d. Scroll to the Scripting category.<br />

e. Ensure that the Enable check box for Active scripting is selected.<br />

f. Click OK.<br />

5. If you are using Internet Explorer 8, close all open Internet Explorer windows to save<br />

your changes.<br />

If you are using Internet Explorer 9.0, configure the following additional settings:<br />

a. Select Developer Tools on the Tools menu.<br />

The Developer Tools page opens.<br />

b. Clear the Script option in the Disable list.<br />

c. Verify that the Browser Mode is set to IE9.<br />

If it is not, select Internet Explorer 9 from the Browser Mode list.<br />

Note: Do not select Internet Explorer 9 Compatibility View.<br />

d. Verify that the Document Mode is set to IE9 standards.<br />

If it is not, select Internet Explorer 9 standards from the Document Mode list.<br />

e. Clear Developer Tools on the Tools menu.<br />

The Developer Tools page closes.<br />

f. Close all open Internet Explorer windows to save your changes.<br />

Optimizing the Screen Resolution<br />

The Secure Private Cloud portal is optimized to work with the workstation screen<br />

resolution set to 1024 × 768.<br />

3.2. Inserting the Secure Private Cloud Portal Terms of Use<br />

A Terms of use link appears on the lower right of each Secure Private Cloud portal page.<br />

This link should direct portal users to a document, which is issued by the Portal<br />

Administrator entity, that outlines the acceptable usage and conduct on the portal.<br />

To insert a Terms of Use document, do the following:<br />

1. Open a console to the Secure Private Cloud portal management VM, and log in using<br />

administrator credentials.<br />

2. Using Windows Explorer, navigate to the following directory:<br />

C:\Unisys\liferay-portal-6.0.6\tomcat-6.0.29\webapps\unisys-spg-portlet\WebHelp<br />

3. Map a network drive to the location of your TermsAndCondition.htm file.<br />

4. Copy the file to the C:\Unisys\liferay-portal-6.0.6\tomcat-6.0.29\webapps\unisys-spg-portlet\WebHelp<br />

folder.<br />

5. Disconnect the network drive that you mapped.<br />

6. Log off the management VM.<br />

For any workstation that you used to access the Secure Private Cloud portal previously,<br />

you must clear your browser history, cache, cookies, and all other browser records.<br />

CHECKPOINT:<br />

1. From your workstation, sign in to the portal using cloud administrator credentials.<br />

2. Click the Terms of Use link at the bottom right of the page, and verify that you see<br />

the new terms of use.<br />

Section 4<br />

Creating VMware Template Gold Images<br />

VMware template gold images are used by the Secure Private Cloud portal blueprints to<br />

instantiate virtual machines for end users. This section describes how to use the VMware<br />

templates provided by Unisys or how to create your own custom templates based on<br />

various operating systems (Windows, Red Hat Enterprise Linux, or SUSE Linux).<br />

The VMware templates you use must contain the required components and initial<br />

configuration settings to enable blueprints to be successfully cloned, customized, and<br />

commissioned in the Secure Private Cloud environment.<br />

To complete the procedures in this section, you must be familiar with the vSphere Client<br />

virtual machine creation wizard. See the help provided with VMware vCenter for more<br />

information. You should also be knowledgeable about the following:<br />

• Assigning the number of virtual CPUs<br />

• Designating memory size<br />

• Assigning Vdisk capacity<br />

• Attaching a VNIC to the appropriate VLAN<br />

Note: Each virtual machine template must include only one VNIC.<br />

• Creating an Administrator account<br />

• Installing and configuring any additional software that is required for this template<br />

4.1. Using Unisys Provided VMware Templates for Windows<br />

The Unisys Secure Private Cloud solution provides a set of Windows VMware templates<br />

that can be used as a base for creating gold images. On these templates, the operating<br />

system is installed and the firewall is configured.<br />

Notes:<br />

• Two templates are provided: one for Windows Server 2003 and one for Windows<br />

Server 2008. If Stealth for Secure Private Cloud is included in your environment, two<br />

additional Stealth-enabled templates are provided for Windows Server 2003 and<br />

Windows Server 2008. These Stealth-enabled templates are deployed during initial<br />

implementation by the Unisys service consultant.<br />

• Unisys does not provide templates for Linux. You can create Red Hat Enterprise Linux<br />

or SUSE Linux templates by performing the procedures in 4.2 Creating Custom<br />

Windows VMware Templates and Creating Linux VMware Templates.<br />

Perform the procedures in this topic to use the Unisys provided VMware templates.<br />

4.1.1. Importing Unisys Provided Templates into vCenter<br />

Perform the following procedure to import the Unisys provided VMware templates into<br />

vCenter:<br />

1. From the Management Server datastore, navigate to the Recovery Images folder.<br />

2. Download the Target Templates folder to the workstation.<br />

Wait until the download is complete before proceeding, and then close the datastore<br />

window.<br />

3. Launch the vSphere Client, connect to the vCenter server using its current host name<br />

or IP address, and log in using the administrator user credentials in Table 2–1, for a<br />

Unisys-supplied vCenter server, or Table 1–23, if you are using an existing vCenter<br />

server in your environment that you provide.<br />

4. Point to Deploy OVF Template on the File menu, and then click Deploy from file.<br />

The Deploy OVF Template wizard starts.<br />

a. Click Browse, select one of the OVA files that you downloaded in step 2, and<br />

then click Next.<br />

b. Complete each page of the wizard, using the following guidelines:<br />

• On the Name and Location page, select the inventory location using the<br />

datacenter name from Table 1–11.<br />

• On the Host / Cluster page, select the desired workload server or cluster.<br />

• On the Resource Pool page, select the desired workload server or cluster.<br />

Note: It is recommended that you do not select a resource pool.<br />

• On the Datastore page, select a datastore that is visible to all the workload<br />

servers where the template is intended to be used.<br />

• On the Disk Format page, select Thin provisioned format.<br />

• On the Network Mapping dialog, select the desired network.<br />

c. On the Ready to Complete page, verify the selections, and then click Finish to<br />

deploy the template.<br />

5. Repeat the previous step to deploy additional templates or to deploy the templates to<br />

additional workload servers or clusters.<br />

6. If you are using the Windows Server 2003 template, do the following to prepare the<br />

operating system:<br />

a. If required, convert the template to a virtual machine.<br />

b. Select the deployed virtual machine, click Edit Settings, select the Hardware<br />

tab, click Network adapter 1, and ensure that the following settings are<br />

accurate:<br />

• Connect at Power on is enabled.<br />

• Public Network is selected in the Network Connection list.<br />

c. Power on the virtual machine, and then open a console to it.<br />

The Windows Setup wizard starts.<br />

d. Provide a valid volume license key so that the virtual machine can be used as a<br />

template.<br />

Note: This key should be supplied by the cloud provider and the value recorded<br />

in Table 1–35 of the tenant worksheet.<br />

Wait for the Windows Setup wizard to complete and Windows to start.<br />

e. Log in to the Windows operating system when prompted.<br />

Note: The password for the local administrator user in the Windows Server 2003<br />

template is blank. Ensure that this password remains blank.<br />

f. Apply all necessary Windows updates and patches.<br />

g. Verify that the VMware Tools package is the latest available, and update this<br />

package if required.<br />

h. Shut down the virtual machine.<br />

You now can clone the virtual machine for further customization.<br />

7. If Stealth is included in your environment and you want to use the Stealth-enabled<br />

Windows Server 2003 template, repeat the previous step to prepare the operating<br />

system for that template.<br />

Note: This template was deployed during initial implementation by the Unisys<br />

service consultant.<br />

8. If you are using the Windows Server 2008 template, prepare the operating system as<br />

follows:<br />

a. If required, convert the template to a virtual machine.<br />

b. Select the deployed virtual machine, click Edit Settings, select the Hardware<br />

tab, click Network adapter 1, and ensure that the following settings are<br />

accurate:<br />

• Connect at Power on is enabled.<br />

• Public Network is selected in the Network Connection list.<br />

c. Power on the virtual machine.<br />

The Windows Setup wizard starts.<br />

d. Log in to the operating system, using the Windows Administrator user password<br />

from Table 2–1.<br />

e. Apply all necessary Windows updates and patches. (You might be prompted to<br />

activate your Windows operating system in order to complete these updates.)<br />

f. Verify that the VMware Tools package is the latest available, and update this<br />

package if required.<br />

g. Shut down the virtual machine.<br />

You now can clone the virtual machine for further customization.<br />

9. If Stealth is included in your environment and you want to use the Stealth-enabled<br />

Windows Server 2008 template, repeat the previous step to prepare the operating<br />

system for that template.<br />

Note: This template was deployed during initial implementation by the Unisys<br />

service consultant.<br />

4.1.2. Preinstalling Required Applications<br />

An important goal is to shorten the amount of time that it takes to provide an operational<br />

commissioned server. Therefore, in addition to installing and configuring the operating<br />

system, you should generally preinstall and configure some set of applications on your<br />

template. For example, this could be Apache Tomcat or Web services.<br />

However, before installing any application software, you should first clone your existing<br />

template and then install and configure the application software on the new clone. This<br />

new clone becomes a new template for the specific application. The existing template is<br />

retained in its original form for use with other application clones.<br />

4.1.3. Converting to a Template<br />

Do the following to convert the virtual machine to a template:<br />

1. Shut down the operating system.<br />

2. Click Edit Settings, set the CD/DVD device to use the Client Device, and then<br />

click OK.<br />

3. Right-click the virtual machine, and select Convert to Template under Template.<br />

4.2. Creating Custom Windows VMware Templates and Creating Linux VMware Templates<br />

If you want to create custom Windows VMware templates for your environment (rather<br />

than using the Unisys provided VMware templates), or if you want to create Red Hat<br />

Enterprise Linux or SUSE Linux templates, perform the procedures in this topic.<br />

4.2.1. Moving Template Configuration Images Folder<br />

In preparation for creating your own template, do the following to move the configuration<br />

images folders from the cloud management environment to the workload environment:<br />

1. From a vSphere Client connected to the management server, browse to the datastore,<br />

and download the Template Configuration Images folder to the workstation.<br />

2. From a vSphere Client connected to the vCenter server, browse to the datastore, and<br />

upload the Template Configuration Images folder.<br />

Repeat as necessary to ensure that the folder is visible to all workload servers.<br />

4.2.2. Configuring a Windows Target Template<br />

Do the following to configure a new Windows target template using the Windows<br />

installation media:<br />

1. Do the following to create a virtual machine that serves as the VMware target template:<br />

a. Using your vSphere Client, connect to the vCenter running on the vCenter server.<br />

b. On one of the workload servers in Table 1–11, create a virtual machine that is to<br />

become the template.<br />

The template virtual machine must have a vNIC on your Public Network, which is<br />

labeled the Public Network.<br />

2. On the newly created virtual machine, select Edit Settings.<br />

3. Connect a CD/DVD drive containing the Windows .iso image.<br />

4. Select the Connect at power on check box.<br />

5. Select the network adapter in the Hardware list on the left, ensure that Connect at<br />

Power on is enabled, and then select the Public Network from the Network<br />

Connection list on the right.<br />

6. Power on the virtual machine and open a console to it.<br />

The Windows Install wizard starts.<br />

7. Complete the installation of the operating system, using the wizard. Note the<br />

following key points.<br />

a. Change the host name to a descriptive name.<br />

b. Create a blank administrator password that will be used in the runbook.<br />

Note: If you are loading Windows Server 2008, you cannot leave the password<br />

blank. You can use any password for Windows Server 2008.<br />

c. Enter a volume license key.<br />

This key should be supplied by the cloud provider and the value recorded in<br />

Table 1–35.<br />

d. Leave the template out of a domain.<br />

8. Disconnect the CD drive from the virtual machine.<br />

9. Restart the virtual machine.<br />

10. Log on to the virtual machine.<br />

Note: The password for Windows Server 2003 virtual machines should be blank.<br />

11. Apply all necessary Windows updates <strong>and</strong> patches.<br />

12. Ensure that the Administrator user does not have the User cannot change<br />

password option selected.<br />

13. Install anti-virus software.<br />

14. Install VMware Tools from Virtual Client. Do a complete installation of the VMware<br />

tools (not a typical installation).<br />

15. For environments in which one or more VLANs are configured and enabled, perform<br />

the following depending on your environment:<br />

For Windows Server 2003 and Windows XP<br />

Copy the dns-setup.vbs script from the datastore to the root of the C:\ drive.<br />

The dns-setup.vbs script is in the Win_2k3_Config.iso image, which is on the<br />

datastore in the Template Configuration Images folder that was uploaded in<br />

4.2.1 Moving Template Configuration Images Folder.<br />

For Windows Server 2008<br />

a. Edit the network adapter settings for the LAN connection attached to the VLAN<br />

and ensure that the following two options are enabled (on the Advanced settings<br />

DNS tab):<br />

Register this connection’s addresses in DNS<br />

Use this connection’s DNS suffix registration<br />

Note: Ensure that the DNS suffix for this connection box is blank.<br />

b. Disable IPv6, as follows:<br />

• Edit the network connection and ensure that Internet Protocol Version 6<br />

(TCP/IPv6) is not selected.<br />

• Run regedit and edit the following registry entry:<br />

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters]<br />

"DisabledComponents"=dword:ffffffff<br />

c. If the optional Key Management Service (KMS) server role is set up in the<br />

Secure Private Cloud environment, do the following:<br />

• Copy the activate.vbs script from the datastore to the root of the C:\ drive.<br />

The activate.vbs script is in the W2K8_Config.iso image, which is on the<br />

datastore in the Template Configuration Images folder that was uploaded in<br />

4.2.1 Moving Template Configuration Images Folder.<br />

• Edit this script to contain the correct KMS server name.<br />

16. Reboot the virtual machine if necessary.<br />

Setting Firewall Exceptions for Windows Server 2003 and Windows XP<br />

To set Firewall Exceptions for Windows Server 2003 or Windows XP, open a command<br />

prompt, and enter the following commands:<br />

• To enable ping commands:<br />

netsh firewall set icmpsetting type=8 mode=ENABLE profile=ALL<br />

• To enable Remote Desktop:<br />

netsh firewall set service type=REMOTEDESKTOP mode=ENABLE profile=ALL<br />

Setting Firewall Exceptions for Windows Server 2008<br />

For the Windows Server 2008 template, create and enable custom firewall exceptions for<br />

ICMPv4 <strong>and</strong> ICMPv6 Echo Requests, as follows:<br />

1. In the Windows Firewall with Advanced Security snap-in, click Inbound Rules in the<br />

tree, and click New Rule in the Actions pane.<br />

2. Click Custom, and then click Next.<br />

3. Click All programs, and then click Next.<br />

4. For Protocol type, select ICMPv4.<br />

5. Click Customize next to Internet Control Message Protocol (ICMP)<br />

settings.<br />

6. Click Specific ICMP types.<br />

7. Click Echo Request, click OK, <strong>and</strong> then click Next.<br />

8. Under Which local IP address does this rule match? and For which remote<br />

IP address does this rule match?, click either of the following:<br />

• Any IP address<br />

• These IP addresses<br />

This value represents a set of IP addresses to which the instantiated virtual<br />

machine will respond, if those IP addresses ping the virtual machine. The virtual<br />

machine does not respond to pings from other IP addresses.<br />

If you click These IP addresses, specify the IP addresses to which the virtual<br />

machine will respond, click Add, and then click Next.<br />

9. Verify that Allow the connection is selected, <strong>and</strong> then click Next.<br />

10. Under When does this rule apply?, ensure that Domain, Private, and Public<br />

are selected, <strong>and</strong> then click Next.<br />

11. In the Name box, type a name for this rule. It is recommended that you create a rule<br />

name that indicates that Echo has been enabled for ICMPv4 networks.<br />

In the Description box, type an optional description.<br />

12. Click Finish.<br />

13. From the predefined Inbound Rules list, enable Remote Desktop for all profiles.<br />

14. If your tenants require a template that consists of more than just the base operating<br />

system, install and configure any additional software at this time.<br />

Verifying the Remote Desktop Connection<br />

Verify that the Remote Desktop Connection is enabled in the template.<br />
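
As an added example that is not part of the Unisys guide, the following PowerShell script applies the Windows Server 2008 template settings from the procedures above at an elevated prompt instead of through the MMC snap-in: the ICMPv4 Echo Request exception scoped to a constructed list of remote addresses, the predefined Remote Desktop rule group for all profiles, the IPv6 DisabledComponents registry value from step 15, and a check that the Remote Desktop exception is enabled. The rule name, the address list, and English-language netsh output are assumptions.<br />

```powershell
# Added example, not from the Unisys guide. Run in an elevated PowerShell prompt on the
# Windows Server 2008 template VM. The rule name and the remote address list are assumptions.

$EchoRuleName = 'SPC ICMPv4 Echo Request Enabled'   # assumed name; it states that Echo is enabled
# Constructed sample: only these addresses get a ping reply from instantiated VMs.
# Use 'any' to answer pings from every address.
$EchoRemoteIp = '192.0.2.10,192.0.2.20'

function Assert-LastExitCode {
    param([string]$What)
    if ($LASTEXITCODE -ne 0) { throw "$What failed with exit code $LASTEXITCODE" }
}

function Add-SpcEchoRequestRule {
    param([string]$Name, [string]$RemoteIp)
    # Remove any earlier copy so the script can be re-run (netsh reports "No rules match" otherwise).
    & netsh.exe advfirewall firewall delete rule "name=$Name" | Out-Null
    $ruleArgs = @(
        'advfirewall', 'firewall', 'add', 'rule',
        "name=$Name",
        'dir=in', 'action=allow',
        'protocol=icmpv4:8,any',   # ICMP type 8 (Echo Request), any code
        "remoteip=$RemoteIp",      # addresses whose pings the VM answers
        'profile=any',             # Domain, Private and Public profiles
        'enable=yes'
    )
    & netsh.exe $ruleArgs | Out-Null
    Assert-LastExitCode -What "netsh add rule $Name"
}

function Enable-SpcRemoteDesktop {
    # Allow RDP connections at the system level, then enable the predefined
    # "Remote Desktop" inbound rule group for every profile.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
        -Name fDenyTSConnections -Value 0 -Type DWord
    & netsh.exe advfirewall firewall set rule 'group=remote desktop' new enable=yes | Out-Null
    Assert-LastExitCode -What 'netsh enable Remote Desktop group'
}

function Test-SpcRemoteDesktopRule {
    # $true when the predefined "Remote Desktop (TCP-In)" rule reports "Enabled: Yes"
    # (assumes English netsh output).
    $lines = & netsh.exe advfirewall firewall show rule 'name=Remote Desktop (TCP-In)'
    return @($lines | Where-Object { $_ -match '^Enabled:\s+Yes' }).Count -gt 0
}

function Disable-SpcIPv6 {
    # Step 15b: DisabledComponents = 0xffffffff, the value given in the guide. reg.exe accepts
    # the full 32-bit value, which Set-ItemProperty -Type DWord may reject as out of range.
    & reg.exe add 'HKLM\SYSTEM\CurrentControlSet\Services\TCPIP6\Parameters' `
        /v DisabledComponents /t REG_DWORD /d 0xffffffff /f | Out-Null
    Assert-LastExitCode -What 'reg add DisabledComponents'
}

Add-SpcEchoRequestRule -Name $EchoRuleName -RemoteIp $EchoRemoteIp
Enable-SpcRemoteDesktop
Disable-SpcIPv6
if (-not (Test-SpcRemoteDesktopRule)) { throw 'The Remote Desktop firewall exception is not enabled' }
Write-Host 'Template firewall exceptions applied; reboot the VM before converting it to a template.'
```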

Preinstalling Required Applications<br />

An important goal is to shorten the amount of time that it takes to provide an operational<br />

commissioned server. Therefore, in addition to installing and configuring the operating<br />

system, you should generally preinstall and configure some set of applications on your<br />

template. For example, this could be Apache Tomcat or Web services.<br />

However, before installing any application software, you should first clone your existing<br />

template and then install and configure the application software on the new clone. This<br />

new clone becomes a new template for the specific application. The existing template is<br />

retained in its original form for use with other application clones.<br />

Making a Windows Template Stealth Ready<br />

Note: This procedure is not required for the Unisys provided Stealth-enabled template.<br />

If Stealth for Secure Private Cloud is included in your environment, and if you want to<br />

make a custom Windows template Stealth ready, do the following:<br />

1. Point to the CD/DVD icon on the tool bar, point to CD/DVD Drive 1, and click<br />

Connect to ISO image on a datastore.<br />

The Browse Datastores dialog box appears.<br />

2. Browse to the datastore specified in the “Connection information for Workload<br />

vCenter” section of Table 1–9, select the Stealth-Tenant-Server-Windowstemplate-.iso<br />

file in the Stealth for SPC Configuration Images folder, and then click OK.<br />

Close the Autoplay dialog box, if it appears.<br />

3. Open a command prompt, and enter the following commands:<br />

D:<br />

Run_SetUpTenantVM.bat<br />

The setup file runs, restarts the template, and the login dialog box appears.<br />

4. Enter the appropriate user name and password to sign in to the virtual machine.<br />

The Windows Activation dialog box appears.<br />

5. Click Cancel.<br />

Note: Do not enter a product key.<br />

The virtual machine desktop appears.<br />

6. Open File Explorer, browse to the C: drive, and then open the Results file using<br />

Notepad.<br />

The last line of the file has the following message:<br />

Tenant VM setup complete.<br />

7. Click the Drive icon on the toolbar, point to CD/DVD drive, and click Disconnect<br />

from datastore image.<br />

The Disconnect Device dialog box opens.<br />

8. Click Yes.<br />

9. Shut down the virtual machine.<br />

VNIC Restrictions<br />

Each virtual machine template must include only one VNIC. This maintains network<br />

security in your environment by preventing bridging across multiple network connections.<br />

Converting to a Template<br />

Do the following to convert the virtual machine to a template:<br />

1. Shut down the operating system.<br />

2. Click Edit Settings, set the CD/DVD device to use the Client Device, and then<br />

click OK.<br />

3. Right-click the virtual machine, and select Convert to Template under Template.<br />

Testing the Windows Target Template

Note: Perform the following test if you have a flat network; otherwise, perform this test after configuring the VLANs.

Do the following to test the template:

1. Unmount any CD image that is in the CD drive.

2. Shut down the virtual machine, set the CD/DVD device to Use Client Device, and convert it to a template.

3. Deploy a virtual machine from the template, using the Deploy Template wizard. Enter your preferred values in each page of the wizard using values from Table 1–27, except that you must fill out the following pages as follows:

   • On the Guest Customization page, select Customize Using the Customization Wizard.

   • On the Computer Name page, select Use the Virtual Machine Name, and enter the tenant DNS domain name from Table 1–27 in the Domain Name box.

   • On the DNS and Domain Settings page, enter the IP address for the tenant Domain Name Server from Table 1–27 in the Primary DNS box, enter the tenant DNS domain name from Table 1–27 in the DNS Search Path box, and then click Add.

4. After the template deployment completes, open a VMware console to the desktop of the new virtual machine and wait until the log-on screen appears (this can take a few minutes).

5. Log in using the default credentials.

4.2.3. Configuring a Red Hat Enterprise Linux Target Template

Do the following to configure a new Red Hat Enterprise Linux target template using the installation media:

Note: The startup scripts for the Linux templates perform nonsecure (unauthenticated) DNS registration. If the tenant-side DNS server requires secure DNS registration (for example, an Active Directory-integrated zone that accepts secure dynamic updates only), the unauthenticated update is rejected, and you must modify the startup scripts as appropriate for the tenant's needs.

1. Do the following to create a virtual machine as a VMware target template:

   a. Using your vSphere Client, connect to the vCenter running on the vCenter server.

   b. On one of the workload servers in Table 1–11, create a virtual machine that is to become the template.

   c. Assign the following attributes to the new virtual machine:

      • A vNIC on your Public Network (the network labeled Public Network)

      • At least 5 GB of disk space

      • Guest Operating System value of Linux

      • Version Red Hat Enterprise Linux 5 (32-bit) or Red Hat Enterprise Linux 5 (64-bit)

      • Thin Provisioning enabled

   Do not start the virtual machine at this time.

2. Select the deployed virtual machine, click Edit Settings, and do the following:

   a. Select the network adapter on the Hardware tab, and select the desired network for the virtual machine in the Network Label list.

   b. Ensure that Connect at Power on is enabled.

   c. Select the CD/DVD drive and click Client Device.

   d. Click the Options tab, select Boot Options, and enter 10,000 in the Power-on Boot Delay box (the value is in milliseconds, so this gives you 10 seconds to reach the boot menu).

   e. Click OK.

3. Open a console to the virtual machine, and then power on the virtual machine.

4. Click in the black area inside the console window, and press Esc to enter the boot menu.

5. Press Ctrl+Alt to release the cursor.


6. Click the CD icon on the console, and select either CD image or ISO image as the connection to the Red Hat installation media.

7. Click in the black area inside the console window, select CD-ROM Drive using the down arrow, and then press Enter.

   The Red Hat installation wizard begins.

8. Follow the wizard instructions to complete the installation of the operating system, noting the following key points:

   • Select Skip Entering Installation Number when prompted for an installation number.

   • Do the following on the Network Devices page:

     a. Click Edit.

        The Edit Interface dialog box appears.

     b. Clear the IPv6 support check box, and then click OK.

        The Edit Interface dialog box closes.

     c. Select Manually under the Hostname label, and then enter a descriptive host name, a period, and localdomain, as in the following example:

        rh53x64-tmp.localdomain

   • Set the root user's password to the SysPrepVMAdminPwd value in Table 1–12.

   • When the Congratulations, the installation is complete message appears, click the CD icon on the console, disconnect the CD or ISO image, and then click Reboot.

   • On the Set Up Software Updates page, select the No, I'd prefer to register at a later time check box.

     A prompt appears, asking Are you sure you don't want to connect.... Select the No thanks, I'll connect later check box.

   • On the Create User page, leave the boxes blank and click Forward.

   • When the It is highly recommended that a personal user account be created warning appears, click Continue.

9. Log on to the virtual machine.

10. Install VMware Tools, as follows:

    a. In the vSphere Client, right-click the virtual machine, point to Guest, click Install/Upgrade VMware Tools, and then click OK.

       The VMware Tools folder appears on the virtual machine desktop.

       Note: Newer versions of VMware have automated the installation of VMware Tools. The remainder of this step applies only to older versions of VMware.

    b. In the VMware Tools folder, double-click the VMwareTools-.tar.gz file.

       The VMwareTools-.tar.gz dialog box appears.

    c. Click Extract.

       The Extract dialog box appears.

    d. Select Desktop in the Extract in Folder list, and then click Extract.

    e. Close the VMwareTools-.tar.gz dialog box.

    f. Run the Terminal application and enter the following command:

       cd /root/Desktop/vmware-tools-distrib

    g. Enter the following command:

       ./vmware-install.pl

       The VMware Tools installation begins.

    h. Accept all installation defaults until you see the prompt for the display size, and then select the desired display size for your environment.

    i. Delete the vmware-tools-distrib folder from the desktop.

    j. Restart the virtual machine.

11. Configure the system to support your desired remote access technology, such as SSH or VNC.

12. Reboot the virtual machine, if necessary.

13. Use vCenter to mount the RHEL_Config.iso file in the CD drive for the Red Hat system.

    The RHEL_Config.iso file is in the Template Configuration Images folder. Refer to 4.2.1 Moving Template Configuration Images Folder.

14. Copy the rc.local file from the CD to the folder /etc/rc.d, replacing the rc.local file that already exists.

15. Ensure that the Allow executing file as a program permission is enabled for the file, as follows:

    a. Right-click the file, and then click Properties.

    b. Select the Execute check box on the Permissions tab, and then click Close.

Making a Red Hat Enterprise Linux Template Stealth Ready

If Stealth for Secure Private Cloud is included in your environment, and if you want to make a Red Hat Enterprise Linux template Stealth ready, do the following:

1. Click Applications on the task bar, point to Accessories, and click Terminal.

   The username@host window opens.

2. Click the Drive icon on the toolbar (the rightmost icon), point to CD/DVD drive, and click Connect to ISO image on a datastore.

   The Browse Datastores dialog box opens.

3. Browse to the datastore specified in the "Connection information for Workload vCenter" section of Table 1–9, and open the Stealth for SPC Configuration Images folder.

4. Browse to the following file, and click OK:

   Stealth-Tenant-Server-RedHat-template-.iso

   The CD/DVD drive icon appears on the desktop.

5. Double-click the CD/DVD drive icon.

   A dialog box for the .iso file opens, showing the contents of the file.

6. In the Terminal window, enter the following command:

   mount /dev/cdrom /mnt/cdrom

   A message appears that the CD-ROM is write-protected and mounted as read-only.

   Note: If the mount fails because the mount point does not exist, create it with the following command, and then repeat the mount command:

   mkdir -p /mnt/cdrom

7. Enter the following command:

   python /mnt/cdrom/SetUpTenantVM.py

   The script runs and displays messages.

   Wait for the setup process to complete.

8. Enter the following command to dismount the CD-ROM:

   umount /mnt/cdrom

9. Close the CD/DVD drive window and close the Terminal window.

10. Right-click the CD/DVD icon on the desktop, and select Eject.

11. Click the Drive icon on the toolbar, point to CD/DVD drive, and click Disconnect from datastore image.

VNIC Restrictions

Each virtual machine template must include only one vNIC. A guest with two vNICs can forward traffic between the two networks it is attached to (for example, between a tenant VLAN and the Public Network), which would defeat the network isolation this environment relies on; limiting templates to a single vNIC prevents that bridging.

Preinstalling Required Applications

An important goal is to shorten the amount of time that it takes to provide an operational commissioned server. Therefore, in addition to installing and configuring the operating system, you should generally preinstall and configure some set of applications on your template. For example, this could be Apache Tomcat or Web services.

However, before installing any application software, you should first clone your existing template and then install and configure the application software on the new clone. This new clone becomes a new template for the specific application. The existing template is retained in its original form for use with other application clones.

Converting to a Template

Do the following to convert the virtual machine to a template:

1. Shut down the operating system.

2. Click Edit Settings, set the CD/DVD device to use the Client Device, and then click OK.

3. Right-click the virtual machine, and select Convert to Template under Template.

Testing the Red Hat Enterprise Linux Target Template

Note: Perform the following test if you have a flat network; otherwise, perform this test after configuring the VLANs.

Do the following to test the template:

1. Deploy a virtual machine from the template, using the Deploy Template wizard. Enter your preferred values in each page of the wizard using values from Table 1–27, except that you must fill out the following pages as follows:

   • On the Guest Customization page, select Customize Using the Customization Wizard.

   • On the Computer Name page, select Use the Virtual Machine Name, and enter the tenant DNS domain name from Table 1–27 in the Domain Name box.

   • On the DNS and Domain Settings page, enter the IP address for the tenant Domain Name Server from Table 1–27 in the Primary DNS box, enter the tenant DNS domain name from Table 1–27 in the DNS Search Path box, and then click Add.

   • On the Ready to Complete page, disable the Power on this virtual machine after creation option.

2. After the template deployment completes:

   a. Go to Edit Settings for the new virtual machine, and set the network adapter to the tenant VLAN network label in Table 1–26.

   b. Power on the new virtual machine.

   c. Open a VMware console to the desktop of the new virtual machine and wait until the log-on screen appears (this can take a few minutes), and then log in as root using the SysPrepVMAdminPwd value from Table 1–12.

   d. In the /etc/rc.d folder, open the runonce.log file and check for error messages. If the DNS registration was successful, the file should have a line that includes the following phrase:

      status: NOERROR

      Any other status on that line means the update was not accepted, and the absence of the line means the registration was never attempted.

3. Verify that the system was registered in the tenant-side DNS, or in the uChargeback DNS if the tenant did not supply a DNS.

   If the tenant is using a Windows DNS, or if you are using the uChargeback DNS, then you can verify registration as follows:

   a. On the DNS server, run DNS on the Administrative Tools menu.

   b. In the left pane, expand the DNS host name node, expand the Forward Lookup Zones node, and expand the domain name node.

   c. In the right pane, verify that the host name for the Red Hat virtual machine appears.

   Note: If you were already running the DNS administrative tool, you might need to refresh the computer list by clicking the domain name in the left pane and then clicking Refresh on the Action menu.

4. Power down the virtual machine, and delete the virtual machine from the disk.

4.2.4. Configuring a SUSE Linux Target Template

Do the following to configure a new SUSE Linux target template using the installation media:

Notes:

• The startup scripts for the Linux templates perform nonsecure (unauthenticated) DNS registration. If the tenant-side DNS server requires secure DNS registration, the unauthenticated update is rejected, and you have to modify the startup scripts as appropriate for the tenant's needs.

• Stealth for Secure Private Cloud is not supported with SUSE Linux. If you want to create a Stealth-enabled Linux template, you must use Red Hat Enterprise Linux. See 4.2.3 Configuring a Red Hat Enterprise Linux Target Template.

1. Do the following to create a virtual machine as a VMware target template:

   a. Using your vSphere Client, connect to the vCenter running on the vCenter server.

   b. On one of the workload servers in Table 1–11, create a virtual machine that is to become the template.

   c. Assign the following attributes to the new virtual machine:

      • A vNIC on your Public Network (the network labeled Public Network)

      • At least 5 GB of disk space

      • Guest Operating System value of Linux

      • Version SUSE Linux Enterprise 10 or SUSE Linux Enterprise 11, 32-bit or 64-bit

      • Thin Provisioning enabled

   Do not start the virtual machine at this time.

2. Select the deployed virtual machine, click Edit Settings, and do the following:

   a. Select the network adapter on the Hardware tab, and select the Public Network for the virtual machine in the Network Label list.

   b. Select the CD/DVD drive and click Client Device.

   c. Click the Options tab, select Boot Options, and enter 10,000 in the Power-on Boot Delay box (the value is in milliseconds, so this gives you 10 seconds to reach the boot menu).

   d. Click OK.

3. Open a console to the virtual machine, and then power on the virtual machine.

4. Click in the black area inside the console window, and press Esc to enter the boot menu.

5. Press Ctrl+Alt to release the cursor.

6. Right-click the CD icon on the console, and select either CD image or ISO image as the connection to the SUSE Linux installation media.

7. Click in the black area inside the console window, select CD-ROM Drive using the down arrow, and then press Enter.

   The SUSE Linux installation wizard begins.

8. Follow the wizard instructions to complete the installation of the operating system, noting the following key points:

   • On the Password for the System Administrator "root" page, set the password to the value for SysPrepVMAdminPwd in Table 1–12.

   • On the Hostname and Domain Name page, change the host name to a descriptive name, but leave the domain name unchanged.

   • On the Network Configuration page, clear the IPv6 check box.

   • On the Test Internet Connection page, select No, Skip This Test if the virtual machine is not currently connected to a network with Internet access.

   • On the User Authentication Method page, select Local.

   • On the New Local User page, leave the boxes blank and click Next.

   • When the Empty User Login prompt appears, click Yes.

9. Log on to the virtual machine.

10. Install VMware Tools, as follows:

    a. In the vSphere Client, right-click the virtual machine, point to Guest and then Install/Upgrade VMware Tools, click Interactive Install, and then click OK.

       The VMware_Tools File Browser appears on the virtual machine desktop.

    b. In the VMware_Tools folder, double-click the VMwareTools-.tar.gz file.

       The VMwareTools-.tar.gz dialog box appears.

    c. Click Extract.

       The Extract dialog box appears.

    d. Select Desktop in the Extract in Folder list, and then click Extract.

    e. Close the VMwareTools-.tar.gz dialog box.

    f. Run the Terminal application and enter the following command:

       cd /root/Desktop/vmware-tools-distrib

    g. Enter the following command:

       ./vmware-install.pl

       The VMware Tools installation begins.

    h. Accept all installation defaults until you see the prompt for the display size, and then select the desired display size for your environment.

    i. Delete the vmware-tools-distrib folder from the desktop.

    j. Restart the virtual machine.

11. Configure the system to support your desired remote access technology, such as SSH or VNC.

12. Reboot the virtual machine, if necessary.

13. Use vCenter to mount the SLES_Config.iso file in the CD drive for the SUSE Linux system.

    The SLES_Config.iso file is in the Template Configuration Images folder. Refer to 4.2.1 Moving Template Configuration Images Folder.

14. Copy the example spc_dns file from the CD to the folder /etc/init.d.

15. Run the Gnome Terminal and enter the following command:

    cd /etc/init.d

16. Enter the following command to make the spc_dns script executable:

    chmod 755 spc_dns

17. Enter the following command to cause the spc_dns script to run automatically after every reboot:

    insserv spc_dns

18. If you are using SUSE Linux Enterprise 10, then perform the following workaround for the name resolution problem with ".local" domains:

    Note: This is a known problem with Novell SUSE Linux 10. Do not perform this workaround on SUSE Linux 11. Refer to the following link for more information:

    http://www.novell.com/support/dynamickc.do?cmd=show&forward=nonthreadedKC&docType=kc&externalId=3794674&sliceId=1

    a. Using a text editor, open the file /etc/host.conf.

    b. Insert a line with the following value:

       mdns off

    c. Save and close the file.

VNIC Restrictions

Each virtual machine template must include only one vNIC. A guest with two vNICs can forward traffic between the two networks it is attached to (for example, between a tenant VLAN and the Public Network), which would defeat the network isolation this environment relies on; limiting templates to a single vNIC prevents that bridging.
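The copy, chmod and insserv sequence in SUSE steps 14 through 18 above, and the equivalent rc.local copy in Red Hat steps 14 and 15, can be scripted so that the result is verified rather than inspected by eye. The following is an added example, not a script from the Unisys guide or from the Secure Private Cloud product. The function names, the ROOT variable (which lets the same steps run against a scratch copy of the tree) and the /media/cdrom mount point in the usage line are assumptions introduced here; the contents of spc_dns and rc.local come from the configuration ISO and are not part of this script.

```shell
#!/bin/sh
# Added example; not a script from the Unisys guide or the Secure Private Cloud
# product.  Scripts SUSE steps 14-18 (copy spc_dns to /etc/init.d, make it
# executable, register it with insserv, add "mdns off" on SLES 10) and the
# equivalent Red Hat copy of rc.local (steps 14-15).  ROOT is an assumption
# added here so the functions can be exercised against a scratch directory.

# install_startup_script SRC DEST
# Copies SRC to DEST with mode 0755 and confirms the copy is byte-identical and
# executable before returning 0.  Returns 1 if SRC is missing or any step fails.
install_startup_script() {
    src="$1"; dest="$2"
    [ -f "$src" ] || { echo "install_startup_script: missing $src" >&2; return 1; }
    cp "$src" "$dest" || return 1
    chmod 0755 "$dest" || return 1
    chown root:root "$dest" 2>/dev/null || true   # not fatal when run unprivileged
    cmp -s "$src" "$dest" && [ -x "$dest" ]
}

# register_startup_script NAME ROOT
# Step 17: insserv NAME, but only on the live system (ROOT = /); a scratch tree
# has no init.d dependency database for insserv to update.
register_startup_script() {
    name="$1"; root="${2:-/}"
    if [ "$root" != "/" ]; then
        echo "register_startup_script: ROOT is $root, skipping insserv $name" >&2
        return 0
    fi
    insserv "$name"
}

# disable_mdns HOSTCONF
# Step 18 (SLES 10 only): add "mdns off" to host.conf exactly once, so running
# the script twice never produces duplicate lines.
disable_mdns() {
    conf="$1"
    [ -f "$conf" ] || : > "$conf" || return 1
    grep -q '^mdns[[:space:]]*off' "$conf" && return 0
    printf 'mdns off\n' >> "$conf"
}

# Usage on the SUSE template, as root, with the configuration CD mounted at
# /media/cdrom (mount point assumed):
#   sh setup_spc_dns.sh --install /media/cdrom/spc_dns 10    # "10" = SLES 10
if [ "${1:-}" = "--install" ]; then
    src="${2:?path to spc_dns on the mounted configuration CD}"
    root="${ROOT:-/}"
    install_startup_script "$src" "$root/etc/init.d/spc_dns" || exit 1
    register_startup_script spc_dns "$root" || exit 1
    if [ "${3:-}" = "10" ]; then
        disable_mdns "$root/etc/host.conf" || exit 1
    fi
    echo "spc_dns installed under $root"
fi
```

On the Red Hat template the same function covers steps 14 and 15 with the ISO mounted as in the Stealth-ready procedure: install_startup_script /mnt/cdrom/rc.local /etc/rc.d/rc.local. The cmp check at the end is what turns the copy into a verified step; a truncated or partially written rc.local would otherwise go unnoticed until the first deployed clone fails to register in DNS.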


Preinstalling Required Applications

An important goal is to shorten the amount of time that it takes to provide an operational commissioned server. Therefore, in addition to installing and configuring the operating system, you should generally preinstall and configure some set of applications on your template. For example, this could be Apache Tomcat or Web services.

However, before installing any application software, you should first clone your existing template and then install and configure the application software on the new clone. This new clone becomes a new template for the specific application. The existing template is retained in its original form for use with other application clones.

Deleting MAC Addresses

Use the following steps to modify the network adapter configuration so that it does not specify a MAC address. Otherwise, when a virtual machine is cloned from this template, the clone receives a new MAC address, Linux treats the adapter as a new device and renames it (for example, to eth1), and the spc_dns script is unable to register in DNS.

To delete MAC addresses:

1. In the folder /etc/sysconfig/network, locate a file with the name ifcfg-eth-id-<MAC address> (such as ifcfg-eth-id-00:50:56:8a:09:83) and change the filename to ifcfg-eth0.

2. Edit the ifcfg-eth0 file. If the file includes a DEVICE assignment, change the value to 'eth0'. For example, if the assignment is

   DEVICE='eth2'

   change the assignment to

   DEVICE='eth0'

3. Open the following file for editing, if it exists:

   /etc/udev/rules.d/30-net_persistent_names.rules

4. Delete any rules that are present in this file (that is, any statements that are not preceded by a # comment character).

5. Delete the following file, if it exists:

   /etc/udev/rules.d/70-persistent-net.rules

6. Immediately after performing step 5, shut the system down and convert it to a template.

   Note: If you mistakenly reboot the system after performing step 5, then you must perform steps 3 through 5 again, because the rules in 30-net_persistent_names.rules and 70-persistent-net.rules are regenerated automatically after each reboot.
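The six steps above can be performed, and their result checked, by a script rather than by hand. What follows is an added example, not a script from the Unisys guide; the function name, the --apply flag and the ROOT argument (which lets the same steps run against a copy of the tree for testing) are assumptions introduced here. The script refuses to touch a tree that contains more than one MAC-named ifcfg file, because such a template has more than one vNIC and violates the restriction stated earlier.

```shell
#!/bin/sh
# Added example; not a script from the Unisys guide.  Performs the "Deleting
# MAC Addresses" steps on a SUSE template and checks the result.  The function
# name and the ROOT argument (run the steps against a copy of the tree) are
# assumptions introduced here.

# strip_mac_binding ROOT
# Returns 0 when the tree under ROOT is left with one MAC-independent
# ifcfg-eth0 and no generated udev naming rules.  Returns 1 and changes nothing
# if more than one ifcfg-eth-id-* file exists: that template has more than one
# vNIC, violates the VNIC restriction, and must be fixed by hand first.
strip_mac_binding() {
    root="${1:-/}"
    netdir="$root/etc/sysconfig/network"
    rulesdir="$root/etc/udev/rules.d"

    # Step 1: find the MAC-named config file(s).
    count=0; idfile=""
    for f in "$netdir"/ifcfg-eth-id-*; do
        [ -e "$f" ] || continue
        count=$((count + 1)); idfile="$f"
    done
    if [ "$count" -gt 1 ]; then
        echo "strip_mac_binding: $count ifcfg-eth-id-* files; template must have one vNIC" >&2
        return 1
    fi
    if [ "$count" -eq 1 ]; then
        mv "$idfile" "$netdir/ifcfg-eth0" || return 1
    fi

    # Step 2: any DEVICE='ethN' assignment becomes DEVICE='eth0'.
    if [ -f "$netdir/ifcfg-eth0" ]; then
        sed "s/^DEVICE=.*/DEVICE='eth0'/" "$netdir/ifcfg-eth0" > "$netdir/ifcfg-eth0.tmp" || return 1
        mv "$netdir/ifcfg-eth0.tmp" "$netdir/ifcfg-eth0" || return 1
    fi

    # Steps 3-4: keep only comment lines in the SLES 10 naming rules file.
    if [ -f "$rulesdir/30-net_persistent_names.rules" ]; then
        grep '^#' "$rulesdir/30-net_persistent_names.rules" > "$rulesdir/30-net.tmp" || true
        mv "$rulesdir/30-net.tmp" "$rulesdir/30-net_persistent_names.rules" || return 1
    fi

    # Step 5: the SLES 11 generated rules file is removed outright.
    rm -f "$rulesdir/70-persistent-net.rules"

    # Step 6 stays manual: shut down now, because a reboot regenerates both files.
    echo "MAC binding removed under $root; shut down and convert to a template without rebooting"
}

# Usage on the template itself (as root):   sh strip_mac.sh --apply
# Against a copy of the tree, for a dry run: sh strip_mac.sh --apply /tmp/template-copy
if [ "${1:-}" = "--apply" ]; then
    strip_mac_binding "${2:-/}" || exit 1
fi
```

The refusal on two ifcfg-eth-id files is deliberate: silently renaming one of them to ifcfg-eth0 would leave the second adapter configured under its MAC name and produce a template that both violates the single-vNIC rule and registers the wrong interface in DNS.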


Converting to a Template

Do the following to convert the virtual machine to a template:

1. Shut down the operating system.

2. Click Edit Settings, set the CD/DVD device to use the Client Device, and then click OK.

3. Right-click the virtual machine, and select Convert to Template under Template.

Testing a SUSE Linux Target Template

Note: Perform the following test if you are not using VLANs to isolate tenant resources; otherwise, perform this test after configuring the VLANs.

Do the following to test the template:

1. Deploy a virtual machine from the template, using the Deploy Template wizard. Enter your preferred values in each page of the wizard using values from Table 1–27, except that you must fill out the following pages as follows:

   • On the Guest Customization page, select Customize Using the Customization Wizard.

   • On the Computer Name page, select Use the Virtual Machine Name, and enter the tenant DNS domain name from Table 1–27 in the Domain Name box.

   • On the DNS and Domain Settings page, enter the IP address for the tenant Domain Name Server from Table 1–27 in the Primary DNS box, enter the tenant DNS domain name from Table 1–27 in the DNS Search Path box, and then click Add.

   • On the Ready to Complete page, disable the Power on this virtual machine after creation option.

2. After the template deployment completes:

   a. Go to Edit Settings for the new virtual machine, and set the network adapter to the tenant VLAN network label in Table 1–26.

   b. Power on the new virtual machine.

   c. Open a VMware console to the desktop of the new virtual machine and wait until the log-on screen appears (this can take a few minutes), and then log in as root using the SysPrepVMAdminPwd value from Table 1–12.

   d. In the /etc/init.d folder, open the spc_dns.log file and check for error messages. If the DNS registration was successful, the file should have a line that includes the following phrase:

      status: NOERROR

      Any other status on that line means the update was not accepted, and the absence of the line means the registration was never attempted.

3. Verify that the system was registered in the tenant-side DNS.

   If the tenant is using a Windows DNS, then you can verify registration as follows:

   a. On the domain controller, run DNS on the Administrative Tools menu.

   b. In the left pane, expand the DNS host name node, expand the Forward Lookup Zones node, and expand the domain name node.

   c. In the right pane, verify that the host name for the SUSE Linux virtual machine appears.

   Note: If you were already running the DNS administrative tool, you might need to refresh the computer list by clicking the domain name in the left pane and then clicking Refresh on the Action menu.

4. Power down the virtual machine, and delete the virtual machine from the disk.
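Step 2d of this test, and the same step in the Red Hat test, rely on reading spc_dns.log or runonce.log by eye for a line containing status: NOERROR. The following is an added example, not from the Unisys guide, that performs the same check from a shell and distinguishes a rejected update from a registration that never ran. It assumes the log carries the "status: <RCODE>" header line that nsupdate and dig print (the guide only states that NOERROR appears on success); the sample log lines it writes are constructed for illustration, not captured from a real system, and the tenant.example domain in them is made up.

```shell
#!/bin/sh
# Added example; not a script from the Unisys guide.  Reads the startup
# script's log (runonce.log on Red Hat, spc_dns.log on SUSE) and classifies
# the dynamic DNS update the way step 2d does by eye.  Assumes the log
# contains the "status: <RCODE>" line that nsupdate/dig print.

# dns_update_rcode LOGFILE
# Prints the RCODE of the last update response found in LOGFILE.  Exit status:
#   0  NOERROR: the zone accepted the update
#   1  any other RCODE; REFUSED is the usual sign that the zone only accepts
#      secure (signed) updates, which the unauthenticated script cannot send
#   2  no status line at all: the script never ran or the server never answered
dns_update_rcode() {
    log="$1"
    [ -r "$log" ] || { echo "NOLOG"; return 2; }
    rcode=$(sed -n 's/.*status: \([A-Z]*\).*/\1/p' "$log" | tail -n 1)
    if [ -z "$rcode" ]; then
        echo "NOSTATUS"
        return 2
    fi
    echo "$rcode"
    [ "$rcode" = "NOERROR" ]
}

# verify_registration FQDN DNSSERVER
# Cross-checks the log against the server itself: resolves FQDN at DNSSERVER
# with whichever of dig, host or nslookup the template has installed.
verify_registration() {
    fqdn="$1"; server="$2"
    if command -v dig >/dev/null 2>&1; then
        dig +short @"$server" "$fqdn" A | grep -q .
    elif command -v host >/dev/null 2>&1; then
        host "$fqdn" "$server" | grep -q 'has address'
    else
        nslookup "$fqdn" "$server" | grep -q '^Name:'
    fi
}

# sample_log FILE KIND
# Writes a constructed example log (not captured from a real system) so the
# checker can be exercised offline.  KIND is ok, refused or empty.
sample_log() {
    case "$2" in
        ok)
            printf 'Registering rh53x64-tmp.tenant.example in DNS\n;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 12345\n' > "$1" ;;
        refused)
            printf 'Registering rh53x64-tmp.tenant.example in DNS\n;; ->>HEADER<<- opcode: UPDATE, status: REFUSED, id: 12346\n' > "$1" ;;
        *)
            : > "$1" ;;
    esac
}

# Usage on a deployed test VM:
#   sh check_dns_reg.sh /etc/init.d/spc_dns.log [fqdn dns-server]
if [ $# -ge 1 ]; then
    if rcode=$(dns_update_rcode "$1"); then
        echo "DNS registration succeeded: $rcode"
        if [ $# -ge 3 ]; then
            verify_registration "$2" "$3" && echo "$2 resolves at $3" || echo "$2 does not resolve at $3" >&2
        fi
    else
        echo "DNS registration failed or not attempted: $rcode" >&2
        exit 1
    fi
fi
```

The three-way result matters when triaging a failed test: REFUSED points at the secure-update requirement mentioned in the note at the start of this section and is fixed on the DNS side or in the script, whereas NOSTATUS means the script did not run at all (for example, rc.local or spc_dns is not executable, or the adapter was renamed because its MAC binding was not removed).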

4.3. Preparing an Existing Virtual Machine or Template for a Stealth-Enabled VLAN

Perform the following procedures to prepare an existing Windows or Red Hat Enterprise Linux virtual machine or virtual machine template to run on a Stealth-enabled VLAN.

Note: Perform this procedure if you have an existing template in your environment that meets the requirements of Secure Private Cloud but that has not yet been Stealth-enabled. (If you are using a Unisys provided template, do not perform this procedure; instead, use the Unisys provided Stealth-enabled template. If you already performed the procedure in Making a Windows Template Stealth Ready or Making a Red Hat Enterprise Linux Template Stealth Ready, do not perform this procedure, since your template is already Stealth ready.)

4.3.1. VNIC Restrictions

Each virtual machine template must include only one vNIC. A guest with two vNICs can forward traffic between the two networks it is attached to (for example, between a tenant VLAN and the Public Network), which would defeat the network isolation this environment relies on; limiting templates to a single vNIC prevents that bridging.

4.3.2. Preparing a Windows Virtual Machine or Template for a Stealth-Enabled VLAN

You can prepare an existing Windows virtual machine or virtual machine template to run on a Stealth-enabled VLAN (that is, make the template Stealth ready). Before starting the following procedure, you can make a clone of the virtual machine or template if you want to preserve it in its original form.

Notes:

• Making a virtual machine or template Stealth ready does not install Stealth for Secure Private Cloud software. Instead, the procedure copies the files necessary for Stealth for Secure Private Cloud software to be installed and configured.

• For Windows Server 2003 operating systems, ensure that the password for the local administrator account on the virtual machine template is blank.


1. Open a vSphere Client, and log on to vCenter.

2. In the vSphere Client, select the Windows virtual machine or template that you want to prepare for Stealth for Secure Private Cloud, and do the following:

   a. Click Convert to a virtual machine in the Basic Tasks list.

      The Convert Template to Virtual Machine dialog box opens.

   b. Expand Host/Cluster, select the specific host, select the IP address, and click Next.

      The Resource Pool page appears.

   c. Verify that a "validation succeeded" message appears in the Compatibility box, and then click Next.

      The Ready to Complete page appears.

   d. Click Finish.

3. In the vSphere Client, select the Windows virtual machine, and click Power On the virtual machine in the Basic Tasks list.

   The virtual machine is powered on and the task changes to Power Off the virtual machine.

4. Right-click the Windows virtual machine in the left pane, and do the following:

   a. Click Open Console.

      The Windows Template window opens and shows the virtual machine starting. A progress bar appears and shows the startup steps.

      When the startup process finishes, a login prompt appears, followed by the login dialog box.

   b. Enter the appropriate user name to sign into the virtual machine.

      The Windows Activation dialog box appears.

   c. Click Cancel.

      Note: Do not enter a product key.

      A restart message box appears.

   d. Click Restart Later.

5. Set up directories and copy files for making the virtual machine or template Stealth ready, as follows:

   a. Point to the CD/DVD icon on the toolbar, point to CD/DVD Drive 1, and click Connect to ISO image on a datastore.

      The Browse Datastores dialog box appears.

   b. Browse to the Stealth for SPC Configuration Images folder on the desired datastore, and click the desired template ISO file.

   c. If the Autoplay dialog box appears, click Run_SetUpTenantVM.bat.

      Note: On some versions of Windows, this .bat file runs automatically.

      The setup file runs, restarts the template, and the login dialog box appears.

   d. Enter the appropriate user name and password to sign into the virtual machine.

   e. If the Windows Activation dialog box appears, click Cancel.

      Note: Do not enter a product key.

      The virtual machine desktop appears.

   f. CHECKPOINT: Open Windows Explorer, browse to the C: drive, and then open the Result.txt file using Notepad.

      Verify that the last line of the file displays the following message:

      Tenant VM setup complete.

      Close the Result.txt file.

   g. Click the Drive icon on the toolbar, point to CD/DVD drive, and click Disconnect from datastore image.

      The Disconnect Device dialog box opens.

   h. Click Yes.

   i. Click the Start menu, point to Log off, and click Shut down.

6. Configure the virtual machine, as follows:

   a. Click Edit Settings on the VM menu.

      The Virtual Machine Properties dialog box opens.

   b. Click CD/DVD Drive 1 in the Hardware list in the left pane, and then click Client Device in the right pane.

      CD/DVD Drive 1 appears as edited in the left pane, with Client Device in the Summary list.

   c. Click Floppy drive 1 in the Hardware list in the left pane, and then click Client Device in the right pane.

      Floppy drive 1 appears as edited in the left pane, with Client Device in the Summary list.

   d. Click OK.

7. Close the console to the Windows virtual machine.

8. Right-click the Windows virtual machine in the left pane, point to Template, and then click Convert to Template.

The Windows template is ready to be run or used for provisioning virtual machines running the Windows operating system on a Stealth-enabled VLAN.


4.3.3. Preparing a Red Hat Enterprise Linux Virtual Machine or Template for a Stealth-Enabled VLAN

You can prepare an existing Red Hat Enterprise Linux virtual machine or virtual machine template to run on a Stealth-enabled VLAN (that is, make the template Stealth ready). Before starting the following procedure, you can make a clone of the virtual machine or template if you want to preserve it in its original form.

Note: Making a virtual machine or template Stealth ready does not install Stealth for Secure Private Cloud software. Instead, the procedure copies the files necessary for Stealth for Secure Private Cloud software to be installed and configured.

1. Open a vSphere Client, and log on to vCenter.

2. In the vSphere Client, select the Red Hat Enterprise Linux virtual machine or template that you want to prepare for Stealth for Secure Private Cloud. If you selected a virtual machine, skip to step 3. If you selected a template, convert it to a virtual machine as follows:

a. Click Convert to a virtual machine in the Basic Tasks list.

The Convert Template to Virtual Machine dialog box opens.

b. Expand Host/Cluster, select the specific host, select the IP address, and click Next.

The Resource Pool page appears.

c. Verify that a "validation succeeded" message appears in the Compatibility box, and then click Next.

The Ready to Complete page appears.

d. Click Finish.

3. In the vSphere Client, select the Red Hat Enterprise Linux virtual machine, and click Power On the virtual machine in the Basic Tasks list.

The virtual machine is powered on, and the task changes to Power Off the virtual machine.

4. Right-click the Red Hat Enterprise Linux virtual machine in the left pane, and do the following:

a. Click Open Console.

The Red Hat Template window opens and shows the virtual machine starting. A progress bar shows the startup steps. When startup finishes, a login prompt appears, followed by the login window.

b. Enter the appropriate user name, followed by the appropriate password, to sign in to the virtual machine.

5. Set up directories and copy files to make the virtual machine or template Stealth ready, as follows:

a. Click Applications on the task bar, point to Accessories, and click Terminal.

The username@host window opens.

b. Click the Drive icon on the toolbar (the rightmost icon), point to CD/DVD drive, and click Connect to ISO image on a datastore.

The Browse Datastores dialog box opens.

c. Browse to the "Stealth for SPC Configuration Images" folder on the datastore referenced in the Connection Information for Workload vCenter section of Table 1–9.

d. Select the Stealth-Tenant-Server-RedHat-template-.iso file, and then click OK.

The CD/DVD drive icon appears on the desktop.

e. Double-click the CD/DVD drive icon.

A dialog box for the .iso file opens, showing the contents of the file.

f. In the terminal window, enter the following command (this command and the setup command in step g require root privileges; prefix them with sudo if you are not signed in as root):

mount /dev/cdrom /mnt/cdrom

A message appears that the CD-ROM is write-protected and mounted as read-only.

Note: If the mount fails because the /mnt/cdrom directory does not exist, create the mount directory with the following command, and then repeat the mount command:

mkdir /mnt/cdrom

g. Enter the following command:

python /mnt/cdrom/SetUpTenantVM.py

The script runs and displays messages. Wait for the setup process to complete.

h. Enter the following command to unmount the CD-ROM:

umount /mnt/cdrom

i. Click the Drive icon on the toolbar, point to CD/DVD drive, and then click Disconnect from datastore image.

6. Configure the virtual machine, as follows:

a. Click Edit Settings on the VM menu.

The Virtual Machine Properties dialog box opens.

b. Click CD/DVD Drive 1 in the Hardware list in the left pane, and then click Client Device in the right pane.

CD/DVD Drive 1 appears as edited in the left pane, with Client Device in the Summary list.

c. Click Floppy drive 1 in the Hardware list in the left pane, and then click Client Device in the right pane.

Floppy drive 1 appears as edited in the left pane, with Client Device in the Summary list.

d. Click OK.

7. Close the Red Hat Template window.

The Virtual Machine Question dialog box appears.

8. Click Yes to disconnect, and then click OK.

9. In the vSphere Client, select the Red Hat Enterprise Linux virtual machine in the left pane, click Shut Down Guest in the Basic Tasks list, and then click Yes to confirm.

The virtual machine is powered off.

10. Select the Red Hat Enterprise Linux virtual machine in the left pane, and click Convert to a template in the Basic Tasks list.

The Red Hat Enterprise Linux virtual machine or template is ready to be run or used for provisioning virtual machines running the Linux operating system on a Stealth-enabled VLAN.
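The terminal part of step 5 (mount the image, run SetUpTenantVM.py, unmount) is easy to leave half done when the script fails or the wrong ISO is connected. The following POSIX shell script is an added example; it is not part of the Unisys procedure or of the Stealth template ISO. It mounts the image read-only, refuses to run unless SetUpTenantVM.py is actually on the image, and unmounts on every exit path so the virtual machine is never converted to a template with the configuration image still mounted. The device and mount point default to the manual's /dev/cdrom and /mnt/cdrom; the STEALTH_PREP_RUN variable is an assumed guard so the functions can be sourced without running anything.

```shell
#!/bin/sh
# prepare_stealth_rhel.sh - added example wrapping steps 5f-5h of the RHEL
# Stealth-ready procedure. Run as root on the RHEL VM after the template ISO
# is connected to the virtual CD/DVD drive:
#   STEALTH_PREP_RUN=1 sh prepare_stealth_rhel.sh
set -eu

ISO_DEV="${ISO_DEV:-/dev/cdrom}"      # device the vSphere Client attached the ISO to
MNT="${MNT:-/mnt/cdrom}"              # mount point used in the manual
SETUP_SCRIPT="SetUpTenantVM.py"       # setup script shipped on the template ISO

# Create the mount directory if it is missing (the manual's "if this fails" note).
ensure_mountpoint() {
    [ -d "$1" ] || mkdir -p "$1"
}

# True when something is already mounted on the given directory.
is_mounted() {
    grep -q " $1 " /proc/mounts 2>/dev/null
}

# Mount the ISO read-only. The image is read-only anyway, but asking for it
# explicitly makes the intent visible and the mount fails loudly if the
# device is not what we expect.
mount_iso_ro() {
    ensure_mountpoint "$2"
    is_mounted "$2" || mount -o ro "$1" "$2"
}

# Run the setup script only if it is really on the image; a wrong ISO (for
# example the Windows template image) should fail here, not half way through.
run_setup() {
    mnt="$1"
    if [ ! -f "$mnt/$SETUP_SCRIPT" ]; then
        echo "error: $SETUP_SCRIPT not found on $mnt; is the RedHat template ISO connected?" >&2
        return 2
    fi
    python "$mnt/$SETUP_SCRIPT"
}

prepare_stealth_vm() {
    mount_iso_ro "$ISO_DEV" "$MNT"
    # Unmount on success, failure, or Ctrl-C so the VM is never left with the
    # configuration image mounted when it is converted to a template.
    trap 'umount "$MNT" 2>/dev/null || true' EXIT
    run_setup "$MNT"
    echo "Tenant VM setup script finished; disconnect the ISO in the vSphere Client."
}

if [ "${STEALTH_PREP_RUN:-0}" = 1 ]; then
    prepare_stealth_vm
fi
```

After the script finishes, continue with step 5i (disconnect the datastore image) and step 6; the script does not change the virtual hardware settings.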

4.4. Importing Tenant VLAN Network Appliance and Load Balancer Templates

Specialized virtual machine templates are provided with the Secure Private Cloud environment to isolate tenant traffic using VLANs and to enable load balancing. You can import these templates, depending on your cloud environment.

Do the following to import these templates:

1. Locate the following templates in the "Recovery Images\Tenant VLAN Appliances" folder on the management server datastore or the SAN:

• A tenant VLAN network appliance template, which enables you to isolate tenant network traffic using VLANs (Tenant-VLAN-NetAppliance.ova)

• A template for load balancing Web applications (Tenant-Load-Balancer.ova)

2. Download the .ova file or files to the configuration workstation.

3. Using vSphere, connect to the vCenter server that is managing the workload servers.

4. To deploy the tenant VLAN network appliance template, do the following:

a. On the vSphere File menu, click Deploy OVF Template.

b. Browse to the Tenant-VLAN-NetAppliance.ova file that you downloaded to the configuration workstation.

c. Complete each page of the wizard, supplying appropriate values when prompted.

• At the prompt for a datastore, select the datastore to which you want to deploy the appliance. The best practice is to deploy to a SAN storage datastore. Select a datastore that can be accessed from all the workload servers.

Note: If there is only one datastore, you are not prompted to select a datastore.

• At the prompt for a disk format, select Thin Provisioned Format.

• On the Network Mapping page, accept all the default values. These settings are modified when you deploy a tenant VLAN network appliance later in the configuration process.

d. Click Next several times, and then click Finish.

The import process begins.

5. To deploy the template for load balancing Web applications, do the following:

a. On the vSphere File menu, click Deploy OVF Template.

b. Browse to the Tenant-Load-Balancer.ova file that you downloaded to the configuration workstation.

c. Answer any prompts as appropriate for your environment.

6. For each network adapter of each imported virtual machine, use Edit Settings to ensure that the "Connect at power on" option is not enabled, so that the appliance does not attach to any network before it has been configured.

7. If you are deploying the tenant VLAN network appliance (Tenant-VLAN-NetAppliance.ova), and if your workload servers are running VMware ESXi 5.x, you must install VMware Tools 5.0 in this template. Perform the procedure in 4.5 Installing VMware Tools 5.0 in the Tenant VLAN Network Appliance, and then return to this procedure.

Note: If you are deploying only the Tenant-Load-Balancer.ova, you do not need to install VMware Tools 5.0. If your workload servers are running VMware ESX or ESXi 4.x or earlier, you do not need to install VMware Tools 5.0. Simply proceed to the next step.

8. Use vSphere to convert the virtual machines into templates.

You use these templates to deploy a new tenant VLAN network appliance (as described in Section 5, Implementing a New Tenant VLAN), or to deploy a tenant load balancer (as described in 8.3 Configuring an HAProxy Load Balancer for Web Applications).

4.5. Installing VMware Tools 5.0 in the Tenant VLAN Network Appliance

Note: Perform this procedure if the workload servers are running VMware ESXi 5.x.

Do the following to install VMware Tools 5.0 in the tenant VLAN network appliance:

1. Open a vSphere Client, and log on to vCenter.

2. Open a console to the tenant VLAN network appliance (Tenant-VLAN-NetAppliance), power it on, and log in using the credentials from Table 2–1.

3. Enter the following command to uninstall the existing version of VMware Tools:

sudo /home/vyatta/vmware-tools-distrib/bin/vmware-uninstall-tools.pl

4. Accept the default values for any prompts you receive.

5. From the /home/vyatta login directory, enter the following command to delete the existing VMware Tools installation software completely:

sudo rm -rf VMwareTools-8.6.5-621624.tar.gz vmware-tools-distrib

6. Enter the following command to reboot the tenant VLAN network appliance:

sudo reboot

7. After the tenant VLAN network appliance reboots, on the VM menu, point to Guest, and then click Install/Upgrade VMware Tools.

8. If the Install/Upgrade Tools dialog box appears, select Interactive Tools Upgrade, and then click OK.

9. Return to the console for the tenant VLAN network appliance, and log in again using the credentials from Table 2–1.

10. Enter the following command to create a mount point for the ISO image that VMware has connected to the virtual CD-ROM drive:

sudo mkdir /mnt/tools

11. Enter the following command to mount the CD-ROM ISO image:

sudo mount /dev/cdrom /mnt/tools

12. Enter the following command to change the working directory to the Vyatta home directory:

cd /home/vyatta

13. Enter the following command to extract the VMware Tools 5.0 installation directory from the tar.gz file on the CD-ROM ISO image:

tar -xvf /mnt/tools/VMwareTools-*.tar.gz

Note: The wildcard character (*) in the command simplifies the installation, because you do not have to enter the exact VMware Tools build number, which depends on the version of VMware ESXi running on the workload server.

14. Enter the following command to change to the VMware Tools installation directory:

cd /home/vyatta/vmware-tools-distrib

15. Enter the following command to run the VMware Tools installer program:

sudo ./vmware-install.pl

16. Accept the default values for any prompts you receive.

17. Using sudo vi, edit the /etc/pam.d/vmtoolsd file, and replace the entire contents of that file with the following three lines:

#%PAM-1.0
auth required /lib/security/pam_unix.so shadow nullok
account required /lib/security/pam_unix.so

Note: This PAM stack is what vmtoolsd uses to authenticate guest operations requested through vSphere. The nullok option allows an account with an empty password to pass that authentication; the appliance credentials in Table 2–1 are not empty, so omit nullok if your password policy forbids it. On 64-bit systems the module might live in /lib64/security rather than /lib/security; if guest operations fail with a PAM error about loading the module, write the module name without a path (pam_unix.so) so that PAM searches its default module directory.

18. CHECKPOINT: Do the following:

a. Return to the vSphere Client.

b. Click Tenant-VLAN-NetAppliance in the left pane, and then select the Summary tab in the right pane.

The value for VMware Tools under General should now be Running (Current).

19. Return to the VMware console for the tenant VLAN network appliance, and enter the following command to copy the saved config.boot file into the Vyatta configuration folder:

cp /etc/Unisys/config.boot.orig /opt/vyatta/etc/config/config.boot

20. Enter the following command to shut down and power off the tenant VLAN network appliance:

sudo shutdown -hP now

21. Edit the virtual machine settings, and set the CD/DVD device to Client Device.

22. Use vSphere to convert the virtual machine into a template.

4.6. Preparing the vCenter Server to Sysprep the Target Template (Windows Server 2003 and Windows XP Only)

Note: Sysprep tools are included with the Windows Server 2008, Windows Vista, and Windows 7 operating systems, so you can skip this procedure if you are configuring these types of virtual machines.

If you are using an existing vCenter server that you provided, you must perform this procedure from that vCenter server's desktop. If you are using a Unisys-supplied vCenter with a vSphere Client connected to the management server, open a console to the vCenter server management VM. Do the following:

1. Access the VMware knowledge base article "Sysprep file locations and versions" at the following URL: http://kb.vmware.com/kb/1005593.

2. Follow the directions in that article to install the Sysprep files for the versions of Windows Server 2003 or Windows XP that you plan to use on your virtual machines.

Notes:

• For Windows XP x64 operating systems, you must use the Windows Server 2003 x64 Sysprep files.

• For Windows Server 2003 operating systems, ensure that the password for the local administrator account on the virtual machine template is set to blank (""). A virtual machine with a blank administrator password must not be left running on a reachable network; keep it stored as a template, and let the guest customization applied during deployment set the administrator password.


Section 5
Implementing a New Tenant VLAN

This section describes the procedures required to implement a new tenant VLAN, including the manual configuration that must be performed on the Management Network Appliance (the network appliance for the management server) and on the tenant VLAN network appliance.

Each tenant can have one or more tenant VLAN network appliances; tenants cannot share appliances. (All VLANs on a single appliance must belong to the same tenant.) Each tenant VLAN network appliance can support up to seven different VLANs. Traffic on each VLAN is isolated from all the other VLANs, even those connected to the same appliance.

When you add a new VLAN for an existing tenant, you have the option of adding a new tenant VLAN network appliance or adding the new VLAN to one of the tenant's existing appliances.

Perform the procedures in this section to create VLANs for new tenants or to create new VLANs for existing tenants.

Figure 5–1 shows logical VLAN connections and IP addresses. Use this example when configuring a new VLAN.

Figure 5–1. Logical VLAN Connections

5.1. Configuring a DNS or Alternative for the Tenant

A tenant might or might not have a DNS server. A DNS server in the cloud environment must support nonsecure dynamic DNS updates. Nonsecure updates are accepted from any host that can reach the server, with no authentication of the client that adds or changes a record, so the zone must be reachable only from the networks that need to register in it. Refer to Table 1–27 to determine whether a particular tenant has its own DNS, and then perform one of the following procedures:

• 5.1.1 Configuring the Tenant DNS

If the tenant has a DNS, refer to this procedure for an example of how to complete this configuration.

• 5.1.2 Configuring the uChargeback Management VM if Tenants Do Not Have a DNS

If a tenant does not have a DNS, or if the tenant DNS cannot support nonsecure dynamic DNS updates, perform this procedure to configure the uChargeback management VM to act as the DNS for the tenant VLAN.

Note: If you previously configured the uChargeback management VM to act as the DNS for another tenant and you want to use the same zone for the new tenant, you might not have to perform this procedure.

5.1.1. Configuring the Tenant DNS

To enable the target virtual machines to register with the tenant's internal DNS, the tenant's internal DNS must provide a forward lookup zone for the tenant and must support nonsecure dynamic DNS updates.

For example, if the tenant's internal DNS is a Windows Server 2008 system, you can configure it as described in the following procedure. Adapt this procedure for the tenant's specific type of DNS.

Do the following:

1. Launch DNS Manager by clicking Start, pointing to Administrative Tools, and then clicking DNS.

2. In the left pane, expand the DNS node, expand the node for the DNS server, and expand the Forward Lookup Zones node.

3. Under Forward Lookup Zones, check whether the tenant DNS domain name from Table 1–27 is already listed.

4. If the domain name is not listed, do the following:

a. Right-click Forward Lookup Zones, and add the new zone.

b. In the New Zone Wizard, on the Dynamic Update page, select Allow both nonsecure and secure dynamic updates.

c. Complete the New Zone Wizard.

If the domain name is already listed, do the following:

a. Right-click the zone node, and click Properties.

b. Click the General tab.

c. Select Nonsecure and Secure in the Dynamic Updates list.

d. Click OK.

5.1.2. Configuring the uChargeback Management VM if Tenants Do Not Have a DNS

If the tenant you are configuring does not supply a DNS that can support secure and nonsecure dynamic updates, you must configure a tenant-side DNS zone in the uChargeback management VM to provide this functionality for the tenant's commissioned virtual machines to use. Perform the following procedure for each tenant, or once for all tenants that do not provide a DNS.

Note: The best practice is to configure one DNS zone per tenant. (This enables easier debugging and tenant offboarding, if necessary.) This zone is not accessible from the tenant's home network.

Caution
The tenant-side DNS zone is required. The tenant virtual machines might not use the DNS zone directly, and the management VMs do not use the DNS zone directly, but it is required for the management-side DNS zone (which enables communication between management VMs and commissioned machines) to be updated properly.

If any tenants do not have a DNS, or if any tenant DNS cannot support nonsecure dynamic DNS updates, do the following.

Note: To determine whether the tenant has a DNS, see Table 1–27.

1. On the uChargeback management VM, open DNS Manager.

2. Add a new zone to DNS on the uChargeback management VM using values from Table 1–27, as follows:

a. Right-click Forward Lookup Zones in the left pane, and click New Zone. Do the following:

• Select Primary zone, and enter the tenant DNS domain name as the zone name. For example, the zone name might be NoDNS.TenantName.Local.

Note: The zone name
- Must match the Tenant DNS Domain name in Table 1–27
- Must contain at least one period character
- Must not be a zone that could be resolved externally

• Select the Allow both nonsecure and secure dynamic updates option.

Wait for the zone to be created and appear in the left pane.

b. Right-click the new zone in the left pane, and click New Host.

The New Host dialog box opens. Do the following:

• Enter the host name of the uChargeback management VM.
• Enter the IP address of the uChargeback management VM on the Intercom Network, using the value in Table 1–27.
• Do not create an associated PTR record.

c. Click Add Host to create the host record.

d. Click Done to exit the New Host dialog box.

3. Set the properties of the new zone, as follows:

a. Right-click the new zone in the left pane, and click Properties.

The Properties dialog box opens.

b. Click the Start of Authority (SOA) tab, click the Primary server box, and enter the host name of the uChargeback management VM with the DNS suffix of the new zone. For example, enter my-uChrg.NoDNS.TenantName.Local.

c. Click the Name Servers tab, click the name that is displayed, and then click Edit.

d. Click the Server Fully Qualified Domain Name (FQDN) box, and enter the same name that you entered on the Start of Authority (SOA) tab.

e. Click the IP Address box, enter the Intercom IP address of the uChargeback management VM from Table 1–27, and then press Enter.

Note: Enter the same IP address that you used when you added the uChargeback management VM host record to this zone in step 2.

The address should appear under your entry with a green check mark.

f. Click OK to exit the Properties dialog box.

4. Exit DNS Manager.

The new zone name is
• Added to the tenant properties in RBADB when you perform the procedure in 6.1 Updating Cloud Provider or Adding Tenant Information in the Secure Private Cloud Environment
• Set as the DNS suffix in the virtual machines that are commissioned for this tenant
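Both 5.1.1 and 5.1.2 turn on nonsecure dynamic updates for the tenant zone. The following POSIX shell script is an added example, not part of the Unisys procedure, that shows what such an update looks like on the wire using nsupdate from the BIND utilities (available on Red Hat Enterprise Linux; the Windows DNS client performs the same RFC 2136 operation on its own). The default replace mode deletes and re-adds the A record for a name without presenting any credential, which is exactly what "nonsecure" permits for any host that can reach the server; the create mode goes beyond the manual and adds an nxdomain prerequisite so a virtual machine cannot silently take over a name that another machine already registered (a guard against duplicate hostnames, not against a hostile peer on the same VLAN). The server address 10.0.0.2, the host name vm1, and the zone NoDNS.TenantName.Local are assumed values standing in for Table 1–27.

```shell
#!/bin/sh
# register_tenant_vm.sh - added example, not part of the Unisys procedure.
# Builds and sends an RFC 2136 dynamic update (the operation the tenant zone
# is configured to accept without authentication) using nsupdate from the BIND
# utilities. All names and addresses below are illustrative.
set -eu

# The manual's zone-name rules that can be checked offline: at least one
# period, and only hostname characters in each label. "Not externally
# resolvable" cannot be decided here; choose a private suffix such as .Local.
valid_zone_name() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)+\.?$'
}

# Emit the nsupdate script for one A record.
#   build_nsupdate_script SERVER ZONE HOST IP [TTL] [replace|create]
# replace: delete whatever A records the name has, then add ours. This is what
#          a client does when its address changes; with nonsecure updates any
#          host that reaches the server can do it to any name in the zone.
# create:  add only if the name does not exist yet (prereq nxdomain), so an
#          accidental duplicate hostname fails instead of hijacking a record.
build_nsupdate_script() {
    server="$1"; zone="$2"; host="$3"; ip="$4"
    ttl="${5:-3600}"; mode="${6:-replace}"
    fqdn="$host.$zone."
    printf 'server %s\n' "$server"
    printf 'zone %s.\n' "$zone"
    case "$mode" in
        create)  printf 'prereq nxdomain %s\n' "$fqdn" ;;
        replace) printf 'update delete %s A\n' "$fqdn" ;;
        *) echo "unknown mode: $mode" >&2; return 2 ;;
    esac
    printf 'update add %s %s A %s\n' "$fqdn" "$ttl" "$ip"
    printf 'send\n'
}

# Validate the zone name, then pipe the script to nsupdate (reads stdin).
register_host() {
    valid_zone_name "$2" || { echo "invalid zone name: $2" >&2; return 2; }
    build_nsupdate_script "$@" | nsupdate
}

# Example invocation (assumed values): register vm1 in the tenant zone hosted
# on the uChargeback VM's Intercom address, refusing to overwrite an existing name.
#   register_host 10.0.0.2 NoDNS.TenantName.Local vm1 10.0.0.5 3600 create
```

Run build_nsupdate_script on its own to inspect the exchange before sending it; if a create-mode update is answered with NXRRSET or YXDOMAIN, the name is already taken and the caller should pick another host name rather than fall back to replace mode.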

5.2. Configuring Workload Servers for VLAN Networking

You must configure each workload server on which the new tenant virtual machines will run to connect to the new tenant VLAN and to the Tenant Interconnect port group. (The Tenant Interconnect port group carries traffic to and from each tenant's own internal network.) You might do this for all workload servers in the environment or only for the servers in a particular cluster.

Note: If the tenant has multiple VLANs, they all share the same Tenant Interconnect. If you previously created a Tenant Interconnect for this tenant, you do not have to create another one.

5.2.1. Understanding Workload Server Networking Connection Options

There are several ways that you can configure workload servers to access these networks:

• By dedicating a physical NIC (or team of NICs) per workload server to a network

• By defining VLANs and sharing use of a physical NIC (or team of NICs)

When VLANs are defined, there are two main ways to configure them using VMware:

- Distributed virtual network switch (formerly known as vNetwork Distributed Switch)

This is the preferred method, because it enables you to configure the port groups across multiple workload servers at one time. However, you can use it only on workload servers with vSphere 4.0 or higher that have the license feature "Distributed Virtual Switch." (This feature requires the vSphere Enterprise Plus license.)

Note: You can create distributed virtual network switches only for workload servers with free physical network adapters, that is, network adapters that are not already used by virtual switches. If the workload server has a hardware limitation on the number of physical adapters, and the same physical adapter is used to connect to the Management Access Network, the Public Network, tenant VLANs, and the Tenant Interconnect, then you can use the same distributed virtual network switch to create port groups to access all these networks.

- vSwitch virtual machine port groups

This is the alternate method. It is not the preferred method, because it requires you to perform the same procedure on each workload server, which can be time-consuming and error-prone.

5.2.2. Configuring Access to Tenant VLAN Networks and Tenant Interconnect

Perform one of the following procedures for each tenant VLAN network and for the Tenant Interconnect:

• For a physical NIC: Option 1: Using a Dedicated Physical NIC to Access a Tenant VLAN Network or Tenant Interconnect

• For a VLAN using a distributed virtual network switch (formerly known as vNetwork Distributed Switch): Option 2: Using a Distributed Switch to Access a Tenant VLAN Network or Tenant Interconnect

• For a VLAN using workload server-specific vSwitch virtual machine port groups: Option 3: Creating vSwitch Virtual Machine Port Groups to Access a Tenant VLAN Network or Tenant Interconnect

Notes:

• If the tenant has multiple VLANs, they all share the same Tenant Interconnect. If you previously created a Tenant Interconnect for this tenant, you do not have to create another one.

• If you are using Stealth for Secure Private Cloud in your environment, then for each tenant VLAN that is Stealth-enabled, you must create an associated clear text VLAN using the Stealth clear text VLAN ID and Stealth encrypted network label values from Table 1–26. You are directed to do this in the following procedures.

You can use different methods when configuring each network. For example, you can configure one network with a physical NIC and then configure a distributed virtual network switch for another network.
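The manual's objection to Option 3 is that repeating the same vSphere Client steps on every workload server is error-prone, and the Stealth note above adds a second port group (the clear text VLAN) that must exist wherever the encrypted one does. The following POSIX shell script is an added example, not part of the Unisys procedure: it generates the esxcli commands that create a port group on a standard vSwitch and tag it with a VLAN ID, emits the Stealth VLAN and its clear text companion from a single call so they cannot be created on some hosts and not others, and applies them over SSH to each host (the ESXi SSH service must be enabled on the host for that part and should be disabled again afterwards). The host names esx01 and esx02, the vSwitch name vSwitch1, and the labels and VLAN IDs are placeholders for the values recorded in Table 1–26.

```shell
#!/bin/sh
# tenant_portgroups.sh - added example, not part of the Unisys procedure.
# Generates (and optionally applies over SSH) the esxcli commands that create
# VLAN-tagged port groups on a standard vSwitch on each workload server.
set -eu

# VLAN IDs on a standard vSwitch port group: 0 = untagged, 1-4094 = tagged.
# 4095 is the all-VLANs trunk mode and is never what a tenant network wants.
valid_vlan_id() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 0 ] && [ "$1" -le 4094 ]
}

# portgroup_commands VSWITCH LABEL VLAN_ID
# Prints the two esxcli commands for one port group: create it, then tag it.
portgroup_commands() {
    vswitch="$1"; label="$2"; vlan="$3"
    valid_vlan_id "$vlan" || { echo "invalid VLAN ID: $vlan" >&2; return 2; }
    printf 'esxcli network vswitch standard portgroup add --portgroup-name=%s --vswitch-name=%s\n' "$label" "$vswitch"
    printf 'esxcli network vswitch standard portgroup set --portgroup-name=%s --vlan-id=%s\n' "$label" "$vlan"
}

# tenant_network_commands VSWITCH LABEL VLAN_ID [CLEARTEXT_LABEL CLEARTEXT_VLAN_ID]
# A Stealth-enabled tenant VLAN must have its clear text companion VLAN;
# emitting both from one call keeps the pair consistent across hosts.
tenant_network_commands() {
    portgroup_commands "$1" "$2" "$3"
    if [ $# -ge 5 ]; then
        portgroup_commands "$1" "$4" "$5"
    fi
}

# apply_on_hosts "host1 host2 ..." VSWITCH LABEL VLAN_ID [CLEARTEXT_LABEL CLEARTEXT_VLAN_ID]
# Feeds the generated commands to the ESXi shell on each host, then lists the
# port groups so the result can be compared host by host.
apply_on_hosts() {
    hosts="$1"; shift
    for h in $hosts; do
        echo "== $h"
        tenant_network_commands "$@" | ssh "root@$h" sh -s
        ssh "root@$h" esxcli network vswitch standard portgroup list
    done
}

# Example (placeholder values standing in for Table 1-26):
#   apply_on_hosts "esx01 esx02" vSwitch1 Tenant-A-VLAN 101 Tenant-A-Clear 102
#   apply_on_hosts "esx01 esx02" vSwitch1 Interconnect 0
```

Review the output of tenant_network_commands before running apply_on_hosts; the generated commands are plain esxcli invocations, so the same text can be pasted into an ESXi shell session by hand on a host where SSH is not allowed.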

Option 1: Using a Dedicated Physical NIC to Access a Tenant VLAN Network or Tenant Interconnect

If you want to use a dedicated physical NIC to configure access to a tenant VLAN network or the Tenant Interconnect, do the following for each such network, on each workload server listed in Table 1–26.

Note: If you want to use a distributed virtual network switch or workload server-specific vSwitch virtual machine port groups instead, you can skip this procedure.

1. Using vSphere, connect to the vCenter server.

2. Select the workload server in the left pane, and select the Configuration tab in the right pane.

3. Select Networking.

4. Locate the virtual switch that connects to the physical NIC you want to use.

5. Select Properties.

6. Select VM Network, and click Edit.

7. For a tenant VLAN network, change the Network Label to the tenant VLAN network label from Table 1–26. For the Tenant Interconnect, change the Network Label to Interconnect.

8. Click OK, and then click Close.

9. For each Stealth-enabled tenant VLAN, repeat this procedure for the clear text VLAN associated with this tenant VLAN, which is specified in Table 1–26.

10. Repeat this procedure for the other workload servers that have access to this network.

Option 2: Using a Distributed Switch to Access a Tenant VLAN Network or Tenant Interconnect

If you want to use a distributed virtual network switch to configure access to a tenant VLAN network or the Tenant Interconnect, do the following for each network for which you want to use a distributed switch. You can create a new distributed switch or add port groups to an existing distributed switch.

Notes:

• If you already performed the previous procedure to use a physical NIC, or if you want to use workload server-specific vSwitch virtual machine port groups instead, you can skip this procedure.

• The distributed virtual network switch was formerly known as vNetwork Distributed Switch in VMware. In this procedure, it is simply referred to as a distributed switch.

1. Using vSphere, connect to the vCenter Server that is managing the workload servers for which you want to create a distributed switch or add port groups to an existing switch.

2. If you want to add port groups to an existing distributed switch, skip to the next step. If you want to create a new distributed switch, do the following:

a. Point to Inventory on the View menu, and click Networking.

The Networking Inventory page appears.

b. In the left pane, select the datacenter where the workload servers are located.

c. Point to Datacenter on the Inventory menu, and click New vSphere Distributed Switch.

The Create vSphere Distributed Switch wizard appears.

d. If you are prompted for the distributed switch version, select 4.0, 4.1.0, or 5.0.0. All these levels are supported.

e. In the Name box, enter the name recorded for the new distributed switch in Table 1–22.

f. In the Number of dvUplink Ports box, select the number of ports recorded in Table 1–22, and then click Next.

Each dvUplink port represents one physical network adapter on a host, and the same uplink count applies to every host in the switch. Set the value to the largest number of physical network adapters that any one workload server contributes to the distributed switch.

g. Select Add now, and select the check boxes for each workload server and physical adapter that you want to add to the distributed switch.

Note: You can add only free physical adapters (that is, network adapters that are not already used by virtual switches) to a distributed switch.

h. Click Next.

i. Clear the Automatically create a default port group check box.

5–8 3850 6804–007


j. Click Finish.<br />

3. From the vSphere Client connected to the vCenter Server, in the Networking View,<br />

right-click the distributed switch node in the left pane <strong>and</strong> click New Port Group.<br />

The Create Distributed Virtual Port Group dialog box appears.<br />

4. Enter a name for the port group in the Name box, as follows:<br />

• If you are configuring the tenant VLAN, use the Tenant VLAN network label<br />

value in Table 1–26.<br />

Note: It is recommended that you include the VLAN ID as part of the name, so<br />

that you can easily identify the port group with which it is associated.<br />

• If you are configuring the Tenant Interconnect, type <br />

Interconnect.<br />

5. Adjust the value in the Number of ports box to indicate the number of virtual<br />

machines that can connect to this VLAN, according to the tenant’s requirement.<br />

The number of ports is listed in Table 1–26.<br />

For the Tenant Interconnect, set this number to a value at least as large as the number<br />

of tenant VLANs that will be associated with the network appliance multiplied by 7,<br />

plus 2. (For example, for three network appliances, set this number to 23 or higher.)<br />

Note: Each vCenter has a limitation of 30,000 distributed virtual network switch<br />

ports.<br />

6. Select VLAN in the VLAN type list.<br />

7. Enter the VLAN ID. If you are configuring the tenant VLAN, use the Tenant VLAN<br />

ID value in Table 1–26. If you are configuring the Tenant Interconnect, use the Tenant<br />

interconnect VLAN ID value in Table 1–27.<br />

8. Click Next <strong>and</strong> then Finish.<br />

Implementing a New Tenant VLAN<br />

9. For each Stealth-enabled tenant VLAN, repeat Steps 3 through 8 for the clear text<br />

VLAN associated with this tenant VLAN, which is specified in Table 1–26.<br />

Note: The Create Distributed Virtual Port Group dialog box allows you to specify<br />

only limited configuration. You can modify additional configuration after the dvPort group is<br />

created by right clicking the port group in the left pane <strong>and</strong> editing its settings.<br />
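The port-group layout that Option 2 builds by hand can also be generated from the workbook values with PowerCLI, which makes the naming convention, the clear-text companion of each Stealth-enabled VLAN and the Interconnect port-count rule explicit and repeatable. The following is an added example written for this guide; it is not Unisys code and not one of the Config-* scripts. It assumes VMware PowerCLI 5.1 or later (Get-VDSwitch, Get-VDPortgroup, New-VDPortgroup) and Windows PowerShell 3.0 or later, and the $tenant hashtable stands in for Tables 1–22, 1–24, 1–26 and 1–27; every name, VLAN ID and port count in it is made up.

```powershell
# Added example, not part of the Unisys guide or its Config-* scripts.
# Creates the distributed port groups of Option 2 from workbook-style values.
# Assumes PowerCLI 5.1+ and PowerShell 3.0+. All values below are constructed.

$tenant = @{
    Name             = 'Acme'                 # Tenant Name, Table 1-24
    DvSwitch         = 'dvSwitch-Workload'    # distributed switch name, Table 1-22
    InterconnectVlan = 3000                   # Tenant interconnect VLAN ID, Table 1-27
    ApplianceCount   = 2                      # tenant VLAN network appliances on this Interconnect
    Vlans            = @(                     # one entry per VLAN column of Table 1-26
        @{ Label = 'Acme-VLAN-401'; VlanId = 401; Ports = 64; Stealth = $false },
        @{ Label = 'Acme-VLAN-402'; VlanId = 402; Ports = 32; Stealth = $true;
           ClearTextLabel = 'Acme-Clear-1402'; ClearTextVlanId = 1402 }
    )
}

# Pure function: returns the port groups to create, so the plan can be reviewed
# against the workbook before anything is changed in vCenter.
function Get-TenantPortGroupPlan([hashtable]$Tenant) {
    $plan = @()
    foreach ($v in $Tenant.Vlans) {
        $plan += [pscustomobject]@{ Name = $v.Label; VlanId = $v.VlanId; NumPorts = $v.Ports }
        if ($v.Stealth) {
            # Step 9: a Stealth-enabled VLAN also needs its clear text VLAN port group.
            $plan += [pscustomobject]@{ Name = $v.ClearTextLabel; VlanId = $v.ClearTextVlanId; NumPorts = $v.Ports }
        }
    }
    # Step 5: the Interconnect needs at least (appliances x 7) + 2 ports, because up to
    # seven of an appliance's ten adapters can sit on the Interconnect.
    $plan += [pscustomobject]@{
        Name     = "$($Tenant.Name) Interconnect"      # the label Config-TVNA.ps1 searches for
        VlanId   = $Tenant.InterconnectVlan
        NumPorts = ($Tenant.ApplianceCount * 7) + 2
    }
    return $plan
}

function New-TenantPortGroups([hashtable]$Tenant, [string]$VCenter) {
    Connect-VIServer -Server $VCenter | Out-Null        # prompts for credentials
    $vds = Get-VDSwitch -Name $Tenant.DvSwitch
    foreach ($pg in Get-TenantPortGroupPlan $Tenant) {
        $existing = Get-VDPortgroup -VDSwitch $vds -Name $pg.Name -ErrorAction SilentlyContinue
        if ($existing) {
            # Re-running is harmless, but a VLAN ID mismatch means vCenter and the
            # workbook disagree: stop rather than silently attach tenants to the wrong VLAN.
            if ($existing.VlanConfiguration.VlanId -ne $pg.VlanId) {
                throw "Port group '$($pg.Name)' exists with VLAN $($existing.VlanConfiguration.VlanId), workbook says $($pg.VlanId)"
            }
            Write-Host "Keeping existing port group $($pg.Name)"
            continue
        }
        New-VDPortgroup -VDSwitch $vds -Name $pg.Name -VlanId $pg.VlanId -NumPorts $pg.NumPorts | Out-Null
        Write-Host "Created $($pg.Name) (VLAN $($pg.VlanId), $($pg.NumPorts) ports)"
    }
    Disconnect-VIServer -Server $VCenter -Confirm:$false
}

# Review the plan first; apply only once it matches Table 1-26.
Get-TenantPortGroupPlan $tenant | Format-Table -AutoSize
# New-TenantPortGroups -Tenant $tenant -VCenter 'vcenter.example.local'   # hypothetical vCenter name
```

Get-TenantPortGroupPlan is deliberately separated from the PowerCLI calls so the operator can compare the generated names and VLAN IDs with the workbook before touching vCenter; the VLAN ID check on an existing port group is the one condition under which the function refuses to continue.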

Option 3: Creating vSwitch Virtual Machine Port Groups to Access a Tenant VLAN Network or Tenant Interconnect

If you want to use a vSwitch virtual machine port group to configure access to a tenant VLAN or the Tenant Interconnect network, do the following for each network on which you want to use a vSwitch virtual machine port group, on each workload server in Table 1–11.

Note: If you already performed the previous procedures to use a physical NIC or a distributed virtual network switch, you can skip this procedure.

1. Do the following to open the Networking configuration view for the workload server:
   a. In the vSphere Client, connect to the vCenter server.
   b. From the View menu, click Inventory, then click Hosts and Clusters.
   c. In the left pane, select a workload server.
   d. In the right pane, click the Configuration tab.
   e. In the Hardware group, click Networking.
2. If the vSwitch you want to use does not exist, do the following to create and configure a new switch.
   Note: If the vSwitch already exists, do not perform this step. Perform the following step instead.
   a. Click Add Networking, near the top right of the right pane.
      The Add Network Wizard opens.
   b. On the Connection Type page, choose Virtual Machine.
   c. On the Virtual Machines – Network Access page, choose Create a virtual switch, and select the check box next to an available physical network adapter (vmnic).
   d. On the Virtual Machines – Connection Settings page, enter a name for the VLAN in the Network Label box, as follows:
      • If you are configuring the tenant VLAN, use the Tenant VLAN network label value from Table 1–26.
        Note: It is recommended that you include the VLAN ID as part of the name, so that you can easily identify the port group with which it is associated.
      • If you are configuring the Tenant Interconnect, type <tenant name> Interconnect, using the Tenant Name value from Table 1–24.
   e. Enter the VLAN ID. If you are configuring the tenant VLAN, use the Tenant VLAN ID value from Table 1–26. If you are configuring the Tenant Interconnect, use the Tenant interconnect VLAN ID value from Table 1–27.
   f. On the Ready to Complete page, click Finish.
3. If the vSwitch you want to use already exists, on the Networking Configuration tab, do the following.
   Note: If the vSwitch you want to use does not already exist, perform the preceding step instead to create and configure a new switch.
   a. Click Properties for the vSwitch.
      The vSwitch Properties dialog box appears.
   b. Click Add.
      The Add Networking Wizard appears.
   c. On the Connection Type page, choose Virtual Machine.
   d. On the Virtual Machines – Connection Settings page, enter a name for the VLAN in the Network Label box, as follows:
      • If you are configuring the tenant VLAN, use the Tenant VLAN network label value from Table 1–26.
        Note: It is recommended that you include the VLAN ID as part of the name, so that you can easily identify the port group with which it is associated.
      • If you are configuring the Tenant Interconnect, type <tenant name> Interconnect, using the Tenant Name value from Table 1–24.
   e. Enter the VLAN ID. If you are configuring the tenant VLAN, use the Tenant VLAN ID value from Table 1–26. If you are configuring the Tenant Interconnect, use the Tenant interconnect VLAN ID value from Table 1–27.
   f. On the Ready to Complete page, click Finish.
   g. Click Close to close the vSwitch Properties dialog box.
   h. For each Stealth-enabled tenant VLAN network, repeat this procedure for the clear text VLAN associated with this tenant VLAN, which is specified in Table 1–26.
4. Repeat this procedure for the other workload servers that have access to this network.

Note: You must configure the physical switches that connect the workload servers, and the physical switch that protects the tenant's private access point, to allow this new VLAN.

5.3. Deploying a New Tenant VLAN Using a New or Existing Tenant VLAN Network Appliance

To deploy a new tenant VLAN, you use a Unisys-supplied tenant VLAN network appliance. The following procedures describe how to configure a new tenant VLAN using a new or an existing tenant VLAN network appliance:
• If you are adding a new tenant (and a new VLAN), you must deploy a new tenant VLAN network appliance for that tenant. Perform the steps in 5.3.1 Deploying a New Tenant VLAN Network Appliance and VLAN.
• If you are adding a new VLAN for an existing tenant, you have the option to configure the new VLAN on one of the tenant's existing tenant VLAN network appliances, as described in 5.3.2 Adding a New VLAN to an Existing Tenant VLAN Network Appliance. Each tenant VLAN network appliance can support up to seven VLANs.

5.3.1. Deploying a New Tenant VLAN Network Appliance and VLAN

Note: Before beginning this procedure, ensure that the cloud provider and tenant XML files on the jump box management VM are up-to-date.

Perform the following procedure to deploy a new tenant VLAN network appliance and VLAN:

1. Run the vSphere Client and connect to the vCenter server.
2. If you are performing this procedure as directed in 5.3.2 Adding a New VLAN to an Existing Tenant VLAN Network Appliance, or if the tenant VLAN network appliance virtual machine already exists, skip to the next step.
   Otherwise, do the following to deploy a new tenant VLAN network appliance:
   a. From the VMs and Templates view, select the Tenant VLAN NetAppliance template that you imported in 4.4 Importing Tenant VLAN Network Appliance and Load Balancer Templates, right-click, and then click Deploy Virtual Machine from this Template to deploy a new virtual machine to act as the tenant VLAN network appliance in Table 1–26.
   b. Name the virtual machine using the host name value from Table 1–25. This name is case-sensitive.
      Caution: You must name this tenant VLAN network appliance using the host name value, spelling and capitalizing the name exactly as it appears in Table 1–25.
   c. Select the following options during deployment:
      • Ignore any warnings stating that a virtual Ethernet card network adapter is not supported. You might receive multiple warnings.
      • Do not use the same resource pools as the ones that will be used for the end user virtual machines; those resource pools are specified in Table 1–13. (You can create a separate resource pool for each tenant's infrastructure VMs.)
      • Select Thin provisioned format for the Disk Format option.
      • Select Do not customize for the Guest Customization option.
      • Make sure the Power on this virtual machine after creation option is cleared.

3. Perform this step to configure the virtual machine Network Adapter settings only if all of the following conditions apply:
   • Your vCenter Server is running vCenter Server 5.x.
     Note: The Unisys-supplied vCenter Server management VM is running vCenter Server 5.0.
   • The workload server on which the tenant VLAN network appliance is running is running VMware ESX or ESXi version 4.1.
   • One or more of the port groups that you want to assign as the networks for the network adapters on the tenant VLAN network appliance belongs to a distributed virtual network switch (as opposed to a standard switch).
   If any of these conditions does not apply, proceed to the next step (power on the virtual machine).
   If all of these conditions apply, do the following:
   a. When the new virtual machine is created, right-click the virtual machine, and then click Edit Settings.
   b. Configure the virtual machine Network Adapter settings as follows.
      Notes:
      • The network connection labels must already exist on the workload server.
      • The Ethernet interface given for each adapter is for reference only; it is the interface that the network appliance software uses for that adapter.

      Network Adapter 1 (Ethernet interface eth0)
        Connected at Power On: Enable if any of the following properties in Table 1–25 is set to Yes: Internet Access – Outgoing; Internet Access – Incoming; Able to respond to a ping command?
        Network Connection Network Label: Public Network

      Network Adapter 2 (Ethernet interface eth1)
        Connected at Power On: Enable
        Network Connection Network Label: If the VLAN is not Stealth-enabled, the tenant VLAN network label for VLAN[1] in Table 1–26. If the VLAN is Stealth-enabled, the Stealth clear text network label for VLAN[1] in Table 1–26.

      Network Adapter 3 (Ethernet interface eth2)
        Connected at Power On: Enable
        Network Connection Network Label: Management Access Network

      Network Adapter 4 (Ethernet interface eth3)
        Connected at Power On: Enable
        Network Connection Network Label: <tenant name> Interconnect

      Network Adapters 5 to 10 (Ethernet interfaces eth4 to eth9; adapter n uses eth(n-1))
        Connected at Power On: If additional tenant VLANs are being supported with this appliance, Enable. Otherwise, Disable.
        Network Connection Network Label: For network adapters that are in use by additional tenant VLANs, choose one of the following, based on whether the VLAN is Stealth-enabled:
        • If the VLAN is not Stealth-enabled, the tenant VLAN network label for VLANs[2] to [n-3] in Table 1–26.
        • If the VLAN is Stealth-enabled, the Stealth clear text network label for VLANs[2] to [n-3] in Table 1–26.
        For network adapters that are not in use by additional tenant VLANs, enter <tenant name> Interconnect.
        For example, if you have one additional tenant VLAN, configure Network Adapter 5 for that VLAN. Then, configure Network Adapters 6–10 as <tenant name> Interconnect.

      Note: The range of available network adapters for extra VLANs begins at Network Adapter 5. For example, if this Tenant VLAN Network Appliance supports three tenant VLANs, you must enable two extra network adapters: numbers 5 and 6.
   c. Click OK to save the Network Adapter settings.

4. Power on the virtual machine.
5. Open a console to the tenant VLAN network appliance, and wait until the log-on prompt appears.
6. After the log-on prompt appears, close the console to the tenant VLAN network appliance.
7. Open a console to the jump box management VM.
8. Enter one of the following commands in the Windows PowerShell (x86) command window:
   • If you are adding a new tenant VLAN network appliance and a new VLAN, enter the following command:
     .\Config-TVNA.ps1 -tenant <tenant name> -new
     Where <tenant name> is the tenant name listed in Table 1–24. If the tenant name contains spaces, enclose the name in quotation marks in the command.
     If the workload server is running VMware ESX or ESXi 4.x or earlier, and the vCenter Server that is managing the workload servers is running vCenter Server 5.x, you must add the following parameters to this command:
     -vCenter <vCenter server> -vCenterUser <user name> -vCenteruserPw <password>
     Use the information in Table 1–11 for the workload server that hosts the tenant VLAN network appliance you are configuring.
     Note: The Unisys-supplied vCenter Server management VM is running vCenter Server 5.0.
     If you added these three vCenter parameters to the command, and if you already configured the virtual machine Network Adapter settings in step 3, also add the following argument:
     -skipNICs
     (You were instructed to configure the Network Adapter settings in step 3 if your vCenter Server is running vCenter Server 5.x, the tenant VLAN network appliance is running on a VMware ESX or ESXi 4.1 workload server, and one or more of the port groups uses a distributed virtual network switch.)
   • If you are running this command to add a new VLAN to an existing tenant VLAN network appliance, enter the following command:
     .\Config-TVNA.ps1 -tenant <tenant name>
     Where <tenant name> is the tenant name listed in Table 1–24. If the tenant name contains spaces, enclose the name in quotation marks in the command.
     The same rules for the -vCenter, -vCenterUser and -vCenteruserPw parameters and for the -skipNICs argument apply to this command: add the three vCenter parameters when an ESX or ESXi 4.x (or earlier) workload server is managed by vCenter Server 5.x, and add -skipNICs when you added those parameters and already configured the Network Adapter settings in step 3.

   Notes:
   • In 5.2.2 Configuring Access to Tenant VLAN Networks and Tenant Interconnect, you were instructed to create a Tenant Interconnect named <tenant name> Interconnect. This command searches for the strings <tenant name> Interconnect and <tenant name>Interconnect (no space). If the command cannot identify the Tenant Interconnect using these strings, a dialog box appears; enter the Tenant Interconnect name to proceed.
   • If a warning is displayed for the server certificate, ignore it. Before doing so, confirm that the warning names the server you intended to connect to.

   The script performs the following actions:
   • Sets a new password for the vyatta account.
     Note: The next time you log on to the tenant VLAN network appliance, you must use the new password for user vyatta from Table 1–25.
   • Sets the host name.
   • Configures the first four network adapter interfaces.
   • Configures the MAC address information for the remaining six network adapter interfaces to ensure that the assigned MAC addresses are correct.
   • Assigns the uChargeback management VM as the NetFlow collector, using the uChargeback IP address on the Intercom Network.
   • Configures the DNS server addresses to which all DNS requests are forwarded.
   • If the Intercom address range is nonstandard, updates that range in the MGMT_VMS firewall group and the static route.
   • If the tenant does not have a DNS server of their own, enables access to the DNS server on the uChargeback management VM. To enable this access, the script adds the addresses of the uChargeback management VM on the Cloud Management Network and the uAdapt Server Control Network to the MGMT_VMS firewall group, and also creates static routes to ensure that traffic to those addresses is forwarded through the Management Network Appliance.
   • If pings from the Internet are not allowed, modifies the ALLOW_ESTABLISHED firewall to block such pings.
   • If either outgoing or incoming Internet access is allowed, configures a system gateway address.
   • For each tenant VLAN supported by this Tenant VLAN Network Appliance:
     - Configures an IP address on the network adapter interface for that tenant VLAN.
     - Configures DHCP settings for the tenant VLAN, including the start and stop addresses, the address of the default router, the address of the DNS server, and the DNS domain name.
     - Adds the tenant VLAN address range to the TENANT_VLAN_NETWORKS firewall group.
     - If outgoing Internet access is allowed, configures a masquerade NAT rule on eth0 for traffic originating from this tenant VLAN.
     - Configures an SNAT rule for traffic from the tenant VLAN to the management VMs. This rule translates the source address of packets from the tenant-side address to the management-side address.
     - Configures a DNAT rule for traffic from the management VMs to the tenant VLAN. This rule translates the destination address of packets from the management-side address to the tenant-side address.
     - Configures a static route for traffic from the tenant VLAN to the Tenant Internal Network, ensuring that such traffic passes through the Tenant Internal Router on the Tenant Interconnect.
     - If you are using the Active Directory management VMs provided with the Secure Private Cloud, configures the NTP service to synchronize with the time servers on the Active Directory management VMs.
   • Reboots the tenant VLAN network appliance.
   • Assigns the network adapters to the correct external networks. If this is the initial configuration of the tenant VLAN network appliance, all ten network adapters are assigned to the correct networks. If this is a later configuration (you are adding one or more VLANs to an existing tenant VLAN network appliance), only the corresponding network adapters are reassigned.
9. Wait until the Config-TVNA script stops displaying messages.
10. Verify that the script completed successfully.
    If the command was successful, the script does the following:
    • Displays the message "Completed normally," along with information about the log location.
    • Displays a message indicating that the password for the vyatta user is being modified.
    • Displays one or more messages indicating that network adapters have been assigned to VMware networks.
    • Reboots the tenant VLAN network appliance.
    If unsuccessful, the script displays an error message. Typically the message indicates an error in the data in one of the XML files. For example, the message might indicate that an invalid subnet mask was specified for a certain address. To correct such a problem, do the following:
    a. Make corrections to the configuration worksheet and export the XML files to the jump box management VM again.
    b. Rerun the command in the PowerShell (x86) command window.
    To correct any other problems, refer to the troubleshooting document for Secure Private Cloud on the Unisys Support Web site (www.support.unisys.com).

CHECKPOINT:
1. After the tenant VLAN network appliance has rebooted, open a console to the tenant VLAN network appliance virtual machine that you just deployed, and log in using the user name vyatta and the New password for user vyatta in Table 1–25 of the tenant's workbook.
   Note: If no new password is specified, use the Default password for user vyatta in Table 1–25 instead. Because the default password is the one shipped with the template and is therefore known to everyone who has it, specify a new password in Table 1–25 before running Config-TVNA.ps1 rather than leaving the default in place on a tenant-facing appliance.
2. Ping the IP address of the Management Network Appliance on the Management Access Network, as specified in Table 1–5.
3. Verify that the ping is successful.
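Two parts of the procedure above are easy to get wrong by hand: the ten-row Network Adapter table in step 3, and the Tenant Interconnect label that Config-TVNA.ps1 looks for (step 8 notes). The following is an added example, written for this guide and not Unisys code, that derives the adapter plan from workbook-style values, resolves the Interconnect port group using the same two spellings the guide describes, and applies the plan with PowerCLI. It assumes PowerCLI 5.1 or later (Set-NetworkAdapter with -Portgroup, Get-VirtualPortGroup returning both standard and distributed port groups), Windows PowerShell 3.0 or later, and a powered-off appliance with ten network adapters; the tenant name, host name and labels in $tenant are made up.

```powershell
# Added example, not part of the Unisys guide or Config-TVNA.ps1.
# Builds and applies the Network Adapter settings of step 3 from workbook-style
# values. Assumes PowerCLI 5.1+ and PowerShell 3.0+. All values are constructed.

$tenant = @{
    Name             = 'Acme'                  # Tenant Name, Table 1-24
    Appliance        = 'ACME-TVNA-01'          # appliance host name (VM name), Table 1-25
    InternetOutgoing = $true                   # the three Table 1-25 flags that decide adapter 1
    InternetIncoming = $false
    PingAllowed      = $false
    Vlans            = @(                      # Table 1-26, VLAN[1] .. VLAN[n], at most seven
        @{ Label = 'Acme-VLAN-401'; Stealth = $false },
        @{ Label = 'Acme-VLAN-402'; Stealth = $true; ClearTextLabel = 'Acme-Clear-1402' }
    )
}

# The two spellings the guide says Config-TVNA.ps1 searches for; first match wins.
function Resolve-TenantInterconnectName([string]$TenantName, [string[]]$PortGroupNames) {
    foreach ($candidate in @("$TenantName Interconnect", "${TenantName}Interconnect")) {
        if ($PortGroupNames -contains $candidate) { return $candidate }
    }
    return $null   # caller must ask the operator, as the script's dialog box does
}

# Pure function: one row per adapter, following the step 3 table exactly.
function Get-TenantAdapterPlan([hashtable]$Tenant, [string]$Interconnect) {
    if ($Tenant.Vlans.Count -gt 7) { throw 'A tenant VLAN network appliance supports at most seven VLANs' }
    # Label to attach for VLAN[i]: the Stealth clear text label when Stealth-enabled.
    $labels = @($Tenant.Vlans | ForEach-Object { if ($_.Stealth) { $_.ClearTextLabel } else { $_.Label } })
    $adapter1 = $Tenant.InternetOutgoing -or $Tenant.InternetIncoming -or $Tenant.PingAllowed
    $plan = @(
        [pscustomobject]@{ Adapter = 1; Connected = $adapter1; Network = 'Public Network';            Eth = 'eth0' }
        [pscustomobject]@{ Adapter = 2; Connected = $true;     Network = $labels[0];                  Eth = 'eth1' }
        [pscustomobject]@{ Adapter = 3; Connected = $true;     Network = 'Management Access Network'; Eth = 'eth2' }
        [pscustomobject]@{ Adapter = 4; Connected = $true;     Network = $Interconnect;               Eth = 'eth3' }
    )
    for ($i = 5; $i -le 10; $i++) {
        $extra = $i - 4                       # adapter 5 carries VLAN[2], adapter 6 VLAN[3], ...
        $inUse = $extra -lt $labels.Count
        $network = if ($inUse) { $labels[$extra] } else { $Interconnect }   # unused extras go to the Interconnect
        $plan += [pscustomobject]@{ Adapter = $i; Connected = $inUse; Network = $network; Eth = "eth$($i - 1)" }
    }
    return $plan
}

function Set-TenantAdapters([hashtable]$Tenant, [string]$VCenter) {
    Connect-VIServer -Server $VCenter | Out-Null
    $vm = Get-VM -Name $Tenant.Appliance
    $hostPortGroups = Get-VirtualPortGroup -VMHost $vm.VMHost          # labels that exist on the workload server
    $interconnect = Resolve-TenantInterconnectName $Tenant.Name @($hostPortGroups | ForEach-Object { $_.Name })
    if (-not $interconnect) { throw "No '$($Tenant.Name) Interconnect' port group on $($vm.VMHost.Name)" }
    # "Network adapter 10" sorts before "Network adapter 2" as text, so sort numerically.
    $adapters = @(Get-NetworkAdapter -VM $vm | Sort-Object { [int]($_.Name -replace '\D', '') })
    if ($adapters.Count -lt 10) { throw "Appliance has $($adapters.Count) adapters, expected 10" }
    foreach ($row in Get-TenantAdapterPlan $Tenant $interconnect) {
        $pg = $hostPortGroups | Where-Object { $_.Name -eq $row.Network }
        if (-not $pg) { throw "Network label '$($row.Network)' does not exist on the workload server" }
        Set-NetworkAdapter -NetworkAdapter $adapters[$row.Adapter - 1] -Portgroup $pg `
            -StartConnected $row.Connected -Confirm:$false | Out-Null
    }
    Disconnect-VIServer -Server $VCenter -Confirm:$false
}

# Review the plan, then apply; run Config-TVNA.ps1 with -skipNICs afterwards, as step 8 says.
Get-TenantAdapterPlan $tenant "$($tenant.Name) Interconnect" | Format-Table -AutoSize
# Set-TenantAdapters -Tenant $tenant -VCenter 'vcenter.example.local'   # hypothetical vCenter name
```

Set-TenantAdapters refuses to proceed if a label from the plan is missing on the workload server, which is the failure the note "The network connection labels must already exist on the workload server" warns about; finding out before Config-TVNA.ps1 runs is cheaper than diagnosing a half-configured appliance afterwards.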

5.3.2. Adding a New VLAN to an Existing Tenant VLAN Network Appliance

If you have previously deployed a tenant VLAN network appliance for a certain tenant, you can configure additional VLAN connections on the same appliance. Each tenant VLAN network appliance can support up to seven VLANs.

Perform the following procedure to add a new VLAN to an existing tenant VLAN network appliance.

Note: Use this procedure only if you are adding a new (and previously unplanned) tenant VLAN to a tenant VLAN network appliance that you already configured. If you had previously planned to have multiple tenant VLANs, you do not need to perform this procedure; the procedure in 5.3.1 Deploying a New Tenant VLAN Network Appliance and VLAN already configured multiple tenant VLANs on the tenant VLAN network appliance.

1. Revise the worksheet for this tenant by filling out an additional VLAN column in Table 1–26.
2. Export the worksheet for this tenant to an XML file, as described in 1.1.6 Exporting the Data.
3. Perform the previous procedure, 5.3.1 Deploying a New Tenant VLAN Network Appliance and VLAN, except that you must skip step 2 (deploying the tenant VLAN network appliance from a template) because the virtual machine already exists.

To configure more than seven VLANs for the same tenant, you must configure an additional tenant VLAN network appliance. See 5.3.1 Deploying a New Tenant VLAN Network Appliance and VLAN.


5.4. Configuring the Management Network Appliance for a New Tenant VLAN

When you deploy a new tenant VLAN, you must configure the Management Network Appliance. Use one of the following procedures, depending on whether you are using a virtual Management Network Appliance or a physical router. If you are using a virtual Management Network Appliance, refer to the Network Appliance management VM information in Table 1–5.

5.4.1. Configuring the Virtual Management Network Appliance for a New VLAN

1. Open a console to the jump box management VM.
2. Ensure that the cloud provider XML file on the jump box management VM is up-to-date.
3. Ensure that a PowerShell (x86) window is open on the jump box management VM. If it is not already open, from the Start menu, point to All Programs, Accessories, and then Windows PowerShell, and click Windows PowerShell (x86).
4. Enter the following command from the PowerShell (x86) window on the jump box management VM:
   .\Config-TenantOnMNA.ps1
   If necessary, include the following parameters in the command:
   • If high availability (HA) is enabled, include the following:
     - If the name of the vCenter server administrator user has been updated, include -hostUser <user name>
     - If the password for the vCenter server administrator user has been updated, include -hostUserPw <password>
     Note: These additional parameters are required regardless of whether the vCenter Server is provided by Unisys or by the cloud provider.
   • If HA is not enabled, and the root user on the management server is using an updated password, include -hostUserPw <password>
   • If the vyatta user on the Management Network Appliance is using an updated password, include -vmUserPw <password>
   You are prompted to browse to the location of the XML file. Be sure to browse to the appropriate tenant XML file and not to the cloud provider XML file.
   For example, enter the following command for a tenant with updated credentials for the vyatta user on the Management Network Appliance:
   .\Config-TenantOnMNA.ps1 -vmUserPw myNewPw
   A password given on the command line is visible to anyone who can see the window or the session's command history, so close the window when the procedure is complete (step 5).

   The script performs the following actions:
   • Adds static routes to the management-side tenant VLAN ranges by way of the tenant VLAN network appliance address on the Management Access Network.
   • Adds the management-side tenant VLAN ranges to the TARGET_VM firewall network group.
   • If the tenant is not supplying their own DNS, adds NAT rules to enable traffic to reach the DNS server on the uChargeback management VM.
   Wait until the script stops displaying messages.
   Note: If you receive a warning message that there are limitations in your VMware ESX license, the script cannot be completed because the required VMware license is not installed on the management server. If you receive this warning, you can either install the required VMware license or perform the steps in 12.6.1 Configuring the Virtual Management Network Appliance for a New VLAN (with a VMware License Restriction).

   CHECKPOINT:
   Verify that the script completed successfully.
   If successful, the script displays the message "Completed normally," along with information about the log location. In this case, open a command prompt on the Cloud Orchestrator management VM, enter the following command, and verify that the tenant VLAN network appliance responds:
   ping <address of the tenant VLAN network appliance on the Management Access Network>
   If unsuccessful, the script displays an error message. Typically, the message indicates an error in the data in one of the XML files. For example, the message might indicate that an invalid subnet mask was specified for a certain address. To correct such a problem:
   a. Make corrections to the configuration worksheet.
   b. Export the corrected XML file (the tenant XML file, or the cloud provider XML file if the error was in that file) to the jump box management VM.
   c. Repeat this procedure from the beginning.
   To correct any other problems, refer to the troubleshooting document for Secure Private Cloud on the Unisys Support Web site at http://www.support.unisys.com
5. Close the PowerShell (x86) window.

5.4.2. Configuring a Physical Management Network Appliance<br />

for a New VLAN<br />

Notes:<br />

• The following procedure uses comm<strong>and</strong>s appropriate for Cisco switches. If you have<br />

another br<strong>and</strong> of switch, you must adapt these comm<strong>and</strong>s for that switch.<br />

• The following examples assume that the VLAN ID is 402, that it has an IP range<br />

192.168.102.0/24, <strong>and</strong> that the Management Access Network IP address range is<br />

172.31.2.0/24.<br />

5–20 3850 6804–007


1. Log in to the switch in privileged mode by typing enable, and then responding to the password prompt.

The prompt changes to end with #. (For example, it changes from MySwitch> to MySwitch#.)

2. Type the following command to enter configuration mode:

configure terminal

The prompt changes to end with (config)#. (For example, it changes from MySwitch# to MySwitch(config)#.)

3. Declare the VLANs by entering the following commands.

Note: If you want to use extended VLAN IDs (numbers higher than 1005), you must set vtp mode to transparent.

vlan

exit

where the VLAN ID list is the list of VLAN IDs that you want to be accessible to the workload server. (If the workload server is in a cluster, the list must be identical for every workload server in the cluster.) The VLAN IDs are listed in Table 1–20.

For example, enter

vlan 402

exit

4. Enter the following commands to prevent the tenant VLAN from sending any traffic to UDP ports 61132 and 61133, which are used by the Cloud Orchestrator management VM:

access-list deny udp host eq

Note: The switch evaluates an access list from the top down and applies the first entry that matches, so these deny entries must be entered before the permit entries in steps 5 through 7. If they are added after the permit entry of step 5, that entry already matches UDP traffic from the tenant VLAN to the Cloud Orchestrator management VM, and the deny entries are never reached.

For example, enter

access-list 402 deny udp 192.168.102.0 0.0.0.255 host 172.31.1.6 eq 61132

access-list 402 deny udp 192.168.102.0 0.0.0.255 host 172.31.1.6 eq 61133

5. Enter the following command to permit the virtual machines running on the tenant VLAN to access the management VMs running on the Management Access Network:

access-list permit

For example, enter

access-list 402 permit ip 192.168.102.0 0.0.0.255 172.31.1.0 0.0.0.255

Implementing a New Tenant VLAN

6. Enter the following command to permit the management VMs to access the tenant virtual machines using the Management Access Network VLAN:

access-list permit any

For example, enter

access-list 402 permit ip any 172.31.2.0 0.0.0.255

7. Enter the following command to permit the management VMs to access the tenant VLAN:

access-list permit

For example, enter

access-list 402 permit ip 172.31.1.0 0.0.0.255 192.168.102.0 0.0.0.255

8. Enter the following commands to apply the access list to the tenant VLAN interface (VLAN 402 in these examples) in both directions:

interface

ip access-group in

ip access-group out

For example, enter

interface vlan 402

ip access-group 402 in

ip access-group 402 out

Because the access list ends with an implicit deny, traffic between the tenant VLAN and the management side that none of the entries permits is dropped in both directions. Traffic between virtual machines on the same tenant VLAN does not cross this interface and is not affected.

9. Enter the following command to add a static route to the new tenant VLAN network appliance:

ip route

For example, enter

ip route 192.168.102.0 255.255.255.0 172.31.2.102

10. If the tenant does NOT have a DNS server, NAT rules must be created to ensure that the tenant VLAN can communicate with the DNS on the uChargeback management VM. Use ip nat commands to configure the following.

Note: A physical switch must support NAT to perform these commands. Refer to the documentation for your switch for more information on NAT and the specific commands that apply.

a. Configure the management access network VLAN interface as the network subject to inside NAT translation.

b. Configure NAT rules to translate the and destination addresses to the address.

11. Enter the following command to verify the configuration:

show running-config

12. Save the configuration by entering the following command:

copy running-config startup-config

You see the following: Destination Filename [startup-config]?

13. Press Enter.

CHECKPOINT:

You see the response [OK].

Enter the following command and verify that the tenant VLAN network appliance responds:

ping
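The order of the entries is worth checking mechanically before the list is applied to a production switch. The following Python script is an added example, not part of the Unisys guide or its scripts: it models first-match evaluation for the numbered extended access list built in this procedure, using the guide's example addresses and ports. It compares a list in which the permit entries were entered before the deny entries with one in which the deny entries come first, and it flags entries that can never fire. The access-list text in PAGE_ORDER and CORRECTED_ORDER and the test packets are constructed for this example; the script does not talk to a switch and supports only the any, host, address/wildcard and eq forms used here.

```python
"""Added example (not from the Unisys guide): a first-match model of the Cisco
numbered extended access list from 5.4.2. Addresses and ports are the guide's
example values; the ACL text and the packets checked below are constructed."""
import ipaddress

# Permit entries entered before the deny entries: the denies are shadowed.
PAGE_ORDER = """
access-list 402 permit ip 192.168.102.0 0.0.0.255 172.31.1.0 0.0.0.255
access-list 402 permit ip any 172.31.2.0 0.0.0.255
access-list 402 permit ip 172.31.1.0 0.0.0.255 192.168.102.0 0.0.0.255
access-list 402 deny udp 192.168.102.0 0.0.0.255 host 172.31.1.6 eq 61132
access-list 402 deny udp 192.168.102.0 0.0.0.255 host 172.31.1.6 eq 61133
"""

# The same entries with the deny entries entered first.
CORRECTED_ORDER = """
access-list 402 deny udp 192.168.102.0 0.0.0.255 host 172.31.1.6 eq 61132
access-list 402 deny udp 192.168.102.0 0.0.0.255 host 172.31.1.6 eq 61133
access-list 402 permit ip 192.168.102.0 0.0.0.255 172.31.1.0 0.0.0.255
access-list 402 permit ip any 172.31.2.0 0.0.0.255
access-list 402 permit ip 172.31.1.0 0.0.0.255 192.168.102.0 0.0.0.255
"""


def _parse_addr(tokens):
    """Consume one Cisco address spec (any | host A | A WILDCARD); return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    if wildcard == "0.0.0.0":            # all-zero wildcard: a single host
        return ipaddress.ip_network(addr + "/32"), tokens[2:]
    if wildcard == "255.255.255.255":    # all-ones wildcard: matches everything
        return ipaddress.ip_network("0.0.0.0/0"), tokens[2:]
    # ipaddress accepts a contiguous hostmask (a Cisco wildcard) in place of a prefix length
    return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False), tokens[2:]


def parse_acl(text):
    """Parse 'access-list N permit|deny PROTO SRC DST [eq PORT]' lines into tuples."""
    entries = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, rest = _parse_addr(t[4:])
        dst, rest = _parse_addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        entries.append((action, proto, src, dst, port))
    return entries


def evaluate(entries, proto, src, dst, dport=None):
    """Action for one packet: the first matching entry wins, otherwise the implicit deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, eproto, esrc, edst, eport in entries:
        if eproto != "ip" and eproto != proto:
            continue
        if s not in esrc or d not in edst:
            continue
        if eport is not None and eport != dport:
            continue
        return action
    return "deny"


def shadowed_entries(entries):
    """Indexes of entries that can never fire: an earlier entry already matches a
    representative packet for them (first host of each range, same port)."""
    shadowed = []
    for i, (_, proto, src, dst, port) in enumerate(entries):
        probe_proto = "udp" if proto == "ip" else proto
        for _, eproto, esrc, edst, eport in entries[:i]:
            if eproto not in ("ip", probe_proto):
                continue
            if (src.network_address in esrc and dst.network_address in edst
                    and (eport is None or eport == port)):
                shadowed.append(i)
                break
    return shadowed


if __name__ == "__main__":
    tenant_vm, orchestrator = "192.168.102.10", "172.31.1.6"
    for label, text in (("page order", PAGE_ORDER), ("corrected order", CORRECTED_ORDER)):
        acl = parse_acl(text)
        print(label, "udp/61132 ->", evaluate(acl, "udp", tenant_vm, orchestrator, 61132),
              "shadowed entries:", shadowed_entries(acl))
```

With the permit entries first, the two deny entries are reported as shadowed and a tenant packet to UDP port 61132 on 172.31.1.6 is permitted; with the deny entries first it is denied, other UDP and all TCP from the tenant VLAN to 172.31.1.0/24 stay permitted, and anything outside the listed ranges falls through to the implicit deny.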

5.5. Configuring the Cloud Orchestrator and uChargeback Management VMs to Communicate with Tenant VLAN

Perform the following procedure to enable communication between a tenant VLAN and the Management Access Network and Intercom Network.

Note: Ensure that the XML files on the jump box management VM are up to date.

1. Open a console to the jump box management VM.

2. Enter the following command from the PowerShell command window:

.\Configure-Routes.ps1 -tenantName ""

where the quoted value is the tenant name.

3. Enter the credentials if prompted.

The script uses information in the cloud provider XML file and a tenant XML file (which were exported from the configuration workbook in 2.7 Completing and Exporting Tenant Worksheets) to configure static routes that allow communication to the new VLAN from the following:

• Cloud Orchestrator management VM

• uChargeback management VM

• Jump box management VM

• Stealth Licensing management VM (if Stealth for Secure Private Cloud is enabled)

5.6. Configuring the Tenant VLAN Network Appliance to be Monitored by the Nagios Collector

Note: Perform this procedure on each tenant VLAN network appliance for VLANs with tenant servers that will be monitored by the Nagios Collector software, if it is included in your environment.

1. Using a vSphere Client that is connected to the vCenter server, open the console to the tenant VLAN network appliance.

2. Log in, using the vyatta user credentials, and enter the following command:

configure

3. Enter the following command to create a static DNS entry in the appliance, using the host name and IP address provided by your Unisys service consultant:

set system static-host-mapping host-name inet

This static entry enables the Nagios agent to communicate with the Nagios Collector over the Intercom Network.

4. Enter the following commands:

commit

save

exit

5.7. Additional Nagios Collector Configuration Information

Consider the following additional configuration information for the Nagios Collector software as you add new components to your environment and perform ongoing operations:

• Configure the firewall on Windows virtual machines to enable monitoring for all firewall profiles (domain, private, and public), so that monitoring does not stop when the network location of a virtual machine changes.

• It is recommended to use the collector name specified in to reference the collector when configuring the agent on the workload servers. This name was configured by your Unisys service consultant during the initial implementation.

• Nagios profiles are defined in the Nagios Collector, which is not part of the Secure Private Cloud product and must be implemented separately. Nagios profiles are created when the Nagios Collector is implemented.

When commissioning a resource, enter the name of an applicable Nagios profile as the Nagios Profile parameter of the blueprint used to commission the resource.

5.8. Configuring External Servers to Communicate with Tenant VLANs

Use the procedure in this section if the Secure Private Cloud environment is configured to use VLANs for tenant isolation and an external server requires communication with commissioned tenant resources on the tenant VLANs. You must add static route statements on the external server so that traffic to the tenant VLANs is routed through the Management Network Appliance as the gateway.

Skip this section if the external server does not require communication with tenant resources. Add routes only for the tenant VLANs that the server actually needs to reach: each route gives the external server a path into that tenant's network.

Procedure for Windows External Servers

1. Start the Windows Command Prompt using the Run as administrator option.

2. Enter the following command to add a static route:

route -p add mask

where

the first value is the management-side tenant VLAN subnet from Table 1–25,

the value after mask is the VLAN netmask from Table 1–25, and

the last value is the Management Network Appliance IP address on the Intercom Network from Table 1–5.

The -p option makes the route persistent, so it survives a restart of the server.

3. Repeat this command for each tenant VLAN as required.

Example

route -p add 10.3.1.0 mask 255.255.255.0 172.31.1.200

CHECKPOINT:

Verify that the external server is able to communicate with a tenant resource on the tenant's VLAN, using the FQDN of the tenant resource. If the tenant VLAN is configured, use the management-side FQDN of the tenant resource. For example,

ping tenant-0003.managed.spc.local

You can also confirm that the route was recorded by entering route print.


Section 6
Creating and Managing Tenant Configurations

This section describes how to create and manage tenant configurations using the Excel workbook, the Populator service, and the Secure Private Cloud portal. When you export data from the Excel workbook and run the appropriate Populator effector, the tenant, projects, and unrefined blueprints are created in the Secure Private Cloud portal and in RBADB, and departments for the tenant and projects are created in uChargeback. Perform the procedures in this section to add these components and refine blueprints so that they can be used by tenants.

When you onboard a new tenant, add new projects for an existing tenant, or create a new blueprint, you must perform the appropriate procedures as described in this section. If you are adding multiple tenants, repeat the procedures for the next tenant, using the XML data file for that tenant.

6.1. Updating Cloud Provider or Adding Tenant Information in the Secure Private Cloud Environment

Perform the following procedure to do the following in the Secure Private Cloud environment:

• Update cloud provider information

• Add new tenants

• Update existing tenants

When you perform this procedure for a tenant, you also automatically add or update all tenant projects and create new blueprints that can be refined.

Use the appropriate XML data file for the cloud provider or for the tenant you are adding or updating.

1. If you have not already done so, export the updated cloud provider or tenant data configuration XML file and save it to the jump box management VM.

Note: See 1.1 Completing Worksheets for Installation and Configuration for more information on exporting this file.

2. Open a console to the jump box management VM.

3. Enter the following command from the PowerShell command window:

.\Copy-Directory.ps1 -vmlist uco

This script copies the XML files from the jump box management VM to the Cloud Orchestrator management VM.

4. Open a console to the Cloud Orchestrator management VM.

5. Launch a Web browser, and access the uOrchestrate Operations Console using the URL in Table 2–2.

6. Log in to the Operations Console using the credentials in Table 2–1.

7. If you receive a message that the Operations Console has stopped polling, click OK.

8. In the Service Organization pane on the left, click the Populator service (refer to Figure 6–1).

Note: The position of the Populator service in the list can vary.

Figure 6–1. Operations Console Populator

9. Expand Effectors in the right pane to view the effectors.

10. Under All Effectors, click one of the following effectors:

• If you are adding a new tenant, click addTenant.

This effector adds one tenant, including projects and unrefined blueprints for that tenant. It requires an XMLFileName parameter to identify the XML data file for the tenant. Use the filename from step 1, including the extension.

If you are adding more than one tenant, you must complete this procedure for each tenant individually.

• If you are making modifications to an existing tenant, click updateTenant.

This effector updates one tenant, including projects and unrefined blueprints for that tenant. It requires an XMLFileName parameter to identify the XML data file for the tenant. Use the filename from step 1, including the extension.

• If you are updating the cloud properties, click updateCloudProperties.

This effector updates the cloud properties in RBADB.

Note: You do not need to enter a value for the XMLFileName parameter. The default value CloudProvider.xml is used.

11. Click Execute.

12. Check the result in the Result pane.

You should see the message "Completed" when the process is complete.

13. Expand Logs in the right pane to view the log messages.

Status and error messages from the Populator service are recorded both under Logs and in the following file:

\Unisys\SPC-Automation\logs\Configuration.log

Notes:

• In the Operations Console, you can either filter the messages by level or check the level of each message to determine if any errors are being reported.

• If you see an error that states the Cloud folder does not exist, you logged in to the Operations Console using the wrong credentials. You must use the credentials for the uOrchestrate Operations Console in Table 2–1.

14. If errors are reported, do the following:

a. Make the appropriate corrections in the cloud provider or tenant data worksheet and export the file.

b. Repeat this procedure.

Note: If you are updating a tenant, run the updateTenant effector (rather than the addTenant effector).

6.2. Configuring Stealth-Enabled VLANs

Perform the following procedure one time for each Stealth-enabled VLAN:

1. For the Stealth-enabled VLAN that you are configuring, verify that the information specified in Table 1–31 matches the vCenter configuration, as follows:

• Folder name – Verify that the folder name specified in Table 1–31 exists in vCenter (when viewed using the VMs and Templates view in the vSphere Client). If a folder with this name does not exist in vCenter, access the VMs and Templates view in the vSphere Client, and create the folder under the Datacenter specified in Table 1–11.

Note: The name of this folder must be unique within vCenter. The same folder can be shared by different tenants or by different Stealth-enabled VLANs, but the folder must have a unique name.

• Resource pool – Verify that the resource pool specified in Table 1–31 exists in vCenter in the appropriate workload server or cluster (the server or cluster where the infrastructure VMs should be created). If the resource pool does not exist, create it in the appropriate workload server or cluster.

• Datastore name – Verify that the datastore name value matches one of the storage names that is accessible by the workload servers or the cluster. If the datastore name is incorrect, make the appropriate correction.

Notes:

- If the value in the workbook is updated, re-export the tenant worksheet and copy it to the jump box management VM. See 1.1.6 Exporting the Data for more information.

- If the same storage is being used for commissioned virtual machines, the name of the storage should be compatible with the value defined in Table 1–13.

• Folder within the datastore – Verify that the folder name in the "Connection information for Workload vCenter" section of Table 1–9 exists in the datastore specified in the previous bullet. If this folder does not exist in that datastore, create the folder and upload the master.flp file to it.

2. Open a console to the jump box management VM.

3. Enter the following command from the PowerShell command window:

.\Generate-OnBoardingXML.ps1 -tenantName ""

where the quoted value is the tenant name.

Note: Quotation marks are required around the tenant name if the name contains spaces.

This script produces one XML file for each Stealth-enabled VLAN for the specified tenant. The XML files are located in C:\ProgramData\Unisys\SPC-Automation\XML, and their file names begin with OnBoarding_ and end with the extension .xml.

The command also generates a Job Groups XML file named "StealthOnBoardingJobs-restartable.xml" and several other supporting XML files. These files are located in a folder under C:\Unisys\Stealth whose name is the name of the tenant being onboarded (from Table 1–24), an underscore, and the identifier of the Stealth-enabled tenant VLAN (from Table 1–26).

4. Open a command prompt window, and type the following command:

cd C:\Unisys\Stealth

5. In the command prompt window, type the following command:

java -jar AutomationClient.jar C:\Unisys\Stealth\_\StealthOnBoardingJobs-restartable.xml

where the folder between C:\Unisys\Stealth\ and the file name is the tenant-name and VLAN-identifier folder generated earlier in this procedure by the Generate-OnBoardingXML command.

The java -jar command starts the onboarding process for the specified Stealth-enabled VLAN. This process takes about one and a half hours to complete.

6. Verify that the following registry entries exist on the Stealth Proxy Server and Stealth Relay Server infrastructure VMs, as follows:

a. Open a console to the Stealth Proxy Server infrastructure VM.

The Stealth Proxy Server VM name, user name, and password are listed in Table 1–31.

b. On the Start menu, click Run, enter regedit in the Open box, and then click OK.

c. In the Registry Editor, navigate to HKEY_LOCAL_MACHINE\Software\SaberNet.

d. Verify that a REG_SZ registry entry named Syslog exists and contains the IP address of the Stealth Relay Server.

If this registry entry does not exist, do the following:

• Right-click SaberNet, point to New, and then click String Value.

• Name the value Syslog.

• Right-click Syslog, and click Modify.

• In the Edit String dialog box, in the Value Data box, enter the IP address of the Stealth Relay Server from Table 1–31.

• Click OK to close the Edit String dialog box.

e. Close the Registry Editor.

f. Close the console to the Stealth Proxy Server infrastructure VM.

g. Restart the Stealth Proxy Server infrastructure VM.

h. Open a console to the Stealth Relay Server infrastructure VM.

The Stealth Relay Server VM name, user name, and password are listed in Table 1–31.

i. On the Start menu, click Run, enter regedit in the Open box, and then click OK.

j. In the Registry Editor, navigate to HKEY_LOCAL_MACHINE\Software\SaberNet.

k. Verify that a REG_SZ registry entry named Syslog exists and contains the value of the Stealth Licensing management VM FQN from Table 1–32.

If this registry entry does not exist, do the following:

• Right-click SaberNet, point to New, and then click String Value.

• Name the value Syslog.

• Right-click Syslog, and click Modify.

• In the Edit String dialog box, in the Value Data box, enter the value of the Stealth Licensing management VM FQN from Table 1–32.

• Click OK to close the Edit String dialog box.

l. Close the Registry Editor.

m. Close the console to the Stealth Relay Server infrastructure VM.

n. Restart the Stealth Relay Server infrastructure VM.

7. Repeat the previous two steps for each Stealth-enabled VLAN XML file for the tenant.

Note: If you experience any problems, see 12.14 Troubleshooting Configuring Stealth-Enabled VLANs.

CHECKPOINT:

1. Open a console to the Stealth Licensing management VM.

2. Verify the log information in Syslog.

6.3. Understanding Blueprints and General Blueprint Guidelines

A blueprint defines the resources that users can commission using the Secure Private Cloud portal. When users commission resources, they provide values for a set of parameters, based on constraints that the administrator or operator configures. Each blueprint is specific to a type of resource (virtual machine, physical server, or virtual desktop) and its associated attributes.

The types of resources that can be created and managed by users are determined by the blueprints that you create.

Understanding Base Blueprints, Unrefined Blueprints, and Refined Blueprints

Blueprints can be categorized as base blueprints, unrefined blueprints, and refined blueprints, as follows:

• Base blueprints are default blueprints that cannot be changed and cannot be used to commission resources. There is one base blueprint for each type of resource: virtual machine, physical server, and virtual desktop.

When you update the tenant worksheet with information about the blueprints that you want to create and then run the Populator addTenant or updateTenant effector, the base blueprints are automatically copied and saved with the name of your new blueprint. These copies are then edited to create more specific instances of a type of resource; this process is called blueprint refinement.

• Unrefined blueprints

When the Populator addTenant or updateTenant effector is run, unrefined blueprints are created using the blueprint name and description specified in the tenant worksheet. Unrefined blueprints must be refined before they can be used to successfully commission resources.

Note: When you run the updateTenant effector, any blueprints you already created and refined remain unchanged, and any new blueprints you added to the workbook are created in the Secure Private Cloud portal and in RBADB.

• Refined blueprints

Refined blueprints are blueprints that administrators or operators have refined. Users can use these blueprints to successfully commission resources.

When a user commissions a resource from a blueprint, the values saved in the refined blueprint and the values entered by the user are copied to the resource. A resource is always associated with the blueprint that was used to commission it, but if you later modify the blueprint values, those changed values are not copied to the resource.

You can refine all attributes associated with a blueprint, except the blueprint resource type (virtual machine, physical server, or virtual desktop).

The following guidelines apply to refining blueprints.

Blueprint Name

Blueprints should have unique and meaningful names so that end users can easily recognize the type of platform they are creating when they select a blueprint. The recommended blueprint naming convention is to indicate certain key attributes of the environment, such as

• The operating system type and version

• The functionality of the resource (such as a Web server, database server, and so forth) or the application stack included with the resource

• Whether the blueprint is for a virtual machine, physical server, or virtual desktop

For example, W2K3x64Exchange-VM indicates a Windows Server 2003 virtual machine that is used as an Exchange server. W2K3x86SQL2005-P indicates a Windows Server 2003 physical machine that is used as an SQL server. VOaaSGoldImageA-1024 indicates a virtual desktop using the gold image file named goldimageA.VHD with 1024 MB of memory.

Setting Constraints

As you configure blueprints, you can set constraints for each attribute. As the administrator, you configure how each attribute is presented to the user, as follows:

• Configure user access and visibility to the attribute using one of the following values:

- Read-write – The user commissioning a resource can see the attribute and can select from a list of values or type a value.

- Read-only – The user commissioning a resource can see the attribute and the selected value, but cannot change the value. If you set an attribute to read-only, and a value is required for the resource to be successfully commissioned, you must specify a default value.

For example, an OS Type is required for each resource, so if you set the OS Type to read-only, you must specify an OS Type. In contrast, the Resource Pool Override attribute is not required, so you can set it to read-only and leave it blank. As you create blueprints, you are given specific guidelines as to which blueprint attributes are required and which attributes should be set to read-only.

- Hidden – The user cannot see (or change) the attribute or the value you selected. If you set an attribute to hidden, and a value is required for the resource to be successfully commissioned, you must specify a default value.

For example, an OS Type is required for each resource, so if you set the OS Type to hidden, you must specify an OS Type. In contrast, the Resource Pool Override attribute is not required, so you can set it to hidden and leave it blank. As you create blueprints, you are given specific guidelines as to which blueprint attributes are required and which attributes should be set to hidden.

For some attributes, you can select the access type you want to use, but for some other attributes, you are directed to set the access to read-only or hidden. Read-only and hidden attributes are the values that tenant users cannot change, so they are the means by which a blueprint enforces a standard such as a particular template or OS type.

• Fix the value of an attribute.

To fix the value of an attribute, set the default value that you want to use, and then set the access to read-only or hidden so that the user cannot change it.

• Provide a default value.

If the attribute access is set to read-write, the default value for a blueprint property is the value that is suggested to the commissioning user; the user can change it. (If the attribute access is set to read-only or hidden, the default value is the value used for the commissioned resource, and the user cannot change it.)

If you do not want to suggest a default value (because the user must pick a value based on a specific situation), you do not have to specify a default unless you are specifically instructed to do so. However, if the value is required, the user must specify a value in order to successfully commission a resource.

Example

An OS Type is required for each resource, so if you set that value to read-write and do not provide a default, the user must specify an OS Type. In contrast, Operator Action Instructions (additional actions that users request for their resources) is not required, so you can set this value to read-write without a default, and the user can leave it blank. As users commission blueprints, they are given directions on which values are required.

• Provide a list of values (known as a "One Of" list) from which the user can select a value for an attribute.

When you provide a One Of list, you set the access to read-write so that the user can select from the list of values. You can also set a default value to be initially suggested. You select the Refined check box to create a list.

• Specify further constraints that limit a user's data entry.

If you want the user to enter values that meet certain criteria, you can select One Of or Regular Expression under Further Constraints. For example, if the name the user enters for a virtual machine must begin with "VM," you can select the Regular Expression option and then enter "VM.*" in the Regular Expression box. Test the constraint from the portal before you release the blueprint: if the portal does not anchor the expression to the start of the value, "VM.*" also accepts names that merely contain "VM," and "^VM.*" is needed to enforce the prefix.

Note: If you are setting access to an attribute as read-only or hidden, do not configure any Further Constraints. The user cannot enter any values for the attributes, and the Further Constraints are therefore meaningless.

For example, if the resource type is a virtual machine and you want users to be able to commission a Windows Server 2008 with a fixed number of CPUs and a variable amount of memory, you could refine the blueprint parameters as follows:

• CPU: In the Default list, select 1. Set the Access to read-only.

The user sees the value CPU: 1 but cannot change it.

• Memory: From the One Of list, select only the 2048 and 4096 check boxes (because at least 2 GB of memory is recommended for Windows Server 2008). Set the Default to 2048 to suggest that the user use less memory. Set the Access to read-write.

The user sees a list with the choices 2048 and 4096. The value 2048 is selected, but the user can change the value to 4096.

• Template: In the Default list, select the template for Windows Server 2008. Set the Access to hidden.

The user does not see the template.

• OS Type: In the Default list, select Windows Server 2008. Set the Access to read-only.

The user sees the OS Type: Windows Server 2008 but cannot change it.

6.4. Creating Blueprints

Do the following to create a new virtual machine or virtual desktop blueprint.

Note: Only Unisys service consultants can refine new physical server blueprints using the procedures in the Secure Private Cloud Implementation Guide (3850 6846).

1. Meet the prerequisites for the type of the blueprint you are creating, as follows:

• For new virtual machine blueprints, you must have created VMware vCenter Server templates for virtual machine commissioning, as described in Section 4, Creating VMware Template Gold Images.

• For virtual desktops, configure the Virtual Office as a Service solution, as described in the Secure Virtual Office as a Service Implementation and Best Practices Guide.

2. Create unrefined blueprints and add them to the Secure Private Cloud portal as follows:

Note: If you are onboarding a new tenant, you should have already entered the blueprint names in the worksheet, exported the worksheet, and run the Populator addTenant effector as part of the onboarding process. If you did so, you have already created unrefined blueprints, and you can skip to the next step.

a. Access the tenant worksheet and enter information for blueprints. The worksheet for each tenant includes data in Table 1–24 through Table 1–42. When the procedures in this section refer to any of these tables, be sure to use the data from the correct worksheet for the tenant.

b. Export the worksheet as described in 1.1.6 Exporting the Data.

c. Run the appropriate Populator effector as described in 6.1 Updating Cloud Provider or Adding Tenant Information in the Secure Private Cloud Environment.

The Populator effectors create the unrefined blueprints in the Secure Private Cloud portal and in RBADB.

3. From a workstation on the Public Network, sign in to the Secure Private Cloud portal using the URL in Table 2–2 and your cloud administrator credentials.

4. Click Administration, and then click Manage Blueprints.

5. Under Manage Blueprints, select the project associated with the blueprint you want to refine.

The Blueprint pane is updated to list all blueprints associated with the project.

6. Under Blueprints, select the blueprint you want to refine, and then click Edit Blueprint.

The blueprint name and description appear in the blueprint by default, based on the values you entered in the tenant worksheet. You must refine all other values to match the values you entered in the tenant worksheet.

7. Enter the values for each blueprint attribute based on the resource type and using the values in the tenant worksheets, as follows:

• For virtual machines, the tenant worksheet is Table 1–35. See 6.5 Virtual Machine Attributes and Values for detailed information on each attribute and value.

• For virtual desktops, the tenant worksheet is Table 1–39. See 6.6 Virtual Desktop Attributes and Values for detailed information on each attribute and value.

Note: If you are creating a virtual machine blueprint, you see the Performance Monitoring category with the Nagios Profile and Migrate VM attributes. These attributes are intended for Unisys service consultants who are configuring custom Nagios monitoring or migrating virtual machines from earlier versions of the Secure Private Cloud, respectively. Customer administrators and operators should set the access for these attributes to Hidden and make no other changes to the values.

8. Enter values for each group of attributes, and then click Next.

9. After you enter values for all attributes, click Apply.
6.5. Virtual Machine Attributes and Values

This topic describes the details of all available virtual machine attributes and values.

6.5.1. Virtual Machine General Configuration

Table 6–1. Virtual Machine Basic Attributes and Values

Attribute: Blueprint Name
Values: The name of the blueprint, which is displayed to administrators, operators, and users. You enter this value in the tenant worksheet, and when you run the Populator addTenant or updateTenant effector, this name is used in the Secure Private Cloud portal.
Notes:
• If you update this value in the Secure Private Cloud portal, you must also update it in the tenant worksheet.
• Blueprint names must follow the guidelines in 2.8.4 Naming Guidelines for Components in the Cloud Environment.

Attribute: Blueprint Description
Values: A description of the blueprint, which is displayed only to administrators and operators.

Table 6–2. Virtual Machine General Configuration Attributes and Values

Attribute: Name
Description: Descriptive name for the resource being commissioned (not the blueprint name).
Values:
• Default: Leave this box blank so that the user can enter a name for the commissioned resource.
• Access: Select Read-Write.
Note: This user-configured value is used only for display and tracking purposes. It is not related to the virtual machine host name.

Attribute: CPUs
Description: Number of CPUs.
Values:
• One Of: Select the CPU values that you want the user to be able to select from. You can select one or more values.
• Default: If you want the user to select from a list of numbers of CPUs, you can set a default or select none. If you want to force the user to use a specific number of CPUs, select the specific value in the Default list.
Note: The Default value must be one of the values selected in the One Of box.
• Access: If you want the user to select the number of CPUs, select Read-Write. If you want to force the user to use a specific number of CPUs, select Read-Only or Hidden.

Attribute: Memory
Description: Memory size in megabytes (MB).
Values:
Note: All memory must be entered in multiples of 512 MB.
• Default: If you want to force the user to use a specific amount of memory, enter it in this box. Or, if you want the user to select from a range or list of memory sizes, you can set a default value in this box. If you do not want to set a specific amount of memory or a default amount of memory, leave this box blank.
• Further Constraints:
- None: If you want to force the user to use a specific amount of memory, enter that amount in the Default box, and then set the Further Constraints to None.
- One Of: If you want the user to select from a list of specific values, set the Further Constraints to One Of, and then enter the values in the One Of box. Separate the values you enter with commas. If you enter a value in the Default box, you must also enter that same value in the One Of box.
- Range: If you want the user to select from a range of values (using a slider bar), set the Further Constraints to Range, and then enter the minimum and maximum values and the increment for the slider bar. The Minimum and Maximum values must be multiples of 512 MB. The Increment value must equal 512 MB.
• Access: If you want the user to select the amount of memory, select Read-Write. If you want to force the user to use a specific amount of memory, select Read-Only or Hidden.

Attribute: Template
Description: Template to be used by the VMware clone and customization process.
Values:
Note: The Template value must match the OS Type value. Therefore, if you want to provide a list of templates for the user to choose from, it is highly recommended that they all have the same operating system.
• Refined: If you select this check box, the One Of list appears, and you can create a list of templates from which the end user can select.
• Default: If you want the user to select from a list of templates, you can set a default or select none. If you want to force the user to use a specific template, select it in the Default list.
• Access: If you want the user to select from a list of templates, select Read-Write. If you want to force the user to use a specific template, select Read-Only or Hidden.

Attribute: OS Type
Description: Operating system installed in the target template.
Values:
Notes:
• The OS Type must match the operating system installed in the template. Therefore, you should only configure a list of operating systems if you provide a list of templates. It is highly recommended that you select one operating system and set the value to Read-Only or Hidden.
• If you are a Unisys service consultant migrating a blueprint from a previous version of the Secure Private Cloud, select the operating system type that is closest to the one previously used for the blueprint. (Do not use Other for a Windows Server 2008 blueprint type, as you did in previous releases.)
• Refined: If you select this check box, the One Of list appears, and you can create a list of operating systems from which the end user can select.
• Default: If you want the user to select from a list of operating systems, you can set a default or select none. If you want to force the user to use a specific operating system, select it in the Default list.
• Access: If you want the user to select from a list of operating systems, select Read-Write. If you want to force the user to use a specific operating system, select Read-Only or Hidden.


6.5.2. Virtual Machine Resource Balancer

Table 6–3. Virtual Machine Resource Balancer Attributes and Values

Attribute: Resource Pool Override
Description: A regular expression that limits the resource pools that are considered to host the commissioned virtual machine. This value overrides the standard system-wide resource pool filter.
Values: If you want to override the standard system-wide resource pool filter and manually limit the resource pools that are used to host commissioned virtual machines, enter the following values. Otherwise, skip this attribute.
• Default: Enter an expression that you want to use to limit the resource pools used for the commissioned virtual machines and that matches resource pools in your environment. For example, if you want to limit the resource pools to pools that begin with the word "Windows", then enter "Windows.*" in this box.
• Access: Set this value to Read-Only or Hidden.
Note: Do not set any Further Constraints. This value should be read-only or hidden from the user, and so further constraints are meaningless.

Attribute: Datastore Override
Description: A regular expression that limits the datastores that are considered to host the commissioned virtual machine. This value overrides the standard system-wide datastore filter.
Values: If you want to override the standard system-wide datastore filter and manually limit the datastores that are used to host commissioned virtual machines, enter the following values. Otherwise, skip this attribute.
• Default: Enter an expression that you want to use to limit the datastores used for the commissioned virtual machines and that matches the datastores in your environment. For example, if you want to limit the datastores to datastores that begin with the word "Windows", then enter "Windows.*" in this box.
• Access: Set this value to Read-Only or Hidden.
Note: Do not set any Further Constraints. This value should be read-only or hidden from the user, and so further constraints are meaningless.
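The refinement rules described at the start of this section (fixed values, defaults, required values, One Of lists, Regular Expression constraints), the 512 MB rules for the Memory attribute in Table 6–2, and the regular-expression overrides in Table 6–3 can all be checked mechanically before a blueprint is published. The following Python is an added example, not code from this guide or from the Secure Private Cloud product: it models an attribute with the guide's Access, Default, Required and Further Constraints settings (the class, field and function names are this example's own), reports definition mistakes such as a Default that is missing from the One Of list or constraints on a hidden attribute, and computes the value a commission request would actually use. It assumes that a Regular Expression constraint is matched against the whole value (full match), which is what makes "VM.*" mean "begins with VM"; the guide does not say which semantics the portal uses, and if the real engine only searches for the pattern, "VM.*" would also accept a name such as "myVM1", so an anchored expression is the safer way to write such a constraint.

```python
import re
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass
class Attribute:
    # Field names are this example's own; the settings are the guide's.
    name: str
    access: str                        # read-write | read-only | hidden
    required: bool = False
    default: Optional[str] = None
    constraint: str = "none"           # Further Constraints: none | one-of | regex | range
    one_of: Sequence[str] = ()
    regex: Optional[str] = None
    range_min: Optional[int] = None
    range_max: Optional[int] = None
    increment: Optional[int] = None
    multiple_of: Optional[int] = None  # 512 for Memory (MB), per Table 6-2


def definition_problems(attr: Attribute) -> list:
    """Return the definition rules from the guide that this attribute breaks."""
    p = []
    if attr.access != "read-write":
        # Read-only/hidden: the Default is the fixed value, so Further Constraints
        # are meaningless and a required attribute must carry a Default.
        if attr.constraint != "none":
            p.append(f"{attr.name}: further constraints are meaningless when access is {attr.access}")
        if attr.required and attr.default in (None, ""):
            p.append(f"{attr.name}: fixed required attribute has no default")
    if attr.constraint == "one-of" and attr.default not in (None, "") and attr.default not in attr.one_of:
        p.append(f"{attr.name}: default {attr.default!r} is not in the One Of list")
    if attr.constraint == "regex":
        try:
            re.compile(attr.regex or "")
        except re.error as exc:
            p.append(f"{attr.name}: bad regular expression ({exc})")
    rng = (attr.range_min, attr.range_max, attr.increment)
    if attr.constraint == "range" and None in rng:
        p.append(f"{attr.name}: range needs minimum, maximum and increment")
    elif attr.constraint == "range" and (attr.range_min > attr.range_max or attr.increment <= 0
                                         or (attr.range_max - attr.range_min) % attr.increment):
        p.append(f"{attr.name}: range bounds do not fit the increment")
    if attr.multiple_of:
        m = attr.multiple_of
        listed = [v for v in (attr.default, *attr.one_of) if v not in (None, "")]
        if any(int(v) % m for v in listed):
            p.append(f"{attr.name}: default and One Of values must be multiples of {m}")
        if attr.constraint == "range" and None not in rng and (
                attr.range_min % m or attr.range_max % m or attr.increment != m):
            p.append(f"{attr.name}: range bounds must be multiples of {m} and the increment must equal {m}")
    return p


def effective_value(attr: Attribute, submitted: Optional[str] = None) -> Optional[str]:
    """Value used to commission the resource; ValueError if the input is refused."""
    if attr.access != "read-write":
        return attr.default                  # the user cannot change a fixed value
    value = submitted if submitted not in (None, "") else attr.default
    if value in (None, ""):
        if attr.required:
            raise ValueError(f"{attr.name}: a value is required")
        return None
    if attr.constraint == "one-of" and value not in attr.one_of:
        raise ValueError(f"{attr.name}: {value!r} is not one of {list(attr.one_of)}")
    # Full match is assumed: "VM.*" then means "begins with VM" (search() would not).
    if attr.constraint == "regex" and not re.fullmatch(attr.regex, value):
        raise ValueError(f"{attr.name}: {value!r} does not match {attr.regex!r}")
    if attr.constraint == "range":
        n = int(value)
        if not attr.range_min <= n <= attr.range_max or (n - attr.range_min) % attr.increment:
            raise ValueError(f"{attr.name}: {n} is not a position on the slider")
    return value


def rejects(attr: Attribute, submitted: Optional[str]) -> bool:
    """True when the submitted value would be refused at commission time."""
    try:
        effective_value(attr, submitted)
    except ValueError:
        return True
    return False


def filter_by_override(candidates: Sequence[str], override: Optional[str]) -> list:
    """Table 6-3 override: keep only the pool or datastore names the expression matches."""
    if not override:
        return list(candidates)
    pattern = re.compile(override)
    return [c for c in candidates if pattern.fullmatch(c)]


if __name__ == "__main__":
    # Constructed sample: the Windows Server 2008 refinement from this section.
    memory = Attribute("Memory", "read-write", required=True, default="2048",
                       constraint="one-of", one_of=("2048", "4096"), multiple_of=512)
    print(definition_problems(memory), effective_value(memory, "4096"))
    print(filter_by_override(["Windows-Pool", "Linux-Pool"], "Windows.*"))
```

Running definition_problems over every attribute of a blueprint before it is applied catches the mistakes the guide warns about (a Default outside the One Of list, constraints on a read-only or hidden attribute, a memory slider whose increment is not 512) without waiting for a user's commission request to fail.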


6.5.3. Virtual Machine Operating System Customization

Table 6–4. Virtual Machine Operating System Customization Attribute and Values

Attribute: Customize OS
Description: Enables customization of the virtual machine operating system.
Values:
• Default: Select True.
• Access: Select Hidden.
Note: You must select these values. If you change the Default value to None or False, or if you allow the user to change it, none of the custom values you enter are configured in the virtual machine operating system.

Table 6–5. Virtual Machine Operating System Attributes and Values

Attribute: Machine Name Source
Description: Algorithm used to assign a name to a commissioned resource.
Values:
• Refined: Do not select this check box.
• Default: Select one of the following machine name sources:
- Generated: The system assigns a name based on the HostNamePrefix property set during initial implementation in the VMware Sysprep Configuration.
- UserAssigned: The user assigns the host name. The host name must be between one and 15 characters; must include only letters, numbers, and hyphens; must begin and end with a letter or number; and must not consist entirely of numbers.
- UseDefault: The system assigns a value for Machine Name Source based on the UserProvidedMachineName property set during initial implementation in the VMware Sysprep Configuration. If the UserProvidedMachineName property is True, then the UserAssigned Machine Name Source is used. If the UserProvidedMachineName property is False, then the Generated Machine Name Source is used.
- MCP: If you are configuring a blueprint for an MCP server, select this value.
• Access: Set this value to Read-Only or Hidden.


Table 6–5. Virtual Machine Operating System Attributes and Values (cont.)

Attribute: Host Name
Description: Input into the generation of the virtual machine operating system host name.
Values: This value enables the user to enter a unique host name, if either of the following is configured:
• The Machine Name Source value is UserAssigned.
• The Machine Name Source value is UseDefault, and the UserProvidedMachineName is set to True during initial implementation in the VMware Sysprep Configuration.
If the Machine Name Source value is Generated or MCP, this value is ignored.
• Default: Leave this box blank.
• Access: If the user should enter a host name, set this value to Read-Write. If the user does not enter a host name, set this value to Hidden.

Attribute: Windows License Key
Description: The license key for a Windows operating system.
Values:
• Default:
- For non-Windows operating systems, leave this box blank.
- For Windows operating systems, type the Windows operating system product key.
• Access: Set the value to Hidden.

Attribute: Random Password
Description: Determines if a random administrative password is assigned for additional security.
Values:
• One Of: Select one or more of the following values:
- Yes: A randomly generated Administrator (for Windows) or root (for Linux) password will be assigned to the newly commissioned virtual machine.
- No: A predefined password is assigned, based on the SysPrepVMAdminPwd property set during initial implementation in the VMware Sysprep Configuration table.
- UseDefault: The system assigns a value for Random Password based on the SysPrepRandomAdminPwd property set during the initial implementation in the VMware Sysprep Configuration table. If the SysPrepRandomAdminPwd property is True, then a random password is assigned (same as value Yes). If the SysPrepRandomAdminPwd property is False, then a predefined password is assigned, based on the SysPrepVMAdminPwd property set during initial implementation in the VMware Sysprep Configuration table (same as value No).
• Default: If you want the user to choose whether to implement a random administrator password, you can set a default or select none. If you want to force the user to use a particular option, select it in the Default list.
• Access: If you want the user to be able to configure this attribute, set this value to Read-Write. If not, set this value to Read-Only or Hidden.
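The Machine Name Source and Random Password attributes in Table 6–5 both have a UseDefault setting that is resolved through a property recorded during initial implementation (UserProvidedMachineName and SysPrepRandomAdminPwd respectively), and a UserAssigned host name must satisfy the four rules listed under Machine Name Source. The following Python is an added example, not code from this guide or from the Secure Private Cloud product: it resolves the effective settings for a commission request, validates a user-assigned host name against those rules, and flags the case in which the predefined SysPrepVMAdminPwd password (which every virtual machine commissioned with Random Password No or an equivalent UseDefault shares) will be assigned instead of a random one. The dict keys, function names and the sample sysprep values are this example's own assumptions.

```python
import re

# UserAssigned host name rule from Table 6-5: 1 to 15 characters; letters,
# digits and hyphens only; begins and ends with a letter or digit; not all digits.
_USER_HOSTNAME = re.compile(r"(?!\d+$)[A-Za-z0-9](?:[A-Za-z0-9-]{0,13}[A-Za-z0-9])?")


def valid_user_hostname(name: str) -> bool:
    return _USER_HOSTNAME.fullmatch(name) is not None


def effective_machine_name_source(source: str, sysprep: dict) -> str:
    """UseDefault resolves through the UserProvidedMachineName sysprep property."""
    if source == "UseDefault":
        return "UserAssigned" if sysprep.get("UserProvidedMachineName") else "Generated"
    return source


def effective_random_password(setting: str, sysprep: dict) -> bool:
    """True when a random Administrator/root password will be generated."""
    if setting == "UseDefault":
        return bool(sysprep.get("SysPrepRandomAdminPwd"))
    return setting == "Yes"


def resolve_customization(request: dict, sysprep: dict) -> dict:
    """Apply the Table 6-5 rules to a commission request (dict keys are this example's)."""
    problems, warnings = [], []
    source = effective_machine_name_source(request["MachineNameSource"], sysprep)
    host = None
    if source == "UserAssigned":
        host = request.get("HostName") or ""
        if not valid_user_hostname(host):
            problems.append(f"host name {host!r} breaks the UserAssigned rules")
    elif source not in ("Generated", "MCP"):
        problems.append(f"unknown Machine Name Source {source!r}")
    # Generated and MCP: any Host Name input is ignored, so host stays None.
    random_pw = effective_random_password(request["RandomPassword"], sysprep)
    if not random_pw:
        # The predefined SysPrepVMAdminPwd is shared by every VM that uses it.
        warnings.append("predefined administrator password (SysPrepVMAdminPwd) will be assigned")
    return {"MachineNameSource": source, "HostName": host,
            "RandomPassword": random_pw, "Problems": problems, "Warnings": warnings}


if __name__ == "__main__":
    # Constructed sample sysprep properties and request.
    sysprep = {"UserProvidedMachineName": True, "SysPrepRandomAdminPwd": False}
    print(resolve_customization({"MachineNameSource": "UseDefault", "HostName": "web-01",
                                 "RandomPassword": "UseDefault"}, sysprep))
```

The Warnings entry is what an administrator reviewing a blueprint most wants to see: with Random Password left at UseDefault, whether the commissioned machine gets a unique password or the shared predefined one depends entirely on the SysPrepRandomAdminPwd value chosen at implementation time, not on anything visible in the blueprint itself.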


Table 6–5. Virtual Machine Operating System Attributes and Values (cont.)

Attribute: Auto Logon Count
Description: For Windows operating systems, defines how many times the operating system performs an automatic log on during or after Sysprep.
Values:
Note: For non-Windows operating systems, skip this attribute.
• Default: Enter 1.
• Access: Set this value to Read-Only or Hidden.

Attribute: Run Once Command
Description: Defines a "run once command" for Windows virtual machine operating systems; this command is executed during Sysprep processing.
Values:
Note: For non-Windows operating systems, skip this attribute.
• Default: Depending on the Windows operating system, enter one of the following values:
- For Windows Server 2003 or Windows XP, enter
C:\dns-setup.vbs
- For Windows Vista and Windows 7 operating systems, enter
shutdown /r /f /t 0
The shutdown command causes the virtual machine operating system to be restarted, so it is logged out after Sysprep is complete.
- For Windows Server 2008 environments with the optional Key Management Service (KMS) server, enter
C:\activate.vbs
The script specifies the name of the KMS host to contact and activates Windows.
• Access: Set this value to Read-Only or Hidden.


Table 6–6. Virtual Machine Network Configuration Attributes and Values

Attribute: DHCP
Description: If this setting is true, the virtual machine is configured to use DHCP for all network adapters. If this setting is false, the first network adapter is configured with the fixed address information specified in the commission request and any other network adapters are configured for DHCP.
Values:
• Default:
- Select None if you do not want to set a default.
- Select True if you want the virtual machine to use DHCP by default.
- Select False if you want the virtual machine to set a static IP address by default.
• Access: Set this value to Read-Write if you want to allow the user to select the address type, or set this value to Read-Only or Hidden if you want the virtual machine to use a specific address type.
Note: If you set the Default to None, you must set the Access to Read-Write.

Attribute: IPv4 Address
Description: If DHCP is False, this is the fixed IP address to use for the first network adapter in the virtual machine. This setting should be left blank if using DHCP.
Values:
• Default: Leave this box blank.
• Access:
- Set this value to Read-Write if DHCP is False or if you allowed the user to specify the DHCP setting.
- Set this value to Read-Only or Hidden if DHCP is True.

Attribute: Subnet Mask
Description: If DHCP is False, this is the subnet mask to use for the fixed IP address.
Values:
• Default: Leave this box blank.
• Access:
- Set this value to Read-Write if DHCP is False or if you allowed the user to specify the DHCP setting.
- Set this value to Read-Only or Hidden if DHCP is True.

Attribute: Gateway
Description: If DHCP is False, this is the default gateway to use for the fixed IP address.
Values:
• Default: Leave this box blank.
• Access:
- Set this value to Read-Write if DHCP is False or if you allowed the user to specify the DHCP setting.
- Set this value to Read-Only or Hidden if DHCP is True.
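The DHCP attribute and the three fixed-address attributes in Table 6–6 depend on each other: a DHCP Default of None forces Read-Write access, and IPv4 Address, Subnet Mask and Gateway must be Read-Write whenever DHCP is False or user-selectable and Read-Only or Hidden when DHCP is fixed to True. The following Python is an added example, not code from this guide or from the Secure Private Cloud product: it checks a blueprint's network attributes for those consistency rules, sanity-checks a submitted fixed address before it would be pushed into the guest (the address is a host address of the subnet and the gateway lies inside it), and computes the adapter configuration a commission request produces, with the first adapter fixed and the rest on DHCP as the DHCP description states. The dict layout, the function names and the sample values in 10.0.1.0/24 are constructed for this example.

```python
import ipaddress

STATIC_FIELDS = ("IPv4 Address", "Subnet Mask", "Gateway")

# Constructed sample blueprint: DHCP fixed to False, user supplies the fixed address.
SAMPLE_BLUEPRINT = {
    "DHCP": {"Default": False, "Access": "Read-Only"},
    "IPv4 Address": {"Default": None, "Access": "Read-Write"},
    "Subnet Mask": {"Default": None, "Access": "Read-Write"},
    "Gateway": {"Default": None, "Access": "Read-Write"},
}
# Constructed sample commission request (values only for Read-Write attributes).
SAMPLE_REQUEST = {"IPv4 Address": "10.0.1.20", "Subnet Mask": "255.255.255.0",
                  "Gateway": "10.0.1.1"}


def network_definition_problems(bp: dict) -> list:
    """Consistency rules of Table 6-6; bp maps attribute -> {"Default", "Access"}."""
    p = []
    dhcp = bp["DHCP"]
    user_picks = dhcp["Access"] == "Read-Write"
    if dhcp["Default"] is None and not user_picks:
        p.append("DHCP: Default None requires Access Read-Write")
    for name in STATIC_FIELDS:
        a = bp[name]
        if a["Default"] not in (None, ""):
            p.append(f"{name}: Default must be left blank")
        if (dhcp["Default"] is False or user_picks) and a["Access"] != "Read-Write":
            p.append(f"{name}: must be Read-Write when DHCP is False or user-selectable")
        if dhcp["Default"] is True and not user_picks and a["Access"] == "Read-Write":
            p.append(f"{name}: should be Read-Only or Hidden when DHCP is fixed to True")
    return p


def static_address_problems(ip: str, mask: str, gateway: str) -> list:
    """Sanity checks on a fixed address before it is pushed into the guest."""
    try:
        iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as exc:            # AddressValueError / NetmaskValueError
        return [f"invalid address data: {exc}"]
    net = iface.network
    p = []
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        p.append(f"{iface.ip} is the network or broadcast address of {net}")
    if gw not in net:
        p.append(f"gateway {gw} is not inside {net}")
    elif gw == iface.ip:
        p.append("gateway equals the host address")
    return p


def resolve_network(bp: dict, submitted: dict) -> dict:
    """Adapter configuration a commission request produces; ValueError if refused."""
    dhcp = bp["DHCP"]["Default"]
    if bp["DHCP"]["Access"] == "Read-Write" and "DHCP" in submitted:
        dhcp = submitted["DHCP"]              # the user chose the address type
    if dhcp is None:
        raise ValueError("DHCP: the user must choose True or False")
    if dhcp:
        return {"first_adapter": "DHCP", "other_adapters": "DHCP"}
    values = {}
    for name in STATIC_FIELDS:
        v = submitted.get(name) if bp[name]["Access"] == "Read-Write" else bp[name]["Default"]
        if not v:
            raise ValueError(f"{name}: required when DHCP is False")
        values[name] = v
    problems = static_address_problems(values["IPv4 Address"], values["Subnet Mask"], values["Gateway"])
    if problems:
        raise ValueError("; ".join(problems))
    return {"first_adapter": values, "other_adapters": "DHCP"}


if __name__ == "__main__":
    print(network_definition_problems(SAMPLE_BLUEPRINT))
    print(resolve_network(SAMPLE_BLUEPRINT, SAMPLE_REQUEST))
```

The address checks matter because the guide leaves IPv4 Address, Subnet Mask and Gateway blank and Read-Write for the user to fill in; a gateway outside the subnet or an address that collides with the network or broadcast address produces a commissioned machine that silently has no connectivity, which is harder to diagnose after Sysprep than before.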


Table 6–6. Virtual Machine Network Configuration Attributes and Values (cont.)

Attribute: Port Group Network Name
Description: This setting is used for VLANs. The Port Group Network Name is also known as the Tenant VLAN Network Label; it identifies the tenant's VLAN on the workload server. The first virtual machine network adapter is assigned to the value specified in the blueprint.
Values:
• Refined: Ensure this check box is not selected.
• Default:
- If you are not using VLANs, select Unchanged.
- If you are using VLANs, select the VLAN that matches the Tenant VLAN network label in Table 1–26.
• Access: Set this value to Read-Only or Hidden.
Note: These settings are recommended for a normal configuration. However, if your tenant has multiple VLANs and has end users who are knowledgeable about networking (for example, if you are configuring a test environment for a group of software developers), you could allow these users to choose their own VLAN by selecting the Refined check box, selecting multiple VLANs in the Default list, and setting the Access to Read-Write.

Attribute: COI Set
Description: This setting is used if your environment includes Stealth for Secure Private Cloud. The COI Set determines which other components this virtual machine can communicate with.
Values: Virtual machines commissioned from this template will include this Stealth for Secure Private Cloud COI Set.
• Default:
- Enter one COI Set Name from Table 1–33 in the tenant worksheet.
- If Stealth for Secure Private Cloud is not included in your environment, leave this box blank.
• Access: For security, set this value to Hidden.
Note: Do not set any Further Constraints. This value should be read-only or hidden from the user, and so further constraints are meaningless.


6.5.4. Virtual Machine Additional Instructions

Table 6–7. Virtual Machine Additional Instruction Attributes and Values

Attribute: Operator Action Required
Description: Determines whether additional operator actions can be requested.
Values:
• Default:
- Select None if you do not want to set a default.
- Select True if you want to specify that additional operator actions can be requested by default.
- Select False if you want to specify that additional operator actions cannot be requested by default.
• Access: Set this value to Read-Write if you want to allow the user to select whether additional operator actions can be requested, or set this value to Hidden if you want to specify whether additional operator actions can be requested.
Note: If you set the Default to None, you must set the Access to Read-Write.

Attribute: Operator Action Instructions
Description: Lists all required operator actions.
Values: If Operator Action Required is True, this text box provides a place for the user to enter required actions.
• Default: Leave this box blank, or enter parameters that help the user to enter meaningful operator actions. For example, enter:
Additional required disk size (in GB):
Additional software:
Additional memory (in GB):
Note: The user can overwrite any text you enter.
• Access:
- Set this value to Read-Write if Operator Action Required is True or if you allowed the user to specify this setting.
- Set this value to Hidden if Operator Action Required is False.

Attribute: VM Migration
Description: Specifies whether a virtual machine should be migrated from an earlier version of the Secure Private Cloud.
Values: Unisys service consultants use this attribute to migrate virtual machines from earlier versions of the Secure Private Cloud environment.
Note: Unless you are a Unisys service consultant migrating virtual machines from an earlier version of the Secure Private Cloud, you must not change these values.
• Default: Enter True if you are migrating a virtual machine.
• Access: Select Hidden.


Table 6–7. Virtual Machine Additional Instruction Attributes <strong>and</strong> Values (cont.)<br />

Attribute Name<br />

<strong>and</strong> Description Values<br />

Migration VM<br />

Name<br />

Specifies the name<br />

of the virtual<br />

machine to be<br />

migrated.<br />

Unisys service consultants use this attribute to list the name of the virtual machine<br />

being migrated from an earlier version of the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> environment.<br />

Note: Unless you are a Unisys service consultant migrating virtual machines from an<br />

earlier version of the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong>, you must not change these values.<br />

Default: If VM Migration is True, enter the name of the VMware virtual machine that<br />

you want to migrate. Otherwise, leave this box blank.<br />

Access: Select Hidden.<br />

Table 6–8. Resource Pre-Expiration Notification

Provide Lease Details: Specifies whether the user should be notified in advance when the resource lease will expire.

• Lease pre-expiration notification: Select one of the following values:
  - Do not send pre-expiration notifications: The user does not receive notice before the resource expires.
  - 1 Day: The user receives notice one day before the resource expires.
  - 1 Week: The user receives notice one week before the resource expires.
  - Custom: Type a Date Value and select a Date Option to determine when the user should receive notice that the resource will expire. Enter the Date Value as a whole number, and then select the Date Option as either Day, Week, Month, or Hour. For example, enter 12 as the Date Value and select Hour as the Date Option to notify the user 12 hours before the resource expires.

6.6. Virtual Desktop Attributes and Values

This topic describes the details of all available virtual desktop attributes and values.

6.6.1. Virtual Desktop General Configuration

Table 6–9. Virtual Desktop Basic Attributes and Values

Blueprint Name: The name of the blueprint, which is displayed to administrators, operators, and users. You enter this value in the tenant worksheet, and when you run the Populator addTenant or updateTenant effector, this name is used in the Secure Private Cloud portal.

Notes:
• If you update this value in the Secure Private Cloud portal, you must also update it in the tenant worksheet.
• Blueprint names must follow the guidelines in 2.8.4 Naming Guidelines for Components in the Cloud Environment.

Blueprint Description: A description of the blueprint, which is displayed only to administrators and operators.

Table 6–10. Virtual Desktop General Configuration Attributes and Values

Name: Descriptive name for the resource being commissioned (not the blueprint name).
• Default: Leave this box blank so that the user can enter a name for the commissioned resource.
• Access: Select Read-Write.

Note: This user-configured value is used only for display and tracking purposes. It is not related to the virtual desktop host name.

Assign to User: The name of the user who will use the virtual desktop.
• Default: Leave this box blank so that the person commissioning the virtual desktop can enter the user name.

  Notes:
  - An operator might commission multiple virtual desktops on behalf of a group of users.
  - This value must match the user name as it is configured in Session Manager during the Virtual Office as a Service deployment.

• Access: Select Read-Write.


6.6.2. Virtual Desktop Additional Instructions

Table 6–11. Virtual Desktop Additional Instruction Attributes and Values

Operator Action Required: Determines whether additional operator actions can be requested.
• Default:
  - Select None if you do not want to set a default.
  - Select True if you want to specify that additional operator actions can be requested.
  - Select False if you want to specify that additional operator actions cannot be requested.
• Access: Set this value to Read-Write if you want to allow the user to select whether additional operator actions can be requested, or set this value to Hidden if you want to specify whether additional operator actions can be requested.

Note: If you set the Default to None, you must set the Access to Read-Write.

Operator Action Instructions: Lists all required operator actions. If Operator Action Required is True, this text box provides a place for the user to enter required actions.
• Default: Leave this box blank, or enter parameters that help the user to enter meaningful operator actions. For example, enter:

  Additional software:

  Note: The user can overwrite any text you enter.

• Access:
  - Set this value to Read-Write if Operator Action Required is True or if you allowed the user to specify this setting.
  - Set this value to Hidden if Operator Action Required is False.


Table 6–12. Resource Pre-Expiration Notification

Provide Lease Details: Specifies whether the user should be notified in advance when the resource lease will expire.

• Lease pre-expiration notification: Select one of the following values:
  - Do not send pre-expiration notifications: The user does not receive notice before the resource expires.
  - 1 Day: The user receives notice one day before the resource expires.
  - 1 Week: The user receives notice one week before the resource expires.
  - Custom: Type a Date Value and select a Date Option to determine when the user should receive notice that the resource will expire. Enter the Date Value as a whole number, and then select the Date Option as either Day, Week, Month, or Hour. For example, enter 12 as the Date Value and select Hour as the Date Option to notify the user 12 hours before the resource expires.


Section 7
Onboarding Tenants, Creating Users, and Assigning Roles

Perform the procedures in this section to onboard new tenants, create users in Active Directory, and assign users to roles.

Note: If you experience problems with any of the procedures in this section, see 12.7 Troubleshooting Onboarding Tenants and Users.

7.1. Understanding User Roles

A user role is associated with a set of privileges. When a cloud administrator assigns a user to a role, the user receives the privileges corresponding to that role. A user can be assigned to multiple roles.

The user roles are predefined in the Secure Private Cloud portal, but cloud administrators are responsible for assigning users to roles.

The following are the predefined Secure Private Cloud user roles.

Liferay Administrator

A user in this role has administrative privileges for Liferay, which is the software foundation of the Secure Private Cloud portal. The Liferay administrator can access the Liferay menu bar and perform advanced operations.

You should sign on as the Liferay Administrator only when directed, and when you are done performing the specific operation, you should immediately sign out and sign back in using your regular administrator credentials.

Cloud Administrator

A user in this role has administrative privileges within the cloud environment to monitor and manage the cloud on behalf of the cloud provider. For example, cloud administrators create tenants, monitor tenant usage, and configure tenant and project information in the Secure Private Cloud portal and other cloud interfaces (for example, the Secure Private Cloud workbook and RBADB).

Cloud administrators can also define roles and projects for tenant users.


Cloud administrators receive notifications (by e-mail, by Remedy ticket, or by both) when any action occurs in the Secure Private Cloud portal. This includes when resources are commissioned, when operational changes take place, and if any errors occur during the commissioning process.

Cloud Operator

A user in this role performs any required manual operations for resources being commissioned and then uses the Secure Private Cloud portal to authorize commissioning requests. Cloud operators receive notifications (by e-mail, by Remedy ticket, or by both) when any action occurs in the Secure Private Cloud portal. This includes when resources are commissioned, when operational changes take place, and if any errors occur during the commissioning process.

Cloud User

A user in this role does not have privileges to perform actions in the Secure Private Cloud portal and can only view the resources on the portal. This is a default role for users in the cloud provider organization who sign in to the portal for the first time. Existing cloud administrators can assign users in this role to become new cloud administrators or cloud operators, as appropriate.

Tenant Administrator and Tenant Operator

Users in either of these roles have administrator privileges that are restricted to resources belonging to the tenant. Tenant administrators and tenant operators can use the Secure Private Cloud portal to create commissioning requests for the tenant.

Tenant administrators can also define roles and projects for tenant users.

Tenant User

A user in this role can see the tenant data and commission resources using the Secure Private Cloud portal. As part of the commissioning process, the user making the commissioning request also receives notifications about the request status.

Machine Owner

A user cannot be assigned to this role, because this role is dedicated to users that either initially created a resource or had the ownership of a resource transferred to them.

A machine owner commissions a resource and is responsible for deciding when any associated actions should be performed, including starting, stopping, taking snapshots, and so on. The machine owner is also responsible for the maintenance of the applications that run on the machine. The machine owner remains in this role as long as the commissioned resource exists and ownership is not transferred to another user.


7.2. Adding Tenants, Projects, and User Roles to the Secure Private Cloud Portal

Perform the procedures in this topic to onboard new tenant organizations in the Secure Private Cloud portal.

7.2.1. Tenant Onboarding Overview

Use the Onboard New Tenant function, which is available from the Secure Private Cloud Administration tab, to onboard new tenants and configure the following:
• Tenant organization name and organization alias
• Default user role
• User roles and permissions
• Tenant projects

7.2.2. Onboarding a New Tenant

To onboard a new tenant, do the following:
1. Sign in to the Secure Private Cloud portal using your cloud administrator credentials.
2. Ensure that the tenant workbook file (Tenant-.xml) is accessible from the system that you are using to access the Secure Private Cloud portal.
3. Select the Administration tab, click Onboard Tenants and then click Browse.
   The Choose File to Upload dialog box appears.
4. Navigate to the XML file of the new tenant that you want to onboard and click Open.
5. Click Onboard New Tenant.
   A confirmation message appears.
6. Click OK to confirm.
   When you upload the Tenant-.xml file, it is validated. An error message appears if a tenant with the same name already exists.

CHECKPOINT:

• Do the following to verify that the tenant organization appears correctly in the Secure Private Cloud portal:
  1. Sign in to the Secure Cloud Portal using the URL from Table 2–2 and the Liferay administrator credentials from Table 2–1.
  2. Click OK when you receive one or more errors that there has been an error processing your request or that you do not have permission to view requests.
  3. At the top of the window, directly below the browser address bar, select Manage, and then click Control Panel.
  4. In the left pane, under Portal, click Organizations.


     The Organization names for each tenant are displayed.
  5. Ensure that Regular Organization is displayed in the Type column for each organization.
  6. Click the tenant name for the tenant you onboarded. The detail page appears.
  7. Click Custom Fields in the right pane.
  8. Verify that the fields are populated with the values from Table 1–24. This includes the Default Role Name (in the worksheet, Tenant initial logon role), Organization Alias (Tenant email suffix), and Default Project (Tenant initial logon project).

• Do the following to verify that the roles have been created for the new tenant and that the permissions have been set appropriately in the Secure Private Cloud portal:
  1. In the left pane of the Control Panel, under Portal, click Roles.
  2. Verify that the following roles exist for each tenant:
     - _Administrators
     - _Operators
     - _Users
     - _MachineOwner

7.3. Creating Secure Private Cloud Users in Active Directory

Perform the following procedure to create Secure Private Cloud users in Active Directory. This includes cloud provider users (the users who will administer and operate the cloud environment), as well as tenant administrators, operators, and users.

Do the following:
1. Access Active Directory Users and Computers.
2. To create one or more users, do the following:
   a. Right-click Users, point to New, and then click User.
      The New Object – User page appears.
   b. In the First name box, enter the first name of the user.
   c. In the Last name box, enter the last name of the user.
   d. In the User Logon name box, enter a name that will be used to identify this user in Active Directory.
      Note: The User Logon name cannot contain any spaces or special characters, or the user will not be able to sign in to the Secure Private Cloud portal.
   e. Click Next.
   f. In the Password box, enter a password that will be used to sign in to the Secure Private Cloud portal.
   g. In the Confirm password box, reenter the password.


      Note: Ensure that the User must change password at next logon check box is not selected. If the check box is selected, the user will not be able to sign in to the Secure Private Cloud portal.
   h. Click Next.
   i. Click Finish.
   j. Right-click the user that you just created, and select Properties.
   k. Enter the e-mail address in the Email box.
      Notes:
      • The e-mail address you enter will be used to sign in to the Secure Private Cloud portal.
      • The e-mail address can contain special characters (such as a hyphen); however, an alphanumeric character must appear both before and after each special character.
      • If you are entering a cloud provider user, the e-mail address suffix that you enter must match the cloud provider “E-mail suffix” in Table 1–8. If you are entering a tenant user, the e-mail address suffix that you enter must match the “Tenant E-mail Suffix” in Table 1–24.
   l. Click Apply, and then click OK.
3. Repeat the previous steps to create additional users.
4. Only if you are adding a cloud administrator or operator or tenant administrator or operator, sign in to the Secure Private Cloud portal using the URL from Table 2–2 and the e-mail address and password you configured in Active Directory.
   After signing in successfully, you can immediately sign out and then sign in as the next administrator or operator.
   Note: Do not perform this step for tenant users.
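The Active Directory steps above, automated in PowerShell as an added example (this is not the guide's own script and not a Unisys tool): it applies the rules from the notes at steps 2d, 2g and 2k (no spaces or special characters in the logon name; the "must change password at next logon" setting left clear; an alphanumeric character on both sides of every special character in the e-mail address; the address suffix matching the cloud provider suffix from Table 1–8 or the tenant suffix from Table 1–24), and then creates the account. The function names (Test-SpcLogonName, Test-SpcEmailAddress, New-SpcPortalUser) and the container path are assumptions; the suffix cloudprovider.com and the address john.doe@cloudprovider.com in the usage lines are the guide's own examples from 7.4. Checking the suffix before the account exists matters because the suffix is what the portal uses at first sign-in to place the user in an organization and its default role.

```powershell
# Added example, not part of the Secure Private Cloud guide.
# Requires the ActiveDirectory module (RSAT) on a domain-joined administration workstation.
Import-Module ActiveDirectory

function Test-SpcLogonName {
    # Step 2d note: a logon name with spaces or special characters blocks portal sign-in.
    param([Parameter(Mandatory)][string]$LogonName)
    return [bool]($LogonName -match '^[A-Za-z0-9]+$')
}

function Test-SpcEmailAddress {
    # Step 2k notes: the suffix must match the organization's configured e-mail suffix,
    # and every special character needs an alphanumeric character on both sides.
    param(
        [Parameter(Mandatory)][string]$Email,
        [Parameter(Mandatory)][string]$ExpectedSuffix
    )
    $parts = $Email -split '@'
    if ($parts.Count -ne 2) { return $false }
    $localPart, $domain = $parts
    if ($domain -ne $ExpectedSuffix) { return $false }   # string -ne is case-insensitive
    # Alphanumeric runs separated by single special characters, nothing special at the edges.
    return [bool]($localPart -match '^[A-Za-z0-9]+([^A-Za-z0-9\s][A-Za-z0-9]+)*$')
}

function New-SpcPortalUser {
    param(
        [Parameter(Mandatory)][string]$FirstName,
        [Parameter(Mandatory)][string]$LastName,
        [Parameter(Mandatory)][string]$LogonName,
        [Parameter(Mandatory)][string]$Email,
        [Parameter(Mandatory)][string]$ExpectedSuffix,
        [Parameter(Mandatory)][securestring]$Password,
        # Assumed placeholder; replace with the Users container of your own domain.
        [string]$Path = 'CN=Users,DC=example,DC=com'
    )
    if (-not (Test-SpcLogonName -LogonName $LogonName)) {
        throw "Logon name '$LogonName' contains spaces or special characters."
    }
    if (-not (Test-SpcEmailAddress -Email $Email -ExpectedSuffix $ExpectedSuffix)) {
        throw "E-mail '$Email' does not use suffix '$ExpectedSuffix' or has a misplaced special character."
    }
    $params = @{
        Name                  = "$FirstName $LastName"
        GivenName             = $FirstName
        Surname               = $LastName
        SamAccountName        = $LogonName
        EmailAddress          = $Email      # the address the user signs in to the portal with
        AccountPassword       = $Password
        ChangePasswordAtLogon = $false      # note after step 2g: must stay clear or sign-in fails
        Enabled               = $true
        Path                  = $Path
    }
    New-ADUser @params
}

# Usage with the guide's 7.4 example values; the password is prompted, never stored in the script:
# $pw = Read-Host -AsSecureString -Prompt 'Initial portal password'
# New-SpcPortalUser -FirstName John -LastName Doe -LogonName johndoe `
#     -Email john.doe@cloudprovider.com -ExpectedSuffix cloudprovider.com -Password $pw
```

Run it once per user from the same session, then continue with step 4 of the procedure for administrators and operators; the two Test- functions can also be run on their own against an existing account to find out why a user cannot sign in.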

7.4. Assigning Cloud Provider and Tenant Users to Roles, and Assigning Tenant Users to Projects

When a new user signs in to the Secure Private Cloud portal for the first time, the credentials are validated using Active Directory, and then the user is assigned to the default user role for the organization (based on the e-mail address suffix used to sign in). For example, if the e-mail suffix for the cloud provider is cloudprovider.com as configured in Table 1–8, a new user who signs in as john.doe@cloudprovider.com is automatically assigned to the default cloud provider user role.

New tenant users who sign in to the portal for the first time are assigned to the default role and default project for their tenant organization in the same way, based on the tenant e-mail suffix in Table 1–24.


Assigning Users to Roles

Do the following to assign the cloud administrators and operators, as well as tenant administrators and operators, to their appropriate role:
1. Sign in to the Secure Private Cloud portal using the URL in Table 2–2 and your cloud administrator credentials.
   Note: During the initial implementation, your Unisys service consultant configured one cloud administrator, based on the Cloud Administrator user information for the initial cloud administrator user in Table 1–8. This initial cloud administrator can assign other cloud users to the cloud administrator role.
2. Select the Administration tab, and then select Role and Project Membership in the left pane.
   The Role Membership Tenant, Folders & Projects portlet appears.
3. To assign a cloud provider user to a cloud administrator or operator role, click Cloud under Tenant, Folders & Projects.
   To assign a tenant user to a tenant administrator, operator, or user role, click the tenant name under Tenant, Folders & Projects.
   The list of users associated with the cloud provider or tenant organization appears under Users.
4. Click Assign to Role.
   The Assign Role dialog box appears.
5. Assign the users to the appropriate role by selecting the appropriate check box next to the user name.
   Note: If appropriate, you can assign multiple roles to a user.
6. Click Save.

If necessary, use this procedure to update a user’s assigned role.

Assigning Tenant Users to Projects

Do the following to assign tenant users to projects.

Note: Cloud administrators and cloud operators are not assigned to projects, because they are able to administer all tenants and projects.

1. On the Role Membership Tenant, Folders & Projects portlet, select a tenant project.
   Under Users, you see a list of all users currently assigned to the project.
2. Click Assign to Project.
   The Assign Projects dialog box appears. The Assign Projects dialog box includes all tenant users, whether or not they are assigned to the particular project.
3. Select the check box next to the user name to assign a user to that project, or clear the check box next to the user name to remove that user from the project.


   Note: If you want to assign all of the tenant users to a project, select the check box in the heading (next to the Last Name label).
4. Click Save.

If necessary, use this procedure to update a user’s assigned project.

7.5. Checkpoint: Commissioning a Resource

Do the following to verify that you can commission a resource:
1. From a workstation on the Public Network, sign in to the Secure Private Cloud portal using the URL in Table 2–2 as a user who has permission to commission a resource.
   Note: It is recommended that you log in as a user, not as an administrator or operator.
2. Click Commission and Manage, and then click Commission Resources in the left pane.
3. Under Projects, select the project associated with the blueprint you want to commission.
   The Blueprint pane is updated to list all blueprints associated with the project.
4. Under Blueprints, select the blueprint you want to commission, and then click Commission.
5. Enter values for the blueprint attributes that were marked as Read-Write during the blueprint creation, and click Next to advance to the next set of blueprint attributes.
   At minimum, you must enter a Name for the virtual machine on the General Configuration page. (This is a name that you designate and use for your own reference; it is not the virtual machine host name.)
   See the Secure Private Cloud Interface Help (8207 3115) for more information about the values that users should enter when commissioning a blueprint.
6. Click Finish to begin the process of commissioning the virtual machine.
7. To monitor the progress of the virtual machine commissioning, do the following:
   a. Select Manage Requests in the left pane.
   b. Select the request in the Request Overview pane, and view details and status in the Request Details and Request Status tables.
8. When you receive notification that the new resource is available, connect to the virtual machine using the remote access method specified in the template (for example, using Remote Desktop, VNC, or SSH).
   If you are using tenant VLANs to isolate tenant resources, and if you have not configured Public Network access for this resource, you must connect from the tenant’s home site or from the console of another virtual machine associated with the same tenant.
   Verify that you can log on using the credentials specified in the e-mail message or ticket.
   Note: If you access the virtual machine before the commissioning is finalized, you might see the Sysprep process in action. Do not respond to these dialog boxes, because they are handled automatically during the Sysprep process.

When complete, decommission the virtual machine using the Secure Private Cloud portal, to ensure that you do not use an operating system license.

Note: The Secure Private Cloud portal is the only interface you should use to decommission (delete) virtual machines.


Section 8
Additional Networking Configuration

This section includes additional networking configuration, including directions on Stealth-enabling existing tenant VLANs, enabling inbound connections from the Internet for tenant VLANs, configuring the load balancer included with the Secure Private Cloud, and setting tenant VLAN firewall exceptions for VLANs belonging to the same tenant. These procedures are optional. Perform them as appropriate for your network environment.

8.1. Enabling Stealth for an Existing Tenant VLAN

You can enable Stealth on an existing tenant VLAN if there are no resources running on the VLAN.

If there are resources running on the VLAN that you do not need to keep, use the Secure Private Cloud portal to decommission these resources before continuing with this topic. See 11.1 Stopping and Decommissioning Virtual Machines or 11.2 Stopping and Decommissioning Physical Machines for more information. If there are resources running on the VLAN that cannot be decommissioned, contact your Unisys service consultant.

Note: You do not need to perform this procedure if you are configuring a new tenant VLAN that you have already identified as Stealth-enabled in the tenant workbook when you perform the procedures in Section 5, Implementing a New Tenant VLAN. Only perform this procedure if you want to Stealth-enable a VLAN that you have already configured as non-Stealth-enabled.

Do the following to modify a configured tenant VLAN to be Stealth-enabled:
1. Modify the tenant worksheet to enable Stealth for the VLAN by entering the appropriate information in the following tables:
   a. Table 1–26
   b. Table 1–31
   c. Table 1–32
   d. Table 1–34 and Table 1–35
2. Validate and export the tenant worksheet. See 1.1.5 Validating the Workbook and 1.1.6 Exporting the Data for more information.
   As instructed in 1.1.6 Exporting the Data, copy the Tenant-.xml file to the jump box management VM in the C:\ProgramData\Unisys\SPC-Automation\xml directory.


3. Use a vSphere Client to connect to the vCenter server that is managing the workload servers.
4. Create the clear text VLAN associated with this tenant VLAN using one of the options in 5.2.2 Configuring Access to Tenant VLAN Networks and Tenant Interconnect. Use the information in Table 1–26 to create the clear text VLAN.
5. Locate the tenant VLAN network appliance that is connected to the existing tenant VLAN. The name of the tenant VLAN network appliance is the Host name value in Table 1–25.
6. Select the tenant VLAN network appliance in the left pane, and then click Edit Settings under Commands.
   The Properties dialog box appears.
7. Select the Network adapter that is connected to this tenant VLAN in the left pane.
8. In the right pane, under Network Connection, change the Network label from the existing tenant VLAN to the clear text VLAN associated with this tenant VLAN.
9. Click OK to close the Virtual Machine Properties dialog box.
10. Prepare Stealth-enabled versions of any templates that you want to use on the Stealth-enabled VLAN, as described in 4.3 Preparing an Existing Virtual Machine or Template for a Stealth-Enabled VLAN.
11. Perform the following procedures in Section 6, Creating and Managing Tenant Configurations:
    a. Update the tenant information, as described in 6.1 Updating Cloud Provider or Adding Tenant Information in the Secure Private Cloud Environment.
    b. Configure the Stealth-enabled VLAN, as described in 6.2 Configuring Stealth-Enabled VLANs.
    c. Refine blueprints for the Stealth-enabled VLAN, as described in 6.4 Creating Blueprints and 6.5 Virtual Machine Attributes and Values.

8.2. Configuring Network Appliances for Inbound Internet Connections

Note: Perform this procedure if Table 1–25 indicates that Internet Access – Incoming is Yes for this tenant.

Tenant VLANs commonly use IP address ranges to which messages from the Internet cannot be routed. These include
• Addresses that are defined as non-routable (any addresses in the ranges 192.168.0.0/16, 10.0.0.0/8, or 172.16.0.0 through 172.31.255.255)
• Addresses that are outside of those ranges but are effectively non-routable if they are misplaced relative to their expected location in the Internet network topology

Users on the Internet cannot initiate an inbound connection to any Secure Private Cloud virtual machines that have a non-routable address on the tenant VLAN.


However, if the tenant requires inbound Internet connections (for example, if the tenant is running a Web application on the VLAN), then the tenant’s Internet users must be able to initiate connections to the appropriate Web sites. To enable these types of connections, you must configure the tenant VLAN network appliance to permit selected inbound connections to reach that application. This configuration involves Network Address Translation (NAT) forwarding rules and firewall rules.<br />

For the NAT forwarding rules to work properly, any tenant virtual machines that are running Web servers must have a static IP address on the tenant VLAN. This is necessary because the NAT rules are based on IP addresses rather than on host names.<br />

To plan the static IP addresses for your Web servers, refer to Table 1–26. Select static IP addresses in the tenant VLAN subnet range for the tenant VLAN, making sure to avoid addresses in the DHCP range. Record the static IP addresses that you assign so you do not reuse them for any other virtual machines.<br />

8.2.1. Disabling Internet Access for Tenant Virtual Machines<br />

If the tenant does not have any requirement for inbound Internet connections, you can disable the eth0 adapter to prevent all Internet connections. Do the following:<br />

1. Run the vSphere Client and connect to the vCenter server that is managing the workload servers.<br />

2. From the View menu, point to Inventory, and then click VMs and Templates.<br />

3. In the left pane, right-click the tenant VLAN network appliance, and click Edit Settings.<br />

4. On the Virtual Machine Properties dialog box, click the Hardware tab, and then click the network adapter used to enable Internet access.<br />

By default, this is Network Adapter 1. In Linux operating systems, this adapter is referred to as eth0.<br />

5. In the right pane, clear the Connected check box, and clear the Connect at Power On check box.<br />

6. Click OK.<br />

Additional Networking Configuration<br />

8.2.2. Understanding Inbound Connection Limitations<br />

The pre-supplied tenant VLAN network appliance template has firewall settings configured to disallow new inbound connections. The CUST_PUBLIC_IN firewall rule set includes the clause default-action drop, which means that all traffic is blocked unless otherwise specified. The CUST_PUBLIC_IN rule set is assigned as an in-filter of the Internet adapter (eth0). An in-filter affects all traffic that enters through the Internet adapter and traverses the network appliance to another destination.<br />

In the tenant VLAN network appliance template, CUST_PUBLIC_IN also includes an exception to allow inbound traffic for sessions that were originally initiated by the tenant virtual machines. This exception is implemented in rule 100, as follows:<br />

name CUST_PUBLIC_IN {<br />
    default-action drop<br />
    rule 100 {<br />
        action accept<br />
        state {<br />
            established enable<br />
        }<br />
    }<br />
}<br />

8.2.3. Providing a Public Source IP Address in Outbound Packets<br />

By default, network packets include the IP address of the source that created the packet. This means that outbound packets include the IP address of the tenant virtual machines. Since this IP address is usually non-routable, it would be impossible for any response to find its way back to the virtual machine.<br />

To enable two-way traffic, the source IP address of any outbound packets must be translated into a public IP address of the network appliance. The tenant VLAN network appliance might have already been configured with this NAT masquerade rule when it was deployed.<br />

CHECKPOINT:<br />

To verify this rule, or to configure the rule if needed, do the following:<br />

1. Using vSphere, connect to the vCenter server, and launch a console to the tenant VLAN network appliance.<br />

2. Log on using the credentials for the tenant VLAN network appliance.<br />

3. Enter the following command:<br />

configure<br />

4. Enter the following command:<br />

show service nat<br />

5. Review the output to determine if there is a rule with its type set to masquerade and a source IP address range for the tenant VLAN.<br />

If the rule is present, it looks like the following:<br />

rule 90 {<br />
    outbound-interface eth0<br />
    source {<br />
        address 192.168.103.0/23<br />
    }<br />
    type masquerade<br />
}<br />

If the rule is defined, no further action is required.<br />

If you need to configure the rule, do the following:<br />

a. Assuming that the tenant VLAN addresses are in the range 192.168.103.0, enter the following commands:<br />

set service nat rule &lt;rule-number&gt; outbound-interface eth0<br />
set service nat rule &lt;rule-number&gt; source address 192.168.103.0/24<br />
set service nat rule &lt;rule-number&gt; type masquerade<br />

Note: The rule number (&lt;rule-number&gt;) must meet the following requirements:<br />

• It must be the same in all three commands.<br />

• It must be a rule number that is not currently in use.<br />

• It should be separated from other rule numbers by at least 10.<br />

b. Enter the following command:<br />

commit<br />

c. Enter the following command:<br />

save<br />

6. Enter the following command to exit configuration mode:<br />

exit<br />
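The review in steps 4 and 5 can be scripted. The following Python script is an added example and is not part of the Unisys guide: it parses the brace-format output of show service nat (the embedded sample output is constructed, not captured from an appliance), reports whether a masquerade rule already covers the tenant VLAN, and otherwise picks a rule number that satisfies the note above and assembles the commands from step 5a. All function names are the example's own; the same parser also reads the brace-format output of show firewall name, because lines outside a rule block are ignored.

```python
"""Verify or plan the NAT masquerade rule for a tenant VLAN (added example)."""
import ipaddress
import re

# Constructed sample of `show service nat` output; not captured from a real appliance.
SAMPLE_SHOW_NAT = """\
 rule 90 {
     outbound-interface eth0
     source {
         address 192.168.103.0/24
     }
     type masquerade
 }
 rule 100 {
     destination {
         address 192.59.196.38
         port 49152
     }
     inbound-interface eth0
     inside-address {
         address 192.168.100.101
         port 80
     }
     protocol tcp_udp
     type destination
 }
"""


def parse_nat_rules(text):
    """Parse brace-style rule output into {rule_number: {flattened_key: value}}.

    Nested block names are joined with "_", so `source { address X }` becomes
    the key "source_address". Lines outside any rule (for example a
    default-action line in firewall output) are ignored.
    """
    rules, current, path = {}, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.match(r"rule (\d+) \{$", line)
        if header:
            current, path = int(header.group(1)), []
            rules[current] = {}
        elif line.endswith("{"):
            path.append(line[:-1].strip())
        elif line == "}":
            if path:
                path.pop()
            else:
                current = None
        elif current is not None:
            key, _, value = line.partition(" ")
            rules[current]["_".join(path + [key])] = value
    return rules


def masquerade_rule_for(rules, tenant_subnet):
    """Number of a masquerade rule whose source range covers tenant_subnet, else None."""
    wanted = ipaddress.ip_network(tenant_subnet, strict=False)
    for number, attrs in sorted(rules.items()):
        source = attrs.get("source_address")
        if attrs.get("type") == "masquerade" and source:
            if wanted.subnet_of(ipaddress.ip_network(source, strict=False)):
                return number
    return None


def next_rule_number(rules, gap=10):
    """Unused number at least `gap` above the highest rule in use ({90, 100} -> 110)."""
    return (max(rules, default=0) // gap + 1) * gap


def masquerade_commands(rule_number, tenant_subnet):
    """The three commands from step 5a, followed by commit and save."""
    return [
        f"set service nat rule {rule_number} outbound-interface eth0",
        f"set service nat rule {rule_number} source address {tenant_subnet}",
        f"set service nat rule {rule_number} type masquerade",
        "commit",
        "save",
    ]


def ensure_masquerade(show_output, tenant_subnet):
    """Return ("present", rule_number, []) or ("configure", rule_number, commands)."""
    rules = parse_nat_rules(show_output)
    found = masquerade_rule_for(rules, tenant_subnet)
    if found is not None:
        return "present", found, []
    number = next_rule_number(rules)
    return "configure", number, masquerade_commands(number, tenant_subnet)
```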

8.2.4. Enabling Inbound Internet Connections<br />

Some of your tenants might require inbound Internet connections, for example for a Web application such as an E-store. These types of Web applications must allow inbound connections to be initiated by Internet end users. To configure access to these types of Web applications, you must do the following:<br />

1. Optionally, configure an additional IP address on the public NIC of the tenant VLAN network appliance.<br />

2. Configure a NAT rule to forward traffic from the network appliance to the virtual machine hosting the Web application.<br />

3. Configure a firewall rule to allow traffic to reach the virtual machine hosting the Web application.<br />

NAT rules and firewall rules can optionally be configured to specify port numbers in addition to IP addresses. The use of port numbers enables more precise control over how the target virtual machine can be accessed. If the tenant is running multiple Web applications on the same VLAN, these applications can be accessed through a shared IP address with distinct port numbers, or through distinct public IP addresses on the network appliance.<br />

The following examples describe configurations that use shared and unique public IP addresses. Use this information to help configure Web application routing, as appropriate for your Secure Private Cloud environment.<br />

Shared Public IP Address Example<br />

In this example, a tenant is running a Web application on a virtual machine. This application is named PetStore.<br />

If you want end users to access the PetStore Web site URL using the public IP address of the tenant VLAN network appliance with a port number as part of the Web address, you can use this type of configuration. Typically, you should choose a port number in the range of 49152–65535, which is the range defined by the Internet Assigned Numbers Authority (IANA) for dynamic or private ports.<br />

For the PetStore example, end users enter http://192.59.196.38:49152, assuming that 192.59.196.38 is the public IP address of the tenant VLAN network appliance and 49152 is the port number that identifies the PetStore Web application. The PetStore Web server is a target virtual machine with the address 192.168.100.101, and the PetStore Web application uses the default port for HTTP traffic (port 80) and the default port for HTTPS traffic (port 443).<br />

To enable access to the PetStore Web site using the shared public IP address and port number, do the following:<br />

1. Access the virtual machine that is hosting the PetStore Web application, and log on to Windows.<br />

2. Use the standard Windows method to configure a fixed IP address on the tenant VLAN (private IP address). For example, set the IP address to 192.168.100.101.<br />

3. Using vSphere, connect to the vCenter server, and launch a console to the tenant VLAN network appliance.<br />

4. Log on using the credentials for the tenant VLAN network appliance.<br />

5. Enter the following command:<br />

configure<br />

6. Enter the following command to list the existing NAT rules:<br />

show service nat<br />

Make a note of the highest rule number that is currently in use. Add at least 10 to this number to determine the rule number that you create in the next step.<br />

7. To configure a forwarding rule for inbound traffic (in this example, rule 100) from the public IP address (in this example, 192.59.196.38:49152) to the private IP address (in this example, 192.168.100.101:80), enter the following commands:<br />

set service nat rule 100 type destination<br />
set service nat rule 100 protocol tcp_udp<br />
set service nat rule 100 inbound-interface eth0<br />
set service nat rule 100 destination address 192.59.196.38<br />
set service nat rule 100 destination port 49152<br />
set service nat rule 100 inside-address address 192.168.100.101<br />
set service nat rule 100 inside-address port &lt;port-number&gt;<br />

Use a rule number that is not currently in use, and use appropriate IP addresses for your environment. For &lt;port-number&gt;, use the port that your Web application expects: 80 for HTTP or 443 for HTTPS. If the application accepts both HTTP and HTTPS, perform this step twice (once using each port number).<br />

8. Enter the following command to display the current set of rules for the CUST_PUBLIC_IN firewall group:<br />

show firewall name CUST_PUBLIC_IN<br />

Make a note of the highest rule number in use by this firewall group.<br />

9. If your Web application uses HTTP traffic, enter commands in the following format to set a firewall exception:<br />

set firewall name CUST_PUBLIC_IN rule &lt;rule-number&gt; protocol tcp_udp<br />
set firewall name CUST_PUBLIC_IN rule &lt;rule-number&gt; action accept<br />
set firewall name CUST_PUBLIC_IN rule &lt;rule-number&gt; destination address &lt;destination-address&gt;<br />
set firewall name CUST_PUBLIC_IN rule &lt;rule-number&gt; destination port &lt;destination-port&gt;<br />

For &lt;rule-number&gt;, use a number at least 10 higher than the highest rule number that is currently in use. For &lt;destination-address&gt;, use the IP address of the Web server (192.168.100.101, in the PetStore example). For &lt;destination-port&gt;, use the port number that the Web server expects for HTTP traffic (port 80, in the PetStore example).<br />

10. If your Web application uses HTTPS traffic, enter commands in the following format to set a firewall exception:<br />

set firewall name CUST_PUBLIC_IN rule &lt;rule-number&gt; protocol tcp_udp<br />
set firewall name CUST_PUBLIC_IN rule &lt;rule-number&gt; action accept<br />
set firewall name CUST_PUBLIC_IN rule &lt;rule-number&gt; destination address &lt;destination-address&gt;<br />
set firewall name CUST_PUBLIC_IN rule &lt;rule-number&gt; destination port &lt;destination-port&gt;<br />

For &lt;rule-number&gt;, use a number at least 10 higher than the highest rule number that is currently in use. For &lt;destination-address&gt;, use the IP address of the Web server (192.168.100.101, in the PetStore example). For &lt;destination-port&gt;, use the port number that the Web server expects for HTTPS traffic (port 443, in the PetStore example).<br />

11. Enter the following command:<br />

commit<br />

12. Enter the following command:<br />

save<br />

If you need to map additional Web applications to use the public IP addresses on the tenant VLAN network appliance, repeat the previous procedure with a different port number for the public IP address (49152 in the previous example) and a different private IP address (192.168.100.101 in the previous example).<br />

Unique Public IP Address Example<br />

In this example, a tenant is running a Web application on a virtual machine. This application is named AutoParts.<br />

If you want to simplify the AutoParts Web site URL and prevent end users from having to enter a port number as part of the Web address, you can assign an additional public IP address to the public (eth0) NIC on the network appliance. Then, you can configure forwarding from this IP address to the virtual machine that is hosting the AutoParts Web application, as follows:<br />

1. Access the virtual machine that is hosting the AutoParts Web application, and log on to Windows.<br />

2. Use the standard Windows method to configure a fixed IP address on the tenant VLAN (private IP address). For example, set the IP address to 192.168.100.102.<br />

3. Using vSphere, connect to the vCenter server, and launch a console to the tenant VLAN network appliance.<br />

4. Log on using the credentials for the tenant VLAN network appliance.<br />

5. Enter the following command:<br />

configure<br />

6. Add a public IP address for the virtual machine that is hosting the AutoParts Web application by entering the following command:<br />

set interfaces ethernet eth0 address 192.59.196.39/24<br />

In this example, the IP address is 192.59.196.39/24. Use an appropriate IP address for your environment.<br />

7. Enter the following command to list the existing NAT rules:<br />

show service nat<br />

Make a note of rule numbers that are not in use.<br />

8. To configure a forwarding rule for inbound traffic (in this example, rule 110) from the public IP address (in this example, 192.59.196.39) to the private IP address (in this example, 192.168.100.102), enter the following commands:<br />

set service nat rule 110 type destination<br />
set service nat rule 110 protocol tcp_udp<br />
set service nat rule 110 inbound-interface eth0<br />
set service nat rule 110 destination address 192.59.196.39<br />
set service nat rule 110 inside-address address 192.168.100.102<br />

Use a rule number that is not currently in use, and use appropriate IP addresses for your environment.<br />

9. Depending on whether your Web application uses HTTP or HTTPS traffic, enter the following commands to set a firewall exception. If you want to use HTTP, enter 80 for &lt;port-number&gt; in the following commands; if you want to use HTTPS, enter 443 for &lt;port-number&gt;.<br />

If your Web application accepts both HTTP and HTTPS, enter the following commands twice. The first time you enter these commands, use rule 300 and port 80. The second time you enter these commands, use a different rule number and port 443.<br />

Enter the following commands:<br />

set firewall name CUST_PUBLIC_IN rule 300 protocol tcp_udp<br />
set firewall name CUST_PUBLIC_IN rule 300 action accept<br />
set firewall name CUST_PUBLIC_IN rule 300 destination address 192.168.100.102<br />
set firewall name CUST_PUBLIC_IN rule 300 destination port &lt;port-number&gt;<br />
set interfaces ethernet eth0 firewall in name CUST_PUBLIC_IN<br />

Note: Regardless of whether you enter these commands once or twice, use a rule number that is not currently in use, and use the appropriate IP addresses for your environment.<br />

Use the appropriate destination IP address for your environment, which is the static IP address of the Web application on the tenant VLAN network. Do not use the public IP address, because the destination NAT rule translates the destination IP address before the packet reaches the firewall.<br />

10. To change the source address of outbound traffic from the AutoParts Web server so the source appears to be the public address (in this example, 192.59.196.39), enter the following commands:<br />

set service nat rule 5 type source<br />
set service nat rule 5 outbound-interface eth0<br />
set service nat rule 5 source address 192.168.100.102<br />
set service nat rule 5 outside-address address 192.59.196.39<br />

Use appropriate IP addresses for your environment.<br />

Note: The rule number for this rule must be lower than the number of the masquerade rule that you established previously, as discussed in 8.2.3 Providing a Public Source IP Address in Outbound Packets. Otherwise, the masquerade rule would take precedence.<br />

11. Enter the following command:<br />

commit<br />

12. Enter the following command:<br />

save<br />

If you need to map additional Web applications to other public IP addresses on the tenant VLAN network appliance, repeat the previous procedure with a different public IP address (192.59.196.39 in the previous example) and a different private IP address (192.168.100.102 in the previous example).<br />
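The PetStore and AutoParts procedures above follow the same rules, so one generator can produce either command set. The following Python function is an added example and is not part of the Unisys guide: it emits the commands for the shared public IP and port style or the dedicated public IP style, numbers new rules at least 10 above the highest in use, points every CUST_PUBLIC_IN exception at the private address, emits one exception per application port, and, when the masquerade rule number is supplied, adds the source NAT rule below it. The function, its parameter names, the RFC 1918 check and the optional DHCP range check are the example's own.

```python
"""Build the NAT and CUST_PUBLIC_IN commands that publish a tenant Web application (added example)."""
import ipaddress

# RFC 1918 ranges: the non-routable addresses that tenant VLANs normally use.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(address):
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in PRIVATE_RANGES)


def next_rule(used, gap=10):
    """Multiple of `gap` at least `gap` above the highest rule number in use ({90} -> 100)."""
    return (max(used, default=0) // gap + 1) * gap


def source_nat_number(used, masquerade_rule, step=5):
    """Lowest unused number below the masquerade rule, so this rule is matched first."""
    number = step
    while number in used:
        number += step
    if number >= masquerade_rule:
        raise ValueError("no free rule number below the masquerade rule")
    return number


def publish_web_app(*, private_ip, app_ports, nat_rules_in_use, fw_rules_in_use,
                    public_ip=None, public_ports=None, add_public_cidr=None,
                    masquerade_rule=None, dhcp_range=None):
    """Return the commands to enter in configure mode, ending with commit and save.

    Shared style (PetStore): pass public_ip and one public port per app port.
    Dedicated style (AutoParts): pass add_public_cidr instead; the address is added
    to eth0 and all traffic to it is forwarded. masquerade_rule adds the source NAT
    rule of step 10, numbered below the masquerade rule so that it is matched first.
    """
    if not is_private(private_ip):
        raise ValueError(f"{private_ip} is not a non-routable tenant VLAN address")
    if dhcp_range is not None:
        low, high = (ipaddress.ip_address(a) for a in dhcp_range)
        if low <= ipaddress.ip_address(private_ip) <= high:
            raise ValueError(f"{private_ip} lies inside the DHCP range; use a static address outside it")
    if public_ports is not None and len(public_ports) != len(app_ports):
        raise ValueError("one public port is needed per application port")
    for port in public_ports or []:
        if not 49152 <= port <= 65535:
            raise ValueError(f"public port {port} is outside the IANA dynamic/private range")

    commands = []
    nat_used, fw_used = set(nat_rules_in_use), set(fw_rules_in_use)
    if add_public_cidr is not None:
        public_ip = str(ipaddress.ip_interface(add_public_cidr).ip)
        commands.append(f"set interfaces ethernet eth0 address {add_public_cidr}")
    if public_ip is None:
        raise ValueError("either public_ip or add_public_cidr is required")

    # Destination NAT: one rule per public port (shared style) or one rule for the address (dedicated style).
    pairs = list(zip(public_ports, app_ports)) if public_ports else [(None, None)]
    for public_port, app_port in pairs:
        n = next_rule(nat_used)
        nat_used.add(n)
        commands += [f"set service nat rule {n} type destination",
                     f"set service nat rule {n} protocol tcp_udp",
                     f"set service nat rule {n} inbound-interface eth0",
                     f"set service nat rule {n} destination address {public_ip}"]
        if public_port is not None:
            commands.append(f"set service nat rule {n} destination port {public_port}")
        commands.append(f"set service nat rule {n} inside-address address {private_ip}")
        if app_port is not None:
            commands.append(f"set service nat rule {n} inside-address port {app_port}")

    # Firewall exceptions name the PRIVATE address: the destination NAT rule has
    # already rewritten the destination by the time CUST_PUBLIC_IN sees the packet.
    for app_port in app_ports:
        n = next_rule(fw_used)
        fw_used.add(n)
        commands += [f"set firewall name CUST_PUBLIC_IN rule {n} protocol tcp_udp",
                     f"set firewall name CUST_PUBLIC_IN rule {n} action accept",
                     f"set firewall name CUST_PUBLIC_IN rule {n} destination address {private_ip}",
                     f"set firewall name CUST_PUBLIC_IN rule {n} destination port {app_port}"]
    if add_public_cidr is not None:
        commands.append("set interfaces ethernet eth0 firewall in name CUST_PUBLIC_IN")

    # Source NAT so replies from this server leave with its own public address.
    if masquerade_rule is not None:
        if masquerade_rule not in nat_used:
            raise ValueError(f"masquerade rule {masquerade_rule} is not among the NAT rules in use")
        n = source_nat_number(nat_used, masquerade_rule)
        commands += [f"set service nat rule {n} type source",
                     f"set service nat rule {n} outbound-interface eth0",
                     f"set service nat rule {n} source address {private_ip}",
                     f"set service nat rule {n} outside-address address {public_ip}"]
    return commands + ["commit", "save"]
```

With the rule numbers from the guide's examples in use (NAT rule 90 for the masquerade, firewall rule 100 for established sessions), the generator reproduces the PetStore NAT rule 100, the AutoParts NAT rule 110 and the source NAT rule 5 shown above.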

8.3. Configuring an HAProxy Load Balancer for Web Applications<br />

The following topics describe how to configure a new HAProxy load balancer for Web applications. These instructions are for the open source HAProxy load balancer (http://haproxy.1wt.eu/).<br />

The load balancer virtual machine and all Web servers that use the load balancer must be configured with static IP addresses. To plan the static IP addresses, refer to Table 1–26. Select static IP addresses in the tenant VLAN subnet range for the tenant VLAN, making sure to avoid addresses in the DHCP range. Record the static IP addresses that you assign so you do not reuse them for any other virtual machines.<br />

8.3.1. Deploying a New HAProxy Virtual Machine<br />

To deploy a new HAProxy virtual machine, do the following:<br />

1. Deploy a new virtual machine from the HAproxy Load Balancer template. (4.4 Importing Tenant VLAN Network Appliance and Load Balancer Templates describes how to import this template.)<br />

a. Using vSphere, connect to the vCenter server that is managing the workload servers.<br />

b. Deploy a virtual machine using the HAproxy Load Balancer template. Select the following options when deploying the virtual machine:<br />

• For Disk Format, select Same format as source.<br />

• For Guest Customization, select Do not customize.<br />

• Do not enable the option Power on the virtual machine after creation.<br />

c. After the new VM is created, select the Edit Settings option and configure the Network Adapter setting to the appropriate tenant VLAN. Make sure to select the Connect at power on option for the Network Adapter.<br />

d. Click OK to save the settings.<br />

e. Power on the virtual machine.<br />

2. Open a console to the new virtual machine and log in, using the user id spcadmin and password U*spc2341.<br />

3. To assign the static IP address to the load balancer virtual machine and change the host name, first enter the appropriate IP addresses and host name in the following table:<br />

Property (record the Value for your environment):<br />

• IP address<br />

• Subnet mask<br />

• Gateway address (the tenant VLAN network appliance IP address on the tenant VLAN)<br />

• Host name<br />

Configure the IP addresses and change the host name, as follows:<br />

a. Select System, point to Administration, and then click Network.<br />

Note: If you are prompted to enter a password, enter U*spc2341.<br />

The Network Settings dialog box appears.<br />

b. Select the appropriate Ethernet connection and click Properties.<br />

The Properties dialog box opens for the connection.<br />

c. Select Static IP address in the Configuration list.<br />

d. Enter the IP address, subnet mask, and gateway address from the preceding table in the appropriate boxes.<br />

e. Click OK to save the changes and close the dialog box.<br />

f. In the Network Settings dialog box, select the General tab, enter the new host name in the Host name box, and click Close to save all changes.<br />

A message box appears stating that the host name is changed.<br />

g. Click Change Host name on the message box.<br />

h. Click Close to close the Network Settings dialog box.<br />

4. Reboot the HAProxy virtual machine.<br />

5. Configure inbound port forwarding on the tenant VLAN network appliance to forward inbound traffic from the Internet to the load balancer. Refer to 8.2 Configuring Network Appliances for Inbound Internet Connections for instructions on configuring inbound port forwarding.<br />

Note: When configuring the firewall rule for inbound port forwarding, for the destination address and destination port use the IP address and the port number of the Inside IP address and Inside IP address port from the following table.<br />

Address Type and Comment (record the Value for your environment):<br />

• Destination IP address: The IP address of the tenant VLAN network appliance connected to your Public Network, which is labeled the Public Network.<br />

• Destination IP address port: The port number that end users must append to the destination IP address in order to access your Web application.<br />

• Inside IP address: The IP address of this load balancer on the tenant VLAN.<br />

• Inside IP address port: The port number set for the load balancer in the haproxy.cfg file. By default, the port number in the file is set to 80.<br />

8.3.2. Configuring the HAProxy Configuration File<br />

Next, perform the following procedure to configure an HAProxy configuration file. A sample configuration file named haproxy.cfg is stored at /etc/Unisys/Loadbalancer/. You can modify this file or start a new configuration file and save it with a .cfg extension.<br />

The following instructions use the sample HAProxy configuration file to explain which fields need to be modified and the purpose of the fields. In order to modify the files, you must be logged in as root.<br />

Perform the following procedure to log in as root and configure the file:<br />

1. Open a Terminal window on the LoadBalancer appliance console.<br />

2. Enter the following command to log in as root:<br />

su<br />

3. When you are prompted for a password, enter<br />

U*spc2341<br />

4. Enter the following command to open the HAProxy configuration file so that you can edit it:<br />

vi /etc/Unisys/Loadbalancer/haproxy.cfg<br />

This file defines a group (“listen” block) called LOAD_BALANCER that contains 2 servers: WEB_SERVER_1 and WEB_SERVER_2. The sample configuration file is as follows:<br />

global<br />
    # Sets the maximum per-process number of concurrent connections.<br />
    # Proxies stop accepting connections when this limit is reached.<br />
    maxconn 4096<br />
    # Writes pids of all daemons into file.<br />
    # The file must be accessible to the user starting the process.<br />
    pidfile /var/run/haproxy.pid<br />
    # Makes the process fork into background. This is the recommended<br />
    # mode of operation.<br />
    daemon<br />

defaults<br />
    mode http<br />
    retries 3<br />
    option redispatch<br />
    maxconn 2000<br />
    contimeout 5000<br />
    clitimeout 50000<br />
    srvtimeout 50000<br />

listen LOAD_BALANCER aaa.bbb.ccc.ddd:80<br />
    mode http<br />
    cookie LOAD_BALANCER insert<br />
    balance roundrobin<br />
    #balance leastconn<br />
    option httpclose<br />
    option forwardfor<br />
    stats enable<br />
    stats auth myuser:mypass<br />
    # "check" enables health checks; it must come before the # comment marker,<br />
    # otherwise HAProxy treats it as part of the comment and never checks the server.<br />
    server WEB_SERVER_1 ###.###.###.###:8080 check #cookie LOAD_BALANCER_01<br />
    server WEB_SERVER_2 ###.###.###.###:8080 check #cookie LOAD_BALANCER_02<br />

5. This configuration file uses the roundrobin balance option; to use the leastconn balance option instead, insert a # sign in front of the “balance roundrobin” line and remove the # sign from the “balance leastconn” line.<br />

6. Add valid IP addresses and port numbers to the configuration file as follows:<br />

• On the “listen LOAD_BALANCER aaa.bbb.ccc.ddd:80” line, do the following:<br />

- Change aaa.bbb.ccc.ddd to the IP address of the load balancer.<br />

- Update the port number (80) if it is different from the one already in the configuration file.<br />

• On the “server WEB_SERVER_1 ###.###.###.###:8080” and “server WEB_SERVER_2 ###.###.###.###:8080” lines, change the ###.###.###.###:8080 to the IP address of the servers. Also change the port number if it is different from the one already in the configuration file.<br />

7. If needed, customize any field in the configuration file that is shown in uppercase:<br />

• LOAD_BALANCER<br />

• WEB_SERVER_1<br />

• WEB_SERVER_2<br />

• LOAD_BALANCER_01<br />

• LOAD_BALANCER_02<br />

8. Specify if you want to use the cookie load balancer feature. This feature works as follows:<br />

• When a user reaches the LOAD_BALANCER group (using http://aaa.bbb.ccc.ddd), the cookie LOAD_BALANCER is created and the server ID specified for “cookie” in the server definitions is stored in it (that is, LOAD_BALANCER_01 or LOAD_BALANCER_02).<br />

• With this cookie, HAProxy forces the use of the server stored within the cookie for the entire session.<br />

The “cookie LOAD_BALANCER insert” line and the “cookie LOAD_BALANCER_XX” parts in the LOAD_BALANCER group block control this feature. In the sample file, this feature is disabled. To enable this feature, remove the # that precedes the “cookie LOAD_BALANCER_XX” parts in the LOAD_BALANCER group block.<br />

9. Determine if you want to enable or disable the statistics page. The HAProxy load balancer has a built-in statistics page that can be reached from http://aaa.bbb.ccc.ddd/haproxy?stats.<br />

To enable the statistics page, change the user and password on the “stats auth myuser:mypass” line.<br />

To disable the statistics page, remove the following lines from the configuration file (or insert a # before these lines):<br />

• stats enable<br />

• stats auth myuser:mypass<br />

10. Save the configuration file.<br />

11. Verify that the HAProxy service shell script references the appropriate configuration file. Do the following:<br />

a. Enter the following command to open the haproxy service shell script so that you can edit it:<br />

vi /etc/init.d/haproxy<br />

b. Locate the line that references the location of the haproxy.cfg file. The line looks like the following:<br />

CONFIG=/etc/Unisys/Loadbalancer/haproxy.cfg<br />

c. Verify that the line correctly references the path and file, or update it so that it references the appropriate file.<br />

12. To enable the HAProxy load balancer to start from a shell script, do the following:<br />

a. Enter the following command to open the haproxy service shell script:<br />

sudo vi /etc/default/haprox<br />y

Note: This is not the same file that you opened in the previous step. Be sure to open /etc/default/haproxy.<br />

b. Change the ENABLED=0 setting to ENABLED=1.<br />

13. Reboot the LoadBalancer appliance.<br />
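Before rebooting, it is worth checking the edited file for leftovers from the sample. The following Python linter is an added example and is not part of the Unisys guide or of HAProxy: it flags the aaa.bbb.ccc.ddd and ###.###.###.### placeholders, the sample stats credentials, a server line whose check keyword sits after the # comment marker (HAProxy then ignores it), and more than one active balance line. The embedded configuration is constructed from the guide's sample with two such mistakes left in; the server addresses in it are made up.

```python
"""Lint an HAProxy configuration derived from the guide's sample haproxy.cfg (added example)."""
import ipaddress

SAMPLE_STATS_AUTH = "myuser:mypass"   # credentials shipped in the sample file

# Constructed sample: the guide's template with the listen placeholder left in,
# made-up server addresses, and WEB_SERVER_2's "check" placed after the "#".
SAMPLE_CFG = """\
global
    maxconn 4096
    pidfile /var/run/haproxy.pid
    daemon

defaults
    mode http
    retries 3
    option redispatch
    maxconn 2000
    contimeout 5000
    clitimeout 50000
    srvtimeout 50000

listen LOAD_BALANCER aaa.bbb.ccc.ddd:80
    mode http
    cookie LOAD_BALANCER insert
    balance roundrobin
    #balance leastconn
    option httpclose
    option forwardfor
    stats enable
    stats auth myuser:mypass
    server WEB_SERVER_1 192.168.100.111:8080 check #cookie LOAD_BALANCER_01
    server WEB_SERVER_2 192.168.100.112:8080 #cookie LOAD_BALANCER_02 check
"""


def valid_endpoint(value):
    """True for a literal IP address followed by :port, the only form the sample uses."""
    host, sep, port = value.rpartition(":")
    if not sep or not port.isdigit() or not 0 < int(port) < 65536:
        return False
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def lint_haproxy_cfg(text):
    """Return findings as strings; an empty list means the edits from steps 6 to 9 look complete."""
    findings = []
    active_balance_lines = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        code, _, comment = raw.partition("#")   # HAProxy ignores everything after "#"
        tokens = code.split()
        if not tokens:
            continue
        keyword = tokens[0]
        if keyword == "listen" and len(tokens) >= 3 and not valid_endpoint(tokens[2]):
            findings.append(f"line {lineno}: listen {tokens[1]} still binds to placeholder {tokens[2]}")
        elif keyword == "server" and len(tokens) >= 2:
            name = tokens[1]
            endpoint = tokens[2] if len(tokens) > 2 else ""
            if not valid_endpoint(endpoint):
                findings.append(f"line {lineno}: server {name} still points at placeholder {endpoint}")
            if "check" not in tokens[3:]:
                where = "sits inside the # comment" if "check" in comment.split() else "is missing"
                findings.append(f"line {lineno}: server {name}: 'check' {where}, so health checks are off")
        elif keyword == "balance":
            active_balance_lines += 1
        elif tokens[:2] == ["stats", "auth"] and tokens[2:] == [SAMPLE_STATS_AUTH]:
            findings.append(f"line {lineno}: stats page still uses the sample credentials {SAMPLE_STATS_AUTH}")
    if active_balance_lines > 1:
        findings.append("more than one balance line is active; comment out all but one")
    return findings
```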

8.4. Configuring Tenant VLAN Firewall Exceptions<br />

By default, the Secure Private Cloud network configuration does not permit communication between virtual machines that reside on different tenant VLANs, even if those VLANs belong to the same tenant.<br />

If your tenants have a specific need to enable communication across VLANs, perform one of the following procedures:<br />

• 8.4.1 Enabling Selected Tenant VLANs to Communicate<br />

• 8.4.2 Enabling All Tenant VLANs to Communicate<br />

Note: These procedures apply only to tenant VLANs that belong to the same tenant. Secure Private Cloud does not support communication between tenant VLANs that belong to different tenants.<br />

8.4.1. Enabling Selected Tenant VLANs to Communicate<br />

To enable selected tenant VLANs for a given tenant to communicate with each other, do the following:<br />

1. Using a vSphere Client that is connected to the vCenter server, open the console to the tenant VLAN network appliance.<br />

2. Log in, using the vyatta user credentials, and enter the following command:<br />

configure<br />

3. Enter the following command to display the TENANT_VLANS_OUT firewall rule set:<br />

show firewall name TENANT_VLANS_OUT<br />

4. Verify that the output appears as follows:<br />

default-action accept<br />
rule 100 {<br />
    action drop<br />
    source {<br />
        group {<br />
            network-group TENANT_VLAN_NETWORKS<br />
        }<br />
    }<br />
}<br />

Note: If the TENANT_VLANS_OUT rule set is different from the output shown previously, then the rule set has previously been customized for your environment. Refer to the firewall documentation at http://www.vyatta.org/documentation for assistance in understanding your existing rules. Then, adapt the remaining step in this procedure as needed for your environment.<br />

5. Add new rules to the TENANT_VLANS_OUT rule set to allow communication between selected tenant VLANs.<br />

The existing rule 100 has the effect of blocking all traffic between different tenant<br />

VLANs. Because rules are enforced in numerical order, any exceptions that you create<br />

should have rule numbers less than 100.<br />

For example, if you want to enable communication between two VLANs whose<br />

address ranges are 192.168.116.0 <strong>and</strong> 192.168.120.0, you could use the following<br />

comm<strong>and</strong>s to create rules 10 <strong>and</strong> 20:<br />

set firewall name TENANT_VLANS_OUT rule 10<br />

action accept<br />

set firewall name TENANT_VLANS_OUT rule 10<br />

source address 192.168.116.0/24<br />

set firewall name TENANT_VLANS_OUT rule 10<br />

destination address 192.168.120.0/24<br />

set firewall name TENANT_VLANS_OUT rule 20<br />

action accept<br />

set firewall name TENANT_VLANS_OUT rule 20<br />

source address 192.168.120.0/24<br />

set firewall name TENANT_VLANS_OUT rule 20<br />

destination address 192.168.116.0/24<br />

commit<br />

save<br />

The resulting rule set appears as follows:<br />

default-action accept<br />

rule 10 {<br />

action accept<br />

destination {<br />

address 192.168.120.0/24<br />

}<br />

source {<br />

address 192.168.116.0/24<br />

}<br />

}<br />

rule 20 {<br />

action accept<br />

destination {<br />

address 192.168.116.0/24<br />

}<br />

source {<br />

address 192.168.120.0/24<br />

}<br />

}<br />

rule 100 {<br />

action drop<br />

source {<br />

group {<br />

network-group TENANT_VLAN_NETWORKS<br />

}<br />

}<br />

}<br />


}<br />

Rule 10 allows traffic from 192.168.116.0 to reach 192.168.120.0, <strong>and</strong> rule 20 allows<br />

traffic from 192.168.120.0 to reach 192.168.116.0. However, the existing rule 100<br />

prevents either of these tenant VLANs from communicating with any other tenant VLANs.<br />

Restoring Blocked VLAN Traffic<br />

If you want to undo this change <strong>and</strong> restore the blocking of traffic between selected<br />

tenant VLANs, delete the rules you created. For example, enter the following:<br />

delete firewall name TENANT_VLANS_OUT rule 10<br />

delete firewall name TENANT_VLANS_OUT rule 20<br />

commit<br />

save<br />

8.4.2. Enabling All Tenant VLANs to Communicate<br />

To enable all tenant VLANs for a given tenant to communicate with one another, do the<br />

following:<br />

1. Using a vSphere Client that is connected to the vCenter server, open the console to<br />

the tenant VLAN network appliance.<br />

2. Log in, using the vyatta user credentials, <strong>and</strong> enter the following comm<strong>and</strong>:<br />

configure<br />

3. Enter the following comm<strong>and</strong> to display the TENANT_VLANS_OUT firewall rule set:<br />

show firewall name TENANT_VLANS_OUT<br />

4. Verify that the output appears as follows:<br />

default-action accept<br />

rule 100 {<br />

action drop<br />

source {<br />

group {<br />

network-group TENANT_VLAN_NETWORKS<br />

}<br />

}<br />

}<br />

}<br />

5. Do one of the following, based on the output result:<br />

• If the TENANT_VLANS_OUT rule set appears as shown previously, then disable<br />

rule 100 by entering the following comm<strong>and</strong>s:<br />

set firewall name TENANT_VLANS_OUT rule 100 disable<br />

commit<br />

save<br />

• If the TENANT_VLANS_OUT rule set is different than the output shown<br />

previously, then the rule set has previously been customized for your<br />

environment. Enter comm<strong>and</strong>s to disable or delete all rules in this rule set that<br />

have an action value other than accept. For assistance, refer to the firewall<br />

documentation at http://www.vyatta.org/documentation .<br />

Restoring Blocked VLAN Traffic<br />

If you want to undo this change <strong>and</strong> restore the blocking of traffic between all tenant<br />

VLANs, enter the following comm<strong>and</strong>s:<br />

delete firewall name TENANT_VLANS_OUT rule 100 disable<br />

commit<br />

save<br />
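The two procedures above (8.4.1 and 8.4.2) rely on the order in which the tenant VLAN network appliance evaluates TENANT_VLANS_OUT: the lowest-numbered enabled rule that matches a packet decides its fate, so an exception numbered above 100 never takes effect, and disabling rule 100 opens all tenant VLANs. The following Python model is an added illustration of that behaviour, not code from the guide or from the appliance; the three tenant VLAN networks placed in TENANT_VLAN_NETWORKS are assumed, and the model ignores the interface and direction to which the rule set is bound.<br />

```python
"""Added model of ordered Vyatta-style firewall rule evaluation (not from the guide)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

IPNet = ipaddress.IPv4Network

# Constructed network-group: the guide's TENANT_VLAN_NETWORKS group is assumed
# here to hold three tenant VLANs belonging to one tenant.
NETWORK_GROUPS: Dict[str, List[IPNet]] = {
    "TENANT_VLAN_NETWORKS": [
        ipaddress.ip_network("192.168.116.0/24"),
        ipaddress.ip_network("192.168.120.0/24"),
        ipaddress.ip_network("192.168.124.0/24"),
    ]
}


@dataclass
class Rule:
    """One numbered rule; None for source/destination means 'any'."""
    number: int
    action: str                          # "accept" or "drop"
    source: Optional[str] = None         # address/prefix
    destination: Optional[str] = None    # address/prefix
    source_group: Optional[str] = None   # network-group name
    disabled: bool = False               # set ... rule N disable

    def matches(self, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address) -> bool:
        if self.source and src not in ipaddress.ip_network(self.source):
            return False
        if self.destination and dst not in ipaddress.ip_network(self.destination):
            return False
        if self.source_group and not any(src in n for n in NETWORK_GROUPS[self.source_group]):
            return False
        return True


def evaluate(rules: List[Rule], src: str, dst: str, default_action: str = "accept") -> str:
    """Return the action of the lowest-numbered enabled rule that matches, or
    default_action when none does. Exceptions therefore have to be numbered
    below the drop rule, exactly as the guide says."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.disabled:
            continue
        if rule.matches(s, d):
            return rule.action
    return default_action


def tenant_vlans_out(exceptions: List[Rule], rule_100_disabled: bool = False) -> List[Rule]:
    """Build TENANT_VLANS_OUT as shown in the guide: the supplied exception
    rules plus the stock rule 100 dropping traffic sourced from any tenant VLAN."""
    drop_all = Rule(100, "drop", source_group="TENANT_VLAN_NETWORKS", disabled=rule_100_disabled)
    return exceptions + [drop_all]


# 8.4.1 example: rules 10 and 20 let 192.168.116.0/24 and 192.168.120.0/24 talk.
SELECTED = tenant_vlans_out([
    Rule(10, "accept", source="192.168.116.0/24", destination="192.168.120.0/24"),
    Rule(20, "accept", source="192.168.120.0/24", destination="192.168.116.0/24"),
])

# A mis-numbered exception (above 100) is never reached for tenant VLAN traffic.
MISNUMBERED = tenant_vlans_out([
    Rule(110, "accept", source="192.168.116.0/24", destination="192.168.124.0/24"),
])

# 8.4.2 variant: rule 100 disabled, so all tenant VLANs of the tenant may communicate.
ALL_OPEN = tenant_vlans_out([], rule_100_disabled=True)

if __name__ == "__main__":
    for name, rules in (("selected", SELECTED), ("misnumbered", MISNUMBERED), ("all_open", ALL_OPEN)):
        print(name,
              evaluate(rules, "192.168.116.5", "192.168.120.7"),
              evaluate(rules, "192.168.116.5", "192.168.124.9"))
```

Running the block shows that the selected-VLAN set accepts traffic between .116 and .120 but still drops .116 to .124, that the exception numbered 110 changes nothing, and that disabling rule 100 accepts everything; traffic not sourced from a tenant VLAN falls through to the default action in every case.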

8.5. Changing the Predefined IP Address on the<br />

Intercom Network<br />

The <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> is preconfigured to use the 172.31.1.0/24 IP address for all<br />

interfaces that connect to the Intercom Network. If you need to change this IP address<br />

<strong>and</strong> mask, you can do so by performing the following procedures.<br />

Before you begin this procedure, you should update the cloud provider <strong>and</strong> tenant<br />

worksheets to reflect the new values you want to use.<br />

8.5.1. Configuring the Jump Box, SQL Server, Portal, WSUS,<br />

Active Directory, <strong>and</strong> vCenter Server Management VMs<br />

to Use a New Intercom Network IP Address<br />

If you want to use a new Intercom Network IP address, do the following to configure the<br />

SQL Server, <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> portal, WSUS, Unisys-supplied Active Directory, <strong>and</strong><br />

vCenter Server management VMs.<br />

Note: You might not be using all of these management VMs.<br />

1. Open a console to the SQL Server management VM.<br />

2. Access Network Connections, <strong>and</strong> then access the Intercom Network Properties<br />

dialog box for TCP/IPv4.<br />

3. Update the properties to reflect the new Intercom Network IP address values in<br />

Table 1–5.<br />

4. Using Notepad, open the file C:\Windows\System32\drivers\etc\hosts.<br />

5. Update each management VM entry in the hosts file, using the new Intercom<br />

Network IP address values in Table 1–5.<br />

6. Save <strong>and</strong> close the hosts file.<br />

7. If your environment includes VLANs <strong>and</strong> you are updating the Unisys supplied Active<br />

Directory management VMs, do the following:<br />

Note: Skip this step if you are updating any other management VMs.<br />


a. Open a comm<strong>and</strong> prompt using the Run As Administrator option.<br />

b. Type the following comm<strong>and</strong>:<br />

route print<br />

c. Note all of the entries listed in the Persistent Routes section.<br />

d. For each Persistent Routes entry that uses the Management Network Appliance<br />

IP address on the Intercom Network as the “Gateway Address,” type the<br />

following comm<strong>and</strong>:<br />

route -p change <br />

<br />

For example, if the route print comm<strong>and</strong> shows the following persistent route:<br />

10.1.1.0 255.255.255.0 172.31.1.200<br />

Change the route to use the new Intercom Network IP of the management<br />

network appliance, as follows:<br />

route -p change 10.1.1.0/24 172.31.2.200<br />

Note: The CIDR notation for each tenant’s VLAN information is in Table 1–26.<br />

Repeat the previous steps to configure the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> portal management VM.<br />

If you are using the WSUS <strong>and</strong> VMware Update Manager management VM, repeat the<br />

previous steps on that VM.<br />

If you are using the Unisys supplied Active Directory management VMs, repeat the<br />

previous steps on those VMs.<br />

If you are using the Unisys-supplied vCenter Server management VM, repeat the previous<br />

steps on that VM.<br />

8.5.2. Configuring the uAdapt Controller Management VM to<br />

Use a New Intercom Network IP Address<br />

If you want to use a new Intercom Network IP address, do the following to configure the<br />

uAdapt Controller Management VM:<br />

1. Open a console to the uAdapt Controller Management VM.<br />

2. Open the file /etc/hosts.<br />

3. Update each management VM entry in the hosts file, using the new Intercom<br />

Network IP address values in Table 1–5.<br />

4. Save <strong>and</strong> close the file.<br />

5. Open the file /etc/sysconfig/network-scripts/ifcfg-eth0.<br />

6. Update the IPADDR= line with the new Intercom Network IP address.<br />

8.5.3. Configuring the uChargeback Management VM to Use a<br />

New Intercom Network IP Address<br />

If you want to use a new Intercom Network IP address, do the following to configure the<br />

uChargeback management VM:<br />

1. Open a console to the uChargeback management VM.<br />

2. Access Network Connections, <strong>and</strong> then access the Intercom Network Properties<br />

dialog box for TCP/IPv4.<br />

3. Update the properties to reflect the new Intercom Network IP address values in<br />

Table 1–5.<br />

4. Set the Preferred DNS Server to the new uChargeback Management VM IP<br />

address on the Intercom Network. Click OK until you exit the Properties dialog box.<br />

5. Using Notepad, open the file C:\Windows\System32\drivers\etc\hosts.<br />

6. Update each management VM entry in the hosts file, using the new Intercom<br />

Network IP address values in Table 1–5.<br />

7. Save <strong>and</strong> close the hosts file.<br />

8. Access DNS Manager.<br />

9. In the left pane, exp<strong>and</strong> Forward Lookup Zones.<br />

10. For each zone in the left pane, update the IP addresses of all uChargeback<br />

management VM entries that contain the preconfigured IP address on the Intercom<br />

Network, 172.31.1.3, to use the new IP address.<br />

11. Access the uChargeback Administrator.<br />

In approximately one minute, you see a warning dialog box that you are unable to<br />

connect to the database server. (You receive this warning because you changed the IP<br />

address of the SQL Server management VM.)<br />

12. Click OK.<br />

13. Wait several minutes until the uChargeback Administrator Database Configuration<br />

Wizard appears.<br />

14. In the Database Configuration Wizard, enter the following values:<br />

• Server Name: <br />

• Instance Name: <br />

• Database Name: uChgData<br />

15. Click Finish.<br />

16. When the uChargeback Administrator appears, close it.<br />

17. If your environment includes VLANs, do the following:<br />

a. Open a comm<strong>and</strong> prompt using the Run As Administrator option.<br />

b. Type the following comm<strong>and</strong>:<br />

route print<br />


c. Note all of the entries listed in the Persistent Routes section.<br />

d. For each Persistent Routes entry that uses the Management Network Appliance<br />

IP address on the Intercom Network as the “Gateway Address,” type the<br />

following comm<strong>and</strong>:<br />

route -p change <br />

<br />

For example, if the route print comm<strong>and</strong> shows the following persistent route:<br />

10.1.1.0 255.255.255.0 172.31.1.200<br />

Change the route to use the new Intercom Network IP of the management<br />

network appliance, as follows:<br />

route -p change 10.1.1.0/24 172.31.2.200<br />

Note: The CIDR notation for each tenant’s VLAN information is in Table 1–26.<br />

8.5.4. Configuring the <strong>Cloud</strong> Orchestrator Management VM to<br />

Use a New Intercom Network IP Address<br />

If you want to use a new Intercom Network IP address, do the following to configure the<br />

<strong>Cloud</strong> Orchestrator management VM:<br />

1. Open a console to the <strong>Cloud</strong> Orchestrator management VM.<br />

2. Access Network Connections, <strong>and</strong> then access the Intercom Network Properties<br />

dialog box for TCP/IPv4.<br />

3. Update the properties to reflect the new Intercom Network IP address values in<br />

Table 1–5.<br />

4. Set the Preferred DNS Server to the new uChargeback Management VM IP<br />

address on the Intercom Network. Click OK until you exit the Properties dialog box.<br />

5. Using Notepad, open the file C:\Windows\System32\drivers\etc\hosts.<br />

6. Update each management VM entry in the hosts file, using the new Intercom<br />

Network IP address values in Table 1–5.<br />

7. Save <strong>and</strong> close the hosts file.<br />

8. Using Notepad, open the file C:\Unisys\uspc\conf\uspcnetwork.config.xml.<br />

9. Using the values from Table 1–5, update the following nodes in the config.xml file:<br />

• udpAddr<br />

• tcpAddr<br />

10. Restart the following services.<br />

Caution<br />

Before restarting these services, ensure that no commissioning requests are in<br />

progress by responding to all outst<strong>and</strong>ing approval requests <strong>and</strong> waiting for all<br />

in-progress commissioning requests to be completed.<br />

• Unisys SPC Network Service<br />

• <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> UCO Service<br />

11. If your environment includes VLANs, do the following:<br />

a. Open a comm<strong>and</strong> prompt using the Run As Administrator option.<br />

b. Type the following comm<strong>and</strong>:<br />

route print<br />

c. Note all of the entries listed in the Persistent Routes section.<br />

d. For each Persistent Routes entry that uses the Management Network Appliance<br />

IP address on the Intercom Network as the “Gateway Address,” type the<br />

following comm<strong>and</strong>:<br />

route -p change <br />

<br />

For example, if the route print comm<strong>and</strong> shows the following persistent route:<br />

10.1.1.0 255.255.255.0 172.31.1.200<br />

Change the route to use the new Intercom Network IP of the management<br />

network appliance, as follows:<br />

route -p change 10.1.1.0/24 172.31.2.200<br />

Note: The CIDR notation for each tenant’s VLAN information is in Table 1–26.<br />

After you change the Intercom Network IP address for the <strong>Cloud</strong> Orchestrator<br />

management VM, you must do the following to change the configuration for the <strong>Secure</strong><br />

<strong>Private</strong> <strong>Cloud</strong> portal management VM:<br />

1. Open a console to the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> portal management VM.<br />

2. Using Notepad, open the portal-ext.properties file, which is located in the<br />

following directory: C:\Unisys\liferay-portal-6.0.6\tomcat-6.0.29\webapps\ROOT\WEB_INF\classes<br />

3. Locate the axis.servlet.hosts.allowed property in the portal-ext.properties file.<br />

4. Enter the new Intercom Network IP address for the <strong>Cloud</strong> Orchestrator management<br />

VM in the axis.servlet.hosts.allowed property. (Use commas to separate the IP<br />

address numbers.)<br />


5. Save <strong>and</strong> close the properties file.<br />

8.5.5. Configuring the Management Network Appliance to Use<br />

a New Intercom Network IP Address<br />

If you are using VLANs in your environment <strong>and</strong> you want to use a new Intercom Network<br />

IP address, perform one of the following procedures to configure the Management<br />

Network Appliance, depending on whether the network appliance is virtual or physical.<br />

If you are not using VLANs, or if you want to use the default Intercom Network IP address,<br />

you can skip this topic.<br />

Configuring a Virtual Management Network Appliance to Use a New<br />

Intercom Network IP Address<br />

If you have a virtual Management Network Appliance, do the following to configure it to<br />

use a new Intercom Network IP address:<br />

1. Return to the console for the jump box management VM.<br />

2. Ensure that the cloud provider XML file on the jump box management VM is up-to-date.<br />

3. From the Start menu, point to All Programs, Accessories, <strong>and</strong> then Windows<br />

PowerShell, <strong>and</strong> then click Windows PowerShell (x86).<br />

4. Enter the following comm<strong>and</strong> from the PowerShell (x86) window on the jump box<br />

management VM:<br />

.\Config-MNAicom.ps1<br />

The script configures the Intercom Network on the appliance using the information<br />

from the <strong>Cloud</strong> Provider XML file.<br />

Note: If you receive a warning message that there are limitations in your VMware ESX<br />

license, this means that the script cannot be completed because the required VMware<br />

license is not installed on the management server. If you receive this warning, you can<br />

either install the required VMware license or perform the steps in 12.6.2 Configuring the<br />

Virtual Management Network Appliance to Use a New Intercom Network IP Address (with<br />

a VMware License Restriction).<br />

Configuring a Physical Management Network Appliance to Use a<br />

New Intercom Network IP Address<br />

If you have a physical Management Network Appliance, do the following to configure it to<br />

use a new Intercom Network IP address.<br />

Note: The following procedure uses comm<strong>and</strong>s appropriate for Cisco switches. If you<br />

have another br<strong>and</strong> of switch, you must adapt these comm<strong>and</strong>s for that switch.<br />

1. Connect the console cable to the switch and connect to it using HyperTerminal, or<br />

connect to the switch using Telnet.<br />

2. Log in to the switch in privileged mode by typing enable, <strong>and</strong> then responding to the<br />

password prompt.<br />

The prompt changes to end with #. (For example, it changes from MySwitch> to<br />

MySwitch#.)<br />

3. Type the following comm<strong>and</strong> to enter configuration mode:<br />

configure terminal<br />

4. Enter the following comm<strong>and</strong>s to configure a new gateway IP address for the<br />

Intercom Network VLAN:<br />

interface vlan <br />

ip address <br />

5. Create new access lists with updated Intercom Network IP addressing information<br />

from Table 1–5 <strong>and</strong> Table 1–20, as follows:<br />

a. Note the current access lists that are using the Intercom Network by entering<br />

the following comm<strong>and</strong>:<br />

show access-lists<br />

b. Delete the current access lists that are using the Intercom Network by entering<br />

the following comm<strong>and</strong>:<br />

no access-list <br />

c. Create new access lists using the updated Intercom Network information by<br />

entering comm<strong>and</strong>s like the following:<br />

access-list permit any<br />

<br />

Note: If an access list number is changed from its previous value, ensure the<br />

appropriate access group is updated to use the new number.<br />

6. If NAT rules exist to enable the tenant VLAN to communicate with the DNS on the<br />

uChargeback management VM, use ip nat comm<strong>and</strong>s to update the rules to use the<br />

new uChargeback management VM Intercom Network IP address from Table 1–5.<br />

7. Enter the following comm<strong>and</strong> to verify the configuration:<br />

show running-config<br />

8. Save the configuration by entering the following comm<strong>and</strong>:<br />

copy running-config startup-config<br />

You see the following: Destination Filename [startup-config]?<br />

9. Press Enter.<br />

You see the response [OK].<br />


8.5.6. Configuring a Tenant VLAN Network Appliance to Use a<br />

New Intercom Network IP Address<br />

Perform the following procedure to configure a tenant VLAN network appliance to use a<br />

new Intercom Network IP address range:<br />

1. Revise the worksheet for this tenant by filling out an additional VLAN column in<br />

Table 1–26.<br />

2. Export the worksheet for this tenant to an XML file, as described in 1.1.6 Exporting the<br />

Data.<br />

3. Perform the procedure in 5.3.1 Deploying a New Tenant VLAN Network Appliance and<br />

VLAN, skipping step 2 (deploying the tenant VLAN network appliance from a template)<br />

because the virtual machine already exists.<br />

If you need to configure more than seven VLANs for the same tenant, you must configure<br />

an additional tenant VLAN network appliance. See 5.3.1 Deploying a New Tenant VLAN<br />

Network Appliance <strong>and</strong> VLAN.<br />

8.5.7. Configuring the Stealth Components to Use a New<br />

Intercom Network IP Address<br />

Note: If your environment does not include the Stealth for <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong>, skip this<br />

topic.<br />

Configuring the Stealth Licensing Server to Use a New Intercom<br />

Network IP Address<br />

If you want to use a new Intercom Network IP address, do the following to configure the<br />

Stealth Licensing management VM:<br />

1. Open a console to the Stealth Licensing management VM.<br />

2. Access Network Connections, <strong>and</strong> then access the Intercom Network Properties<br />

dialog box for TCP/IPv4.<br />

3. Update the properties to reflect the new Intercom Network IP address values in<br />

Table 1–5.<br />

4. Using Notepad, open the file C:\Windows\System32\drivers\etc\hosts.<br />

5. Update each management VM entry in the hosts file, using the new Intercom<br />

Network IP address values in Table 1–5.<br />

6. Save <strong>and</strong> close the hosts file.<br />

7. Do the following to reconfigure the SSL certificate on the Stealth Licensing<br />

management VM to use the new Intercom Network IP address:<br />

a. Enter the following comm<strong>and</strong> from a comm<strong>and</strong> prompt:<br />

netsh http show sslcert<br />

This comm<strong>and</strong> produces output similar to the following example:<br />

SSL Certificate bindings:<br />

-------------------------<br />

IP:port : 172.31.1.14:443<br />

Certificate Hash : 387d7c267b6601571a13124151e0c1020044fe99<br />

Application ID : {1ad74a6e-2af9-4c14-8277-c4a1fa7e2134}<br />

Certificate Store Name : MY<br />

Verify Client Certificate Revocation : Enabled<br />

Verify Revocation Using Cached Client Certificate Only : Disabled<br />

Usage Check : Enabled<br />

Revocation Freshness Time : 0<br />

URL Retrieval Timeout : 0<br />

Ctl Identifier : (null)<br />

Ctl Store Name : (null)<br />

DS Mapper Usage : Disabled<br />

Negotiate Client Certificate : Disabled<br />

The first output line (IP:port) shows the current IP address with which the<br />

certificate is associated.<br />

b. Stop the dynamic licensing service, as follows:<br />

net stop USSL_DynamicLicensing<br />

c. Delete the current association by specifying the IP address (IP:port) in the<br />

following comm<strong>and</strong>:<br />

netsh http delete sslcert ipport=<br />

Note: In this example, the IP:port value is 172.31.1.14:443.<br />

d. To associate the certificate with the correct address, enter the following<br />

comm<strong>and</strong>:<br />

netsh http add sslcert ipport=<br />

certhash=<br />

appid={1ad74a6e-2af9-4c14-8277-c4a1fa7e2134}<br />

where:<br />

is the new Intercom Network IP address of the<br />

Stealth Licensing management VM.<br />

is the IP address with which the certificate is associated.<br />

Note: The application ID must appear exactly as shown in the example.<br />

e. Start the dynamic licensing service, as follows:<br />

net start USSL_DynamicLicensing<br />

8. If your environment includes VLANs, do the following:<br />

a. Open a comm<strong>and</strong> prompt using the Run As Administrator option.<br />

b. Type the following comm<strong>and</strong>:<br />

route print<br />

c. Note all of the entries listed in the Persistent Routes section.<br />


d. For each Persistent Routes entry that uses the Management Network Appliance<br />

IP address on the Intercom Network as the “Gateway Address,” type the<br />

following comm<strong>and</strong>:<br />

route -p change <br />

<br />

For example, if the route print comm<strong>and</strong> shows the following persistent route:<br />

10.1.1.0 255.255.255.0 172.31.1.200<br />

Change the route to use the new Intercom Network IP of the management<br />

network appliance, as follows:<br />

route -p change 10.1.1.0/24 172.31.2.200<br />

Note: The CIDR notation for each tenant’s VLAN information is in Table 1–26.<br />
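The persistent-route update repeated in 8.5.1, 8.5.3, 8.5.4 and in step 8 above is easy to get wrong by hand: only routes whose Gateway Address is the old Management Network Appliance address may be changed, and each netmask has to be converted to the CIDR prefix that the route -p change form in the guide uses. The following Python helper is an added example, not a script supplied with the product; the route print output it parses is constructed for the example, and the old and new appliance addresses 172.31.1.200 and 172.31.2.200 are the ones the guide uses in its own illustration.<br />

```python
"""Added helper: derive 'route -p change' commands from 'route print' output."""
import ipaddress
import re
from typing import List, Tuple

# Constructed sample of Windows 'route print' output (not captured from a real
# system). Only the Persistent Routes section matters; Active Routes are ignored.
ROUTE_PRINT_SAMPLE = """\
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0     172.31.1.254    172.31.1.5    266
===========================================================================
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
         10.1.1.0    255.255.255.0     172.31.1.200       1
         10.1.2.0    255.255.255.0     172.31.1.200       1
        10.99.0.0      255.255.0.0     172.31.1.254       1
===========================================================================
"""

IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def persistent_routes(route_print: str) -> List[Tuple[str, str, str]]:
    """Return (network, netmask, gateway) for each Persistent Routes entry,
    stopping at the separator line that closes the section."""
    routes: List[Tuple[str, str, str]] = []
    in_section = False
    for line in route_print.splitlines():
        if line.strip() == "Persistent Routes:":
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("==="):
            break
        fields = line.split()
        # The column header is words; data rows begin with three dotted quads.
        if len(fields) >= 3 and all(IPV4.match(f) for f in fields[:3]):
            routes.append((fields[0], fields[1], fields[2]))
    return routes


def plan_route_changes(route_print: str, old_gateway: str, new_gateway: str) -> List[str]:
    """Build 'route -p change <network>/<prefix> <gateway>' for every persistent
    route whose gateway is the old Management Network Appliance address.
    Routes via any other gateway are deliberately left alone."""
    commands: List[str] = []
    for network, netmask, gateway in persistent_routes(route_print):
        if gateway != old_gateway:
            continue
        prefix = ipaddress.ip_network(f"{network}/{netmask}", strict=True).prefixlen
        commands.append(f"route -p change {network}/{prefix} {new_gateway}")
    return commands


if __name__ == "__main__":
    for cmd in plan_route_changes(ROUTE_PRINT_SAMPLE, "172.31.1.200", "172.31.2.200"):
        print(cmd)
```

With the sample input the helper emits change commands for the two routes that point at 172.31.1.200 and skips the 10.99.0.0 route, whose gateway is a different address; paste the output into the elevated command prompt opened in step a.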

Configuring the Virtual Stealth Gateway to Use a New Intercom<br />

Network IP Address<br />

To configure the Virtual Stealth Gateway to use a new Intercom Network IP address, see<br />

10.18.1 Adding COI Sets <strong>and</strong> Modifying COI Set Members. You must change all filters that<br />

refer to the previous Intercom Network subnet address to refer to the new subnet value.<br />

You must perform this procedure for each Stealth-enabled tenant VLAN.<br />
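Step 7 of the Stealth Licensing procedure above moves an HTTPS binding from the old Intercom Network address to the new one, and the certificate hash and application ID have to be copied exactly from the netsh http show sslcert output. The following Python helper is an added example, not a tool from the guide or the product: it reads that output, checks that the current binding really is on the old Intercom Network subnet and that the thumbprint and application ID have the expected shape, and then produces the four commands of steps b through e. The sample output reuses the IP:port, hash and application ID printed in the guide's example; the new address 172.31.2.14 is an assumption for this example.<br />

```python
"""Added helper: plan the netsh http sslcert rebinding from the Stealth Licensing
procedure, validating the captured 'show sslcert' output first."""
import ipaddress
import re
from typing import Dict, List

# Sample 'netsh http show sslcert' output. IP:port, hash and application ID are
# the values printed in the guide's example; the remaining lines are abbreviated.
SSLCERT_OUTPUT = """\
SSL Certificate bindings:
-------------------------

    IP:port                 : 172.31.1.14:443
    Certificate Hash        : 387d7c267b6601571a13124151e0c1020044fe99
    Application ID          : {1ad74a6e-2af9-4c14-8277-c4a1fa7e2134}
    Certificate Store Name  : MY
    Verify Client Certificate Revocation    : Enabled
"""

SERVICE = "USSL_DynamicLicensing"                 # service name from the guide
FIELD_RE = re.compile(r"^\s*(.+?)\s*:\s+(\S.*?)\s*$")  # "Name : value" lines
HASH_RE = re.compile(r"^[0-9a-fA-F]{40}$")        # SHA-1 thumbprint
APPID_RE = re.compile(r"^\{[0-9a-fA-F-]{36}\}$")   # GUID in braces


def parse_sslcert(output: str) -> Dict[str, str]:
    """Pick the IP:port, certificate hash and application ID out of the text.
    The lazy key match keeps 'IP:port' intact even though it contains a colon."""
    wanted = {"IP:port": "ipport", "Certificate Hash": "certhash", "Application ID": "appid"}
    found: Dict[str, str] = {}
    for line in output.splitlines():
        m = FIELD_RE.match(line)
        if m and m.group(1) in wanted:
            found[wanted[m.group(1)]] = m.group(2)
    missing = set(wanted.values()) - set(found)
    if missing:
        raise ValueError(f"show sslcert output lacks: {sorted(missing)}")
    return found


def plan_rebinding(output: str, new_ip: str, old_subnet: str = "172.31.1.0/24") -> List[str]:
    """Return the step 7 command sequence (stop service, delete old binding,
    add binding on the new address, start service). Refuses to proceed when the
    binding is not on the old Intercom Network subnet or the fields look wrong."""
    b = parse_sslcert(output)
    old_ip, _, port = b["ipport"].rpartition(":")
    if ipaddress.ip_address(old_ip) not in ipaddress.ip_network(old_subnet):
        raise ValueError(f"binding {b['ipport']} is not on {old_subnet}; refusing to rebind")
    if not HASH_RE.match(b["certhash"]):
        raise ValueError("unexpected certificate hash format")
    if not APPID_RE.match(b["appid"]):
        raise ValueError("unexpected application ID format")
    ipaddress.ip_address(new_ip)  # raises on a malformed new address
    return [
        f"net stop {SERVICE}",
        f"netsh http delete sslcert ipport={b['ipport']}",
        f"netsh http add sslcert ipport={new_ip}:{port} "
        f"certhash={b['certhash']} appid={b['appid']}",
        f"net start {SERVICE}",
    ]


if __name__ == "__main__":
    for cmd in plan_rebinding(SSLCERT_OUTPUT, "172.31.2.14"):
        print(cmd)
```

Because the application ID is carried over verbatim from the existing binding, the requirement in step d that it appear exactly as shown is satisfied automatically; the subnet check guards against running the sequence on a VM whose binding was already moved.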

8.5.8. Updating RBADB to Use the New Intercom Network IP<br />

Address<br />

To update RBADB to use the new Intercom Network IP address, do the following:<br />

1. Perform the procedure in 6.1 Updating <strong>Cloud</strong> Provider or Adding Tenant Information in<br />

the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> Environment, running the update<strong>Cloud</strong>Properties<br />

effector.<br />

After you complete that procedure, return to this topic.<br />

2. If you have any tenants in your environment, <strong>and</strong> if any of those tenants are using the<br />

uChargeback management VM to act as their DNS server, you must update the<br />

uChargeback management VM IP address on the Intercom Network for each tenant.<br />

To do so:<br />

a. Make the appropriate corrections in the tenant data worksheet.<br />

b. Export the worksheet to an XML file, using the procedure in 1.1.6 Exporting the<br />

Data, <strong>and</strong> copy it to the following directory on the jump box management VM:<br />

\Unisys\SPC-Automation\XML<br />

c. Perform the procedure in 6.1 Updating <strong>Cloud</strong> Provider or Adding Tenant<br />

Information in the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> Environment, running the Populator<br />

updateTenant effector.<br />

3. Click Log Off, <strong>and</strong> then close the browser window.<br />

8.5.9. Checkpoint<br />

To verify that the new IP address for the Intercom Network is working properly,<br />

commission a virtual machine using the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> portal.<br />


Section 9<br />

Changing Credentials <strong>and</strong> Performing<br />

Final Installation Tasks<br />

Credentials include the user name <strong>and</strong> password that enable you to log on to the product<br />

user interfaces. Initially, each product uses default credentials. The procedures in this<br />

section instruct you to change the credentials appropriately. The final checkpoint verifies<br />

that you can commission resources using the updated credentials. If the Virtual Office as a<br />

Service solution is included in your environment, you are also directed to install <strong>and</strong><br />

configure it at the end of this section.<br />

9.1. Recording Updated Credentials<br />

Credentials are the user name <strong>and</strong> password that enable you to log on to a product. For<br />

some products, you can change both the user name and password, but for other<br />

products, you can change only the password.<br />

It is strongly recommended that you change all credentials from the default values, using<br />

the procedures in this topic. Record the changed values in Table 2–1 <strong>and</strong> in the Excel<br />

workbook.<br />

9.2. Prerequisites to Changing Credentials<br />

Before you begin to change credentials, do the following:<br />

1. Verify that no commissioning requests are in progress by responding to all outst<strong>and</strong>ing<br />

approval requests <strong>and</strong> waiting for all in-progress commissioning requests to be<br />

completed. See 10.6 Responding to Requests Using the Operator Prompts Page for<br />

more information.<br />

2. Take a snapshot of each management VM. (You can delete these snapshots after you<br />

confirm the final checkpoint in this section.) Do the following:<br />

a. Open a console to the jump box management VM.<br />

b. Open a PowerShell comm<strong>and</strong> window from the jump box management VM, <strong>and</strong><br />

enter the following comm<strong>and</strong> to automatically take a snapshot of all management<br />

VMs (except the jump box management VM):<br />

.\Checkpoint-Snapshots.ps1<br />

–Name “”<br />

–Description “”<br />

Notes:<br />

• Quotation marks are required around <strong>and</strong> .<br />

• The is optional.<br />

If the script encounters a duplicate snapshot name for a management VM, it<br />

prompts you to do one of the following:<br />

• Enter a new value for , where the quotation marks are<br />

not required.<br />

• Enter C to continue, using the same name for the new snapshot.<br />

• Enter Q to quit taking snapshots <strong>and</strong> exit the script.<br />

• Press the Enter key to skip taking a snapshot for the VM.<br />

If the script displays the error message “a general system error occurred” or<br />

“VMware Tools is not running,” ensure that VMware Tools or the services for<br />

VMware Tools are running on each management VM (which can take a few minutes<br />

after a management VM is powered on), and then execute the script again.<br />

c. After the script completes, shut down the jump box management VM, manually<br />

take a snapshot, <strong>and</strong> then power it back on.<br />

3. Update the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> portal settings <strong>and</strong> prevent users from signing into<br />

the portal as follows:<br />

a. From a workstation on the Public Network, sign in to the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong><br />

portal using the URL in Table 2–2 <strong>and</strong> the Liferay administrator credentials in<br />

Table 2–1.<br />

b. From the Manage list (at the left of the top pane), click Control Panel.<br />

c. Click Portal Settings under Portal in the left pane, <strong>and</strong> then click<br />

Authentication in the right pane.<br />

d. Click LDAP, <strong>and</strong> then click the Edit icon next to the LDAP server.<br />

e. Change the value in the Principal box to an invalid name, <strong>and</strong> then click Save.<br />

This disconnects the Secure Private Cloud portal communication with the Active<br />

Directory server.<br />

f. From the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> portal management VM, access Services, <strong>and</strong> then<br />

restart the Unisys <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> Portal service.<br />

Any users currently signed in to the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> portal are disconnected.<br />

9.3. Procedures for Changing Credentials<br />

The following topics describe the procedures to change the credentials in Table 2–1.<br />

Before changing any credentials, be sure to complete the prerequisites described in<br />

9.2 Prerequisites to Changing Credentials.<br />

9–2 3850 6804–007


Note: During the implementation of the Secure Private Cloud environment, you are required to create new domain accounts (for example, for the uChargeback administrator) or use existing domain accounts (for example, for the Active Directory management VM). These credentials are not listed in Table 2–1, because there are no default values, but they are listed in the cloud provider workbook tables. Unless specifically stated in this topic, you can update these values using the standard domain credential management process for your environment.

9.3.1. VMware ESXi Management Interface

To change credentials for the root user, do the following:

1. Open a vSphere Client to the management server.
2. Select the management server node in the left pane and select the Local Users and Groups tab.
3. Right-click the root user and click Edit to edit the user properties.
4. Update the password.
5. Close the vSphere Client.

CHECKPOINT:

Open a new vSphere Client connection and verify that you can connect to the management server using the updated credentials.

9.3.2. uAdapt Controller Management VM

To change credentials for the root user, do the following:

1. Open a console to the uAdapt Controller management VM, and log on using the current root credentials.
2. Change the root password using the passwd command.
3. Log off.

Changing Credentials and Performing Final Installation Tasks

4. Log on using the updated credentials.

9.3.3. Windows Management VMs Administrator Accounts

Note: Depending on your environment, not all of the following management VMs might be in use.

It is recommended that all the Windows-based management VMs have the same Windows administrator credentials. Change them in the following order, using the procedures that follow:

1. Secure Private Cloud portal management VM
2. Cloud Orchestrator management VM
3. uChargeback management VM


4. SQL Server management VM
5. vCenter server management VM
6. WSUS management VM
7. Jump box management VM
8. Stealth Licensing management VM

To change credentials for the local administrator user, do the following:

1. Open a console to the next management VM in the previous list, log on using local administrator credentials, and complete the rest of this procedure before opening another console.

2. To rename the local administrator, do the following:

a. Open Server Manager, expand Configuration, expand Local Users and Groups, and then click Users.
b. Locate the default administrator user and rename it.

Caution

Do not use the Server Manager interface to change the password, because an irreversible loss of information can occur.

c. Log off.
d. Log on using the new local administrator name.

3. To change the Windows administrator password, do the following:

a. Send a Ctl-Alt-Del to the management VM console, and then click Change a Password.
b. Ensure that the username box contains the local administrator user name.
c. Enter the old and new passwords in the boxes, and then press Enter.
d. Log off.
e. Log on using the updated administrator credentials.

4. Repeat this procedure for each management VM that you are modifying. Refer to the previous list for the recommended order.
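As an added example that is not part of the Unisys guide, the following PowerShell performs step 3 of this procedure on one management VM from the console and then runs the CHECKPOINT. It issues a password change (not a reset) through the ADSI WinNT provider, which is the distinction behind the Caution above, and validates the new credential against the local SAM. The function names are assumptions; the account name and passwords are read from the operator.

```powershell
# Added example; not part of the Unisys guide. Run in an elevated PowerShell
# console on the management VM itself, logged on as the local administrator,
# after the account has been renamed (step 2). Function names are assumptions.

function Change-LocalAccountPassword {
    param(
        [Parameter(Mandatory = $true)][string]$UserName,
        [Parameter(Mandatory = $true)][string]$OldPassword,
        [Parameter(Mandatory = $true)][string]$NewPassword
    )
    # IADsUser.ChangePassword performs a password *change*: Windows re-protects
    # the account's DPAPI master keys, so saved credentials and EFS-encrypted
    # files stay readable. IADsUser.SetPassword (the same operation the Server
    # Manager / lusrmgr "Set Password" action performs) is a *reset* that leaves
    # that data unrecoverable, which is the "irreversible loss of information"
    # named in the Caution above.
    $account = [ADSI]("WinNT://{0}/{1},user" -f $env:COMPUTERNAME, $UserName)
    $account.ChangePassword($OldPassword, $NewPassword)   # throws if policy rejects it
}

function Test-LocalCredential {
    param(
        [Parameter(Mandatory = $true)][string]$UserName,
        [Parameter(Mandatory = $true)][string]$Password
    )
    # CHECKPOINT: validate the credential against the local SAM, which is what
    # the guide's "log off, log on with the updated credentials" step proves.
    Add-Type -AssemblyName System.DirectoryServices.AccountManagement
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext(
        [System.DirectoryServices.AccountManagement.ContextType]::Machine, $env:COMPUTERNAME)
    try { return $ctx.ValidateCredentials($UserName, $Password) }
    finally { $ctx.Dispose() }
}

function ConvertFrom-SecureStringToPlain {
    param([Parameter(Mandatory = $true)][System.Security.SecureString]$Secure)
    # The WinNT provider needs the plain string; free the BSTR as soon as possible.
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try { return [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

# --- Operator flow for one management VM (repeat per VM in the listed order) ---
$userName = Read-Host 'Local administrator account name (after the rename in step 2)'
$old = ConvertFrom-SecureStringToPlain (Read-Host 'Current password' -AsSecureString)
$new = ConvertFrom-SecureStringToPlain (Read-Host 'New password' -AsSecureString)

Change-LocalAccountPassword -UserName $userName -OldPassword $old -NewPassword $new

if (Test-LocalCredential -UserName $userName -Password $new) {
    Write-Host ("CHECKPOINT passed: {0}\{1} authenticates with the new password." -f $env:COMPUTERNAME, $userName)
} else {
    Write-Warning ("CHECKPOINT failed: {0}\{1} did not authenticate; do not continue to the next VM." -f $env:COMPUTERNAME, $userName)
}
```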

9.3.4. uAdapt Console

To change credentials for the uAdapt Console admin user, do the following:

1. Connect to the uAdapt Console using the URL in Table 2–2 and log on.
2. Select Accounts on the View menu.



3. Select Admin in the Assigned Users list.
4. Change the password in the right pane, and click the floppy disk icon to save the new password.
5. Log out.

CHECKPOINT:


Log on to the uAdapt Console using the updated credentials.

6. Open a console to the uChargeback management VM, and log on using domain credentials with administrator privileges, as shown in Table 1–10.

a. Launch the uChargeback Administrator.
b. On the Tools menu, point to Options, click Security, and then click Next to go to the second page.

The Security Configuration Options dialog box appears.


7. If you changed the uAdapt Console Admin credentials, do the following:

a. For the uAdapt Controller, update the values in the URL, Account, and two Password boxes.
b. Click Finish.

CHECKPOINT:

On the uChargeback management VM console, do the following:

1. Launch the uChargeback Administrator.
2. On the Tools menu, point to Monitor, and click Restart Monitor.
3. On the Tools menu, point to Monitor, and click View Monitor Log.



4. A success message is logged for uAdapt, which is similar to the following example:

Discovering uAdapt inventory at http://xxx.xxx.xxx.xxx.
Controller version=3.2.x.xxxxx

Note: An error message might be logged during the time when the credentials have been changed on the uChargeback management VM but the uChargeback Administration Service Account credentials are not yet updated to match. Refer to 9.3.13 uChargeback Services Domain Account for information on changing the uChargeback Administration Service Account credentials.

9.3.5. SQL Server Database Administrator

To change credentials for the SQL Server database administrator sa user, do the following:

1. Open a console to the SQL Server management VM, and log on as the local administrator user.
2. Start the SQL Server Management Studio and connect using Windows Authentication.
3. Expand the Security and then the Logins folders in the Object Explorer pane, right-click sa, and click Properties.
4. Update the values in the Password and Confirm password boxes, and click OK.
5. Reboot the server to break any existing connections to the databases.

CHECKPOINT:

From the SQL Server management VM console, do the following:

1. Start SQL Server Management Studio.
2. Select the SQL Server Authentication option.
3. Log on using the updated credentials.

9.3.6. RBADB Database Passwords

You can change the RBADB database passwords for the following accounts:

• ODSUI, which is the account that enables the RBADB Administrative interface to access the RBADB database
• ODSRun, which is the account that enables the Cloud Orchestrator management VM to access the RBADB database

Perform the following procedures to change the passwords for these accounts.

ODSUI RBADB Database Account


To change credentials for the RBADB database ODSUI account, do the following:

1. Perform the procedure in 9.3.5 SQL Server Database Administrator for the ODSUI account (rather than for the sa account).


2. Open a console to the uChargeback management VM, and log on as the local administrator user.
3. Using a text editor, such as Notepad, open the following file:

C:\Program Files (x86)\Apache Software Foundation\Tomcat 6.0\conf\Catalina\localhost\RBADB.xml

4. Update the password in the RBADB.xml file to match the password that you updated on the SQL Server management VM for the ODSUI account.
5. Save and close the file.
6. Restart the Apache Tomcat 6 service.

ODSRun RBADB Database Account

To change credentials for the RBADB database ODSRun account, do the following:

1. Perform the procedure in 9.3.5 SQL Server Database Administrator for the ODSRun account (rather than for the sa account).
2. Open a console to the Cloud Orchestrator management VM, and log on as the local administrator user.
3. Using a text editor, such as Notepad, open the following file:

C:\Unisys\UCO\conf\ODSAdapter.properties

4. Update the password in the ODSAdapter.properties file to match the password that you updated on the SQL Server management VM for the ODSRun account.
5. Save and close the file.
6. Restart the Unisys Secure Private Cloud UCO service.

Caution

Before restarting this service, ensure that no commissioning requests are in progress by responding to all outstanding approval requests and waiting for all in-progress commissioning requests to be completed.

9.3.7. vCenter Database Administrator

Note: Only perform this procedure if you are using the vCenter Server supplied by Unisys.



To change credentials for the vCenter database administrator vpxuser, do the following:

1. From a configuration workstation, do the following:

a. Launch vSphere Client to the vCenter server.
b. Click vCenter Server Settings on the Administration menu.
c. Select Advanced Settings in the left pane.
d. Update the value in the VirtualCenter.DBPassword box, and click OK.
e. Exit the vSphere Client.

2. Log on to the SQL Server management VM console as the local administrator user.
3. Start the SQL Server Management Studio and connect using Windows Authentication.
4. Expand the Security and then the Logins folders in the Object Explorer pane, right-click vpxuser, and click Properties.
5. Update the values in the Password and Confirm password boxes to match the value you entered for VirtualCenter.DBPassword, and click OK.
6. Open the vCenter server VM console, and restart the VMware VirtualCenter Server service.

CHECKPOINT:


From a configuration workstation, do the following:

1. Launch vSphere Client and verify that you can connect to the vCenter server.
2. Using the Inventory view, make sure that the expected inventory of workload servers and virtual machines is displayed.

9.3.8. Cloud Orchestrator Database Administrator

To change credentials for the Cloud Orchestrator database administrator, lifecycle-dbadmin, do the following.

Note: Do not change the lifecycle-dbadmin user name.

1. Open a console to the Cloud Orchestrator management VM, and log on as the local administrator user.
2. Stop the Unisys Secure Private Cloud UCO (Unisys Cloud Orchestrator) service.
3. Open a console to the SQL Server management VM, and log on as the local administrator user.
4. Start SQL Server Management Studio, and connect using Windows authentication.
5. Expand the Security folder and then expand the Logins folder in the Object Explorer pane.
6. Right-click lifecycle-dbadmin, and click Properties.
7. Update the values in the Password and Confirm password boxes, and then click OK.


8. In Windows Explorer, navigate to the C:\ProgramData\Unisys\ConfigSQL folder and locate the LifecycleDbChangePw.bat file.
9. Edit the LifecycleDbChangePw.bat file to replace the current password with the new password.
10. Run the LifecycleDbChangePw.bat file.
11. Enter Y when you receive a warning about replacing the existing task.

The script adds a task that uses the new database password, replacing the existing task that used the old password.

12. Log on to the Cloud Orchestrator management VM console as the local administrator user.
13. Navigate to the C:\Unisys\UCO\conf folder, and edit the hibernate-mssql.cfg.xml file.
14. Edit the line to replace the existing password with the new password.
15. Save and close the file.
16. Start the Unisys Secure Private Cloud UCO (Unisys Cloud Orchestrator) service, and then verify that the service starts running and remains running.

9.3.9. Secure Private Cloud Portal Database Administrator

To change credentials for the Secure Private Cloud portal database administrator, Portal-dbadmin, do the following.

Note: Do not change the Portal-dbadmin user name.

1. Open a console to the Secure Private Cloud portal management VM, and log on as the local administrator user.
2. Stop the Unisys Secure Private Cloud portal service.
3. Open a console to the SQL Server management VM, and log on as the local administrator user.
4. Start SQL Server Management Studio, and connect using Windows authentication.
5. Expand the Security folder and then expand the Logins folder in the Object Explorer pane.
6. Right-click Portal-dbadmin, and click Properties.
7. Update the values in the Password and Confirm password boxes, and then click OK.
8. Return to the console for the Secure Private Cloud Portal management VM.
9. Navigate to the C:\Unisys\liferay-portal-6.0.6\tomcat-6.0.29\webapps\ROOT\WEB-INF\classes folder and edit the portal-ext.properties file.
10. Edit the line ″jdbc.default.password=″ to replace the existing password with the new password.



11. Save and close the file.
12. Start the Unisys Secure Private Cloud portal service.
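The configuration-file half of this procedure and of 9.3.8 follows one pattern: stop the service, change the SQL login, rewrite one password key in a file, start the service and confirm it stays up. The following PowerShell is an added example, not code from the Unisys guide; it does the file edit and the start-and-stay-running check for the portal's jdbc.default.password key (the same .properties edit applies to ODSAdapter.properties and platformapi-config.properties elsewhere in this section). The function names, the service display-name pattern and the 60-second watch window are assumptions; the Portal-dbadmin password is still changed first in SQL Server Management Studio (steps 3 to 7).

```powershell
# Added example; not part of the Unisys guide. Run on the Secure Private Cloud
# portal management VM as the local administrator, after the Portal-dbadmin
# password has been changed in SQL Server Management Studio (steps 3 to 7).
# Function names, the service display-name pattern and the watch window are
# assumptions; the file path and key name are the ones given in the procedure.

function Set-PropertiesValue {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Key,
        [Parameter(Mandatory = $true)][string]$Value
    )
    # Rewrite exactly one "key=value" line in a Java .properties file. The value
    # is concatenated, not passed through -replace, so characters such as "$"
    # in a password are never interpreted as regex replacement tokens.
    $escapedKey = [regex]::Escape($Key)
    $lines = [System.IO.File]::ReadAllLines($Path)
    $hits = @($lines | Where-Object { $_ -match "^\s*$escapedKey\s*=" })
    if ($hits.Count -ne 1) {
        throw ("Expected exactly one '{0}=' line in {1}, found {2}." -f $Key, $Path, $hits.Count)
    }
    # Keep a copy for rollback; it holds the old secret, so delete it once the
    # CHECKPOINT passes.
    Copy-Item -LiteralPath $Path -Destination ($Path + '.bak') -Force
    $updated = foreach ($line in $lines) {
        if ($line -match "^\s*$escapedKey\s*=") { "$Key=$Value" } else { $line }
    }
    # Java reads .properties as ISO-8859-1; an ASCII password is assumed here.
    [System.IO.File]::WriteAllLines($Path, [string[]]$updated, [System.Text.Encoding]::ASCII)
}

function Start-ServiceAndWatch {
    param(
        [Parameter(Mandatory = $true)][string]$DisplayNamePattern,
        [int]$WatchSeconds = 60
    )
    # Step 16 in 9.3.8: the service must start *and remain* running. A wrong
    # database password usually shows up as a start followed by a stop a few
    # seconds later when the connection pool fails, so keep polling for a while.
    $svc = @(Get-Service -DisplayName $DisplayNamePattern -ErrorAction Stop)
    if ($svc.Count -ne 1) { throw ("Pattern '{0}' matched {1} services." -f $DisplayNamePattern, $svc.Count) }
    $svc = $svc[0]
    Start-Service -InputObject $svc -ErrorAction Stop
    $deadline = (Get-Date).AddSeconds($WatchSeconds)
    while ((Get-Date) -lt $deadline) {
        $svc.Refresh()
        if ($svc.Status -ne 'Running') { return $false }
        Start-Sleep -Seconds 5
    }
    return $true
}

# --- Operator flow (steps 8 to 12 of this procedure) ---
$propsPath = 'C:\Unisys\liferay-portal-6.0.6\tomcat-6.0.29\webapps\ROOT\WEB-INF\classes\portal-ext.properties'
$servicePattern = 'Unisys Secure Private Cloud Portal*'   # assumed to match the service shown in Services
$secure = Read-Host 'New Portal-dbadmin password' -AsSecureString
$bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try { $plain = [System.Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

Stop-Service -DisplayName $servicePattern -ErrorAction Stop    # step 2, if not already stopped
Set-PropertiesValue -Path $propsPath -Key 'jdbc.default.password' -Value $plain   # steps 9 to 11

if (Start-ServiceAndWatch -DisplayNamePattern $servicePattern) {
    Write-Host 'CHECKPOINT passed: the portal service started and stayed running; remove the .bak copy.'
} else {
    Write-Warning 'The portal service stopped after starting: re-check the SQL login password, or restore the .bak copy.'
}
```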

9.3.10. Tomcat Manager

To change credentials for the Tomcat manager admin user, do the following:

1. Open a console to the uChargeback management VM, and log on as a local administrator.
2. Using a text editor, such as Wordpad, open the following file.

Note: The Wordpad text editor maintains the formatting in the file, which makes the file easier to update.

C:\Program Files (x86)\Apache Software Foundation\Tomcat 6.0\conf\tomcat-users.xml

3. Update the user name and password.
4. Save and close the file.
5. Restart the Apache Tomcat 6 service.

CHECKPOINT:

From the uChargeback management VM console, do the following:

1. Access https://localhost:8443 using a Web browser, and click Continue.

Note: If you get a certificate warning, dismiss it; it is not a problem.

2. Verify that you can access the Tomcat Manager using the updated credentials.

9.3.11. RBADB Administrator Interface

Note: To change credentials for the RBADB database, see 9.3.6 RBADB Database Passwords.

To change credentials for the RBADB admin user on the RBADB administrator interface, do the following:

1. From the jump box management VM, access RBADB using a browser and the URL in Table 2–2, and log on as the admin user.
2. Select Site Users in the left pane, and click the Admin Admin user.
3. Click Reset Password in the upper right corner.
4. Enter the new password in both boxes (to enter and confirm the new password), and then click Submit.
5. Close the browser to RBADB.

CHECKPOINT:


Open a browser to RBADB using the updated credentials.


9.3.12. Unisys-Supplied Domain Controllers

If you configured the optional, Unisys-supplied Domain Controllers, change the Windows administrator credentials.

Note: It is recommended that all Windows-based management VMs have the same Windows administrator credentials. Therefore, you should change the administrator credentials to match those you configured in 9.3.3 Windows Management VMs Administrator Accounts.

You can also add other administrator and non-administrator users to the domain, but it is not necessary.

When you perform this procedure on one Domain Controller, the change is automatically made to the other Domain Controller.

To change the credentials of the Unisys-supplied management-side Domain Controllers, do the following:

1. Open a console to the primary Domain Controller (SPC-AD1) and log on using the Windows credentials in Table 2–1.

2. To rename the administrator, do the following:

a. Access Active Directory Users and Computers, and select Users in the left pane.
b. Right-click the default administrator user, and then click Rename.
c. Type the new administrator name, and then press Enter.
d. Click Yes when you receive a warning that you should log out and log in using the new user name.
e. In the Rename User dialog box, in the User logon name box, enter the new name for the user. This should be the same name that you specified previously when you renamed the user.
f. Select the appropriate domain in the Domain list.
g. Click OK.
h. Log off.
i. Log on using the new administrator name.

3. To change the Windows administrator password, do the following:

a. Send a Ctl-Alt-Del to the Domain Controller console, and then click Change a Password.
b. Ensure that the username box contains the updated administrator user name.
c. Enter the old and new passwords in the boxes, and then press Enter.

CHECKPOINT:

Log off the Domain Controller and log back on as the domain administrator user using the new credentials.


When you have verified the new credentials, close the console to the Domain Controller management VM.

9.3.13. uChargeback Services Domain Account

Caution

Do not perform this procedure if you will be commissioning physical servers. If you will be commissioning physical servers, leave the Services Domain Account as it was configured previously.

To change credentials for the uChargeback Services domain account, do the following:

1. Open a console to the uChargeback management VM, and log on using the uChargeback administrator credentials in Table 1–10.
2. Run the uChargeback Administrator.
3. On the Tools menu, point to Options, and click Security.
4. Make a note of the Account in the Service Account section; leave the dialog box open.
5. Send a Ctl-Alt-Del to the virtual machine console, and click Change a Password (for the server).

The Change Password dialog box opens.

6. Change the user name to the account from the Service Account section that you noted previously. Refer to the values in Table 1–10.
7. Enter the old and new passwords in the boxes, and press Enter.

The Change Password dialog box closes.

8. In the Service Account section, update the two password values to match the new password for the Service account.


9. Click Finish.

The Unisys DWP Monitor Service and Unisys DWP Sdk Host services are restarted.

10. Open a console to the Cloud Orchestrator management VM, and log on using administrator credentials.
11. Edit the following file:

C:\Program Files (x86)\Apache Software Foundation\Tomcat 6.0\webapps\platform\WEB-INF\classes\platformapi-config.properties

12. Update the value for provider.metric.pass to match the password value for the uChargeback service in Table 1–10.
13. Restart the Apache Tomcat 6 service.



CHECKPOINT:

Check that the following services are started on the uChargeback management VM:

• Unisys DWP Monitor Service
• Unisys DWP Sdk Host

9.3.14. Secure Private Cloud Liferay Administrator

To change the password for a Secure Private Cloud Liferay administrator, do the following.

Note: All cloud and tenant user credentials should be configured using Active Directory. Use the standard Active Directory method to change those credentials as needed.

1. From a workstation on the Public Network, sign in to the Secure Private Cloud portal using the URL in Table 2–2 and the Liferay administrator credentials in Table 2–1.
2. Click the Welcome tab, and then click the name of the Liferay administrator.

Note: If you are prompted to do so, reenter your credentials.

The My Account page appears.

3. On the Details page, update the Email Address and any other Name properties, if required, and then click Save.
4. Click Password under User Information in the right pane.
5. On the Password page, type the current password, type the new password, and then enter the new password again.
6. Click Save.
7. Sign out, and close the browser window.

CHECKPOINT:

On the Secure Private Cloud portal, do the following:

1. Sign in using the updated credentials.
2. Verify that you can access the Control Panel from the Manage list at the left of the top pane.

9.3.15. Virtual Management Network Appliance Administrator

If you are using VLANs to isolate tenant networks, and if you are using a virtual Management Network Appliance to connect the management server or servers to the Management Access Network, do the following to change the credentials for the administrator account that can configure the virtual Management Network Appliance:

1. Open a console to the Management Network Appliance management VM, and log on using the default administrator credentials.
2. Enter the following commands:

configure


set system login user vyatta authentication plaintext-password 
commit
save

3. Log off using the logout command.

CHECKPOINT:

Log on using the updated credentials.

9.3.16. Tenant VLAN Network Appliance Administrator

If you are using VLANs to isolate tenant networks, then the administrator password was updated automatically when you ran the Config-TenantApp.sh script, as described in 5.3.1 Deploying a New Tenant VLAN Network Appliance and VLAN. The script updated the password to the value in Table 1–25.

If you want to change the password again, do the following:

1. Open a console to the tenant VLAN network appliance, and log on using the current administrator credentials.
2. Enter the following commands:

configure
set system login user vyatta authentication plaintext-password 
commit
save

3. Log off using the logout command.

CHECKPOINT:

Log on using the updated credentials.

9.3.17. uChargeback vCenter User

To configure the uChargeback vCenter User, do the following:

1. If you are using the vCenter Server supplied by Unisys, change the credentials for the uChargeback vCenter User, as follows.

Note: If you are using an existing vCenter Server in your environment, use your own procedures for changing the credentials.



a. Open a console to the vCenter Server management VM, and log on using the local Windows administrator user credentials.
b. Open the Server Manager, expand Configuration, expand Local Users and Groups, and then click Users.
c. Locate the uChargeback vCenter User and rename it.
d. Send a Ctl-Alt-Del command to the console.
e. Click Change a password.
f. Set the user to be the uChargeback vCenter User.
g. Enter the previous password and new password in the boxes, and then press Enter.
h. Close any vSphere Client sessions connected to vCenter Server, and then restart the VMware VirtualCenter Server service.

2. If you renamed the uChargeback vCenter User, assign the new user name to the Read-Only role in vCenter Server, as follows:

a. Using vSphere Client, connect to vCenter Server using the vCenter administrator user credentials.
b. Select the Hosts & Clusters inventory view.
c. Right-click the workload datacenter in the left pane and click Add Permission.

The Assign Permissions dialog box appears.

d. Click Add under Users and Groups.

The Select Users and Groups dialog box appears.

e. Leave the default value, (server), in the Domain box.
f. Enter the new uChargeback vCenter User in the Users box.
g. Click Check Names to verify that the user name is correct.

If the user is not correct, an Incorrect username error message is displayed.

h. Click OK.

The Select Users and Groups dialog box closes.

i. Select Read-only from the Assigned Role list.
j. Click OK.


The Assign Permissions dialog box closes.

3. Open a console to the uChargeback management VM, and log on using a uChargeback administrator account from Table 1–10.
4. Run the uChargeback Administrator.
5. Point to Options on the Tools menu, click Security, and then click Next to go to the second page.

The Security Configuration Options dialog box appears.


6. In the Virtual Center section, update the values in the Account and two Password boxes.
7. Click Finish.

CHECKPOINT:

On the uChargeback Administrator, do the following:

1. Point to Monitor on the Tools menu, and click Restart Monitor.
2. Point to Monitor on the Tools menu, and click View Monitor Log.

Verify that the vCenter inventory was successfully discovered.

9.3.18. Cloud Orchestrator vCenter User

To configure the Cloud Orchestrator vCenter User, do the following:

1. If you are using the vCenter Server supplied by Unisys, change the credentials for the Cloud Orchestrator vCenter User, as follows.

Note: If you are using an existing vCenter Server in your environment, use your own procedures for changing the credentials.

a. Open a console to the vCenter Server management VM, and log on using the local Windows administrator user credentials.
b. Open the Server Manager, expand Configuration, expand Local Users and Groups, and then click Users.
c. Locate the Cloud Orchestrator vCenter User and rename it.
d. Send a Ctl-Alt-Del command to the console.
e. Click Change a password.
f. Set the user to be the Cloud Orchestrator vCenter User.
g. Enter the previous password and new password in the boxes, and then press Enter.
h. Close any vSphere Client sessions connected to vCenter Server, and then restart the VMware VirtualCenter Server service.

2. If you renamed the Cloud Orchestrator vCenter user, assign the user to the vCenter Cloud Orchestrator role, as follows:

a. Launch the vSphere Client and connect to the vCenter server, using administrator credentials.
b. Select the Hosts & Clusters inventory view.
c. Right-click the workload datacenter and click Add Permission.

The Assign Permissions dialog box appears.

d. Click Add under Users and Groups to add the Cloud Orchestrator user for this role.

The Select Users and Groups dialog box is displayed.

9–18 3850 6804–007


Changing Credentials <strong>and</strong> Performing Final Installation Tasks<br />

e. Leave the default value, (server), in the Domain box.<br />

f. Select the vCenter <strong>Cloud</strong> Orchestrator user, click Add, <strong>and</strong> then click OK.<br />

g. Select the <strong>Cloud</strong> Orchestrator user role in the Assigned Role list.<br />

h. Click OK to close the dialog box.<br />

3. Log on to the <strong>Cloud</strong> Orchestrator management VM console using administrator<br />

credentials, <strong>and</strong> do the following:<br />

a. Stop the Unisys <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> UCO (Unisys <strong>Cloud</strong> Orchestrator) service.<br />

b. In Wordpad, open the following file:<br />

C:\Unisys\UCO\mlets\serviceInstance.mlet<br />

Note: The Wordpad editor maintains formatting in the file, which makes it easier<br />

to update.<br />

c. Update the user <strong>and</strong> password parameter values with the new <strong>Cloud</strong> Orchestrator<br />

vCenter user credential values. These values appear in the following lines in this<br />

file:<br />


4. Update the values in the Password and Confirm password boxes, and then click OK.

5. Log on to the WSUS management VM console as the local administrator user.

Note: The following steps use the VMware Update Manager Utility to change the vumuser credentials that the VMware Update Manager uses. For additional documentation on the Update Manager Utility, refer to the VMware Web site and perform a documentation search on “Update Manager Utility.”

6. Navigate to the Update Manager installation directory:

C:\Program Files (x86)\VMware\Infrastructure\Update Manager

7. Double-click VMwareUpdateManagerUtility.exe.

8. Enter the vCenter Administrator credentials in the User Name and Password boxes.

9. Click Login.

10. Click Database Settings in the Options pane of the Update Manager Utility.

11. In the Configurations pane, enter vumuser in the User Name box, if it does not already exist in the box.

12. Enter the same vumuser password in the Password and Confirm Password boxes that was entered in step 4.

13. Click Apply.

14. Restart the VMware vCenter Update Manager Service.

CHECKPOINT:

From a configuration workstation, do the following:

1. Launch vSphere Client, and open the vCenter management VM console using administrator credentials.

2. Run the VMware vSphere Client.

3. Select Manage Plug-ins from the Plug-ins menu, right-click VMware vCenter Update Manager Extension, and then click Enable.

4. Verify that the plug-in is successfully enabled.

5. Close the dialog box and exit vSphere.

9.3.20. HAProxy Load Balancer for Web Applications

If you are using the HAProxy load balancer for Web applications, which is an optional component included with the Secure Private Cloud, do the following to change the password for the spcadmin and root users:

1. Select System, point to Administration, and then click Users and Groups.

2. In the Users Settings dialog box, select the appropriate user and click the Properties button.

3. Select Set password by hand, and enter the new password for the user in the User password and Confirmation boxes.

4. Click OK.

9.3.21. Stealth Infrastructure VMs, Administration Application, and Dynamic Licensing Web Interface

Note: If Stealth for Secure Private Cloud is not included in your environment, skip the following procedures.

Perform the procedures in this topic to change the credentials for the tenant Stealth Infrastructure VMs, for the Administration Application (which runs on the Stealth Configuration Machine infrastructure VM for each tenant), or to change the credentials for the Dynamic Licensing Web Interface (which runs on the Stealth Licensing management VM for the cloud environment as a whole).

If you want to change the credentials for the Stealth Licensing management VM, perform the procedure in 9.3.3 Windows Management VMs Administrator Accounts.

Stealth Configuration Machine, Stealth Transfer Machine, Stealth Proxy Server, and Stealth Relay Server Infrastructure VMs

If Stealth for Secure Private Cloud is included in your environment, five Stealth infrastructure VMs are created for each Stealth-enabled VLAN.

To change the credentials for the Stealth Configuration Machine, Stealth Transfer Machine, Stealth Proxy Server, and Stealth Relay Server infrastructure VMs, do the following. (You can change the password for one or all of the infrastructure VMs.)

Note: To change the password for the Virtual Stealth Gateway infrastructure VM, perform the procedure in Virtual Stealth Gateway Infrastructure VM.

1. Open a console to the first infrastructure VM whose credentials you want to change, and log on as the local administrator user specified in Table 1–31.

2. To rename the local administrator user, do the following:

a. Open Server Manager, expand Configuration, expand Local Users and Groups, and then click Users.

b. Locate the local administrator user, right-click the user, and then select Rename.

Note: When you perform this procedure on the Stealth Configuration Machine infrastructure VM, you see an Administrator user named FDAdmin. Do not change the user name for the FDAdmin user.

c. Rename the local administrator user.

d. Close Server Manager.

Note: Do not use Server Manager to change the local administrator password, because an irreversible loss of information can occur.

e. Log off.

3. To change the local administrator password, do the following:

a. Log on using the local administrator user name.

b. Send a Ctl-Alt-Del command to the infrastructure VM console, and then click Change a Password.

c. Ensure that the username box contains the local administrator user name.

d. Enter the old and new passwords in the boxes, and then press Enter.

e. Log off.

f. Log on using the updated administrator credentials.

Note: When you perform this procedure on the Stealth Configuration Machine infrastructure VM, you can perform this step twice: once for the local administrator user whose user name you changed and once for the FDAdmin user. The local administrator user and the FDAdmin user share the same initial password that you entered in Table 1–31. (The new passwords you assign for the local administrator user and for the FDAdmin user can be different values. If you change only the local administrator user password, be sure to make a note of the original password so that you can later log in as the FDAdmin user, if required.)

4. Repeat this procedure for each Stealth infrastructure VM that you are modifying.

5. Update Table 1–31 in the tenant worksheet to include the new credentials you entered for each infrastructure VM.

6. If you changed the user name or password for the Stealth Transfer Machine infrastructure VM, you must also run the updateTenant effector. Perform the procedure in 6.1 Updating Cloud Provider or Adding Tenant Information in the Secure Private Cloud Environment, and run the updateTenant effector for the tenant whose Stealth infrastructure VMs were updated.

Virtual Stealth Gateway Infrastructure VM

To change the password for the Virtual Stealth Gateway infrastructure VM, do the following.

Note: You cannot change the user name for the Virtual Stealth Gateway infrastructure VM.

1. Open a console to the Stealth Configuration Machine infrastructure VM (which is associated with the Virtual Stealth Gateway infrastructure VM whose password you want to change).

Log in using the FDAdmin user name and password. (The local administrator user and the FDAdmin user share the same initial password that you entered in Table 1–31.)

2. Open a command prompt.

3. Change the directory to C:\Stealth Files\Software.

4. Enter the following command:

changeVSGpassword.bat

You see a dialog box that prompts you to enter and confirm the new password.

5. Enter and confirm the new password for the Virtual Stealth Gateway infrastructure VM.

You see a message that states that the password was changed.

6. Close the command prompt.

Dynamic Licensing Web Interface

Note: For more information on accessing the Dynamic Licensing Web Interface and the Stealth licensing settings you can view and change, see 10.18.4 Viewing and Configuring Stealth Licensing Options.

To change the password for the Stealth Dynamic Licensing Web Interface, you must update the password on both the Cloud Orchestrator management VM and the Stealth Licensing management VM. Do the following:

1. Open a console to the Cloud Orchestrator management VM, and log on using the current administrator credentials.

2. Edit the following file in Notepad:

C:\Program Files (x86)\Apache Software Foundation\Tomcat 6.0\webapps\platform\WEB-INF\classes\platformapi-config.properties

3. Locate the line that reads:

Cloud.PlatformAPI.provider.license.password=

The default password is U*spc2341.

4. Update the password to a new value.

5. Save and close the platformapi-config.properties file.

6. Access Services, and restart the Apache Tomcat 6.0 Service.

7. Close the console to the Cloud Orchestrator management VM.

8. Open a console to the Stealth Licensing management VM, and log on using the current administrator credentials.

9. Open a command prompt using the Run as administrator option.

10. Change the directory to C:\Program Files\Unisys\Stealth Solution for LAN.

11. Enter the following command to change the password to match the value you entered on the Cloud Orchestrator management VM:

dynamiclicensing.exe /set WebPassword

Note: If the password contains spaces, enclose it in quotation marks.

12. Close the command prompt.

13. Close the console to the Stealth Licensing management VM.

9.4. Restoring Users’ Connection to the Portal After Credentials Have Been Changed

Before you began to change credentials, you were advised to update the Secure Private Cloud portal settings to prevent users from signing into the portal. Do the following to reverse this procedure and enable users to sign into the portal:

1. From a workstation on the Public Network, sign in to the Secure Private Cloud portal using the URL in Table 2–2 and your Liferay administrator credentials.

2. From the Manage list (at the left of the top pane), click Control Panel.

3. Click Portal Settings under Portal in the left pane, and then click Authentication in the right pane.

4. Click LDAP, and then click the Edit icon next to the LDAP server.

5. Change the value in the Principal box to the user name that the portal uses to authenticate with LDAP. This value is the same as the Principal (User) value from Table 1–6.

6. Test the connection, and then click Save.

This enables the Secure Private Cloud portal communication with the Active Directory server.

9.5. Performing a Final Commissioning Checkpoint

As a final checkpoint when you are finished changing credentials for all management VMs, do the following:

1. From a workstation on the Public Network, sign in to the Secure Private Cloud portal using the URL in Table 2–2 and credentials that enable you to commission virtual machines.

2. Verify that you can successfully commission a machine by repeating the procedure in 7.5 Checkpoint: Commissioning a Resource.

9.6. Installing Virtual Office as a Service

If the Virtual Office as a Service (VOaaS) is included in the environment, refer to the Secure Virtual Office as a Service Implementation and Best Practices Guide (3843 4536) for information on installing the Virtual Office servers, completing networking for these servers, creating virtual desktop gold images, and configuring new tenants in the database.


Section 10

Cloud Portal Operations

This section describes the tasks performed by administrators and operators to support the cloud environment.

10.1. Understanding How Requests are Processed

During the configuration process, the Unisys service consultant sets up one or more of the following methods for user requests to be passed to administrators and operators:

• Through e-mail

• Through your Remedy ITSM ticketing system

If your environment already includes the BMC Remedy IT Service Management (ITSM) software suite version 7, the Unisys service consultant can configure tickets to be generated through the existing ticketing system.

• Through the Unisys Remedy ITSM ticketing system

If you choose, the Unisys service consultant can configure the tickets to be handled by an off-site Unisys Remedy ITSM ticketing system.

You receive notifications when action is required. If Remedy ITSM is configured in your environment, a Remedy ticket is generated to deliver this request. If Remedy ITSM is not configured, or if both Remedy ITSM and e-mail are configured, you receive an e-mail message.

Users also receive notifications based on how the environment is configured.

10.2. Responding to Virtual Machine Requests

Users request new virtual machines, request that virtual machines be started or stopped, and request that virtual machines be decommissioned (deleted) using the Secure Private Cloud portal. These tasks are performed, for the most part, automatically by the Secure Private Cloud portal, and little manual action is required by administrators or operators. You receive notifications of new requests and when new virtual machines are commissioned.

Note: Virtual machines must always be decommissioned using the Secure Private Cloud portal. Do not delete virtual machines directly from VMware vCenter.

If your version of Remedy ITSM is provided by Unisys and located at a Unisys datacenter, or if you are using e-mail to handle Secure Private Cloud requests, no action is required. Only if your environment uses Remedy ITSM (a version provided by your organization) must you update the Remedy ticket status field manually as the request is processed. (The ticket status is set as “Draft” and does not change automatically.)

Your site administrator determines whether users can request additional operator actions when commissioning virtual machines. These additional actions are not part of the normal, automatic commissioning process; they include the following:

• Adding an additional virtual hard drive of a specific size

• Adding additional memory

• Adding an additional virtual NIC

• Installing specified software

If the user requested additional actions for the virtual machine, you are notified of the actions and their requested values through your normal method of notification. You receive the user-requested additional actions and values only if the person who created the blueprint enabled users to request additional operator actions.

You must examine each request and decide whether it was filled automatically or whether you need to perform a manual action to fill the request. When you finish satisfying all additional requests for a virtual machine, you

1. From a workstation on the Public Network, sign in to the Secure Private Cloud portal using the URL in Table 2–2 and your cloud administrator credentials.

2. Click the Administration tab.

You see the Operator Prompts in the right pane.

3. Select the waiting requests for which you completed additional actions, and approve them.

4. Notify the user that the requested virtual machine is ready, using your normal procedure.

The site administrator should provide operator training for the following:

• The types of additional operator actions that users can request and valid values for each action

• The wording of administrator-defined properties that identify the additional operator actions that users can request

• The value of any filters that apply to blueprints and how they affect the possible operator actions

• How to perform the manual action for each request


10.3. Managing Expired Virtual Machines

When a virtual machine lease expires, the virtual machine is stopped, and it appears as Expired on the Resource Overview page of the Secure Private Cloud portal. To access this page, click Commission and Manage, and then click Manage Resources.

From this page, you can change the lease, detach, or decommission (delete) an expired virtual machine. To filter the list of all virtual machines and display only those that have expired, select Lease from the Filter list, select Expired from the secondary list, and then click Go.

10.4. Responding to Physical Server Requests

Users request that new physical servers be commissioned using the Secure Private Cloud portal. Users request that physical servers be started, stopped, or decommissioned (deleted) through another method; the Unisys service consultant helps determine the method used to communicate these requests to administrators and operators.

All physical server tasks require manual action by an administrator or operator. Refer to the following topics for more information on handling physical server requests.

10.4.1. Commissioning New Physical Servers

When a user requests that a new physical server be commissioned, you receive a notice asking you to start one of the uAdapt personas that was created when the account was configured.

Do the following to start the uAdapt persona:

1. Launch the uAdapt Console.

2. Access the Dashboard view from the View menu.

3. In the left list box, select Server Pools:Personas.

4. Locate the server pool that matches the user request. Typically, the pool name is composed of a company name (identified in the request as the “company”) and the “blueprint” name listed in the request. Use the pool that does not end with “-active.”

5. If a persona is available in the pool, then select a persona from the pool, making a note of the persona name.

If no persona is available in the pool, then you must either contact your Unisys service consultant to arrange for an increase in the number of physical servers and personas available to your users, or you must delete an existing physical server to make those resources available to another user. See 10.4.3 Decommissioning Physical Servers (Releasing Physical Server Resources).

6. In the top-right list box, select Persona Assignment.

7. In the second (lower) list box, select the matching pool name that ends with “-active.”

For example, if the initial server pool is named Widget-W2K3x86MULT-CI-Small-0008-P, select the server pool named Widget-W2K3x86MULT-CI-Small-0008-P-active.

8. Save the uAdapt configuration.

9. Start the persona by selecting Start Persona on the right menu.

10. Save the uAdapt configuration.

11. After the persona is started, access the Catalog view, and then select Personas in the top-left list box.

12. Select the persona that was selected in Step 5.

13. Verify that Persona is selected in the top-right list box.

14. Copy the value from the Name field, and then paste it in the Description field. In the Name field, type the “physical machine name” as it is listed in the user request.

15. Save the uAdapt configuration.

16. Ensure that the persona goes into the running state in uAdapt.

17. Log on to the persona using Remote Desktop or the server console.

18. From a command prompt, enter the following command:

ipconfig /all

19. From the output of this command, examine the IP addresses listed for each connection.

Use this information to determine which connection is attached to the uAdapt Server Control Network, which connection is attached to the Cloud Management Network, and which connection (if any) is connected to the Public Network.

Make a list of which connection names (such as Local Area Connection, Local Area Connection 2, and so forth) are connected to which network.

20. Access Network Connections, as follows:

• For Windows Server 2003, click Start, point to Control Panel, and then click Network Connections.

• For Windows Server 2008, click Start, and then click Control Panel. Double-click Network and Sharing Center, and then click Manage network connections.

21. Configure the network connections so that IPv6 is disabled, and so that only one of the network connections registers itself in DNS.

If the system has a connection to the Public Network, then configure that network connection to register itself in DNS. Otherwise, configure the network connection for the Cloud Management Network to register itself in DNS.

Note: Physical server commissioning cannot be finalized if the system registers with multiple DNS addresses.

To configure each connection, perform the following steps:

a. Double-click the connection in Network Connections.

b. On the Status dialog box, click Properties.


c. On the Properties dialog box, under This connection uses the following items, select one of the following, depending on your operating system:

• For Windows Server 2008, clear the Internet Protocol Version 6 (TCP/IPv6) check box, select Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

• For Windows Server 2003, select Internet Protocol (TCP/IP), and then click Properties.

Note: Because IPv6 is not supported by Windows Server 2003, there is no need to disable IPv6 explicitly.

d. On the Internet Protocol Properties dialog box, click Advanced.

e. On the Advanced TCP/IP Settings dialog box, select the DNS tab.

f. Select the Register this connection’s addresses in DNS check box.

g. Enable or clear the Use this connection’s DNS suffix in DNS registration check box.

Note: Enable only one connection.

h. Click OK to close the Advanced TCP/IP Settings dialog box.

i. Click OK to close the Internet Protocol (TCP/IP) Properties dialog box.

j. Click Close to close the Properties dialog box.

22. Change the computer name to match the physical computer name; this name is the same as the changed persona name.

23. Configure the server to synchronize time with a time server that is compatible with the uChargeback management VM.

This is required in order for resource utilization metrics to display the correct data in the Secure Private Cloud portal.

24. When Windows prompts you to reboot, click No.

Note: You must use the uAdapt Console to “reboot” the Windows operating system by stopping and restarting the persona, as described in the following steps.

25. Using the uAdapt Console, stop the persona, and then start it again.

These commands enable the computer name change to take effect in Windows without causing the persona to retarget to a different server.

Do the following to stop and then start the persona:

a. Select Personas from the top-left list box.

b. Select the persona.

c. Select the Stop Persona command in the right menu.

d. Save the configuration.

The persona changes states and eventually ends in the dormant state.

e. In the top-right list box, select Persona Assignment.

f. Verify that the top list box value is Try to run on server in Pool and that the bottom list box is set to the “-active” pool associated with the request.

g. Select Start Persona on the right menu.

h. Save the configuration.

The persona changes states and eventually goes into the running state.

26. Open a console to the Cloud Orchestrator management VM.

27. Launch a Web browser, and access the uOrchestrate Operations Console using the URL in Table 2–2.

28. Log in to the Operations Console using the credentials in Table 2–1.

29. If you receive a message that the Operations Console has stopped polling, click OK.

30. When you see the question, “What is the Computer Name of the newly started persona xxx?” enter the computer name (persona name) of the commissioned physical server.

The computer name you enter must be resolvable from the Cloud Orchestrator and the uChargeback management VMs. This can be the fully qualified domain name of the server, where the domain suffix is the Domain value from Table 1–9. For example, if the host name of the server is host-1, and the Domain value in Table 1–9 is Managed.example.com, then enter host-1.Managed.example.com.

(The name that appears in this message is the “User Entered Name” listed in the user request, which is different from the physical computer name/persona name.)

31. Click response.

After you enter the computer name, the Secure Private Cloud portal completes the physical machine request. When the request is complete, the user who requested the physical server receives a notice that the physical server has been commissioned and can be accessed using the new computer name.

32. On the persona, ensure that the Unisys DWP Meter service is started and is configured to start automatically when the operating system is started.

33. Restart the server using the following procedure, 10.4.2 Starting or Stopping Physical Servers.
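As an added example that is not part of the Unisys guide, the following PowerShell script, run on the persona itself, checks the conditions that steps 21, 22, 30 and 32 of this procedure set up before you answer the Operations Console prompt: IPv6 unbound and exactly one connection registering in DNS, the computer name resolving in the Table 1–9 domain, and the Unisys DWP Meter service running and set to start automatically. It assumes Windows PowerShell 2.0 on a Windows Server 2008 persona (Windows Server 2003 has no built-in PowerShell); the domain suffix and the service display-name wildcard are placeholders to replace with your site's values.

```powershell
# Pre-finalization check for a newly started uAdapt persona. Added example, not Unisys code.
# Assumes Windows PowerShell 2.0 on Windows Server 2008; run it on the persona itself.
param(
    # Domain value from Table 1-9; the value here is the guide's own example, replace it
    [string]$ExpectedDomainSuffix = "Managed.example.com",
    # Assumed wildcard for the Unisys DWP Meter service display name; adjust if it differs
    [string]$DwpMeterDisplayName  = "*DWP Meter*"
)

$failures = New-Object System.Collections.ArrayList
function Fail([string]$msg) { [void]$failures.Add($msg); Write-Host "FAIL: $msg" -ForegroundColor Red }
function Pass([string]$msg) { Write-Host "ok:   $msg" }

# --- Step 21: IPv6 unbound, and only one connection registering itself in DNS ---------------
# Win32_NetworkAdapter supplies the connection name (Local Area Connection, ...) that the
# guide asks you to list in step 19; Win32_NetworkAdapterConfiguration supplies the IP and
# DNS registration settings. Both share the Index property.
$adapters = Get-WmiObject Win32_NetworkAdapter | Where-Object { $_.NetConnectionID }
$configs  = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"

$registering = @()
foreach ($cfg in $configs) {
    $name = $cfg.Description
    $nic  = $adapters | Where-Object { $_.Index -eq $cfg.Index }
    if ($nic) { $name = $nic.NetConnectionID }

    $v4 = @($cfg.IPAddress | Where-Object { $_ -notmatch ':' })
    $v6 = @($cfg.IPAddress | Where-Object { $_ -match ':' })

    # FullDNSRegistrationEnabled is the "Register this connection's addresses in DNS" check box (step 21f);
    # DomainDNSRegistrationEnabled is the "Use this connection's DNS suffix in DNS registration" box (step 21g).
    Write-Host ("{0}: IPv4={1} IPv6={2} RegisterInDNS={3} UseSuffix={4}" -f $name, ($v4 -join ','),
        ($v6 -join ','), $cfg.FullDNSRegistrationEnabled, $cfg.DomainDNSRegistrationEnabled)

    # A still-bound IPv6 stack always carries at least a link-local fe80:: address, so any
    # IPv6 address here means the TCP/IPv6 check box (step 21c) was not cleared.
    if ($v6.Count -gt 0) { Fail "$name still has IPv6 bound; clear the TCP/IPv6 check box (step 21c)" }

    if ($cfg.FullDNSRegistrationEnabled) { $registering += $name }
}

# The guide's note: commissioning cannot be finalized if more than one connection registers in DNS.
switch ($registering.Count) {
    0       { Fail "no connection registers in DNS; enable it on the Public or Cloud Management connection (step 21f)" }
    1       { Pass "exactly one connection registers in DNS: $($registering[0])" }
    default { Fail "multiple connections register in DNS: $($registering -join ', ')" }
}

# --- Steps 22 and 30: computer name (= persona name) must resolve as <host>.<Table 1-9 Domain> ---
# This only proves the record is visible from the persona's own DNS server; repeat the lookup
# from the Cloud Orchestrator and uChargeback management VMs, which is what step 30 requires.
$fqdn = "{0}.{1}" -f $env:COMPUTERNAME, $ExpectedDomainSuffix
try {
    $resolved = [System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.IPAddressToString }
    $local    = @($configs | ForEach-Object { $_.IPAddress })
    $match    = @($resolved | Where-Object { $local -contains $_ })
    if ($match.Count -gt 0) { Pass "$fqdn resolves to a local address ($($match -join ','))" }
    else { Fail "$fqdn resolves to $($resolved -join ',') which is not an address of this server (stale record?)" }
} catch {
    Fail "$fqdn does not resolve: $($_.Exception.Message)"
}

# --- Step 32: Unisys DWP Meter service running and set to start automatically -----------------
$svc = Get-WmiObject Win32_Service | Where-Object { $_.DisplayName -like $DwpMeterDisplayName }
if (-not $svc) { Fail "no service matching '$DwpMeterDisplayName' found; confirm the DWP Meter display name" }
else {
    foreach ($s in @($svc)) {
        if ($s.State -eq 'Running' -and $s.StartMode -eq 'Auto') { Pass "$($s.DisplayName) is Running / Auto" }
        else { Fail "$($s.DisplayName) is $($s.State) / $($s.StartMode); expected Running / Auto" }
    }
}

if ($failures.Count -eq 0) { Write-Host "All checks passed; continue with the Operations Console (step 26 onward)." }
else { Write-Host "$($failures.Count) check(s) failed; fix them before answering the Operations Console prompt."; exit 1 }
```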

10.4.2. Starting or Stopping Physical Servers<br />

When a user requests that a physical server be started or stopped, you receive a notice<br />

requesting that you complete this action.<br />

Starting a Physical Server<br />

Do the following to start a physical server:<br />

1. Launch the uAdapt Console.<br />

2. Access the Catalog view from the View menu.<br />

3. Select Personas in the top-left list box.<br />

10–6 3850 6804–007


4. Select the persona that matches the computer name that the user requested you start.

5. In the top-right list box, select Persona Assignment.

6. Verify that the top list box value is Try to run on server in Pool and that the bottom list box is set to the “-active” pool associated with the request.

7. Select Start Persona on the right menu.

8. Save the configuration.

The persona changes states and eventually ends in the running state.

9. Verify that the state has changed to “Running” to ensure that the persona has successfully started.

Stopping a Physical Server

Do the following to stop a physical server:

1. Launch the uAdapt Console.

2. Access the Catalog view from the View menu.

3. Select Personas from the top-left list box.

4. Select the persona that the user requested to stop.

5. Select Stop Persona on the right menu.

6. Save the configuration.

The persona changes states and eventually ends in the dormant state.

7. Verify that the state has changed to “Dormant” to ensure that the persona has successfully stopped.

Cloud Portal Operations

Caution

Do not change the server pool for the persona to the non-active pool; the non-active pool is only for personas that are not commissioned.

10.4.3. Decommissioning Physical Servers (Releasing Physical Server Resources)

When you decommission a physical server, you release its resources back to the cloud so that they can be reassigned.

When a user requests that a physical server be decommissioned, you receive a notice requesting that you complete this action.

Decommissioning a physical server and making its resources available to other users includes the following tasks:

1. Stopping the persona in uAdapt.

2. Reinitializing the operating system image for this persona from the gold image that was configured by the Unisys service consultant. For the storage LUN for this persona, this involves doing either of the following:

• Writing over the storage LUN.

• Deleting the storage LUN and creating an identically named LUN.

3. Moving the persona from the active pool to the inactive pool.

Note: After you stop and decommission virtual machines, they are moved into the Archived Servers Department in uChargeback. This enables you to create historical reports, as needed. However, if you want to fully delete the virtual machines from uChargeback, see 11.8 Removing Tenant Resources and Departments from uChargeback.

Stopping the Persona

Stop the persona in uAdapt. See 10.4.2 Starting or Stopping Physical Servers.

Managing the Storage LUN

Reinitialize the operating system image for this persona from the gold image that was configured by the Unisys service consultant. For the storage LUN for this persona, do either of the following:

• Write over the existing LUN

• Delete the existing LUN and create a new LUN with an identical name

In order for the physical server to be recommissioned using uAdapt, you must rename the LUN using the exact name used previously. If you do not, the physical server becomes uncommissionable, and you must call your Unisys service consultant for assistance in creating a new persona.

Use the documentation provided by your storage system to perform one of these tasks.

Moving the Persona to the Inactive Server Pool

Do the following to move the uAdapt persona from the active to the inactive server pool:

1. Launch the uAdapt Console.

2. Access the Catalog view from the View menu.

3. Select Personas from the top-left list box.

4. Select the persona that is being deleted.

5. In the top-right list box, select Persona Assignment.

6. In the second (lower) list box, select the matching pool name that does not end with “active.” For example, if the assigned server pool is named Widget-W2K3x86-active, select the server pool named Widget-W2K3x86.

7. Save the configuration.

8. In the top-right list box, select Persona.

9. Copy the value from the Description field, and then paste it in the Name field.

10. Save the configuration.
10.5. Responding to Virtual Desktop Requests

Users request that new virtual desktops be commissioned using the Secure Private Cloud portal. Users can also request that virtual desktops be deleted (decommissioned) using the Secure Private Cloud portal. If a virtual desktop needs to be started or stopped, the administrator or operator receives a message by e-mail, by Remedy ticket, or by both, depending on the configuration.

All virtual desktop tasks require manual action by an administrator or operator. Refer to the following topics for more information on handling requests.

10.5.1. Commissioning New Virtual Desktops

When a user uses the Secure Private Cloud portal to request that a virtual desktop be created, a notification (e-mail, Remedy ticket, or both) is created to direct the cloud administrator or operator to manually create the required desktop.

The notification includes the specific blueprint name that should be used and a link to the Secure Virtual Office as a Service Implementation and Best Practices Guide (3843 4536), which provides detailed instructions on implementing the Virtual Office as a Service solution, onboarding new tenants, and creating new virtual desktops. This document is available from the Unisys Product Support Web site (www.support.unisys.com). You can also refer to the Secure Virtual Office as a Service Session Manager Help (3826 5187), which is available directly from the Session Manager connection broker interface.

After the desktop has been created and started in Session Manager, the administrator or operator must sign into the Secure Private Cloud portal and approve the pending request. The administrator or operator must also manually maintain a mapping of the resource descriptive name to the desktop name created. (This is used later when deleting virtual desktops.)

10.5.2. Starting, Stopping, and Deleting Virtual Desktops

Starting and Stopping Virtual Desktops

In general, users do not have to request that virtual desktops be started. When a user starts the process to connect to the virtual desktop using the Thin Client software, the software automatically tries to start the virtual desktop if it is not already running. Users can also use the Thin Client software to request that a virtual desktop be restarted (that is,

if the virtual desktop is running, it is stopped and then restarted). A user can make a stop request from within the virtual desktop operating system, if the operating system image was built with a capability that enables users to shut it down.

If a user needs administrator or operator assistance to start or stop a virtual desktop, the user must create a request using the method established with the Unisys service consultant.

Deleting Virtual Desktops

When a user uses the Secure Private Cloud portal to request that a virtual desktop be decommissioned (deleted), a notification (e-mail, Remedy ticket, or both) is created to direct the cloud administrator or operator to manually complete the deletion process.

The notification contains the resource descriptive name to be deleted and a link to the Secure Virtual Office as a Service Implementation and Best Practices Guide, which provides detailed instructions on deleting the Virtual Office as a Service desktop.

10.6. Responding to Requests Using the Operator Prompts Page

Operator prompts are generated by the Secure Private Cloud when the automation software encounters a condition that requires intercession by an administrator or operator. For example, an operator prompt is generated if a user requests a custom configuration for a virtual machine, or if a commissioning request has failed due to a configuration or infrastructure problem (such as insufficient space to create a new virtual machine).

In these cases, the administrator or operator responsible for handling the prompt should review the information presented and determine how to proceed. In the event of an error, if the problem can be resolved (for example, by adding additional storage), the administrator or operator should take whatever action is necessary to resolve the problem, and then approve the prompt. The automation software will retry the operation that failed.

If the error cannot or should not be resolved (for example, due to invalid user input), the administrator or operator should reject the operator prompt. The automation software then informs the requesting user that the request has failed.

The Operator Prompts page of the Secure Private Cloud portal enables administrators and operators to approve or reject requests. Do the following to access the Operator Prompts page:

1. From a workstation on the Public Network, sign in to the Secure Private Cloud portal using the URL in Table 2–2 and your cloud administrator or cloud operator credentials.

2. Click Administration.

In the right pane, you see the Operator Prompt Overview, the Operator Prompt Details, and Operator Prompt Status tables. Each table provides a different level of detail about the operator prompts.

See the Secure Private Cloud Interface Help for more information on using this page.

10.7. Managing Tenant Users

Perform the following procedures to change a user’s e-mail address, deactivate or reactivate a user, or delete a user.

10.7.1. Updating a Tenant User’s E-mail Address

To change a tenant user’s e-mail address, do the following.

Note: If you change a user’s e-mail address in Active Directory, you must perform the following procedure to change the e-mail address in the Secure Private Cloud portal.

1. From a workstation on the Public Network, sign in to the Secure Private Cloud portal using the URL in Table 2–2 and your Liferay administrator credentials.

2. From the Manage list (at the left of the top pane), click Control Panel.

3. In the left pane, under Portal, click Users.

The Users page appears with a list of active users.

4. Click the user whose e-mail address you want to change.

5. Type the new e-mail address in the Email Address box.

6. Click Save.

10.7.2. Moving a User from One Tenant Organization to Another

Note: Before moving a tenant user from one organization to another, ensure that the user does not own any resources (virtual machines, physical servers, or virtual desktops). If the user owns any resources, you must either decommission those resources or change the ownership of those resources before performing this procedure. See Section 10, Cloud Portal Operations, for more information about decommissioning virtual machines, virtual desktops, or physical servers, or see the Secure Private Cloud Interface Help for information about changing ownership of a resource.

If you need to move a user from one tenant organization to another, do the following:

1. Sign in to the Secure Cloud Portal using the URL from Table 2–2 and the Liferay administrator credentials from Table 2–1.

2. Click OK when you receive one or more errors that there has been an error processing your request or that you do not have permission to view requests.

3. At the top of the window, directly below the browser address bar, select Manage, and then click Control Panel.

4. In the left pane, under Portal, click Users.

The Users page appears.

5. Using the First Name, Last Name, or Email Address boxes, search for the user whose organization you want to change.

Note: You might have to click Advanced to see all available search fields.

6. When you locate the user, click the user name.

The Details page appears containing the details of the user.

7. In the right pane, click Organizations.

8. Click Select to assign the user to an organization.

The Organizations window appears.

9. Select one of the listed organizations.

Note: You can search for an organization, if required.

10. Click Remove next to the user’s former organization to remove the association with that organization.

11. Click Roles.

12. Click Remove next to the role or roles associated with the user’s former organization.

13. At the bottom of the right pane, click Save.

14. Exit Control Panel, and log out.

15. Log in using your cloud administrator credentials, and assign the user to the appropriate role and project using the Role and Project Membership page. See 7.4 Assigning Cloud Provider and Tenant Users to Roles, and Assigning Tenant Users to Projects for more information.

10.7.3. Deactivating or Reactivating Tenant Users

The following procedure describes how to deactivate tenant users and prevent them from logging in to the Secure Private Cloud portal. It also describes how to reactivate users, if needed.

Do the following to deactivate a user:

1. From a workstation on the Public Network, sign in to the Secure Private Cloud portal using the URL in Table 2–2 and your Liferay administrator credentials.

2. From the Manage list (at the left of the top pane), click Control Panel.

3. In the left pane, under Portal, click Users.

The Users page appears with a list of active users.

4. Locate the users you want to deactivate, and select the check boxes next to the user names.

5. Click Deactivate (at the top of the list of users) to deactivate the users.

If you want to reactivate a user, do the following:

1. From a workstation on the Public Network, sign in to the Secure Private Cloud portal using the URL in Table 2–2 and your Liferay administrator credentials.
2. From the Manage list (at the left of the top pane), click Control Panel.

3. In the left pane, under Portal, click Users.

The Users page appears with a list of active users.

4. From the Active list, select No, and then click Search.

Note: You might have to click Advanced under the Search button to view the Active list.

A list of the deactivated users appears.

5. Locate the users you want to activate, and select the check boxes next to the user names.

6. Click Restore (at the top of the list of users) to reactivate the users.

10.7.4. Deleting Tenant Users and User Roles

Deleting Tenant Users and User Roles from the Secure Private Cloud Portal

To delete tenant users, do the following:

1. From a workstation on the Public Network, sign in to the Secure Private Cloud portal using the URL in Table 2–2 and your Liferay administrator credentials.

2. From the Manage list (at the left of the top pane), click Control Panel.

3. In the left pane, under Portal, click Users.

The Users page appears with a list of active users.

4. If you have not already deactivated the users you want to delete, do the following. If the users are already deactivated, skip to the next step.

Do the following to deactivate users:

a. Select the check boxes next to the users who you want to deactivate.

b. Click Deactivate (at the top of the list of users) to deactivate the users.

5. From the Active list, select No, and then click Search.

Note: You might have to click Advanced under the Search button to view the Active list.

A list of the deactivated users appears.

6. Locate the users you want to delete, and select the check boxes next to the user names.

7. Click Delete (at the top of the list of users) to delete the selected users.

To delete a tenant user role, do the following.

1. From a workstation on the Public Network, sign in to the Secure Private Cloud portal using the URL in Table 2–2 and your Liferay administrator credentials.

2. From the Manage list (at the left of the top pane), click Control Panel.

3. In the left pane, under Portal, click Roles.

The Roles page appears with a list of roles.

4. Locate the tenant user role you want to delete, click the Actions button for that user role, and then click View Users.

5. Verify that no users are associated with the role you are deleting.

If any users are associated with the role, you should create a new role and reassign the users before continuing.

6. Locate the tenant user role you want to delete, click the Actions button for that user role, and then click Delete.

10.8. Editing Blueprints

To edit a blueprint that has already been refined, do the following.

Note: Some blueprint attributes cannot be changed, such as blueprint type.

1. Click Administration, and then click Manage Blueprints.

2. Under Manage Blueprints, select the project associated with the blueprint you want to edit.

The Blueprint pane is updated to list all blueprints associated with the project.

3. Under Blueprints, select the blueprint that you want to edit, and then click Edit Blueprint.

4. Edit the values as required.

Note: The blueprint name cannot be longer than 128 characters. Only numbers (0-9), uppercase and lowercase letters (A-Z, a-z), space, hyphen (-), underscore (_), period (.), ampersand (&), and at sign (@) characters are allowed.

See the following topics for information:

• 6.5 Virtual Machine Attributes and Values

• 6.6 Virtual Desktop Attributes and Values

5. After you finish editing the values, click Apply.
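The blueprint naming rule in step 4 (128 characters maximum; only 0-9, A-Z, a-z, space, hyphen, underscore, period, ampersand and at sign) is the kind of rule worth checking before a name is submitted, for example when names are prepared in bulk from a tenant worksheet. The following is an added example, not code from the guide or from the Secure Private Cloud portal, and it uses an explicit ASCII allow-list rather than str.isalnum(), which would wrongly accept Unicode letters and look-alike whitespace; rejecting an empty name is this example's own assumption.

```python
import re

# Rule stated in the guide (10.8 Editing Blueprints): a blueprint name is at
# most 128 characters and may contain only 0-9, A-Z, a-z, space, hyphen (-),
# underscore (_), period (.), ampersand (&) and at sign (@).
MAX_BLUEPRINT_NAME_LEN = 128

# Explicit ASCII allow-list. str.isalnum() would be wrong here: it accepts
# Unicode letters such as "é", and "\u00a0" (non-breaking space) is not the
# ASCII space the rule permits.
_ALLOWED_CHAR = re.compile(r"[0-9A-Za-z \-_.&@]")


def blueprint_name_problems(name: str) -> list:
    """Return the reasons a proposed blueprint name violates the rule.

    An empty list means the name is acceptable. Rejecting an empty name is an
    assumption of this example, not a rule stated in the guide.
    """
    problems = []
    if name == "":
        problems.append("name is empty")
    if len(name) > MAX_BLUEPRINT_NAME_LEN:
        problems.append(
            f"name is {len(name)} characters; maximum is {MAX_BLUEPRINT_NAME_LEN}"
        )
    # Collect every distinct offending character so the operator can see
    # exactly what to fix (invisible characters are shown as escapes by repr).
    bad = sorted({c for c in name if not _ALLOWED_CHAR.fullmatch(c)})
    if bad:
        problems.append("disallowed characters: " + ", ".join(repr(c) for c in bad))
    return problems


def is_valid_blueprint_name(name: str) -> bool:
    """True when the name satisfies the length and character rules."""
    return not blueprint_name_problems(name)


if __name__ == "__main__":
    # Constructed sample names; none come from a real environment.
    for sample in ("Widget-W2K3x86", "Tenant A & B @ site_1.v2", "bad/name",
                   "caf\u00e9", "a\u00a0b", "x" * 129):
        print(repr(sample)[:40], blueprint_name_problems(sample) or "OK")
```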

10.9. Deleting Blueprints or Projects from the Cloud Environment

Note: Renaming projects is not a supported operation. To give a project a different name, you must delete it using the procedures in this topic and then recreate it using the new name.

If you want to delete a blueprint, you must delete it from both the Secure Private Cloud portal and from RBADB. If you want to delete a project, you must delete it from both RBADB and from uOrchestrate.

Perform the procedures in this topic to delete components from the cloud environment.

10.9.1. Deleting Blueprints from the Secure Private Cloud Portal

Note: To delete a blueprint, you must first decommission the resources that have been commissioned using the blueprint. You receive the following error message when you try to delete a blueprint that has resources tied to it:

There has been a problem processing your request.

To delete a blueprint from the Secure Private Cloud portal, do the following:

1. From a workstation on the Public Network, sign in to the Secure Private Cloud portal using the URL in Table 2–2 and your cloud administrator or cloud operator credentials.

2. Click Administration, and then click Manage Blueprints.

3. Under Manage Blueprints, select the tenant folder.

The Blueprint pane is updated to list all blueprints associated with the tenant.

4. Under Blueprints, select the blueprint that you want to delete, and then click Delete Blueprint.

A confirmation message appears.

5. Confirm that you want to delete the blueprint.

The blueprint is deleted from the tenant and from all tenant projects with which it is associated.

6. Delete the blueprint from RBADB. See Removing a Blueprint from a Contract and Deleting a Blueprint.

10.9.2. Deleting Projects or Blueprints from RBADB

If you want to delete tenant projects or blueprints from RBADB, perform the following procedures.

Note: If you delete a tenant, the projects associated with the tenant are deleted automatically. (See 11.6 Removing a Tenant Contract and Tenant from RBADB for information about deleting tenants.) However, any blueprints associated with the tenant must be deleted individually, as described later in this topic.

In addition, remove any deleted projects or blueprints from the tenant data worksheet, so that any future updates in the worksheet can be applied correctly to RBADB.

Note: It is not necessary to export the worksheet at this time.

Restrictions When Deleting Items in RBADB

• A project cannot be deleted if it is associated with any commissioned resources.

• A contract cannot be deleted if it is associated with any commissioned resources.

• A tenant cannot be deleted if it is associated with a contract.

• A blueprint cannot be deleted if it is associated with a contract.

Verifying that Commissioned Resources Are Not Associated with Tenants, Projects, or Blueprints

You cannot delete a tenant, project, or blueprint if it is associated with any commissioned resources. To verify that commissioned resources are not associated with tenants, projects, or blueprints, do the following:

1. From the jump box management VM, access RBADB using the URL in Table 2–2.

2. Log in with the RBADB Administrator credentials in Table 2–1.

3. Click Contracts in the left pane.

4. Select the contract for the tenant.

You see the Contracted Resources page, which includes a table listing associated blueprints.

5. For any Blueprint Type whose Deployed value is not 0, select View Deployed Resources from the Actions list.

You see the Deployed Resources page, which includes a table listing commissioned resources. Commissioned resources are grouped by project, and each machine is identified by the tenant fully qualified name (FQN).

For any deployed resources that are associated with tenants, projects, or blueprints that you want to decommission (delete), do the following:

a. Access the Secure Private Cloud portal, and verify that the commissioned resources have not been decommissioned. If any commissioned resources have not been decommissioned from the Secure Private Cloud portal, you must ensure that they are decommissioned.

If possible, you should request that users decommission their own virtual machines. The procedure that explains how users decommission virtual machines is included in the Secure Private Cloud Interface Help. However, if users are no longer available to decommission their own virtual machines, you might have to decommission them. See 11.1 Stopping and Decommissioning Virtual Machines for more information.

The procedure that explains how administrators decommission physical servers is described in 10.4.3 Decommissioning Physical Servers (Releasing Physical Server Resources).

b. If any commissioned resources still remain in RBADB, access the Deployed Resources page, and delete those resources by clicking the recycle bin icon next to each machine.

Note: Perform this step only if you are sure that the resources do not exist in the Secure Private Cloud portal. The recycle bin icon is provided only to resolve errors between commissioned resources that do not exist in the Secure Private Cloud portal but still appear in RBADB. If you delete a resource that still exists in the Secure Private Cloud portal, serious errors can occur.


Removing a Blueprint from a Contract and Deleting a Blueprint

Note: The Import VMware Virtual Machine blueprint can be removed from the tenant’s contract; however, you should not remove this blueprint from RBADB.

A blueprint cannot be deleted if it is associated with a contract. To remove a blueprint from a contract (if the contract has not already been deleted) and delete a blueprint, do the following in RBADB:

1. From the jump box management VM, access RBADB using the URL in Table 2–2.

2. Log in with the RBADB Administrator credentials in Table 2–1.

3. If you need to remove a blueprint from a contract (if the contract has not already been deleted), do the following:

a. Click Contracts in the left pane.

b. Select the contract for the tenant.

You see the Contracted Resources page, which includes a table of associated blueprints.

c. Verify that there are no commissioned resources associated with the blueprint (that the value in the Deployed column is 0). See Verifying that Commissioned Resources Are Not Associated with Tenants, Projects, or Blueprints.

d. Select Delete Resource from the Actions list.

e. Click OK to confirm that you want to remove the blueprint from the contract.

4. Click Blueprint Types in the left pane.

5. Select the blueprint you want to delete.

6. Click Delete.

7. Click OK to confirm that you want to delete the blueprint.

Deleting a Project

To delete a project, do the following.

Note: If you delete a tenant, all associated projects are automatically deleted from RBADB.

1. From the jump box management VM, access RBADB using the URL in Table 2–2.

2. Log in with the RBADB Administrator credentials in Table 2–1.

3. Click Accounts in the left pane.

4. Click SubAccounts for the tenant whose project you want to delete.

5. Select the subaccount for the project you want to delete.

6. Click Delete.

Note: If the Delete button is not active, there might be commissioned resources associated with this project. See Verifying that Commissioned Resources Are Not Associated with Tenants, Projects, or Blueprints for information on how to verify this

<strong>and</strong> delete commissioned resources if required.<br />

7. Click OK to confirm that you want to delete the project.<br />

8. Perform the procedure in 10.9.3 Removing Projects from uOrchestrate to remove the<br />

project from uOrchestrate.<br />

10.9.3. Removing Projects from uOrchestrate

To remove a project from uOrchestrate, do the following:

1. Open a console to the Cloud Orchestrator management VM.
2. Launch a Web browser, and access the uOrchestrate Operations Console using the URL in Table 2–2.
3. Log in to the Operations Console using the credentials in Table 2–1.
4. If you receive a message that the Operations Console has stopped polling, click OK.
5. In the Service Organization pane on the left, click the Registration service.
6. Expand Effectors in the right pane to view the effectors.
7. Under All Effectors, click removeSubAccountStructure.
   This effector removes a single project from an existing tenant. Type the name of the tenant that owns the project in the tenant parameter, and then type the name of the project that you want to delete in the subAccount parameter.
8. Click Execute.
9. Check the result in the result pane.
   You should see the message “Success” when the process is complete.
10. If any errors were encountered while attempting to delete the tenant or project, resolve them, and then rerun the effector.
    For example, if you see an error message that states that a folder cannot be deleted because a resource is associated with it, delete the resource, and then rerun the effector.

10.9.4. Archiving Projects in uChargeback

After you delete projects from RBADB and uOrchestrate, you should archive those projects in uChargeback. Do the following:

1. From a vSphere Client, open a console to the uChargeback management VM, and log in using the domain uChargeback administrator account from Table 1–10.
2. Access the uChargeback Administrator from the Start menu by pointing to All Programs, pointing to Unisys, pointing to uChargeback, and then clicking Administrator.
3. In the Object Browser tree in the left pane, expand the Departments tree, select the project that has been deleted from RBADB and uOrchestrate, and drag that project under Archived Accounts.

If you want to fully delete a project after archiving it, see 11.8 Removing Tenant Resources and Departments from uChargeback.

10.10. Configuring Snapshot Limits and Managing Snapshots

The Secure Private Cloud environment enables you to take snapshots of your virtual machines at any time. These snapshots are known as versions on the Secure Private Cloud portal.

As an administrator, you can limit the number of snapshots that can be taken. By default, the snapshot limit is not set, meaning that one snapshot can be taken for each virtual machine. You can update this value to allow the appropriate amount of storage for your environment to be used to store snapshots.

10.10.1. Configuring Snapshot Limits

You configure snapshot limits using the Excel worksheets. You can configure limits at three levels:

• For the entire Cloud environment
• For a specific tenant folder
• For a specific project folder

If you set these three values differently, the snapshot limits at the lower levels of the hierarchy take precedence over snapshot limits at higher levels. That is, snapshot limits defined at the project level take precedence over the tenant and Cloud level limits, and snapshot limits defined at the tenant level take precedence over the Cloud level limit. The only exception is that the default value (blank) does not override snapshot limits set at higher levels of the hierarchy.

If you want to prevent users from saving snapshots, set the appropriate snapshot limit to 0; you can set this limit at the Cloud level, the tenant level, or the project level. If you set the Cloud level snapshot limit to 0 and leave the tenant and project values blank, users cannot save snapshots. However, if you set the Cloud level snapshot limit to 0 and then set a different value for a particular tenant or project, only virtual machines that belong to that tenant or project can save snapshots.

The snapshot limits you set apply to each virtual machine individually. That means that if you set the snapshot limit to 10 at the project level, and you have 10 virtual machines in that project, you could have a total of 100 snapshots.

To update the snapshot limit for the cloud environment, change the Snapshot Limit in Table 1–9, export the cloud provider worksheet, and run the Populator updateCloudProperties effector, as described in 6.1 Updating Cloud Provider or Adding Tenant Information in the Secure Private Cloud Environment.

To set the snapshot limit for a tenant, change the Snapshot Limit in Table 1–29. To set the snapshot limit for a project, change the Snapshot Limit in Table 1–40. Then export the worksheet, and run the Populator updateTenant effector as described in 6.1 Updating Cloud Provider or Adding Tenant Information in the Secure Private Cloud Environment.
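The precedence rule above, as an added example that is not part of the guide or of the Populator: a resolver for the effective per-VM limit from the three worksheet cells (blank never overrides, lower level wins), with the Cloud level 0 case and the 10 VMs × limit 10 capacity case from the text worked through. The cell-string handling and function names are assumptions.

```python
from typing import Optional, Union

Cell = Union[str, int, None]  # a Snapshot Limit cell as exported from the worksheet


def parse_limit(cell: Cell) -> Optional[int]:
    """Convert a worksheet Snapshot Limit cell to a limit.

    A blank cell (None, "" or whitespace) is the default, returned as None.
    Any other value must be a non-negative integer; 0 means "no snapshots".
    """
    if cell is None:
        return None
    text = str(cell).strip()
    if text == "":
        return None
    if not text.isdigit():
        raise ValueError(f"Snapshot Limit must be blank or a non-negative integer, got {cell!r}")
    return int(text)


def effective_snapshot_limit(cloud_cell: Cell, tenant_cell: Cell, project_cell: Cell) -> Optional[int]:
    """Resolve the limit that applies to one virtual machine.

    Precedence is project, then tenant, then Cloud level. A blank at a lower
    level never overrides a value set higher up, so the first non-blank level
    walking upward from the project wins. None means no level set a limit.
    """
    for cell in (project_cell, tenant_cell, cloud_cell):
        limit = parse_limit(cell)
        if limit is not None:
            return limit
    return None


def snapshots_allowed_per_vm(cloud_cell: Cell, tenant_cell: Cell, project_cell: Cell) -> int:
    """Number of snapshots a single VM may hold under these settings.

    When no level sets a limit, the guide's default applies: one snapshot
    per virtual machine.
    """
    limit = effective_snapshot_limit(cloud_cell, tenant_cell, project_cell)
    return 1 if limit is None else limit


def project_snapshot_capacity(cloud_cell: Cell, tenant_cell: Cell, project_cell: Cell,
                              vm_count: int) -> int:
    """Worst-case snapshot count for a project.

    The limit is per VM, so it scales with the number of virtual machines in
    the project: 10 VMs with a project limit of 10 allow 100 snapshots.
    """
    if vm_count < 0:
        raise ValueError("vm_count must not be negative")
    return snapshots_allowed_per_vm(cloud_cell, tenant_cell, project_cell) * vm_count


if __name__ == "__main__":
    # Constructed settings: Cloud level 0 (snapshots disabled), one tenant allowed 5.
    print(snapshots_allowed_per_vm("0", "", ""))    # 0: blanks do not override the Cloud level
    print(snapshots_allowed_per_vm("0", "5", ""))   # 5: the tenant value overrides the Cloud level
    print(project_snapshot_capacity("", "", "10", vm_count=10))  # 100
```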

10.10.2. Managing Snapshots

You can create, delete, or revert a snapshot of a virtual machine.

Note: You cannot take snapshots of a physical server or a virtual desktop.

The portal enables you to take snapshots of your virtual machines at any time. These snapshots are known as versions. A virtual machine snapshot is a representation of the state of a virtual machine and its data at a given time. Snapshots are useful for storing a virtual machine state that you might need to restore as the current processing state in the future.

The portal enables you to do the following tasks:

• Creating New Snapshots
• Reverting to a Different Snapshot
• Deleting a Snapshot

Creating New Snapshots

Do the following to create a new snapshot:

1. Click Commission and Manage, and then click Manage Resources.
2. Select the virtual machine for which you want to take a snapshot in the Resource Overview pane, and click Create Snapshot.
   The Create Snapshot dialog box appears.
   Note: If the virtual machine is running, the best practice is to stop the virtual machine before taking a snapshot. This ensures that you know the state of the virtual machine before you take the snapshot, and the snapshot is smaller if it is taken while the virtual machine is stopped.
3. Type a name for the new snapshot, enter a description of the snapshot, and click Execute.

Reverting to a Different Snapshot

1. Click Commission and Manage, and then click Manage Resources.
2. Select the virtual machine in the Resource Overview pane and click Revert Snapshot.
   The Revert Snapshot dialog box appears. Revert Snapshot displays a list of all the available snapshots, with the latest snapshot selected.
3. Select the snapshot that you want to revert to and click Execute.

Note: When you activate a different snapshot, you lose the current state of your virtual machine, unless you first stop the virtual machine and take a snapshot before activating another snapshot.

Deleting a Snapshot

1. Click Commission and Manage, and then click Manage Resources.
2. Select the virtual machine in the Resource Overview pane and click Delete Snapshot.
   The Delete Snapshot dialog box appears. Delete Snapshot displays a list of all the available snapshots, with the latest snapshot selected.
3. Select the snapshot that you want to delete and click Execute.

10.11. Using the Resource Utilization Dashboard

The Resource Utilization dashboard enables users, based on their roles and privileges, to view the utilization information (CPU, Memory, Storage, and Network) of the various resources allocated to the tenants and their associated projects.

When you initially sign in to the Secure Private Cloud portal, you see the Resource Utilization Overview dashboard on the Home page.

This dashboard provides a graphical overview of CPU utilization, Memory utilization, Storage utilization, and Network utilization for virtual machines and physical servers in a single pane.

This data is gathered every 15 minutes, and the time zone listed on the dashboard is that of the uChargeback management VM. uChargeback can manage data from workload servers in different time zones, but all data is stored using the uChargeback management VM time zone. It is highly recommended that you synchronize your system clocks so that data can be meaningfully compared across multiple workload servers.

For CPU and Memory utilization, each resource in the cloud environment is grouped in one of four categories: low, medium, high, and critical. Each category is a range of percentages of the total available capacity. A Unisys service consultant configures these categories during initial implementation.

For example, the categories can be defined as follows: Low (0-30%), Medium (31-60%), High (61-75%), and Critical (76-100%). If there are a total of 1000 resources (800 virtual machines and 200 physical servers) in the cloud environment, you can graphically view the number of resources that fall into each range for CPU utilization and Memory utilization.

In contrast, for Storage and Network utilization, the values displayed are for all virtual machines and all physical servers in the cloud environment (rather than on a resource-by-resource basis).

CPU Utilization: The average percentage of available CPU capacity that a resource consumes for a given 15-minute period.

Note: For virtual machines, this is the view presented by the virtualization server rather than the view from the virtual machine operating system.

Every 15 minutes, uChargeback requests the average utilization for each resource, and then each resource is sorted into one of four ranges based on that measurement (low, medium, high, and critical).

The uChargeback metric “Server CPU Percent Average” is derived as follows:

• For virtual machines: VMware metric cpu.usage.average
• For physical servers, one of the following, based on the operating system:
  - Windows: perfmon Processor object and % Processor Time counter
  - Linux: /proc file system /proc/stat

Memory Utilization: The amount of memory that is actively used, as estimated by VMkernel based on recently accessed memory pages, expressed as a percentage of the memory allocated to the resource for a 15-minute period. For example, if the resource has been allocated 1024 MB and is using 512 MB, the memory utilization is 50%.

Every 15 minutes, uChargeback requests the average utilization for each resource, and then each resource is sorted into one of four ranges based on that measurement (low, medium, high, and critical).

The uChargeback metric “Server Memory Percent Active” is computed as (VMware metric mem.active.average / VMware metric VirtualMachine.config.hardware.memoryMB) × 100.

Storage Utilization: The total used and total free space (in GB) across all virtual machines and physical servers for a 15-minute period. This includes running, stopped, and expired resources.

Every 15 minutes, uChargeback requests the utilization for each resource, and the results from all resources are aggregated into one value for used space (GB) and one value for free space (GB).

The uChargeback metrics “Server Storage Available” and “Server Storage Used” are derived as follows:

• For virtual machines: VMware metrics guest.disk.freeSpace and guest.disk.capacity minus guest.disk.freeSpace
• For physical servers, one of the following, based on the operating system:
  - Windows: Windows Management Instrumentation (WMI) Win32_LogicalDisk object and Size property
  - Linux: df -h Linux command

Network Utilization: The total number of bytes transmitted and received over all NICs on all resources for a 15-minute period.

Every 15 minutes, uChargeback requests the utilization for each resource, and the results from all resources are aggregated into one value for I/O transmitted and one value for I/O received.

The uChargeback metrics “Server I/O Network Xmt” and “Server I/O Network Rcv” are derived as follows:

• For virtual machines: VMware metrics net.transmitted.average and net.received.average
• For physical servers, one of the following, based on the operating system:
  - Windows: Windows Performance Counter, Network Interface category and Bytes Received/sec counter name
  - Linux: /proc file system /proc/net/dev

To view additional details at the cloud, tenant, or project level and to sort by resource type, click Tenant/Project Utilization.

For more information, see the Secure Private Cloud Interface Help.

10.12. Configuring Resource Utilization Ranges

When a user initially signs in to the Secure Private Cloud portal, he or she sees the Resource Utilization Overview dashboard. This dashboard provides a graphical overview of CPU utilization, Memory utilization, Storage utilization, and Network utilization for virtual machines, physical servers, and virtual desktops in a single pane.

For CPU and Memory utilization, each resource in the cloud environment is grouped in one of four categories: low, medium, high, and critical. Each category is a range of percentages of the total available capacity. For Storage and Network utilization, the values displayed are for all virtual machines and all physical servers in the cloud environment (rather than on a resource-by-resource basis).

CPU and memory ranges are common to all tenants in the cloud. Values for the CPU and memory ranges are set by default. If required, you can modify these values by changing the following parameters in the configuration file, ECMConfig.properties, and then restarting the Secure Private Cloud portal.

Valid ranges for CPU and Memory Thresholds are between 0 and 100 in the following format:

-

Do the following to view and change these ranges:

1. Navigate to the following directory on the Secure Private Cloud portal management VM:
   \\webapps\unisys-ecm-portlet\WEB-INF\config
   For example, navigate to C:\Unisys\liferay-portal-6.06\tomcat-6.0.29\webapps\unisys-ecm-portlet\WEB-INF\config
2. Open the following file using a text editor, such as Notepad:
   ECMConfig.properties
3. For each of the following ranges, modify the specified parameters as desired:
   • CPU Threshold (cpuThreshold) - low, medium, high, and critical ranges
   • Memory Threshold (memoryThreshold) - low, medium, high, and critical ranges
4. Restart the Unisys Secure Private Cloud portal service.

10.13. Managing the Lifecycle Database

The Cloud Orchestrator Lifecycle database uses table structures to store the following entities:

• Requests
• Approval requests
• Various log entries

If the number of entries in these tables is high, the database becomes large and performance can be affected. On the other hand, removing too many entries from the database can hinder debugging and tracing efforts.

The Lifecycle database contains stored procedures for removing older, unneeded database table entries to manage the size of the database and, thereby, improve performance. The stored procedures use parameters that specify how old table entries need to be before they are deleted. The default settings are as follows:

• Requests are deleted when they are older than one day.
• Log entries are deleted when they are older than one week.

A Windows scheduled task calls the stored procedures once an hour, using a data file at the following location on the database server in the Cloud Management Environment to determine which procedures to call:

c:\ProgramData\Unisys\ConfigSQL\LifecycleCleanup.sql

Initially, the data file contains the following lines:

exec uorch_lifecycle.dbo.Request_Delete
exec uorch_lifecycle.dbo.ActionLog_Delete

You can append the following parameters, separated by a comma and a space, to determine which entries to delete:

• Number of units (integer)
• Unit type (one of 'minutes', 'hours', 'days', 'weeks', or 'months', including the single quotation marks)

For example, to delete requests that are older than two weeks instead of the default one day, change the first line in the LifecycleCleanup.sql file to

exec uorch_lifecycle.dbo.Request_Delete 2, 'weeks'

The stored procedures calculate the age of any single entry based on the newest entry in the table. Therefore, if the newest entry in the requests table is 10:00 AM on June 16, the preceding example causes the stored procedures to delete all requests that completed before 10:00 AM on June 2 the next time the Windows scheduled task runs.
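An added example, not part of the guide and not the stored procedures themselves: a parser for LifecycleCleanup.sql lines in the form shown above and a cutoff calculation that measures age from the newest entry in the table, as the text describes, so an operator can preview what the next scheduled run will delete. The defaults (1 day for Request_Delete, 1 week for ActionLog_Delete) come from the page; the calendar-month handling, the ISO timestamp helpers, and the sample file are assumptions.

```python
import calendar
import re
from datetime import datetime, timedelta
from typing import Dict, Tuple

# Defaults the guide states for the two stored procedures when no parameters are given.
DEFAULTS: Dict[str, Tuple[int, str]] = {
    "Request_Delete": (1, "days"),
    "ActionLog_Delete": (1, "weeks"),
}
UNITS = ("minutes", "hours", "days", "weeks", "months")

# exec uorch_lifecycle.dbo.<procedure>[ <number of units>, '<unit type>']
LINE_RE = re.compile(
    r"^\s*exec\s+uorch_lifecycle\.dbo\.(\w+)(?:\s+(\d+)\s*,\s*'([a-z]+)')?\s*$",
    re.IGNORECASE,
)


def parse_cleanup_line(line: str) -> Tuple[str, int, str]:
    """Parse one line of LifecycleCleanup.sql into (procedure, count, unit).

    Typographic quotes (as printed in a document) are normalised to the straight
    single quotes the file needs. A line without parameters gets the guide's default.
    """
    line = line.replace("\u2018", "'").replace("\u2019", "'")
    match = LINE_RE.match(line)
    if match is None:
        raise ValueError(f"not a recognised cleanup line: {line!r}")
    proc, count, unit = match.groups()
    if count is None:
        if proc not in DEFAULTS:
            raise ValueError(f"no default retention known for {proc}")
        return (proc,) + DEFAULTS[proc]
    unit = unit.lower()
    if unit not in UNITS or int(count) <= 0:
        raise ValueError(f"bad parameters on line: {line!r}")
    return proc, int(count), unit


def subtract_months(moment: datetime, months: int) -> datetime:
    """Go back whole calendar months, clamping the day (31 Mar - 1 month = 28/29 Feb)."""
    index = moment.year * 12 + (moment.month - 1) - months
    year, month0 = divmod(index, 12)
    last_day = calendar.monthrange(year, month0 + 1)[1]
    return moment.replace(year=year, month=month0 + 1, day=min(moment.day, last_day))


def retention_cutoff(newest_entry: datetime, count: int, unit: str) -> datetime:
    """Entries older than this moment are deleted on the next scheduled run.

    Age is measured from the newest entry in the table, not from the wall clock,
    so a table that receives nothing new keeps its entries until something newer arrives.
    """
    if unit not in UNITS:
        raise ValueError(f"unknown unit {unit!r}")
    if unit == "months":
        return subtract_months(newest_entry, count)
    return newest_entry - timedelta(**{unit: count})


def cutoff_iso(newest_iso: str, count: int, unit: str) -> str:
    """Same as retention_cutoff() but with 'YYYY-MM-DD HH:MM' strings in and out."""
    cutoff = retention_cutoff(datetime.fromisoformat(newest_iso), count, unit)
    return cutoff.isoformat(" ", "minutes")


def plan_cleanup(file_text: str, newest_by_procedure: Dict[str, str]) -> Dict[str, str]:
    """Map each procedure in the data file to the cutoff it will apply on the next run."""
    plan: Dict[str, str] = {}
    for raw in file_text.splitlines():
        if not raw.strip():
            continue
        proc, count, unit = parse_cleanup_line(raw)
        if proc not in newest_by_procedure:
            raise KeyError(f"no newest-entry timestamp supplied for {proc}")
        plan[proc] = cutoff_iso(newest_by_procedure[proc], count, unit)
    return plan


# Constructed data file after the edit described in the guide (2 weeks for requests).
SAMPLE_FILE = """exec uorch_lifecycle.dbo.Request_Delete 2, 'weeks'
exec uorch_lifecycle.dbo.ActionLog_Delete
"""

if __name__ == "__main__":
    # Constructed newest-entry timestamps, one per table the procedures clean.
    newest = {"Request_Delete": "2012-06-16 10:00", "ActionLog_Delete": "2012-06-16 10:05"}
    for proc, cutoff in plan_cleanup(SAMPLE_FILE, newest).items():
        print(f"{proc}: delete entries older than {cutoff}")
```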

10.14. Creating uChargeback Criteria Specifications

uChargeback enables you to analyze usage data for the virtual machines in the Cloud environment and export that usage data for billing, if required. The first step is to create a criteria specification to identify the resource usage data that uChargeback generates. A criteria specification is a set of parameters that uChargeback Exporter and Calculator use to extract usage data from the uChargeback database.

Caution
Criteria specifications are based upon the usage data that is collected. Therefore, do not create a criteria specification until usage data has been collected by the uChargeback management server from a managed server.

1. To add a criteria specification, in the uChargeback Administrator, right-click the Criteria Specification node in the Object Browser, and select Add New Criteria.
   The following is an example Criteria Specification named Billing. Create a criteria specification that is appropriate for the environment.

Table 10–1. Example Criteria Specification, Page 1 Data

Option Name         Option Value                                                    Comments
Name                Billing
Summary Level       Sum by Server
Department Level    Grandchild Departments
Date Range          Last Month                                                      If this option is grayed out, do not proceed. There must be usage data collected from a managed server in order to specify a Date Range.
Interval            1 Month
Resources Tree      Server Count Active, Server CPU Time, and Server Memory Allocated
Servers Tree        By department is checked and Secure Cloud is checked
Sources Tree        To exclude Processor Idle and System Idle, the System Idle Process and Processor Idle boxes are cleared

2. Click Next.

Table 10–2. Example Criteria Specification, Page 2 Data

Option Name              Option Value
Selected Tab             Usage Data
Load Data immediately    True (box is checked)

For more information, see the “Add or Edit Criteria Specification” topic in the uChargeback Installation, Configuration, and Operations Guide. This document is available from the uChargeback Administrator.

10.15. Importing Existing Virtual Machines

If your environment or your tenants’ environments include existing virtual machines, you can import them to the Secure Private Cloud so that they can be managed using the Secure Private Cloud portal. The Unisys Cloud Import Utility imports virtual machines into the Secure Private Cloud environment, as described in this subsection.

10.15.1. Prerequisites for Importing Virtual Machines

Before you run the Import Utility, verify the following:

• The Secure Private Cloud portal has tenants, projects, blueprints, and users configured.
• The Cloud Orchestrator management VM and Secure Private Cloud management VM are in a running state.
• The virtual machines to be imported exist in vCenter.
• The virtual machines to be imported use a valid DNS zone, as defined by the provider or tenant account against which they will be imported.
• A valid DNS entry, containing the management-side DNS address, exists for the virtual machines to be imported in the DNS zone for commissioned virtual machines or any other zone reachable using the DNS servers in Table 1–3.
• A valid DNS entry exists for the machines to be imported in the tenant DNS server.
• The virtual machines to be imported are running and respond to ping requests using the virtual machine’s fully qualified name as defined in the cloud provider DNS server.
• The virtual machines to be imported do not contain snapshots that include the percent sign (%) in the snapshot name.
• If any agents are required by software running in the Secure Private Cloud environment, the virtual machines to be imported contain those required agents. For example, if Nagios is included in your environment, install the required Nagios agents before importing the virtual machines.

10.15.2. Utility Components and Layout

The Import Utility has the following components, as shown in Figure 10–1:

• Virtual Machines list
  The left pane contains the Virtual Machines list, which displays the candidate virtual machines that can be imported. Candidate virtual machines are virtual machines that exist in the vCenter inventory but are not managed by the Secure Private Cloud.
• Import table
  The upper-right pane contains the Import table. The Import table defines the required Secure Private Cloud information for each virtual machine, including the virtual machine name, hostname, Nagios profile (if applicable for your environment), tenant, project, associated user, and the lease period.
• Request table
  The middle-right pane contains the Request table, which displays information about recent import requests, including the following:
  - Request ID: A unique identifier representing an individual import request.
  - VM Name: The virtual machine name associated with an individual import request.
  - Status: The status of an individual import request. This field displays summary information about the success or failure of a given request.
  - Time Started: The start time of a given import request.
  - Time Completed: The completion time of a given import request.
• Request details
  The lower-right pane displays detailed information about the individual import request for the virtual machine that is currently selected in the Request table.

Figure 10–1. Unisys Cloud Import Utility

10–28 3850 6804–007


10.15.3. Using the Import Utility

Launching the Import Utility

To launch the Import Utility, do the following:

1. Open a console to the Cloud Orchestrator management VM.
2. Open a command prompt, and navigate to C:\Unisys\UCO\vmimport.
3. Run com.unisys.cloud.vmimport.jar.
   The Unisys Cloud Import Utility opens.

Selecting Virtual Machines to Import

To select virtual machines to import, do the following:

1. In the left pane of the Import Utility, select one or more virtual machines that you want to import. (The left pane of the Import Utility displays all candidate virtual machines available for import.)
2. Do either of the following to move the selected virtual machines to the Import table:
   • Click and drag the selected virtual machines from the Virtual Machines list to the Import table.
   • Right-click one of the selected virtual machines in the Virtual Machines list, and then click Select for Import.
   The selected virtual machines are removed from the Virtual Machines list and added to the Import table.
   If you need to remove a virtual machine from the Import table and return it to the Virtual Machines list, you can select and drag the virtual machine back to the Virtual Machines list, or you can right-click a virtual machine and then click Delete.

Entering Data in the Import Table

After one or more virtual machines have been added to the Import table, you must provide a value for each cell in the table in order to successfully import the virtual machines.

Perform one of the following procedures to enter values in the Import table:

• To enter a value in any one cell, click that cell and type the required information.
• To enter all required values for a single virtual machine, do the following:
  1. Right-click a virtual machine, and then click Edit.
  2. Enter the values in the Edit Single Import dialog box.
  3. Click OK to save your changes.
• To enter shared values for a group of virtual machines, do the following:
  1. Select the virtual machines that share some of the same values.
  2. Right-click, and then click Edit.
  3. Enter the values in the Edit Multiple Import dialog box.
     Note: You cannot enter values for the Name or Hostname in the Edit Multiple Import dialog box, because those are unique entries for each virtual machine.
  4. Click OK to save your changes.
  5. Enter values in each Name and Hostname cell individually for each virtual machine, and update any other values as required.
Enter the following values for each virtual machine:

• Name
  A descriptive name for the virtual machine to be imported (for example, “webserver” or “testVM”). This value is required; if you do not provide a value, the Import Utility will not attempt to import the virtual machine.
• Host Name
  The host name used by the virtual machine operating system. This value must exactly match the host name of the operating system, or the import operation will fail. This value is required; if you do not provide a value, the Import Utility will not attempt to import the virtual machine.
• Nagios Profile
  This optional field is intended for use only if your environment includes Nagios and the imported virtual machine will be monitored by Nagios. This value should contain a valid host profile.
• VM Name
  The virtual machine name as it appears in vCenter. Do not change this value.
• Tenant
  The Secure Private Cloud tenant with which the imported virtual machine should be associated. This value is required; if you do not provide a value, the Import Utility will not attempt to import the virtual machine.
• Project
  The Secure Private Cloud tenant project with which the imported virtual machine should be associated. This value is required; if you do not provide a value, the Import Utility will not attempt to import the virtual machine.
• User
  The specific user with which the imported virtual machine should be associated. This value is required; if you do not provide a value, the Import Utility will not attempt to import the virtual machine.
• Lease Duration (Days)
  The lease period (in days) of the virtual machine to be imported. Enter the number of days until the virtual machine lease expires, or enter Permanent to indicate that the virtual machine lease should never expire. This value is required; if you do not provide a value, the Import Utility will not attempt to import the virtual machine.

Starting and Monitoring the Import Operation<br />

After you enter the required information in the Import table for one or more virtual machines, do one of the following to start the import:<br />

• Select Import from the Action menu.<br />

• Right-click the Import table, and then click Import.<br />

When the import operation starts, the Request table in the middle-right pane of the Import Utility is populated with an entry for each virtual machine being imported.<br />

The Request table entries are updated as the import operation occurs. You can select an individual entry to view more detailed information about an individual import request in the Request details pane.<br />

When a request is complete, you can remove it from the Request table by right-clicking the request, and then clicking Delete.<br />

Handling Failed Requests<br />

If a request fails, right-click the failed request in the Request table, and click Select for Import. This returns the virtual machine to the Import table, and you can review and revise your input and attempt the import operation again.<br />

10.15.4. Operational Considerations<br />

Rolling Back an Import Operation<br />

Although the Import Utility provides a mechanism for starting an import operation, it does not provide any further life-cycle management operations (for example, the Detach or Decommission operation used to remove a virtual machine from Secure Private Cloud management). If an imported virtual machine needs to be removed from management by the Secure Private Cloud for any reason, remove that virtual machine using the Secure Private Cloud portal.<br />

Refreshing the Display<br />

The Import Utility does not automatically refresh after it is launched. In some cases, you might need to refresh the display to discover newly created virtual machines, users, or projects. You can refresh the display by selecting Refresh from the View menu. When a refresh operation is in progress, parts of the Import Utility are temporarily disabled and cannot be used until the view is completely refreshed.<br />

Handling Duplicate Virtual Machine Names<br />

The Import Utility requires virtual machine names to be unique. If two or more virtual machines use the same name, an error is displayed, and the virtual machines are excluded from the virtual machines pane. This requirement for unique names applies to all virtual machines, whether they are currently managed by the Secure Private Cloud portal or are outside the Secure Private Cloud environment.<br />

If you want to import a virtual machine that shares a name with a virtual machine already managed by the Secure Private Cloud portal, rename that virtual machine in vCenter, verify that the rename operation was successful, and then refresh the Import Utility. Do not rename the virtual machine in the Secure Private Cloud portal.<br />

If your environment contains duplicate virtual machine names, you receive an error each time you launch the Import Utility. If you do not want to import these machines, but you want the Import Utility to stop displaying this error, you can set the following property in the C:\Unisys\UCO\vmimport\conf\ImportUtil.properties file:<br />

#===========================================================#<br />
# Indicates that the import utility should display an error<br />
# message when two or more virtual machines use the same<br />
# name. If display_duplicate_vm_error = true, the utility<br />
# will display an error for each virtual machine name that<br />
# identifies two or more virtual machines.<br />
# If display_duplicate_vm_error = false, the import utility<br />
# will not display an error when duplicate virtual machines<br />
# are encountered.<br />
#===========================================================#<br />
display_duplicate_vm_error=false<br />

Note: The change to the ImportUtil.properties file is a global change, and if you update this setting, you never again receive notice that there are duplicate virtual machine names in the environment.<br />
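The following Python script is an added example; it is not part of the Import Utility or of this guide. It pre-checks a set of Import table rows against the rules stated in this topic (Name, Host Name, VM Name, Tenant, Project, User and Lease Duration are required; Lease Duration is a day count or the word Permanent) and against the uniqueness rule above, which covers every virtual machine in vCenter whether or not it is already managed. The CSV layout, the column names, the sample rows, the sample inventory and the function names are all assumptions made for the example.<br />

```python
"""Pre-flight validation for Import Utility rows (added example, not Unisys code).

Each row mirrors the columns of the Import table: Name, Host Name, Nagios Profile
(optional), VM Name, Tenant, Project, User and Lease Duration (Days). The checks
encode the rules the guide states: required fields must be present, Lease Duration
is a positive day count or the literal "Permanent", and VM names must be unique
across the whole inventory. The CSV layout and column names are assumptions.
"""
import csv
import io
from collections import Counter

REQUIRED = ("Name", "Host Name", "VM Name", "Tenant", "Project", "User",
            "Lease Duration (Days)")

# Constructed sample of what an operator might have entered in the Import table.
SAMPLE_ROWS = """\
Name,Host Name,Nagios Profile,VM Name,Tenant,Project,User,Lease Duration (Days)
webserver,web01.example.test,,vm-web01,Widget,Intranet,alice,30
testVM,test01.example.test,linux-server,vm-test01,Widget,Intranet,bob,Permanent
,db01.example.test,,vm-db01,Widget,Intranet,carol,14
reports,rep01.example.test,,vm-rep01,Widget,,dave,thirty
"""

# Constructed vCenter inventory. It includes VMs outside the import set because
# the uniqueness rule covers every VM, managed by Secure Private Cloud or not.
SAMPLE_INVENTORY = ["vm-web01", "vm-test01", "vm-db01", "vm-rep01",
                    "vm-legacy", "vm-web01"]


def lease_ok(value):
    """Lease Duration must be a positive day count or exactly 'Permanent'."""
    if value == "Permanent":
        return True
    return value.isdigit() and int(value) > 0


def duplicate_vm_names(inventory):
    """Return VM names that identify two or more virtual machines (sorted)."""
    return sorted(name for name, n in Counter(inventory).items() if n > 1)


def validate_rows(csv_text, inventory):
    """Return {row_number: [problems]} for rows the Import Utility would skip
    (missing required value) or that would fail once the import starts.
    Row numbers are 1-based data rows."""
    dupes = set(duplicate_vm_names(inventory))
    problems = {}
    for num, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=1):
        issues = [f"missing {col}" for col in REQUIRED
                  if not (row.get(col) or "").strip()]
        lease = (row.get("Lease Duration (Days)") or "").strip()
        if lease and not lease_ok(lease):
            issues.append("Lease Duration must be a day count or Permanent")
        if row.get("VM Name") in dupes:
            issues.append("VM Name is not unique in vCenter")
        if issues:
            problems[num] = issues
    return problems


if __name__ == "__main__":
    for num, issues in validate_rows(SAMPLE_ROWS, SAMPLE_INVENTORY).items():
        print(f"row {num}: " + "; ".join(issues))
```

Run against the constructed sample, the script reports the duplicated vm-web01 on row 1, the missing Name on row 3, and both the missing Project and the non-numeric lease on row 4; row 2 passes. Rows that pass here can still fail during the import if the Host Name does not match the guest operating system, which no offline check can confirm.<br />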

10.15.5. Inspecting Logs and Troubleshooting<br />

Log Files<br />

If import failures occur, the log files might provide information about the causes of the failures.<br />

• The Import Utility log file is in the following folder:<br />

C:\Unisys\UCO\vmimport\logs<br />

• The Unisys Cloud Orchestrator service log file is in the following folder:<br />

C:\Unisys\uorchestrate\platform\log<br />

Troubleshooting<br />

If you receive either of the following errors, do the following to resolve them:<br />

• Error encountered when connecting to the Virtual Center Server<br />

If the Import Utility displays a message that it is unable to locate the connection information for Virtual Center, do the following:<br />

- Verify that the C:\Unisys\UCO\conf\serviceInstance.mlet file exists and contains the required information for connecting to vCenter, including the appropriate URL, user name, and password.<br />

For example:<br />

<br />

<br />

<br />

- Verify that the C:\Unisys\UCO\vmimport\conf\ImportUtil.properties file exists and references the C:\Unisys\UCO\conf\serviceInstance.mlet file.<br />

• Error encountered when connecting to the Secure Private Cloud Platform API<br />

If the Import Utility displays a message that an error was encountered when connecting to the platform API, open the following file and verify that the values are correct:<br />

C:\Unisys\UCO\vmimport\conf\ImportUtil.properties<br />

The expected values are as follows:<br />

#===========================================================================#<br />
# The endpoint of the Unisys Secure Private Cloud Platform API<br />
#===========================================================================#<br />
platform_api_endpoint=http://localhost:8447/platform/1.0<br />
#===========================================================================#<br />
# The absolute path of the Unisys uCloudTruststore file. This file<br />
# should contain all relevant Unisys Secure Private Cloud keys.<br />
#===========================================================================#<br />
javax.net.ssl.keyStore=C:/Unisys/Secured/Certificate/uCloudTruststore.jks<br />
#===========================================================================#<br />
# The password used for the keystore referenced by the javax.net.ssl.keyStore<br />
# property.<br />
#===========================================================================#<br />
javax.net.ssl.keyStorePassword=U*spc2341<br />
#===========================================================================#<br />
# The absolute path of the Unisys uCloudTruststore file. This file<br />
# should contain all relevant Unisys Secure Private Cloud keys.<br />
#===========================================================================#<br />
javax.net.ssl.trustStore=C:/Unisys/Secured/Certificate/uCloudTruststore.jks<br />
#===========================================================================#<br />
# The password used for the keystore referenced by the javax.net.ssl.trustStore<br />
# property.<br />
#===========================================================================#<br />
javax.net.ssl.trustStorePassword=U*spc2341<br />

If any of the information in this file is inaccurate or has been customized to suit your environment, you must update the values above to reflect your custom settings.<br />
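As an added example (not Unisys code), the following Python script parses a copy of ImportUtil.properties and reports the conditions most likely to sit behind a Platform API connection failure: a missing property, an endpoint that is not a URL, a keystore or truststore path that does not exist, plain http on an endpoint that is not the loopback address shown above, and keystore passwords still set to the value printed in the expected settings. The sample file content is constructed (with one deliberate path mismatch), and the helper names and the choice to treat the documented password as a finding are assumptions made for the example.<br />

```python
"""Sanity checks for ImportUtil.properties (added example, not Unisys code).

Parses the Java-style properties file shown in the guide and reports the
conditions that most often explain a failed connection to the Platform API,
plus two settings an operator should not leave as documented once the endpoint
is customised: an http endpoint that is not loopback, and keystore passwords
still equal to the value printed in the documentation. The parser covers only
the subset of the .properties syntax this file uses (key=value, '#' comments).
"""
from urllib.parse import urlsplit

DOCUMENTED_PASSWORD = "U*spc2341"  # value printed in the guide's expected settings
LOOPBACK_HOSTS = ("localhost", "127.0.0.1")

# Constructed copy of the expected file, with one deliberate mistake: the
# trust store path differs (in case) from the key store path.
SAMPLE_PROPERTIES = """\
# The endpoint of the Unisys Secure Private Cloud Platform API
platform_api_endpoint=http://localhost:8447/platform/1.0
javax.net.ssl.keyStore=C:/Unisys/Secured/Certificate/uCloudTruststore.jks
javax.net.ssl.keyStorePassword=U*spc2341
javax.net.ssl.trustStore=C:/Unisys/Secured/Certificate/uCloudTrustStore.jks
javax.net.ssl.trustStorePassword=U*spc2341
display_duplicate_vm_error=false
"""

REQUIRED_KEYS = (
    "platform_api_endpoint",
    "javax.net.ssl.keyStore",
    "javax.net.ssl.keyStorePassword",
    "javax.net.ssl.trustStore",
    "javax.net.ssl.trustStorePassword",
)


def parse_properties(text):
    """Minimal .properties reader: skips blank lines and '#' comments, splits
    each remaining line on its first '=' and strips surrounding whitespace."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def check_properties(props, existing_files=()):
    """Return findings in the order checked. existing_files lists the paths
    known to exist, so the check runs without touching the filesystem."""
    findings = []
    for key in REQUIRED_KEYS:
        if key not in props:
            findings.append(f"missing property {key}")
    endpoint = props.get("platform_api_endpoint", "")
    parts = urlsplit(endpoint)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        findings.append(f"platform_api_endpoint is not a valid URL: {endpoint!r}")
    elif parts.scheme == "http" and parts.hostname not in LOOPBACK_HOSTS:
        findings.append("platform_api_endpoint uses plain http to a non-loopback "
                        "host; the connection is not protected in transit")
    for key in ("javax.net.ssl.keyStore", "javax.net.ssl.trustStore"):
        path = props.get(key)
        if path and path not in existing_files:
            findings.append(f"{key} points to a file that does not exist: {path}")
    for key in ("javax.net.ssl.keyStorePassword", "javax.net.ssl.trustStorePassword"):
        if props.get(key) == DOCUMENTED_PASSWORD:
            findings.append(f"{key} is still the value printed in the documentation")
    return findings


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    known = {"C:/Unisys/Secured/Certificate/uCloudTruststore.jks"}
    for finding in check_properties(props, known):
        print("-", finding)
```

On the constructed sample the script reports the mismatched trust store path and the two documented passwords; the http endpoint is accepted because it is the loopback address the guide expects. Because both passwords are stored in clear text in this file, the file's ACL on the Cloud Orchestrator VM is the only thing protecting the keystore, which is the reason the password check is worth keeping.<br />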

10.16. Configuring Tenant-Dedicated Workload Servers Manually<br />

The following topics describe the steps to create an initial tenant-dedicated hardware environment as part of the on-boarding process for a new cloud tenant. You can repurpose workload servers from a public cloud or multitenant private cloud infrastructure pool to serve as VMware ESX or ESXi workload servers that are dedicated to one tenant in the cloud environment. The cloud management environment is shared across all instances of the tenant-dedicated servers and the public cloud or multi-tenant private cloud in that cloud instance.<br />

Note: If you want to remove a workload server from the Secure Private Cloud (even if you later intend to add it back into the cloud environment), you must first migrate all virtual machines and templates from that workload server to another workload server still in use. If you remove a workload server while it is still hosting virtual machines and templates and then re-add it, the Secure Private Cloud will not recognize the virtual machines and templates as existing components in the environment. See the VMware documentation for more information on migrating virtual machines and templates.<br />

10.16.1. Creating Workload Server Clusters with HA and DRS<br />

Do the following to create workload server clusters with high availability (HA) and VMware Distributed Resource Scheduler (DRS):<br />

1. From a vSphere Client, connect to the vCenter management VM.<br />

2. In the Hosts and Clusters Inventory view, do one of the following:<br />

For a new cluster:<br />

a. Right-click the datacenter name and click New Cluster.<br />

b. Enter a name for the cluster.<br />

For an existing cluster, right-click the cluster name and click Edit Settings.<br />

3. For Cluster Features, select VMware HA and VMware DRS to enable them.<br />

4. For a new cluster, click Next, select any desirable options, click Next several times, and then click Finish.<br />

For an existing cluster, select a feature in the left pane, select any desirable options for each feature, and then click OK.<br />

5. To add a workload server to the cluster, right-click the new cluster name and click Add Host.<br />

6. Enter the host name or IP address of the workload server and the root user name and password for that server, and then click Next.<br />

If a Security Alert dialog box appears asking you to verify the authenticity of the server, click Yes.<br />

7. For licensing, assign an existing license or assign a new license, and then click Next.<br />

8. When prompted about virtual machine resources, select the option to put all of this server’s virtual machines in the cluster’s root resource pool, and then click Next.<br />

9. Click Finish.<br />

Repeat this procedure for all the workload clusters and servers.<br />

10.16.2. Completing Additional HA Tasks<br />

Refer to the vSphere Availability Guide for additional information on high availability (HA) configuration.<br />

Configure your redundant consoles to use the heartbeat network and any other HA capability that is required.<br />

10.16.3. Configuring a vMotion Interface for each Workload Server in each Cluster<br />

Configure vMotion so that virtual machines do not have to be powered off when they are migrated to another workload server. For security reasons, VMware best practices recommend that the service console and vMotion use their own networks. Do the following:<br />

1. From a vSphere Client, connect to the vCenter management VM.<br />

2. In the Hosts and Clusters Inventory view, select the workload server.<br />

3. Select the Configuration tab and click Networking.<br />

4. Click Add Networking in the upper right of the window.<br />

5. Select VMkernel, and click Next.<br />

6. Select whether to use an existing virtual switch or create a new switch, and click Next.<br />

7. Configure the port group properties, as follows, and click Next.<br />

a. Enter a network label. Use network labels to identify migration-compatible connections that are common to two or more workload servers.<br />

b. If a VLAN is being used, enter the number (between 1 and 4095) in the VLAN ID box.<br />

c. Select Use this port group for vMotion.<br />

8. Select the IP settings for the virtual switch, and click Next.<br />

9. Click Finish.<br />

10.16.4. Adding Tenants<br />

To ensure tenant isolation for dedicated workload servers, do the following:<br />

• Add tenants to the cloud environment, using the instructions in Section 6, Creating and Managing Tenant Configurations.<br />

• Set up resource pools and datastores for a cloud, using the guidelines in 10.16.5 Configuring Resource Groups and Datastores and the naming conventions in 10.16.6 Best Practices for Datastore and Resource Pool Naming.<br />

10.16.5. Configuring Resource Groups and Datastores<br />

For the Cloud Orchestrator load balancer to run correctly, you need to create resource pools in vCenter for the workload servers (VMware ESX or ESXi virtualization servers), as follows:<br />

1. Start a vSphere Client, and connect to the vCenter server.<br />

2. Go to the Inventory Hosts and Clusters view and add new resource pools by performing one of the following procedures:<br />

• If you are using workload server HA or DRS, right-click the workload server cluster and click New Resource Pool.<br />

• Otherwise, right-click a workload server, and click New Resource Pool.<br />

3. Enter one of the resource pool names from Table 1–13. Retain the defaults for the rest of the values, or set them to match the provider’s local policy, and click OK.<br />

Note: See 10.16.6 Best Practices for Datastore and Resource Pool Naming for more information on resource pool naming.<br />

4. Repeat steps 2 and 3 for each workload server or cluster in vCenter. There must be at least one resource pool for each workload server or cluster.<br />

5. Verify that the datastore names for the workload server conform to the naming convention in Table 1–13 by selecting the workload server in the left pane, and then selecting the Summary tab for each workload server.<br />

10.16.6. Best Practices for Datastore and Resource Pool Naming<br />

Public Cloud<br />

Use generic datastore and resource pool names to ensure that they are isolated from a private cloud. To ensure uniqueness, a naming convention in the following form is recommended:<br />

<br />

For example, specify the following:<br />

1. Using the vSphere Client, add a resource pool for each cluster specifying a generic resource pool name, such as the following:<br />

• Public-RP-1<br />

• Public-RP-2<br />

• …<br />

2. Using the vSphere Client, specify a generic identification for each virtual machine datastore that is used by the cluster, such as the following:<br />

• Public-DS-1<br />

• Public-DS-2<br />

• …<br />

3. Specify the following regular expressions in the virtual machine blueprint constant values:<br />

Name / Type / Description | Value<br />

ResourcePoolFilter / String / Resource Pool Filter | Public-RP-.*<br />

DatastoreFilter / String / Datastore Filter | Public-DS-.*<br />

Private Cloud<br />

Use tenant-unique datastore and resource pool names to ensure that tenant VMs are isolated. To ensure uniqueness, a naming convention in the following form is recommended:<br />

<br />

For example, if a tenant account is named Widget, specify the following:<br />

1. Using the vSphere Client, add a resource pool for each cluster specifying a generic resource pool name, such as the following:<br />

• WDG-RP-1 or Widget-RP-1<br />

• WDG-RP-2 or Widget-RP-2<br />

• …<br />

2. Using the vSphere Client, specify a generic identification for each virtual machine datastore that is used by the cluster, such as the following:<br />

• WDG-DS-1 or Widget-DS-1<br />

• WDG-DS-2 or Widget-DS-2<br />

• …<br />

3. Specify the following regular expressions in the virtual machine blueprint constant values:<br />

Name / Type / Description | Value<br />

ResourcePoolFilter / String / Resource Pool Filter | WDG-RP-.* or Widget-RP-.*<br />

DatastoreFilter / String / Datastore Filter | WDG-DS-.* or Widget-DS-.*<br />

10.16.7. Moving Workload Servers Between Clusters<br />

To move workload servers between clusters, do the following:<br />

1. From a vSphere Client, connect to the vCenter management VM.<br />

2. Repeat the following procedure for each affected template:<br />

Caution<br />

If a template resides on a workload server that is being repurposed and you do not want to move it with the server, you need to convert it temporarily to a virtual machine so that it is migrated to another workload server in the cluster. Otherwise, the template cannot be accessed while the server is in maintenance mode.<br />

a. In the Hosts and Clusters Inventory view, select the workload server that is being repurposed, and then click the Virtual Machines tab.<br />

b. Right-click a template and click Convert to Virtual Machine.<br />

c. Select the cluster in which the template currently resides, and click Next.<br />

d. Click Next and then Finish.<br />

3. In the Hosts and Clusters Inventory view, right-click the workload server and click Enter Maintenance Mode.<br />

Click Yes or OK for any warning messages.<br />

If any virtual machines are on the virtualization server, ensure the Move powered off and suspended virtual machines to other hosts in the cluster option is selected.<br />

4. When the request completes, use the drag-and-drop mouse action to move the workload server to the desired cluster.<br />

5. For any templates that you converted to a virtual machine, in the Hosts and Clusters Inventory view, right-click the virtual machine, point to Template, and click Convert to Template.<br />

6. Right-click the workload server and click Exit Maintenance Mode to remove the maintenance mode on the server.<br />
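The ResourcePoolFilter and DatastoreFilter regular expressions described in 10.16.6 are what keep a tenant's blueprint from being placed on another tenant's resource pool or datastore, so the property worth checking is that no object in vCenter is selectable by more than one tenant's filters. The following Python script is an added example, not Cloud Orchestrator code: the inventory names and the third, deliberately loose filter are constructed, and the full-string match is an assumption, because the guide does not state how the filter is anchored.<br />

```python
"""Tenant-isolation check for ResourcePoolFilter / DatastoreFilter values
(added example, not part of the guide or the Cloud Orchestrator code).

The guide keeps tenants apart by naming resource pools and datastores with a
tenant prefix and giving each blueprint a regular expression that selects only
that tenant's objects. This example applies such filters to a constructed
vCenter inventory and flags the failure mode that matters: a filter that also
selects another tenant's object. How Cloud Orchestrator anchors its match is
not stated in the guide; a full-string match is assumed, the stricter reading.
"""
import re

# Constructed inventory following the recommended naming convention.
RESOURCE_POOLS = ["Public-RP-1", "Public-RP-2", "WDG-RP-1", "WDG-RP-2", "Wonka-RP-1"]
DATASTORES = ["Public-DS-1", "WDG-DS-1", "WDG-DS-2", "Wonka-DS-1"]

# Blueprint constants per tenant: (ResourcePoolFilter, DatastoreFilter).
# The 'Wonka' filters are deliberately sloppy: a wildcard before the separator.
BLUEPRINT_FILTERS = {
    "public": ("Public-RP-.*", "Public-DS-.*"),
    "Widget": ("WDG-RP-.*", "WDG-DS-.*"),
    "Wonka": ("W.*-RP-.*", "W.*-DS-.*"),
}


def select(pattern, names):
    """Names the filter would choose; full-string matching is an assumption."""
    rx = re.compile(pattern)
    return [n for n in names if rx.fullmatch(n)]


def isolation_violations(filters, pools, datastores):
    """Return (object_name, [tenants]) for every pool or datastore that more
    than one tenant's filter selects. An empty list means the filters isolate
    tenants from each other on this inventory."""
    claims = {}
    for tenant, (rp_filter, ds_filter) in filters.items():
        for name in select(rp_filter, pools) + select(ds_filter, datastores):
            claims.setdefault(name, []).append(tenant)
    return [(name, tenants) for name, tenants in sorted(claims.items())
            if len(tenants) > 1]


if __name__ == "__main__":
    for tenant, (rp_filter, ds_filter) in BLUEPRINT_FILTERS.items():
        print(tenant, "->", select(rp_filter, RESOURCE_POOLS),
              select(ds_filter, DATASTORES))
    for name, tenants in isolation_violations(BLUEPRINT_FILTERS,
                                              RESOURCE_POOLS, DATASTORES):
        print(f"{name} is selectable by {', '.join(tenants)}")
```

With the constructed data the Widget filters select only the WDG objects, but the loose Wonka filters also select every WDG pool and datastore, so four objects come back as selectable by two tenants. Re-running the check after every new tenant is onboarded, against the real inventory exported from vCenter, catches this before a blueprint is commissioned.<br />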

10.17. Updating the Cloud Name in the Secure Private Cloud Portal<br />

The following procedure is optional; use it if you want to change the cloud name in the Secure Private Cloud portal. Skip this procedure if you do not want to change the cloud name.<br />

To update the cloud name in the Secure Private Cloud portal, run the following script from a PowerShell session on the jump box console, depending on whether the default password is being used for the PortalDB database:<br />

• The default password is being used for the PortalDB database:<br />

.\Update-CloudNameInPortal.ps1<br />

• The default password is not being used for the PortalDB database:<br />

.\Update-CloudNameInPortal.ps1 -updatePw $true<br />

Enter the correct password for the PortalDB database when prompted.<br />

The script performs the following actions:<br />

• Stops the Unisys Secure Private Cloud portal service on the portal management VM, if it is running.<br />

• Edits all ecm_*.bat files on the SQL management VM to update them with the correct password if the default password is not being used.<br />

• Edits the following file on the SQL management VM to update the Cloud Name value from Table 1–1:<br />

C:\ProgramData\Unisys\ConfigSQL\ecm_db_update.sql<br />

• Runs the following file on the SQL management VM to update the PortalDB database:<br />

C:\ProgramData\Unisys\ConfigSQL\ecm_db_update_data.bat<br />

• Runs the following file on the SQL management VM to display the values in the SPC_PlatformInstances table:<br />

C:\ProgramData\Unisys\ConfigSQL\ecm_db_select_data.bat<br />

• Starts the Unisys Secure Private Cloud portal service on the portal management VM.<br />

CHECKPOINT:<br />

Review the output from the script to verify that the cloud name is updated in the Platform Name column of the SPC_PlatformInstances table.<br />

10.18. Stealth for Secure Private Cloud Operations<br />

If Stealth for Secure Private Cloud is included in the cloud environment, you can perform the following procedures as needed.<br />

10.18.1. Adding COI Sets and Modifying COI Set Members<br />

Overview<br />

If your environment includes Stealth for Secure Private Cloud, you might need to modify the COI configuration for a tenant Stealth-enabled VLAN. You might need to add new COI Sets for new virtual machines that will run in the existing Stealth-enabled VLAN, change COI Set access, or correct mistakes in the initial COI configuration.<br />

By performing the procedures in this topic, you are adding COI Sets to the existing VLAN or modifying the communication between existing COI Sets. The name of the COI Set assigned to commissioned virtual machines does not change, but the way that the COI Sets communicate across the VLAN does change.<br />

For example, you might have the following existing configuration:<br />

Stealth ID | COI Set Name | COI Sets to Access | External Access | [COI Set Members]<br />

Stealth VLAN [1] | HRSet | FinanceSet, EngineeringSet | | [HR, Finance, Engineering]<br />

Stealth VLAN [1] | FinanceSet | | | [Finance]<br />

Stealth VLAN [1] | EngineeringSet | | | [Engineering]<br />

If you add a new department called Marketing, and you want to configure your existing HR and Engineering virtual machines to communicate with the marketing department, you can update this configuration by adding a new COI Set and modifying two of your existing COI Sets:<br />

Stealth ID | COI Set Name | COI Sets to Access | External Access | [COI Set Members]<br />

Stealth VLAN [1] | HRSet | FinanceSet, EngineeringSet, MarketingSet | | [HR, Finance, Engineering, Marketing]<br />

Stealth VLAN [1] | FinanceSet | | | [Finance]<br />

Stealth VLAN [1] | EngineeringSet | MarketingSet | | [Engineering, Marketing]<br />

Stealth VLAN [1] | MarketingSet | | | [Marketing]<br />

All of the existing virtual machines still have the same COI Set Name, but the ability to access other virtual machines in the Stealth-enabled VLAN has changed as a result of the addition of one COI Set and the modification of two other COI Sets.<br />
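The following Python model is an added example, not Unisys tooling. It encodes the two tables above as data, derives the COI Set Members column from the COI Sets to Access column (a set's own COI plus the own COI of each set it accesses, one hop), lists which pairs of COI Sets gained a communication path when MarketingSet was added, and checks a candidate name against the naming guidelines given later in this topic (12 or fewer alphanumeric characters, unique within the Stealth-enabled VLAN). The membership rule is inferred from the tables, and treating a shared COI as a communication path is an assumption about the Stealth model; the guide does not state either rule.<br />

```python
"""Model of COI Set membership for a Stealth-enabled VLAN (added example;
not Unisys tooling). The membership rule is inferred from the guide's two
tables, and set-to-set reachability is assumed to mean a shared COI.

Each COI Set has a name, an own COI, and the list of COI Sets it accesses.
The [COI Set Members] column is the own COI followed by the own COI of every
accessed set (one hop, not transitive). In Dia terms, each entry in a set's
access list is an arrow drawn from that set into this one.
"""

# Constructed from the guide's tables: COI Set Name -> (own COI, COI Sets to Access)
BEFORE = {
    "HRSet": ("HR", ["FinanceSet", "EngineeringSet"]),
    "FinanceSet": ("Finance", []),
    "EngineeringSet": ("Engineering", []),
}
AFTER = {
    "HRSet": ("HR", ["FinanceSet", "EngineeringSet", "MarketingSet"]),
    "FinanceSet": ("Finance", []),
    "EngineeringSet": ("Engineering", ["MarketingSet"]),
    "MarketingSet": ("Marketing", []),
}


def members(config, set_name):
    """[COI Set Members] column: own COI first, then the COI of each accessed set."""
    own, access = config[set_name]
    result = [own]
    for other in access:
        if other not in config:
            raise KeyError(f"{set_name} accesses unknown COI Set {other}")
        result.append(config[other][0])
    return result


def reachable_pairs(config):
    """Unordered pairs of COI Sets whose member lists share a COI (assumed rule)."""
    names = sorted(config)
    pairs = set()
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if set(members(config, a)) & set(members(config, b)):
                pairs.add((a, b))
    return pairs


def new_paths(before, after):
    """Communication paths that exist after the change but did not before."""
    return sorted(reachable_pairs(after) - reachable_pairs(before))


def valid_new_name(name, config):
    """Naming guideline for a new COI Set: at most 12 alphanumeric characters,
    and unique among the COI Sets already in this VLAN."""
    return name.isalnum() and len(name) <= 12 and name not in config


if __name__ == "__main__":
    for name in AFTER:
        print(f"{name:<15} {members(AFTER, name)}")
    print("new paths:", new_paths(BEFORE, AFTER))
```

Run as written, the model reproduces the member lists of the second table and reports two new paths, EngineeringSet to MarketingSet and HRSet to MarketingSet, which matches the change the text describes. Applied to the guide's own names, valid_new_name would reject EngineeringSet (14 characters); the guideline is stated for sets you create, not for existing ones.<br />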

You use the open source Dia tool to perform the procedure to add or modify COI Sets. (This tool was installed for you by your Unisys service consultant during initial implementation.)<br />

After you finish updating the COI Sets using Dia, you should also update the tenant workbook with these changes so that you have a record of the current Stealth implementation. In the tenant workbook, you should update both the COI Set list and the COI Set value for any blueprints you changed. If you delete one or more COI Sets, you should also delete the commissioned virtual machines that were created using the COI Sets that you deleted, and then commission new virtual machines using the new COI Sets.<br />

Required Files for Adding or Modifying COI Sets<br />

The following files are generated on the jump box management VM during the initial onboarding process and are needed when you add or modify COI Sets:<br />

• In the directory where the initial XML files for onboarding were generated:<br />

AddModifyCOISets.xml<br />

• In the C:\Unisys\Stealth directory:<br />

shares.txt<br />

.dia<br />

Copy these three files to the following directory on the Cloud Orchestrator management VM (where all subsequent configuration is performed):<br />

C:\Unisys\UCO\Stealth<br />

Using Dia to Add and Modify COI Sets<br />

Note: You do not use Dia to update the IP address filters for the Home Site or Internet; instead, you do so using the AddModifyCOISets.xml file. Directions to update filters are included in the procedure to finalize COI Set changes in Finalizing COI Set Changes.<br />

To add or modify the COI Sets, do the following:<br />

1. If you have not already done so, copy the three required files from the jump box management VM to the C:\Unisys\UCO\Stealth directory on the Cloud Orchestrator management VM.<br />

2. On the Cloud Orchestrator management VM Start menu, point to Programs, point to Dia, and then click Dia.<br />

3. Click Open on the File menu. The Open Diagram dialog box appears.<br />

4. In the Open Diagram dialog box, navigate to C:\Unisys\UCO\Stealth.<br />

5. Select .dia, and then click Open.<br />

6. On the View menu, click Best Fit. The full view of the diagram expands on the grid.<br />

On the left side of the grid, you see one symbol for each of the components you can use to update the COI Sets, as follows:<br />

• A cube to create new COI Sets<br />

• A dotted line and arrow to enable communication between COI Sets<br />

• A cloud shape to enable communication with the tenant Home Site<br />

• A cloud shape to enable communication with the Internet<br />

In the center of the grid, you see the current COI Sets, the dotted lines that represent their communications, and cloud shapes to indicate communications with the Home Site and Internet. COI Sets that can administer the Stealth solution (that include the Stealth Admin COI) are red.<br />

7. Make sure that all components are exposed on the grid by dragging each COI Set and each line slightly to expose any underlying components.<br />

8. To add a new COI Set, do the following:<br />

a. Select the COI Set cube on the left side of the grid.<br />

b. On the Edit menu, click Duplicate. (Alternatively, press Ctrl+D. The Duplicate function is a combination of copy and paste.) A new COI Set appears, and the cursor is automatically positioned for you to name the COI Set.<br />


Notes:<br />

• If you do not see the cursor in the COI Set cube, select the COI Set, <strong>and</strong> then<br />

press F2.<br />

• Do not rename existing COI Sets.<br />

c. Delete the label “COI Set” from the COI Set you just created, <strong>and</strong> enter a new<br />

name. Use the following guidelines to name the new COI Set:<br />

• Use 12 or fewer alphanumeric characters.<br />

• Use a name that is unique in the Stealth-enabled VLAN. (You can use the<br />

same name that you used for a different VLAN or for a different tenant.)<br />

d. Drag the new COI Set to the appropriate place on the grid.<br />

9. To update the communication with a new or existing COI Set, do the following:<br />

a. Select the dotted line <strong>and</strong> arrow on the left side of the grid, <strong>and</strong> then on the Edit<br />

menu, click Duplicate.<br />

b. Drag the two ends of the line into place. Note the following:<br />

• Every dotted line must have an arrow on only one end. (It might appear that a<br />

line has an arrow on two ends, but that is simply two or more stacked lines.<br />

You can drag one line aside to view the line or lines beneath it.)<br />

• For two COIs to communicate, the arrow should point from the COI Set<br />

whose COI you want to include in the other COI Set. Using the COI Sets table<br />

in the tenant workbook, you should draw the communication path in Dia from<br />

right-to-left (from the COI Sets to Access pointing to the COI Set Name).<br />

In the example described earlier in this topic, the HRSet had the FinanceSet<br />

<strong>and</strong> EngineeringSet configured as COI Sets to Access. Therefore, the arrow<br />

points from the FinanceSet to the HRSet, <strong>and</strong> another line points from the<br />

EngineeringSet to the HRSet. In this example, the arrow on the new line<br />

should point from the MarketingSet to the HRSet. (This means that the<br />

Marketing COI is included in the HRSet.)<br />

• When a line is successfully associated with a COI Set and you select the line, the end of the line displays a red square. (When a line is unassociated, the end of the line displays a green square.)<br />

You might have to drag one line on top of another line to successfully<br />

associate the line with a COI.<br />

• Use the orange square box in the middle of the dotted line to change the<br />

shape <strong>and</strong> direction of the line.<br />

10. To add new communication with the Home Site or Internet, do the following:<br />

a. Select the Home Site cloud or Internet cloud on the left side of the grid.<br />

b. On the Edit menu, click Duplicate. (Alternatively, press Ctrl+D. The Duplicate<br />

function is a combination of copy <strong>and</strong> paste.)<br />

A new cloud appears.<br />

Note: Do not rename the Home Site or Internet.<br />

c. Drag the new cloud to an appropriate place on the grid.<br />

<strong>Cloud</strong> Portal <strong>Operations</strong><br />


d. Select the dotted line <strong>and</strong> arrow on the left side of the grid, <strong>and</strong> then on the Edit<br />

menu, click Duplicate.<br />

e. Drag the end of the new line to a COI Set, <strong>and</strong> drag the arrow into the Home Site<br />

or Internet.<br />

11. To add the Stealth Admin COI to an existing COI Set (so that the virtual machines<br />

commissioned from the blueprint that includes that COI Set can administer Stealth),<br />

do the following:<br />

a. Select the COI Set.<br />

b. Right-click the COI Set, <strong>and</strong> click Properties.<br />

c. In the Fill Color list, select the red fill color.<br />

Note: If you did not select the COI Set (if you simply right-clicked the COI Set<br />

without first selecting it), you do not see this option. Close the Properties box <strong>and</strong><br />

begin again by selecting the COI Set.<br />

d. Click Apply, <strong>and</strong> then click OK.<br />

12. To delete a COI Set, select the COI Set, <strong>and</strong> then press Delete. Delete or redirect all<br />

of the lines associated with the COI Set.<br />

Note: If you delete one or more COI Sets, you should also delete the commissioned<br />

virtual machines that were created using the COI Sets that you deleted.<br />

13. When you are finished making changes to the COI Sets, click Save as on the File<br />

menu.<br />

The Save Diagram dialog box appears.<br />

14. Name the file using a different name than the original file name.<br />

For example, name it Ver2_.dia.<br />

15. Click Save.<br />

Finalizing COI Set Changes<br />

Do the following to finalize the changes you made using Dia:<br />

1. Using Notepad, open AddModifyCOISets.xml.<br />

2. Locate , <strong>and</strong> verify the user name <strong>and</strong> the password for the<br />

workload server on which the infrastructure VMs are running. If you changed the user<br />

name or password for the workload server, update these values.<br />

3. Locate , <strong>and</strong> verify the following values:<br />

• configMachinePassword – the password for the Stealth Configuration Machine<br />

infrastructure VM<br />

• VSGAdminPassword – the password for the Virtual Stealth Gateway infrastructure<br />

VM<br />

If you changed either of these passwords, update these values.<br />

4. Under , locate , <strong>and</strong><br />

change the value to the new file name:<br />



Ver2_.dia<br />

<br />

5. To modify filters, update the following values in the tag appropriately, using<br />

Cisco Access Control List wildcard mask notation.<br />

Note: You can derive the Cisco Access Control List wildcard mask notation from the CIDR notation with the following rule: CIDR a.b.c.d/x = Cisco Access List a.b.c.d/*(32-x), where 32-x is the number of host bits in the prefix.<br />

For example, if the CIDR notation is 192.16.96.0/24, then the Cisco Access Control List wildcard mask notation is 192.16.96.0/*8.<br />

Filters specify the external IP addresses that are allowed to communicate with<br />

Stealth-enabled virtual machines. Traffic to or from an IP address not included in the<br />

filter is discarded by the Virtual Stealth Gateway. For example, if the tenant’s home<br />

site uses the IP address range 172.16.240.0 to 172.16.255.255, the Cisco Access<br />

Control List wildcard mask range in the Home filter list would be 172.16.240.0/*12<br />

(<strong>and</strong> the CIDR notation would be /20).<br />

Update the following filters, as required:<br />

• CME (<strong>Cloud</strong> Management Environment)<br />

Note: You should not change the CME filter value unless you changed the IP<br />

address values of the <strong>Cloud</strong> Management Environment on the Intercom Network.<br />

• Internet<br />

Note: You can enter 0.0.0.0/0 to enable complete access to the Internet.<br />

• Home Site<br />
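The following Python script is an added illustration, not part of the guide: it converts between CIDR notation and the guide's a.b.c.d/*N wildcard notation (and the equivalent dotted Cisco wildcard mask), expresses a tenant home-site address range as a filter entry, and checks which addresses a filter admits. The sample addresses and ranges are constructed for the demonstration.

```python
"""Added example (not from the Unisys guide): CIDR <-> Cisco ACL wildcard
notation for the Home, Internet and CME filter values, plus a check of
which addresses a filter would admit or leave to be discarded."""
import ipaddress
from typing import List


def cidr_to_guide_notation(cidr: str) -> str:
    """Apply the guide's rule: a.b.c.d/x -> a.b.c.d/*(32-x)."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    return f"{net.network_address}/*{32 - net.prefixlen}"


def guide_notation_to_cidr(entry: str) -> ipaddress.IPv4Network:
    """Reverse the rule: a.b.c.d/*w -> a.b.c.d/(32-w)."""
    addr, _, wild = entry.partition("/*")
    wild_bits = int(wild)
    if not 0 <= wild_bits <= 32:
        raise ValueError(f"wildcard bit count out of range: {entry}")
    # strict=True rejects entries whose host bits are not all zero,
    # which would silently widen or mis-describe the intended range.
    return ipaddress.IPv4Network(f"{addr}/{32 - wild_bits}", strict=True)


def wildcard_mask(cidr: str) -> str:
    """Dotted wildcard mask as written on a Cisco ACL line (inverted netmask)."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    return str(net.hostmask)


def range_to_guide_notation(first: str, last: str) -> List[str]:
    """Express an inclusive address range as filter entries, one per aligned
    CIDR block. A range that is one aligned block (like the guide's home-site
    example) yields exactly one entry; anything else needs several."""
    blocks = ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
    return [cidr_to_guide_notation(str(block)) for block in blocks]


def is_allowed(ip: str, filters: List[str]) -> bool:
    """True if ip falls inside any filter entry; traffic to or from any
    other address is what the Virtual Stealth Gateway discards."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in guide_notation_to_cidr(entry) for entry in filters)


if __name__ == "__main__":
    # Constructed sample: the guide's home-site range and two probe addresses.
    home = range_to_guide_notation("172.16.240.0", "172.16.255.255")
    print("Home filter entries:", home)  # ['172.16.240.0/*12']
    print("Cisco wildcard mask:", wildcard_mask("172.16.240.0/20"))  # 0.0.15.255
    for probe in ("172.16.250.7", "172.16.239.255"):
        verdict = "allowed" if is_allowed(probe, home) else "discarded"
        print(f"{probe}: {verdict}")
```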

6. Click Save on the File menu, <strong>and</strong> then close Notepad.<br />

7. Open a command prompt, and navigate to the C:\Unisys\UCO\stealth directory.<br />

8. Enter the following command to create the appropriate XML files:<br />

Java -jar AutomationClient.jar<br />

GenerateAddModifyCOISetsXML<br />

C:\Unisys\UCO\Stealth\<br />

AddModifyCOISets.xml><br />

<br />

When the script is finished, the following files appear in the :<br />

• AddModifyCOISets.xml<br />

• ReprovisionAffectedVMs.xml<br />

9. Enter the following command to modify the COI Sets on the Virtual Stealth Gateway<br />

infrastructure VM:<br />

Java -jar AutomationClient.jar<br />

BatchJob<br />

\AddModifyCOISets.xml<br />

shares.txt<br />


10. Enter the following command to update any already commissioned virtual machines<br />

that are affected by the COI Set changes:<br />


Java -jar AutomationClient.jar<br />

BatchJob<br />

\ReprovisionAffectedVMs.xml<br />

shares.txt<br />

When a virtual machine is commissioned, the COI Set that is assigned to that virtual<br />

machine is kept in a file named .ser on the <strong>Cloud</strong><br />

Orchestrator management VM. This file is accessed for current virtual machines,<br />

which have their COIs reprovisioned according to the new COI Set configuration<br />

when you run this ReprovisionAffectedVMs.xml command.<br />

Updating the Workbook <strong>and</strong> Deleting Unneeded Virtual Machines<br />

After you finish updating the COI Sets, you should also update the tenant workbook with<br />

these changes so that you have a record of the current Stealth implementation. In the<br />

tenant workbook, you should update both the COI Set list <strong>and</strong> update the COI Set value for<br />

any blueprints you changed.<br />

If you delete one or more COI Sets, you should also delete the commissioned virtual<br />

machines that were created using the COI Sets that you deleted, <strong>and</strong> then commission<br />

new virtual machines using the new COI Sets.<br />

10.18.2. Viewing Stealth Licenses in the Secure Private Cloud Portal<br />

When Stealth for <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> is included in your environment, the Stealth<br />

Licenses page displays the licenses. To access this page from the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong><br />

portal, select the <strong>Administration</strong> tab, <strong>and</strong> then click Stealth Licenses.<br />

This page displays the total number of stealth licenses included in your cloud environment,<br />

the number of licenses allocated to each tenant, <strong>and</strong> the number of licenses that are still<br />

available. The Usage Information pane displays the total licenses used by each tenant<br />

<strong>and</strong> each Stealth-enabled VLAN in the tenant.<br />

Note: Each tenant can have one or more Stealth-enabled VLANs. Stealth-enabled VLANs<br />

protect the communication between virtual machines in your cloud environment through<br />

the use of the Communities of Interest (COI). This enables multiple groups of virtual<br />

machines to share the same network without fear of another group accessing their data,<br />

which results in a more secure infrastructure.<br />

When licenses are required for a particular tenant, the requests are communicated to the<br />

Stealth Licensing management VM.<br />

For information on understanding licensing, see the Secure Private Cloud Overview and<br />

Planning <strong>Guide</strong>. For more information on this page, see the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> Interface<br />

Help.<br />



10.18.3. Accessing Logs and Monitoring Tunnels Using the Administration Application<br />

The Stealth Solution Administration Application is a Web-based interface that enables you to access log and diagnostic information and to monitor Stealth tunnel usage on a Stealth-enabled VLAN basis.<br />

Do the following to access <strong>and</strong> log on to the <strong>Administration</strong> Application pages for a<br />

particular tenant Virtual Stealth Gateway:<br />

1. Log on to a virtual machine that includes the Admin COI.<br />

Note: You can open a console to the Stealth Configuration Machine, which includes<br />

the Admin COI.<br />

2. Open a browser window, <strong>and</strong> enter the following URL in the address bar:<br />

http://:8080/stealth<br />

For example, enter http://192.168.222.222:8080/stealth.<br />

3. Type the Stealth Web administrator user name <strong>and</strong> password from Table 1–31.<br />

4. Click Logon.<br />

The Appliance Status page opens.<br />

See the help available with the <strong>Administration</strong> Application for more information on viewing<br />

logs <strong>and</strong> diagnostics information, clearing log information, <strong>and</strong> monitoring tunnel usage.<br />

Notes:<br />

• If you have any problems accessing or using the <strong>Administration</strong> Application Web<br />

pages, add the Virtual Stealth Gateway IP address to the Internet Explorer trusted<br />

sites. Do the following:<br />

1. Select Internet options from the Internet Explorer Tools menu.<br />

2. Select the Security tab.<br />

3. Click Trusted sites, <strong>and</strong> then click Sites.<br />

4. Add the Virtual Stealth Gateway IP address to the Trusted sites.<br />

5. Click Close to close the Trusted sites dialog box.<br />

6. Click OK to close the Internet Options dialog box.<br />


• For security purposes, Unisys advises that you do not allow the browser to remember<br />

your log-on information, such as user name <strong>and</strong> password.<br />

• User log-on information is recorded in the Windows event log on the appliance.<br />

10.18.4. Viewing <strong>and</strong> Configuring Stealth Licensing Options<br />

You can view <strong>and</strong> configure Stealth licensing options for the components that run the<br />

Stealth license service. These include the Stealth Licensing management VM (for the<br />

cloud environment as a whole) <strong>and</strong> the Stealth Relay Server infrastructure VMs <strong>and</strong><br />

Stealth Proxy Server infrastructure VMs (for each tenant).<br />


Note: The Stealth license service also runs on the Virtual Stealth Gateway infrastructure<br />

VM, but for security reasons, you cannot open a console to that VM or change its settings.<br />

These licensing options are configured during initial implementation <strong>and</strong> tenant<br />

onboarding, <strong>and</strong> changes are usually not required. However, you can make changes if<br />

required for your environment or for a particular tenant. For example, if you need to view<br />

the number of licenses in use for a particular tenant or restrict the number of Stealth<br />

licenses that can be used, you can do so using the procedures in this topic.<br />

Viewing Stealth Licensing Options in the Dynamic Licensing Web Interface<br />

This topic describes how you can make changes to the Stealth licensing options using a<br />

command line interface. You can also view (but not change) these settings using the more<br />

user-friendly Dynamic Licensing Web interface. To view these Stealth licensing settings<br />

from the Dynamic Licensing Web interface, do the following:<br />

1. Using the vSphere Client, open a console to the Stealth Proxy Server infrastructure<br />

VM or the Stealth Configuration Machine infrastructure VM.<br />

2. In a browser, enter the following URL in the address bar to connect to the Dynamic<br />

Licensing Web interface running on the Stealth Licensing management VM, Stealth<br />

Relay Server infrastructure VM, or the Stealth Proxy Server infrastructure VM:<br />

http://:/uisdynlic/param<br />

For example, from a console on the Stealth Proxy Server infrastructure VM, enter<br />

https://172.31.1.14/uisdynlic/param (if the port value is 443) or<br />

https://172.31.1.14:444/uisdynlic/param (if you changed the port value to 444).<br />

3. When prompted, enter the Stealth for <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> Dynamic Licensing Web<br />

interface credentials from Table 2–1.<br />

Updating Stealth Licensing Options Using the Command Line Interface<br />

Do the following to verify the Stealth licensing options or make changes to the<br />

configuration (using a command line interface):<br />

1. Using the vSphere Client, open a console to the Stealth Licensing management VM to<br />

view the Stealth license server settings for the cloud environment.<br />

Note: If you want to view the Stealth license server settings for a particular tenant,<br />

open a console to the Stealth Relay Server infrastructure VM or the Stealth Proxy<br />

Server infrastructure VM for that tenant.<br />

2. If you are accessing the Stealth Licensing management VM, log on using the standard<br />

Windows management VM user name <strong>and</strong> password from Table 2–1.<br />

If you are accessing the Stealth Relay Server infrastructure VM or the Stealth Proxy<br />

Server infrastructure VM, log on using the tenant-specific password.<br />

3. Open a command prompt using the Run as administrator option.<br />

4. Change the directory to C:\Program Files\Unisys\Stealth Solution for LAN.<br />



5. Enter one of the following commands to see the current status:<br />

• To see the number of available licenses for the entire cloud environment <strong>and</strong> the<br />

number of licenses allocated (labeled InUse) to all of the tenant Virtual Stealth<br />

Gateway infrastructure VMs, access the Stealth Licensing management VM <strong>and</strong><br />

enter the following command:<br />

dynamiclicensing.exe /alloc<br />

• To see the status of the licensing service, access the Stealth Relay Server<br />

infrastructure VM or the Stealth Proxy Server infrastructure VM <strong>and</strong> enter the<br />

following command:<br />

dynamiclicensing.exe /status<br />

You see the total number of allocated <strong>and</strong> available licenses, which should be<br />

equal. (For example, if a Virtual Stealth Gateway requested 10 licenses to be<br />

allocated, then that is the total available to the tenant at this time.)<br />

6. Enter the following command to see the current settings:<br />

dynamiclicensing.exe /set<br />

Note: Enter dynamiclicensing.exe /? to see a list of all values you can configure<br />

or enter dynamiclicensing.exe /set ? to see an explanation of each setting.<br />

When you enter dynamiclicensing.exe /set, you see the following:<br />

• DebugFile – The file to which the license service prints debugging information.<br />

The initial value is C:\Stealth\LicService.txt. If there are any problems in your<br />

environment, you might be asked to submit this file to the Unisys service<br />

consultant.<br />

• DebugFileSize – The maximum file size of the debugging file. If this limit is<br />

reached, then the earliest information in the file is overwritten. The default file size<br />

is 102400 KB (100 MB).<br />

• JournalFile – The file to which the license allocations <strong>and</strong> changes are recorded.<br />

The default is blank; therefore, license allocations are not recorded. You can<br />

change this if required.<br />

For example, to set the JournalFile, enter<br />

dynamiclicensing.exe /set JournalFile<br />

C:\Stealth\LicJournal.txt<br />


When you set this value, you must restart the Stealth license service.<br />

Note: If you want to use a file name that includes spaces, you must enclose the<br />

file name in quotation marks.<br />

• LicenseChunk – The additional number of licenses that are requested by default<br />

by any Virtual Stealth Gateway. Do not change the LicenseChunk value, as it has<br />

no effect on the Stealth Licensing management VM, the Stealth Proxy Server<br />

infrastructure VM, or the Stealth Relay Server infrastructure VM.<br />

By default, this value is set to 0, which means that the Virtual Stealth Gateway<br />

dynamically requests additional licenses in direct proportion to the number of<br />

licenses that are already in use for that tenant. When the first request is made<br />

from a recently created Virtual Stealth Gateway, a small number of licenses (six)<br />

are requested. As additional virtual machines are commissioned, the Virtual<br />


Stealth Gateway dynamically requests additional licenses in direct proportion to<br />

the number of licenses that are already in use for that tenant; that is, it requests<br />

approximately 20% more licenses than the number of licenses currently in use.<br />

This dynamic licensing model helps to ensure that licenses are available as new<br />

virtual machines begin running <strong>and</strong> require Stealth licenses.<br />

Note: If a Virtual Stealth Gateway requests more licenses than are available, the<br />

Stealth Licensing management VM allocates the amount that is available.<br />

• LicenseLimit – The maximum number of licenses available. If, for any reason, you<br />

want to limit the number of licenses that can be used to less than are provided<br />

through the Stealth fob, you can set this parameter to a smaller value on the<br />

Stealth Licensing management VM.<br />

For example, if you purchased 400 licenses total, <strong>and</strong> you want to limit the<br />

environment to use only 100 licenses to reduce network traffic for a short time,<br />

then you can log on to the Stealth Licensing management VM console <strong>and</strong> set the<br />

LicenseLimit to 100 by entering<br />

dynamiclicensing.exe /set LicenseLimit 100<br />

This value has no impact on the Stealth Relay Server <strong>and</strong> Stealth Proxy Server,<br />

<strong>and</strong> so you should not change it on those infrastructure VMs.<br />

• LicenseTimeout – The number of seconds that a virtual machine can run without<br />

a license until communication stops. Do not change the LicenseTimeout value,<br />

as it has no effect on the Stealth Licensing management VM, the Stealth Proxy<br />

Server infrastructure VM, or the Stealth Relay Server infrastructure VM.<br />

The default value is 1800 seconds, or 30 minutes. This value enables virtual<br />

machines to continue communicating across the Stealth VLAN, even if there is<br />

an interruption in communication with the Stealth Licensing management VM.<br />

• LogLevel – The default value is set to 7 for normal logging. Information is saved<br />

to the Windows application log (which is accessible from Server Manager for the<br />

VM). You can set this value to 127 if you want to provide both application logging<br />

<strong>and</strong> debugging-level logging information. To do so, enter<br />

dynamiclicensing.exe /set LogLevel 127<br />

• MinLicenses – The minimum number of licenses to request for a tenant VLAN.<br />

You can set this value on a Stealth Relay Server or Stealth Proxy Server<br />

infrastructure VM, <strong>and</strong> the minimum number of licenses you request will be preallocated<br />

for the tenant VLAN. This setting can be used to ensure that enough<br />

licenses are available for high-priority applications running on a particular Stealth<br />

VLAN.<br />

For example, if a tenant purchases 100 licenses and wants to be sure that those<br />

licenses are immediately allocated, you can set the MinLicenses value to 100, and<br />

100 licenses are initially allocated. When the number of licenses needed<br />

exceeds the allocated amount, additional licenses are requested according to the<br />

regular formula for dynamic licensing. (Licenses are requested in direct<br />

proportion to the number of licenses that are already in use for that tenant; that<br />

is, the amount requested is approximately 20% more licenses than the number<br />

of licenses currently in use.)<br />

The default value is 0, meaning that licenses are requested in proportion to the<br />

number of licenses already in use.<br />



To change the minimum number of licenses, enter<br />

dynamiclicensing.exe /set MinLicenses <br />

• PollInterval – This determines the frequency of license requests. All the license<br />

systems that connect to each other should use the same value, <strong>and</strong> so you<br />

should not change this value.<br />

• Port – The port that the management VM or infrastructure VM listens on for<br />

incoming requests. The default port is 31420. You can change this port if<br />

necessary by entering<br />

dynamiclicensing.exe /set Port <br />

The VMs listen for communication as follows:<br />

- The Stealth Licensing management VM listens for communication from the<br />

Stealth Relay Server infrastructure VMs.<br />

- Each Stealth Relay Server infrastructure VM listens for communication from<br />

the associated Stealth Proxy Server infrastructure VM.<br />

- Each Stealth Proxy Server infrastructure VM listens for communication from<br />

the associated Virtual Stealth Gateway infrastructure VM.<br />

Note: If you change the port value, you must update the ServerAddresses value<br />

for any management or infrastructure VM that attempts to access this VM to<br />

update the port value in the address.<br />

• ServerAddresses – The IP addresses of the server to which the VM is transmitting<br />

messages about Stealth licensing (for requesting <strong>and</strong> releasing licenses). These<br />

values are automatically configured during tenant onboarding based on the values<br />

in the tenant workbook. On the Stealth Proxy Server infrastructure VM, this is the<br />

IP address of the Stealth Relay Server. On the Stealth Relay Server, this is the IP<br />

address of the Stealth Licensing management VM. On the Stealth Licensing<br />

management VM, this value is blank, because the Stealth Licensing management<br />

VM is not transmitting messages to any other components regarding license<br />

requests.<br />

• SSP – The <strong>Secure</strong> Socket Protocol is used to encrypt <strong>and</strong> transmit the license<br />

requests between VMs. This value is 1 to indicate SSP is enabled. Do not change<br />

this value.<br />

The protocol uses a handshake when a connection between machines is<br />

established to determine the encryption keys. SSP is required when<br />

communicating with a license source or when Stealth is not available; otherwise,<br />

the VMs automatically communicate using Stealth. SSP requires that you log on to<br />

the VM; therefore, your credentials must be known to the VM.<br />

• WebCertificate – The certificate common name (CN) or thumbprint used for SSL for the<br />

connection to the Dynamic Licensing Web interface (as described at the beginning<br />

of this topic). The Unisys service consultant configures this certificate during the<br />

initial implementation.<br />

To see the certificate, enter<br />

netsh http show sslcert<br />


To change the certificate on the Stealth Licensing management VM, Stealth<br />

Relay Server infrastructure VM, or Stealth Proxy Server infrastructure VM, first<br />

import the new certificate into the certificate store. Then, enter the following<br />

command:<br />

netsh http add sslcert<br />

ipport=:<br />

certhash=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx<br />

appid={1ad74a6e-2af9-4c14-8277-c4a1fa7e2134}<br />

Note: The appid must appear exactly as shown.<br />

For example, enter<br />

netsh http add sslcert ipport=192.168.233.34:443<br />

certhash=3bc4388ee6gee90e6acbhcd9acdc175d89469443<br />

appid={1ad74a6e-2af9-4c14-8277-c4a1fa7e2134}<br />

• WebPassword – The password that the Stealth Licensing management VM uses<br />

for the Dynamic Licensing Web interface. The default value is listed in Table 2–1.<br />

To change this value, perform the procedure in Dynamic Licensing Web<br />

Interface.<br />

• WebPort – The port that the Stealth Licensing management VM uses for the<br />

Dynamic Licensing Web interface. The default value is 443, <strong>and</strong> so you access<br />

these Web pages using the URL format: http://:/uisdynlic/param. For<br />

example, from a console on the Stealth Proxy Server infrastructure VM, you<br />

would enter https://172.31.1.14/uisdynlic/param (if the port value is 443) or<br />

https://172.31.1.14:444/uisdynlic/param (if you changed the port value to 444).<br />

To change the port value, enter<br />

dynamiclicensing.exe /set WebPort <br />

10.18.5. Increasing the License Count for Stealth for Secure Private Cloud<br />

If Stealth for <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> is included in your environment, you receive a licensing<br />

fob (USB device) which determines the number of Stealth-enabled virtual machines that<br />

can be active at one time for Stealth-secured communications. By default, if your cloud<br />

environment includes Stealth for <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong>, you receive a fob with 10 licenses.<br />

If your initial order included additional Stealth licenses, your Unisys service consultant<br />

configured your management server to use the fob with the greater number of licenses<br />

you ordered. If your cloud environment is configured for HA, you receive two identical<br />

fobs.<br />

If you want to increase the number of Stealth licenses that are available in your<br />

environment, contact your Unisys service consultant, who will help you order a new fob<br />

with a greater licensing count. When you receive your new fob, simply remove the old fob<br />

from the management server, <strong>and</strong> insert the new fob in its place. You must insert the new<br />

fob into the same USB port in the management server in which the old fob was located. (If<br />

your environment includes HA, you must remove <strong>and</strong> replace the fobs in both<br />

management servers in the same USB ports.)<br />



As long as you take no more than 30 minutes to remove the old fob <strong>and</strong> insert the new<br />

fob, no additional configuration is necessary. The Stealth Licensing management VM<br />

automatically registers the new fob <strong>and</strong> the increased license count.<br />

Note: If you take longer than 30 minutes to remove <strong>and</strong> replace the fob, your Unisys<br />

service consultant must reconfigure the Stealth Licensing management VM to<br />

communicate with the USB drive containing the fob. Therefore, it is highly recommended<br />

that you have the new fob ready to insert before removing the old fob.<br />

10.18.6. Enabling Stealth for Secure Private Cloud After Initial Implementation<br />

When you placed your order for the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong>, the Stealth for <strong>Secure</strong> <strong>Private</strong><br />

Cloud feature was automatically included (if your cloud environment is located in a non-export-restricted country). This includes the Stealth Licensing management VM, software<br />

to Stealth-enable VLANs <strong>and</strong> virtual machines, <strong>and</strong> the Stealth licensing fob (with 10<br />

available licenses).<br />

If, during initial implementation, you instructed your Unisys service consultant not to<br />

configure Stealth for <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong>, then those components were not configured. If<br />

you later decide to use Stealth for <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong>—either on a trial basis with the 10<br />

available licenses or using a fob with a greater available license count—you must contact<br />

your Unisys service consultant to upgrade your environment to include this feature.<br />

10.19. Important Operational Restrictions<br />

The following operations are not supported in the cloud environment:<br />

• Do not use an XML editor to edit the cloud provider or tenant XML files created by the<br />

workbook.<br />

You must use Microsoft Excel to make all required changes <strong>and</strong> then to produce the<br />

updated XML files.<br />

• You cannot rename tenant projects. To give a tenant project a new name, you must do<br />

the following:<br />

- Delete all resources associated with the blueprint by performing the procedures in<br />

11.1 Stopping and Decommissioning Virtual Machines or 11.2 Stopping and<br />

Decommissioning Physical Machines. (Resources cannot be moved between an<br />

old project <strong>and</strong> a new project.)<br />

- Delete the project by performing the procedure in 10.9 Deleting Blueprints or<br />

Projects from the <strong>Cloud</strong> Environment.<br />

- Create a new project using the tenant worksheet.<br />

<strong>Cloud</strong> Portal <strong>Operations</strong><br />

• If Stealth for <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong> is included in your environment, note the following:<br />

- You cannot remove Stealth from commissioned Stealth-enabled virtual machines<br />

or existing Stealth-enabled VLANs.<br />

- You cannot add Stealth to already-commissioned virtual machines or to existing<br />

VLANs that include resources.<br />

3850 6804–007 10–53


<strong>Cloud</strong> Portal <strong>Operations</strong><br />

If you want to remove Stealth from any component, delete the current component <strong>and</strong><br />

recreate it using the appropriate template. If you want to add Stealth to an alreadycommissioned<br />

virtual machine, delete the virtual machine <strong>and</strong> recreate it using the<br />

appropriate template.<br />

If you want to add Stealth to an existing VLAN, perform the procedure in 8.1 Enabling<br />

Stealth for an Existing Tenant VLAN to delete the resources running on the VLAN <strong>and</strong><br />

then Stealth-enable the VLAN.<br />

• Use only approved characters in tenant, project, <strong>and</strong> blueprint names. See<br />

2.8.4 Naming <strong>Guide</strong>lines for Components in the <strong>Cloud</strong> Environment.<br />

10–54 3850 6804–007


Section 11
Removing Tenants and Components from the Cloud Environment

This section describes how to remove tenants or tenant components from your Secure Private Cloud environment, if you are hosting a multi-tenant environment. To completely remove tenants, their users, their machines, and the tenant infrastructure from the Cloud environment, perform the procedures in 11.1 Stopping and Decommissioning Virtual Machines through 11.8 Removing Tenant Resources and Departments from uChargeback.

If you want to remove a specific tenant component, perform the procedure in this section that is associated with that particular component. If you simply want to suspend tenant operations, you can perform only the procedures to disable users and stop virtual machines and physical servers.

11.1. Stopping and Decommissioning Virtual Machines

Do the following to stop the tenant virtual machines and decommission them (delete them from the Secure Private Cloud).

Note: If you want to suspend a tenant account, you can simply stop the virtual machines without decommissioning them. After the virtual machines have been stopped, they cannot be restarted by any of the users (assuming that the tenant users have been disabled).

1. From a workstation on the Public Network, sign in to the Secure Private Cloud portal using the URL in Table 2–2 and your cloud administrator credentials.

2. Click Commission and Manage, and then click Manage Resources.

3. Select a running virtual machine in the Resources Overview table and click Stop.

   The status of the virtual machine transitions to Stopping and then to Stopped, but this transition could take some time.

   Select the next running virtual machine, and click Stop. (You do not need to wait until one machine is stopped before requesting that the next machine be stopped.)

4. Select the resource in the Resources Overview table, and click Decommission to delete the virtual machine.

   A dialog box appears asking you to confirm that you want to decommission (delete) the specified resource.

5. Click OK to confirm.

   On the Manage Requests page, a new entry appears. When the status of the remove entry changes to Success, the resource has been decommissioned. The resource is also removed from Manage Resources.

6. Click Administration.

7. On the Operator Prompts page, reject any outstanding requests from the tenant.

8. After all of the virtual machines in all projects have been stopped and decommissioned, from a vSphere Client, connect to the vCenter management VM using its current host name or IP address.

9. Verify that all of the tenant virtual machines have been deleted.

10. If any virtual machines still exist, verify that they are not still present in the Cloud Orchestrator portal, and then delete them manually in vCenter.

Note: After you stop and decommission virtual machines, they are moved into the Archived Servers Department in uChargeback. This enables you to create historical reports, as needed. However, if you want to fully delete the virtual machines from uChargeback, see 11.8 Removing Tenant Resources and Departments from uChargeback.

11.2. Stopping and Decommissioning Physical Machines

To stop tenant physical servers, perform the procedure in 10.4.2 Starting or Stopping Physical Servers.

To decommission tenant physical servers (delete them from the Secure Private Cloud), perform the procedure in 10.4.3 Decommissioning Physical Servers (Releasing Physical Server Resources).

Notes:

• If you want to suspend a tenant account, you can simply stop the physical servers without decommissioning them. After the physical servers have been stopped, they cannot be restarted by any of the users (assuming that the tenant users have been disabled).

• After you stop and decommission virtual machines, they are moved into the Archived Servers Department in uChargeback. This enables you to create historical reports, as needed. However, if you want to fully delete the virtual machines from uChargeback, see 11.8 Removing Tenant Resources and Departments from uChargeback.

11.3. Removing the Tenant Virtual Components in vCenter

Removing Network Appliances and Load Balancers in vCenter

Do the following to remove the tenant network appliances and load balancers:

1. From a vSphere Client, connect to the vCenter Server using its current host name or IP address.

2. Shut down and remove any VLAN network appliances. To do so:

   a. In the Hosts and Clusters Inventory view, right-click a VLAN network appliance virtual machine, select Power, and then click Shut Down Guest.

   b. After the VLAN network appliance virtual machine is shut down, right-click it, and select Delete from Disk.

   c. Click Yes in the confirmation dialog box.

3. Shut down and remove any Load Balancer virtual machines. To do so:

   a. In the Hosts and Clusters Inventory view, right-click a load balancer virtual machine, select Power, and then click Shut Down Guest.

   b. After the load balancer virtual machine is shut down, right-click it, and select Delete from Disk.

   c. Click Yes in the confirmation dialog box.

Removing Stealth Infrastructure VMs from vCenter

If Stealth for Secure Private Cloud is included in your environment and enabled for the tenant, remove the tenant Stealth infrastructure VMs from each of the tenant Stealth-enabled VLANs. There are five Stealth infrastructure VMs for each Stealth-enabled VLAN, and they are named using the following format:

• SConfig
• SProxy
• SRelay
• STM
• VSG

Removing Networking in vCenter

Note: If Stealth for Secure Private Cloud is included in your environment and enabled for the tenant, each Stealth-enabled VLAN consists of a pair of VLANs: a clear-text VLAN and an encrypted VLAN. Be sure to remove both of these VLANs.

Do the following to remove the tenant networking:

1. From a vSphere Client, connect to the vCenter management VM using its current host name or IP address.

2. Remove the distributed virtual network switch port group or the virtual machine port groups.

   For a distributed virtual network switch port group, do the following:

   a. In the Networking Inventory view, right-click the port group name, and then click Delete.

   b. Click Yes in the confirmation dialog box.

   For a virtual machine port group, do the following:

   a. In the Hosts and Clusters Inventory view, select a workload server.

   b. Select the Configuration tab, and then click Networking.

   c. Select Properties for a virtual switch.

   d. Select a port group, and then click Remove.

   e. Click Yes in the delete confirmation dialog box.

   f. Repeat these steps for each workload server.

Removing Datastores, Resource Pools, and Templates in vCenter

Do the following to remove datastores, resource pools, and templates:

1. From a vSphere Client, connect to the vCenter management VM using its current host name or IP address.

2. Ensure that datastores do not contain any of the tenant folders or virtual machines. To do so:

   a. In the Datastores view, right-click the datastore name, and select Browse Datastore.

   b. Delete any folders or virtual machines belonging to the tenant.

3. If certain datastores were used only by the tenant you are deleting, make those datastores unavailable to the tenant. For example, you can delete the datastore or rename it.

   To rename a datastore, do the following:

   a. In the Datastores view, right-click the datastore name, and click Rename.

   b. Type a new name for the datastore.

   To delete a datastore, do the following:

   a. In the Datastores view, right-click the datastore name, and click Delete.

   b. Click Yes in the confirmation dialog box.

4. If certain resource pools were used only by the tenant you are deleting, delete those resource pools as follows:

   a. In the Hosts and Clusters Inventory view, right-click a resource pool name, and then click Remove.

   b. Click Yes in the confirmation dialog box.

5. If certain templates were used only by the tenant you are deleting, delete those templates as follows:

   a. In the VMs and Templates view, right-click a template name, and then click Delete from Disk.

   b. Click Yes in the confirmation dialog box.

11.4. Removing Management-Side Tenant Infrastructure in vCenter

Removing a Zone in uChargeback for a Tenant with No DNS

During initial VLAN configuration, if a tenant did not have a DNS, or if the tenant DNS could not support non-secure dynamic DNS updates, the uChargeback management VM was configured to act as the tenant DNS server. Do the following to remove a zone in the uChargeback management VM, if it is acting as the tenant DNS:

1. From a vSphere Client, open a console to the uChargeback management VM.

2. Launch DNS Manager by clicking Start, pointing to Administrative Tools, and then clicking DNS.

3. If you created a unique forward lookup zone for this tenant, then in the Forward Lookup Zones node, right-click the tenant’s zone and click Delete.

4. Click Yes in the confirmation dialog box.

Removing Static Routes to Tenant VLANs

Perform this procedure on the jump box management VM, the Cloud Orchestrator management VM, the uChargeback management VM, and (if Stealth for Secure Private Cloud is included in your environment and enabled for the tenant) the Stealth Licensing management VM. Do the following to remove static routes to tenant VLANs:

1. From a vSphere Client, open a console to the management VM.

2. Open a command prompt, using the Run as Administrator option, and enter the following command to delete a static route for the VLAN:

   route -p delete

3. Repeat the previous steps for the next management VM.

Removing Tenant Information from a Virtual Management Network Appliance

If your Management Network Appliance is virtual, do the following to remove the tenant-specific information.

Note: If your Management Network Appliance is physical, skip this procedure, and perform the following procedure.

1. From a vSphere Client, open a console to the Management Network Appliance virtual machine.

2. Log on.

3. Enter the following command:

   configure

4. To remove static routes to the tenant VLAN network appliance, do the following:

   a. Enter the following command, and note all routes to the tenant VLANs:

      show protocols static

   b. For each route to the tenant VLAN, enter the following command:

      delete protocols static route

5. To remove tenant firewall rules, do the following:

   a. Enter the following command, and note all the network entries that contain VLAN information for the tenant:

      show firewall group network-group TARGET_VM

   b. For each network entry that includes tenant VLAN information, enter the following command:

      delete firewall group network-group TARGET_VM network

6. Enter the following commands to commit and save the changes:

   commit
   save
   exit

Removing Tenant Information from a Physical Management Network Appliance

If your Management Network Appliance is physical, do the following to remove the tenant-specific information.

Notes:

• If your Management Network Appliance is virtual, do not perform this procedure; instead, perform the previous procedure.

• The following procedure uses commands appropriate for Cisco switches. If you have another brand of switch, you must adapt these commands for that switch.

1. To remove tenant VLAN IDs, enter the following command:

   no vlan

2. To remove tenant access lists, enter the following command:

   no access-list

3. To remove tenant access groups on the Management Access Network VLAN, enter the following commands:

   interface
   no ip access-group in
   no ip access-group out

4. To remove tenant VLAN IDs for each switchport interface to a workload server, enter the following commands:

   interface
   switchport trunk allowed vlan remove

5. To remove tenant routes, enter the following command:

   no ip route

6. To remove any existing NAT rules, use no ip nat commands.

   Note: A physical switch must support NAT to perform these commands. Refer to the documentation for your switch for more information on NAT and the specific commands that apply.

   Remove the following rules:

   a. Remove the management access network VLAN interface as the network subject to inside NAT translation.

   b. Remove NAT rules that translate the and destination addresses to the address.

7. Enter the following command to verify the configuration:

   show running-config

8. Save the configuration by entering the following command:

   copy running-config startup-config

   You see the following: Destination Filename [startup-config]?

9. Press Enter.

   You see the response [OK].

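As an added example (not part of the Unisys guide), the following Python audit supports the verification in step 7 above and the earlier Removing Static Routes to Tenant VLANs procedure: it scans text captured from a Windows management VM (route print), the virtual Management Network Appliance and a Cisco switch (show running-config) for lines that still reference the removed tenant's subnets or VLAN IDs. The tenant subnets, VLAN IDs and all three sample captures are constructed, and the script works on saved or pasted output, never on the devices themselves.

```python
"""Post-removal audit: find configuration lines that still reference a removed
tenant's subnets or VLAN IDs. All sample captures below are constructed."""
import ipaddress
import re

# Constructed tenant values (hypothetical; in practice taken from the tenant worksheet).
TENANT_SUBNETS = ["10.20.30.0/24", "10.20.31.0/24"]   # clear-text and encrypted VLANs
TENANT_VLAN_IDS = [300, 301]

# Constructed excerpt of "route print" from a Windows management VM.
WINDOWS_ROUTE_PRINT = """\
Persistent Routes:
  Network Address          Netmask  Gateway Address  Metric
       10.20.30.0    255.255.255.0      192.168.5.1       1
       10.20.31.0    255.255.255.0      192.168.5.1       1
        10.99.0.0      255.255.0.0      192.168.5.1       1
"""

# Constructed excerpt of the virtual Management Network Appliance configuration;
# TARGET_VM is the network-group name the guide uses.
APPLIANCE_CONFIG = """\
protocols static route 10.20.30.0/24 next-hop 192.168.5.1
protocols static route 10.99.0.0/16 next-hop 192.168.5.1
firewall group network-group TARGET_VM network 10.20.31.0/24
firewall group network-group TARGET_VM network 10.99.1.0/24
"""

# Constructed excerpt of a Cisco IOS running-config (VLAN 400 belongs to another tenant).
IOS_RUNNING_CONFIG = """\
vlan 300
vlan 301
vlan 400
interface GigabitEthernet1/0/1
 switchport trunk allowed vlan 300,301,400
ip access-list extended TENANTA-ACL
 permit ip 10.20.30.0 0.0.0.255 any
ip route 10.20.30.0 255.255.255.0 192.168.5.1
ip route 10.99.0.0 255.255.0.0 192.168.5.1
"""

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
VLAN_DECL_RE = re.compile(r"^\s*(?:no\s+)?vlan\s+(\d+)\s*$", re.IGNORECASE)
TRUNK_RE = re.compile(r"switchport trunk allowed vlan(?:\s+(?:add|remove|except))?"
                      r"\s+([\d,\-]+)", re.IGNORECASE)


def vlan_ids_in_line(line):
    """Return the set of VLAN IDs an IOS line declares or carries on a trunk."""
    m = VLAN_DECL_RE.match(line)
    if m:
        return {int(m.group(1))}
    m = TRUNK_RE.search(line)
    if not m:
        return set()
    ids = set()
    for part in m.group(1).split(","):          # list syntax such as "300-302,400"
        if "-" in part:
            lo, hi = part.split("-", 1)
            ids.update(range(int(lo), int(hi) + 1))
        elif part:
            ids.add(int(part))
    return ids


def find_leftovers(config_text, tenant_subnets, tenant_vlan_ids):
    """Return (line_no, line, reason) for each line still referencing the tenant.
    An address matches when it lies inside a tenant subnet, so the network address
    of a route and a host address inside an ACL are both caught; netmask and
    wildcard tokens never fall inside an RFC 1918 tenant range."""
    nets = [ipaddress.ip_network(s, strict=False) for s in tenant_subnets]
    vlans = set(tenant_vlan_ids)
    hits = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        reasons = []
        for token in IPV4_RE.findall(line):
            try:
                addr = ipaddress.ip_address(token)
            except ValueError:                  # e.g. an octet above 255
                continue
            if any(addr in n for n in nets):
                reasons.append(f"address {token} is in a tenant subnet")
                break
        stale_vlans = sorted(vlan_ids_in_line(line) & vlans)
        if stale_vlans:
            reasons.append("tenant VLAN " + ",".join(map(str, stale_vlans)))
        if reasons:
            hits.append((line_no, line.strip(), "; ".join(reasons)))
    return hits


if __name__ == "__main__":
    sources = {"management VM": WINDOWS_ROUTE_PRINT,
               "virtual appliance": APPLIANCE_CONFIG,
               "physical switch": IOS_RUNNING_CONFIG}
    for name, text in sources.items():
        hits = find_leftovers(text, TENANT_SUBNETS, TENANT_VLAN_IDS)
        status = "clean" if not hits else f"{len(hits)} leftover line(s)"
        print(f"{name}: {status}")
        for line_no, line, reason in hits:
            print(f"  line {line_no}: {line}  <- {reason}")
```

An empty result for every source is the expected state after the removal procedures; any hit names the exact line to revisit with the corresponding delete command.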


11.5. Deleting Tenant Account Entities

The following topics describe the steps required to delete a configured tenant account from the Secure Private Cloud portal. Using a browser connected to the Secure Private Cloud portal, sign in using the Liferay Administrator credentials.

To delete a tenant account, perform the procedures in this topic.

Note: When you delete a tenant, project, or blueprint using the Secure Private Cloud portal, you must also delete that component from RBADB. See the following procedures for more information.

11.5.1. Deleting Tenant Users and User Roles

Deleting Tenant Users and User Roles from the Secure Private Cloud Portal

To delete tenant users, do the following:

1. From a workstation on the Public Network, sign in to the Secure Private Cloud portal using the URL in Table 2–2 and your Liferay administrator credentials.

2. From the Manage list (at the left of the top pane), click Control Panel.

3. In the left pane, under Portal, click Users.

   The Users page appears with a list of active users.

4. If you have not already deactivated the users you want to delete, do the following. If the users are already deactivated, skip to the next step.

   a. Select the check boxes next to the users whom you want to deactivate.

   b. Click Deactivate (at the top of the list of users) to deactivate the users.

5. From the Active list, select No, and then click Search.

   Note: You might have to click Advanced under the Search button to view the Active list.

   A list of the deactivated users appears.

6. Locate the users you want to delete, and select the check boxes next to the user names.

7. Click Delete (at the top of the list of users) to delete the selected users.

To delete a tenant user role, do the following:

1. From a workstation on the Public Network, sign in to the Secure Private Cloud portal using the URL in Table 2–2 and your Liferay administrator credentials.

2. From the Manage list (at the left of the top pane), click Control Panel.

3. In the left pane, under Portal, click Roles.

   The Roles page appears with a list of roles.

4. Locate the tenant user role you want to delete, click the Actions button for that user role, and then click View Users.

5. Verify that no users are associated with the role you are deleting.

   If any users are associated with the role, you should create a new role and reassign the users before continuing.

6. Locate the tenant user role you want to delete, click the Actions button for that user role, and then click Delete.

11.5.2. Removing a Tenant User Group from the Secure Private Cloud Portal

To remove a tenant user group, do the following:

1. From the Manage list (at the left of the top pane), click Control Panel.

2. In the left pane, under Portal, click User Groups.

   The User Groups page appears with a list of user groups.

3. Select the check box for a tenant user group you want to delete, and then click Delete.

11.5.3. Deleting Blueprints from the Secure Private Cloud Portal

Note: To delete a blueprint, you must first decommission the resources that have been commissioned using the blueprint. You receive the following error message when you try to delete a blueprint that has resources tied to it:

   There has been a problem processing your request.

To delete a blueprint from the Secure Private Cloud portal, do the following:

1. From a workstation on the Public Network, sign in to the Secure Private Cloud portal using the URL in Table 2–2 and your cloud administrator or cloud operator credentials.

2. Click Administration, and then click Manage Blueprints.

3. Under Manage Blueprints, select the tenant folder.

   The Blueprint pane is updated to list all blueprints associated with the tenant.

4. Under Blueprints, select the blueprint that you want to delete, and then click Delete Blueprint.

   A confirmation message appears.

5. Confirm that you want to delete the blueprint.

   The blueprint is deleted from the tenant and from all tenant projects with which it is associated.

6. Delete the blueprint from RBADB. See Removing a Blueprint from a Contract and Deleting a Blueprint.

11.5.4. Deleting a Tenant Organization

To delete a tenant organization, do the following.

Note: Before you delete a tenant organization, you must delete any associated users, user roles, and user groups.

1. From the Manage list (at the left of the top pane), click Control Panel.

2. In the left pane, under Portal, click Organizations.

   The Organizations page appears with a list of tenants.

3. Select the check box for the tenant organization that you want to delete, and then click Delete.

11.6. Removing a Tenant Contract and Tenant from RBADB

A tenant cannot be deleted if it is associated with a contract. To delete a tenant contract and then delete a tenant from RBADB, do the following:

1. From the jump box management VM, access RBADB using the URL in Table 2–2.

2. Log in with the RBADB Administrator credentials in Table 2–1.

3. Click Contracts in the left pane.

4. Select the contract for the tenant.

   You see the Contracted Resources page, which includes a table of associated blueprints.

5. Verify that there are no commissioned resources associated with the contract (that the values in the Deployed column are all 0). See Verifying that Commissioned Resources Are Not Associated with Tenants, Projects, or Blueprints.

6. Click Edit in the upper right of the screen.

7. Click Delete.

8. Click OK to confirm that you want to delete the contract.

9. Click Accounts in the left pane.

10. Select the tenant you want to delete.

11. Click Delete.

12. Click OK to confirm that you want to delete the tenant.

   The tenant is deleted, and any projects associated with the tenant are also automatically deleted.

13. Delete the blueprints associated with the tenant you deleted, as described in Removing a Blueprint from a Contract and Deleting a Blueprint.

11.7. Removing Tenants from uOrchestrate

To remove a tenant from uOrchestrate, do the following:

1. Open a console to the Cloud Orchestrator management VM.

2. Launch a Web browser, and access the uOrchestrate Operations Console using the URL in Table 2–2.

3. Log in to the Operations Console using the credentials in Table 2–1.

4. If you receive a message that the Operations Console has stopped polling, click OK.

5. In the Service Organization pane on the left, click the Registration service.

6. Expand Effectors in the right pane to view the effectors.

7. Under All Effectors, click removeTenantStructure.

   This effector removes a tenant and all associated projects. Type the name of the tenant that you want to delete in the tenant box.

8. Click Execute.

9. Check the result in the result pane.

   You should see the message “Success” when the process is complete.

10. If there were any errors encountered attempting to delete the tenant or project, resolve them, and then rerun the effector.

   For example, if you see an error message that states that a folder cannot be deleted because a resource is associated with it, delete the resource, and then rerun the effector.

11.8. Removing Tenant Resources and Departments from uChargeback

Note: The following procedure explains how to fully delete tenant resources and departments from uChargeback. However, if you want to archive projects (rather than deleting them) to ensure that you can continue to create historical reports, perform the procedure in 10.9.4 Archiving Projects in uChargeback.

To remove tenant resources and departments from uChargeback, do the following:

1. From a vSphere Client, open a console to the uChargeback management VM, and log in using the domain uChargeback administrator account from Table 1–10.

2. Access the uChargeback Administrator from the Start menu by pointing to All Programs, pointing to Unisys, pointing to uChargeback, and then clicking Administrator.

3. In the Object Browser tree in the left pane, expand the Departments tree, and then select Archived Servers.

   All of the tenant servers that have been decommissioned using the Cloud Orchestrator portal should be located in this department.

4. In the right pane, highlight the entire row for the server to be deleted by selecting the arrow in the far-left column.

5. Right-click the row, and select Delete Server.

6. Click Yes to confirm that you want to delete the server.

7. Repeat the previous three steps for each server you want to delete.

8. Ensure that no other servers belong to the tenant by doing the following:

   a. In the Object Browser tree in the left pane, expand the Managed Servers tree and view the list of servers.

   b. If any servers are assigned to departments that belong to the tenant, right-click the server name and select Delete Server.

9. Delete the tenant departments from uChargeback by doing the following:

   a. Expand the Departments tree and locate the tenant departments.

   b. Right-click a department name, and select Delete Department.

   c. In the delete confirmation dialog box, select Yes.

10. Close the uChargeback Administrator.

11.9. Removing a Stealth-Enabled VLAN from the<br />

Tenant Infrastructure<br />

The procedures in this topic describe how to remove a single Stealth-enabled VLAN from a<br />

tenant infrastructure, while maintaining the tenant infrastructure as a whole. If you are<br />

removing a tenant in its entirety, perform the procedures in 11.1 Stopping <strong>and</strong><br />

Decommissioning Virtual Machines through 11.8 Removing Tenant Resources <strong>and</strong><br />

Departments from uChargeback.<br />

Note: You cannot remove Stealth from commissioned Stealth-enabled virtual machines<br />

or existing Stealth-enabled VLANs, <strong>and</strong> you cannot add Stealth to already-commissioned<br />

virtual machines or existing VLANs that include resources. Note the following:<br />

• If you want to remove Stealth from any component, delete the current component <strong>and</strong><br />

recreate it using the appropriate template.<br />

• If you want to add Stealth to an already-commissioned virtual machine, delete the<br />

virtual machine <strong>and</strong> recreate it using the appropriate template.<br />

• If you want to add Stealth to an existing VLAN, perform the procedure in 8.1 Enabling<br />

Stealth for an Existing Tenant VLAN to delete the resources running on the VLAN <strong>and</strong><br />

then Stealth-enable the VLAN.<br />

Updating the Tenant Worksheet<br />

Update the tenant worksheet to remove the Stealth-enabled VLAN. Also remove the<br />

VLAN from any virtual machine blueprints. Then, export the tenant worksheet to the jump<br />

11–12 3850 6804–007


Removing Tenants <strong>and</strong> Components from the <strong>Cloud</strong> Environment<br />

box management VM, as described in 1.1.6 Exporting the Data.<br />

Stopping and Decommissioning Virtual Machines<br />

Decommission all virtual machines that were deployed on the Stealth-enabled VLAN, as described in 11.1 Stopping and Decommissioning Virtual Machines.<br />

Removing the Stealth Infrastructure VMs from vCenter<br />

1. From a vSphere Client connected to the vCenter Server, locate the Stealth Infrastructure VMs for the Stealth-enabled VLAN you are removing. The Stealth Infrastructure VMs are named using the following format:<br />

• SConfig<br />

• SProxy<br />

• SRelay<br />

• STM<br />

• SVSG<br />

2. Shut down each infrastructure VM, and then delete each infrastructure VM.<br />

Removing Stealth-Enabled VLAN Networking in vCenter<br />

1. Configure the tenant VLAN network appliance's network settings so that the network adapter connected to the associated clear text VLAN is set to the Interconnect network label.<br />

2. Verify that the Connected and Connect at power on check boxes for that network adapter are cleared.<br />

3. Remove the virtual machine port groups or the distributed virtual network switch port group associated with the Stealth-enabled VLAN.<br />

Each Stealth-enabled VLAN consists of a pair of VLANs: a clear text VLAN and an encrypted VLAN. Be sure to remove the virtual machine port groups or distributed virtual network switches associated with both of these VLANs from each workload server.<br />

Removing Management-Side Tenant VLAN Infrastructure<br />

Perform this procedure on the jump box management VM, the Cloud Orchestrator management VM, the uChargeback management VM, and the Stealth Licensing management VM. Do the following to remove the static routes to the tenant VLANs:<br />

1. From a vSphere Client, open a console to the management VM.<br />

2. Open a command prompt using the Run as Administrator option, and enter the following command to delete the static route for the tenant VLAN that you are deleting:<br />

route -p delete<br />

3. Repeat the previous steps on the next management VM.<br />


Removing VLAN Information from a Virtual Management Network Appliance<br />

If your Management Network Appliance is virtual, do the following to remove the tenant-specific VLAN information.<br />

Note: If your Management Network Appliance is physical, skip this procedure and perform the following procedure instead.<br />

1. From a vSphere Client, open a console to the Management Network Appliance virtual machine.<br />

2. Log on.<br />

3. Enter the following command:<br />

configure<br />

4. To remove the static routes to the tenant VLAN network appliance, do the following:<br />

a. Enter the following command, and note all routes to the tenant VLANs:<br />

show protocols static<br />

b. For each route to the tenant VLAN, enter the following command:<br />

delete protocols static route<br />

5. To remove the tenant firewall rules, do the following:<br />

a. Enter the following command, and note all the network entries that contain VLAN information for the tenant:<br />

show firewall group network-group TARGET_VM<br />

b. For each network entry that includes tenant VLAN information, enter the following command:<br />

delete firewall group network-group TARGET_VM network<br />

6. Enter the following commands to commit and save the changes:<br />

commit<br />

save<br />

exit<br />

Removing VLAN Information from a Physical Management Network Appliance<br />

If your Management Network Appliance is physical, do the following to remove the tenant-specific VLAN information.<br />



Notes:<br />

• If your Management Network Appliance is virtual, do not perform this procedure; instead, perform the previous procedure.<br />

• The following procedure uses commands appropriate for Cisco switches. If you have another brand of switch, you must adapt these commands for that switch.<br />

1. To remove the tenant VLAN IDs, enter the following command:<br />

no vlan<br />

2. To remove the tenant access lists, enter the following command:<br />

no access-list<br />

3. To remove the tenant access groups on the Management Access Network VLAN, enter the following commands:<br />

interface<br />

no ip access-group in<br />

no ip access-group out<br />

4. To remove the tenant VLAN IDs from each switchport interface to a workload server, enter the following commands:<br />

interface<br />

switchport trunk allowed vlan remove<br />

5. To remove the tenant routes, enter the following command:<br />

no ip route<br />

6. To remove any existing NAT rules, use no ip nat commands.<br />

Note: A physical switch must support NAT for these commands to apply. Refer to the documentation for your switch for more information on NAT and the specific commands that apply.<br />

Remove the following rules:<br />

a. Remove the management access network VLAN interface as the network subject to inside NAT translation.<br />

b. Remove the NAT rules that translate the and destination addresses to the address.<br />

7. Enter the following command to verify the configuration:<br />

show running-config<br />

8. Save the configuration by entering the following command:<br />

copy running-config startup-config<br />

You see the following prompt: Destination Filename [startup-config]?<br />

9. Press Enter.<br />


You see the response [OK].<br />
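Step 7 asks you to verify the configuration by reading show running-config; on a switch with many tenants that is easy to get wrong by eye. The following Python script is an added example (not Unisys or Cisco code) that scans a saved copy of the running configuration for anything that still references the tenant's VLAN ID, access list number or route prefix after steps 1 through 6. The configuration fragment and the tenant values in it are constructed for the example and deliberately leave three items behind; the names SAMPLE_RUNNING_CONFIG, TENANT_VLAN_ID, TENANT_ACL_ID and TENANT_ROUTE_PREFIX are this example's own.<br />

```python
"""Check a saved Cisco running-config for leftover references to a removed
tenant VLAN. Added example for this guide, not Unisys or Cisco code. The
configuration text and the tenant values below are constructed."""
import re

# Constructed sample of `show running-config` output captured after a partial
# cleanup: the VLAN definition and the access list are gone, but the trunk
# list, the access-group binding and the static route were missed.
SAMPLE_RUNNING_CONFIG = """\
!
vlan 2100
 name Tenant-Other
!
interface GigabitEthernet1/0/10
 switchport trunk allowed vlan 2100,2200
!
interface Vlan4000
 ip access-group 2101 in
!
ip route 10.21.0.0 255.255.0.0 172.31.1.1
"""

# Values an administrator would take from the tenant worksheet (placeholders).
TENANT_VLAN_ID = 2200
TENANT_ACL_ID = 2101
TENANT_ROUTE_PREFIX = "10.21.0.0"


def parse_allowed_vlans(spec):
    """Expand a 'switchport trunk allowed vlan' list such as '10,20-22'."""
    vlans = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def find_residual_references(config, vlan_id, acl_id, route_prefix):
    """Return config lines that still reference the tenant VLAN, ACL or route.

    Interface sub-commands are reported as '<interface line>: <sub-command>'
    so the operator can see which interface still carries the leftover."""
    hits = []
    current_if = None
    for raw in config.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            continue
        if not raw.startswith(" "):
            # Top-level command: remember it only if it opens an interface.
            current_if = stripped if stripped.startswith("interface ") else None
        # Global VLAN definition, exact ID only ('vlan 2200', not 'vlan 22000').
        if re.fullmatch(rf"vlan {vlan_id}", stripped):
            hits.append(stripped)
        # Trunk allowed list on a switchport, possibly using ranges.
        m = re.match(r"switchport trunk allowed vlan (add )?([\d,\-]+)$", stripped)
        if m and vlan_id in parse_allowed_vlans(m.group(2)):
            hits.append(f"{current_if}: {stripped}")
        # Access list still defined, or still bound to an interface.
        if re.match(rf"access-list {acl_id}\b", stripped):
            hits.append(stripped)
        if re.fullmatch(rf"ip access-group {acl_id} (in|out)", stripped):
            hits.append(f"{current_if}: {stripped}")
        # Static route towards the tenant prefix.
        if re.match(rf"ip route {re.escape(route_prefix)}\b", stripped):
            hits.append(stripped)
    return hits


if __name__ == "__main__":
    leftovers = find_residual_references(
        SAMPLE_RUNNING_CONFIG, TENANT_VLAN_ID, TENANT_ACL_ID, TENANT_ROUTE_PREFIX)
    for hit in leftovers:
        print("leftover:", hit)
    print("clean" if not leftovers else f"{len(leftovers)} item(s) still reference the tenant")
```

Run it against the output of show running-config saved to a file from a terminal session; an empty result is the condition you want before saving with copy running-config startup-config. The check looks only for the artifacts this procedure creates, so NAT rules (step 6) still need to be reviewed by hand for your switch model.<br />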


Removing the Tenant VLAN Definition in RBADB<br />

1. From the jump box management VM, access RBADB using the URL in Table 2–2.<br />

2. Log in using the RBADB administrator credentials.<br />

3. Select Accounts in the left pane.<br />

4. Locate the tenant whose VLAN you are removing, and click the VLANs link for that tenant.<br />

5. Locate the Stealth-enabled VLAN that you are removing, and click the Edit VLAN link for that VLAN.<br />

6. On the VLAN page, click Delete to delete the VLAN definition from the tenant.<br />

Updating Blueprints Associated with the VLAN<br />

Using the Secure Private Cloud portal, delete or edit each blueprint that references the VLAN you are removing, so that the VLAN cannot be used for virtual machines commissioned from the blueprint.<br />



Section 12<br />

Troubleshooting<br />

Use the procedures in this section to troubleshoot your Secure Private Cloud environment.<br />

12.1. Troubleshooting Errors When Using a Secure Private Cloud Workbook<br />

Error messages similar to the following can appear when you are working with a Secure Private Cloud workbook:<br />

Could not load an object because it is not available on this machine.<br />

Object Library invalid or contains references to object definitions that could not be found.<br />

Compile error in hidden module.<br />

Microsoft Office Excel has encountered a problem and needs to close.<br />

Error messages can appear at the following times:<br />

• After opening a workbook<br />

• After enabling macros while a workbook is open<br />

• When hovering the cursor over a button in the workbook<br />

These errors can occur when the locally cached versions of controls for Microsoft Office Excel become unusable after you receive new software security updates or other updates from Microsoft Corporation. For more information, refer to the Microsoft article titled "EXD files are created when you insert controls" at the following URL:<br />

http://support.microsoft.com/kb/290537<br />

An example of a security update that can cause this problem is MS12-027: Security Update for Office 2010: April 10, 2012, as described at the following URL:<br />

http://support.microsoft.com/kb/2598039<br />


Resolution:<br />

1. Close the workbook without saving changes.<br />

Caution<br />

It is important not to save changes, or the controls in the workbook might be deleted automatically.<br />

2. Close any copies of Excel or other Microsoft Office programs that are currently running.<br />

3. Search for and delete all *.exd files on your hard disk, as follows:<br />

Note: The following steps are for Windows 7 environments. If you have a different Windows environment, modify the steps as needed.<br />

a. Open File Explorer, and click Folder and Search Options on the Organize menu.<br />

The Folder Options dialog box opens.<br />

b. Select the Search tab, and then select the Include system directories check box under the When searching non-indexed locations heading.<br />

c. Select the View tab and do the following in the Advanced settings list:<br />

• Select the Show Hidden Files, Folders, and Drives option under the Hidden Files and Folders heading.<br />

• Clear the Hide Extensions for Known File Types check box.<br />

d. Click OK.<br />

e. In the left pane, expand Computer and double-click the name of your hard drive.<br />

The hard drive name and identifier (such as C:) appears in the address field at the top of the window.<br />

f. Click the search box at the upper right of the window, enter the following, and press Enter:<br />

*.exd<br />

The search begins, and a progress bar monitors the search process. A list appears containing the files that meet the search criteria.<br />

g. Delete all the *.exd files in the search list.<br />

Note: For the specific paths to *.exd files, refer to the knowledge base article at the following URL:<br />

http://support.unisys.com/common/ShowWebPage.aspx?id=5896&pla=SPC&nav=SPC<br />



12.2. Troubleshooting Signing In to the Secure Private Cloud Portal<br />

The first time you sign in to the Secure Private Cloud portal, you might see an error message about a security certificate in your browser window. The specific message and your response depend on your browser, as follows:<br />

• Internet Explorer version 8 displays an error message in red on the right of the address line that states there is no certificate. Click Certificate Error to view and install the certificate.<br />

• Mozilla Firefox versions 3.6 and higher display a message about the lack of a security certificate and provide a link to add an exception. Click the link and identify the certificate.<br />

If you continue to see an error message on the address line, ignore it as long as you can sign in to the portal. After you satisfy the certificate error issue, the Sign In dialog box appears.<br />

12.3. Handling Suspended, Failed, and Aborted Jobs<br />

Understanding Failed Requests<br />

If a user requests an action for a virtual machine or a physical server, and that task fails, you receive a message (by e-mail, by Remedy ITSM ticket, or by both) that there has been a failed job. The user sees the status of the failed job in the Secure Private Cloud portal. To see details, you can sign in to the Secure Private Cloud portal using the credentials of the user who made the original request.<br />

There is no requirement to delete failed or aborted jobs; however, you should review the status of the job using the Secure Private Cloud portal to try to determine why the failure occurred. After the problem has been resolved, you might need to direct the user to perform the same action again.<br />

Handling Suspended Build Requests for Virtual Machines<br />

If a user submits a request for a new virtual machine, and there is not enough space available in the datastore, the build request is suspended, and you receive a message (by e-mail, by Remedy ITSM ticket, or by both) notifying you of the problem. Do the following:<br />

1. Define a new datastore or increase the size of the existing datastore using VMware vCenter.<br />

Detailed instructions on how to complete these procedures are explained in the VMware documentation.<br />

2. From a workstation on the Public Network, sign in to the Secure Private Cloud portal using the URL in Table 2–2 and your cloud administrator or cloud operator credentials.<br />

3. Locate the pending authorization, and accept the request.<br />


If you performed the operation to define a new datastore or increase the existing datastore, the request should be processed. If you did not define a new datastore, or if the datastore you defined was not sufficient, you are notified by e-mail, by Remedy ITSM ticket, or by both.<br />

If you cannot define a new datastore or adjust the existing datastore, you can decline the user request, and the new virtual machine is not created.<br />

12.4. Troubleshooting Machine Names<br />

During the initial planning of your Secure Private Cloud environment, you were prompted to determine how virtual machine and physical server host names should be configured. The two configuration options are as follows:<br />

• Use the host name provided by the user in the machine request.<br />

• Use an automatically generated host name (up to 11 characters, customized for your environment, followed by a four-digit, leading-zero-filled number).<br />

Enabling users to provide their own virtual machine and physical server host names improves usability and gives users the flexibility to choose host names as they desire. However, this method also increases the likelihood that users experience errors when requesting new machines, because the host names must meet all of the following requirements:<br />

• Must contain between one and 15 characters.<br />

• Must include only letters, numbers, and hyphens (-); however, cannot begin or end with a hyphen.<br />

• Must not consist entirely of numbers.<br />

• Must not already exist in the workload environment.<br />

• Must not already exist in DNS at the time that the system is commissioned.<br />

The Unisys service consultant configures this global setting. You can override this setting on a blueprint-specific basis using the Machine Name attribute when you configure blueprints. Refer to Table 6–5 for more information.<br />
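The five host name requirements above are the checks a request fails against, so it helps to have them in one place when you are explaining a rejected request to a user. The following Python is an added example (not Secure Private Cloud portal code) that reports every rule a proposed name violates, and also builds the next automatically generated name in the "up to 11 characters plus a four-digit, zero-filled number" form described in the first option. The names in EXISTING_WORKLOAD_NAMES and KNOWN_DNS_NAMES are constructed for the example, and the dns_lookup hook is this example's own way of keeping the DNS check offline.<br />

```python
"""Host name checks for the rules in 12.4. Added example for this guide, not
part of the Secure Private Cloud portal. The name sets below are constructed."""
import re

# Letters, digits and hyphens only; no leading or trailing hyphen.
_ALLOWED = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")

# Constructed sample data standing in for vCenter/uAdapt inventory and DNS.
EXISTING_WORKLOAD_NAMES = {"app01", "db01", "spcweb0001", "SPCWEB0002"}
KNOWN_DNS_NAMES = {"db01", "mail"}


def sample_dns_lookup(name):
    """Offline stand-in for a DNS query: True when the name already resolves."""
    return name.lower() in KNOWN_DNS_NAMES


def host_name_problems(name, existing_workload_names=(), dns_lookup=None):
    """Return the list of rule violations for `name`; an empty list means valid.

    existing_workload_names: names already commissioned in the workload
        environment (host names compare case-insensitively).
    dns_lookup: optional callable(name) -> bool for the "already in DNS" rule;
        pass None to skip it, for example when checking offline.
    """
    problems = []
    if not 1 <= len(name) <= 15:
        problems.append("must contain between 1 and 15 characters")
    if not _ALLOWED.match(name):
        problems.append("must use only letters, numbers and hyphens, "
                        "and must not begin or end with a hyphen")
    if name.isdigit():
        problems.append("must not consist entirely of numbers")
    if name.lower() in {n.lower() for n in existing_workload_names}:
        problems.append("already exists in the workload environment")
    if dns_lookup is not None and dns_lookup(name):
        problems.append("already exists in DNS")
    return problems


def next_generated_name(prefix, used_names):
    """Build the next automatically generated name: the environment prefix (up
    to 11 characters) followed by a four-digit, zero-filled sequence number.
    11 + 4 characters keeps the result inside the 15-character limit."""
    if not 1 <= len(prefix) <= 11:
        raise ValueError("prefix must be 1 to 11 characters")
    used = {n.lower() for n in used_names}
    for n in range(1, 10000):
        candidate = f"{prefix}{n:04d}"
        if candidate.lower() not in used:
            return candidate
    raise RuntimeError("sequence numbers exhausted for this prefix")


if __name__ == "__main__":
    for candidate in ("web-01", "-web01", "12345", "App01", "db02", "a" * 16):
        found = host_name_problems(candidate, EXISTING_WORKLOAD_NAMES, sample_dns_lookup)
        print(f"{candidate!r}: {'ok' if not found else '; '.join(found)}")
    print("next generated:", next_generated_name("spcweb", EXISTING_WORKLOAD_NAMES))
```

Because the last two rules depend on live inventory and DNS, a name that passes this check at request time can still be rejected at commissioning if another request took it in between; the "at the time that the system is commissioned" wording in the rule is deliberate.<br />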

12.5. Troubleshooting Physical Server Resources<br />

When a user requests that you commission a physical server for his or her use, he or she has no way to know whether physical server resources of the type requested are available. You can verify whether physical servers are available using uAdapt.<br />

If all of your physical servers are currently in use, you can do the following:<br />

• Decommission one of the physical servers currently in use and reallocate the server resources to a new user. See 10.4.3 Decommissioning Physical Servers (Releasing Physical Server Resources) for more information.<br />

• Request that your Unisys service consultant expand your Secure Private Cloud configuration to add additional server resources.<br />



12.6. Configuring the Virtual Management Network Appliance with a VMware License Restriction<br />

If you are not able to configure the virtual Management Network Appliance as described in 5.4.1 Configuring the Virtual Management Network Appliance for a New VLAN or 8.5.5 Configuring the Management Network Appliance to Use a New Intercom Network IP Address because of a VMware license restriction, this topic provides an alternative configuration method.<br />

The procedures in this topic use an active network connection between the jump box management VM and the Management Network Appliance; therefore, you might be required to temporarily change the jump box management VM network configuration.<br />

12.6.1. Configuring the Virtual Management Network Appliance for a New VLAN (with a VMware License Restriction)<br />

This procedure performs the same function as 5.4.1 Configuring the Virtual Management Network Appliance for a New VLAN. If you are unable to complete the procedure in 5.4.1 Configuring the Virtual Management Network Appliance for a New VLAN due to a VMware license restriction, perform the following steps:<br />

1. Access the console for the jump box management VM.<br />

2. Launch the PowerShell (x86) window by clicking Start, pointing to All Programs, pointing to Accessories, pointing to Windows PowerShell, and clicking Windows PowerShell (x86).<br />

3. Enter the following command to determine whether the current IP address on the jump box management VM is compatible with the current IP address of the Management Network Appliance on the Intercom Network:<br />

ping<br />

4. If you do not receive a response from the ping, temporarily assign the jump box management VM an IP address for the Intercom Network connection that is compatible with the current IP address of the Management Network Appliance.<br />

5. Enter the following command:<br />

.\Config-TenantOnMNA.ps1 -usePutty $true -tenantXML ""<br />

where the -tenantXML value is the XML file name for the tenant workbook. Be sure to include the .xml extension in the name.<br />

If necessary, include the following parameters in the command:<br />

• If the root user on the Management Server is using an updated password, include<br />

-hostUserPw<br />

• If the vyatta user on the Management Network Appliance is using an updated password, include<br />

-vmUserPw<br />

For example, enter the following for a tenant named Example with updated credentials for the vyatta user on the Management Network Appliance:<br />

.\Config-TenantOnMNA.ps1 -usePutty $true -tenantXML "Tenant-Example.xml" -vmUserPw myNewPw<br />

6. If you changed the jump box management VM IP address, reset it to the previous IP address in Table 1–5.<br />

7. Return to 5.4.1 Configuring the Virtual Management Network Appliance for a New VLAN, and perform the CHECKPOINT.<br />

12.6.2. Configuring the Virtual Management Network Appliance to Use a New Intercom Network IP Address (with a VMware License Restriction)<br />

This procedure performs the same function as 8.5.5 Configuring the Management Network Appliance to Use a New Intercom Network IP Address. If you are unable to complete the procedure in 8.5.5 Configuring the Management Network Appliance to Use a New Intercom Network IP Address due to a VMware license restriction, perform the following steps:<br />

1. Access the console for the jump box management VM.<br />

2. Launch the PowerShell (x86) window by clicking Start, pointing to All Programs, pointing to Accessories, pointing to Windows PowerShell, and clicking Windows PowerShell (x86).<br />

3. Enter the following command to determine whether the current IP address on the jump box management VM is compatible with the default IP address of the Management Network Appliance on the Intercom Network:<br />

ping 172.31.1.200<br />

4. If you do not receive a response from the ping, temporarily assign the jump box management VM an IP address for the Intercom Network connection that is compatible with the default IP address of the Management Network Appliance.<br />

Note: The default IP address of the Management Network Appliance is 172.31.1.200.<br />

5. Enter the following command:<br />

.\Config-MNAicom.ps1 -usePutty $true<br />

If the vyatta user on the Management Network Appliance is using an updated password, include the following parameter:<br />

-vmUserPw<br />

For example, enter<br />

.\Config-MNAicom.ps1 -usePutty $true -vmUserPw myNewPw<br />

6. Open a console to the Management Network Appliance and sign in using the vyatta user credentials from Table 2–1.<br />



7. Enter the following command:<br />

Config-MNAicom.sh<br />

8. If you changed the jump box management VM IP address, reset it to the previous IP address in Table 1–5.<br />

9. Return to 8.5.5 Configuring the Management Network Appliance to Use a New Intercom Network IP Address, and perform the CHECKPOINT.<br />

12.7. Troubleshooting Onboarding Tenants and Users<br />

Perform the procedures in this topic if you have any problems onboarding tenants and users.<br />

12.7.1. Troubleshooting Sign In Problems Due to an Unknown E-mail Suffix<br />

When a new user signs in to the Secure Private Cloud portal for the first time, the credentials are validated using Active Directory, and then the user is assigned to the default user role for the organization (based on the e-mail address suffix used to sign in). For example, if the e-mail suffix for the cloud provider is cloudprovider.com as configured in Table 1–8, a new user who signs in as john.doe@cloudprovider.com is automatically assigned to the default cloud provider user role.<br />

New tenant users who sign in to the portal for the first time are assigned to the default role for their tenant organization in the same way, based on the tenant e-mail suffix in Table 1–24.<br />

If a user signs in and his or her e-mail suffix is not recognized, do the following to assign that user to the appropriate organization:<br />

1. Sign in to the Secure Cloud Portal using the URL from Table 2–2 and the Liferay administrator credentials from Table 2–1.<br />

2. Click OK when you receive one or more errors that there has been an error processing your request or that you do not have permission to view requests.<br />

3. At the top of the window, directly below the browser address bar, select Manage, and then click Control Panel.<br />

4. In the left pane, under Portal, click Users.<br />

The Users page appears.<br />

5. Using the First Name, Last Name, or Email Address boxes, search for the user who does not have an organization assigned.<br />

Note: You might have to click Advanced to see all available search fields.<br />

6. When you locate the user, click the user name.<br />

The Details page appears containing the details of the user.<br />


7. In the right pane, click Organizations.<br />

8. Click Select to assign the user to an organization.<br />

The Organizations window appears.<br />

9. Select one of the listed organizations.<br />

Note: You can search for an organization, if required.<br />

10. At the bottom of the right pane, click Save.<br />

12.7.2. Verifying and Updating the E-mail Suffixes for an Organization<br />

Use this procedure to verify, and if necessary update, the e-mail suffixes for an organization. (Users are automatically assigned to the appropriate organization based on their e-mail address suffix.) Do the following:<br />

1. Sign in to the Secure Cloud Portal using the URL from Table 2–2 and the Liferay administrator credentials from Table 2–1.<br />

2. Click OK when you receive one or more errors that there has been an error processing your request or that you do not have permission to view requests.<br />

3. At the top of the window, directly below the browser address bar, select Manage, and then click Control Panel.<br />

4. In the left pane, under Portal, click Organizations.<br />

The Organizations page appears.<br />

5. Click Cloud to update the e-mail suffixes for your cloud organization, or click a tenant name to update the e-mail suffixes for that tenant.<br />

6. On the organization page, in the right pane, click Custom Fields.<br />

The Custom Fields page appears.<br />

7. In the Organization Alias box, verify the existing e-mail suffixes.<br />

8. If required, type one or more additional e-mail suffixes.<br />

Separate the new suffixes with a comma, or add each new suffix on a new line.<br />

9. At the bottom of the right pane, click Save.<br />

12.7.3. Verifying and Updating the Default Role for an Organization<br />

Use this procedure to verify, and if necessary update, the default role for an organization. (Users are automatically assigned to a default role in an organization based on their e-mail address suffix.) Do the following:<br />

1. Sign in to the Secure Cloud Portal using the URL from Table 2–2 and the Liferay administrator credentials from Table 2–1.<br />

2. Click OK when you receive one or more errors that there has been an error processing your request or that you do not have permission to view requests.<br />



3. At the top of the window, directly below the browser address bar, select Manage, and then click Control Panel.<br />

4. In the left pane, under Portal, click Organizations.<br />

The Organizations page appears.<br />

5. Click Cloud to update the default role for your cloud organization, or click a tenant name to update the default role for that tenant.<br />

6. On the organization page, in the right pane, click Custom Fields.<br />

The Custom Fields page appears.<br />

7. In the Default Role Name box, verify the current default role.<br />

8. If required, enter a new default role name, as follows:<br />

• _Administrators<br />

• _Operators<br />

• _Users<br />

Caution<br />

Users who sign in to the Secure Private Cloud portal using an e-mail address suffix associated with an organization are automatically assigned to the default role for that organization. Be very careful before reassigning the default role to Administrator or Operator, because this gives new users the ability to change portal settings and resources.<br />

9. At the bottom of the right pane, click Save.<br />
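Sections 12.7.1 through 12.7.3 describe one rule from three sides: the suffix after the @ in a first-time sign-in selects the organization (via the Organization Alias box, comma- or newline-separated) and therefore the Default Role Name. The following Python is an added example (not Liferay or Secure Private Cloud code) that applies that rule to a sign-in address and reports the organization and default role it would land in, returning None for an unrecognized suffix so the user can be assigned by hand as in 12.7.1. It also lists organizations whose default role is an administrator or operator role, which is the condition the Caution above warns about. The organization table ORGANIZATIONS and its alias and role values are constructed for the example; exact, case-insensitive matching of the whole suffix is this example's assumption about how the portal compares suffixes.<br />

```python
"""E-mail suffix to organization/default role resolution, as described in
12.7.1 to 12.7.3. Added example for this guide, not Liferay or Secure Private
Cloud code. The organization table below is constructed."""


def parse_aliases(alias_box_value):
    """Split an Organization Alias box value into normalised suffixes.
    The box accepts suffixes separated by commas or one per line."""
    raw = alias_box_value.replace("\n", ",").split(",")
    return [a.strip().lower().lstrip("@") for a in raw if a.strip()]


# Constructed sample: Organization Alias and Default Role Name per organization.
ORGANIZATIONS = {
    "Cloud": {"aliases": "cloudprovider.com", "default_role": "CLOUD_Users"},
    "Tenant-Example": {"aliases": "example.com,\n example.co.uk\n",
                       "default_role": "EXAMPLE_Users"},
    "Tenant-Acme": {"aliases": "acme.test", "default_role": "ACME_Operators"},
}


def resolve_sign_in(email, organizations=ORGANIZATIONS):
    """Return (organization name, default role) for a first-time sign-in.

    Returns None when the suffix matches no organization, which is the
    situation 12.7.1 resolves manually. The whole suffix must match an alias
    exactly (assumption of this example), so 'notcloudprovider.com' does not
    match 'cloudprovider.com', and an address with more than one '@' is
    rejected rather than guessed at."""
    if email.count("@") != 1:
        return None
    suffix = email.rsplit("@", 1)[1].strip().lower()
    if not suffix:
        return None
    for org_name, org in organizations.items():
        if suffix in parse_aliases(org["aliases"]):
            return org_name, org["default_role"]
    return None


def privileged_default_roles(organizations=ORGANIZATIONS):
    """Names of organizations whose default role grants administrator or
    operator rights to anyone who signs in with a matching suffix."""
    return [name for name, org in organizations.items()
            if org["default_role"].endswith(("_Administrators", "_Operators"))]


if __name__ == "__main__":
    for address in ("john.doe@cloudprovider.com", "Jane@Example.CO.UK",
                    "someone@unknown.org"):
        print(address, "->", resolve_sign_in(address))
    print("organizations with a privileged default role:", privileged_default_roles())
```

Running privileged_default_roles over your real organization list (copied from the Custom Fields pages) is a quick way to audit the condition the Caution describes: any organization it returns hands elevated rights to every new address that matches its aliases, so its alias list deserves the same scrutiny as its membership.<br />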

12.7.4. Updating the Default Project for a Tenant<br />

Note: This procedure applies only to tenant organizations. Cloud administrators and cloud operators are not assigned to projects, because they are able to administer all tenants and projects.<br />

Use this procedure to verify, and if necessary update, the default project for a tenant. (Users are automatically assigned to a default project in an organization based on their e-mail address suffix.) Do the following:<br />

1. Sign in to the Secure Cloud Portal using the URL from Table 2–2 and the Liferay administrator credentials from Table 2–1.<br />

2. Click OK when you receive one or more errors that there has been an error processing your request or that you do not have permission to view requests.<br />

3. At the top of the window, directly below the browser address bar, select Manage, and then click Control Panel.<br />

4. In the left pane, under Portal, click Organizations.<br />


The Organizations page appears.<br />

5. Click a tenant name to update the default project for that tenant.<br />

6. On the organization page, in the right pane, click Custom Fields.<br />

The Custom Fields page appears.<br />

7. In the Default Project Name box, verify the current default project.<br />

8. If required, enter a new default project name. The default project must exist in<br />

Table 1–40.<br />

9. At the bottom of the right pane, click Save.<br />

12.7.5. Troubleshooting Tenant Permissions in the <strong>Secure</strong><br />

<strong>Private</strong> <strong>Cloud</strong> Portal<br />

Tenant user roles are automatically assigned permissions in the <strong>Secure</strong> <strong>Private</strong> <strong>Cloud</strong><br />

portal, <strong>and</strong> tenant personnel can access applications <strong>and</strong> data based on the permissions<br />

defined for the user role to which they are assigned. If you need to verify that these roles<br />

are correct or change them, do the following.<br />

Caution<br />

Be very careful when viewing <strong>and</strong> changing permissions. If you change<br />

permissions for your cloud personnel <strong>and</strong> remove editing privileges from all<br />

users, you could make your cloud environment completely unusable. If you<br />

change permissions for tenant personnel, you could compromise security if<br />

tenant users are allowed to see other tenants’ components.<br />

Do NOT make any permissions changes unless you are certain how these<br />

changes will impact your cloud environment <strong>and</strong> your tenants.<br />

1. Sign in to the Secure Cloud Portal using the URL from Table 2–2 and the Liferay administrator credentials from Table 2–1.

2. Click OK when you receive one or more errors that there has been an error processing your request or that you do not have permission to view requests.

3. At the top of the window, directly below the browser address bar, select Manage, and then click Control Panel.

4. In the left pane of the Control Panel, under Portal, click Roles.

5. Click Actions next to each role name, and then click Define Permissions to verify that the permissions for the selected role are defined correctly.

The permissions for each role are defined in Table 12–1.

6. If you want to remove a permission, click Delete in the permission role.

7. If you want to add additional permissions, click a permission type in the Resource Set column, and then select one or more check boxes to add permissions.

For example, if you want your Tenant Administrators to be able to add Help content, click Help under Resource Set, and then select the Add to Page check box.

Alternatively, from the roles page on the Define Permissions tab, you can select a permission type under the Applications group from the Add Permissions list, and then select one or more check boxes to add permissions.

8. Click Save to save your changes.

Table 12–1. Tenant Role Permissions

Resource Set         | Action                    | Machine Owner  | Tenant Administrators | Tenant Operators | Tenant Users
Help                 | Add to Page               | Not applicable | No                    | No               | No
Help                 | Configuration             | Not applicable | No                    | No               | No
Help                 | View                      | Not applicable | Yes                   | Yes              | Yes
Request Details      | Add to Page               | Not applicable | No                    | No               | No
Request Details      | Configuration             | Not applicable | No                    | No               | No
Request Details      | Preferences               | Not applicable | No                    | No               | No
Request Details      | View                      | Not applicable | Yes                   | Yes              | Yes
Request Overview     | Add to Page               | No             | No                    | No               | No
Request Overview     | Configuration             | No             | No                    | No               | No
Request Overview     | Preferences               | Yes            | Yes                   | Yes              | Yes
Request Overview     | View                      | No             | Yes                   | Yes              | Yes
Request Overview     | View Requests             | Yes            | Yes                   | Yes              | No
Request Status       | Add to Page               | Not applicable | No                    | No               | No
Request Status       | Configuration             | Not applicable | No                    | No               | No
Request Status       | View                      | Not applicable | Yes                   | Yes              | Yes
Resource Details     | Add to Page               | Not applicable | No                    | No               | No
Resource Details     | Configuration             | Not applicable | No                    | No               | No
Resource Details     | Preferences               | Not applicable | No                    | No               | No
Resource Details     | View                      | Not applicable | Yes                   | Yes              | Yes
Resource Overview    | Add to Page               | No             | No                    | No               | No
Resource Overview    | Change Lease              | Yes            | Yes                   | Yes              | No
Resource Overview    | Change Owner              | No             | Yes                   | No               | No
Resource Overview    | Configuration             | No             | No                    | No               | No
Resource Overview    | Create Snapshot           | Yes            | Yes                   | Yes              | No
Resource Overview    | Decommission Resource     | Yes            | Yes                   | Yes              | No
Resource Overview    | Delete Snapshot           | Yes            | Yes                   | Yes              | No
Resource Overview    | Detach Resource           | No             | No                    | No               | No
Resource Overview    | Preferences               | Yes            | Yes                   | Yes              | Yes
Resource Overview    | Revert Snapshot           | Yes            | Yes                   | Yes              | No
Resource Overview    | Start Resource            | Yes            | Yes                   | Yes              | No
Resource Overview    | Stop Resource             | Yes            | Yes                   | Yes              | No
Resource Overview    | Suspend Resource          | Yes            | Yes                   | Yes              | No
Resource Overview    | View                      | No             | Yes                   | Yes              | Yes
Resource Overview    | View Resources            | Yes            | Yes                   | Yes              | No
Commission Resources | Add to Page               | No             | No                    | No               | No
Commission Resources | Commission                | Not applicable | Yes                   | No               | Yes
Commission Resources | Configuration             | No             | No                    | No               | No
Commission Resources | Delete Blueprint          | Not applicable | No                    | No               | No
Commission Resources | Edit Blueprint            | Not applicable | No                    | No               | No
Commission Resources | View                      | Not applicable | Yes                   | Yes              | Yes
Commission Resources | View Tenants and Projects | Yes            | Yes                   | Yes              | Yes
Role Membership      | View Role membership      | Not applicable | Yes                   | No               | No
Role Membership      | Assign Project            | Not applicable | Yes                   | No               | No
Role Membership      | Assign Role               | Not applicable | Yes                   | No               | No
Role Membership      | Assign Project            | Not applicable | Yes                   | No               | No
Role Membership      | Assign Role               | Not applicable | Yes                   | No               | No
Role Membership      | View                      | Not applicable | Yes                   | No               | No



12.8. Resolving Secure Private Cloud Portal Messages

This section describes messages you might receive when using the Secure Private Cloud portal and how to resolve them.

Error Message:

Out of Memory at line: x

Resolution:

Restart the browser.

Error Message:

Rejected Commission Request. Approval Denied (Blueprint is not a Contracted Resource)

This error message occurs when a cloud administrator attempts to commission a blueprint for one tenant using the project for another tenant.

Resolution:

When commissioning resources for testing purposes, cloud administrators should ensure that they use a blueprint and a project associated with the same tenant.

Note: This error only occurs for cloud administrators, who can view multiple tenant blueprints and projects, and should never appear to tenant end users.

Error Message:

Approval Denied. (Project contracted limits exceeded.)

The message occurs when the contract limit for the project is exceeded.

Resolution:

Increase the tenant contract limit or the project contract limit by updating the workbook and then running the Populator effector. See 6.1 Updating Cloud Provider or Adding Tenant Information in the Secure Private Cloud Environment for additional information.

Error Message:

User does not have permission to view Requests/Resources/Operator Prompts

This message occurs when the user’s role does not have permission to view requests, view resources, or view operator prompts.

Resolution:

Assign the user a role with greater privileges.

See Section 7, Onboarding Tenants, Creating Users, and Assigning Roles, and 12.7.5 Troubleshooting Tenant Permissions in the Secure Private Cloud Portal for additional information.

Error Message:

Unique User ID Custom Field Value is missing.

This message occurs when the Uniqueuserid field is empty for the user in the Control Panel. This could happen if the user’s uniqueuserid was accidentally removed from the Secure Private Cloud portal Control Panel.

Resolution:

Enter the value for the Uniqueuserid field by doing the following:

1. From a workstation on the Public Network, sign in to the Secure Private Cloud portal using the URL in Table 2–2 and your Liferay administrator credentials.

2. From the Manage list (at the left of the top pane), click Control Panel.

3. Click Users under Portal in the left pane.

The Users page appears.

4. Click Actions next to the user name corresponding to the user for which you want to verify the Uniqueuserid value, and then click Edit.

The Details page appears.

5. Make a note of the value in the Screen Name box.

6. Click Custom Fields under Miscellaneous in the left pane.

7. Type the following in the Uniqueuserid box, based on the user’s organization:

• For cloud administrators and operators, type SPC_

• For tenant administrators, operators, and users, type _.

For example, if John J Smith is an SPC administrator and his Screen Name is smithjj1, type SPC_smithjj1.

8. Click Save.

See Section 7, Onboarding Tenants, Creating Users, and Assigning Roles, for additional information.

Error Message:

Department Custom Field Value is missing.

The message occurs when the Department field is empty for the user in the Control Panel.



Resolution:

Enter the value for the user in the Department field.

See Section 7, Onboarding Tenants, Creating Users, and Assigning Roles, for additional information.

Error Message:

REASON FOR FAILURE: Commission postAction failed; consult the message log for details

The message occurs when the commissioning of a resource (virtual machine) fails.

Go to the operator prompt for the request. The following message appears in the Request Details pane:

new Axis Fault: (403)Forbidden

On the Cloud Orchestrator management VM, the Unisys Secure Private Cloud UCO service failed to add the new resource to uChargeback because of a problem with the uChargeback credentials. In Table 1–10, the credentials are referred to as the uChargeback Service credentials and Cloud Orchestration Runbook credentials.

The following problems might exist:

• The passwords might have expired.

• The Cloud Orchestrator management VM might have been configured with incorrect user names or passwords for these accounts. This could happen, for example, if you changed the credentials for the cloud and later upgraded the cloud to a new software level without first updating the CloudProvider.xml on the jump box management VM.

To troubleshoot the problem, perform the following steps on the Cloud Orchestrator management VM:

1. Open the following file in Notepad:

C:\Program Files (x86)\Apache Software Foundation\Tomcat 6.0\webapps\platform\WEB-INF\classes\platformapi-config.properties

2. Make a note of the values listed for the following items (the credentials for the uChargeback service):

• provider.metric.domain

• provider.metric.user

• provider.metric.pass

3. Open the following file in Notepad:

C:\Unisys\UCO\conf\uChargebackSecurityConfig.xml

4. Make a note of the values listed for the following items (the credentials for the Cloud Orchestration Runbook account):

• ems:Request username

• ems:HttpAuthentication password

5. Log out of Windows.

6. Try to log in using the uChargeback service credentials, making a note of any problems that occur.

• If the login fails, the user name or password is incorrect.

• If the login succeeds but Windows prompts you to enter a new password, the password has expired.

7. Try to log in using the Cloud Orchestration Runbook credentials, making a note of any problems that occur.

• If the login fails, the user name or password is incorrect.

• If the login succeeds but Windows prompts you to enter a new password, the password has expired.

Resolution:

You can resolve an incorrect user name or password as follows:

1. Open the Secure Private Cloud workbook using Excel.

2. Inspect the values for the uChargeback Service credentials and Cloud Orchestration Runbook credentials in Table 1–10, and change these values if desired.

3. Click Export on the Table of Contents to export the Cloud Provider worksheet as CloudProvider.xml.

4. In the domain controller for your cloud, modify the existing accounts to match the user name and password that you entered in the workbook.

5. Upload the new version of the CloudProvider.xml file to the following location on the jump box management VM:

C:\ProgramData\Unisys\SPC-Automation\xml

6. Open the PowerShell prompt and run the following script:

Config-UCO-SystemProp.ps1

7. Restart the following services on the Cloud Orchestrator management VM.

Caution

Before restarting these services, ensure that no commissioning requests are in progress by responding to all outstanding approval requests and waiting for all in-progress commissioning requests to be completed.



• Unisys Secure Private Cloud UCO

• Apache Tomcat 6

You can resolve expired passwords in either of the following ways:

• Use the domain controller to mark the password as not expired, as follows:

1. When Windows prompts you to enter a new password on the Cloud Orchestrator management VM, click Cancel to abandon your login attempt.

2. On the domain controller, run the Active Directory Users and Computers tool.

3. Open the properties for the expired account and enable the following options:

- Password never expires

- Unlock account

• Update the cloud to use a revised password, as follows:

1. Update the account password when prompted by Windows.

2. Perform the previous procedure for resolving an incorrect user name or password.

12.9. Restoring a Closed Pane in the Secure Private Cloud Portal

If you close one of the open panes in the Secure Private Cloud portal, do the following to restore it:

1. From a workstation on the Public Network, sign in to the Secure Private Cloud portal using the URL in Table 2–2 and your Liferay administrator credentials.

2. From the Add list (at the left of the top pane), click More.

3. Click Unisys SPC Portal, and then select the pane (portlet) you want to restore.

4. Drag and drop the pane onto the page, or click Add next to the pane name.

12.10. Log Files Maintenance

Log files are automatically written to the \logs directory. The is typically \liferay-portal-x.x.x\tomcat-x.x.x\ where x.x.x represents the software version.

Each file includes a timestamp, so you can clearly see when each was created. As part of general maintenance, you should delete older log files on a monthly basis.


12.11. Reporting Problems to Unisys

If you need to report a problem to Unisys, you do so using a User Communication Form (UCF). Enter the product name SECPRIVATECLOUD, and then list the specific component with which you are experiencing an issue; for example, uAdapt or the Unisys Secure Private Cloud portal.

You are prompted to provide specific details and gather diagnostics information, if applicable.

12.12. Troubleshooting Datastore Filter and ResourcePoolFilter Constants

The Datastore Filter and ResourcePoolFilter constants in the blueprint are case-sensitive and must match exactly the values in vCenter.

If an error occurs in finding a datastore, an e-mail notification is sent to the operator with the subject title “Insufficient Disk Space Approval Notification.”

12.13. Disconnecting Users from the Secure Private Cloud Portal and Enabling Maintenance Mode

If you need to disconnect all users from the Secure Private Cloud portal—for example, before changing credentials, before updating software, or if you are diagnosing a problem with the environment—perform the procedure in 9.2 Prerequisites to Changing Credentials.

To allow users to reconnect when you have finished the required maintenance, perform the procedure in 9.4 Restoring Users’ Connection to the Portal After Credentials Have Been Changed.

12.14. Troubleshooting Configuring Stealth-Enabled VLANs

In 6.2 Configuring Stealth-Enabled VLANs, you configure Stealth-enabled VLANs. The process of onboarding a new Stealth-enabled VLAN takes about one and a half hours to complete. If you experience problems due to a configuration error or a problem with the vCenter server, perform the procedures in this topic.



During onboarding, a transcript is produced that indicates the progress of the “job groups,” including which job group is running and its status. If a failure occurs, the process of Stealth onboarding can be restarted from the last successful step. Almost any failed job group can be restarted, with the following two exceptions:

• If the Stealth onboarding fails during the “Provision VSG” job group, the Virtual Stealth Gateway and Stealth Configuration Machine infrastructure VMs have probably been left in unknown states. Therefore, if the “Provision VSG” job group fails, you must restore the VM snapshot and restart the previous job group (“Create Config Machine”) so that the previous snapshots of the infrastructure VMs are used. See the procedure later in this topic for more information.

• Failure to activate a Microsoft license on the Stealth Configuration Machine, Stealth Proxy Server, or Stealth Relay Server infrastructure VMs is not considered fatal and does not halt the onboarding process. Therefore, you do not have to restart these jobs if they fail. See the procedure later in this topic for information on activating these licenses in case of failure.

(Note that failure to activate a Microsoft license on the Virtual Stealth Gateway infrastructure VM is considered fatal and does stop the onboarding process, because there is no way to activate the license manually or through automation after the Virtual Stealth Gateway has been configured. In this case, you must restart the onboarding process from the previous successful step.)

Job Group Order

The Stealth job groups occur in the following order:

• Create Transfer Machine

• Create VSG

• Activate VSG License

• Deploy VSG

• Create Config Machine

• Provision VSG

• Activate Config Machine License

• Create Proxy Server

• Provision Proxy Server

• Activate Proxy Server License

• Create Relay Server

• Provision Relay Server

• Activate Relay Server License

• Delete All Snapshots


Understanding Error Conditions

If you see “Automation step failed,” this indicates that a step in one of the tasks of a job group failed. When there is a job group failure, the Stealth onboarding process will stop. (The only exception, as stated previously, is Windows license activation failures for the Stealth Configuration Machine, Stealth Proxy Server, or Stealth Relay Server infrastructure VMs, which will not cause the onboarding to stop.)

The details of the error message appear immediately above the “Automation step failed” error. You might see various virtual machine configuration errors or Secure Private Cloud configuration errors. vCenter errors are enclosed in curly brackets {}.

Read the error condition details, and resolve the error condition based on the information provided. If you need assistance, see 12.16 Troubleshooting Articles on the Unisys Product Support Web Site, and access the Troubleshooting article on Stealth onboarding.

After the error condition is resolved, perform the following procedure to restart the failed job group.

Note: If the Windows license activation fails for the Stealth Configuration Machine, Stealth Proxy Server, or Stealth Relay Server infrastructure VMs, perform the procedure to activate a failed license rather than the procedure to restart a failed job group.

Restarting a Failed Job Group

To restart a failed job group, do the following:

1. If the failed job is any job other than Provision VSG, skip to the next step.

If the failed job is Provision VSG, do the following:

a. Using the vSphere Client, connect to the vCenter server that is managing the workload servers.

b. Locate the Virtual Stealth Gateway infrastructure VM whose provisioning job failed. The Virtual Stealth Gateway infrastructure VM name is in Table 1–31 of the tenant worksheet.

c. Right-click the infrastructure VM, point to Snapshot, and then click Revert to Current Snapshot.

d. After the snapshot is restored, restart the infrastructure VM.

e. Perform the remaining steps in this procedure, rerunning the Create Config Machine job (rather than the Provision VSG job).

2. If a console to the jump box management VM is not already available, open a console to the jump box management VM.

3. Enter the following command in the PowerShell command window:

Java -jar AutomationClient.jar C:\Unisys\Stealth\_\StealthOnBoardingJobs-restartable.xml ""



The StealthOnBoardingJobs-restartable.xml is located in the C:\Unisys\Stealth\_ folder, where is the name of the tenant being onboarded from Table 1–24 and the is the identifier for the Stealth-enabled tenant VLAN specified in Table 1–26.

Activating Failed Licenses

After the onboarding process is complete, review the transcript and note any license activation failures. Failure to activate a Microsoft license on the Stealth Configuration Machine, Stealth Proxy Server, or Stealth Relay Server infrastructure VMs is not considered fatal and does not halt the onboarding process. However, you must do the following to activate these licenses:

1. If a console to the jump box management VM is not already available, open a console to the jump box management VM.

2. Enter the following command in the PowerShell command window:

Java -jar AutomationClient.jar C:\Unisys\Stealth\_\StealthOnBoardingJobs-restartable.xml "" 1

The StealthOnBoardingJobs-restartable.xml is located in the C:\Unisys\Stealth\_ folder, where is the name of the tenant being onboarded from Table 1–24 and the is the identifier for the Stealth-enabled tenant VLAN specified in Table 1–26.

The Job Group Name should be one of the following:

• Activate Config Machine License

• Activate Proxy Server License

• Activate Relay Server License

1 indicates that only the given job is executed.
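The restart rules in this topic (rerun the failed job group, revert the VSG snapshot and rerun Create Config Machine when Provision VSG fails, defer the three non-fatal license activations to single-job runs) can be applied mechanically to an onboarding transcript. The following script is an added example and not Unisys code: the transcript line shapes it parses, the sample transcript, and the tenant/VLAN placeholders in the jobs file path are constructed assumptions.

```python
"""Restart planner for a failed Stealth-enabled VLAN onboarding run.
Added example, not Unisys code; transcript line shapes are assumed."""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Job groups in the order the guide lists them.
JOB_GROUPS = [
    "Create Transfer Machine", "Create VSG", "Activate VSG License", "Deploy VSG",
    "Create Config Machine", "Provision VSG", "Activate Config Machine License",
    "Create Proxy Server", "Provision Proxy Server", "Activate Proxy Server License",
    "Create Relay Server", "Provision Relay Server", "Activate Relay Server License",
    "Delete All Snapshots",
]
# License activations the guide calls non-fatal (Activate VSG License is fatal).
NON_FATAL_LICENSE_JOBS = {"Activate Config Machine License",
                          "Activate Proxy Server License",
                          "Activate Relay Server License"}
# Tenant name (Table 1-24) and VLAN ID (Table 1-26) are site-specific: placeholders.
JOBS_XML = r"C:\Unisys\Stealth\<TenantName>_<VLANID>\StealthOnBoardingJobs-restartable.xml"
# Assumed transcript line shapes; the parser relies on nothing else.
RUNNING = re.compile(r"^Running job group: (.+)$")
DONE = re.compile(r"^Job group completed: (.+)$")
FAILED = "Automation step failed"   # failure marker the guide describes


@dataclass
class RestartPlan:
    restart_from: str | None = None     # job group to rerun; None if nothing to rerun
    revert_vsg_snapshot: bool = False   # revert the VSG infrastructure VM first
    licenses_to_activate: list[str] = field(default_factory=list)
    error_detail: str | None = None     # line just above "Automation step failed"
    completed: bool = False             # "Delete All Snapshots" finished
    commands: list[str] = field(default_factory=list)


def parse_transcript(text: str) -> list[tuple[str, str, str | None]]:
    """Return (job_group, status, detail) events; detail is the line above a failure."""
    events: list[tuple[str, str, str | None]] = []
    current: str | None = None
    previous = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := RUNNING.match(line):
            current = m.group(1)
        elif m := DONE.match(line):
            events.append((m.group(1), "completed", None))
        elif line == FAILED and current is not None:
            events.append((current, "failed", previous))
        previous = line
    return events


def plan_restart(transcript: str) -> RestartPlan:
    """Apply the guide's restart rules to a (possibly partial) transcript."""
    plan = RestartPlan()
    for group, status, detail in parse_transcript(transcript):
        if group not in JOB_GROUPS:
            raise ValueError(f"unknown job group in transcript: {group!r}")
        if status == "completed":
            plan.completed = group == JOB_GROUPS[-1]
            continue
        if group in NON_FATAL_LICENSE_JOBS:
            plan.licenses_to_activate.append(group)   # onboarding carried on
            continue
        plan.error_detail = detail                   # fatal: onboarding stopped here
        plan.restart_from = group
        if group == "Provision VSG":
            # VSG and Config Machine VMs are in unknown states: revert the snapshot
            # and rerun the previous job group so the old snapshots are used.
            plan.revert_vsg_snapshot = True
            plan.restart_from = "Create Config Machine"
        break
    if plan.restart_from:
        plan.commands.append(f'Java -jar AutomationClient.jar {JOBS_XML} "{plan.restart_from}"')
    for lic in plan.licenses_to_activate:   # trailing 1 runs only the named job group
        plan.commands.append(f'Java -jar AutomationClient.jar {JOBS_XML} "{lic}" 1')
    return plan


# Constructed sample (earlier groups omitted): a non-fatal license failure,
# then a fatal vCenter error, which the guide says appears in curly brackets.
SAMPLE_TRANSCRIPT = """\
Running job group: Provision VSG
Job group completed: Provision VSG
Running job group: Activate Config Machine License
Windows activation failed: product key not accepted
Automation step failed
Running job group: Create Proxy Server
Job group completed: Create Proxy Server
Running job group: Provision Proxy Server
{A specified parameter was not correct: spec.vmProfile}
Automation step failed
"""

if __name__ == "__main__":
    for cmd in plan_restart(SAMPLE_TRANSCRIPT).commands:
        print(cmd)
```

For the sample transcript the plan is to rerun Provision Proxy Server first and then activate the Config Machine license as a single job; a real run would take the transcript produced by AutomationClient instead of the constructed one.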

12.15. Identifying the Secure Private Cloud Software Version

The Secure Private Cloud software version is listed on the Secure Private Cloud portal, under the Help menu. For example, version 2.0 of the software is listed as “Unisys Secure Private Cloud v.2.0.”

You can also identify the Secure Private Cloud software version used to commission a virtual machine by navigating to one of the following text files on any of the Unisys supplied virtual machines:

• For Windows virtual machines

C:\ProgramData\Unisys\SPC Version.txt

• For Linux virtual machines

/etc/Unisys/SPC-Version.txt


12.16. Troubleshooting Articles on the Unisys Product Support Web Site

The Unisys Product Support Web site includes troubleshooting articles for the Secure Private Cloud. To locate these articles:

1. Log on to the Unisys Product Support Web site at www.support.unisys.com.

2. Click Secure Private Cloud in the Infrastructure Management platform list.

The Secure Private Cloud Support Site opens.

3. Click TroubleShooting on the left pane under the Support Options heading.

A list of troubleshooting articles appears.

Select the article you want to review. You can also use the Search capability at the top of the page.



Appendix A

Incorporating an External Server into the Cloud Management Environment

If your environment includes an external server (such as an Active Directory server, vCenter server, patch management system, Nagios collector, or other value-add component) that is not reachable on the cloud management network, perform the steps in this appendix to connect that server to your cloud management environment.

A.1. Requirements for Incorporating an External Server

Keep the following requirements in mind when incorporating an external server in the Cloud Management Environment:

• The external server must connect to the management server using the Intercom Network or the Cloud Management Network. (It is recommended that the external server connects using the Intercom Network.)

If necessary, add an additional network adapter to the server.

• For the management VMs to be able to communicate with the external server over the Intercom Network, the Intercom Network on the management server must be configured to use a physical network adapter. Determine which network adapter on the management server the Intercom Network uses. If the network adapter on the management server is shared using VLAN tagging, also determine the VLAN ID to use.

• To verify communication with other management VMs, make sure the external server responds to a ping command over the Intercom Network.

A.2. Configuring the Management Server Intercom Network Connection to Communicate with External Servers

In a Non-HA Configuration

Use the procedure in either A.2.1 Using a Dedicated Network Adapter or A.2.2 Using a Shared Network Adapter to configure the Intercom Network on the management server so that management VMs can communicate with an external server that is not a virtual machine running on the management server.

3850 6804–007 A–1

Incorporating an External Server into the Cloud Management Environment

Skip this procedure if the external server has already been incorporated into the Cloud Management Environment.

In an HA Configuration

Note: Do not perform the procedures in this section if the management server is set up for HA.

If the management server is already set up in an HA configuration, the Unisys service representative completes all necessary network changes required on the Intercom Network after configuring High Availability on the management server. No additional configuration is required on the management server to set up the Intercom Network to use a physical adapter.

A.2.1. Using a Dedicated Network Adapter

Perform the following procedure if a dedicated network adapter on the management server enables the management VMs and the external server to communicate using the Intercom Network.

1. Connect a network cable from the network adapter to be used for the Intercom Network to the external switch.

2. From the vSphere Client connected to the management server, select the management server node in the left pane.

3. Select the Configuration tab, and click Networking under Hardware.

4. Click Properties for the Intercom Network virtual machine port group (vSwitch4).

The vSwitch4 Properties window opens.

5. Select the Network Adapters tab, and click Add.

6. Select the check box for the entry that corresponds to the network adapter from step 1.

7. Click Next several times, and then click Finish.

A.2.2. Using a Shared Network Adapter

Perform the following procedure if the network adapter for the Intercom Network on the management server is shared using VLAN tagging. For example, use this procedure if the same network adapter is used for the Intercom Network and the Management Access Network (if a tenant VLAN is enabled) using VLAN IDs.

1. Make sure the physical switch used by the physical adapter on the management server is configured to support the VLAN ID for the Intercom Network.

2. Launch the vSphere Client, connect to the management server, and log in using the root user from Table 2–1.

3. Select the Configuration tab, and click Networking under Hardware.

4. Locate the Intercom Network virtual machine port group (vSwitch4).


5. Identify all the virtual machines that are using the Intercom Network port group, and disconnect them, as follows:

Note: You must disconnect all virtual machines that are powered on from the Intercom Network before you can delete the Intercom Network port group in the next step.

a. Open the VM Properties dialog box for a virtual machine.

b. Clear the Connected option under Device Status for the network adapter configured for the Intercom Network.

Caution

Do not power off the virtual machine; do not clear the Connect at power on option.

c. Repeat for the next virtual machine.

6. Click Remove for the Intercom Network virtual machine port group (vSwitch4), and then click Yes to confirm removing the port group.

7. Locate the virtual switch associated with the network adapter being shared, and select Properties for the virtual switch.

The vSwitch Properties window opens.

8. Select the Ports tab, and click Add.

9. Select Virtual Machine, and click Next.

10. Type Intercom Network in the Network Label box.

11. Type the VLAN ID for the Intercom Network in the VLAN ID box, using the value from Table 2–1.

12. Click Next and then Finish.

13. Reconnect the Intercom Network connection for each virtual machine that was disconnected from the Intercom Network.

A.3. Updating the Hosts File on All Management VMs and External Servers Running Windows

Perform the following procedure for each management VM running Windows and marked InUse in Table 1–5 and for other external servers running Windows that are incorporated into the Cloud Management Environment.

Note: For the vCenter management VM, perform this procedure only if it is supplied by Unisys. Do not perform this procedure on a customer-supplied vCenter management VM.


1. Launch Notepad using the Run as administrator option.

2. In Notepad, open the file c:\windows\system32\drivers\etc\hosts.

3. Insert an entry for the external server’s IP address on the Intercom Network. Use the same naming convention for assigning an “internal hostname” for the server.

4. Save the file and close Notepad.

5. Repeat the procedure on the next management VM or external server running Windows (except a customer-supplied vCenter management VM, as noted).

A.4. Updating the Hosts File on uAdapt Management VM and External Servers Running Linux

Note: Skip this procedure if you are not incorporating an external server.

Perform the following procedure for the uAdapt management VM and on other external servers running Linux that are incorporated in the Cloud Management Environment.

1. Log in to the server using a user that has root user privileges.

2. Edit the file /etc/hosts using a text editor.

3. Insert an entry for the external server’s IP address on the Intercom Network. Use the same naming convention for assigning an “internal hostname” for the server.

4. Save the file and close the editor.

5. Repeat the procedure on other external servers running Linux.
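The hosts-file edits in A.3 and A.4 are the same operation on both platforms, and the main way they go wrong is a stale line for the same internal hostname that silently wins because the resolver takes the first match. The Python helper below is an added example for these two procedures; it is not code from this guide or from the Unisys product. It applies an entry idempotently, removes any conflicting mapping for that hostname, and refuses an address that is not inside the Intercom Network. The 172.31.1.0/24 range, the internal hostnames and the sample hosts content are constructed placeholders; the real values come from Tables 1–4 and 1–5.

```python
"""Idempotent hosts-file entry for an external server's internal hostname.

Added example for procedures A.3 and A.4; not code from the Unisys guide.
The hosts-file format is identical on both platforms: one IP address per line
followed by whitespace-separated hostnames, with '#' starting a comment.
"""
# Windows: c:\windows\system32\drivers\etc\hosts   Linux: /etc/hosts
import ipaddress
from typing import List, Optional, Tuple

# Constructed placeholder for the Intercom Network range; the real range is in Table 1-4.
INTERCOM_NETWORK = ipaddress.ip_network("172.31.1.0/24")

# Constructed sample hosts content (CRLF line endings, as a Windows hosts file would have).
SAMPLE_HOSTS = "\r\n".join([
    "# constructed sample hosts file",
    "127.0.0.1\tlocalhost",
    "172.31.1.200\tmna-int  # Management Network Appliance on the Intercom Network",
    "172.31.1.50\tjumpbox-int",
    "",
])


def address_on_intercom(ip: str, network: ipaddress.IPv4Network = INTERCOM_NETWORK) -> bool:
    """A.5 step 1c: the external server's address must lie in the Intercom Network range."""
    try:
        return ipaddress.ip_address(ip) in network
    except ValueError:
        return False


def _split_entry(line: str) -> Tuple[Optional[str], List[str], str]:
    """Split one line into (ip, hostnames, comment). Blank/comment lines give (None, [], line)."""
    body, hash_sign, rest = line.partition("#")
    parts = body.split()
    if not parts:
        return None, [], line
    return parts[0], parts[1:], (hash_sign + rest) if hash_sign else ""


def hosts_lookup(text: str, hostname: str) -> Optional[str]:
    """Resolve hostname the way the OS resolver does: first matching line wins, case-insensitively."""
    for line in text.splitlines():
        ip, names, _ = _split_entry(line)
        if ip is not None and hostname.lower() in (n.lower() for n in names):
            return ip
    return None


def upsert_hosts_entry(text: str, ip: str, hostname: str,
                       network: ipaddress.IPv4Network = INTERCOM_NETWORK) -> str:
    """Return hosts text with hostname mapped to ip and no stale mapping left behind.

    - Rejects an address outside the Intercom Network.
    - Drops hostname from any line with a different address, so a stale entry
      cannot shadow the new one under first-match resolution.
    - Appends hostname to an existing line for ip, or adds a new line at the end.
    Comments, blank lines, ordering and the file's line-ending style are preserved.
    """
    if not address_on_intercom(ip, network):
        raise ValueError(f"{ip} is not inside the Intercom Network {network}")
    addr = ipaddress.ip_address(ip)
    newline = "\r\n" if "\r\n" in text else "\n"
    out: List[str] = []
    placed = False
    for line in text.splitlines():
        line_ip, names, comment = _split_entry(line)
        if line_ip is None:
            out.append(line)
            continue
        try:
            line_addr = ipaddress.ip_address(line_ip)
        except ValueError:
            out.append(line)  # malformed line: leave it untouched
            continue
        has_name = any(n.lower() == hostname.lower() for n in names)
        if line_addr == addr:
            placed = True
            if has_name:
                out.append(line)  # already correct: keep the line as it is
                continue
            names.append(hostname)
        elif has_name:
            names = [n for n in names if n.lower() != hostname.lower()]
            if not names:
                continue  # the stale line carried only this name: drop it
        else:
            out.append(line)
            continue
        out.append(f"{line_ip}\t{' '.join(names)}" + (f"  {comment}" if comment else ""))
    if not placed:
        out.append(f"{ip}\t{hostname}")
    return newline.join(out) + newline
```

Read the file, pass its contents through upsert_hosts_entry, and write the result back with the same editor privileges the procedure calls for (Run as administrator on Windows, root on Linux); hosts_lookup is the check to run afterwards, since it reports the address the resolver will actually use.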

A.5. Configuring External Servers

Note: Skip this procedure if you are not incorporating an external server.

Perform the procedure in this section on each external server:

1. Connect the external server to the Intercom Network.

a. Connect a network cable from the network adapter to be used for the Intercom Network to the external switch.

b. Locate the network connection for the Intercom Network.

c. Assign a static IP address for the network connection. The IP address must be within the allowable IP range on the Intercom Network. See Table 1–4.

2. Configure the hosts file.

If the external server is running

• Windows. Copy the contents of the hosts file from the jump box management VM to the external server’s hosts file.

• Linux. Copy the contents of the hosts file from the uAdapt management VM or the Management Network Appliance to the external server’s hosts file. If neither is InUse, use the contents of the hosts file on the jump box management VM as input.

3. Configure the static routes.

If the Secure Private Cloud environment is configured to use VLANs for tenant isolation and the external server requires communication with commissioned tenant resources on the tenant VLANs, add static route statements on the external server to properly route traffic to the tenant VLANs using the Management Network Appliance as the gateway.

Skip this step if the external server does not require communication with tenant resources.

Procedure for Windows External Servers

a. Start the Windows Command Prompt using the Run as administrator option.

b. Enter the following command to add a static route:

route -p add destination mask netmask gateway

where

destination is the management-side tenant VLAN subnet from Table 1–26.

netmask is the VLAN netmask from Table 1–26.

gateway is the management network appliance IP address on the Intercom Network from Table 1–5.

c. Repeat this command for each tenant VLAN as required.

Example

route -p add 10.3.1.0 mask 255.255.255.0 172.31.1.200

4. Configure the DNS resolver.

If the external server requires communication with commissioned tenant resources using FQDN, configure the server to use the appropriate DNS server so the tenant resource’s FQDN is resolved to the correct IP address.

If the Secure Private Cloud is not configured to use VLANs for tenant isolation, the external server uses the same DNS servers as the Cloud Orchestrator management VM.

If the Secure Private Cloud is configured to use VLANs for tenant isolation, the external server communicates with commissioned tenant resources on the tenant VLANs using the management-side hostname. Configure the server’s DNS so that it resolves the tenant resource’s management-side hostname (fully qualified name) to the management-side IP address.

For example, the tenant resource tenant-0003.managed.spc.local is resolved to 10.3.1.15.
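Steps 3 and 4 only work together if the route and the resolver agree: the address a management-side FQDN resolves to must fall inside a tenant subnet that is routed via the Management Network Appliance, and a mistyped route (a gateway that is not on the Intercom Network, a destination with host bits set, or a tenant subnet that overlaps the Intercom Network itself) either fails silently or diverts management traffic. The Python example below is added here and is not code from this guide or from the Unisys product. It validates each route before it is added, emits the Windows route -p form shown in the example above as well as the Linux iproute2 form, and checks a resolved management-side address against the planned routes; it also goes slightly beyond the page by handling several VLANs in one pass. The Intercom Network range 172.31.1.0/24 and the second VLAN subnet are constructed placeholders, and the Linux ip route command is an assumption about the external server's tooling (it is not persistent across reboots on its own).

```python
"""Plan and validate static routes from an external server to tenant VLANs.

Added example for steps 3 and 4 of A.5; not code from the Unisys guide.
Traffic for the management-side tenant subnets is sent via the Management
Network Appliance's address on the Intercom Network.
"""
import ipaddress
import socket
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed placeholder for the Intercom Network range (real value: Table 1-4).
INTERCOM_NETWORK = ipaddress.ip_network("172.31.1.0/24")

# Constructed sample: the page's example VLAN plus one more (real values: Table 1-26).
TENANT_VLANS: List[Dict[str, str]] = [
    {"subnet": "10.3.1.0", "netmask": "255.255.255.0"},
    {"subnet": "10.3.2.0", "netmask": "255.255.255.0"},
]


@dataclass(frozen=True)
class TenantRoute:
    subnet: ipaddress.IPv4Network   # management-side tenant VLAN subnet
    gateway: ipaddress.IPv4Address  # Management Network Appliance on the Intercom Network

    @property
    def windows_command(self) -> str:
        # Persistent (-p) route, exactly the form used in the guide's example.
        return f"route -p add {self.subnet.network_address} mask {self.subnet.netmask} {self.gateway}"

    @property
    def linux_command(self) -> str:
        # iproute2 form (assumed tooling); not persistent by itself, so the same route must
        # also be placed in the distribution's network configuration.
        return f"ip route add {self.subnet.with_prefixlen} via {self.gateway}"


def plan_tenant_route(subnet: str, netmask: str, gateway: str,
                      intercom: ipaddress.IPv4Network = INTERCOM_NETWORK) -> TenantRoute:
    """Validate one static route before it is added.

    Raises ValueError for a destination whose host bits are set (strict=True), a
    gateway that is not on the Intercom Network, or a tenant subnet that overlaps
    the Intercom Network (which would divert management traffic).
    """
    net = ipaddress.ip_network(f"{subnet}/{netmask}", strict=True)
    gw = ipaddress.ip_address(gateway)
    if gw not in intercom:
        raise ValueError(f"gateway {gw} is not on the Intercom Network {intercom}")
    if net.overlaps(intercom):
        raise ValueError(f"tenant subnet {net} overlaps the Intercom Network {intercom}")
    return TenantRoute(net, gw)


def route_problem(subnet: str, netmask: str, gateway: str,
                  intercom: ipaddress.IPv4Network = INTERCOM_NETWORK) -> Optional[str]:
    """Return why the route must not be added, or None if it passes validation."""
    try:
        plan_tenant_route(subnet, netmask, gateway, intercom)
    except ValueError as exc:
        return str(exc)
    return None


def plan_tenant_routes(vlans: Iterable[Dict[str, str]], gateway: str) -> List[TenantRoute]:
    """Step 3c: one route per tenant VLAN, all via the same appliance address."""
    return [plan_tenant_route(v["subnet"], v["netmask"], gateway) for v in vlans]


def management_side_ip_is_routed(ip: str, routes: Iterable[TenantRoute]) -> bool:
    """Step 4 check: a resolved management-side address must lie in a routed tenant subnet,
    otherwise the packets leave through the default route instead of the appliance."""
    addr = ipaddress.ip_address(ip)
    return any(addr in r.subnet for r in routes)


def check_management_side_name(fqdn: str, routes: Iterable[TenantRoute]) -> bool:
    """Resolve fqdn with the server's configured resolver and apply the check above."""
    return management_side_ip_is_routed(socket.gethostbyname(fqdn), routes)
```

Running plan_tenant_routes(TENANT_VLANS, "172.31.1.200") on the external server and executing each windows_command (or linux_command) reproduces the page's example for the first VLAN; check_management_side_name("tenant-0003.managed.spc.local", routes) is the step-4 confirmation and requires the resolver to be configured first.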


CHECKPOINT:

1. Verify that the external server responds to a ping command from the jump box management VM using the “internal hostname”. That is, ping the external server using its IP address on the Intercom Network.

2. Verify that the external server can ping the jump box management VM using the “internal hostname”. That is, ping the jump box management VM using its IP address on the Intercom Network.

3. Verify that the external server can communicate with a tenant resource on the tenant’s VLAN using the FQDN of the tenant resource. If a tenant VLAN is configured, use the management-side FQDN of the tenant resource. For example, ping tenant-0003.managed.spc.local.


© 2012 Unisys Corporation. All rights reserved.
